nixos/dnscrypt-proxy: more fs isolation for the updater

It'd be better to do the update as an unprivileged user; for
now, we do our best to minimize the surface available.  We
filter mount syscalls to prevent the process from undoing the fs
isolation.

nixos/modules/services/networking/dnscrypt-proxy.nix

@@ -285,7 +285,9 @@ in
         PrivateTmp = true;
         PrivateDevices = true;
         ProtectHome = true;
-        ProtectSystem = true;
+        ProtectSystem = "strict";
+        ReadWritePaths = "${dirOf stateDirectory} ${stateDirectory}";
+        SystemCallFilter = "~@mount";
       };
     };