Remove binding to port 80 from deploy script.

ljfp · ljfp · commit dbb943ee29ec · 2025-10-04T21:09:52.000+02:00
diff --git a/deploy/nasaspaceapps.service.template b/deploy/nasaspaceapps.service.template
@@ -12,15 +12,19 @@ ExecStart=/opt/nasa-sky-explorer/.venv/bin/uvicorn src.server:app --host 0.0.0.0
 Restart=always
 RestartSec=10
 
+# Capability to bind to port 80
+AmbientCapabilities=CAP_NET_BIND_SERVICE
+CapabilityBoundingSet=CAP_NET_BIND_SERVICE
+
 # Security hardening
 NoNewPrivileges=true
 PrivateTmp=true
 ProtectHome=true
-ReadWritePaths=/opt/nasa-sky-explorer/logs
 
 # Logging
-StandardOutput=append:/opt/nasa-sky-explorer/logs/uvicorn.log
-StandardError=append:/opt/nasa-sky-explorer/logs/uvicorn.log
+StandardOutput=journal
+StandardError=journal
+SyslogIdentifier=nasaspaceapps
 
 [Install]
 WantedBy=multi-user.target
diff --git a/deploy/remote_deploy.sh b/deploy/remote_deploy.sh
@@ -31,14 +31,8 @@ pip install -r requirements.txt
 deactivate || true
 EOSCRIPT
 
-# Apply capability to allow binding to port 80 (if port < 1024)
-if [ "${UVICORN_PORT}" -lt 1024 ]; then
-  REAL_PYTHON=$(readlink -f "${APP_DIR}/.venv/bin/python")
-  if [ -f "${REAL_PYTHON}" ]; then
-    echo "Applying cap_net_bind_service to ${REAL_PYTHON}..."
-    setcap 'cap_net_bind_service=+ep' "${REAL_PYTHON}" || echo "Warning: Failed to set capability"
-  fi
-fi
+# Note: Port 80 binding is handled by systemd AmbientCapabilities
+# No need to set capabilities on the Python binary
 
 LOG_DIR="${APP_DIR}/logs"
 mkdir -p "${LOG_DIR}"
