diff --git a/secrets/mcp.yaml b/secrets/mcp.yaml
index df6e7c2..ad6d12d 100644
--- a/secrets/mcp.yaml
+++ b/secrets/mcp.yaml
@@ -16,6 +16,7 @@ traefik:
 oauth2-plugin-secret: ENC[AES256_GCM,data:sArqwKHAdW35o5kD7DGfXSYCXFUXqvKQdoVnXutsNLw=,iv:qWf597QS3BqkVQkeAb99HbpDB0kUhdD+qKdpUPZEB0o=,tag:vXnb93npaklItWkMZ+/M9Q==,type:str]
 deploy-key:
 terakoda.com: ENC[AES256_GCM,data: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,iv:99AI3rnNjt9XqXJHnQ3DAEFm90h465ymjNWEpsWvRnM=,tag:96dnIojTXXONozgYDFwcBA==,type:str]
+ dm.terakoda.com: ENC[AES256_GCM,data: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,iv:ysnpaSDWG+YuqV2QOt3W6CfU8C5cThd1MzDwqzadCbQ=,tag:X9fjM4LhZe2XwG0OxnyoSA==,type:str]
 sops:
 age:
 - recipient: age1yvdzvuvu5wqztcx6ll2xk6x547uuyqy735tjjdd7zftkz53jsf9qf5ahue
@@ -36,7 +37,7 @@ sops:
 by9aNFY4dXNxaWxnTXFTQS9reHhuQWMKh5rZ93nFtBV9EpFVRp+E+GXZ6xzVy2Jw
 vFh4deGcAb60q4odSaeWfk1Dr7L9Ua69oK9omjbCNUt+P7Kwlfca7Q==
 -----END AGE ENCRYPTED FILE-----
- lastmodified: "2025-06-04T22:56:20Z"
- mac: ENC[AES256_GCM,data:EOPjNLAQRvi2FgmYwHST1eZDj1lMT4+Nwi5YS8yJI7w2Y8pkBiKx1JqMzNW7DSmwIf8J7TCmK+7bmJPF+WyLPous8B920zbn9Rt8ttLpSRBOHCReH9k3FwYAtAkYYCMB2oeDkpWjTnU2xeUh/FqOkRInw98sy3EO0HPEtXdPrng=,iv:17nuB8ders0PI92BrWX3mwuxqDafckM9Reu+wiRo5/0=,tag:mirzSqpscIrDp7vZwX0+NQ==,type:str]
+ lastmodified: "2025-06-15T03:39:30Z"
+ mac: ENC[AES256_GCM,data:NM96EJZf1MauW3RPd9G3GiI3sA4K05VnfS9yakBaToecTMrWpAPZ278faqvU8VocRb4GvMVHvTONGJ2G8d3GHboq+E3MGMopZBkbbDTTuc5KSaL4yOJz9iHrC6BOwWbovFOBKFt708Qq1Y9Gep0feGfy9zYiIqd0Ltnc5X2QXXY=,iv:1qlIilZ4PmnYNXV5G8xifCL1ym4rJgfgjMADnN/cOEw=,tag:onA5AW9VdL5n1aUiHVHN9A==,type:str]
 unencrypted_suffix: _unencrypted
 version: 3.10.2
diff --git a/system/hosts/mcp/containers/dm-companion.nix b/system/hosts/mcp/containers/dm-companion.nix
index 911c789..7885be0 100644
--- a/system/hosts/mcp/containers/dm-companion.nix
+++ b/system/hosts/mcp/containers/dm-companion.nix
@@ -1,6 +1,6 @@
 { config, ... }:
 let
- inherit (import ./lib.nix config) mkContainer localHostRule havenisms;
+ inherit (import ./lib.nix config) mkContainer localHostRule terakoda;
 in
 {
 virtualisation.oci-containers.containers = {
@@ -14,22 +14,27 @@ in port = 8080; volumes = [ "dm-companion:/pb/pb_data" + "/tank/web/dm.terakoda.com/pb_migrations:/pb/pb_migrations:ro" ]; environment = { }; extraLabels = { "traefik.http.routers.${hostName}-api.rule" = - "PathPrefix(`/api`) && ${localHostRule "dm" havenisms}"; + "PathPrefix(`/api`) && ${localHostRule "dm" terakoda}"; "traefik.http.routers.${hostName}-api.service" = "${hostName}"; }; }; + dm-companion = mkContainer { + image = "nginx:alpine"; hostName = "dm"; - image = "docker.havenisms.com/lazy-dm/app"; + domain = terakoda; port = 80; dependsOn = [ "dm-companion-pocketbase" ]; - volumes = [ ]; + volumes = [ + "/tank/web/dm.terakoda.com/dist:/usr/share/nginx/html:ro" + ]; }; }; }
diff --git a/system/hosts/mcp/static-site-hooks.nix b/system/hosts/mcp/static-site-hooks.nix
index 155088e..c3a00f9 100644
--- a/system/hosts/mcp/static-site-hooks.nix
+++ b/system/hosts/mcp/static-site-hooks.nix
@@ -6,7 +6,7 @@ let testHook = with pkgs; writeShellApplication { - name = "deploy-astro-app"; + name = "build-npm-app"; runtimeInputs = [ openssh gitFull 
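Review bot: `image = "nginx:alpine";` in the `dm-companion` container is a floating tag, so the image actually served changes on every pull and the deployment is no longer reproducible from this commit; pin it to a digest, e.g. `image = "nginx:alpine@sha256:<DIGEST-placeholder>";`, and bump the pin deliberately. Both new bind mounts are read-only, which is right, but they point into `/tank/web/dm.terakoda.com`, which appears to be the tree the webhook build writes to, so whoever can trigger that hook controls the served site and, through `pb_migrations`, the migration files PocketBase applies on start; that deserves a comment on the `pb_migrations` line, e.g. `# migrations come from the webhook build tree and run inside PocketBase on start`. The `dm-companion-pocketbase` attrset this hunk edits begins before the hunk.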
@@ -43,50 +43,67 @@ in restartUnits = [ "webhook.service" ]; owner = config.users.users.webhook.name; }; + "deploy-key/dm.terakoda.com" = { + restartUnits = [ "webhook.service" ]; + owner = config.users.users.webhook.name; + }; }; - services.webhook = { - enable = true; - verbose = true; - port = 9000; - openFirewall = true; - hooks = { - "deploy-terakoda-com" = { - id = "deploy-terakoda-com"; - http-methods = [ "POST" ]; - command-working-directory = "/tank/web/terakoda.com"; - include-command-output-in-response-on-error = true; - execute-command = "${testHook}/bin/deploy-astro-app"; - trigger-rule-mismatch-http-response-code = 400; - trigger-rule = { - or = [ - # There were some issues getting the payload signature validation to work. - # Switching to only accepting requests from internal IPs. - # { - # match = { - # type = "payload-hmac-sha1"; - # secret = "mysecret"; - # parameter = { - # source = "header"; - # name = "X-Hub-Signature"; - # }; - # }; - # } - { - match = { - type = "ip-whitelist"; - ip-range = "192.168.0.0/16"; - }; - } - { - match = { - type = "ip-whitelist"; - ip-range = "10.88.0.0/16"; - }; - } - ]; + services.webhook = + let + trigger-rule = { + or = [ + # There were some issues getting the payload signature validation to work. + # Switching to only accepting requests from internal IPs. 
+ # { + # match = { + # type = "payload-hmac-sha1"; + # secret = "mysecret"; + # parameter = { + # source = "header"; + # name = "X-Hub-Signature"; + # }; + # }; + # } + { + match = { + type = "ip-whitelist"; + ip-range = "192.168.0.0/16"; + }; + } + { + match = { + type = "ip-whitelist"; + ip-range = "10.88.0.0/16"; + }; + } + ]; + }; + in + { + enable = true; + verbose = true; + port = 9000; + openFirewall = true; + hooks = { + "deploy-terakoda-com" = { + id = "deploy-terakoda-com"; + http-methods = [ "POST" ]; + command-working-directory = "/tank/web/terakoda.com"; + include-command-output-in-response-on-error = true; + execute-command = "${testHook}/bin/build-npm-app"; + trigger-rule-mismatch-http-response-code = 400; + inherit trigger-rule; + }; + "deploy-dm-terakoda-com" = { + id = "deploy-dm-terakoda-com"; + http-methods = [ "POST" ]; + command-working-directory = "/tank/web/dm.terakoda.com"; + include-command-output-in-response-on-error = true; + execute-command = "${testHook}/bin/build-npm-app"; + trigger-rule-mismatch-http-response-code = 400; + inherit trigger-rule; }; }; }; - }; }
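Review bot: The new `deploy-dm-terakoda-com` hook is reachable by any POST whose source is in 192.168.0.0/16 or 10.88.0.0/16 with no payload authentication — the shared `trigger-rule` still carries the HMAC match only as a comment — and 10.88.0.0/16 is the default Podman container subnet, so every container on this host, including the nginx and PocketBase containers this commit deploys, can start a build that replaces the site. Since the rule is now a single `let` binding used by both hooks, this is the natural place to require a signature as well as a source range: wrap the two ip-whitelist matches in `and` with a `payload-hmac-sha256` match (header name per the sending forge), and keep the secret out of the Nix store, which is world-readable, by loading it from sops rather than inline as the old commented `secret = "mysecret"` did. Stylistically the two hooks differ only in `id` and `command-working-directory`; a small `mkDeployHook = site: { … }` would keep them from drifting. The `services.webhook` attrset this hunk rewrites closes at the hunk's last line, but the enclosing `in { … }` begins before the hunk.
```nix
      trigger-rule = {
        and = [
          {
            or = [
              # … unchanged: the two ip-whitelist matches …
            ];
          }
          {
            match = {
              type = "payload-hmac-sha256";
              secret = "<HMAC-SECRET placeholder: load from sops, never inline>";
              parameter = {
                source = "header";
                name = "X-Hub-Signature-256";
              };
            };
          }
        ];
      };
```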