
Add some security directives to the systemd example file

This adds several directives to the systemd example file.

  • PrivateTmp=true: Sets up a new file system namespace for the executed processes and mounts private /tmp and /var/tmp directories inside it.
  • ProtectSystem=full: Mounts /usr, /boot, and /etc as read-only for processes invoked by this service.
  • PrivateDevices=: Sets up a new /dev mount point and only adds API pseudo devices such as /dev/null, /dev/zero or /dev/random but no physical devices. May cause problems with devices like the Raspberry Pi, so it’s false by default.
  • NoNewPrivileges=true: Ensures that the service process and all its children can never gain new privileges through execve().

This MR probably needs some testing on other instances before this can get merged.

More information about these directives here: systemd.exec(5)

Edited by shibayashi
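Added example, not part of this MR or the project's own unit file: a constructed unit with the four directives discussed above, plus a small audit function that reads a unit file and reports whether each directive is present with a hardening value. The service name "example-daemon", its ExecStart path and the unit file contents are placeholders; PrivateDevices is left at false to match the MR's default, so the audit flags it.

```shell
#!/bin/sh
# Constructed example (not the project's unit file): a [Service] section that
# uses PrivateTmp, ProtectSystem, PrivateDevices and NoNewPrivileges, and an
# audit function that checks a unit file for them. Service name, binary path
# and all file contents are placeholders.

hardened_unit() {
cat <<'EOF'
[Unit]
Description=Example daemon (placeholder unit for demonstration)

[Service]
ExecStart=/usr/local/bin/example-daemon
# Private /tmp and /var/tmp in a new mount namespace for this service
PrivateTmp=true
# /usr, /boot and /etc are mounted read-only for the service
ProtectSystem=full
# Hide physical devices; kept false here because some hosts (e.g. a
# Raspberry Pi using GPIO) need hardware access from the service
PrivateDevices=false
# The service and its children cannot gain privileges via execve()
NoNewPrivileges=true

[Install]
WantedBy=multi-user.target
EOF
}

# audit_unit FILE
# Prints one line per directive with its state and returns 0 only when all
# four are present with a hardening value (ProtectSystem=full or strict
# count as ok; ProtectSystem=true is weaker than full and is reported as such).
audit_unit() {
    file=$1
    rc=0
    for key in PrivateTmp ProtectSystem PrivateDevices NoNewPrivileges; do
        # systemd honours the last assignment of a key, so take the final one
        val=$(sed -n "s/^[[:space:]]*${key}=[[:space:]]*//p" "$file" | tail -n 1)
        case "$key=$val" in
            PrivateTmp=true|PrivateTmp=yes|\
            NoNewPrivileges=true|NoNewPrivileges=yes|\
            PrivateDevices=true|PrivateDevices=yes|\
            ProtectSystem=full|ProtectSystem=strict)
                echo "$key: ok ($val)" ;;
            *=)
                echo "$key: missing"
                rc=1 ;;
            *)
                echo "$key: weakened ($val)"
                rc=1 ;;
        esac
    done
    return $rc
}

# Demonstration: write the constructed unit to a temp file and audit it.
tmp=$(mktemp)
hardened_unit > "$tmp"
audit_unit "$tmp" || echo "unit is not fully hardened (see lines above)"
rm -f "$tmp"
```

The audit only reads the file; on a host running systemd the effective values of an installed unit can be confirmed with `systemctl show -p PrivateTmp -p ProtectSystem -p PrivateDevices -p NoNewPrivileges <unit>`, and `systemd-analyze security <unit>` gives an overall exposure score that shows how much each missing directive contributes.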
