diff --git a/infra/ansible/playbooks/haproxy.yml b/infra/ansible/playbooks/haproxy.yml
index f9f62c2c9..42f0d2de3 100644
--- a/infra/ansible/playbooks/haproxy.yml
+++ b/infra/ansible/playbooks/haproxy.yml
@@ -58,6 +58,39 @@
     - name: Refresh inventory so veza-haproxy is reachable
       ansible.builtin.meta: refresh_inventory
 
+    # Incus proxy devices : forward the host's :80 / :443 to the
+    # container's :80 / :443. Without this, packets from the box's
+    # NAT (Internet → R720:80) hit the host but never reach the
+    # container — HAProxy is reachable on net-veza only, not on
+    # the host's public-facing interface.
+    - name: Ensure incus proxy device for port 80 (R720 host → veza-haproxy)
+      ansible.builtin.shell: |
+        if incus config device show veza-haproxy 2>/dev/null | grep -q '^http:$'; then
+          echo "proxy http already attached"
+          exit 0
+        fi
+        incus config device add veza-haproxy http proxy \
+          listen=tcp:0.0.0.0:80 \
+          connect=tcp:127.0.0.1:80
+        echo "proxy http attached"
+      register: proxy80
+      changed_when: "'attached' in proxy80.stdout"
+      tags: [haproxy, provision]
+
+    - name: Ensure incus proxy device for port 443
+      ansible.builtin.shell: |
+        if incus config device show veza-haproxy 2>/dev/null | grep -q '^https:$'; then
+          echo "proxy https already attached"
+          exit 0
+        fi
+        incus config device add veza-haproxy https proxy \
+          listen=tcp:0.0.0.0:443 \
+          connect=tcp:127.0.0.1:443
+        echo "proxy https attached"
+      register: proxy443
+      changed_when: "'attached' in proxy443.stdout"
+      tags: [haproxy, provision]
+
     # Common role intentionally NOT applied to the haproxy container :
     # it's reached via `incus exec` (no SSH inside), and the role's
     # SSH-hardening / fail2ban / node_exporter setup assumes a full
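Review bot: `changed_when: "'attached' in proxy80.stdout"` is true on every run, because the early-exit branch prints `proxy http already attached`, which also contains that substring — so both tasks report changed even when the device already exists and the idempotence guard never shows up in the play recap; the `proxy443` task has the same defect. Test the exact message instead, e.g. `changed_when: "'already attached' not in proxy80.stdout"` (and the same for `proxy443`), or have the script print nothing on the early exit and use `changed_when: proxy80.stdout != ''`. Separately, `listen=tcp:0.0.0.0:80` / `:443` binds the proxy on every host interface, while the comment above frames the goal as the NAT-facing public interface; if the R720 also has a LAN or management address, consider listening on the specific public address taken from a variable (constructed placeholder: `listen=tcp:{{ haproxy_public_ip }}:80`) so HAProxy is not exposed on networks the comment does not account for. The enclosing `tasks:` list and play start outside the hunk.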