diff --git a/server/Dockerfile b/server/Dockerfile
index 46f9819..7a0e752 100644
--- a/server/Dockerfile
+++ b/server/Dockerfile
@@ -25,6 +25,8 @@ RUN mkdir -p /var/log /main/public/files /main/public/media
 ENV GOPATH=""
 VOLUME /main/public/files
 VOLUME /main/public/media
+ENV COOKIE_SECRET
+ENV KEY
 RUN echo 'cat /main/users.yaml.gpg | gpg --batch --no-tty --passphrase="$KEY" --decrypt > /main/users.yaml && /main/exec-server "$@"' > /main/entrypoint.sh
 ENTRYPOINT ["bash", "/main/entrypoint.sh"]
 CMD []
diff --git a/server/README.md b/server/README.md
index 255e429..06b1117 100644
--- a/server/README.md
+++ b/server/README.md
@@ -3,16 +3,16 @@
 1. Build a linux binary with `GOOS=linux CGO_ENABLED=0 go build -o ./exec-server -a -installsuffix cgo -ldflags "-s -w"`
 1. Add your usernames, passwords, groups to `releasedata/users.yaml`
 1. {one time} Generate and store an encryption `KEY` in Vault+Lastpass
-1. Build a Docker image with `docker build -t registry-app.eng.qops.net:5001/bel/work-notes:latest --build-arg KEY='{{INSERT YOUR KEY HERE}}' .`
-1. Push with `docker push registry-app.eng.qops.net:5001/bel/work-notes:latest`
-1. Run like `docker run -v /mnt/files:/main/public/files -v /mnt/media:/main/public/media -e KEY='{{INSERT YOUR KEY HERE}}' -p 3005:3005 --rm -it registry-app.eng.qops.net:5001/bel/work-notes:latest -auth ./users.yaml -p 3005`
+1. Build a Docker image with `docker build -t registry-app.eng.qops.net:5001/breel/work-notes:latest --build-arg KEY='{{INSERT YOUR KEY HERE}}' .`
+1. Push with `docker push registry-app.eng.qops.net:5001/breel/work-notes:latest`
+1. Run like `docker run -v /mnt/files:/main/public/files -v /mnt/media:/main/public/media -e KEY='{{INSERT YOUR KEY HERE}}' -p 3005:3005 --rm -it registry-app.eng.qops.net:5001/breel/work-notes:latest -auth ./users.yaml -p 3005`
 ### `users.yaml` Format
 ```yaml
 users:
- bel:
- password: bel
+ breel:
+ password: breel
 groups:
 - g1
 - g2
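Review bot: `ENV COOKIE_SECRET` and `ENV KEY` carry no value, and as far as I know the `ENV <key> <value>` form is rejected by the builder when the value is missing, so this hunk likely breaks `docker build`. If the intent is to record which variables the container expects at run time, a comment does that without changing the image, e.g. `# Supplied at run time via -e: KEY (gpg passphrase for users.yaml.gpg), COOKIE_SECRET`. Do not resolve it with `ENV KEY=$KEY` from the build arg either: an ENV value is persisted in the image config and is visible through `docker inspect` and `docker history`, which would ship the decryption key in the same image as the encrypted users file. The requirement is better enforced where the value is consumed, by starting the generated entrypoint with `: "${KEY:?KEY must be set}"` so a missing passphrase fails fast with a clear message instead of gpg producing an empty /main/users.yaml.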
diff --git a/server/testdata/users.yaml b/server/testdata/users.yaml
index f0231a1..514f9f4 100644
--- a/server/testdata/users.yaml
+++ b/server/testdata/users.yaml
@@ -1,6 +1,6 @@
 users:
- bel:
- password: bel
+ breel:
+ password: breel
 groups:
 - g1
 - g2
diff --git a/todo.yaml b/todo.yaml
index 34fa0c3..d0641e7 100644
--- a/todo.yaml
+++ b/todo.yaml
@@ -1,9 +1,7 @@
 todo:
-- logout
-- encrypt files at docker build time, put decrypt key in vault
+- $TOKEN skips auth and sets Group
 - create fileauth login file
-- secret for cookie encrypt+decrypt
-- secrets
+- secrets;; $KEY, $TOKEN, $COOKIE_SECRET for crawler
 - team-specific deployment;; prob grab a VM
 - mark generated via meta so other files in the dir can be created, deleted, replaced safely
 - links like `/Smoktests` in user-files home wiki don't rewrite
@@ -15,6 +13,8 @@ todo:
 - anchor links work
 - ui; last updated; 2022.02.01T12:34:56
 done:
+- secret for cookie encrypt+decrypt
+- encrypt files at docker build time, put decrypt key in vault
 - gitlab/-/blob/about.md does NOT map to exactly 1 file
 - crawler does NOT modify title cause readme.md everywhere
 - use `meta` so no need for extra level for explicit single files