diff --git a/debian/contrib/uffd-admin b/debian/contrib/uffd-admin
index eaa1063d4eea66e9f15d8d2e00ea7429913f1ecf..897f6904c2751ef353e6a26ddaebb615c20b1bc8 100755
--- a/debian/contrib/uffd-admin
+++ b/debian/contrib/uffd-admin
@@ -1,15 +1,15 @@
-#!/bin/bash -x
+#!/bin/sh
 
-set -e
+set -eu
 
 export FLASK_APP=/usr/share/uffd/uffd
 export CONFIG_FILENAME=/etc/uffd/uffd.cfg
 
 if [ "$(whoami)" = "uffd" ]; then
 	flask "$@"
-elif command -v sudo &> /dev/null; then
+elif command -v sudo > /dev/null 2>&1; then
 	exec sudo --preserve-env=FLASK_APP,CONFIG_FILENAME -u uffd flask "$@"
-elif command -v runuser &> /dev/null; then
+elif command -v runuser > /dev/null 2>&1; then
 	exec runuser --preserve-environment -u uffd -- flask "$@"
 else
 	echo "Could not not become 'uffd' user, exiting"
diff --git a/debian/postinst b/debian/postinst
index 0c5816f07a506eb29896156aa9aeb455d6d1b408..7609f592065745c8bcc253fc499575ca3508efd0 100755
--- a/debian/postinst
+++ b/debian/postinst
@@ -10,6 +10,13 @@ case "$1" in
 		chown -R uffd:uffd /var/lib/uffd
 		chmod 0770 /var/lib/uffd
 
+		python3 <<EOF
+import secrets
+cfg = open('/etc/uffd/uffd.cfg', 'r').read()
+cfg = cfg.replace('\n#SECRET=autogenerated by postinst script\n',
+                  '\nSECRET="'+secrets.token_hex(128)+'"\n', 1)
+open('/etc/uffd/uffd.cfg', 'w').write(cfg)
+EOF
 		chown root:uffd /etc/uffd/uffd.cfg
 		chmod 0640 /etc/uffd/uffd.cfg
 
diff --git a/debian/uffd.cfg b/debian/uffd.cfg
index 954a0a998f5a3bed7e45769f2088c62ef1d4fb8e..0bf9babff32506a49b221d4a46c4f1a51659a0d5 100644
--- a/debian/uffd.cfg
+++ b/debian/uffd.cfg
@@ -1,2 +1,3 @@
 FLASK_ENV="production"
 SQLALCHEMY_DATABASE_URI="sqlite:////var/lib/uffd/db.sqlite"
+#SECRET=autogenerated by postinst script