Final fix for real

ljfp · ljfp · commit 56cf7352d435 · 2025-10-04T21:16:39.000+02:00
diff --git a/deploy/nasaspaceapps.service.template.legacy b/deploy/nasaspaceapps.service.template.legacy
@@ -0,0 +1,25 @@
+[Unit]
+Description=NASA Sky Explorer Web Application
+After=network.target
+
+[Service]
+Type=simple
+User=nasaapp
+Group=nasaapp
+WorkingDirectory=/opt/nasa-sky-explorer
+Environment="PATH=/opt/nasa-sky-explorer/.venv/bin:/usr/local/bin:/usr/bin:/bin"
+ExecStart=/opt/nasa-sky-explorer/.venv/bin/uvicorn src.server:app --host 0.0.0.0 --port 80
+Restart=always
+RestartSec=10
+
+# Security hardening (NoNewPrivileges removed to allow capabilities)
+PrivateTmp=true
+ProtectHome=true
+
+# Logging
+StandardOutput=journal
+StandardError=journal
+SyslogIdentifier=nasaspaceapps
+
+[Install]
+WantedBy=multi-user.target
diff --git a/deploy/remote_deploy.sh b/deploy/remote_deploy.sh
@@ -31,24 +31,36 @@ pip install -r requirements.txt
 deactivate || true
 EOSCRIPT
 
-# Note: Port 80 binding is handled by systemd AmbientCapabilities
-# No need to set capabilities on the Python binary
+# Apply capability for port binding if needed (for systemd < 229)
+# Modern systemd (>= 229) uses AmbientCapabilities in the service file
+if [ "${UVICORN_PORT}" -lt 1024 ]; then
+  REAL_PYTHON=$(readlink -f "${APP_DIR}/.venv/bin/python")
+  if [ -f "${REAL_PYTHON}" ]; then
+    echo "Applying cap_net_bind_service to ${REAL_PYTHON}..."
+    setcap 'cap_net_bind_service=+ep' "${REAL_PYTHON}" || echo "Warning: Failed to set capability (may not be needed with modern systemd)"
+  fi
+fi
 
 LOG_DIR="${APP_DIR}/logs"
 mkdir -p "${LOG_DIR}"
 chown "${APP_USER}:${APP_USER}" "${LOG_DIR}"
 chmod 755 "${LOG_DIR}"
 
+# Always kill any existing uvicorn processes to avoid port conflicts
+echo "Stopping any existing uvicorn processes..."
+pkill -f "uvicorn src.server:app" || true
+sleep 2
+
 if command -v systemctl >/dev/null 2>&1; then
   systemctl daemon-reload || true
   if systemctl list-unit-files | grep -q "^${SERVICE_NAME}\.service"; then
+    echo "Restarting systemd service ${SERVICE_NAME}.service..."
     systemctl restart "${SERVICE_NAME}.service"
     exit 0
   fi
 fi
 
 echo "systemd unit ${SERVICE_NAME}.service not found or unavailable. Relaunching Uvicorn with nohup."
 
-pkill -f "uvicorn src.server:app" || true
 sudo -u "${APP_USER}" nohup "${APP_DIR}/.venv/bin/uvicorn" src.server:app --host 0.0.0.0 --port "${UVICORN_PORT}" \
   >"${LOG_DIR}/uvicorn.log" 2>&1 &
