Motivation for this change

When using the DNS resolvers of my VPS provider with the cloudflare DNS provider, the DNS-01 challenge always fails because lego does not see the TXT record propagate in time. --dns.disable-cp (security.acme.certs.<name>.dnsPropagationCheck) doesn't seem to help here. Explicitly adding the authorative DNS server via --dns.resolvers "jade.ns.cloudflare.com" to the lego command line would fix this problem, but the acme module does not provide an option to add global options.

#80900 already added extraLegoRenewFlags to allow specifying extra options for the renew subcommand. This PR extends this with a extraLegoRunFlags option for the run subcommand and an extraLegoFlags option for global lego options. These serve to both solve the above problem and expose several lego cli options that are currently inaccessible but may be of interest to advanced users.

Things done

• Tested using sandboxing (nix.useSandbox on NixOS, or option sandbox in nix.conf on non-NixOS linux)
• Built on platform(s)
  • NixOS
  • macOS
  • other Linux distributions
• Tested via one or more NixOS test(s) if existing and applicable for the change (look inside nixos/tests)
• Tested compilation of all pkgs that depend on this change using nix-shell -p nixpkgs-review --run "nixpkgs-review wip"
• Tested execution of all binary files (usually in ./result/bin/)
• Determined the impact on package closure size (by running nix path-info -S before and after)
• Ensured that relevant documentation is up to date
• Fits CONTRIBUTING.md.