homepage: read HA token from env var; stop committing it in plaintext

services.yaml now references key: "{{HOMEPAGE_VAR_HASS_TOKEN}}" instead of
the inline long-lived HA JWT (which was exposed in this public-fronted repo
and has been rotated + revoked). Secret now lives only in observability/.env
(untracked, mode 600). Add .gitignore for .env/secrets so this can't recur.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
This commit is contained in:
tommy
2026-06-27 22:01:27 -05:00
parent 50e3107e38
commit 0be9ae426b
2 changed files with 14 additions and 1 deletions
+13
View File
@@ -0,0 +1,13 @@
# Secrets / credentials — never commit
.env
.env.*
*.env
secrets.yaml
secrets.yml
secrets.*.yaml
*.key
*.pem
*.crt
credentials
*credentials*
*.secret