refactor: [#28] complete Hetzner token management simplification

- Centralize all Hetzner tokens in provider configuration files
- Standardize token names (HETZNER_API_TOKEN, HETZNER_DNS_API_TOKEN)
- Remove ~/.config/hetzner/ directory support for simplified workflow
- Update provider scripts to use centralized token management
- Update DNS management script for new token structure
- Update all documentation and setup guides
- Add comprehensive refactoring documentation
- Remove hetzner.env from git tracking (contains secrets)

Tested: E2E tests pass (2m 54s) - fully validated refactoring

Files modified:
- infrastructure/config/templates/providers/hetzner.env.tpl (standardized template)
- infrastructure/terraform/providers/hetzner/provider.sh (removed ~/.config/hetzner support)
- scripts/manage-hetzner-dns.sh (updated to use provider config)
- docs/guides/providers/hetzner/* (updated setup guides)
- docs/refactoring/hetzner-token-simplification.md (new refactoring documentation)

Files untracked:
- infrastructure/config/providers/hetzner.env (contains secrets, now properly ignored)

Author: josecelano

docs/guides/providers/hetzner/README.md

@@ -71,17 +71,17 @@ The Torrust Tracker Demo uses a comprehensive Hetzner setup:
 ### 2. API Token Setup
 
 ```bash
-# Create secure token storage
-mkdir -p ~/.config/hetzner
-chmod 700 ~/.config/hetzner
+# Copy provider configuration template
+cp infrastructure/config/templates/providers/hetzner.env.tpl infrastructure/config/providers/hetzner.env
 
-# Store Hetzner Cloud API token
-echo "YOUR_CLOUD_TOKEN" > ~/.config/hetzner/cloud_api_token
-chmod 600 ~/.config/hetzner/cloud_api_token
+# Edit the configuration file to add your tokens
+# Add these lines to infrastructure/config/providers/hetzner.env:
+#   HETZNER_API_TOKEN=your_64_character_cloud_api_token_here
+#   HETZNER_DNS_API_TOKEN=your_dns_api_token_here
 
-# Store Hetzner DNS API token
-echo "YOUR_DNS_TOKEN" > ~/.config/hetzner/dns_api_token
-chmod 600 ~/.config/hetzner/dns_api_token
+# Get your tokens from:
+# Cloud API: https://console.hetzner.cloud/ → Project → Security → API Tokens
+# DNS API: https://dns.hetzner.com/ → API Tokens
 ```
 
 ### 3. Domain Configuration
@@ -169,7 +169,7 @@ ENVIRONMENT=production-hetzner PROVIDER=hetzner make infra-destroy
 
 **Infrastructure Problems:**
 
-- **API Token Issues**: Verify tokens are stored correctly in `~/.config/hetzner/`
+- **API Token Issues**: Verify tokens are configured correctly in `infrastructure/config/providers/hetzner.env`
 - **Network Connectivity**: Check Hetzner status page for outages
 - **Resource Limits**: Verify account limits in Hetzner console
 
@@ -183,11 +183,11 @@ ENVIRONMENT=production-hetzner PROVIDER=hetzner make infra-destroy
 
 ```bash
 # Test Hetzner Cloud API
-curl -H "Authorization: Bearer $(cat ~/.config/hetzner/cloud_api_token)" \
+curl -H "Authorization: Bearer $HETZNER_API_TOKEN"
      "https://api.hetzner.cloud/v1/servers"
 
 # Test Hetzner DNS API
-curl -H "Auth-API-Token: $(cat ~/.config/hetzner/dns_api_token)" \
+curl -H "Auth-API-Token: $HETZNER_DNS_API_TOKEN"
      "https://dns.hetzner.com/api/v1/zones"
 
 # Check DNS propagation
@@ -204,8 +204,9 @@ Hetzner configuration integrates with the main project's twelve-factor approach:
 ```bash
 # infrastructure/config/environments/production-hetzner.env
 PROVIDER=hetzner
-HETZNER_CLOUD_TOKEN_FILE=~/.config/hetzner/cloud_api_token
-HETZNER_DNS_TOKEN_FILE=~/.config/hetzner/dns_api_token
+# Token file paths (for reference)
+HETZNER_API_TOKEN_CONFIG=infrastructure/config/providers/hetzner.env
+HETZNER_DNS_TOKEN_CONFIG=infrastructure/config/providers/hetzner.env
 DOMAIN_NAME=your-domain.com
 TRACKER_SUBDOMAIN=tracker.your-domain.com
 GRAFANA_SUBDOMAIN=grafana.your-domain.com

docs/guides/providers/hetzner/hetzner-cloud-setup-guide.md

@@ -28,27 +28,28 @@ This guide explains how to set up and use the Hetzner Cloud provider with the To
 For enhanced security, store your Hetzner Cloud API token using secure file storage
 instead of environment variables:
 
