left4me: add bw action verifying hardening drop-ins load on every apply

Post-daemon-reload self-test that asserts both /etc/systemd/system/left4me-{web,server@}.service.d/10-hardening.conf appear in `systemctl show -p DropInPaths` for the unit. Catches drift where the symlink lands but daemon-reload didn't take, or someone manually unlinked the drop-in. For the gameserver template we query `left4me-server@verify.service` — systemd resolves drop-ins for a template instance against `name@.service.d/` regardless of whether the instance has ever started. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
2026-05-15 19:21:50 +02:00 · 2026-05-15 19:21:50 +02:00 · 4820b7193f
commit 4820b7193f
parent d175c56e6c
1 changed files with 24 additions and 0 deletions
--- a/bundles/left4me/items.py
+++ b/bundles/left4me/items.py
@ -173,6 +173,30 @@ actions = {
        'triggered': True,
        'cascade_skip': False,
    },
+    'left4me_verify_hardening_dropins_loaded': {
+        # Post-apply self-test: confirm systemd actually picked up the
+        # hardening drop-ins we shipped via symlink. Catches the failure
+        # mode where the symlink lands but daemon-reload didn't take or
+        # someone manually unlinked the drop-in. For the gameserver template
+        # we query an imaginary instance — systemd resolves drop-in paths
+        # for `name@instance.service` against the template (`name@.service.d/`),
+        # so the instance need not exist or ever have run.
+        'command': (
+            'systemctl show left4me-server@verify.service -p DropInPaths --value '
+            '| tr " " "\\n" '
+            '| grep -qx /etc/systemd/system/left4me-server@.service.d/10-hardening.conf '
+            '&& '
+            'systemctl show left4me-web.service -p DropInPaths --value '
+            '| tr " " "\\n" '
+            '| grep -qx /etc/systemd/system/left4me-web.service.d/10-hardening.conf'
+        ),
+        'cascade_skip': False,
+        'needs': [
+            'action:left4me_daemon_reload',
+            'symlink:/etc/systemd/system/left4me-web.service.d/10-hardening.conf',
+            'symlink:/etc/systemd/system/left4me-server@.service.d/10-hardening.conf',
+        ],
+    },
    'left4me_dpkg_add_i386_arch': {
        # steamcmd is 32-bit and pulls libc6:i386 + lib32z1 from the i386 arch.
        # apt-get update is part of this action because newly-added foreign