Setup MTA-STS for remaining mail domains

https://tools.ietf.org/html/rfc8461

roles/mta_sts/defaults/main.yml

-mta_sts_domain: mta-sts.archlinux.org
+mta_sts:
+  - mx:
+      - mail.archlinux.org
+    domains:
+      - archlinux.org
+      - aur.archlinux.org
+      - master-key.archlinux.org
+  - mx:
+      - luna.archlinux.org
+    domains:
+      - lists.archlinux.org

roles/mta_sts/tasks/main.yml

 ---
 - name: create ssl cert
-  command: certbot certonly --email webmaster@archlinux.org --agree-tos --rsa-key-size 4096 --renew-by-default --webroot -w {{ letsencrypt_validation_dir }} -d '{{ mta_sts_domain }}' creates='/etc/letsencrypt/live/{{ mta_sts_domain }}/fullchain.pem'
+  command: certbot certonly --email webmaster@archlinux.org --agree-tos --rsa-key-size 4096 --renew-by-default --webroot -w {{ letsencrypt_validation_dir }} -d mta-sts.{{ item.domains | join(' -d mta-sts.') }} creates='/etc/letsencrypt/live/{{ "mta-sts." + item.domains | first }}/fullchain.pem'
+  loop: "{{ mta_sts }}"
 
 - name: make nginx log dir
-  file: path=/var/log/nginx/{{ mta_sts_domain }} state=directory owner=root group=root mode=0755
+  file: path=/var/log/nginx/{{ "mta-sts." + item.domains | first }} state=directory owner=root group=root mode=0755
+  loop: "{{ mta_sts }}"
 
 - name: set up nginx
   template: src=nginx.d.conf.j2 dest="/etc/nginx/nginx.d/mta-sts.conf" owner=root group=root mode=644

roles/mta_sts/templates/nginx.d.conf.j2

+{% for config in mta_sts %}
+{% set domain = "mta-sts." + config.domains | first %}
 server {
     listen       80;
     listen       [::]:80;
-    server_name  {{ mta_sts_domain }};
+    server_name  mta-sts.{{ config.domains | join(' mta-sts.') }};
 
-    access_log   /var/log/nginx/{{ mta_sts_domain }}/access.log reduced;
-    error_log    /var/log/nginx/{{ mta_sts_domain }}/error.log;
+    access_log   /var/log/nginx/{{ domain }}/access.log reduced;
+    error_log    /var/log/nginx/{{ domain }}/error.log;
 
     include snippets/letsencrypt.conf;
 
@@ -17,18 +19,18 @@ server {
 server {
     listen       443 ssl http2;
     listen       [::]:443 ssl http2;
-    server_name  {{ mta_sts_domain }};
+    server_name  mta-sts.{{ config.domains | join(' mta-sts.') }};
 
-    access_log   /var/log/nginx/{{ mta_sts_domain }}/access.log reduced;
-    error_log    /var/log/nginx/{{ mta_sts_domain }}/error.log;
+    access_log   /var/log/nginx/{{ domain }}/access.log reduced;
+    error_log    /var/log/nginx/{{ domain }}/error.log;
 
-    ssl_certificate      /etc/letsencrypt/live/{{ mta_sts_domain }}/fullchain.pem;
-    ssl_certificate_key  /etc/letsencrypt/live/{{ mta_sts_domain }}/privkey.pem;
-    ssl_trusted_certificate /etc/letsencrypt/live/{{ mta_sts_domain }}/chain.pem;
+    ssl_certificate      /etc/letsencrypt/live/{{ domain }}/fullchain.pem;
+    ssl_certificate_key  /etc/letsencrypt/live/{{ domain }}/privkey.pem;
+    ssl_trusted_certificate /etc/letsencrypt/live/{{ domain }}/chain.pem;
 
     location /.well-known/mta-sts.txt {
         default_type text/plain;
-        return 200 'version: STSv1\nmode: testing\nmax_age: 604800\nmx: mail.archlinux.org\n';
+        return 200 'version: STSv1\nmode: testing\nmax_age: 604800\nmx: {{ config.mx | join('\\nmx: ')}}\n';
     }
 
     location / {
@@ -36,3 +38,4 @@ server {
         return 404;
     }
 }
+{% endfor %}

tf-stage1/archlinux.tf

@@ -614,15 +614,19 @@ resource "hetznerdns_record" "archlinux_org_mail_aaaa" {
 }
 
 resource "hetznerdns_record" "archlinux_org_mtasts_cname" {
+  for_each = toset(["", ".aur", ".master-key", ".lists"])
+
   zone_id = hetznerdns_zone.archlinux.id
-  name    = "mta-sts"
+  name    = "mta-sts${each.value}"
   value   = "mail"
   type    = "CNAME"
 }
 
 resource "hetznerdns_record" "archlinux_org__mtasts_txt" {
+  for_each = toset(["", ".aur", ".master-key", ".lists"])
+
   zone_id = hetznerdns_zone.archlinux.id
-  name    = "_mta-sts"
+  name    = "_mta-sts${each.value}"
   ttl     = 600
   # date +%s
   value = "\"v=STSv1; id=1608210175\""