From 462bdc8599b09b3496498365022213a550dae549 Mon Sep 17 00:00:00 2001
From: Daniel Micay
Date: Sun, 9 Jul 2023 18:04:17 -0400
Subject: [PATCH] add session ticket key management scripts
---
 nginx-create-session-ticket-keys | 15 +++++++++++++++
 nginx-rotate-session-ticket-keys | 15 +++++++++++++++
 .../nginx-create-session-ticket-keys.service | 12 ++++++++++++
 .../nginx-rotate-session-ticket-keys.service | 9 +++++++++
 .../system/nginx-rotate-session-ticket-keys.timer | 8 ++++++++
 5 files changed, 59 insertions(+)
 create mode 100755 nginx-create-session-ticket-keys
 create mode 100755 nginx-rotate-session-ticket-keys
 create mode 100644 systemd/system/nginx-create-session-ticket-keys.service
 create mode 100644 systemd/system/nginx-rotate-session-ticket-keys.service
 create mode 100644 systemd/system/nginx-rotate-session-ticket-keys.timer
diff --git a/nginx-create-session-ticket-keys b/nginx-create-session-ticket-keys
new file mode 100755
index 0000000..5c678e4
--- /dev/null
+++ b/nginx-create-session-ticket-keys
@@ -0,0 +1,15 @@
+#!/bin/bash
+
+set -o errexit -o nounset -o pipefail
+
+umask 077
+
+mkdir -p /etc/nginx/session-ticket-keys
+mount -t ramfs -o mode=700 ramfs /etc/nginx/session-ticket-keys
+
+cd /etc/nginx/session-ticket-keys
+
+openssl rand -out 1.key 80
+openssl rand -out 2.key 80
+openssl rand -out 3.key 80
+openssl rand -out 4.key 80
diff --git a/nginx-rotate-session-ticket-keys b/nginx-rotate-session-ticket-keys
new file mode 100755
index 0000000..3543281
--- /dev/null
+++ b/nginx-rotate-session-ticket-keys
@@ -0,0 +1,15 @@
+#!/bin/bash
+
+set -o errexit -o nounset -o pipefail
+
+umask 077
+
+cd /etc/nginx/session-ticket-keys
+
+rsync -It 2.key 1.key
+rsync -It 3.key 2.key
+rsync -It 4.key 3.key
+openssl rand -out new.key 80
+rsync -It new.key 4.key
+rm new.key
+nginx -s reload
diff --git a/systemd/system/nginx-create-session-ticket-keys.service b/systemd/system/nginx-create-session-ticket-keys.service
new file mode 100644
index 0000000..87f1dd4
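Review bot: The `mount` line has no guard, so a second run of this script (a restarted or re-triggered unit) stacks another ramfs on top of the one already at /etc/nginx/session-ticket-keys, hiding the earlier instance and its keys underneath until it is unmounted. Guarding it with `mountpoint -q /etc/nginx/session-ticket-keys || mount -t ramfs -o mode=700 ramfs /etc/nginx/session-ticket-keys` keeps re-runs idempotent while the four keys are still regenerated. The choice of ramfs over tmpfs is the security-relevant part of this script and deserves a comment above the mount, e.g. `# ramfs, not tmpfs: the ticket keys stay in RAM and are never paged out to swap`.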
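Review bot: The rotation copies `4.key` over `3.key` before the replacement key exists, so if `openssl rand` fails (errexit stops the script there) 3.key and 4.key are left holding the same key and one generation of the decrypt-only window is lost at the next run; generating first avoids that: move `openssl rand -out new.key 80` above the three `rsync` lines. Which file nginx encrypts new tickets with depends on the order of the `ssl_session_ticket_key` directives in the nginx configuration (the first listed encrypts, the others only decrypt), and that configuration is not part of this patch; a header comment such as `# 4.key is the newest key and must be the first ssl_session_ticket_key in nginx.conf` would record the invariant this shuffle relies on. The four copies are not atomic as a group, but since `nginx -s reload` is only sent at the end, nginx never reads a half-rotated set.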
--- /dev/null
+++ b/systemd/system/nginx-create-session-ticket-keys.service
@@ -0,0 +1,12 @@
+[Unit]
+Description=Create nginx TLS session ticket keys
+Before=nginx.service
+
+[Service]
+Type=oneshot
+User=root
+Group=root
+ExecStart=/usr/local/bin/nginx-create-session-ticket-keys
+
+[Install]
+WantedBy=multi-user.target
diff --git a/systemd/system/nginx-rotate-session-ticket-keys.service b/systemd/system/nginx-rotate-session-ticket-keys.service
new file mode 100644
index 0000000..65b89b8
--- /dev/null
+++ b/systemd/system/nginx-rotate-session-ticket-keys.service
@@ -0,0 +1,9 @@
+[Unit]
+Description=Rotate nginx TLS session ticket keys
+After=nginx.service nginx-create-session-ticket-keys.service
+
+[Service]
+Type=oneshot
+User=root
+Group=root
+ExecStart=/usr/local/bin/nginx-rotate-session-ticket-keys
diff --git a/systemd/system/nginx-rotate-session-ticket-keys.timer b/systemd/system/nginx-rotate-session-ticket-keys.timer
new file mode 100644
index 0000000..bf1527c
--- /dev/null
+++ b/systemd/system/nginx-rotate-session-ticket-keys.timer
@@ -0,0 +1,8 @@
+[Unit]
+Description=Run nginx-rotate-session-ticket-keys three times daily
+
+[Timer]
+OnCalendar=0/8:00:00
+
+[Install]
+WantedBy=timers.target
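Review bot: `Type=oneshot` without `RemainAfterExit=yes` leaves this unit inactive the moment the script exits, so anything that later pulls it in (for example a `systemctl restart nginx` once nginx.service depends on it) would run the script again, remounting the ramfs and regenerating all four keys, which invalidates every outstanding ticket; adding `RemainAfterExit=yes` under `[Service]` makes it a once-per-boot unit. `Before=nginx.service` is only an ordering relation: nothing in this patch makes nginx.service require this unit, so starting nginx on its own does not guarantee the key files exist. A drop-in for nginx.service with `Requires=nginx-create-session-ticket-keys.service` and `After=nginx-create-session-ticket-keys.service` would presumably close that gap, though the nginx unit itself is not visible here.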
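Review bot: Nothing ties this timer-driven unit to the ramfs set up by nginx-create-session-ticket-keys.service; `After=` only orders, so if that unit failed or the mount was removed, the rotation script runs against a plain /etc/nginx/session-ticket-keys directory on the root filesystem. A `ConditionPathIsMountPoint=/etc/nginx/session-ticket-keys` line under `[Unit]` skips the rotation unless the in-memory directory is actually mounted, which keeps the ticket keys off persistent storage even in that failure mode. `Requires=nginx-create-session-ticket-keys.service` is a further option, but it is only useful if that unit keeps its active state after the script exits.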