replace tmpfiles.d with RuntimeDirectory for nginx

This is much more robust because nginx will fail to start after being
killed or crashing due to only removing old Unix domain sockets when it
stops cleanly. It ends up owned by root:root instead of root:http which
is fine because only the master process opens it.

systemd/system/nginx.service.d/local.conf

@@ -21,6 +21,8 @@ RestrictAddressFamilies=AF_INET AF_INET6 AF_UNIX
 RestrictNamespaces=true
 RestrictRealtime=true
 RestrictSUIDSGID=true
+RuntimeDirectory=nginx
+RuntimeDirectoryMode=700
 SystemCallArchitectures=native
 SystemCallFilter=@system-service
 SystemCallFilter=~@obsolete

tmpfiles.d/local-nginx.conf

@@ -1 +0,0 @@
-d /run/nginx 0750 root http -