diff --git a/.defaults.sh b/.defaults.sh
index 38f5531..4fcfd3d 100644
--- a/.defaults.sh
+++ b/.defaults.sh
@@ -8,10 +8,6 @@ ROOT_URL=${ROOT_URL:-"http://127.0.0.1:3000"}
 SSH_DOMAIN=${SSH_DOMAIN:-"127.0.0.1"}
 SSH_PORT=${SSH_PORT:-"3022"}
 DISABLE_SSH=${DISABLE_SSH:-"false"}
-LFS_JWT_SECRET=${LFS_JWT_SECRET:-"$(head /dev/urandom | tr -dc 'A-Za-z0-9_' | head -c 32)"}
-SECRET_KEY=${SECRET_KEY:-"$(head /dev/urandom | tr -dc 'A-Za-z0-9_' | head -c 32)"}
-INTERNAL_TOKEN=${INTERNAL_TOKEN:-"$(head /dev/urandom | tr -dc 'A-Za-z0-9_' | head -c 64)"}
-JWT_SECRET=${JWT_SECRET:-"$(head /dev/urandom | tr -dc 'A-Za-z0-9_' | head -c 32)"}
 # global settings
 [ -z "${A_DEFAULT_SETTINGS}" ] \
diff --git a/.defaults/server.sh b/.defaults/server.sh
index 97fe368..3dbadc0 100644
--- a/.defaults/server.sh
+++ b/.defaults/server.sh
@@ -9,6 +9,7 @@ ROOT_URL = {{%ROOT_URL%}}
 DISABLE_SSH = {{%DISABLE_SSH%}}
 START_SSH_SERVER = true
 SSH_PORT = {{%SSH_PORT%}}
+SSH_ROOT_PATH = {{%MAIN_DIR%}}/data/ssh
 LFS_CONTENT_PATH = {{%MAIN_DIR%}}/data/git/lfs
 DOMAIN = localhost
 LFS_START_SERVER = true
diff --git a/setup.sh b/setup.sh
index e472adb..e27ea28 100755
--- a/setup.sh
+++ b/setup.sh
@@ -12,23 +12,26 @@ set_in_file() {
 # ensure there is a line with $1=$2 in file $3
 grep -q "^$1=" "$3" && sed "s/^$1=.*/$1=$2/" -i "$3" \
 || echo "$1=$2" >> "$3"
-
 }
 gen_app_ini() {
 source "$curp/.defaults.sh"
+ tempini="$curp/custom/conf/app.ini.temp"
+ realini="$curp/custom/conf/app.ini"
 for x in $(find "$curp/.defaults" -type f -name "*.sh"); do
 source "$x"
 done
- truncate -s 0 "$curp/custom/conf/app.ini"
+ truncate -s 0 "$tempini"
 # first build the template
 for x in $( ( set -o posix ; set ) |grep -o '^A_DEFAULT_SETTINGS.*=' | cut -d '=' -f1); do
- echo -e "${!x}\n" >> "$curp/custom/conf/app.ini"
+ echo -e "${!x}\n" >> "$tempini"
 done
 # then replace variables in the template
- for x in $(cat "$curp/custom/conf/app.ini" | grep -o '{{%.*%}}' | sed -e 's/^{{%//' -e 's/%}}//' | sort | uniq); do
- sed -i -e "s#{{%$x%}}#$(echo -n "${!x}"|sed -z 's/\n/\\n/g')#" "$curp/custom/conf/app.ini"
+ for x in $(cat "$tempini" | grep -o '{{%.*%}}' | sed -e 's/^{{%//' -e 's/%}}//' | sort | uniq); do
+ sed -i -e "s#{{%$x%}}#$(echo -n "${!x}"|sed -z 's/\n/\\n/g')#" "$tempini"
 done
+ [[ "$(sha1sum "$tempini" | cut -d ' ' -f1 | tr -d '\n')" != "$(sha1sum "$realini" | cut -d ' ' -f1 | tr -d '\n')" ]] \
+ && mv "$tempini" "$realini" || rm "$tempini"
 }
 create_admin() {
 if [ -z "${ADMIN_PASSWORD}" ]; then
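Review bot: The last two added lines of gen_app_ini chain `[[ … ]] && mv "$tempini" "$realini" || rm "$tempini"`, so a failed `mv` falls through to `rm` and the freshly generated config is deleted without any error being reported. An explicit branch avoids that and replaces the double sha1sum pipeline: `if cmp -s "$tempini" "$realini"; then rm -- "$tempini"; else mv -- "$tempini" "$realini"; fi`. `app.ini.temp` is created by `truncate` with whatever umask the caller has and presumably receives the same secret values as `app.ini` once the placeholders are substituted, so it is worth creating it with a restrictive mode; confirm which keys the templates actually emit. The placeholder `sed` on the new side still inserts `${!x}` into an `s#…#…#` expression, so a value containing `#`, `&` or `\` would corrupt the substitution.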
@@ -56,19 +59,21 @@ create_admin() {
 fi
 }
 create_org() {
- curl --silent -X POST "${apiurl}/orgs" \
+ orgid=$(curl --silent -X POST "${apiurl}/orgs" \
 -H "Authorization: token ${ADMIN_TOKEN}" \
 -H "accept: application/json" \
 -H "Content-Type: application/json" \
- -d "{ \"username\": \"$1\", \"visibility\": \"limited\"}" 1>&2
+ -d "{ \"username\": \"$1\", \"visibility\": \"limited\"}" | jq -r '.id')
+ [[ "$orgid" != "null" ]] && sleep 1 || true
 }
 create_repo() {
- curl --silent -X POST "${apiurl}$2" \
+ repoid=$(curl --silent -X POST "${apiurl}$2" \
 -H "Authorization: token ${ADMIN_TOKEN}" \
 -H "accept: application/json" \
 -H "Content-Type: application/json" \
- -d "{\"auto_init\": false, \"private\": true, \"name\": \"$1\"}" 1>&2
+ -d "{\"auto_init\": false, \"private\": true, \"name\": \"$1\"}" | jq -r '.id')
+ [[ "$repoid" != "null" ]] && sleep 5 || true
 }
 # load local file
@@ -81,6 +86,15 @@ if [ -z "${ADMIN_EMAIL}" ]; then
 set_in_file "ADMIN_EMAIL" "${ADMIN_EMAIL}" "$curp/.custom_defaults.sh"
 fi
+for x in LFS_JWT_SECRET SECRET_KEY INTERNAL_TOKEN JWT_SECRET; do
+ # https://github.com/go-gitea/gitea/issues/3246
+ # these variables need to be the same every run !!!
+ if [ -z "${!x}" ]; then
+ declare "$x"="$(head /dev/urandom | tr -dc 'A-Za-z0-9_' | head -c 40)"
+ fi
+ set_in_file "$x" "${!x}" "$curp/.custom_defaults.sh"
+done
+
 mkdir -p "$curp/custom/conf/" "$curp/log"
 [ -z "$ADMIN_USER" ] && ADMIN_USER="$USER"
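Review bot: In create_org and create_repo (hunk -56,19 +59,21) the API response is now consumed by `jq -r '.id'`, so an error body no longer reaches the terminal, and when the request fails outright the empty result still passes `[[ "$orgid" != "null" ]]` and sleeps as if the call had succeeded. Adding `--fail --show-error` to curl and testing `[[ -n "$orgid" && "$orgid" != "null" ]]` (likewise for `repoid`) would make failures visible. The request body still splices `$1` into JSON by hand; since jq is now a dependency, `-d "$(jq -n --arg n "$1" '{username: $n, visibility: "limited"}')"` keeps a name containing a quote or backslash from altering the payload. `orgid` and `repoid` are assigned as globals, and declaring them `local` would keep them inside the functions.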
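Review bot: The added loop (hunk -81,6 +86,15) persists LFS_JWT_SECRET, SECRET_KEY, INTERNAL_TOKEN and JWT_SECRET into `$curp/.custom_defaults.sh` through set_in_file, which appends with `>>`, so the file's mode follows the caller's umask and under a common 022 umask is readable by other local users. Restricting it before the loop, e.g. `touch "$curp/.custom_defaults.sh" && chmod 600 "$curp/.custom_defaults.sh"`, keeps the signing secrets private; it is also worth confirming the file is excluded from version control. set_in_file places the value inside a `sed` replacement, which is safe for generated values only because the alphabet is `A-Za-z0-9_`, so a comment such as `# alphabet must stay free of sed metacharacters (/ & \)` would protect that invariant. A value supplied through the environment is written without being checked against that alphabet.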
@@ -114,6 +128,23 @@ source "$curp/.custom_defaults.sh"
 serverurl="$(cat custom/conf/app.ini | grep '^ROOT_URL.*=' | rev | cut -d '=' -f1 | rev | tr -d '[:space:]')"
 pushuri="$(echo "$serverurl" | perl -pe "s#(https?://)#\${1}${ADMIN_USER}:${ADMIN_PASSWORD}@#" )"
 apiurl="$serverurl/api/v1"
+
+# setup GPG keys
+for x in $GPGIDS; do
+ curl --silent -X POST "$apiurl/user/gpg_keys" \
+ -H "Authorization: token ${ADMIN_TOKEN}" \
+ -H "accept: application/json" -H "Content-Type: application/json" \
+ -d "{ \"armored_public_key\": $(gpg --export --armor $x | python -c 'import json,sys; print(json.dumps(sys.stdin.read()))')}"
+done
+
+# setup ssh keys @TODO: per repo deploy keys
+for x in $SSHKEYFILES; do
+ curl --silent -X POST "$apiurl/admin/users/${ADMIN_USER}/keys" \
+ -H "Authorization: token ${ADMIN_TOKEN}" \
+ -H "accept: application/json" -H "Content-Type: application/json" \
+ -d "{ \"key\": $(cat "$x" | cut -d ' ' -f1,2 | python -c 'import json,sys; print(json.dumps(sys.stdin.read()))'), \"read_only\": false ,\"title\":\"$(cat "$x" | cut -d ' ' -f3)\"}"
+done
+
 # init ripos
 for REPO in ${REPOS}; do
 repoPath="$(echo "$REPO" | cut -d ':' -f1 | tr -d '[:space:]')"
@@ -125,15 +156,12 @@ for REPO in ${REPOS}; do
 repoOwner="${ADMIN_USER}"
 else
 create_org "$repoOrg"
- sleep 1
 repoAPIEP="/org/$repoOrg/repos"
 repoOwner="$repoOrg"
 fi
 create_repo "${repoName}" "${repoAPIEP}" 1>&2
 (
 cd "$repoPath"
- git remote add gitea-debug-dev "$pushuri/${repoOwner}/${repoName}.git" || true
- git push "gitea-debug-dev" master
+ git push "$pushuri/${repoOwner}/${repoName}.git" master
 )
- exit
 done
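Review bot: In the SSH-key loop (hunk -114,6 +128,23) the key material is JSON-encoded but the title is spliced in raw as `\"title\":\"$(cat "$x" | cut -d ' ' -f3)\"`, so a key comment containing `"` or `\` breaks or alters the request body, and a key file without a comment sends an empty title. Building the whole body with jq, which create_org and create_repo already call, removes the manual escaping and the dependency on a `python` binary: `-d "$(jq -n --arg key "$(cut -d ' ' -f1,2 "$x")" --arg title "$(cut -d ' ' -f3 "$x")" '{key: $key, read_only: false, title: $title}')"`. The GPG loop can produce its body the same way with `gpg --export --armor "$x" | jq -Rs '{armored_public_key: .}'`. Neither loop checks the response, so an ID that exports nothing or a key the server rejects goes unnoticed; `--fail --show-error` on curl would surface that.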
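Review bot: The new `git push "$pushuri/${repoOwner}/${repoName}.git" master` (hunk -125,15 +156,12) places `ADMIN_USER:ADMIN_PASSWORD` on git's command line, where it is visible in the process list and may be echoed in error output. `pushuri` is built in the preceding hunk's context by inserting the password into the URL with no encoding, so a password containing characters such as `@`, `/` or `#` can also break the substitution or the resulting URL. Pushing to the plain `$serverurl/${repoOwner}/${repoName}.git` and supplying the credentials through a credential helper or `GIT_ASKPASS` that reads them from the environment would keep the secret out of argv. The context line `cd "$repoPath"` is unchecked, so if it fails the push runs from the current directory; `cd "$repoPath" || exit` inside the subshell would stop that. The `for` loop this belongs to starts above the hunk.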