From a5275b879575432e6a246859af108ce26c3c4607 Mon Sep 17 00:00:00 2001
From: Bert-Jan Fikse <bert-jan@whatwedo.ch>
Date: Thu, 22 Jan 2026 17:14:38 +0100
Subject: [PATCH] chore(traefik): clearer naming for aggregated services

---
 roles/traefik/defaults/main.yml | 16 ++++++++++++----
 roles/traefik/tasks/main.yml    |  7 ++++++-
 2 files changed, 18 insertions(+), 5 deletions(-)

diff --git a/roles/traefik/defaults/main.yml b/roles/traefik/defaults/main.yml
index c896ae2..44f83de 100644
--- a/roles/traefik/defaults/main.yml
+++ b/roles/traefik/defaults/main.yml
@@ -51,14 +51,22 @@ log_level: "INFO"
 # Network name
 traefik_network: "proxy"
 
-# Services to expose (defined by application roles via host_vars or group_vars)
-# Each backend server should define this variable with their services
-# traefik_services:
+# Services to expose through DMZ (defined on backend servers via host_vars)
+# The DMZ proxy aggregates these from all backend_servers and auto-populates backend_host
+# dmz_exposed_services:
 #   - name: httpbin
 #     domain: httpbin.example.com
 #     port: 8080
 #     protocol: http  # http or https
-#     entrypoints: [websecure]  # optional, defaults based on SSL config
+
+# Services to expose directly on the proxy (for hosts not managed by Ansible)
+# Define on the DMZ host itself - requires explicit backend_host
+# traefik_services:
+#   - name: external-api
+#     domain: api.example.com
+#     backend_host: 10.0.0.50  # required for direct definitions
+#     port: 8080
+#     protocol: http
 
 # DMZ mode: Explicit backend server mapping
 # Define which backend servers this DMZ proxy should route to
diff --git a/roles/traefik/tasks/main.yml b/roles/traefik/tasks/main.yml
index d9253eb..7c6587c 100644
--- a/roles/traefik/tasks/main.yml
+++ b/roles/traefik/tasks/main.yml
@@ -9,10 +9,15 @@
 
 - name: Build service registry from backend servers (DMZ mode)
   set_fact:
-    proxied_services: "{{ proxied_services | default([]) + hostvars[item].traefik_services | default([]) | map('combine', {'backend_host': hostvars[item].ansible_host | default(item)}) | list }}"
+    proxied_services: "{{ proxied_services | default([]) + hostvars[item].dmz_exposed_services | default([]) | map('combine', {'backend_host': hostvars[item].ansible_host | default(item)}) | list }}"
   loop: "{{ _backend_servers | default([]) }}"
   when: traefik_mode == 'dmz'
 
+- name: Add directly defined services to registry (DMZ mode)
+  set_fact:
+    proxied_services: "{{ proxied_services | default([]) + traefik_services | default([]) }}"
+  when: traefik_mode == 'dmz'
+
 - name: Debug service registry
   debug:
     var: proxied_services