diff --git a/.forgejo/workflows/CD.yml b/.forgejo/workflows/CD.yml
index ee14eddd..ab1cf5e5 100644
--- a/.forgejo/workflows/CD.yml
+++ b/.forgejo/workflows/CD.yml
@@ -156,5 +156,5 @@ jobs:
           ANSIBLE_CONFIG: ansible/ansible.cfg
         run: |
           ansible-playbook -i ansible/hosts.ini ./ansible/playbooks/deploy-docker.yml \
-            --extra-vars "target_host=${{ env.target_host }} folder=${{ env.folder }}"
+            --extra-vars "target_host=${{ env.target_host }} folder=${{ env.folder }} bw_access_token=${{ secrets.BW_ACCESS_TOKEN }}"
 
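Review bot: The added `bw_access_token=${{ secrets.BW_ACCESS_TOKEN }}` puts the Bitwarden access token on the `ansible-playbook` command line, where it is visible in the runner's process list and is expanded into the script text before the shell parses it. Passing it through the step's `env:` map as `BW_ACCESS_TOKEN: ${{ secrets.BW_ACCESS_TOKEN }}` and reading it in the playbook with `lookup('ansible.builtin.env', 'BW_ACCESS_TOKEN')` keeps it out of argv. It also avoids the `key=value` extra-vars parser, which would split a value containing whitespace. The step starts above the hunk, so I am assuming the `ANSIBLE_CONFIG` line sits in an existing `env:` block that the new entry can join.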
diff --git a/ansible/playbooks/deploy-docker.yml b/ansible/playbooks/deploy-docker.yml
index a9e843a0..3aa74c1b 100644
--- a/ansible/playbooks/deploy-docker.yml
+++ b/ansible/playbooks/deploy-docker.yml
@@ -14,12 +14,14 @@
       ansible.builtin.set_fact:
         secret_mapping: "{{ secret_mapping_content['content'] | b64decode | from_yaml }}"
 
-    - name: Generate .env content
-      vars:
-        env_variables: "{{ secret_mapping[target_host]['env_variables'] | default({}) }}"
-      ansible.builtin.template:
-        src: env_template.j2
+    - name: Write .env file to target host
+      ansible.builtin.copy:
         dest: "{{ repo_path }}/.env"
+        content: |
+          {% for key, secret_id in env_variables.items() %}
+          {{ key }}={{ lookup('community.general.bws', secret_id, base_url='https://vault.bitwarden.com', access_token=bw_access_token) }}
+          {% endfor %}
+
 
     - name: Verify .env file content
       ansible.builtin.shell: cat "{{ repo_path }}/.env"
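Review bot: The new `Write .env file to target host` task writes resolved vault secrets with neither `mode:` nor `no_log:`, so the file gets default permissions and the rendered content can show up in diff or verbose output; add `mode: "0600"` and `no_log: true`. The unchanged `Verify .env file content` task then runs `cat` on that file, which would put every secret into the job log unless it also gets `no_log: true` or is replaced by an `ansible.builtin.stat` check; that task may continue past the end of the hunk. The loop reads `env_variables`, but the `vars:` entry that defined it was removed with the old task, so the task will fail on an undefined variable unless it is set somewhere outside this hunk. The lookup name should also be confirmed: the Secrets Manager lookup I know of in community.general is `community.general.bitwarden_secrets_manager`, so `community.general.bws` and its option names need checking against the installed collection.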