.env now gitignored; .env.example is the committed template

Per standard Docker convention. The active `.env` is per-host
(contains the actual TSIG secret + any host-specific port/hostname
overrides). The `.env.example` template documents the expected
variables with stub values so a fresh checkout knows what to copy.

Also: docker-compose.yml now passes ACME_TSIG_SECRET to the coredns
container via plain `environment:` directive -- compose auto-reads
`.env` for substitution. No --env-file gymnastics needed at the
invocation level.

.env.example

@@ -1,3 +1,8 @@
+# Template for the operational .env file. Copy to .env and fill in real
+# values. .env is gitignored (contains the active TSIG secret + any
+# other host-specific overrides). Keeping this template in git lets
+# new operators / fresh checkouts know what env vars are expected.
+
 COMPOSE_PROJECT_NAME=coredns
 
 # Custom CoreDNS image tag (CalVer). Built locally via `docker compose
@@ -34,3 +39,12 @@ ACME_EMAIL=rpm@malloys.us
 # VULTR_API_KEY is intentionally NOT stored here. Caddy reads it from
 # the shell environment via docker compose's variable interpolation —
 # export it in your shell (or in ~/.zshenv) before `make tls-up`.
+
+# TSIG shared secret for the rfc2136 plugin (RFC 2136 dynamic updates).
+# Same secret is used by all authorised RFC 2136 clients (Caddy via
+# caddy-dns/rfc2136, nsupdate, etc.). Rotate by regenerating with
+# `openssl rand -base64 32` and updating this value + all clients.
+# Lives in `.env` (tracked in our PRIVATE git) for operational
+# simplicity; if you want a stricter convention, move to `.env.local`
+# (gitignored) and pass `--env-file .env.local` at compose time.
+ACME_TSIG_SECRET=GENERATE_VIA_openssl_rand_base64_32

.gitignore

@@ -14,3 +14,7 @@ caddy-config/
 
 # Local-only env overrides
 .env.local
+
+# Operational secrets / per-host overrides. Use .env.example as template.
+.env
+.env.local

docker-compose.yml

@@ -54,6 +54,10 @@ services:
     container_name: coredns
     restart: unless-stopped
     command: ["-conf", "/etc/coredns/Corefile"]
+    # The Corefile uses {$ACME_TSIG_SECRET} expansion to read the
+    # TSIG secret. Passed in from compose's env (which auto-reads .env).
+    environment:
+      - ACME_TSIG_SECRET=${ACME_TSIG_SECRET}
     depends_on:
       caddy:
         condition: service_healthy