diff --git a/.gitea/workflows/deploy-kubeviz.yml b/.gitea/workflows/deploy-kubeviz.yml
index 3b1f926..98b28f4 100644
--- a/.gitea/workflows/deploy-kubeviz.yml
+++ b/.gitea/workflows/deploy-kubeviz.yml
@@ -13,6 +13,10 @@ jobs:
       IMAGE_REPO: localhost/kubeviz
       IMAGE_TAG: prod
       SERVICE_NAME: kubeviz.service
+      SYSTEMD_SCOPE: user
+      INSTALL_QUADLET: "true"
+      QUADLET_SRC: deploy/quadlet/kubeviz-traefik.container
+      PODMAN_USE_SUDO: "false"
     steps:
       - name: Checkout + Build/Deploy (git, no Node runtime required)
         env:
diff --git a/deploy/quadlet/README.md b/deploy/quadlet/README.md
index 9a8738e..cf7c790 100644
--- a/deploy/quadlet/README.md
+++ b/deploy/quadlet/README.md
@@ -78,12 +78,21 @@ For private base images (for example `dhi.io/golang:*`), ensure the runner user
 
 The deploy script forwards `REGISTRY_AUTH_FILE` to `sudo podman` automatically.
 
+Default workflow mode uses user services (`systemctl --user`) and rootless Podman:
+- `SYSTEMD_SCOPE=user`
+- `PODMAN_USE_SUDO=false`
+- quadlet target: `~/.config/containers/systemd/kubeviz.container`
+
+So no root sudo is required for normal deploy runs.
+
 Required sudo permissions for the Gitea runner user (example):
 
 ```text
 gitea-runner ALL=(root) NOPASSWD:/usr/bin/podman build *,/usr/bin/podman tag *,/usr/bin/systemctl restart kubeviz.service,/usr/bin/systemctl is-active kubeviz.service
 ```
 
+Only needed when you switch to `SYSTEMD_SCOPE=system` or `PODMAN_USE_SUDO=true`.
+
 The user must be the one that executes the Gitea Actions runner service (often `gitea-runner`).
 Check it with:
 
diff --git a/scripts/deploy-with-podman.sh b/scripts/deploy-with-podman.sh
index 08990db..cdf00ed 100755
--- a/scripts/deploy-with-podman.sh
+++ b/scripts/deploy-with-podman.sh
@@ -4,6 +4,12 @@ set -euo pipefail
 IMAGE_REPO="${IMAGE_REPO:-localhost/kubeviz}"
 IMAGE_TAG="${IMAGE_TAG:-prod}"
 SERVICE_NAME="${SERVICE_NAME:-kubeviz.service}"
+SYSTEMD_SCOPE="${SYSTEMD_SCOPE:-user}"
+INSTALL_QUADLET="${INSTALL_QUADLET:-true}"
+QUADLET_SRC="${QUADLET_SRC:-deploy/quadlet/kubeviz-traefik.container}"
+USER_QUADLET_DIR="${USER_QUADLET_DIR:-${HOME}/.config/containers/systemd}"
+SYSTEM_QUADLET_DIR="${SYSTEM_QUADLET_DIR:-/etc/containers/systemd}"
+PODMAN_USE_SUDO="${PODMAN_USE_SUDO:-}"
 
 if [ -z "${REGISTRY_AUTH_FILE:-}" ]; then
   if [ -n "${XDG_RUNTIME_DIR:-}" ] && [ -f "${XDG_RUNTIME_DIR}/containers/auth.json" ]; then
@@ -13,10 +19,37 @@ if [ -z "${REGISTRY_AUTH_FILE:-}" ]; then
   fi
 fi
 
