Restrict bootstrapd behavior in systemd service file 

See [this reddit comment](https://www.reddit.com/r/linux/comments/50btwi/im_really_liking_systemd/d7341y9) and check out `systemd.exec(5)`

You just add some lines such as:

``` ini
PrivateTmp=yes
PrivateDevices=yes
PrivateNetwork=yes
ProtectSystem=full
ProtectHome=yes
NoNewPrivileges=yes
```
