diff --git a/deploy/files/usr/local/lib/systemd/system/left4me-web.service b/deploy/files/usr/local/lib/systemd/system/left4me-web.service
index c6d6477..3465516 100644
--- a/deploy/files/usr/local/lib/systemd/system/left4me-web.service
+++ b/deploy/files/usr/local/lib/systemd/system/left4me-web.service
@@ -17,14 +17,15 @@ Restart=on-failure
 RestartSec=3
 # NoNewPrivileges intentionally not set: the worker invokes fusermount3
 # (setuid-root) and sudo to run the systemctl wrapper.
-# PrivateTmp intentionally not set: it creates a private mount
-# namespace, which would hide per-instance fuse-overlayfs mounts from
-# the host and the gameserver units. The mount must land in the host
-# namespace so the systemd-managed gameserver service inherits it at
-# unshare time. Remaining hardening: dedicated user, ProtectSystem,
-# ReadWritePaths, narrow sudoers allowlist.
+# ProtectSystem=full + ReadWritePaths implicitly give this unit a
+# private mount namespace. MountFlags=shared makes its mount events
+# propagate back to the host so per-instance fuse-overlayfs mounts are
+# visible to the gameserver units (which inherit host mounts at their
+# own unshare time). Without it, the per-instance mount only exists
+# inside the worker's namespace and the gameserver units fail CHDIR.
 ProtectSystem=full
 ReadWritePaths=/var/lib/left4me
+MountFlags=shared
 
 [Install]
 WantedBy=multi-user.target
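Review bot: The added `MountFlags=shared` is very likely silently downgraded to `slave` here, because (as I recall from systemd.exec(5)) the namespace-creating options — ProtectSystem=, ReadWritePaths=, PrivateTmp= and friends — require that propagation from the unit's processes be turned off, so the new comment's claim that mount events "propagate back to the host" would not hold while `ProtectSystem=full` and `ReadWritePaths=` stay in the same unit, and the gameserver CHDIR failure the comment describes would persist. Please verify on a running worker by reading `/proc/<worker-pid>/mountinfo` for `/var/lib/left4me` and checking whether the optional field is `shared:N` or `master:N` before relying on this; if it is the latter, the removed comment's reasoning still applies and the sandboxing options, not the propagation flag, decide where the fuse-overlayfs mount lands. Either way the comment should state the trade-off it accepts: with working shared propagation, every mount the worker performs (via the setuid fusermount3 path noted above) becomes host-wide, so the unit's mount namespace is no longer a containment boundary. Suggested wording for the comment's second sentence: `# MountFlags=shared is required so the worker's fuse-overlayfs mounts propagate to the host; this intentionally gives up mount isolation for this unit (verified: see /proc/<pid>/mountinfo shows shared:).`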