Harden the aurweb tuvotereminder service

This service only requires MySQL access and ability to submit an email.

roles/aurweb/templates/aurweb-tuvotereminder.service.j2

@@ -7,3 +7,27 @@ After=mysqld.service
 Type=oneshot
 User={{ aurweb_user }}
 ExecStart=/usr/local/bin/aurweb-tuvotereminder
+
+NoNewPrivileges=true
+LockPersonality=true
+CapabilityBoundingSet=
+
+PrivateDevices=true
+PrivateTmp=true
+ProtectSystem=strict
+
+MemoryDenyWriteExecute=true
+RemoveIPC=true
+RestrictRealtime=true
+RestrictNamespaces=true
+RestrictSUIDSGID=true
+
+ProtectHostname=true
+ProtectControlGroups=true
+ProtectKernelLogs=true
+ProtectKernelTunables=true
+ProtectKernelModules=true
+ProtectClock=true
+ProtectProc=noaccess
+
+SystemCallArchitectures=native