diff --git a/infra/docker-compose.yml b/infra/docker-compose.yml
index 7384a22..46c7ee1 100644
--- a/infra/docker-compose.yml
+++ b/infra/docker-compose.yml
@@ -7,14 +7,16 @@
 services:
 
   # ── Podman socket proxy (unix → TCP) ──────────────────────────────────────
-  # Rootful Podman socket: /run/podman/podman.sock
-  # Rootless Podman socket: /run/user/<UID>/podman/podman.sock
+  # start.sh exports PODMAN_SOCK before invoking compose, so the correct
+  # socket is used regardless of rootful vs rootless:
+  #   rootful:  /run/podman/podman.sock
+  #   rootless: /run/user/<UID>/podman/podman.sock  (start.sh sets this)
   podman-proxy:
     image: alpine/socat
-    command: tcp-listen:2375,fork,reuseaddr unix-connect:/run/podman/podman.sock
+    command: tcp-listen:2375,fork,reuseaddr unix-connect:/podman.sock
     restart: unless-stopped
     volumes:
-      - /run/podman/podman.sock:/run/podman/podman.sock
+      - ${PODMAN_SOCK}:/podman.sock
     networks:
       - hiy-net
 
diff --git a/infra/start.sh b/infra/start.sh
index 81346e9..ea3d86f 100755
--- a/infra/start.sh
+++ b/infra/start.sh
@@ -59,6 +59,15 @@ EOF
 
 echo "[hiy] Generated proxy/caddy.json for ${DOMAIN_SUFFIX}"
 
+# ── Ensure Podman socket is active ────────────────────────────────────────────
+PODMAN_SOCK="/run/user/$(id -u)/podman/podman.sock"
+if [ ! -S "$PODMAN_SOCK" ]; then
+    echo "[hiy] Starting Podman socket…"
+    systemctl --user start podman.socket
+fi
+export PODMAN_SOCK
+export DOCKER_HOST="unix://${PODMAN_SOCK}"
+
 # ── Build images ───────────────────────────────────────────────────────────────
 make build