deploy/hardening: allow x86 syscalls on web drop-in (steamcmd is 32-bit)

The web service handles install jobs by fork-exec'ing steamcmd_linux,
a 32-bit binary. With SystemCallArchitectures=native (x86_64 only) the
kernel SIGSYS-kills it on its first i386 syscall — surfaced as bash
exit 159 (= 128 + SIGSYS) in job logs. Mirror the server drop-in's
`native x86` so the install path works again; the server unit already
needed the same allowance for srcds_linux.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

deploy/files/etc/systemd/system/left4me-web.service.d/10-hardening.conf

@@ -28,7 +28,12 @@ ProtectClock=true
 ProtectControlGroups=true
 ProtectHostname=true
 LockPersonality=true
-SystemCallArchitectures=native
+# `native x86` (not just `native`) — the install job fork-execs
+# steamcmd_linux, a 32-bit binary, which makes i386-numbered syscalls.
+# Under `native` alone the kernel SIGSYS-kills it (bash exit 159 =
+# 128+SIGSYS). Mirrors the server unit, which needs the same allowance
+# for srcds_linux. See deploy/files/etc/systemd/system/left4me-server@.service.d/10-hardening.conf.
+SystemCallArchitectures=native x86
 SystemCallFilter=@system-service
 SystemCallFilter=~@debug @mount @raw-io @reboot @swap @cpu-emulation @obsolete
 RestrictAddressFamilies=AF_INET AF_INET6 AF_UNIX

deploy/tests/test_example_units.py

@@ -261,7 +261,9 @@ def test_web_hardening_dropin_present_with_directives():
     ):
         assert d in text, f"missing {d!r} in web hardening drop-in"
     # WEB-specific
-    assert "SystemCallArchitectures=native" in text
+    # `native x86` (not `native`) because the install job fork-execs
+    # steamcmd_linux (32-bit). Plain `native` produces SIGSYS (bash exit 159).
+    assert "SystemCallArchitectures=native x86" in text
     assert "SystemCallFilter=@system-service" in text
     assert "SystemCallFilter=~@debug @mount @raw-io @reboot @swap @cpu-emulation @obsolete" in text
     # WEB must NOT include the sudo-incompatible directives.