nixos/kanidm: Fix bind paths

1. We bound the directory of certificates, this lead to forced read-only
   binds of these directories, even if they should have been bound
   read-write for other files in there. Looking at the history, there
   seems to be no compelling reason for this, so switch to binding
   the files directly.
2. `/run/kanidmd` is configured as `RuntimeDirectory` so bound
   automatically and we don’t need to specify it explicitly.

(cherry picked from commit c4f052c08a)

nixos/modules/services/security/kanidm.nix

@@ -54,15 +54,10 @@ let
     ++ optional (cfg.provision.extraJsonFile != null) cfg.provision.extraJsonFile
     ++ mapAttrsToList (_: x: x.basicSecretFile) cfg.provision.systems.oauth2
   );
-  secretDirectories = unique (
+  secretPaths = [
-    map builtins.dirOf (
+    cfg.serverSettings.tls_chain
-      [
+    cfg.serverSettings.tls_key
-        cfg.serverSettings.tls_chain
+  ] ++ optionals cfg.provision.enable provisionSecretFiles;
-        cfg.serverSettings.tls_key
-      ]
-      ++ optionals cfg.provision.enable provisionSecretFiles
-    )
-  );
 
   # Merge bind mount paths and remove paths where a prefix is already mounted.
   # This makes sure that if e.g. the tls_chain is in the nix store and /nix/store is already in the mount
@@ -881,7 +876,7 @@ in
         (
           defaultServiceConfig
           // {
-            BindReadOnlyPaths = mergePaths (defaultServiceConfig.BindReadOnlyPaths ++ secretDirectories);
+            BindReadOnlyPaths = mergePaths (defaultServiceConfig.BindReadOnlyPaths ++ secretPaths);
           }
         )
         {
@@ -895,8 +890,6 @@ in
 
           BindPaths =
             [
-              # To create the socket
-              "/run/kanidmd:/run/kanidmd"
               # To store backups
               cfg.serverSettings.online_backup.path
             ]