From 162abedfdd86a92363689b00335a503302957e79 Mon Sep 17 00:00:00 2001
From: Ryan Malloy
Date: Thu, 21 May 2026 12:37:23 -0600
Subject: [PATCH] .env now gitignored; .env.example is the committed template

Per standard Docker convention. The active `.env` is per-host (contains the actual TSIG secret + any host-specific port/hostname overrides). The `.env.example` template documents the expected variables with stub values so a fresh checkout knows what to copy.

Also: docker-compose.yml now passes ACME_TSIG_SECRET to the coredns container via plain `environment:` directive -- compose auto-reads `.env` for substitution. No --env-file gymnastics needed at the invocation level.
---
 .env => .env.example | 14 ++++++++++++++
 .gitignore | 4 ++++
 docker-compose.yml | 4 ++++
 3 files changed, 22 insertions(+)
 rename .env => .env.example (64%)

diff --git a/.env b/.env.example
similarity index 64%
rename from .env
rename to .env.example
index e39613e..180cbfc 100644
--- a/.env
+++ b/.env.example
@@ -1,3 +1,8 @@
+# Template for the operational .env file. Copy to .env and fill in real
+# values. .env is gitignored (contains the active TSIG secret + any
+# other host-specific overrides). Keeping this template in git lets
+# new operators / fresh checkouts know what env vars are expected.
+
 COMPOSE_PROJECT_NAME=coredns
 # Custom CoreDNS image tag (CalVer). Built locally via `docker compose 
@@ -34,3 +39,12 @@ ACME_EMAIL=rpm@malloys.us
 # VULTR_API_KEY is intentionally NOT stored here. Caddy reads it from
 # the shell environment via docker compose's variable interpolation —
 # export it in your shell (or in ~/.zshenv) before `make tls-up`.
+
+# TSIG shared secret for the rfc2136 plugin (RFC 2136 dynamic updates).
+# Same secret is used by all authorised RFC 2136 clients (Caddy via
+# caddy-dns/rfc2136, nsupdate, etc.). Rotate by regenerating with
+# `openssl rand -base64 32` and updating this value + all clients.
+# Lives in `.env` (tracked in our PRIVATE git) for operational
+# simplicity; if you want a stricter convention, move to `.env.local`
+# (gitignored) and pass `--env-file .env.local` at compose time.
+ACME_TSIG_SECRET=GENERATE_VIA_openssl_rand_base64_32
diff --git a/.gitignore b/.gitignore
index a0faaaa..efedb14 100644
--- a/.gitignore
+++ b/.gitignore
@@ -14,3 +14,7 @@ caddy-config/
 # Local-only env overrides
 .env.local
+
+ # Operational secrets / per-host overrides. Use .env.example as template.
+.env
+.env.local
diff --git a/docker-compose.yml b/docker-compose.yml
index be9f8f8..4fdff5b 100644
--- a/docker-compose.yml
+++ b/docker-compose.yml
@@ -54,6 +54,10 @@ services:
     container_name: coredns
     restart: unless-stopped
     command: ["-conf", "/etc/coredns/Corefile"]
+    # The Corefile uses {$ACME_TSIG_SECRET} expansion to read the
+    # TSIG secret. Passed in from compose's env (which auto-reads .env).
+    environment:
+      - ACME_TSIG_SECRET=${ACME_TSIG_SECRET}
     depends_on:
       caddy:
         condition: service_healthy
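Review bot: The last three comment lines above `ACME_TSIG_SECRET` contradict the commit they land in — they say the secret "Lives in `.env` (tracked in our PRIVATE git)" and offer `.env.local` plus `--env-file .env.local` as the stricter alternative, while this same commit gitignores `.env` and the header added at the top of `.env.example` says exactly that. Replace those three lines with something like `# Lives only in the per-host .env (gitignored); never commit the real value.` so the template does not tell a new operator to do the thing the commit just stopped doing. The stub `GENERATE_VIA_openssl_rand_base64_32` is a syntactically valid value, so a `.env` copied from this template and not edited will start CoreDNS with a key that anyone with read access to this repo knows; a note that the Corefile will accept updates signed with whatever is here, or a stub the compose side rejects, would close that gap. If a real secret was ever committed in the pre-rename `.env`, gitignoring it now does not remove it from history — rotate it as the comment already describes.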
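Review bot: `.env.local` is now listed twice in `.gitignore` — the existing entry under `# Local-only env overrides` is still in the context lines two lines above the added `+.env.local`, so the new line is redundant. Drop the duplicate, or merge the two stanzas into one `# Operational secrets / per-host overrides` block so the next reader does not wonder whether the two entries differ. The added `.env` pattern is unanchored and therefore also ignores an `.env` in any subdirectory; if only the repo-root file is meant, write `/.env`.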
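Review bot: `- ACME_TSIG_SECRET=${ACME_TSIG_SECRET}` expands to an empty string when the variable is missing from `.env` and the shell — compose only prints a warning — so the coredns container starts and the Corefile's `{$ACME_TSIG_SECRET}` expands to nothing; whether the rfc2136 plugin then refuses to load or runs with an empty key is not visible from this hunk, and neither is what an operator wants. Use compose's required-variable form so startup fails with a clear message instead: `- ACME_TSIG_SECRET=${ACME_TSIG_SECRET:?set ACME_TSIG_SECRET in .env (see .env.example)}`. That guard only tests unset/empty, so the `.env.example` stub value copied through unchanged still passes — worth saying in the comment. The comment on the `environment:` block could also state the trade-off being accepted: a value passed this way is readable via `docker inspect` on the host, which is the price of the Corefile's env expansion.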