lnd: extract option `certPath`

Improves service encapsulation.

modules/btcpayserver.nix

@@ -211,7 +211,7 @@ in {
         ${optionalString (cfg.btcpayserver.lightningBackend == "lnd") ''
           {
             echo -n "${lndConfig}"
-            ${pkgs.openssl}/bin/openssl x509 -noout -fingerprint -sha256 -in ${config.nix-bitcoin.secretsDir}/lnd-cert \
+            ${pkgs.openssl}/bin/openssl x509 -noout -fingerprint -sha256 -in ${config.services.lnd.certPath} \
               | sed -e 's/.*=//;s/://g'
           } >> '${cfg.btcpayserver.dataDir}/settings.config'
         ''}

modules/charge-lnd.nix

@@ -105,7 +105,7 @@ in
         macaroonDir=${dataDir}/lnddir-proxy/data/chain/bitcoin/mainnet
         mkdir -p $macaroonDir
         ln -sf /run/lnd/charge-lnd.macaroon $macaroonDir
-        ln -sf ${config.nix-bitcoin.secretsDir}/lnd-cert ${dataDir}/lnddir-proxy/tls.cert
+        ln -sf ${lnd.certPath} ${dataDir}/lnddir-proxy/tls.cert
       '';
       serviceConfig = nbLib.defaultHardening // {
         ExecStart = ''

modules/lightning-loop.nix

@@ -22,7 +22,7 @@ let
 
     lnd.host=${lnd.rpcAddress}:${toString lnd.rpcPort}
     lnd.macaroonpath=${lnd.networkDir}/admin.macaroon
-    lnd.tlspath=${secretsDir}/lnd-cert
+    lnd.tlspath=${lnd.certPath}
 
     ${optionalString (cfg.proxy != null) "server.proxy=${cfg.proxy}"}
 

modules/lightning-pool.nix

@@ -5,7 +5,6 @@ with lib;
 let
   cfg = config.services.lightning-pool;
   nbLib = config.nix-bitcoin.lib;
-  secretsDir = config.nix-bitcoin.secretsDir;
 
   lnd = config.services.lnd;
 
@@ -18,7 +17,7 @@ let
 
     lnd.host=${lnd.rpcAddress}:${toString lnd.rpcPort}
     lnd.macaroondir=${lnd.networkDir}
-    lnd.tlspath=${secretsDir}/lnd-cert
+    lnd.tlspath=${lnd.certPath}
 
     ${cfg.extraConfig}
   '';

modules/lnd-rest-onion-service.nix

@@ -5,7 +5,6 @@ with lib;
 let
   cfg = config.services.lnd.restOnionService;
   nbLib = config.nix-bitcoin.lib;
-  secretsDir = config.nix-bitcoin.secretsDir;
   runAsUser = config.nix-bitcoin.runAsUserCmd;
 
   lnd = config.services.lnd;
@@ -17,7 +16,7 @@ let
      --host=$(cat ${config.nix-bitcoin.onionAddresses.dataDir}/lnd/lnd-rest) \
      --port=${toString lnd.restPort} \
      --lnddir=${lnd.dataDir} \
-     --tlscertpath=${secretsDir}/lnd-cert "$@"
+     --tlscertpath=${lnd.certPath} "$@"
   '';
 in {
   options.services.lnd.restOnionService = {

modules/lnd.nix

@@ -14,7 +14,7 @@ let
   configFile = pkgs.writeText "lnd.conf" ''
     datadir=${cfg.dataDir}
     logdir=${cfg.dataDir}/logs
-    tlscertpath=${secretsDir}/lnd-cert
+    tlscertpath=${cfg.certPath}
     tlskeypath=${secretsDir}/lnd-key
 
     listen=${toString cfg.address}:${toString cfg.port}
@@ -126,7 +126,7 @@ in {
       ''
         ${runAsUser} ${cfg.user} ${cfg.package}/bin/lncli \
           --rpcserver ${cfg.rpcAddress}:${toString cfg.rpcPort} \
-          --tlscertpath '${secretsDir}/lnd-cert' \
+          --tlscertpath '${cfg.certPath}' \
           --macaroonpath '${networkDir}/admin.macaroon' "$@"
       '';
       description = "Binary to connect with the lnd instance.";
@@ -149,6 +149,11 @@ in {
       default = cfg.user;
       description = "The group as which to run LND.";
     };
+    certPath = mkOption {
+      readOnly = true;
+      default = "${secretsDir}/lnd-cert";
+      description = "LND TLS certificate path.";
+    };
     inherit (nbLib) enforceTor;
   };
 
@@ -211,7 +216,7 @@ in {
           # Retrying is necessary because it can happen that the lnd socket is
           # existing, but the RPC service isn't yet, which results in error
           # "waiting to start, RPC services not available".
-          curl = "${pkgs.curl}/bin/curl -s --show-error --retry 10 --cacert ${secretsDir}/lnd-cert";
+          curl = "${pkgs.curl}/bin/curl -s --show-error --retry 10 --cacert ${cfg.certPath}";
           restUrl = "https://${cfg.restAddress}:${toString cfg.restPort}/v1";
         in [
           (nbLib.script "lnd-create-wallet" ''