diff --git a/docker-compose.yml b/docker-compose.yml
index 7ec5eef..87d28e3 100644
--- a/docker-compose.yml
+++ b/docker-compose.yml
@@ -33,7 +33,7 @@ services:
 OPENCLAW_GATEWAY_TOKEN: ${OPENCLAW_GATEWAY_TOKEN}
 MOONSHOT_API_KEY: ${MOONSHOT_API_KEY}
 OPENAI_API_KEY: ${OPENAI_API_KEY}
- OPENCLAW_GATEWAY_BIND: ${OPENCLAW_GATEWAY_BIND:-lan}
+ OPENCLAW_GATEWAY_BIND: ${OPENCLAW_GATEWAY_BIND:-}
 OPENCLAW_TAILSCALE_MODE: ${OPENCLAW_TAILSCALE_MODE:-off}
 OPENCLAW_ENABLE_TAILSCALE: ${OPENCLAW_ENABLE_TAILSCALE:-0}
 GOG_ACCOUNT: ${GOG_ACCOUNT:-}
diff --git a/docker/Dockerfile b/docker/Dockerfile
index 68fd45f..c522328 100644
--- a/docker/Dockerfile
+++ b/docker/Dockerfile
@@ -45,7 +45,7 @@ RUN echo '#!/bin/sh' > /home/node/.local/bin/tailscale-start.sh && \
 echo 'sleep 3' >> /home/node/.local/bin/tailscale-start.sh && \
 echo 'if [ -n "$TAILSCALE_AUTH_KEY" ]; then tailscale --socket=/tmp/tailscale.sock up --authkey="$TAILSCALE_AUTH_KEY" --hostname="${TAILSCALE_HOSTNAME:-openclaw-gateway}" || true; fi' >> /home/node/.local/bin/tailscale-start.sh && \
 echo 'sleep 2' >> /home/node/.local/bin/tailscale-start.sh && \
- echo 'tailscale --socket=/tmp/tailscale.sock serve --bg 18789 || true' >> /home/node/.local/bin/tailscale-start.sh && \
+ echo 'if [ "${OPENCLAW_TAILSCALE_MODE:-off}" = "serve" ]; then tailscale --socket=/tmp/tailscale.sock serve --bg 18789 || true; fi' >> /home/node/.local/bin/tailscale-start.sh && \
 chmod +x /home/node/.local/bin/tailscale-start.sh
 
 # Copy custom tools into the image
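Review bot: Nothing at `OPENCLAW_GATEWAY_BIND: ${OPENCLAW_GATEWAY_BIND:-}` says that an empty value is now meaningful: per the start-gateway.sh hunk in this commit it selects `loopback` when OPENCLAW_TAILSCALE_MODE is `serve` and `lan` otherwise. Because this default decides which interfaces the gateway listens on, I would add a comment above the entry, `# empty = chosen by start-gateway.sh: loopback in serve mode, otherwise lan`. The environment mapping starts before this hunk.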
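Review bot: The rewritten `serve` line keeps `|| true` with no output, so a failed `tailscale serve` is invisible; with start-gateway.sh in this commit defaulting the bind to `loopback` in serve mode, that failure would leave the gateway reachable only from inside the container and nothing in the logs would say why. Replacing the tail with `|| echo "tailscale serve failed" >&2` keeps startup best-effort but leaves a trace. The port is also the literal `18789` while start-gateway.sh reads `OPENCLAW_GATEWAY_PORT`; if that variable is ever set inside the container the two would diverge, so `"${OPENCLAW_GATEWAY_PORT:-18789}"` may be the safer argument here. The RUN chain that builds tailscale-start.sh starts above the hunk.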
@@ -57,9 +57,9 @@ RUN chmod +x /usr/local/bin/*
 RUN mkdir -p /var/tmp/openclaw-compile-cache /home/node/.openclaw/ssh /home/node/.openclaw/gog /home/node/.openclaw/gws /opt/openclaw/defaults \
 && chown -R node:node /home/node/.openclaw /opt/openclaw/defaults /var/tmp/openclaw-compile-cache
 
-# Link ssh to standard locations
-RUN mkdir -p /home/node/.ssh \
- && ln -sf /home/node/.openclaw/ssh /home/node/.ssh
+# Link ssh to the persistent volume location
+RUN rm -rf /home/node/.ssh \
+ && ln -s /home/node/.openclaw/ssh /home/node/.ssh
 
 # Copy default config into the image
 COPY config/openclaw.json /opt/openclaw/defaults/openclaw.json
diff --git a/docker/bin/start-gateway.sh b/docker/bin/start-gateway.sh
index 5297500..da2eac4 100644
--- a/docker/bin/start-gateway.sh
+++ b/docker/bin/start-gateway.sh
@@ -4,9 +4,17 @@ set -eu
 CONFIG_DIR="${HOME:-/home/node}/.openclaw"
 CONFIG_FILE="${CONFIG_DIR}/openclaw.json"
 DEFAULT_CONFIG="/opt/openclaw/defaults/openclaw.json"
-BIND="${OPENCLAW_GATEWAY_BIND:-lan}"
 TAILSCALE_MODE="${OPENCLAW_TAILSCALE_MODE:-off}"
 PORT="${OPENCLAW_GATEWAY_PORT:-18789}"
+RAW_BIND="${OPENCLAW_GATEWAY_BIND:-}"
+
+if [ -n "${RAW_BIND}" ]; then
+ BIND="${RAW_BIND}"
+elif [ "${TAILSCALE_MODE}" = "serve" ]; then
+ BIND="loopback"
+else
+ BIND="lan"
+fi
 
 mkdir -p "${CONFIG_DIR}"
 
@@ -29,7 +37,9 @@ jq \
 .gateway.bind = $bind |
 .gateway.tailscale.mode = $tailscale_mode |
 .gateway.auth.mode = "token" |
+ .gateway.auth.allowTailscale = ($tailscale_mode == "serve") |
 .gateway.auth.token = (if $token == "" then (.gateway.auth.token // "${OPENCLAW_GATEWAY_TOKEN}") else $token end) |
+ .gateway.trustedProxies = (((.gateway.trustedProxies // []) + (if $tailscale_mode == "serve" then ["127.0.0.1", "::1"] else [] end)) | unique) |
 .gateway.controlUi.allowInsecureAuth = true |
 .models.providers.openai = {
 baseUrl: "https://api.openai.com/v1",
diff --git a/stack.yml b/stack.yml
deleted file mode 100644
index 90defca..0000000
--- a/stack.yml
+++ /dev/null
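Review bot: With `/home/node/.ssh` now a symlink into the volume, nothing in this hunk guarantees that `/home/node/.openclaw/ssh` exists with owner-only permissions at run time; the directory is created at build time in the preceding RUN, but a volume that already exists would presumably hide that copy. A dangling link or a group- or world-accessible key directory tends to surface later as ssh refusing keys, or as keys readable by other users in the container. I would have start-gateway.sh run `mkdir -p "${CONFIG_DIR}/ssh" && chmod 700 "${CONFIG_DIR}/ssh"` before the gateway starts, and extend the comment here to say the link target is populated from the volume at run time.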
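Review bot: An explicit `OPENCLAW_GATEWAY_BIND` always wins in the new `if` chain, including in `serve` mode, so an environment that still carries the old `lan` value keeps the gateway on the LAN interface while the jq hunk further down turns on `allowTailscale` and trusts loopback proxies. If loopback is the intended posture for serve mode, make the mismatch visible right after the chain: `if [ "${TAILSCALE_MODE}" = "serve" ] && [ "${BIND}" != "loopback" ]; then echo "warning: serve mode with bind=${BIND}" >&2; fi`. `RAW_BIND` is also passed through without being checked against the values the gateway accepts, which this hunk does not show.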
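Review bot: The `.gateway.trustedProxies` expression only ever adds: it starts from the stored list and unions in `127.0.0.1` and `::1` in serve mode, so after one serve-mode start those entries remain when the mode is later switched back to `off`, assuming the jq output is written back to the config file (the write is outside the hunk). `allowTailscale` is recomputed on every run but the loopback proxy trust is not, which leaves forwarded headers from local processes trusted in a mode where no local proxy is expected. Subtracting the loopback entries before the conditional add makes the setting follow the mode: `(((.gateway.trustedProxies // []) - ["127.0.0.1", "::1"]) + (if $tailscale_mode == "serve" then ["127.0.0.1", "::1"] else [] end) | unique)`. That would also drop loopback entries an operator added by hand, so a comment stating that the script owns those two values is worth adding.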
@@ -1,44 +0,0 @@
-version: "3.8"
-
-services:
- openclaw-gateway:
- image: ${OPENCLAW_IMAGE:-registry.lan/openclaw:latest}
- environment:
- HOME: /home/node
- TERM: xterm-256color
- OPENCLAW_GATEWAY_TOKEN: ${OPENCLAW_GATEWAY_TOKEN}
- MOONSHOT_API_KEY: ${MOONSHOT_API_KEY}
- OPENAI_API_KEY: ${OPENAI_API_KEY}
- OPENCLAW_GATEWAY_BIND: ${OPENCLAW_GATEWAY_BIND:-lan}
- OPENCLAW_TAILSCALE_MODE: ${OPENCLAW_TAILSCALE_MODE:-off}
- OPENCLAW_ENABLE_TAILSCALE: ${OPENCLAW_ENABLE_TAILSCALE:-0}
- GOG_ACCOUNT: ${GOG_ACCOUNT:-}
- volumes:
- - openclaw-config:/home/node/.openclaw
- - openclaw-workspace:/home/node/.openclaw/workspace
- ports:
- - target: 18789
- published: ${OPENCLAW_GATEWAY_PORT:-18789}
- protocol: tcp
- mode: host
- - target: 18790
- published: ${OPENCLAW_BRIDGE_PORT:-18790}
- protocol: tcp
- mode: host
- init: true
- deploy:
- replicas: 1
- placement:
- constraints:
- - node.hostname == tpi-n1
- networks:
- - dokploy-network
- command: ["/usr/local/bin/start-gateway.sh"]
-
-volumes:
- openclaw-config:
- openclaw-workspace:
-
-networks:
- dokploy-network:
- external: true