diff --git a/.forgejo/workflows/deploy.yaml b/.forgejo/workflows/deploy.yaml
index 2f69379..5d3a053 100644
--- a/.forgejo/workflows/deploy.yaml
+++ b/.forgejo/workflows/deploy.yaml
@@ -31,10 +31,15 @@ jobs:
       - name: Render site
         run: ./build.sh
 
+      - name: Setup SSH
+        run: |
+          mkdir -p -m0700 .ssh
+          echo "${{ secrets.KNOWN_HOSTS }}" | base64 -d > .ssh/known_hosts
+          chmod 644 .ssh/known_hosts
+
       - name: Setup SSH key
         if: forgejo.ref_name == 'staging'
         run: |
-          mkdir -p .ssh
           echo "${{ secrets.SSH_PRIVATE_KEY_STAGING }}" | base64 -d > .ssh/id_ed25519
           chmod 600 .ssh/id_ed25519
           ssh-keygen -f .ssh/id_ed25519 -y > .ssh/id_ed25519.pub
@@ -43,7 +48,6 @@ jobs:
       - name: Setup SSH key
         if: forgejo.ref_name == 'production'
         run: |
-          mkdir -p .ssh
           echo "${{ secrets.SSH_PRIVATE_KEY_PRODUCTION }}" | base64 -d > .ssh/id_ed25519
           chmod 600 .ssh/id_ed25519
           ssh-keygen -f .ssh/id_ed25519 -y > .ssh/id_ed25519.pub
@@ -51,11 +55,11 @@ jobs:
 
       - name: Sync rendered site to staging
         if: forgejo.ref_name == 'staging'
-        run: rsync -var -e 'ssh -i .ssh/id_ed25519' ./public/ deploy@www.berlin.ccc.de:srv/http/www-staging/
+        run: rsync -var -e 'ssh -i .ssh/id_ed25519 -O "HostKeyAlgorithms=ssh-ed25519"' ./public/ deploy@www.berlin.ccc.de:srv/http/www-staging/
         continue-on-error: true
       - name: Sync rendered site to production
         if: forgejo.ref_name == 'production'
-        run: rsync -var -e 'ssh -i .ssh/id_ed25519' ./public/ deploy@www.berlin.ccc.de:srv/http/www/
+        run: rsync -var -e 'ssh -i .ssh/id_ed25519 -O "HostKeyAlgorithms=ssh-ed25519"' ./public/ deploy@www.berlin.ccc.de:srv/http/www/
         continue-on-error: true
 
       - name: Cleanup