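# NixOS module: nginx front-end for the mail system's FQDN.
#
# Responsibilities (all gated on `config.mailsystem.enable`):
#   * an nginx virtual host for `cfg.fqdn` that redirects plain HTTP to HTTPS
#     (`forceSSL`) and is served with either an ACME-issued certificate or the
#     self-signed pair exported by ./common.nix (`sslCertPath`, `sslKeyPath`);
#   * optional firewall holes for 80/443 (`cfg.openFirewall`);
#   * when ACME is in use, a reload of postfix and dovecot after each renewal,
#     since those services present the same certificate and would otherwise
#     keep serving the expired one until restarted.
#
# Fix: the original combined two `lib.mkIf` results with `//`.  `mkIf` returns
# the attrset `{ _type = "if"; condition; content; }`, so `//` simply replaces
# the left-hand `condition`/`content` with the right-hand ones — the nginx and
# firewall configuration was silently dropped whenever the file evaluated.
# Conditional fragments must be combined with `lib.mkMerge` instead.
{ config, pkgs, lib, ... }:

# Brings `sslCertPath` and `sslKeyPath` (self-signed certificate locations)
# into scope.  NOTE(review): assumed from their use below — confirm against
# ./common.nix.
with (import ./common.nix { inherit config; });

let
  cfg = config.mailsystem;
  useAcme = cfg.certificateScheme == "acme";
  useSelfSigned = cfg.certificateScheme == "selfsigned";
in
{
  config = lib.mkMerge [
    (lib.mkIf cfg.enable {
      services.nginx = {
        enable = true;
        virtualHosts."${cfg.fqdn}" = {
          # Never serve the mail front-end over plain HTTP.
          forceSSL = true;
          enableACME = useAcme;
          # NOTE(review): if `certificateScheme` is neither "acme" nor
          # "selfsigned", the vhost has `forceSSL` but no certificate; nginx
          # will then fail to start.  Whether other schemes exist depends on
          # the option declaration, which is not in this file.
          sslCertificate = lib.mkIf useSelfSigned sslCertPath;
          sslCertificateKey = lib.mkIf useSelfSigned sslKeyPath;
        };
      };

      # Only open the web ports when explicitly requested.
      networking.firewall.allowedTCPPorts = lib.optionals cfg.openFirewall [ 80 443 ];
    })

    # The ACME certificate for the FQDN is shared with the MTA/IMAP daemons,
    # so they must pick up the renewed key material as well.
    (lib.mkIf (cfg.enable && useAcme) {
      security.acme.certs."${cfg.fqdn}".reloadServices = [
        "postfix.service"
        "dovecot2.service"
      ];
    })
  ];
}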