diff --git a/.gitea/workflows/nightly.yml b/.gitea/workflows/nightly.yml
index 7bc67a0e..86564f9c 100644
--- a/.gitea/workflows/nightly.yml
+++ b/.gitea/workflows/nightly.yml
@@ -165,12 +165,17 @@ jobs:
         # the host's. The bridge gateway IS the host; Caddy binds 0.0.0.0:443
         # and is therefore reachable from the container via that IP.
         # SNI still uses the public hostname so the TLS cert validates correctly.
+        #
+        # Gateway detection reads /proc/net/route (always present, no package
+        # required) instead of `ip route` to avoid a dependency on iproute2.
+        # Field $2=="00000000" is the default route; field $3 is the gateway as
+        # a little-endian 32-bit hex value which awk decodes to dotted-decimal.
         run: |
           set -e
           HOST="staging.raddatz.cloud"
           URL="https://$HOST"
-          HOST_IP=$(ip route show default | awk '/default/ {print $3}')
-          [ -n "$HOST_IP" ] || { echo "ERROR: could not detect Docker bridge gateway via 'ip route'"; exit 1; }
+          HOST_IP=$(awk 'NR>1 && $2=="00000000"{h=$3;printf "%d.%d.%d.%d\n",strtonum("0x"substr(h,7,2)),strtonum("0x"substr(h,5,2)),strtonum("0x"substr(h,3,2)),strtonum("0x"substr(h,1,2));exit}' /proc/net/route)
+          [ -n "$HOST_IP" ] || { echo "ERROR: could not detect Docker bridge gateway via /proc/net/route"; exit 1; }
           RESOLVE="--resolve $HOST:443:$HOST_IP"
           echo "Smoke test: $URL (pinned to $HOST_IP via bridge gateway)"
           curl -fsS "$RESOLVE" --max-time 10 "$URL/login" -o /dev/null