diff --git a/hosts/cube/default.nix b/hosts/cube/default.nix index 7f799a5..97b57ef 100644 --- a/hosts/cube/default.nix +++ b/hosts/cube/default.nix @@ -8,13 +8,13 @@ time.timeZone = "Europe/Amsterdam"; - users.users.root.passwordFile = config.age.secrets."cube.password.hash".path; + users.users.root.passwordFile = config.age.secrets."cube.rgb.password.hash".path; users.users.rgb = normalUser { description = "RGB"; extraGroups = [ "wheel" ]; openssh.authorizedKeys.keys = [ keys.rgbcube ]; - hashedPasswordFile = config.age.secrets."cube.password.hash".path; + hashedPasswordFile = config.age.secrets."cube.rgb.password.hash".path; }; }) diff --git a/hosts/cube/mail.nix b/hosts/cube/mail.nix index 720fd79..59aadfe 100644 --- a/hosts/cube/mail.nix +++ b/hosts/cube/mail.nix @@ -5,6 +5,18 @@ let fqdn = "mail.${domain}"; in serverSystemConfiguration { + services.prometheus.exporters = { + dmarc = enabled { + imap.host = domain; + imap.passwordFile = config.age.secrets."cube.mail.password".path; + imap.username = "contact@${domain}"; + }; + + dovecot = enabled {}; + postfix = enabled {}; + rspamd = enabled {}; + }; + mailserver = enabled { inherit fqdn; diff --git a/hosts/cube/nginx.nix b/hosts/cube/nginx.nix index 182686a..d42bcaf 100644 --- a/hosts/cube/nginx.nix +++ b/hosts/cube/nginx.nix @@ -3,7 +3,14 @@ serverSystemConfiguration { networking.firewall.allowedTCPPorts = [ 80 443 ]; + services.prometheus.exporters = { + nginxlog = enabled {}; + nginx = enabled {}; + }; + services.nginx = enabled { + statusPage = true; + recommendedGzipSettings = true; recommendedOptimisation = true; recommendedProxySettings = true; diff --git a/hosts/cube/prometheus.nix b/hosts/cube/prometheus.nix new file mode 100644 index 0000000..51832f7 --- /dev/null +++ b/hosts/cube/prometheus.nix @@ -0,0 +1,9 @@ +{ ulib, ... }: with ulib; + +serverSystemConfiguration { + services.prometheus = enabled { + exporters.node = enabled { + enabledCollectors = [ "systemd" ]; + }; + }; +} 
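Review bot: After this rename root's `passwordFile` and rgb's `hashedPasswordFile` both read `cube.rgb.password.hash`, so root has a direct password login that is identical to the wheel user's. Since rgb can already escalate through `wheel`, consider giving root no usable password, e.g. `users.users.root.hashedPassword = "!";`, or its own secret, so that the root account has no password path of its own to guard. The root line also still uses `passwordFile`, which newer NixOS releases rename to `hashedPasswordFile` (already used for rgb a few lines below); using the same option on both keeps them consistent. The enclosing configuration block starts and ends outside the hunk.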
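Review bot: The dmarc exporter is handed the IMAP password of `contact@${domain}`, so a monitoring service gets full read access to what looks like a general contact mailbox. A dedicated mailbox that only receives DMARC aggregate reports would limit what a compromised exporter can read. The `age.secrets."cube.mail.password"` declaration is not in this hunk; it has to exist, and because agenix secrets are root-only by default its owner or mode must let the exporter's service user read the file unless the module reads it with elevated privileges, which is worth confirming. The serverSystemConfiguration block continues outside the hunk.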
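Review bot: `nginxlog = enabled {};` passes no settings, so from what is visible here the exporter has no access-log path or log format to parse; it needs a `settings` block naming the log source, and its service user needs read access to nginx's log files. `statusPage = true` pairs with the `nginx` exporter, and as far as I know NixOS restricts that stub_status location to localhost, which deserves a one-line comment such as `# stub_status on localhost only, scraped by the nginx exporter`. The services.nginx block continues outside the hunk.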
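Review bot: `services.prometheus = enabled { ... }` starts the Prometheus server with no `scrapeConfigs` visible and, by default, a listener on all interfaces with no authentication, so only the firewall (ports 80 and 443 opened in nginx.nix) keeps it and the exporters private. Binding explicitly, e.g. `listenAddress = "127.0.0.1";` on the server and on each exporter here and in mail.nix and nginx.nix, removes that dependency on the firewall staying enabled. Unless scrape jobs are defined in another file, the exporters enabled by this commit are never collected.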
diff --git a/secrets/cube.mail.password.age b/secrets/cube.mail.password.age new file mode 100644 index 0000000..77bc291 Binary files /dev/null and b/secrets/cube.mail.password.age differ diff --git a/secrets/cube.password.hash.age b/secrets/cube.rgb.password.hash.age similarity index 100% rename from secrets/cube.password.hash.age rename to secrets/cube.rgb.password.hash.age diff --git a/secrets/secrets.nix b/secrets/secrets.nix index 10cad13..f0d3f02 100644 --- a/secrets/secrets.nix +++ b/secrets/secrets.nix @@ -5,7 +5,8 @@ rec { }; "acme.age".publicKeys = [ keys.cube ]; - "cube.password.hash.age".publicKeys = [ keys.cube ]; + "cube.rgb.password.hash.age".publicKeys = [ keys.cube ]; + "cube.mail.password.age".publicKeys = [ keys.cube ]; "cube.mail.password.hash.age".publicKeys = [ keys.cube ]; "cube.id.age".publicKeys = [ keys.rgbcube ]; "enka.said.password.hash.age".publicKeys = [ keys.rgbcube ];