diff --git a/hosts/lustro/runtime/node-agent/docker-compose.override.yml b/hosts/lustro/runtime/node-agent/docker-compose.override.yml
index 6e9baf7..869f50c 100644
--- a/hosts/lustro/runtime/node-agent/docker-compose.override.yml
+++ b/hosts/lustro/runtime/node-agent/docker-compose.override.yml
@@ -13,7 +13,11 @@ services:
       - VPS_EVENTS_PATH=/opt/homelab/events
       - CHECK_INTERVAL=60
     volumes:
-      # pi's SSH key for rsync event shipping to VPS (push-based node, no repo checkout)
-      - /home/pi/.ssh:/root/.ssh:ro
+      # pi's SSH key for rsync event shipping to VPS (push-based node, no repo
+      # checkout). Container runs as uid 1000 (homelab, HOME=/home/homelab) per
+      # the base compose — ssh has no -i flag, so the key must land in
+      # /home/homelab/.ssh, NOT /root/.ssh. uid match (pi=1000) satisfies
+      # OpenSSH strict ownership checks on the mounted key.
+      - /home/pi/.ssh:/home/homelab/.ssh:ro
       # Override ../.. from the base compose to the pushed deploy dir (no repo on node)
       - /opt/homelab/deploy/node-agent:/repo:ro