diff --git a/modules/lightning-pub.nix b/modules/lightning-pub.nix
index 84c23c7..6a595d4 100644
--- a/modules/lightning-pub.nix
+++ b/modules/lightning-pub.nix
@@ -198,10 +198,17 @@ in {
 WATCHDOG_MAX_DIFF_SATS = toString cfg.watchdogMaxDiffSats;
 LND_ADDRESS = "${lnd.rpcAddress}:${toString lnd.rpcPort}";
 LND_CERT_PATH = lnd.certPath;
- LND_MACAROON_PATH = "${lnd.networkDir}/admin.macaroon";
+ LND_MACAROON_PATH = "${cfg.dataDir}/admin.macaroon";
 } // cfg.extraEnv;
 serviceConfig = nbLib.defaultHardening // {
+ # Copy the admin macaroon (only readable by lnd user, not group)
+ ExecStartPre = [
+ (nbLib.rootScript "lightning-pub-copy-macaroon" ''
+ install --compare -m 640 -o ${cfg.user} -g ${cfg.group} \
+ ${lnd.networkDir}/admin.macaroon '${cfg.dataDir}/admin.macaroon'
+ '')
+ ];
 ExecStart = "${lightningPubEnv} ${pkgs.nodejs_22}/bin/node build/src/index.js";
 SyslogIdentifier = "lightning-pub";
 User = cfg.user;
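Review bot: The `install` call in the new `ExecStartPre` writes the copy of lnd's admin macaroon with `-m 640 -g ${cfg.group}`, so every member of that group can read a credential that the added comment says lnd itself keeps owner-only. Since the unit runs as `User = cfg.user`, owner-only access should be enough: `install --compare -m 600 -o ${cfg.user} -g ${cfg.group} \`. The copy also stays in `${cfg.dataDir}` after the unit stops, so it presumably ends up in any backup of that directory; a comment such as `# admin.macaroon copy grants full lnd control; keep dataDir out of shared backups` would make that visible. The source path `${lnd.networkDir}/admin.macaroon` is unquoted while the destination is quoted, and quoting both would be consistent. The `serviceConfig` set continues past the end of the hunk.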