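#!/bin/bash
#
# Rotate the session ticket key files in /etc/session-ticket-keys and ask the
# running TLS front ends (nginx, dnsdist) to pick up the new set.
#
# Files used (all relative to /etc/session-ticket-keys):
#   1.key .. 4.key  rotation slots; each run shifts N+1 into N
#   next.key        key staged for the following rotation
#   keys            concatenation of next.key and 1.key..4.key
#   synced          marker; when present this run skips rotation and removes it
#   sync-lock       lock file serialising this script against other holders
#
# Exit status: 0 on success or skipped rotation, 1 if a reload command failed,
# non-zero (via errexit) if any rotation step failed.

set -o errexit -o nounset -o pipefail

cd /etc/session-ticket-keys

# Hold an exclusive lock for the rest of the script so that two rotations, or a
# rotation and whatever else takes sync-lock, never interleave. The lock is
# released when the descriptor closes at exit.
exec {fd}>sync-lock
flock "$fd"

# NOTE(review): the marker is presumably dropped by a job that copies keys in
# from another host; rotating right after that would desynchronise the set.
# Confirm against whatever creates "synced".
if [[ -f synced ]]; then
    echo skipping rotation due to sync
    rm synced
    exit 0
fi

# Shift every slot down by one, oldest first so nothing is overwritten before it
# has been copied. -t keeps the source mtime, -I forces the copy even when size
# and mtime already match (always true for fixed-size key files).
rsync -tI 2.key 1.key
rsync -tI 3.key 2.key
rsync -tI 4.key 3.key
rsync -tI next.key 4.key

# Generate the key that will become active on the next rotation. The listing
# this was taken from read `head -c 80 tmp.key`, which reads a file that does
# not exist yet, writes nothing to disk and aborts the run under errexit;
# 80 bytes from the kernel CSPRNG redirected into tmp.key is the reconstruction
# (confirm against the deployed script).
# NOTE(review): tmp.key is created with the ambient umask; confirm it keeps key
# material unreadable to accounts that do not need it.
head -c 80 /dev/urandom > tmp.key
# Rename within the same directory so readers never see a partial next.key.
mv tmp.key next.key

# Build the combined file under a temporary name and rename it into place for
# the same reason.
cat next.key {1..4}.key > keys.new
mv keys.new keys

# Reload only the services that are running. A failed reload is recorded rather
# than aborting, so the other service is still told about the new keys.
status=0

if systemctl is-active --quiet nginx.service; then
    nginx -s reload || status=1
fi

if systemctl is-active --quiet dnsdist.service; then
    dnsdist -c -e 'reloadAllCertificates()' || status=1
fi

exit "$status"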