systemd: get udevd out of the critical chain

We don't need to wait for it at all

nixosModules/default.nix

@@ -80,7 +80,6 @@ in {
       "systemd-journald.service"
       "systemd-udevd-kernel.socket"
       "systemd-udevd-control.socket"
-      "systemd-udevd.service"
       "user.slice"
     ];
     upstreamWants = ["multi-user.target.wants"];
@@ -98,6 +97,39 @@ in {
   systemd.services.systemd-pstore.enable = lib.mkForce false;
   systemd.services.lastlog2-import.enable = lib.mkForce false;
   systemd.services.suid-sgid-wrappers.enable = lib.mkForce false;
+  systemd.services.systemd-udevd = {
+    # Redefine to remove the Before deps and get out of the critical chain
+    enable = true;
+    description = "Rule-based Manager for Device Events and Files";
+    unitConfig.DefaultDependencies = "no";
+    serviceConfig = {
+      CapabilityBoundingSet = "~CAP_SYS_TIME CAP_WAKE_ALARM";
+      Delegate = "";
+      DelegateSubgroup = "udev";
+      Type = "notify-reload";
+      OOMScoreAdjust = "-1000";
+      Sockets = "systemd-udevd-control.socket systemd-udevd-kernel.socket systemd-udevd-varlink.socket";
+      Restart = "always";
+      RestartSec = "0";
+      ExecStart = "${pkgs.systemd}/lib/systemd/systemd-udevd";
+      FileDescriptorStoreMax = "512";
+      FileDescriptorStorePreserve = "yes";
+      KillMode = "mixed";
+      TasksMax = "infinity";
+      PrivateMounts = "yes";
+      ProtectHostname = "yes";
+      MemoryDenyWriteExecute = "yes";
+      RestrictAddressFamilies = "AF_UNIX AF_NETLINK AF_INET AF_INET6";
+      RestrictRealtime = "yes";
+      RestrictSUIDSGID = "yes";
+      SystemCallFilter = ["@system-service @module @raw-io bpf" "~@clock"];
+      SystemCallErrorNumber = "EPERM";
+      SystemCallArchitectures = "native";
+      LockPersonality = "yes";
+      IPAddressDeny = "any";
+      WatchdogSec = "3min";
+    };
+  };
 
   # Configure user accounts
   # The immutable overlay wants userborn or sysusers.. we just want baked-in files w/o running a service.