diff --git a/.gitea/workflows/ci.yml b/.gitea/workflows/ci.yml
index 449fa6c..7280ff4 100644
--- a/.gitea/workflows/ci.yml
+++ b/.gitea/workflows/ci.yml
@@ -19,8 +19,10 @@ jobs:
 env:
 TOKEN: ${{ github.token }}
 REF: ${{ github.ref }}
+ GIT_SSL_NO_VERIFY: "true"
 run: |
 git init
+ git remote remove origin 2>/dev/null || true
 git remote add origin "${{ github.server_url }}/${{ github.repository }}.git"
 git config http.extraheader "Authorization: Bearer ${TOKEN}"
 git fetch --depth=1 origin "${REF}"
@@ -28,8 +30,10 @@ jobs:
 - name: Docker Build Test
 env:
+ NODE_IMAGE: mirror.soroushasadi.com/repository/docker-group/node:20-slim
 NPM_TOKEN: ${{ secrets.NPM_TOKEN }}
 run: |
 docker build \
+ --build-arg NODE_IMAGE="$NODE_IMAGE" \
 --build-arg NPM_TOKEN="$NPM_TOKEN" \
 -t soroushasadi-site:test .
\ No newline at end of file
diff --git a/.gitea/workflows/deploy.yml b/.gitea/workflows/deploy.yml
index 17b13e6..350b427 100644
--- a/.gitea/workflows/deploy.yml
+++ b/.gitea/workflows/deploy.yml
@@ -19,6 +19,7 @@ jobs:
 env:
 TOKEN: ${{ github.token }}
 REF: ${{ github.ref }}
+ GIT_SSL_NO_VERIFY: "true"
 run: |
 git init
 git remote remove origin 2>/dev/null || true
@@ -39,6 +40,8 @@ jobs:
 EOF
 - name: Build Container
+ env:
+ NODE_IMAGE: mirror.soroushasadi.com/repository/docker-group/node:20-slim
 run: |
 docker compose build
diff --git a/.npmrc b/.npmrc
index 44d737f..1a2a6a1 100644
--- a/.npmrc
+++ b/.npmrc
@@ -2,7 +2,7 @@
 # the registry.npmjs.org hosts found in package-lock.json to this mirror at
 # install time (default replace-registry-host=npmjs), so the committed lockfile
 # is reused as-is — no regeneration needed.
-registry=https://mirror.soroushasadi.com/repository/npm-group/
+registry=http://mirror.soroushasadi.com/repository/npm-group/
 # Auth is never committed. CI and the Docker build append an `_authToken` line
 # from the NPM_TOKEN secret at install time; for local installs put the token in
diff --git a/Dockerfile b/Dockerfile
index 8798784..de92517 100644
--- a/Dockerfile
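Review bot: `GIT_SSL_NO_VERIFY: "true"` in the checkout step's `env` of `.gitea/workflows/ci.yml` turns off certificate validation for the same `git fetch` that carries `Authorization: Bearer ${TOKEN}` in `http.extraheader`, so the runner would hand the job token to, and build code from, whatever host answers for `github.server_url`. If the cause is a privately issued certificate on the Gitea server, trust that CA instead of disabling the check, for example `GIT_SSL_CAINFO: /path/to/internal-ca.pem` (placeholder path) in the same `env` block. The identical line is added to the checkout step in `.gitea/workflows/deploy.yml`, where the fetched tree is what gets deployed. The step's `run` block appears to continue outside the hunk.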
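Review bot: `NODE_IMAGE` in the Docker Build Test step of `ci.yml` names the base image by the mutable tag `node:20-slim` served through the mirror's docker-group, so each build depends on whatever the proxy currently resolves that tag to. Pinning it by digest, `…/docker-group/node:20-slim@sha256:<digest>` (placeholder), makes the pulled content verifiable whichever route it took. The same value is repeated in the Build Container step of `deploy.yml`, the `ARG NODE_IMAGE` default in `Dockerfile` and the `args` of `docker-compose.yml`, so it is worth defining once. Because this commit also relaxes TLS for git and npm, confirm that the runner's Docker daemon does not list the mirror under `insecure-registries`.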
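Review bot: Changing `registry` in `.npmrc` from `https://` to `http://` puts every package request on the wire in cleartext, including the `_authToken` that the comment just below says CI and the Docker build append; npm keys that credential by host and path rather than scheme, so it would be attached to the plain-HTTP requests. The `integrity` hashes in `package-lock.json` still protect tarballs that are already locked, but not the token or the registry metadata. Keep `registry=https://mirror.soroushasadi.com/repository/npm-group/`, and if the mirror's certificate is issued by a private CA, point npm at it with `cafile=/path/to/internal-ca.pem` (placeholder path) rather than dropping TLS.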
+++ b/Dockerfile
@@ -4,7 +4,7 @@
 # as mirror.soroushasadi.com/repository/docker-group/.
 # Build directly against Docker Hub instead with:
 # --build-arg NODE_IMAGE=node:20-slim
-ARG NODE_IMAGE=node:20-slim
+ARG NODE_IMAGE=mirror.soroushasadi.com/repository/docker-group/node:20-slim
 # ---------------------------------------------------------------------------
 # 1. Dependencies — installs node_modules and compiles the better-sqlite3
 # native addon (needs python3 + a C++ toolchain).
@@ -15,9 +15,9 @@ RUN apt-get update \
 && apt-get install -y --no-install-recommends python3 make g++ ca-certificates \
 && rm -rf /var/lib/apt/lists/*
 # .npmrc points npm at the Nexus npm-group; NPM_TOKEN (optional) authenticates.
-# The token is written only into this build stage and never reaches the runner
-# image, which copies node_modules — not .npmrc.
-COPY package.json package-lock.json ./
+# The token is appended at build time only — never reaches the runner image.
+ARG NPM_TOKEN=""
+COPY package.json package-lock.json .npmrc ./
 RUN if [ -n "$NPM_TOKEN" ]; then \
 echo "//mirror.soroushasadi.com/repository/npm-group/:_authToken=${NPM_TOKEN}" >> .npmrc ; \
 fi \
diff --git a/docker-compose.yml b/docker-compose.yml
index 5d8ecc3..afcf3e0 100644
--- a/docker-compose.yml
+++ b/docker-compose.yml
@@ -1,13 +1,12 @@
+name: soroushasadi
+
 services:
 web:
 build:
 context: .
 dockerfile: Dockerfile
 args:
- # Pull the base image through the Nexus docker-group proxy. Override per
- # environment, e.g. NODE_IMAGE=node:20-slim docker compose build.
- NODE_IMAGE: node:20-slim
- # Optional Nexus npm-group token, consumed only by the deps stage.
+ NODE_IMAGE: ${NODE_IMAGE:-mirror.soroushasadi.com/repository/docker-group/node:20-slim}
 NPM_TOKEN: ${NPM_TOKEN:-}
 image: soroushasadi-site:latest
 container_name: soroushasadi-site
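Review bot: Declaring `ARG NPM_TOKEN` and echoing it into `.npmrc` inside the `RUN` of the `Dockerfile` deps stage stores the token in two places: build-arg values are recorded in the image history, and the appended `.npmrc` is committed to that layer unless it is deleted later in the same `RUN` (the command continues past the hunk, so this cannot be confirmed from here). The new comment holds only for the final runner image; the intermediate stage still sits in the builder's cache and in any exported or pushed cache. A BuildKit secret mount avoids both, for example `RUN --mount=type=secret,id=npmrc,target=/root/.npmrc …` (assuming the stage runs as root) with the `_authToken` line supplied through `docker build --secret`. The committed `.npmrc` then carries only the registry URL, and `--build-arg NPM_TOKEN` can be dropped from `ci.yml` and `docker-compose.yml`.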
@@ -17,21 +16,20 @@ services:
 environment:
 NODE_ENV: production
 DATA_DIR: /data
- # Set these in a sibling .env file (NOT committed) or your host env.
 ADMIN_PASSWORD: ${ADMIN_PASSWORD:?set ADMIN_PASSWORD}
 ADMIN_SESSION_SECRET: ${ADMIN_SESSION_SECRET:?set ADMIN_SESSION_SECRET}
 RESEND_API_KEY: ${RESEND_API_KEY:-}
 CONTACT_INBOX: ${CONTACT_INBOX:-}
 CONTACT_FROM: ${CONTACT_FROM:-}
 volumes:
- # SQLite content DB + uploaded media persist across rebuilds.
 - cms-data:/data
 healthcheck:
- test: ["CMD", "wget", "-qO-", "http://127.0.0.1:3000"]
+ test: ["CMD", "node", "-e",
+ "fetch('http://127.0.0.1:3000/').then(r=>process.exit(r.ok?0:1)).catch(()=>process.exit(1))"]
 interval: 30s
- timeout: 5s
+ timeout: 10s
 retries: 3
- start_period: 20s
+ start_period: 30s
 volumes:
 cms-data:
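Review bot: The comment removed above `ADMIN_PASSWORD` in `docker-compose.yml` was the only place in this file telling operators that these values belong in an uncommitted `.env` file or the host environment; the `:?` guards enforce that a value is present, not where it is kept. I would keep the line as it was: `# Set these in a sibling .env file (NOT committed) or your host env.` The new `healthcheck` swaps `wget` for Node's global `fetch`, presumably because the slim base image ships no `wget`; a one-line comment such as `# slim image has no wget/curl; probe with Node's built-in fetch` would record that reason for the next reader.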