From e013bb6a9ae558865721be29c9a4534b2c309eb2 Mon Sep 17 00:00:00 2001
From: Neale Pickett
Date: Sat, 18 Feb 2023 12:47:05 -0700
Subject: [PATCH] Default to a secret file

---
 build/Dockerfile => Dockerfile | 0
 README.md | 7 +++----
 build.sh | 7 +++++++
 build/build.sh | 9 ---------
 build/gitlab-vars | 25 -------------------------
 cmd/simpleauth/main.go | 2 +-
 6 files changed, 11 insertions(+), 39 deletions(-)
 rename build/Dockerfile => Dockerfile (100%)
 create mode 100755 build.sh
 delete mode 100755 build/build.sh
 delete mode 100755 build/gitlab-vars

diff --git a/build/Dockerfile b/Dockerfile
similarity index 100%
rename from build/Dockerfile
rename to Dockerfile
diff --git a/README.md b/README.md
index f5358e7..18140e3 100644
--- a/README.md
+++ b/README.md
@@ -57,6 +57,7 @@ services:
 image: ghcr.io/nealey/simpleauth
 secrets:
 - password
+ - simpleauth.key
 deploy:
 labels:
 traefik.enable: "true"
@@ -78,10 +79,8 @@ When the HMAC is good, and the timestamp is in the future, the token is a valid authentication. This technique means there is no persistent server storage.
-If you use the default of pulling the session secret from the OS PRNG,
-then everybody will have to log in again every time the server restarts.
-You can use the `-secret` argument to provide a persistent secret,
-so this won't happen.
+If you don't want keys to persist across service invocations / reboots,
+you can pass in `-secret /dev/urandom`.
 Some things, like WebDAV,
diff --git a/build.sh b/build.sh
new file mode 100755
index 0000000..4990407
--- /dev/null
+++ b/build.sh
@@ -0,0 +1,7 @@
+#! /bin/sh
+
+set -e
+
+tag=git.woozle.org/neale/simpleauth:latest
+
+docker buildx --push --tag $tag $(dirname $0)/.
diff --git a/build/build.sh b/build/build.sh
deleted file mode 100755
index 9e80d56..0000000
--- a/build/build.sh
+++ /dev/null
@@ -1,9 +0,0 @@
-#! /bin/sh
-
-set -e
-
-tag=git.woozle.org/neale/simpleauth
-
-cd $(dirname $0)/..
-docker build -t $tag -f build/Dockerfile .
-docker push $tag
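Review bot: The last line of build.sh invokes `docker buildx --push --tag $tag ...` without the `build` subcommand, so `--push` and `--tag` are passed to buildx itself rather than to a build and the script fails before anything is built or pushed; the line should read `docker buildx build --push --tag "$tag" "$(dirname "$0")/."`. `set -e` does not help here because this is the only command in the script. Quoting `$tag` and `$(dirname "$0")` also keeps a checkout path containing spaces from being word-split into extra arguments.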
diff --git a/build/gitlab-vars b/build/gitlab-vars
deleted file mode 100755
index 582d871..0000000
--- a/build/gitlab-vars
+++ /dev/null
@@ -1,25 +0,0 @@
-#! /bin/sh
-
-case $1 in
- -h|-help|--help)
- echo "Usage: $0 TARGET"
- echo
- echo "Sets CI build variables for gitlab"
- exit 1
- ;;
-esac
-
-branch=$(git symbolic-ref -q --short HEAD)
-if [ "$branch" = "main" ]; then
- branch=latest
-fi
-
-printf "Branch: %s\n" "$branch"
-printf "::set-output name=branch::%s\n" "$branch"
-printf "::set-output name=tag::%s\n" "$branch"
-
-# I think it will use whichever comes last
-git tag --points-at HEAD | while read tag; do
- printf "Tag: %s\n" "$tag"
- printf "::set-output name=tag::%s\n" "$tag"
-done
diff --git a/cmd/simpleauth/main.go b/cmd/simpleauth/main.go
index 663baa6..beb35fc 100644
--- a/cmd/simpleauth/main.go
+++ b/cmd/simpleauth/main.go
@@ -113,7 +113,7 @@ func main() {
 )
 secretPath := flag.String(
 "secret",
- "/dev/urandom",
+ "/run/secrets/simpleauth.key",
 "Path to a file containing some sort of secret, for signing requests",
 )
 htmlPath := flag.String(
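Review bot: The new default `/run/secrets/simpleauth.key` makes start-up depend on a mounted Docker/compose secret, but the flag's help text on the following line still says only "some sort of secret" and gives no hint of that convention or of the ephemeral alternative the README now documents; suggest `"Path to a file containing the signing secret (default is the Docker secret simpleauth.key; use /dev/urandom for a key that changes on every start)"`. How `*secretPath` is read and what happens when the file is absent or empty is outside this hunk, so it is worth confirming that a missing secret file makes the process exit with a clear error rather than signing tokens with an empty or partial key. The body of main begins and ends outside the hunk.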