fix: LND mainnet config, SearXNG settings seed, default caps

- LND: add --bitcoin.active --bitcoin.mainnet and all bitcoind
  connection args as container CMD args (was only env var before)
- SearXNG: add volume mount + auto-create settings.yml on install
  (container exits immediately without it)
- Default caps: all containers get full rootless podman baseline

Tested on .198:
- Bitcoin Knots: running, syncing (942803 blocks)
- Grafana: running, migration complete
- Vaultwarden: running, keys created
- SearXNG: running, listening on 8080
- LND: needs bitcoin container named 'bitcoin-knots' on archy-net

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

core/archipelago/src/api/rpc/package/config.rs

@@ -392,9 +392,21 @@ pub(super) async fn get_app_config(
                 "8080:8080".to_string(),
             ],
             vec!["/var/lib/archipelago/lnd:/root/.lnd".to_string()],
-            vec!["BITCOIN_ACTIVE=1".to_string()],
-            None,
+            vec![],
             None,
+            Some(vec![
+                "--bitcoin.active".to_string(),
+                "--bitcoin.mainnet".to_string(),
+                "--bitcoin.node=bitcoind".to_string(),
+                format!("--bitcoind.rpcuser={}", rpc_user),
+                format!("--bitcoind.rpcpass={}", rpc_pass),
+                "--bitcoind.rpchost=bitcoin-knots:8332".to_string(),
+                "--bitcoind.zmqpubrawblock=tcp://bitcoin-knots:28332".to_string(),
+                "--bitcoind.zmqpubrawtx=tcp://bitcoin-knots:28333".to_string(),
+                "--rpclisten=0.0.0.0:10009".to_string(),
+                "--restlisten=0.0.0.0:8080".to_string(),
+                "--listen=0.0.0.0:9735".to_string(),
+            ]),
         ),
         "btcpay-server" | "btcpayserver" => (
             vec!["23000:49392".to_string()],
@@ -483,7 +495,7 @@ pub(super) async fn get_app_config(
         ),
         "searxng" => (
             vec!["8888:8080".to_string()],
-            vec![],
+            vec!["/var/lib/archipelago/searxng:/etc/searxng".to_string()],
             vec![],
             None,
             None,

core/archipelago/src/api/rpc/package/install.rs

@@ -173,6 +173,22 @@ impl RpcHandler {
             self.write_bitcoin_conf(&rpc_user, &rpc_pass).await;
         }
 
+        // Pre-install: SearXNG settings.yml (required or container exits immediately)
+        if package_id == "searxng" {
+            let searx_dir = "/var/lib/archipelago/searxng";
+            let settings_path = format!("{}/settings.yml", searx_dir);
+            if !tokio::fs::try_exists(&settings_path).await.unwrap_or(false) {
+                let secret: [u8; 32] = rand::random();
+                let secret_hex = hex::encode(secret);
+                let settings = format!(
+                    "use_default_settings: true\ngeneral:\n  instance_name: Archipelago Search\nserver:\n  secret_key: \"{}\"\n  bind_address: \"0.0.0.0\"\n  port: 8080\n  limiter: false\nui:\n  default_theme: simple\n",
+                    secret_hex
+                );
+                let _ = tokio::fs::write(&settings_path, settings).await;
+                info!("Created SearXNG settings.yml");
+            }
+        }
+
         // Port mappings (skip for host-network containers)
         if !is_tailscale {
             for port in &ports {