From 0ba55757f8027da906f84a1330bd11fc3ae1f0f0 Mon Sep 17 00:00:00 2001
From: nixbitcoin
Date: Mon, 18 May 2020 14:32:49 +0000
Subject: [PATCH] clightning: allow group access to RPC socket
---
 modules/clightning.nix | 7 ++++---
 modules/presets/secure-node.nix | 5 -----
 2 files changed, 4 insertions(+), 8 deletions(-)
diff --git a/modules/clightning.nix b/modules/clightning.nix
index 619d210..4a08ae0 100644
--- a/modules/clightning.nix
+++ b/modules/clightning.nix
@@ -13,6 +13,7 @@ let
 always-use-proxy=${if cfg.always-use-proxy then "true" else "false"}
 ${optionalString (cfg.bind-addr != null) "bind-addr=${cfg.bind-addr}"}
 bitcoin-rpcuser=${cfg.bitcoin-rpcuser}
+ rpc-file-mode=0660
 '';
 in {
 options.services.clightning = {
@@ -61,10 +62,8 @@ in {
 cli = mkOption {
 readOnly = true;
 default = pkgs.writeScriptBin "lightning-cli"
- # Switch user because c-lightning doesn't allow setting the permissions of the rpc socket
- # https://github.com/ElementsProject/lightning/issues/1366
 ''
- exec sudo -u clightning ${pkgs.nix-bitcoin.clightning}/bin/lightning-cli --lightning-dir='${cfg.dataDir}' "$@"
+ ${pkgs.nix-bitcoin.clightning}/bin/lightning-cli --lightning-dir='${cfg.dataDir}' "$@"
 '';
 description = "Binary to connect with the clightning instance.";
 };
@@ -110,6 +109,8 @@ in {
 while [[ ! -e ${cfg.dataDir}/bitcoin/lightning-rpc ]]; do
 sleep 0.1
 done
+ # Needed to enable lightning-cli for users with group 'clightning'
+ chmod g+x ${cfg.dataDir}/bitcoin
 '';
 };
 };
diff --git a/modules/presets/secure-node.nix b/modules/presets/secure-node.nix
index 83b567e..ebde6a9 100644
--- a/modules/presets/secure-node.nix
+++ b/modules/presets/secure-node.nix
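Review bot: The added `rpc-file-mode=0660` line in the `@@ -13,6 +13,7 @@` hunk of modules/clightning.nix carries no comment about what group access implies. The lightningd RPC socket is guarded only by its file permissions, so every member of group `clightning` gets full control of the node, including its funds. A comment beside the setting would make that explicit, for example `# group 'clightning' gets full RPC access (incl. spending funds); keep membership minimal`. The mode is also hard-coded, so a deployment that wants the socket owner-only cannot opt out without overriding the whole config text; whether an option is warranted depends on callers outside this hunk.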
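Review bot: After the `@@ -61,10 +62,8 @@` hunk the `lightning-cli` wrapper works only for callers who are already in group `clightning`, and nothing visible in this patch adds `operator` to that group. The same patch removes the sudo rule for `operator` in secure-node.nix, so unless group membership is set elsewhere, `operator` loses access; something like `users.users.operator.extraGroups = [ "clightning" ];` would be needed. The rewritten line also drops `exec`; keeping it, as in `exec ${pkgs.nix-bitcoin.clightning}/bin/lightning-cli --lightning-dir='${cfg.dataDir}' "$@"`, avoids leaving a wrapper shell in the process tree. The `description` could also mention the group requirement.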
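Review bot: The `chmod g+x ${cfg.dataDir}/bitcoin` added in the `@@ -110,6 +109,8 @@` hunk opens the whole network directory to traversal by the group, not just the socket. Any file in it that happens to be group-readable becomes reachable by name, so it is worth confirming that `hsm_secret` and the database are created without group bits; their modes are not set anywhere in this hunk. The comment could record that, for example `# g+x only permits traversal to lightning-rpc; other files here must not be group-readable`. The path is also unquoted, and `chmod g+x '${cfg.dataDir}/bitcoin'` would match the quoting used for `--lightning-dir` in the wrapper. The enclosing script begins outside the hunk, so whether `${cfg.dataDir}` itself is group-traversable cannot be checked from here.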
@@ -132,12 +132,7 @@ in {
 services.onion-chef.enable = true;
 services.onion-chef.access.operator = [ "bitcoind" "clightning" "nginx" "liquidd" "spark-wallet" "electrs" "sshd" ];
- # Unfortunately c-lightning doesn't allow setting the permissions of the rpc socket
- # https://github.com/ElementsProject/lightning/issues/1366
 security.sudo.configFile =
- (optionalString cfg.clightning.enable ''
- operator ALL=(clightning) NOPASSWD: ALL
- '') +
 (optionalString cfg.lnd.enable ''
 operator ALL=(lnd) NOPASSWD: ALL
 '');