Fix builds delegating to host Podman via CONTAINER_HOST

build.sh calls `podman build` inside the server container.
DOCKER_HOST is a Docker CLI variable; Podman does not use it to
automatically switch to remote mode.  Without CONTAINER_HOST set,
Podman runs locally inside the (unprivileged) container, has no
user-namespace support, and lchown fails for any layer file owned
by a non-zero GID (e.g. gid=42 for /etc/shadow).

Setting CONTAINER_HOST=tcp://podman-proxy:2375 makes Podman
automatically operate in remote mode and delegate all operations
to the host Podman service, which has the correct subuid/subgid
mappings and full user-namespace support.

https://claude.ai/code/session_01FKCW3FDjNFj6jve4niMFXH

infra/docker-compose.yml

@@ -41,6 +41,12 @@ services:
       HIY_BUILD_SCRIPT: /app/builder/build.sh
       CADDY_API_URL: http://caddy:2019
       DOCKER_HOST: tcp://podman-proxy:2375
+      # CONTAINER_HOST is the Podman-native equivalent of DOCKER_HOST.
+      # Setting it makes `podman` automatically operate in remote mode and
+      # delegate all builds/runs to the host's Podman service via the proxy,
+      # instead of trying to run Podman locally inside this container (which
+      # would fail: no user-namespace support in an unprivileged container).
+      CONTAINER_HOST: tcp://podman-proxy:2375
       RUST_LOG: hiy_server=debug,tower_http=info
     depends_on:
       caddy: