Enable TLS on mail relay

config/hosts/mail-2/acme.nix

@@ -0,0 +1,9 @@
+{ ... }:
+{
+  security.acme.certs = {
+    "mail-2.grzb.de" = {
+      listenHTTP = ":80";
+      reloadServices = [ "postfix.service" ];
+    };
+  };
+}

config/hosts/mail-2/configuration.nix

@@ -79,7 +79,7 @@
     useDHCP = false;
     firewall = {
       enable = true;
-      allowedTCPPorts = [ 25 ];
+      allowedTCPPorts = [ 25 80 ];
     };
   };
 

config/hosts/mail-2/default.nix

@@ -3,5 +3,6 @@
   imports = [
     ./configuration.nix
     ./postfix.nix
+    ./acme.nix
   ];
 }

config/hosts/mail-2/postfix.nix

@@ -1,4 +1,5 @@
-{ ... }: {
+{ config, ... }:
+{
   # Postfix relay configuration, see: https://www.postfix.org/STANDARD_CONFIGURATION_README.html#backup
   services.postfix = {
     enable = true;
@@ -7,6 +8,8 @@
       "grzb.de"
       "nekover.se"
     ];
+    sslCert = "${config.security.acme.certs."mail-2.grzb.de".directory}/fullchain.pem";
+    sslKey = "${config.security.acme.certs."mail-2.grzb.de".directory}/key.pem";
     extraConfig = ''
       message_size_limit = 20971520
       smtpd_relay_restrictions = permit_mynetworks reject_unauth_destination