-### Option 1: Secure Storage (Recommended)
+### Provider Configuration Setup
 
 ```bash
-# Create secure storage directory
-mkdir -p ~/.config/hetzner
-chmod 700 ~/.config/hetzner
+# Copy provider configuration template
+cp infrastructure/config/templates/providers/hetzner.env.tpl infrastructure/config/providers/hetzner.env
 
-# Store the Hetzner Cloud API token (replace YOUR_TOKEN_HERE with actual token)
-echo "YOUR_TOKEN_HERE" > ~/.config/hetzner/cloud_api_token
-chmod 600 ~/.config/hetzner/cloud_api_token
+# Edit the configuration file to add your Hetzner Cloud API token
+# Replace REPLACE_WITH_YOUR_HETZNER_API_TOKEN with your actual 64-character token
+# HETZNER_API_TOKEN=your_64_character_token_here
 
-# Verify storage
-ls -la ~/.config/hetzner/
-# Should show: -rw------- 1 user user 65 date time cloud_api_token
+# Verify configuration
+grep HETZNER_API_TOKEN infrastructure/config/providers/hetzner.env
 ```
 
-### Test Token Storage
+### Test Token Configuration
 
 ```bash
-# Test that token can be loaded from storage
-CLOUD_TOKEN=$(cat ~/.config/hetzner/cloud_api_token)
+# Source the provider configuration
+source infrastructure/config/providers/hetzner.env
+
+# Test that token is loaded correctly
+CLOUD_TOKEN="$HETZNER_API_TOKEN"
 echo "Token length: ${#CLOUD_TOKEN} characters"
 # Should show: Token length: 64 characters
 
@@ -63,12 +64,12 @@ curl -H "Authorization: Bearer $CLOUD_TOKEN" \
 If you prefer environment variables, you can still use the traditional approach:
 
 ```bash
-export HETZNER_TOKEN=your_64_character_token_here
+export HETZNER_API_TOKEN=your_64_character_token_here
 ```
 
-> **Note**: The infrastructure scripts will automatically detect tokens from secure
-> storage first, then fall back to environment variables. Secure storage is
-> recommended for production use.
+> **Note**: The infrastructure scripts automatically load the Cloud API token
+> from `infrastructure/config/providers/hetzner.env`. You no longer need to set the
+> `HETZNER_API_TOKEN` environment variable if using provider configuration.
 
 ## Step 3: Configure Provider
 
@@ -88,7 +89,7 @@ export HETZNER_TOKEN=your_64_character_token_here
 
    ```bash
    # Required: Your Hetzner API token
-   HETZNER_TOKEN=your_64_character_token_here
+   HETZNER_API_TOKEN=your_64_character_token_here
 
    # Optional: Customize server settings
    HETZNER_SERVER_TYPE=cx31          # 2 vCPU, 8GB RAM, 80GB SSD
@@ -181,13 +182,13 @@ Hetzner Cloud service limitation makes manual volume attachment the only reliabl
 
    ```bash
    # Create a 20GB volume for persistent data
-   HCLOUD_TOKEN="$HETZNER_TOKEN" hcloud volume create \
+   HCLOUD_TOKEN="$HETZNER_API_TOKEN" hcloud volume create \
      --name torrust-data \
      --size 20 \
      --location fsn1
 
    # Attach volume to server
-   HCLOUD_TOKEN="$HETZNER_TOKEN" hcloud volume attach \
+   HCLOUD_TOKEN="$HETZNER_API_TOKEN" hcloud volume attach \
      torrust-data torrust-tracker-prod
    ```
 
@@ -406,7 +407,7 @@ by Hetzner. Use `hcloud server-type list` for current availability.
    export PATH=$PATH:$(go env GOPATH)/bin
 
    # List current server types
-   HCLOUD_TOKEN="$HETZNER_TOKEN" hcloud server-type list
+   HCLOUD_TOKEN="$HETZNER_API_TOKEN" hcloud server-type list
    ```
 
 2. Update your configuration with a valid server type:
@@ -428,7 +429,7 @@ by Hetzner. Use `hcloud server-type list` for current availability.
 2. Verify token has Read & Write permissions
 3. Check token is correctly set in both:
    - `infrastructure/config/providers/hetzner.env`
-   - Environment variable: `export HETZNER_TOKEN=your_token_here`
+   - Environment variable: `export HETZNER_API_TOKEN=your_token_here`
 
 #### 3. Provider Configuration Variable Collision
 
@@ -448,7 +449,7 @@ in provider scripts.
 1. Check current locations:
 
    ```bash
-   HCLOUD_TOKEN="$HETZNER_TOKEN" hcloud location list
+   HCLOUD_TOKEN="$HETZNER_API_TOKEN" hcloud location list
    ```
 
 2. Try different locations:
@@ -688,10 +689,10 @@ This limitation validates our architectural decision to make volume setup manual
 
