persist zulip

ssl port email?
add tls (I don't know how this works)
2026-01-12 19:09:27 +01:00 · 2026-01-12 18:01:52 +01:00 · 2026-01-12 17:46:49 +01:00 · 2026-01-12 17:37:55 +01:00 · 2026-01-12 17:35:38 +01:00 · 2026-01-12 16:31:58 +01:00
17 changed files with 96 additions and 51 deletions
--- a/machines.nix
+++ b/machines.nix
@@ -77,9 +77,7 @@
      # BROKEN
      # zulip chat client
      # chat.domain
-      # zulip chat server
-      # zulip.domain
-      # ./modules/nixos/zulip.nix
+      ./modules/nixos/zulip.nix
    ];
  };
 }
--- a/modules/nixos/mailserver.nix
+++ b/modules/nixos/mailserver.nix
@@ -2,10 +2,14 @@
  mailserver = {
    enable = true;
    stateVersion = 3;
+
+    # domain bs
    fqdn = "mail.${config.networking.domain}";
    domains = ["${config.networking.domain}"];
    x509.useACMEHost = config.mailserver.fqdn;
+
    loginAccounts = {
+      # test acc
      "test@${config.networking.domain}" = {
        hashedPasswordFile = builtins.toString config.age.secrets.mailserver-acc-test-pw.path;
      };
@@ -15,6 +19,17 @@
      };
    };
  };
+
+  # put dkim key into /etc for declarability
+  mailserver.dkimKeyDirectory = "/etc/dkim";
+  environment.etc."dkim/${config.networking.domain}.${config.mailserver.dkimSelector}.key" = {
+    source = config.age.secrets."dkim-${config.networking.domain}.${config.mailserver.dkimSelector}.key".path;
+    mode = "600";
+    user = config.services.rspamd.user;
+    group = config.services.rspamd.group;
+  };
+
+  # does acme for me
  services.nginx = {
    enable = true;
    virtualHosts = {
@@ -28,9 +43,12 @@
    acceptTerms = true;
    defaults.email = "mtgmonket@gmail.com";
  };
+
+  # persist directories per the backup guidelines
  environment.persistence."/persist" = {
    directories = [
-      "/var/dkim"
+      # not needed bc the dkim dir is declared
+      # "/var/dkim"
      "/var/vmail"
      "/var/lib/redis-rspamd"
      "/var/lib/acme"
--- a/modules/nixos/zulip.nix
+++ b/modules/nixos/zulip.nix
@@ -8,25 +8,47 @@
    # host domain
    host = "chat.${config.networking.domain}";

-    # secrets
+    # secrets; head rolled on keyboard for all :)
    camoKeyFile = builtins.toString config.age.secrets.zulip-camoKey.path;
    rabbitmqPasswordFile = builtins.toString config.age.secrets.zulip-rabbitmqPassword.path;
    secretKeyFile = builtins.toString config.age.secrets.zulip-secretKey.path;
    sharedSecretKeyFile = builtins.toString config.age.secrets.zulip-sharedSecretKey.path;
    avatarSaltKeyFile = builtins.toString config.age.secrets.zulip-avatarSaltKey.path;
-    extraSecrets = {
-      email_password = builtins.toString config.age.secrets.zulip-extraSecrets-email_password.path;
-    };
+
+    # TODO check for parity with `mailserver-acc-admin-pw.age`
+    extraSecrets.email_password = builtins.toString config.age.secrets.zulip-extraSecrets-email_password.path;

    # settings
    zulipSettings = rec {
-      EMAIL_USE_TLS = true;
-      EMAIL_PORT = 587;
+      # email users
