diff --git a/.gitea/workflows/deploy.yml b/.gitea/workflows/deploy.yml
index 8dcd106..bba43dd 100644
--- a/.gitea/workflows/deploy.yml
+++ b/.gitea/workflows/deploy.yml
@@ -1,21 +1,13 @@
 # ──────────────────────────────────────────────────────────────────────────────
 # CrowdSec Admin — Gitea Actions CI/CD
 #
-# Triggers on push to main. Runner builds image + brings stack up via docker
-# compose on the host. Image stays local (no registry push), same pattern as
-# flight-radar.
+# Build image, push to Gitea registry, trigger Portainer redeploy via webhook.
+# Stack itself is managed by Portainer (type=git). Env vars (LAPI creds) live
+# in the Portainer stack — NOT in repo secrets — so rotation is one place.
 #
-# PREREQUISITES (one-time):
-#   1. Host LAPI machine registered (for DELETE auth):
-#        sudo cscli machines add crowdsec-admin --password '<PW>' -f -
-#   2. Host LAPI bouncer registered (for GET auth):
-#        sudo cscli bouncers add crowdsec-admin
-#   3. Repo secrets set in Gitea → Settings → Secrets:
-#        LAPI_MACHINE_ID=crowdsec-admin
-#        LAPI_MACHINE_PASSWORD=<PW>
-#        LAPI_BOUNCER_KEY=<bouncer key from step 2>
-#   4. DNS: crowdsec.domverse-berlin.eu → host IP.
-#   5. Authentik wildcard forward_domain already covers *.domverse-berlin.eu.
+# Repo secrets required:
+#   REGISTRY_TOKEN         token for ci user, scope write:package
+#   PORTAINER_WEBHOOK_URL  POST URL from Portainer stack auto-update setting
 # ──────────────────────────────────────────────────────────────────────────────
 
 name: Deploy
@@ -27,8 +19,7 @@ on:
   workflow_dispatch:
 
 env:
-  COMPOSE_PROJECT: crowdsec-admin
-  COMPOSE_FILE: docker-compose.yml
+  IMAGE: git.domverse-berlin.eu/ci/crowdsec-admin/app
 
 jobs:
   deploy:
@@ -37,25 +28,18 @@ jobs:
       - name: Checkout
         uses: actions/checkout@v4
 
-      - name: Write .env for compose
-        run: |
-          cat > .env <<EOF
-          LAPI_MACHINE_ID=${{ secrets.LAPI_MACHINE_ID }}
-          LAPI_MACHINE_PASSWORD=${{ secrets.LAPI_MACHINE_PASSWORD }}
-          LAPI_BOUNCER_KEY=${{ secrets.LAPI_BOUNCER_KEY }}
-          EOF
-          chmod 600 .env
+      - name: Login to Gitea registry
+        run: echo "${{ secrets.REGISTRY_TOKEN }}" | docker login git.domverse-berlin.eu -u ci --password-stdin
 
-      - name: Deploy with docker compose
+      - name: Build and push
         run: |
-          echo "=== Deploying commit ${{ gitea.sha }} to ${{ gitea.ref_name }} ==="
-          docker compose -f "$COMPOSE_FILE" -p "$COMPOSE_PROJECT" up --build -d --remove-orphans
+          docker build -t "$IMAGE:latest" -t "$IMAGE:${{ gitea.sha }}" ./app
+          docker push "$IMAGE:latest"
+          docker push "$IMAGE:${{ gitea.sha }}"
 
-      - name: Show health
+      - name: Trigger Portainer redeploy
         run: |
-          sleep 3
-          docker compose -f "$COMPOSE_FILE" -p "$COMPOSE_PROJECT" ps
-          docker exec "$COMPOSE_PROJECT" python -c "import urllib.request; print(urllib.request.urlopen('http://127.0.0.1:8000/healthz', timeout=3).read().decode())" || true
+          curl -sk -X POST --fail "${{ secrets.PORTAINER_WEBHOOK_URL }}"
 
       - name: Prune dangling images
         run: docker image prune -f
diff --git a/docker-compose.yml b/docker-compose.yml
index 7f0e971..c74df93 100644
--- a/docker-compose.yml
+++ b/docker-compose.yml
@@ -1,8 +1,6 @@
 services:
   crowdsec-admin:
-    build:
-      context: ./app
-    image: crowdsec-admin:local
+    image: git.domverse-berlin.eu/ci/crowdsec-admin/app:${TAG:-latest}
     container_name: crowdsec-admin
     restart: unless-stopped
     networks:
@@ -21,7 +19,7 @@ services:
       - "traefik.http.routers.crowdsec-admin.rule=Host(`crowdsec.domverse-berlin.eu`)"
       - "traefik.http.routers.crowdsec-admin.entrypoints=https"
       - "traefik.http.routers.crowdsec-admin.tls.certresolver=http"
-      - "traefik.http.routers.crowdsec-admin.middlewares=authentik@docker"
+      - "traefik.http.routers.crowdsec-admin.middlewares=crowdsec@file,authentik@docker"
       - "traefik.http.services.crowdsec-admin.loadbalancer.server.port=8000"
 
       - "kuma.crowdsec-admin.http.name=CrowdSec Admin"