diff --git a/.gitea/workflows/ci-cd-vm.yml b/.gitea/workflows/ci-cd-vm.yml index 9513bfc..9b9b9a3 100644 --- a/.gitea/workflows/ci-cd-vm.yml +++ b/.gitea/workflows/ci-cd-vm.yml @@ -15,7 +15,7 @@ jobs: shell: bash env: REGISTRY: git.golife.love/chrischen - DEPLOY_DIR: /opt/rolac + DEPLOY_DIR: /home/chris/docker/rolac steps: - uses: actions/checkout@v4 diff --git a/deploy/vm/README.md b/deploy/vm/README.md index 0a1bebc..44caf17 100644 --- a/deploy/vm/README.md +++ b/deploy/vm/README.md @@ -36,11 +36,11 @@ No TLS yet — plain HTTP on port **8080**. Add Let's Encrypt later (see the Azu 1. **Deploy dir + secrets:** ```bash - sudo mkdir -p /opt/rolac/nginx/conf.d /opt/rolac/data/api-storage - sudo cp /path/to/repo/deploy/vm/.env.example /opt/rolac/.env - sudo nano /opt/rolac/.env # real DB user/password + JWT_SECRET + APP_ORIGIN + sudo mkdir -p /home/chris/docker/rolac/nginx/conf.d /home/chris/docker/rolac/data/api-storage + sudo cp /path/to/repo/deploy/vm/.env.example /home/chris/docker/rolac/.env + sudo nano /home/chris/docker/rolac/.env # real DB user/password + JWT_SECRET + APP_ORIGIN ``` - Make sure the user the runner executes as can read/write `/opt/rolac`. + Make sure the user the runner executes as can read/write `/home/chris/docker/rolac`. 2. **Registry token** — in Gitea: Settings → Applications → new token with `read:package` + `write:package`. Log Docker in once on the VM: 
@@ -50,11 +50,11 @@ No TLS yet — plain HTTP on port **8080**. Add Let's Encrypt later (see the Azu 3. **Install act_runner on the VM** with the label **`ubuntu`** and access to the host Docker. The runner must be able to run `dotnet`, `docker`, and - `docker compose`, and reach `/opt/rolac`: + `docker compose`, and reach `/home/chris/docker/rolac`: ```bash docker run -d --restart unless-stopped --name rolac-runner \ -v /var/run/docker.sock:/var/run/docker.sock \ - -v /opt/rolac:/opt/rolac \ + -v /home/chris/docker/rolac:/home/chris/docker/rolac \ -e GITEA_INSTANCE_URL=https://git.golife.love \ -e GITEA_RUNNER_REGISTRATION_TOKEN= \ -e GITEA_RUNNER_LABELS=ubuntu \ @@ -92,10 +92,10 @@ On the VM, from a checkout of the repo: docker login git.golife.love -u ChrisChen docker build -t git.golife.love/chrischen/rolac-api:latest ./API docker build -t git.golife.love/chrischen/rolac-app:latest ./APP -mkdir -p /opt/rolac/nginx/conf.d /opt/rolac/data/api-storage -cp deploy/vm/docker-compose.yml /opt/rolac/docker-compose.yml -cp deploy/vm/nginx/conf.d/rolac.conf /opt/rolac/nginx/conf.d/rolac.conf -cd /opt/rolac && docker compose up -d +mkdir -p /home/chris/docker/rolac/nginx/conf.d /home/chris/docker/rolac/data/api-storage +cp deploy/vm/docker-compose.yml /home/chris/docker/rolac/docker-compose.yml +cp deploy/vm/nginx/conf.d/rolac.conf /home/chris/docker/rolac/nginx/conf.d/rolac.conf +cd /home/chris/docker/rolac && docker compose up -d curl -fsS http://localhost:8080/api/health ``` 
@@ -106,7 +106,7 @@ curl -fsS http://localhost:8080/api/health - **First boot runs DB migrations** against `192.168.68.55` automatically (`Program.cs` calls `MigrateAsync()` + seed). The VM must reach that host and the DB user needs DDL rights; back up before the first run. -- **Uploaded files** persist under `/opt/rolac/data/api-storage`. +- **Uploaded files** persist under `/home/chris/docker/rolac/data/api-storage`. - **Same Docker daemon for build + run** means `docker compose up` finds the freshly built `:` images locally; `docker compose pull` is unnecessary here (but harmless if you add it). diff --git a/deploy/vm/runner/README.md b/deploy/vm/runner/README.md index c019c6f..7de3fa4 100644 --- a/deploy/vm/runner/README.md +++ b/deploy/vm/runner/README.md @@ -10,7 +10,7 @@ It registers with the label **`ubuntu:host`**: instead of spawning a separate job container that wouldn't have dotnet/docker. The container mounts the **host Docker socket** (so build/push/compose act on the -host daemon) and **`/opt/rolac`** at the same path (so compose's relative volumes +host daemon) and **`/home/chris/docker/rolac`** at the same path (so compose's relative volumes resolve), and uses **host networking** (so the deploy step's `curl http://localhost:8080/api/health` works). diff --git a/deploy/vm/runner/docker-compose.yml b/deploy/vm/runner/docker-compose.yml index 94ef7fc..cb8322f 100644 --- a/deploy/vm/runner/docker-compose.yml +++ b/deploy/vm/runner/docker-compose.yml @@ -12,6 +12,6 @@ services: - /var/run/docker.sock:/var/run/docker.sock # deploy target — must be the SAME path so compose's relative ./data and # ./nginx volumes resolve to real host paths - - /opt/rolac:/opt/rolac + - /home/chris/docker/rolac:/home/chris/docker/rolac # persist runner registration so it doesn't re-register on restart - ./runner-data:/data
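Review bot: In `.gitea/workflows/ci-cd-vm.yml` (`DEPLOY_DIR: /home/chris/docker/rolac`) and again in the `deploy/vm/runner/docker-compose.yml` volume line, the deploy path is a hard-coded literal inside one user's home directory, repeated across the workflow, the runner compose file and both READMEs. The compose comment says the mount "must be the SAME path", so a later move that misses one of these places breaks the relative `./data` and `./nginx` volumes. Consider defining the path once, for example through compose variable substitution such as `- ${DEPLOY_DIR}:${DEPLOY_DIR}` in the runner file, and have the docs refer to that variable instead of the literal.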
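Review bot: In step 1 of `deploy/vm/README.md` (hunk `@@ -36,11`), the `sudo mkdir -p`, `sudo cp` and `sudo nano` lines now create root-owned directories and a root-owned `.env` under `/home/chris`, while the sentence after the block requires the runner user to read/write that tree and the manual steps in hunk `@@ -92,10` run `mkdir -p` and `cp` without `sudo`. Either drop `sudo` now that the target is in a home directory or add an explicit `chown` step so the two procedures agree. Since `.env` holds the DB password and `JWT_SECRET`, the step should also state the intended file mode (owner-only, `chmod 600`) rather than leaving it to the default umask.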
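Review bot: In step 3's `docker run` (hunk `@@ -50,11`), the new `-v /home/chris/docker/rolac:/home/chris/docker/rolac` mount sits next to `-v /var/run/docker.sock:/var/run/docker.sock`, so any job scheduled on this runner can read the `.env` written in step 1 and drive the host Docker daemon. The README should say so explicitly and state which repositories are expected to use this runner, for instance by registering it at repository scope rather than instance-wide.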
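Review bot: In `deploy/vm/runner/README.md`, the replaced line (`host daemon) and **`/home/chris/docker/rolac`** at the same path (so compose's relative volumes`) is now much longer than the other lines of that paragraph. Re-wrap the paragraph so it keeps the file's existing line width.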