simp_le service: letsencrypt cert auto-renewal

This new service invokes `simp_le` for a defined set of certs on a regular
basis with a systemd timer. `simp_le` is smart enough to handle account
registration, domain validation and renewal on its own. The only thing
required is an existing HTTP server that serves the path
`/.well-known/acme-challenge` from the webroot cert parameter.

Example:

  services.simp_le.certs."foo.example.com" = {
    webroot = "/var/www/challenges";
    extraDomains = [ "www.example.com" ];
    email = "foo@example.com";
    validMin = 2592000;
    renewInterval = "weekly";
  };

Example Nginx vhost:

  services.nginx.appendConfig = ''
    http {
      server {
        server_name _;
        listen 80;
        listen [::]:80;

        location /.well-known/acme-challenge {
          root /var/www/challenges;
        }

        location / {
          return 301 https://$host$request_uri;
        }
      }
    }
  '';