Introduce systemd.exec restrictions for better security

etc/systemd/system/nginx.service.d/custom.conf

@@ -6,3 +6,17 @@ ExecStop=-/sbin/start-stop-daemon --quiet --stop --pidfile /run/nginx.pid
 ExecStartPre=
 ExecStartPre=/usr/bin/install -Z -m 02755 -o www-data -g www-data -d /var/run/nginx
 ExecStartPre=/usr/sbin/nginx -t -q -g 'daemon on; master_process on;'
+ProtectSystem=strict
+PrivateTmp=true
+NoNewPrivileges=true
+PrivateDevices=true
+ProtectKernelTunables=true
+ProtectKernelModules=true
+ProtectControlGroups=true
+LockPersonality=true
+SystemCallArchitectures=native
+BindPaths=/var/log/nginx/
+BindPaths=/var/lib/nginx/
+BindPaths=/var/run/
+BindPaths=/run/
+InaccessiblePaths=/root/