diff --git a/hosts/web-arm/configuration.nix b/hosts/web-arm/configuration.nix
index b8f9db4..5a058ec 100644
--- a/hosts/web-arm/configuration.nix
+++ b/hosts/web-arm/configuration.nix
@@ -35,6 +35,7 @@ ./sites/autoconfig.cloonar.com.nix ./sites/feeds.cloonar.com.nix + ./sites/webmail.cloonar.com.nix ./sites/vcard.cloonar.dev.nix ./sites/vcard.cloonar.com.nix
diff --git a/hosts/web-arm/sites/webmail.cloonar.com.nix b/hosts/web-arm/sites/webmail.cloonar.com.nix
new file mode 100644
index 0000000..bae375b
--- /dev/null
+++ b/hosts/web-arm/sites/webmail.cloonar.com.nix
@@ -0,0 +1,78 @@
+{ config, pkgs, lib, ... }:
+let
+ domain = config.networking.domain;
+ roundcubeRoot = "${config.services.roundcube.package}/public_html";
+ # PHP-FPM socket created by the roundcube module (pool named "roundcube"):
+ fpmSocket = config.services.phpfpm.pools.roundcube.socket;
+in
+{
+ # DB for Roundcube (PostgreSQL shown; MariaDB works too)
+ services.postgresql = {
+ enable = true;
+ ensureDatabases = [ "roundcube" ];
+ ensureUsers = [
+ { name = "roundcube"; ensureDBOwnership = true; }
+ ];
+ };
+
+ services.roundcube = {
+ enable = true;
+ configureNginx = false; # <-- you’ll provide your own vhost
+ plugins = [ "managesieve" "archive" "zipdownload" ];
+ database = {
+ host = "localhost";
+ dbname = "roundcube";
+ username = "roundcube";
+ };
+
+ extraConfig = ''
+ // IMAP & SMTP
+ $config['imap_host'] = 'ssl://imap.${domain}:993';
+ $config['smtp_host'] = 'tls://mail.${domain}:587';
+ $config['smtp_user'] = '%u';
+ $config['smtp_pass'] = '%p';
+
+ // ManageSieve (filters + vacation)
+ $config['managesieve_host'] = 'tls://imap.${domain}:4190';
+ '';
+ };
+
+ services.nginx = {
+ enable = true;
+
+ virtualHosts."webmail.${domain}" = {
+ forceSSL = true;
+ enableACME = true;
+ root = roundcubeRoot;
+
+ extraConfig = ''
+ client_max_body_size 50m;
+ '';
+
+ locations = {
+ # Serve static assets directly
+ "~* ^/(favicon\\.ico|robots\\.txt|browserconfig\\.xml)$".tryFiles = "$uri =404";
+ "~* ^/(assets|installer|public|skins|plugins)/" = {
+ tryFiles = "$uri =404";
+ };
+
+ # PHP entry points
+ "~ \\.php$" = {
+ extraConfig = ''
+ include ${pkgs.nginx}/conf/fastcgi_params;
+ fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
+ fastcgi_param HTTPS on;
+ fastcgi_pass unix:${fpmSocket};
+ fastcgi_buffers 16 16k;
+ fastcgi_buffer_size 32k;
+ '';
+ };
+
+ # Default: let Roundcube handle routing
+ "/" = {
+ tryFiles = "$uri /index.php?$query_string";
+ };
+ };
+ };
+ };
+}
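Review bot: The static-asset location `~* ^/(assets|installer|public|skins|plugins)/` also covers `.php` paths under `installer/` and `plugins/`, and because `locations` is a Nix attribute set, the order written here does not by itself decide whether that regex or `~ \\.php$` is emitted first in the nginx config. Depending on the emitted order, such a file is either returned as source by `tryFiles = "$uri =404"` or handed to PHP-FPM, so I would drop `installer` from the pattern (Roundcube's installer is not meant to stay reachable after setup) and pin the order with the module's `priority` option on both regex locations. The PHP location should also refuse scripts that do not exist on disk before `fastcgi_pass`, e.g. `try_files $uri =404;` as the first line of its `extraConfig`. Whether `public_html` in the packaged Roundcube actually exposes an installer path is not visible from this diff, so that part is worth checking against the built package.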