diff --git a/infra/ansible/playbooks/haproxy.yml b/infra/ansible/playbooks/haproxy.yml
index bbea43651..dc57baae3 100644
--- a/infra/ansible/playbooks/haproxy.yml
+++ b/infra/ansible/playbooks/haproxy.yml
@@ -1,52 +1,62 @@
-# HAProxy playbook — provisions one Incus container `haproxy` and
-# lays down the HAProxy config in front of the backend-api +
-# stream-server pools.
+# HAProxy playbook — provisions the SHARED edge container
+# `veza-haproxy` (one per R720, serves staging+prod+forgejo+talas
+# simultaneously), then lays down the config + Let's Encrypt certs.
 #
-# v1.0.9 W4 Day 19.
+# Idempotent : re-run safe ; container creation no-ops if present.
 #
-# Run with:
+# Bootstrap (one-shot, before the first deploy_app.yml run) :
 #   ansible-galaxy collection install community.general
-#   ansible-playbook -i inventory/lab.yml playbooks/haproxy.yml
+#   ansible-playbook -i inventory/staging.yml playbooks/haproxy.yml \
+#     --vault-password-file .vault-pass
+#
+# Subsequent runs : same command. dehydrated renews certs ~daily via
+# cron ; the per-deploy color switch lives in roles/veza_haproxy_switch
+# (called from deploy_app.yml), NOT here.
 ---
-- name: Provision Incus container for HAProxy
+- name: Provision shared edge HAProxy container
   hosts: incus_hosts
   become: true
   gather_facts: true
   tasks:
-    - name: Launch haproxy container
+    - name: Launch veza-haproxy container if absent
       ansible.builtin.shell:
         cmd: |
           set -e
-          if ! incus info haproxy >/dev/null 2>&1; then
-            incus launch images:ubuntu/22.04 haproxy
-            for _ in $(seq 1 30); do
-              if incus exec haproxy -- cloud-init status 2>/dev/null | grep -q "status: done"; then
-                break
-              fi
-              sleep 1
-            done
-            incus exec haproxy -- apt-get update
-            incus exec haproxy -- apt-get install -y python3 python3-apt
+          if incus info veza-haproxy >/dev/null 2>&1; then
+            echo "veza-haproxy already exists"
+            exit 0
           fi
-      args:
+          incus launch "{{ veza_app_base_image | default('images:debian/13') }}" veza-haproxy --profile veza-app --profile veza-net --network "{{ veza_incus_network | default('veza-net') }}"
+          for _ in $(seq 1 30); do
+            if incus exec veza-haproxy -- /bin/true 2>/dev/null; then
+              break
+            fi
+            sleep 1
+          done
+          incus exec veza-haproxy -- apt-get update
+          incus exec veza-haproxy -- apt-get install -y python3 python3-apt
         executable: /bin/bash
       register: provision_result
       changed_when: "'incus launch' in provision_result.stdout"
       tags: [haproxy, provision]
 
-    - name: Refresh inventory so the new container is reachable
+    - name: Refresh inventory so veza-haproxy is reachable
       ansible.builtin.meta: refresh_inventory
 
-- name: Apply common baseline
+- name: Apply common baseline (SSH hardening, fail2ban, node_exporter)
   hosts: haproxy
   become: true
   gather_facts: true
   roles:
     - common
 
-- name: Install + configure HAProxy
+- name: Install + configure HAProxy + dehydrated/Let's Encrypt
   hosts: haproxy
   become: true
   gather_facts: true
+  vars:
+    # Force blue-green topology — the edge HAProxy doesn't run lab's
+    # multi-instance branch.
+    haproxy_topology: blue-green
   roles:
     - haproxy