Symbiosis: It's too easy to break Exim by changing ssl certificate ownership.
Pretty much everything in /srv/ is owned by admin:admin, so it's tempting to run something like "chown -R admin:admin /srv". The problem is that Exim certificates lie in /srv//config/ssl/sets and Debian-exim (the user that runs Exim) is not a member of the admin group, so this is an awkward fact to learn and remember.
It might be better if the certificates were managed in /etc/ssl - from where they are currently, and tortuously symlinked.
Alternatively, if issue 38 https://gitlab.bytemark.co.uk/open-source/symbiosis/issues/38 is implemented, then I've made a suggestion for managing these certs.