docs: standardize example IPs to RFC 5737 documentation ranges

Replace all 10.0.0.x private IPs with RFC 5737 documentation IPs
(192.0.2.x, 198.51.100.x) across 30 files. Also update env var
reference page to link to unified secrets management docs.

RFC 5737 IPs are reserved for documentation and will never conflict
with real infrastructure, making examples safe to copy-paste.

Author: maxfield-allison

README.md

@@ -60,7 +60,7 @@ services:
       - DNSWEAVER_INTERNAL_DNS_TOKEN_FILE=/run/secrets/technitium_token
       - DNSWEAVER_INTERNAL_DNS_ZONE=home.example.com
       - DNSWEAVER_INTERNAL_DNS_RECORD_TYPE=A
-      - DNSWEAVER_INTERNAL_DNS_TARGET=10.0.0.100
+      - DNSWEAVER_INTERNAL_DNS_TARGET=192.0.2.100
       - DNSWEAVER_INTERNAL_DNS_DOMAINS=*.home.example.com
     volumes:
       - /var/run/docker.sock:/var/run/docker.sock:ro
@@ -90,7 +90,7 @@ flowchart LR
 2. dnsweaver extracts the hostname and matches it against configured provider domain patterns
 
 3. The matching provider creates the DNS record:
-   - **A record**: `myapp.home.example.com → 10.0.0.100`
+   - **A record**: `myapp.home.example.com → 192.0.2.100`
    - **CNAME**: `myapp.example.com → proxy.example.com`
 
 4. When the container stops (or the Kubernetes resource is deleted), the DNS record is automatically cleaned up
@@ -130,7 +130,7 @@ metadata:
   name: my-app
   annotations:
     dnsweaver.dev/record-type: "A"
-    dnsweaver.dev/target: "10.0.0.100"
+    dnsweaver.dev/target: "192.0.2.100"
 spec:
   rules:
     - host: app.example.com
@@ -149,7 +149,7 @@ environment:
   # Internal: Technitium → private IP
   - DNSWEAVER_INTERNAL_TYPE=technitium
   - DNSWEAVER_INTERNAL_RECORD_TYPE=A
-  - DNSWEAVER_INTERNAL_TARGET=10.0.0.100
+  - DNSWEAVER_INTERNAL_TARGET=192.0.2.100
   - DNSWEAVER_INTERNAL_DOMAINS=*.example.com
 
   # External: Cloudflare → tunnel CNAME
@@ -160,7 +160,7 @@ environment:
 ```
 
 With this configuration, when `app.example.com` starts:
-- Internal DNS → `A` record → `10.0.0.100`
+- Internal DNS → `A` record → `192.0.2.100`
 - External DNS → `CNAME` record → `tunnel.example.com`
 
 ## Contributing

docs/config.example.yml

@@ -110,7 +110,7 @@ providers:
       - "*.internal.example.com"
       - "*.home.example.com"
     record_type: A        # A, AAAA, or CNAME
-    target: 10.0.0.100    # Where to point DNS records (your load balancer/gateway IP)
+    target: 192.0.2.100    # Where to point DNS records (your load balancer/gateway IP)
     ttl: 300              # TTL in seconds
     mode: managed         # managed, authoritative, or additive
     config:
@@ -152,7 +152,7 @@ providers:
     domains:
       - "*.custom.example.com"
     record_type: A
-    target: 10.0.0.50
+    target: 192.0.2.50
     config:
       url: https://webhook.example.com/dns
       auth_header: X-API-Key
@@ -167,7 +167,7 @@ providers:
   #   domains:
   #     - "*.rfc.example.com"
   #   record_type: A
-  #   target: 10.0.0.100
+  #   target: 192.0.2.100
   #   ttl: 300
   #   config:
   #     server: ns1.example.com:53
@@ -195,7 +195,7 @@ providers:
 #   domains_regex:
 #     - "^app-[0-9]+\\.example\\.com$"
 #   record_type: A
-#   target: 10.0.0.100
+#   target: 192.0.2.100
 #   config:
 #     url: http://dns:5380
 #     token: ${TECHNITIUM_TOKEN}

docs/configuration/domains.md

@@ -49,9 +49,9 @@ When a hostname matches multiple providers, dnsweaver creates records in **all**
 ```bash
 DNSWEAVER_INSTANCES=internal-dns,public-dns
 
-# Internal DNS: *.example.com → 10.0.0.100 (private IP)
+# Internal DNS: *.example.com → 192.0.2.100 (private IP)
 DNSWEAVER_INTERNAL_DNS_DOMAINS=*.example.com
-DNSWEAVER_INTERNAL_DNS_TARGET=10.0.0.100
+DNSWEAVER_INTERNAL_DNS_TARGET=192.0.2.100
 
