diff --git a/.gitea/workflows/build.yaml b/.gitea/workflows/build.yaml
index 00521d0..943e076 100644
--- a/.gitea/workflows/build.yaml
+++ b/.gitea/workflows/build.yaml
@@ -4,18 +4,11 @@ on:
   push:
     branches: [pro-features]
   workflow_dispatch:
-    inputs:
-      version_suffix:
-        description: "Version suffix (e.g. 'cst', 'beta1'). Empty = vanilla."
-        type: string
-        default: "cst"
 
 env:
   # Cargo.lock is lockfile v4, which requires Rust >= 1.78. Upstream's
   # .github/workflows/build.yaml pins 1.90; mirror that here.
   RUST_VERSION: "1.90"
-  VERSION_BASE: "1.1.15"
-  VERSION_SUFFIX: ${{ inputs.version_suffix || 'cst' }}
 
 jobs:
   build-amd64:
@@ -48,32 +41,25 @@ jobs:
             exit 1
           fi
 
-      - name: Compute version strings
+      - name: Read version from Cargo.toml
         shell: bash
         run: |
-          base="${VERSION_BASE}"
-          suffix="${VERSION_SUFFIX}"
-          [[ "$base" =~ ^[0-9]+\.[0-9]+\.[0-9]+$ ]] || {
-            echo "VERSION_BASE '$base' must be major.minor.patch"; exit 1; }
-          if [[ -n "$suffix" ]]; then display="${base}-${suffix}"; else display="${base}"; fi
-          echo "Base    : $base"
-          echo "Suffix  : $suffix"
-          echo "Display : $display"
+          # Single source of truth: the top-level Cargo.toml's first `version =`
+          # line (hbbs package). debian/changelog is patched to match below so
+          # the produced .deb filenames carry the same version.
+          display=$(grep -m1 -E '^version[[:space:]]*=' Cargo.toml \
+                    | sed -E 's/^version[[:space:]]*=[[:space:]]*"([^"]+)".*/\1/')
+          [[ -n "$display" ]] || { echo "Could not read version from Cargo.toml"; exit 1; }
+          echo "Version : $display"
           echo "VERSION_DISPLAY=$display" >> "$GITHUB_ENV"
 
-      - name: Patch Cargo.toml with display version
-        shell: bash
-        run: |
-          sed -i -E "0,/^version[[:space:]]*=/{s/^version[[:space:]]*=[[:space:]]*\"${VERSION_BASE}\"/version = \"${VERSION_DISPLAY}\"/}" Cargo.toml
-          grep '^version' Cargo.toml | head -1
-
       - name: Patch debian/changelog with display version
         shell: bash
         run: |
           # The .deb filename is derived from the first changelog entry's
-          # parenthesized version, NOT from Cargo.toml. Rewrite the leading
-          # entry so the produced .debs carry $VERSION_DISPLAY.
-          sed -i -E "0,/^rustdesk-server \(${VERSION_BASE}\)/{s/^rustdesk-server \(${VERSION_BASE}\)/rustdesk-server (${VERSION_DISPLAY})/}" debian/changelog
+          # parenthesized version, NOT from Cargo.toml. Rewrite whatever
+          # version is in the leading entry to match $VERSION_DISPLAY.
+          sed -i -E "0,/^rustdesk-server \([^)]+\)/{s/^rustdesk-server \([^)]+\)/rustdesk-server (${VERSION_DISPLAY})/}" debian/changelog
           head -1 debian/changelog
 
       - name: Ensure Rust toolchain configured
diff --git a/debian/changelog b/debian/changelog
index eaca93b..cbd4db5 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,4 +1,4 @@
-rustdesk-server (1.1.15) UNRELEASED; urgency=medium
+rustdesk-server (1.1.17-pro) UNRELEASED; urgency=medium
 
