Commit graph

3 commits

Author SHA1 Message Date
mwiegand
55b013833b
deploy/hardening: allow x86 syscalls on web drop-in (steamcmd is 32-bit)

The web service handles install jobs by fork-exec'ing steamcmd_linux,
a 32-bit binary. With SystemCallArchitectures=native (x86_64 only) the
kernel SIGSYS-kills it on its first i386 syscall — surfaced as bash
exit 159 (= 128 + SIGSYS) in job logs. Mirror the server drop-in's
`native x86` so the install path works again; the server unit already
needed the same allowance for srcds_linux.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

2026-05-15 20:14:26 +02:00
mwiegand
3703749252
deploy/hardening: drop ProcSubset=pid from the server drop-in (regression fix)

The hardening-extraction subagent (commit just prior) re-introduced
ProcSubset=pid into the server@ drop-in because the design plan's
template had it. The directive had previously been removed from the
live unit by ckn-bw 4339289 — it hides /proc/cpuinfo and breaks
SteamAPI master-server registration, leaving the server in LAN-only
fallback ("LAN servers are restricted to local clients (class C)").

Add a negative assertion in the drop-in test so the regression cannot
sneak back in via a copy-paste edit.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

2026-05-15 19:24:34 +02:00
mwiegand
e9c172a619
deploy: extract hardening into drop-in files alongside the units

Hardening directives leave the base unit body and live in:
  deploy/files/etc/systemd/system/left4me-web.service.d/10-hardening.conf
  deploy/files/etc/systemd/system/left4me-server@.service.d/10-hardening.conf

Reference units now describe just the base operational shape (exec,
env, restart, resources). Tests split: base-unit content and hardening
profile are asserted separately.

Part of 2026-05-15-deployment-responsibility-design.md migration
step 2. ckn-bw lands the matching reactor surgery + symlink delivery.

2026-05-15 19:16:59 +02:00