diff --git a/custom_helm_charts/nzbget/templates/deployment.yaml b/custom_helm_charts/nzbget/templates/deployment.yaml
index b303d50..a24acf3 100644
--- a/custom_helm_charts/nzbget/templates/deployment.yaml
+++ b/custom_helm_charts/nzbget/templates/deployment.yaml
@@ -21,6 +21,10 @@ spec:
 spec:
 volumes:
 {{ toYaml .Values.volumes | indent 6 }}
+ {{- with .Values.initContainers }}
+ initContainers:
+{{ toYaml . | indent 8 }}
+ {{- end }}
 containers:
 - name: {{ .Chart.Name }}
 image: "{{ .Values.image.repository }}:{{ .Values.image.tag }}"
diff --git a/helm-values/nzbget_values.yaml b/helm-values/nzbget_values.yaml
index e52e620..ad1ae3e 100644
--- a/helm-values/nzbget_values.yaml
+++ b/helm-values/nzbget_values.yaml
@@ -22,20 +22,49 @@ env:
 value: "http://gluetun.default.svc.cluster.local:8888"
 - name: NO_PROXY
 value: "localhost,127.0.0.1,.svc,.cluster.local"
- # Newshosting usenet provider credentials, sourced from the out-of-band
- # `usenet-creds` Secret (not in git, same pattern as gluetun-wireguard).
- # Referenced in nzbget.conf as ${NEWSHOSTING_USER} / ${NEWSHOSTING_PASS}
- # so the password never lives in plaintext in the config file.
- - name: NEWSHOSTING_USER
- valueFrom:
- secretKeyRef:
- name: usenet-creds
- key: NEWSHOSTING_USER
- - name: NEWSHOSTING_PASS
- valueFrom:
- secretKeyRef:
- name: usenet-creds
- key: NEWSHOSTING_PASS
+
+# nzbget cannot read server credentials from environment variables (its
+# ${...} config syntax only references other nzbget options, not env). So an
+# init container renders the Server1 (newshosting) block into nzbget.conf on
+# every start: the non-secret settings live here in git, while the username
+# and password come from the out-of-band `usenet-creds` Secret (same pattern
+# as gluetun-wireguard — secret not committed). Rotating the secret + a pod
+# restart re-renders the creds. No provider password is ever stored in git.
+initContainers:
+ - name: render-newshosting
+ image: lscr.io/linuxserver/nzbget:latest
+ command:
+ - sh
+ - -c
+ - |
+ f=/config/nzbget.conf
+ [ -f "$f" ] || { echo "nzbget.conf absent; main container will seed defaults"; exit 0; }
+ sed -i \
+ -e "s|^Server1.Active=.*|Server1.Active=yes|" \
+ -e "s|^Server1.Name=.*|Server1.Name=newshosting|" \
+ -e "s|^Server1.Host=.*|Server1.Host=news.newshosting.com|" \
+ -e "s|^Server1.Port=.*|Server1.Port=563|" \
+ -e "s|^Server1.Encryption=.*|Server1.Encryption=yes|" \
+ -e "s|^Server1.Connections=.*|Server1.Connections=30|" \
+ -e "s|^Server1.Username=.*|Server1.Username=${NEWSHOSTING_USER}|" \
+ -e "s|^Server1.Password=.*|Server1.Password=${NEWSHOSTING_PASS}|" \
+ "$f"
+ echo "rendered newshosting Server1 block into nzbget.conf"
+ env:
+ - name: NEWSHOSTING_USER
+ valueFrom:
+ secretKeyRef:
+ name: usenet-creds
+ key: NEWSHOSTING_USER
+ - name: NEWSHOSTING_PASS
+ valueFrom:
+ secretKeyRef:
+ name: usenet-creds
+ key: NEWSHOSTING_PASS
+ volumeMounts:
+ - name: plex-data
+ mountPath: /config
+ subPath: configs/nzbget
 service:
 type: ClusterIP
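Review bot: The two credential expressions in the `sed -i` call splice `${NEWSHOSTING_USER}` and `${NEWSHOSTING_PASS}` straight into the replacement text, so a value containing `|`, `&` or `\` either breaks the expression or is written to nzbget.conf altered (`&` expands to the matched line). The script has no `set -e` and ends with `echo`, so a failed sed still lets the init container exit 0 and the pod start with whatever credentials the file already held. Escaping both values first and failing on error, as in the excerpt below, closes both gaps. The new comment block should also state that the password now sits in plaintext in /config/nzbget.conf on the `plex-data` volume, which the removed comment had set out to avoid. Separately, `lscr.io/linuxserver/nzbget:latest` is a mutable tag on a container that reads the Secret, so a fixed tag or digest would be safer.

```yaml
      - |
        set -eu
        f=/config/nzbget.conf
        # … unchanged: nzbget.conf existence check …
        # Escape what sed treats specially in a replacement: \, & and the | delimiter.
        user=$(printf '%s' "$NEWSHOSTING_USER" | sed 's/[\\&|]/\\&/g')
        pass=$(printf '%s' "$NEWSHOSTING_PASS" | sed 's/[\\&|]/\\&/g')
        # … unchanged: sed -i and the non-secret Server1.* expressions …
          -e "s|^Server1.Username=.*|Server1.Username=${user}|" \
          -e "s|^Server1.Password=.*|Server1.Password=${pass}|" \
        # … unchanged: "$f" argument and final echo …
```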