local shutdown (this will be needed for, at least, the restarts when https certificates expire)

[pshaughn]

There needs to be a way to receive local commands that doesn't go through https.

possible approach:

• have a plaintext "admin secret" in a file; at startup test its permissions to be sure it's not accidentally public; if it doesn't exist at all that's okay
• if secret does exist, open an extra insecure ws server, with a different port, just for the admin commands and not normal login flow. connections know they came from this server, admin command handlers that see this ignore the password and instead check that the connection is local-loopback and includes the correct admin secret
• make sure the extra ws server shuts down
• write scripts that read the admin secret and run essential commands

[pshaughn]

this is probably the hard part of writing a systemd wrapper