nixos/hylafax: enable ProtectKernelLogs for most services

Also document that `ProtectClock` blocks access to serial line.
I couldn't found out why this is the case,
but faxgetty complains about the device file
not being accessible with `ProtectClock=true`.

nixos/modules/services/networking/hylafax/systemd.nix

@@ -106,8 +106,10 @@ let
         PrivateDevices = true;  # breaks /dev/tty...
         PrivateNetwork = true;
         PrivateTmp = true;
+        #ProtectClock = true;  # breaks /dev/tty... (why?)
         ProtectControlGroups = true;
         #ProtectHome = true;  # breaks custom spool dirs
+        ProtectKernelLogs = true;
         ProtectKernelModules = true;
         ProtectKernelTunables = true;
         #ProtectSystem = "strict";  # breaks custom spool dirs