nixos/web-servers: assert ACME cert access via service user and groups

Allows giving access using SupplementaryGroups.

nixos/modules/services/web-servers/nginx/default.nix

@@ -473,7 +473,7 @@ let
     '') authDef)
   );
 
-  mkCertOwnershipAssertion = import ../../../security/acme/mk-cert-ownership-assertion.nix;
+  mkCertOwnershipAssertion = import ../../../security/acme/mk-cert-ownership-assertion.nix lib;
 
   oldHTTP2 = (versionOlder cfg.package.version "1.25.1" && !(cfg.package.pname == "angie" || cfg.package.pname == "angieQuic"));
 in
@@ -1211,9 +1211,9 @@ in
         '';
       }
     ] ++ map (name: mkCertOwnershipAssertion {
-      inherit (cfg) group user;
       cert = config.security.acme.certs.${name};
       groups = config.users.groups;
+      services = [ config.systemd.services.nginx ] ++ lib.optional (cfg.enableReload || vhostCertNames != []) config.systemd.services.nginx-config-reload;
     }) vhostCertNames;
 
     services.nginx.additionalModules = optional cfg.recommendedBrotliSettings pkgs.nginxModules.brotli
@@ -1322,7 +1322,7 @@ in
     systemd.services.nginx-config-reload = let
       sslServices = map (certName: "acme-${certName}.service") vhostCertNames;
       sslTargets = map (certName: "acme-finished-${certName}.target") vhostCertNames;
-    in mkIf (cfg.enableReload || sslServices != []) {
+    in mkIf (cfg.enableReload || vhostCertNames != []) {
       wants = optionals cfg.enableReload [ "nginx.service" ];
       wantedBy = sslServices ++ [ "multi-user.target" ];
       # Before the finished targets, after the renew services.