add tls group for session ticket keys

deploy-initial

@@ -61,6 +61,7 @@ rsync -cv etc/nftables/nftables-${hosts_firewall[$host]:-web}.conf $remote:/mnt/
 ssh $remote "arch-chroot /mnt systemctl enable chronyd.service fstrim.timer logrotate.timer nftables.service plocate-updatedb.timer systemd-networkd.service systemd-oomd.service sshd.service sysstat.service unbound.service"
 ssh $remote "arch-chroot /mnt systemctl disable remote-fs.target systemd-network-generator.service systemd-userdbd.socket"
 ssh $remote "arch-chroot /mnt groupadd -g 2000 io_uring"
+ssh $remote "arch-chroot /mnt groupadd -g 2100 tls"
 
 ssh $remote "umask 077 && dd if=/dev/random of=/mnt/swapfile bs=1M count=$swap status=progress"
 

etc/fstab.virtual

@@ -1,2 +1,2 @@
 /dev/mapper/swap none swap defaults 0 0
-tmpfs /etc/session-ticket-keys tmpfs size=1M,mode=750,noswap,x-systemd.before=create-session-ticket-keys.service,x-systemd.required-by=create-session-ticket-keys.service 0 0
+tmpfs /etc/session-ticket-keys tmpfs size=1M,mode=750,gid=2100,noswap,x-systemd.before=create-session-ticket-keys.service,x-systemd.required-by=create-session-ticket-keys.service 0 0

etc/systemd/system/create-session-ticket-keys.service

@@ -4,8 +4,9 @@ Before=nginx.service
 
 [Service]
 ExecStart=/usr/local/bin/create-session-ticket-keys
+Group=tls
 Type=oneshot
-UMask=0077
+UMask=0027
 
 [Install]
 WantedBy=multi-user.target

etc/systemd/system/rotate-session-ticket-keys.service

@@ -5,5 +5,6 @@ Requires=nginx.service create-session-ticket-keys.service
 
 [Service]
 ExecStart=/usr/local/bin/rotate-session-ticket-keys
+Group=tls
 Type=oneshot
-UMask=0077
+UMask=0027