-SUDO_PODMAN=(sudo podman)
+if [ -z "${PODMAN_USE_SUDO}" ]; then
+  if [ "${SYSTEMD_SCOPE}" = "system" ]; then
+    PODMAN_USE_SUDO="true"
+  else
+    PODMAN_USE_SUDO="false"
+  fi
+fi
+
+PODMAN_CMD=(podman)
+SYSTEMCTL_CMD=(systemctl --user)
+if [ "${PODMAN_USE_SUDO}" = "true" ]; then
+  PODMAN_CMD=(sudo podman)
+fi
+if [ "${SYSTEMD_SCOPE}" = "system" ]; then
+  SYSTEMCTL_CMD=(sudo systemctl)
+  QUADLET_TARGET_DIR="${SYSTEM_QUADLET_DIR}"
+else
+  SYSTEMCTL_CMD=(systemctl --user)
+  QUADLET_TARGET_DIR="${USER_QUADLET_DIR}"
+  if [ -z "${XDG_RUNTIME_DIR:-}" ]; then
+    export XDG_RUNTIME_DIR="/run/user/$(id -u)"
+  fi
+fi
+
 if [ -n "${REGISTRY_AUTH_FILE:-}" ] && [ -f "${REGISTRY_AUTH_FILE}" ]; then
   export REGISTRY_AUTH_FILE
-  SUDO_PODMAN=(sudo --preserve-env=REGISTRY_AUTH_FILE podman)
+  if [ "${PODMAN_USE_SUDO}" = "true" ]; then
+    PODMAN_CMD=(sudo --preserve-env=REGISTRY_AUTH_FILE podman)
+  else
+    PODMAN_CMD=(podman)
+  fi
   echo "Using registry auth file: ${REGISTRY_AUTH_FILE}"
 else
   echo "Warning: no REGISTRY_AUTH_FILE found; private base image pulls may fail."
@@ -32,13 +65,30 @@ SOURCE_IMAGE="${IMAGE_REPO}:ci-${BUILD_ID}"
 RELEASE_IMAGE="${IMAGE_REPO}:${IMAGE_TAG}"
 
 echo "Building ${SOURCE_IMAGE}"
-"${SUDO_PODMAN[@]}" build --pull=always -t "${SOURCE_IMAGE}" .
+"${PODMAN_CMD[@]}" build --pull=always -t "${SOURCE_IMAGE}" .
 
 echo "Tagging ${RELEASE_IMAGE}"
-"${SUDO_PODMAN[@]}" tag "${SOURCE_IMAGE}" "${RELEASE_IMAGE}"
+"${PODMAN_CMD[@]}" tag "${SOURCE_IMAGE}" "${RELEASE_IMAGE}"
 
-echo "Restarting ${SERVICE_NAME}"
-sudo systemctl restart "${SERVICE_NAME}"
-sudo systemctl is-active --quiet "${SERVICE_NAME}"
+if [ "${INSTALL_QUADLET}" = "true" ]; then
+  if [ ! -f "${QUADLET_SRC}" ]; then
+    echo "Quadlet source not found: ${QUADLET_SRC}"
+    exit 1
+  fi
+  echo "Installing quadlet ${QUADLET_SRC} -> ${QUADLET_TARGET_DIR}/kubeviz.container"
+  if [ "${SYSTEMD_SCOPE}" = "system" ]; then
+    sudo mkdir -p "${QUADLET_TARGET_DIR}"
+    sudo cp "${QUADLET_SRC}" "${QUADLET_TARGET_DIR}/kubeviz.container"
+  else
+    mkdir -p "${QUADLET_TARGET_DIR}"
+    cp "${QUADLET_SRC}" "${QUADLET_TARGET_DIR}/kubeviz.container"
+  fi
+fi
+
+echo "Reloading ${SYSTEMD_SCOPE} systemd and restarting ${SERVICE_NAME}"
+"${SYSTEMCTL_CMD[@]}" daemon-reload
+"${SYSTEMCTL_CMD[@]}" enable --now "${SERVICE_NAME}"
+"${SYSTEMCTL_CMD[@]}" restart "${SERVICE_NAME}"
+"${SYSTEMCTL_CMD[@]}" is-active --quiet "${SERVICE_NAME}"
 
 echo "Deployment successful: ${RELEASE_IMAGE}"