From 94a2567b153bd26de6bfc078ae3b72d23d4c8db9 Mon Sep 17 00:00:00 2001
From: Daniel Micay
Date: Tue, 27 May 2025 14:21:58 -0400
Subject: [PATCH] add tls group for session ticket keys

---
 deploy-initial | 1 +
 etc/fstab.virtual | 2 +-
 etc/systemd/system/create-session-ticket-keys.service | 3 ++-
 etc/systemd/system/rotate-session-ticket-keys.service | 3 ++-
 4 files changed, 6 insertions(+), 3 deletions(-)

diff --git a/deploy-initial b/deploy-initial
index 119d687..ac9527a 100755
--- a/deploy-initial
+++ b/deploy-initial
@@ -61,6 +61,7 @@ rsync -cv etc/nftables/nftables-${hosts_firewall[$host]:-web}.conf $remote:/mnt/
 ssh $remote "arch-chroot /mnt systemctl enable chronyd.service fstrim.timer logrotate.timer nftables.service plocate-updatedb.timer systemd-networkd.service systemd-oomd.service sshd.service sysstat.service unbound.service"
 ssh $remote "arch-chroot /mnt systemctl disable remote-fs.target systemd-network-generator.service systemd-userdbd.socket"
 ssh $remote "arch-chroot /mnt groupadd -g 2000 io_uring"
+ssh $remote "arch-chroot /mnt groupadd -g 2100 tls"
 ssh $remote "umask 077 && dd if=/dev/random of=/mnt/swapfile bs=1M count=$swap status=progress"
diff --git a/etc/fstab.virtual b/etc/fstab.virtual
index 3d6121f..afaa095 100644
--- a/etc/fstab.virtual
+++ b/etc/fstab.virtual
@@ -1,2 +1,2 @@
 /dev/mapper/swap none swap defaults 0 0
-tmpfs /etc/session-ticket-keys tmpfs size=1M,mode=750,noswap,x-systemd.before=create-session-ticket-keys.service,x-systemd.required-by=create-session-ticket-keys.service 0 0
+tmpfs /etc/session-ticket-keys tmpfs size=1M,mode=750,gid=2100,noswap,x-systemd.before=create-session-ticket-keys.service,x-systemd.required-by=create-session-ticket-keys.service 0 0
diff --git a/etc/systemd/system/create-session-ticket-keys.service b/etc/systemd/system/create-session-ticket-keys.service
index 49526d1..ba1da30 100644
--- a/etc/systemd/system/create-session-ticket-keys.service
+++ b/etc/systemd/system/create-session-ticket-keys.service
@@ -4,8 +4,9 @@ Before=nginx.service
 [Service]
 ExecStart=/usr/local/bin/create-session-ticket-keys
+Group=tls
 Type=oneshot
-UMask=0077
+UMask=0027
 [Install]
 WantedBy=multi-user.target
diff --git a/etc/systemd/system/rotate-session-ticket-keys.service b/etc/systemd/system/rotate-session-ticket-keys.service
index 40f56c4..4b56248 100644
--- a/etc/systemd/system/rotate-session-ticket-keys.service
+++ b/etc/systemd/system/rotate-session-ticket-keys.service
@@ -5,5 +5,6 @@ Requires=nginx.service create-session-ticket-keys.service
 [Service]
 ExecStart=/usr/local/bin/rotate-session-ticket-keys
+Group=tls
 Type=oneshot
-UMask=0077
+UMask=0027
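Review bot: The new `groupadd -g 2100 tls` line creates the group but nothing in this diff places any account in it, so the group-readable key files that `Group=tls` plus `UMask=0027` in the two service units are meant to produce stay readable only by root unless the consumer (presumably nginx's worker user, given `Before=nginx.service`) is made a member elsewhere. If that membership is supposed to come from this script, a line such as `ssh $remote "arch-chroot /mnt usermod -aG tls <nginx-worker-user>"` belongs next to the groupadd; if it is already handled by `SupplementaryGroups=tls` in the nginx unit, a one-line comment saying so here would save the next reader the search. The literal GID 2100 is also repeated as `gid=2100` in the etc/fstab.virtual hunk with nothing tying the two together, since tmpfs takes a numeric gid and cannot resolve the name; a comment above the groupadd like `# 2100 must match gid= on the /etc/session-ticket-keys tmpfs in etc/fstab.virtual` would record that coupling.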
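Review bot: `Group=tls` with `UMask=0027` only yields root:tls 0640 key files if /usr/local/bin/create-session-ticket-keys (not in this diff) relies on the inherited umask and group; if that script sets modes or ownership explicitly, these two directives change nothing, so that is worth confirming before the nginx side depends on it. The same pair is added to rotate-session-ticket-keys.service in the next hunk and the same check applies there. Since `Group=` here is set without `User=`, the scripts still run as root with tls as their primary group, and membership in tls is now the boundary for reading the live session ticket keys, which the unit does not say anywhere. A comment such as `# Group/UMask: keys are created root:tls 0640 so tls members (the TLS server) can read them without root` above `Group=tls` in both units would make that access boundary explicit. The [Unit] section of both files begins before their hunks.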