Revert "nixos/nginx: not "before" ACME certs using DNS validation"

[Ma27]

This reverts commit 03122b4.

Consider the following setup:

• a.example.com uses the HTTP-01 challenge.
• b.example.com uses the DNS-01 challenge (and creates a wildcard cert for *.b.example.com).

This results in the following dependency cycle:

┌──────────────────┐    ┌─────────────────────┐
│acme-b.example.com│◄───┼acme-account-X.target│
└─────┬────────────┘    └───────▲─────────────┘
      │                         │
      │                         │
┌─────▼───────┐         ┌───────┼──────────┐
│nginx.service┼─────────►acme-a.example.com│
└─────────────┘         └──────────────────┘

• acme-account-X.target runs after acme-a.example.com (this is the "leader", i.e the cert that gets created first without other challenges in parallel to create the LE account without a race condition).

• acme-account-X.target is scheduled to be reached before acme-b.example.com.

• Because of the change I'm suggesting to revert, acme-a.example.com and acme-b.example.com are scheduled after/before nginx which is the reason for this cycle.

  This is only the case if the "leader" ACME unit (i.e. the cert for the first host - alphabetically sorted) is using the HTTP-01 challenge.

When all these units are started in one transaction (e.g. when multi-user.target is started), this cycle gets noticed by systemd.

---

cc @ThinkChaos

@NixOS/acme would you be OK with a backport?

Things done

• Built on platform(s)
  • x86_64-linux
  • aarch64-linux
  • x86_64-darwin
  • aarch64-darwin
• For non-Linux: Is sandboxing enabled in nix.conf? (See Nix manual)
  • sandbox = relaxed
  • sandbox = true
• Tested, as applicable:
  • NixOS test(s) (look inside nixos/tests)
  • and/or package tests
  • or, for functions and "core" functionality, tests in lib/tests or pkgs/test
  • made sure NixOS tests are linked to the relevant packages
• Tested compilation of all packages that depend on this change using nix-shell -p nixpkgs-review --run "nixpkgs-review rev HEAD". Note: all changes have to be committed, also see nixpkgs-review usage
• Tested basic functionality of all binary files (usually in ./result/bin/)
• 25.05 Release Notes (or backporting 24.11 and 25.05 Release notes)
  • (Package updates) Added a release notes entry if the change is major or breaking
  • (Module updates) Added a release notes entry if the change is significant
  • (Module addition) Added a release notes entry if adding a new NixOS module
• Fits CONTRIBUTING.md.

---

Add a 👍 reaction to pull requests you find important.

[ThinkChaos]

It's probably best to also revert the change in the other webservers (apache and caddy).
Related PR is #336412

[Ma27]

CC maintainers of caddy & httpd @lovek323 @techknowlogick

[ThinkChaos]

I didn't remember making that PR because it's been in limbo for a while, but I think this is better fixed by #355054. It ensures the service that creates the account is a cert that uses DNS validation, if one exists.
So in the example from above, we break the "acme-a.example.com before acme-account-X.target" dependency:

          ┌──────────────────┐
          │acme-b.example.com│    (DNS validation)
          └───┬────────────┬─┘
              │            │
              │            │
┌─────────────▼───────┐  ┌─▼───────────┐
│acme-account-X.target│  │nginx.service│
└─────────────┬───────┘  └─┬───────────┘
              │            │
              │            │
          ┌───▼────────────▼─┐
          │acme-a.example.com│    (HTTP validation)
          └──────────────────┘