diff --git a/.gitea/workflows/build-iso-dev.yml b/.gitea/workflows/build-iso-dev.yml
index dbd8d0bc..a1965f1e 100644
--- a/.gitea/workflows/build-iso-dev.yml
+++ b/.gitea/workflows/build-iso-dev.yml
@@ -13,13 +13,14 @@ jobs:
 - name: Checkout
 run: |
 # Direct fetch + sync (actions/checkout token is broken on this Gitea)
- cd /home/archipelago/archy && git fetch origin main && git reset --hard origin/main
+ REPO_DIR="$HOME/archy"
+ cd "$REPO_DIR" && git fetch origin main && git reset --hard origin/main
 echo "=== Source at commit: $(git log --oneline -1) ==="
 rsync -a --delete \
 --exclude '.git' --exclude 'node_modules' --exclude 'target' \
 --exclude 'image-recipe/build' --exclude 'image-recipe/results' \
 --exclude 'web/dist' \
- /home/archipelago/archy/ "$GITHUB_WORKSPACE/"
+ "$REPO_DIR/" "$GITHUB_WORKSPACE/"
 cd "$GITHUB_WORKSPACE"
 echo "=== Workspace version: $(grep '^version' core/archipelago/Cargo.toml) ==="
 [ -f "scripts/first-boot-containers.sh" ] && echo " first-boot-containers.sh: PRESENT" || echo " first-boot-containers.sh: MISSING"
diff --git a/.gitea/workflows/build-iso.yml b/.gitea/workflows/build-iso.yml
index 71663f2a..ee7d1144 100644
--- a/.gitea/workflows/build-iso.yml
+++ b/.gitea/workflows/build-iso.yml
@@ -13,11 +13,12 @@ jobs:
 - name: Checkout
 run: |
 # Direct clone using stored credentials (actions/checkout token is broken)
- cd /home/archipelago/archy && git fetch origin main && git reset --hard origin/main
+ REPO_DIR="$HOME/archy"
+ cd "$REPO_DIR" && git fetch origin main && git reset --hard origin/main
 echo "=== Source at commit: $(git log --oneline -1) ==="
 echo "=== Syncing to workspace ==="
 rsync -a --delete --exclude='.git' --exclude='target/' --exclude='node_modules/' \
- /home/archipelago/archy/ "$GITHUB_WORKSPACE/" || cp -a /home/archipelago/archy/* "$GITHUB_WORKSPACE/"
+ "$REPO_DIR/" "$GITHUB_WORKSPACE/" || cp -a "$REPO_DIR"/* "$GITHUB_WORKSPACE/"
 cd "$GITHUB_WORKSPACE"
 echo "=== Workspace version: $(grep '^version' core/archipelago/Cargo.toml) ==="
 echo "=== Key files ==="
@@ -45,7 +46,7 @@ jobs:
 run: |
 WORK_DIR="image-recipe/build/auto-installer"
 mkdir -p "$WORK_DIR"
- CACHED="/home/archipelago/archy/image-recipe/build/auto-installer/debian-live-installer.iso"
+ CACHED="$HOME/archy/image-recipe/build/auto-installer/debian-live-installer.iso"
 if [ -f "$CACHED" ] && [ ! -f "$WORK_DIR/debian-live-installer.iso" ]; then
 cp "$CACHED" "$WORK_DIR/debian-live-installer.iso"
 echo "Cached Debian Live ISO copied ($(du -h "$WORK_DIR/debian-live-installer.iso" | cut -f1))"
diff --git a/image-recipe/configs/archipelago.service b/image-recipe/configs/archipelago.service
index 5c8bb957..45db3f39 100644
--- a/image-recipe/configs/archipelago.service
+++ b/image-recipe/configs/archipelago.service
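Review bot: `REPO_DIR` only exists in the Checkout step's shell, yet the later `@@ -45,7 +46,7 @@` hunk of this file spells the same path out again as `CACHED="$HOME/archy/..."`; since each step runs in its own shell the two definitions can drift apart silently. Export it once from the Checkout step with `echo "REPO_DIR=$REPO_DIR" >> "$GITHUB_ENV"` and then write `CACHED="$REPO_DIR/image-recipe/build/auto-installer/debian-live-installer.iso"` in the cache step. Separately, the retained `|| cp -a "$REPO_DIR"/* "$GITHUB_WORKSPACE/"` fallback hides an rsync failure and copies `target/` and `node_modules/` that the rsync excludes were meant to keep out of the workspace; if the fallback is still wanted, log the rsync status before falling back, otherwise drop it and let the step fail. The `run:` block's enclosing job definition starts outside the hunk.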
@@ -9,8 +9,9 @@ User=archipelago
 Environment="ARCHIPELAGO_BIND=127.0.0.1:5678"
 # DEV_MODE disabled in production — enabled via override.conf on dev servers
 Environment="XDG_RUNTIME_DIR=/run/user/1000"
-ExecStartPre=/bin/bash -c 'mkdir -p /run/user/1000 && chown archipelago:archipelago /run/user/1000 && chmod 700 /run/user/1000'
-ExecStartPre=/bin/bash -c 'mkdir -p /var/lib/archipelago && echo "ARCHIPELAGO_HOST_IP=$(hostname -I 2>/dev/null | awk "{print $$1}")" > /var/lib/archipelago/host-ip.env'
+# + prefix runs these as root (needed for chown/mkdir outside ReadWritePaths)
+ExecStartPre=+/bin/bash -c 'mkdir -p /run/user/1000 && chown archipelago:archipelago /run/user/1000 && chmod 700 /run/user/1000'
+ExecStartPre=+/bin/bash -c 'mkdir -p /var/lib/archipelago && chown archipelago:archipelago /var/lib/archipelago && echo "ARCHIPELAGO_HOST_IP=$(hostname -I 2>/dev/null | awk "{print $$1}")" > /var/lib/archipelago/host-ip.env && chown archipelago:archipelago /var/lib/archipelago/host-ip.env'
 ExecStart=/usr/local/bin/archipelago
 Restart=on-failure
 RestartSec=5
@@ -42,8 +43,8 @@ RestrictRealtime=yes
 # SystemCallFilter disabled: rootless podman needs clone/unshare for user namespaces
 SystemCallArchitectures=native
-# Memory protection
-MemoryDenyWriteExecute=yes
+# MemoryDenyWriteExecute removed: ring (rustls) and secp256k1 (bitcoin/nostr)
+# use assembly code that requires executable memory mappings on some platforms
 # Resource limits
 MemoryMax=4G
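Review bot: The second `ExecStartPre=+` line runs as root and redirects into `/var/lib/archipelago/host-ip.env` after it has handed ownership of `/var/lib/archipelago` to the unprivileged `archipelago` user; a root-privileged write into a directory the service user controls follows whatever is sitting at that path, so a compromised service process could redirect the next restart's write to a file it should not be able to touch. Let systemd create and own the directory with `StateDirectory=archipelago` (it is created with `User=` ownership and stays writable under the file-system sandbox) and drop the `+` on that line so the env file is written as the service user: `ExecStartPre=/bin/bash -c 'echo "ARCHIPELAGO_HOST_IP=$(hostname -I 2>/dev/null | awk "{print $$1}")" > /var/lib/archipelago/host-ip.env'`. The added comment also understates what `+` does: it skips the whole sandbox for that command (file-system namespacing such as `ReadWritePaths=`/`PrivateTmp=`, the capability bounding set), not just `User=`; where only the user switch must be bypassed, the `!` prefix keeps the rest of the sandbox in place. The `[Service]` section continues outside the hunk.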
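Review bot: Dropping `MemoryDenyWriteExecute=yes` in the `@@ -42,8 +43,8 @@` hunk removes the unit's W^X hardening, and the rationale in the new comment is worth verifying before accepting that: the assembly in ring and secp256k1 is compiled into the binary's text segment, which is already executable, whereas this setting only rejects mappings that are writable and executable at once. The setting is enforced via seccomp and is inherited by everything the unit spawns, so the rootless podman children noted a few lines above are a more plausible origin of a W+X request than the Rust crypto crates. If a concrete failure was observed, record it in the comment, e.g. `# MemoryDenyWriteExecute removed: <denied call / journal message — placeholder> seen on <platform — placeholder>`, so the protection can be restored once the real cause is fixed; if none was, keep the setting.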