From a71126ea29950e53954c34db3b7eaafecb4a56f3 Mon Sep 17 00:00:00 2001
From: Evan Scamehorn <scamehorn@wisc.edu>
Date: Wed, 7 Jan 2026 17:13:35 -0600
Subject: [PATCH] debian packages

---
 .gitea/workflows/deploy.yaml | 35 ++++++++++++++++++++++++-----------
 1 file changed, 24 insertions(+), 11 deletions(-)

diff --git a/.gitea/workflows/deploy.yaml b/.gitea/workflows/deploy.yaml
index 313aec8..6e5dedd 100644
--- a/.gitea/workflows/deploy.yaml
+++ b/.gitea/workflows/deploy.yaml
@@ -20,7 +20,8 @@ jobs:
 
       - name: Install System Dependencies
         run: |
-          apk add --no-cache rsync openssh-client bash git
+          apt-get update
+          apt-get install -y rsync openssh-client git ca-certificates
 
       - name: Setup Node.js
         uses: actions/setup-node@v4
@@ -34,11 +35,15 @@ jobs:
       - name: Get Hugo Version
         run: |
           if [ -f "hugoblox.yaml" ]; then
+            # Extract version from your config file
             VERSION=$(grep "hugo_version" hugoblox.yaml | awk '{print $2}' | tr -d "'\"")
             echo "HUGO_VERSION=$VERSION" >> $GITHUB_ENV
+          else
+            # Fallback if file doesn't exist
+            echo "HUGO_VERSION=0.125.0" >> $GITHUB_ENV
           fi
 
-      - name: Install dependencies
+      - name: Install Node Dependencies
         run: |
           if [ -f "package.json" ]; then
             pnpm install --no-frozen-lockfile || npm install
@@ -51,8 +56,10 @@ jobs:
           extended: true
 
       - name: Build with Hugo
+        env:
+          HUGO_ENVIRONMENT: production
         run: |
-          # Use your actual domain here
+          # Replace with your actual domain
           hugo --minify --baseURL "https://ejs.cam/"
 
       - name: Generate Pagefind search index
@@ -64,18 +71,24 @@ jobs:
       - name: Deploy via Rsync
         env:
           SSH_PRIVATE_KEY: ${{ secrets.SSH_PRIVATE_KEY }}
+          REMOTE_HOST: ${{ secrets.REMOTE_HOST }}
+          REMOTE_USER: ${{ secrets.REMOTE_USER }}
+          REMOTE_PORT: ${{ secrets.REMOTE_PORT }}
         run: |
-          # Setup SSH
+          # 1. Prepare SSH Directory
           mkdir -p ~/.ssh
+          chmod 700 ~/.ssh
+
+          # 2. Load the Private Key
           echo "$SSH_PRIVATE_KEY" > ~/.ssh/id_ed25519
           chmod 600 ~/.ssh/id_ed25519
-          
-          # Scan host key to prevent MITM prompts
-          ssh-keyscan -p ${{ secrets.REMOTE_PORT }} ${{ secrets.REMOTE_HOST }} >> ~/.ssh/known_hosts
 
-          # Sync files
-          # --delete ensures old files are removed from /var/www
+          # 3. Add host to known_hosts to prevent interactive prompt
+          ssh-keyscan -p "$REMOTE_PORT" "$REMOTE_HOST" >> ~/.ssh/known_hosts
+
+          # 4. Sync files to NixOS /var/www
+          # Note: the trailing slash on ./public/ means "contents of public"
           rsync -avz --delete \
-            -e "ssh -p ${{ secrets.REMOTE_PORT }}" \
+            -e "ssh -p $REMOTE_PORT" \
             ./public/ \
-            ${{ secrets.REMOTE_USER }}@${{ secrets.REMOTE_HOST }}:/var/www/
+            $REMOTE_USER@$REMOTE_HOST:/var/www/