From 4820b7193fa5d19c585bc4442e07dad76591664b Mon Sep 17 00:00:00 2001
From: CroneKorkN
Date: Fri, 15 May 2026 19:21:50 +0200
Subject: [PATCH] left4me: add bw action verifying hardening drop-ins load on every apply
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Post-daemon-reload self-test that asserts both /etc/systemd/system/left4me-{web,server@}.service.d/10-hardening.conf appear in `systemctl show -p DropInPaths` for the unit. Catches drift where the symlink lands but daemon-reload didn't take, or someone manually unlinked the drop-in. For the gameserver template we query `left4me-server@verify.service` — systemd resolves drop-ins for a template instance against `name@.service.d/` regardless of whether the instance has ever started.
Co-Authored-By: Claude Opus 4.7 (1M context)
---
 bundles/left4me/items.py | 24 ++++++++++++++++++++++++
 1 file changed, 24 insertions(+)
diff --git a/bundles/left4me/items.py b/bundles/left4me/items.py
index fdeee89..d958c29 100644
--- a/bundles/left4me/items.py
+++ b/bundles/left4me/items.py
@@ -173,6 +173,30 @@ actions = {
 'triggered': True,
 'cascade_skip': False,
 },
+ 'left4me_verify_hardening_dropins_loaded': {
+ # Post-apply self-test: confirm systemd actually picked up the
+ # hardening drop-ins we shipped via symlink. Catches the failure
+ # mode where the symlink lands but daemon-reload didn't take or
+ # someone manually unlinked the drop-in. For the gameserver template
+ # we query an imaginary instance — systemd resolves drop-in paths
+ # for `name@instance.service` against the template (`name@.service.d/`),
+ # so the instance need not exist or ever have run.
+ 'command': (
+ 'systemctl show left4me-server@verify.service -p DropInPaths --value '
+ '| tr " " "\\n" '
+ '| grep -qx /etc/systemd/system/left4me-server@.service.d/10-hardening.conf '
+ '&& '
+ 'systemctl show left4me-web.service -p DropInPaths --value '
+ '| tr " " "\\n" '
+ '| grep -qx /etc/systemd/system/left4me-web.service.d/10-hardening.conf'
+ ),
+ 'cascade_skip': False,
+ 'needs': [
+ 'action:left4me_daemon_reload',
+ 'symlink:/etc/systemd/system/left4me-web.service.d/10-hardening.conf',
+ 'symlink:/etc/systemd/system/left4me-server@.service.d/10-hardening.conf',
+ ],
+ },
 'left4me_dpkg_add_i386_arch': {
 # steamcmd is 32-bit and pulls libc6:i386 + lib32z1 from the i386 arch.
 # apt-get update is part of this action because newly-added foreign
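Review bot: The two `| grep -qx …10-hardening.conf` lines in the new `command` treat the path as a basic regular expression, so each `.` in `.service.d` and `.conf` is a single-character wildcard rather than a literal dot; switch to fixed-string matching so only the exact drop-in path satisfies the self-test: `'| grep -qxF /etc/systemd/system/left4me-server@.service.d/10-hardening.conf '` and likewise `'| grep -qxF /etc/systemd/system/left4me-web.service.d/10-hardening.conf'`. The check also only proves that the drop-in path was loaded, not that its directives are in effect; if the drop-in sets a property the unit exposes, asserting that property via a second `systemctl show -p` alongside DropInPaths would cover the content as well, though I cannot confirm the drop-in's contents from this hunk. The enclosing `actions = {` dict starts and ends outside the hunk.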