mailsystem: Add option to use selfsigned certificates in preparation for testing

mailsystem/selfsigned.nix

@@ -0,0 +1,33 @@
+{
+  config,
+  pkgs,
+  lib,
+  ...
+}:
+with (import ./common.nix {inherit config;}); let
+  cfg = config.mailsystem;
+in {
+  config = lib.mkIf (cfg.enable && cfg.certificateScheme == "selfsigned") {
+    systemd.services.mailsystem-selfsigned-certificate = {
+      after = ["local-fs.target"];
+      script = ''
+        # Create certificates if they do not exist yet
+        dir="${certificateDirectory}"
+        fqdn="${cfg.fqdn}"
+        [[ $fqdn == /* ]] && fqdn=$(< "$fqdn")
+        key="${sslKeyPath}"
+        cert="${sslCertPath}"
+
+        if [[ ! -f $key || ! -f $cert ]]; then
+          mkdir -p "$dir"
+          (umask 077; "${pkgs.openssl}/bin/openssl" genrsa -out "$key" 4096) &&
+          "${pkgs.openssl}/bin/openssl" req -new -key "$key" -x509 -subj "/CN=$fqdn" -days 3650 -out "$cert"
+        fi
+      '';
+      serviceConfig = {
+        Type = "oneshot";
+        PrivateTmp = true;
+      };
+    };
+  };
+}