diff --git a/.gitea/workflows/deploy.yml b/.gitea/workflows/deploy.yml index bf8aba7..4183fcf 100644 --- a/.gitea/workflows/deploy.yml +++ b/.gitea/workflows/deploy.yml @@ -6,20 +6,20 @@ on: jobs: deploy: - runs-on: [ mainhost ] # keep your labels as-is + runs-on: [ mainhost ] # must match your runner label (e.g. mainhost:host) env: SSH_HOST: ${{ secrets.SSH_HOST }} SSH_USER: ${{ secrets.SSH_USER }} - SSH_KEY_PATH: /home/gitea-runner/.ssh/deploy_stellaamor + SSH_KEY_PATH: ~/.ssh/deploy_stellaamor + SSH_OPTS: >- + -o BatchMode=yes -o IdentitiesOnly=yes -o NumberOfPasswordPrompts=0 + -o ServerAliveInterval=15 -o ServerAliveCountMax=3 + -o ConnectTimeout=20 -o StrictHostKeyChecking=no APP_ROOT: /var/www/stellaamor UPLOADS_DIR: uploads KEEP_N: "5" HEALTH_URL: https://stellaamor.com/ SERVICE_RELOAD: "systemctl reload apache2 || true" - SSH_OPTS: "-o BatchMode=yes -o IdentitiesOnly=yes -o NumberOfPasswordPrompts=0 \ - -o ServerAliveInterval=15 -o ServerAliveCountMax=3 \ - -o ConnectTimeout=20 -o StrictHostKeyChecking=no" - steps: - name: Checkout (pure git) @@ -34,11 +34,10 @@ jobs: install -m 700 -d ~/.ssh umask 177 cat > ~/.ssh/deploy_stellaamor <<'KEY' - ${{ secrets.SSH_KEY_STELLAAMOR }} - KEY +${{ secrets.SSH_KEY_STELLAAMOR }} +KEY chmod 600 ~/.ssh/deploy_stellaamor - - name: SSH smoke test run: ssh $SSH_OPTS -i "$SSH_KEY_PATH" ${SSH_USER}@${SSH_HOST} true 
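Review bot: The rewritten `SSH_OPTS` still ends in `-o StrictHostKeyChecking=no`, so every `ssh` and `scp` call in this job accepts whatever host key the peer presents. The job then uploads the release and runs `sudo install` on the target over that unverified connection. Pin the server's host key instead: write it from a secret into a dedicated file in the key-setup step and change the last folded line to `-o ConnectTimeout=20 -o StrictHostKeyChecking=yes -o UserKnownHostsFile=~/.ssh/known_hosts_deploy` (the file name is a placeholder). Separately, `SSH_KEY_PATH: ~/.ssh/deploy_stellaamor` is used as `-i "$SSH_KEY_PATH"`, where the shell does not expand `~`, so the path resolves only because ssh expands the tilde itself; confirm that on the runner's ssh and scp.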
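Review bot: The heredoc body and its terminator now sit at column 0 (`+${{ secrets.SSH_KEY_STELLAAMOR }}` and `+KEY`). If this step is a `run: |` block scalar, as the surrounding lines suggest, that ends the scalar early and the workflow file no longer parses; whitespace is collapsed on this page, so confirm against the real file. Keep both lines at the same indentation as `cat > ~/.ssh/deploy_stellaamor <<'KEY'`, because YAML strips the common indent and the terminator still reaches the shell at column 0. The private key is also written into the runner account's `~/.ssh` and nothing visible here removes it, so on a host-mode runner it would persist between jobs; consider a final step with `if: always()` that runs `rm -f ~/.ssh/deploy_stellaamor`. The step itself begins above this hunk.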
@@ -54,18 +53,14 @@ jobs: CUR="${APP}/current" UPLOADS="${{ env.UPLOADS_DIR }}" - # build tar outside repo dir then move (avoid tar reading its own output) tar -czf "$TAR" --exclude-vcs --exclude='./node_modules' --exclude="./${UPLOADS}" --exclude='./release' . mkdir -p release && mv "$TAR" "release/${REL}.tar.gz" - # ensure layout ssh $SSH_OPTS -i "$SSH_KEY_PATH" ${SSH_USER}@${SSH_HOST} \ "set -e; sudo install -d -o ${SSH_USER} -g ${SSH_USER} -m 755 ${RELEASES} ${SHARED} ${SHARED}/${UPLOADS}" - # upload (verbose) scp -O $SSH_OPTS -vvv -i "$SSH_KEY_PATH" "release/${REL}.tar.gz" ${SSH_USER}@${SSH_HOST}:/tmp/${REL}.tar.gz - # unpack/switch/reload/health/prune ssh $SSH_OPTS -i "$SSH_KEY_PATH" ${SSH_USER}@${SSH_HOST} ' set -euo pipefail REL="'${REL}'"; APP="'${APP}'"; SHARED="'${SHARED}'"; RELEASES="'${RELEASES}'"; CUR="'${CUR}'"; UPLOADS="'${UPLOADS}'";