initial certbot-renew service hardening

This doesn't switch to using a dedicated certbot user yet since the
hooks used across the services will all still need to work.

systemd/system/certbot-renew.service.d/local.conf

@@ -1,2 +1,28 @@
 [Service]
+CapabilityBoundingSet=
+CPUSchedulingPolicy=batch
 ExecStart=/usr/bin/certbot -q renew --no-random-sleep-on-renew
+LockPersonality=true
+MemoryDenyWriteExecute=true
+PrivateDevices=true
+PrivateIPC=true
+PrivateUsers=true
+ProcSubset=pid
+ProtectClock=true
+ProtectControlGroups=true
+ProtectHome=read-only
+ProtectHostname=true
+ProtectKernelLogs=true
+ProtectKernelModules=true
+ProtectKernelTunables=true
+ProtectProc=invisible
+ProtectSystem=strict
+ReadWritePaths=/etc/letsencrypt /var/lib/letsencrypt /var/log/letsencrypt -/srv/certbot
+RemoveIPC=true
+RestrictAddressFamilies=AF_INET AF_INET6
+RestrictNamespaces=true
+RestrictRealtime=true
+RestrictSUIDSGID=true
+SystemCallArchitectures=native
+SystemCallFilter=@system-service
+SystemCallFilter=~@privileged @resources @obsolete

systemd/system/certbot-renew.service.d/mail.grapheneos.org.conf

@@ -0,0 +1,4 @@
+[Service]
+AmbientCapabilities=CAP_NET_BIND_SERVICE
+CapabilityBoundingSet=CAP_NET_BIND_SERVICE
+PrivateUsers=false