If you just run grafana on 443, you can immediately catch the error Fail to start server. error: listen tcp 0.0.0.0:443: bind: permission denied. This is due to the OS security system.

This “misunderstanding” can be corrected in two ways - “with a crutch” and “correctly”.

The crutch method is to give the file the appropriate privileges:

setcap 'cap_net_bind_service=+ep' /usr/sbin/grafana-server

BUT, this is temporary, until the next update…

The correct method is to edit systemd. Well, how to “edit”…. redefine (redefine)…

Click systemctl edit grafana-server and enter the following into the editor:

[Service]
NoNewPrivileges=yes
CapabilityBoundingSet=CAP_NET_BIND_SERVICE
AmbientCapabilities=CAP_NET_BIND_SERVICE

After which systemd will create the file /etc/systemd/system/grafana-server.service.d/override.conf with the required config. In this case, you don’t even need to reload systemd - just restart Grafana:

systemctl restart grafana-server.service