add initial session ticket key synchronization

deploy-primary

@@ -10,7 +10,9 @@ for host in ${hosts_primary[@]}; do
     echo $host
     echo
 
-    rsync --chmod=F755 certbot-replicate $remote:/usr/local/bin/
+    rsync --chmod=F755 certbot-replicate session-ticket-keys-sync $remote:/usr/local/bin/
     rsync etc/systemd/system/certbot-renew.service.d/replicate.conf $remote:/etc/systemd/system/certbot-renew.service.d/
+    rsync etc/systemd/system/session-ticket-keys-sync.{service,timer} $remote:/etc/systemd/system/
     ssh $remote systemctl daemon-reload
+    ssh $remote systemctl enable --now session-ticket-keys-sync.timer
 done

deploy-secondary

@@ -0,0 +1,14 @@
+#!/bin/bash
+
+. shared.sh
+. hosts.sh
+
+for host in ${hosts_secondary[@]}; do
+    remote=root@$host
+
+    echo
+    echo $host
+    echo
+
+    rsync --chmod=F755 session-ticket-keys-sync-deploy $remote:/usr/local/bin/
+done

etc/systemd/system/session-ticket-keys-sync.service

@@ -0,0 +1,10 @@
+[Unit]
+Description=Sync TLS session ticket keys
+After=dnsdist.service nginx.service create-session-ticket-keys.service
+Requires=create-session-ticket-keys.service
+
+[Service]
+ExecStart=/usr/local/bin/session-ticket-keys-sync
+Group=tls
+Type=oneshot
+UMask=0027

etc/systemd/system/session-ticket-keys-sync.timer

@@ -0,0 +1,12 @@
+[Unit]
+Description=Run session-ticket-keys-sync.service every minute
+After=create-session-ticket-keys.service
+Requires=create-session-ticket-keys.service
+
+[Timer]
+AccuracySec=1s
+OnActiveSec=0
+OnUnitActiveSec=1m
+
+[Install]
+WantedBy=timers.target

hosts.sh

@@ -342,6 +342,14 @@ readonly hosts_primary=(
     0.releases.grapheneos.org
 )
 
+readonly hosts_secondary=(
+    {1..3}.ns1.grapheneos.org
+    {1..2}.ns2.grapheneos.org
+    {1..3}.grapheneos.org
+    {1..3}.grapheneos.network
+    {1..3}.releases.grapheneos.org
+)
+
 readonly hosts_backup=(
     mail.grapheneos.org
     staging.attestation.app

session-ticket-keys-sync

@@ -0,0 +1,44 @@
+#!/bin/bash
+
+set -o errexit -o nounset -o pipefail
+
+status=0
+
+cd /etc/session-ticket-keys
+
+if [[ ! -f syncing ]]; then
+    for mirror in $(cat /etc/mirrors); do
+        echo
+        echo Syncing from $mirror
+        echo
+
+        ssh $mirror "bash -c [[ -f /etc/session-ticket-keys/synced ]]" || continue
+
+        rm -rf sync
+        mkdir sync
+        rsync -aI $mirror:/etc/session-ticket-keys/{{next,1,2,3,4}.key,keys} sync/ || continue
+        rsync -aIv sync/{{next,1,2,3,4}.key,keys} . || continue
+        rm -r sync
+
+        if systemctl is-active --quiet nginx.service; then
+            nginx -s reload || true
+        fi
+
+        if systemctl is-active --quiet dnsdist.service; then
+            dnsdist -c -e 'reloadAllCertificates()' || true
+        fi
+
+        touch syncing
+        break
+    done
+fi
+
+for mirror in $(cat /etc/mirrors); do
+    echo
+    echo Syncing to $mirror
+    echo
+
+    ssh $mirror "rm -rf /etc/session-ticket-keys/sync && mkdir /etc/session-ticket-keys/sync" || continue
+    rsync -aI {{next,1,2,3,4}.key,keys} $mirror:/etc/session-ticket-keys/sync || continue
+    ssh $mirror session-ticket-keys-sync-deploy || continue
+done

session-ticket-keys-sync-deploy

@@ -0,0 +1,30 @@
+#!/bin/bash
+
+set -o errexit -o nounset -o pipefail
+
+cd /etc/session-ticket-keys
+
+exec {fd}>sync-lock
+flock $fd
+
+if ! cmp --silent keys sync/keys; then
+    rsync -aIv sync/{{next,1,2,3,4}.key,keys} .
+    rm -rf sync
+
+    status=0
+
+    if systemctl is-active --quiet nginx.service; then
+        nginx -s reload || status=1
+    fi
+
+    if systemctl is-active --quiet dnsdist.service; then
+        dnsdist -c -e 'reloadAllCertificates()' || status=1
+    fi
+
+    touch synced
+
+    exit $status
+fi
+
+rm -rf sync
+touch synced