to round this "issue" out for anyone else who comes along trying to figure out something similar: it turns out that when you follow the "fully self-hosted example using bind" in the manual, there is a subtle thing which probably goes unnoticed for many, namely
bind.zones.*.file = "/var/db/bind/${name}"; is in a directory which needs to be read/writable by bind. On my machine that directory had not yet even been created, and never actually was. This is because I had instead set bind.zones.*.file = ./zone-file-in-my-git-repo which means that Nix put the zone file into the nix store (which is fine as far as I am concerned) but the problem is that bind tries to create the .jnl file right next to it (in the nix store) when doing the acme updates, which it obviously cannot/should not do. So that is what threw the permission denied error which took a while to track down. (and for which I am grateful to K900 ⚡️ for your patience in helping me get there!)

My probably-not-the-best workaround was to add the zone file the the machine using something like environment.etc."bind/zones/the-zone-file"; and then a oneshot systemd service which runs the chmod --recursive named:named /etc/bind/zones command. Then everything seemed to finally work.

Test "Can request certificate with Lego's built in web server" failed with error: "unit "acme-finished-http.example.test.target" is inactive and there are no pending jobs"

In reply to@hexa:lossy.network
acme test failure on unstable-small https://gist.github.com/mweinelt/7398a4d24ef4a4cd8f9dfa771ecb1f2a