diff --git a/infra/start.sh b/infra/start.sh
index 6d9b0cf..eab899f 100755
--- a/infra/start.sh
+++ b/infra/start.sh
@@ -59,6 +59,15 @@ EOF
 echo "[hiy] Generated proxy/caddy.json for ${DOMAIN_SUFFIX}"
 
+# ── Allow rootless processes to bind ports 80/443 ─────────────────────────────
+# Rootless Podman cannot bind privileged ports (<1024) by default.
+# Lower the threshold to 80 for this boot, and persist it across reboots.
+if [ "$(sysctl -n net.ipv4.ip_unprivileged_port_start)" -gt 80 ]; then
+sudo sysctl -w net.ipv4.ip_unprivileged_port_start=80
+grep -qxF 'net.ipv4.ip_unprivileged_port_start=80' /etc/sysctl.conf 2>/dev/null \
+|| echo 'net.ipv4.ip_unprivileged_port_start=80' | sudo tee -a /etc/sysctl.conf > /dev/null
+fi
+
 # ── Ensure Podman socket is active ────────────────────────────────────────────
 # Podman rootless resets XDG_RUNTIME_DIR to /run/user/ if that directory
 # exists (regardless of what the caller set). So we must ensure that directory