From 4b71b5751f5b47d7fe2711cfe55bdf13bc843fdc Mon Sep 17 00:00:00 2001
From: Ronni Baslund <rhb@vdoc.dk>
Date: Fri, 12 Jun 2026 15:46:31 +0200
Subject: [PATCH] =?UTF-8?q?fix(mail):=20chown=20zpush=20state=20on=20pod?=
 =?UTF-8?q?=20start=20=E2=80=94=20root-owned=20files=20break=20sync?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

A root-run z-push-admin (kubectl exec defaults to root) left a
root-owned 'users' file on the state PVC; Apache runs as www-data, so
every request 500'd with 'Not possible to write to the configured
state directory'. An initContainer now normalizes ownership on every
start (state is disposable, ownership isn't precious), and the docs
say to exec z-push-admin as www-data.
---
 docs/SERVICES.md                                |  7 +++++--
 infrastructure/production/fleet/apps/zpush.yaml | 13 +++++++++++++
 2 files changed, 18 insertions(+), 2 deletions(-)

diff --git a/docs/SERVICES.md b/docs/SERVICES.md
index 8e96b34..1cd61b2 100644
--- a/docs/SERVICES.md
+++ b/docs/SERVICES.md
@@ -184,8 +184,11 @@ curl -k -i -X OPTIONS https://mail.dezky.local/Microsoft-Server-ActiveSync
 curl -k -i -u user@tenant.tld:app-password -X OPTIONS \
   https://mail.dezky.local/Microsoft-Server-ActiveSync
 
-# Per-device sync state
-docker exec dezky-zpush php /usr/share/z-push/z-push-admin.php -a list
+# Per-device sync state. ALWAYS run as www-data — a root-run z-push-admin
+# leaves root-owned state files that 500 every request ("Not possible to
+# write to the configured state directory"). The prod pod has an
+# initContainer that re-chowns the state dir on start as a backstop.
+docker exec -u www-data dezky-zpush php /usr/share/z-push/z-push-admin.php -a list
 ```
 
 ---
diff --git a/infrastructure/production/fleet/apps/zpush.yaml b/infrastructure/production/fleet/apps/zpush.yaml
index 14270ac..19d54c0 100644
--- a/infrastructure/production/fleet/apps/zpush.yaml
+++ b/infrastructure/production/fleet/apps/zpush.yaml
@@ -45,6 +45,19 @@ spec:
       labels:
         app.kubernetes.io/name: zpush
     spec:
+      # Normalize state ownership on every start: Apache/Z-Push runs as
+      # www-data, but anything exec'd as root (kubectl exec z-push-admin,
+      # debugging) can leave root-owned files on the PVC — which 500s every
+      # request with "Not possible to write to the configured state
+      # directory" (bitten 2026-06-12). State is disposable, ownership isn't
+      # precious: just take it back at boot.
+      initContainers:
+        - name: fix-state-ownership
+          image: git.lastcloud.io/ronnibaslund/dezky/zpush:latest
+          command: ["sh", "-c", "chown -R www-data:www-data /var/lib/z-push"]
+          volumeMounts:
+            - name: state
+              mountPath: /var/lib/z-push
       containers:
         - name: zpush
           # CI pins this to the commit SHA at deploy time; :latest is the fallback.