Add subuid/subgid entries for rootless Podman user namespace mapping

Without entries in /etc/subuid and /etc/subgid, Podman cannot map the
UIDs/GIDs present in image layers (e.g. gid 42 for /etc/shadow) into
the user namespace, causing 'lchown: invalid argument' on layer extraction.

Add a 65536-ID range starting at 100000 for the current user if missing,
then run podman system migrate so existing storage is updated.

https://claude.ai/code/session_01FKCW3FDjNFj6jve4niMFXH

infra/start.sh

@@ -59,6 +59,25 @@ EOF
 
 echo "[hiy] Generated proxy/caddy.json for ${DOMAIN_SUFFIX}"
 
+# ── Ensure subuid/subgid entries exist for rootless Podman ────────────────────
+# Rootless Podman maps UIDs/GIDs inside containers using subordinate ID ranges
+# from /etc/subuid and /etc/subgid. Without a sufficient range, pulling or
+# building images whose layers contain files owned by non-root UIDs/GIDs fails
+# with "invalid argument" / "insufficient UIDs or GIDs in user namespace".
+# Standard range: 65536 subordinate IDs starting at 100000.
+_HIY_USER="$(id -un)"
+_HIY_SUBID_CHANGED=0
+if ! grep -q "^${_HIY_USER}:" /etc/subuid 2>/dev/null; then
+    echo "${_HIY_USER}:100000:65536" | sudo tee -a /etc/subuid > /dev/null
+    _HIY_SUBID_CHANGED=1
+fi
+if ! grep -q "^${_HIY_USER}:" /etc/subgid 2>/dev/null; then
+    echo "${_HIY_USER}:100000:65536" | sudo tee -a /etc/subgid > /dev/null
+    _HIY_SUBID_CHANGED=1
+fi
+# Migrate existing Podman storage to the new mappings when entries were added.
+[ "$_HIY_SUBID_CHANGED" = "1" ] && podman system migrate
+
 # ── Allow rootless processes to bind ports 80/443 ─────────────────────────────
 # Rootless Podman cannot bind privileged ports (<1024) by default.
 # Lower the threshold to 80 for this boot, and persist it across reboots.