diff --git a/config/services/idmail.nix b/config/services/idmail.nix
index b4674a2..3218705 100644
--- a/config/services/idmail.nix
+++ b/config/services/idmail.nix
@@ -73,6 +73,8 @@ in
 systemd.services.idmail.serviceConfig.RestartSec = "60"; # Retry every minute
 services.nginx = {
+ enable = true;
+ recommendedSetup = true;
 upstreams.idmail = {
 servers."127.0.0.1:3000" = { };
 extraConfig = ''
@@ -82,7 +84,7 @@ in
 };
 virtualHosts.${idmailDomain} = {
 forceSSL = true;
- useACMEWildcardHost = true;
+ useACMEHost = domain;
 locations."/" = {
 proxyPass = "http://idmail";
 proxyWebsockets = true;
diff --git a/config/services/stalwart.nix b/config/services/stalwart.nix
index 17d96bc..df1f6a9 100644
--- a/config/services/stalwart.nix
+++ b/config/services/stalwart.nix
@@ -125,6 +125,8 @@ in
 } ];
 services.nginx = {
+ enable = true;
+ recommendedSetup = true;
 upstreams.stalwart = {
 servers."127.0.0.1:8080" = { };
 extraConfig = ''
@@ -136,7 +138,7 @@ in
 { ${domain} = {
 forceSSL = true;
- useACMEWildcardHost = true;
+ useACMEHost = domain;
 extraConfig = ''
 client_max_body_size 512M;
 '';
@@ -154,7 +156,7 @@ in
 ] (_: {
 forceSSL = true;
- useACMEWildcardHost = true;
+ useACMEHost = domain;
 locations."/".proxyPass = "http://stalwart";
 }); };
diff --git a/hosts/maddy/default.nix b/hosts/maddy/default.nix
index 01e0014..e1cd3ce 100644
--- a/hosts/maddy/default.nix
+++ b/hosts/maddy/default.nix
@@ -2,7 +2,7 @@
 imports = [
 ../../config/basic
 ../../config/support/initrd-ssh.nix
- ../../config/services/maddy.nix
+ # ../../config/services/maddy.nix
 ../../config/support/zfs.nix
 ./net.nix
diff --git a/hosts/mailnix/net.nix b/hosts/mailnix/net.nix
index b4daf3f..8244117 100644
--- a/hosts/mailnix/net.nix
+++ b/hosts/mailnix/net.nix
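Review bot: `recommendedSetup = true;` is not an option I know from the upstream NixOS nginx module, so it is presumably declared elsewhere in this repository, and nothing in the hunk says which TLS and proxy settings it turns on. This file, and the identical addition in config/services/stalwart.nix, now depends on that module being imported, so a short comment would help, e.g. `# recommendedSetup: repo-local option, defined in <module path>`. The `services.nginx` block continues past the end of the hunk.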
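Review bot: `useACMEHost = domain;` on `virtualHosts.${idmailDomain}` only points nginx at the certificate named `domain`; it does not add the vhost's own name to that certificate. With the wildcard helper gone, the cert has to list `idmailDomain` itself (through `extraDomainNames` on the matching `security.acme.certs` entry, or a wildcard name), otherwise clients of this `forceSSL` host get a hostname mismatch. The part of `security.acme.certs` visible in hosts/mailnix/net.nix shows only `domain = …`, so this should be confirmed and noted, e.g. `# cert "${domain}" must carry ${idmailDomain} as a SAN`. The same applies to both `useACMEHost = domain;` replacements in config/services/stalwart.nix, most of all the generated vhosts in its last hunk.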
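Review bot: The import of `../../config/services/maddy.nix` is commented out rather than removed, with no reason given, so a reader cannot tell whether hosts/maddy is meant to run without its mail service for good or only for now. Either delete the line or state the intent next to it, e.g. `# ../../config/services/maddy.nix  # disabled: <reason>`. The `imports` list continues past the end of the hunk.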
@@ -52,6 +52,7 @@
 }; };
 networking.nftables.firewall.zones.untrusted.interfaces = [ "lan01" ];
+ users.groups.acme.members = [ "nginx" ];
 security.acme.certs = {
 "${config.secrets.secrets.global.domains.mail_public}" = {
 domain = config.secrets.secrets.global.domains.mail_public;
diff --git a/hosts/mailnix/secrets/generated/buildSSHKey.age b/hosts/mailnix/secrets/generated/buildSSHKey.age
deleted file mode 100644
index 7c8dcba..0000000
Binary files a/hosts/mailnix/secrets/generated/buildSSHKey.age and /dev/null differ
diff --git a/hosts/mailnix/secrets/generated/dhparams.pem.age b/hosts/mailnix/secrets/generated/dhparams.pem.age
new file mode 100644
index 0000000..074e00d
Binary files /dev/null and b/hosts/mailnix/secrets/generated/dhparams.pem.age differ
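Review bot: `users.groups.acme.members = [ "nginx" ];` lets the nginx user read every certificate and private key that is owned by the `acme` group on this host, not only the mail certificate the vhosts reference. If nginx is the only extra reader, scoping the grant to the one cert is narrower, e.g. `security.acme.certs."<cert name>".group = config.services.nginx.group;`. If other services read the same key, group membership is reasonable but deserves a comment saying so. The line also sits in the host's net.nix while nginx is enabled from config/services/*.nix, so another host importing those modules would not get the membership; keeping it next to `services.nginx.enable` would avoid that. The `security.acme.certs` block continues past the end of the hunk.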