Improve security of systemd service rest-server.service by restricting network access

[eriksjolund]

What is the purpose of this change? What does it change?

Improve security of rest-server.service by restricting network access.

This patch improves the overall security assessment score given by systemd-analyze security rest-server.service from "1.3 OK" to "0.6 SAFE" (when using systemd-analyze version 253)

• Remove AF_INET AF_INET6 from RestrictAddressFamilies. Sockets originating from socket activation are not affected by the systemd directive RestrictAddressFamilies. See systemd.exec man page.

• Add PrivateNetwork=yes as recommended for socket-activated services in the systemd.socket man page.

• Add dependency on rest-server.socket

Was the change discussed in an issue or in the forum before?

Yes, in the forum:

https://forum.restic.net/t/using-none-instead-of-af-inet-af-inet6-for-restrictaddressfamilies-in-systemd-unit-rest-server-service/6448

Checklist

• I have enabled maintainer edits for this PR
• I have added tests for all changes in this PR
• I have added documentation for the changes (in the manual)
• There's a new file in changelog/unreleased/ that describes the changes for our users (template here)
• I have run gofmt on the code in all commits
• All commit messages are formatted in the same style as the other commits in the repo
• I'm done, this Pull Request is ready for review

[MichaelEischer]

Thanks for opening a PR! I like the changes in general, but I think some comments and in particular the changelog are too verbose:

[MichaelEischer]

LGTM. Thanks!