diff --git a/.gitea/workflows/ci-cd.yml b/.gitea/workflows/ci-cd.yml
index 7298da5..269d6a0 100644
--- a/.gitea/workflows/ci-cd.yml
+++ b/.gitea/workflows/ci-cd.yml
@@ -39,27 +39,38 @@ jobs:
           git fetch --depth=1 origin "${REF}"
           git checkout FETCH_HEAD
 
-      - name: Write NuGet config (Nexus)
+      - name: Write NuGet config (Liara primary; Nexus optional)
+        # NOTE: mirror.soroushasadi.com currently serves an incomplete TLS chain
+        # (leaf only, no intermediate). .NET on Linux does NOT auto-fetch the
+        # intermediate via AIA the way Windows does, so it fails with PartialChain.
+        # Liara serves a complete chain, so it is the deterministic source here.
+        # Re-add Nexus once nginx points ssl_certificate at fullchain.pem.
         run: |
           cat > /tmp/nuget.ci.config << 'EOF'
           <?xml version="1.0" encoding="utf-8"?>
           <configuration>
             <packageSources>
               <clear />
-              <add key="nexus"
-                   value="https://mirror.soroushasadi.com/repository/nuget-group/index.json"
+              <add key="liara"
+                   value="https://package-mirror.liara.ir/repository/nuget/index.json"
                    protocolVersion="3" />
             </packageSources>
+            <config>
+              <add key="http_retry_count" value="6" />
+              <add key="http_retry_delay_milliseconds" value="1000" />
+            </config>
           </configuration>
           EOF
 
       - name: Restore
-        run: dotnet restore src/JobsMedical.Web/JobsMedical.Web.csproj --configfile /tmp/nuget.ci.config
+        # NuGetAudit=false: the audit pings api.nuget.org for CVE data, which is
+        # filtered in Iran (100s timeout + NU1900 noise). The mirror has the packages.
+        run: dotnet restore src/JobsMedical.Web/JobsMedical.Web.csproj --configfile /tmp/nuget.ci.config -p:NuGetAudit=false
         env:
           DOTNET_CLI_TELEMETRY_OPTOUT: 1
 
       - name: Build
-        run: dotnet build src/JobsMedical.Web/JobsMedical.Web.csproj --no-restore -c Release
+        run: dotnet build src/JobsMedical.Web/JobsMedical.Web.csproj --no-restore -c Release -p:NuGetAudit=false
 
   # ── CD: build image → deploy on the server (push to main only) ────────────────
   deploy:
diff --git a/Dockerfile b/Dockerfile
index 49629bd..c7eb973 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -3,9 +3,9 @@ FROM mirror.soroushasadi.com/dotnet/sdk:10.0 AS build
 WORKDIR /src
 COPY nuget.docker.config /tmp/nuget.config
 COPY src/ ./src/
-RUN dotnet restore src/JobsMedical.Web/JobsMedical.Web.csproj --configfile /tmp/nuget.config
+RUN dotnet restore src/JobsMedical.Web/JobsMedical.Web.csproj --configfile /tmp/nuget.config -p:NuGetAudit=false
 RUN dotnet publish src/JobsMedical.Web/JobsMedical.Web.csproj -c Release -o /out --no-restore \
-    /p:UseAppHost=false
+    /p:UseAppHost=false /p:NuGetAudit=false
 
 FROM mirror.soroushasadi.com/dotnet/aspnet:10.0
 WORKDIR /app
diff --git a/nuget.docker.config b/nuget.docker.config
index 32e0817..7b2da98 100644
--- a/nuget.docker.config
+++ b/nuget.docker.config
@@ -1,9 +1,17 @@
 <?xml version="1.0" encoding="utf-8"?>
+<!--
+  NuGet source for the Docker image build (Linux .NET — runs `dotnet restore`
+  inside the SDK container). Uses the Liara mirror because it serves a complete
+  TLS chain. mirror.soroushasadi.com currently serves a leaf-only chain, which
+  .NET on Linux rejects with PartialChain (Windows auto-fetches the missing
+  intermediate via AIA; Linux does not). Re-add Nexus once nginx serves
+  fullchain.pem for mirror.soroushasadi.com.
+-->
 <configuration>
   <packageSources>
     <clear />
-    <add key="nexus"
-         value="https://mirror.soroushasadi.com/repository/nuget-group/index.json"
+    <add key="liara"
+         value="https://package-mirror.liara.ir/repository/nuget/index.json"
          protocolVersion="3" />
   </packageSources>
   <config>