systemd cert management units & docs updates

[tashian]

Ideas for updates to our systemd certificate management units:

• more env variables that can be overridden (contexts)
• don't try reload/restart in the main systemd unit. just don't.
• add a one-shot bootstrapping unit — ref it in after and wants of the renewer unit
• add a one-shot enrollment unit
• suggest using systemd credentials

Some inspiration can come from Joe's setup

docs updates for this:

• update Production Considerations doc to reflect the new units
• update Practical Zero Trust systemd examples to be compatible with the new units