diff --git a/webapp.nix b/webapp.nix
index 25ee772..966e123 100644
--- a/webapp.nix
+++ b/webapp.nix
@@ -4,8 +4,8 @@
 let
   cfg = config.services.webapp;
 
-  # Build the Vue 3 webapp using buildNpmPackage
-  webapp = pkgs.buildNpmPackage {
+  # Build the Vue 3 webapp using stdenv + pnpm.configHook
+  webapp = pkgs.stdenv.mkDerivation (finalAttrs: {
     pname = "aio-webapp";
     version = "1.0.0";
 
@@ -15,17 +15,15 @@ let
       ref = cfg.gitRef;
     };
 
-    # SHA256 hash of npm dependencies
-    # Run `nix-prefetch-npm-deps package-lock.json` to get this hash
-    # Or use lib.fakeHash initially and let the build tell you the correct hash
-    npmDepsHash = cfg.npmDepsHash;
+    # Fixed-output derivation of the pnpm offline store.
+    # On first build / lockfile change, set hash = lib.fakeHash and rebuild;
+    # Nix will report the correct hash to substitute.
+    pnpmDeps = pkgs.pnpm.fetchDeps {
+      inherit (finalAttrs) pname version src;
+      hash = cfg.pnpmDepsHash;
+    };
 
-    # Node.js version (use LTS)
-    nodejs = pkgs.nodejs_20;
-
-    # Include devDependencies (vue-tsc, vite, etc. are needed for build)
-    npmFlags = [ "--include=dev" ];
-    makeCacheWritable = true;
+    nativeBuildInputs = [ pkgs.nodejs_20 pkgs.pnpm.configHook ];
 
     # Skip Electron binary download (we're building a web app, not desktop)
     ELECTRON_SKIP_BINARY_DOWNLOAD = "1";
@@ -79,10 +77,12 @@ let
     # Additional env vars
     NODE_ENV = "production";
 
-    # Explicitly add node_modules/.bin to PATH for vue-tsc, vite, etc.
+    # pnpm.configHook sets up the offline store and runs
+    # `pnpm install --offline --frozen-lockfile` before buildPhase.
     buildPhase = ''
-      export PATH="$PWD/node_modules/.bin:$PATH"
-      npm run build
+      runHook preBuild
+      pnpm run build
+      runHook postBuild
     '';
 
     # Install the built static files (Vite outputs to ./dist)
@@ -93,7 +93,7 @@ let
       runHook postInstall
     '';
 
-    # Don't run npm test
+    # Don't run pnpm test
     doCheck = false;
 
     meta = with lib; {
@@ -101,7 +101,7 @@ let
       license = licenses.mit;
       platforms = platforms.linux;
     };
-  };
+  });
 
 in {
   options.services.webapp = {
@@ -135,13 +135,13 @@ in {
       description = "Domain name for the webapp";
     };
 
-    npmDepsHash = lib.mkOption {
+    pnpmDepsHash = lib.mkOption {
       type = lib.types.str;
       default = lib.fakeHash;
       description = ''
-        SHA256 hash of npm dependencies.
-        Run `nix-prefetch-npm-deps package-lock.json` on the webapp source
-        to get the correct hash.
+        SRI hash of pnpm dependencies fetched from `pnpm-lock.yaml`.
+        Initially set to `lib.fakeHash`; on first build with a new lockfile,
+        Nix will fail with the correct hash to substitute in.
       '';
     };