
Add sandboxing to ntfy.service #1467

Open
Velocifyer wants to merge 1 commit into binwiederhier:main from Velocifyer:patch-1

Conversation

@Velocifyer

See [systemd.exec(5)](https://man.archlinux.org/man/systemd.exec.5) to find out what the options mean!
@Velocifyer (Author)

Ideally ProtectSystem=strict would be used along with ReadWritePaths= and ReadOnlyPaths=, but I don't know every path ntfy uses.

@binwiederhier (Owner)

I tried this out and most seem harmless. However, PrivateTmp=true and ProtectSystem=full may cause problems with people's installations:

  • PrivateTmp breaks how ntfy is installed on ntfy.sh, because it uses /tmp as the socket and nginx can't see it
  • ProtectSystem=full may cause problems if people put their sqlite databases into /etc (which they obviously shouldn't)

So I think I'll add the others and update the docs with hardening suggestions. Sound good?

@Velocifyer (Author)

> PrivateTmp breaks how ntfy is installed on ntfy.sh, because it uses /tmp as the socket and nginx can't see it

You should be using /run.

> ProtectSystem=full may cause problems if people put their sqlite databases into /etc (which they obviously shouldn't)

Databases should not be in /etc.

If you want I can amend the commit to remove PrivateTmp. If a lot of people are putting sockets in /run I recommend that you still add PrivateTmp but put a warning in the changelog.
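As an added illustration (not part of this PR or of the ntfy project), here is a drop-in that follows the thread's conclusion: the unix socket moves from /tmp to /run so PrivateTmp=true can stay, and ProtectSystem=strict becomes workable by naming the directories ntfy writes to. The ntfy paths (/var/lib/ntfy, /var/cache/ntfy, /etc/ntfy), the socket location and the unprivileged User= in the main unit are assumptions about a typical install and must be checked against your own server.yml.

```ini
# /etc/systemd/system/ntfy.service.d/hardening.conf
# Added example, not part of this PR or of the ntfy project.
# Assumptions: the main unit runs ntfy as an unprivileged User=/Group=,
# ntfy writes only under /var/lib/ntfy and /var/cache/ntfy, reads its
# config from /etc/ntfy, and server.yml points the unix socket at
# /run/ntfy/ntfy.sock instead of /tmp, so nginx can still reach it
# while /tmp stays private to the service. Check these against your
# own server.yml before enabling.
[Service]
# Filesystem: ProtectSystem=full (the PR's setting) only makes /usr,
# /boot and /etc read-only. strict also covers /var, which is why the
# writable directories must be named explicitly below.
ProtectSystem=strict
ProtectHome=true
# systemd creates these, owned by the unit's User/Group, and grants
# write access to them even under ProtectSystem=strict.
# /run/ntfy: unix socket (survives PrivateTmp=true)
RuntimeDirectory=ntfy
# /var/lib/ntfy: auth/user database
StateDirectory=ntfy
# /var/cache/ntfy: message cache and attachments
CacheDirectory=ntfy
# A database kept somewhere else (never /etc) needs its own entry:
#ReadWritePaths=/srv/ntfy
ReadOnlyPaths=/etc/ntfy
PrivateTmp=true
# Devices, kernel and process isolation.
PrivateDevices=true
ProtectKernelTunables=true
ProtectKernelModules=true
ProtectKernelLogs=true
ProtectControlGroups=true
ProtectClock=true
ProtectHostname=true
RestrictNamespaces=true
RestrictRealtime=true
RestrictSUIDSGID=true
LockPersonality=true
MemoryDenyWriteExecute=true
SystemCallArchitectures=native
SystemCallFilter=@system-service
# HTTP, SMTP and the nginx socket; add AF_NETLINK if startup logs
# show address-family errors.
RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6
NoNewPrivileges=true
# Only needed if ntfy binds a port below 1024 itself; drop otherwise.
CapabilityBoundingSet=CAP_NET_BIND_SERVICE
AmbientCapabilities=CAP_NET_BIND_SERVICE
```

Any path ntfy writes to that is not listed here shows up as a read-only filesystem error in the journal at startup, which is the quickest way to find the paths the author says they do not know; `systemd-analyze security ntfy.service` scores the resulting sandbox.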
