feat: add mail

.sops.yaml

@@ -16,6 +16,7 @@ keys:
 - &keycloak_osh age1ktmx2szedfnpe5xumnzs8vkk0ffqgga6ved3drtksg9pye6ndsnsnqq488
 - &kasen_osh age1fjcafp0j45sz03zq5srnxyq2mujndmn25vceg3wj2cgzymqm73ssmhdgku
 - &logistics_osh age1tkkau8vk5h9dh3kemash4eghn7lk84j0hhpmvvf7j6phgcsm9vmsphv0py
+- &mail_osh age1nxgmdahcjhmtrf7q66jep55cjdcw6tfpw722jr4gytaykgf89ugqxufgyd
 - &kuwubernetes_osh age1q2yjpxlqkfhsfxumtmax6zsyt669vlr9ffjks3dpkjf3cqdakcwqt2nt66
 - &kuwubernetes_cluster age1nmdv4q8hcyj3s6qevrmc9w2vhd4a8tsj5j5e0cry5utex7vqeprslyjvxz
 #- &sakuya_osh age1ehdj6hghtr8sf5s5c03rru4y3a02nwrt694e36tjnd6g7eq4l43qfradn6
@@ -116,6 +117,12 @@ creation_rules:
   - pgp: *pgp_common
     age:
     - *litterbox2_osh
+- path_regex: 'systems/mail/secrets\.yaml$'
+  shamir_threshold: 1
+  key_groups:
+  - pgp: *pgp_common
+    age:
+    - *mail_osh
 - path_regex: 'systems/minecraft/secrets\.yaml$'
   shamir_threshold: 1
   key_groups:

modules/system/access.nix

@@ -49,7 +49,7 @@
           mkGetAddressFor = nameAllowed: addressForAttr: hostName: network: let
             forSystem = access.systemFor hostName;
             forSystemHas = network: forSystem.access ? ${addressForAttr}.${network} || forSystem.access ? address4ForNetwork.${network};
-            err = throw "no interface found between ${config.networking.hostName} -> ${hostName}@${network}";
+            err = throw "no interface found between ${config.networking.hostName} -> ${hostName}@${network} OR disable promtail and prometheus-node-exporter services";
             fallback =
               if nameAllowed
               then lib.warn "getAddressFor hostname fallback for ${config.networking.hostName} -> ${hostName}@${network}" (access.getHostnameFor hostName network)

systems/mail/default.nix

@@ -0,0 +1,24 @@
+_: {
+  imports = [
+  ];
+  arch = "x86_64";
+  type = "NixOS";
+  ci.allowFailure = true;
+  access.online.enable = false;
+  modules = [
+    ./nixos.nix
+  ];
+  network.networks = {
+    tail = {
+      #address4 = "100.78.97.73";
+      #address6 = "fd7a:115c:a1e0::d834:6149";
+    };
+  };
+  exports = {
+    services = {
+      promtail.enable = false;
+      prometheus-exporters-node.enable = false;
+      tailscale.enable = false;
+    };
+  };
+}

systems/mail/nixos.nix

@@ -0,0 +1,21 @@
+{meta, ...}: {
+  imports = let
+    inherit (meta) nixos;
+  in [
+    nixos.sops
+    nixos.ct.meiling
+    nixos.tailscale
+  ];
+
+  services = {
+    prometheus.exporters.node.enable = false;
+    promtail.enable = false;
+  };
+
+  sops = {
+    defaultSopsFile = ./secrets.yaml;
+    secrets.tailscale-key.key = "tailscale-key";
+  };
+
+  system.stateVersion = "23.11";
+}