+      ZULIP_ADMINISTRATOR = "admin@${config.networking.domain}";
+      EMAIL_HOST_USER = ZULIP_ADMINISTRATOR;
+
+      # configure mailserver port
+      EMAIL_HOST = config.mailserver.fqdn;
+      EMAIL_USE_SSL = true;
+      EMAIL_PORT = 465;
+
+      # setting to allow realm creation; probably unsafe, might delete later :3
+      OPEN_REALM_CREATION = true;
+
+      # send all noreply emails from `admin@galaxious.de`
+      # TODO configure admin to send from any address
      ADD_TOKENS_TO_NOREPLY_ADDRESS = false;
      NOREPLY_EMAIL_ADDRESS = ZULIP_ADMINISTRATOR;
-      OPEN_REALM_CREATION = true;
+
+      # domain name
      EXTERNAL_HOST = config.services.zulip.host;
-      ZULIP_ADMINISTRATOR = "admin@${config.networking.domain}";
    };
  };
+  # persist
+  environment.persistence."/persist".directories = [
+    # messages
+    "/var/lib/rabbitmq"
+    # uploads
+    "/var/lib/zulip"
+
+    # contrived, but in the store a couple layers down
+    # "/var/lib/redis-zulip"
+  ];
 }
--- a/pub-keys.nix
+++ b/pub-keys.nix
@@ -1,10 +1,11 @@
 {
  age.secrets = {
    andromeda-pw.file = ./secrets/andromeda-pw.age;
+    "dkim-galaxious.de.mail.key".file = ./secrets/dkim-galaxious.de.mail.key.age;
    mtgmonkey-pw.file = ./secrets/mtgmonkey-pw.age;
    mailserver-acc-test-pw.file = ./secrets/mailserver-acc-test-pw.age;
    mailserver-acc-admin-pw.file = ./secrets/mailserver-acc-admin-pw.age;
-    "mailserver-acc-zulip+admin-pw".file = ./secrets + "/mailserver-acc-zulip+admin-pw.age";
+    "mailserver-acc-zulip+admin-pw".file = "${./secrets}/mailserver-acc-zulip+admin-pw.age";
    zulip-avatarSaltKey.file = ./secrets/zulip-avatarSaltKey.age;
    zulip-camoKey.file = ./secrets/zulip-camoKey.age;
    zulip-extraSecrets-email_password.file = ./secrets/zulip-extraSecrets-email_password.age;
@@ -16,7 +17,7 @@
    ssh = {
      andromeda = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJy2VD362wUcu0lKj2d6OIU8dbAna0Lu/NaAYIj8gdIA andromeda@lenovo";
      lenovo = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIHG4eqsLTq2os2mxfwhys3BpVnowcJrqt2CbRFzN2pJb root@lenovo";
-      _109-199-104-83 = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAINlpE7T8kvfbDtVRpnkr33EVjBkU+yF2IQPbzkbNVFF3 root@109-199-104-83";
+      _109-199-104-83 = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIBH5TA6Br8K4xTjD5YcXQDh4UQSvuE0lEs1UxUytDiAn root@109-199-104-83";
    };
  };
 }
--- a/secrets/andromeda-pw.age
+++ b/secrets/andromeda-pw.age
@@ -1,7 +1,8 @@
 age-encryption.org/v1
-> ssh-ed25519 mT2fyg K7kzILfWN/0BDwr0a2oGiuc3kROPhW79nEFs4Fqm7Uw
-LvTmIvmmBOKsW3wYxI58arafExAaX/VWIjCZ0v9i28Y
-> ssh-ed25519 UHxfvA FB8alLQWDkoRqIM6l4D39Ty+Wc318JZyjLTthXCIL0s
-QNAOXZq10TaofYpDflKbywJpQTmzq8lZJEoa6Say+s4
--- 9qhHzZQfZFT95v5M2GQHP4ZoAwY8Ba7veV/PRvTX2tQ
-<EFBFBD>t<EFBFBD>]<13><><EFBFBD><EFBFBD><EFBFBD>Q<EFBFBD><51>f&<26><><EFBFBD><EFBFBD>W<EFBFBD>c<7F>c<EFBFBD>ά^,<2C>8S<38>2<EFBFBD>iKX<4B><58><EFBFBD><EFBFBD><EFBFBD><12><><0B>KB5<42><35>W6<57>*<2A><><EFBFBD><EFBFBD>:,<2C><><EFBFBD><EFBFBD><05>k<EFBFBD>Êo<C38A>u3<75><33><EFBFBD>;<1D><><EFBFBD>E<EFBFBD>Ti<54>9&*o<>q<06>'q<>B
