lnd: add netns

- Adds lnd to netns-isolation.services
- Specifies listen option (defaults to localhost) as target of
  hiddenService.
- Amends hardcoded lnd ip to lnd-cert

WARNING: Breaking changes for lnd cert. lnd-key and lnd-cert will have
to be deleted and redeployed.

modules/netns-isolation.nix

@@ -92,6 +92,10 @@ in {
           id = 13;
           connections = [ "bitcoind" ];
         };
+        lnd = {
+          id = 14;
+          connections = [ "bitcoind" ];
+        };
       };
 
       systemd.services = {
@@ -191,6 +195,20 @@ in {
         bind-addr = "${netns.clightning.address}:${toString config.services.clightning.onionport}";
       };
 
+      # lnd: Custom netns configs
+      services.lnd = mkIf config.services.lnd.enable {
+        listen = netns.lnd.address;
+        rpclisten = [
+          "${netns.lnd.address}"
+          "127.0.0.1"
+        ];
+        restlisten = [
+          "${netns.lnd.address}"
+          "127.0.0.1"
+        ];
+        bitcoind-host = netns.bitcoind.address;
+      };
+
     })
     # Custom netns config option values if netns-isolation not enabled
     (mkIf (!cfg.enable) {

modules/presets/secure-node.nix

@@ -91,7 +91,7 @@ in {
       tor-socks = cfg.tor.client.socksListenAddress;
       enforceTor = true;
     };
-    services.tor.hiddenServices.lnd = mkHiddenService { port = cfg.lnd.onionport; };
+    services.tor.hiddenServices.lnd = mkHiddenService { port = cfg.lnd.onionport; toHost = cfg.lnd.listen; };
 
     # liquidd
     services.liquidd = {

pkgs/generate-secrets/openssl.cnf

@@ -30,3 +30,5 @@ subjectAltName			= @alt_names
 [ alt_names ]
 IP.1 = 127.0.0.1
 DNS.1 = localhost
+# TODO: Remove hardcoded lnd IP
+IP.2 = 169.254.1.14