diff --git a/scripts/10-provision.sh b/scripts/10-provision.sh
index eb0ecc2..f40451a 100644
--- a/scripts/10-provision.sh
+++ b/scripts/10-provision.sh
@@ -32,12 +32,34 @@ mkdir -p /etc/mysql/mariadb.conf.d
 [[ -f /etc/mysql/mariadb.cnf ]] || echo '!include /etc/mysql/mariadb.conf.d/*.cnf' > /etc/mysql/mariadb.cnf
 log "Redis absichern …"
-REDIS_CONF="/etc/redis/redis.conf"
+# Aktiven Redis-Config-Pfad aus systemd holen (Fallback: Standard)
+REDIS_CONF="$(systemctl show -p ExecStart redis-server \
+ | sed -n 's/^ExecStart=.*redis-server[[:space:]]\+\([^[:space:]]\+\).*/\1/p')"
+REDIS_CONF="${REDIS_CONF:-/etc/redis/redis.conf}"
+
+# Einmaliges, zufälliges Passwort (falls nicht von außen gesetzt)
 REDIS_PASS="${REDIS_PASS:-$(openssl rand -hex 16)}"
-sed -i 's/^\s*#\?\s*bind .*/bind 127.0.0.1/' "$REDIS_CONF"
-sed -i 's/^\s*#\?\s*protected-mode .*/protected-mode yes/' "$REDIS_CONF"
-grep -qE '^\s*#?\s*requirepass ' "$REDIS_CONF" \
- && sed -i "s/^\s*#\?\s*requirepass .*/requirepass ${REDIS_PASS}/" "$REDIS_CONF" \
- || printf "\nrequirepass %s\n" "${REDIS_PASS}" >> "$REDIS_CONF"
+
+# Bind + protected-mode hart setzen
+sed -i 's/^[[:space:]]*#\?[[:space:]]*bind .*/bind 127.0.0.1/' "$REDIS_CONF"
+sed -i 's/^[[:space:]]*#\?[[:space:]]*protected-mode .*/protected-mode yes/' "$REDIS_CONF"
+
+# Vorherige requirepass-Zeilen entfernen (kommentiert/unkommentiert), dann neu schreiben
+sed -i '/^[[:space:]]*#\?[[:space:]]*requirepass[[:space:]]\+/d' "$REDIS_CONF"
+printf '\nrequirepass %s\n' "${REDIS_PASS}" >> "$REDIS_CONF"
+
+# Dienst aktivieren & neu starten
 systemctl enable --now redis-server
-systemctl restart redis-server || true
\ No newline at end of file
+systemctl restart redis-server || true
+
+# Passwort für spätere Steps persistieren (damit 80-app.sh es hat)
+install -d -m 0755 /etc/mailwolt
+echo "REDIS_PASS=${REDIS_PASS}" > /etc/mailwolt/installer.env
+chmod 600 /etc/mailwolt/installer.env
+
+# Sanity-Check (kein harter Exit, nur Log)
+if redis-cli -a "${REDIS_PASS}" ping 2>/dev/null | grep -q PONG; then
+ log "Redis mit Passwort OK."
+else
+ warn "Redis PING mit Passwort fehlgeschlagen – bitte /etc/redis/redis.conf prüfen."
+fi
\ No newline at end of file
diff --git a/scripts/80-app.sh b/scripts/80-app.sh
index e8f4812..5268787 100644
--- a/scripts/80-app.sh
+++ b/scripts/80-app.sh
@@ -53,6 +53,8 @@ else
 fi
 fi
 
+[ -z "${REDIS_PASS:-}" ] && REDIS_PASS="$(awk '/^[[:space:]]*requirepass[[:space:]]+/ {print $2}' /etc/redis/redis.conf | tail -n1 || true)"
+
 # --- .env schreiben (vollständig wie vorher) --------------------------------
 upsert_env APP_URL "${APP_URL_VAL}"
 upsert_env APP_HOST "${APP_HOST_VAL}"
@@ -102,7 +104,7 @@ upsert_env SESSION_SAMESITE "lax"
 upsert_env REDIS_CLIENT "phpredis"
 upsert_env REDIS_HOST "127.0.0.1"
 upsert_env REDIS_PORT "6379"
-upsert_env REDIS_PASSWORD "${REDIS_PASS:-}"
+upsert_env REDIS_PASSWORD "${REDIS_PASS}"
 upsert_env REDIS_DB "0"
 upsert_env REDIS_CACHE_DB "1"
 upsert_env REDIS_CACHE_CONNECTION "cache"
diff --git a/scripts/lib.sh b/scripts/lib.sh
index 09808cc..e85d656 100644
--- a/scripts/lib.sh
+++ b/scripts/lib.sh
@@ -1,5 +1,6 @@
 #!/usr/bin/env bash
 set -euo pipefail
+[ -f /etc/mailwolt/installer.env ] && . /etc/mailwolt/installer.env
 
 # ── Styling ────────────────────────────────────────────────────────────────
 GREEN="$(printf '\033[1;32m')"; YELLOW="$(printf '\033[1;33m')"
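Review bot: The persisted secret is written by `echo "REDIS_PASS=${REDIS_PASS}" > /etc/mailwolt/installer.env` before the `chmod 600`, so under the default umask the file is briefly readable by every local user, and the value is not shell-quoted even though lib.sh executes this file with `.`; create it with the final mode and quote the value, e.g. `install -m 0600 /dev/null /etc/mailwolt/installer.env` followed by `printf 'REDIS_PASS=%q\n' "$REDIS_PASS" > /etc/mailwolt/installer.env`, and drop the chmod. The sanity check hands the password over as an argument (`redis-cli -a "${REDIS_PASS}"`), which is visible in the process list for the lifetime of the call and is the reason redis-cli emits the warning that `2>/dev/null` now hides; `if REDISCLI_AUTH="$REDIS_PASS" redis-cli ping 2>/dev/null | grep -q PONG; then` keeps it out of argv. The warn branch names /etc/redis/redis.conf although the file that was actually edited is `$REDIS_CONF`. The ExecStart parsing appears to take the first token after `redis-server`; if a unit passes an option before the config path that token is not a file and the following `sed -i` calls would abort the script under `set -e`, so a `[[ -f "$REDIS_CONF" ]] || REDIS_CONF=/etc/redis/redis.conf` guard after the parse would make the fallback effective in that case too.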
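Review bot: The fallback `REDIS_PASS="$(awk '/^[[:space:]]*requirepass[[:space:]]+/ {print $2}' /etc/redis/redis.conf | tail -n1 || true)"` hardcodes /etc/redis/redis.conf while 10-provision.sh in this same commit resolves the real config path from the systemd unit, so on a host where the two differ it reads the wrong file, and because the later hunk in this file changes `"${REDIS_PASS:-}"` to `"${REDIS_PASS}"` an empty result is then written silently into the app's REDIS_PASSWORD. Since lib.sh now sources /etc/mailwolt/installer.env, this line only matters when that file is missing; a comment saying so and an explicit check after it, e.g. `[ -n "${REDIS_PASS:-}" ] || warn "REDIS_PASS not found in installer.env or redis.conf"`, would surface the failure instead of producing an app that cannot authenticate. Printing `$2` also assumes the password is unquoted in the config, which holds for what 10-provision.sh writes but not for a hand-edited file.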
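Review bot: `. /etc/mailwolt/installer.env` executes that file as shell code in every script that sources lib.sh, guarded only by an existence check; since 10-provision.sh creates it as a root-only 0600 file, verifying ownership before sourcing keeps an unexpected or replaced file from being run, e.g. `[ -f /etc/mailwolt/installer.env ] && [ -O /etc/mailwolt/installer.env ] && . /etc/mailwolt/installer.env`. Sourcing at this point also appears to override any REDIS_PASS the caller exported, which the "falls nicht von außen gesetzt" comment in 10-provision.sh suggests is meant to be allowed; if that precedence matters, preserve the caller's value before sourcing and restore it afterwards. A one-line comment documenting the file's role would help future readers, e.g. `# installer state written by 10-provision.sh (currently REDIS_PASS); root-only, sourced as shell`.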