homepage: read HA token from env var; stop committing it in plaintext
services.yaml now references key: "{{HOMEPAGE_VAR_HASS_TOKEN}}" instead of
the inline long-lived HA JWT (which was exposed in this public-fronted repo
and has been rotated + revoked). Secret now lives only in observability/.env
(untracked, mode 600). Add .gitignore for .env/secrets so this can't recur.
Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
This commit is contained in:
@@ -200,7 +200,7 @@
|
||||
widget:
|
||||
type: homeassistant
|
||||
url: http://192.168.99.100:8123
|
||||
key: eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJpc3MiOiI1MmRhODYzMzFkMDI0NzhiODcxYzhjYjE4MGNhMWEwMCIsImlhdCI6MTc3MDYwODA3MCwiZXhwIjoyMDg1OTY4MDcwfQ.Nwq2auBILpZXsZI1g7mbE8JIBa5XrUwo599oEVCp2QQ
|
||||
key: "{{HOMEPAGE_VAR_HASS_TOKEN}}"
|
||||
fields: ["sensor.processor_use", "binary_sensor.update_available"]
|
||||
|
||||
- Cloud & Storage:
|
||||
|
||||
Reference in New Issue
Block a user