diff --git a/.gitea/workflows/deploy-static.yml b/.gitea/workflows/deploy-static.yml index 64ab40d..c0d3c4d 100644 --- a/.gitea/workflows/deploy-static.yml +++ b/.gitea/workflows/deploy-static.yml @@ -7,9 +7,14 @@ name: Deploy static site to devfarm # jobs: # deploy: # uses: ringmaster/actions/.gitea/workflows/deploy-static.yml@main +# secrets: inherit # with: # site: myapp # → https://myapp.dev.clubbabyseal.com # build-command: npm run build +# +# Required secret (user-level in Gitea → Settings → Actions → Secrets): +# DEPLOY_SSH_KEY — private half of the gitea-ci-deploy key pair. +# Public key must be in /boot/config/ssh/authorized_keys on the NAS. on: workflow_call: @@ -41,14 +46,14 @@ on: required: false default: . type: string + secrets: + DEPLOY_SSH_KEY: + required: true + description: SSH private key for the gitea-ci-deploy key pair. jobs: deploy: runs-on: ubuntu-latest - container: - image: gitea/runner-images:ubuntu-latest - volumes: - - /mnt/user/devsites:/mnt/user/devsites steps: - uses: actions/checkout@v4 
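Review bot: The usage example in the header comment tells callers to add `secrets: inherit`, which hands every secret visible to the calling workflow to this one although only `DEPLOY_SSH_KEY` is declared. The example could pass the secret by name instead, `#     secrets:` followed by `#       DEPLOY_SSH_KEY: ${{ secrets.DEPLOY_SSH_KEY }}`. The "Required secret" comment could also state that the key grants a root login on the NAS, since the deploy step connects as `root@`, and suggest limiting the `authorized_keys` entry with options such as `restrict` and `from="<runner address>"`.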
@@ -63,19 +68,29 @@ jobs: run: ${{ inputs.build-command }} - name: Deploy to devfarm + env: + DEPLOY_SSH_KEY: ${{ secrets.DEPLOY_SSH_KEY }} run: | SITE="${{ inputs.site }}" SRC="${{ inputs.working-directory }}/${{ inputs.dist-dir }}" TARGET="/mnt/user/devsites/${SITE}/dist" + NAS="192.168.2.117" - # Validate site name: alphanumeric + hyphens only, no path traversal. if ! echo "$SITE" | grep -qE '^[a-z0-9-]+$'; then echo "ERROR: site name must match [a-z0-9-]+" exit 1 fi - mkdir -p "$TARGET" - rm -rf "${TARGET:?}/"* 2>/dev/null || true - cp -a "${SRC}/." "${TARGET}/" + mkdir -p ~/.ssh + echo "$DEPLOY_SSH_KEY" > ~/.ssh/deploy_key + chmod 600 ~/.ssh/deploy_key + ssh-keyscan -H "$NAS" >> ~/.ssh/known_hosts 2>/dev/null + + ssh -i ~/.ssh/deploy_key "root@${NAS}" "mkdir -p '${TARGET}'" + tar -C "${SRC}" -czf - . \ + | ssh -i ~/.ssh/deploy_key "root@${NAS}" \ + "rm -rf '${TARGET:?}'/* 2>/dev/null; tar -C '${TARGET}' -xzf -" + rm -f ~/.ssh/deploy_key + echo "Deployed $SRC → $TARGET" echo "Live at: https://${SITE}.dev.clubbabyseal.com"
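Review bot: The `ssh-keyscan -H "$NAS" >> ~/.ssh/known_hosts` line accepts whichever host key answers at run time, so the `root@${NAS}` sessions that follow are never checked against a known NAS key, and `2>/dev/null` hides a failed scan. Pinning the host key from a stored value closes that gap; `DEPLOY_KNOWN_HOSTS` in the fence is a placeholder name for a second secret, which would also need declaring under `workflow_call.secrets`. The private key is written before `chmod 600` and deleted only on the step's last added line, so it may stay on the runner if `ssh` or `tar` fails first; `umask 077` plus a `trap` on EXIT covers both. Separately, `SITE` and `SRC` are still assigned from `${{ inputs.* }}` text substituted into the script before the `grep` check runs, in a step that now holds the deploy key, so passing those inputs through `env:` as well would keep caller input as data.

```yaml
        env:
          DEPLOY_SSH_KEY: ${{ secrets.DEPLOY_SSH_KEY }}
          # Placeholder name: a second secret holding the NAS's known_hosts line.
          DEPLOY_KNOWN_HOSTS: ${{ secrets.DEPLOY_KNOWN_HOSTS }}
        run: |
          # … unchanged: SITE/SRC/TARGET/NAS assignments and the site-name check …
          umask 077
          mkdir -p ~/.ssh
          trap 'rm -f ~/.ssh/deploy_key' EXIT
          printf '%s\n' "$DEPLOY_SSH_KEY" > ~/.ssh/deploy_key
          printf '%s\n' "$DEPLOY_KNOWN_HOSTS" >> ~/.ssh/known_hosts
          # … unchanged: ssh mkdir and the tar | ssh pipeline …
```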