From ee6a66c8017c999fe30b1b893fc68c5a03e2a4ec Mon Sep 17 00:00:00 2001
From: Dorian
Date: Sun, 29 Mar 2026 15:12:40 +0100
Subject: [PATCH] fix: NET_BIND_SERVICE cap for Bitcoin/LND + default for all apps

Bitcoin Knots failed to start with "failed to set loopback adapter up" because cap-drop=ALL removed NET_BIND_SERVICE, which rootless podman needs for network namespace setup.

- Add NET_BIND_SERVICE to Bitcoin/LND/Fedimint capabilities
- Add NET_BIND_SERVICE as default for ALL apps (rootless podman needs it)
- UID mapping fix from previous commit also included

Co-Authored-By: Claude Opus 4.6 (1M context)
---
 core/archipelago/src/api/rpc/package/config.rs | 9 ++++++---
 1 file changed, 6 insertions(+), 3 deletions(-)

diff --git a/core/archipelago/src/api/rpc/package/config.rs b/core/archipelago/src/api/rpc/package/config.rs
index 7455c2a1..41b56d81 100644
--- a/core/archipelago/src/api/rpc/package/config.rs
+++ b/core/archipelago/src/api/rpc/package/config.rs
@@ -62,7 +62,7 @@ pub(super) fn get_app_capabilities(app_id: &str) -> Vec {
 "--cap-add=SETGID".to_string(),
 "--cap-add=NET_BIND_SERVICE".to_string(),
 ],
- // Bitcoin and Lightning need file ownership ops + DAC_OVERRIDE for data dir access
+ // Bitcoin and Lightning need file ownership ops + NET_BIND_SERVICE for port binding
 "bitcoin" | "bitcoin-core" | "bitcoin-knots" | "lnd" | "fedimint" | "fedimint-gateway" => vec![
 "--cap-add=CHOWN".to_string(),
@@ -70,6 +70,7 @@ pub(super) fn get_app_capabilities(app_id: &str) -> Vec {
 "--cap-add=SETUID".to_string(),
 "--cap-add=SETGID".to_string(),
 "--cap-add=DAC_OVERRIDE".to_string(),
+ "--cap-add=NET_BIND_SERVICE".to_string(),
 ],
 // Vaultwarden needs file ownership + NET_BIND_SERVICE (binds port 80 internally)
 "vaultwarden" => vec![ "
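Review bot: The rewritten comment on the `+` line drops the only stated justification for `DAC_OVERRIDE`, which remains in this arm (visible in the next hunk) and is by far the broadest capability granted here — it bypasses file permission checks, which matters much more for least privilege than a port-binding cap. The new wording ("for port binding") also does not match the commit message, which attributes the need to rootless podman network-namespace setup rather than to any privileged port. Keep both rationales so the next reader can tell which caps are load-bearing, e.g. `// Bitcoin and Lightning need file ownership ops + DAC_OVERRIDE for data dir access; NET_BIND_SERVICE added as a rootless-podman netns workaround (see commit)`. The match arm and the enclosing `get_app_capabilities` continue outside this hunk.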
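Review bot: The added `NET_BIND_SERVICE` line is explained by a loopback-setup failure, but `CAP_NET_BIND_SERVICE` only lifts the restriction on binding ports below 1024; it plays no part in bringing an interface up, and the default listen ports I am aware of for bitcoind, lnd and fedimint are all above 1024, so this cap should not be needed for port binding either. Since the commit message says a UID-mapping change is bundled in the same commit, please confirm the fix was actually bisected to this flag rather than to the UID mapping before it becomes a documented requirement. If it is a runtime workaround, mark it so it can be retired, e.g. `"--cap-add=NET_BIND_SERVICE".to_string(), // workaround: rootless podman netns setup failed without it — re-verify after podman upgrades`. The enclosing match arm starts before this hunk.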
@@ -102,8 +103,10 @@ pub(super) fn get_app_capabilities(app_id: &str) -> Vec {
 "--cap-add=DAC_OVERRIDE".to_string(),
 "--cap-add=NET_BIND_SERVICE".to_string(),
 ],
- // Minimal apps (searxng, etc.) need no extra caps
- _ => vec![],
+ // Default: NET_BIND_SERVICE for port binding in rootless podman networks
+ _ => vec![
+ "--cap-add=NET_BIND_SERVICE".to_string(),
+ ],
 }
 }
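Review bot: Making `NET_BIND_SERVICE` the default for every app reverses the empty-default, `cap-drop=ALL` posture the removed comment documented, and the new comment's rationale ("port binding") conflicts with the commit message ("network namespace setup"): `CAP_NET_BIND_SERVICE` only lifts the privileged-port (<1024) restriction and on its own should not affect bringing up loopback, so the root cause looks unconfirmed. Before adopting a blanket grant, verify the failure reproduces with only this capability removed; if it does, record it as a runtime-specific workaround, and if it does not, keep `_ => vec![]` and add the cap only to arms that bind a privileged port, as the `vaultwarden` arm already does. Either way the comment should give the real reason and a condition for removal, e.g. `// Default: NET_BIND_SERVICE — rootless podman netns setup failed without it ("failed to set loopback adapter up"); low-risk cap, but re-check on podman upgrades`. For apps that merely need a low port, `--sysctl net.ipv4.ip_unprivileged_port_start=0` keeps the capability set empty, though whether this runtime accepts that for these containers is not visible here.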