 ```bash
 # Check current server types and availability
-HCLOUD_TOKEN="$HETZNER_TOKEN" hcloud server-type list
+HCLOUD_TOKEN="$HETZNER_API_TOKEN" hcloud server-type list
 
 # Check available locations
-HCLOUD_TOKEN="$HETZNER_TOKEN" hcloud location list
+HCLOUD_TOKEN="$HETZNER_API_TOKEN" hcloud location list
 
 # Validate configuration without applying
 make infra-plan ENVIRONMENT=production-hetzner PROVIDER=hetzner
@@ -703,8 +704,8 @@ make infra-status ENVIRONMENT=production-hetzner PROVIDER=hetzner
 make vm-ssh ENVIRONMENT=production-hetzner
 
 # Check server details (after deployment)
-HCLOUD_TOKEN="$HETZNER_TOKEN" hcloud server list
-HCLOUD_TOKEN="$HETZNER_TOKEN" hcloud server describe torrust-tracker-prod
+HCLOUD_TOKEN="$HETZNER_API_TOKEN" hcloud server list
+HCLOUD_TOKEN="$HETZNER_API_TOKEN" hcloud server describe torrust-tracker-prod
 ```
 
 ### Real-Time Information Commands
@@ -713,13 +714,13 @@ Always verify current Hetzner Cloud offerings before deployment:
 
 ```bash
 # Get current server types with pricing
-HCLOUD_TOKEN="$HETZNER_TOKEN" hcloud server-type list
+HCLOUD_TOKEN="$HETZNER_API_TOKEN" hcloud server-type list
 
 # Get current datacenter locations
-HCLOUD_TOKEN="$HETZNER_TOKEN" hcloud location list
+HCLOUD_TOKEN="$HETZNER_API_TOKEN" hcloud location list
 
 # Check image availability
-HCLOUD_TOKEN="$HETZNER_TOKEN" hcloud image list --type=system | grep ubuntu
+HCLOUD_TOKEN="$HETZNER_API_TOKEN" hcloud image list --type=system | grep ubuntu
 ```
 
 ## Docker Compose Commands on Deployed Server

docs/guides/providers/hetzner/hetzner-dns-setup-guide.md

@@ -64,23 +64,20 @@ This setup provides:
 Store the token securely on your system:
 
 ```bash
-# Create secure storage for API token
-mkdir -p ~/.config/hetzner
-chmod 700 ~/.config/hetzner
+# Configure DNS API token in provider configuration
+# Edit infrastructure/config/providers/hetzner.env and add:
+# HETZNER_DNS_API_TOKEN=your_dns_api_token_here
 
-# Store the token (replace YOUR_TOKEN_HERE with actual token)
-echo "YOUR_TOKEN_HERE" > ~/.config/hetzner/dns_api_token
-chmod 600 ~/.config/hetzner/dns_api_token
-
-# Verify storage
-ls -la ~/.config/hetzner/
+# Verify configuration
+grep HETZNER_DNS_API_TOKEN infrastructure/config/providers/hetzner.env
 ```
 
 ### 1.4 Test API Access
 
 ```bash
-# Load token from secure storage
-DNS_TOKEN=$(cat ~/.config/hetzner/dns_api_token)
+# Load token from provider configuration
+source infrastructure/config/providers/hetzner.env
+DNS_TOKEN="$HETZNER_DNS_API_TOKEN"
 
