infrastructure/roles/mta_sts/templates/nginx.d.conf.j2

{% for config in mta_sts %}
{% set domain = "mta-sts." + config.domains | first %}
server {
    listen       80;
    listen       [::]:80;
    server_name  mta-sts.{{ config.domains | join(' mta-sts.') }};

    access_log   /var/log/nginx/{{ domain }}/access.log reduced;
    access_log   /var/log/nginx/{{ domain }}/access.log.json json_reduced;
    error_log    /var/log/nginx/{{ domain }}/error.log;

    include snippets/letsencrypt.conf;

    location / {
        access_log off;
        return 301 https://$server_name$request_uri;
    }
}

server {
    include      snippets/listen-443.conf;
    server_name  mta-sts.{{ config.domains | join(' mta-sts.') }};

    access_log   /var/log/nginx/{{ domain }}/access.log reduced;
    access_log   /var/log/nginx/{{ domain }}/access.log.json json_reduced;
    error_log    /var/log/nginx/{{ domain }}/error.log;

    ssl_certificate      /etc/letsencrypt/live/{{ domain }}/fullchain.pem;
    ssl_certificate_key  /etc/letsencrypt/live/{{ domain }}/privkey.pem;
    ssl_trusted_certificate /etc/letsencrypt/live/{{ domain }}/chain.pem;

    location = /.well-known/mta-sts.txt {
        default_type text/plain;
        # Remember to bump the MTA-STS id in tf-stage1/archlinux.tf
        return 200 'version: STSv1\r\nmode: enforce\r\nmax_age: 2592000\r\nmx: {{ config.mx | join('\\r\\nmx: ')}}\r\n';
    }

    location / {
        access_log off;
        return 404;
    }
}
{% endfor %}