ansible-vault
AmbientCapabilities in systemd units is more privileged than Hashicorp's unit
While reviewing the official Hashicorp Vault Hardening guidelines, I found a difference between the systemd unit of this repository and the official units installed with the Hashicorp Linux packages.
One of the more relevant parts for me is AmbientCapabilities, which is set to CAP_IPC_LOCK in the Hashicorp repo, but CAP_SYSLOG CAP_IPC_LOCK here.
This modification was added in this commit https://github.com/ansible-community/ansible-vault/commit/5c4f74aef5724434c15efae5ae01740b7b5020f0 without much explanation, and I have tested on my setup reverting to AmbientCapabilities=CAP_IPC_LOCK without any issues.
Why is there this difference? If there is no specific reason, I would be pleased to contribute to this repo with this simple PR!
There are also other differences, for ulimits for example, but they are not a specific issue in my case.
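The comparison raised in this issue can be automated. The following is an added example, not part of the original post or of either project's code: it parses the AmbientCapabilities setting of a unit file and lists anything granted beyond a baseline. The unit fragments are constructed from the two values quoted above, and the function names are hypothetical.

```python
# Added example: report AmbientCapabilities a unit grants beyond a baseline.
# Both unit fragments are constructed from the values quoted in the issue;
# they are not the complete unit files from either repository.
BASELINE = {"CAP_IPC_LOCK"}  # value the issue reports for the Hashicorp unit

ROLE_UNIT = """\
[Service]
User=vault
AmbientCapabilities=CAP_SYSLOG CAP_IPC_LOCK
"""

PACKAGE_UNIT = """\
[Service]
AmbientCapabilities=CAP_IPC_LOCK
"""


def ambient_capabilities(unit_text):
    """Return the AmbientCapabilities set configured in one unit file.

    Per systemd.exec: repeated assignments are merged, and an empty
    assignment resets the set. Inverted ("~") lists are rejected here
    because resolving them needs the full kernel capability list.
    """
    caps, section = set(), None
    for raw in unit_text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue  # blank line or comment
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1]
            continue
        key, sep, value = line.partition("=")
        if section != "Service" or not sep or key.strip() != "AmbientCapabilities":
            continue
        value = value.strip()
        if not value:
            caps.clear()  # empty assignment resets earlier settings
        elif value.startswith("~"):
            raise ValueError("inverted capability list is not supported")
        else:
            caps.update(value.split())
    return caps


def extra_capabilities(unit_text, baseline=BASELINE):
    """Sorted capabilities the unit grants that the baseline does not."""
    return sorted(ambient_capabilities(unit_text) - set(baseline))


if __name__ == "__main__":
    print("role unit extras:", extra_capabilities(ROLE_UNIT))
    print("package unit extras:", extra_capabilities(PACKAGE_UNIT))
```

The parser reads a single unit file and does not apply drop-in overrides, so on a deployed host the result should be compared with what systemd reports for the loaded unit.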