Commit graph

12 commits

Author SHA1 Message Date
Tim Small
d1e56e80ee Remove ProcSubset=pid to allow access to /proc/stat etc. 2021-05-31 11:46:31 +01:00
Tim Small
4967dcbf74 Document and sign-post additional systemd resource control options.
The systemd administrator may wish to use additional resource control
facilities which systemd provides. Document the existence of these, and
provide some example options in commented form.
2021-05-31 11:46:31 +01:00
Tim Small
8a1535ba0c Improve commenting of systemd unit file based on review. 2021-05-31 11:46:06 +01:00
Tim Small
05a5d1f94e Improve security of example systemd unit file
The supplied systemd unit file places some basic security restrictions
on the rest service.  This patch enhances those, and improves the
overall security assessment score given by `systemd-analyze security`
from "8.3 EXPOSED" to "1.3 OK".

Closes #148
2021-04-03 08:18:45 +01:00
Andreas Olsson
a994d347ca
Make example systemd service more restrictive
In addition to any existing filesystem restrictions on the (www-data)
backup user these config options use namespaces and other kernel
features to further restrict what the _rest-server_ is allowed to do.

* `ProtectSystem=strict` and `ReadWritePaths=/path/to/backups` ensure
  that the _rest-server_ is only allowed to write to its data directory.

* `ProtectHome=yes` and `PrivateTmp=yes` limit what the _rest-server_
  gets (read) access to.

* `NoNewPrivileges=yes` prevents the _rest-server_ from using setuid
  binaries, etc. to escalate its privileges.

See https://www.freedesktop.org/software/systemd/man/systemd.exec.html
for further details

While at it I also replaced the _/tmp/restic_ path with a more explicit
placeholder path. Given that one rarely wants to back up to _/tmp_ I
figured it better to force a choice of path rather than to have
someone accidentally end up using _/tmp/restic_ for their backups.
2020-09-13 14:21:32 +02:00
Adam Piggott
c74c36e175 Tweak systemd unit file
The directive "StartLimitInterval" has been replaced by [StartLimitIntervalSec=interval, StartLimitBurst=burst](https://www.freedesktop.org/software/systemd/man/systemd.unit.html#StartLimitIntervalSec=interval). I'd suggest that the default backoff settings are fine (in Ubuntu 19.10 no more than 5 restarts per 10 seconds, else delayed by 10 seconds per attempt) so this directive can simply be removed.
2020-04-12 18:29:39 +01:00
Aaron Bieber
496f8ea1f6 remove ip from freebsd example 2018-03-01 08:08:33 +01:00
Aaron Bieber
dfe9755ed0 add example rc scripts for OpenBSD and FreeBSD 2018-03-01 08:08:33 +01:00
Zlatko Čalušić
f25bf989dc Move systemd service file under examples/systemd/ 2018-01-28 19:28:16 +01:00
Zlatko Čalušić
0a5606e954 Update examples/compose-with-grafana/README.md 2018-01-21 19:36:01 +01:00
Konrad Wojas
8d8ecd7b0e Grafana dashboard fix: select instance
Fix: the queries were not filtering on the selected instance.
2017-10-30 17:05:56 +01:00
Konrad Wojas
213ff91b05 Full stack Docker Compose demo with Grafana dashboard
Add a full stack demo using Docker Compose that runs Rest Server,
Prometheus and Grafana with a Rest Server dashboard.
2017-10-30 17:05:56 +01:00