feat(mail): configure Postfix relay with SOPS encrypted secrets

Added configuration for Postfix to use an external SMTP relay with encrypted credentials managed by SOPS. Updated `mail.nix` to include relay settings and linked the secrets file for password storage.

systems/x86_64-linux/sgx/mail.nix

@@ -4,7 +4,27 @@
     mailutils
     mutt
   ];
-  services.postfix.enable = true;
-  services.postfix.rootAlias = config.metacfg.user.name;
-  services.postfix.extraAliases = "admin: root";
+
+  services.postfix = {
+    enable = true;
+    relayHost = "smtp.gmail.com";
+    relayPort = 587;
+    rootAlias = "harald.hoyer@gmail.com";
+    extraAliases = "admin: root";
+    config = {
+      smtp_use_tls = "yes";
+      smtp_sasl_auth_enable = "yes";
+      smtp_sasl_security_options = "";
+      smtp_sasl_password_maps = "texthash:${config.sops.secrets.sasl_passwd.path}";
+      # optional: Forward mails to root (e.g. from cron jobs, smartd)
+      # to me privately and to my work email:
+      virtual_alias_maps = "inline:{ {root=you@gmail.com, you@work.com} }";
+    };
+  };
+
+  sops.secrets.sasl_passwd = {
+    sopsFile = ../../../.secrets/sgx/relay.yaml; # bring your own password file
+    owner = config.services.postfix.user;
+  };
+
 }