Update to make systemd create the user

Also use some stricter security features systemd provides.

This change from github user John Goerzen @jgoerzen as provided
in his comment:
#816 (comment)

ProtectSystem=strict prevents it from modifying basically anything on
the filesystem, so therefore we have to specify the possible locations
for the runtime directory under ReadWritePaths.

Author: zander

contrib/systemd/yggdrasil.service

@@ -6,8 +6,6 @@ After=network-online.target
 After=yggdrasil-default-config.service
 
 [Service]
-User=yggdrasil
-Group=yggdrasil
 ProtectHome=true
 ProtectSystem=true
 SyslogIdentifier=yggdrasil
@@ -16,6 +14,12 @@ ExecStart=/usr/bin/yggdrasil -useconffile /etc/yggdrasil.conf
 ExecReload=/bin/kill -HUP $MAINPID
 Restart=always
 TimeoutStopSec=5
+Group=yggdrasil
+User=yggdrasil-dyn
+DynamicUser=true
+ProtectSystem=strict
+NoNewPrivileges=true
+ReadWritePaths=/var/run/yggdrasil /run/yggdrasil
 
 # make sure /var/run/yggdrasil/ is created writable for the user.
 RuntimeDirectory=yggdrasil