From 3dafe3840bb3e53f1a78e9eeda610b297128dc0b Mon Sep 17 00:00:00 2001
From: Davide Scaini
Date: Tue, 2 Jun 2026 15:09:00 +0200
Subject: [PATCH] deploy: add systemd unit + show-secret CLI command

bincio-auth.service: runs at port 4040, reads BINCIO_AUTH_JWT_SECRET from /etc/bincio/secrets.env (shared with bincio-activity). show-secret: prints the JWT secret stored by 'bincio-auth init', so the operator can add it to secrets.env without raw sqlite3.
---
bincio/auth/cli.py | 17 +++++++++++++++++
deploy/bincio-auth.service | 17 +++++++++++++++++
2 files changed, 34 insertions(+)
create mode 100644 deploy/bincio-auth.service
diff --git a/bincio/auth/cli.py b/bincio/auth/cli.py
index 86c17b7..9c9f2a5 100644
--- a/bincio/auth/cli.py
+++ b/bincio/auth/cli.py
@@ -71,6 +71,23 @@ def init_cmd(data_dir: str, handle: str, password: str, display_name: str, max_u
 ))
+@main.command("show-secret")
+@click.option("--data-dir", required=True, type=click.Path(), help="Data directory (contains instance.db)")
+def show_secret_cmd(data_dir: str) -> None:
+ """Print the JWT secret stored in the DB — use this to configure consumer services."""
+ from bincio.auth.db import get_setting, open_db
+
+ dd = Path(data_dir).expanduser().resolve()
+ if not (dd / "instance.db").exists():
+ raise click.UsageError(f"No instance.db in {dd}.")
+ db = open_db(dd)
+ secret = get_setting(db, "jwt_secret") or ""
+ db.close()
+ if not secret:
+ raise click.ClickException("No JWT secret found. Run `bincio-auth init` first.")
+ click.echo(secret)
+
+
 @main.command("serve")
 @click.option("--data-dir", required=True, type=click.Path(), help="Data directory (contains instance.db)")
 @click.option("--host", default="127.0.0.1")
diff --git a/deploy/bincio-auth.service b/deploy/bincio-auth.service
new file mode 100644
index 0000000..1e2548f
--- /dev/null
+++ b/deploy/bincio-auth.service
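Review bot: `show_secret_cmd` writes the JWT signing key to stdout with nothing telling the operator the output is a credential, so it can end up in terminal scrollback, CI logs or pasted tickets; the docstring, which is also the `--help` text, should say so, e.g. `"""Print the JWT signing secret. Treat the output as a credential: redirect it into a root-only file, do not paste or log it."""`. Separately, `db.close()` is skipped if `get_setting` raises; wrapping the lookup in `with closing(open_db(dd)) as db:` (with `from contextlib import closing`) closes the handle on every path. Whether `open_db` creates or migrates the database as a side effect is not visible in this hunk and is worth confirming for a command that is meant to be read-only.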
@@ -0,0 +1,17 @@
+[Unit]
+Description=bincio-auth API
+After=network.target
+
+[Service]
+WorkingDirectory=/opt/bincio-auth
+ExecStart=/root/.local/bin/uv run bincio-auth serve \
+ --data-dir /var/bincio-auth/data \
+ --host 127.0.0.1 \
+ --port 4040
+EnvironmentFile=/etc/bincio/secrets.env
+Environment=SESSION_DOMAIN=.bincio.org
+Restart=always
+RestartSec=5
+
+[Install]
+WantedBy=multi-user.target
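Review bot: The `[Service]` section sets no `User=` and `ExecStart` runs `uv` from `/root/.local/bin`, so the auth API, which holds the JWT secret and is handed everything in the shared `/etc/bincio/secrets.env`, runs as root with no sandboxing. A dedicated unprivileged account plus the usual hardening directives would limit what a bug in the service can reach; that requires `uv` to be installed outside `/root` and the data directory to be owned by that account. Because the environment file is shared with bincio-activity, it should stay readable by root only, which still works since systemd reads `EnvironmentFile=` before dropping privileges. `uv run` may also sync the project environment at start, which the read-only settings below would block unless the environment is built at deploy time, so confirm that before applying.

```ini
[Service]
# Placeholder account name; create it at deploy time and chown the data directory to it.
User=bincio-auth
Group=bincio-auth
# Placeholder path: uv must live somewhere the service account can execute.
ExecStart=/PLACEHOLDER/bin/uv run bincio-auth serve \
# … unchanged: --data-dir, --host, --port arguments …
NoNewPrivileges=true
PrivateTmp=true
ProtectHome=true
ProtectSystem=strict
ReadWritePaths=/var/bincio-auth/data
# … unchanged: WorkingDirectory, EnvironmentFile, Environment, Restart, RestartSec …
```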