diff --git a/roles/services/templates/docker-compose.yml.j2 b/roles/services/templates/docker-compose.yml.j2
index 967c355..6fe9feb 100644
--- a/roles/services/templates/docker-compose.yml.j2
+++ b/roles/services/templates/docker-compose.yml.j2
@@ -69,8 +69,8 @@ services:
       - {{ services_root }}/traefik/dynamic:/etc/traefik/dynamic:ro
       - {{ services_root }}/traefik/acme.json:/acme/acme.json
       - {{ services_root }}/traefik/logs:/var/log/traefik
-    environment:
-      - CLOUDFLARE_DNS_API_TOKEN=${CLOUDFLARE_DNS_API_TOKEN}
+    # env_file passes CLOUDFLARE_DNS_API_TOKEN (and all secrets) to Traefik
+    env_file: .env
     logging:
       driver: json-file
       options:
diff --git a/roles/services/templates/traefik/dynamic/routes.yml.j2 b/roles/services/templates/traefik/dynamic/routes.yml.j2
index e90a531..bc4e491 100644
--- a/roles/services/templates/traefik/dynamic/routes.yml.j2
+++ b/roles/services/templates/traefik/dynamic/routes.yml.j2
@@ -1,8 +1,17 @@
 # Traefik dynamic routing config — generated by Ansible
 # Do not edit manually; re-run ansible-playbook deploy.yml
-# NOTE: wildcard cert (*.csrx.ru) будет включён после переноса NS на Cloudflare.
-# Тогда переключим ACME на dnsChallenge и добавим tls.stores.default.defaultGeneratedCert
+# ── Wildcard TLS certificate via Cloudflare DNS-01 ────────────────────────────
+# One *.csrx.ru cert covers all subdomains. New services = zero cert wait.
+tls:
+  stores:
+    default:
+      defaultGeneratedCert:
+        resolver: letsencrypt
+        domain:
+          main: "*.{{ domain_base }}"
+          sans:
+            - "{{ domain_base }}"
 http:
   routers:
diff --git a/roles/services/templates/traefik/traefik.yml.j2 b/roles/services/templates/traefik/traefik.yml.j2
index 9511cdf..8053173 100644
--- a/roles/services/templates/traefik/traefik.yml.j2
+++ b/roles/services/templates/traefik/traefik.yml.j2
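Review bot: `env_file: .env` on the new side hands the Traefik container every variable in the project .env, not only CLOUDFLARE_DNS_API_TOKEN — the added comment says as much — so the internet-facing container now holds all of the stack's secrets, readable via `docker inspect` or from inside the container. The removed `environment:` entry already resolved `${CLOUDFLARE_DNS_API_TOKEN}` from the project-level .env at compose time, so if the switch was made because the variable arrived empty, the likely cause is where .env lives relative to the compose file rather than the `environment:` form itself. I'd restore `environment:` / `- CLOUDFLARE_DNS_API_TOKEN=${CLOUDFLARE_DNS_API_TOKEN}`, or point `env_file` at a file that contains only the Traefik token; lego-based providers also generally accept a `_FILE` suffix variant for reading the token from a mounted secret instead of the environment. The service definition this hunk edits starts above the hunk.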
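Review bot: The new comment hard-codes `*.csrx.ru` while the configuration beneath it is templated on `{{ domain_base }}`, so the comment goes stale as soon as the variable changes; suggest `# One *.{{ domain_base }} cert covers all subdomains.` since Jinja renders comment lines too. `resolver: letsencrypt` has to match the resolver name under `certificatesResolvers` in traefik.yml.j2, which sits outside that file's hunk, so please confirm the name. As far as I recall, a defaultGeneratedCert only replaces the default certificate; routers that still set `tls.certResolver` with a Host rule keep requesting per-host certificates via DNS-01, so the "zero cert wait" claim only holds if the routers below this hunk drop the resolver or use `tls.domains` matching the wildcard. One wildcard key in acme.json now covers every subdomain, so keeping the mounted acme.json at 0600 and out of backups that are shared more widely matters more than before.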
@@ -93,9 +93,12 @@ certificatesResolvers:
     acme:
       email: "{{ acme_email }}"
       storage: /acme/acme.json
-      # TODO: switch to dnsChallenge after Cloudflare NS propagation
-      httpChallenge:
-        entryPoint: web
+      dnsChallenge:
+        provider: cloudflare
+        # Use Cloudflare's own resolvers to avoid propagation delays
+        resolvers:
+          - "1.1.1.1:53"
+          - "1.0.0.1:53"
 providers:
   file:
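Review bot: Nothing in the new `dnsChallenge` block documents what the Cloudflare credential must look like, and a DNS-01 credential is a high-value secret because it can write records for the whole zone. I'd add above `provider: cloudflare` a comment such as `# Reads CLOUDFLARE_DNS_API_TOKEN from the environment; use a scoped API token limited to Zone:DNS:Edit (plus Zone:Zone:Read) on this zone only, never the account Global API Key`. The `resolvers` entries are used for the pre-validation lookup of the TXT record, so the comment above them is accurate; if issuance still fails on a slow zone, `delayBeforeCheck` is the knob to reach for rather than disabling the propagation check. The enclosing resolver under `certificatesResolvers` begins above the hunk, so its name is not visible here.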