I am not using cntools, but you don’t need the cold key on the block producer, so I assume it is fine. But I still don’t understand why cold.skey is there, it should only be on the cold machine, it should never be on a server. I assume it is there for commodity when rotating the kes keys and the operational certificate.
The read-only files are ok (400) if they belong to the user running the cnode service. It is even better to be read-only and only readable by that user.
Yes, the counter file needs to be read-write before the kes rotation, I assume cntools are making it read-write before generating the operational certificate, then read-only again.
However, since the Vasil Hard Fork, the counter needs to be exactly 1 more than the counter used when minting the last block (or 0 if the pool never minted a block), and I understand from people using cntools that the counter for the next operational certificate can be given by them when generating it. The counter file can be generated with carano-cli, there is a subcommand for that.