 # Public DNS: *.example.com → public.example.com (public CNAME)
 DNSWEAVER_PUBLIC_DNS_DOMAINS=*.example.com
@@ -60,7 +60,7 @@ DNSWEAVER_PUBLIC_DNS_TARGET=public.example.com
 
 With this configuration, `app.example.com` creates records in **both** providers:
 
-- Internal DNS: `app.example.com → A → 10.0.0.100`
+- Internal DNS: `app.example.com → A → 192.0.2.100`
 - Public DNS: `app.example.com → CNAME → public.example.com`
 
 ### Non-Overlapping Patterns

docs/configuration/environment.md

@@ -1,6 +1,6 @@
 # Environment Variables Reference
 
-All configuration is via environment variables with the `DNSWEAVER_` prefix. Variables support the `_FILE` suffix for Docker secrets.
+All configuration is via environment variables with the `DNSWEAVER_` prefix. Variables support the `_FILE` suffix for [secrets management](secrets.md) (Docker secrets, Kubernetes Secrets, or any file-based injection).
 
 ## Configuration File
 

docs/configuration/modes.md

@@ -37,7 +37,7 @@ Each provider instance can operate in one of three modes, controlling how aggres
 When `ownership_tracking: true` (default), dnsweaver creates a TXT record alongside each DNS record to track ownership:
 
 ```
-app.home.example.com       A      10.0.0.100
+app.home.example.com       A      192.0.2.100
 _dnsweaver.app.home.example.com  TXT    "dnsweaver-id=abc123"
 ```
 

docs/configuration/multi-instance.md

@@ -46,7 +46,7 @@ environment:
   - DNSWEAVER_INTERNAL_TOKEN_FILE=/run/secrets/technitium_token
   - DNSWEAVER_INTERNAL_ZONE=home.example.com
   - DNSWEAVER_INTERNAL_RECORD_TYPE=A
-  - DNSWEAVER_INTERNAL_TARGET=10.0.0.100
+  - DNSWEAVER_INTERNAL_TARGET=192.0.2.100
   - DNSWEAVER_INTERNAL_DOMAINS=*.home.example.com
 
