diff --git a/.env.sample b/.env.sample
index 18728a3..475733c 100644
--- a/.env.sample
+++ b/.env.sample
@@ -44,6 +44,12 @@ COMPOSE_FILE="compose.yml"
 #GANDI_ENABLED=1
 #SECRET_GANDIV5_API_KEY_VERSION=v1
+## Cloudflare, https://cloudflare.com
+#COMPOSE_FILE="$COMPOSE_FILE:compose.cloudflare.yml"
+#CLOUDFLARE_ENABLED=1
+#SECRET_CLOUDFLARE_EMAIL_VERSION=v1
+#SECRET_CLOUDFLARE_API_KEY=v1
+
 #####################################################################
 # Keycloak log-in #
 #####################################################################
diff --git a/compose.cloudflare.yml b/compose.cloudflare.yml
new file mode 100644
index 0000000..4caa409
--- /dev/null
+++ b/compose.cloudflare.yml
@@ -0,0 +1,20 @@
+version: "3.8"
+
+services:
+app:
+environment:
+- CLOUDFLARE_EMAIL_FILE=/run/secrets/cloudflare_email
+- CLOUDFLARE_API_KEY_FILE=/run/secrets/cloudflare_api_key
+- LETS_ENCRYPT_DNS_CHALLENGE_ENABLED
+- LETS_ENCRYPT_DNS_CHALLENGE_PROVIDER
+secrets:
+- cloudflare_email
+- cloudflare_api_key
+
+secrets:
+cloudflare_email:
+name: ${STACK_NAME}_cloudflare_email_${SECRET_CLOUDFLARE_EMAIL_VERSION}
+external: true
+cloudflare_api_key:
+name: ${STACK_NAME}_cloudflare_api_key_${SECRET_CLOUDFLARE_API_KEY}
+external: true
diff --git a/compose.yml b/compose.yml
index 0d618ba..b204b0e 100644
--- a/compose.yml
+++ b/compose.yml
@@ -26,6 +26,8 @@ services:
 environment:
 - DASHBOARD_ENABLED
 - LOG_LEVEL
+- LETS_ENCRYPT_EMAIL
+- LETS_ENCRYPT_ENV
 healthcheck:
 test: ["CMD", "traefik", "healthcheck"]
 interval: 30s
diff --git a/entrypoint.sh.tmpl b/entrypoint.sh.tmpl
index 298d5dc..b085594 100644
--- a/entrypoint.sh.tmpl
+++ b/entrypoint.sh.tmpl
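Review bot: `#SECRET_CLOUDFLARE_API_KEY=v1` breaks the naming convention that both the neighbouring Gandi entry (`SECRET_GANDIV5_API_KEY_VERSION`) and the email entry on the line above follow; it should read `#SECRET_CLOUDFLARE_API_KEY_VERSION=v1`, and compose.cloudflare.yml in this same commit, which builds the secret name from `${SECRET_CLOUDFLARE_API_KEY}`, must switch to `${SECRET_CLOUDFLARE_API_KEY_VERSION}` together with it. As written, the variable name reads as the place to put the API key itself rather than a version suffix, and a user who does that ends up with the key embedded in the Docker secret name, which is plain metadata rather than protected secret payload. The same point applies to the compose.cloudflare.yml hunk and is not repeated there.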
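Review bot: The `environment:` list of the `app` service does not pass `CLOUDFLARE_ENABLED` into the container, yet entrypoint.sh.tmpl gates the credential exports on `{{ if eq (env "CLOUDFLARE_ENABLED") "1" }}`; unless that variable reaches the service environment by a path not shown here (the OVH and Gandi overrides are not in this diff, so their pattern cannot be checked), the Cloudflare exports never run and the DNS challenge fails for lack of credentials. Adding `- CLOUDFLARE_ENABLED` next to the two `_FILE` entries closes that gap. Separately, the `CLOUDFLARE_EMAIL`/`CLOUDFLARE_API_KEY` pair is the account-wide Global API Key; Traefik's cloudflare provider also accepts a scoped DNS token (`CF_DNS_API_TOKEN`), which confines what a leaked secret can do to DNS edits on the zones it covers, so a comment such as `# Global API Key grants full account access; a zone-scoped token (CF_DNS_API_TOKEN) is the lower-privilege option` would help operators pick the safer credential.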
@@ -11,4 +11,9 @@ export OVH_APPLICATION_SECRET=$(cat "$OVH_APPLICATION_SECRET_FILE")
 export GANDIV5_API_KEY=$(cat "$GANDIV5_API_KEY_FILE")
 {{ end }}
+{{ if eq (env "CLOUDFLARE_ENABLED") "1" }}
+export CLOUDFLARE_EMAIL=$(cat "$CLOUDFLARE_EMAIL_FILE")
+export CLOUDFLARE_API_KEY=$(cat "$CLOUDFLARE_API_KEY_FILE")
+{{ end }}
+
 /entrypoint.sh "$@"
diff --git a/traefik.yml.tmpl b/traefik.yml.tmpl
index 980b909..603a869 100644
--- a/traefik.yml.tmpl
+++ b/traefik.yml.tmpl
@@ -77,30 +77,36 @@ metrics:
 {{ end }}
 certificatesResolvers:
+{{ if eq (env "LETS_ENCRYPT_ENV") "staging" }}
 staging:
 acme:
 email: {{ env "LETS_ENCRYPT_EMAIL" }}
 storage: /etc/letsencrypt/staging-acme.json
 caServer: "https://acme-staging-v02.api.letsencrypt.org/directory"
-httpChallenge:
-entryPoint: web
 {{ if eq (env "LETS_ENCRYPT_DNS_CHALLENGE_ENABLED") "1" }}
 dnsChallenge:
 provider: {{ (env "LETS_ENCRYPT_DNS_CHALLENGE_PROVIDER") }}
 resolvers:
 - "1.1.1.1:53"
 - "8.8.8.8:53"
+{{ else }}
+httpChallenge:
+entryPoint: web
 {{ end }}
+{{ end }}
+{{ if eq (env "LETS_ENCRYPT_ENV") "production" }}
 production:
 acme:
 email: {{ env "LETS_ENCRYPT_EMAIL" }}
 storage: /etc/letsencrypt/production-acme.json
-httpChallenge:
-entryPoint: web
 {{ if eq (env "LETS_ENCRYPT_DNS_CHALLENGE_ENABLED") "1" }}
 dnsChallenge:
 provider: {{ (env "LETS_ENCRYPT_DNS_CHALLENGE_PROVIDER") }}
 resolvers:
 - "1.1.1.1:53"
 - "8.8.8.8:53"
+{{ else }}
+httpChallenge:
+entryPoint: web
 {{ end }}
+{{ end }}
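Review bot: `export CLOUDFLARE_API_KEY=$(cat "$CLOUDFLARE_API_KEY_FILE")` masks a failed read, because the exit status of an `export VAR=$(cmd)` line is that of `export`, not of `cat`, so a missing or unreadable secret file exports an empty key and `/entrypoint.sh "$@"` starts regardless, with the problem surfacing later, if at all, as a DNS-challenge error. Separating assignment from export makes the read fail fast: `CLOUDFLARE_API_KEY=$(cat "$CLOUDFLARE_API_KEY_FILE") || exit 1` followed by `export CLOUDFLARE_API_KEY`, and likewise for `CLOUDFLARE_EMAIL`. The OVH and Gandi lines above this hunk use the same `export X=$(cat ...)` form, so this is a consistency note rather than something this commit alone regresses.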
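Review bot: With the new `{{ if eq (env "LETS_ENCRYPT_ENV") "staging" }}` and `"production"` guards, any value of `LETS_ENCRYPT_ENV` other than those two strings, including unset, which is what compose.yml's bare `- LETS_ENCRYPT_ENV` passthrough yields when the operator has not set it, renders `certificatesResolvers:` with no children, so no resolver exists and certificate issuance silently stops; before this change both resolvers were always defined. A default at the compose.yml line, `- LETS_ENCRYPT_ENV=${LETS_ENCRYPT_ENV:-production}`, or making the production block the `{{ else }}` branch of the staging check, would keep existing deployments working and turn a typo into the production path instead of an empty mapping. Whether anything follows the final `{{ end }}` of this hunk in the file is not visible here.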