From bc6b4e0becb2d270530fc9d8e69307a5f0062da1 Mon Sep 17 00:00:00 2001
From: Dorian
Date: Mon, 30 Mar 2026 22:14:01 +0100
Subject: [PATCH] fix: add DAC_OVERRIDE cap for rootless volume access, fix LND health check
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

- electrumx: add DAC_OVERRIDE to SPEC_CAPS — rootless podman maps container UID 0 to host UID 1000, but volumes are owned by host UID 100000; without DAC_OVERRIDE the container can't write to its own data directory
- lnd: replace curl-based health check with lncli using readonly macaroon — the REST API requires macaroon auth, so unauthenticated curl always fails
- grafana: add DAC_OVERRIDE to SPEC_CAPS for the same rootless volume issue
Co-Authored-By: Claude Opus 4.6 (1M context)
---
 scripts/container-specs.sh | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/scripts/container-specs.sh b/scripts/container-specs.sh
index 07c3d8a6..518f042f 100755
--- a/scripts/container-specs.sh
+++ b/scripts/container-specs.sh
@@ -170,7 +170,7 @@ load_spec_electrumx() {
 SPEC_TIER="1"
 SPEC_DATA_DIR="/var/lib/archipelago/electrumx"
 SPEC_DEPENDS="bitcoin-knots"
- SPEC_CAPS=""
+ SPEC_CAPS="DAC_OVERRIDE"
 }
 
 # ── Tier 2: Services ─────────────────────────────────────────────────
@@ -183,7 +183,7 @@ load_spec_lnd() {
 SPEC_PORTS="9735:9735 10009:10009 8080:8080"
 SPEC_VOLUMES="/var/lib/archipelago/lnd:/root/.lnd"
 SPEC_MEMORY="$(mem_limit lnd)"
- SPEC_HEALTH_CMD="curl -sf --insecure https://localhost:8080/v1/getinfo || exit 1"
+ SPEC_HEALTH_CMD="lncli --tlscertpath /root/.lnd/tls.cert --macaroonpath /root/.lnd/data/chain/bitcoin/mainnet/readonly.macaroon --rpcserver localhost:10009 getinfo > /dev/null 2>&1 || exit 1"
 SPEC_TIER="2"
 SPEC_DATA_DIR="/var/lib/archipelago/lnd"
 SPEC_DEPENDS="bitcoin-knots"
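Review bot: In the `load_spec_electrumx` hunk, `SPEC_CAPS="DAC_OVERRIDE"` works around a volume-ownership mismatch by letting the container's root bypass read/write/execute permission checks on any file whose owner is mapped into its user namespace, which is broader than write access to one data directory. The grafana hunk makes the same trade even though `SPEC_DATA_UID="100472:100472"` is already declared there, which suggests the ownership is either not applied or the entrypoint writes as UID 0 before dropping privileges. A narrower fix would be to make the data directory owned by the mapped UID the service runs as, for example by giving electrumx its own `SPEC_DATA_UID` and keeping `SPEC_CAPS=""`; how that variable is consumed is outside this page, so confirm it actually chowns the host directory. If the capability has to stay, a comment such as `# DAC_OVERRIDE: rootless volume owned by a different mapped UID; drop once SPEC_DATA_DIR ownership is fixed` would record why it is there. load_spec_electrumx starts outside the hunk.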
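Review bot: The new `SPEC_HEALTH_CMD` in `load_spec_lnd` hard-codes `/root/.lnd/data/chain/bitcoin/mainnet/readonly.macaroon`, so on any non-mainnet network the check would fail for the same reason the curl one did: it cannot authenticate. It will presumably also report unhealthy while the wallet is locked or not yet created, since `getinfo` needs the main RPC server; if whatever consumes this status restarts unhealthy containers (not visible on this page), a node waiting for unlock could be restarted in a loop. Because `> /dev/null 2>&1` hides the reason for a failure, a comment above the line would help, e.g. `# health: needs the mainnet readonly.macaroon and an unlocked wallet; reports unhealthy until unlock`. The read-only macaroon and certificate-verified gRPC call are a better fit than the previous `--insecure` request, so this is only about documenting the assumptions. load_spec_lnd's body continues outside the hunk.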
@@ -336,7 +336,7 @@ load_spec_grafana() {
 SPEC_TIER="3"
 SPEC_DATA_DIR="/var/lib/archipelago/grafana"
 SPEC_DATA_UID="100472:100472"
- SPEC_CAPS="CHOWN SETUID SETGID"
+ SPEC_CAPS="CHOWN SETUID SETGID DAC_OVERRIDE"
 }
 
 load_spec_uptime-kuma() {