From 768ca26e901ab18e5cb11626094ea81c4232eb2c Mon Sep 17 00:00:00 2001
From: Dorian
Date: Mon, 30 Mar 2026 23:03:27 +0100
Subject: [PATCH] fix: add required capabilities to UI container specs for nginx startup Nginx needs CHOWN, SETUID, SETGID to chown cache directories and drop privileges on startup. LND UI additionally needs NET_BIND_SERVICE to bind port 80 inside the container. Without these, cap-drop ALL causes nginx to crash with "Operation not permitted" on chown or bind. Co-Authored-By: Claude Opus 4.6 (1M context)
---
 scripts/container-specs.sh | 12 ++++++------
 1 file changed, 6 insertions(+), 6 deletions(-)
diff --git a/scripts/container-specs.sh b/scripts/container-specs.sh
index fa875e67..77907582 100755
--- a/scripts/container-specs.sh
+++ b/scripts/container-specs.sh
@@ -494,8 +494,8 @@ load_spec_archy-bitcoin-ui() {
 SPEC_MEMORY="$(mem_limit archy-bitcoin-ui)"
 SPEC_TIER="4"
 SPEC_LOCAL_IMAGE="true"
- SPEC_CAPS=""
- SPEC_SECURITY=""
+ SPEC_CAPS="CHOWN SETUID SETGID"
+ SPEC_SECURITY="no-new-privileges:true"
 }

 load_spec_archy-lnd-ui() {
@@ -506,8 +506,8 @@ load_spec_archy-lnd-ui() {
 SPEC_MEMORY="$(mem_limit archy-lnd-ui)"
 SPEC_TIER="4"
 SPEC_LOCAL_IMAGE="true"
- SPEC_CAPS=""
- SPEC_SECURITY=""
+ SPEC_CAPS="CHOWN SETUID SETGID NET_BIND_SERVICE"
+ SPEC_SECURITY="no-new-privileges:true"
 }

 load_spec_archy-electrs-ui() {
@@ -518,8 +518,8 @@ load_spec_archy-electrs-ui() {
 SPEC_MEMORY="$(mem_limit archy-electrs-ui)"
 SPEC_TIER="4"
 SPEC_LOCAL_IMAGE="true"
- SPEC_CAPS=""
- SPEC_SECURITY=""
+ SPEC_CAPS="CHOWN SETUID SETGID"
+ SPEC_SECURITY="no-new-privileges:true"
 }

 # ── Registry ─────────────────────────────────────────────────────────
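Review bot: The `SPEC_CAPS="CHOWN SETUID SETGID"` assignment in `load_spec_archy-bitcoin-ui` (repeated in `load_spec_archy-electrs-ui`, and extended in `load_spec_archy-lnd-ui`) means the nginx master still starts as root inside the container, and nothing next to the assignment records why each capability is there. These specs set `SPEC_LOCAL_IMAGE="true"`, so the images appear to be built by the project; pre-owning the cache directories at build time and starting nginx as a non-root user would presumably let `SPEC_CAPS` stay empty under cap-drop ALL. If the root-start design is kept, a comment such as `# nginx master starts as root: CHOWN for cache dirs, SETUID/SETGID to drop to the worker user` above `SPEC_CAPS` would stop the list from being widened without review. All three function bodies begin outside their hunks, so how `SPEC_CAPS` and `SPEC_SECURITY` are consumed is not visible here.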
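Review bot: `NET_BIND_SERVICE` in `load_spec_archy-lnd-ui` is granted only so nginx can bind port 80 inside the container, while the other two UI specs run without it, which suggests their listeners already use an unprivileged port. Moving the LND UI listener above port 1023 and leaving the published port mapping as it is would make the three specs identical and remove one capability; the listen port is not visible in this hunk, so check it against the image's nginx config. If port 80 has to stay, state the reason at the assignment, for example `# NET_BIND_SERVICE: nginx listens on :80 in this image`.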