add session ticket key management scripts

nginx-create-session-ticket-keys

@@ -0,0 +1,15 @@
+#!/bin/bash
+
+set -o errexit -o nounset -o pipefail
+
+umask 077
+
+mkdir -p /etc/nginx/session-ticket-keys
+mount -t ramfs -o mode=700 ramfs /etc/nginx/session-ticket-keys
+
+cd /etc/nginx/session-ticket-keys
+
+openssl rand -out 1.key 80
+openssl rand -out 2.key 80
+openssl rand -out 3.key 80
+openssl rand -out 4.key 80

nginx-rotate-session-ticket-keys

@@ -0,0 +1,15 @@
+#!/bin/bash
+
+set -o errexit -o nounset -o pipefail
+
+umask 077
+
+cd /etc/nginx/session-ticket-keys
+
+rsync -It 2.key 1.key
+rsync -It 3.key 2.key
+rsync -It 4.key 3.key
+openssl rand -out new.key 80
+rsync -It new.key 4.key
+rm new.key
+nginx -s reload

systemd/system/nginx-create-session-ticket-keys.service

@@ -0,0 +1,12 @@
+[Unit]
+Description=Create nginx TLS session ticket keys
+Before=nginx.service
+
+[Service]
+Type=oneshot
+User=root
+Group=root
+ExecStart=/usr/local/bin/nginx-create-session-ticket-keys
+
+[Install]
+WantedBy=multi-user.target

systemd/system/nginx-rotate-session-ticket-keys.service

@@ -0,0 +1,9 @@
+[Unit]
+Description=Rotate nginx TLS session ticket keys
+After=nginx.service nginx-create-session-ticket-keys.service
+
+[Service]
+Type=oneshot
+User=root
+Group=root
+ExecStart=/usr/local/bin/nginx-rotate-session-ticket-keys

systemd/system/nginx-rotate-session-ticket-keys.timer

@@ -0,0 +1,8 @@
+[Unit]
+Description=Run nginx-rotate-session-ticket-keys three times daily
+
+[Timer]
+OnCalendar=0/8:00:00
+
+[Install]
+WantedBy=timers.target