diff --git a/flake.lock b/flake.lock
index 0205fe0..b8bf414 100644
--- a/flake.lock
+++ b/flake.lock
@@ -44,4 +44,4 @@
 },
 "root": "root",
 "version": 7
-}
+}
\ No newline at end of file
diff --git a/sp-modules/roundcube/config-paths-needed.json b/sp-modules/roundcube/config-paths-needed.json
new file mode 100644
index 0000000..a650a1e
--- /dev/null
+++ b/sp-modules/roundcube/config-paths-needed.json
@@ -0,0 +1,5 @@
+[
+ ["selfprivacy", "domain"],
+ ["selfprivacy", "modules", "roundcube"],
+ ["mailserver", "fqdn"]
+]
diff --git a/sp-modules/roundcube/flake.nix b/sp-modules/roundcube/flake.nix
new file mode 100644
index 0000000..d335522
--- /dev/null
+++ b/sp-modules/roundcube/flake.nix
@@ -0,0 +1,9 @@
+{
+ description = "Roundcube is a web-based email client.";
+
+ outputs = { self }: {
+ nixosModules.default = import ./module.nix;
+ configPathsNeeded =
+ builtins.fromJSON (builtins.readFile ./config-paths-needed.json);
+ };
+}
diff --git a/sp-modules/roundcube/module.nix b/sp-modules/roundcube/module.nix
new file mode 100644
index 0000000..1fd157d
--- /dev/null
+++ b/sp-modules/roundcube/module.nix
@@ -0,0 +1,39 @@
+{ config, lib, ... }:
+let
+ domain = config.selfprivacy.domain;
+ cfg = config.selfprivacy.modules.roundcube;
+in
+{
+ options.selfprivacy.modules.roundcube = {
+ enable = lib.mkOption {
+ default = false;
+ type = lib.types.bool;
+ };
+ subdomain = lib.mkOption {
+ default = "roundcube";
+ type = lib.types.strMatching "[A-Za-z0-9][A-Za-z0-9\-]{0,61}[A-Za-z0-9]";
+ };
+ };
+
+ config = lib.mkIf cfg.enable {
+
+ services.roundcube = {
+ enable = true;
+ # this is the url of the vhost, not necessarily the same as the fqdn of
+ # the mailserver
+ hostName = "${cfg.subdomain}.${config.selfprivacy.domain}";
+ extraConfig = ''
+ # starttls needed for authentication, so the fqdn required to match
+ # the certificate
+ $config['smtp_server'] = "tls://${config.mailserver.fqdn}";
+ $config['smtp_user'] = "%u";
+ $config['smtp_pass'] = "%p";
+ '';
+ };
+ services.nginx.virtualHosts."${cfg.subdomain}.${domain}" = {
+ forceSSL = true;
+ useACMEHost = domain;
+ };
+ };
+}
+
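Review bot: The vhost name is built twice in different ways, `"${cfg.subdomain}.${config.selfprivacy.domain}"` for `services.roundcube.hostName` and `"${cfg.subdomain}.${domain}"` for the `services.nginx.virtualHosts` key, and `forceSSL`/`useACMEHost` only reach the Roundcube vhost while the two strings stay identical. Binding it once in the `let` block, e.g. `hostName = "${cfg.subdomain}.${domain}";`, and using that name in both places removes the risk of a second vhost that lacks the TLS settings. As far as I know the upstream `services.roundcube` module already sets `enableACME` on that vhost with `mkDefault`, and nginx treats `enableACME` and `useACMEHost` as mutually exclusive, so an explicit `enableACME = false;` next to `useACMEHost = domain;` is probably needed; please confirm against the pinned nixpkgs. `useACMEHost = domain` also assumes the certificate issued for `domain` covers this subdomain (wildcard or SAN), which this hunk does not show.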