systems/mail/secrets.yaml

@@ -0,0 +1,53 @@
+tailscale-key: ENC[AES256_GCM,data:cMMm0Ml3k4nKTo5zmK/2jE6x3u6yr5QMR7hPOyT5TfHE5mBK94IldWgSANInyRFMMu+BK8krqjQo/zZO1w==,iv:DvuM0WgpSG/JZR66P/oScfwdVOcb3/MqcBXtrVp82jg=,tag:X8ViyuYcws3luqnKdqZOHQ==,type:str]
+sops:
+    shamir_threshold: 1
+    age:
+        - recipient: age1nxgmdahcjhmtrf7q66jep55cjdcw6tfpw722jr4gytaykgf89ugqxufgyd
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBLdzJoWkVaS0tRY09lSC9U
+            cFBzeFFZVHgzNXhjK3plU0lmaWFBR3dJMFFnCmZhM0RGQ3dVdTVBS2NmeHpPNjlQ
+            MTd6UUtRQjQ4eWxIb2RkRXJXK29zcjAKLS0tIDRlM1hpMGgwL0E4aFVKZ2o5bXlz
+            ODhPcHAzODQzU2xReEdrZGhlL3B0OTgKunVH5uufWivBmKOzjfa3e1QoBmbI7Gez
+            OMe1ROXX/y602d4NuYh7SItX+fJj7tWYHYqos/bckwAwvKNC6zchQg==
+            -----END AGE ENCRYPTED FILE-----
+    lastmodified: "2025-11-16T05:04:17Z"
+    mac: ENC[AES256_GCM,data:NO+2WlrJibhP3FVJ8wQvilnb0FfUcEZv+WTLuxHpibfQxsufSiHtem3zUsfOxaBlSLWtLaavqAwgEMNcJD/Zgr58/DY5qtDpG5Zfnma7wBwqqEwQhDmjipcz08KcYIGlAF/u2ReTZf0oHhBjjGIPJIstIZSWgKzQI7HpT/064/E=,iv:+G5o52+RX57OEBGyp925U0Z7gs9021GEZGNsYYdCU4k=,tag:NiwoNKCgyRN7WmUYgCf1YQ==,type:str]
+    pgp:
+        - created_at: "2025-11-16T05:13:03Z"
+          enc: |-
+            -----BEGIN PGP MESSAGE-----
+
+            hQIMA82M54yws73UAQ//dOvbM+VVwxJLG2XbtmtwMMy7FHi9M0xAOx1wiv9UE5Qo
+            zxw3jfSfH2trf/ODvKy3Rh04KlNfLs6BTODpTcdUjwEEf3su4fLzdxN2E9D/VaM1
+            VzwWbAmX+66OidMwwewTqGJWP/8wPL6LkOPYt4HhMUr3Ohw22XFTTfzHyocjXGh/
+            YJ4zSPae95p8DoUte7vc3kAmg2ofqA6nTPQOMl4ifQ+351u+L22wlEufV35CycsG
+            zt3jEKWaX9uo9sp7zAw1vxcNnIOEy9agLSjYvhuU50AGRPtRzVwYNYE4EJYh3iO/
+            aAsz6KnhyKHmrY0JQ/uXSMKX7g33m+iqlp1JDuueXGBqdibxvW99uP01Nqb6tdUQ
+            MxeRKYuLTUnrYHnLDayblK6Z7H9SWcEPuBpgFEC+gmZRsOx6bEIibsyuwLRsWG+M
+            VcAl9rsQeMhfRGZ3wPV5AeMTmngNqtYGdehYT4OHHNI+McBwh2HbtnhVglarrimH
+            XAZqjErN16oYaTYRUtxePYnIa5SkNAstUDInW/0qlfEp9xdq/QCeB4MqTYyXIOuT
+            bFwlI68qm89MMvK/jqYpzyPHwJuv3QRBM20TQKp618y+ESJIwVZwGcMXeq4bDpm8
+            oxEOW0QxOvq6jVdYJeCJgzv2pPFlw3N5/xw/OxGFgzHEvSoEhMtkYc0CPPF1IpfS
+            XgHaeUi/Igbb5DF/fj8bTouM2ZylxOGC0DrJMx3L5z80arWNFHQNORj+NXhhWCyZ
+            dyHjcbC9zVZiOyj2eDgKxWyDqVtobdc65VVsMAd5cmDdWMh1gYj+JG0Wb0Uur9I=
+            =tNO1
+            -----END PGP MESSAGE-----
+          fp: CD8CE78CB0B3BDD4
+        - created_at: "2025-11-16T05:13:03Z"
+          enc: |-
+            -----BEGIN PGP MESSAGE-----
+
+            hQEMA2W9MER3HLb7AQf+ILr4cA4jxea27/pLjU9DkFoJat2Mi1oxbf+sM7zm4LWa
+            DykNDUhgJJdgC/8E0ziWnwnxREUxcxy5nEYwoxq8tGYh/Ct3s6Bnyg1kqCvF5Tvf
+            6Uo3znA0endVOOlCNCGT14VnModQhCzyG4gzj7xbYBRvreLg0HNjotTFv3ubdo1T
+            CmGkODuotB/mZv0SV0nIYeoiVheIvzqOyByQ8KIF4sjESN5zulHZT3C1ZkD7zbsS
+            nYZIkPOl4pNjjCRJ3ObjJTSsFThIq5HoeUgVc0SGA+5sdiF7CEHbZ6ApLgQhG8QI
+            XlPvvYs2E4ctczg3FAVvZX7UsEDdULOo1CTFsNoTV9JeAWjzIHofqqnhszrJDGdE
+            0Ifw6YMJhhvO9IFAb5PdQ2zC2JQRvMXvmC22Fuyn5taGK85vXNi8rIsPERNmCFpx
+            Rqm8teAo4u++CsrWTx1zeCKVlGzWjBJDX5GWNc3ihg==
+            =Zvuq
+            -----END PGP MESSAGE-----
+          fp: 65BD3044771CB6FB
+    unencrypted_suffix: _unencrypted
+    version: 3.11.0