contrib/sni-router: render mtg-config.toml from a tracked .example

Track `mtg-config.toml.example` with `secret = "${MTG_SECRET}"`; the
rendered `mtg-config.toml` and local `.env` are gitignored, so the
secret never lands in a tracked file.

Quick start switches from "paste the secret into mtg-config.toml" to
either `envsubst < mtg-config.toml.example > mtg-config.toml` or
`cp` + hand-edit `${MTG_SECRET}` for users without envsubst.

After #502 made DOMAIN env-driven, the secret was the last hand-edit
of a tracked file in the example. Follow-up to #506.

contrib/sni-router/.gitignore

+# Rendered from mtg-config.toml.example; contains the live secret.
+mtg-config.toml
+
+# Local environment overrides (DOMAIN, MTG_SECRET, ...)
+.env

contrib/sni-router/README.md

 
 # 3. Configure:
 #    - .env (or export)  →  DOMAIN=your.domain   # used by HAProxy + Caddy
-#    - mtg-config.toml   →  paste the secret
+#    - render mtg-config.toml from the tracked template
+#      (the rendered file is gitignored — secret stays out of git):
+MTG_SECRET=<secret-from-step-2> envsubst < mtg-config.toml.example > mtg-config.toml
+#      (Or `cp mtg-config.toml.example mtg-config.toml` and edit ${MTG_SECRET}
+#      by hand if you don't have envsubst.)
 
 # 4. (Optional) put your site content into www/
 
 |---|---|
 | `docker-compose.yml` | Service definitions |
 | `haproxy.cfg` | SNI routing rules (reads `$DOMAIN` from the environment) |
-| `mtg-config.toml` | mtg proxy config — **paste your secret** |
+| `mtg-config.toml.example` | mtg proxy config template — render with `envsubst` or copy + edit |
+| `mtg-config.toml` | Rendered mtg proxy config (gitignored, contains your secret) |
 | `Caddyfile` | Web server config (auto-HTTPS) |
 | `www/` | Static site content served by Caddy |

contrib/sni-router/docker-compose.yml

 #
 # Quick start:
 #   1. Set DOMAIN in a .env file next to this one (or export it)
-#   2. mtg generate-secret YOUR_DOMAIN   -> paste into mtg-config.toml
+#   2. mtg generate-secret YOUR_DOMAIN   -> render mtg-config.toml:
+#        MTG_SECRET=<secret> envsubst < mtg-config.toml.example > mtg-config.toml
+#      (the rendered file is gitignored). See README.md for the cp+edit variant.
 #   3. docker compose up -d
 #
 # DOMAIN is forwarded to both Caddy (TLS cert) and HAProxy (SNI ACL),

contrib/sni-router/mtg-config.toml → contrib/sni-router/mtg-config.toml.example

-# Minimal mtg configuration for the SNI-router setup.
+# Minimal mtg configuration template for the SNI-router setup.
 #
-# 1. Generate a secret:  mtg generate-secret --hex <your.domain>
-# 2. Paste it into the `secret` field below.
-# 3. Set DOMAIN=<your.domain> in .env (HAProxy + Caddy pick it up).
+# This is the tracked template; `docker compose` mounts `mtg-config.toml`
+# (gitignored), so render or copy this file before `docker compose up -d`:
+#
+#   1. Set DOMAIN=<your.domain> in .env (HAProxy + Caddy pick it up).
+#   2. Generate the secret:  mtg generate-secret --hex <your.domain>
+#   3. Produce mtg-config.toml — pick one:
+#        MTG_SECRET=<secret> envsubst < mtg-config.toml.example > mtg-config.toml
+#      or just copy and hand-edit `${MTG_SECRET}`:
+#        cp mtg-config.toml.example mtg-config.toml && $EDITOR mtg-config.toml
 
-secret = "PASTE_YOUR_SECRET_HERE"
+secret = "${MTG_SECRET}"
 bind-to = "[::]:3128"
 
 # HAProxy in front sends PROXY protocol v2 headers so mtg can see the