diff --git a/infrastructure/ansible/deploy_logic_push.yml b/infrastructure/ansible/deploy_logic_push.yml index 2d0090c..cb0ee4f 100644 --- a/infrastructure/ansible/deploy_logic_push.yml +++ b/infrastructure/ansible/deploy_logic_push.yml @@ -29,7 +29,7 @@ # Nur ausführen, wenn has_secrets: true - name: "Lade Secrets aus Vault (Lokal lookup)" set_fact: - app_secrets: "{{ lookup('community.hashi_vault.vault_kv2_get', 'apps/' + app_item.name, engine_mount_point='secret', url=lookup('env', 'VAULT_ADDR') | default('https://10.100.30.11:8200'), token=(vault_token | default(lookup('env', 'VAULT_TOKEN'))), validate_certs=true) | default({}) }}" + app_secrets: "{{ lookup('community.hashi_vault.vault_kv2_get', 'apps/' + app_item.name, engine_mount_point='secret', url=lookup('env', 'VAULT_ADDR') | default('https://10.100.30.11:8200'), token=(vault_token | default(lookup('env', 'VAULT_TOKEN'))), validate_certs=false) | default({}) }}" delegate_to: localhost when: app_item.has_secrets | default(false) ignore_errors: true # Trotzdem ignorieren, falls Vault down ist oder Secret fehlt @@ -46,11 +46,8 @@ when: app_item.name == 'traefik-edge' ignore_errors: true -- name: "Merge Cloudflare Secrets in App Secrets" +- name: "Merge Cloudflare Secrets in App Secrets Payload" set_fact: - # Wir mergen cf_secrets in app_secrets. Da app_secrets eine verschachtelte Struktur von hvac ist (manchmal), - # müssen wir vorsichtig sein. Wir extrahieren die 'data'/'secret' payloads und mergen die. - # Einfacher: Wir schreiben beide in die .env loop. cf_secrets_payload: "{{ cf_secrets.secret | default(cf_secrets.data | default(cf_secrets)) | default({}) }}" when: app_item.name == 'traefik-edge' and cf_secrets is defined 
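Review bot: The `validate_certs=false` switch in the `app_secrets` lookup disables TLS certificate verification for the Vault connection that carries the token and returns the secrets, so a mis-resolved or on-path `VAULT_ADDR` can read both; nothing else in the hunk compensates for that. If the fallback `https://10.100.30.11:8200` fails verification because the certificate does not cover that IP literal, the fix is to point `VAULT_ADDR` at the name on the certificate or pass the CA bundle with `ca_cert=...` while keeping `validate_certs=true`. The task already runs with `ignore_errors: true` and `| default({})`, so a TLS or auth failure is reduced to an empty dict either way; a comment on the lookup line such as `# validate_certs stays true: the token is sent on this connection` would record the intent for the next edit.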
@@ -58,37 +55,48 @@ copy: dest: "{{ target_dir }}/.env" content: | - {# App Secrets #} - {% set final_secrets = app_secrets.secret | default(app_secrets.data | default(app_secrets)) %} - {% if final_secrets is mapping %} - {% for key, value in final_secrets.items() %} - {% if key not in ['data', 'metadata', 'auth', 'lease_id', 'lease_duration', 'renewable', 'request_id', 'wrap_info', 'warnings', 'raw'] %} - {{ key | trim }}={{ value }} - {% endif %} - {% endfor %} - {% endif %} + {# App Secrets & Cloudflare Secrets zusammenführen #} + {% set all_secrets = {} %} - {# Cloudflare Secrets (Zusatz) #} + {# 1. App Secrets laden #} + {% set app_sec_data = app_secrets.secret | default(app_secrets.data | default(app_secrets)) %} + {% if app_sec_data is mapping %} + {% set _ = all_secrets.update(app_sec_data) %} + {% endif %} + + {# 2. Cloudflare Secrets (für Traefik Edge) laden #} {% if cf_secrets_payload is defined and cf_secrets_payload is mapping %} - {% for key, value in cf_secrets_payload.items() %} - {% if key not in ['data', 'metadata', 'auth', 'lease_id', 'lease_duration', 'renewable', 'request_id', 'wrap_info', 'warnings', 'raw'] %} - - {% if key == 'api_token' %} + {% set _ = all_secrets.update(cf_secrets_payload) %} + {% endif %} + + {# 3. 
Ausgabe #} + {% for key, value in all_secrets.items() %} + {% if key not in ['data', 'metadata', 'auth', 'lease_id', 'lease_duration', 'renewable', 'request_id', 'wrap_info', 'warnings', 'raw'] %} + + {# Spezifisches Mapping für Traefik Edge #} + {% if app_item.name == 'traefik-edge' %} + {# Mapping Regeln #} + {% if key == 'api_token' %} CF_DNS_API_TOKEN={{ value }} CF_ZONE_API_TOKEN={{ value }} - {% endif %} - - {% if key == 'email' %} + {% elif key == 'email' %} CF_API_EMAIL={{ value }} - {% endif %} - + {% elif key in ['CLOUDFLARE_API_KEY', 'CLOUDFLARE_EMAIL'] %} + {# Alte Keys ignorieren #} + {% else %} + {# Alle anderen Keys 1:1 übernehmen #} {{ key | trim }}={{ value }} - {% endif %} - {% endfor %} - {% endif %} - mode: '0600' + {% endif %} - when: app_item.has_secrets | default(false) and app_secrets | length > 0 + {% else %} + {# Für alle anderen Apps: 1:1 übernehmen #} + {{ key | trim }}={{ value }} + {% endif %} + + {% endif %} + {% endfor %} + mode: '0600' + when: (app_item.has_secrets | default(false) and app_secrets | length > 0) or (app_item.name == 'traefik-edge' and cf_secrets_payload is defined) # 4. Sync Dateien (Lokal -> Remote) # Hinweis: 'copy' Modul unterstützt kein 'exclude'.
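Review bot: The `copy` task that renders the merged Vault and Cloudflare payloads into `{{ target_dir }}/.env` carries no `no_log: true`; copy masks its `content` argument in the module invocation, but a `--diff` run and any templating error in the new Jinja block still print the rendered secret values, so add `no_log: true` beside the new `when:` line. The task's `- name:` line lies above the hunk. Each entry is emitted unquoted as `{{ key | trim }}={{ value }}`, so a value containing a newline or a leading `#` would corrupt the file; whether that matters depends on how the `.env` consumer parses it, which the hunk does not show. The `{% set _ = all_secrets.update(...) %}` lines rely on in-place dict mutation and read like a bug at first glance; a comment such as `{# update() mutates all_secrets in place; the assignment to _ only discards its None return #}` would make that explicit.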