left4me: symlink /etc/sysctl.d/99-left4me.conf to the checkout

Sysctl drop-in lives in left4me/deploy/files/etc/sysctl.d/99-left4me.conf
(absorbed kernel.yama.ptrace_scope from the metadata entry). Deliver
via target-side symlink instead of a verbatim copy.

Canary for the deployment-responsibility reshape (left4me design doc
2026-05-15-deployment-responsibility-design.md, step 1). Validated
end-to-end on ovh.left4me: symlink resolves to the checkout,
sysctl --system fires on apply, kernel target value matches, idempotent.
One-shot cleanup of stale /etc/sysctl.d/99-left4me-ptrace.conf
(orphan from earlier apply; bundles/sysctl does not auto-purge unmanaged
files).

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

bundles/left4me/files/etc/sysctl.d/99-left4me.conf

@@ -1,36 +0,0 @@
-# Host-side perf baseline for left4me — see
-# docs/superpowers/specs/2026-05-09-l4d2-server-host-perf-baseline-design.md
-#
-# UDP socket buffers: distro defaults of ~128 KiB are too small for sustained
-# Source-engine UDP across multiple instances. 8 MiB matches the standard
-# 1 Gbit recommendation; rmem_default/wmem_default protect sockets that don't
-# explicitly enlarge their buffers.
-net.core.rmem_max = 8388608
-net.core.wmem_max = 8388608
-net.core.rmem_default = 524288
-net.core.wmem_default = 524288
-
-# Kernel softirq UDP path: the per-CPU backlog queue starts dropping packets
-# at the default 1000 under multi-instance burst; 5000 absorbs realistic peaks.
-# netdev_budget = 600 gives softirq more drain headroom per pass.
-net.core.netdev_max_backlog = 5000
-net.core.netdev_budget = 600
-
-# Latency-sensitive default: avoid swap unless the box is really under
-# pressure. Harmless on swapless hosts.
-vm.swappiness = 10
-
-# Per-socket UDP buffer floors: protect game-server sockets that don't bump
-# their own SO_RCVBUF/SO_SNDBUF when softirq drains lag briefly.
-net.ipv4.udp_rmem_min = 16384
-net.ipv4.udp_wmem_min = 16384
-
-# Default qdisc for ifaces we don't explicitly shape with CAKE. Debian Trixie
-# already defaults to fq_codel; setting it explicitly is belt-and-suspenders
-# and survives kernel-default churn.
-net.core.default_qdisc = fq_codel
-
-# TCP congestion control: BBR for any bulk TCP egress on the host (admin SSH,
-# backups, package fetches, web-app responses) so a long flow does not push
-# the bottleneck queue ahead of game UDP. UDP srcds is unaffected.
-net.ipv4.tcp_congestion_control = bbr

bundles/left4me/items.py

@@ -96,15 +96,6 @@ files = {
         'group': 'root',
         'test_with': 'visudo -cf {}',
     },
-    '/etc/sysctl.d/99-left4me.conf': {
-        'source': 'etc/sysctl.d/99-left4me.conf',
-        'mode': '0644',
-        'owner': 'root',
-        'group': 'root',
-        'triggers': [
-            'action:left4me_sysctl_reload',
-        ],
-    },
     '/etc/left4me/host.env': {
         'source': 'etc/left4me/host.env.mako',
         'content_type': 'mako',
@@ -130,6 +121,20 @@ files = {
     },
 }
 
+symlinks = {
+    '/etc/sysctl.d/99-left4me.conf': {
+        'target': '/opt/left4me/src/deploy/files/etc/sysctl.d/99-left4me.conf',
+        'owner': 'root',
+        'group': 'root',
+        'needs': [
+            'git_deploy:/opt/left4me/src',
+        ],
+        'triggers': [
+            'action:left4me_sysctl_reload',
+        ],
+    },
+}
+
 actions = {
     'left4me_sysctl_reload': {
         'command': 'sysctl --system >/dev/null',

bundles/left4me/metadata.py

@@ -83,17 +83,6 @@ defaults = {
             '/etc/left4me',
         },
     },
-    'sysctl': {
-        # Block ptrace except from CAP_SYS_PTRACE holders. Belt-and-braces
-        # with SystemCallFilter=~@debug + PrivateUsers=true in the gameserver
-        # unit. See:
-        #   left4me docs/superpowers/specs/2026-05-15-hardening-defenses-survey.md
-        'kernel': {
-            'yama': {
-                'ptrace_scope': '2',
-            },
-        },
-    },
     'systemd-timers': {
         # Daily re-fetch of Steam Workshop metadata + .vpk downloads for any
         # item whose author published an update. The CLI just inserts a