diff --git a/.envrc b/.envrc
index 3560150..ea2979f 100644
--- a/.envrc
+++ b/.envrc
@@ -1,4 +1,6 @@
+use rbenv
 PATH_add bin
+PATH_add bundler-bin
 
 # export TF_VAR_do_token=$(pass jdormit-infra-do-token)
 # export DIGITALOCEAN_API_TOKEN=$(pass jdormit-infra-do-token)
diff --git a/.gitignore b/.gitignore
index e27a650..5f4a015 100644
--- a/.gitignore
+++ b/.gitignore
@@ -2,4 +2,6 @@
 /backend-config.tf
 */**/.terraform
 *.tfstate*
-*/**/tmp/
\ No newline at end of file
+*/**/tmp/
+.bundle
+bundler-bin/*
diff --git a/.ruby-version b/.ruby-version
new file mode 100644
index 0000000..15a2799
--- /dev/null
+++ b/.ruby-version
@@ -0,0 +1 @@
+3.3.0
diff --git a/Gemfile b/Gemfile
new file mode 100644
index 0000000..3cf9329
--- /dev/null
+++ b/Gemfile
@@ -0,0 +1,9 @@
+# frozen_string_literal: true
+
+source "https://rubygems.org"
+
+git_source(:github) {|repo_name| "https://github.com/#{repo_name}" }
+
+gem "rake"
+
+gem "erb", "~> 4.0"
diff --git a/Gemfile.lock b/Gemfile.lock
new file mode 100644
index 0000000..873a450
--- /dev/null
+++ b/Gemfile.lock
@@ -0,0 +1,18 @@
+GEM
+  remote: https://rubygems.org/
+  specs:
+    cgi (0.4.1)
+    erb (4.0.4)
+      cgi (>= 0.3.3)
+    rake (13.1.0)
+
+PLATFORMS
+  ruby
+  x86_64-darwin-23
+
+DEPENDENCIES
+  erb (~> 4.0)
+  rake
+
+BUNDLED WITH
+   2.5.6
diff --git a/prod/gitea/packer/Makefile b/prod/gitea/packer/Makefile
deleted file mode 100644
index a98c3c4..0000000
--- a/prod/gitea/packer/Makefile
+++ /dev/null
@@ -1,28 +0,0 @@
-.PHONY: reissue-certs
-
-packer-manifest.json: gitea.json \
-                      scripts/dependencies.sh \
-                      scripts/volume.sh \
-                      files/gitea.service \
-                      files/app.ini \
-                      files/certbot-renew.service \
-                      files/certbot-renew.timer \
-                      scripts/gitea.sh \
-                      files/gitea-nginx.conf \
-                      scripts/nginx.sh \
-		      tmp/do.ini
-	packer build gitea.json
-
-files/app.ini: templates/app.ini.template
-	sigil -p -f templates/app.ini.template > files/app.ini
-
-tmp/do.ini: templates/do.ini.template tmp
-	sigil -p -f templates/do.ini.template > tmp/do.ini
-	chmod 600 tmp/do.ini
-
-tmp:
-	mkdir tmp
-
-reissue-certs:
-	rm -rf certbot
-	make
diff --git a/prod/gitea/packer/Rakefile b/prod/gitea/packer/Rakefile
new file mode 100644
index 0000000..af6fe46
--- /dev/null
+++ b/prod/gitea/packer/Rakefile
@@ -0,0 +1,36 @@
+require "erb"
+
+task :default => ["packer-manifest.json"]
+
+file "packer-manifest.json" => [
+       "gitea.json",
+       "scripts/dependencies.sh",
+       "scripts/volume.sh",
+       "files/gitea.service",
+       "files/app.ini",
+       "files/certbot-renew.service",
+       "files/certbot-renew.timer",
+       "scripts/gitea.sh",
+       "files/gitea-nginx.conf",
+       "scripts/nginx.sh",
+       "tmp/do.ini"
+     ] do |t|
+  sh "packer build gitea.json"
+end
+
+file "files/app.ini" => ["templates/app.ini.template"] do |t|
+  template = ERB.new(File.read(t.source))
+  File.write(t.name, template.result)
+end
+
+file "tmp/do.ini" => ["templates/do.ini.template", "tmp"] do |t|
+  template = ERB.new(File.read(t.source))
+  File.write(t.name, template.result)
+  chmod 0600, "tmp/do.ini"
+end
+
+directory "tmp"
+
+def env(var)
+  ENV[var] || raise("Variable #{var} not found")
+end
diff --git a/prod/gitea/packer/templates/app.ini.template b/prod/gitea/packer/templates/app.ini.template
index fa3001f..a468dba 100644
--- a/prod/gitea/packer/templates/app.ini.template
+++ b/prod/gitea/packer/templates/app.ini.template
@@ -3,12 +3,12 @@ RUN_USER = git
 RUN_MODE = prod
 
 [oauth2]
-JWT_SECRET = ${GITEA_JWT_SECRET:?}
+JWT_SECRET = <%= env('GITEA_JWT_SECRET') %>
 
 [security]
 INSTALL_LOCK   = true
-INTERNAL_TOKEN = ${GITEA_INTERNAL_TOKEN:?}
-SECRET_KEY     = ${GITEA_SECRET_KEY:?}
+INTERNAL_TOKEN = <%= env('GITEA_INTERNAL_TOKEN') %>
+SECRET_KEY     = <%= env('GITEA_SECRET_KEY') %>
 
 [database]
 DB_TYPE  = sqlite3
@@ -35,7 +35,7 @@ DISABLE_SSH      = false
 SSH_PORT         = 22
 LFS_START_SERVER = true
 LFS_CONTENT_PATH = /mnt/gitea/lfs
-LFS_JWT_SECRET   = ${GITEA_LFS_JWT_SECRET:?}
+LFS_JWT_SECRET   = <%= env('GITEA_LFS_JWT_SECRET') %>
 OFFLINE_MODE     = false
 
 [mailer]
@@ -43,7 +43,7 @@ ENABLED = true
 HOST    = smtp.mailgun.org:587
 FROM    = Jeremy Dormitzer's Git Forge <noreply@git.jeremydormitzer.com>
 USER    = noreply@mg.git.jeremydormitzer.com
-PASSWD  = ${GITEA_MAILGUN_PASSWORD:?}
+PASSWD  = <%= env('GITEA_MAILGUN_PASSWORD') %>
 
 [service]
 REGISTER_EMAIL_CONFIRM            = true
@@ -74,4 +74,4 @@ LEVEL                = info
 ROOT_PATH            = /mnt/gitea/log
 REDIRECT_MACARON_LOG = true
 MACARON              = console
-ROUTER               = console
\ No newline at end of file
+ROUTER               = console
diff --git a/prod/gitea/packer/templates/do.ini.template b/prod/gitea/packer/templates/do.ini.template
index 7c6ec3f..8383a41 100644
--- a/prod/gitea/packer/templates/do.ini.template
+++ b/prod/gitea/packer/templates/do.ini.template
@@ -1 +1 @@
-dns_digitalocean_token = ${DIGITALOCEAN_API_TOKEN:?}
\ No newline at end of file
+dns_digitalocean_token = <%= env('DIGITALOCEAN_API_TOKEN') %>