From a4da436061c06ca32f2d5766020dd0238c2d141e Mon Sep 17 00:00:00 2001
From: Patrick Mulligan
Date: Fri, 9 Jan 2026 22:47:07 +0100
Subject: [PATCH] Completely disable sandboxing for build service
---
 modules/lamassu-lnbits.nix | 15 ++++++++++++---
 1 file changed, 12 insertions(+), 3 deletions(-)
diff --git a/modules/lamassu-lnbits.nix b/modules/lamassu-lnbits.nix
index 804f7bd..a726069 100644
--- a/modules/lamassu-lnbits.nix
+++ b/modules/lamassu-lnbits.nix
@@ -328,11 +328,20 @@ in
 Group = cfg.group;
 # Build can take a while, especially on first run
 TimeoutStartSec = "30min";
- # Allow write access to data directory for cloning and building
- ReadWritePaths = [ cfg.dataDir "/tmp" ];
- # Relax sandboxing for build scripts
+ # Completely disable sandboxing for build (npm scripts need full access)
 PrivateTmp = false;
+ PrivateDevices = false;
+ ProtectSystem = false;
+ ProtectHome = false;
 NoNewPrivileges = false;
+ ProtectKernelTunables = false;
+ ProtectKernelModules = false;
+ ProtectControlGroups = false;
+ RestrictNamespaces = false;
+ RestrictSUIDSGID = false;
+ LockPersonality = false;
+ # Don't restrict syscalls
+ SystemCallFilter = "";
 };
 script = ''
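Review bot: Switching off every hardening directive at once, for a unit whose script runs npm lifecycle scripts, gives third-party install code the service user's unrestricted view of the host: home directories, a /tmp shared with other services, setuid binaries and an unfiltered syscall surface. The new comment says npm scripts need full access but not which directive broke the build, so re-enable them one at a time and keep the ones a Node build rarely needs relaxed, for example `NoNewPrivileges = true;`, `ProtectHome = true;` and `RestrictSUIDSGID = true;`. If the failure was a write outside the data directory, restoring `ReadWritePaths = [ cfg.dataDir ];` under a read-only `ProtectSystem` is narrower than `ProtectSystem = false;`. Several of these `false` values match systemd's defaults, so unless they are set elsewhere in the module (the serviceConfig block begins outside the hunk) they mainly record intent, and the comment should name the failing script so the exception can be revisited.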