From 1b82acad1f7ff2abaa53e95d5a74159fcc6e7c56 Mon Sep 17 00:00:00 2001
From: Tuan-Dat Tran
Date: Tue, 24 Feb 2026 23:53:00 +0100
Subject: [PATCH] feat(edge_vps): add Traefik setup task and template
---
roles/edge_vps/tasks/30_traefik.yaml | 15 +++++
.../templates/traefik/traefik_config.yml.j2 | 57 +++++++++++++++++++
2 files changed, 72 insertions(+)
create mode 100644 roles/edge_vps/tasks/30_traefik.yaml
create mode 100644 roles/edge_vps/templates/traefik/traefik_config.yml.j2
diff --git a/roles/edge_vps/tasks/30_traefik.yaml b/roles/edge_vps/tasks/30_traefik.yaml
new file mode 100644
index 0000000..7de6ec1
--- /dev/null
+++ b/roles/edge_vps/tasks/30_traefik.yaml
@@ -0,0 +1,15 @@
+---
+- name: Deploy Traefik config
+ ansible.builtin.template:
+ src: traefik/traefik_config.yml.j2
+ dest: "{{ edge_vps_traefik_config_dir }}/traefik_config.yml"
+ mode: "0644"
+ notify: restart traefik
+
+- name: Deploy Cloudflare credentials for ACME
+ ansible.builtin.copy:
+ content: |
+ CF_DNS_API_TOKEN={{ vault_edge_vps.traefik.cloudflare_api_token }}
+ dest: "{{ edge_vps_traefik_config_dir }}/cloudflare.env"
+ mode: "0600"
+ no_log: true
diff --git a/roles/edge_vps/templates/traefik/traefik_config.yml.j2 b/roles/edge_vps/templates/traefik/traefik_config.yml.j2
new file mode 100644
index 0000000..50b992e
--- /dev/null
+++ b/roles/edge_vps/templates/traefik/traefik_config.yml.j2
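Review bot: The `Deploy Cloudflare credentials for ACME` task in roles/edge_vps/tasks/30_traefik.yaml has no `notify: restart traefik`, so a rotated token is written to `cloudflare.env` while the running Traefik presumably keeps the old value until something else restarts it; this matters most when the token is being replaced after exposure. Adding `notify: restart traefik` to that task closes the gap (the handler itself is defined outside this patch). Both tasks also leave `owner`/`group` implicit, so the `0600` file ends up readable only by whichever user the play runs as; setting them explicitly to the account that starts Traefik documents who is meant to read the secret. A comment above the task such as `# Token must be scoped to DNS edit on the ACME zones only` would record the expected privilege of the credential.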
@@ -0,0 +1,57 @@
+api:
+ insecure: true
+ dashboard: true
+
+providers:
+ http:
+ endpoint: "http://pangolin:3001/api/v1/traefik-config"
+ pollInterval: "5s"
+ file:
+ filename: "/etc/traefik/dynamic_config.yml"
+
+experimental:
+ plugins:
+ badger:
+ moduleName: "github.com/fosrl/badger"
+ version: "v1.2.1"
+
+log:
+ level: "INFO"
+ format: "common"
+ maxSize: 100
+ maxBackups: 3
+ maxAge: 3
+ compress: true
+
+certificatesResolvers:
+ letsencrypt:
+ acme:
+ dnsChallenge:
+ provider: "cloudflare"
+ email: "{{ edge_vps_acme_email }}"
+ storage: "/letsencrypt/acme.json"
+ caServer: "https://acme-v02.api.letsencrypt.org/directory"
+
+entryPoints:
+ web:
+ address: ":80"
+ websecure:
+ address: ":443"
+ transport:
+ respondingTimeouts:
+ readTimeout: "30m"
+ http:
+ tls:
+ certResolver: "letsencrypt"
+ tcp-6443:
+ address: ":6443/tcp"
+
+serversTransport:
+ insecureSkipVerify: true
+
+ping:
+ entryPoint: "web"
+
+accessLog:
+ filePath: "/var/log/traefik/access.log"
+ format: common
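Review bot: `api.insecure: true` at the top of traefik_config.yml.j2 serves the dashboard and API without authentication on Traefik's internal `traefik` entry point (port 8080 by default), which on an edge VPS is open to anyone who can reach that port; whether it is published is decided by the container and firewall setup outside this patch. Prefer `insecure: false` with `api@internal` exposed through a router that carries an auth middleware, or at least confirm that 8080 is never bound to a public interface. `serversTransport.insecureSkipVerify: true` likewise turns off backend certificate verification for every service, so it needs a comment stating why (for example `# backends present self-signed certs on the private network`) or a per-service transport with a trusted CA instead. The `readTimeout: "30m"` on `websecure` lets slow clients hold connections open for a long time and should carry a comment naming the workload that needs it, and `format: common` under `accessLog` is the only unquoted string value in the file.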