diff --git a/config.yml b/config.yml
index 4009705..7f49f3e 100644
--- a/config.yml
+++ b/config.yml
@@ -1,17 +1,21 @@
 # wg-portal Konfiguration für Pfannkuchen VPS
 # Docs: https://wgportal.org/master/documentation/overview/
+# Credentials kommen aus sops-entschlüsselter .env
 
 advanced:
   log_level: info
-  config_storage_path: "/app/config/wg0.conf"  # Exportiert Config zurück in Datei
+  # config_storage_path: ""  # DEAKTIVIERT – wg0.conf wird manuell verwaltet!
+  startup_import_peers: []
+  startup_create_unknown_peers: false
+  startup_create_default_peer: false
+  restore_state: true
 
 core:
-  admin_user: sascha@sascha-lutz.de
-  admin_password: l91aZNfYP27XxT-JOZsMBQ
-  admin_api_token: bjzpPsuuRIV9pEBmrULjzHv6PbXQCEOUI5HfPvRTXZw
-  editable_keys: true           # Erlaubt Key-Änderungen via UI/API
-  import_existing: true         # Importiert alle bestehenden Peers aus wg0
-  restore_state: true           # Stellt Peer-State wieder her (Enabled/Disabled)
+  admin_user: ${WG_PORTAL_ADMIN_USER}
+  admin_password: ${WG_PORTAL_ADMIN_PASSWORD}
+  editable_keys: true
+  import_existing: true
+  restore_state: true
   create_default_peer_on_login: false
   create_default_peer_on_user_creation: false
   self_provisioning_allowed: false
@@ -21,9 +25,8 @@ database:
   dsn: "/app/data/wg_portal.db"
 
 web:
-  external_url: "https://wg.sascha-lutz.de"
+  external_url: "https://vpn.sascha-lutz.de"
   request_logging: true
-  # listen_addr wird via Compose env gesetzt
   listening_address: ":8888"
 
 statistics: