secrets: allow extending generate-secrets

`generate-secrets` is no longer a monolithic script. Instead, it's
composed of the values of option `nix-bitcoin.generateSecretsCmds`.

This has the following advantages:
- generate-secrets is now extensible by users
- Only secrets of enabled services are generated
- RPC IPs in the `lnd` and `loop` certs are no longer hardcoded.

Secrets are no longer automatically generated when entering nix-shell.
Instead, they are generated before deployment (via `krops-deploy`)
because secrets generation is now dependant on the node configuration.

modules/lnd.nix

@@ -293,7 +293,14 @@ in {
       lnd-wallet-password.user = cfg.user;
       lnd-key.user = cfg.user;
       lnd-cert.user = cfg.user;
-      lnd-cert.permissions = "0444"; # world readable
+      lnd-cert.permissions = "444"; # world readable
     };
+    # Advantages of manually pre-generating certs:
+    # - Reduces dynamic state
+    # - Enables deployment of a mesh of server plus client nodes with predefined certs
+    nix-bitcoin.generateSecretsCmds.lnd = ''
+      makePasswordSecret lnd-wallet-password
+      makeCert lnd '${optionalString (cfg.rpcAddress != "localhost") "IP:${cfg.rpcAddress}"}'
+    '';
   };
 }