   # External: Cloudflare for *.example.com → CNAME to proxy
@@ -60,7 +60,7 @@ environment:
 ```
 
 A service with hostname `app.home.example.com` creates:
-- A record in Technitium → `10.0.0.100`
+- A record in Technitium → `192.0.2.100`
 - No record in Cloudflare (excluded by `EXCLUDE_DOMAINS`)
 
 A service with hostname `app.example.com` creates:
@@ -80,7 +80,7 @@ environment:
   - DNSWEAVER_ZONE_A_TOKEN_FILE=/run/secrets/tech_token
   - DNSWEAVER_ZONE_A_ZONE=alpha.example.com
   - DNSWEAVER_ZONE_A_RECORD_TYPE=A
-  - DNSWEAVER_ZONE_A_TARGET=10.0.1.100
+  - DNSWEAVER_ZONE_A_TARGET=198.51.100.100
   - DNSWEAVER_ZONE_A_DOMAINS=*.alpha.example.com
 
   - DNSWEAVER_ZONE_B_TYPE=technitium

docs/contributing/adding-provider.md

@@ -312,7 +312,7 @@ func TestClient_CreateRecord(t *testing.T) {
 	defer server.Close()
 
 	client := NewClient(server.URL, "test-token")
-	err := client.CreateRecord(context.Background(), "test.example.com", "A", "10.0.0.1")
+	err := client.CreateRecord(context.Background(), "test.example.com", "A", "192.0.2.1")
 	if err != nil {
 		t.Fatalf("unexpected error: %v", err)
 	}
@@ -389,7 +389,7 @@ Your provider should support these record types as applicable:
 
 | Record Type | Purpose | Target Validation |
 |------------|---------|-------------------|
-| `A` | IPv4 address record | Valid IPv4 address (e.g., `10.0.0.100`) |
+| `A` | IPv4 address record | Valid IPv4 address (e.g., `192.0.2.100`) |
 | `AAAA` | IPv6 address record | Valid IPv6 address (e.g., `2001:db8::1` or `fd00::1`) |
 | `CNAME` | Canonical name (alias) | Valid hostname (e.g., `target.example.com`) |
 | `TXT` | Text record (used for ownership) | String value |

docs/contributing/development.md

@@ -123,7 +123,7 @@ services:
       - DNSWEAVER_TEST_TYPE=webhook
       - DNSWEAVER_TEST_URL=http://webhook-receiver:8080
       - DNSWEAVER_TEST_RECORD_TYPE=A
-      - DNSWEAVER_TEST_TARGET=10.0.0.1
+      - DNSWEAVER_TEST_TARGET=192.0.2.1
       - DNSWEAVER_TEST_DOMAINS=*.test.local
     volumes:
       - /var/run/docker.sock:/var/run/docker.sock:ro

docs/deployment/docker-compose.md

@@ -17,7 +17,7 @@ services:
       - DNSWEAVER_INTERNAL_TOKEN_FILE=/run/secrets/dns_token
       - DNSWEAVER_INTERNAL_ZONE=home.example.com
       - DNSWEAVER_INTERNAL_RECORD_TYPE=A
-      - DNSWEAVER_INTERNAL_TARGET=10.0.0.100
+      - DNSWEAVER_INTERNAL_TARGET=192.0.2.100
       - DNSWEAVER_INTERNAL_DOMAINS=*.home.example.com
     volumes:
       - /var/run/docker.sock:/var/run/docker.sock:ro
@@ -61,7 +61,7 @@ services:
       - DNSWEAVER_INTERNAL_TOKEN_FILE=/run/secrets/dns_token
       - DNSWEAVER_INTERNAL_ZONE=home.example.com
       - DNSWEAVER_INTERNAL_RECORD_TYPE=A
-      - DNSWEAVER_INTERNAL_TARGET=10.0.0.100
+      - DNSWEAVER_INTERNAL_TARGET=192.0.2.100
       - DNSWEAVER_INTERNAL_DOMAINS=*.home.example.com
     depends_on:
       - socket-proxy
@@ -103,7 +103,7 @@ services:
       - DNSWEAVER_INTERNAL_TOKEN_FILE=/run/secrets/technitium_token
       - DNSWEAVER_INTERNAL_ZONE=home.example.com
       - DNSWEAVER_INTERNAL_RECORD_TYPE=A
-      - DNSWEAVER_INTERNAL_TARGET=10.0.0.100
+      - DNSWEAVER_INTERNAL_TARGET=192.0.2.100
       - DNSWEAVER_INTERNAL_DOMAINS=*.home.example.com,*.example.com
 
       # External DNS (Cloudflare)
@@ -157,7 +157,7 @@ services:
       - DNSWEAVER_INTERNAL_TOKEN_FILE=/run/secrets/dns_token
       - DNSWEAVER_INTERNAL_ZONE=home.example.com
       - DNSWEAVER_INTERNAL_RECORD_TYPE=A
-      - DNSWEAVER_INTERNAL_TARGET=10.0.0.100  # Traefik's IP
+      - DNSWEAVER_INTERNAL_TARGET=192.0.2.100  # Traefik's IP
       - DNSWEAVER_INTERNAL_DOMAINS=*.home.example.com
     volumes:
       - /var/run/docker.sock:/var/run/docker.sock:ro
@@ -168,7 +168,7 @@ services:
     image: traefik/whoami
     labels:
       - "traefik.http.routers.whoami.rule=Host(`whoami.home.example.com`)"
-    # dnsweaver will create: whoami.home.example.com → 10.0.0.100
+    # dnsweaver will create: whoami.home.example.com → 192.0.2.100
 
 secrets:
   dns_token:

docs/deployment/dual-stack.md

@@ -9,12 +9,12 @@ dnsweaver treats each provider instance independently. To create both A and AAAA
 ```mermaid
 flowchart LR
     subgraph dnsweaver
-        V4[dns-v4 instance<br/>Record: A<br/>Target: 10.0.0.100]
+        V4[dns-v4 instance<br/>Record: A<br/>Target: 192.0.2.100]
         V6[dns-v6 instance<br/>Record: AAAA<br/>Target: fd00::100]
     end
     V4 --> DNS[(DNS Server)]
     V6 --> DNS
-    DNS --> R1["app.example.com → A 10.0.0.100"]
+    DNS --> R1["app.example.com → A 192.0.2.100"]
     DNS --> R2["app.example.com → AAAA fd00::100"]
 ```
 
@@ -32,7 +32,7 @@ environment:
   - DNSWEAVER_DNS_V4_TOKEN_FILE=/run/secrets/dns_token
   - DNSWEAVER_DNS_V4_ZONE=example.com
   - DNSWEAVER_DNS_V4_RECORD_TYPE=A
-  - DNSWEAVER_DNS_V4_TARGET=10.0.0.100
+  - DNSWEAVER_DNS_V4_TARGET=192.0.2.100
   - DNSWEAVER_DNS_V4_DOMAINS=*.example.com
 
   # IPv6 records
@@ -59,7 +59,7 @@ providers:
     token_file: /run/secrets/dns_token
     zone: example.com
     record_type: A
-    target: 10.0.0.100
+    target: 192.0.2.100
     domains:
       - "*.example.com"
 
@@ -103,7 +103,7 @@ environment:
   # Internal IPv4
   - DNSWEAVER_INTERNAL_V4_TYPE=technitium
   - DNSWEAVER_INTERNAL_V4_RECORD_TYPE=A
-  - DNSWEAVER_INTERNAL_V4_TARGET=10.0.0.100
+  - DNSWEAVER_INTERNAL_V4_TARGET=192.0.2.100
   - DNSWEAVER_INTERNAL_V4_DOMAINS=*.example.com
   # ... (URL, zone, token)