add buffyboard systemd service

this is the service i use on NixOS to access buffyboard during normal system operation (i.e. after the initrd mounts root and hands control to systemd).

it's heavily sandboxed -- because being able to read/write system-wide inputs is a fairly privileged, risky thing -- but it's working fine across my PinePhone Pro, touchscreen laptop, and KB/mouse-only desktop, so i'm fairly confident in the service config. nevertheless, systemd makes it easy for distros to add additional resources to the service file if i've missed something (and then hopefully share those upstream here).

buffyboard/buffyboard.service.in

+[Unit]
+Documentation=https://gitlab.postmarketos.org/postmarketOS/buffybox
+
+[Service]
+ExecStart=@bindir@/buffyboard
+Restart=on-failure
+
+# Allow access to input devices, framebuffer, tty
+DevicePolicy=closed
+DeviceAllow=/dev/uinput rw
+DeviceAllow=char-fb rw
+DeviceAllow=char-input rw
+DeviceAllow=char-tty rw
+# udev requires some limited networking
+RestrictAddressFamilies=AF_NETLINK
+
+# Hardening
+CapabilityBoundingSet=
+NoNewPrivileges=true
+RestrictSUIDSGID=true
+PrivateMounts=true
+PrivateTmp=true
+PrivateUsers=true
+ProtectClock=true
+ProtectControlGroups=true
+ProtectHome=true
+ProtectHostname=true
+ProtectKernelLogs=true
+ProtectKernelModules=true
+ProtectKernelTunables=true
+ProtectSystem=strict
+RemoveIPC=true
+LockPersonality=true
+MemoryDenyWriteExecute=true
+SystemCallArchitectures=native
+SystemCallFilter=@system-service
+SystemCallFilter=~@privileged
+SystemCallFilter=~@resources