   * Fix: 127.0.0.1 is not loopback (#515)
   * Higher default bandwidth
diff --git a/docker-compose.yml b/docker-compose.yml
index 1199ac4..f0eea4e 100644
--- a/docker-compose.yml
+++ b/docker-compose.yml
@@ -1,39 +1,41 @@
-# Builds a minimal debian image that installs the hbbs/hbbr/utils .deb from a
-# Gitea Actions artifact and runs it. Both services share the same image; only
-# the entrypoint command differs.
+# Builds a minimal debian image that, on every container start, pulls the
+# hbbs/hbbr/utils .deb from a Gitea Actions artifact and installs it before
+# launching the binary. Both services share the same image; only the command
+# differs.
 #
-# Settings below are baked in as defaults. To override a value without editing
-# this file, export it in your shell or put it in .env, e.g.:
-#   RUSTDESK_DOMAIN=rd.example.com docker compose up -d
-#
-# To pin a specific artifact zip (skip API auto-discovery), set ARTIFACT_URL:
+# The .deb is fetched at runtime (not build time), so `docker compose up`
+# always picks up the newest successful run on $GITEA_BRANCH. To pin a
+# specific zip and skip auto-discovery, set ARTIFACT_URL in your shell or
+# .env, e.g.:
 #   ARTIFACT_URL=https://gitea.cstudio.ch/mike/rustdesk-server/actions/runs/173/artifacts/rustdesk-server-linux-amd64-1e961cdd929f7af97148b76d9de79998a89402a3 \
-#     docker compose build
+#     docker compose up -d
 #
 
 networks:
   rustdesk-net:
     external: false
 
-# Build args — passed to docker/Dockerfile.deb. ARTIFACT_URL, if set, short-
-# circuits the API discovery and downloads the zip directly.
+# The image only needs to bundle curl/jq/unzip/tini/dpkg + the fetch scripts —
+# no build args required. The actual .deb download happens at container start
+# (see docker/entrypoint.sh), driven by the env vars in x-rustdesk-env below.
 x-rustdesk-build: &rustdesk-build
   context: ./docker
   dockerfile: Dockerfile.deb
-  args:
-    GITEA_URL: "${GITEA_URL:-https://gitea.cstudio.ch}"
-    GITEA_OWNER: "${GITEA_OWNER:-mike}"
-    GITEA_REPO: "${GITEA_REPO:-rustdesk-server}"
-    GITEA_BRANCH: "${GITEA_BRANCH:-pro-features}"
-    ARTIFACT_URL: "${ARTIFACT_URL:-}"
-    CACHE_BUST: "${CACHE_BUST:-0}"
 
-# Runtime env that hbbs/hbbr actually read. Most settings (relay, bootstrap
-# admin, key, http port) are passed via CLI flags below — the binary's
-# env-var convention transforms `--foo-bar` into `FOO-BAR` (literal dashes,
-# uppercase), which is awkward in YAML, so flags are clearer. The names
-# below are the few that the binary reads as plain env vars.
+# Runtime env. Two groups:
+#   1) Artifact-fetch config consumed by entrypoint.sh on every container
+#      start — set ARTIFACT_URL to pin a specific zip, otherwise the script
+#      picks the newest successful run on $GITEA_BRANCH.
+#   2) hbbs/hbbr knobs. Most settings (relay, bootstrap admin, key, http
+#      port) are passed via CLI flags below — the binary's env-var
+#      convention transforms `--foo-bar` into `FOO-BAR` (literal dashes,
+#      uppercase), which is awkward in YAML, so flags are clearer.
 x-rustdesk-env: &rustdesk-env
+  GITEA_URL: "${GITEA_URL:-https://gitea.cstudio.ch}"
+  GITEA_OWNER: "${GITEA_OWNER:-mike}"
+  GITEA_REPO: "${GITEA_REPO:-rustdesk-server}"
+  GITEA_BRANCH: "${GITEA_BRANCH:-pro-features}"
+  ARTIFACT_URL: "${ARTIFACT_URL:-}"
   RUST_LOG: "${RUST_LOG:-info}"
   # Force relay for all sessions even on LAN. Uncomment to enable.
   # ALWAYS_USE_RELAY: "Y"
diff --git a/docker/Dockerfile.deb b/docker/Dockerfile.deb
index 1264d1a..c797a1b 100644
--- a/docker/Dockerfile.deb
+++ b/docker/Dockerfile.deb
@@ -1,22 +1,13 @@
-# Minimal debian image that installs hbbs/hbbr/rustdesk-utils from the .deb
-# artifact produced by the Gitea Actions workflow at
-# https://gitea.cstudio.ch/mike/rustdesk-server.
-#
-# To force a fresh artifact pull on rebuild, bump CACHE_BUST (e.g.
-# `docker compose build --build-arg CACHE_BUST=$(date +%s)`).
+# Minimal debian image with the tooling needed to download + install the
+# hbbs/hbbr/rustdesk-utils .deb at *container start* (not build time).
+# The actual fetch happens in /usr/local/sbin/entrypoint.sh, which calls
+# fetch-artifact.sh on every start — see docker-compose.yml for the runtime
+# env vars (GITEA_URL, GITEA_OWNER, GITEA_REPO, GITEA_BRANCH, ARTIFACT_URL).
 #
 # The Gitea workflow only produces amd64 .debs, so pin the image platform.
 # On non-amd64 hosts (e.g. Apple Silicon) Docker will emulate via qemu.
 FROM --platform=linux/amd64 debian:bookworm-slim
 
