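# vim:ft=ansible:
---
# Rotate nginx's TLS session-ticket keys: generate a fresh key on the controller,
# shift the existing key files down one slot (1 -> 2 -> ... -> key_count, the
# oldest is overwritten), install the new key as slot 1 and reload nginx.
# Every run rotates, so this is meant to be scheduled (e.g. from cron), not run ad hoc.
- name: Rotate TLS tickets
  hosts: yourhostlist
  become: true
  vars:
    key_count: some number...  # number of key files kept on disk; replace with an integer
    ticket_path: /etc/nginx/ssl  # Ideally this should not be on persistent storage
  tasks:
    # The base64 dance is necessary because Ansible (technically Jinja2) doesn't
    # preserve raw bytes when rendering. The registered stdout IS the new key,
    # so no_log keeps it out of verbose output, callbacks and log files.
    - name: Get 48 random bytes
      local_action: shell dd if=/dev/urandom bs=1 count=48 | /usr/bin/base64
      run_once: true
      become: false
      no_log: true
      register: random_bytes_b64

    - name: Ensure TLS ticket key directory exists
      file:
        name: "{{ ticket_path }}"
        state: directory
        owner: root
        group: root
        mode: "0755"  # quoted: an unquoted 0755/755 is parsed as an integer in block YAML

    # umask 077 so freshly created key files are never group/world-readable, even
    # in the window before the permission-setting tasks below run. `creates`
    # keeps this idempotent: existing slots are left alone.
    - name: Make sure the ticket key files exist (just make new random ones if necessary)
      shell: umask 077 && dd if=/dev/urandom of={{ ticket_path }}/tls_ticket_key.{{ item }}.key bs=1 count=48
      args:
        creates: "{{ ticket_path }}/tls_ticket_key.{{ item }}.key"
      with_sequence: count="{{ key_count }}"

    # Walk from the highest slot downwards so each key is copied before its
    # slot is overwritten; slot 1 is left untouched and replaced below.
    - name: Rotate keys
      copy:
        src: "{{ ticket_path }}/tls_ticket_key.{{ item|int - 1 }}.key"
        dest: "{{ ticket_path }}/tls_ticket_key.{{ item }}.key"
        remote_src: true
        owner: root
        group: root
        mode: "0600"
      with_sequence: start="{{ key_count }}" end=2 stride=-1

    # `content` is the key material; no_log keeps it out of the task result/diff.
    - name: Copy base64 version of the new key
      copy:
        dest: "{{ ticket_path }}/tls_ticket_key.1.key.base64"
        content: "{{ random_bytes_b64.stdout }}"
        owner: root
        group: root
        mode: "0600"
      no_log: true

    - name: Decode the new key
      shell: umask 077 && /usr/bin/base64 -d {{ ticket_path }}/tls_ticket_key.1.key.base64 > {{ ticket_path }}/tls_ticket_key.1.key

    # The base64 copy is only a transport artefact; do not leave a second copy
    # of the current key lying on disk.
    - name: Remove the base64 copy of the new key
      file:
        name: "{{ ticket_path }}/tls_ticket_key.1.key.base64"
        state: absent

    - name: Verify the permissions of the new key
      file:
        state: file
        name: "{{ ticket_path }}/tls_ticket_key.1.key"
        owner: root
        group: root
        mode: "0600"

    # Reload (not restart) so nginx picks up the new key set without dropping connections.
    - name: Reload Nginx
      service:
        name: nginx
        state: reloaded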