diff --git a/flake.nix b/flake.nix
index f9c7cdf..36d8788 100644
--- a/flake.nix
+++ b/flake.nix
@@ -11,7 +11,7 @@
 inputs.nixpkgs.follows = "nixpkgs";
 };
 };
- outputs = { self, nixpkgs, mailserver, sops-nix, ... }@attrs: let
+ outputs = { self, nixpkgs, sops-nix, mailserver, ... }@attrs: let
 lib = nixpkgs.lib;
 fn = import ./fn.nix { inherit lib; };
 system = "x86_64-linux";
diff --git a/services/mailserver.nix b/services/mailserver.nix
index debe831..91be653 100644
--- a/services/mailserver.nix
+++ b/services/mailserver.nix
@@ -1,8 +1,12 @@
-{ config, lib, ... }:
+{ config, lib, fn, mailserver, ... }:
 with lib;
-mkIf (elem "mailserver" config.machine.services) {
+{
+ imports = [
+ mailserver.nixosModules.mailserver
+ ];
+} // mkIf (elem "mailserver" config.machine.services) {
 mailserver = let
 cfg = config.machine;
 domain = cfg.domain;
@@ -12,7 +16,7 @@ mkIf (elem "mailserver" config.machine.services) {
 mkUser = user: rec {
 name = "${user.name}@${domain}";
 value = {
- hashedPassword = (fileContents "${cfg.secretPath}/${user.name}.mail");
+ hashedPasswordFile = config.sops.secrets."users/${user.name}/mail".path;
 aliases = [ "${user.name}@${fdomain}" ]
 ++ (flatten (map mkFqdnAlias user.aliases))
 ++ (flatten (map mkExDomAlias ([ user.name ] ++ user.aliases)));
@@ -26,9 +30,9 @@ mkIf (elem "mailserver" config.machine.services) {
 # Use Let's Encrypt certificates. Note that this needs to set up a stripped
 # down nginx and opens port 80.
- certificateScheme = 1;
- certificateFile = "/var/lib/acme/" + fqdn + "/fullchain.pem";
- keyFile = "/var/lib/acme/" + fqdn + "/key.pem";
+ certificateScheme = "manual";
+ certificateFile = "/var/lib/acme/" + fdomain + "/fullchain.pem";
+ keyFile = "/var/lib/acme/" + fdomain + "/key.pem";
 #dhParamBitLength = 4096; # this doesn't exist???
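Review bot: The new module header in services/mailserver.nix glues `imports` onto the `mkIf` result with `//`, so the module's shorthand config attrset ends up carrying `_type`/`condition`/`content` at its top level and depends on the module system's property push-down to unwrap it; that evaluates, but it reads oddly and breaks as soon as any other attribute is merged in beside `imports`. The conventional spelling separates the two: keep `imports = [ mailserver.nixosModules.mailserver ];`, replace the `} // mkIf (elem "mailserver" config.machine.services) {` line with `config = mkIf (elem "mailserver" config.machine.services) {`, and close it with `};` before the module's final `}` (that closing brace is in this file's last hunk). Importing the upstream module unconditionally is fine, since imports cannot be made conditional and the `mailserver.*` settings stay gated by the `mkIf`.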
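Review bot: The sops secret name `"users/${user.name}/mail"` is spelled out here in `hashedPasswordFile` and again in the lambda passed to `fn.sopsHelper` in this file's last hunk, so renaming one side silently desynchronises the other and only fails when `config.sops.secrets.<name>.path` is evaluated. A single helper in a `let` enclosing both uses, e.g. `mailSecret = user: "users/${user.name}/mail";`, used as `config.sops.secrets.${mailSecret user}.path` here and passed directly to `fn.sopsHelper`, keeps them in step. Replacing `fileContents` is the right move, as the old form embedded each password hash into the Nix store; `cfg.secretPath` now appears unused in this module and may be removable from the `machine` options if nothing else reads it. The enclosing `mkUser` function and the `let` it lives in start outside this hunk.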
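Review bot: The two context comment lines above `certificateScheme = "manual"` still describe the ACME-via-nginx scheme ("needs to set up a stripped down nginx and opens port 80"), which is not what `"manual"` does: with `"manual"` the mailserver module only consumes `certificateFile`/`keyFile`, and the certificate under `/var/lib/acme/` + fdomain has to be provisioned by a `security.acme` entry elsewhere in the configuration. Replace the comment with `# Use the Let's Encrypt certificate for fdomain provisioned by security.acme elsewhere;` / `# in "manual" mode the mailserver module runs no nginx and opens no ports for ACME.` It is also worth confirming that the postfix and dovecot users can read `key.pem` in that directory, since ACME-managed key directories are typically group-restricted, and that the certificate's names cover the hostname the mailserver advertises now that the path keys on `fdomain` rather than `fqdn`. The enclosing `mailserver` attrset starts and ends outside this hunk.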
@@ -45,4 +49,8 @@ mkIf (elem "mailserver" config.machine.services) {
 # 1 Gb RAM for the server. Without virus scanning 256 MB RAM should be plenty)
 virusScanning = false;
 };
+ sops.secrets = (fn.sopsHelper
+ (user: "users/${user.name}/mail")
+ config.machine.mailAccounts
+ {});
 }
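Review bot: The `fn.sopsHelper` call passes `{}` as its last argument, so — assuming that argument is the per-secret attribute set — the generated `sops.secrets.*` entries keep sops-nix's defaults (root-owned, mode 0400). That is only correct if the mailserver module reads each `hashedPasswordFile` as root while assembling dovecot's credentials; if the dovecot service reads the file itself, the secrets need a `group`/`mode` pair granting it read access, so verify how `hashedPasswordFile` is consumed before relying on the defaults. A one-line comment above `sops.secrets` recording the outcome, e.g. `# root-only is fine: the mailserver module reads these as root` (if that is what you find), saves the next reader the same check. The enclosing `mkIf` attrset starts outside this hunk.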