nixos/acme: add option to delay renewal untill after other units

[icewind1991]

• allow adding additional units to the after section
• add documentation for delaying renewal untill after timesync is done

Description of changes

Things done

• Built on platform(s)
  • x86_64-linux
  • aarch64-linux
  • x86_64-darwin
  • aarch64-darwin
• For non-Linux: Is sandbox = true set in nix.conf? (See Nix manual)
• Tested, as applicable:
  • NixOS test(s) (look inside nixos/tests)
  • and/or package tests
  • or, for functions and "core" functionality, tests in lib/tests or pkgs/test
  • made sure NixOS tests are linked to the relevant packages
• Tested compilation of all packages that depend on this change using nix-shell -p nixpkgs-review --run "nixpkgs-review rev HEAD". Note: all changes have to be committed, also see nixpkgs-review usage
• Tested basic functionality of all binary files (usually in ./result/bin/)
• 23.05 Release Notes (or backporting 22.11 Release notes)
  • (Package updates) Added a release notes entry if the change is major or breaking
  • (Module updates) Added a release notes entry if the change is significant
  • (Module addition) Added a release notes entry if adding a new NixOS module
• Fits CONTRIBUTING.md.

[benaryorg]

Reviewed points

• changes are backward compatible
• removed options are declared with mkRemovedOptionModule n/a
• changes that are not backward compatible are documented in release notes n/a
• module tests succeed on ARCHITECTURE
• options types are appropriate
• options description is set
• options example is provided
• documentation affected by the changes is updated

Possible improvements

The options example is not provided, however the ACME documentation contains a full example of how to use this mechanism.
Maybe the documentation could be linked, I don't know how though, and I think this change is sufficient as-is.

Comments

lgtm

[m1cr0man]

This looks good, however what do you think of adding the time sync dependency by default? Seems like it would be a common enough concern

[jian-lin]

what do you think of adding the time sync dependency by default

FYI, enabling systemd-time-wait-sync.service (thus adding time-sync.target) has some side effects.

man systemd.special:

The service manager automatically adds dependencies of type After= for this target unit to all SysV init script service units with an LSB header referring to the "$time" facility, as well to all timer units with at least one OnCalendar= directive.

This target provides stricter clock accuracy guarantees than time-set.target (see above), but likely requires network communication and thus introduces unpredictable delays.

IMHO, the issue that cert renewal before time is synced after boot is not common and I never have such issue. Will a retry after time is synced fix this issue? Does our acme module have a retry mechanism? I am not sure.

[icewind1991]

I expect that the only reason I ran into the issue was because the system is a raspberry pi with a non-persistent / so the clock is way out of sync at boot.

Most setups probably don't have a lot of clock drift at boot