improve(systemd): Enable sandboxing and user isolation for service

[gaaichan998]

Updated Systemd Configuration Guide

This PR substantially improves the systemd service configuration documentation for BililiveRecorder CLI version, with enhanced security practices and operational clarity.

Key Improvements:

1. Security Enhancements

   • Added dedicated system user/group creation
   • Implemented proper file/directory permissions
   • Introduced systemd service hardening options
   • Separated credentials into protected environment file

2. Configuration Updates

   • Standardized service naming convention
   • Improved path handling and directory structure guidance
   • Updated CLI arguments to use environment variables

3. Documentation Quality

   • Added detailed step-by-step instructions
   • Included comprehensive service management commands
   • Removed insecure inline credential configuration

4. Operational Best Practices

   • Added proper service sandboxing
   • Implemented resource restriction measures
   • Added systemd unit reload requirements

[shugen002]

很棒，但感觉好像对于普通用户会不会用力过猛，以致于劝退？

[gaaichan998]

Tested in Debian GNU/Linux 12 (bookworm), with kernel 6.1.0-28-amd64 and systemd 252 (252.31-1~deb12u1)
Output of sudo systemd-analyze security BililiveRecorder :

[gaaichan998]

很棒，但感觉好像对于普通用户会不会用力过猛，以致于劝退？

相比于原先的版本，应该是更简单的。我自己走了一遍流程，一路复制粘贴后运行，进行必要的修改（凭据、文件位置等）就可以运行起来。

AmbientCapabilities=及其下部分旨在于沙箱化录播姬单元和限制录播姬所能获得的能力（capability），在保证录播姬正常运行的情况下最小化权限及对系统的访问。

systemd.exec.html#Sandboxing
systemd.exec 中文手册#沙箱化

[gaaichan998]

systemd.md都是我手动修改的，我用llm对比了一下新旧文档的区别，帮我写Pull requests然后我再稍作修改。