diff --git a/sp-modules/roundcube/config-paths-needed.json b/sp-modules/roundcube/config-paths-needed.json
index 5e0f12a..a650a1e 100644
--- a/sp-modules/roundcube/config-paths-needed.json
+++ b/sp-modules/roundcube/config-paths-needed.json
@@ -1,15 +1,5 @@
 [
-  [
-    "selfprivacy",
-    "domain"
-  ],
-  [
-    "selfprivacy",
-    "modules",
-    "roundcube"
-  ],
-  [
-    "mailserver",
-    "fqdn"
-  ]
-]
\ No newline at end of file
+  ["selfprivacy", "domain"],
+  ["selfprivacy", "modules", "roundcube"],
+  ["mailserver", "fqdn"]
+]
diff --git a/sp-modules/roundcube/module.nix b/sp-modules/roundcube/module.nix
index 9b24b9a..1b968dc 100644
--- a/sp-modules/roundcube/module.nix
+++ b/sp-modules/roundcube/module.nix
@@ -17,19 +17,24 @@ in
 
   config = lib.mkIf cfg.enable {
 
-  services.roundcube = {
-    enable = true;
-    # this is the url of the vhost, not necessarily the same as the fqdn of
-    # the mailserver
-    hostName = "${cfg.subdomain}.${config.selfprivacy.domain}";
-    extraConfig = ''
-      # starttls needed for authentication, so the fqdn required to match
-      # the certificate
-      $config['smtp_server'] = "tls://${config.mailserver.fqdn}";
-      $config['smtp_user'] = "%u";
-      $config['smtp_pass'] = "%p";
-    '';
+    services.roundcube = {
+      enable = true;
+      # this is the url of the vhost, not necessarily the same as the fqdn of
+      # the mailserver
+      hostName = "${cfg.subdomain}.${config.selfprivacy.domain}";
+      extraConfig = ''
+        # starttls needed for authentication, so the fqdn required to match
+        # the certificate
+        $config['smtp_server'] = "tls://${config.mailserver.fqdn}";
+        $config['smtp_user'] = "%u";
+        $config['smtp_pass'] = "%p";
+      '';
+    };
+    services.nginx.virtualHosts."${cfg.subdomain}.${domain}" = {
+      forceSSL = true;
+      useACMEHost = domain;
+      enableACME = false;
+    };
   };
-};
 }