From dae5fd3b53ea2df786817bab6ada17fad1842d65 Mon Sep 17 00:00:00 2001
From: Claude
Date: Sun, 22 Mar 2026 10:11:21 +0000
Subject: [PATCH] Allow rootless Podman to bind ports 80 and 443

Rootless processes cannot bind privileged ports (<1024) by default. Lower net.ipv4.ip_unprivileged_port_start to 80 at startup, and persist it to /etc/sysctl.conf so the setting survives reboots.
https://claude.ai/code/session_01FKCW3FDjNFj6jve4niMFXH
---
 infra/start.sh | 9 +++++++++
 1 file changed, 9 insertions(+)

diff --git a/infra/start.sh b/infra/start.sh
index 6d9b0cf..eab899f 100755
--- a/infra/start.sh
+++ b/infra/start.sh
@@ -59,6 +59,15 @@ EOF
 echo "[hiy] Generated proxy/caddy.json for ${DOMAIN_SUFFIX}"
+# ── Allow rootless processes to bind ports 80/443 ─────────────────────────────
+# Rootless Podman cannot bind privileged ports (<1024) by default.
+# Lower the threshold to 80 for this boot, and persist it across reboots.
+if [ "$(sysctl -n net.ipv4.ip_unprivileged_port_start)" -gt 80 ]; then
+sudo sysctl -w net.ipv4.ip_unprivileged_port_start=80
+grep -qxF 'net.ipv4.ip_unprivileged_port_start=80' /etc/sysctl.conf 2>/dev/null \
+ || echo 'net.ipv4.ip_unprivileged_port_start=80' | sudo tee -a /etc/sysctl.conf > /dev/null
+fi
+
 # ── Ensure Podman socket is active ────────────────────────────────────────────
 # Podman rootless resets XDG_RUNTIME_DIR to /run/user/ if that directory
 # exists (regardless of what the caller set). So we must ensure that directory
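Review bot: The added sysctl block lowers the privileged-port threshold for every unprivileged user and process on the host, not just the rootless Podman proxy, and the `tee -a` into /etc/sysctl.conf makes that permanent; the comment above the `if` should state this scope so a later reader understands that any local account can then bind 80/443 (and every port above), including ahead of the proxy at boot, e.g. `# NOTE: host-wide — after this, any unprivileged local process can bind ports >= 80, persisted across reboots.` A narrower persisted form is a dedicated drop-in under /etc/sysctl.d/ (placeholder name `<project>-unprivileged-ports.conf`) rather than appending to the shared /etc/sysctl.conf, which also avoids the grep-then-append race and keeps the change attributable. Separately, the `$(sysctl -n …)` on the `if` line is unguarded: on a host where the key is absent the substitution is empty and `[ "" -gt 80 ]` fails with an integer-expression error instead of skipping, so read it into a variable with a fallback first, `port_start=$(sysctl -n net.ipv4.ip_unprivileged_port_start 2>/dev/null || echo 1024)` and `if [ "${port_start:-1024}" -gt 80 ]; then`. The two `sudo` calls are also unchecked; if the script relies on `set -e` that is outside this hunk, so an explicit `|| exit 1` on the `sysctl -w` line would make the failure mode visible rather than leaving the proxy to fail later on bind.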