diff --git a/.gitea/workflows/nightly.yml b/.gitea/workflows/nightly.yml index af5e1750..81cf885c 100644 --- a/.gitea/workflows/nightly.yml +++ b/.gitea/workflows/nightly.yml @@ -85,7 +85,6 @@ jobs: GLITCHTIP_SECRET_KEY=${{ secrets.GLITCHTIP_SECRET_KEY }} GLITCHTIP_DOMAIN=https://glitchtip.archiv.raddatz.cloud SENTRY_DSN=${{ secrets.SENTRY_DSN }} - OBS_CONFIG_DIR=/srv/familienarchiv-staging/obs-configs EOF - name: Verify backend /import:ro mount is wired @@ -132,24 +131,6 @@ jobs: --profile staging \ up -d --wait --remove-orphans - - name: Sync observability configs to host - # DooD: runner-config.yaml only shares /var/run/docker.sock with the host - # daemon — no workspace directory is mapped. Relative bind mounts in - # docker-compose.observability.yml would resolve to paths that don't - # exist on the host; Docker auto-creates directories in their place, - # causing "not a directory" mount failures at container startup. - # - # Fix: find the job container's overlay2 merged directory (visible in the - # host's mount namespace), then use nsenter to copy from there into a - # stable host path. The overlay path is the job container's full - # filesystem as seen from the host — no socket tricks needed. - run: | - OVERLAY=$(docker inspect "$(hostname)" --format '{{.GraphDriver.Data.MergedDir}}') - SRC="${OVERLAY}$(pwd)/infra/observability" - docker run --rm --privileged --pid=host \ - alpine:3.21@sha256:48b0309ca019d89d40f670aa1bc06e426dc0931948452e8491e3d65087abc07d \ - sh -c "nsenter -t 1 -m -- sh -c 'mkdir -p /srv/familienarchiv-staging/obs-configs && cp -r \"${SRC}/.\" /srv/familienarchiv-staging/obs-configs/'" - - name: Start observability stack run: | docker compose \ diff --git a/.gitea/workflows/release.yml b/.gitea/workflows/release.yml index 4237c9cf..2645dc15 100644 --- a/.gitea/workflows/release.yml +++ b/.gitea/workflows/release.yml 
@@ -83,7 +83,6 @@ jobs: GLITCHTIP_SECRET_KEY=${{ secrets.GLITCHTIP_SECRET_KEY }} GLITCHTIP_DOMAIN=https://glitchtip.archiv.raddatz.cloud SENTRY_DSN=${{ secrets.SENTRY_DSN }} - OBS_CONFIG_DIR=/srv/familienarchiv-production/obs-configs EOF - name: Build images @@ -105,16 +104,6 @@ jobs: --env-file .env.production \ up -d --wait --remove-orphans - - name: Sync observability configs to host - # DooD: same overlay2 trick as nightly.yml — see that file for the - # full rationale. Production path: /srv/familienarchiv-production/obs-configs. - run: | - OVERLAY=$(docker inspect "$(hostname)" --format '{{.GraphDriver.Data.MergedDir}}') - SRC="${OVERLAY}$(pwd)/infra/observability" - docker run --rm --privileged --pid=host \ - alpine:3.21@sha256:48b0309ca019d89d40f670aa1bc06e426dc0931948452e8491e3d65087abc07d \ - sh -c "nsenter -t 1 -m -- sh -c 'mkdir -p /srv/familienarchiv-production/obs-configs && cp -r \"${SRC}/.\" /srv/familienarchiv-production/obs-configs/'" - - name: Start observability stack run: | docker compose \ diff --git a/docker-compose.observability.yml b/docker-compose.observability.yml index 2da53c3b..b83cb439 100644 --- a/docker-compose.observability.yml +++ b/docker-compose.observability.yml @@ -16,7 +16,7 @@ services: container_name: obs-prometheus restart: unless-stopped volumes: - - ${OBS_CONFIG_DIR:-./infra/observability}/prometheus/prometheus.yml:/etc/prometheus/prometheus.yml:ro + - ./infra/observability/prometheus/prometheus.yml:/etc/prometheus/prometheus.yml:ro - prometheus_data:/prometheus command: - '--config.file=/etc/prometheus/prometheus.yml' @@ -79,7 +79,7 @@ services: container_name: obs-loki restart: unless-stopped volumes: - - ${OBS_CONFIG_DIR:-./infra/observability}/loki/loki-config.yml:/etc/loki/loki-config.yml:ro + - ./infra/observability/loki/loki-config.yml:/etc/loki/loki-config.yml:ro - loki_data:/loki command: -config.file=/etc/loki/loki-config.yml expose: 
@@ -98,7 +98,7 @@ services: container_name: obs-promtail restart: unless-stopped volumes: - - ${OBS_CONFIG_DIR:-./infra/observability}/promtail/promtail-config.yml:/etc/promtail/promtail-config.yml:ro + - ./infra/observability/promtail/promtail-config.yml:/etc/promtail/promtail-config.yml:ro - /var/lib/docker/containers:/var/lib/docker/containers:ro # :ro restricts file-system access but NOT Docker API permissions — a compromised Promtail has full daemon access. Accepted risk on single-operator self-hosted archive. - /var/run/docker.sock:/var/run/docker.sock:ro @@ -118,7 +118,7 @@ services: container_name: obs-tempo restart: unless-stopped volumes: - - ${OBS_CONFIG_DIR:-./infra/observability}/tempo/tempo.yml:/etc/tempo.yml:ro + - ./infra/observability/tempo/tempo.yml:/etc/tempo.yml:ro - tempo_data:/var/tempo command: -config.file=/etc/tempo.yml expose: @@ -148,7 +148,7 @@ services: GF_USERS_ALLOW_SIGN_UP: "false" volumes: - grafana_data:/var/lib/grafana - - ${OBS_CONFIG_DIR:-./infra/observability}/grafana/provisioning:/etc/grafana/provisioning:ro + - ./infra/observability/grafana/provisioning:/etc/grafana/provisioning:ro healthcheck: test: ["CMD-SHELL", "wget -qO- http://localhost:3000/api/health | grep -q ok || exit 1"] interval: 30s diff --git a/runner-config.yaml b/runner-config.yaml index 68c4dc7a..23bef458 100644 --- a/runner-config.yaml +++ b/runner-config.yaml 
@@ -7,20 +7,20 @@ container: # is the requirement: Docker Compose resolves relative bind mounts to # $(pwd) inside the job container and passes that absolute path to the # host daemon — the daemon must find the file at that exact host path. - # Prerequisite: mkdir -p /volume1/gitea-workspace on the NAS, and add - # - /volume1/gitea-workspace:/volume1/gitea-workspace - # to the runner service volumes in gitea's docker-compose.yml. - workdir_parent: /volume1/gitea-workspace + # Prerequisite: mkdir -p /srv/gitea-workspace on the host, and add + # - /srv/gitea-workspace:/srv/gitea-workspace + # to the runner service volumes in gitea's compose.yaml. + workdir_parent: /srv/gitea-workspace # whitelists volumes that workflow steps may bind-mount valid_volumes: - "/var/run/docker.sock" - - "/volume1/gitea-workspace" + - "/srv/gitea-workspace" # appended to `docker run` when the runner spawns a job container # SECURITY: Mounting the Docker socket grants job containers root-equivalent # access to the host Docker daemon. Acceptable here because only trusted code # from this private repo runs on this runner. Do NOT use on a runner that # accepts untrusted PRs from external contributors. - options: "-v /var/run/docker.sock:/var/run/docker.sock -v /volume1/gitea-workspace:/volume1/gitea-workspace" + options: "-v /var/run/docker.sock:/var/run/docker.sock -v /srv/gitea-workspace:/srv/gitea-workspace" # keep network mode default (bridge) — Testcontainers handles its own networking force_pull: false
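Review bot: `/srv/gitea-workspace` now appears three times in this hunk (`workdir_parent`, `valid_volumes`, and the `-v` in `options`) and the relative bind mounts in docker-compose.observability.yml only work while all three agree, yet no comment ties them together; a mismatch does not fail loudly, the daemon just auto-creates an empty directory at the wrong path. On the `options` line I would add `# path must match workdir_parent and valid_volumes above, and the relative bind mounts in docker-compose.observability.yml`. Because the job workdir is now a host directory, whatever the workflows write there, including the `.env.*` files assembled from `secrets.*` in nightly.yml and release.yml, remains on the host for as long as the runner keeps the workdir, and the observability services keep bind-mounting their config from it after the job ends. Whether act_runner cleans or reuses that directory is not visible here, so the prerequisite comment should say so and should give the `mkdir -p /srv/gitea-workspace` step restrictive ownership and mode rather than leaving it at the default.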