fix: add debian-tor group to backend service for onion address access

The backend couldn't read Tor hidden service hostnames because the
systemd service only had SupplementaryGroups=dialout. Adding debian-tor
allows the backend to read /var/lib/tor/hidden_service_*/hostname
without needing sudo (which is blocked by NoNewPrivileges=yes).

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Dorian 2026-03-30 19:14:27 +01:00
parent b515d3883f
commit 87bc0baa94

@ -30,7 +30,7 @@ ReadWritePaths=/var/lib/archipelago /etc/containers /var/lib/containers /run/con
# Privilege restriction — restored with rootless podman (no sudo needed)
NoNewPrivileges=yes
PrivateDevices=no
SupplementaryGroups=dialout
SupplementaryGroups=dialout debian-tor
# Network restriction (allow only IPv4/IPv6 + Unix sockets)
RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6
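Review bot: The new `SupplementaryGroups=dialout debian-tor` line grants the backend every permission held by the debian-tor group, which is wider than the read access to /var/lib/tor/hidden_service_*/hostname that the commit message gives as the goal. Please add a comment above the line saying why each group is needed, in the same style as the neighbouring `# Privilege restriction` and `# Network restriction` comments, so a later hardening pass does not have to rediscover it. It is also worth confirming on a deployed host that the hidden service directories and hostname files are group-readable, since group membership only helps where the file modes allow group access, and considering whether the hostname values could be exposed to the backend more narrowly than through full group membership.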