diff --git a/docker-compose.yml b/docker-compose.yml
index 002c9d6..04001f3 100644
--- a/docker-compose.yml
+++ b/docker-compose.yml
@@ -11,7 +11,7 @@ services:
       - --api.dashboard=true
       # configure Let's Encrypt automatic certificates
       - --certificatesresolvers.${TRAEFIK_CERTRESOLVER}.acme.dnschallenge=true
-      - --certificatesresolvers.${TRAEFIK_CERTRESOLVER}.acme.dnschallenge.provider=hetzner
+      - --certificatesresolvers.${TRAEFIK_CERTRESOLVER}.acme.dnschallenge.provider=${TRAEFIK_DNSPROVIDER}
       - --certificatesresolvers.${TRAEFIK_CERTRESOLVER}.acme.email=${LETSENCRYPT_EMAIL}
       - --certificatesresolvers.${TRAEFIK_CERTRESOLVER}.acme.keytype=RSA4096
       - --certificatesresolvers.${TRAEFIK_CERTRESOLVER}.acme.storage=/certs.json
@@ -30,8 +30,8 @@ services:
       # should not need, but just in case, a folder for dynamic config files is also configured
       - --providers.file.directory=/config
       - --providers.file.watch=true
-    environment:
-      - HETZNER_API_KEY=${HETZNER_API_KEY}
+    env_file:
+      - ${TRAEFIK_DNSPROVIDER_ENVFILE}
     labels:
       # expose Træfik using Træfik (dashboard)
       - traefik.enable=${TRAEFIK_ENABLED}
diff --git a/env.dnsprovider.example b/env.dnsprovider.example
new file mode 100644
index 0000000..8e52be0
--- /dev/null
+++ b/env.dnsprovider.example
@@ -0,0 +1 @@
+HETZNER_API_KEY=
diff --git a/env.example b/env.example
index 782ae50..897bbb1 100644
--- a/env.example
+++ b/env.example
@@ -11,7 +11,8 @@ TRAEFIK_PILOT_TOKEN=
 TRAEFIK_TLSENABLED=true
 
 # Certificate provider
-HETZNER_API_KEY=
+TRAEFIK_DNSPROVIDER=hetzner
+TRAEFIK_DNSPROVIDER_ENVFILE=./.env.dnsprovider
 LETSENCRYPT_EMAIL=admin@mydomain.com
 
 # Debugging