so we can persist password reset codes, OIDC auth sessions and tokens.
These features will also work in multi-node setups without sicky
sessions now
Signed-off-by: Nicola Murino <nicola.murino@gmail.com>
We can tighten security by adding the following to
the systemd service file:
* NoNewPrivileges: should never be needed
* DevicePolicy: only basics required
* PrivateDevices: only needs mounted stuff, never devs
* ProtectSystem: no need to change boot
* RestrictAddressFamilies: INET, UNIX only
Signed-off-by: Marc <mail@lpcvoid.com>
Since we can now override settings through environment variables, it's handy to contain those changes in a separate file. This way, sysadmins can generate such a file without having to touch the systemd file.
Meanwhile the current flags are converted to `Environment` entries, which can be overridden in the `EnvironmentFile` if so desired.
If the file is not present, the directive [is ignored](https://www.freedesktop.org/software/systemd/man/systemd.exec.html#EnvironmentFile=)
