diff --git a/.gitea/workflows/actions.yaml b/.gitea/workflows/actions.yaml
index 2bb9a09..6793f8b 100644
--- a/.gitea/workflows/actions.yaml
+++ b/.gitea/workflows/actions.yaml
@@ -57,10 +57,7 @@ jobs:
           apt-get install -y \
             genisoimage
 
-          sed 's|__ROOT_HASHED_PASSWORD__|${{ secrets.ROOT_HASHED_PASSWORD }}|g' \
-            cloud-init/user-data.template > cloud-init/user-data
-          sed 's|__PUBLIC_SSHKEY__|${{ secrets.PUBLIC_SSHKEY }}|g' \
-            cloud-init/user-data.template > cloud-init/user-data
+          envsubst < cloud-init/user-data.template > cloud-init/user-data
 
           genisoimage \
             -output seed.iso \
@@ -68,6 +65,9 @@ jobs:
             -joliet \
             -rock \
             cloud-init/meta-data cloud-init/user-data
+        env:
+          ROOT_HASHED_PASSWORD: ${{ secrets.ROOT_HASHED_PASSWORD }}
+          PUBLIC_SSHKEY: ${{ secrets.PUBLIC_SSHKEY }}
 
   # semrel:
   #   name: Semantic Release
diff --git a/cloud-init/user-data.template b/cloud-init/user-data.template
index 6959f1f..798202d 100644
--- a/cloud-init/user-data.template
+++ b/cloud-init/user-data.template
@@ -18,11 +18,10 @@ runcmd:
 disable_root: false
 users:
   - name: root
-    hashed_passwd: __ROOT_HASHED_PASSWORD__
+    hashed_passwd: ${ROOT_HASHED_PASSWORD}
     lock_passwd: false
     shell: /bin/bash
     ssh_authorized_keys:
-      - __PUBLIC_SSHKEY__
+      - ${PUBLIC_SSHKEY}
 ssh_authorized_keys:
-  - >
-    __PUBLIC_SSHKEY__
+  - ${PUBLIC_SSHKEY}