 # Test API access
 curl -H "Auth-API-Token: $DNS_TOKEN" \
@@ -117,22 +114,21 @@ stored using the same secure method.
 Store the Hetzner Cloud API token alongside the DNS token:
 
 ```bash
-# Store the Hetzner Cloud API token (replace YOUR_CLOUD_TOKEN_HERE with actual token)
-echo "YOUR_CLOUD_TOKEN_HERE" > ~/.config/hetzner/cloud_api_token
-chmod 600 ~/.config/hetzner/cloud_api_token
-
-# Verify both tokens are stored securely
-ls -la ~/.config/hetzner/
-# Should show:
-# -rw------- 1 user user 65 date time cloud_api_token
-# -rw------- 1 user user 65 date time dns_api_token
+# Configure Hetzner Cloud API token in provider configuration
+# Edit infrastructure/config/providers/hetzner.env and ensure you have:
+# HETZNER_API_TOKEN=your_64_character_cloud_api_token_here
+# HETZNER_DNS_API_TOKEN=your_dns_api_token_here
+
+# Verify both tokens are configured
+grep "HETZNER.*_TOKEN" infrastructure/config/providers/hetzner.env
 ```
 
 ### 1.5.3 Test Cloud API Access
 
 ```bash
-# Load token from secure storage
-CLOUD_TOKEN=$(cat ~/.config/hetzner/cloud_api_token)
+# Load token from provider configuration
+source infrastructure/config/providers/hetzner.env
+CLOUD_TOKEN="$HETZNER_API_TOKEN"
 
 # Test API access
 curl -H "Authorization: Bearer $CLOUD_TOKEN" \
@@ -141,17 +137,18 @@ curl -H "Authorization: Bearer $CLOUD_TOKEN" \
 # Expected output: {"servers": []} (empty array for new accounts)
 ```
 
-> **Note**: The infrastructure scripts will automatically detect and use the token
-> from `~/.config/hetzner/cloud_api_token`. You no longer need to set the
-> `HETZNER_TOKEN` environment variable if using secure storage.
+> **Note**: The infrastructure scripts automatically load tokens
+> from `infrastructure/config/providers/hetzner.env`. You no longer need to set
+> environment variables separately if using provider configuration.
 
 ## 🌐 Step 2: Create DNS Zone
 
 ### 2.1 Create Zone for Your Domain
 
 ```bash
 # Load API token
-DNS_TOKEN=$(cat ~/.config/hetzner/dns_api_token)
+source infrastructure/config/providers/hetzner.env
+DNS_TOKEN="$HETZNER_DNS_API_TOKEN"
 
 # Create DNS zone for torrust-demo.dev
 curl -X POST "https://dns.hetzner.com/api/v1/zones" \
@@ -227,7 +224,8 @@ SERVER_IP="138.199.166.49"  # Replace with your actual IP
 
 ```bash
 # Load API configuration
-DNS_TOKEN=$(cat ~/.config/hetzner/dns_api_token)
+source infrastructure/config/providers/hetzner.env
+DNS_TOKEN="$HETZNER_DNS_API_TOKEN"
 ZONE_ID="aBcDeFgHiJkLmNoPqRsTuVwXyZ"  # Replace with your zone ID
 SERVER_IP="138.199.166.49"              # Replace with your server IP
 
@@ -365,7 +363,8 @@ curl -k -I https://grafana.torrust-demo.dev
 ### View All Zones
 
 ```bash
-DNS_TOKEN=$(cat ~/.config/hetzner/dns_api_token)
+source infrastructure/config/providers/hetzner.env
+DNS_TOKEN="$HETZNER_DNS_API_TOKEN"
 curl -H "Auth-API-Token: $DNS_TOKEN" \
      "https://dns.hetzner.com/api/v1/zones" | jq
 ```
@@ -443,7 +442,8 @@ cat > scripts/manage-dns.sh << 'EOF'
 set -euo pipefail
 
 # Configuration
-DNS_TOKEN=$(cat ~/.config/hetzner/dns_api_token)
+source infrastructure/config/providers/hetzner.env
+DNS_TOKEN="$HETZNER_DNS_API_TOKEN"
 DOMAIN="torrust-demo.dev"
 BASE_URL="https://dns.hetzner.com/api/v1"
 
@@ -512,7 +512,8 @@ chmod +x scripts/manage-dns.sh
 
 ```bash
 # Test token validity
-DNS_TOKEN=$(cat ~/.config/hetzner/dns_api_token)
+source infrastructure/config/providers/hetzner.env
+DNS_TOKEN="$HETZNER_DNS_API_TOKEN"
 curl -H "Auth-API-Token: $DNS_TOKEN" \
      "https://dns.hetzner.com/api/v1/zones"