From 9dd83c5b926693789d68f0413b99d2d71a8db0cc Mon Sep 17 00:00:00 2001
From: Jet Pham <jetthomaspham@gmail.com>
Date: Mon, 9 Mar 2026 22:46:49 -0700
Subject: [PATCH] fix: allow stalwart to read agenix secrets

---
 modules/mail.nix | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/modules/mail.nix b/modules/mail.nix
index 5dae503..124393a 100644
--- a/modules/mail.nix
+++ b/modules/mail.nix
@@ -48,7 +48,8 @@
     };
   };
 
-  # Allow Stalwart to read the ACME certificate procured for Caddy
+  # Allow Stalwart to read the ACME certificate procured for Caddy and the agenix secret
   systemd.services.stalwart.serviceConfig.SupplementaryGroups = [ "acme" ];
+  systemd.services.stalwart.serviceConfig.ReadOnlyPaths = [ "/run/agenix/stalwart-admin" ];
 
 }