docs: add AppArmor note, fix scripts table, migration env var info

README.md

@@ -38,6 +38,7 @@ chmod +x setup-npm-lxc.sh
 ```
 - Migrates SQLite DB, Let's Encrypt certs, and custom configs from HA addon
 - After setup: update OPNsense port forwards (80/443) from 10.0.0.55 → 10.0.0.226
+- For automated backup-based migration, set `HA_TOKEN` env var before running
 
 ### 4. Deploy Guacamole LXC
 ```bash
@@ -53,6 +54,12 @@ chmod +x setup-guacamole-lxc.sh
 - Increase HAOS VM memory to 8 GB
 - Optionally re-add AdGuard as HA integration pointing to 10.0.0.224
 
+## Docker-in-LXC Note
+
+The Guacamole and NPM scripts create **unprivileged** LXC containers with `lxc.apparmor.profile: unconfined` set automatically. This is required because Docker inside unprivileged LXC cannot access `net.ipv4.ip_unprivileged_port_start` under the default AppArmor profile. The setup scripts handle this automatically — the fix is applied between container creation and first start.
+
+If you already deployed the containers before this fix was baked in, run `fix-docker-lxc.sh` followed by `fix-guac-npm.sh` to retroactively apply it.
+
 ## Architecture After Migration
 
 ```
@@ -84,6 +91,7 @@ chmod +x setup-guacamole-lxc.sh
 |------|---------|
 | `recorder_exclude.yaml` | Recorder exclude config — merge into `configuration.yaml` |
 | `setup-adguard-lxc.sh` | CT 120 — AdGuard Home with SSH config migration |
-| `setup-guacamole-lxc.sh` | CT 121 — Guacamole via Docker Compose |
+| `setup-guacamole-lxc.sh` | CT 121 — Guacamole via Docker Compose (AppArmor fix baked in) |
-| `setup-npm-lxc.sh` | CT 122 — NPM with DB/cert migration from HA addon |
+| `setup-npm-lxc.sh` | CT 122 — NPM with DB/cert migration (AppArmor fix baked in) |
-| `README.md` | This file |
+| `fix-docker-lxc.sh` | Retroactive fix — adds AppArmor unconfined to CT 121 & 122 |
+| `fix-guac-npm.sh` | Retroactive fix — reinits Guacamole DB + retries NPM migration |