lnd: prepare for netns and bring in line with clightning

- Adds bitcoind-host, and tor-socks options to allow using with
  network namespaces.
- Adds listen, rpclisten, and restlisten option to specify host on which
  to listen on for peer, rpc and rest connections respectively
- Adds announce-tor option and generates Tor Hidden Service with nix
  instead of lnd to bring in line with clightning.

WARNING: Breaking changes for Tor Hidden Service. Manual migration
necessary.

examples/configuration.nix

@@ -47,6 +47,10 @@
   # Disable clightning and uncomment the following line in order to enable lnd,
   # a lightning implementation written in Go.
   # services.lnd.enable = true;
+  # Enable this option to announce our Tor Hidden Service. By default lnd
+  # offers outgoing functionality, but doesn't announce the Tor Hidden Service
+  # under which peers can reach us.
+  # services.lnd.announce-tor = true;
   ## WARNING
   # If you use lnd, you should manually backup your wallet mnemonic
   # seed. This will allow you to recover on-chain funds. You can run the

modules/lnd.nix

@@ -5,6 +5,7 @@ with lib;
 let
   cfg = config.services.lnd;
   inherit (config) nix-bitcoin-services;
+  onion-chef-service = (if cfg.announce-tor then [ "onion-chef.service" ] else []);
   secretsDir = config.nix-bitcoin.secretsDir;
   configFile = pkgs.writeText "lnd.conf" ''
     datadir=${cfg.dataDir}
@@ -13,17 +14,17 @@ let
     tlscertpath=${secretsDir}/lnd-cert
     tlskeypath=${secretsDir}/lnd-key
 
-    rpclisten=localhost:${toString cfg.rpcPort}
+    listen=${toString cfg.listen}
-    restlisten=localhost:${toString cfg.restPort}
+    ${lib.concatMapStrings (rpclisten: "rpclisten=${rpclisten}:${toString cfg.rpcPort}\n") cfg.rpclisten}
+    ${lib.concatMapStrings (restlisten: "restlisten=${restlisten}:${toString cfg.restPort}\n") cfg.restlisten}
 
     bitcoin.active=1
     bitcoin.node=bitcoind
 
     tor.active=true
-    tor.v3=true
+    ${optionalString (cfg.tor-socks != null) "tor.socks=${cfg.tor-socks}"}
-    tor.streamisolation=true
-    tor.privatekeypath=${cfg.dataDir}/v3_onion_private_key
 
+    bitcoind.rpchost=${cfg.bitcoind-host}
     bitcoind.rpcuser=${config.services.bitcoind.rpcuser}
     bitcoind.zmqpubrawblock=${config.services.bitcoind.zmqpubrawblock}
     bitcoind.zmqpubrawtx=${config.services.bitcoind.zmqpubrawtx}
@@ -45,6 +46,25 @@ in {
       default = "/var/lib/lnd";
       description = "The data directory for LND.";
     };
+    listen = mkOption {
+      type = types.str;
+      default = "localhost";
+      description = "Bind to given address to listen to peer connections";
+    };
+    rpclisten = mkOption {
+      type = types.listOf types.str;
+      default = [ "localhost" ];
+      description = ''
+        Bind to given address to listen to RPC connections.
+      '';
+    };
+    restlisten = mkOption {
+      type = types.listOf types.str;
+      default = [ "localhost" ];
+      description = ''
+        Bind to given address to listen to REST connections.
+      '';
+    };
     rpcPort = mkOption {
       type = types.port;
       default = 10009;
@@ -55,6 +75,23 @@ in {
       default = 8080;
       description = "Port on which to listen for REST connections.";
     };
+    bitcoind-host = mkOption {
+      type = types.str;
+      default = "127.0.0.1";
+      description = ''
+        The host that your local bitcoind daemon is listening on.
+      '';
+    };
+    tor-socks = mkOption {
+      type = types.nullOr types.str;
+      default = null;
+      description = "Set a socks proxy to use to connect to Tor nodes";
+    };
+    announce-tor = mkOption {
+      type = types.bool;
+      default = false;
+      description = "Announce LND Tor Hidden Service";
+    };
     extraConfig = mkOption {
       type = types.lines;
       default = "";
@@ -96,19 +133,21 @@ in {
     ];
 
     services.bitcoind = {
-      zmqpubrawblock = "tcp://127.0.0.1:28332";
+      zmqpubrawblock = "tcp://${cfg.bitcoind-host}:28332";
-      zmqpubrawtx = "tcp://127.0.0.1:28333";
+      zmqpubrawtx = "tcp://${cfg.bitcoind-host}:28333";
     };
 
+    services.onion-chef.access.lnd = if cfg.announce-tor then [ "lnd" ] else [];
     systemd.services.lnd = {
       description = "Run LND";
       path  = [ pkgs.nix-bitcoin.bitcoind ];
       wantedBy = [ "multi-user.target" ];
-      requires = [ "bitcoind.service" ];
+      requires = [ "bitcoind.service" ] ++ onion-chef-service;
-      after = [ "bitcoind.service" ];
+      after = [ "bitcoind.service" ] ++ onion-chef-service;
       preStart = ''
         install -m600 ${configFile} '${cfg.dataDir}/lnd.conf'
         echo "bitcoind.rpcpass=$(cat ${secretsDir}/bitcoin-rpcpassword)" >> '${cfg.dataDir}/lnd.conf'
+        ${optionalString cfg.announce-tor "echo externalip=$(cat /var/lib/onion-chef/lnd/lnd) >> '${cfg.dataDir}/lnd.conf'"}
       '';
       serviceConfig = nix-bitcoin-services.defaultHardening // {
         ExecStart = "${cfg.package}/bin/lnd --configfile=${cfg.dataDir}/lnd.conf";

modules/presets/secure-node.nix

@@ -24,6 +24,11 @@ in {
       default = 9735;
       description = "Port on which to listen for tor client connections.";
     };
+    services.lnd.onionport = mkOption {
+      type = types.ints.u16;
+      default = 9735;
+      description = "Port on which to listen for tor client connections.";
+    };
     services.electrs.onionport = mkOption {
       type = types.port;
       default = 50002;
@@ -82,7 +87,11 @@ in {
     services.tor.hiddenServices.clightning = mkHiddenService { port = cfg.clightning.onionport; toHost = (builtins.head (builtins.split ":" cfg.clightning.bind-addr)); };
 
     # lnd
-    services.lnd.enforceTor = true;
+    services.lnd = {
+      tor-socks = cfg.tor.client.socksListenAddress;
+      enforceTor = true;
+    };
+    services.tor.hiddenServices.lnd = mkHiddenService { port = cfg.lnd.onionport; };
 
     # liquidd
     services.liquidd = {