Enable simple sandboxing in Bookwyrm systemd unit

packages/bookwyrm/nixos-module.nix

@@ -24,6 +24,21 @@ with pkgs . kernelmaft ;
 
 					User=bookwyrm
 					Group=bookwyrm
+
+					ProtectSystem=strict
+					ProtectHome=tmpfs
+					PrivateTmp=disconnected
+					PrivateDevices=true
+					PrivateIPC=true
+					ProtectHostname=true
+					ProtectClock=true
+					ProtectKernelTunables=true
+					ProtectKernelModules=true
+					ProtectControlGroups=strict
+					RestrictNamespaces=true
+					LockPersonality=true
+					RestrictRealtime=true
+					RestrictSUIDSGID=true
 				'' ;
 			} ;
 		} ;