From 87bc0baa94d41df68c767e35f79a53929dd18946 Mon Sep 17 00:00:00 2001 From: Dorian Date: Mon, 30 Mar 2026 19:14:27 +0100 Subject: [PATCH] fix: add debian-tor group to backend service for onion address access The backend couldn't read Tor hidden service hostnames because the systemd service only had SupplementaryGroups=dialout. Adding debian-tor allows the backend to read /var/lib/tor/hidden_service_*/hostname without needing sudo (which is blocked by NoNewPrivileges=yes). Co-Authored-By: Claude Opus 4.6 (1M context)
---
 image-recipe/configs/archipelago.service | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/image-recipe/configs/archipelago.service b/image-recipe/configs/archipelago.service
index 4e69581b..eb3fd154 100644
--- a/image-recipe/configs/archipelago.service
+++ b/image-recipe/configs/archipelago.service
@@ -30,7 +30,7 @@ ReadWritePaths=/var/lib/archipelago /etc/containers /var/lib/containers /run/con
 # Privilege restriction — restored with rootless podman (no sudo needed)
 NoNewPrivileges=yes
 PrivateDevices=no
-SupplementaryGroups=dialout
+SupplementaryGroups=dialout debian-tor
 # Network restriction (allow only IPv4/IPv6 + Unix sockets)
 RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6
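Review bot: The new `SupplementaryGroups=dialout debian-tor` line grants more than the hostname read the description asks for: on stock Debian packaging the debian-tor group can also use the Tor control socket and read its auth cookie, so a compromised backend would be able to reconfigure the Tor daemon. If only the onion names are needed, a narrower route is to keep the service out of the group and have a privileged step (for example an `ExecStartPre=+` copy into /var/lib/archipelago, which is already in ReadWritePaths) publish the hostname files. If the group stays, record its reason and scope beside it, e.g. `# debian-tor: needed to read hidden_service_*/hostname; group also reaches the Tor control socket`. Two things cannot be confirmed from this hunk and are worth checking: that torrc actually makes the hidden-service directories group-readable (`HiddenServiceDirGroupReadable 1`; Tor keeps them owner-only by default), and that the group exists before the unit starts, since systemd fails a unit whose supplementary group does not resolve. The unit file continues outside the hunk.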