[24.11] security.acme.defaults.server: customise only for stateVersion <= 24.05

[osnyx]

In PL-132659, we've decided to override security.acme.defaults.server from the upstream value to avoid triggering mass letsencrypt account re-registrations.

**Re-**registrations are only an issue for existing machines. Freshly bootstrapped systems won't cause any problems. As we cannot be certain that our workaround is going to work for all future NixOS releases, I propose to make this conditional on the VM state version <= 24.05. If ever necessary, this reduces the number of VMs in need of a state migration for the account in the future.

PL-133038

@flyingcircusio/release-managers

Release process

Impact: none, only new VMs affected

Changelog:

• acme: newly bootstrapped VMs now use the new default configuration for acme registries
  • upgraded VMs maintain the existing configuration to avoid forced re-registration at the letsencrypt registry

PR release workflow (internal)

• PR has internal ticket
• internal issue ID (PL-…) part of branch name
• internal issue ID mentioned in PR description text
• ticket is on Platform agile board
• ticket state set to Pull request ready
• if ticket is more urgent than within the next few days, directly contact a member of the Platform team

Design notes

• Provide a feature toggle if the change might need to be adjusted/reverted quickly depending on context. Consider whether the default should be on or off. Example: rate limiting.
• All customer-facing features and (NixOS) options need to be discoverable from documentation. Add or update relevant documentation such that hosted and guided customers can understand it as well.

Security implications

• Security requirements defined? (WHERE)
  • must not introduce any regressions
  • verify upgrade behaviour
• Security requirements tested? (EVIDENCE)
  • automated tests still pass
  • verified state version difference on a testvm