scripts: add NoNewPrivileges=true to systemd unit file (#5381)

Also add comment about unsupported options in different systemd versions.

scripts/systemd/gogs.service

@@ -18,10 +18,13 @@ WorkingDirectory=/home/git/gogs
 ExecStart=/home/git/gogs/gogs web
 Restart=always
 Environment=USER=git HOME=/home/git
-# Hardening
+
+# Some distributions may not support these hardening directives. If you cannot start the service due
+# to an unknown option, comment out the ones not supported by your version of systemd.
 ProtectSystem=full
 PrivateDevices=yes
 PrivateTmp=yes
+NoNewPrivileges=true
 
 [Install]
 WantedBy=multi-user.target