From caf23320513d74b7e2f8e96be569123bae234a20 Mon Sep 17 00:00:00 2001
From: CroneKorkN
Date: Fri, 15 May 2026 16:42:17 +0200
Subject: [PATCH] fix(left4me): bind /var/lib/left4me/.steam + /opt/left4me/steam into server unit
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Server@.service has TemporaryFileSystem virtualizing /var/lib and /opt; the .steam home dir (which holds symlinks to /opt/left4me/steam/linux{32,64}) wasn't bound back into the unit's filesystem view. srcds dlopen's ~/.steam/sdk32/steamclient.so for Steam master-server registration — under the unit it returned ENOENT, SteamAPI_Init failed, and the server fell back to LAN-only mode regardless of +sv_lan 0. Clients then got "LAN servers are restricted to local clients (class C)" on connect. Bind both /var/lib/left4me/.steam (the symlinks) and /opt/left4me/steam (the symlink targets) read-only into the unit. The Steam SDK file is written by steamcmd as part of the install flow, so RO is fine — srcds doesn't write back.
Co-Authored-By: Claude Opus 4.7 (1M context)
---
 bundles/left4me/metadata.py | 9 +++++++++
 1 file changed, 9 insertions(+)
diff --git a/bundles/left4me/metadata.py b/bundles/left4me/metadata.py
index 81d35cd..fff5204 100644
--- a/bundles/left4me/metadata.py
+++ b/bundles/left4me/metadata.py
@@ -182,6 +182,15 @@ HARDENING_SERVER = {
 'BindReadOnlyPaths': (
 '/var/lib/left4me/installation',
 '/var/lib/left4me/overlays',
+ # Steam SDK: srcds dlopen's ~/.steam/sdk32/steamclient.so for
+ # Steam master-server registration. Without this, SteamAPI_Init
+ # fails and the server falls back to LAN-only mode regardless
+ # of sv_lan=0 — clients then get "LAN servers are restricted
+ # to local clients (class C)". .steam holds symlinks into
+ # /opt/left4me/steam, so both paths need to be bound back
+ # through TemporaryFileSystem.
+ '/var/lib/left4me/.steam',
+ '/opt/left4me/steam',
 '/etc/left4me/host.env',
 '/etc/ssl',
 '/etc/ca-certificates',
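Review bot: The second added entry binds all of `/opt/left4me/steam` into the unit, although the commit message says the `.steam` symlinks resolve only to `linux32` and `linux64` under it. If that tree also holds steamcmd's own state (binaries, logs, cached login or config data), the server process gains read access it does not need for the `steamclient.so` load. Consider narrowing the entry to `'/opt/left4me/steam/linux32',` and `'/opt/left4me/steam/linux64',`, assuming the symlinks point no higher than those two directories, and naming both targets in the comment above. The `HARDENING_SERVER` dict and the `BindReadOnlyPaths` tuple start and end outside the hunk.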