fix: untrack runtime config files and add them to .gitignore

These files are machine-specific and generated at runtime — they should
never have been committed. Remove from index (files kept on disk) and
add explicit gitignore rules to prevent future re-adds.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

.gitignore

@@ -16,6 +16,22 @@ config/wireguard/
 *.crt
 *.pem
 
+# Runtime-generated config files (machine-specific, generated at startup)
+config/api/caddy/Caddyfile
+config/api/calendar.json
+config/api/cell_config.json
+config/api/wireguard.json
+config/api/webdav/webdav.conf
+config/api/dhcp/
+config/caddy/Caddyfile
+config/dhcp/dnsmasq.conf
+config/dns/Corefile
+config/mail/mailserver.env
+config/mail/config/dovecot-quotas.cf
+config/ntp/chrony.conf
+config/radicale/
+config/webdav/users.passwd
+
 # Logs
 *.log
 logs/

config/api/caddy/Caddyfile

@@ -1,57 +0,0 @@
-{
-    auto_https off
-}
-
-# Main cell domain — no service-IP restriction needed
-http://pic0.lan, http://172.20.0.2:80 {
-    handle /api/* {
-        reverse_proxy cell-api:3000
-    }
-    handle /calendar* {
-        reverse_proxy cell-radicale:5232
-    }
-    handle /files* {
-        reverse_proxy cell-filegator:8080
-    }
-    handle /webmail* {
-        reverse_proxy cell-rainloop:8888
-    }
-    handle {
-        reverse_proxy cell-webui:80
-    }
-}
-
-# Per-service virtual IPs — each gets its own IP so iptables can target them
-http://calendar.lan, http://172.20.0.21:80 {
-    reverse_proxy cell-radicale:5232
-}
-
-http://files.lan, http://172.20.0.22:80 {
-    reverse_proxy cell-filegator:8080
-}
-
-http://mail.lan, http://webmail.lan, http://172.20.0.23:80 {
-    reverse_proxy cell-rainloop:8888
-}
-
-http://webdav.lan, http://172.20.0.24:80 {
-    reverse_proxy cell-webdav:80
-}
-
-http://api.lan {
-    reverse_proxy cell-api:3000
-}
-
-http://webui.lan {
-    reverse_proxy cell-webui:80
-}
-
-# Catch-all for direct IP / localhost
-:80 {
-    handle /api/* {
-        reverse_proxy cell-api:3000
-    }
-    handle {
-        reverse_proxy cell-webui:80
-    }
-}

config/api/calendar.json

@@ -1,3 +0,0 @@
-{
-  "port": 5233
-}

config/api/cell_config.json

@@ -1,22 +0,0 @@
-{
-  "_identity": {
-    "cell_name": "pic0",
-    "domain": "dec",
-    "ip_range": "172.20.0.0/16",
-    "wireguard_port": 51820
-  },
-  "_pending_restart": {
-    "needs_restart": false,
-    "changes": [],
-    "containers": [],
-    "network_recreate": false
-  },
-  "calendar": {
-    "port": 5233
-  },
-  "wireguard": {
-    "port": 51820,
-    "address": "",
-    "private_key": ""
-  }
-}

config/api/webdav/webdav.conf

@@ -1,22 +0,0 @@
-# WebDAV configuration for Personal Internet Cell
-[global]
-# WebDAV server settings
-port = 8080
-host = 0.0.0.0
-root = /var/lib/webdav
-
-# Authentication
-auth_type = basic
-auth_file = /etc/webdav/users
-
-# SSL/TLS settings
-ssl = no
-ssl_cert = /etc/ssl/certs/webdav.crt
-ssl_key = /etc/ssl/private/webdav.key
-
-# Logging
-log_level = info
-log_file = /var/log/webdav.log
-
-# File permissions
-umask = 022

config/caddy/Caddyfile

@@ -1,57 +0,0 @@
-{
-    auto_https off
-}
-
-# Main cell domain — no service-IP restriction needed
-http://pic0.dec, http://172.20.0.2:80 {
-    handle /api/* {
-        reverse_proxy cell-api:3000
-    }
-    handle /calendar* {
-        reverse_proxy cell-radicale:5232
-    }
-    handle /files* {
-        reverse_proxy cell-filegator:8080
-    }
-    handle /webmail* {
-        reverse_proxy cell-rainloop:8888
-    }
-    handle {
-        reverse_proxy cell-webui:80
-    }
-}
-
-# Per-service virtual IPs — each gets its own IP so iptables can target them
-http://calendar.dec, http://172.20.0.21:80 {
-    reverse_proxy cell-radicale:5232
-}
-
-http://files.dec, http://172.20.0.22:80 {
-    reverse_proxy cell-filegator:8080
-}
-
-http://mail.dec, http://webmail.dec, http://172.20.0.23:80 {
-    reverse_proxy cell-rainloop:8888
-}
-
-http://webdav.dec, http://172.20.0.24:80 {
-    reverse_proxy cell-webdav:80
-}
-
-http://api.dec {
-    reverse_proxy cell-api:3000
-}
-
-http://webui.dec {
-    reverse_proxy cell-webui:80
-}
-
-# Catch-all for direct IP / localhost
-:80 {
-    handle /api/* {
-        reverse_proxy cell-api:3000
-    }
-    handle {
-        reverse_proxy cell-webui:80
-    }
-}

config/dhcp/dnsmasq.conf

@@ -1,32 +0,0 @@
-# Personal Internet Cell - dnsmasq Configuration
-# Provides DHCP and local DNS resolution
-
-# Interface to listen on
-interface=eth0
-bind-interfaces
-
-# DHCP configuration
-dhcp-range=172.20.1.50,172.20.1.150,12h
-dhcp-option=3,172.20.0.1  # Gateway
-dhcp-option=6,172.20.0.2  # DNS server
-dhcp-option=42,172.20.0.4 # NTP server
-
-# DNS configuration
-port=53
-domain=local.cell
-expand-hosts
-local=/local.cell/
-
-# DNS forwarding
-server=8.8.8.8
-server=1.1.1.1
-
-# Cache size
-cache-size=1000
-
-# Logging
-log-queries
-log-dhcp
-
-# Static leases (optional)
-# dhcp-host=00:11:22:33:44:55,192.168.1.100,mydevice 

config/dns/Corefile

@@ -1,12 +0,0 @@
-. {
-    forward . 8.8.8.8 1.1.1.1
-    cache
-    log
-    health
-}
-
-dec {
-    file /data/dec.zone
-    log
-}
-

config/mail/mailserver.env

@@ -1,3 +0,0 @@
-OVERRIDE_HOSTNAME=mail.cell.local
-POSTMASTER_ADDRESS=admin@cell.local
-LOG_LEVEL=warn

config/ntp/chrony.conf

@@ -1,24 +0,0 @@
-# Personal Internet Cell - chrony Configuration
-# Provides NTP time synchronization
-
-# Allow NTP client access from local network
-allow 172.20.0.0/16
-allow 127.0.0.1
-
-# NTP servers to sync with
-server time.google.com iburst
-server time.cloudflare.com iburst
-server pool.ntp.org iburst
-
-# Local stratum for this server
-local stratum 10
-
-# Key file for authentication (optional)
-# keyfile /etc/chrony/chrony.keys
-
-# Drift file
-driftfile /var/lib/chrony/drift
-
-# Make chrony work as a server
-port 123
-bindaddress 0.0.0.0