diff --git a/.woodpecker.yml b/.woodpecker.yml
index d7fd24e..9fd0ae8 100644
--- a/.woodpecker.yml
+++ b/.woodpecker.yml
@@ -3,13 +3,12 @@ steps:
     image: python:3-bookworm
     commands:
       - apt-get update
-      - apt-get install -y ca-certificates curl gnupg tar wget libssl-dev python3-pip cython3 pipx apt-transport-https coreutils iputils-ping openssh-client libvirt-clients
-      - echo ${TEST_NODE_SSH_KEY} > /tmp/ssh-key && chmod 600 /tmp/ssh-key
-      - cat /tmp/ssh-key
+      - apt-get install -y ca-certificates curl gnupg tar wget libssl-dev python3-pip cython3 pipx apt-transport-https coreutils iputils-ping openssh-client libvirt-clients genisoimage
+      - make ci.init
+      - cat /tmp/ci-ssh-id
       -  eval "$(ssh-agent -s)"
-      - ssh-add /tmp/ssh-key
-      - ssh mcaptcha-ci@192.168.0.102 "echo f"
-      - virsh -c qemu+ssh://mcaptcha-ci@192.168.0.102/system?sshauth=privkey&no_verify=1 list
+      - ssh-add /tmp/ci-ssh-id
+      - ssh -o StrictHostKeyChecking=accept-new mcaptcha-ci@192.168.0.102 "echo f"
       - install -m 0755 -d /etc/apt/keyrings
       - curl -fsSL https://packages.opentofu.org/opentofu/tofu/gpgkey | gpg --no-tty --batch --dearmor -o /etc/apt/keyrings/opentofu.gpg
       - chmod a+r /etc/apt/keyrings/opentofu.gpg
@@ -19,7 +18,7 @@ steps:
       - apt-get install -y tofu
       - tofu -chdir=terraform/mcaptcha/ init
       - tofu -chdir=terraform/mcaptcha/ plan -var-file="ci.tfvars" -out="mcaptcha"
-      - tofu -chdir=terraform/mcaptcha/ apply mcaptcha -var-file="ci.tfvars"
+      - tofu -chdir=terraform/mcaptcha/ apply "mcaptcha"
       - cd ../../
       - pipx install --include-deps ansible
       - pipx ensurepath && echo $SHELL
@@ -28,7 +27,7 @@ steps:
       - pipx install --include-deps pytest-testinfra
       - cd tests/cache/ && py.test --verbose base.py
       - cd tests/mcaptcha/ && py.test --verbose base.py
-      - echo yes | tofu -chdir=terraform/mcaptcha/ destroy  \
+      - echo yes | tofu  destroy  \
         -var-file="ci.tfvars"
-      - shred /tmp/ssh-key && rm /tmp/ssh-key
+      - make ci.clean
     secrets: [TEST_NODE_SSH_KEY]
diff --git a/Makefile b/Makefile
index 601d16e..a4f7aee 100644
--- a/Makefile
+++ b/Makefile
@@ -134,5 +134,11 @@ test.cache: ## Test cache configuration
 test.mcaptcha: ## Test mcaptcha configuration
 	$(call test_mcaptcha)
 
+ci.init:
+	./scripts/ci.sh --init "$$TEST_NODE_SSH_KEY"
+
+ci.clean:
+	./scripts/ci.sh --clean
+
 help: ## Prints help for targets with comments
 	@cat $(MAKEFILE_LIST) | grep -E '^[a-zA-Z_-].+:.*?## .*$$' | awk 'BEGIN {FS = ":.*?## "}; {printf "\033[36m%-30s\033[0m %s\n", $$1, $$2}'
diff --git a/scripts/ci.sh b/scripts/ci.sh
new file mode 100755
index 0000000..c062c73
--- /dev/null
+++ b/scripts/ci.sh
@@ -0,0 +1,84 @@
+#!/bin/bash
+# ci.sh: Helper script to automate deployment operations on CI/CD
+# Copyright © 2022 Aravinth Manivannan <realaravinth@batsense.net>
+# 
+# This program is free software: you can redistribute it and/or modify
+# it under the terms of the GNU Affero General Public License as
+# published by the Free Software Foundation, either version 3 of the
+# License, or (at your option) any later version.
+# 
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU Affero General Public License for more details.
+# 
+# You should have received a copy of the GNU Affero General Public License
+# along with this program.  If not, see <http://www.gnu.org/licenses/>.
+
+set -xEeuo  pipefail
+#source $(pwd)/scripts/lib.sh
+
+readonly SSH_ID_FILE=/tmp/ci-ssh-id
+
+match_arg() {
+    if [ $1 == $2 ] || [ $1 == $3 ]
+    then
+        return 0
+    else
+        return 1
+    fi
+}
+
+help() {
+	cat << EOF
+USAGE: ci.sh [SUBCOMMAND]
+Helper script to automate deployment operations on CI/CD
+
+Subcommands
+
+  -c  --clean	cleanup secrets, SSH key and other runtime data
+  -i  --init <SSH_PRIVATE_KEY>	initialize environment, write SSH private to file
+  -h  --help	print this help menu
+EOF
+}
+
+# $1: SSH private key
+write_ssh(){
+	truncate --size 0 $SSH_ID_FILE
+	echo "$1" > $SSH_ID_FILE
+	chmod 600 $SSH_ID_FILE
+}
+
+
+clean() {
+	if [ -f $SSH_ID_FILE ]
+	then
+		shred $SSH_ID_FILE
+		rm $SSH_ID_FILE
+	fi
+}
+
+if (( "$#" < 1 ))
+then
+	help
+	exit -1
+fi
+
+
+if match_arg $1 '-i' '--init'
+then
+	if (( "$#" < 2 ))
+	then
+		help
+		exit -1
+	fi
+	write_ssh "$2"
+elif match_arg $1 '-c' '--clean'
+then
+	clean
+elif match_arg $1 '-h' '--help'
+then
+	help
+else
+	help
+fi
diff --git a/terraform/mcaptcha/ci.tfvars b/terraform/mcaptcha/ci.tfvars
index 3205632..dab49ce 100644
--- a/terraform/mcaptcha/ci.tfvars
+++ b/terraform/mcaptcha/ci.tfvars
@@ -1,4 +1,4 @@
-libvirt_uri = "qemu+ssh://mcaptcha-ci@192.168.0.102/system?keyfile=/tmp/ssh-key&sshauth=privkey&no_verify=1"
+libvirt_uri = "qemu+ssh://mcaptcha-ci@192.168.0.102/system?keyfile=/tmp/ci-ssh-id&sshauth=privkey&no_verify=1"
 #known_hosts_verify=ignore&keyfile=/tmp/ssh-key&sshauth=privkey&no_verify=1"
 libvirt_pool_path = "/srv/libvirt/pool/mcaptcha_basic/"
 libvirt_debian_src = "https://images.ci.mcaptcha.org/debian-12-generic-amd64.qcow2"