diff --git a/.github/workflows/frontend-overpass.yaml b/.github/workflows/frontend-overpass.yaml index 4b2f7c463..3a3f742a0 100644 --- a/.github/workflows/frontend-overpass.yaml +++ b/.github/workflows/frontend-overpass.yaml @@ -45,7 +45,7 @@ jobs: uses: actions/checkout@v6 with: repository: OpenHistoricalMap/overpass-turbo - ref: 527c3accf412f73766b70193f4577f2d2021d534 + ref: d10732ea33ef79b2f79a8132f73d0034272155f4 path: overpass-turbo - name: Enable Corepack diff --git a/.github/workflows/preview-web-down.yaml b/.github/workflows/preview-web-down.yaml new file mode 100644 index 000000000..2d749c0a8 --- /dev/null +++ b/.github/workflows/preview-web-down.yaml 
@@ -0,0 +1,82 @@ +name: Preview website down (k3s) +# Remove a website preview: helm uninstall + delete its namespace. +on: + workflow_dispatch: + inputs: + ref: + description: web-* branch whose preview to remove + required: true + delete: + pull_request: + types: [closed] + +jobs: + teardown: + runs-on: ubuntu-22.04 + timeout-minutes: 20 + steps: + - name: Resolve branch + id: r + run: | + # branch name from whichever event fired + case "${{ github.event_name }}" in + workflow_dispatch) BRANCH="${{ github.event.inputs.ref }}" ;; + delete) BRANCH="${{ github.event.ref }}" ;; + pull_request) BRANCH="${{ github.event.pull_request.head.ref }}" ;; + esac + case "$BRANCH" in + web-*) ;; + *) echo "branch '$BRANCH' is not a web-* preview; nothing to do"; echo "skip=true" >> $GITHUB_OUTPUT; exit 0 ;; + esac + SLUG="$(echo "$BRANCH" | tr '[:upper:]' '[:lower:]' \ + | sed 's/[^a-z0-9]/-/g; s/-\+/-/g; s/^-//; s/-$//' | cut -c1-40 | sed 's/-$//')" + echo "skip=false" >> $GITHUB_OUTPUT + echo "branch=$BRANCH" >> $GITHUB_OUTPUT + echo "release=$SLUG" >> $GITHUB_OUTPUT + # shared namespace for all previews; only the release is per-branch + echo "namespace=preview" >> $GITHUB_OUTPUT + echo "host=$SLUG.ohmstaging.org" >> $GITHUB_OUTPUT + + - uses: actions/checkout@v4 + if: steps.r.outputs.skip != 'true' + + - name: Install cloudflared + if: steps.r.outputs.skip != 'true' + run: | + sudo curl -fsSL https://github.com/cloudflare/cloudflared/releases/latest/download/cloudflared-linux-amd64 \ + -o /usr/local/bin/cloudflared + sudo chmod +x /usr/local/bin/cloudflared + + - name: Install helm + if: steps.r.outputs.skip != 'true' + uses: azure/setup-helm@v4 + with: + version: v3.15.1 + + - name: Setup kubeconfig + if: steps.r.outputs.skip != 'true' + run: | + mkdir -p $HOME/.kube + echo "${{ secrets.STAGING_K3S_KUBECONFIG }}" | base64 -d > $HOME/.kube/config + chmod 600 $HOME/.kube/config + + - name: Open Cloudflare Access tunnel to k3s API + if: steps.r.outputs.skip != 'true' + env: + 
TUNNEL_SERVICE_TOKEN_ID: ${{ secrets.STAGING_CF_ACCESS_CLIENT_ID }} + TUNNEL_SERVICE_TOKEN_SECRET: ${{ secrets.STAGING_CF_ACCESS_CLIENT_SECRET }} + run: | + cloudflared access tcp --hostname k3s.ohmstaging.org --url 127.0.0.1:16443 & + for i in {1..30}; do + curl -sk -o /dev/null --max-time 5 https://127.0.0.1:16443/livez && exit 0 + sleep 2 + done + echo "Tunnel failed to reach k3s" >&2; exit 1 + + # Uninstall only this branch's release. The shared `preview` namespace and + # its middleware stay (other previews live there). + - name: Helm uninstall + if: steps.r.outputs.skip != 'true' + run: | + helm -n ${{ steps.r.outputs.namespace }} uninstall ${{ steps.r.outputs.release }} || echo "release already gone" + kubectl -n ${{ steps.r.outputs.namespace }} delete job ${{ steps.r.outputs.release }}-restore --ignore-not-found diff --git a/.github/workflows/preview-web-up.yaml b/.github/workflows/preview-web-up.yaml new file mode 100644 index 000000000..829a8fb6c --- /dev/null +++ b/.github/workflows/preview-web-up.yaml 
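Review bot: The `Resolve branch` step pastes `${{ github.event.inputs.ref }}`, `${{ github.event.ref }}` and `${{ github.event.pull_request.head.ref }}` straight into the shell script, so the branch name is expanded by the Actions template engine before bash parses it. The `web-*` filter that follows therefore cannot protect against a name containing shell metacharacters. On `pull_request` the head ref is chosen by whoever opened the PR, and the same job goes on to load the staging kubeconfig and the Cloudflare Access token. Pass the values through `env:` and read them as quoted shell variables, as in the fence below. The `Resolve names` step in preview-web-up.yaml builds `BRANCH` the same way and needs the same change, and `STAGING_K3S_KUBECONFIG` in `Setup kubeconfig` is better handed over via `env:` as well.

```yaml
- name: Resolve branch
  id: r
  env:
    EVENT_NAME: ${{ github.event_name }}
    INPUT_REF: ${{ github.event.inputs.ref }}
    DELETED_REF: ${{ github.event.ref }}
    PR_HEAD_REF: ${{ github.event.pull_request.head.ref }}
  run: |
    # branch name from whichever event fired; values arrive as data, not as script text
    case "$EVENT_NAME" in
      workflow_dispatch) BRANCH="$INPUT_REF" ;;
      delete)            BRANCH="$DELETED_REF" ;;
      pull_request)      BRANCH="$PR_HEAD_REF" ;;
    esac
    # … unchanged: web-* filter, slug computation, GITHUB_OUTPUT writes …
```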
@@ -0,0 +1,264 @@ +name: Preview website (k3s) + +# Website preview for a web-* branch on k3s staging, reachable at +# web-.ohmstaging.org. +on: + workflow_dispatch: + inputs: + ref: + description: web-* branch to preview + required: true + backup_url: + description: apidb backup URL (.sql or .sql.gz); blank = PREVIEW_BACKUP_URL secret + required: false + push: + branches: + - 'web-*' + +concurrency: + # one run per branch; a new push cancels the in-flight preview build + group: preview-web-${{ github.event.inputs.ref || github.ref_name }} + cancel-in-progress: true + +jobs: + preview: + runs-on: ubuntu-22.04 + timeout-minutes: 60 + steps: + - name: Resolve names + id: n + run: | + BRANCH="${{ github.event.inputs.ref || github.ref_name }}" + case "$BRANCH" in + web-*) ;; + *) echo "::error::branch '$BRANCH' must start with web-"; exit 1 ;; + esac + # DNS-safe slug: lowercase, non-alnum -> '-', trim, max 40 chars. + SLUG="$(echo "$BRANCH" | tr '[:upper:]' '[:lower:]' \ + | sed 's/[^a-z0-9]/-/g; s/-\+/-/g; s/^-//; s/-$//' | cut -c1-40 | sed 's/-$//')" + echo "branch=$BRANCH" >> $GITHUB_OUTPUT + echo "slug=$SLUG" >> $GITHUB_OUTPUT + echo "release=$SLUG" >> $GITHUB_OUTPUT + # one shared namespace for all previews; each branch is its own release + echo "namespace=preview" >> $GITHUB_OUTPUT + echo "host=$SLUG.ohmstaging.org" >> $GITHUB_OUTPUT + + - uses: actions/checkout@v4 + with: + ref: ${{ steps.n.outputs.branch }} + fetch-depth: 0 + + - name: Login to GitHub Container Registry + uses: docker/login-action@v3 + with: + registry: ghcr.io + username: ${{ github.repository_owner }} + password: ${{ secrets.GHCR_GITHUB_TOKEN }} + + - name: Setup Python + uses: actions/setup-python@v5 + with: + python-version: '3.11' + + - name: Setup git + run: | + git config --global user.email "noreply@developmentseed.org" + git config --global user.name "Github Action" + + - name: Install chartpress + run: pip install chartpress==2.3.0 ruamel.yaml + + - name: Run chartpress (build + 
push) + env: + GITHUB_TOKEN: ${{ secrets.GHCR_GITHUB_TOKEN }} + run: chartpress --push + + - name: Install cloudflared + run: | + sudo curl -fsSL https://github.com/cloudflare/cloudflared/releases/latest/download/cloudflared-linux-amd64 \ + -o /usr/local/bin/cloudflared + sudo chmod +x /usr/local/bin/cloudflared + + - name: Install helm + uses: azure/setup-helm@v4 + with: + version: v3.15.1 + + - name: Setup kubeconfig + run: | + mkdir -p $HOME/.kube + KCFG="${{ secrets.STAGING_K3S_KUBECONFIG }}" + if [ -z "$KCFG" ]; then + echo "ERROR: STAGING_K3S_KUBECONFIG is empty" >&2; exit 1 + fi + echo "$KCFG" | base64 -d > $HOME/.kube/config + chmod 600 $HOME/.kube/config + + - name: Open Cloudflare Access tunnel to k3s API + env: + TUNNEL_SERVICE_TOKEN_ID: ${{ secrets.STAGING_CF_ACCESS_CLIENT_ID }} + TUNNEL_SERVICE_TOKEN_SECRET: ${{ secrets.STAGING_CF_ACCESS_CLIENT_SECRET }} + run: | + cloudflared access tcp --hostname k3s.ohmstaging.org --url 127.0.0.1:16443 & + CF_PID=$! + for i in {1..30}; do + if curl -sk -o /dev/null --max-time 5 https://127.0.0.1:16443/livez; then + echo "tunnel up (k3s reachable)"; exit 0 + fi + sleep 2 + done + echo "Tunnel failed to reach k3s" >&2; kill $CF_PID 2>/dev/null || true; exit 1 + + - name: Verify access + run: kubectl get nodes + + - name: Substitute secrets into preview values + uses: bluwy/substitute-string-action@v3 + with: + _input-file: 'values.k3s.preview.template.yaml' + _format-key: '{{key}}' + _output-file: 'values.k3s.preview.yaml' + PREVIEW_HOST: ${{ steps.n.outputs.host }} + PREVIEW_NS: ${{ steps.n.outputs.namespace }} + PREVIEW_DB_PASSWORD: ${{ secrets.PREVIEW_DB_PASSWORD }} + MAILER_ADDRESS: ${{ secrets.MAILER_ADDRESS }} + MAILER_USERNAME: ${{ secrets.MAILER_USERNAME }} + MAILER_PASSWORD: ${{ secrets.MAILER_PASSWORD }} + STAGING_OPENSTREETMAP_AUTH_ID: ${{ secrets.STAGING_OPENSTREETMAP_AUTH_ID }} + STAGING_OPENSTREETMAP_AUTH_SECRET: ${{ secrets.STAGING_OPENSTREETMAP_AUTH_SECRET }} + STAGING_WIKIPEDIA_AUTH_ID: ${{ 
secrets.STAGING_WIKIPEDIA_AUTH_ID }} + STAGING_WIKIPEDIA_AUTH_SECRET: ${{ secrets.STAGING_WIKIPEDIA_AUTH_SECRET }} + STAGING_RAILS_CREDENTIALS_YML_ENC: ${{ secrets.STAGING_RAILS_CREDENTIALS_YML_ENC }} + STAGING_RAILS_MASTER_KEY: ${{ secrets.STAGING_RAILS_MASTER_KEY }} + AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }} + AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }} + + - name: Helm dep up + run: cd ohm && helm dep up + + # Step 1: bring up db + memcached + cgimap, web OFF, so the restore can + # load the apidb before web boots and runs migrations. + - name: Deploy data tier (web off) + run: | + helm upgrade --install ${{ steps.n.outputs.release }} ./ohm \ + -n ${{ steps.n.outputs.namespace }} --create-namespace \ + -f ./ohm/values.yaml \ + -f ./values.k3s.preview.yaml \ + --set osm-seed.web.enabled=false \ + --wait --timeout=10m + + - name: Restore apidb from backup + env: + NS: ${{ steps.n.outputs.namespace }} + RELEASE: ${{ steps.n.outputs.release }} + BACKUP_URL: ${{ github.event.inputs.backup_url || secrets.PREVIEW_BACKUP_URL }} + run: | + if [ -z "$BACKUP_URL" ]; then + echo "::error::set the PREVIEW_BACKUP_URL secret (or pass backup_url on dispatch)"; exit 1 + fi + echo "backup: $BACKUP_URL" + WEB_IMAGE="$(helm -n "$NS" get values "$RELEASE" -a -o json \ + | python3 -c 'import sys,json;w=json.load(sys.stdin)["osm-seed"]["web"]["image"];print(w["name"]+":"+w["tag"])')" + echo "restore image: $WEB_IMAGE" + kubectl -n "$NS" delete job "$RELEASE-restore" --ignore-not-found + cat <> $GITHUB_STEP_SUMMARY diff --git a/.gitignore b/.gitignore index 7d85eced9..57343a928 100644 --- a/.gitignore +++ b/.gitignore @@ -45,4 +45,6 @@ images/tiler-server-martin/config/nginx.conf values.k3s.staging.direct.yaml ohm/charts/ k3s.sh -*.zip \ No newline at end of file +*.zip +test-preview.sh +values.k3s.preview.yaml \ No newline at end of file diff --git a/images/db/Dockerfile b/images/db/Dockerfile index ed35e853b..8de2288e1 100644 --- a/images/db/Dockerfile 
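Review bot: `Install cloudflared` downloads whatever `releases/latest` currently serves and installs it into /usr/local/bin as root with no version pin and no checksum. The job then gives that binary the Cloudflare Access service token, and the staging kubeconfig sits on the same runner. Pin a release tag and verify its SHA-256 before installing, as in the fence below (the tag and hash are placeholders to fill in); preview-web-down.yaml has the identical step. The other tools here are already pinned (`chartpress==2.3.0`, helm `v3.15.1`), though `ruamel.yaml` in the same `pip install` is not. The restore Job manifest after `cat <` is not readable in this view, so it is not covered here.

```yaml
- name: Install cloudflared
  env:
    # placeholders: the release tag you reviewed and the SHA-256 published for its linux-amd64 binary
    CLOUDFLARED_VERSION: "<PINNED_RELEASE_TAG>"
    CLOUDFLARED_SHA256: "<SHA256_OF_PINNED_BINARY>"
  run: |
    curl -fsSL "https://github.com/cloudflare/cloudflared/releases/download/${CLOUDFLARED_VERSION}/cloudflared-linux-amd64" \
      -o "$RUNNER_TEMP/cloudflared"
    # refuse to install if the download does not match the pinned hash
    echo "${CLOUDFLARED_SHA256}  $RUNNER_TEMP/cloudflared" | sha256sum -c -
    sudo install -m 0755 "$RUNNER_TEMP/cloudflared" /usr/local/bin/cloudflared
```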
+++ b/images/db/Dockerfile @@ -1,7 +1,6 @@ -# Stage 1: Compilar el plugin para PostgreSQL 17 FROM postgres:17 AS builder -# Instalar dependencias de compilación +# Install build dependencies RUN apt-get update && apt-get install -y --no-install-recommends \ ca-certificates \ build-essential \ @@ -18,7 +17,7 @@ RUN apt-get update && apt-get install -y --no-install-recommends \ && update-ca-certificates \ && rm -rf /var/lib/apt/lists/* -# Clonar y compilar el plugin osmdbt para PostgreSQL 17 +# Clone and build osmdbt plugin for PostgreSQL 17 RUN git clone https://github.com/openstreetmap/osmdbt.git /tmp/osmdbt && \ cd /tmp/osmdbt && \ git checkout v0.9 && \ @@ -29,6 +28,15 @@ RUN git clone https://github.com/openstreetmap/osmdbt.git /tmp/osmdbt && \ FROM postgres:17 +RUN apt-get update && apt-get install -y --no-install-recommends \ + postgresql-17-postgis-3 \ + postgresql-17-postgis-3-scripts \ + && rm -rf /var/lib/apt/lists/* + +# Auto-create required extensions on fresh initdb +COPY ./scripts/init-extensions.sh /docker-entrypoint-initdb.d/10-extensions.sh +RUN chmod +x /docker-entrypoint-initdb.d/10-extensions.sh + COPY --from=builder /tmp/osmdbt/postgresql-plugin/build/osm-logical.so /usr/lib/postgresql/17/lib/osm-logical.so RUN ln -s /usr/lib/postgresql/17/lib/osm-logical.so /usr/lib/postgresql/17/lib/osm_logical.so diff --git a/images/db/scripts/init-extensions.sh b/images/db/scripts/init-extensions.sh new file mode 100755 index 000000000..9c780af71 --- /dev/null +++ b/images/db/scripts/init-extensions.sh @@ -0,0 +1,8 @@ +#!/bin/sh +set -e + +psql --username="$POSTGRES_USER" --dbname="$POSTGRES_DB" -v ON_ERROR_STOP=1 <<-'EOSQL' + CREATE EXTENSION IF NOT EXISTS postgis; + CREATE EXTENSION IF NOT EXISTS hstore; + CREATE EXTENSION IF NOT EXISTS btree_gist; +EOSQL diff --git a/images/web/Dockerfile b/images/web/Dockerfile index d905ff9ac..12f686fa5 100644 --- a/images/web/Dockerfile +++ b/images/web/Dockerfile 
@@ -1,4 +1,4 @@ -FROM ruby:3.3-slim AS builder +FROM ruby:3.4-slim AS builder ENV DEBIAN_FRONTEND=noninteractive \ workdir=/var/www \ @@ -14,9 +14,9 @@ WORKDIR $workdir RUN apt-get update && \ apt-get install -y --no-install-recommends \ git curl gnupg build-essential \ - libarchive-dev zlib1g-dev libcurl4-openssl-dev \ + libarchive-dev zlib1g-dev libcurl4-openssl-dev libgd-dev \ apache2 apache2-dev libapache2-mod-fcgid libapr1-dev libaprutil1-dev \ - postgresql-client libpq-dev libxml2-dev libyaml-dev libgd-dev \ + postgresql-client libpq-dev libxml2-dev libyaml-dev \ pngcrush optipng advancecomp pngquant jhead jpegoptim gifsicle libjpeg-progs unzip\ && curl -fsSL https://deb.nodesource.com/setup_24.x | bash - \ && apt-get install -y nodejs \ @@ -24,14 +24,14 @@ RUN apt-get update && \ && apt-get clean && rm -rf /var/lib/apt/lists/* # Download OHM Website using gitsha, faster than cloning -ENV OPENHISTORICALMAP_WEBSITE_GITSHA=8fe2e830e089da8eb1af4ce611ea361307ee2ba7 +ENV OPENHISTORICALMAP_WEBSITE_GITSHA=67597d5d3ee63976aef37aec414073ce3ec51bd4 ENV OHM_WEBSITE_URL=https://github.com/OpenHistoricalMap/ohm-website/archive/${OPENHISTORICALMAP_WEBSITE_GITSHA}.zip RUN rm -rf $workdir/* && curl -fsSL $OHM_WEBSITE_URL -o /tmp/ohm-website.zip && \ unzip /tmp/ohm-website.zip -d /tmp && \ mv /tmp/ohm-website-$OPENHISTORICALMAP_WEBSITE_GITSHA/* $workdir && \ rm -rf /tmp/* -RUN gem install bundler && \ +RUN gem install bundler -v 4.0.11 --no-document && \ bundle install && \ yarn install && \ bundle exec rake yarn:install @@ -77,7 +77,7 @@ RUN git clone https://github.com/OpenHistoricalMap/leaflet-ohm-timeslider-v2.git cp leaflet-ohm-timeslider.* $workdir/app/assets/stylesheets/ && \ cp assets/* $workdir/app/assets/images/ -FROM ruby:3.3-slim +FROM ruby:3.4-slim ENV DEBIAN_FRONTEND=noninteractive \ workdir=/var/www \ @@ -116,6 +116,7 @@ RUN BUILD_DEPS=" \ gifsicle \ postgresql-client \ curl \ + git \ libvips \ nodejs \ \ 
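Review bot: `git` is added to the final-stage package list (hunk at `RUN BUILD_DEPS="`) with nothing saying what needs it at runtime. If it is there only so Bundler can resolve git-sourced gems when Passenger boots the app, state that in a comment above the `RUN`, e.g. `# git stays in the runtime image: Bundler needs it for git-sourced gems`; if nothing needs it after the build, keep it out of the image that serves traffic. The `RUN` command starts and ends outside the hunk, so whether this list is purged later in the same layer is not visible here.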
@@ -123,7 +124,7 @@ RUN BUILD_DEPS=" \ \ # Install Passenger as a gem and compile the Apache module \ - && gem install passenger --no-document \ + && gem install passenger -v 6.1.3 --no-document \ && yes | passenger-install-apache2-module --auto --languages ruby \ && passenger-config validate-install --auto \ \ @@ -152,6 +153,10 @@ RUN a2enmod headers setenvif proxy proxy_http proxy_fcgi fcgid rewrite lbmethod_ echo "ServerName localhost" >> /etc/apache2/apache2.conf && \ apache2ctl configtest +# Install bundler matching ohm-website Gemfile.lock to avoid Passenger preloader Gem::LoadError. +RUN gem install bundler -v 4.0.11 --no-document + + RUN echo '#!/bin/bash\nexec /usr/local/bin/ruby --yjit --yjit-exec-mem-size=64 "$@"' > /usr/local/bin/ruby_yjit && \ chmod +x /usr/local/bin/ruby_yjit diff --git a/images/web/config/production.conf b/images/web/config/production.conf index 87be1d2e5..cbd2c4e07 100644 --- a/images/web/config/production.conf +++ b/images/web/config/production.conf @@ -4,6 +4,9 @@ DocumentRoot /var/www/public PassengerAppEnv production PassengerRuby /usr/local/bin/ruby + # Load Bundler before Ruby preloads default gems so Gemfile.lock pins + # (e.g. stringio 3.2.0) win over Ruby-bundled defaults like 3.1.2. + PassengerPreloadBundler on RewriteEngine On # Redirect to HTTPS @@ -61,8 +64,10 @@ Header set Access-Control-Allow-Origin "*" - # Allow CORS for JSON, PBF, and PNG files for map-style - + # Allow CORS for PBF and PNG files for map-style. + # JSON is excluded so /api/*.json keeps only the header Rails sends, avoiding a + # duplicate "*, *" (issue #1377). + Header set Access-Control-Allow-Origin "*" Header set Access-Control-Allow-Methods "GET, OPTIONS" Header set Access-Control-Allow-Headers "Content-Type" diff --git a/images/web/start.sh b/images/web/start.sh index 21b8091c5..2c7712363 100755 --- a/images/web/start.sh +++ b/images/web/start.sh 
@@ -130,11 +130,14 @@ setup_production() { # Update map styles. This line should be removed later, as the configuration should come from the module. SERVER_URL_="${SERVER_URL/www./}" + # Tiler host. Defaults to vtiles.; override VTILES_DOMAIN to use a + # shared tiler (e.g. a preview that has no tiler of its own). + VTILES_DOMAIN="${VTILES_DOMAIN:-vtiles.${SERVER_URL_}}" find /var/www/node_modules/@openhistoricalmap/map-styles/dist/ -type f -name "*.json" -exec sed -i.bak "s|openhistoricalmap.github.io|${SERVER_URL}|g" {} + find /var/www/node_modules/@openhistoricalmap/map-styles/dist/ -type f -name "*.json" -exec sed -i.bak "s|http://localhost:8888|https://${SERVER_URL}/map-styles|g" {} + find /var/www/node_modules/@openhistoricalmap/map-styles/dist/ -type f -name "*.json" -exec sed -i.bak "s|www.openhistoricalmap.org|${SERVER_URL}|g" {} + - find /var/www/node_modules/@openhistoricalmap/map-styles/dist/ -type f -name "*.json" -exec sed -i.bak "s|vtiles.openhistoricalmap.org|vtiles.${SERVER_URL_}|g" {} + - find /var/www/node_modules/@openhistoricalmap/map-styles/dist/ -type f -name "*.json" -exec sed -i.bak "s|vtiles.staging.openhistoricalmap.org|vtiles.${SERVER_URL_}|g" {} + + find /var/www/node_modules/@openhistoricalmap/map-styles/dist/ -type f -name "*.json" -exec sed -i.bak "s|vtiles.openhistoricalmap.org|${VTILES_DOMAIN}|g" {} + + find /var/www/node_modules/@openhistoricalmap/map-styles/dist/ -type f -name "*.json" -exec sed -i.bak "s|vtiles.staging.openhistoricalmap.org|${VTILES_DOMAIN}|g" {} + # Replace URLs in the public directory find "/var/www/public" -type f \( \ 
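Review bot: `VTILES_DOMAIN` now comes from the environment and is spliced into the replacement side of `sed "s|…|${VTILES_DOMAIN}|g"` with no check, so a value containing `|`, `&` or a backslash would change what sed writes into every map-style JSON. Validate it once, right after the default is applied, e.g. `case "$VTILES_DOMAIN" in *[!A-Za-z0-9.:-]*) echo "invalid VTILES_DOMAIN" >&2; exit 1 ;; esac`. The same variable feeds the two `-e` expressions in the following hunk (the loop over /var/www/public), so the single check covers both. `setup_production` starts and ends outside the hunk.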
@@ -152,8 +155,8 @@ setup_production() { -e "s|openhistoricalmap.github.io|${SERVER_URL}|g" \ -e "s|http://localhost:8888|https://${SERVER_URL}/map-styles|g" \ -e "s|www.openhistoricalmap.org|${SERVER_URL}|g" \ - -e "s|vtiles.openhistoricalmap.org|vtiles.${SERVER_URL_}|g" \ - -e "s|vtiles.staging.openhistoricalmap.org|vtiles.${SERVER_URL_}|g" \ + -e "s|vtiles.openhistoricalmap.org|${VTILES_DOMAIN}|g" \ + -e "s|vtiles.staging.openhistoricalmap.org|${VTILES_DOMAIN}|g" \ "$file" done diff --git a/ohm/requirements.yaml b/ohm/requirements.yaml index bbd151c09..1d8c400f6 100644 --- a/ohm/requirements.yaml +++ b/ohm/requirements.yaml @@ -1,4 +1,4 @@ dependencies: - name: osm-seed - version: '0.1.0-0.dev.git.997.h7a921d5' + version: '0.1.0-0.dev.git.1006.h3d2d82a' repository: https://osm-seed.github.io/osm-seed-chart/ \ No newline at end of file diff --git a/values.k3s.preview.template.yaml b/values.k3s.preview.template.yaml new file mode 100644 index 000000000..a5246f741 --- /dev/null +++ b/values.k3s.preview.template.yaml 
@@ -0,0 +1,176 @@ +osm-seed: + environment: staging + cloudProvider: k3s + serviceType: ClusterIP + createClusterIssuer: false + ingressClassName: "" + domain: ohmstaging.org + adminEmail: admin@openhistoricalmap.org + + web: + enabled: true + priorityClass: medium-priority + serviceAccount: + enabled: false + replicaCount: 1 + ingress: + enabled: true + className: traefik + hosts: + - "{{PREVIEW_HOST}}" + annotations: + traefik.ingress.kubernetes.io/router.middlewares: "{{PREVIEW_NS}}-https-proto@kubernetescrd" + livenessProbeExec: true + env: + SERVER_URL: "{{PREVIEW_HOST}}" + SERVER_PROTOCOL: "https" + MAILER_ADDRESS: "{{MAILER_ADDRESS}}" + MAILER_DOMAIN: ohmstaging.org + MAILER_USERNAME: "{{MAILER_USERNAME}}" + MAILER_PASSWORD: "{{MAILER_PASSWORD}}" + MAILER_FROM: web@noreply.openhistoricalmap.org + NOMINATIM_URL: nominatim.openhistoricalmap.org + OVERPASS_URL: overpass-api.openhistoricalmap.org + VTILES_DOMAIN: vtiles.openhistoricalmap.org + + NEW_RELIC_LICENSE_KEY: "none" + NEW_RELIC_APP_NAME: "none" + ORGANIZATION_NAME: OpenHistoricalMap + WEBSITE_STATUS: "online" + RAILS_CREDENTIALS_YML_ENC: "cAkSjhiOMk1I7JYLHJFdA20ceYwoV4UarL3mp4L6LnclUbuqKY7lj9+5OnN6oSsfBGQj3gxE2IY9uD533q+strxnllbpViFcxFNIFJR+pfKXs24GLeZYtJGOOJ2NcSIxpsI0d+53Bm1/QekjLVfauGSF9rc3BRLwJHxGubxILlAOfiK3ArXBMADsAR8Hc//efRmtlo0gFXQ15DO9j3Mq//FO--RP4fuggOTjlj/NeD--fX2NTz6KLYly7/rSvJC81Q==" + RAILS_MASTER_KEY: "ceadf340a26657419e5343d46b60798c" + RAILS_ENV: production + RAILS_LOG_LEVEL: debug + OPENSTREETMAP_id_key: "tCygIMWpJVZ2c-vWYC_kI_YnMow3WmGbKLp2Rq_WgHI" + OAUTH_CLIENT_ID: "Zj5OnOQLXJKgGYFMwsisuhsHR-FAg1khf-wr0nE3OWo" + OAUTH_KEY: "OGNWJkSOmeJ8X08iL6Srv0oTaETIcwftD5OyFPbbY3A" + + RAILS_STORAGE_SERVICE: s3 + RAILS_STORAGE_REGION: us-east-1 + RAILS_STORAGE_BUCKET: osmseed-dev + AWS_ACCESS_KEY_ID: "{{AWS_ACCESS_KEY_ID}}" + AWS_SECRET_ACCESS_KEY: "{{AWS_SECRET_ACCESS_KEY}}" + PASSENGER_MAX_POOL_SIZE: 3 + OPENSTREETMAP_AUTH_ID: "none" + OPENSTREETMAP_AUTH_SECRET: "none" + WIKIPEDIA_AUTH_ID: 
"none" + WIKIPEDIA_AUTH_SECRET: "none" + resources: + enabled: false + autoscaling: + enabled: false + sharedMemorySize: 16Mi + nodeSelector: + enabled: false + nodeAffinity: + enabled: false + podAntiAffinity: + enabled: false + + db: + enabled: true + priorityClass: medium-priority + env: + POSTGRES_DB: openhistoricalmap + POSTGRES_USER: postgres + POSTGRES_PASSWORD: "{{PREVIEW_DB_PASSWORD}}" + PGDATA: /var/lib/postgresql/data/pgdata + persistenceDisk: + enabled: false + sharedMemorySize: 256Mi + resources: + enabled: false + postgresqlConfig: + enabled: false + nodeSelector: + enabled: false + nodeAffinity: + enabled: false + + memcached: + enabled: true + priorityClass: medium-priority + resources: + enabled: false + nodeSelector: + enabled: false + nodeAffinity: + enabled: false + + cgimap: + enabled: true + priorityClass: medium-priority + resources: + enabled: false + autoscaling: + enabled: false + nodeSelector: + enabled: false + nodeAffinity: + enabled: false + + # ----- Everything else OFF -------------------------------------------------- + fullHistory: + enabled: false + changesetsDump: + enabled: false + dbBackupRestore: + enabled: false + planetDump: + enabled: false + replicationJob: + enabled: false + populateApidb: + enabled: false + osmProcessor: + enabled: false + tilerDb: + enabled: false + tilerImposm: + enabled: false + tilerServer: + enabled: false + tilerServerMartin: + enabled: false + tilerVarnish: + enabled: false + tilerCacheCleanerJob: + enabled: false + tilerCache: + enabled: false + tilerMonitorPipeline: + enabled: false + tilerMonitorLanguage: + enabled: false + tmDb: + enabled: false + tmApi: + enabled: false + osmSimpleMetrics: + enabled: false + monitoringReplication: + enabled: false + changesetReplicationJob: + enabled: false + planetFiles: + enabled: false + taginfoWeb: + enabled: false + taginfoDataProcessor: + enabled: false + nominatimUI: + enabled: false + nominatimApi: + enabled: false + overpassApi: + enabled: false + 
osmchaWeb: + enabled: false + osmchaApi: + enabled: false + osmchaDb: + enabled: false + osmxAdiffBuilder: + enabled: false + planetStats: + enabled: false diff --git a/values.k3s.production.template.yaml b/values.k3s.production.template.yaml index 806ff53f3..f2580da70 100644 --- a/values.k3s.production.template.yaml +++ b/values.k3s.production.template.yaml @@ -189,6 +189,8 @@ osm-seed: tilerVarnish: enabled: true + ingress: + enabled: false image: name: varnish tag: "7.5" @@ -266,6 +268,8 @@ osm-seed: # Web frontend - serves taginfo HTTP UI, downloads .db files from S3 taginfoWeb: enabled: true + ingress: + enabled: false priorityClass: medium-priority serviceAccount: enabled: false @@ -320,12 +324,14 @@ osm-seed: # ==================================================================================================== nominatimApi: enabled: true + ingress: + enabled: false priorityClass: medium-priority serviceAnnotations: service.beta.kubernetes.io/aws-load-balancer-connection-idle-timeout: "300" - ingressDomain: nominatim.openhistoricalmap.org replicaCount: 1 env: + NOMINATIM_API_ENDPOINT: nominatim.openhistoricalmap.org PBF_URL: http://s3.amazonaws.com/planet.openhistoricalmap.org/planet/planet-260408_0307.osm.pbf REPLICATION_URL: http://planet.openhistoricalmap.org.s3.amazonaws.com/replication/minute REPLICATION_UPDATE_INTERVAL: 60 @@ -362,6 +368,8 @@ osm-seed: # ==================================================================================================== overpassApi: enabled: true + ingress: + enabled: false priorityClass: medium-priority env: OVERPASS_META: attic @@ -399,11 +407,12 @@ osm-seed: osmchaApi: enabled: true + ingress: + enabled: false priorityClass: medium-priority image: name: ghcr.io/openhistoricalmap/osmcha-django tag: 1bd58e1 - ingressDomain: osmcha.openhistoricalmap.org env: DJANGO_SETTINGS_MODULE: "config.settings.production" OSMCHA_FRONTEND_VERSION: "v0.86.0-production" 
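Review bot: `RAILS_MASTER_KEY` and `RAILS_CREDENTIALS_YML_ENC` under `web.env` in values.k3s.preview.template.yaml are committed as literal values, and the master key is what decrypts the credentials blob beside it. Anyone who can read the repository can therefore recover whatever that blob holds. preview-web-up.yaml already passes `STAGING_RAILS_MASTER_KEY` and `STAGING_RAILS_CREDENTIALS_YML_ENC` to the substitution step, but no placeholder in this template consumes them; use `RAILS_MASTER_KEY: "{{STAGING_RAILS_MASTER_KEY}}"` and `RAILS_CREDENTIALS_YML_ENC: "{{STAGING_RAILS_CREDENTIALS_YML_ENC}}"`. Whether the committed pair is a throwaway development key cannot be told from the diff; if it is used by any reachable deployment it should be rotated. `OAUTH_KEY` is also a literal here, and `RAILS_LOG_LEVEL: debug` on a publicly routed preview host is worth a second look, since debug logs commonly include request parameters.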
diff --git a/values.k3s.staging.template.yaml b/values.k3s.staging.template.yaml index 1e59e9f59..2274f18f6 100644 --- a/values.k3s.staging.template.yaml +++ b/values.k3s.staging.template.yaml @@ -173,6 +173,8 @@ osm-seed: tilerVarnish: enabled: true + ingress: + enabled: false image: name: varnish tag: "7.5" @@ -250,6 +252,8 @@ osm-seed: # Web frontend - serves taginfo HTTP UI, downloads .db files from S3 taginfoWeb: enabled: true + ingress: + enabled: false priorityClass: medium-priority serviceAccount: enabled: false @@ -304,15 +308,17 @@ osm-seed: # ==================================================================================================== nominatimApi: enabled: true + ingress: + enabled: false # image: # name: developmentseed/osmseed-nominatim # tag: 1.0.0-dev.hb293d54 priorityClass: medium-priority serviceAnnotations: service.beta.kubernetes.io/aws-load-balancer-connection-idle-timeout: "300" - ingressDomain: nominatim.openhistoricalmap.org replicaCount: 1 env: + NOMINATIM_API_ENDPOINT: nominatim.ohmstaging.org PBF_URL: http://s3.amazonaws.com/planet.openhistoricalmap.org/planet/planet-260408_0307.osm.pbf REPLICATION_URL: http://planet.openhistoricalmap.org.s3.amazonaws.com/replication/minute REPLICATION_UPDATE_INTERVAL: 60 @@ -349,6 +355,8 @@ osm-seed: # ==================================================================================================== overpassApi: enabled: true + ingress: + enabled: false # image: # name: ghcr.io/openhistoricalmap/overpass-api # tag: 0.0.1-0.dev.git.3377.h318c42d7 @@ -389,11 +397,12 @@ osm-seed: osmchaApi: enabled: true + ingress: + enabled: false priorityClass: medium-priority image: name: ghcr.io/openhistoricalmap/osmcha-django tag: 1bd58e1 - ingressDomain: osmcha.ohmstaging.org env: DJANGO_SETTINGS_MODULE: "config.settings.production" OSMCHA_FRONTEND_VERSION: "v0.86.0-production" diff --git a/values.production.template.yaml b/values.production.template.yaml index 23e899fac..a9987dcba 100644 
--- a/values.production.template.yaml +++ b/values.production.template.yaml @@ -112,6 +112,8 @@ osm-seed: # ==================================================================================================== web: enabled: true + ingress: + enabled: false priorityClass: high-priority serviceAccount: enabled: true @@ -119,18 +121,21 @@ osm-seed: replicaCount: 2 serviceAnnotations: service.beta.kubernetes.io/aws-load-balancer-connection-idle-timeout: "300" - ingressDomain: www.openhistoricalmap.org env: MAILER_ADDRESS: {{MAILER_ADDRESS}} MAILER_DOMAIN: openhistoricalmap.org MAILER_USERNAME: {{MAILER_USERNAME}} MAILER_PASSWORD: {{MAILER_PASSWORD}} - OSM_id_key: {{PRODUCTION_ID_APPLICATION}} + OPENSTREETMAP_id_key: {{PRODUCTION_ID_APPLICATION}} OAUTH_CLIENT_ID: {{PRODUCTION_OAUTH_CLIENT_ID}} OAUTH_KEY: {{PRODUCTION_OAUTH_KEY}} - MAILER_FROM: web@noreply.penhistoricalmap.org + MAILER_FROM: web@noreply.openhistoricalmap.org + SERVER_URL: www.openhistoricalmap.org + SERVER_PROTOCOL: https NOMINATIM_URL: nominatim.openhistoricalmap.org OVERPASS_URL: overpass-api.openhistoricalmap.org + VTILES_DOMAIN: vtiles.openhistoricalmap.org + NEW_RELIC_LICENSE_KEY: 'none' NEW_RELIC_APP_NAME: 'none' ORGANIZATION_NAME: OpenHistoricalMap @@ -142,7 +147,6 @@ osm-seed: RAILS_STORAGE_SERVICE: s3 RAILS_STORAGE_REGION: us-east-1 RAILS_STORAGE_BUCKET: ohm-website-production - EXTERNAL_CGIMAP: true PASSENGER_MAX_POOL_SIZE: 6 OPENSTREETMAP_AUTH_ID: {{PRODUCTION_OPENSTREETMAP_AUTH_ID}} OPENSTREETMAP_AUTH_SECRET: {{PRODUCTION_OPENSTREETMAP_AUTH_SECRET}} @@ -541,11 +545,12 @@ osm-seed: tmApi: enabled: true + ingress: + enabled: false priorityClass: medium-priority replicaCount: 1 serviceAnnotations: service.beta.kubernetes.io/aws-load-balancer-connection-idle-timeout: '300' - ingressDomain: tm-api.openhistoricalmap.org healthCheckPath: /api/docs env: TM_ORG_NAME: OpenHistoricalMap diff --git a/values.staging.template.yaml b/values.staging.template.yaml index 057a20ffe..1cf4eb15d 100644 
--- a/values.staging.template.yaml +++ b/values.staging.template.yaml @@ -115,24 +115,29 @@ osm-seed: # ==================================================================================================== web: enabled: true + ingress: + enabled: false priorityClass: "high-priority" serviceAccount: enabled: true - name: ohm-s3-bucket-access-staging + name: ohm-s3-bucket-access-staging replicaCount: 1 - ingressDomain: www.ohmstaging.org env: MAILER_ADDRESS: {{MAILER_ADDRESS}} MAILER_DOMAIN: ohmstaging.org MAILER_USERNAME: {{MAILER_USERNAME}} MAILER_PASSWORD: {{MAILER_PASSWORD}} # MAILER_PORT: "587" - OSM_id_key: 7E0Rn-ZjZpEW5cjM-CheEQAbp8nDiCuyB_UmIZOHysA + OPENSTREETMAP_id_key: 7E0Rn-ZjZpEW5cjM-CheEQAbp8nDiCuyB_UmIZOHysA OAUTH_CLIENT_ID: CiBBpurbtUj1np_QZOTngIePlS7K9uGvKDW2Pcw5O7Y OAUTH_KEY: 1O8WtBWivoefehDMT6sbm9TNUU_h_EXznI4cM5XMyJw MAILER_FROM: web@noreply.openhistoricalmap.org + SERVER_URL: www.ohmstaging.org + SERVER_PROTOCOL: https NOMINATIM_URL: nominatim.ohmstaging.org OVERPASS_URL: overpass-api.ohmstaging.org + VTILES_DOMAIN: vtiles.ohmstaging.org + NEW_RELIC_LICENSE_KEY: "none" NEW_RELIC_APP_NAME: "none" ORGANIZATION_NAME: OpenHistoricalMap @@ -144,7 +149,6 @@ osm-seed: RAILS_STORAGE_SERVICE: s3 RAILS_STORAGE_REGION: us-east-1 RAILS_STORAGE_BUCKET: ohm-website-staging - EXTERNAL_CGIMAP: true PASSENGER_MAX_POOL_SIZE: 3 OPENSTREETMAP_AUTH_ID: {{STAGING_OPENSTREETMAP_AUTH_ID}} OPENSTREETMAP_AUTH_SECRET: {{STAGING_OPENSTREETMAP_AUTH_SECRET}} @@ -489,7 +493,6 @@ osm-seed: enabled: false priorityClass: medium-priority replicaCount: 1 - ingressDomain: tm-api.ohmstaging.org healthCheckPath: /health env: TM_ORG_NAME: OpenHistoricalMap