traefik-dns-watcher/.env.example
# ──────────────────────────────────────────────────────────────────────────────
# traefik-dns-watcher — environment configuration
# Copy this file to /etc/traefik-dns-watcher/env and fill in real values.
# For Docker Compose, pass these as environment: directives or an env_file.
# ──────────────────────────────────────────────────────────────────────────────
# ── Traefik API ───────────────────────────────────────────────────────────────
# Base URL of the Traefik API endpoint (no trailing slash).
# When running inside Docker on the same network, use the service name.
# Security: over an http:// URL the Basic Auth credentials below are sent
# base64-encoded, not encrypted. Use an https:// URL whenever the API is reached
# across anything other than a private container network.
TRAEFIK_URL=http://traefik:8080
# Optional Basic Auth credentials if the Traefik API is protected.
# Leave empty if Traefik API is accessible without authentication (internal network).
# If left empty, make sure the API port is not published on the host or routed
# externally: an unauthenticated Traefik API discloses the configured routers
# and services to anyone who can reach it.
# Once a real password is set, keep the filled-in file out of version control and
# readable only by the account the service runs as (for example mode 0600).
TRAEFIK_USERNAME=
TRAEFIK_PASSWORD=
# ── DNS zones ─────────────────────────────────────────────────────────────────
# Comma-separated list of DNS zones that the watcher manages.
# Only Traefik routers with Host() rules matching these zones will produce DNS records.
# Trust boundary: router rules decide which names get published, so whoever can
# define routers (for example by starting labelled containers) can create
# records inside these zones. List only zones where that is acceptable.
DNS_ZONES=example.com,example.net
# Public IPv4 address that all A records will point to.
# 1.2.3.4 is a placeholder. Replace it before first run; left unchanged, every
# generated A record would point at an address you do not control.
PUBLIC_IP=1.2.3.4
# Public IPv6 address for AAAA records. Leave empty to disable AAAA record generation.
PUBLIC_IPV6=
# TTL (in seconds) for all generated DNS records.
RECORD_TTL=300
# Enable Cloudflare automatic TTL handling in OctoDNS-generated records:
# octodns.cloudflare.auto-ttl: true
# true - include provider-specific auto-ttl metadata
# false - do not include provider-specific metadata
# NOTE(review): how this interacts with RECORD_TTL is not stated here; confirm
# which value takes effect when both are set.
CF_AUTO_TTL=true
# ── DNS Git repository ────────────────────────────────────────────────────────
# Absolute path to the pre-cloned DNS OctoDNS repository on the local filesystem.
# The service will not clone the repository; it must already exist.
# Docker: mount this path as a volume.
DNS_REPO_PATH=/dns-repo
# Branch to pull from and push to.
# The watcher pushes to this branch directly, so branch protection or required
# reviews on it either block the watcher or must exempt its identity. Decide
# which explicitly, since changes on this branch presumably end up in live DNS
# (confirm against your OctoDNS pipeline).
DNS_REPO_BRANCH=main
# Git remote name.
DNS_REPO_REMOTE=origin
# Optional HTTPS token auth for git pull/push (when remote URL is https://...)
# If GIT_AUTH_TOKEN is set, watcher enables non-interactive GIT_ASKPASS mode.
# GitHub example:
# GIT_AUTH_USERNAME=x-access-token
# GIT_AUTH_TOKEN=ghp_xxx
# GitLab example:
# GIT_AUTH_USERNAME=oauth2
# GIT_AUTH_TOKEN=glpat-xxx
# Least privilege: issue a token limited to this one repository with only the
# read/write access that pull and push need (a fine-grained GitHub token or a
# GitLab project access token), and give it an expiry date.
# The token is a secret: keep the filled-in file out of version control and
# readable only by the account the service runs as (for example mode 0600).
GIT_AUTH_USERNAME=x-access-token
GIT_AUTH_TOKEN=
# Directory inside the repository where dynamic zone files are stored.
# The watcher will only write to this directory; static zones are left untouched.
DNS_REPO_DYNAMIC_DIR=zones-dynamic
# Author identity for git commits produced by this service.
# Git author fields are informational, not authenticated; what actually
# authorises a push is the credential configured above.
DNS_REPO_AUTHOR_NAME=traefik-dns-watcher
DNS_REPO_AUTHOR_EMAIL=dns-bot@example.com
# ── Timing ────────────────────────────────────────────────────────────────────
# Interval between full periodic reconciles (independent of Docker events).
# Compensates for missed events after restarts or stream interruptions.
# Valid Go duration strings: 60s, 5m, 1h
RECONCILE_INTERVAL=60s
# Quiet-period after the last Docker event before a reconcile is triggered.
# Coalesces rapid bursts (e.g. rolling restarts) into a single reconcile.
DEBOUNCE_DELAY=5s
# Log level for watcher output. Allowed: debug, info, warn, error
# NOTE(review): before enabling debug in production, confirm that debug output
# does not include TRAEFIK_PASSWORD, GIT_AUTH_TOKEN or credential-bearing URLs.
LOG_LEVEL=info
# ── Docker ────────────────────────────────────────────────────────────────────
# Docker daemon endpoint. Leave empty to use the default Unix socket.
# The standard DOCKER_HOST variable is read automatically by the Docker SDK.
# Examples:
# unix:///var/run/docker.sock (default)
# tcp://remote-host:2376
# Security: access to the Docker API is equivalent to root on the Docker host.
# Expose the socket only to this service, and consider putting an API proxy in
# front of it that permits only the read-only calls the watcher needs.
# A tcp:// endpoint must be protected with mutual TLS. DOCKER_TLS_VERIFY and
# DOCKER_CERT_PATH are the standard Docker client variables for that; whether
# the watcher honours them depends on how it builds its SDK client (confirm).
DOCKER_HOST=
# ── Filtering ─────────────────────────────────────────────────────────────────
# Comma-separated list of Traefik router names to exclude from DNS management.
# Useful for internal or special-purpose routers that happen to match a managed zone.
# Example: my-internal-router@docker,legacy-app@docker
# This is a deny-list: any router that matches a managed zone and is not named
# here gets a record. List internal-only services before first run so that
# their hostnames are not published in DNS.
EXCLUDE_ROUTERS=