tailwart/acl-snippet.hujson

// tailwart — merge into your live Tailscale policy (admin console).
// Snippet, not a full policy. Kept here so an upstream pull of any other repo
// can't clobber it.

// 1) tagOwners — add (self-ownership required for auth-key node creation):
//    "tag:stalwart": ["autogroup:admin", "tag:stalwart"],

// 2) grants — Stalwart reaches the three shared backends:
{ "src": ["tag:stalwart"], "dst": ["tag:db-postgres"], "ip": ["tcp:5432"] },
{ "src": ["tag:stalwart"], "dst": ["tag:db-redis"],    "ip": ["tcp:6379"] },
{ "src": ["tag:stalwart"], "dst": ["tag:garage"],      "ip": ["tcp:3900"] },

// 3) grants — the edge proxy (tag:reverse-proxy) reaches the mailbox ports.
//    8080 is the JMAP/admin HTTP tier (fronted by the main L7 Caddy).
{
  "src": ["tag:reverse-proxy"],
  "dst": ["tag:stalwart"],
  "ip":  ["tcp:25", "tcp:465", "tcp:587", "tcp:143", "tcp:993", "tcp:8080"],
},

// 4) admin console (not this file): assign tag:stalwart to the same OAuth
//    client federatedSocial uses, on the Devices/Core + Keys/AuthKeys scopes.
//    Missing → 403 "calling actor does not have enough permissions" at boot.
Scaffold tailwart: Stalwart mailbox as a Tailscale sidecar Over-engineered play stack for infinidim.net — Stalwart wired into the shared Postgres + Redis + Garage S3 over the tailnet, with no WAN presence. Public mail ports are fronted by a separate caddy-l4 layer-4 proxy (caddy/) that can run on any tailnet host tagged tag:reverse-proxy — decoupled from the mailbox. - docker-compose.yml: ts-stalwart sidecar + stalwart, backends via MagicDNS - config/config.toml: PG (data/fts) + Redis (lookup) + S3 (blob) strawman - caddy/: xcaddy build with caddy-l4, JSON layer-4 mail proxy, own compose - acl-snippet.hujson: tag:stalwart owner + backend/edge grants - .env.example + gitignored .env (pulled from shared infra) Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com> 2026-06-03 22:25:38 -04:00			`// tailwart — merge into your live Tailscale policy (admin console).`
			`// Snippet, not a full policy. Kept here so an upstream pull of any other repo`
			`// can't clobber it.`

			`// 1) tagOwners — add (self-ownership required for auth-key node creation):`
			`// "tag:stalwart": ["autogroup:admin", "tag:stalwart"],`

			`// 2) grants — Stalwart reaches the three shared backends:`
			`{ "src": ["tag:stalwart"], "dst": ["tag:db-postgres"], "ip": ["tcp:5432"] },`
			`{ "src": ["tag:stalwart"], "dst": ["tag:db-redis"], "ip": ["tcp:6379"] },`
			`{ "src": ["tag:stalwart"], "dst": ["tag:garage"], "ip": ["tcp:3900"] },`

			`// 3) grants — the edge proxy (tag:reverse-proxy) reaches the mailbox ports.`
			`// 8080 is the JMAP/admin HTTP tier (fronted by the main L7 Caddy).`
			`{`
			`"src": ["tag:reverse-proxy"],`
			`"dst": ["tag:stalwart"],`
			`"ip": ["tcp:25", "tcp:465", "tcp:587", "tcp:143", "tcp:993", "tcp:8080"],`
			`},`

			`// 4) admin console (not this file): assign tag:stalwart to the same OAuth`
			`// client federatedSocial uses, on the Devices/Core + Keys/AuthKeys scopes.`
			`// Missing → 403 "calling actor does not have enough permissions" at boot.`