fix: NET_BIND_SERVICE cap for Bitcoin/LND + default for all apps

Bitcoin Knots failed to start with "failed to set loopback adapter up"
because cap-drop=ALL removed NET_BIND_SERVICE, which rootless podman
needs for network namespace setup.

- Add NET_BIND_SERVICE to Bitcoin/LND/Fedimint capabilities
- Add NET_BIND_SERVICE as default for ALL apps (rootless podman needs it)
- UID mapping fix from previous commit also included

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

core/archipelago/src/api/rpc/package/config.rs

@@ -62,7 +62,7 @@ pub(super) fn get_app_capabilities(app_id: &str) -> Vec<String> {
             "--cap-add=SETGID".to_string(),
             "--cap-add=NET_BIND_SERVICE".to_string(),
         ],
-        // Bitcoin and Lightning need file ownership ops + DAC_OVERRIDE for data dir access
+        // Bitcoin and Lightning need file ownership ops + NET_BIND_SERVICE for port binding
         "bitcoin" | "bitcoin-core" | "bitcoin-knots" | "lnd" | "fedimint"
         | "fedimint-gateway" => vec![
             "--cap-add=CHOWN".to_string(),
@@ -70,6 +70,7 @@ pub(super) fn get_app_capabilities(app_id: &str) -> Vec<String> {
             "--cap-add=SETUID".to_string(),
             "--cap-add=SETGID".to_string(),
             "--cap-add=DAC_OVERRIDE".to_string(),
+            "--cap-add=NET_BIND_SERVICE".to_string(),
         ],
         // Vaultwarden needs file ownership + NET_BIND_SERVICE (binds port 80 internally)
         "vaultwarden" => vec![
@@ -102,8 +103,10 @@ pub(super) fn get_app_capabilities(app_id: &str) -> Vec<String> {
             "--cap-add=DAC_OVERRIDE".to_string(),
             "--cap-add=NET_BIND_SERVICE".to_string(),
         ],
-        // Minimal apps (searxng, etc.) need no extra caps
-        _ => vec![],
+        // Default: NET_BIND_SERVICE for port binding in rootless podman networks
+        _ => vec![
+            "--cap-add=NET_BIND_SERVICE".to_string(),
+        ],
     }
 }