bundles/left4me: spread HARDENING_SERVER into left4me-server@.service

Replaces the inline hardening directives on the gameserver unit with the shared HARDENING_SERVER dict. Removes legacy ReadOnlyPaths / ReadWritePaths (superseded by TemporaryFileSystem + BindReadOnlyPaths + BindPaths in the dict). Brings the unit to the proven Test 7 composition with the i386 amendment (SystemCallArchitectures=native x86) and PrivatePIDs=true. Not deployed until bw apply. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
2026-05-15 14:46:58 +02:00 · 2026-05-15 14:46:58 +02:00 · 640461c87a
commit 640461c87a
parent 85b9af0aaa
1 changed files with 9 additions and 21 deletions
--- a/bundles/left4me/metadata.py
+++ b/bundles/left4me/metadata.py
@ -326,20 +326,13 @@ def systemd_units(metadata):
                            '/var/lib/left4me/instances/%i/instance.env',
                        ),
                        'WorkingDirectory': '-/var/lib/left4me/runtime/%i/merged/left4dead2',
-                        'ExecStartPre': (
-                            '+/usr/bin/nsenter --mount=/proc/1/ns/mnt -- '
-                            '/usr/local/libexec/left4me/left4me-overlay mount %i'
-                        ),
-                        'ExecStart': (
-                            '/var/lib/left4me/runtime/%i/merged/srcds_run '
-                            '-game left4dead2 +hostport ${L4D2_PORT} $L4D2_ARGS'
-                        ),
-                        'ExecStopPost': (
-                            '+/usr/bin/nsenter --mount=/proc/1/ns/mnt -- '
-                            '/usr/local/libexec/left4me/left4me-overlay umount %i'
-                        ),
+                        'ExecStartPre': '+/usr/bin/nsenter --mount=/proc/1/ns/mnt -- /usr/local/libexec/left4me/left4me-overlay mount %i',
+                        'ExecStart': '/var/lib/left4me/runtime/%i/merged/srcds_run -game left4dead2 +hostport ${L4D2_PORT} $L4D2_ARGS',
+                        'ExecStopPost': '+/usr/bin/nsenter --mount=/proc/1/ns/mnt -- /usr/local/libexec/left4me/left4me-overlay umount %i',
                        'Restart': 'on-failure',
                        'RestartSec': '5',
+
+                        # Resource control (baseline from prior performance work).
                        'Slice': 'l4d2-game.slice',
                        'Nice': '-5',
                        'IOSchedulingClass': 'best-effort',
@ -352,15 +345,10 @@ def systemd_units(metadata):
                        'KillSignal': 'SIGINT',
                        'TimeoutStopSec': '15s',
                        'LogRateLimitIntervalSec': '0',
-                        'NoNewPrivileges': 'true',
-                        'PrivateTmp': 'true',
-                        'PrivateDevices': 'true',
-                        'ProtectHome': 'true',
-                        'ProtectSystem': 'strict',
-                        'ReadOnlyPaths': '/var/lib/left4me/installation /var/lib/left4me/overlays',
-                        'ReadWritePaths': '/var/lib/left4me/runtime/%i',
-                        'RestrictSUIDSGID': 'true',
-                        'LockPersonality': 'true',
+
+                        # Hardening profile — see HARDENING_SERVER constant near top of
+                        # this file for per-directive rationale.
+                        **HARDENING_SERVER,
                    },
                    'Install': {
                        'WantedBy': {'multi-user.target'},