Fix: Rename stack.env to stack.env.example to prevent Portainer auto-load error

Portainer was trying to auto-load stack.env as an env file which caused
parsing errors. Renamed to stack.env.example so users manually copy
the values into Portainer UI instead.

Also updated .env.example with cleaner format.

.env.example

@@ -1,59 +1,20 @@
-# ============================================================================
+# LemonSec Environment Variables
-# LEMONSEC - Environment Configuration
+# Copy these values into Portainer UI when deploying
-# Copy this file to .env and fill in your values
-# ============================================================================
 
-# -----------------------------------------------------------------------------
+# Cloudflare DNS
-# Cloudflare DNS Configuration
-# -----------------------------------------------------------------------------
-# Your Cloudflare account email
 CF_API_EMAIL=your-email@example.com
-
-# Cloudflare Global API Key (from https://dash.cloudflare.com/profile/api-tokens)
-# OR use DNS API Token (more secure)
 CF_API_KEY=your-cloudflare-global-api-key
-# CF_DNS_API_TOKEN=your-cloudflare-dns-api-token
 
-# -----------------------------------------------------------------------------
+# TrueNAS Configuration
-# Timezone
+TRUENAS_IP=192.168.1.100
-# -----------------------------------------------------------------------------
+TRUENAS_NEXTCLOUD_PORT=9001
+
+# Authelia Secrets (generate with: openssl rand -hex 32)
+AUTHELIA_JWT_SECRET=replace-with-64-hex-chars
+AUTHELIA_SESSION_SECRET=replace-with-64-hex-chars
+AUTHELIA_STORAGE_KEY=replace-with-64-hex-chars
+
+# Optional
 TZ=Europe/Stockholm
-
+CROWDSEC_API_KEY=
-# -----------------------------------------------------------------------------
+TAILSCALE_IP=
-# CrowdSec API Key
-# Generate after first CrowdSec start: docker exec crowdsec cscli bouncers add traefik-bouncer
-CROWDSEC_API_KEY=your-crowdsec-api-key-here
-
-# -----------------------------------------------------------------------------
-# Authelia Secrets
-# Generate these with: openssl rand -hex 32
-# -----------------------------------------------------------------------------
-AUTHELIA_JWT_SECRET=change-me-32-characters-min
-AUTHELIA_SESSION_SECRET=change-me-32-characters-min  
-AUTHELIA_STORAGE_KEY=change-me-32-characters-min
-
-# -----------------------------------------------------------------------------
-# Grafana
-# -----------------------------------------------------------------------------
-GRAFANA_ADMIN_USER=admin
-GRAFANA_ADMIN_PASSWORD=change-me-strong-password
-GRAFANA_OAUTH_SECRET=generate-with-authelia
-
-# -----------------------------------------------------------------------------
-# Tailscale Configuration
-# Your Tailscale IP for internal routing
-# Find with: tailscale ip -4
-# -----------------------------------------------------------------------------
-TAILSCALE_IP=100.x.x.x
-
-# -----------------------------------------------------------------------------
-# TrueNAS / External Services
-# -----------------------------------------------------------------------------
-TRUENAS_IP=192.168.x.x  # Your TrueNAS VM IP
-TRUENAS_NEXTCLOUD_PORT=9001  # Port where TrueNAS Nextcloud is exposed
-
-# -----------------------------------------------------------------------------
-# External Services (add your own)
-# -----------------------------------------------------------------------------
-# NEXTCLOUD_MYSQL_PASSWORD=...
-# VAULTWARDEN_ADMIN_TOKEN=...

.gitignore

@@ -3,8 +3,8 @@
 .env.local
 .env.production
 
-# Keep stack.env as template for Portainer
+# stack.env is auto-loaded by Portainer - use stack.env.example as template
-# stack.env is intentionally NOT ignored
+stack.env
 
 # Secrets
 secrets/*.txt