review fixes

irc/config.go

 	}
 
 	config.Server.Cloaks.Initialize()
+	if config.Server.Cloaks.Enabled {
+		if config.Server.Cloaks.Secret == "" || config.Server.Cloaks.Secret == "siaELnk6Kaeo65K3RCrwJjlWaZ-Bt3WuZ2L8MXLbNb4" {
+			return nil, fmt.Errorf("You must generate a new value of ip-cloaking.secret to enable cloaking")
+		}
+	}
 
 	for _, listenAddress := range config.Server.TorListeners.Listeners {
 		found := false

irc/utils/crypto.go

 	"crypto/rand"
 	"crypto/subtle"
 	"encoding/base32"
+	"encoding/base64"
 )
 
 var (
 
 	return subtle.ConstantTimeCompare([]byte(storedToken), []byte(suppliedToken)) == 1
 }
+
+// generate a 256-bit secret key that can be written into a config file
+func GenerateSecretKey() string {
+	var buf [32]byte
+	rand.Read(buf[:])
+	return base64.RawURLEncoding.EncodeToString(buf[:])
+}

oragono.go

 	"github.com/oragono/oragono/irc"
 	"github.com/oragono/oragono/irc/logger"
 	"github.com/oragono/oragono/irc/mkcerts"
+	"github.com/oragono/oragono/irc/utils"
 	"golang.org/x/crypto/bcrypt"
 	"golang.org/x/crypto/ssh/terminal"
 )
 	oragono upgradedb [--conf <filename>] [--quiet]
 	oragono genpasswd [--conf <filename>] [--quiet]
 	oragono mkcerts [--conf <filename>] [--quiet]
+	oragono mksecret [--conf <filename>] [--quiet]
 	oragono run [--conf <filename>] [--quiet]
 	oragono -h | --help
 	oragono --version
 				log.Fatal("  Could not create certificate:", err.Error())
 			}
 		}
+	} else if arguments["mksecret"].(bool) {
+		fmt.Println(utils.GenerateSecretKey())
 	} else if arguments["run"].(bool) {
 		if !arguments["--quiet"].(bool) {
 			logman.Info("server", fmt.Sprintf("Oragono v%s starting", irc.SemVer))

oragono.yaml

         # secret key to prevent dictionary attacks against cloaked IPs
         # any high-entropy secret is valid for this purpose:
         # you MUST generate a new one for your installation.
-        # suggestion: use the output of this command:
-        # python3 -c "import secrets; print(secrets.token_urlsafe())"
+        # suggestion: use the output of `oragono mksecret`
         # note that rotating this key will invalidate all existing ban masks.
         secret: "siaELnk6Kaeo65K3RCrwJjlWaZ-Bt3WuZ2L8MXLbNb4"