homepage: read HA token from env var; stop committing it in plaintext
services.yaml now references key: "{{HOMEPAGE_VAR_HASS_TOKEN}}" instead of
the inline long-lived HA JWT (which was exposed in this public-fronted repo
and has been rotated + revoked). Secret now lives only in observability/.env
(untracked, mode 600). Add .gitignore for .env/secrets so this can't recur.
Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
This commit is contained in:
+13
@@ -0,0 +1,13 @@
|
||||
# Secrets / credentials — never commit
|
||||
.env
|
||||
.env.*
|
||||
*.env
|
||||
secrets.yaml
|
||||
secrets.yml
|
||||
secrets.*.yaml
|
||||
*.key
|
||||
*.pem
|
||||
*.crt
|
||||
credentials
|
||||
*credentials*
|
||||
*.secret
|
||||
Reference in New Issue
Block a user