From 966d668f4db83d7e1cfe691d8bd6290c282afedd Mon Sep 17 00:00:00 2001
From: Patrick Mulligan
Date: Fri, 27 Feb 2026 09:56:02 -0500
Subject: [PATCH] Fix macaroon permission error by copying with root script

The LND admin macaroon is only readable by the lnd user, not the lnd group. Copy it to the lightning-pub data dir via ExecStartPre root script, matching the pattern used by RTL.

Co-Authored-By: Claude Opus 4.6
---
 modules/lightning-pub.nix | 9 ++++++++-
 1 file changed, 8 insertions(+), 1 deletion(-)

diff --git a/modules/lightning-pub.nix b/modules/lightning-pub.nix
index 84c23c7..6a595d4 100644
--- a/modules/lightning-pub.nix
+++ b/modules/lightning-pub.nix
@@ -198,10 +198,17 @@ in {
       WATCHDOG_MAX_DIFF_SATS = toString cfg.watchdogMaxDiffSats;
       LND_ADDRESS = "${lnd.rpcAddress}:${toString lnd.rpcPort}";
       LND_CERT_PATH = lnd.certPath;
-      LND_MACAROON_PATH = "${lnd.networkDir}/admin.macaroon";
+      LND_MACAROON_PATH = "${cfg.dataDir}/admin.macaroon";
     } // cfg.extraEnv;
     serviceConfig = nbLib.defaultHardening // {
+      # Copy the admin macaroon (only readable by lnd user, not group)
+      ExecStartPre = [
+        (nbLib.rootScript "lightning-pub-copy-macaroon" ''
+          install --compare -m 640 -o ${cfg.user} -g ${cfg.group} \
+            ${lnd.networkDir}/admin.macaroon '${cfg.dataDir}/admin.macaroon'
+        '')
+      ];
       ExecStart = "${lightningPubEnv} ${pkgs.nodejs_22}/bin/node build/src/index.js";
       SyslogIdentifier = "lightning-pub";
       User = cfg.user;
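Review bot: The copy made by `install --compare -m 640 -o ${cfg.user} -g ${cfg.group}` turns lnd's user-only admin macaroon into a file readable by every member of cfg.group, and since it is owned by the service user (the unit runs as `User = cfg.user`), a compromised or misbehaving lightning-pub could relax the mode further; mirroring RTL does not by itself justify widening what lnd deliberately restricted. Unless some other cfg.group member must read it, `-m 600` preserves the original least privilege, and the source path should be quoted like the destination: `install --compare -m 600 -o ${cfg.user} -g ${cfg.group} \` followed by `'${lnd.networkDir}/admin.macaroon' '${cfg.dataDir}/admin.macaroon'`. The script presumably depends on cfg.dataDir already existing with a restrictive mode before ExecStartPre runs; that setup is not in this hunk and is worth confirming. Because the copy is refreshed only at service start, a macaroon regenerated by lnd while lightning-pub is running stays stale until restart, which the comment could state: `# Refreshed on each start only; restart after lnd regenerates the macaroon`. The serviceConfig attribute set continues past the end of the hunk.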