diff --git a/Dockerfile b/Dockerfile
index fbceca6..3499648 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -1,5 +1,5 @@
 # ── Stage 1: install dependencies ────────────────────────────────────────────
-FROM node:20-alpine AS deps
+FROM mirror.soroushasadi.com/node:20-alpine AS deps
 RUN apk add --no-cache libc6-compat
 WORKDIR /app
 
@@ -18,7 +18,7 @@ RUN for i in 1 2 3 4 5; do \
     echo "npm ci failed after 5 attempts" && exit 1
 
 # ── Stage 2: build ───────────────────────────────────────────────────────────
-FROM node:20-alpine AS builder
+FROM mirror.soroushasadi.com/node:20-alpine AS builder
 WORKDIR /app
 
 COPY --from=deps /app/node_modules ./node_modules
@@ -51,7 +51,7 @@ ENV NODE_ENV=production
 RUN npm run build
 
 # ── Stage 3: production runner ────────────────────────────────────────────────
-FROM node:20-alpine AS runner
+FROM mirror.soroushasadi.com/node:20-alpine AS runner
 WORKDIR /app
 
 ENV NODE_ENV=production
diff --git a/services/content/Dockerfile b/services/content/Dockerfile
index d42a413..1d96735 100644
--- a/services/content/Dockerfile
+++ b/services/content/Dockerfile
@@ -4,7 +4,7 @@ EXPOSE 8080
 # The .NET base image ships neither wget nor curl, which the container healthcheck needs.
 # Copy a single static busybox binary named `wget` (busybox dispatches on argv[0]).
 # This stays fully offline — no apt/network — matching the vendored Go builds.
-COPY --from=busybox:1.36 /bin/busybox /usr/bin/wget
+COPY --from=mirror.soroushasadi.com/busybox:1.36 /bin/busybox /usr/bin/wget
 
 FROM mcr.microsoft.com/dotnet/sdk:10.0 AS build
 WORKDIR /src
diff --git a/services/file/Dockerfile b/services/file/Dockerfile
index 03b2612..6363e0b 100644
--- a/services/file/Dockerfile
+++ b/services/file/Dockerfile
@@ -1,10 +1,11 @@
-FROM golang:1.25-alpine AS build
+FROM mirror.soroushasadi.com/golang:1.25-alpine AS build
+ENV GOPROXY=https://mirror.kargadan.ir/repository/go-group/ GOSUMDB=off
 WORKDIR /src
 # Dependencies are vendored — build fully offline (proxy.golang.org is geo-blocked from some regions)
 COPY . .
 RUN CGO_ENABLED=0 GOOS=linux go build -mod=vendor -o /file-svc ./cmd/server
 
-FROM alpine:3.20
+FROM mirror.soroushasadi.com/alpine:3.20
 RUN apk add --no-cache ca-certificates tzdata
 COPY --from=build /file-svc /file-svc
 EXPOSE 8080
diff --git a/services/gateway/Dockerfile b/services/gateway/Dockerfile
index 377fe61..ae094f7 100644
--- a/services/gateway/Dockerfile
+++ b/services/gateway/Dockerfile
@@ -1,10 +1,12 @@
-FROM golang:1.25-alpine AS builder
+FROM mirror.soroushasadi.com/golang:1.25-alpine AS builder
+# Go module/toolchain fetches via the kargadan Nexus (proxy.golang.org geo-blocked).
+ENV GOPROXY=https://mirror.kargadan.ir/repository/go-group/ GOSUMDB=off
 WORKDIR /app
 # Dependencies are vendored — build fully offline (proxy.golang.org is geo-blocked from some regions)
 COPY . .
 RUN CGO_ENABLED=0 GOOS=linux go build -mod=vendor -ldflags="-s -w" -o gateway ./cmd/server
 
-FROM alpine:3.20
+FROM mirror.soroushasadi.com/alpine:3.20
 RUN apk add --no-cache ca-certificates tzdata
 WORKDIR /app
 COPY --from=builder /app/gateway .
diff --git a/services/identity/Dockerfile b/services/identity/Dockerfile
index 31160d1..ad9e6dc 100644
--- a/services/identity/Dockerfile
+++ b/services/identity/Dockerfile
@@ -4,7 +4,7 @@ EXPOSE 8080
 # The .NET base image ships neither wget nor curl, which the container healthcheck needs.
 # Copy a single static busybox binary named `wget` (busybox dispatches on argv[0]).
 # This stays fully offline — no apt/network — matching the vendored Go builds.
-COPY --from=busybox:1.36 /bin/busybox /usr/bin/wget
+COPY --from=mirror.soroushasadi.com/busybox:1.36 /bin/busybox /usr/bin/wget
 
 FROM mcr.microsoft.com/dotnet/sdk:10.0 AS build
 WORKDIR /src
diff --git a/services/notification/Dockerfile b/services/notification/Dockerfile
index 682427d..c5ebc36 100644
--- a/services/notification/Dockerfile
+++ b/services/notification/Dockerfile
@@ -1,10 +1,11 @@
-FROM golang:1.25-alpine AS builder
+FROM mirror.soroushasadi.com/golang:1.25-alpine AS builder
+ENV GOPROXY=https://mirror.kargadan.ir/repository/go-group/ GOSUMDB=off
 WORKDIR /app
 # Dependencies are vendored — build fully offline (proxy.golang.org is geo-blocked from some regions)
 COPY . .
 RUN CGO_ENABLED=0 GOOS=linux go build -mod=vendor -ldflags="-s -w" -o notification-svc ./cmd/server
 
-FROM alpine:3.20
+FROM mirror.soroushasadi.com/alpine:3.20
 RUN apk add --no-cache ca-certificates tzdata
 WORKDIR /app
 COPY --from=builder /app/notification-svc .
diff --git a/services/render/Dockerfile b/services/render/Dockerfile
index a99dcbc..c6b7747 100644
--- a/services/render/Dockerfile
+++ b/services/render/Dockerfile
@@ -1,10 +1,11 @@
-FROM golang:1.25-alpine AS builder
+FROM mirror.soroushasadi.com/golang:1.25-alpine AS builder
+ENV GOPROXY=https://mirror.kargadan.ir/repository/go-group/ GOSUMDB=off
 WORKDIR /app
 # Dependencies are vendored — build fully offline (proxy.golang.org is geo-blocked from some regions)
 COPY . .
 RUN CGO_ENABLED=0 GOOS=linux go build -mod=vendor -ldflags="-s -w" -o render-svc ./cmd/server
 
-FROM alpine:3.20
+FROM mirror.soroushasadi.com/alpine:3.20
 RUN apk add --no-cache ca-certificates tzdata
 WORKDIR /app
 COPY --from=builder /app/render-svc .
diff --git a/services/studio/Dockerfile b/services/studio/Dockerfile
index e7b7e53..9e53ff7 100644
--- a/services/studio/Dockerfile
+++ b/services/studio/Dockerfile
@@ -4,7 +4,7 @@ EXPOSE 8080
 # The .NET base image ships neither wget nor curl, which the container healthcheck needs.
 # Copy a single static busybox binary named `wget` (busybox dispatches on argv[0]).
 # This stays fully offline — no apt/network — matching the vendored Go builds.
-COPY --from=busybox:1.36 /bin/busybox /usr/bin/wget
+COPY --from=mirror.soroushasadi.com/busybox:1.36 /bin/busybox /usr/bin/wget
 
 FROM mcr.microsoft.com/dotnet/sdk:10.0 AS build
 WORKDIR /src