diff --git a/.gitignore b/.gitignore
index 830a3b3..a5b35b9 100644
--- a/.gitignore
+++ b/.gitignore
@@ -1,3 +1,4 @@
 .ansible-vaultpass
 .venv/*
 .git-crypt-backup/
+.DS_Store
diff --git a/CLAUDE.md b/CLAUDE.md
index 723851f..f91179b 100644
--- a/CLAUDE.md
+++ b/CLAUDE.md
@@ -107,7 +107,7 @@ Tasks are tagged by service/component for selective deployment:
 The `podman` user (and other service users) have `/bin/nologin` as their shell. To run commands as these users via SSH:
-- **One-off commands**: `sudo -H -u podman bash -c 'command here'`
+- **One-off commands**: `sudo -H -u podman bash -c 'cd; command here'` — the `cd;` preamble is REQUIRED (it moves into the podman user's home so podman finds its rootless storage/config; without it commands fail). Replace `command here` with whatever you need to run.
 - **Interactive shell**: `sudo -H -u podman bash -c 'cd; bash'`
 - **systemctl --user** requires `XDG_RUNTIME_DIR`:
 ```bash
diff --git a/ansible/roles/podman/tasks/containers/skudak/partsy.yml b/ansible/roles/podman/tasks/containers/skudak/partsy.yml
new file mode 100644
index 0000000..c319c0a
--- /dev/null
+++ b/ansible/roles/podman/tasks/containers/skudak/partsy.yml
@@ -0,0 +1,55 @@
+---
+- import_tasks: gitea/podman-gitea-login.yml
+
+- name: create partsy-skudak host directory volumes
+ become: true
+ ansible.builtin.file:
+ path: "{{ item }}"
+ state: directory
+ owner: "{{ podman_subuid.stdout }}"
+ group: "{{ podman_user }}"
+ mode: 0777
+ notify: restorecon podman
+ loop:
+ - "{{ partsy_skudak_path }}/data"
+ - "{{ partsy_skudak_path }}/backups"
+
+- name: flush handlers
+ ansible.builtin.meta: flush_handlers
+
+- import_tasks: podman/podman-check.yml
+ vars:
+ container_name: partsy-skudak
+ container_image: "{{ image }}"
+
+- name: create partsy-skudak container
+ become: true
+ become_user: "{{ podman_user }}"
+ containers.podman.podman_container:
+ name: partsy-skudak
+ image: "{{ image }}"
+ restart_policy: on-failure:3
+ log_driver: journald
+ network:
+ - shared
+ env:
+ PARTSY_MODE: free
+ PARTSY_DATA_DIR: /data
+ PARTSY_BACKUP_DIR: /backups
+ PARTSY_PORT: "8080"
+ PARTSY_STATIC_DIR: /app/static
+ PARTSY_AUTH_ENABLED: "true"
+ PARTSY_ADMIN_USERNAME: admin
+ PARTSY_ADMIN_PASSWORD: "{{ partsy_skudak_admin_password }}"
+ PARTSY_SECURE_COOKIES: "true"
+ LOG_LEVEL: info
+ volumes:
+ - "{{ partsy_skudak_path }}/data:/data"
+ - "{{ partsy_skudak_path }}/backups:/backups"
+ ports:
+ - "8082:8080"
+
+- name: create systemd startup job for partsy-skudak
+ include_tasks: podman/systemd-generate.yml
+ vars:
+ container_name: partsy-skudak
diff --git a/ansible/vars/vault.yml b/ansible/vars/vault.yml
index 1dc60c1..2805c36 100644
Binary files a/ansible/vars/vault.yml and b/ansible/vars/vault.yml differ
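Review bot: The `create partsy-skudak host directory volumes` task sets `mode: 0777` on the `data` and `backups` directories, so any local account on the host can read and modify the application's data and backup files. The task already sets `owner` to the container subuid and `group` to `{{ podman_user }}`, so a quoted, group-restricted value such as `mode: "0770"` is likely enough, and quoting avoids relying on YAML octal parsing. Separately, the `create partsy-skudak container` task passes `PARTSY_ADMIN_PASSWORD` through `env`, where it stays readable via `podman inspect` and can show up in task output; adding `no_log: true` to that task, or supplying the value as a podman secret, would limit that exposure. `ports: - "8082:8080"` publishes on every host interface; if a reverse proxy on the same host fronts this service (which `PARTSY_SECURE_COOKIES: "true"` suggests), `- "127.0.0.1:8082:8080"` would keep the plain-HTTP port off the network.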