diff --git a/ops/renovate/bot-config.js b/ops/renovate/bot-config.js
new file mode 100644
index 0000000..572fb19
--- /dev/null
+++ b/ops/renovate/bot-config.js
@@ -0,0 +1,26 @@
+// Renovate Bot-Config (NICHT die Repo-Config).
+//
+// Die Repo-Config liegt im Repository selbst unter `renovate.json` und
+// enthaelt nur Repo-spezifische Sachen (extends, packageRules, ignorePaths,
+// docker-compose patterns).
+//
+// Diese Bot-Config hier wird ueber RENOVATE_CONFIG_FILE in den Renovate-
+// Container gemountet. Sie enthaelt nur Plattform-, Discovery- und Limits-
+// Einstellungen. Den Auth-Token uebergeben wir ueber --env-file.
+module.exports = {
+  platform: "gitea",
+  endpoint: "https://git.kaleschke.info/api/v1",
+  username: "renovate",
+  gitAuthor: "Renovate Bot <renovate@kaleschke.info>",
+  onboarding: false,
+  requireConfig: "optional",
+  // Autodiscover funktioniert in Gitea nur fuer eigene/Org-Repos; unser
+  // Service-Account hat nur Collaborator-Rechte. Daher explicit list.
+  autodiscover: false,
+  repositories: ["Micha/homelab-infra"],
+  // Limits konservativ: wenig PRs gleichzeitig, damit das Review-Volumen
+  // handhabbar bleibt.
+  prHourlyLimit: 0,
+  prConcurrentLimit: 5,
+  branchConcurrentLimit: 10,
+};
diff --git a/ops/renovate/run-renovate.sh b/ops/renovate/run-renovate.sh
index da13132..3989cde 100644
--- a/ops/renovate/run-renovate.sh
+++ b/ops/renovate/run-renovate.sh
@@ -20,7 +20,7 @@ RENOVATE_IMAGE="${RENOVATE_IMAGE:-renovate/renovate:41}"
 RENOVATE_TOKEN_FILE="${RENOVATE_TOKEN_FILE:-/mnt/user/appdata/secrets/renovate_token.txt}"
 RENOVATE_LOG_DIR="${RENOVATE_LOG_DIR:-/mnt/user/services/renovate/logs}"
 RENOVATE_STATE_DIR="${RENOVATE_STATE_DIR:-/mnt/user/services/renovate/state}"
-RENOVATE_CONFIG_FILE="${RENOVATE_CONFIG_FILE:-/mnt/user/services/homelab-infra/renovate.json}"
+RENOVATE_CONFIG_FILE="${RENOVATE_CONFIG_FILE:-/mnt/user/services/homelab-infra/ops/renovate/bot-config.js}"
 # Gitea sitzt hinter Traefik unter git.kaleschke.info; der WAN-Pfad geht
 # ueber Public-IP -> FRITZBox. Vom Docker-Container aus loest der Standard-
 # Resolver den Host moeglicherweise nicht auf (siehe `extra_hosts` im Komodo-
@@ -60,9 +60,7 @@ LATEST_SYMLINK="$RENOVATE_LOG_DIR/latest.log"
   umask 077
   cat > "$ENV_FILE" <<EFEOF
 RENOVATE_TOKEN=$(cat "$RENOVATE_TOKEN_FILE")
-RENOVATE_CONFIG_FILE=/usr/src/app/config.json
-RENOVATE_PLATFORM=gitea
-RENOVATE_ENDPOINT=https://git.kaleschke.info/api/v1
+RENOVATE_CONFIG_FILE=/usr/src/app/config.js
 LOG_LEVEL=${RENOVATE_LOG_LEVEL:-info}
 EFEOF
   chmod 600 "$ENV_FILE"
@@ -72,7 +70,7 @@ EFEOF
     --add-host "git.kaleschke.info:$GITEA_HOST_LAN_IP" \
     --dns 1.1.1.1 \
     --dns 8.8.8.8 \
-    -v "$RENOVATE_CONFIG_FILE":/usr/src/app/config.json:ro \
+    -v "$RENOVATE_CONFIG_FILE":/usr/src/app/config.js:ro \
     -v "$RENOVATE_STATE_DIR":/tmp/renovate \
     --env-file "$ENV_FILE" \
     "$RENOVATE_IMAGE" 2>&1
diff --git a/renovate.json b/renovate.json
index 6aaebfd..3e7a662 100644
--- a/renovate.json
+++ b/renovate.json
@@ -5,18 +5,7 @@
     ":dependencyDashboard",
     ":semanticCommits"
   ],
-  "platform": "gitea",
-  "endpoint": "https://git.kaleschke.info/api/v1",
-  "username": "renovate",
-  "gitAuthor": "Renovate Bot <renovate@kaleschke.info>",
-  "onboarding": false,
-  "requireConfig": "optional",
-  "autodiscover": false,
-  "repositories": ["Micha/homelab-infra"],
   "dependencyDashboardTitle": "Renovate Dependency Dashboard",
-  "prHourlyLimit": 0,
-  "prConcurrentLimit": 5,
-  "branchConcurrentLimit": 10,
   "labels": ["dependencies"],
   "rangeStrategy": "pin",
   "lockFileMaintenance": {