diff --git a/inventories/z9/host_vars/engelsystem.yaml b/inventories/z9/host_vars/engelsystem.yaml
index d7e3209..548fe56 100644
--- a/inventories/z9/host_vars/engelsystem.yaml
+++ b/inventories/z9/host_vars/engelsystem.yaml
@@ -1,4 +1,4 @@
-docker_compose__compose_file_content: "{{ lookup('ansible.builtin.file', 'configs/engelsystem/compose.yaml') }}"
+docker_compose__compose_file_content: "{{ lookup('ansible.builtin.template', 'configs/engelsystem/compose.yaml.j2') }}"
 docker_compose__configuration_files: []
 
 cert__acme_account_email: j+letsencrypt-ccchh@jsts.xyz
diff --git a/playbooks/files/configs/engelsystem/compose.yaml b/playbooks/templates/configs/engelsystem/compose.yaml.j2
similarity index 85%
rename from playbooks/files/configs/engelsystem/compose.yaml
rename to playbooks/templates/configs/engelsystem/compose.yaml.j2
index 6fd1442..0fdf624 100644
--- a/playbooks/files/configs/engelsystem/compose.yaml
+++ b/playbooks/templates/configs/engelsystem/compose.yaml.j2
@@ -18,9 +18,8 @@ services:
       MAIL_HOST: send-only-mailserver.ccchh.net
       MAIL_PORT: 465
       MAIL_ENCRYPTION: tls
-      # MAIL_USERNAME and MAIL_PASSWORD are loaded from env file
-    env_file:
-      - engelsystem_secrets.env # Must be managed by the admin manually. Not managed by Ansible.
+      MAIL_USERNAME: aes
+      MAIL_PASSWORD: {{ lookup("community.general.passwordstore", "vm-secrets/engelsystem/MAIL_PASSWORD", create=false, missing="error") }}
     ports:
       - "5080:80"
     networks: