Loading nixos/modules/security/acme/default.nix +31 −0 Original line number Diff line number Diff line Loading @@ -365,6 +365,12 @@ let # Only try loading the credentialsFile if the dns challenge is enabled EnvironmentFile = mkIf useDns data.credentialsFile; Environment = mkIf useDns (mapAttrsToList (k: v: ''"${k}=%d/${k}"'') data.credentialFiles); LoadCredential = mkIf useDns (mapAttrsToList (k: v: "${k}:${v}") data.credentialFiles); # Run as root (Prefixed with +) ExecStartPost = "+" + (pkgs.writeShellScript "acme-postrun" '' cd /var/lib/acme/${escapeShellArg cert} Loading Loading @@ -619,6 +625,24 @@ let example = "/var/src/secrets/example.org-route53-api-token"; }; credentialFiles = mkOption { type = types.attrsOf (types.path); inherit (defaultAndText "credentialFiles" {}) default defaultText; description = lib.mdDoc '' Environment variables suffixed by "_FILE" to set for the cert's service for your selected dnsProvider. To find out what values you need to set, consult the documentation at <https://go-acme.github.io/lego/dns/> for the corresponding dnsProvider. This allows to securely pass credential files to lego by leveraging systemd credentials. ''; example = literalExpression '' { "RFC2136_TSIG_SECRET_FILE" = "/run/secrets/tsig-secret-example.org"; } ''; }; dnsPropagationCheck = mkOption { type = types.bool; inherit (defaultAndText "dnsPropagationCheck" true) default defaultText; Loading Loading @@ -929,6 +953,13 @@ in { `security.acme.certs.${cert}.listenHTTP` must be provided. ''; } { assertion = all (hasSuffix "_FILE") (attrNames data.credentialFiles); message = '' Option `security.acme.certs.${cert}.credentialFiles` can only be used for variables suffixed by "_FILE". ''; } ]) cfg.certs)); users.users.acme = { Loading Loading
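Review bot: The new `credentialFiles` option is typed `types.attrsOf types.path`, which also accepts a Nix path literal such as `./tsig-secret`; a literal is copied into the world-readable Nix store at evaluation time, so the secret would be exposed before systemd's `LoadCredential=` ever touches it, defeating the stated purpose of the option. Add a sentence to the description, e.g. `Always pass an absolute string path (as in the example), never a path literal, or the secret will be copied into the Nix store.` A second caveat worth documenting: systemd applies `EnvironmentFile=` after `Environment=`, so if the same `*_FILE` variable is also present in `credentialsFile` it would silently override the `%d/<name>` path set in the first hunk; the description should say not to set a variable in both places. The enclosing serviceConfig, option set and assertion list all continue outside the visible hunks.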