Mail to [email protected] / [email protected] (and any unlisted lyte.dev address) was being rejected 550 mailbox does not exist — e.g. a Spotify mail to oliver@ bounced. There was no alias or catch-all for them, and the module doesn't manage accounts (user data), so this was config drift waiting to happen.

What this adds (declarative, ensured on every stalwart-apply)

• accountAliases — extra aliases ensured on an account's aliases (a list<EmailAlias>). Configured: daniel gets dax@/oliver@.
• catchAllAddress — sets Domain.catchAllAddress so any otherwise-unmatched lyte.dev address is delivered to daniel. Subsumes the explicit aliases; the tradeoff is accepting spam to bogus addresses (spam filter still routes most to Junk).

Both run in stalwart-apply with admin creds, are idempotent, and survive a DB rebuild (the whole point — like the trusted-domain rule that silently vanished before).

0.16 management-API format notes (the fiddly part)

• An account's aliases are list<EmailAlias> where EmailAlias = {enabled, name, domainId, description?}; name is the local part (+ domainId forms the address).
• The patch encodes the list as an index-keyed map ({"0":{…},"1":{…}}), not a JSON array.
• An empty name is rejected, so the catch-all is NOT an empty-name alias — it's the separate Domain.catchAllAddress field.

Verified live (SMTP RCPT against the MX, no actual delivery)

🤖 Generated with Claude Code

Reworked from the initial narrow denylist (Samba/arr/k3s) to default-deny: non-dragon LAN clients can only reach an explicit allowlist (router-forwarded public ports + UniFi/mDNS); everything else — Samba, MQTT, and any future service — is dropped. Future-proofs against new services being silently LAN-exposed.

Verified live on beefcake from a non-dragon LAN source:

• Samba 445 → BLOCKED ✓ · MQTT 1883 → BLOCKED ✓ · WSD 5357 → BLOCKED ✓
• HTTPS 443 → open ✓ · SSH 22 → open ✓ (both internet-forwarded anyway)
• dragon .0.10 → Samba/MQTT open ✓ (full access)

IPv4 only (dragon's v6 is SLAAC; guest VLAN closes v6 at L2). SSH stays open because it's WAN-forwarded — say the word if you also want it locked to dragon/tailnet (would mean dropping the router's :22 forward too).

Interim LAN hardening ahead of the isolated guest VLAN (which needs a UniFi SSID tag — pending controller creds).

Problem

WiFi clients currently share the untagged LAN with wired gear, and beefcake opens several sensitive services on all interfaces: Samba (445/139), the *arr stack (9876/9877), and the k3s API/kubelet (6443/10250). A guest on the main WiFi could reach any of them.

What this does

Drops LAN access to those ports unless the source is dragon (192.168.0.10, MAC-reserved bastion). Per design:

• tailnet (headscale) is the primary admin path and is fully untouched — these rules only match the eno1 (LAN) interface, never tailscale0.
• dragon is the LAN fallback — you hop through it for direct LAN admin when the tailnet is down.
• SSH (22), web (80/443, SSO-gated), mail, and game-server ports stay open on the LAN.
• IPv4 only: dragon's LAN v6 is SLAAC (unstable), so locking v6 risks breaking dragon via happy-eyeballs. The residual v6 gap is closed properly by the guest VLAN (L2 isolation, both protocols). Samba discovery is v4/mDNS, so the casual-guest hole is closed.

Reversible: pure firewall extraCommands; remove the import + redeploy to revert.

Verified live on beefcake

🤖 Generated with Claude Code

Comments out the meshtasticd.nix + mmrelay.nix imports so only the Mosquitto broker is active. The other two depend on secrets that are still placeholders (meshtastic-channel-url, mmrelay-credentials); enabling them now would fail-loop (meshtasticd-provision errors on the placeholder --seturl, mmrelay crash-loops on bad Matrix creds).

Already deployed to beefcake (broker-only) — mosquitto is active and listening on 1883. This PR brings main in line with what's deployed so a future deploy doesn't re-enable the broken units.

Re-enable by uncommenting the two imports once meshtastic-channel-url + mmrelay-credentials are filled in sops (and an unencrypted Matrix room + bot exist).