# ── Secrets / runtime config ────────────────────────────────────────────────
# Populated env / config files (keep the *.example templates).
.env
**/.env
globals/globals.env
ssh-notify.conf
auto-update.conf
!*.env.example
!**/.env.example
!*.conf.example

# ── Private keys (NEVER commit) ─────────────────────────────────────────────
# age identities and SSH private keys. globals/age-pubkey.txt and
# globals/authorized_keys are PUBLIC and intentionally tracked.
*-private-key.txt
*age-key*
*.age.key
id_ed25519
id_ed25519_*
*.pem

# Squid TLS-interception CA -- generated on the host at deploy time, never
# committed (the private key can MITM any client that trusts it).
deployments/squid/ssl/

# copyparty generated config -- cfg/copyparty.conf holds the admin password and
# cfg/ftps.pem the FTPS key; both are generated on the host at deploy time. The
# copyparty.conf.example template stays tracked.
deployments/copyparty/cfg/

# ── Backups ─────────────────────────────────────────────────────────────────
*.tar.gz.age
*-backup-*.tar.gz*

# ── Build output ────────────────────────────────────────────────────────────
dist/

# ── Editor / OS noise ───────────────────────────────────────────────────────
*.tmp
*.swp
.DS_Store
Thumbs.db
