add flag 'ts-authkey-file' and env var TS_AUTHKEY_FILE for use with docker secrets

Author: angelbirth

scripts/docker/run.sh

@@ -27,6 +27,10 @@ if [ -n "$TSIDP_LOCAL_PORT" ]; then
     ARGS="$ARGS -local-port=$TSIDP_LOCAL_PORT"
 fi
 
+if [ -n "$TS_AUTHKEY_FILE" ]; then
+    ARGS="$ARGS -ts-authkey-file=$TS_AUTHKEY_FILE"
+fi
+
 # logging control
 if [ -n "$TSIDP_LOG" ]; then
     case "$TSIDP_LOG" in

tsidp-server.go

@@ -19,6 +19,7 @@ import (
 	"net/http"
 	"os"
 	"os/signal"
+	"path/filepath"
 	"strings"
 	"time"
 
@@ -29,7 +30,6 @@ import (
 	"tailscale.com/hostinfo"
 	"tailscale.com/ipn"
 	"tailscale.com/ipn/ipnstate"
-
 	"tailscale.com/tsnet"
 	"tailscale.com/version"
 )
@@ -51,6 +51,8 @@ var (
 	// extended debugging information
 	flagDebugAllRequests = flag.Bool("debug-all-requests", false, "capture and print all HTTP requests and responses")
 	flagDebugTSNet       = flag.Bool("debug-tsnet", false, "enable tsnet.Server logging")
+
+	flagAuthKeyFile = flag.String("ts-authkey-file", "", "authkey file")
 )
 
 // main initializes and starts the tsidp server
@@ -127,10 +129,28 @@ func main() {
 		defer cleanup()
 	} else {
 		hostinfo.SetApp("tsidp")
+		if *flagAuthKeyFile != "" {
+			f, _ := filepath.Abs(*flagAuthKeyFile)
+			file, err := os.Open(f)
+			if err != nil {
+				slog.Error("error opening auth key file", slog.Any("err", err))
+				os.Exit(1)
+			}
+			authKeyBytes, err := io.ReadAll(file)
+			if err != nil {
+				slog.Error("error reading auth key file", slog.Any("err", err))
+				os.Exit(1)
+			}
+			// reuse tsAuthKeyFile variable
+			*flagAuthKeyFile = string(authKeyBytes)
+		}
 		ts := &tsnet.Server{
 			Hostname: *flagHostname,
 			Dir:      *flagDir,
 		}
+		if *flagAuthKeyFile != "" {
+			ts.AuthKey = *flagAuthKeyFile
+		}
 		if *flagDebugTSNet {
 			ts.Logf = func(format string, args ...any) {
 				cur := slog.SetLogLoggerLevel(slog.LevelDebug) // force debug if this option is on