chore(traefik): clearer naming for aggregated services

roles/traefik/defaults/main.yml

@@ -51,14 +51,22 @@ log_level: "INFO"
 # Network name
 traefik_network: "proxy"
 
-# Services to expose (defined by application roles via host_vars or group_vars)
+# Services to expose through DMZ (defined on backend servers via host_vars)
-# Each backend server should define this variable with their services
+# The DMZ proxy aggregates these from all backend_servers and auto-populates backend_host
-# traefik_services:
+# dmz_exposed_services:
 #   - name: httpbin
 #     domain: httpbin.example.com
 #     port: 8080
 #     protocol: http  # http or https
-#     entrypoints: [websecure]  # optional, defaults based on SSL config
+
+# Services to expose directly on the proxy (for hosts not managed by Ansible)
+# Define on the DMZ host itself - requires explicit backend_host
+# traefik_services:
+#   - name: external-api
+#     domain: api.example.com
+#     backend_host: 10.0.0.50  # required for direct definitions
+#     port: 8080
+#     protocol: http
 
 # DMZ mode: Explicit backend server mapping
 # Define which backend servers this DMZ proxy should route to

roles/traefik/tasks/main.yml

@@ -9,10 +9,15 @@
 
 - name: Build service registry from backend servers (DMZ mode)
   set_fact:
-    proxied_services: "{{ proxied_services | default([]) + hostvars[item].traefik_services | default([]) | map('combine', {'backend_host': hostvars[item].ansible_host | default(item)}) | list }}"
+    proxied_services: "{{ proxied_services | default([]) + hostvars[item].dmz_exposed_services | default([]) | map('combine', {'backend_host': hostvars[item].ansible_host | default(item)}) | list }}"
   loop: "{{ _backend_servers | default([]) }}"
   when: traefik_mode == 'dmz'
 
+- name: Add directly defined services to registry (DMZ mode)
+  set_fact:
+    proxied_services: "{{ proxied_services | default([]) + traefik_services | default([]) }}"
+  when: traefik_mode == 'dmz'
+
 - name: Debug service registry
   debug:
     var: proxied_services