diff --git a/.gitea/workflows/gateway-build.yml b/.gitea/workflows/gateway-build.yml index 55de0ff..ba79f28 100644 --- a/.gitea/workflows/gateway-build.yml +++ b/.gitea/workflows/gateway-build.yml @@ -1,4 +1,4 @@ -name: Build Gateway Image +name: Build and Deploy Gateway on: push: @@ -9,19 +9,24 @@ env: DEPLOY_PATH: /opt/vpn-proxy jobs: - build: - runs-on: ubuntu-latest + build-and-deploy: + runs-on: lxc-111 steps: - name: Clone repository env: GIT_TOKEN: ${{ secrets.REGISTRY_TOKEN }} run: | + set -euo pipefail SERVER_HOST=$(echo "${{ gitea.server_url }}" | sed 's|https\?://||') - git clone --depth 2 "http://${{ gitea.actor }}:${GIT_TOKEN}@${SERVER_HOST}/${{ gitea.repository }}.git" . + rm -rf repo + git clone --depth 2 "http://${{ gitea.actor }}:${GIT_TOKEN}@${SERVER_HOST}/${{ gitea.repository }}.git" repo + cd repo git checkout ${{ gitea.sha }} - name: Build and push gateway image run: | + set -euo pipefail + cd repo REGISTRY_HOST=$(echo "${{ gitea.server_url }}" | sed 's|https\?://||') IMAGE="${REGISTRY_HOST}/${{ gitea.repository }}/gateway" 
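Review bot: The new clone line in "Clone repository" still embeds `${GIT_TOKEN}` in the remote URL, and with the job moved to `lxc-111` that URL is stored in `repo/.git/config` on the deploy host until the next run's `rm -rf repo`. The added `rm -rf repo` suggests the workspace persists between runs, so the token would sit on disk in between. Adding `git remote set-url origin "http://${SERVER_HOST}/${{ gitea.repository }}.git"` right after the checkout would strip the credential while leaving the checkout usable for the later `cd repo` steps. The scheme is also hard-coded to `http://` even though the `sed` strips either scheme from `gitea.server_url`, so the token is sent in cleartext unless the instance really is HTTP-only; reusing the scheme from `gitea.server_url` would avoid that.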
@@ -30,71 +35,10 @@ jobs: docker push "${IMAGE}:latest" docker push "${IMAGE}:${{ gitea.sha }}" - deploy: - needs: build - runs-on: lxc-111 - steps: - name: Deploy gateway to LXC 111 run: | set -euo pipefail - + cd repo REGISTRY_HOST=$(echo "${{ gitea.server_url }}" | sed 's|https\?://||') IMAGE="${REGISTRY_HOST}/${{ gitea.repository }}/gateway" - - echo "Logging into registry..." - echo "${{ secrets.REGISTRY_TOKEN }}" | docker login "$REGISTRY_HOST" -u "${{ gitea.actor }}" --password-stdin - - echo "Preparing deploy directory: ${{ env.DEPLOY_PATH }}" - mkdir -p "${{ env.DEPLOY_PATH }}" - - cat > "${{ env.DEPLOY_PATH }}/docker-compose.server.yml" < "${{ env.DEPLOY_PATH }}/.env" <<'EOF' - PORT=3456 - PROXY_PORT=8080 - TPROXY_PORT=7895 - TPROXY_MARK=1 - TPROXY_TABLE=100 - TPROXY_CHAIN=VPN_PROXY_TPROXY - ROUTING_RU_DIRECT=true - LOG_LEVEL=info - EOF - echo "Created default .env. Existing deployments can edit ${{ env.DEPLOY_PATH }}/.env and it will be preserved." - else - echo "Preserving existing .env" - fi - - cd "${{ env.DEPLOY_PATH }}" - - echo "Pulling latest image..." - docker compose -f docker-compose.server.yml pull - - echo "Starting gateway..." - docker compose -f docker-compose.server.yml up -d - - echo "Current container:" - docker ps --filter "name=vpn-proxy-gateway" + DEPLOY_PATH="${{ env.DEPLOY_PATH }}" GATEWAY_IMAGE="${IMAGE}:latest" bash scripts/deploy-gateway.sh diff --git a/scripts/deploy-gateway.sh b/scripts/deploy-gateway.sh new file mode 100644 index 0000000..be56a51 --- /dev/null +++ b/scripts/deploy-gateway.sh 
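Review bot: The deploy step passes `GATEWAY_IMAGE="${IMAGE}:latest"`, a mutable tag, although the preceding step in the same job also pushes `${IMAGE}:${{ gitea.sha }}`. If two runs overlap, or `latest` is re-pushed from anywhere else, the host can start an image that was not built from the commit this run checked out. Passing the commit tag ties the deployment to this build: `GATEWAY_IMAGE="${IMAGE}:${{ gitea.sha }}"`. The removed `docker login` also means the pull now relies on registry credentials set up earlier in the job, which is outside this hunk, so confirm the login is still performed before the script runs.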
@@ -0,0 +1,60 @@ +#!/usr/bin/env bash +set -euo pipefail + +DEPLOY_PATH="${DEPLOY_PATH:-/opt/vpn-proxy}" +GATEWAY_IMAGE="${GATEWAY_IMAGE:?GATEWAY_IMAGE is required}" + +echo "Preparing deploy directory: ${DEPLOY_PATH}" +mkdir -p "${DEPLOY_PATH}" + +cat > "${DEPLOY_PATH}/docker-compose.server.yml" < "${DEPLOY_PATH}/.env" <<'EOF' +PORT=3456 +PROXY_PORT=8080 +TPROXY_PORT=7895 +TPROXY_MARK=1 +TPROXY_TABLE=100 +TPROXY_CHAIN=VPN_PROXY_TPROXY +ROUTING_RU_DIRECT=true +LOG_LEVEL=info +EOF + echo "Created default .env. Edit ${DEPLOY_PATH}/.env if this server needs different ports." +else + echo "Preserving existing .env" +fi + +cd "${DEPLOY_PATH}" + +echo "Pulling image: ${GATEWAY_IMAGE}" +docker compose -f docker-compose.server.yml pull + +echo "Starting gateway..." +docker compose -f docker-compose.server.yml up -d + +echo "Current container:" +docker ps --filter "name=vpn-proxy-gateway"
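Review bot: After `docker compose ... pull` the script logs only the tag it was given, so the deploy log does not record which image content actually went live. The closing `docker ps --filter "name=vpn-proxy-gateway"` prints a listing but does not show a digest. Logging the resolved digest after the pull gives an audit trail for later incident review, for example `docker image inspect --format '{{index .RepoDigests 0}}' "${GATEWAY_IMAGE}"`. This assumes the generated compose file references `${GATEWAY_IMAGE}`; the heredoc body is not visible in this view. A short header comment stating that `GATEWAY_IMAGE` is required and that `docker-compose.server.yml` is overwritten on every run while `.env` is preserved would also help operators.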