diff --git a/.gitea/workflows/deploy.yml b/.gitea/workflows/deploy.yml
index 8ac22f9..f149732 100644
--- a/.gitea/workflows/deploy.yml
+++ b/.gitea/workflows/deploy.yml
@@ -5,15 +5,9 @@ on:
     branches:
       - main
   workflow_dispatch:
-    inputs:
-      reason:
-        description: "Reason for manual deploy"
-        required: false
-        default: "manual"
 
 env:
-  COMPOSE_PROJECT: outline-sync
-  COMPOSE_FILE: docker-compose.yml
+  IMAGE: git.domverse-berlin.eu/ci/outline-sync/ui
 
 jobs:
   deploy:
@@ -21,45 +15,26 @@ jobs:
     steps:
       - name: Checkout
         uses: actions/checkout@v4
-        with:
-          token: ${{ secrets.GITEA_TOKEN }}
 
-      - name: Bump patch version
-        if: github.event_name != 'workflow_dispatch'
-        run: |
-          VERSION=$(cat VERSION)
-          MAJOR=$(echo $VERSION | cut -d. -f1)
-          MINOR=$(echo $VERSION | cut -d. -f2)
-          PATCH=$(echo $VERSION | cut -d. -f3)
-          NEW_VERSION="$MAJOR.$MINOR.$((PATCH + 1))"
-          echo $NEW_VERSION > VERSION
-          echo "APP_VERSION=$NEW_VERSION" >> $GITHUB_ENV
-          git config user.email "ci@domverse-berlin.eu"
-          git config user.name "CI"
-          git add VERSION
-          git commit -m "chore: bump version to $NEW_VERSION [skip ci]"
-          git push
+      - name: Login to Gitea registry
+        run: echo "${{ secrets.REGISTRY_TOKEN }}" | docker login git.domverse-berlin.eu -u ci --password-stdin
 
-      - name: Write .env
+      - name: Build and push
         run: |
-          cat > .env << EOF
-          OUTLINE_URL=http://outline:3000
-          OUTLINE_TOKEN=${{ secrets.OUTLINE_TOKEN }}
-          LOCAL_OUTLINE_URL=${{ secrets.LOCAL_OUTLINE_URL }}
-          LOCAL_OUTLINE_TOKEN=${{ secrets.LOCAL_OUTLINE_TOKEN }}
-          LOCAL_OUTLINE_HOST=${{ secrets.LOCAL_OUTLINE_HOST }}
-          TS_AUTHKEY=${{ secrets.TS_AUTHKEY }}
-          EOF
+          docker build --build-arg APP_VERSION="${{ gitea.sha }}" \
+            -t "$IMAGE:latest" -t "$IMAGE:${{ gitea.sha }}" .
+          docker push "$IMAGE:latest"
+          docker push "$IMAGE:${{ gitea.sha }}"
 
-      - name: Deploy with docker compose
+      - name: Trigger Portainer redeploy (retry on transient pull-lease failure)
         run: |
-          APP_VERSION=${APP_VERSION:-$(cat VERSION)}
-          echo "=== Deploying $APP_VERSION (commit ${{ gitea.sha }}) to ${{ gitea.ref_name }} ==="
-          docker compose -f "$COMPOSE_FILE" -p "$COMPOSE_PROJECT" build --build-arg APP_VERSION=$APP_VERSION
-          docker compose -f "$COMPOSE_FILE" -p "$COMPOSE_PROJECT" up -d --remove-orphans
+          for i in 1 2 3; do
+            code=$(curl -sk -X POST -o /dev/null -w '%{http_code}' "${{ secrets.PORTAINER_WEBHOOK_URL }}")
+            echo "attempt $i -> $code"
+            [ "$code" = "204" ] && exit 0
+            sleep 5
+          done
+          exit 1
 
       - name: Prune dangling images
         run: docker image prune -f
-
-      - name: Show running containers
-        run: docker compose -f "$COMPOSE_FILE" -p "$COMPOSE_PROJECT" ps
diff --git a/docker-compose.yml b/docker-compose.yml
index 15660ef..1784497 100644
--- a/docker-compose.yml
+++ b/docker-compose.yml
@@ -29,14 +29,11 @@ services:
       - "traefik.http.routers.outline-sync.rule=Host(`sync.domverse-berlin.eu`)"
       - "traefik.http.routers.outline-sync.entrypoints=https"
       - "traefik.http.routers.outline-sync.tls.certresolver=http"
-      - "traefik.http.routers.outline-sync.middlewares=authentik@docker"
+      - "traefik.http.routers.outline-sync.middlewares=crowdsec@file,authentik@docker"
       - "traefik.http.services.outline-sync.loadbalancer.server.port=8080"
 
   outline-sync-ui:
-    build:
-      context: .
-      args:
-        APP_VERSION: ${APP_VERSION:-dev}
+    image: git.domverse-berlin.eu/ci/outline-sync/ui:${TAG:-latest}
     container_name: outline-sync-ui
     restart: unless-stopped
     depends_on: