Split out configs

Signed-off-by: Tommy <contact@tommytran.io>

etc/systemd/system/unbound.service.d/override.conf

@@ -0,0 +1,19 @@
+[Service]
+MemoryDenyWriteExecute=true
+PrivateDevices=true
+PrivateTmp=true
+ProtectHome=true
+ProtectClock=true
+ProtectControlGroups=true
+ProtectKernelLogs=true
+ProtectKernelModules=true
+# This breaks using socket options like 'so-rcvbuf'. Explicitly disable for visibility.
+ProtectKernelTunables=true
+ProtectProc=invisible
+RestrictAddressFamilies=AF_INET AF_INET6 AF_NETLINK AF_UNIX
+RestrictRealtime=true
+SystemCallArchitectures=native
+SystemCallFilter=~@clock @cpu-emulation @debug @keyring @module mount @obsolete @resources
+RestrictNamespaces=yes
+LockPersonality=yes
+RestrictSUIDSGID=yes

etc/systemd/zram-generator.conf

@@ -0,0 +1,4 @@
+[zram0]
+zram-fraction = 1
+max-zram-size = 8192
+compression-algorithm = zstd