diff --git a/.gitea/workflows/dotnet-deploy.yml b/.gitea/workflows/dotnet-deploy.yml
index 0aee3b4..9214d11 100644
--- a/.gitea/workflows/dotnet-deploy.yml
+++ b/.gitea/workflows/dotnet-deploy.yml
@@ -83,6 +83,27 @@ jobs:
         run: |
           scp -i ~/.ssh/id_deploy -P "${SSH_PORT:-22}" -r "${{ env.PUBLISH_DIR }}/"* "${SSH_USER}@${SSH_HOST}:${REMOTE_DIR}/"
 
+
+        - name: Debug remote env & sudo rights
+          env:
+            SSH_USER: ${{ secrets.SSH_USER }}
+            SSH_HOST: ${{ secrets.SSH_HOST }}
+            SSH_PORT: ${{ secrets.SSH_PORT }}
+          run: |
+            set -euxo pipefail
+            ssh -tt -i ~/.ssh/id_deploy -p "${SSH_PORT:-22}" "${SSH_USER}@${SSH_HOST}" "
+              set -euxo pipefail
+              echo '== whoami/host =='
+              whoami; hostname
+              echo '== paths =='
+              command -v sudo || true
+              command -v systemctl || true
+              echo '== sudo -l (effektive Rechte) =='
+              /usr/bin/sudo -n -l || true
+              echo '== try daemon-reload (should be NOPASSWD) =='
+              /usr/bin/sudo -n /usr/bin/systemctl daemon-reload && echo OK || echo FAIL
+            "
+
       # -------- Option A: Neustart per systemd (empfohlen) --------
       # Benötigt: secrets.SERVICE_NAME (z. B. "myapp.service")
       - name: Restart service (systemd)