From 64d59dd6366d12bb78ced17a9abce3cec86856f3 Mon Sep 17 00:00:00 2001
From: Christine Elisabeth Koppel
Date: Sun, 15 Feb 2026 19:03:14 +0100
Subject: [PATCH] Fix the file permissions.

---
 nix-system-configs/modules/system/mail-server.nix | 14 +++++++++-----
 1 file changed, 9 insertions(+), 5 deletions(-)

diff --git a/nix-system-configs/modules/system/mail-server.nix b/nix-system-configs/modules/system/mail-server.nix
index 58a81c3..60820e3 100644
--- a/nix-system-configs/modules/system/mail-server.nix
+++ b/nix-system-configs/modules/system/mail-server.nix
@@ -52,13 +52,17 @@ in {
 # Create /etc/stalwart secret files so the generated TOML can reference them
 environment.etc = {
 "stalwart/mail-pw1".text = boardPassword; # principal password (board)
- "stalwart/mail-pw1".mode = "0400";
+ "stalwart/mail-pw1".mode = "0440";
+ "stalwart/mail-pw1".owner = "stalwart";
 "stalwart/admin-pw".text = adminPassword; # admin fallback password
- "stalwart/admin-pw".mode = "0400";
+ "stalwart/admin-pw".mode = "0440";
+ "stalwart/admin-pw".owner = "root";
 "stalwart/acme-secret".text = cloudflareToken; # API token for ACME (Cloudflare)
- "stalwart/acme-secret".mode = "0400";
+ "stalwart/acme-secret".mode = "0440";
+ "stalwart/acme-secret".owner = "stalwart";
 "stalwart/cloudflare-username".text = cloudflareUsername; # contact email for ACME
- "stalwart/cloudflare-username".mode = "0400";
+ "stalwart/cloudflare-username".mode = "0440";
+ "stalwart/cloudflare-username".owner = "stalwart";
 };
 
 # Enable Tailscale for remote access to Traefik dashboard and configuration
@@ -93,7 +97,7 @@ in {
 protocol = "smtp";
 tls.implicit = true;
 # Also trust proxy for SMTPS
- proxy.trusted-networks = ["10.1.1.250/32"];
+ proxy.trusted-networks = ["10.1.1.250/31"];
 };
 imaps = {
 bind = "[::]:993";
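Review bot: The four added `.owner` lines are likely to fail evaluation, because as far as I know the `environment.etc.<name>` submodule exposes `user` and `group` (plus `uid`/`gid`) and has no `owner` option; they would need to read e.g. `"stalwart/mail-pw1".user = "stalwart";`. No `group` is set on any entry, so it presumably stays at the root default, in which case 0440 gives the stalwart account nothing that 0400 did not and only adds a read bit for gid 0, while `admin-pw` (owner root) stays unreadable to the service unless that is intended. Separately, `.text` places each secret in the Nix store, which is world-readable, so the mode on the /etc copy does not protect the passwords or the Cloudflare token from local users; reading them from a runtime secret path (sops-nix, agenix or a systemd credential) would. The `environment.etc` block sits inside a module body that starts above the hunk.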
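Review bot: Changing `proxy.trusted-networks` from `10.1.1.250/32` to `10.1.1.250/31` also trusts 10.1.1.251, and nothing in a commit titled as a file-permission fix explains why. The listener accepts the client address supplied by any host in a trusted network, and that address feeds IP-based rate limits, blocklists and sender checks, so the list should name only real proxies. If a second proxy exists, spell it out with a comment, `proxy.trusted-networks = ["10.1.1.250/32" "10.1.1.251/32"]; # second proxy: <reason>`; otherwise keep the /32. The comment "Also trust proxy" suggests other listeners carry the same setting outside this hunk, so check they stay consistent; the listener block itself starts above the hunk.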