diff --git a/.forgejo/workflows/ci.yml b/.forgejo/workflows/ci.yml
index 117fb46..bd75c25 100644
--- a/.forgejo/workflows/ci.yml
+++ b/.forgejo/workflows/ci.yml
@@ -245,20 +245,20 @@ jobs:
 podman --remote pull "$REGISTRY_HOST/$APP_NAME/sharenet-backend-api-postgres:$IMAGE_TAG"
 podman --remote pull "$REGISTRY_HOST/$APP_NAME/sharenet-frontend:$IMAGE_TAG"
 
- - name: Prepare in-pod nginx config on host
+ - name: Render nginx.conf and put on host (no unshare)
 run: |
 set -euo pipefail
- # create dir on host (via user namespace)
- podman --remote unshare mkdir -p /opt/sharenet/nginx /opt/sharenet/volumes/nginx-cache
- # render temp config (inside the job container)
- apk add --no-cache gettext >/dev/null
+ apk add --no-cache gettext >/dev/null # envsubst
+ # Render template locally in the job container
 envsubst < nginx/nginx.conf > /tmp/nginx.conf
- # write it onto the host
- podman --remote unshare sh -c 'cat > /opt/sharenet/nginx/nginx.conf' < /tmp/nginx.conf
- # reasonable perms for rootless mount
- podman --remote unshare chown -R 1001:1001 /opt/sharenet
- podman --remote unshare chmod 0755 /opt/sharenet /opt/sharenet/nginx /opt/sharenet/volumes /opt/sharenet/volumes/nginx-cache
- podman --remote unshare chmod 0644 /opt/sharenet/nginx/nginx.conf || true
+
+ # Write it to the host via a remote Podman helper container.
+ # Run as uid:gid 1001:1001 so writes match prod-service’s ownership.
+ podman --remote run --rm -i \
+ --user 1001:1001 \
+ -v /opt/sharenet/nginx:/host-nginx:rw \
+ alpine:3.20 sh -c 'install -D -m 0644 /dev/stdin /host-nginx/nginx.conf' \
+ < /tmp/nginx.conf
 
 - name: Install envsubst (Alpine)
 run: apk add --no-cache gettext
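Review bot: On a host where `/opt/sharenet/nginx` does not exist yet, the write in the new helper is likely to fail: a missing bind-mount source is created by podman itself, owned by the Podman user (container root), and `install` then runs as `--user 1001:1001` into a directory it cannot write, whereas the removed `unshare mkdir -p`/`chown -R 1001:1001` lines guaranteed ownership before the write; the replacement also no longer creates `/opt/sharenet/volumes/nginx-cache`, so any later step that mounts it (not visible here) inherits podman's default ownership instead of 1001:1001. Consider keeping an explicit ownership step before the write, for example running the same helper once without `--user` to `install -d -o 1001 -g 1001 -m 0755 /host-nginx /host-cache` with the cache directory mounted as well, or restoring the `unshare mkdir`/`chown` lines for the directories only. Separately, the helper now has write access to the host's nginx config path but is pulled by an unqualified, mutable tag whose resolution depends on the remote host's registries.conf; fully qualify and pin it, `docker.io/library/alpine:3.20@sha256:<DIGEST>` (digest placeholder), or pull it from `$REGISTRY_HOST` like the other images in this job. The step's `run: |` script is fully inside the hunk; the surrounding job continues outside it.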