From 2c8e29b35bc5b8165c854966594a68456e341f62 Mon Sep 17 00:00:00 2001
From: Erik Arvstedt
Date: Wed, 8 Sep 2021 17:01:13 +0200
Subject: [PATCH] lnd: extract option `certPath`

Improves service encapsulation.
---
 modules/btcpayserver.nix | 2 +-
 modules/charge-lnd.nix | 2 +-
 modules/lightning-loop.nix | 2 +-
 modules/lightning-pool.nix | 3 +--
 modules/lnd-rest-onion-service.nix | 3 +--
 modules/lnd.nix | 11 ++++++++---
 6 files changed, 13 insertions(+), 10 deletions(-)

diff --git a/modules/btcpayserver.nix b/modules/btcpayserver.nix
index 751614f..0e5d9e6 100644
--- a/modules/btcpayserver.nix
+++ b/modules/btcpayserver.nix
@@ -211,7 +211,7 @@ in {
 ${optionalString (cfg.btcpayserver.lightningBackend == "lnd") ''
 {
 echo -n "${lndConfig}"
- ${pkgs.openssl}/bin/openssl x509 -noout -fingerprint -sha256 -in ${config.nix-bitcoin.secretsDir}/lnd-cert \
+ ${pkgs.openssl}/bin/openssl x509 -noout -fingerprint -sha256 -in ${config.services.lnd.certPath} \
 | sed -e 's/.*=//;s/://g'
 } >> '${cfg.btcpayserver.dataDir}/settings.config'
 ''}
diff --git a/modules/charge-lnd.nix b/modules/charge-lnd.nix
index b6cf8aa..c3d4580 100644
--- a/modules/charge-lnd.nix
+++ b/modules/charge-lnd.nix
@@ -105,7 +105,7 @@ in
 macaroonDir=${dataDir}/lnddir-proxy/data/chain/bitcoin/mainnet
 mkdir -p $macaroonDir
 ln -sf /run/lnd/charge-lnd.macaroon $macaroonDir
- ln -sf ${config.nix-bitcoin.secretsDir}/lnd-cert ${dataDir}/lnddir-proxy/tls.cert
+ ln -sf ${lnd.certPath} ${dataDir}/lnddir-proxy/tls.cert
 '';
 serviceConfig = nbLib.defaultHardening // {
 ExecStart = ''
diff --git a/modules/lightning-loop.nix b/modules/lightning-loop.nix
index 1eed2ff..d6e6a65 100644
--- a/modules/lightning-loop.nix
+++ b/modules/lightning-loop.nix
@@ -22,7 +22,7 @@ let
 lnd.host=${lnd.rpcAddress}:${toString lnd.rpcPort}
 lnd.macaroonpath=${lnd.networkDir}/admin.macaroon
- lnd.tlspath=${secretsDir}/lnd-cert
+ lnd.tlspath=${lnd.certPath}
 ${optionalString (cfg.proxy != null) "server.proxy=${cfg.proxy}"}
diff --git a/modules/lightning-pool.nix b/modules/lightning-pool.nix
index 0ec6bb6..7f49f3d 100644
--- a/modules/lightning-pool.nix
+++ b/modules/lightning-pool.nix
@@ -5,7 +5,6 @@ with lib;
 let
 cfg = config.services.lightning-pool;
 nbLib = config.nix-bitcoin.lib;
- secretsDir = config.nix-bitcoin.secretsDir;
 lnd = config.services.lnd;
@@ -18,7 +17,7 @@ let
 lnd.host=${lnd.rpcAddress}:${toString lnd.rpcPort}
 lnd.macaroondir=${lnd.networkDir}
- lnd.tlspath=${secretsDir}/lnd-cert
+ lnd.tlspath=${lnd.certPath}
 ${cfg.extraConfig}
 '';
diff --git a/modules/lnd-rest-onion-service.nix b/modules/lnd-rest-onion-service.nix
index 1d873cc..344885e 100644
--- a/modules/lnd-rest-onion-service.nix
+++ b/modules/lnd-rest-onion-service.nix
@@ -5,7 +5,6 @@ with lib;
 let
 cfg = config.services.lnd.restOnionService;
 nbLib = config.nix-bitcoin.lib;
- secretsDir = config.nix-bitcoin.secretsDir;
 runAsUser = config.nix-bitcoin.runAsUserCmd;
 lnd = config.services.lnd;
@@ -17,7 +16,7 @@ let
 --host=$(cat ${config.nix-bitcoin.onionAddresses.dataDir}/lnd/lnd-rest) \
 --port=${toString lnd.restPort} \
 --lnddir=${lnd.dataDir} \
- --tlscertpath=${secretsDir}/lnd-cert "$@"
+ --tlscertpath=${lnd.certPath} "$@"
 '';
 in {
 options.services.lnd.restOnionService = {
diff --git a/modules/lnd.nix b/modules/lnd.nix
index fcadc5c..7dec2d2 100644
--- a/modules/lnd.nix
+++ b/modules/lnd.nix
@@ -14,7 +14,7 @@ let
 configFile = pkgs.writeText "lnd.conf" ''
 datadir=${cfg.dataDir}
 logdir=${cfg.dataDir}/logs
- tlscertpath=${secretsDir}/lnd-cert
+ tlscertpath=${cfg.certPath}
 tlskeypath=${secretsDir}/lnd-key
 listen=${toString cfg.address}:${toString cfg.port}
@@ -126,7 +126,7 @@ in {
 ''
 ${runAsUser} ${cfg.user} ${cfg.package}/bin/lncli \
 --rpcserver ${cfg.rpcAddress}:${toString cfg.rpcPort} \
- --tlscertpath '${secretsDir}/lnd-cert' \
+ --tlscertpath '${cfg.certPath}' \
 --macaroonpath '${networkDir}/admin.macaroon' "$@"
 '';
 description = "Binary to connect with the lnd instance.";
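Review bot: In the `modules/lnd.nix` hunk at `@@ -14,7 +14,7 @@`, `tlscertpath` now reads `cfg.certPath` while the line directly below keeps `tlskeypath=${secretsDir}/lnd-key`, so the certificate and its private key are now sourced through two different mechanisms; they only stay a matching pair because `certPath` is declared read-only with the same `secretsDir` default elsewhere in this patch. A short comment on the `tlskeypath` line would make that deliberate asymmetry explicit for whoever next considers turning the key path into an option as well, e.g. `# tlskeypath is intentionally not exposed as an option: only the public certificate (certPath) is shared with consumer services; the private key stays in secretsDir.` The `configFile` string this hunk sits in starts and ends outside the hunk.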
@@ -149,6 +149,11 @@ in {
 default = cfg.user;
 description = "The group as which to run LND.";
 };
+ certPath = mkOption {
+ readOnly = true;
+ default = "${secretsDir}/lnd-cert";
+ description = "LND TLS certificate path.";
+ };
 inherit (nbLib) enforceTor;
 };
@@ -211,7 +216,7 @@ in {
 # Retrying is necessary because it can happen that the lnd socket is
 # existing, but the RPC service isn't yet, which results in error
 # "waiting to start, RPC services not available".
- curl = "${pkgs.curl}/bin/curl -s --show-error --retry 10 --cacert ${secretsDir}/lnd-cert";
+ curl = "${pkgs.curl}/bin/curl -s --show-error --retry 10 --cacert ${cfg.certPath}";
 restUrl = "https://${cfg.restAddress}:${toString cfg.restPort}/v1";
 in [
 (nbLib.script "lnd-create-wallet" ''
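Review bot: The new `certPath` option in `modules/lnd.nix` at `@@ -149,6 +149,11 @@` declares no `type`, so the module system neither validates the value nor documents what kind of value consumers such as `--cacert` and `ln -sf` will receive, unlike the typed options around it. Adding `type = types.path;` (assuming `types` is in scope via `with lib;`, as it is in the other modules of this patch) pins it to an absolute path and lets generated option docs show it. The description could also state the contract the other five files now rely on, e.g. `description = "Path to the LND TLS certificate (public part only); read-only, the matching private key is not exposed.";`. The enclosing `options.services.lnd` attribute set starts outside the hunk.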