diff --git a/fix-docker-lxc.sh b/fix-docker-lxc.sh
new file mode 100644
index 0000000..1fb772c
--- /dev/null
+++ b/fix-docker-lxc.sh
@@ -0,0 +1,39 @@
+#!/bin/bash
+# =====================================================================
+# Fix: Docker in unprivileged LXC containers
+# =====================================================================
+# Both NPM (CT 122) and Guacamole (CT 121) fail with:
+# "open sysctl net.ipv4.ip_unprivileged_port_start: permission denied"
+#
+# Fix: Set AppArmor profile to unconfined.
+# Run on Proxmox host (10.0.0.240) as root.
+# Run THIS script first, then fix-guac-npm.sh second.
+# =====================================================================
+
+set -euo pipefail
+
+for CT_ID in 121 122; do
+ CT_CONF="/etc/pve/lxc/${CT_ID}.conf"
+ CT_NAME=$(pct config "${CT_ID}" | grep hostname | awk '{print $2}')
+
+ echo "=== Fixing CT ${CT_ID} (${CT_NAME}) ==="
+
+ pct stop "${CT_ID}" 2>/dev/null || true
+ sleep 3
+
+ if grep -q "lxc.apparmor.profile" "${CT_CONF}" 2>/dev/null; then
+ sed -i 's/^lxc\.apparmor\.profile:.*/lxc.apparmor.profile: unconfined/' "${CT_CONF}"
+ else
+ echo "lxc.apparmor.profile: unconfined" >> "${CT_CONF}"
+ fi
+
+ pct start "${CT_ID}"
+ sleep 5
+ pct exec "${CT_ID}" -- systemctl restart docker
+ sleep 3
+ echo " Done"
+done
+
+echo ""
+echo "AppArmor fix applied to CT 121 and 122."
+echo "Now run: ./fix-guac-npm.sh"
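Review bot: Setting `lxc.apparmor.profile: unconfined` removes AppArmor confinement from CT 121 and 122 entirely, which is a much wider change than the one denied sysctl calls for, and nothing in the script records that trade-off or how to undo it. The header should say so, for example `# NOTE: this disables AppArmor confinement for the whole container; remove the line again once a narrower fix is available`. Separately, the presence check `grep -q "lxc.apparmor.profile"` is unanchored while the `sed` expression is anchored at `^lxc\.apparmor\.profile:`, so a commented-out or differently formatted entry takes the `sed` branch, changes nothing, and the loop still prints "Done"; using the same pattern in both, `grep -q '^lxc\.apparmor\.profile:' "${CT_CONF}"`, closes that gap. If a container config carries snapshot sections, the `>>` append presumably lands in the last section rather than the live config, so the script should keep a copy of the file before editing and confirm the result with `pct config "${CT_ID}"` before starting the container.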