coredns/.env.example
Ryan Malloy 162abedfdd .env now gitignored; .env.example is the committed template
Per standard Docker convention. The active `.env` is per-host
(contains the actual TSIG secret + any host-specific port/hostname
overrides). The `.env.example` template documents the expected
variables with stub values so a fresh checkout knows what to copy.

Also: docker-compose.yml now passes ACME_TSIG_SECRET to the coredns
container via plain `environment:` directive -- compose auto-reads
`.env` for substitution. No --env-file gymnastics needed at the
invocation level.
2026-05-21 12:37:23 -06:00

51 lines
2.2 KiB
Plaintext

# Template for the operational .env file. Copy to .env and fill in real
# values. .env is gitignored (contains the active TSIG secret + any
# other host-specific overrides). Keeping this template in git lets
# new operators / fresh checkouts know what env vars are expected.
COMPOSE_PROJECT_NAME=coredns
# Custom CoreDNS image tag (CalVer). Built locally via `docker compose
# build coredns` using ./coredns/Dockerfile; pulls plugins from the
# referenced git repos at build time. Bump this when re-rolling.
COREDNS_IMAGE_TAG=2026.05.21
# Legacy pin (no longer the active image; kept for emergency rollback
# to upstream CoreDNS if the custom build needs to be reverted).
COREDNS_IMAGE=coredns/coredns:1.11.3
# Host ports. systemd-resolved usually binds 53, so default to 5353.
# Override to 53 if you actually want this to be the host's resolver.
DNS_PORT=5353
METRICS_PORT=9153
# 8080 is famously contested (dev servers, alternate HTTP). 8081 less so.
HEALTH_PORT=8081
# DoT (DNS-over-TLS, RFC 7858) — IANA port 853. Host port 8853 to
# stay unprivileged.
DOT_PORT=8853
# DoH (DNS-over-HTTPS, RFC 8484) — typically 443. Host port 8443
# because Caddy already owns 443 on this host.
DOH_PORT=8443
# --- Production cert provisioning (Caddy sidecar + Let's Encrypt) ---
# Hostname the cert is issued for. Must be a name you control and that
# resolves via the public DNS server holding the zone (Vultr's NS).
CADDY_HOSTNAME=dns.supported.systems
# Contact email registered with Let's Encrypt for expiry notifications.
ACME_EMAIL=rpm@malloys.us
# VULTR_API_KEY is intentionally NOT stored here. Caddy reads it from
# the shell environment via docker compose's variable interpolation —
# export it in your shell (or in ~/.zshenv) before `make tls-up`.
# TSIG shared secret for the rfc2136 plugin (RFC 2136 dynamic updates).
# The same secret is used by every authorised RFC 2136 client (Caddy via
# caddy-dns/rfc2136, nsupdate, etc.), so rotating it means regenerating
# with `openssl rand -base64 32` and updating this value AND every client
# in one pass; a client still on the old key has its next update refused.
# The real value lives only in the gitignored `.env` (keep that file mode
# 0600: compose reads it for interpolation and passes the value into the
# coredns container's environment, so anyone who can inspect the
# container sees it). Never put a real secret in this template.
ACME_TSIG_SECRET=GENERATE_VIA_openssl_rand_base64_32
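The two procedures the template comments describe (fresh checkout: copy `.env.example` to `.env` and fill in a real secret; rotation: regenerate the secret and push it to every client) as a small POSIX shell script. This is an added example, not a file from the repository: it assumes the placeholder is the literal `GENERATE_VIA_openssl_rand_base64_32` shown above, that `ACME_TSIG_SECRET=` sits on a line of its own, and that the script is saved under a hypothetical name such as `env-bootstrap.sh`.

```shell
#!/bin/sh
# Added example (not part of the repository): bootstrap a per-host .env
# from .env.example and rotate ACME_TSIG_SECRET the way the template
# comments describe. Assumes the placeholder is the literal
# GENERATE_VIA_openssl_rand_base64_32 and that ACME_TSIG_SECRET= is on a
# line of its own, as in the file above.
set -eu

PLACEHOLDER='GENERATE_VIA_openssl_rand_base64_32'

# 32 random bytes, base64-encoded (44 characters): exactly what
# `openssl rand -base64 32` prints. Fallback for hosts without openssl.
gen_tsig_secret() {
  if command -v openssl >/dev/null 2>&1; then
    openssl rand -base64 32
  else
    head -c 32 /dev/urandom | base64
  fi
}

# A well-formed secret decodes back to exactly 32 bytes; the placeholder
# (or a hand-typed short string) does not. Returns 0 when it does.
tsig_secret_ok() {
  n=$(printf '%s' "$1" | base64 -d 2>/dev/null | wc -c | tr -d ' ')
  [ "${n:-0}" -eq 32 ]
}

# Replace (or append) the ACME_TSIG_SECRET line in env file $1 with
# secret $2, leaving every other line alone, then restrict the file to
# its owner: it now holds the live key compose hands to the container.
set_tsig_secret() {
  file=$1 secret=$2
  tmp="$file.tmp.$$"
  awk -v s="$secret" '
    /^ACME_TSIG_SECRET=/ { print "ACME_TSIG_SECRET=" s; seen = 1; next }
    { print }
    END { if (!seen) print "ACME_TSIG_SECRET=" s }
  ' "$file" > "$tmp"
  mv "$tmp" "$file"
  chmod 600 "$file"
}

# Fresh checkout: copy the template to the target if none exists, swap
# the placeholder for a fresh secret (an existing real value is kept),
# and print the active secret so it can be handed to the other clients.
bootstrap_env() {
  example=$1 target=$2
  [ -f "$target" ] || cp "$example" "$target"
  if grep -q "^ACME_TSIG_SECRET=$PLACEHOLDER\$" "$target"; then
    set_tsig_secret "$target" "$(gen_tsig_secret)"
  fi
  sed -n 's/^ACME_TSIG_SECRET=//p' "$target"
}

# Rotation: write a new key into the env file and print it. The same
# value must then go into the CoreDNS rfc2136 key config and every
# nsupdate/Caddy client before the next dynamic update, or that update
# is refused.
rotate_tsig_secret() {
  set_tsig_secret "$1" "$(gen_tsig_secret)"
  sed -n 's/^ACME_TSIG_SECRET=//p' "$1"
}

# Usage from the repo root (env-bootstrap.sh is an assumed file name):
#   . ./env-bootstrap.sh
#   bootstrap_env coredns/.env.example coredns/.env
#   rotate_tsig_secret coredns/.env
```

`bootstrap_env` is idempotent: a second run on a host that already has a real secret leaves it untouched, so it is safe to wire into a `make` target. The `chmod 600` is the step most often skipped; compose reads the file unprivileged, so there is no reason for it to be group- or world-readable.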