diff --git a/DEPLOY.md b/DEPLOY.md
index 794bb90..a43b223 100644
--- a/DEPLOY.md
+++ b/DEPLOY.md
@@ -7,7 +7,7 @@ TLS for `hamkadr.ir` and reverse-proxies to the app.
 ## Architecture & open ports
 ```
-Internet ──443/80──► nginx (host, existing) ──► 127.0.0.1:8090 ──► hamkadr_api (container :8080)
+Internet ──443/80──► nginx (host, existing) ──► 127.0.0.1:2569 ──► hamkadr_api (container :8080)
 │ internal docker net
 ▼
 hamkadr_db (postgres, no host port)
@@ -18,7 +18,7 @@ Internet ──443/80──► nginx (host, existing) ──► 127.0.0.1:8090
 | 22 | ✅ (ideally IP-restricted) | SSH |
 | 80 | ✅ | HTTP → 443 redirect + Let's Encrypt ACME |
 | 443 | ✅ | HTTPS `hamkadr.ir` |
-| 8090 | ❌ host-localhost only | app, reached only by nginx |
+| 2569 | ❌ host-localhost only | app, reached only by nginx |
 | 5432 | ❌ internal docker net only | Postgres — never published |
 `ufw` should be exactly: `allow 22, 80, 443`. Nothing else. (80/443 are already open since nginx
@@ -56,7 +56,7 @@ Set at `https://git.soroushasadi.com/soroushdes/hamkadr/settings/secrets` → ke
 ```dotenv
 # host port nginx proxies to (must match deploy/nginx-hamkadr.ir.conf)
-HOST_PORT=8090
+HOST_PORT=2569
 # Postgres — generate a strong password: openssl rand -hex 24
 POSTGRES_DB=hamkadr
diff --git a/deploy/nginx-hamkadr.ir.conf b/deploy/nginx-hamkadr.ir.conf
index c2740bc..4eb544b 100644
--- a/deploy/nginx-hamkadr.ir.conf
+++ b/deploy/nginx-hamkadr.ir.conf
@@ -5,16 +5,16 @@
 # sudo nginx -t && sudo systemctl reload nginx
 # sudo certbot --nginx -d hamkadr.ir -d www.hamkadr.ir # adds the :443 server + HTTP→HTTPS redirect
 #
-# The port below MUST match HOST_PORT in the Gitea ENV_FILE secret (default 8090).
+# The port below MUST match HOST_PORT in the Gitea ENV_FILE secret (default 2569).
 server {
 listen 80;
 listen [::]:80;
 server_name hamkadr.ir www.hamkadr.ir;
- # The app binds 127.0.0.1:8090 (docker-compose.yml, service "api") — never exposed publicly.
+ # The app binds 127.0.0.1:2569 (docker-compose.yml, service "api") — never exposed publicly.
 location / {
- proxy_pass http://127.0.0.1:8090;
+ proxy_pass http://127.0.0.1:2569;
 proxy_http_version 1.1;
 proxy_set_header Host $host;
 proxy_set_header X-Real-IP $remote_addr;
diff --git a/docker-compose.yml b/docker-compose.yml
index 4228721..8e1d452 100644
--- a/docker-compose.yml
+++ b/docker-compose.yml
@@ -17,7 +17,7 @@ services:
 db:
 condition: service_healthy
 ports:
- - "127.0.0.1:${HOST_PORT:-8090}:8080" # localhost-only; nginx proxies hamkadr.ir → here
+ - "127.0.0.1:${HOST_PORT:-2569}:8080" # localhost-only; nginx proxies hamkadr.ir → here
 environment:
 ASPNETCORE_ENVIRONMENT: "Production"
 ASPNETCORE_URLS: "http://+:8080"
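Review bot: The rewritten comment `# The port below MUST match HOST_PORT in the Gitea ENV_FILE secret (default 2569).` records the new default but not that the secret is maintained out of band, so an ENV_FILE still carrying `HOST_PORT=8090` would leave `proxy_pass http://127.0.0.1:2569;` pointing at a port nothing listens on — every request becomes a 502 rather than a silent fallback, because the compose default only applies when the variable is unset. Consider extending the comment with `# Changing this port requires updating HOST_PORT in the Gitea ENV_FILE secret in the same rollout; after deploy, confirm the listener with: ss -ltn | grep 127.0.0.1:2569`. The `server {` block and its `location /` continue past the end of the hunk, so the remaining proxy headers were not reviewed here.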
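Review bot: The fallback in `- "127.0.0.1:${HOST_PORT:-2569}:8080"` repeats the port a third time alongside `deploy/nginx-hamkadr.ir.conf` and DEPLOY.md, so a missing or drifted secret surfaces only as a 502 at nginx instead of at `docker compose up`. Since DEPLOY.md states HOST_PORT is always supplied through the ENV_FILE secret, the required-variable form would make that drift loud: `- "127.0.0.1:${HOST_PORT:?set HOST_PORT to match deploy/nginx-hamkadr.ir.conf}:8080"`. Whichever form is kept, the `127.0.0.1:` prefix is what keeps the container port off the public interface and should stay in any rewrite.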