fix(left4me): bind /var/lib/left4me/.steam + /opt/left4me/steam into server unit

Server@.service has TemporaryFileSystem virtualizing /var/lib and /opt;
the .steam home dir (which holds symlinks to /opt/left4me/steam/linux{32,64})
wasn't bound back into the unit's filesystem view. srcds dlopen's
~/.steam/sdk32/steamclient.so for Steam master-server registration —
under the unit it returned ENOENT, SteamAPI_Init failed, and the server
fell back to LAN-only mode regardless of +sv_lan 0. Clients then got
"LAN servers are restricted to local clients (class C)" on connect.

Bind both /var/lib/left4me/.steam (the symlinks) and /opt/left4me/steam
(the symlink targets) read-only into the unit. The Steam SDK file is
written by steamcmd as part of the install flow, so RO is fine — srcds
doesn't write back.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
CroneKorkN 2026-05-15 16:42:17 +02:00
parent 6bba2b04f7
commit caf2332051
Signed by: cronekorkn
SSH key fingerprint: SHA256:v0410ZKfuO1QHdgKBsdQNF64xmTxOF8osF1LIqwTcVw


@ -182,6 +182,15 @@ HARDENING_SERVER = {
'BindReadOnlyPaths': (
'/var/lib/left4me/installation',
'/var/lib/left4me/overlays',
# Steam SDK: srcds dlopen's ~/.steam/sdk32/steamclient.so for
# Steam master-server registration. Without this, SteamAPI_Init
# fails and the server falls back to LAN-only mode regardless
# of sv_lan=0 — clients then get "LAN servers are restricted
# to local clients (class C)". .steam holds symlinks into
# /opt/left4me/steam, so both paths need to be bound back
# through TemporaryFileSystem.
'/var/lib/left4me/.steam',
'/opt/left4me/steam',
'/etc/left4me/host.env',
'/etc/ssl',
'/etc/ca-certificates',
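Review bot: the new entries rely on `~` resolving to /var/lib/left4me inside the unit, but the comment only says srcds opens `~/.steam/sdk32/steamclient.so`; nothing in this hunk shows that the unit's HOME (or the left4me user's passwd home) is /var/lib/left4me, so a later change to `User=`/`Environment=HOME=` would silently reintroduce the ENOENT without touching this list. Suggest spelling that assumption out in the comment, e.g. `# (~ is /var/lib/left4me under the unit, so both the symlink dir and its /opt target are bound)`. Also, read-only is only safe here if steamcmd never runs under Server@.service; if an in-place update path ever executes steamcmd in the unit, these two binds will make it fail with EROFS, so a one-line pointer to where the install flow runs would help the next reader. Finally, the comment is a near-verbatim copy of the commit message; the two sentences about the symptom ("LAN servers are restricted to local clients (class C)") could be dropped from the code comment and left to git log.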