# Local artifacts / secrets -- must never be committed *-openrc *.tar.gz *.tar.zst backups/ .vault-keys/ *.pem *.key *.crt # Keep CA certs that are NOT secrets if explicitly added in docs/ !docs/**/*.crt # Python __pycache__/ *.pyc *.pyo .venv/ venv/ # Editor .vscode/ .idea/ *.swp *~ # Logs *.log deploy-*.log # Juju local artifacts *.bundle bundle-pre-rebuild.yaml juju-status-pre-rebuild.yaml # NetBox token files .netbox-env .env # Octavia PKI artifacts - never commit overlays/octavia-pki.yaml octavia-pki/ passphrase.txt # Bundle backups (timestamped) bundle.yaml.bak-* # --- repo-sanitation sweep additions --- /remove/ *.kubeconfig kubeconfig vault-init*.txt init.txt *.bak *.tmp .DS_Store # generated at test runtime by tests/phase-00-maas-standup/make_fixtures.py tests/phase-00-maas-standup/fix/ tests/phase-00-teardown/fix/ tests/phase-00-maas-recidr/fix/ # Claude Code agent worktrees (local, never commit) .claude/worktrees/ # OpenTofu/Terraform local state + secrets -- DOCFIX-175. State files store # EVERY resource attribute in plaintext, including sensitive=true variables # (maas_api_key) -- sensitive only suppresses CLI output, not state storage. # See opentofu/README.md "State file handling" for the operator mitigations # (file permissions, backup, never pass secrets via -var). .terraform.lock.hcl # IS committed deliberately (provider-version pin, matches this repo's # exact-release-not-range discipline in opentofu/versions.tf). opentofu/**/.terraform/ opentofu/**/*.tfstate opentofu/**/*.tfstate.* opentofu/**/*.tfplan opentofu/**/*.auto.tfvars opentofu/**/*.auto.tfvars.json opentofu/**/override.tf opentofu/**/override.tf.json opentofu/**/*_override.tf opentofu/**/*_override.tf.json opentofu/**/crash.log opentofu/**/crash.*.log