diff --git a/deploy/bird/Dockerfile b/deploy/bird/Dockerfile
index c01dabc..adfa407 100644
--- a/deploy/bird/Dockerfile
+++ b/deploy/bird/Dockerfile
@@ -35,6 +35,7 @@ FROM debian:bookworm-slim
 RUN apt-get update && apt-get install -y --no-install-recommends \
 ca-certificates \
+ gettext-base \
 netcat-openbsd \
 libreadline8 \
 libncurses6 \
diff --git a/deploy/bird/README.md b/deploy/bird/README.md
index b872dbc..3db6ff6 100644
--- a/deploy/bird/README.md
+++ b/deploy/bird/README.md
@@ -73,7 +73,8 @@ docker logs -f bird-rpki-client
 ## Notes
-- This setup targets RTR over TCP (`remote "host.docker.internal" port 323`).
+- This setup renders `bird.conf.template` at startup and uses `RPKI_HOST` / `RPKI_PORT`
+ for the RTR endpoint.
 - `network_mode: host` expects your RTR server to be reachable at `host.docker.internal:323` from the container.
 - Observation is controlled by env vars:
diff --git a/deploy/bird/bird.conf.ssh.template b/deploy/bird/bird.conf.ssh.template
new file mode 100644
index 0000000..8fafaf0
--- /dev/null
+++ b/deploy/bird/bird.conf.ssh.template
@@ -0,0 +1,30 @@
+log stderr all;
+router id 192.0.2.2;
+
+roa4 table rtr_roa_v4;
+roa6 table rtr_roa_v6;
+aspa table rtr_aspa;
+
+protocol device {
+}
+
+protocol rpki rpki_ssh {
+ roa4 { table rtr_roa_v4; };
+ roa6 { table rtr_roa_v6; };
+ aspa { table rtr_aspa; };
+
+ remote "${RPKI_HOST}" port ${RPKI_PORT};
+
+ min version 2;
+ max version 2;
+
+ refresh 3600;
+ retry 600;
+ expire 7200;
+
+ transport ssh {
+ user "rpki-rtr";
+ bird private key "/config/ssh/bird-rtr-client-rsa.pem";
+ remote public key "/run/bird/known_hosts";
+ };
+}
diff --git a/deploy/bird/bird.conf.template b/deploy/bird/bird.conf.template
new file mode 100644
index 0000000..bbb13f1
--- /dev/null
+++ b/deploy/bird/bird.conf.template
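Review bot: `remote public key "/run/bird/known_hosts"` is the entire host-key check for this RTR session, and the template does not say where that file comes from or what it must contain; from the entrypoint.sh hunk later in this diff, `ensure_ssh_known_hosts()` returns early whenever the file is already non-empty, so whatever is there first is what gets trusted. I believe the known_hosts entry has to be keyed on the exact literal rendered into `remote` (now `RPKI_HOST`), which docker-compose.ssh.yml sets to `0.0.0.0` — worth confirming the generated entry uses that same literal. A short comment on the transport block would save the next reader the trip through the entrypoint: `# The RTR server's host key (for the RPKI_HOST endpoint) must be in /run/bird/known_hosts;` / `# entrypoint.sh fills that file only when it is empty, so a stale entry is not replaced.` The `min version 2; max version 2;` pin also deserves a one-liner (presumably the `aspa` table needs RTR v2 PDUs) so nobody relaxes it to make an older server connect.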
@@ -0,0 +1,28 @@
+log stderr all;
+router id 192.0.2.2;
+
+roa4 table rtr_roa_v4;
+roa6 table rtr_roa_v6;
+aspa table rtr_aspa;
+
+protocol device {
+}
+
+protocol rpki rpki_tcp {
+ roa4 { table rtr_roa_v4; };
+ roa6 { table rtr_roa_v6; };
+ aspa { table rtr_aspa; };
+
+ remote "${RPKI_HOST}" port ${RPKI_PORT};
+
+ min version 2;
+ max version 2;
+
+ refresh 3600;
+ retry 600;
+ expire 7200;
+
+ transport tcp {
+ authentication none;
+ };
+}
diff --git a/deploy/bird/docker-compose.ssh.yml b/deploy/bird/docker-compose.ssh.yml
index 609e3de..40fe27f 100644
--- a/deploy/bird/docker-compose.ssh.yml
+++ b/deploy/bird/docker-compose.ssh.yml
@@ -1,9 +1,10 @@
 services:
 bird-rpki-client:
 environment:
- RPKI_HOST: "host.docker.internal"
+ BIRD_CONFIG_TEMPLATE_PATH: "/config/bird.conf.ssh.template"
+ RPKI_HOST: "0.0.0.0"
 RPKI_PORT: "${RPKI_RTR_SSH_PORT:-22}"
 OBSERVE_PROTO: "rpki_ssh"
 volumes:
- - ./bird.conf.ssh.example:/config/bird.conf:ro
+ - ./bird.conf.ssh.template:/config/bird.conf.ssh.template:ro
 - ../../certs:/config/ssh:ro
diff --git a/deploy/bird/docker-compose.yml b/deploy/bird/docker-compose.yml
index cbf0a59..b67fa20 100644
--- a/deploy/bird/docker-compose.yml
+++ b/deploy/bird/docker-compose.yml
@@ -9,9 +9,9 @@ services:
 restart: unless-stopped
 network_mode: host
 environment:
- BIRD_CONFIG_PATH: "/config/bird.conf"
+ BIRD_CONFIG_TEMPLATE_PATH: "/config/bird.conf.template"
- RPKI_HOST: "host.docker.internal"
+ RPKI_HOST: "0.0.0.0"
 RPKI_PORT: "323"
 OBSERVE_PROTO: "rpki_tcp"
@@ -31,5 +31,5 @@ services:
 SHOW_ROA4: "1"
 SHOW_ROA6: "1"
 volumes:
- - ./bird.conf:/config/bird.conf:ro
+ - ./bird.conf.template:/config/bird.conf.template:ro
 - ../../logs/bird:/app/logs
diff --git a/deploy/bird/entrypoint.sh b/deploy/bird/entrypoint.sh
index b0b8045..13da678 100644
--- a/deploy/bird/entrypoint.sh
+++ b/deploy/bird/entrypoint.sh
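Review bot: `transport tcp { authentication none; }` means the RTR session carries no integrity protection, and now that `remote` is rendered from `RPKI_HOST` a deployer can point this template at any host with nothing in the file saying plain TCP is only appropriate for a server on the same machine or a trusted link. A comment on the transport block states that where it will be read: `# Unauthenticated RTR over plain TCP: only for an RTR server on this host/loopback or a` / `# trusted network; for anything else use bird.conf.ssh.template.` The hard-coded `router id 192.0.2.2;` would likewise benefit from a word saying it is a documentation-range placeholder for this client-only instance, so nobody treats it as a real identifier. Comments are passed through envsubst too, which is harmless as long as they do not spell `${RPKI_HOST}` or `${RPKI_PORT}`.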
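Review bot: `RPKI_HOST: "0.0.0.0"` is the address bird will connect to (it is rendered into `remote "${RPKI_HOST}"`), and 0.0.0.0 is the unspecified address rather than a destination; on Linux a connect() to it reaches the local host, but that relies on kernel behaviour where `127.0.0.1` states the intent and works everywhere. The same value is set in docker-compose.yml further down this diff, while entrypoint.sh keeps `host.docker.internal` as its fallback and the README context line still tells users the server must be reachable at `host.docker.internal:323` — the three should agree. For the ssh variant the literal also matters for host-key verification, since the known_hosts entry presumably has to match what is written into `remote`. `RPKI_HOST: "127.0.0.1"` here and in docker-compose.yml, with the matching default in entrypoint.sh, keeps all of that consistent.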
@@ -12,6 +12,7 @@
 RPKI_HOST="${RPKI_HOST:-host.docker.internal}"
 RPKI_PORT="${RPKI_PORT:-323}"
 BIRD_CONFIG_PATH="${BIRD_CONFIG_PATH:-/config/bird.conf}"
+BIRD_CONFIG_TEMPLATE_PATH="${BIRD_CONFIG_TEMPLATE_PATH:-/config/bird.conf.template}"
 ASPA_TABLE="${OBSERVE_ASPA_TABLE:-rtr_aspa}"
 ROA4_TABLE="${OBSERVE_ROA4_TABLE:-rtr_roa_v4}"
@@ -35,6 +36,13 @@ STDERR_LOG="${LOG_DIR}/${LOG_NAME}.stderr.log"
 mkdir -p "$LOG_DIR"
 exec >>"$STDOUT_LOG" 2>>"$STDERR_LOG"
+if [ -r "$BIRD_CONFIG_TEMPLATE_PATH" ]; then
+ RENDERED_CONFIG_PATH="/run/bird/bird.generated.conf"
+ envsubst '${RPKI_HOST} ${RPKI_PORT}' < "$BIRD_CONFIG_TEMPLATE_PATH" > "$RENDERED_CONFIG_PATH"
+ BIRD_CONFIG_PATH="$RENDERED_CONFIG_PATH"
+ echo "[entrypoint] rendered config : $BIRD_CONFIG_TEMPLATE_PATH -> $BIRD_CONFIG_PATH"
+fi
+
 ensure_ssh_known_hosts() {
 if [ -s "$SSH_KNOWN_HOSTS_PATH" ]; then
 return
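Review bot: The values the new envsubst line splices into bird.conf are not checked, and `${RPKI_HOST}` lands inside a quoted BIRD string, so a value containing `"`, `;` or `#` (a typo in the compose environment is enough) yields a config that parses differently from what was intended instead of a clear error. These variables come from the deployment environment, so the exposure is misconfiguration rather than an attacker, but a whitelist check before rendering turns that into a fail-fast message in the stderr log. Two smaller points in the same block: the hunk does not show `/run/bird` being created before the redirect into it (if the script does that elsewhere, as the ssh template's known_hosts path suggests, ignore this), and when the template is unreadable the script silently keeps the static `BIRD_CONFIG_PATH` default even though both compose files no longer mount `/config/bird.conf`. The rewrite below adds the checks, renders atomically, and fails early when neither source of config is readable.
```shell
if [ -r "$BIRD_CONFIG_TEMPLATE_PATH" ]; then
    # Both values are spliced into bird.conf verbatim: accept only a plain host name /
    # IP literal and a decimal port so a bad value cannot change the rendered config.
    case "$RPKI_HOST" in
        ''|*[!A-Za-z0-9._:-]*)
            echo "[entrypoint] RPKI_HOST is not a valid host name or address: '$RPKI_HOST'" >&2
            exit 1 ;;
    esac
    case "$RPKI_PORT" in
        ''|*[!0-9]*)
            echo "[entrypoint] RPKI_PORT is not a decimal port number: '$RPKI_PORT'" >&2
            exit 1 ;;
    esac
    RENDERED_CONFIG_PATH="/run/bird/bird.generated.conf"
    mkdir -p "$(dirname "$RENDERED_CONFIG_PATH")"
    # Render to a temp file and move it into place so bird never reads a half-written config.
    envsubst '${RPKI_HOST} ${RPKI_PORT}' < "$BIRD_CONFIG_TEMPLATE_PATH" > "$RENDERED_CONFIG_PATH.tmp"
    mv -f "$RENDERED_CONFIG_PATH.tmp" "$RENDERED_CONFIG_PATH"
    BIRD_CONFIG_PATH="$RENDERED_CONFIG_PATH"
    echo "[entrypoint] rendered config : $BIRD_CONFIG_TEMPLATE_PATH -> $BIRD_CONFIG_PATH"
elif [ ! -r "$BIRD_CONFIG_PATH" ]; then
    echo "[entrypoint] neither $BIRD_CONFIG_TEMPLATE_PATH nor $BIRD_CONFIG_PATH is readable" >&2
    exit 1
fi
# … unchanged: ensure_ssh_known_hosts() …
```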