fix(mail): chown zpush state on pod start — root-owned files break sync

A root-run z-push-admin (kubectl exec defaults to root) left a
root-owned 'users' file on the state PVC; Apache runs as www-data, so
every request 500'd with 'Not possible to write to the configured
state directory'. An initContainer now normalizes ownership on every
start (state is disposable, ownership isn't precious), and the docs
say to exec z-push-admin as www-data.

infrastructure/production/fleet/apps/zpush.yaml

@@ -45,6 +45,19 @@ spec:
       labels:
         app.kubernetes.io/name: zpush
     spec:
+      # Normalize state ownership on every start: Apache/Z-Push runs as
+      # www-data, but anything exec'd as root (kubectl exec z-push-admin,
+      # debugging) can leave root-owned files on the PVC — which 500s every
+      # request with "Not possible to write to the configured state
+      # directory" (bitten 2026-06-12). State is disposable, ownership isn't
+      # precious: just take it back at boot.
+      initContainers:
+        - name: fix-state-ownership
+          image: git.lastcloud.io/ronnibaslund/dezky/zpush:latest
+          command: ["sh", "-c", "chown -R www-data:www-data /var/lib/z-push"]
+          volumeMounts:
+            - name: state
+              mountPath: /var/lib/z-push
       containers:
         - name: zpush
           # CI pins this to the commit SHA at deploy time; :latest is the fallback.