-ARG GITEA_URL=https://gitea.cstudio.ch
-ARG GITEA_OWNER=mike
-ARG GITEA_REPO=rustdesk-server
-ARG GITEA_BRANCH=pro-features
-# When set, the script downloads this URL directly and skips API discovery.
-ARG ARTIFACT_URL=
-ARG CACHE_BUST=$(date +%s)
-
 ENV DEBIAN_FRONTEND=noninteractive
 
 RUN apt-get update \
@@ -25,12 +16,8 @@ RUN apt-get update \
  && rm -rf /var/lib/apt/lists/*
 
 COPY fetch-artifact.sh /usr/local/sbin/fetch-artifact.sh
-RUN chmod +x /usr/local/sbin/fetch-artifact.sh
-
-RUN echo "cache-bust=$CACHE_BUST" \
- && GITEA_URL="$GITEA_URL" GITEA_OWNER="$GITEA_OWNER" GITEA_REPO="$GITEA_REPO" \
-    GITEA_BRANCH="$GITEA_BRANCH" ARTIFACT_URL="$ARTIFACT_URL" \
-    /usr/local/sbin/fetch-artifact.sh
+COPY entrypoint.sh     /usr/local/sbin/entrypoint.sh
+RUN chmod +x /usr/local/sbin/fetch-artifact.sh /usr/local/sbin/entrypoint.sh
 
 WORKDIR /var/lib/rustdesk-server
 
@@ -38,5 +25,5 @@ WORKDIR /var/lib/rustdesk-server
 # 21118 web socket signal, 21119 web socket relay.
 EXPOSE 21114 21115 21116 21116/udp 21117 21118 21119
 
-ENTRYPOINT ["/usr/bin/tini", "--"]
-CMD ["/usr/bin/hbbs"]
+ENTRYPOINT ["/usr/bin/tini", "--", "/usr/local/sbin/entrypoint.sh"]
+CMD ["hbbs"]
diff --git a/docker/entrypoint.sh b/docker/entrypoint.sh
new file mode 100755
index 0000000..aba9eab
--- /dev/null
+++ b/docker/entrypoint.sh
@@ -0,0 +1,17 @@
+#!/usr/bin/env bash
+# Runtime entrypoint: pulls the latest .deb artifact from Gitea Actions and
+# installs it on every container start, then execs the CMD (hbbs / hbbr).
+#
+# Configuration comes from the environment — see docker-compose.yml:
+#   ARTIFACT_URL    pinned zip URL; if unset the script discovers the newest
+#                   successful run on GITEA_BRANCH
+#   GITEA_URL, GITEA_OWNER, GITEA_REPO, GITEA_BRANCH
+#                   required when ARTIFACT_URL is unset
+#
+# Container fails to start if the fetch fails — that's intentional: we always
+# want a fresh artifact, never a stale one.
+set -euo pipefail
+
+/usr/local/sbin/fetch-artifact.sh
+
+exec "$@"