From b73ef55a65caa43b5c55206baf13d64dbdc972f4 Mon Sep 17 00:00:00 2001
From: sysops
Date: Sat, 13 Jun 2026 22:01:29 +0200
Subject: [PATCH] =?UTF-8?q?fix:=20archivmail.service=20ben=C3=B6tigt=20CAP?=
 =?UTF-8?q?=5FNET=5FADMIN=20f=C3=BCr=20Firewall-Aktivierung?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Der Admin-Endpoint "Firewall aktivieren" (POST /api/admin/security/fix, enable_firewall) ruft "nft -f /etc/nftables.conf" auf. flush ruleset benötigt CAP_NET_ADMIN, das fehlte bisher in der systemd-Unit, wodurch der Aufruf mit "Operation not permitted" fehlschlug.

Co-Authored-By: Claude Sonnet 4.6
---
 install.sh | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

diff --git a/install.sh b/install.sh
index 01e645d..572bd52 100755
--- a/install.sh
+++ b/install.sh
@@ -628,8 +628,9 @@ Requires=postgresql.service manticore.service
 Type=simple
 User=${AM_USER}
 Group=${AM_USER}
-AmbientCapabilities=CAP_NET_BIND_SERVICE
-CapabilityBoundingSet=CAP_NET_BIND_SERVICE
+# CAP_NET_ADMIN: required for the admin "enable firewall" action (nft -f /etc/nftables.conf)
+AmbientCapabilities=CAP_NET_BIND_SERVICE CAP_NET_ADMIN
+CapabilityBoundingSet=CAP_NET_BIND_SERVICE CAP_NET_ADMIN
 ExecStart=${INSTALL_DIR}/archivmail --config ${CONFIG_DIR}/config.yml
 Restart=on-failure
 RestartSec=5
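Review bot: Adding CAP_NET_ADMIN to AmbientCapabilities and CapabilityBoundingSet of the main archivmail.service grants the entire request-serving process permanent network-administration rights, not just the one admin action that runs `nft -f /etc/nftables.conf`; CAP_NET_ADMIN covers far more than loading a ruleset (interfaces, routing, netfilter state), so the privilege stays available to any bug in the HTTP handlers for the lifetime of the process. The narrower design is to keep the unit at `AmbientCapabilities=CAP_NET_BIND_SERVICE` / `CapabilityBoundingSet=CAP_NET_BIND_SERVICE` and have the enable_firewall action trigger a separate privileged oneshot unit (or an equivalently restricted helper) whose only job is the nft reload, so the web process never holds the capability itself. If the ambient grant is kept, the new comment should state the trade-off explicitly, e.g. `# CAP_NET_ADMIN: needed so the admin "enable firewall" action can run nft -f; note this gives the whole web process network-admin rights`. The systemd unit is written from a heredoc whose start and end lie outside the hunk, so whether the unit also sets hardening options that interact with nft (e.g. a system-call filter) cannot be judged from here and should be checked when this is applied.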