diff --git a/docker-compose.prod.yml b/docker-compose.prod.yml
new file mode 100644
index 0000000..446a2bd
--- /dev/null
+++ b/docker-compose.prod.yml
@@ -0,0 +1,70 @@
+services:
+  frontend:
+    container_name: ca-lose-frontend
+    hostname: lose-verkaufen
+    build: ./frontend
+    restart: unless-stopped
+
+  backend:
+    container_name: ca-lose-backend
+    build: ./backend
+    environment:
+      NODE_ENV: production
+      DB_HOST: ca-lose-mysql
+      DB_USER: root
+      DB_PASSWORD: ${DB_PASSWORD}
+      DB_NAME: ca_lose
+    depends_on:
+      - database
+    networks:
+      - ca-lose-internal
+    restart: unless-stopped
+
+  database:
+    container_name: ca-lose-mysql
+    image: mysql:8.0
+    restart: unless-stopped
+    environment:
+      MYSQL_ROOT_PASSWORD: ${DB_PASSWORD}
+      MYSQL_DATABASE: ca_lose
+      TZ: Europe/Berlin
+    volumes:
+      - ca-lose_mysql:/var/lib/mysql
+      - ./mysql-timezone.cnf:/etc/mysql/conf.d/timezone.cnf:ro
+    networks:
+      - ca-lose-internal
+
+  wireguard:
+    container_name: ca-lose-wireguard
+    image: ghcr.io/wg-easy/wg-easy
+    environment:
+      - WG_HOST=${WG_HOST}
+      - WG_DEFAULT_ADDRESS=10.10.0.x
+      - WG_DEFAULT_DNS=1.1.1.1
+      - WG_ALLOWED_IPS=172.25.0.0/24
+      - PASSWORD=${WG_PASSWORD}
+    volumes:
+      - ./wireguard-data:/etc/wireguard
+    ports:
+      - "127.0.0.1:51820:51820/udp" # WireGuard nur lokal erreichbar
+      - "127.0.0.1:51821:51821/tcp" # Web-UI nur lokal erreichbar
+    cap_add:
+      - NET_ADMIN
+      - SYS_MODULE
+    sysctls:
+      - net.ipv4.ip_forward=1
+      - net.ipv4.conf.all.src_valid_mark=1
+    networks:
+      - ca-lose-internal
+    restart: unless-stopped
+
+volumes:
+  ca-lose_mysql:
+  wireguard-data:
+
+networks:
+  ca-lose-internal:
+    driver: bridge
+    ipam:
+      config:
+        - subnet: 172.25.0.0/24
diff --git a/docker-compose.yml b/docker-compose.yml
index 088d0a5..2f86d1f 100644
--- a/docker-compose.yml
+++ b/docker-compose.yml
@@ -19,8 +19,6 @@ services:
       DB_NAME: ca_lose
     depends_on:
       - database
-    networks:
-      - ca-lose-internal
     restart: unless-stopped
 
   database:
@@ -36,40 +34,6 @@ services:
     volumes:
       - ca-lose_mysql:/var/lib/mysql
       - ./mysql-timezone.cnf:/etc/mysql/conf.d/timezone.cnf:ro
-    networks:
-      - ca-lose-internal
-
-  wireguard:
-    container_name: ca-lose-wireguard
-    image: ghcr.io/wg-easy/wg-easy
-    environment:
-      - WG_HOST=${WG_HOST}
-      - WG_DEFAULT_ADDRESS=10.10.0.x
-      - WG_DEFAULT_DNS=1.1.1.1
-      - WG_ALLOWED_IPS=172.25.0.0/24
-      - PASSWORD=${WG_PASSWORD}
-    volumes:
-      - ./wireguard-data:/etc/wireguard
-    ports:
-      - "10.0.0.1:51820:51820/udp" # WireGuard
-      - "10.0.0.1:51821:51821/tcp" # Web-UI
-    cap_add:
-      - NET_ADMIN
-      - SYS_MODULE
-    sysctls:
-      - net.ipv4.ip_forward=1
-      - net.ipv4.conf.all.src_valid_mark=1
-    networks:
-      - ca-lose-internal
-    restart: unless-stopped
 
 volumes:
   ca-lose_mysql:
-  wireguard-data:
-
-networks:
-  ca-lose-internal:
-    driver: bridge
-    ipam:
-      config:
-        - subnet: 172.25.0.0/24