diff --git a/.env.sample b/.env.sample
index 0ac5747..cb14413 100644
--- a/.env.sample
+++ b/.env.sample
@@ -86,6 +86,15 @@ COMPOSE_FILE="compose.yml"
 #SECRET_PORKBUN_API_KEY_VERSION=v1
 #SECRET_PORKBUN_SECRET_API_KEY_VERSION=v1
+## Cloudflare, htps://cloudflare.com
+## To insert your secrets:
+## abra app secret insert {myapp.example.coop} cf_email v1 ""
+## abra app secret insert {myapp.example.coop} cf_api_key v1 ""
+## cf_api_key is an account API key from Cloudflare that has DNS read + edit permission
+#COMPOSE_FILE="$COMPOSE_FILE:compose.cloudflare.yml"
+#SECRET_CLOUDFLARE_EMAIL_VERSION=v1 # generate=false
+#SECRET_CLOUDFLARE_API_KEY_VERSION=v1 # generate=false
+
 #####################################################################
 # Manual wildcard certificate insertion #
 #####################################################################
diff --git a/README.md b/README.md
index a2bf262..e0e84bb 100644
--- a/README.md
+++ b/README.md
@@ -42,8 +42,8 @@ subdomains, like need to give Traefik access to your DNS provider so that it can carry out Letsencrypt DNS challenges.
-1. Use Gandi, OVH, DO, Azure, or PorkBun for DNS 🤡 (support for other providers
- can be easily added, see
+1. Use Gandi, OVH, DO, Azure, PorkBun, or Cloudflare for DNS 🤡 (support for
+ other providers can be easily added, see
 [the `lego` docs](https://go-acme.github.io/lego/dns/#dns-providers).
 2. Run `abra app config YOURAPPDOMAIN`
 3. Uncomment e.g. `ENABLE_GANDI` and the related `SECRET_.._VERSION` line, e.g.
diff --git a/compose.cloudflare.yml b/compose.cloudflare.yml
new file mode 100644
index 0000000..1feb55b
--- /dev/null
+++ b/compose.cloudflare.yml
@@ -0,0 +1,18 @@
+version: "3.8"
+
+services:
+ app:
+ environment:
+ - CLOUDFLARE_EMAIL_FILE=/run/secrets/cf_email
+ - CLOUDFLARE_API_KEY_FILE=/run/secrets/cf_api_key
+ secrets:
+ - cf_email
+ - cf_api_key
+
+secrets:
+ cf_email:
+ name: ${STACK_NAME}_cf_email_${SECRET_CLOUDFLARE_EMAIL_VERSION}
+ external: true
+ cf_api_key:
+ name: ${STACK_NAME}_cf_api_key_${SECRET_CLOUDFLARE_API_KEY_VERSION}
+ external: true
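Review bot: The `app` environment wires `CLOUDFLARE_EMAIL_FILE` with `CLOUDFLARE_API_KEY_FILE`, which in lego's Cloudflare provider is the account e-mail plus Global API Key login; that key is not limited to DNS, so the `cf_api_key` secret mounted into the Traefik container carries far more privilege than the ACME DNS challenge needs. lego also reads a scoped token from `CLOUDFLARE_DNS_API_TOKEN` (the `_FILE` suffix works the same way), so I would mount a single token limited to zone read and DNS edit on the zones in use and drop the e-mail secret, as sketched below with a suggested secret name and version variable. The `.env.sample` hunk needs the matching edit: its comment calls `cf_api_key` a key "that has DNS read + edit permission", which describes a scoped token rather than the credential this variable pair expects, and its URL is misspelled `htps://`.

```yaml
# … unchanged: version, services.app …
    environment:
      - CLOUDFLARE_DNS_API_TOKEN_FILE=/run/secrets/cf_dns_api_token
    secrets:
      - cf_dns_api_token

secrets:
  cf_dns_api_token:
    name: ${STACK_NAME}_cf_dns_api_token_${SECRET_CLOUDFLARE_DNS_API_TOKEN_VERSION}
    external: true
```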