diff --git a/deploy/files/usr/local/lib/systemd/system/left4me-web.service b/deploy/files/usr/local/lib/systemd/system/left4me-web.service
index 079efe0..0cfef4b 100644
--- a/deploy/files/usr/local/lib/systemd/system/left4me-web.service
+++ b/deploy/files/usr/local/lib/systemd/system/left4me-web.service
@@ -15,7 +15,10 @@ EnvironmentFile=/etc/left4me/web.env
 ExecStart=/opt/left4me/.venv/bin/gunicorn --workers 1 --threads 8 --bind 0.0.0.0:8000 'l4d2web.app:create_app()'
 Restart=on-failure
 RestartSec=3
-NoNewPrivileges=true
+# NoNewPrivileges intentionally not set: the worker invokes fusermount3
+# (setuid-root) to mount FUSE overlays and sudo to run the systemctl
+# wrapper. NoNewPrivileges blocks both. Hardening is still provided by
+# dedicated user, PrivateTmp, ProtectSystem=full, and narrow sudoers.
 PrivateTmp=true
 ProtectSystem=full
 ReadWritePaths=/var/lib/left4me
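Review bot: Removing `NoNewPrivileges=true` only restores setuid execution if nothing else in the unit implies it — several systemd sandboxing directives (SystemCallFilter=, ProtectKernelTunables=, MemoryDenyWriteExecute=, among others) switch NoNewPrivileges on implicitly for services running as a non-root user, and only PrivateTmp= and ProtectSystem=full are visible in this hunk; the rest of the [Service] section lies outside it, so it is worth confirming the effective value with `systemctl show left4me-web.service -p NoNewPrivileges` after deployment. The new comment names "narrow sudoers" as a compensating control but gives no pointer to it, so a reviewer cannot audit the two together; adding a line such as `# Sudoers rule: <path to the sudoers fragment in deploy/files> — limited to the systemctl wrapper only.` would keep the privilege boundary documented next to the directive that relaxes it. Since setuid transitions are now permitted for the whole gunicorn process, the sudoers rule and the fusermount3 invocation are the actual boundary, and the comment might say so explicitly rather than listing ProtectSystem=full as hardening against that specific risk.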