nixos/gerrit: Apply initial hardening using the systemd unit

These options are a good start for sandboxing the service. It's planned
to set `ProtectSystem` to `strict` instead of `full`, but that requires
specific directories to be configured as writable. It's also planned to
filter system calls. However, that requires more testing but it
shouldn't prevent us from applying these options for now and add others
later.

Signed-off-by: Felix Singer <felixsinger@posteo.net>

0 files changed, 0 insertions, 0 deletions