Don't create a challenge dir if no local domains

lib/fudo/acme-certs.nix

@@ -152,7 +152,8 @@ in {
     networking.firewall.allowedTCPPorts = [ 80 443 ];
     
     systemd = {
-      tmpfiles.rules = let
+      tmpfiles = mkIf hasLocalDomains {
+        rules = let
           copies = concatMapAttrs (domain: domainOpts:
             domainOpts.local-copies) localDomains;
           perms = copyOpts: if (copyOpts.group != null) then "0550" else "0500";
@@ -168,6 +169,7 @@ in {
         in (unique (concatMap (i: unique i) copy-paths)) ++ [
           "d \"${cfg.challenge-path}\" 755 acme nginx - -"
         ];
+      };
 
       services = concatMapAttrs (domain: domainOpts:
         concatMapAttrs (copy: copyOpts: let