diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index b1391ec..71a3d64 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -5,3 +5,4 @@ jobs: with: PLATFORMS: 'linux/amd64, linux/arm64' NO_TEST: true + NOMAD_VAR_NO_DEPLOY: true diff --git a/README.md b/README.md index 7461edb..60006f0 100644 --- a/README.md +++ b/README.md @@ -20,6 +20,8 @@ Installs `nomad`, `consul`, and `caddyserver` (router) together as a mini cluster running inside a `podman` container. +(OK so we are now Hashistck-in-Docker _container_ :) + Nomad jobs will run as `podman` containers on the VM itself, orchestrated by `nomad`, leveraging `/var/lib/containers`. The _brilliant_ `consul-template` will be used as "glue" between `consul` and `caddyserver` -- turning `caddyserver` into an always up-to-date reverse proxy router from incoming requests' Server Name Indication (SNI) to running containers :) diff --git a/bin/entrypoint.sh b/bin/entrypoint.sh index 2471367..30c3f2c 100755 --- a/bin/entrypoint.sh +++ b/bin/entrypoint.sh @@ -18,7 +18,8 @@ if [ ! -e $CONFIG ]; then else ARGS+=(--net=host) fi - podman run $ARGS --privileged -v /var/lib/containers:/var/lib/containers --cgroupns=host --restart=unless-stopped --name hindup -v /pv/CERTS:/root/.local/share/caddy -d hind > /dev/null + # the --net=host seems to be needed to be run legit *outside* the container (and/or manually!?) xxx + podman run $ARGS --privileged -v /var/lib/containers:/var/lib/containers --net=host --cgroupns=host --restart=unless-stopped --name hindup -v /pv/CERTS:/root/.local/share/caddy -d hind > /dev/null if [ ! $FIRST ]; then
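Review bot: In `bin/entrypoint.sh`, the new `podman run` line hard-codes `--net=host` next to `--privileged`, so the container always shares the host network namespace and the `else ARGS+=(--net=host)` branch above no longer decides anything. `ARGS` is appended to as an array but expanded as `$ARGS`, which in bash yields only element 0, so options added with `+=` may never reach `podman`; that is probably why the flag seemed to be missing when the command was run by hand. Expanding the array as `podman run "${ARGS[@]}" --privileged ...` and dropping the hard-coded `--net=host` would keep host networking limited to the branch that asks for it. The `if` branch that first fills `ARGS` starts outside the hunk, so check what it sets before removing the flag.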