diff --git a/core/archipelago/src/api/rpc/package/config.rs b/core/archipelago/src/api/rpc/package/config.rs
index 7455c2a1..41b56d81 100644
--- a/core/archipelago/src/api/rpc/package/config.rs
+++ b/core/archipelago/src/api/rpc/package/config.rs
@@ -62,7 +62,7 @@ pub(super) fn get_app_capabilities(app_id: &str) -> Vec {
 "--cap-add=SETGID".to_string(),
 "--cap-add=NET_BIND_SERVICE".to_string(),
 ],
- // Bitcoin and Lightning need file ownership ops + DAC_OVERRIDE for data dir access
+ // Bitcoin and Lightning need file ownership ops + NET_BIND_SERVICE for port binding
 "bitcoin" | "bitcoin-core" | "bitcoin-knots" | "lnd" | "fedimint" | "fedimint-gateway" => vec![
 "--cap-add=CHOWN".to_string(),
@@ -70,6 +70,7 @@ pub(super) fn get_app_capabilities(app_id: &str) -> Vec {
 "--cap-add=SETUID".to_string(),
 "--cap-add=SETGID".to_string(),
 "--cap-add=DAC_OVERRIDE".to_string(),
+ "--cap-add=NET_BIND_SERVICE".to_string(),
 ],
 // Vaultwarden needs file ownership + NET_BIND_SERVICE (binds port 80 internally)
 "vaultwarden" => vec![
@@ -102,8 +103,10 @@ pub(super) fn get_app_capabilities(app_id: &str) -> Vec {
 "--cap-add=DAC_OVERRIDE".to_string(),
 "--cap-add=NET_BIND_SERVICE".to_string(),
 ],
- // Minimal apps (searxng, etc.) need no extra caps
- _ => vec![],
+ // Default: NET_BIND_SERVICE for port binding in rootless podman networks
+ _ => vec![
+ "--cap-add=NET_BIND_SERVICE".to_string(),
+ ],
 }
 }
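Review bot: The rewritten comment above the `"bitcoin" | … | "fedimint-gateway"` arm no longer gives a reason for DAC_OVERRIDE, although the arm still grants it (`"--cap-add=DAC_OVERRIDE".to_string(),` is unchanged context in the next hunk). DAC_OVERRIDE bypasses file permission checks, so it is the entry in this list a later audit will most want a justification for. Keep both reasons in the comment, for example `// Bitcoin and Lightning need file ownership ops, DAC_OVERRIDE for data dir access, NET_BIND_SERVICE for port binding`. The arm's body runs past the end of this hunk.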
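Review bot: The added `"--cap-add=NET_BIND_SERVICE".to_string(),` applies to all six app ids matched by this arm, and nothing visible records which of them binds a port below 1024, the only case where the capability has an effect under the default unprivileged-port threshold. Either note the requirement next to the line, e.g. `// <app> listens on <port> inside the container`, or move the apps that need it into their own arm so the others keep the smaller set. The arm's opening lines are outside this hunk, so the full list of capabilities it grants should be checked against the file.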
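Review bot: The fallback arm now fails open: every `app_id` without an arm of its own, including ids added later or mistyped, receives `--cap-add=NET_BIND_SERVICE` without anyone having decided that the app needs it. The previous `_ => vec![]` made extra capabilities opt-in per app, which is the safer default for a capability allowlist. I would keep `_ => vec![],` and add a named arm for the apps that failed to bind, e.g. `"searxng" => vec!["--cap-add=NET_BIND_SERVICE".to_string()],` if searxng (the app the removed comment names) is one of them. Where the app allows it, listening on a port above 1023 avoids the capability entirely. The start of `get_app_capabilities` is outside the hunk.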