diff --git a/gitea/gitea.yaml b/gitea/gitea.yaml
index 651bdf5..db3221e 100644
--- a/gitea/gitea.yaml
+++ b/gitea/gitea.yaml
@@ -115,42 +115,65 @@ metadata: data: startup.sh: | #!/bin/sh - echo "startup..." - if test ! -f "/data/startup.ran"; then - echo "waiting 60s for startup..." - sleep 60s - echo "writing pw to files" - echo $SHODAN_PW > /data/shodan.pw - echo $ARGOCD_PW > /data/argocd.pw - echo $GITEA_PW > /data/gitea.pw - echo "creating users..." - echo $ARGOCD_PW - su git -c 'echo $ARGOCD_PW' - su git -c 'SHODAN_PW=`cat /data/shodan.pw` && gitea admin user create --username shodan --admin --password $SHODAN_PW --email thrawn235@gmail.com' - su git -c 'ARGOCD_PW=`cat /data/argocd.pw` && gitea admin user create --username argocd --password $ARGOCD_PW --email argocd@undercloud.local --must-change-password=false' - su git -c 'GITEA_PW=`cat /data/gitea.pw` && gitea admin auth add-ldap --name ldap --security-protocol StartTLS --host ldap.undercloud.local. --port 389 --user-search-base "ou=users,dc=undercloud,dc=cf" --user-filter "(&(objectClass=person)(uid=%s))" --admin-filter "(&(memberOf=cn=gitea-admins,ou=groups,dc=undercloud,dc=cf))" --email-attribute mail --avatar-attribute jpegPhoto --synchronize-users --skip-tls-verify --username-attribute uid --bind-dn "cn=gitea,ou=serviceaccounts,ou=users,dc=undercloud,dc=cf" --bind-password $GITEA_PW --attributes-in-bind --firstname-attribute cn --surname-attribute sn' + set -eu + + echo "startup..." + if [ ! -f /data/startup.ran ]; then + echo "waiting for gitea API..." + for i in $(seq 1 60); do + if curl -sSf http://localhost:3000/api/v1/version >/dev/null 2>&1; then + break + fi + sleep 2 + done + + echo "writing pw to files" + printf '%s' "${SHODAN_PW:-}" > /data/shodan.pw + printf '%s' "${ARGOCD_PW:-}" > /data/argocd.pw + printf '%s' "${GITEA_PW:-}" > /data/gitea.pw + + echo "creating users..." 
+ su git -c 'SHODAN_PW=$(cat /data/shodan.pw); gitea admin user create --username shodan --admin --password "$SHODAN_PW" --email thrawn235@gmail.com || true' + su git -c 'ARGOCD_PW=$(cat /data/argocd.pw); gitea admin user create --username argocd --password "$ARGOCD_PW" --email argocd@undercloud.local --must-change-password=false || true' + su git -c 'GITEA_PW=$(cat /data/gitea.pw); gitea admin auth add-ldap --name ldap --security-protocol StartTLS --host ldap.undercloud.local. --port 389 --user-search-base "ou=users,dc=undercloud,dc=cf" --user-filter "(&(objectClass=person)(uid=%s))" --admin-filter "(&(memberOf=cn=gitea-admins,ou=groups,dc=undercloud,dc=cf))" --email-attribute mail --avatar-attribute jpegPhoto --synchronize-users --skip-tls-verify --username-attribute uid --bind-dn "cn=gitea,ou=serviceaccounts,ou=users,dc=undercloud,dc=cf" --bind-password "$GITEA_PW" --attributes-in-bind --firstname-attribute cn --surname-attribute sn || true' - sleep 30s - echo "wget tea..." - wget https://git.undercloud.local:3000/Undercloud/undercloud-infrastructure/raw/branch/main/k8s-binaries/tea - echo "wget ctea..." - wget https://git.undercloud.local:3000/Undercloud/undercloud-infrastructure/raw/branch/main/k8s-binaries/ctea - chmod +x tea - chmod +x ctea - #echo "using tea to create login..." 
- #./tea login add --url http://localhost:3000 -i --user shodan --password $SHODAN_PW - #./tea login default localhost:3000 - echo "creating undercloud organisation" - sleep 30s - #./tea organization create undercloud - ./ctea --username shodan --password $SHODAN_PW --url http://localhost:3000 CreateOrg undercloud - sleep 5s - echo "creating undercloud team" - ./ctea --username shodan --password $SHODAN_PW --url http://localhost:3000 CreateTeam undercloud undercloud sleep 5s + + API="http://localhost:3000/api/v1" + AUTH_USER="shodan" + AUTH_PASS="$(cat /data/shodan.pw)" + AUTH="-u ${AUTH_USER}:${AUTH_PASS}" + + echo "create organization undercloud" + curl -sS $AUTH -H 'Content-Type: application/json' \ + -X POST "$API/orgs" \ + -d '{"username":"undercloud","full_name":"undercloud"}' || true + + echo "create team undercloud" + curl -sS $AUTH -H 'Content-Type: application/json' \ + -X POST "$API/orgs/undercloud/teams" \ + -d '{"name":"undercloud","permission":"write","includes_all_repositories":false}' || true + + echo "fetch team id" + TEAM_ID="$(curl -sS $AUTH "$API/orgs/undercloud/teams" \ + | sed 's/},{/}\n{/g' | grep '"name":"undercloud"' \ + | sed -n 's/.*"id":\([0-9][0-9]*\).*/\1/p' | head -n1)" + if [ -z "${TEAM_ID:-}" ]; then + echo "failed to determine TEAM_ID"; exit 1 + fi + echo "TEAM_ID=$TEAM_ID" + echo "add argocd to undercloud team" - ./ctea --username shodan --password $SHODAN_PW --url http://localhost:3000 AddUserToTeam undercloud undercloud argocd - sleep 5s + curl -sS $AUTH -X PUT "$API/teams/$TEAM_ID/members/argocd" >/dev/null || true + + echo "ensure repo undercloud/k8aux-apps exists" + curl -sS $AUTH -H 'Content-Type: application/json' \ + -X POST "$API/orgs/undercloud/repos" \ + -d '{"name":"k8aux-apps","private":false,"auto_init":false}' || true + + echo "grant team access to repo" + curl -sS $AUTH -X PUT "$API/teams/$TEAM_ID/repos/undercloud/k8aux-apps" >/dev/null || true + echo "cloning k8aux-apps" execline-cd /data git clone 
http://git.undercloud.local:3000/undercloud/k8aux-apps.git execline-cd /data/k8aux-apps rm -Rf .git @@ -159,20 +182,27 @@ data: execline-cd /data/k8aux-apps git config --global user.name "shodan" execline-cd /data/k8aux-apps git add . execline-cd /data/k8aux-apps git commit -m "upload" + echo "push k8aux-apps to localhost" - execline-cd /data/k8aux-apps git push http://shodan:$SHODAN_PW@localhost:3000/undercloud/k8aux-apps.git --all - echo "delete local copy..." - #execline-cd /data rm -Rf k8aux-apps - echo "create PushMirror.." - ./ctea --username shodan --password $SHODAN_PW --url http://localhost:3000 AddPushMirror undercloud k8aux-apps "http://aux1.undercloud.cf.:3000/undercloud/k8aux-apps.git" shodan $SHODAN_PW 1h0m0s - ./ctea --username shodan --password $SHODAN_PW --url http://localhost:3000 AddPushMirror undercloud k8aux-apps "http://aux2.undercloud.cf.:3000/undercloud/k8aux-apps.git" shodan $SHODAN_PW 1h0m0s + execline-cd /data/k8aux-apps git push "http://shodan:${AUTH_PASS}@localhost:3000/undercloud/k8aux-apps.git" --all + + echo "create push mirrors" + for DST in \ + "http://git.undercloud.local:3000/undercloud/k8aux-apps.git" + do + curl -sS $AUTH -H 'Content-Type: application/json' \ + -X POST "$API/repos/undercloud/k8aux-apps/push_mirrors" \ + -d "{\"remote_address\":\"${DST}\",\"remote_username\":\"shodan\",\"remote_password\":\"${AUTH_PASS}\",\"interval\":\"1h0m0s\",\"sync_on_commit\":false}" \ + || true + done + echo "create startup.ran file..." touch /data/startup.ran else echo "startup ran already!" fi echo "startup done." - #exit 123 + --- apiVersion: v1 kind: PersistentVolumeClaim
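Review bot: In the first hunk (`@@ -115,42 +115,65 @@`), `AUTH="-u ${AUTH_USER}:${AUTH_PASS}"` is expanded unquoted as `$AUTH` on every curl call, so the admin password appears in the process list and is word-split or globbed if it contains whitespace or `*`. curl can read the credential from a file instead: write `user = "shodan:<password>"` to a file only the calling user can read and pass it with `-K <file>`, or use `--netrc-file`. The `/data/*.pw` files are still created with the default umask and never deleted; since the script appears to run as root and reads them via `su git`, `chown git` plus `chmod 600` and an `rm -f` after bootstrap would narrow that exposure. The `add-ldap` line keeps `--skip-tls-verify` next to StartTLS, so the bind password goes to a server whose certificate is never checked. The `if` block opened here closes in the next hunk.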
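Review bot: In the second hunk (`@@ -159,20 +182,27 @@`), the push-mirror request passes the `shodan` admin password as `remote_password` for an `http://` `remote_address`, so each sync would send an admin credential to `git.undercloud.local` without transport encryption. An `https://` address with a dedicated low-privilege mirror account or access token would limit what a captured credential can do. The JSON body and the `git push` URL are both built by interpolating `${AUTH_PASS}`, so a password containing `"`, `\`, `@` or `/` breaks or alters them; escape or percent-encode it, or supply it through a git credential helper. Every call ends in `|| true` and `touch /data/startup.ran` follows unconditionally, which records a failed bootstrap as done; dropping `|| true` on the calls that must succeed lets `set -eu` stop before the marker is written. The script and its `if` block begin in the previous hunk.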