diff --git a/README.md b/README.md index b075596..e04ebd3 100644 --- a/README.md +++ b/README.md @@ -396,18 +396,19 @@ docker compose logs -f app # tail logs ## CI/CD -Go to GitLab → padelnomics → Settings → CI/CD → Variables and add: +Pull-based deployment via Gitea Actions — no SSH keys or deploy credentials in CI. -| Variable | Value | Notes | -|----------|-------|-------| -| SSH_PRIVATE_KEY | Your ed25519 private key | Mask it, type "Variable" | -| DEPLOY_HOST | Your Hetzner server IP | e.g. 1.2.3.4 | -| DEPLOY_USER | SSH username on the server | e.g. deploy or root | -| SSH_KNOWN_HOSTS | Server host key | Run `ssh-keyscan $YOUR_SERVER_IP` | +1. Push to master → Gitea Actions runs tests (`.gitea/workflows/ci.yaml`) +2. On success, CI creates tag `v` using the built-in `github.token` +3. On-server supervisor polls for new tags every 60s and deploys automatically -Server-side one-time setup: -1. Add the matching public key to `~/.ssh/authorized_keys` for the deploy user -2. Clone the repo to `/opt/padelnomics` -3. Create `.env` from `padelnomics/.env.example` with production values -4. `chmod +x deploy.sh && ./deploy.sh` for the first deploy -5. Point reverse proxy to port 5000 +**Server-side one-time setup:** +```bash +bash infra/setup_server.sh # creates padelnomics_service user, keys, dirs +ssh root@ 'bash -s' < infra/bootstrap_supervisor.sh +``` + +1. `setup_server.sh` generates an ed25519 SSH deploy key — add the printed public key to Gitea: + `git.padelnomics.io → padelnomics → Settings → Deploy Keys → Add key (read-only)` +2. Add the printed age public key to `.sops.yaml`, re-encrypt, commit + push +3. Run `bootstrap_supervisor.sh` — clones from `git.padelnomics.io:2222`, decrypts secrets, starts systemd supervisor
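Review bot: the new setup drops the host-key pinning step without replacing it. The old table told the operator to run `ssh-keyscan` and store the result in `SSH_KNOWN_HOSTS`; the new text has `bootstrap_supervisor.sh` clone from `git.padelnomics.io:2222` with the generated deploy key but never says how the Gitea server's SSH host key gets into the service user's `known_hosts`, so the first clone is either interactive or trusts whatever host answers. Suggest a step between 1 and 3 such as `ssh-keyscan -p 2222 git.padelnomics.io >> ~padelnomics_service/.ssh/known_hosts` (with the fingerprint checked against the one Gitea displays), or a note that `setup_server.sh` does this. Two smaller points on the same hunk: since the supervisor deploys whatever `v*` tag appears, the README should mention restricting tag creation to the CI token (Gitea protected tags), otherwise anyone with push access can trigger a production deploy; and the ordering is inconsistent, because the code block already runs `bootstrap_supervisor.sh` as the second command while the list makes it step 3 after the age key is committed, which it must be for the decrypt to succeed. The tag name in "CI creates tag `v`" and the host in `ssh root@` also look truncated and should be completed before merge.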