diff --git a/modules/bitcoind.nix b/modules/bitcoind.nix
index f1f1af0..74323cb 100644
--- a/modules/bitcoind.nix
+++ b/modules/bitcoind.nix
@@ -286,9 +286,6 @@ in {
 ExecStart = "${cfg.package}/bin/bitcoind -datadir='${cfg.dataDir}'";
 Restart = "on-failure";
 UMask = mkIf cfg.dataDirReadableByGroup "0027";
-
- # Permission for preStart
- PermissionsStartOnly = "true";
 } // (if cfg.enforceTor
 then nix-bitcoin-services.allowTor
 else nix-bitcoin-services.allowAnyIP)
@@ -328,9 +325,11 @@ in {
 description = "Bitcoin daemon user";
 };
 users.groups.${cfg.group} = {};
+ users.groups.bitcoinrpc = {};
 nix-bitcoin.secrets.bitcoin-rpcpassword = {
 user = "bitcoin";
+ group = "bitcoinrpc";
 };
 };
 }
diff --git a/modules/clightning.nix b/modules/clightning.nix
index 39b84a2..501b4c9 100644
--- a/modules/clightning.nix
+++ b/modules/clightning.nix
@@ -75,6 +75,7 @@ in {
 users.users.clightning = {
 description = "clightning User";
 group = "clightning";
+ extraGroups = [ "bitcoinrpc" ];
 };
 users.groups.clightning = {};
@@ -97,7 +98,6 @@ in {
 echo "bitcoin-rpcpassword=$(cat ${config.nix-bitcoin.secretsDir}/bitcoin-rpcpassword)" >> '${cfg.dataDir}/config'
 '';
 serviceConfig = nix-bitcoin-services.defaultHardening // {
- PermissionsStartOnly = "true";
 ExecStart = "${pkgs.nix-bitcoin.clightning}/bin/lightningd --lightning-dir=${cfg.dataDir}";
 User = "clightning";
 Restart = "on-failure";
diff --git a/modules/electrs.nix b/modules/electrs.nix
index 15f4f8d..379ea0f 100644
--- a/modules/electrs.nix
+++ b/modules/electrs.nix
@@ -80,7 +80,6 @@ in {
 RuntimeDirectory = "electrs";
 RuntimeDirectoryMode = "700";
 WorkingDirectory = "/run/electrs";
- PermissionsStartOnly = "true";
 ExecStart = ''
 ${pkgs.nix-bitcoin.electrs}/bin/electrs -vvv \
 ${if cfg.high-memory then
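Review bot: Dropping `PermissionsStartOnly` means bitcoind's preStart now runs as the service user instead of root, and that preStart script is outside this hunk, so it is not visible whether it still performs operations that only root can do (a `chown`, or writing into a root-owned directory) and will now fail at unit start. The same applies to the removals in the clightning, electrs and spark-wallet hunks, where preStart is likewise not shown. If the scripts have already been made unprivileged-safe, a comment next to `Restart` such as `# preStart runs as the service user; it must only touch files that user owns` would record the new contract.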
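Review bot: `group = "bitcoinrpc"` on the secret only helps the consumers if the secret file's mode grants group read, and nothing in this hunk sets a mode; the default comes from the nix-bitcoin.secrets module, which is not shown. If that default is owner-only, the new `extraGroups` memberships in the clightning, electrs, liquid and lnd hunks have no effect, and clightning's preStart `cat` of the secret, now running unprivileged, fails; if the default is wider than group read, the RPC password is exposed beyond the group. Pinning the mode explicitly next to `group` (0440) would make the intent self-contained, assuming the secrets module exposes such an option.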
@@ -107,7 +106,7 @@ in {
 users.users.${cfg.user} = {
 description = "electrs User";
 group = cfg.group;
- extraGroups = optionals cfg.high-memory [ "bitcoin" ];
+ extraGroups = [ "bitcoinrpc" ] ++ optionals cfg.high-memory [ "bitcoin" ];
 };
 users.groups.${cfg.group} = {};
 }
diff --git a/modules/lightning-charge.nix b/modules/lightning-charge.nix
index ccf11bc..aa392ed 100644
--- a/modules/lightning-charge.nix
+++ b/modules/lightning-charge.nix
@@ -51,6 +51,7 @@ in {
 fi
 '';
 serviceConfig = nix-bitcoin-services.defaultHardening // {
+ # Needed to access clightning.dataDir in preStart
 PermissionsStartOnly = "true";
 EnvironmentFile = "${config.nix-bitcoin.secretsDir}/lightning-charge-env";
 ExecStart = "${pkgs.nix-bitcoin.lightning-charge}/bin/charged -l ${config.services.clightning.dataDir}/bitcoin -d ${cfg.dataDir}/lightning-charge.db";
diff --git a/modules/liquid.nix b/modules/liquid.nix
index 7fe6674..bbd45fb 100644
--- a/modules/liquid.nix
+++ b/modules/liquid.nix
@@ -212,7 +212,7 @@ in {
 wantedBy = [ "multi-user.target" ];
 preStart = ''
 cp '${configFile}' '${cfg.dataDir}/elements.conf'
- chmod o-rw '${cfg.dataDir}/elements.conf'
+ chmod 640 '${cfg.dataDir}/elements.conf'
 chown -R '${cfg.user}:${cfg.group}' '${cfg.dataDir}'
 echo "rpcpassword=$(cat ${secretsDir}/liquid-rpcpassword)" >> '${cfg.dataDir}/elements.conf'
 echo "mainchainrpcpassword=$(cat ${secretsDir}/bitcoin-rpcpassword)" >> '${cfg.dataDir}/elements.conf'
@@ -222,12 +222,8 @@ in {
 User = "${cfg.user}";
 Group = "${cfg.group}";
 ExecStart = "${pkgs.nix-bitcoin.elementsd}/bin/elementsd ${cmdlineOptions}";
- StateDirectory = "liquidd";
 PIDFile = "${pidFile}";
 Restart = "on-failure";
-
- # Permission for preStart
- PermissionsStartOnly = "true";
 } // (if cfg.enforceTor
 then nix-bitcoin-services.allowTor
 else nix-bitcoin-services.allowAnyIP
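Review bot: The added comment says root is needed to access clightning.dataDir in preStart, yet `ExecStart` on the next lines already reads `${config.services.clightning.dataDir}/bitcoin` as the unprivileged service user, so the comment should say what preStart does there that the service user cannot. The rest of this commit replaces root-running preStart with group membership, and the same pattern would fit here if the directory is group-accessible: `extraGroups = [ "clightning" ];` on the lightning-charge user instead of `PermissionsStartOnly`; whether clightning's dataDir mode allows that is not visible in this hunk. Note also that `PermissionsStartOnly=` is deprecated by systemd in favour of the `+` prefix on `ExecStartPre=`, so the remaining uses are worth tracking.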
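Review bot: In the @@ -222 hunk `PermissionsStartOnly` is removed, so liquid's preStart now runs as `cfg.user`, yet the @@ -212 hunk still shows `chown -R '${cfg.user}:${cfg.group}' '${cfg.dataDir}'` in that script. Unprivileged chown only succeeds on files the caller already owns, so on a clean install the line is a no-op, and on an existing install any file under dataDir left root-owned by earlier runs (when this preStart was still privileged) makes the script fail and the unit never starts. Either drop the `chown -R` line or keep `PermissionsStartOnly` for liquid with a comment saying why. Separately, with `StateDirectory = "liquidd"` gone, something else must now create `cfg.dataDir` with the right owner before preStart runs, and that is not visible here; the `chmod 640` itself is correctly placed before the secrets are appended.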
@@ -235,6 +231,7 @@ in {
 };
 users.users.${cfg.user} = {
 group = cfg.group;
+ extraGroups = [ "bitcoinrpc" ];
 description = "Liquid sidechain user";
 };
 users.groups.${cfg.group} = {};
diff --git a/modules/lnd.nix b/modules/lnd.nix
index 2da8c50..8554db6 100644
--- a/modules/lnd.nix
+++ b/modules/lnd.nix
@@ -163,6 +163,7 @@ in {
 users.users.lnd = {
 description = "LND User";
 group = "lnd";
+ extraGroups = [ "bitcoinrpc" ];
 home = cfg.dataDir; # lnd creates .lnd dir in HOME
 };
 users.groups.lnd = {};
diff --git a/modules/spark-wallet.nix b/modules/spark-wallet.nix
index 6488a56..f1c3179 100644
--- a/modules/spark-wallet.nix
+++ b/modules/spark-wallet.nix
@@ -71,7 +71,6 @@ in {
 requires = [ "clightning.service" ] ++ onion-chef-service;
 after = [ "clightning.service" ] ++ onion-chef-service;
 serviceConfig = nix-bitcoin-services.defaultHardening // {
- PermissionsStartOnly = "true";
 ExecStart = "${pkgs.bash}/bin/bash ${run-spark-wallet}";
 User = "spark-wallet";
 Restart = "on-failure";