Default to a secret file

README.md

@@ -57,6 +57,7 @@ services:
     image: ghcr.io/nealey/simpleauth
     secrets:
       - password
+      - simpleauth.key
     deploy:
       labels:
         traefik.enable: "true"
@@ -78,10 +79,8 @@ When the HMAC is good, and the timestamp is in the future,
 the token is a valid authentication.
 This technique means there is no persistent server storage.
 
-If you use the default of pulling the session secret from the OS PRNG,
+If you don't want keys to persist across service invocations / reboots,
-then everybody will have to log in again every time the server restarts.
+you can pass in `-secret /dev/urandom`.
-You can use the `-secret` argument to provide a persistent secret,
-so this won't happen.
 
 Some things,
 like WebDAV,

build.sh

@@ -0,0 +1,7 @@
+#! /bin/sh
+
+set -e
+
+tag=git.woozle.org/neale/simpleauth:latest
+
+docker buildx --push --tag $tag $(dirname $0)/.

build/build.sh

@@ -1,9 +0,0 @@
-#! /bin/sh
-
-set -e
-
-tag=git.woozle.org/neale/simpleauth
-
-cd $(dirname $0)/..
-docker build -t $tag -f build/Dockerfile .
-docker push $tag

build/gitlab-vars

@@ -1,25 +0,0 @@
-#! /bin/sh
-
-case $1 in
-    -h|-help|--help)
-        echo "Usage: $0 TARGET"
-        echo
-        echo "Sets CI build variables for gitlab"
-        exit 1
-        ;;
-esac
-
-branch=$(git symbolic-ref -q --short HEAD)
-if [ "$branch" = "main" ]; then
-    branch=latest
-fi
-
-printf "Branch: %s\n" "$branch"
-printf "::set-output name=branch::%s\n" "$branch"
-printf "::set-output name=tag::%s\n" "$branch"
-
-# I think it will use whichever comes last
-git tag --points-at HEAD | while read tag; do
-    printf "Tag: %s\n" "$tag"
-    printf "::set-output name=tag::%s\n" "$tag"
-done

cmd/simpleauth/main.go

@@ -113,7 +113,7 @@ func main() {
 	)
 	secretPath := flag.String(
 		"secret",
-		"/dev/urandom",
+		"/run/secrets/simpleauth.key",
 		"Path to a file containing some sort of secret, for signing requests",
 	)
 	htmlPath := flag.String(