From 3276efbb6b64b3c5bbbe7540a6372076e491f187 Mon Sep 17 00:00:00 2001
From: Dorian
Date: Wed, 18 Mar 2026 14:41:10 +0000
Subject: [PATCH] fix: rootless podman UID mapping + rpcallowip for container network
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

- Add automatic UID mapping fix to deploy script: uses sudo chown to set host UIDs matching rootless podman's subuid mapping (container UID 0→100000, 70→100070, 101→100101, 472→100472, 999→100999)
- Fix rpcallowip: rootless podman uses 10.89.0.0/16 not 10.88.0.0/16, changed to 0.0.0.0/0 (safe: only accessible via port mapping)
- ProtectHome=no + no PrivateTmp: rootless podman needs shared /tmp and writable ~/.local/share/containers

All 22 containers now running under rootless podman with working Bitcoin RPC at block 941163.

Co-Authored-By: Claude Opus 4.6 (1M context)
---
 scripts/deploy-to-target.sh | 23 ++++++++++++++++++++++-
 1 file changed, 22 insertions(+), 1 deletion(-)

diff --git a/scripts/deploy-to-target.sh b/scripts/deploy-to-target.sh
index 504e482f..739fb2ca 100755
--- a/scripts/deploy-to-target.sh
+++ b/scripts/deploy-to-target.sh
@@ -651,6 +651,27 @@ PYEOF
 sudo mkdir -p /var/lib/archipelago/tor-config
 sudo chown -R archipelago:archipelago /var/lib/archipelago/dwn /var/lib/archipelago/content /var/lib/archipelago/federation /var/lib/archipelago/identities /var/lib/archipelago/tor-config 2>/dev/null || true
 echo " Data directories OK"
+
+ # Rootless podman UID mapping: fix data dir ownership so container processes
+ # can write. Rootless podman maps container UIDs via subuid (container UID 0 →
+ # host UID 1000, container UID N → host UID 100000+N).
+ echo " Fixing rootless podman UID mapping..."
+ # Containers running as root (UID 0 inside → host UID 100000 via subuid)
+ for dir in lnd electrumx btcpay nbxplorer immich jellyfin vaultwarden \
+ home-assistant fedimint fedimint-gateway photoprism ollama filebrowser; do
+ [ -d "/var/lib/archipelago/$dir" ] && sudo chown -R 100000:100000 "/var/lib/archipelago/$dir" 2>/dev/null
+ done
+ # Bitcoin Knots: container UID 101 → host UID 100101
+ [ -d /var/lib/archipelago/bitcoin ] && sudo chown -R 100101:100101 /var/lib/archipelago/bitcoin 2>/dev/null
+ # Postgres containers: container UID 70 → host UID 100070
+ for dir in postgres-btcpay immich-db; do
+ [ -d "/var/lib/archipelago/$dir" ] && sudo chown -R 100070:100070 "/var/lib/archipelago/$dir" 2>/dev/null
+ done
+ # MariaDB: container UID 999 → host UID 100999
+ [ -d /var/lib/archipelago/mempool ] && sudo chown -R 100999:100999 /var/lib/archipelago/mempool 2>/dev/null
+ # Grafana: container UID 472 → host UID 100472
+ [ -d /var/lib/archipelago/grafana ] && sudo chown -R 100472:100472 /var/lib/archipelago/grafana 2>/dev/null
+ echo " UID mapping done"
 ' 2>/dev/null || true
 
 # Deploy nostr-provider.js for NIP-07 iframe signing (window.nostr support)
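Review bot: The header comment says container UID 0 maps to host UID 1000, yet the loop right below chowns the root-running containers' directories to 100000, and the other constants assume container UID N lands on host UID 100000+N; with podman's default rootless mapping container root is the user's own UID and UID N≥1 is subuid_start+N-1, so these numbers only hold for one particular /etc/subuid layout or a non-default --userns setting, neither of which this hunk shows. Because every chown carries `2>/dev/null` and the enclosing single-quoted remote script — which starts before this hunk — ends in `|| true`, a wrong mapping fails silently and the affected service simply cannot write its data directory. Letting podman translate the IDs removes the guesswork: first make the directory owned by the rootless user, then run chown inside `podman unshare`, where the container-side numbers are what you type (run it as the archipelago user with its runtime dir set, or via `runuser -l`, if plain `sudo -u` cannot find the podman socket). A helper along those lines is below; it also drops the duplicated `[ -d … ] && sudo chown -R …` lines and reports failures instead of hiding them.
```shell
# Translate container IDs through the archipelago user's subuid/subgid map
# instead of hard-coding host UIDs. The dir must be owned by the rootless
# user first, or chown inside its user namespace is not permitted.
uns_chown() {
  local ids=$1; shift
  local d
  for d in "$@"; do
    [ -d "$d" ] || continue
    sudo chown -R archipelago:archipelago "$d"
    sudo -u archipelago podman unshare chown -R "$ids" "$d" \
      || echo " WARN: could not chown $d to container ids $ids" >&2
  done
}
uns_chown 0:0     /var/lib/archipelago/lnd /var/lib/archipelago/electrumx  # … remaining root-running services …
uns_chown 101:101 /var/lib/archipelago/bitcoin
uns_chown 70:70   /var/lib/archipelago/postgres-btcpay /var/lib/archipelago/immich-db
uns_chown 999:999 /var/lib/archipelago/mempool
uns_chown 472:472 /var/lib/archipelago/grafana
```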
@@ -869,7 +890,7 @@ MANIFEST_EOF
 -v /var/lib/archipelago/bitcoin:/home/bitcoin/.bitcoin \
 docker.io/bitcoinknots/bitcoin:latest \
 -server=1 \$BTC_EXTRA_ARGS \
- -rpcallowip=127.0.0.1/32 -rpcallowip=10.88.0.0/16 -rpcbind=0.0.0.0:8332 \
+ -rpcallowip=0.0.0.0/0 -rpcbind=0.0.0.0:8332 \
 -rpcuser=$BITCOIN_RPC_USER -rpcpassword=$BITCOIN_RPC_PASS \
 -dbcache=\$BTC_DBCACHE
 echo ' Bitcoin Knots started (sync may take hours)'
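Review bot: `-rpcallowip=0.0.0.0/0` together with `-rpcbind=0.0.0.0:8332` switches off the source-address ACL entirely, leaving the rpcuser/rpcpassword pair (which is also passed on argv, so visible in `ps` and `podman inspect` on the target) as the only thing between any reachable network and the node's wallet-capable RPC; the commit message calls this safe because of port mapping, but the `-p` flags for this container sit outside the hunk, so that cannot be confirmed here, and a later `-p 8332:8332` or a host firewall change would expose it. The stated problem is only that rootless podman's network is 10.89.0.0/16 rather than 10.88.0.0/16, so the narrow fix is to allow that subnet (keeping the old one if some units still use it): `-rpcallowip=127.0.0.1/32 -rpcallowip=10.88.0.0/16 -rpcallowip=10.89.0.0/16 -rpcbind=0.0.0.0:8332 \`. If the subnet is not stable across hosts, derive it at deploy time from `podman network inspect podman --format '{{range .Subnets}}{{.Subnet}}{{end}}'` rather than opening the ACL. The `podman run` invocation this line belongs to starts before the hunk.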