diff --git a/nix/hosts/cc-ci/configuration.nix b/nix/hosts/cc-ci/configuration.nix
index 90eeb44..47e445e 100644
--- a/nix/hosts/cc-ci/configuration.nix
+++ b/nix/hosts/cc-ci/configuration.nix
@@ -56,6 +56,7 @@ environment.systemPackages = with pkgs; [
 curl
 git
+ git-lfs
 jq
 openssh
 ];
diff --git a/tests/gitea/custom/test_git_push.py b/tests/gitea/custom/test_git_push.py
index fb41191..87548e3 100644
--- a/tests/gitea/custom/test_git_push.py
+++ b/tests/gitea/custom/test_git_push.py
@@ -77,7 +77,9 @@ def test_git_push(live_app):
 user=user, password=password,
 )
 assert status == 201, f"repo create HTTP {status}: {body}"
- clone_url = body.get("clone_url") or f"https://{live_app}/{user}/{repo_name}.git"
+ # Embed credentials directly in the URL so clone + push both work without
+ # a separate credential helper. Password is a 32-char hex string (URL-safe).
+ cred_url = f"https://{user}:{password}@{live_app}/{user}/{repo_name}.git"
 tmpdir = tempfile.mkdtemp(prefix="ccci-gitea-push-")
 try:
@@ -86,14 +88,12 @@ def test_git_push(live_app):
 "GIT_AUTHOR_EMAIL": "ci@ci.local",
 "GIT_COMMITTER_NAME": "CI Test Bot",
 "GIT_COMMITTER_EMAIL": "ci@ci.local",
- # Embed credentials so HTTPS push works without interactive prompt.
- "GIT_CONFIG_COUNT": "1",
- "GIT_CONFIG_KEY_0": f"url.https://{user}:{password}@{live_app}/.insteadOf",
- "GIT_CONFIG_VALUE_0": f"https://{live_app}/",
+ "GIT_SSL_NO_VERIFY": "true",
+ "GIT_TERMINAL_PROMPT": "0",
 }
 # 2. Clone (empty repo)
- _run_git(["clone", clone_url, tmpdir], cwd="/tmp", env=git_env)
+ _run_git(["clone", cred_url, tmpdir], cwd="/tmp", env=git_env)
 _run_git(["checkout", "-b", "main"], cwd=tmpdir, env=git_env)
 # 3. Commit a file
diff --git a/tests/gitea/custom/test_lfs_roundtrip.py b/tests/gitea/custom/test_lfs_roundtrip.py
index 718bc96..959764c 100644
--- a/tests/gitea/custom/test_lfs_roundtrip.py
+++ b/tests/gitea/custom/test_lfs_roundtrip.py
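Review bot: In tests/gitea/custom/test_git_push.py the new `cred_url` places the admin password in the argument list of `git clone`, where it is readable from the process table while git runs and is stored as the origin URL in the temporary clone's `.git/config`; if `_run_git` (not visible in this hunk) prints the command on failure, it also lands in the CI log. The removed `url.<base>.insteadOf` environment entries kept the secret out of argv and out of the on-disk config, so either keep an environment-based mechanism such as `GIT_ASKPASS`, or make sure any logged command has the userinfo part redacted. The comment relies on the password being hex, but `user` is interpolated unquoted as well; `cred_url = f"https://{quote(user, safe='')}:{quote(password, safe='')}@{live_app}/{user}/{repo_name}.git"` with `from urllib.parse import quote` removes the assumption. The same applies to the `cred_url` added in test_lfs_roundtrip.py and to its three `clone` calls.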
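Review bot: The added `"GIT_SSL_NO_VERIFY": "true"` entry in `git_env` (test_git_push.py, second hunk) switches off certificate validation for the HTTPS requests git makes in this test, and those requests now carry the admin password, so nothing authenticates the server that receives it. If the CI instance is served with a private or self-signed CA, point git at that CA instead, for example `"GIT_SSL_CAINFO": ca_bundle_path,` where `ca_bundle_path` is a placeholder for wherever the fixture exposes the CA file. If verification has to stay off, add a comment on that line saying why and that the credentials are throwaway and scoped to the test instance. The same entry is added to `git_env` in test_lfs_roundtrip.py; the dict and the function both continue outside the hunk.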
@@ -90,15 +90,14 @@ def test_lfs_roundtrip(live_app):
 user, password = admin_creds(live_app)
 repo_name = "ci-lfs-test"
+ # Embed credentials directly in the URL (password is 32-char hex, URL-safe).
+ cred_url = f"https://{user}:{password}@{live_app}/{user}/{repo_name}.git"
 git_env = {
 "GIT_AUTHOR_NAME": "CI LFS Bot",
 "GIT_AUTHOR_EMAIL": "ci@ci.local",
 "GIT_COMMITTER_NAME": "CI LFS Bot",
 "GIT_COMMITTER_EMAIL": "ci@ci.local",
- "GIT_CONFIG_COUNT": "1",
- "GIT_CONFIG_KEY_0": f"url.https://{user}:{password}@{live_app}/.insteadOf",
- "GIT_CONFIG_VALUE_0": f"https://{live_app}/",
- # Suppress interactive LFS credential prompts
+ "GIT_SSL_NO_VERIFY": "true",
 "GIT_TERMINAL_PROMPT": "0",
 }
@@ -109,12 +108,11 @@ def test_lfs_roundtrip(live_app):
 user=user, password=password,
 )
 assert status in (201, 409), f"repo create HTTP {status}: {body}"
- clone_url = f"https://{live_app}/{user}/{repo_name}.git"
 tmpdir = tempfile.mkdtemp(prefix="ccci-gitea-lfs-")
 try:
 # 2. Clone repo
- _run_git(["clone", clone_url, tmpdir], cwd="/tmp", env=git_env)
+ _run_git(["clone", cred_url, tmpdir], cwd="/tmp", env=git_env)
 _run_git(["lfs", "install"], cwd=tmpdir, env=git_env)
 # 3. Track *.bin as LFS
@@ -145,7 +143,7 @@ def test_lfs_roundtrip(live_app):
 # 6. Download in a FRESH clone (proves the LFS server stores and serves the object)
 fresh_dir = tempfile.mkdtemp(prefix="ccci-gitea-lfs-dl-")
 try:
- _run_git(["clone", clone_url, fresh_dir], cwd="/tmp", env=git_env)
+ _run_git(["clone", cred_url, fresh_dir], cwd="/tmp", env=git_env)
 fetched_path = os.path.join(fresh_dir, "testblob.bin")
 assert os.path.exists(fetched_path), "testblob.bin not fetched in fresh clone"
 with open(fetched_path, "rb") as f:
@@ -181,7 +179,7 @@ def test_lfs_roundtrip(live_app):
 import time
 deadline = time.time() + 120
 while time.time() < deadline:
- status2, _ = _api(live_app, "/api/v1/version", user=user, password=password)
+ status2, _ = _api(live_app, "/version", user=user, password=password)
 if status2 == 200:
 break
 time.sleep(5)
@@ -200,7 +198,7 @@ def test_lfs_roundtrip(live_app):
 # 8. Verify a fresh clone still works after restart (tokens still validate)
 post_restart_dir = tempfile.mkdtemp(prefix="ccci-gitea-lfs-restart-")
 try:
- _run_git(["clone", clone_url, post_restart_dir], cwd="/tmp", env=git_env)
+ _run_git(["clone", cred_url, post_restart_dir], cwd="/tmp", env=git_env)
 pr_blob = os.path.join(post_restart_dir, "testblob.bin")
 assert os.path.exists(pr_blob), "testblob.bin not fetched in post-restart clone"
 with open(pr_blob, "rb") as f:
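Review bot: The readiness poll in test_lfs_roundtrip.py now requests `"/version"` instead of `"/api/v1/version"`, and nothing at the call site explains the change; if `_api` prepends the `/api/v1` prefix (its definition is outside this hunk), say so with a comment such as `# _api() prepends /api/v1`. The poll also sends the admin credentials on every attempt although it only checks for a 200, and whether a connection error during the restart is caught depends on `_api`, which is not visible here. What happens once the deadline passes is outside the hunk, so confirm the test fails explicitly when `status2` never reaches 200 rather than continuing to the post-restart clone.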