Succeeded with a work-around using a SystemD drop-in. Just before invoking the installer, my script has this:
mkdir -p /etc/systemd/system/ignition.service.d
cat >/etc/systemd/system/ignition.service.d/override.conf <<EOF
[Service]
AmbientCapabilities=CAP_NET_BIND_SERVICE CAP_NET_RAW
Environment=ACCEPT_IGNITION_EULA=Y
Environment=GATEWAY_ADMIN_USERNAME=someUserName
Environment=GATEWAY_ADMIN_PASSWORD=somePassword
Environment=IGNITION_EDITION=edge
Environment=GATEWAY_HTTP_PORT=80
Environment=GATEWAY_HTTPS_PORT=443
Environment=GATEWAY_GAN_PORT=8060
EOF
The installer launches like so:
useradd -c "Ignition Service" -U -m -G dialout ignition
"./$installer" -- unattended=text logLevel=debug user=ignition serviceName=ignition location=/usr/share/ignition
After the installer completes, I have this in the script:
cat >/etc/systemd/system/ignition.service.d/override.conf <<EOF
[Service]
AmbientCapabilities=CAP_NET_BIND_SERVICE CAP_NET_RAW
EOF
systemctl daemon-reload
This booted all the way up into Edge on ports 80 & 443 while running non-root. (:
Edit: I messed up the password hash somehow. But a plain password works.