diff --git a/modules/lightning-loop.nix b/modules/lightning-loop.nix
index 65a6981..6260a12 100644
--- a/modules/lightning-loop.nix
+++ b/modules/lightning-loop.nix
@@ -6,8 +6,21 @@ let
   cfg = config.services.lightning-loop;
   inherit (config) nix-bitcoin-services;
   secretsDir = config.nix-bitcoin.secretsDir;
-in {
+  configFile = builtins.toFile "loop.conf" ''
+    datadir=${cfg.dataDir}
+    logdir=${cfg.dataDir}/logs
+    tlscertpath=${secretsDir}/loop-cert
+    tlskeypath=${secretsDir}/loop-key
 
+    lnd.host=${builtins.elemAt config.services.lnd.rpclisten 0}:${toString config.services.lnd.rpcPort}
+    lnd.macaroondir=${config.services.lnd.dataDir}/chain/bitcoin/mainnet
+    lnd.tlspath=${secretsDir}/lnd-cert
+
+    ${optionalString (cfg.proxy != null) "server.proxy=${cfg.proxy}"}
+
+    ${cfg.extraConfig}
+  '';
+in {
   options.services.lightning-loop = {
     enable = mkEnableOption "lightning-loop";
     package = mkOption {
@@ -16,26 +29,32 @@ in {
       defaultText = "pkgs.nix-bitcoin.lightning-loop";
       description = "The package providing lightning-loop binaries.";
     };
+    dataDir = mkOption {
+      type = types.path;
+      default = "/var/lib/lightning-loop";
+      description = "The data directory for lightning-loop.";
+    };
     proxy = mkOption {
       type = types.nullOr types.str;
       default = null;
-      description = "Connect through SOCKS5 proxy";
+      description = "host:port of SOCKS5 proxy for connnecting to the loop server.";
     };
-    extraArgs = mkOption {
-      type = types.separatedString " ";
+    extraConfig = mkOption {
+      type = types.lines;
       default = "";
-      description = "Extra command line arguments passed to loopd.";
+      example = ''
+        debuglevel=trace
+      '';
+      description = "Extra lines appended to the configuration file.";
     };
     cli = mkOption {
-      default = pkgs.writeScriptBin "loop"
-      # Switch user because lnd makes datadir contents readable by user only
-      ''
-        ${cfg.cliExec} sudo -u lnd ${cfg.package}/bin/loop "$@"
+      default = pkgs.writeScriptBin "loop" ''
+        ${cfg.cliExec} ${cfg.package}/bin/loop --tlscertpath ${secretsDir}/loop-cert "$@"
       '';
-      description = "Binary to connect with the lnd instance.";
+      description = "Binary to connect with the lightning-loop instance.";
     };
     inherit (nix-bitcoin-services) cliExec;
-    enforceTor =  nix-bitcoin-services.enforceTor;
+    enforceTor = nix-bitcoin-services.enforceTor;
   };
 
   config = mkIf cfg.enable {
@@ -47,27 +66,28 @@ in {
 
     environment.systemPackages = [ cfg.package (hiPrio cfg.cli) ];
 
+    systemd.tmpfiles.rules = [
+      "d '${cfg.dataDir}' 0770 lnd lnd - -"
+    ];
+
     systemd.services.lightning-loop = {
-      description = "Run loopd";
       wantedBy = [ "multi-user.target" ];
       requires = [ "lnd.service" ];
       after = [ "lnd.service" ];
       serviceConfig = nix-bitcoin-services.defaultHardening // {
-        ExecStart = ''
-          ${cfg.package}/bin/loopd \
-          --lnd.host=${config.services.lnd.listen}:10009 \
-          --lnd.macaroondir=${config.services.lnd.dataDir}/chain/bitcoin/mainnet \
-          --lnd.tlspath=${secretsDir}/lnd-cert \
-          ${optionalString (cfg.proxy != null) "--server.proxy=${cfg.proxy}"} \
-          ${cfg.extraArgs}
-        '';
+        ExecStart = "${cfg.package}/bin/loopd --configfile=${configFile}";
         User = "lnd";
         Restart = "on-failure";
         RestartSec = "10s";
-        ReadWritePaths = "${config.services.lnd.dataDir}";
+        ReadWritePaths = "${cfg.dataDir}";
       } // (if cfg.enforceTor
-          then nix-bitcoin-services.allowTor
-          else nix-bitcoin-services.allowAnyIP);
+            then nix-bitcoin-services.allowTor
+            else nix-bitcoin-services.allowAnyIP);
     };
+
+     nix-bitcoin.secrets = {
+       loop-key.user = "lnd";
+       loop-cert.user = "lnd";
+     };
   };
 }
diff --git a/pkgs/generate-secrets/generate-secrets.sh b/pkgs/generate-secrets/generate-secrets.sh
index 831b235..4255289 100755
--- a/pkgs/generate-secrets/generate-secrets.sh
+++ b/pkgs/generate-secrets/generate-secrets.sh
@@ -34,3 +34,10 @@ if [[ ! -e lnd-key || ! -e lnd-cert ]]; then
     openssl req -config $opensslConf -x509 -sha256 -days 1825 -key lnd-key -in lnd.csr -out lnd-cert
     rm lnd.csr
 fi
+
+if [[ ! -e loop-key || ! -e loop-cert ]]; then
+    openssl ecparam -genkey -name prime256v1 -out loop-key
+    openssl req -config $opensslConf -new -sha256 -key loop-key -out loop.csr -subj '/CN=localhost/O=loopd'
+    openssl req -config $opensslConf -x509 -sha256 -days 1825 -key loop-key -in loop.csr -out loop-cert
+    rm loop.csr
+fi
diff --git a/pkgs/generate-secrets/openssl.cnf b/pkgs/generate-secrets/openssl.cnf
index 641d13d..efc6cb5 100644
--- a/pkgs/generate-secrets/openssl.cnf
+++ b/pkgs/generate-secrets/openssl.cnf
@@ -32,3 +32,5 @@ IP.1 = 127.0.0.1
 DNS.1 = localhost
 # TODO: Remove hardcoded lnd IP
 IP.2 = 169.254.1.14
+# TODO: Remove hardcoded loopd IP
+IP.3 = 169.254.1.22