diff --git a/.gitignore b/.gitignore index 66ab533..6009da9 100644 --- a/.gitignore +++ b/.gitignore @@ -22,5 +22,8 @@ node_modules/ .env .env.* +# Ignore generated secrets +dynamic.d/middlewares/crowdsec.yml + # Ignore backup files -*.~* \ No newline at end of file +*.~* diff --git a/README.md b/README.md index 085aaa1..03c1504 100644 --- a/README.md +++ b/README.md @@ -28,8 +28,7 @@ Configuration files is customized for Gbanyan personal usage. ## Configuration -- **.env**: Cloudflare E-mail and API Token for SSL DNS Challenge - - Also defines `ACME_EMAIL` (Let’s Encrypt contact) and `CROWDSEC_LAPI_KEY` +- **.env**: Cloudflare E-mail/API Token plus `CROWDSEC_LAPI_KEY`. Run `scripts/render_dynamic.sh` after editing `.env` so the CrowdSec middleware file is regenerated (it stays ignored by git). - **Traefik Configuration**: Modify `traefik.yml`, `dynamic.yml` to customize Traefik's behavior. - **Docker Compose**: Use `docker-compose.yml` to define services and networks. diff --git a/docker-compose.yaml b/docker-compose.yaml index 5059edd..70f12e3 100644 --- a/docker-compose.yaml +++ b/docker-compose.yaml @@ -13,8 +13,6 @@ services: environment: - CLOUDFLARE_EMAIL=${CLOUDFLARE_EMAIL} - CLOUDFLARE_DNS_API_TOKEN=${CLOUDFLARE_DNS_API_TOKEN} - - TRAEFIK_CERTIFICATESRESOLVERS_LETSENCRYPT_ACME_EMAIL=${ACME_EMAIL} - - CROWDSEC_LAPI_KEY=${CROWDSEC_LAPI_KEY} volumes: - /var/run/docker.sock:/var/run/docker.sock:ro - ./certs:/letsencrypt diff --git a/scripts/render_dynamic.sh b/scripts/render_dynamic.sh new file mode 100755 index 0000000..61c602b --- /dev/null +++ b/scripts/render_dynamic.sh 
@@ -0,0 +1,19 @@ +#!/usr/bin/env bash +set -euo pipefail +ROOT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")/.." && pwd)" +cd "$ROOT_DIR" +if [[ ! -f .env ]]; then + echo "Missing .env file. Copy .env.example and fill in secrets." >&2 + exit 1 +fi +set -a +# shellcheck disable=SC1091 +source .env +set +a +: "${CROWDSEC_LAPI_KEY:?CROWDSEC_LAPI_KEY must be set in .env}" +if ! command -v envsubst >/dev/null 2>&1; then + echo "envsubst is required to render templates." >&2 + exit 1 +fi +envsubst < dynamic.d/middlewares/crowdsec.yml.tmpl > dynamic.d/middlewares/crowdsec.yml +echo "Rendered dynamic.d/middlewares/crowdsec.yml" diff --git a/traefik.yml b/traefik.yml index 39102a7..4285f1d 100644 --- a/traefik.yml +++ b/traefik.yml @@ -112,6 +112,7 @@ providers: certificatesResolvers: letsencrypt: acme: + email: gbanyan.huang@gmail.com storage: /letsencrypt/acme.json dnsChallenge: provider: cloudflare
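Review bot: The rendered `dynamic.d/middlewares/crowdsec.yml` holds the LAPI key, yet the `envsubst ... > dynamic.d/middlewares/crowdsec.yml` line creates it with the caller's default umask (usually world-readable) and the `>` redirect truncates it before `envsubst` runs, so a failed render leaves an empty file behind. Bare `envsubst` also expands every `$NAME` found in the template from the environment, which after `set -a; source .env` includes every other value in `.env`; passing `'${CROWDSEC_LAPI_KEY}'` restricts substitution to the one variable intended. Rendering to a temp file under `umask 077` and moving it into place addresses both, and because the temp file's mode carries over, a pre-existing 0644 copy is replaced rather than kept.
```shell
# … unchanged: ROOT_DIR, .env sourcing, CROWDSEC_LAPI_KEY and envsubst checks …
umask 077   # rendered file contains the LAPI key; keep it owner-only
out="dynamic.d/middlewares/crowdsec.yml"
tmp="$out.tmp"
trap 'rm -f "$tmp"' EXIT
envsubst '${CROWDSEC_LAPI_KEY}' < "$out.tmpl" > "$tmp"
mv -f "$tmp" "$out"
echo "Rendered dynamic.d/middlewares/crowdsec.yml"
```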