planet: harden planet generation service

Harden the unit by limiting access to the system and dissallowing
privilege escalation.

roles/planet/templates/planet.service.j2

@@ -6,3 +6,10 @@ Type=oneshot
 User=http
 ExecStart=/usr/bin/python2 planet.py archplanet/config.ini
 WorkingDirectory={{ planet_dir }}
+NoNewPrivileges=yes
+ProtectHome=true
+ProtectSystem=full
+PrivateTmp=true
+ProtectKernelModules=true
+ProtectKernelTunables=true
+ProtectControlGroups=true