diff --git a/skills/monitoring-with-munin/SKILL.md b/skills/monitoring-with-munin/SKILL.md index d167f5a4fabd6d49f06fb0c2bd6b0508151fef34..595e7efd9ebbada5ee7202727d82ab3ef0ef622a 100644 --- a/skills/monitoring-with-munin/SKILL.md +++ b/skills/monitoring-with-munin/SKILL.md @@ -170,10 +170,26 @@ munin-run config # test config output munin-run # test value output ``` -Note: on systems where munin-node runs with `ProtectHome=yes` (systemd), plugins running as non-root users cannot access `/home/`. Either run as `user root` or place data outside `/home/`. +Note: Debian's munin-node ships with `ProtectHome=yes` in systemd, which hides `/home/` from the entire process namespace regardless of user; `user root` in plugin-conf.d doesn't help. See [ProtectHome](#protecthome-and-home-access) for workarounds. After installing or removing plugins: `systemctl restart munin-node` +## ProtectHome and /home/ access + +`ProtectHome=yes` mounts `/home/`, `/root`, `/run/user` as empty tmpfs. No user can see through it. + +Fix with + +```bash +sudo mkdir -p /etc/systemd/system/munin-node.service.d +printf '[Service]\nProtectHome=read-only\n' | sudo tee /etc/systemd/system/munin-node.service.d/override.conf +sudo systemctl daemon-reload && sudo systemctl restart munin-node +``` + +Alternatives: `ProtectHome=tmpfs` + `BindReadOnlyPaths=` for selective exposure, or move data outside `/home/`. + +**Pitfall**: even with `ProtectHome=read-only`, a 750 home directory blocks the `munin` user from traversing the path. Use `user root` in plugin-conf.d for such cases. + ## Alerting Alerts are configured in `/etc/munin/munin.conf` on the master. A contact is a command that receives alert text on stdin.
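Review bot: In the new "ProtectHome and /home/ access" section, the recommended fix `ProtectHome=read-only`, combined with the pitfall's advice to use `user root` in plugin-conf.d, gives root-run plugins read access to all of `/home/`, `/root` and `/run/user`. That is a much wider relaxation than reading one data path needs. Consider making the alternative the hunk already lists (`ProtectHome=tmpfs` plus `BindReadOnlyPaths=` for the specific directory, or moving the data outside `/home/`) the primary recommendation and presenting `read-only` as the fallback. Two smaller points: the sentence saying `ProtectHome=yes` mounts the three directories as empty tmpfs describes the `tmpfs` setting, while systemd documents `yes` as making them inaccessible and empty, so the wording should distinguish the two. Also, `sudo tee /etc/systemd/system/munin-node.service.d/override.conf` overwrites any existing drop-in of that name; a distinctly named drop-in file or `systemctl edit munin-node` would avoid clobbering local overrides.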