diff --git a/.gitignore b/.gitignore
index ce26e7b..d7dcc04 100755
--- a/.gitignore
+++ b/.gitignore
@@ -1,4 +1,10 @@
 **/*.enc
-/hosts
-/prox-server-firewall-setup.yml
-/prox-server-setup.yml
+hosts
+prox-server-firewall-setup.yml
+prox-server-setup.yml
+prox-deploy-service.yml
+
+!**/ansible_resources/*
+
+!.gitkeep
+**/certbot/certs/*
diff --git a/services/service_mail/ansible.cfg b/services/service_mail/ansible.cfg
new file mode 100755
index 0000000..c36ea5d
--- /dev/null
+++ b/services/service_mail/ansible.cfg
@@ -0,0 +1,6 @@
+[defaults]
+inventory = hosts
+
+[privilege_escalation]
+become_method=doas
+become_ask_pass=True
diff --git a/services/service_mail/ansible_resources/hosts b/services/service_mail/ansible_resources/hosts
new file mode 100755
index 0000000..ddde437
--- /dev/null
+++ b/services/service_mail/ansible_resources/hosts
@@ -0,0 +1,6 @@
+# {{ ansible_managed }}
+
+all:
+ hosts:
+ {{ proxy_server_hostname }}:
+ {{ proxy_server_hostname }}-defaultport:
diff --git a/services/service_mail/ansible_resources/prox-deploy-service.yml b/services/service_mail/ansible_resources/prox-deploy-service.yml
new file mode 100755
index 0000000..0f1d78d
--- /dev/null
+++ b/services/service_mail/ansible_resources/prox-deploy-service.yml
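Review bot: The rule `**/certbot/certs/*` at the end of the hunk is the only thing keeping the Let's Encrypt private keys that `prox-deploy-service.yml` pulls into `data/certbot/certs` out of version control; a single stray or renamed copy of `privkey.pem` anywhere else in the tree would be committed. A defensive second rule next to it, `*.pem` (or at least `privkey*.pem`), closes that gap, and a one-line comment above the block such as `# pulled Let's Encrypt tree (contains private keys), never commit` tells the next maintainer why the directory is ignored. Note also that the patterns are now unanchored (`hosts` instead of `/hosts`), so they match at any depth, and it is the negation `!**/ansible_resources/*` that re-includes the templates of the same names; `!.gitkeep` looks redundant as far as the rules visible here go.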
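Review bot: `inventory = hosts` points at a file that this commit both generates and gitignores, so on a fresh checkout the playbooks in this directory presumably fail with a missing inventory until `prox-server-ansible-playbooks-generate.yml` has been run; a comment such as `# hosts is generated by prox-server-ansible-playbooks-generate.yml` above that line would make the required order explicit. Style-wise the two sections mix `key = value` and `key=value`; pick one spacing for the file.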
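Review bot: The second entry `{{ proxy_server_hostname }}-defaultport:` declares a host with no `ansible_host` or `ansible_port`, so Ansible will try to resolve the literal suffixed name; presumably an SSH client config alias maps it to the proxy on its default port, which makes the inventory depend on state outside the repository. Spelling it out with `ansible_host: "{{ proxy_server_hostname }}"` and an `ansible_port:` line (or at least a comment naming the alias it relies on) keeps the inventory self-contained. It is also not visible from this diff which playbook uses the `-defaultport` host, since the generated `prox-deploy-service.yml` targets only `{{ proxy_server_hostname }}`.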
@@ -0,0 +1,41 @@
+# Ansible managed
+
+- hosts: {{ proxy_server_hostname }}
+ become: 'yes'
+ vars:
+ ansible_become_method: doas
+ tasks:
+ - name: Temporarily disable doas pass prompt as doas persist does not work within scripts
+ replace:
+ path: /etc/doas.conf
+ regexp: 'persist'
+ replace: 'nopass'
+
+ - name: Copy haproxy reverse proxy configuration to proxy
+ ansible.builtin.template:
+ src: "proxy_resources/etc/haproxy/haproxy.cfg"
+ dest: "/etc/haproxy/haproxy.cfg"
+ owner: cspark-dev
+ group: cspark-dev
+ - name: Enable HAProxy
+ ansible.builtin.systemd:
+ name: haproxy
+ state: started
+
+ - name: Fetch SSL certificates
+ become: yes
+ synchronize:
+ src: /etc/letsencrypt/
+ dest: "data/certbot/certs"
+ mode: pull
+ rsync_path: doas rsync
+
+ - name: Switch back to doas persist
+ replace:
+ path: /etc/doas.conf
+ regexp: 'nopass'
+ replace: 'persist'
+
+ - name: Debug Finish message
+ debug:
+ msg: Ansible playbook has finished!
diff --git a/services/service_mail/certbot-docker-compose-initrenew.yml b/services/service_mail/certbot-docker-compose-initrenew.yml
index 054ac4a..641e009 100755
--- a/services/service_mail/certbot-docker-compose-initrenew.yml
+++ b/services/service_mail/certbot-docker-compose-initrenew.yml
@@ -4,6 +4,8 @@
 # Do not run this and mailserver at same time (Uses the same VPN config and hostname)
 # TODO: Would be nice at some point to be able to use a different port exposed on mail.{{ domain_name }} for privacy aside from the default port 80. Could not get it working though, certbot has issues even when proxying from one port to port 80. Seems to be an issue with Gluetun and Certbot being only able to bind to ipv6 port 80.
+# WE ARE NOW HANDLING SSL CERTIFICATE RENWEAL ON PROXY, USE PROVIDED SCRIPT IN DIR TO COPY CERTS FROM PROXY TO HERE
+
 services:
 # Gluetun is used to connect container to VPN
 certbot-gluetun:
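Review bot: The first task rewrites `/etc/doas.conf` from `persist` to `nopass` and the revert only happens in the "Switch back to doas persist" task near the end, so a failure in the template, systemd or synchronize tasks in between aborts the play and leaves the proxy with passwordless doas until someone notices; the same pattern is added to `deploy-service.yml` in the two hunks below and the remark applies there too. Putting the middle tasks in a `block:` whose `always:` section holds the revert guarantees the restore runs whatever happens (sketch below). The `replace` module also substitutes every occurrence of `persist` in the file rather than the one rule intended, so anchoring `regexp` to the specific rule line is safer on both the way in and the way back. Two smaller points: `become: 'yes'` is a quoted string while the "Fetch SSL certificates" task uses bare `become: yes`, use `become: true` in both; and the "Enable HAProxy" task only sets `state: started`, so an updated `haproxy.cfg` is never applied and the unit is not enabled at boot — `state: reloaded` plus `enabled: true` matches the task name.
```yaml
 tasks:
 - name: Temporarily disable doas pass prompt as doas persist does not work within scripts
   replace:
     path: /etc/doas.conf
     regexp: 'persist'
     replace: 'nopass'

 - block:
     # … unchanged: haproxy template, "Enable HAProxy" and "Fetch SSL certificates" tasks …
   always:
     - name: Switch back to doas persist
       replace:
         path: /etc/doas.conf
         regexp: 'nopass'
         replace: 'persist'
```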
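Review bot: The added comment has a typo (`RENWEAL` → `RENEWAL`) and "USE PROVIDED SCRIPT IN DIR" does not name the script; from the rest of this commit it is presumably the generated `prox-deploy-service.yml` (produced by `prox-server-ansible-playbooks-generate.yml`) followed by `deploy-service.yml`. Naming them, e.g. `# SSL certificate renewal is now handled on the proxy; run prox-deploy-service.yml to pull the certs here, then deploy-service.yml`, saves the reader a search.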
diff --git a/services/service_mail/data/certbot/.gitkeep b/services/service_mail/data/certbot/.gitkeep
new file mode 100644
index 0000000..e69de29
diff --git a/services/service_mail/data/config/user-patches.sh b/services/service_mail/data/config/user-patches.sh
index 6f3d46a..645dcc6 100755
--- a/services/service_mail/data/config/user-patches.sh
+++ b/services/service_mail/data/config/user-patches.sh
@@ -20,7 +20,7 @@ echo 'patching /etc/dovecot/conf.d/10-master.conf'
 cp -f /tmp/docker-mailserver/dovecot-masteroverride.conf /etc/dovecot/conf.d/10-master.conf
 echo 'patching /etc/dovecot/dovecot.conf'
-echo -e 'haproxy_trusted_networks = {{ vpn_server_ip }}\nhaproxy_timeout = 3s' >> /etc/dovecot/dovecot.conf
+echo -e 'haproxy_trusted_networks = {{ proxy_server_ip }}\nhaproxy_timeout = 3s' >> /etc/dovecot/dovecot.conf
 #echo 'patching /etc/postfix/master.cf'
 #cp -f /tmp/docker-mailserver/postfix-masteroverride.cf /etc/postfix/master.cf
diff --git a/services/service_mail/deploy-service.yml b/services/service_mail/deploy-service.yml
index 8f5dd61..1d13b02 100755
--- a/services/service_mail/deploy-service.yml
+++ b/services/service_mail/deploy-service.yml
@@ -3,6 +3,12 @@
 vars:
 ansible_become_method: doas
 tasks:
+ - name: Temporarily disable doas pass prompt as doas persist does not work within scripts
+ replace:
+ path: /etc/doas.conf
+ regexp: 'persist'
+ replace: 'nopass'
+
 - name: Create necessary directories
 ansible.builtin.file:
 path: "{{ item }}"
@@ -17,7 +23,6 @@
 - "{{ services_directory }}/service_mail/data/config"
 - "{{ services_directory }}/service_mail/data/config/rspamd/"
 - "{{ services_directory }}/service_mail/data/config/rspamd/override.d/"
- - "{{ services_directory }}/service_mail/data/certbot/certs"
 - "{{ services_directory }}/service_mail/data/certbot/logs"
 - name: Copy configuration files
 ansible.builtin.template:
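Review bot: `haproxy_trusted_networks` is the set of source addresses Dovecot accepts PROXY-protocol headers from, and a header from a trusted source overrides the client IP that login and rate-limiting logic see, so the value must be the address HAProxy's connections actually arrive from as seen by the mailserver container, not merely the proxy's public address. The switch from `{{ vpn_server_ip }}` to `{{ proxy_server_ip }}` is only right if HAProxy now reaches Dovecot directly; if traffic still arrives through the Gluetun tunnel referenced in `certbot-docker-compose-initrenew.yml`, the source seen would be the tunnel peer and the header would be rejected. A comment above the changed line such as `# source address of HAProxy as seen from the mailserver (PROXY-protocol trust list)` records that decision. Separately, if this script runs at every container start, the `>>` on the same line appends a duplicate setting each time; the enclosing script continues outside the hunk.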
@@ -42,6 +47,19 @@
 - certbot-docker-compose-initrenew.yml
 - myconfig.org
+ - name: Copy SSL certificates
+ ansible.builtin.copy:
+ src: data/certbot/certs
+ dest: "{{ services_directory }}/service_mail/data/certbot"
+ owner: service_mail
+ group: service_mail
+
+ - name: Switch back to doas persist
+ replace:
+ path: /etc/doas.conf
+ regexp: 'nopass'
+ replace: 'persist'
+
 - name: Debug Finish message
 debug:
 msg: Ansible playbook has finished!
diff --git a/services/service_mail/docker-compose.yml b/services/service_mail/docker-compose.yml
index 5dbb232..7151879 100755
--- a/services/service_mail/docker-compose.yml
+++ b/services/service_mail/docker-compose.yml
@@ -32,7 +32,7 @@ services:
 - ./data/mail-state/:/var/mail-state/
 - ./data/mail-logs/:/var/log/mail/
 - ./data/config/:/tmp/docker-mailserver/
- - ./data/certbot/certs/:/etc/letsencrypt
+ - ./data/certbot/certs:/etc/letsencrypt
 - /etc/localtime:/etc/localtime:ro
 environment:
 - OVERRIDE_HOSTNAME=mail.{{ domain_name }}
@@ -42,8 +42,8 @@ services:
 # - SSL_TYPE=letsencrypt
 - SSL_TYPE=manual
 # Values should match the file paths inside the container:
- - SSL_CERT_PATH=/etc/letsencrypt/live/mail.{{ domain_name }}/fullchain.pem
- - SSL_KEY_PATH=/etc/letsencrypt/live/mail.{{ domain_name }}/privkey.pem
+ - SSL_CERT_PATH=/etc/letsencrypt/live/{{ domain_name }}/fullchain.pem
+ - SSL_KEY_PATH=/etc/letsencrypt/live/{{ domain_name }}/privkey.pem
 - ENABLE_SASLAUTHD=1
 - ENABLE_FAIL2BAN=1
diff --git a/services/service_mail/prox-server-ansible-playbooks-generate.yml b/services/service_mail/prox-server-ansible-playbooks-generate.yml
new file mode 100755
index 0000000..841ec90
--- /dev/null
+++ b/services/service_mail/prox-server-ansible-playbooks-generate.yml
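Review bot: The "Copy SSL certificates" task copies the pulled Let's Encrypt tree, private key included, with `owner`/`group` but no `mode`, so the files land with whatever default the remote umask gives `ansible.builtin.copy`, commonly group- and world-readable; add `mode: '0600'` and `directory_mode: '0700'` since only the mailserver process needs to read the key. The explicit creation of `data/certbot/certs` removed in the hunk above now happens implicitly inside `copy`, so the permissions of that directory are no longer controlled either. The doas `nopass`/`persist` toggle wrapped around these tasks has the same failure window raised on `prox-deploy-service.yml`; the `block:`/`always:` pattern applies here as well.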
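Review bot: `SSL_CERT_PATH` and `SSL_KEY_PATH` now point at `live/{{ domain_name }}/` while the container still advertises `OVERRIDE_HOSTNAME=mail.{{ domain_name }}` (context in the hunk above), so the certificate in that lineage must carry `mail.{{ domain_name }}` as a SAN or clients get a hostname mismatch; presumably the proxy's certbot lineage is named after the bare domain and includes the mail name, but nothing here shows it. A comment on the changed lines such as `# lineage on the proxy is named after the bare domain; it must include mail.{{ domain_name }} as a SAN` records the assumption. Also, `live/` in a certbot tree holds symlinks into `archive/`, so the bind mount only resolves if the pull and copy steps preserved the links together with `archive/` or dereferenced them; worth verifying after the first run.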
@@ -0,0 +1,13 @@
+- hosts: localhost
+ tasks:
+ - name: Generate proxy server playbooks
+ template:
+ src: "ansible_resources/{{ item }}"
+ dest: "{{ item }}"
+ mode: '0777'
+ loop:
+ - hosts
+ - prox-deploy-service.yml
+ - name: Debug Finish message
+ debug:
+ msg: Ansible playbook has finished!
diff --git a/proxy_resources/etc/haproxy/haproxy.cfg b/services/service_mail/proxy_resources/etc/haproxy/haproxy.cfg
similarity index 100%
rename from proxy_resources/etc/haproxy/haproxy.cfg
rename to services/service_mail/proxy_resources/etc/haproxy/haproxy.cfg
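Review bot: `mode: '0777'` makes the generated `hosts` and `prox-deploy-service.yml` world-writable, and the latter is a playbook that is then run with `become` against the proxy, so any local account on the controller could edit the tasks that will execute as root there; `mode: '0644'` (or `'0600'`, nothing needs to execute these files) is the right value. The rendered playbook also starts with a literal `# Ansible managed` while the `hosts` template uses `{{ ansible_managed }}`; using the variable in both keeps the marker consistent and makes the generated files recognisable as such.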