nixos/ipa: replace activationScript

Replaced with a dedicated systemd service.

nixos/modules/security/ipa.nix

@@ -181,7 +181,14 @@ in {
       '';
     };
 
-    system.activationScripts.ipa = stringAfter ["etc"] ''
+    systemd.services."ipa-activation" = {
+      wantedBy = [ "sysinit.target" ];
+      before = [ "sysinit.target" "shutdown.target" ];
+      conflicts = [ "shutdown.target" ];
+      unitConfig.DefaultDependencies = false;
+      serviceConfig.Type = "oneshot";
+      serviceConfig.RemainAfterExit = true;
+      script = ''
         # libcurl requires a hard copy of the certificate
         if ! ${pkgs.diffutils}/bin/diff ${cfg.certificate} /etc/ipa/ca.crt > /dev/null 2>&1; then
           rm -f /etc/ipa/ca.crt
@@ -200,6 +207,7 @@ in {
         EOF
         fi
       '';
+    };
 
     services.sssd.config = ''
       [domain/${cfg.domain}]