diff --git a/bundles/left4me/files/etc/sysctl.d/99-left4me.conf b/bundles/left4me/files/etc/sysctl.d/99-left4me.conf
deleted file mode 100644
index 0860833..0000000
--- a/bundles/left4me/files/etc/sysctl.d/99-left4me.conf
+++ /dev/null
@@ -1,36 +0,0 @@
-# Host-side perf baseline for left4me — see
-# docs/superpowers/specs/2026-05-09-l4d2-server-host-perf-baseline-design.md
-#
-# UDP socket buffers: distro defaults of ~128 KiB are too small for sustained
-# Source-engine UDP across multiple instances. 8 MiB matches the standard
-# 1 Gbit recommendation; rmem_default/wmem_default protect sockets that don't
-# explicitly enlarge their buffers.
-net.core.rmem_max = 8388608
-net.core.wmem_max = 8388608
-net.core.rmem_default = 524288
-net.core.wmem_default = 524288
-
-# Kernel softirq UDP path: the per-CPU backlog queue starts dropping packets
-# at the default 1000 under multi-instance burst; 5000 absorbs realistic peaks.
-# netdev_budget = 600 gives softirq more drain headroom per pass.
-net.core.netdev_max_backlog = 5000
-net.core.netdev_budget = 600
-
-# Latency-sensitive default: avoid swap unless the box is really under
-# pressure. Harmless on swapless hosts.
-vm.swappiness = 10
-
-# Per-socket UDP buffer floors: protect game-server sockets that don't bump
-# their own SO_RCVBUF/SO_SNDBUF when softirq drains lag briefly.
-net.ipv4.udp_rmem_min = 16384
-net.ipv4.udp_wmem_min = 16384
-
-# Default qdisc for ifaces we don't explicitly shape with CAKE. Debian Trixie
-# already defaults to fq_codel; setting it explicitly is belt-and-suspenders
-# and survives kernel-default churn.
-net.core.default_qdisc = fq_codel
-
-# TCP congestion control: BBR for any bulk TCP egress on the host (admin SSH,
-# backups, package fetches, web-app responses) so a long flow does not push
-# the bottleneck queue ahead of game UDP. UDP srcds is unaffected.
-net.ipv4.tcp_congestion_control = bbr
diff --git a/bundles/left4me/items.py b/bundles/left4me/items.py
index 8545e6f..49eb9c0
--- a/bundles/left4me/items.py +++ b/bundles/left4me/items.py @@ -96,15 +96,6 @@ files = { 'group': 'root', 'test_with': 'visudo -cf {}', }, - '/etc/sysctl.d/99-left4me.conf': { - 'source': 'etc/sysctl.d/99-left4me.conf', - 'mode': '0644', - 'owner': 'root', - 'group': 'root', - 'triggers': [ - 'action:left4me_sysctl_reload', - ], - }, '/etc/left4me/host.env': { 'source': 'etc/left4me/host.env.mako', 'content_type': 'mako', @@ -130,6 +121,20 @@ files = { }, } +symlinks = { + '/etc/sysctl.d/99-left4me.conf': { + 'target': '/opt/left4me/src/deploy/files/etc/sysctl.d/99-left4me.conf', + 'owner': 'root', + 'group': 'root', + 'needs': [ + 'git_deploy:/opt/left4me/src', + ], + 'triggers': [ + 'action:left4me_sysctl_reload', + ], + }, +} + actions = { 'left4me_sysctl_reload': { 'command': 'sysctl --system >/dev/null', diff --git a/bundles/left4me/metadata.py b/bundles/left4me/metadata.py index f7dad04..75d87b9 100644 --- a/bundles/left4me/metadata.py +++ b/bundles/left4me/metadata.py @@ -83,17 +83,6 @@ defaults = { '/etc/left4me', }, }, - 'sysctl': { - # Block ptrace except from CAP_SYS_PTRACE holders. Belt-and-braces - # with SystemCallFilter=~@debug + PrivateUsers=true in the gameserver - # unit. See: - # left4me docs/superpowers/specs/2026-05-15-hardening-defenses-survey.md - 'kernel': { - 'yama': { - 'ptrace_scope': '2', - }, - }, - }, 'systemd-timers': { # Daily re-fetch of Steam Workshop metadata + .vpk downloads for any # item whose author published an update. The CLI just inserts a
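Review bot: The `'target'` line of the new `symlinks` entry points `/etc/sysctl.d/99-left4me.conf` into the `/opt/left4me/src` checkout, so whoever can write that checkout now controls root-trust kernel tunables (for example `kernel.core_pattern` or `kernel.yama.ptrace_scope`) on the next `sysctl --system` run; the removed `files` item pinned the content and `0644` `root:root`, whereas a symlink's `owner`/`group` describe only the link, not the target. If the checkout or its `deploy/files` tree is writable by anything other than root this is a privilege-escalation path, and the conf should stay a bundle-managed file or the target's mode and ownership should be asserted alongside the link. Separately, `triggers` on a symlink fires only when the link itself is created or changed, so a later commit that edits the target will not run `left4me_sysctl_reload` unless the `git_deploy:/opt/left4me/src` item (not shown here) also carries `'triggers': ['action:left4me_sysctl_reload']`. Note too that this commit drops `kernel.yama.ptrace_scope = 2` from metadata.py and the deleted conf never set it, so unless the checked-in target file does, ptrace hardening silently falls back to the distro default.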