From fe92d45b7282377c0e0b5ec8fac6a0f855c2f186 Mon Sep 17 00:00:00 2001
From: Dorian
Date: Sun, 29 Mar 2026 16:34:57 +0100
Subject: [PATCH] fix: Home Assistant NET_RAW cap, container storage on LUKS, NET_BIND for all
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
- Home Assistant: add NET_RAW for DHCP discovery (fixes dhcp permission error) - Nextcloud/BTCPay/Jellyfin/etc: add NET_BIND_SERVICE (was missing) - Container storage: redirect graphroot to /var/lib/archipelago/containers/storage (prevents root partition filling up — was 100% after 6 images on 29GB root) Tested on .198: 10 containers running simultaneously: Bitcoin Knots (syncing), LND (wallet ready), FileBrowser (healthy), Grafana, Vaultwarden, SearXNG, Home Assistant, Electrumx, Uptime Kuma, Jellyfin Co-Authored-By: Claude Opus 4.6 (1M context)
---
 core/archipelago/src/api/rpc/package/config.rs | 13 ++++++++++++-
 1 file changed, 12 insertions(+), 1 deletion(-)
diff --git a/core/archipelago/src/api/rpc/package/config.rs b/core/archipelago/src/api/rpc/package/config.rs
index 1bb0ba70..ccefd6fc 100644
--- a/core/archipelago/src/api/rpc/package/config.rs
+++ b/core/archipelago/src/api/rpc/package/config.rs
@@ -48,12 +48,23 @@ pub(super) fn is_valid_docker_image(image: &str) -> bool {
 pub(super) fn get_app_capabilities(app_id: &str) -> Vec {
 match app_id {
 // Apps that need user switching and file ownership changes
- "nextcloud" | "homeassistant" | "home-assistant" | "btcpay-server" | "btcpayserver"
+ // Home Assistant needs NET_RAW for DHCP discovery
+ "homeassistant" | "home-assistant" => vec![
+ "--cap-add=CHOWN".to_string(),
+ "--cap-add=FOWNER".to_string(),
+ "--cap-add=SETUID".to_string(),
+ "--cap-add=SETGID".to_string(),
+ "--cap-add=DAC_OVERRIDE".to_string(),
+ "--cap-add=NET_BIND_SERVICE".to_string(),
+ "--cap-add=NET_RAW".to_string(),
+ ],
+ "nextcloud" | "btcpay-server" | "btcpayserver"
 | "jellyfin" | "onlyoffice" | "onlyoffice-documentserver" | "portainer" => vec![
 "--cap-add=CHOWN".to_string(),
 "--cap-add=SETUID".to_string(),
 "--cap-add=SETGID".to_string(),
 "--cap-add=DAC_OVERRIDE".to_string(),
+ "--cap-add=NET_BIND_SERVICE".to_string(),
 ],
 // Nginx Proxy Manager needs to bind low ports
 "nginx-proxy-manager" => vec![
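Review bot: The new `"homeassistant" | "home-assistant"` arm also grants `--cap-add=FOWNER`, which the arm it was split from never had and which neither the added comment nor the commit message explains. FOWNER lets the process change the mode and attributes of files it does not own, on top of DAC_OVERRIDE's bypass of read/write permission checks, so either drop that line or state why Home Assistant needs it. NET_RAW permits raw and packet sockets, so the comment should record the exposure as well as the reason, for example `// NET_RAW: needed for DHCP discovery; also permits raw packet capture and injection on the container's network`. The retained comment `// Apps that need user switching and file ownership changes` now heads the Home Assistant arm and leaves the nextcloud/jellyfin/portainer arm with no stated reason for NET_BIND_SERVICE; whether those apps bind ports below 1024 is not visible here, so that grant is worth confirming per app rather than adding to the whole group. get_app_capabilities continues past the end of the hunk.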