diff --git a/docker-compose.yaml b/docker-compose.yaml
new file mode 100644
index 0000000..470ef55
--- /dev/null
+++ b/docker-compose.yaml
@@ -0,0 +1,53 @@
+secrets:
+ cf-token:
+ file: /home/ampadmin/docker/traefik-v3/cf-token
+services:
+ traefik:
+ image: traefik:v3.6.15 # or traefik:v3.3 to pin a version
+ container_name: traefik
+ restart: unless-stopped
+ security_opt:
+ - no-new-privileges:true # helps to increase security
+ secrets:
+ - cf-token # the secret at the top of this file
+ env_file:
+ - .env # store other secrets e.g., dashboard password
+ networks:
+ - proxy
+ ports:
+ - 80:80
+ - 443:443
+ # - 10000:10000 # optional
+ # - 33073:33073 # optional
+ environment:
+ - TRAEFIK_DASHBOARD_CREDENTIALS=${TRAEFIK_DASHBOARD_CREDENTIALS}
+ - CF_API_EMAIL=asgardlabs@proton.me # Cloudflare email
+ - CF_DNS_API_TOKEN=YOUR-TOKEN # Cloudflare API Token
+ - CF_DNS_API_TOKEN_FILE=/run/secrets/cf-token # see https://doc.traefik.io/traefik/https/acme/#providers
+ # token file is the proper way to do it
+ volumes:
+ - /etc/localtime:/etc/localtime:ro
+ - /var/run/docker.sock:/var/run/docker.sock:ro
+ - /home/ampadmin/docker/traefik-v3/config/traefik.yaml:/traefik.yaml:ro
+ - /home/ampadmin/docker/traefik-v3/config/acme.json:/acme.json
+ - /home/ampadmin/docker/traefik-v3/config/config.yaml:/config.yaml:ro
+ - /home/ampadmin/docker/traefik-v3/config/logs:/var/log/traefik
+ labels:
+ - "traefik.enable=true"
+ - "traefik.http.routers.traefik.entrypoints=http"
+ - "traefik.http.routers.traefik.rule=Host(`traefik.bifrostlabs.org`)"
+ - "traefik.http.middlewares.traefik-auth.basicauth.users=${TRAEFIK_DASHBOARD_CREDENTIALS}"
+ - "traefik.http.middlewares.traefik-https-redirect.redirectscheme.scheme=https"
+ - "traefik.http.middlewares.sslheader.headers.customrequestheaders.X-Forwarded-Proto=https"
+ - "traefik.http.routers.traefik.middlewares=traefik-https-redirect"
+ - "traefik.http.routers.traefik-secure.entrypoints=https"
+ - "traefik.http.routers.traefik-secure.rule=Host(`traefik.bifrostlabs.org`)"
+ - "traefik.http.routers.traefik-secure.middlewares=traefik-auth"
+ - "traefik.http.routers.traefik-secure.tls=true"
+ - "traefik.http.routers.traefik-secure.tls.certresolver=cloudflare"
+ - "traefik.http.routers.traefik-secure.tls.domains[0].main=bifrostlabs.org"
+ - "traefik.http.routers.traefik-secure.tls.domains[0].sans=*.bifrostlabs.org"
+ - "traefik.http.routers.traefik-secure.service=api@internal"
+
+networks:
+ proxy:
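Review bot: The `CF_DNS_API_TOKEN=YOUR-TOKEN` entry under `environment` should be dropped, since `CF_DNS_API_TOKEN_FILE=/run/secrets/cf-token` on the next line already supplies the token from the `cf-token` secret. As far as I know the ACME DNS provider lookup reads the plain variable first and falls back to the `_FILE` variant only when it is unset, so the placeholder would likely shadow the real secret, and the line invites pasting a live token into a tracked file. Separately, the `:ro` flag on `/var/run/docker.sock:/var/run/docker.sock:ro` only makes the bind mount read-only; it does not restrict Docker API calls, so a compromise of this internet-facing container would still have full control of the daemon. Consider putting a filtering socket proxy on an internal network in front of the socket, or at least adding a comment such as `# docker.sock grants full Docker API access; :ro does not limit it`.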