Diffstat (limited to 'remote-dev')
-rw-r--r--remote-dev/README.md33
-rw-r--r--remote-dev/home.nix37
2 files changed, 70 insertions, 0 deletions
diff --git a/remote-dev/README.md b/remote-dev/README.md
index 2e92509..a17c913 100644
--- a/remote-dev/README.md
+++ b/remote-dev/README.md
@@ -157,6 +157,39 @@ git log --show-signature -1
PATH. The leaf-tools policy above exists precisely to keep this
shadowing contained to harmless tools.
+## Podman (rootless)
+
+Nix can't manage setuid helpers, `/etc/subuid`/`/etc/subgid`, or kernel
+cmdline. Do this once on the VM as root:
+
+```sh
+sudo apt install -y uidmap
+grep "^$USER:" /etc/subuid /etc/subgid || \
+ sudo usermod --add-subuids 100000-165535 --add-subgids 100000-165535 "$USER"
+```
+
+Then enable cgroups v2 (required for rootless CPU/memory limits on
+Ubuntu 20.04, which still defaults to v1):
+
+```sh
+sudo sed -i 's|^GRUB_CMDLINE_LINUX_DEFAULT="\(.*\)"|GRUB_CMDLINE_LINUX_DEFAULT="\1 systemd.unified_cgroup_hierarchy=1"|' /etc/default/grub
+sudo update-grub
+sudo reboot
+```
+
+Verify after reboot:
+
+```sh
+stat -fc %T /sys/fs/cgroup/ # → cgroup2fs
+podman info | grep -E 'cgroupVersion|graphDriverName|networkBackend'
+# expected: cgroupVersion: v2, graphDriverName: overlay, networkBackend: netavark
+podman run --rm docker.io/library/alpine echo hi
+```
+
+The home-manager profile already installs `podman`, `crun`, `conmon`,
+`netavark`, `aardvark-dns`, `slirp4netns`, and `passt`, and writes
+sensible `~/.config/containers/{registries,storage,policy}.conf` files.
+
## How it's wired
`home.nix` uses `config.lib.file.mkOutOfStoreSymlink` so the symlinks
diff --git a/remote-dev/home.nix b/remote-dev/home.nix
index 0db172b..6ba6620 100644
--- a/remote-dev/home.nix
+++ b/remote-dev/home.nix
@@ -116,6 +116,17 @@ in
zsh-syntax-highlighting
zsh-autosuggestions
zsh-history-substring-search
+
+ # Rootless podman (see README "Podman" section for host prerequisites).
+ # The nix `podman` is wrapped to find these helpers via /nix/store paths,
+ # so we don't need to write a containers.conf for `helper_binaries_dir`.
+ podman
+ crun # OCI runtime (lighter than runc; default for rootless)
+ conmon # container monitor process
+ netavark # default network stack on podman 4+
+ aardvark-dns # DNS for netavark networks
+ slirp4netns # rootless user-mode networking
+ passt # pasta backend (slirp4netns successor; podman picks it up)
];
# ── direnv + nix-direnv ─────────────────────────────────────────────────────
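Review bot: The trailing comment on `passt` ("podman picks it up") hides a version dependency: podman 4.x defaults rootless networking to slirp4netns and only podman 5 switched the default to pasta, and nothing in this hunk pins which nixpkgs podman is installed, so which of the two helpers actually carries container traffic is not visible from the config and the README's `networkBackend` check does not reveal it either. Make the comment say that explicitly, e.g. `passt # pasta backend — rootless default since podman 5; on 4.x podman still uses slirp4netns unless default_rootless_network_cmd is set`, so a reader knows which helper to look at when rootless networking misbehaves. The enclosing package list begins outside the hunk.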
@@ -140,6 +151,32 @@ in
"git/ignore".source = link "dot_config/git/ignore";
};
+ # ── Rootless podman config ──────────────────────────────────────────────────
+ # Kept inline (not in the chezmoi tree) because Arch's system-wide
+ # /etc/containers defaults already work there; these files exist only
+ # to give nix's user-installed podman sane rootless defaults.
+ xdg.configFile."containers/registries.conf".text = ''
+ unqualified-search-registries = ["docker.io", "quay.io", "ghcr.io"]
+ short-name-mode = "permissive"
+ '';
+
+ xdg.configFile."containers/storage.conf".text = ''
+ [storage]
+ # runroot/graphroot default to $XDG_RUNTIME_DIR/containers and
+ # $XDG_DATA_HOME/containers/storage respectively for rootless — leave unset.
+ driver = "overlay"
+
+ [storage.options.overlay]
+ # Kernel >=5.13 supports rootless overlay natively (VM is on 5.15),
+ # so mount_program is left unset → uses the kernel driver directly
+ # instead of fuse-overlayfs.
+ '';
+
+ xdg.configFile."containers/policy.json".text = builtins.toJSON {
+ default = [ { type = "insecureAcceptAnything"; } ];
+ transports.docker-daemon."" = [ { type = "insecureAcceptAnything"; } ];
+ };
+
# ~/.ssh/config from the dotfiles tree (read-only); keys + known_hosts
# stay machine-local on the VM. We can't symlink via home.file because
# mkOutOfStoreSymlink exposes the working-tree perms (0664 under Ubuntu's
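Review bot: The `policy.json` written at the end of the hunk turns off image signature verification for every transport (`insecureAcceptAnything` as the default and again for `docker-daemon`), but the attribute carries no comment saying so while the README describes these files as sensible defaults; add above it something like `# No signature policy: every pulled image is accepted unverified (same as the upstream containers default). Switch to signedBy/sigstoreSigned entries per registry before this VM handles anything beyond throwaway dev images.` In `registries.conf`, `short-name-mode = "permissive"` together with three `unqualified-search-registries` means a bare `podman pull foo` falls through docker.io, quay.io and ghcr.io in order without prompting, so a short name that is absent on docker.io but squatted on a later registry is pulled silently; prefer `short-name-mode = "enforcing"` (podman then refuses ambiguous short names in non-interactive use and prompts on a TTY) or drop the search list and always pull fully-qualified names as the README's own `docker.io/library/alpine` check already does. Finally, `storage.conf` emits an empty `[storage.options.overlay]` table whose only content is a comment; either delete the header or note that it is intentionally empty, e.g. `# intentionally empty: no mount_program, kernel overlay is used`, so nobody assumes a key was lost.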