diff --git a/.gitea/workflows/deploy.yml b/.gitea/workflows/deploy.yml
index c33e3ab..6af85f9 100644
--- a/.gitea/workflows/deploy.yml
+++ b/.gitea/workflows/deploy.yml
@@ -78,27 +78,74 @@ jobs: runs-on: ubuntu-latest steps: - uses: actions/checkout@v4 - - name: Deploy via SSH - uses: appleboy/ssh-action@v1 - with: - host: ${{ vars.DEPLOY_HOST }} - port: ${{ vars.SSH_PORT }} - username: ${{ vars.DEPLOY_USER }} - key: ${{ secrets.SSH_PRIVATE_KEY }} - known_hosts: ${{ vars.SSH_KNOWN_HOSTS }} - script: | - cd ${{ vars.DEPLOY_PATH }} - git pull origin main + - name: Deploy to server + env: + DEPLOY_HOST: ${{ vars.DEPLOY_HOST }} + DEPLOY_USER: ${{ vars.DEPLOY_USER }} + DEPLOY_PATH: ${{ vars.DEPLOY_PATH }} + SSH_PRIVATE_KEY: ${{ secrets.SSH_PRIVATE_KEY }} + SSH_KNOWN_HOSTS: ${{ vars.SSH_KNOWN_HOSTS }} + SSH_PORT: ${{ vars.SSH_PORT || '22' }} + run: | + # Install tools missing from runner image + sudo apt-get update -qq && sudo apt-get install -y -qq rsync openssh-client > /dev/null 2>&1 || true + + # Write SSH credentials + mkdir -p ~/.ssh + echo "$SSH_PRIVATE_KEY" > ~/.ssh/deploy_key + chmod 600 ~/.ssh/deploy_key + echo "$SSH_KNOWN_HOSTS" >> ~/.ssh/known_hosts + + SSH_OPTS="-i ~/.ssh/deploy_key -o StrictHostKeyChecking=no -p $SSH_PORT" + + # Sync application files + rsync -avz --delete \ + --exclude '.git/' \ + --exclude '.gitea/' \ + --exclude '.env' \ + --exclude '.venv/' \ + --exclude '__pycache__/' \ + --exclude '.pytest_cache/' \ + --exclude 'logs/' \ + --exclude '*.pyc' \ + --exclude 'frontend/node_modules/' \ + --exclude 'frontend/dist/' \ + -e "ssh $SSH_OPTS" \ + ./ ${DEPLOY_USER}@${DEPLOY_HOST}:${DEPLOY_PATH}/ + + # Install deps & restart on server + ssh $SSH_OPTS ${DEPLOY_USER}@${DEPLOY_HOST} << REMOTE_SCRIPT + set -e + cd ${DEPLOY_PATH} + + # Create venv if not exists + if [ ! -d ".venv" ]; then + python3 -m venv .venv + fi + source .venv/bin/activate - pip install -e . + pip install --quiet --upgrade pip + pip install --quiet -e . 
+ + # Setup DB and run migrations if [ "${{ inputs.run_setup_db }}" = "true" ] || [ "${{ github.event.inputs.run_setup_db }}" = "true" ]; then chmod +x deploy/setup_db.sh ./deploy/setup_db.sh else alembic upgrade head fi + + # Build frontend cd frontend npm ci npm run build cd .. + + # Restart service sudo systemctl restart stock-data-backend + echo "✓ stock-data-backend deployed" + + REMOTE_SCRIPT + + # Cleanup + rm -f ~/.ssh/deploy_key
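Review bot: `-o StrictHostKeyChecking=no` in `SSH_OPTS` turns off host-key verification for both the rsync transport and the remote `ssh` session, so the `SSH_KNOWN_HOSTS` value appended to `~/.ssh/known_hosts` just above is never enforced and the deploy key is offered to whichever host answers at `DEPLOY_HOST`. The removed `appleboy/ssh-action` step was given `known_hosts`, so this looks like a loss of pinning; `SSH_OPTS="-i ~/.ssh/deploy_key -o StrictHostKeyChecking=yes -p $SSH_PORT"` would restore it. The private key is removed only by the final `rm -f`, so if rsync or the remote script fails and the step aborts, the key presumably stays on the runner; `trap 'rm -f ~/.ssh/deploy_key' EXIT` right after the key is written covers that, and setting a restrictive umask before the write closes the gap before `chmod 600`. `rsync --delete` also targets an unquoted `${DEPLOY_PATH}/`, so an empty or unset variable would point the sync at the remote root; a guard that fails the step when `DEPLOY_PATH` is empty is worth adding before the rsync. The job definition begins above this hunk, so other steps or job-level settings were not reviewed.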