diff --git a/.gitea/workflows/sync-public.yml b/.gitea/workflows/sync-public.yml
index 42791a4..1a8081e 100644
--- a/.gitea/workflows/sync-public.yml
+++ b/.gitea/workflows/sync-public.yml
@@ -1,49 +1,49 @@ -name: Sync public mirror -on: - push: - branches: [ main ] - -jobs: - sync: - runs-on: ubuntu-latest - steps: - - name: Install tools (rsync) - run: | - sudo apt-get update && sudo apt-get install -y rsync - - - name: Checkout private repo - uses: actions/checkout@v4 - with: - fetch-depth: 0 - - - name: Prepare SSH - env: - SSH_KEY: ${{ secrets.PUBLIC_REPO_SSH_KEY }} + - name: Sync files using .gitea/workflows/oss-keep.txt run: | set -euo pipefail - mkdir -p ~/.ssh - echo "$SSH_KEY" > ~/.ssh/id_sync - chmod 600 ~/.ssh/id_sync - printf 'Host 192.168.1.15\n HostName 192.168.1.15\n Port 22\n User git\n IdentityFile ~/.ssh/id_sync\n IdentitiesOnly yes\n' >> ~/.ssh/config - ssh-keyscan -p 22 192.168.1.15 >> ~/.ssh/known_hosts - - name: Clone public repo - run: | - git clone --depth 1 ssh://git@192.168.1.15:22/Bausager/Flux-oss.git /tmp/public + KEEP_FILE=".gitea/workflows/oss-keep.txt" + INCLUDE_FILE="$(pwd)/.oss-include.rsync" - - name: Sync files (snapshot, safe) - run: | - rsync -a --delete \ - --exclude '.git' \ - --exclude '.gitea' \ + echo "Generating rsync include list from $KEEP_FILE" + : > "$INCLUDE_FILE" + echo "## Generated from $KEEP_FILE" >> "$INCLUDE_FILE" + echo "+ */" >> "$INCLUDE_FILE" # allow directory traversal + + while IFS= read -r line; do + line="${line%%#*}" # strip comments + line="$(echo "$line" | xargs || true)" + [ -z "$line" ] && continue + case "$line" in + !*) + pat="${line#!}" + echo "- $pat" >> "$INCLUDE_FILE" + ;; + *) + echo "+ $line" >> "$INCLUDE_FILE" + ;; + esac + done < "$KEEP_FILE" + + echo "- *" >> "$INCLUDE_FILE" # exclude everything else + + echo "Rsync include rules:" + cat "$INCLUDE_FILE" + + # Sync only allowed files to the public repo + rsync -a --delete --prune-empty-dirs \ + --include-from="$INCLUDE_FILE" \ ./ /tmp/public/ + cd /tmp/public git config user.name "Gitea CI" git config user.email "ci@bausager.org" - if ! 
git diff --quiet; then - git add -A - git commit -m "Sync from Flux (private)" - git push origin HEAD:main + + git add -A + if git diff --cached --quiet; then + echo "No public-eligible changes to push." else - echo "No changes to push." + echo "Pushing filtered subset to Flux-oss..." + git commit -m "Sync public subset from Flux (private)" + git push origin HEAD:main fi
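Review bot: The rsync call at the end of the "Sync files" step can no longer unpublish anything: without `--delete-excluded`, every destination file that falls under the final `- *` rule is protected from `--delete`, so a path dropped from `oss-keep.txt` stays in `/tmp/public` and in the public repo. Clearing the checkout before the rsync, e.g. `find /tmp/public -mindepth 1 -maxdepth 1 ! -name .git -exec rm -rf {} +`, lets `git add -A` record those removals. The explicit `--exclude '.git'` and `--exclude '.gitea'` were also dropped, so an unanchored keep pattern (say `*.yml`) would now match files under `.gitea/` or the private `.git/`; writing `echo "- /.git/" >> "$INCLUDE_FILE"` and `echo "- /.gitea/" >> "$INCLUDE_FILE"` ahead of the `+ */` rule restores that guard. The step that clones `/tmp/public` is not visible on the new side of this hunk, so this assumes it still runs earlier in the job.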