diff --git a/infrastructure/ansible/deploy_logic_push.yml b/infrastructure/ansible/deploy_logic_push.yml
index ec923fe..6fb8c5e 100644
--- a/infrastructure/ansible/deploy_logic_push.yml
+++ b/infrastructure/ansible/deploy_logic_push.yml
@@ -39,21 +39,50 @@ app_secrets: {} when: app_secrets is undefined +- name: "Lade Cloudflare Secrets (für Traefik Edge)" + set_fact: + cf_secrets: "{{ lookup('community.hashi_vault.vault_kv2_get', 'infrastructure/cloudflare', engine_mount_point='secret', url=lookup('env', 'VAULT_ADDR') | default('https://10.100.30.11:8200'), token=(vault_token | default(lookup('env', 'VAULT_TOKEN'))), validate_certs=false) | default({}) }}" + delegate_to: localhost + when: app_item.name == 'traefik-edge' + ignore_errors: true + +- name: "Merge Cloudflare Secrets in App Secrets" + set_fact: + # Wir mergen cf_secrets in app_secrets. Da app_secrets eine verschachtelte Struktur von hvac ist (manchmal), + # müssen wir vorsichtig sein. Wir extrahieren die 'data'/'secret' payloads und mergen die. + # Einfacher: Wir schreiben beide in die .env loop. + cf_secrets_payload: "{{ cf_secrets.secret | default(cf_secrets.data | default(cf_secrets)) | default({}) }}" + when: app_item.name == 'traefik-edge' and cf_secrets is defined + - name: "Erstelle .env Datei auf Remote" copy: dest: "{{ target_dir }}/.env" content: | - {# Fallback: Wenn app_secrets direkt die Daten sind oder in 'secret'/'data' stecken #} + {# App Secrets #} {% set final_secrets = app_secrets.secret | default(app_secrets.data | default(app_secrets)) %} {% if final_secrets is mapping %} {% for key, value in final_secrets.items() %} - {# Filtere Meta-Daten raus #} {% if key not in ['data', 'metadata', 'auth', 'lease_id', 'lease_duration', 'renewable', 'request_id', 'wrap_info', 'warnings', 'raw'] %} {{ key | trim }}={{ value }} {% endif %} {% endfor %} {% endif %} + + {# Cloudflare Secrets (Zusatz) #} + {% if cf_secrets_payload is defined and cf_secrets_payload is mapping %} + {% for key, value in cf_secrets_payload.items() %} + {% if key not in ['data', 'metadata', 'auth', 'lease_id', 'lease_duration', 'renewable', 'request_id', 'wrap_info', 'warnings', 'raw'] %} + # Mappe keys falls nötig: dns_api_token -> CF_DNS_API_TOKEN + {% 
if key == 'dns_api_token' %}CF_DNS_API_TOKEN={{ value }}{% endif %} + {% if key == 'dns_api_token' %}CF_ZONE_API_TOKEN={{ value }}{% endif %} + {% if key == 'email' %}CF_API_EMAIL={{ value }}{% endif %} + # Original auch schreiben + {{ key | trim }}={{ value }} + {% endif %} + {% endfor %} + {% endif %} mode: '0600' + when: app_item.has_secrets | default(false) and app_secrets | length > 0 # 4. Sync Dateien (Lokal -> Remote)
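Review bot: The Vault lookup in the new "Lade Cloudflare Secrets" task passes `validate_certs=false`, so the Vault token and the fetched Cloudflare API token travel over a TLS session whose peer is never verified; switch to `validate_certs=true` together with a `ca_cert=` option pointing at the internal CA bundle (a playbook variable, not a hard-coded path). Both new `set_fact` tasks hold that token in `cf_secrets`/`cf_secrets_payload` and will echo it in verbose output, so each should carry `no_log: true`. The `lookup('env', 'VAULT_ADDR') | default('https://10.100.30.11:8200')` fallback most likely never applies, because the env lookup yields an empty string rather than an undefined value when the variable is unset — `default('https://10.100.30.11:8200', true)` is needed for it to take effect. With `ignore_errors: true` a failed fetch leaves `cf_secrets` undefined, the merge task is skipped and the `.env` is written without any `CF_*` entries; for `traefik-edge` a loud failure (or an `assert` on `cf_secrets_payload`) would be safer than a silent partial deploy. The enclosing task list continues outside the hunk.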