diff --git a/roles/services/templates/traefik/dynamic/routes.yml.j2 b/roles/services/templates/traefik/dynamic/routes.yml.j2
index bf4c672..6f49a70 100644
--- a/roles/services/templates/traefik/dynamic/routes.yml.j2
+++ b/roles/services/templates/traefik/dynamic/routes.yml.j2
@@ -1,6 +1,19 @@
 # Traefik dynamic routing config — generated by Ansible
 # Do not edit manually; re-run ansible-playbook deploy.yml
+# ── Wildcard TLS certificate via Cloudflare DNS-01 ────────────────────────────
+# One cert covers ALL *.csrx.ru subdomains + root csrx.ru.
+# Adding a new service = zero cert wait time, Traefik reuses this cert.
+tls:
+ stores:
+ default:
+ defaultGeneratedCert:
+ resolver: letsencrypt
+ domain:
+ main: "*.{{ domain_base }}"
+ sans:
+ - "{{ domain_base }}"
+
 http:
 routers:
 traefik-dashboard:
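Review bot: The `resolver: letsencrypt` line under `defaultGeneratedCert` only produces the wildcard certificate if that resolver is set up for the DNS-01 challenge, and nothing in this hunk ties the two together; the resolver is defined in the static config, which is not shown here. Let's Encrypt issues wildcard names over DNS-01 only, so with an HTTP-01 or TLS-ALPN-01 resolver the order for `*.{{ domain_base }}` fails and clients would presumably be served Traefik's self-signed default certificate instead. I would add a comment above `resolver:` such as `# must name a certificatesResolvers entry that uses dnsChallenge (provider: cloudflare); wildcards cannot be issued over HTTP-01`, and keep the Cloudflare API token limited to DNS edit on this one zone, since whoever holds it can pass DNS-01 for any name in the zone. The "zero cert wait" comment also holds only for routers with a bare `tls: {}`; any router that still sets its own `tls.certResolver` keeps requesting a per-host certificate, and the router definitions continue outside this hunk.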