From 6cf4517a88b7c808eeb2b72bfeb594b3301537d8 Mon Sep 17 00:00:00 2001 From: mwiegand Date: Fri, 15 May 2026 16:14:40 +0200 Subject: [PATCH] fix(deploy/files): drop ProcSubset=pid from web reference unit Mirrors ckn-bw fix: ProcSubset=pid hides /proc/sys/kernel/random/boot_id, which journalctl needs at startup; web unit invokes journalctl for live log streaming. Co-Authored-By: Claude Opus 4.7 (1M context) --- .../files/usr/local/lib/systemd/system/left4me-web.service | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/deploy/files/usr/local/lib/systemd/system/left4me-web.service b/deploy/files/usr/local/lib/systemd/system/left4me-web.service index 52f869e..ef034b0 100644 --- a/deploy/files/usr/local/lib/systemd/system/left4me-web.service +++ b/deploy/files/usr/local/lib/systemd/system/left4me-web.service @@ -50,8 +50,12 @@ ProtectHome=true PrivateTmp=true # === /proc + kernel === +# Note: ProcSubset=pid is intentionally NOT set on the web unit. +# It hides /proc/sys/kernel/random/boot_id which journalctl reads at +# startup, and the web invokes `sudo -n left4me-journalctl` to stream +# live server logs into the UI. The server unit can keep ProcSubset=pid +# because srcds doesn't shell out to journalctl. ProtectProc=invisible # foreign-uid /proc hidden (defense: D4) -ProcSubset=pid ProtectKernelTunables=true ProtectKernelModules=true ProtectKernelLogs=true
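Review bot: The added comment block records why ProcSubset=pid is dropped from the web unit but not what the unit gives up, which is the part a maintainer needs when weighing it against the server unit: without ProcSubset=pid the non-process parts of /proc (/proc/sys, /proc/net and the other top-level entries) are visible to the service again, with ProtectKernelTunables=true keeping /proc/sys read-only. I would add one line to the note, e.g. `# Trade-off: non-PID /proc entries are visible again; ProtectKernelTunables keeps /proc/sys read-only.` Since ProtectProc=invisible is now the remaining /proc hardening, it is also worth confirming with `systemctl show -p ProtectProc left4me-web.service` that the directive actually takes effect — systemd unit files do not support inline comments, so if the `# foreign-uid /proc hidden (defense: D4)` annotation sits on the same line as the value rather than on its own line, the directive is rejected at parse time and falls back to the default. The `sudo -n left4me-journalctl` path presumably also depends on the unit not setting NoNewPrivileges=true; that coupling lies outside this hunk but belongs in the same note so the next hardening pass does not break log streaming again.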