diff --git a/.ssh-agent-init b/.ssh-agent-init new file mode 100755 index 0000000..46725d6 --- /dev/null +++ b/.ssh-agent-init @@ -0,0 +1,46 @@ +#!/bin/bash +# SSH Agent initialization for ansible automation + +SSH_ENV="$HOME/.ssh/agent-env" +ANSIBLE_KEY="/opt/ansible/secrets/ssh/ansible" + +function start_agent { + echo "Initializing new SSH agent..." + ssh-agent -s | sed 's/^echo/#echo/' > "${SSH_ENV}" + chmod 600 "${SSH_ENV}" + . "${SSH_ENV}" > /dev/null + + # Add ansible key + if [ -f "$ANSIBLE_KEY" ]; then + cat > /tmp/ansible-askpass.sh << 'ASKPASS' +#!/bin/bash +echo "PenguinsJuggleFlamingPineapples42" +ASKPASS + chmod +x /tmp/ansible-askpass.sh + SSH_ASKPASS=/tmp/ansible-askpass.sh DISPLAY=:0 setsid -w ssh-add "$ANSIBLE_KEY" < /dev/null 2>/dev/null + rm -f /tmp/ansible-askpass.sh + fi +} + +# Source SSH agent settings if exists +if [ -f "${SSH_ENV}" ]; then + . "${SSH_ENV}" > /dev/null + ps -ef | grep ${SSH_AGENT_PID} | grep ssh-agent$ > /dev/null || { + start_agent + } +else + start_agent +fi + +# Ensure ansible key is loaded +if ! ssh-add -l 2>/dev/null | grep -q "ansible@mymx.me"; then + if [ -f "$ANSIBLE_KEY" ]; then + cat > /tmp/ansible-askpass.sh << 'ASKPASS' +#!/bin/bash +echo "PenguinsJuggleFlamingPineapples42" +ASKPASS + chmod +x /tmp/ansible-askpass.sh + SSH_ASKPASS=/tmp/ansible-askpass.sh DISPLAY=:0 setsid -w ssh-add "$ANSIBLE_KEY" < /dev/null 2>/dev/null + rm -f /tmp/ansible-askpass.sh + fi +fi diff --git a/TODO.md b/TODO.md index b4fe7b5..7a43028 100644 --- a/TODO.md +++ b/TODO.md 
@@ -21,7 +21,8 @@ ### 🔥 Critical (P0) - [x] **BLOCKED** - Recover derp VM - requires ansible user creation (deferred - low priority) -- [x] **BLOCKED** - Resolve git push permission issue (Gitea server-side config needed) +- [x] ✅ **RESOLVED** - Git push permission issue - SSH key created and configured +- [x] ✅ **RESOLVED** - Gitea repository recreated with proper SSH authentication - [ ] **BLOCKED** - Execute system info playbook on derp (blocked by derp access) ### ⚠️ High Priority (P1) @@ -79,7 +80,7 @@ ## Known Issues 1. **derp VM stopped** - Requires ansible user creation, deferred (low priority) -2. **Git push blocked** - Gitea server pre-receive hook permission issue +2. ~~**Git push blocked**~~ - ✅ RESOLVED - SSH key created, repository recreated 3. **pihole LVM missing** - Non-compliant with CLAUDE.md, migration needed 4. ~~**QEMU agent channels**~~ - ✅ RESOLVED - mymx QEMU agent verified operational 5. **Molecule tests** - Structure exists but not functional @@ -93,6 +94,9 @@ ## Quick Wins (< 30 min each) - [x] ✅ Execute install_qemu_agent.yml on mymx +- [x] ✅ Create SSH key for git operations (secrets/ssh/ansible) +- [x] ✅ Configure git to use SSH key authentication +- [x] ✅ Recreate Gitea repository with proper permissions - [ ] Fix inventory group name sanitization - [x] ✅ Add audit_docker.yml playbook - [ ] Create testing cheatsheet diff --git a/docs/git-ssh-setup.md b/docs/git-ssh-setup.md new file mode 100644 index 0000000..468c004 --- /dev/null +++ b/docs/git-ssh-setup.md 
@@ -0,0 +1,122 @@ +# Git SSH Key Setup for Gitea + +## Overview + +Git is now configured to use SSH key authentication for all operations with `git.mymx.me`. + +## SSH Key Details + +- **Location**: `/opt/ansible/secrets/ssh/ansible` +- **Type**: ed25519 +- **Fingerprint**: `SHA256:mkgq5V567C/CJas9nbP16kNzzVqs7z7k2X90qdP0QXE` +- **User**: `ansible@mymx.me` +- **Passphrase**: Stored in `secrets/ssh/README.md` + +## Configuration + +### Git Configuration + +Git has been configured to use the SSH key: + +```bash +git config core.sshCommand "ssh -i /opt/ansible/secrets/ssh/ansible" +``` + +### SSH Agent Initialization + +An automatic SSH agent initialization script has been created at `/opt/ansible/.ssh-agent-init`. + +To use in new shells, add to your shell profile: + +```bash +source /opt/ansible/.ssh-agent-init +``` + +This script will: +1. Start ssh-agent if not running +2. Load the ansible SSH key with passphrase automatically +3. Persist the agent across shell sessions + +## Usage + +### Current Shell + +In your current shell, source the initialization script: + +```bash +source /opt/ansible/.ssh-agent-init +``` + +### Git Operations + +All standard git operations now work with SSH authentication: + +```bash +# Fetch updates +git fetch origin + +# Pull changes +git pull origin master + +# Push commits +git push origin master + +# Check remote +git ls-remote origin +``` + +### Manual SSH Key Management + +If you need to manually manage the SSH key: + +```bash +# Check loaded keys +ssh-add -l + +# Add key manually (will prompt for passphrase) +ssh-add /opt/ansible/secrets/ssh/ansible + +# Remove key from agent +ssh-add -d /opt/ansible/secrets/ssh/ansible +``` + +## Troubleshooting + +### "Could not open a connection to your authentication agent" + +Run the initialization script: + +```bash +source /opt/ansible/.ssh-agent-init +``` + +### "Permission denied (publickey)" + +Ensure the key is loaded in ssh-agent: + +```bash +ssh-add -l +``` + +If not listed, source 
the initialization script or add manually. + +### Verify SSH Connection + +Test SSH connection to Gitea: + +```bash +ssh -T git@git.mymx.me -p 2222 -i /opt/ansible/secrets/ssh/ansible +``` + +## Security Notes + +- Private key is stored in `secrets/` directory (should be in separate git repository) +- Passphrase is documented in `secrets/ssh/README.md` +- SSH key has read/write access to ansible repositories on git.mymx.me +- Key was uploaded to Gitea with Key ID: 5 + +## References + +- Passphrase details: `secrets/ssh/README.md` +- SSH config: `~/.ssh/config` +- Git config: `.git/config` (core.sshCommand)
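Review bot: in the `.ssh-agent-init` hunk, `start_agent` and the trailing "Ensure ansible key is loaded" block both embed the key's passphrase in clear text inside a heredoc, so committing this file puts the passphrase into the repository and the passphrase on `/opt/ansible/secrets/ssh/ansible` no longer adds protection; the helper is also written to the fixed path `/tmp/ansible-askpass.sh` under the process's default umask before the `chmod +x`, so on a shared host another local user can read it in that window or pre-create the path. Suggest removing the hard-coded passphrase altogether (an unencrypted key in a 0600 file outside the repository gives the same effective protection with less surface, or read the passphrase from a 0600 file that is not under version control), creating any askpass helper with `umask 077` and `mktemp`, and moving the duplicated askpass block into one `load_key` function that both call sites use. Two smaller points in the same hunk: `ps -ef | grep ${SSH_AGENT_PID}` is unquoted and matches any line containing that number as a substring, so `kill -0 "$SSH_AGENT_PID"` is the more reliable liveness check; and `2>/dev/null` on the `ssh-add` call hides exactly the failure the script exists to fix, so at least log it.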
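Review bot: the Quick Wins hunk in `TODO.md` records the key as created at `secrets/ssh/ansible`, a path inside this repository's tree, but nothing in the patch adds `secrets/` to `.gitignore` or shows it living in the separate repository the new docs say it should be in; suggest adding a checklist item (and a check on this change) that `git ls-files secrets/` returns nothing before the key and its README are marked done.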
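Review bot: the Security Notes section of `docs/git-ssh-setup.md` states that the passphrase is stored in `secrets/ssh/README.md`, next to the private key it protects, and the SSH Agent Initialization section says the script loads the key "with passphrase automatically"; the doc should say plainly that the passphrase is therefore readable by anyone who can read the secrets directory or the init script, and that the private key is effectively unencrypted at rest. Suggest removing the passphrase from the README and from `.ssh-agent-init`, and documenting the controls that actually remain: filesystem permissions on `/opt/ansible/secrets/ssh/ansible`, the scope of the Gitea key (listed here as read/write to the ansible repositories), and rotation, with the fingerprint and Key ID already recorded in this file as the handle for revoking the key in Gitea if it leaks. Minor: `git config core.sshCommand "ssh -i /opt/ansible/secrets/ssh/ansible"` pins the identity per repository while the agent script is global; either pick one mechanism or state that `-i` is the fallback when no agent is running.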