mosquitto: systemd service sandboxing

running the service in a sandbox. read-only root file system,
with tmpfs mounted in /tmp, hidden /root and /home,
temporary /dev. the only writeable path is the data directory,
which according to my experiments is enough for the service
to work correctly.

nixos/modules/services/networking/mosquitto.nix

@@ -204,6 +204,16 @@ in
         Restart = "on-failure";
         ExecStart = "${pkgs.mosquitto}/bin/mosquitto -c ${mosquittoConf}";
         ExecReload = "${pkgs.coreutils}/bin/kill -HUP $MAINPID";
+
+        ProtectSystem = "strict";
+        ProtectHome = true;
+        PrivateDevices = true;
+        PrivateTmp = true;
+        ReadWritePaths = "${cfg.dataDir}";
+        ProtectControlGroups = true;
+        ProtectKernelModules = true;
+        ProtectKernelTunables = true;
+        NoNewPrivileges = true;
       };
       preStart = ''
         rm -f ${cfg.dataDir}/passwd