From bf4e8c227700272003208198e505bf1a62c14e77 Mon Sep 17 00:00:00 2001
From: justin
Date: Sat, 6 Jun 2026 21:03:30 -0500
Subject: [PATCH] infra: MTA-STS HTTPS vhost (cert issued, policy live)
---
 infra/mta-sts/pw-mta-sts.conf | 15 +++++++++++++--
 1 file changed, 13 insertions(+), 2 deletions(-)
diff --git a/infra/mta-sts/pw-mta-sts.conf b/infra/mta-sts/pw-mta-sts.conf
index 750108a..c296309 100644
--- a/infra/mta-sts/pw-mta-sts.conf
+++ b/infra/mta-sts/pw-mta-sts.conf
@@ -1,7 +1,18 @@
+server {
+ listen 443 ssl;
+ http2 on;
+ server_name mta-sts.performancewest.net;
+ ssl_certificate /etc/letsencrypt/live/mta-sts.performancewest.net/fullchain.pem;
+ ssl_certificate_key /etc/letsencrypt/live/mta-sts.performancewest.net/privkey.pem;
+ ssl_protocols TLSv1.2 TLSv1.3;
+ ssl_ciphers ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256;
+ location /.well-known/mta-sts.txt { root /var/www/mta-sts; default_type text/plain; add_header Cache-Control "max-age=86400"; }
+ location /.well-known/acme-challenge/ { root /var/www/certbot; }
+ location / { return 404; }
+}
 server {
 listen 80;
 server_name mta-sts.performancewest.net;
 location /.well-known/acme-challenge/ { root /var/www/certbot; }
- location /.well-known/mta-sts.txt { root /var/www/mta-sts; default_type text/plain; }
- location / { return 404; }
+ location / { return 301 https://$host$request_uri; }
 }
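Review bot: The port-80 redirect on the last added line builds its target from the client-supplied Host header (`return 301 https://$host$request_uri;`), so if this server block is ever the default server for the listener, an unmatched Host value is reflected into the Location header; pinning the target to the vhost name, `location / { return 301 https://mta-sts.performancewest.net$request_uri; }`, removes that dependency on the request. The new 443 block also sends no HSTS header; adding `add_header Strict-Transport-Security "max-age=31536000" always;` at server level is the usual hardening for an MTA-STS host, with the caveat that nginx does not inherit server-level add_header into a location that declares its own add_header, so the mta-sts.txt location (which sets Cache-Control) would need the header repeated. Serving the policy only over HTTPS is the right direction, since RFC 8461 senders fetch mta-sts.txt over HTTPS with a validated certificate and do not follow 3xx redirects, so the dropped plain-HTTP copy was never reachable by a compliant sender anyway.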