systemd: add more options

[ci skip]

packaging/systemd/wesnothd.service.in

@@ -1,22 +1,34 @@
 [Unit]
 Description=Wesnoth@BINARY_SUFFIX@ Multiplayer Server Daemon
+Documentation=https://www.wesnoth.org/wiki/ServerAdministration
 Documentation=man:wesnothd(6)
 After=network.target
-# other wesnothd installations use the same port by default
+# Other wesnothd installations use the same port by default
 # Conflicts=wesnothd-1.12.service wesnothd-1.10.service
 
 [Service]
+# If wesnothd is started from within the game it runs under a different user
+# Deleting the pipe resets owner, group and mode
+ExecStartPre=/bin/rm -f @FIFO_DIR@/socket
+
 ExecStart=@CMAKE_INSTALL_FULL_BINDIR@/wesnothd@BINARY_SUFFIX@ -t 2 -T 5
-# you can use -c to specify the same configuration file
+# You can use -c to specify the same configuration file
 # which is used when starting wensothd from within the wesnoth UI
+# e.g. -c /home/user/.local/share/wesnoth/1.14/lan_server.cfg
 # (and make sure wesnothd has the required access permissions)
-ExecStopPost=/usr/bin/rm -f @FIFO_DIR@/socket
+
+ExecStopPost=/bin/rm -f @FIFO_DIR@/socket
+
 SyslogIdentifier=Wesnothd@BINARY_SUFFIX@
+WorkingDirectory=@FIFODIR@
+User=nobody
+Group=users
 
 # Additional security-related features
-# (when using the -c option, do not use the Protect options)
+# (when using the -c option, do not use ProtectHome)
 ProtectHome=yes
-ProtectSystem=full
+ProtectSystem=strict
+ReadWritePaths=@FIFO_DIR@
 PrivateTmp=yes
 PrivateDevices=yes
 NoNewPrivileges=yes
@@ -28,6 +40,7 @@ ProtectControlGroups=yes
 ProtectKernelTunables=yes
 ProtectKernelModules=yes
 RestrictNamespaces=yes
+LockPersonality=yes
 
 [Install]
 WantedBy=multi-user.target

packaging/systemd/wesnothd.tmpfiles.conf.in

@@ -1 +1 @@
-d @FIFO_DIR@ 0700 root root -
+d @FIFO_DIR@ 0700 nobody users -