Also use some stricter security features systemd provides.

This change is from GitHub user John Goerzen (@jgoerzen), as provided
in his comment:
https://github.com/yggdrasil-network/yggdrasil-go/pull/816#issuecomment-1006679721

ProtectSystem=strict prevents it from modifying basically anything on
the filesystem, so therefore we have to specify the possible locations
for the runtime directory under ReadWritePaths.

An Internet-accessible service should aim to have as little
attack surface as possible, which is much easier to do when running
with the absolute minimum number of privileges.

This makes the systemd setup run the service as a user 'yggdrasil'
and uses the systemd feature `RuntimeDirectory` to auto-create
the /var/run/yggdrasil dir so our non-elevated client can still
create the socket.

The sysusers file will cause the user to be created on first install
using the sysusers subsystem.
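
The settings described in the messages above, put together as an added sketch (not the project's own unit or sysusers file). The file locations, the `ExecStart` placeholder and the sysusers description string are assumptions.

```ini
# Constructed sysusers.d entry, e.g. /usr/lib/sysusers.d/yggdrasil.conf
# (location and description string are assumptions):
#   u yggdrasil - "Yggdrasil Network"
#
# Constructed unit sketch, e.g. /etc/systemd/system/yggdrasil.service.
[Unit]
Description=yggdrasil (hardening sketch)
After=network-online.target
Wants=network-online.target

[Service]
# Run as the unprivileged account created by the sysusers entry, not root.
User=yggdrasil

# systemd creates /run/yggdrasil at start, owned by User=, and removes it
# at stop, so the non-root process can still create its socket there.
RuntimeDirectory=yggdrasil

# Mount the entire file system hierarchy read-only for this service ...
ProtectSystem=strict

# ... and list the runtime directory locations as the writable exceptions.
# /var/run is normally a symlink to /run, hence both spellings.
ReadWritePaths=/var/run/yggdrasil/ /run/yggdrasil/

# Not covered by the messages above: capabilities the daemon may need as a
# non-root user would be granted explicitly with AmbientCapabilities=.

# Placeholder: substitute the installed binary path and its arguments.
ExecStart=<PATH-TO-YGGDRASIL-BINARY> <ARGS>

[Install]
WantedBy=multi-user.target
```

Once a unit like this is installed, `systemd-analyze security yggdrasil.service` lists which sandboxing directives are in effect and which are still unset.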