# NixOS module: TLS front end for the mail system.
#
# When `mailsystem.enable` is set, this declares an nginx virtual host for the
# mail FQDN with ACME enabled, optionally opens the HTTP/HTTPS ports, and asks
# the ACME unit to reload Dovecot after the certificate for that name changes.
# No locations are defined on the virtual host in this file.
{ config, pkgs, lib, ... }:

let
  inherit (lib) mkIf optionals;

  cfg = config.mailsystem;
  host = cfg.fqdn;

  # Ports opened when `openFirewall` is set: plain HTTP and HTTPS.
  webPorts = [ 80 443 ];
in
{
  config = mkIf cfg.enable {
    services.nginx = {
      enable = true;

      virtualHosts."${host}" = {
        # Redirect plain-HTTP requests to HTTPS so nothing is served in clear.
        forceSSL = true;
        # Let the NixOS ACME integration request and renew the certificate.
        # NOTE(review): with the default webroot (HTTP-01) flow the CA must be
        # able to reach this host on port 80 - confirm no DNS-01 override
        # exists elsewhere.
        enableACME = true;
      };
    };

    # Opening the ports is opt-in; the list is empty when `openFirewall` is
    # false.
    # NOTE(review): if the ports are not opened by another module in that case,
    # HTTP-01 issuance and renewal would presumably fail - verify.
    networking.firewall.allowedTCPPorts = optionals cfg.openFirewall webPorts;

    # A renewed certificate is only used by a daemon once it re-reads the file,
    # so Dovecot is reloaded after every renewal of this certificate.
    # NOTE(review): only dovecot2 is listed here. Any other service presenting
    # this certificate (e.g. an SMTP daemon) needs its own entry, here or in its
    # own module, or it may keep serving the old certificate - confirm.
    # NOTE(review): read access to the key material for the Dovecot user is not
    # configured in this file - confirm it is granted elsewhere.
    security.acme.certs."${host}".reloadServices = [ "dovecot2.service" ];
  };
}