.env now gitignored; .env.example is the committed template
Per standard Docker convention. The active `.env` is per-host (contains the actual TSIG secret + any host-specific port/hostname overrides). The `.env.example` template documents the expected variables with stub values so a fresh checkout knows what to copy. Also: docker-compose.yml now passes ACME_TSIG_SECRET to the coredns container via plain `environment:` directive -- compose auto-reads `.env` for substitution. No --env-file gymnastics needed at the invocation level.
This commit is contained in:
parent
3dd99fa81a
commit
162abedfdd
@ -1,3 +1,8 @@
|
|||||||
|
# Template for the operational .env file. Copy to .env and fill in real
|
||||||
|
# values. .env is gitignored (contains the active TSIG secret + any
|
||||||
|
# other host-specific overrides). Keeping this template in git lets
|
||||||
|
# new operators / fresh checkouts know what env vars are expected.
|
||||||
|
|
||||||
COMPOSE_PROJECT_NAME=coredns
|
COMPOSE_PROJECT_NAME=coredns
|
||||||
|
|
||||||
# Custom CoreDNS image tag (CalVer). Built locally via `docker compose
|
# Custom CoreDNS image tag (CalVer). Built locally via `docker compose
|
||||||
@ -34,3 +39,12 @@ ACME_EMAIL=rpm@malloys.us
|
|||||||
# VULTR_API_KEY is intentionally NOT stored here. Caddy reads it from
|
# VULTR_API_KEY is intentionally NOT stored here. Caddy reads it from
|
||||||
# the shell environment via docker compose's variable interpolation —
|
# the shell environment via docker compose's variable interpolation —
|
||||||
# export it in your shell (or in ~/.zshenv) before `make tls-up`.
|
# export it in your shell (or in ~/.zshenv) before `make tls-up`.
|
||||||
|
|
||||||
|
# TSIG shared secret for the rfc2136 plugin (RFC 2136 dynamic updates).
|
||||||
|
# Same secret is used by all authorised RFC 2136 clients (Caddy via
|
||||||
|
# caddy-dns/rfc2136, nsupdate, etc.). Rotate by regenerating with
|
||||||
|
# `openssl rand -base64 32` and updating this value + all clients.
|
||||||
|
# Lives in `.env` (tracked in our PRIVATE git) for operational
|
||||||
|
# simplicity; if you want a stricter convention, move to `.env.local`
|
||||||
|
# (gitignored) and pass `--env-file .env.local` at compose time.
|
||||||
|
ACME_TSIG_SECRET=GENERATE_VIA_openssl_rand_base64_32
|
||||||
4
.gitignore
vendored
4
.gitignore
vendored
@ -14,3 +14,7 @@ caddy-config/
|
|||||||
|
|
||||||
# Local-only env overrides
|
# Local-only env overrides
|
||||||
.env.local
|
.env.local
|
||||||
|
|
||||||
|
# Operational secrets / per-host overrides. Use .env.example as template.
|
||||||
|
.env
|
||||||
|
.env.local
|
||||||
|
|||||||
@ -54,6 +54,10 @@ services:
|
|||||||
container_name: coredns
|
container_name: coredns
|
||||||
restart: unless-stopped
|
restart: unless-stopped
|
||||||
command: ["-conf", "/etc/coredns/Corefile"]
|
command: ["-conf", "/etc/coredns/Corefile"]
|
||||||
|
# The Corefile uses {$ACME_TSIG_SECRET} expansion to read the
|
||||||
|
# TSIG secret. Passed in from compose's env (which auto-reads .env).
|
||||||
|
environment:
|
||||||
|
- ACME_TSIG_SECRET=${ACME_TSIG_SECRET}
|
||||||
depends_on:
|
depends_on:
|
||||||
caddy:
|
caddy:
|
||||||
condition: service_healthy
|
condition: service_healthy
|
||||||
|
|||||||
Loading…
x
Reference in New Issue
Block a user