homepage: read HA token from env var; stop committing it in plaintext

services.yaml now references key: "{{HOMEPAGE_VAR_HASS_TOKEN}}" instead of
the inline long-lived HA JWT (which was exposed in this public-fronted repo
and has been rotated + revoked). Secret now lives only in observability/.env
(untracked, mode 600). Add .gitignore for .env/secrets so this can't recur.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
This commit is contained in:
tommy
2026-06-27 22:01:27 -05:00
parent 50e3107e38
commit 0be9ae426b
2 changed files with 14 additions and 1 deletions
+13
View File
@@ -0,0 +1,13 @@
# Secrets / credentials — never commit
.env
.env.*
*.env
secrets.yaml
secrets.yml
secrets.*.yaml
*.key
*.pem
*.crt
credentials
*credentials*
*.secret
+1 -1
View File
@@ -200,7 +200,7 @@
widget:
type: homeassistant
url: http://192.168.99.100:8123
key: eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJpc3MiOiI1MmRhODYzMzFkMDI0NzhiODcxYzhjYjE4MGNhMWEwMCIsImlhdCI6MTc3MDYwODA3MCwiZXhwIjoyMDg1OTY4MDcwfQ.Nwq2auBILpZXsZI1g7mbE8JIBa5XrUwo599oEVCp2QQ
key: "{{HOMEPAGE_VAR_HASS_TOKEN}}"
fields: ["sensor.processor_use", "binary_sensor.update_available"]
- Cloud & Storage: