From f873256f65b2d3241c907375fb2b38026d5f70c9 Mon Sep 17 00:00:00 2001
From: Tuan-Dat Tran
Date: Thu, 4 Jun 2026 01:45:01 +0200
Subject: [PATCH] feat(edge_vps): add traefik dynamic config template
---
roles/edge_vps/tasks/30_traefik.yaml | 13 ++--
.../templates/traefik/dynamic_config.yml.j2 | 67 +++++++++++++++++++
2 files changed, 73 insertions(+), 7 deletions(-)
create mode 100644 roles/edge_vps/templates/traefik/dynamic_config.yml.j2
diff --git a/roles/edge_vps/tasks/30_traefik.yaml b/roles/edge_vps/tasks/30_traefik.yaml
index 7de6ec1..0f63662 100644
--- a/roles/edge_vps/tasks/30_traefik.yaml
+++ b/roles/edge_vps/tasks/30_traefik.yaml
@@ -6,10 +6,9 @@
 mode: "0644"
 notify: restart traefik
 
-- name: Deploy Cloudflare credentials for ACME
- ansible.builtin.copy:
- content: |
- CF_DNS_API_TOKEN={{ vault_edge_vps.traefik.cloudflare_api_token }}
- dest: "{{ edge_vps_traefik_config_dir }}/cloudflare.env"
- mode: "0600"
- no_log: true
+- name: Deploy Traefik dynamic config
+ ansible.builtin.template:
+ src: traefik/dynamic_config.yml.j2
+ dest: "{{ edge_vps_traefik_config_dir }}/dynamic_config.yml"
+ mode: "0644"
+ notify: restart traefik
diff --git a/roles/edge_vps/templates/traefik/dynamic_config.yml.j2 b/roles/edge_vps/templates/traefik/dynamic_config.yml.j2
new file mode 100644
index 0000000..4ce99bc
--- /dev/null
+++ b/roles/edge_vps/templates/traefik/dynamic_config.yml.j2
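Review bot: Dropping the `Deploy Cloudflare credentials for ACME` task from roles/edge_vps/tasks/30_traefik.yaml does not delete `cloudflare.env` on hosts that were already provisioned, so the API token stays on disk there after this change. If the token is no longer needed, add a cleanup task for that path (sketched below) and revoke the token. If it is still needed, note that the template added in this same commit requests wildcard SANs through the `letsencrypt` resolver, which requires a DNS challenge, and nothing visible in this diff still supplies `CF_DNS_API_TOKEN`; it may be provided elsewhere in the role, which cannot be seen from here.

```yaml
- name: Remove stale Cloudflare credentials file
  ansible.builtin.file:
    path: "{{ edge_vps_traefik_config_dir }}/cloudflare.env"
    state: absent
```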
@@ -0,0 +1,67 @@
+http:
+ middlewares:
+ redirect-to-https:
+ redirectScheme:
+ scheme: https
+
+ routers:
+ main-app-router-redirect:
+ rule: "Host(`{{ edge_vps_pangolin_dashboard_url | regex_replace('^https?://', '') }}`)"
+ service: next-service
+ entryPoints:
+ - web
+ middlewares:
+ - redirect-to-https
+
+ next-router:
+ rule: "Host(`{{ edge_vps_pangolin_dashboard_url | regex_replace('^https?://', '') }}`) && !PathPrefix(`/api/v1`)"
+ service: next-service
+ entryPoints:
+ - websecure
+ tls:
+ certResolver: letsencrypt
+ domains:
+ - main: "{{ edge_vps_pangolin_base_domain }}"
+ sans:
+ - "*.{{ edge_vps_pangolin_base_domain }}"
+{% for domain in edge_vps_traefik_extra_tls_domains | default([]) %}
+ - main: "{{ domain }}"
+ sans:
+ - "*.{{ domain }}"
+{% endfor %}
+
+ api-router:
+ rule: "Host(`{{ edge_vps_pangolin_dashboard_url | regex_replace('^https?://', '') }}`) && PathPrefix(`/api/v1`)"
+ service: api-service
+ entryPoints:
+ - websecure
+ tls:
+ certResolver: letsencrypt
+
+ ws-router:
+ rule: "Host(`{{ edge_vps_pangolin_dashboard_url | regex_replace('^https?://', '') }}`)"
+ service: api-service
+ entryPoints:
+ - websecure
+ tls:
+ certResolver: letsencrypt
+
+ services:
+ next-service:
+ loadBalancer:
+ servers:
+ - url: "http://pangolin:3002"
+
+ api-service:
+ loadBalancer:
+ servers:
+ - url: "http://pangolin:3000"
+
+tcp:
+ serversTransports:
+ pp-transport-v1:
+ proxyProtocol:
+ version: 1
+ pp-transport-v2:
+ proxyProtocol:
+ version: 2
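Review bot: The Host matchers in all four routers derive the hostname with `regex_replace('^https?://', '')`, which strips only the scheme, so a trailing slash, path or port in `edge_vps_pangolin_dashboard_url` is rendered into the matcher and the router silently stops matching; any other unexpected character in the value likewise lands unvalidated inside the rule string. Parsing the URL is more robust and removes the fourfold repetition: put `{% set dashboard_host = edge_vps_pangolin_dashboard_url | urlsplit('hostname') %}` at the top of the template and use `{{ dashboard_host }}` inside each Host matcher. `edge_vps_pangolin_base_domain` and the `edge_vps_traefik_extra_tls_domains` entries are rendered into `tls.domains` the same way, so an `ansible.builtin.assert` on these variables in the role would catch a malformed value before Traefik is restarted with it. A short comment above `ws-router` would also help, since its rule is the bare Host match while `next-router` and `api-router` carry longer rules on the same entry point.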