diff --git a/containers/shower/default.nix b/containers/shower/default.nix
index 23539fb..a59e3ab 100644
--- a/containers/shower/default.nix
+++ b/containers/shower/default.nix
@@ -21,7 +21,7 @@
 { pkgs ? import <nixpkgs> { } }:
 
 let
-  version = "1.0.1";
+  version = "1.0.2";
 
   python = pkgs.python314;
 
@@ -107,7 +107,7 @@ let
     outputHashAlgo = "sha256";
     # Pinned dep closure — reproducible until version bumps. To recompute,
     # set to pkgs.lib.fakeHash and read the failure.
-    outputHash = "sha256-9J2cxNxFSkSWLy2nwPtqV0Qtn54YVJ3LiijsqKQT+uc=";
+    outputHash = pkgs.lib.fakeHash;
 
     dontFixup = true;
   };
diff --git a/fly/nginx.conf b/fly/nginx.conf
index 44d3903..7a70167 100644
--- a/fly/nginx.conf
+++ b/fly/nginx.conf
@@ -343,6 +343,60 @@ http {
             return 403 "The host console is tailnet-only — visit shower.ops.eblu.me.\n";
         }
 
+        # Static assets — WhiteNoise + CompressedManifestStaticFilesStorage
+        # gives content-hashed filenames, so cache aggressively. Hashed
+        # names make cache invalidation automatic on app upgrades.
+        location /static/ {
+            proxy_pass https://indri_backend$request_uri;
+            proxy_ssl_verify off;
+            proxy_ssl_server_name on;
+            proxy_ssl_name shower.ops.eblu.me;
+
+            proxy_http_version 1.1;
+            proxy_set_header Connection $connection_upgrade;
+            proxy_set_header Host shower.ops.eblu.me;
+            proxy_set_header X-Real-IP $http_fly_client_ip;
+            proxy_set_header X-Forwarded-For $http_fly_client_ip;
+            proxy_set_header X-Forwarded-Proto $scheme;
+
+            proxy_cache services;
+            proxy_cache_valid 200 1y;
+            proxy_cache_valid 404 1m;
+            proxy_cache_use_stale error timeout updating;
+            proxy_cache_lock on;
+            proxy_cache_key $host$uri;
+            proxy_ignore_headers Cache-Control Set-Cookie;
+
+            add_header X-Cache-Status $upstream_cache_status;
+        }
+
+        # Prize photo uploads. Shorter TTL than /static/ because filenames
+        # aren't content-hashed — operators can re-upload a prize photo
+        # and we want guests to see the new image within a day.
+        location /media/ {
+            proxy_pass https://indri_backend$request_uri;
+            proxy_ssl_verify off;
+            proxy_ssl_server_name on;
+            proxy_ssl_name shower.ops.eblu.me;
+
+            proxy_http_version 1.1;
+            proxy_set_header Connection $connection_upgrade;
+            proxy_set_header Host shower.ops.eblu.me;
+            proxy_set_header X-Real-IP $http_fly_client_ip;
+            proxy_set_header X-Forwarded-For $http_fly_client_ip;
+            proxy_set_header X-Forwarded-Proto $scheme;
+
+            proxy_cache services;
+            proxy_cache_valid 200 1d;
+            proxy_cache_valid 404 1m;
+            proxy_cache_use_stale error timeout updating;
+            proxy_cache_lock on;
+            proxy_cache_key $host$uri;
+            proxy_ignore_headers Cache-Control Set-Cookie;
+
+            add_header X-Cache-Status $upstream_cache_status;
+        }
+
         location / {
             proxy_pass https://indri_backend$request_uri;
             proxy_ssl_verify off;
diff --git a/service-versions.yaml b/service-versions.yaml
index aa3a6b6..74d467e 100644
--- a/service-versions.yaml
+++ b/service-versions.yaml
@@ -47,7 +47,7 @@ services:
   - name: shower
     type: argocd
     last-reviewed: 2026-05-10
-    current-version: "1.0.1"
+    current-version: "1.0.2"
     upstream-source: https://forge.eblu.me/eblume/adelaide-baby-shower-app
     notes: |
       Django app for Adelaide / Heidi / Addie's baby shower. Wheel