diff --git a/README.md b/README.md
index b80289e..ff29f5c 100644
--- a/README.md
+++ b/README.md
@@ -16,6 +16,17 @@ docker compose up --build  # db + app + scheduler + daily backup sidecar
 open http://localhost:8000/
 ```
 
+## Production (VPS)
+
+Apply the prod overlay so the app has no host port binding and joins the
+existing `intranet` Docker network (where Nginx Proxy Manager lives):
+
+```bash
+docker compose -f docker-compose.yml -f docker-compose.prod.yml up -d --build
+```
+
+Then point NPM at upstream `readmarkets-app-1:80`.
+
 ## Architecture
 
 - **app** (FastAPI + Jinja2 + HTMX) — web dashboard on port 8000
diff --git a/docker-compose.prod.yml b/docker-compose.prod.yml
new file mode 100644
index 0000000..d9b0bd8
--- /dev/null
+++ b/docker-compose.prod.yml
@@ -0,0 +1,28 @@
+# Production overlay. Applied on the VPS with:
+#
+#   docker compose -f docker-compose.yml -f docker-compose.prod.yml up -d
+#
+# Drops the host port binding entirely and joins the `intranet` external
+# Docker network so a front-side proxy (Nginx Proxy Manager) on the same
+# network can reach the container directly. The app listens on port 80
+# inside the container so NPM upstreams are uniform across services
+# (always `<container-name>:80`).
+#
+# The local-dev compose (just `docker-compose.yml` alone) still binds to
+# the host port from `.env` / CASSANDRA_PORT — unchanged.
+
+services:
+  app:
+    # Strip the host port binding from the base file: no public listener
+    # on the VPS, only the intranet bridge.
+    ports: []
+    command: ["uvicorn", "app.main:app", "--host", "0.0.0.0", "--port", "80", "--workers", "1"]
+    expose:
+      - "80"
+    networks:
+      - default
+      - intranet
+
+networks:
+  intranet:
+    external: true