Switch to NixOS ACME module for certificate management

Drop most of the existing certificate handling, because we're effectively
duplicating functionality that NixOS offers for free with better
design, testing and maintainance than what we could provide downstream.

The remaining two options are to reference an
existing `security.acme.certs` configuration through
`mailserver.x509.useACMEHost` or to provide existing key material via
`mailserver.x509.certificateFile` and `mailserver.x509.privateKeyFile`.

Support for automatic creation of self-signed certificates has been
removed, because it is undesirable in public mail setups.

The updated setup guide now displays the recommended configuration that
relies on the NixOS ACME module, but requires further customization to
select a suitable challenge.

Co-Authored-By: Emily <git@emilylange.de>

tests/external.nix

@@ -26,7 +26,10 @@
           ./lib/config.nix
         ];
 
-        environment.systemPackages = with pkgs; [ netcat ];
+        environment.systemPackages = with pkgs; [
+          netcat
+          openssl
+        ];
 
         virtualisation.memorySize = 1024;
 

tests/internal.nix

@@ -113,6 +113,7 @@ in
     ''
       machine.start()
       machine.wait_for_unit("multi-user.target")
+      machine.wait_for_unit("dovecot.service")
 
       # Regression test for https://gitlab.com/simple-nixos-mailserver/nixos-mailserver/-/issues/205
       with subtest("mail forwarded can are locally kept"):

tests/lib/cert.pem

@@ -0,0 +1,11 @@
+-----BEGIN CERTIFICATE-----
+MIIBizCCATGgAwIBAgIUN4ncJfMVIQSSurMkdE73x4aefTMwCgYIKoZIzj0EAwIw
+GzEZMBcGA1UEAwwQdGVzdC5sb2NhbGRvbWFpbjAeFw0yNTEwMTgyMTQ4MTNaFw0z
+NTEwMTYyMTQ4MTNaMBsxGTAXBgNVBAMMEHRlc3QubG9jYWxkb21haW4wWTATBgcq
+hkjOPQIBBggqhkjOPQMBBwNCAARCJUj4j7eC/7Xso3REUscqHlWPvW9zvl5I6TIy
+zEXFsWxM0QxMuNW4oXE56UiCyJklcpk0JfQUGat+kKQqSUJyo1MwUTAdBgNVHQ4E
+FgQUW3CnmBf3n/Y30vfj3ERsIQnXu9QwHwYDVR0jBBgwFoAUW3CnmBf3n/Y30vfj
+3ERsIQnXu9QwDwYDVR0TAQH/BAUwAwEB/zAKBggqhkjOPQQDAgNIADBFAiEAhwAi
+K4xdr8KxD5xRvvzShheh48i8X7NtBIQ3bd01Jx4CIG/kYTDK5nDZri7UYOMsgz2l
+iWss56p2dGWTL7LrBHgM
+-----END CERTIFICATE-----

tests/lib/config.nix

@@ -10,6 +10,17 @@
   # Keep testing submission with explicit TLS
   mailserver.enableSubmission = true;
 
+  # Certificate created for testing purposes from RFC9500 private key
+  # https://datatracker.ietf.org/doc/rfc9500/
+  #   openssl req -x509 -new -key key.pem \
+  #    -subj "/CN=test.localdomain" \
+  #    -sha256 -days 3650 \
+  #    -out cert.pem
+  mailserver.x509 = {
+    certificateFile = "${./cert.pem}";
+    privateKeyFile = "${./key.pem}";
+  };
+
   # Enable second CPU core
   virtualisation.cores = lib.mkDefault 2;
 

tests/lib/key.pem

@@ -0,0 +1,5 @@
+-----BEGIN EC PRIVATE KEY-----
+MHcCAQEEIObLW92AqkWunJXowVR2Z5/+yVPBaFHnEedDk5WJxk/BoAoGCCqGSM49
+AwEHoUQDQgAEQiVI+I+3gv+17KN0RFLHKh5Vj71vc75eSOkyMsxFxbFsTNEMTLjV
+uKFxOelIgsiZJXKZNCX0FBmrfpCkKklCcg==
+-----END EC PRIVATE KEY-----

tests/multiple.nix

@@ -93,8 +93,9 @@ in
   testScript = ''
     start_all()
 
-    domain1.wait_for_unit("multi-user.target")
-    domain2.wait_for_unit("multi-user.target")
+    for domain in [domain1, domain2]:
+      domain.wait_for_unit("multi-user.target")
+      domain.wait_for_unit("dovecot.service")
 
     # TODO put this blocking into the systemd units?
     domain1.wait_until_succeeds(