diff --git a/tasks/postfixadmin.yml b/tasks/postfixadmin.yml
index 7a44253..78759f8 100644
--- a/tasks/postfixadmin.yml
+++ b/tasks/postfixadmin.yml
@@ -5,11 +5,18 @@
 
 - name: postfixadmin - nginx local
 notify: reload nginx
- when: mailserver_postfixadmin_domain == ""
+ # when: mailserver_postfixadmin_domain == ""
 template:
 src: postfixadmin-local.nginx
 dest: /etc/nginx/local.d/postfixadmin.act
 
+- name: postfixadmin - get cert for nginx domain
+ notify: dehydrated
+ when: mailserver_postfixadmin_domain != ""
+ lineinfile:
+ path: /etc/dehydrated/domains.txt
+ line: "{{ mailserver_postfixadmin_domain }}"
+
 - name: postfixadmin - nginx domain
 notify: reload nginx
 when: mailserver_postfixadmin_domain != ""
diff --git a/templates/postfixadmin-domain.nginx b/templates/postfixadmin-domain.nginx
new file mode 100644
index 0000000..b4a3f5d
--- /dev/null
+++ b/templates/postfixadmin-domain.nginx
@@ -0,0 +1,27 @@
+server {
+ listen [::]:443 ssl http2;
+ listen 443 ssl http2;
+
+ server_name {{ mailserver_postfixadmin_domain }};
+
+ ssl_certificate /etc/dehydrated/certs/{{ mailserver_postfixadmin_domain }}/fullchain.pem;
+ ssl_certificate_key /etc/dehydrated/certs/{{ mailserver_postfixadmin_domain }}/privkey.pem;
+
+ include snippets/letsencrypt.conf;
+
+ root /usr/share/webapps/postfixadmin/public;
+ index index.html index.htm index.php;
+
+ location ~ \.php(?:$|/) {
+ fastcgi_split_path_info ^(.+.php)(/.+)$;
+ fastcgi_pass unix:/run/php-fpm/php-fpm.sock;
+ fastcgi_index index.php;
+
+ include fastcgi.conf;
+
+ fastcgi_param PHP_ADMIN_VALUE open_basedir=/etc/webapps/postfixadmin/:/usr/share/webapps/postfixadmin:/var/cache/postfixadmin/:/tmp:/usr/share/pear:/dev/urandom;
+ fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
+ fastcgi_param PATH_INFO $fastcgi_path_info;
+ fastcgi_param HTTPS on;
+ }
+}
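Review bot: Commenting out `when: mailserver_postfixadmin_domain == ""` on "postfixadmin - nginx local" makes that task unconditional, so postfixadmin-local.nginx is now installed even when a dedicated TLS domain is configured. If that template publishes the admin UI on the default server (it is not visible in this diff), the interface stays reachable outside the certificate-protected vhost; either restore the condition or delete the line and say in a comment why the local vhost is always wanted, rather than leaving dead code. Separately, the new lineinfile task only notifies `dehydrated`, while the next task installs a vhost whose `ssl_certificate` points under /etc/dehydrated/certs/; unless the `dehydrated` handler is defined before `reload nginx` (handlers are not shown), the first run may reload nginx before the certificate files exist. The "postfixadmin - nginx domain" task continues past the end of the hunk.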
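Review bot: The PHP location passes every URI matching `\.php(?:$|/)` to php-fpm without checking that the script exists, and the split pattern `^(.+.php)(/.+)$` leaves the dot before `php` unescaped. With path-info handling enabled on the PHP side, a request path that merely contains `.php/` can be resolved onto a file that is not a PHP script, so the usual hardening is to escape the dot and add an existence check right after the split. Because `try_files` resets `$fastcgi_path_info`, the value has to be copied into a variable first and that variable used for `PATH_INFO`.

```nginx
location ~ \.php(?:$|/) {
    fastcgi_split_path_info ^(.+\.php)(/.+)$;
    # try_files resets $fastcgi_path_info, so keep a copy before the check
    set $path_info $fastcgi_path_info;
    try_files $fastcgi_script_name =404;
    # … unchanged: fastcgi_pass, fastcgi_index, include fastcgi.conf, PHP_ADMIN_VALUE, SCRIPT_FILENAME …
    fastcgi_param PATH_INFO $path_info;
    # … unchanged: HTTPS param …
```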