feat: add optional secret handling for server status reporting

[froz42]

Anyone can spoof server status reporting without a proper secret. This merge request is incomplete for the UI and install script but fix this.

if someone make the implementation of the script.sh it should not leak the credential or at least be protected by a token in the uri

[moonrailgun]

i think its looks verrrrrrrrrry cool but can you support workspace feature rather than only use env?

or i can finish it later, but maybe rebase and resolve conflict first?