docs(deploy): tighten perf-tuning escape hatches

- RT example: add AmbientCapabilities=CAP_SYS_NICE so the User=left4me
  service can actually enter SCHED_FIFO on Trixie.
- CPU governor: note that linux-cpupower may need apt install.
- CPUAffinity=2: clarify that per-instance values typically increment.
- NIC tuning: note that ethtool may need apt install.

deploy/README.md

@@ -86,6 +86,8 @@ The performance governor squeezes a few percent off jitter under bursty load. `s
 sudo cpupower frequency-set -g performance
 ```
 
+Install via `sudo apt install linux-cpupower` if the binary isn't present.
+
 Persist via your distro's CPU-frequency tooling (e.g. `/etc/default/cpufrequtils`).
 
 ### Per-instance CPU affinity
@@ -97,11 +99,13 @@ Persist via your distro's CPU-frequency tooling (e.g. `/etc/default/cpufrequtils
 CPUAffinity=2
 ```
 
+This pins the instance to CPU 2 specifically; per-instance values would typically be 1, 2, 3, ... so each server has its own core.
+
 A reasonable strategy on an N-core host: leave core 0 for the kernel + IRQs + system services, then pin one instance per remaining core.
 
 ### NIC tuning
 
-Hardware-specific. On a host with a single primary interface (replace `eth0`):
+Hardware-specific (install via `sudo apt install ethtool` if not present). On a host with a single primary interface (replace `eth0`):
 
 ```sh
 sudo ethtool -G eth0 rx 4096 tx 4096
@@ -121,8 +125,11 @@ Source-engine servers do not need real-time scheduling, and a misbehaving `srcds
 CPUSchedulingPolicy=fifo
 CPUSchedulingPriority=10
 LimitRTPRIO=10
+AmbientCapabilities=CAP_SYS_NICE
 ```
 
+The `AmbientCapabilities=CAP_SYS_NICE` line is needed because the service runs as `User=left4me` with `NoNewPrivileges=true`; without it some kernels/systemd combinations refuse to apply the RT policy.
+
 ### Applying changes to running servers
 
 Unit-file changes do not apply to already-running services. After any change: