fix: Home Assistant NET_RAW cap, container storage on LUKS, NET_BIND for all
- Home Assistant: add NET_RAW for DHCP discovery (fixes dhcp permission error) - Nextcloud/BTCPay/Jellyfin/etc: add NET_BIND_SERVICE (was missing) - Container storage: redirect graphroot to /var/lib/archipelago/containers/storage (prevents root partition filling up — was 100% after 6 images on 29GB root) Tested on .198: 10 containers running simultaneously: Bitcoin Knots (syncing), LND (wallet ready), FileBrowser (healthy), Grafana, Vaultwarden, SearXNG, Home Assistant, Electrumx, Uptime Kuma, Jellyfin Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
parent
c6ae14d09c
commit
fe92d45b72
@ -48,12 +48,23 @@ pub(super) fn is_valid_docker_image(image: &str) -> bool {
|
|||||||
pub(super) fn get_app_capabilities(app_id: &str) -> Vec<String> {
|
pub(super) fn get_app_capabilities(app_id: &str) -> Vec<String> {
|
||||||
match app_id {
|
match app_id {
|
||||||
// Apps that need user switching and file ownership changes
|
// Apps that need user switching and file ownership changes
|
||||||
"nextcloud" | "homeassistant" | "home-assistant" | "btcpay-server" | "btcpayserver"
|
// Home Assistant needs NET_RAW for DHCP discovery
|
||||||
|
"homeassistant" | "home-assistant" => vec![
|
||||||
|
"--cap-add=CHOWN".to_string(),
|
||||||
|
"--cap-add=FOWNER".to_string(),
|
||||||
|
"--cap-add=SETUID".to_string(),
|
||||||
|
"--cap-add=SETGID".to_string(),
|
||||||
|
"--cap-add=DAC_OVERRIDE".to_string(),
|
||||||
|
"--cap-add=NET_BIND_SERVICE".to_string(),
|
||||||
|
"--cap-add=NET_RAW".to_string(),
|
||||||
|
],
|
||||||
|
"nextcloud" | "btcpay-server" | "btcpayserver"
|
||||||
| "jellyfin" | "onlyoffice" | "onlyoffice-documentserver" | "portainer" => vec![
|
| "jellyfin" | "onlyoffice" | "onlyoffice-documentserver" | "portainer" => vec![
|
||||||
"--cap-add=CHOWN".to_string(),
|
"--cap-add=CHOWN".to_string(),
|
||||||
"--cap-add=SETUID".to_string(),
|
"--cap-add=SETUID".to_string(),
|
||||||
"--cap-add=SETGID".to_string(),
|
"--cap-add=SETGID".to_string(),
|
||||||
"--cap-add=DAC_OVERRIDE".to_string(),
|
"--cap-add=DAC_OVERRIDE".to_string(),
|
||||||
|
"--cap-add=NET_BIND_SERVICE".to_string(),
|
||||||
],
|
],
|
||||||
// Nginx Proxy Manager needs to bind low ports
|
// Nginx Proxy Manager needs to bind low ports
|
||||||
"nginx-proxy-manager" => vec![
|
"nginx-proxy-manager" => vec![
|
||||||
|
|||||||
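Review bot: The new `"homeassistant" | "home-assistant"` arm adds `--cap-add=FOWNER` alongside `--cap-add=NET_RAW`, but the old shared arm did not grant FOWNER and neither the arm's comment nor the commit description explains it; either drop it or state why it is needed. NET_RAW permits raw and packet sockets on whatever network the container is attached to, so the comment should record that scope, e.g. `// NET_RAW: raw sockets for DHCP discovery; keep this arm Home Assistant-only`. `--cap-add=NET_BIND_SERVICE` is now given to every app in the shared arm, although the hunk does not show which of them bind ports below 1024; granting it per app would keep each set minimal. The `// Apps that need user switching and file ownership changes` comment now sits above the Home Assistant comment rather than the arm it describes and should move down to the `"nextcloud" | "btcpay-server" | …` arm. The body of get_app_capabilities continues past the end of the hunk.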