diff --git a/charts/openconcho/values.yaml b/charts/openconcho/values.yaml
index e27a03a..021d3db 100644
--- a/charts/openconcho/values.yaml
+++ b/charts/openconcho/values.yaml
@@ -53,6 +53,7 @@ securityContext:
 # Directories mounted as ephemeral tmpfs (in-memory) to satisfy nginx's write requirements
 # when the root filesystem is read-only. Add entries for any additional writable paths.
 tmpfsMounts:
+ - mountPath: /etc/nginx/conf.d
  - mountPath: /var/cache/nginx
  - mountPath: /var/run
  - mountPath: /tmp
diff --git a/docker/40-openconcho-config.sh b/docker/40-openconcho-config.sh
index 88656ca..8e4937a 100644
--- a/docker/40-openconcho-config.sh
+++ b/docker/40-openconcho-config.sh
@@ -3,11 +3,11 @@
 # Lets one prebuilt image target any Honcho backend without a rebuild.
 # OPENCONCHO_DEFAULT_HONCHO_URL — absolute URL seeding the first instance, or empty.
 # OPENCONCHO_UPSTREAM_ALLOWLIST — optional comma-separated host globs (SSRF guard).
-# Runs from /docker-entrypoint.d before nginx starts. Requires the html dir to
-# be writable (default); skip or bind-mount config.js when running --read-only.
+# Runs from /docker-entrypoint.d before nginx starts. Writes config.js to /tmp
+# so the container works cleanly under a read-only root filesystem.
 set -eu
-cat > /usr/share/nginx/html/config.js < /tmp/openconcho-config.js <
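Review bot: Mounting an empty tmpfs at `/etc/nginx/conf.d` shadows whatever server configuration the image ships in that directory, so nginx will come up with no site config (or fail its config check) unless an entrypoint step regenerates it there; nothing in this diff shows that step, and the entrypoint script's body is outside the visible hunk. It also makes the nginx configuration writable at runtime, which undercuts the read-only-root hardening this list exists to preserve — a compromised worker process could rewrite proxy or upstream-allowlist directives if those are rendered into conf.d. A safer shape is to render any generated config into `/tmp` (as the script now does for config.js) and `include` it from the read-only main config, or to mount a single generated file rather than the whole directory. At minimum the header comment no longer matches the list, since conf.d is not one of nginx's own write requirements; add `# /etc/nginx/conf.d is shadowed by an empty tmpfs: the entrypoint must regenerate the server config here, or nginx starts with no site config.` above the new entry.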