From d0ae0a4df950c23e9c2a327bfde9ee50dd7a92b3 Mon Sep 17 00:00:00 2001
From: Bert-Jan Fikse
Date: Thu, 22 Jan 2026 17:14:38 +0100
Subject: [PATCH] chore(traefik): clearer naming for aggregated services
---
 roles/traefik/defaults/main.yml | 20 ++++++++++++++------
 roles/traefik/tasks/main.yml | 9 +++++++--
 2 files changed, 21 insertions(+), 8 deletions(-)
diff --git a/roles/traefik/defaults/main.yml b/roles/traefik/defaults/main.yml
index c896ae2..a0ede49 100644
--- a/roles/traefik/defaults/main.yml
+++ b/roles/traefik/defaults/main.yml
@@ -51,20 +51,28 @@ log_level: "INFO"
 # Network name
 traefik_network: "proxy"
-# Services to expose (defined by application roles via host_vars or group_vars)
-# Each backend server should define this variable with their services
-# traefik_services:
+# Services to expose through DMZ (defined on backend servers via host_vars)
+# The DMZ proxy aggregates these from all backend_servers and auto-populates backend_host
+# traefik_dmz_exposed_services:
 # - name: httpbin
 # domain: httpbin.example.com
 # port: 8080
 # protocol: http # http or https
-# entrypoints: [websecure] # optional, defaults based on SSL config
+
+# Services to expose directly on the proxy (for hosts not managed by Ansible)
+# Define on the DMZ host itself - requires explicit backend_host
+# traefik_services:
+# - name: external-api
+# domain: api.example.com
+# backend_host: 10.0.0.50 # required for direct definitions
+# port: 8080
+# protocol: http
 # DMZ mode: Explicit backend server mapping
 # Define which backend servers this DMZ proxy should route to
 # If empty or undefined, routes to all servers in backend_servers group
-backend_servers_to_proxy: []
+traefik_backend_servers_to_proxy: []
 # Example:
-# backend_servers_to_proxy:
+# traefik_backend_servers_to_proxy:
 # - backend1
 # - backend2
\ No newline at end of file
diff --git a/roles/traefik/tasks/main.yml b/roles/traefik/tasks/main.yml
index d9253eb..385501c 100644
--- a/roles/traefik/tasks/main.yml
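Review bot: Renaming the default to `traefik_backend_servers_to_proxy: []` fails open for any inventory that still sets `backend_servers_to_proxy`: the old name is ignored without an error, the new list stays empty, and per the comment just above it an empty list routes to every host in `backend_servers`. A DMZ proxy that had been restricted to a subset of backends would start publishing all of them after the upgrade. The renamed variable is read by the first task in the roles/traefik/tasks/main.yml hunk, so a guard there (an `assert` with `that: backend_servers_to_proxy is not defined` and a `fail_msg` naming the new variable) would turn the silent widening into a hard failure. At minimum, record the rename next to the default, e.g. `# Renamed from backend_servers_to_proxy; the old name is no longer read`.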
+++ b/roles/traefik/tasks/main.yml
@@ -4,15 +4,20 @@
 - name: Determine which backend servers to proxy (DMZ mode)
 set_fact:
- _backend_servers: "{{ backend_servers_to_proxy if backend_servers_to_proxy | length > 0 else groups['backend_servers'] | default([]) }}"
+ _backend_servers: "{{ traefik_backend_servers_to_proxy if traefik_backend_servers_to_proxy | length > 0 else groups['backend_servers'] | default([]) }}"
 when: traefik_mode == 'dmz'
 - name: Build service registry from backend servers (DMZ mode)
 set_fact:
- proxied_services: "{{ proxied_services | default([]) + hostvars[item].traefik_services | default([]) | map('combine', {'backend_host': hostvars[item].ansible_host | default(item)}) | list }}"
+ proxied_services: "{{ proxied_services | default([]) + hostvars[item].traefik_dmz_exposed_services | default([]) | map('combine', {'backend_host': hostvars[item].ansible_host | default(item)}) | list }}"
 loop: "{{ _backend_servers | default([]) }}"
 when: traefik_mode == 'dmz'
+- name: Add directly defined services to registry (DMZ mode)
+ set_fact:
+ proxied_services: "{{ proxied_services | default([]) + traefik_services | default([]) }}"
+ when: traefik_mode == 'dmz'
+
 - name: Debug service registry
 debug:
 var: proxied_services
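Review bot: The added task `Add directly defined services to registry (DMZ mode)` appends `traefik_services` to `proxied_services` unchecked, although the defaults comment says direct definitions require an explicit `backend_host`. Aggregated entries get `backend_host` forced by the `combine` in the task above, but a direct entry without it reaches whatever consumes `proxied_services` (not visible in this hunk) with no backend set, and a direct entry can reuse a `name` or `domain` that a backend already contributed. Backend hosts that still define `traefik_services` under its old meaning are also skipped silently by the aggregation loop, which now reads `traefik_dmz_exposed_services`. A validation task placed before the new one would fail the play early, and a uniqueness check on `domain` could follow the same pattern.

```yaml
- name: Validate directly defined services (DMZ mode)
  assert:
    that:
      - item.backend_host is defined
      - item.backend_host | string | length > 0
    fail_msg: "traefik_services entry '{{ item.name | default('unnamed') }}' is missing backend_host"
  loop: "{{ traefik_services | default([]) }}"
  when: traefik_mode == 'dmz'

# … unchanged: Add directly defined services to registry (DMZ mode) …
```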