diff --git a/.gitea/workflows/deploy.yml b/.gitea/workflows/deploy.yml
index 148b1e1..9b2b61b 100644
--- a/.gitea/workflows/deploy.yml
+++ b/.gitea/workflows/deploy.yml
@@ -24,6 +24,8 @@ jobs:
 with:
 context: .
 push: true
+ build-args: |
+ PB_PUBLIC_URL=${{ vars.PB_PUBLIC_URL }}
 tags: |
 docker.allmy.work/${{ gitea.repository }}:latest
 docker.allmy.work/${{ gitea.repository }}:${{ gitea.sha }}
diff --git a/Dockerfile b/Dockerfile
index f9b39dc..cb57248 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -7,6 +7,8 @@ RUN yarn install --immutable
 FROM node:22-alpine AS builder
 WORKDIR /app
 RUN corepack enable
+ARG PB_PUBLIC_URL
+ENV PB_PUBLIC_URL=$PB_PUBLIC_URL
 COPY --from=deps /app/node_modules ./node_modules
 COPY . .
 ENV NEXT_TELEMETRY_DISABLED=1
@@ -22,6 +24,7 @@ RUN addgroup -S -g 1001 nodejs && adduser -S -u 1001 -G nodejs nextjs
 COPY --from=builder /app/public ./public
 COPY --from=builder --chown=nextjs:nodejs /app/.next/standalone ./
 COPY --from=builder --chown=nextjs:nodejs /app/.next/static ./.next/static
+RUN mkdir -p .next/cache && chown -R nextjs:nodejs .next/cache
 USER nextjs
 EXPOSE 3000
 CMD ["node", "server.js"]
\ No newline at end of file
diff --git a/next.config.ts b/next.config.ts
index 0549719..a395085 100644
--- a/next.config.ts
+++ b/next.config.ts
@@ -1,8 +1,10 @@
 import type { NextConfig } from 'next';
-/* PocketBase origin — used to allowlist remote images.
- * PB_HOSTNAME and PB_PORT are server-only env vars; safe to read here. */
-const pbHostname = process.env.PB_HOSTNAME ?? '127.0.0.1';
+/* Public PocketBase host for the image optimizer allowlist.
+ * Derived from PB_PUBLIC_URL (e.g. https://cms.allmy.work) at BUILD time —
+ * remotePatterns is frozen into the build, so PB_PUBLIC_URL must be present
+ * during `next build` in CI (via build-arg), not just at runtime. */
+const pbPublicHost = process.env.PB_PUBLIC_URL ? new URL(process.env.PB_PUBLIC_URL).hostname : '127.0.0.1';
 const nextConfig: NextConfig = {
 output: 'standalone',
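Review bot: The `build-args` block added under `with:` carries no comment saying it is for non-secret values only, so a later editor could reasonably add a token next to `PB_PUBLIC_URL`. Build arguments are not a secret channel: they can surface in build cache and image metadata, and this one is frozen into the compiled Next.js output by design, so `vars.` is the right source here and anything from `secrets.` should go through a build secret mount instead. I would add `# build-args are baked into the image: public values only, never secrets.*` above `build-args:`, and the same reminder above `ARG PB_PUBLIC_URL` in the first Dockerfile hunk.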
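Review bot: The added `RUN mkdir -p .next/cache && chown -R nextjs:nodejs .next/cache` has no comment saying what writes there, which makes it an easy target for a later cleanup. Presumably it is the Next.js server's runtime cache, which the unprivileged `nextjs` user could not otherwise create; a line such as `# writable cache dir for the non-root runtime user` above it would record the intent. If the container is ever run with a read-only root filesystem, this is at least one path that will need a writable mount.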
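Review bot: When `PB_PUBLIC_URL` is unset or empty, the ternary that defines `pbPublicHost` silently falls back to `'127.0.0.1'`, so a CI build where `vars.PB_PUBLIC_URL` is missing still succeeds and ships an image-optimizer allowlist pointing at loopback instead of the CMS host. A malformed value already fails the build because `new URL()` throws; a missing one should fail too outside local development, for example `if (!process.env.PB_PUBLIC_URL && process.env.NODE_ENV === 'production') throw new Error('PB_PUBLIC_URL must be set at build time');` placed before the `const`. Only `hostname` is taken from the URL while `protocol` stays hard-coded to `'https'` in the second hunk, so an `http://` value would yield a pattern that never matches; a short comment stating that the URL must be https would help.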
@@ -11,7 +13,7 @@ const nextConfig: NextConfig = {
 remotePatterns: [
 {
 protocol: 'https',
- hostname: pbHostname,
+ hostname: pbPublicHost,
 pathname: '/api/files/**',
 },
 ],