diff --git a/infrastructure/production/host/stalwart/config.toml b/infrastructure/production/host/stalwart/config.toml
index 1cc28c3..ce253e4 100644
--- a/infrastructure/production/host/stalwart/config.toml
+++ b/infrastructure/production/host/stalwart/config.toml
@@ -60,7 +60,7 @@ default = true
 # management API (STALWART_ADMIN_USER/PASSWORD on the platform-api side).
 [authentication]
 fallback-admin.user = "admin"
-fallback-admin.secret = "$env{STALWART_ADMIN_PASSWORD}"
+fallback-admin.secret = "%{env:STALWART_ADMIN_PASSWORD}%"
 
 # ── Resolver ───────────────────────────────────────────────────────────────
 # DNSSEC-aware system resolver. Mail deliverability depends on clean DNS.
@@ -85,7 +85,7 @@ enable = true
 # hostname; HMAC-signed so a public endpoint is safe.
 [webhook."audit-ingest"]
 url = "https://api.dezky.eu/ingest/stalwart/webhook"
-signature-key = "$env{STALWART_WEBHOOK_SECRET}"
+signature-key = "%{env:STALWART_WEBHOOK_SECRET}%"
 events = [
     "auth.success",
     "auth.failure",
diff --git a/infrastructure/production/host/stalwart/install.sh b/infrastructure/production/host/stalwart/install.sh
index 1a09db3..416958a 100755
--- a/infrastructure/production/host/stalwart/install.sh
+++ b/infrastructure/production/host/stalwart/install.sh
@@ -24,7 +24,7 @@ HOST_DIR="$(cd "$SCRIPT_DIR/.." && pwd)"
 CONFIG_FILE="${CONFIG_FILE:-$HOST_DIR/config.env}"
 
 PREFIX="/opt/stalwart"
-STALWART_REPO="${STALWART_REPO:-stalwartlabs/mail-server}"
+STALWART_REPO="${STALWART_REPO:-stalwartlabs/stalwart}"
 
 if [[ $EUID -ne 0 ]]; then
     error "Run as root."
@@ -67,7 +67,8 @@ else
 fi
 
 asset_url="$(curl -fsSL "$api" \
-    | grep -oE "https://[^\"]+${target}[^\"]+\.tar\.gz" \
+    | grep -oE "https://[^\"]+/stalwart-${target}\.tar\.gz" \
+    | grep -v foundationdb \
     | head -n1)"
 if [[ -z "$asset_url" ]]; then
     error "Could not find a ${target} .tar.gz asset in ${STALWART_REPO}@${STALWART_VERSION}."