diff --git a/config/nginx/site.conf.tmpl b/config/nginx/site.conf.tmpl
index 934e7a0..935dfe0 100644
--- a/config/nginx/site.conf.tmpl
+++ b/config/nginx/site.conf.tmpl
@@ -10,8 +10,8 @@ server {
     allow all;
   }
 
-  ## __HTTP_BODY__
+  __HTTP_BODY__
 }
 
 # ===================== HTTPS (Port 443) ====================
-## __SSL_SERVER_BLOCK__
\ No newline at end of file
+__SSL_SERVER_BLOCK__
\ No newline at end of file
diff --git a/scripts/10-provision.sh b/scripts/10-provision.sh
index ec7bf8c..eb0ecc2 100644
--- a/scripts/10-provision.sh
+++ b/scripts/10-provision.sh
@@ -15,6 +15,11 @@ apt-get -y -o Dpkg::Options::="--force-confdef" \
   unzip curl composer git certbot python3-certbot-nginx \
   ca-certificates rsyslog sudo openssl monit acl netcat-openbsd
 
+# <<< Apache konsequent entfernen >>>
+systemctl disable --now apache2 >/dev/null 2>&1 || true
+apt-get -y purge 'apache2*' >/dev/null 2>&1 || true
+apt-get -y autoremove >/dev/null 2>&1 || true
+
 log "Systemuser/Dirs …"
 id vmail >/dev/null 2>&1 || adduser --system --group --home /var/mail vmail
 id "$APP_USER" >/dev/null 2>&1 || adduser --disabled-password --gecos "" "$APP_USER"
diff --git a/scripts/70-nginx.sh b/scripts/70-nginx.sh
index 185d022..cdebf4d 100644
--- a/scripts/70-nginx.sh
+++ b/scripts/70-nginx.sh
@@ -11,6 +11,9 @@ NGINX_SITE_LINK="/etc/nginx/sites-enabled/${APP_USER}.conf"
 ACME_ROOT="/var/www/letsencrypt"
 install -d -m 0755 "$ACME_ROOT"
 
+# Default-Sites konsequent entfernen (verhindert doppelten default_server)
+rm -f /etc/nginx/sites-enabled/default /etc/nginx/sites-available/default || true
+
 # HTTP/2 prüfen
 NGINX_HTTP2_SUFFIX=""
 if nginx -V 2>&1 | grep -q http_v2; then
@@ -126,6 +129,7 @@ if [[ $SSL_ENABLED -eq 1 ]]; then
   render="${render/__SSL_SERVER_BLOCK__/$SSL_BLOCK}"
 else
   render="${render/__HTTP_BODY__/$HTTP_BODY_APP}"
+  # HTTPS-Block komplett entfernen
   render="${render/__SSL_SERVER_BLOCK__/}"
 fi