diff --git a/.env.example b/.env.example
new file mode 100644
index 0000000..f17a08f
--- /dev/null
+++ b/.env.example
@@ -0,0 +1,19 @@
+# Gluetun VPN Configuration
+# Provider (e.g. airvpn, mullvad, nordvpn, surfshark, etc.)
+VPN_SERVICE_PROVIDER=
+# VPN Type (wireguard or openvpn)
+VPN_TYPE=
+
+# WireGuard Credentials
+WIREGUARD_PRIVATE_KEY=
+WIREGUARD_ADDRESSES=
+
+WIREGUARD_ENDPOINT_IP=
+# WIREGUARD_ENDPOINT_PORT=51820
+WIREGUARD_PUBLIC_KEY=
+WIREGUARD_PRIVATE_KEY=
+WIREGUARD_ADDRESSES=
+
+# Traefik Basic Auth
+# Format: username:hashedpassword (from htpasswd -nB username)
+TRAEFIK_AUTH=
diff --git a/docker-compose.yml b/docker-compose.yml
index fcaa800..ac274c9 100644
--- a/docker-compose.yml
+++ b/docker-compose.yml
@@ -19,10 +19,12 @@ services:
       - traefik.http.middlewares.tidal-redirect.redirectscheme.permanent=true
       - traefik.http.middlewares.tidal-redirect.redirectscheme.scheme=https
       - traefik.http.routers.tidal.middlewares=tidal-redirect
+      - traefik.http.middlewares.tidal-auth.basicauth.users=${TRAEFIK_AUTH}
       - traefik.http.routers.tidal-secure.entrypoints=https
       - traefik.http.routers.tidal-secure.rule=Host(`tidal.dongho.kim`)
       - traefik.http.routers.tidal-secure.tls=true
       - traefik.http.routers.tidal-secure.tls.certresolver=cloudflare
+      - traefik.http.routers.tidal-secure.middlewares=tidal-auth
       - traefik.http.services.tidal-secure-service.loadbalancer.server.port=8080
   web:
     build: .