// tailwart — merge into your live Tailscale policy (admin console).
// Snippet, not a full policy. Kept here so an upstream pull of any other repo
// can't clobber it.

// 1) tagOwners — add (self-ownership required for auth-key node creation):
//    "tag:stalwart": ["autogroup:admin", "tag:stalwart"],

// 2) grants — Stalwart reaches the three shared backends:
{ "src": ["tag:stalwart"], "dst": ["tag:db-postgres"], "ip": ["tcp:5432"] },
{ "src": ["tag:stalwart"], "dst": ["tag:db-redis"],    "ip": ["tcp:6379"] },
{ "src": ["tag:stalwart"], "dst": ["tag:garage"],      "ip": ["tcp:3900"] },

// 3) grants — the edge proxy (tag:reverse-proxy) reaches the mailbox ports.
//    8080 is the JMAP/admin HTTP tier (fronted by the main L7 Caddy).
{
  "src": ["tag:reverse-proxy"],
  "dst": ["tag:stalwart"],
  "ip":  ["tcp:25", "tcp:465", "tcp:587", "tcp:143", "tcp:993", "tcp:8080"],
},

// 4) admin console (not this file): assign tag:stalwart to the same OAuth
//    client federatedSocial uses, on the Devices/Core + Keys/AuthKeys scopes.
//    Missing → 403 "calling actor does not have enough permissions" at boot.