diff --git a/image-recipe/configs/archipelago.service b/image-recipe/configs/archipelago.service
index 93a18fc0..99d472fb 100644
--- a/image-recipe/configs/archipelago.service
+++ b/image-recipe/configs/archipelago.service
@@ -48,6 +48,14 @@ MemoryMax=4G
 LimitNOFILE=65535
 TasksMax=2048
 
+# Delegate cgroup controllers so rootless podman (run from this system service
+# as user=archipelago, not user@1000.service) can create transient libpod-*.scope
+# units with --memory / --cpus / --pids-limit. Without this, podman create fails
+# at start time with: "MemoryMax is out of range" because systemd rejects resource
+# limits on undelegated cgroup subtrees. Required for the ProdContainerOrchestrator
+# code path (see core/archipelago/src/container/prod_orchestrator.rs).
+Delegate=memory pids cpu io
+
 # Logging
 StandardOutput=journal
 StandardError=journal
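Review bot: `Delegate=memory pids cpu io` also delegates the `io` controller, but the comment above it only justifies `--memory`, `--cpus` and `--pids-limit`; if no container is given block-I/O limits, the narrower `Delegate=memory pids cpu` keeps the delegated surface to what is actually needed. Since the comment says the unit runs as a non-root user, systemd will make the delegated cgroup subtree manageable by that user, so any process in the service can create sub-cgroups and set limits beneath the unit. The unit-level `MemoryMax=4G` and `TasksMax=2048` remain the outer bound, which is worth stating in the comment, e.g. `# Container limits are still capped by MemoryMax=/TasksMax= on this unit.` The rest of the unit file, including its `User=` line, is outside the hunk, so the user context is inferred from the comment text only.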