docs: replace GitLab CI/CD section with Gitea pull-based deployment

Remove outdated SSH-push model referencing GitLab variables. Document
the actual pull-based flow: Gitea Actions → tag → supervisor polls.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

README.md

@@ -396,18 +396,19 @@ docker compose logs -f app  # tail logs
 
 ## CI/CD
 
-Go to GitLab → padelnomics → Settings → CI/CD → Variables and add:
+Pull-based deployment via Gitea Actions — no SSH keys or deploy credentials in CI.
 
-| Variable | Value | Notes |
-|----------|-------|-------|
-| SSH_PRIVATE_KEY | Your ed25519 private key | Mask it, type "Variable" |
-| DEPLOY_HOST | Your Hetzner server IP | e.g. 1.2.3.4 |
-| DEPLOY_USER | SSH username on the server | e.g. deploy or root |
-| SSH_KNOWN_HOSTS | Server host key | Run `ssh-keyscan $YOUR_SERVER_IP` |
+1. Push to master → Gitea Actions runs tests (`.gitea/workflows/ci.yaml`)
+2. On success, CI creates tag `v<run_number>` using the built-in `github.token`
+3. On-server supervisor polls for new tags every 60s and deploys automatically
 
-Server-side one-time setup:
-1. Add the matching public key to `~/.ssh/authorized_keys` for the deploy user
-2. Clone the repo to `/opt/padelnomics`
-3. Create `.env` from `padelnomics/.env.example` with production values
-4. `chmod +x deploy.sh && ./deploy.sh` for the first deploy
-5. Point reverse proxy to port 5000
+**Server-side one-time setup:**
+```bash
+bash infra/setup_server.sh    # creates padelnomics_service user, keys, dirs
+ssh root@<server> 'bash -s' < infra/bootstrap_supervisor.sh
+```
+
+1. `setup_server.sh` generates an ed25519 SSH deploy key — add the printed public key to Gitea:
+   `git.padelnomics.io → padelnomics → Settings → Deploy Keys → Add key (read-only)`
+2. Add the printed age public key to `.sops.yaml`, re-encrypt, commit + push
+3. Run `bootstrap_supervisor.sh` — clones from `git.padelnomics.io:2222`, decrypts secrets, starts systemd supervisor

infra/bootstrap_supervisor.sh

@@ -15,7 +15,7 @@ set -euo pipefail
 
 SERVICE_USER="padelnomics_service"
 REPO_DIR="/opt/padelnomics"
-GITLAB_PROJECT="deemanone/padelnomics"
+GITEA_REPO="ssh://git@git.padelnomics.io:2222/deemanone/padelnomics.git"
 UV="/home/${SERVICE_USER}/.local/bin/uv"
 
 [ "$(id -u)" = "0" ] || { echo "ERROR: Run as root"; exit 1; }
@@ -35,7 +35,7 @@ if [ -d "${REPO_DIR}/.git" ]; then
     sudo -u "${SERVICE_USER}" git -C "${REPO_DIR}" fetch --tags --prune-tags origin
 else
     sudo -u "${SERVICE_USER}" git clone \
-        "git@gitlab.com:${GITLAB_PROJECT}.git" "${REPO_DIR}"
+        "${GITEA_REPO}" "${REPO_DIR}"
 fi
 
 LATEST_TAG=$(sudo -u "${SERVICE_USER}" \

infra/setup_server.sh

@@ -75,7 +75,8 @@ fi
 
 if [ ! -f "${SSH_DIR}/config" ]; then
     cat > "${SSH_DIR}/config" <<EOF
-Host gitlab.com
+Host git.padelnomics.io
+    Port 2222
     IdentityFile ${DEPLOY_KEY}
     IdentitiesOnly yes
 EOF
@@ -83,7 +84,7 @@ EOF
     chmod 600 "${SSH_DIR}/config"
 fi
 
-ssh-keyscan -H gitlab.com >> "${SSH_DIR}/known_hosts" 2>/dev/null
+ssh-keyscan -H -p 2222 git.padelnomics.io >> "${SSH_DIR}/known_hosts" 2>/dev/null
 sort -u "${SSH_DIR}/known_hosts" -o "${SSH_DIR}/known_hosts"
 chown "${SERVICE_USER}:${SERVICE_USER}" "${SSH_DIR}/known_hosts"
 chmod 644 "${SSH_DIR}/known_hosts"