bundles/left4me: spread HARDENING_SERVER into left4me-server@.service

Replaces the inline hardening directives on the gameserver unit with
the shared HARDENING_SERVER dict. Removes legacy ReadOnlyPaths /
ReadWritePaths (superseded by TemporaryFileSystem + BindReadOnlyPaths
+ BindPaths in the dict). Brings the unit to the proven Test 7
composition with the i386 amendment (SystemCallArchitectures=native x86)
and PrivatePIDs=true.

Not deployed until bw apply.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

bundles/left4me/metadata.py

@@ -326,20 +326,13 @@ def systemd_units(metadata):
                             '/var/lib/left4me/instances/%i/instance.env',
                         ),
                         'WorkingDirectory': '-/var/lib/left4me/runtime/%i/merged/left4dead2',
-                        'ExecStartPre': (
+                        'ExecStartPre': '+/usr/bin/nsenter --mount=/proc/1/ns/mnt -- /usr/local/libexec/left4me/left4me-overlay mount %i',
-                            '+/usr/bin/nsenter --mount=/proc/1/ns/mnt -- '
+                        'ExecStart': '/var/lib/left4me/runtime/%i/merged/srcds_run -game left4dead2 +hostport ${L4D2_PORT} $L4D2_ARGS',
-                            '/usr/local/libexec/left4me/left4me-overlay mount %i'
+                        'ExecStopPost': '+/usr/bin/nsenter --mount=/proc/1/ns/mnt -- /usr/local/libexec/left4me/left4me-overlay umount %i',
-                        ),
-                        'ExecStart': (
-                            '/var/lib/left4me/runtime/%i/merged/srcds_run '
-                            '-game left4dead2 +hostport ${L4D2_PORT} $L4D2_ARGS'
-                        ),
-                        'ExecStopPost': (
-                            '+/usr/bin/nsenter --mount=/proc/1/ns/mnt -- '
-                            '/usr/local/libexec/left4me/left4me-overlay umount %i'
-                        ),
                         'Restart': 'on-failure',
                         'RestartSec': '5',
+
+                        # Resource control (baseline from prior performance work).
                         'Slice': 'l4d2-game.slice',
                         'Nice': '-5',
                         'IOSchedulingClass': 'best-effort',
@@ -352,15 +345,10 @@ def systemd_units(metadata):
                         'KillSignal': 'SIGINT',
                         'TimeoutStopSec': '15s',
                         'LogRateLimitIntervalSec': '0',
-                        'NoNewPrivileges': 'true',
+
-                        'PrivateTmp': 'true',
+                        # Hardening profile — see HARDENING_SERVER constant near top of
-                        'PrivateDevices': 'true',
+                        # this file for per-directive rationale.
-                        'ProtectHome': 'true',
+                        **HARDENING_SERVER,
-                        'ProtectSystem': 'strict',
-                        'ReadOnlyPaths': '/var/lib/left4me/installation /var/lib/left4me/overlays',
-                        'ReadWritePaths': '/var/lib/left4me/runtime/%i',
-                        'RestrictSUIDSGID': 'true',
-                        'LockPersonality': 'true',
                     },
                     'Install': {
                         'WantedBy': {'multi-user.target'},