diff --git a/systems/vesuvio/certificates.nix b/systems/vesuvio/certificates.nix
new file mode 100644
index 0000000..dce62e8
--- /dev/null
+++ b/systems/vesuvio/certificates.nix
@@ -0,0 +1,25 @@
+{ config, ... }:
+{
+ security.acme = {
+ acceptTerms = true;
+ defaults = {
+ email = "acme@uku.moe";
+ webroot = "/var/lib/acme/acme-challenge";
+ };
+ };
+
+ services.nginx.virtualHosts = {
+ "acme.uku3lig.net" = {
+ serverAliases = [
+ "*.uku3lig.net"
+ "*.uku.moe"
+ ];
+
+ locations."/.well-known/acme-challenge".root = config.security.acme.defaults.webroot;
+ };
+ };
+
+ # /var/lib/acme/acme-challenge must be writable by the ACME user and readable by the Nginx user.
+ # The easiest way to achieve this is to add the Nginx user to the ACME group.
+ users.users.nginx.extraGroups = [ "acme" ];
+}
diff --git a/systems/vesuvio/default.nix b/systems/vesuvio/default.nix
index 46a7b3d..7c06490 100644
--- a/systems/vesuvio/default.nix
+++ b/systems/vesuvio/default.nix
@@ -1,6 +1,7 @@
 { pkgs, ... }:
 {
 imports = [
+ ./certificates.nix
 ./frp.nix
 ./hetzner.nix
 ];
@@ -10,8 +11,16 @@
 traceroute
 ];
 
- services.openssh = {
- ports = [ 4269 ];
- openFirewall = true;
+ services = {
+ nginx.enable = true;
+ openssh = {
+ ports = [ 4269 ];
+ openFirewall = true;
+ };
 };
+
+ networking.firewall.allowedTCPPorts = [
+ 80
+ 443
+ ];
 }
diff --git a/systems/vesuvio/mail.nix b/systems/vesuvio/mail.nix
new file mode 100644
index 0000000..7d40abd
--- /dev/null
+++ b/systems/vesuvio/mail.nix
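Review bot: `users.users.nginx.extraGroups = [ "acme" ];` at the end of certificates.nix grants more than the challenge directory needs: as far as I can tell the ACME module makes each certificate's files readable by that certificate's `group`, and the group defaults to `acme`, so nginx can then read the private key of any certificate that is left at the default group (the mail certificate in this commit sets its own group, so it is not affected). If nginx only needs the webroot, the narrower fix is to make `/var/lib/acme/acme-challenge` itself readable by nginx, or to keep this setup and require every certificate consumed by another service to set `group` as mail.nix does. The comment above the line should state what the membership grants, e.g. `# Note: membership in "acme" also lets nginx read any certificate left at the default group; set a per-cert group for keys nginx must not see.`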
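Review bot: In the second default.nix hunk `networking.firewall.allowedTCPPorts` opens 443, but nothing in this commit listens on it: the only virtual host added (in certificates.nix) serves the HTTP-01 challenge over plain HTTP and enables no TLS. If the port is opened ahead of a later TLS virtual host, a comment such as `# 443: reserved for TLS vhosts added later` keeps the exposed-port list auditable; otherwise drop `443` until a listener exists. The `services = { … }` regrouping around `openssh` looks behaviour-preserving.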
@@ -0,0 +1,35 @@
+{ config, ... }:
+let
+ certName = "mail.c.uku3lig.net";
+ certLocation = config.security.acme.certs.${certName}.directory;
+in
+{
+ security.acme.certs.${certName} = {
+ group = config.services.maddy.group;
+ extraLegoRenewFlags = [ "--reuse-key" ]; # soopyc said its more secure
+ };
+
+ services.maddy = {
+ enable = true;
+ hostname = "mx1.uku3lig.net";
+ primaryDomain = "uku3lig.net";
+ localDomains = [
+ "$(primary_domain)"
+ "uku.moe"
+ ];
+
+ tls = {
+ loader = "file";
+ certificates = [
+ {
+ certPath = "${certLocation}/fullchain.pem";
+ keyPath = "${certLocation}/key.pem";
+ }
+ ];
+ };
+
+ config = ''
+
+ '';
+ };
+}
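Review bot: The certificate is requested for `certName = "mail.c.uku3lig.net"` while maddy announces itself as `hostname = "mx1.uku3lig.net"`; if mx1.uku3lig.net is the name in the MX record or the name clients are pointed at, any peer that verifies the certificate (MTA-STS, DANE, submission clients) will see a name mismatch, so the certificate should cover the name clients actually connect to. The comment on `--reuse-key` (`# soopyc said its more secure`) is misleading: reusing the private key across renewals trades away key rotation, and its real benefit is a stable public key (for example so a DANE TLSA record does not have to change at every renewal); suggest `# keep the key across renewals so the public key (and any TLSA record) stays stable; this forgoes per-renewal key rotation`. The empty `config = '' '';` at the bottom looks like a placeholder; if the maddy module ships a default config this value replaces it and maddy comes up with no endpoint blocks, so a comment saying the real configuration is still to come would help the next reader.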