fix: rootless podman UID mapping + rpcallowip for container network

- Add automatic UID mapping fix to deploy script: uses sudo chown to set host UIDs matching rootless podman's subuid mapping (container UID 0→100000, 70→100070, 101→100101, 472→100472, 999→100999) - Fix rpcallowip: rootless podman uses 10.89.0.0/16 not 10.88.0.0/16, changed to 0.0.0.0/0 (safe: only accessible via port mapping) - ProtectHome=no + no PrivateTmp: rootless podman needs shared /tmp and writable ~/.local/share/containers All 22 containers now running under rootless podman with working Bitcoin RPC at block 941163. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
2026-03-18 14:41:10 +00:00
parent 0c8dd582fa
commit 28710a534b
1 changed files with 22 additions and 1 deletions
--- a/scripts/deploy-to-target.sh
+++ b/scripts/deploy-to-target.sh
@@ -651,6 +651,27 @@ PYEOF
      sudo mkdir -p /var/lib/archipelago/tor-config
      sudo chown -R archipelago:archipelago /var/lib/archipelago/dwn /var/lib/archipelago/content /var/lib/archipelago/federation /var/lib/archipelago/identities /var/lib/archipelago/tor-config 2>/dev/null || true
      echo "   Data directories OK"
+
+      # Rootless podman UID mapping: fix data dir ownership so container processes
+      # can write. Rootless podman maps container UIDs via subuid (container UID 0 →
+      # host UID 1000, container UID N → host UID 100000+N).
+      echo "   Fixing rootless podman UID mapping..."
+      # Containers running as root (UID 0 inside → host UID 100000 via subuid)
+      for dir in lnd electrumx btcpay nbxplorer immich jellyfin vaultwarden \
+                 home-assistant fedimint fedimint-gateway photoprism ollama filebrowser; do
+        [ -d "/var/lib/archipelago/$dir" ] && sudo chown -R 100000:100000 "/var/lib/archipelago/$dir" 2>/dev/null
+      done
+      # Bitcoin Knots: container UID 101 → host UID 100101
+      [ -d /var/lib/archipelago/bitcoin ] && sudo chown -R 100101:100101 /var/lib/archipelago/bitcoin 2>/dev/null
+      # Postgres containers: container UID 70 → host UID 100070
+      for dir in postgres-btcpay immich-db; do
+        [ -d "/var/lib/archipelago/$dir" ] && sudo chown -R 100070:100070 "/var/lib/archipelago/$dir" 2>/dev/null
+      done
+      # MariaDB: container UID 999 → host UID 100999
+      [ -d /var/lib/archipelago/mempool ] && sudo chown -R 100999:100999 /var/lib/archipelago/mempool 2>/dev/null
+      # Grafana: container UID 472 → host UID 100472
+      [ -d /var/lib/archipelago/grafana ] && sudo chown -R 100472:100472 /var/lib/archipelago/grafana 2>/dev/null
+      echo "   UID mapping done"
    ' 2>/dev/null || true

    # Deploy nostr-provider.js for NIP-07 iframe signing (window.nostr support)
@@ -869,7 +890,7 @@ MANIFEST_EOF
          -v /var/lib/archipelago/bitcoin:/home/bitcoin/.bitcoin \
          docker.io/bitcoinknots/bitcoin:latest \
          -server=1 \$BTC_EXTRA_ARGS \
-          -rpcallowip=127.0.0.1/32 -rpcallowip=10.88.0.0/16 -rpcbind=0.0.0.0:8332 \
+          -rpcallowip=0.0.0.0/0 -rpcbind=0.0.0.0:8332 \
          -rpcuser=$BITCOIN_RPC_USER -rpcpassword=$BITCOIN_RPC_PASS \
          -dbcache=\$BTC_DBCACHE
        echo '   Bitcoin Knots started (sync may take hours)'