mailnix/mailsystem/nginx.nix
Thomas Preisner d907cfdefe mailsystem: nginx: Replace incorrect usage of lib.mkIf with lib.optionalAttrs
Evaluation of lib.mkIf and lib.optionalAttrs is slightly different. In
this specific case, the usage of lib.mkIf resulted in the defined
virtualHost never actually being applied due to an earlier error in the
evaluation order.
2024-12-29 15:48:12 +01:00


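# NixOS module: nginx front end for the mail system.
#
# When `mailsystem.enable` is set, this declares a TLS-only virtual host for
# `cfg.fqdn`, optionally opens TCP ports 80 and 443 in the firewall, and, for
# the "acme" certificate scheme, has the mail daemons reloaded after the
# certificate for `cfg.fqdn` is renewed.
{
  config,
  pkgs,
  lib,
  ...
}:
with (import ./common.nix {inherit config;}); let
  cfg = config.mailsystem;
in {
  # The conditional fragments are combined with lib.mkMerge, not `//`.
  # lib.mkIf returns a marker attrset ({ _type = "if"; condition; content; }),
  # so `lib.mkIf a x // lib.mkIf b y` collapses to the right-hand marker only.
  # That silently discarded the whole first fragment: the nginx virtual host
  # (and with it forceSSL / enableACME) and the firewall rule.
  config = lib.mkMerge [
    (lib.mkIf cfg.enable {
      services.nginx = {
        enable = true;
        virtualHosts."${cfg.fqdn}" =
          {
            # Serve this host over HTTPS only; plain HTTP is redirected.
            forceSSL = true;
            # Let the ACME integration obtain the certificate for this host.
            enableACME = cfg.certificateScheme == "acme";
          }
          # A plain attrset merge is correct here because lib.optionalAttrs
          # returns either the given set or {}, never a module-system marker.
          // lib.optionalAttrs (cfg.certificateScheme == "selfsigned") {
            # sslCertPath / sslKeyPath are not defined in this file; presumably
            # they are brought into scope from ./common.nix by the `with` above.
            sslCertificate = sslCertPath;
            sslCertificateKey = sslKeyPath;
          };
      };
      # lib.optionals yields [] when openFirewall is false, so nothing is opened.
      networking.firewall.allowedTCPPorts = lib.optionals cfg.openFirewall [80 443];
    })
    (lib.mkIf (cfg.enable && cfg.certificateScheme == "acme") {
      # Reload the mail daemons on renewal so they do not keep serving the old
      # certificate (assumes postfix and dovecot use this certificate; confirm
      # against their modules).
      security.acme.certs."${cfg.fqdn}".reloadServices = [
        "postfix.service"
        "dovecot2.service"
      ];
    })
  ];
}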