diff --git a/bluebuild/recipe.yml b/bluebuild/recipe.yml
index 4a3d3a1..cad5e62 100644
--- a/bluebuild/recipe.yml
+++ b/bluebuild/recipe.yml
@@ -41,40 +41,33 @@ modules:
 destination: /usr/share/veilor-os/scripts
 # ── 2. Branding overrides at build time ─────────────────────────
- - type: script
+ # Use raw `type: containerfile` (RUN line) instead of `type: script`
+ # — bluebuild's script-module helper script.nu fails 'chmod:
+ # Operation not permitted' on its own bind-mounted layer under
+ # podman/buildah privileged. Raw RUN bypasses the helper.
+ - type: containerfile
 snippets:
 - |
- # os-release brand
- sed -i \
- -e 's|^GRUB_DISTRIBUTOR=.*|GRUB_DISTRIBUTOR="veilor-os"|' \
- /etc/default/grub 2>/dev/null || true
- # Apply our kde-theme + plymouth in build
- bash /usr/share/veilor-os/scripts/kde-theme-apply.sh || true
- bash /usr/share/veilor-os/scripts/30-apply-v03-theme.sh 2>/dev/null || true
- plymouth-set-default-theme details 2>/dev/null || true
- # Mark all our shipped scripts + CLIs executable. cp -a from the
- # repo preserves perms but BlueBuild's `type: files` sometimes
- # drops the +x bit on the way through; belt-and-braces here.
- chmod +x /usr/share/veilor-os/scripts/*.sh \
- /usr/share/veilor-os/scripts/selinux/*.sh \
- /usr/local/bin/veilor-* 2>/dev/null || true
- # Refresh fontconfig cache so Fira Code is picked up by KDE
- fc-cache -f 2>/dev/null || true
- # os-release brand override (atomic /etc is r/w; safe to overwrite)
- if [ -f /etc/os-release ]; then
- sed -i \
- -e 's|^NAME=.*|NAME="veilor-os"|' \
- -e 's|^PRETTY_NAME=.*|PRETTY_NAME="veilor-os 0.7 (atomic)"|' \
- -e 's|^ID=.*|ID=veilor|' \
- -e 's|^ID_LIKE=.*|ID_LIKE="fedora kinoite"|' \
- /etc/os-release || true
- fi
- # Sanity: brand-leak check, fail build if any onyx/personal data slipped in
- if grep -rqi 'onyx\|192\.168\.0\.\|fedora\.local\|xynki\.dev' \
- /etc/veilor* /etc/tuned/profiles/veilor-* /usr/share/veilor-os 2>/dev/null; then
- echo "[ERR] brand leak detected in shipped state"
- exit 1
- fi
+ RUN sed -i -e 's|^GRUB_DISTRIBUTOR=.*|GRUB_DISTRIBUTOR="veilor-os"|' /etc/default/grub 2>/dev/null || true ; \
+ bash /usr/share/veilor-os/scripts/kde-theme-apply.sh 2>/dev/null || true ; \
+ bash /usr/share/veilor-os/scripts/30-apply-v03-theme.sh 2>/dev/null || true ; \
+ plymouth-set-default-theme details 2>/dev/null || true ; \
+ chmod +x /usr/share/veilor-os/scripts/*.sh \
+ /usr/share/veilor-os/scripts/selinux/*.sh \
+ /usr/local/bin/veilor-* 2>/dev/null || true ; \
+ fc-cache -f 2>/dev/null || true ; \
+ if [ -f /etc/os-release ]; then \
+ sed -i \
+ -e 's|^NAME=.*|NAME="veilor-os"|' \
+ -e 's|^PRETTY_NAME=.*|PRETTY_NAME="veilor-os 0.7 (atomic)"|' \
+ -e 's|^ID=.*|ID=veilor|' \
+ -e 's|^ID_LIKE=.*|ID_LIKE="fedora kinoite"|' \
+ /etc/os-release || true ; \
+ fi ; \
+ if grep -rqi 'onyx\|192\.168\.0\.\|fedora\.local\|xynki\.dev' \
+ /etc/veilor* /etc/tuned/profiles/veilor-* /usr/share/veilor-os 2>/dev/null; then \
+ echo "[ERR] brand leak detected" ; exit 1 ; \
+ fi
 # ── 3. Override secureblue's run0-only — restore sudo ───────────
 # secureblue removes sudo + replaces with run0. Too disruptive for
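Review bot: The brand-leak gate at the end of the new RUN line fails open: `grep -rqi … 2>/dev/null` returns non-zero both when nothing matched and when the scan itself could not run (the `/etc/veilor*` or `/etc/tuned/profiles/veilor-*` globs expanding to nothing, unreadable files), and only the first case means a clean image. Capturing the status separates the two: `grep -rqi '…' /etc/veilor* /etc/tuned/profiles/veilor-* /usr/share/veilor-os 2>/dev/null; rc=$?; \` then `if [ "$rc" -eq 0 ]; then echo "[ERR] brand leak detected"; exit 1; fi; \` and `if [ "$rc" -gt 1 ]; then echo "[ERR] brand-leak scan could not read shipped state"; exit 1; fi`. The `2>/dev/null || true` now wrapped around every other step (it is new on the kde-theme-apply.sh call) also means a failing theme or chmod step leaves no trace in the build log; since RUN already stops the build on a non-zero status, an `|| echo "[WARN] kde-theme-apply.sh failed"` in place of the bare `|| true` keeps the step best-effort but visible. A Dockerfile RUN executes under `/bin/sh -c` rather than the bash the script module used; the body looks POSIX-clean, but that assumption belongs in the new header comment. The modules list this entry belongs to starts and ends outside the hunk.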
@@ -127,26 +120,18 @@ modules:
 source: config/just
 destination: /usr/share/ublue-os/just
- # ── 8. Service tuning: tailscale pre-disabled, yggdrasil idle ───
- - type: systemd
- system:
- enabled:
- - yggdrasil.service # idle warm-fallback (config = empty Listen[])
- disabled:
- - tailscaled.service # awaits first-boot prompt for join
- # secureblue parents already enable: sshd, fail2ban, usbguard,
- # auditd, firewalld, chronyd, sddm — no re-enable needed.
-
- # ── 9. veilor-os specific systemd units ─────────────────────────
- # All veilor-* units come in via overlay/etc/systemd/system/ —
- # explicit enable here since they aren't part of secureblue's set.
- - type: systemd
- system:
- enabled:
- - veilor-firstboot.service
- - veilor-modules-lock.service
- - veilor-postinstall.service
- - veilor-doctor.timer
+ # ── 8 + 9. systemd unit enables/disables ────────────────────────
+ # Same chmod-permitted blocker on `type: systemd` helper. Use raw
+ # RUN systemctl preset/enable/disable instead.
+ - type: containerfile
+ snippets:
+ - |
+ RUN systemctl enable yggdrasil.service 2>/dev/null || true ; \
+ systemctl disable tailscaled.service 2>/dev/null || true ; \
+ systemctl enable veilor-firstboot.service 2>/dev/null || true ; \
+ systemctl enable veilor-modules-lock.service 2>/dev/null || true ; \
+ systemctl enable veilor-postinstall.service 2>/dev/null || true ; \
+ systemctl enable veilor-doctor.timer 2>/dev/null || true
 # ── 10. signing config ──────────────────────────────────────────
 # cosign.pub committed alongside this recipe; cosign.key kept off
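Review bot: `systemctl disable tailscaled.service 2>/dev/null || true` cannot enforce what the removed comment promised (tailscale pre-disabled, awaiting the first-boot join prompt): if the unit is absent at this layer or the call fails for the same permission reason the commit is working around, the build still succeeds and the image may ship with tailscaled enabled. Since RUN already fails the build on a non-zero status, drop the `|| true` on that line, or verify the outcome at the end of the snippet with `if systemctl is-enabled -q tailscaled.service 2>/dev/null; then echo "[ERR] tailscaled.service still enabled"; exit 1; fi`; the same reasoning applies to the veilor-firstboot/modules-lock/postinstall enables, which the first-boot flow presumably depends on. The per-unit comments dropped with the old blocks (yggdrasil as idle warm-fallback with an empty Listen[], tailscaled awaiting the first-boot prompt, and the note that the secureblue parents already enable sshd, fail2ban, usbguard, auditd, firewalld, chronyd and sddm) are worth carrying over as `#` comments above the snippet, and the new header says `preset/enable/disable` while only enable and disable are used. The modules list continues outside the hunk on both sides.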