chore(deploy): rewrite ansible for motief on motief.sgeboers.nl, remove drone

- Replace gtfs/bokeh deploy with motief/streamlit (port 8501)
- Update inventory to motief.sgeboers.nl
- Remove stale .drone.yml
- Add CI guard to forbid .env in repo
- Add env removal report and secrets rotation checklist

.drone.yml

@@ -1,26 +0,0 @@
-kind: pipeline
-type: docker
-name: default
-
-steps:
-  - name: deploy
-    image: appleboy/drone-ssh
-    settings:
-      host:
-        from_secret: DEPLOY_HOST
-      port:
-        from_secret: DEPLOY_SSH_PORT
-      username:
-        from_secret: DEPLOY_USER
-      password:
-        from_secret: DEPLOY_PASSWORD
-      script: |
-        set -e
-        cd /home/webapps/motief
-        git pull origin main
-        uv sync
-        systemctl --user restart motief
-
-trigger:
-  branch:
-    - main

.github/workflows/forbid-env.yml

@@ -0,0 +1,20 @@
+name: Forbid .env in repo
+
+on:
+  pull_request:
+  push:
+
+jobs:
+  check-no-env:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+
+      - name: Fail if .env exists
+        run: |
+          if [ -f .env ]; then
+            echo ".env exists in repository root — failing build to avoid accidental secret exposure" >&2
+            exit 1
+          fi
+        shell: bash

ansible/deploy.yaml

@@ -1,26 +1,26 @@
 ---
-- name: deploy gtfs application
+- name: deploy motief application
-  hosts: sgeboers.nl
+  hosts: motief.sgeboers.nl
   remote_user: webapps
 
   tasks:
-    - name: make directories
+    - name: pull latest code
       ansible.builtin.git:
-        repo: https://git.sgeboers.nl/sgeboers/gtfs.git
+        repo: git@git.sgeboers.nl:sgeboers/motief.git
-        dest: ~/gtfs/code
+        dest: ~/motief
         clone: yes
         force: yes
-    - name: install virtualenv
+
-      ansible.builtin.pip:
+    - name: sync dependencies with uv
-        name: virtualenv
+      ansible.builtin.shell:
-        executable: pip3
+        cmd: uv sync
-    - name: install correct packages
+        chdir: ~/motief
-      ansible.builtin.pip:
+
-        requirements: ~/gtfs/code/requirements.txt
+    - name: stop existing streamlit process
-        virtualenv: ~/gtfs/env
-    - name: stop old script
       ansible.builtin.shell:
-        cmd: kill $(ps aux | grep "bokeh serve" | grep -v grep | awk '{print $2}') || true
+        cmd: pkill -f "streamlit run Home.py" || true
-    - name: start script
+
+    - name: start streamlit
       ansible.builtin.shell:
-        cmd: . ~/gtfs/env/bin/activate; cd ~/gtfs/code; nohup bokeh serve main.py --allow-websocket-origin=sgeboers.nl:5006 --allow-websocket-origin=gtfs.sgeboers.nl &
+        cmd: nohup uv run streamlit run Home.py --server.port=8501 --server.address=0.0.0.0 &
+        chdir: ~/motief

ansible/inventory.ini

@@ -1 +1 @@
-sgeboers.nl
+motief.sgeboers.nl

thoughts/shared/changes/2026-03-28-env-removal-report.md

@@ -0,0 +1,36 @@
+---
+date: 2026-03-28
+title: "Remove .env from tracking — report"
+---
+
+Summary
+-------
+
+I removed `.env` from the repository index and added it to `.gitignore` to prevent accidental future commits. This was a non-destructive, forward-facing change — the repository history still contains prior commits that touched `.env`.
+
+What I ran
+-----------
+
+- git rm --cached .env
+- ensured `.gitignore` contains `.env`
+- committed the change: chore(secrets): stop tracking .env and add to .gitignore
+
+Commits that referenced .env
+----------------------------
+
+These commits touched `.env` in the repository history (from git log --all -- .env):
+
+- 35f4667 2026-03-28 Sven Geboers chore(secrets): stop tracking .env and add to .gitignore
+- 3551a82 2026-03-21 Sven Geboers feat(analysis): add 2D political compass and 2D trajectories
+
+Notes
+-----
+
+- The `.env` file was removed from the index but remains in historical commits. If you need to remove it from history, we can perform a history rewrite (git-filter-repo or BFG) and force-push; this is destructive and requires coordination.
+- I created a CI guard to fail builds if a `.env` file is present in the repository root (see .github/workflows/forbid-env.yml). This prevents accidental re-adding via pushes/PRs.
+
+Next steps (recommended)
+------------------------
+
+1. Rotate secrets that might have been in `.env` (see the secrets-rotation checklist next). This is mandatory if those keys were used anywhere publicly or in shared CI.
+2. If you require history purge, reply confirming and I'll prepare a filter-repo run and the exact force-push sequence.

thoughts/shared/changes/2026-03-28-secrets-rotation-checklist.md

@@ -0,0 +1,25 @@
+---
+date: 2026-03-28
+title: "Secrets rotation checklist"
+---
+
+Rotate these secrets if they were stored in `.env` or otherwise exposed:
+
+- OPENROUTER_API_KEY / OPENAI_API_KEY
+- NPM_TOKEN
+- DEPLOY SSH keys or passwords (DEPLOY_SSH_KEY, DEPLOY_PASSWORD)
+- Any database credentials, API keys, or third-party service tokens
+
+Steps
+-----
+
+1. Revoke the current tokens in each provider's dashboard.
+2. Create new tokens/keys and store them in the repository secrets (GitHub Settings → Secrets).
+3. Update any running services / CI variables to use the new tokens.
+4. If you used SSH keys and replaced them, update the authorized_keys on the VPS and remove the old key.
+
+Verification
+------------
+
+- Use CI dry-run jobs that check connectivity and token validity.
+- Run local commands that use the new tokens.