deploy: add systemd unit + show-secret CLI command

bincio-auth.service: runs at port 4040, reads BINCIO_AUTH_JWT_SECRET
from /etc/bincio/secrets.env (shared with bincio-activity).

show-secret: prints the JWT secret stored by 'bincio-auth init',
so the operator can add it to secrets.env without raw sqlite3.

bincio/auth/cli.py

@@ -71,6 +71,23 @@ def init_cmd(data_dir: str, handle: str, password: str, display_name: str, max_u
     ))
 
 
+@main.command("show-secret")
+@click.option("--data-dir", required=True, type=click.Path(), help="Data directory (contains instance.db)")
+def show_secret_cmd(data_dir: str) -> None:
+    """Print the JWT secret stored in the DB — use this to configure consumer services."""
+    from bincio.auth.db import get_setting, open_db
+
+    dd = Path(data_dir).expanduser().resolve()
+    if not (dd / "instance.db").exists():
+        raise click.UsageError(f"No instance.db in {dd}.")
+    db = open_db(dd)
+    secret = get_setting(db, "jwt_secret") or ""
+    db.close()
+    if not secret:
+        raise click.ClickException("No JWT secret found. Run `bincio-auth init` first.")
+    click.echo(secret)
+
+
 @main.command("serve")
 @click.option("--data-dir", required=True, type=click.Path(), help="Data directory (contains instance.db)")
 @click.option("--host", default="127.0.0.1")

deploy/bincio-auth.service

@@ -0,0 +1,17 @@
+[Unit]
+Description=bincio-auth API
+After=network.target
+
+[Service]
+WorkingDirectory=/opt/bincio-auth
+ExecStart=/root/.local/bin/uv run bincio-auth serve \
+    --data-dir /var/bincio-auth/data \
+    --host 127.0.0.1 \
+    --port 4040
+EnvironmentFile=/etc/bincio/secrets.env
+Environment=SESSION_DOMAIN=.bincio.org
+Restart=always
+RestartSec=5
+
+[Install]
+WantedBy=multi-user.target