homepage: read HA token from env var; stop committing it in plaintext
services.yaml now references key: "{{HOMEPAGE_VAR_HASS_TOKEN}}" instead of
the inline long-lived HA JWT (which was exposed in this public-fronted repo
and has been rotated + revoked). Secret now lives only in observability/.env
(untracked, mode 600). Add .gitignore for .env/secrets so this can't recur.
Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
This commit is contained in:
+13
@@ -0,0 +1,13 @@
|
||||
# Secrets / credentials — never commit
|
||||
.env
|
||||
.env.*
|
||||
*.env
|
||||
secrets.yaml
|
||||
secrets.yml
|
||||
secrets.*.yaml
|
||||
*.key
|
||||
*.pem
|
||||
*.crt
|
||||
credentials
|
||||
*credentials*
|
||||
*.secret
|
||||
@@ -200,7 +200,7 @@
|
||||
widget:
|
||||
type: homeassistant
|
||||
url: http://192.168.99.100:8123
|
||||
key: eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJpc3MiOiI1MmRhODYzMzFkMDI0NzhiODcxYzhjYjE4MGNhMWEwMCIsImlhdCI6MTc3MDYwODA3MCwiZXhwIjoyMDg1OTY4MDcwfQ.Nwq2auBILpZXsZI1g7mbE8JIBa5XrUwo599oEVCp2QQ
|
||||
key: "{{HOMEPAGE_VAR_HASS_TOKEN}}"
|
||||
fields: ["sensor.processor_use", "binary_sensor.update_available"]
|
||||
|
||||
- Cloud & Storage:
|
||||
|
||||
Reference in New Issue
Block a user