{
  config,
  lib,
  ...
}: let
  mail_config = config.services.mailserver;
  acmeRoot = "/var/lib/acme/acme-challenge";
in {
  config = lib.mkIf (mail_config.enable && mail_config.ssl_config.useACME) {
    services.nginx = {
      enable = true;
      virtualHosts."${mail_config.fqdn}" = {
        serverName = mail_config.fqdn;
        serverAliases = mail_config.domains;
        forceSSL = true;
        enableACME = true;
        acmeRoot = acmeRoot;
      };
    };

    security.acme.certs."${mail_config.fqdn}" = {
      reloadServices = ["postfix.service" "dovecot2.service"];
    };
  };
}