From 9fde84c8779343da6b55cc8a0ff3b6a1eebab8cb Mon Sep 17 00:00:00 2001
From: Daniel Micay
Date: Thu, 30 Oct 2025 14:12:24 -0400
Subject: [PATCH] add initial session ticket key synchronization

---
 deploy-primary | 4 +-
 deploy-secondary | 14 ++++++
 .../system/session-ticket-keys-sync.service | 10 +++++
 .../system/session-ticket-keys-sync.timer | 12 +++++
 hosts.sh | 8 ++++
 session-ticket-keys-sync | 44 +++++++++++++++++++
 session-ticket-keys-sync-deploy | 30 +++++++++++++
 7 files changed, 121 insertions(+), 1 deletion(-)
 create mode 100755 deploy-secondary
 create mode 100644 etc/systemd/system/session-ticket-keys-sync.service
 create mode 100644 etc/systemd/system/session-ticket-keys-sync.timer
 create mode 100755 session-ticket-keys-sync
 create mode 100755 session-ticket-keys-sync-deploy

diff --git a/deploy-primary b/deploy-primary
index 0713a9f..fe6dee4 100755
--- a/deploy-primary
+++ b/deploy-primary
@@ -10,7 +10,9 @@ for host in ${hosts_primary[@]}; do
 echo $host
 echo
 
- rsync --chmod=F755 certbot-replicate $remote:/usr/local/bin/
+ rsync --chmod=F755 certbot-replicate session-ticket-keys-sync $remote:/usr/local/bin/
 rsync etc/systemd/system/certbot-renew.service.d/replicate.conf $remote:/etc/systemd/system/certbot-renew.service.d/
+ rsync etc/systemd/system/session-ticket-keys-sync.{service,timer} $remote:/etc/systemd/system/
 ssh $remote systemctl daemon-reload
+ ssh $remote systemctl enable --now session-ticket-keys-sync.timer
 done
diff --git a/deploy-secondary b/deploy-secondary
new file mode 100755
index 0000000..46598c8
--- /dev/null
+++ b/deploy-secondary
@@ -0,0 +1,14 @@
+#!/bin/bash
+
+. shared.sh
+. hosts.sh
+
+for host in ${hosts_secondary[@]}; do
+ remote=root@$host
+
+ echo
+ echo $host
+ echo
+
+ rsync --chmod=F755 session-ticket-keys-sync-deploy $remote:/usr/local/bin/
+done
diff --git a/etc/systemd/system/session-ticket-keys-sync.service b/etc/systemd/system/session-ticket-keys-sync.service
new file mode 100644
index 0000000..1bf2a34
--- /dev/null
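Review bot: deploy-secondary only installs `session-ticket-keys-sync-deploy`; it neither creates `/etc/session-ticket-keys` on the secondary nor provisions the ssh credential the primary will use to run `rm -rf`, `mkdir`, `rsync` and the deploy script there as root, so presumably both come from elsewhere — worth confirming, because the deploy script `cd`s into that directory and aborts under errexit if it is missing. Since the pushing side needs root-level write access to the secondary's key directory, the secondary's expectations should be stated where they can be found, e.g. a header comment in the deployed script such as `# Expects /etc/session-ticket-keys to exist and the primary's ssh key to be authorized for root; invoked remotely by session-ticket-keys-sync after it has staged new keys in sync/.`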
+++ b/etc/systemd/system/session-ticket-keys-sync.service
@@ -0,0 +1,10 @@
+[Unit]
+Description=Sync TLS session ticket keys
+After=dnsdist.service nginx.service create-session-ticket-keys.service
+Requires=create-session-ticket-keys.service
+
+[Service]
+ExecStart=/usr/local/bin/session-ticket-keys-sync
+Group=tls
+Type=oneshot
+UMask=0027
diff --git a/etc/systemd/system/session-ticket-keys-sync.timer b/etc/systemd/system/session-ticket-keys-sync.timer
new file mode 100644
index 0000000..d1e83a1
--- /dev/null
+++ b/etc/systemd/system/session-ticket-keys-sync.timer
@@ -0,0 +1,12 @@
+[Unit]
+Description=Run session-ticket-keys-sync.service every minute
+After=create-session-ticket-keys.service
+Requires=create-session-ticket-keys.service
+
+[Timer]
+AccuracySec=1s
+OnActiveSec=0
+OnUnitActiveSec=1m
+
+[Install]
+WantedBy=timers.target
diff --git a/hosts.sh b/hosts.sh
index c4f3354..8236866 100644
--- a/hosts.sh
+++ b/hosts.sh
@@ -342,6 +342,14 @@ readonly hosts_primary=(
 0.releases.grapheneos.org
 )
 
+readonly hosts_secondary=(
+ {1..3}.ns1.grapheneos.org
+ {1..2}.ns2.grapheneos.org
+ {1..3}.grapheneos.org
+ {1..3}.grapheneos.network
+ {1..3}.releases.grapheneos.org
+)
+
 readonly hosts_backup=(
 mail.grapheneos.org
 staging.attestation.app
diff --git a/session-ticket-keys-sync b/session-ticket-keys-sync
new file mode 100755
index 0000000..698be82
--- /dev/null
+++ b/session-ticket-keys-sync
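Review bot: The `[Service]` section sets no `TimeoutStartSec=`, and for `Type=oneshot` systemd disables the start timeout by default, so a single hung `ssh` or `rsync` to one mirror keeps this unit active indefinitely and the every-minute timer will not start another run while it is — one dead mirror stalls key distribution to all the others. Add `TimeoutStartSec=5min` (or whatever comfortably covers a full pass over `/etc/mirrors`) under `[Service]`, and consider `-o ConnectTimeout=` on the ssh calls in the script so a black-holed host fails fast rather than eating the whole budget. The unit runs as root with only `Group=tls`/`UMask=0027`; root is presumably required for writing under `/etc` and reloading nginx/dnsdist, but a one-line comment saying so (and that `Group=tls`/`UMask=0027` are what make the staging directory and pulled keys group-readable by the TLS services rather than world-readable) would spare the next reader the inference.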
@@ -0,0 +1,44 @@
+#!/bin/bash
+
+set -o errexit -o nounset -o pipefail
+
+status=0
+
+cd /etc/session-ticket-keys
+
+if [[ ! -f syncing ]]; then
+ for mirror in $(cat /etc/mirrors); do
+ echo
+ echo Syncing from $mirror
+ echo
+
+ ssh $mirror "bash -c [[ -f /etc/session-ticket-keys/synced ]]" || continue
+
+ rm -rf sync
+ mkdir sync
+ rsync -aI $mirror:/etc/session-ticket-keys/{{next,1,2,3,4}.key,keys} sync/ || continue
+ rsync -aIv sync/{{next,1,2,3,4}.key,keys} . || continue
+ rm -r sync
+
+ if systemctl is-active --quiet nginx.service; then
+ nginx -s reload || true
+ fi
+
+ if systemctl is-active --quiet dnsdist.service; then
+ dnsdist -c -e 'reloadAllCertificates()' || true
+ fi
+
+ touch syncing
+ break
+ done
+fi
+
+for mirror in $(cat /etc/mirrors); do
+ echo
+ echo Syncing to $mirror
+ echo
+
+ ssh $mirror "rm -rf /etc/session-ticket-keys/sync && mkdir /etc/session-ticket-keys/sync" || continue
+ rsync -aI {{next,1,2,3,4}.key,keys} $mirror:/etc/session-ticket-keys/sync || continue
+ ssh $mirror session-ticket-keys-sync-deploy || continue
+done
diff --git a/session-ticket-keys-sync-deploy b/session-ticket-keys-sync-deploy
new file mode 100755
index 0000000..c09e2f9
--- /dev/null
+++ b/session-ticket-keys-sync-deploy
@@ -0,0 +1,30 @@
+#!/bin/bash
+
+set -o errexit -o nounset -o pipefail
+
+cd /etc/session-ticket-keys
+
+exec {fd}>sync-lock
+flock $fd
+
+if ! cmp --silent keys sync/keys; then
+ rsync -aIv sync/{{next,1,2,3,4}.key,keys} .
+ rm -rf sync
+
+ status=0
+
+ if systemctl is-active --quiet nginx.service; then
+ nginx -s reload || status=1
+ fi
+
+ if systemctl is-active --quiet dnsdist.service; then
+ dnsdist -c -e 'reloadAllCertificates()' || status=1
+ fi
+
+ touch synced
+
+ exit $status
+fi
+
+rm -rf sync
+touch synced
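Review bot: The probe `ssh $mirror "bash -c [[ -f /etc/session-ticket-keys/synced ]]"` cannot succeed: the remote login shell word-splits the string, so `bash -c` receives only `[[` as its script (with `-f`, the path and `]]` becoming `$0`, `$1`, `$2`), which is a syntax error and a non-zero exit, and every mirror is therefore skipped by `|| continue` — the "pull from an already-synced peer" branch never runs and a freshly deployed primary will always push its own keys instead of converging on the existing set. Replace it with `ssh $mirror "test -f /etc/session-ticket-keys/synced" || continue` (or quote the whole `[[ … ]]` expression as one argument). Separately, `status=0` is assigned and never read, and each push failure is swallowed by `|| continue`, so the oneshot always exits 0 and a mirror that has been silently failing to receive keys for days never shows up in `systemctl --failed` or as a failed unit in the journal; set `status=1` in the failure branches and end the script with `exit $status`. Given that these are TLS session ticket keys — anyone holding one can decrypt every session resumed under it — a short header comment should also state the trust model: keys travel only over ssh, `-a` carries the source file modes across unchanged, and the staging directory's permissions depend on the unit's `Group=tls`/`UMask=0027` rather than anything in this script.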
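Review bot: `sync-lock` is taken only around the install step, while the staging that feeds it (`rm -rf sync && mkdir sync` over ssh, then the rsync into `sync/`) is driven by the primary in separate sessions outside the lock, so if more than one pusher can ever target the same secondary, a second `rm -rf sync` can discard files a first push has staged but not yet deployed; the host lists suggest a single primary per mirror, but that assumption belongs in the script, e.g. `# Assumes exactly one primary pushes to this host: staging in sync/ is not covered by sync-lock, only the install below is.` Note also that `cmp --silent keys sync/keys` exits 2 when either file is missing, which is what makes the very first install work (no local `keys` yet) but also means a partially staged `sync/` is treated as a change and the following `rsync` then aborts under errexit without touching `synced` — acceptable, though worth a comment so nobody "fixes" it into `cmp … || exit`. Conversely `touch synced` runs even when a reload failed (`status=1`); since the primary treats `synced` as "safe to seed from", confirm that a key set whose nginx/dnsdist reload failed should still qualify. Finally, change detection looks only at `keys`; presumably that file is derived from the individual `*.key` files, but if it is not, a rotation that changes `next.key` alone would be skipped — confirm against whatever `create-session-ticket-keys.service` writes.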