diff --git a/containers/homepage/default.nix b/containers/homepage/default.nix
index 7b4becb..6217847 100644
--- a/containers/homepage/default.nix
+++ b/containers/homepage/default.nix
@@ -100,6 +100,17 @@ pkgs.dockerTools.buildLayeredImage {
 chmod 1777 tmp
 '';
 
+ # /app/config must be writable by the runtime user (1000): homepage seeds
+ # missing skeleton configs (proxmox.yaml, etc.) and writes /app/config/logs.
+ # The deployment mounts ConfigMap files at /app/config/.yaml via
+ # subPath, which leaves the parent dir as image filesystem — so its
+ # ownership has to be set at build time.
+ fakeRootCommands = ''
+ mkdir -p app/config
+ chown -R 1000:1000 app
+ '';
+ enableFakechroot = true;
+
 config = {
 Entrypoint = [ "${homepage}/bin/homepage" ];
 Env = [
diff --git a/docs/changelog.d/+homepage-config-perms-fix.bugfix.md b/docs/changelog.d/+homepage-config-perms-fix.bugfix.md
new file mode 100644
index 0000000..20e1135
--- /dev/null
+++ b/docs/changelog.d/+homepage-config-perms-fix.bugfix.md
@@ -0,0 +1,5 @@
+Fixed homepage container EACCES on cold start: the nix-built image now chowns
+`/app/config` to uid 1000 at build time via `fakeRootCommands`, matching the
+behavior of the old Dockerfile. Without this, homepage couldn't seed missing
+skeleton configs (proxmox.yaml etc.) or create `/app/config/logs`, crashing on
+its first uncached request. Caught during the ringtail cutover.
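Review bot: `chown -R 1000:1000 app` in the new `fakeRootCommands` hands the runtime user the whole `/app` tree, while the comment above it and the changelog entry both say only `/app/config` has to be writable. Nothing in this hunk shows what else lives under `/app`, but anything placed there now or later becomes rewritable by the homepage process, so a compromise of that process would reach further than the config directory. Narrowing the line to `chown -R 1000:1000 app/config` keeps the image at least privilege and matches the documented intent. If the broader ownership is deliberate (for example to mirror the old Dockerfile), the comment should say so. The `buildLayeredImage` attribute set starts before and continues after this hunk, so the rest of the image contents are not visible here.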