{ config, pkgs, lib, ... }:
let
  mail_config = config.mailserver;
  acmeRoot = "/var/lib/acme/acme-challenge";

in {
  config = (lib.mkIf (mail_config.enable && mail_config.ssl_config.useACME) {
    services.nginx = {
      enable = true;
      virtualHosts."${mail_config.fqdn}" = {
        serverName = mail_config.fqdn;
        serverAliases = mail_config.domains;
        forceSSL = true;
        enableACME = true;
        acmeRoot = acmeRoot;
      };
    };

    security.acme.certs."${mail_config.fqdn}" = {
      reloadServices = [ "postfix.service" "dovecot2.service" ];
    };
  });
}