diff --git a/ops/komodo/docker-compose.yml b/ops/komodo/docker-compose.yml
new file mode 100644
index 0000000..5005c2c
--- /dev/null
+++ b/ops/komodo/docker-compose.yml
@@ -0,0 +1,86 @@
+services:
+
+ # ──────────────────────────────────────────────────────────────────
+ # MongoDB — Datenbank fuer Komodo Core
+ # Netz: komodo_net (internal: true) — niemals frontend_net
+ # ──────────────────────────────────────────────────────────────────
+ komodo-mongo:
+ image: mongo:7
+ container_name: komodo-mongo
+ restart: unless-stopped
+ command: --quiet
+ volumes:
+ - /mnt/user/appdata/komodo/mongo:/data/db
+ - /mnt/user/appdata/secrets/komodo_mongo_password.txt:/run/secrets/mongo_password:ro
+ networks:
+ - komodo_net
+ environment:
+ - MONGO_INITDB_ROOT_USERNAME=komodo
+ - MONGO_INITDB_ROOT_PASSWORD_FILE=/run/secrets/mongo_password
+ security_opt:
+ - no-new-privileges:true
+
+ # ──────────────────────────────────────────────────────────────────
+ # Komodo Core — Management-UI (Portainer-Ersatz)
+ # Netz: frontend_net (Traefik) + komodo_net (MongoDB/Periphery)
+ # Admin-Dienst: dashboard-auth@file + secure-headers@file Pflicht
+ # ──────────────────────────────────────────────────────────────────
+ komodo-core:
+ image: ghcr.io/mbecker20/komodo:latest
+ container_name: komodo-core
+ restart: unless-stopped
+ depends_on:
+ - komodo-mongo
+ volumes:
+ - /mnt/user/appdata/komodo/core:/repo-cache
+ networks:
+ - komodo_net
+ - frontend_net
+ environment:
+ - TZ=Europe/Berlin
+ - KOMODO_HOST=https://komodo.kaleschke.info
+ - KOMODO_TITLE=Kallilabcore
+ - KOMODO_SECRET_KEY=${KOMODO_SECRET_KEY}
+ - KOMODO_MONGO_ADDRESS=komodo-mongo:27017
+ - KOMODO_MONGO_USERNAME=komodo
+ - KOMODO_MONGO_PASSWORD=${KOMODO_MONGO_PASSWORD}
+ - KOMODO_LOG_LEVEL=info
+ labels:
+ - traefik.enable=true
+ - traefik.docker.network=frontend_net
+ - traefik.http.routers.komodo.rule=Host(`komodo.kaleschke.info`)
+ - traefik.http.routers.komodo.entrypoints=websecure
+ - traefik.http.routers.komodo.tls=true
+ - traefik.http.routers.komodo.tls.certresolver=le
+ - traefik.http.routers.komodo.middlewares=dashboard-auth@file,secure-headers@file
+ - traefik.http.services.komodo.loadbalancer.server.port=9120
+ security_opt:
+ - no-new-privileges:true
+
+ # ──────────────────────────────────────────────────────────────────
+ # Komodo Periphery — Docker-Agent auf Kallilabcore
+ # Netz: komodo_net (internal) — kein Traefik noetig
+ # Ausnahme: Docker-Socket ohne :ro (Periphery startet/stoppt Container)
+ # ──────────────────────────────────────────────────────────────────
+ komodo-periphery:
+ image: ghcr.io/mbecker20/periphery:latest
+ container_name: komodo-periphery
+ restart: unless-stopped
+ volumes:
+ - /var/run/docker.sock:/var/run/docker.sock
+ - /mnt/user/appdata/komodo/periphery:/etc/komodo
+ networks:
+ - komodo_net
+ environment:
+ - PERIPHERY_PASSKEY=${KOMODO_PERIPHERY_PASSKEY}
+ - TZ=Europe/Berlin
+ security_opt:
+ - no-new-privileges:true
+
+networks:
+ frontend_net:
+ external: true
+ komodo_net:
+ name: komodo_net
+ internal: true
+ driver: bridge
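Review bot: The three `${...}` substitutions in the `komodo-core` and `komodo-periphery` `environment:` lists (`KOMODO_SECRET_KEY`, `KOMODO_MONGO_PASSWORD`, `KOMODO_PERIPHERY_PASSKEY`) expand to an empty string when the variable is missing from the shell or `.env`, so the stack can start with an empty passkey on the one service that holds the writable Docker socket; how Periphery treats an empty passkey is not visible in this hunk. Use the required-variable form so `docker compose up` aborts instead, e.g. `- PERIPHERY_PASSKEY=${KOMODO_PERIPHERY_PASSKEY:?KOMODO_PERIPHERY_PASSKEY must be set}`, and the same for the two core secrets. That socket-holding service is also pulled as `ghcr.io/mbecker20/periphery:latest`; because it is root-equivalent on the host, pin it and `komodo:latest` to a release tag or digest, e.g. `image: ghcr.io/mbecker20/periphery:<PINNED_VERSION>`. Separately, the Mongo password reaches `komodo-mongo` through a read-only mounted file but reaches `komodo-core` as a plain environment value that shows up in `docker inspect`; if the core image offers a file-based setting, prefer it so the secret lives in one place.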