Using secrets for multiple api, ota, ap keys

[TV456]

Describe the enhancement

It would be very helpful to be able to store all ESP devices with a separate key or password for the api, ota and ap in the secrets.yaml file and then by !include (or through packages) selecting the appropriate keys/passwords.

Apparently this not the way ESPHome is set up, mainly because of security reasons.

Maybe it is an option to go about it the following way:

1. Add a yaml mapping to secrets: i.e.

esp_devices:
  [
    { "device_name": "test1", "api": "apiKey1", "ota": "otaKey1", "ap": "apPassword1" },
    { "device_name": "test2", "api": "apiKey2", "ota": "otaKey2", "ap": "apPassword2" },
    ...
  ]

2. Using a template to fetch the keys by device_name as substitution in example in an api.yaml file to include:

substitutions:
  api_encryption_key: {%- for devices in !secret esp_devices %}
      {% if devices.device_name == ${device_name} %}
        {{ devices.api }}
      {% endif %}
    {%- endfor %}

api:
  encryption:
    key: "${api_encryption_key}"

or by a reference:

api:
  encryption:
    key: !secrets esp_devices[$(device_name)]["api"]

In both examples the $(device_name) is the substitution set in main device yaml file.

Use cases

The use case would being able to set the entire base device setup in separate yaml-files for uniformity and easy maintenance and having the ability to have individual keys and passwords for each device.

Visual examples

No response

Anything else?

No response