Bugzilla – Bug 1222954
headscale: check if CAP_CHOWN can be dropped from systemd unit
Last modified: 2024-04-18 14:07:22 UTC
The security team monitors additions of systemd services to Tumbleweed and this way we stumbled over the recent addition of headscale. The systemd service of headscale specified the CAP_CHOWN capability:

/usr/lib/systemd/system/headscale.service
```
[Service]
<snip>
User=headscale
Group=headscale
ExecStart=/usr/bin/headscale serve
Restart=always
RestartSec=5
WorkingDirectory=/var/lib/headscale
ReadWritePaths=/var/lib/headscale /var/run
AmbientCapabilities=CAP_NET_BIND_SERVICE CAP_CHOWN
CapabilityBoundingSet=CAP_NET_BIND_SERVICE CAP_CHOWN
<snip>
```

I couldn't find any reason for the service being granted CAP_CHOWN. Therefore I asked the upstream maintainer, Kristoffer Dalby, about it, and he also cannot see why this is needed. Quote:
```
I suspect that this is carried over from the systemd file used in NixOS, which in turn was copied from a separate project that had a stricter systemd file than standard. So it might just be a copy pasta error. If you test it without, please let me know what you find out.
```
Can you please remove CAP_CHOWN from the systemd unit and check whether the package still works as expected? Then we can give feedback to upstream to apply this hardening there, too. Thanks!
Thank you for pointing this out. With my quick testing, CAP_CHOWN is not needed. This gets fixed in SR#1168893.
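Added example, not part of this bug report or of the headscale package: a POSIX sh script that decodes the CapEff/CapBnd/CapAmb masks the kernel prints in /proc/<pid>/status, so a packager can confirm that the process started by the hardened unit really holds only CAP_NET_BIND_SERVICE and nothing else. It assumes the unit name headscale.service (from the path above) and that systemctl is available; the status lines in SAMPLE_STATUS are constructed, not captured from a real host.

```shell
#!/bin/sh
# Added example (not from the bug report or headscale): decode the capability
# masks in /proc/<pid>/status to confirm what a running service really holds.
CAP_CHOWN=0            # bit numbers from <linux/capability.h>
CAP_NET_BIND_SERVICE=10
# cap_is_set MASK CAPNUM: exit 0 when bit CAPNUM is set in the 16-hex-digit MASK.
cap_is_set() {
    [ $(( (0x$1 >> $2) & 1 )) -eq 1 ]
}
# caps_outside MASK ALLOWED: print (hex) the bits of MASK not in ALLOWED,
# i.e. capabilities the service holds but should not. Prints 0 when clean.
caps_outside() {
    printf '%x\n' $(( 0x$1 & ~0x$2 ))
}
# cap_field NAME: read status text on stdin, print the hex mask of line NAME
# (CapEff, CapBnd, CapAmb, ...). The kernel separates name and value with a tab.
cap_field() {
    sed -n "s/^$1:[[:space:]]*//p"
}
# check_status NAME ALLOWED: read status text on stdin; succeed only when the
# set NAME holds no capability outside ALLOWED.
check_status() {
    mask=$(cap_field "$1")
    [ -n "$mask" ] || return 2
    [ "$(caps_outside "$mask" "$2")" = "0" ]
}

ALLOWED_MASK=0000000000000400   # hardened target: only CAP_NET_BIND_SERVICE (bit 10)
# Constructed sample (not captured from a real host): status lines of a process
# started by the original unit, bits 0 and 10 set (0x401).
SAMPLE_STATUS='CapInh: 0000000000000000
CapPrm: 0000000000000401
CapEff: 0000000000000401
CapBnd: 0000000000000401
CapAmb: 0000000000000401'

# audit_service UNIT: check the live main process, e.g. audit_service headscale.service
audit_service() {
    pid=$(systemctl show -p MainPID --value "$1" 2>/dev/null)
    [ "${pid:-0}" -gt 0 ] || { echo "$1: no running main process" >&2; return 2; }
    rc=0
    for set in CapEff CapBnd CapAmb; do
        mask=$(cap_field "$set" < "/proc/$pid/status")
        extra=$(caps_outside "$mask" "$ALLOWED_MASK")
        echo "$set=$mask extra=0x$extra"
        [ "$extra" = "0" ] || rc=1
    done
    return $rc
}
```

Where libcap's tools are installed, `capsh --decode=<mask>` prints the capability names for a mask instead of the bit arithmetic above.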