feat: Import secretes from secrets.yml

[flooxo]

Description

I have implemented a new function so that it is now possible to import secrets from a secrets.yml file using the keyword !secret.

When loading the config, the corresponding key is loaded with the token from the secrets.yml file and replaced everywhere in the config.yml file

Fixes #609

Type of change

• Bug fix (non-breaking change which fixes an issue)
• New feature (non-breaking change which adds functionality)
• Breaking change (fix or feature that would cause existing functionality to not work as expected)

Checklist:

• I've read & comply with the contributing guidelines
• I have tested my code for new features & regressions on both mobile & desktop devices, using the latest version of major browsers.
• I have made corresponding changes to the documentation (README.md).
• I've checked my modifications for any breaking changes, especially in the config.yml file

[netlify]

✅ Deploy Preview for homer-demo-content ready!

Name	Link
🔨 Latest commit	d6ffdd8
🔍 Latest deploy log	https://app.netlify.com/sites/homer-demo-content/deploys/65a551f3d55edf000836caf2
😎 Deploy Preview	https://deploy-preview-735--homer-demo-content.netlify.app
📱 Preview on mobile	Toggle QR Code... Use your smartphone camera to open QR code link.

---

To edit notification comments on pull requests, go to your Netlify site configuration.

[kgromer]

This is awesome! Please pull this into the main branch.

[bastienwirtz]

Hello,

Indeed, secret in homer config file can be problematic. If you use secrets, Homer should not be exposed publicly (or behind some kind of auth proxy).
However, this approach can be misleading, users could think their secrets are secure in the separate file and expose it to the internet without any auth. It also add an additional request for no real value.

The only way to hide credentials would be to proxy the request on the server side.

[bastienwirtz]

This secret file is as public as the main config file. Having it separated can help manage the secrets, but it does not add any security.

[flooxo]

Thank you for the feedback. I certainly agree, it does not make the secrets more secure. Perhaps the wording in the documentation should be revised.

The advantage of this feature is that you can publish your config without worrying, as discussed in #609.
And I would say that most homer users also run other services and therefore know how to deal with secrets. This feature gives them a more structured way to manage secrets without enforcing specific security implementations :)