fix(left4me): bind /var/lib/left4me/workshop_cache into server unit

Same class of leak as the .steam bind: workshop VPKs in overlays are symlinks pointing to /var/lib/left4me/workshop_cache/<id>.vpk. With TemporaryFileSystem=/var/lib in HARDENING_SERVER and workshop_cache not in BindReadOnlyPaths, the targets are invisible inside the unit's mount namespace. Source silently fails to load the addons — no log message, the addon just doesn't appear in-game (saw the ions vocalizer workshop VPK dangling on server@2). Add workshop_cache to the bind list. Read-only is fine; srcds reads the VPKs, doesn't write them (web app populates the cache as left4me). Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
2026-05-15 17:11:17 +02:00 · 2026-05-15 17:11:17 +02:00 · f3fe49c60e
commit f3fe49c60e
parent 9a4e184378
1 changed files with 4 additions and 0 deletions
--- a/bundles/left4me/metadata.py
+++ b/bundles/left4me/metadata.py
@ -190,6 +190,10 @@ HARDENING_SERVER = {
    'BindReadOnlyPaths': (
        '/var/lib/left4me/installation',
        '/var/lib/left4me/overlays',
+        # Workshop VPKs in overlays are symlinks into workshop_cache;
+        # without this bind they dangle inside the unit and Source
+        # silently fails to load the addons.
+        '/var/lib/left4me/workshop_cache',
        # Steam SDK: srcds dlopen's ~/.steam/sdk32/steamclient.so for
        # Steam master-server registration. Without this, SteamAPI_Init
        # fails and the server falls back to LAN-only mode regardless