
contrib: import hardened systemd units #113

Open: wants to merge 1 commit into master

Conversation

mweinelt
Contributor

I developed these for the NixOS module and have been using them with
SQLite for quite some time.

And as promised, here they are. Cleaned up from all the NixOS-specific mess. I took the liberty to create the contrib directory so as not to mess up the root any further.

If required I can also group these settings and add some comments here and there.

These options were tested against systemd v246 and v247.

[root@juno:~]# systemd-analyze security pinnwand.service | grep -v "✓"
  NAME                                                        DESCRIPTION                                                                    EXPOSURE
✗ PrivateNetwork=                                             Service has access to the host's network                                            0.5
✗ RestrictAddressFamilies=~AF_(INET|INET6)                    Service may allocate Internet sockets                                               0.3
✗ DeviceAllow=                                                Service has a device ACL with some special devices                                  0.1
✗ IPAddressDeny=                                              Service does not define an IP address allow list                                    0.2
✗ RootDirectory=/RootImage=                                   Service runs within the host's root directory                                       0.1
✗ RestrictAddressFamilies=~AF_UNIX                            Service may allocate local sockets                                                  0.1

→ Overall exposure level for pinnwand.service: 1.1 OK 🙂
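For reference, the remaining ✗ findings in that output map onto specific unit directives. The `[Service]` section below is an added illustration, not the contrib unit from this PR or anything from the pinnwand project; the user name, the state directory and the ExecStart command are placeholders, and IPAddressAllow=localhost assumes a reverse proxy on the same host.

```ini
# Illustrative hardened [Service] section for a small network service such as
# pinnwand. Added example, not the contrib unit from this PR; User, paths and
# the ExecStart command are placeholders.
[Service]
User=pinnwand
Group=pinnwand
# placeholder: replace with the real pinnwand invocation
ExecStart=/path/to/pinnwand-http-command
# SQLite database under /var/lib/pinnwand stays writable despite ProtectSystem=strict
StateDirectory=pinnwand
UMask=0077

# Findings from the systemd-analyze output above that can still be addressed:
# "does not define an IP address allow list" (0.2): accept traffic only from a
# reverse proxy on the same host; drop IPAddressAllow= if it must listen publicly
IPAddressDeny=any
IPAddressAllow=localhost
# "may allocate local sockets" (0.1): leave AF_UNIX out if no unix socket is used
RestrictAddressFamilies=AF_INET AF_INET6
# "device ACL with some special devices" (0.1) is the implicit allow list that
# PrivateDevices=true creates for /dev/null and friends, so it is expected.
PrivateDevices=true

# Findings a web service normally cannot close: PrivateNetwork=true and
# RestrictAddressFamilies=~AF_INET would stop it serving HTTP, and
# RootDirectory=/RootImage= needs a dedicated root filesystem.

# General hardening for an unprivileged userspace daemon
NoNewPrivileges=true
CapabilityBoundingSet=
ProtectSystem=strict
ProtectHome=true
PrivateTmp=true
ProtectKernelTunables=true
ProtectKernelModules=true
ProtectKernelLogs=true
ProtectControlGroups=true
ProtectClock=true
ProtectHostname=true
RestrictNamespaces=true
RestrictRealtime=true
RestrictSUIDSGID=true
LockPersonality=true
# drop if a native extension needs writable and executable mappings
MemoryDenyWriteExecute=true
SystemCallArchitectures=native
SystemCallFilter=@system-service
SystemCallFilter=~@privileged @resources
```

Re-run `systemd-analyze security pinnwand.service` after editing to confirm which findings remain; the IP address allow list only takes effect on a cgroup v2 system with BPF support.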
