Try throwing all certificates into the same group to avoid permission issues

acme.nix

@@ -3,4 +3,7 @@
 {
   security.acme.acceptTerms = true;
   security.acme.email = "kontakt@hamburg.freifunk.net";
+  users.groups.certs = {
+    members = [ "dovecot2" "nginx" "postfix" ];
+  };
 }

dovecot.nix

@@ -119,7 +119,7 @@ in
   security = lib.mkIf config.variables.useSSL {
     acme.certs."dovecot2.${config.variables.myFQDN}" = {
       domain = "${config.variables.myFQDN}";
-      group = config.services.dovecot2.group;
+      group = "certs";
       postRun = "systemctl restart dovecot2.service";
       # cheat by getting the webroot from another certificate configured through nginx.
       webroot = config.security.acme.certs."${config.variables.myFQDN}".webroot;

postfix.nix

@@ -37,7 +37,7 @@ in
     # Configure the certificates...
     acme.certs."postfix.${config.variables.myFQDN}" = {
       domain = "${config.variables.myFQDN}";
-      group = config.services.postfix.group;
+      group = "certs";
       postRun = "systemctl restart postfix.service";
       # cheat by getting some settings from another certificate configured through nginx.
       webroot = config.security.acme.certs."${config.variables.myFQDN}".webroot;