I wonder if the ACME renew service should depend on nss-lookup.target or not.
I have unbound as local DNS, when doing nixos-rebuild, the ACME renew services cannot resolve letsencrypt hosts because the local DNS (unbound) is not yet started.
Unbound systemd sets it should start before nss-lookup.
The most logical thing should be that the ACME renew services should execute after nss-lookup.target
I can fix this in my own configuration with some hacks, but I wonder if this shouldn;t be the default in NixOS?