+-> ssh-ed25519 mT2fyg ixFM7swaItfNnTRVSdTm1wZJ8lHUv7tDOgSXo1OpgCc
+lf8/ChfcpgYkK8mTS9Zk++toOu0KNh88S+Lqu4a0UIw
+-> ssh-ed25519 UHxfvA hbsRwdzU1IP3K/gH0btUOQ8hZer8Kgq+RqzcEVrCqTE
+iSVh+yeypHoalRhaRM2XMlBvtO8HCyatDnWgUyC3GWU
+--- hcs6DJZRvjoKDPI/cjUXRfM7+06PNJvWqjkvJof/bSs
+Bo<1A>p<EFBFBD>Qlg-<2D>\<5C>=ƙ	ڼ<0B><><1E><>sv<13><>~<7E><>O<EFBFBD><4F>{Rx<1E>IErô<>s<EFBFBD>1<1F><>v<EFBFBD><76><EFBFBD>:<<3C>
+i<EFBFBD><EFBFBD><EFBFBD>1<EFBFBD>v<0E><03>K<EFBFBD><4B><07><16><>*<2A> |<7C> <20><><EFBFBD><EFBFBD><EFBFBD>5[{<7B>\<5C>
--- a/secrets/dkim-galaxious.de.mail.key.age
+++ b/secrets/dkim-galaxious.de.mail.key.age
--- a/secrets/mailserver-acc-admin-pw.age
+++ b/secrets/mailserver-acc-admin-pw.age
--- a/secrets/mailserver-acc-test-pw.age
+++ b/secrets/mailserver-acc-test-pw.age
--- a/secrets/mailserver-acc-zulip+admin-pw.age
+++ b/secrets/mailserver-acc-zulip+admin-pw.age
@@ -1,9 +1,10 @@
 age-encryption.org/v1
-> ssh-ed25519 mT2fyg FHuYkPGH3UL3O34LIx8cDhJIWfskCN7UVG3AdWiKg1o
-eR7vCHJDwKKM046yFTZ+ZNjGGEo4/OiYWGxME7Px30g
-> ssh-ed25519 UHxfvA 7mvZu454XNEa23FzE8QQ5vIfl2PTixieAhwtjS2kKBM
-nX+3S24PR5ymH6XYbITgNG3AS98OzkVYs0b2tcEkpYE
-> ssh-ed25519 j/PduQ ivvo7z0GMBIeApn1fSNkrKBAI9vrzV3kOshH9KTRCkg
-G1qrQfYKoaYyFXplnr7itkU9fT7SEe96UuWGYz5qoak
--- cifQaIuyTN6u6GWRVqui2qjQqQSYgEYKJlFY1g54y78
-<EFBFBD><EFBFBD><EFBFBD>V1;<19>ki<6B>bڸ<62>g<><67><EFBFBD>n6.<2E>N<EFBFBD>RR <20><06>g<EFBFBD>|yP<1B>ѾPRfq'<08><>F%<25><>a"l<1D>;<3B>+<2B>M<EFBFBD><4D><EFBFBD><EFBFBD>v<EFBFBD><76><EFBFBD><EFBFBD><0E>&<26><><EFBFBD><EFBFBD>P<EFBFBD><0B>#<23><><EFBFBD>
+-> ssh-ed25519 mT2fyg sRu0FIphSJVMBcC02mo1YuZdy3i2+/jMeN3ROvxp4kM
+sEwx23t3IAauISKesq+110ZKRKxQv3Zesd0AJufYOLs
+-> ssh-ed25519 UHxfvA +YaJGPRT7nX2CqVzw1ixNLpW7MfzEnj44pSwj4iUwhI
+E2U6Q+4uesNCWK7uVSztrA84TU/n/xLFm3PJH0hO/EM
+-> ssh-ed25519 yXDKAA V2kygl0BK/oYpKnnheslBO2YqXFdQWFgtqfmDNdgolc
+NpJNN4nfrbgOav8Y38C9DwKFZH+QTRp/US/8kyo9m0o
+--- LdqtfywtHOAy3AZ7AexZU0TJMU/ugq+ZYN07706rNxY
+<EFBFBD>
+U$<24>Ap<>nG<6E>Neɕ<65>u<EFBFBD>y`!<21>ʤ<EFBFBD><CAA4><EFBFBD>f;ipv<70>Y<EFBFBD><59>V_3<5F><33>N+<06><><EFBFBD>k#<23>{<7B><><EFBFBD><EFBFBD><EFBFBD>W<EFBFBD>*<2A>n(<28><0F><03><><14><>ջG6<47><36>݈yc`<60><>q<EFBFBD>:$K]?͗b=<3D>'<27>^<5E>9
--- a/secrets/mtgmonkey-pw.age
+++ b/secrets/mtgmonkey-pw.age
@@ -1,8 +1,7 @@
 age-encryption.org/v1
-> ssh-ed25519 mT2fyg vJUroogm1lL+g4D9kPvaKXwHLtQ9I0pM6SWDzuYji0o
-dRsKh5Z4E7gOSI5GDwe2Qh6H81oSh3LuF0jSWyERpZ4
-> ssh-ed25519 UHxfvA Cxh3+rMnMw0r8wVyLqdItC3/uNtmlR5r/q4fsnFRKyc
-EtR9sbq5heOxg+ldMRld9KDhruEhsly2HMUvVR8Sy5I
--- cIUB+TgDOllwLTG0XZbnV0AzV80SPzP9L6/HJAK1x8g
-<EFBFBD>	9<15>S[<5B><><1C><>Q<7F>,<2C>Z<EFBFBD>Pr<><EFBFBD><EFBFBD>"<EFBFBD><EFBFBD><EFBFBD><EFBFBD>L<0F><><EFBFBD><01>F$<24><>vs<76>-پ<><D9BE>&<26>T<EFBFBD><0B>
-<08>[<1C>콟4h$<24><>Ֆ<EFBFBD>:<3A><><EFBFBD><EFBFBD>k<EFBFBD><6B><EFBFBD>?<3F>1~<7E><><EFBFBD>MO±W'T<><54><EFBFBD><EFBFBD>
+-> ssh-ed25519 mT2fyg WZNwnBmikWIb4rlH89iIQHouM7cw07/E/KXz/AVv3V8
+FxLaO1zM0aGztJAsq+lgrM8gFogKY76Wcs1vYxhA19g
+-> ssh-ed25519 UHxfvA YIpS5r25kHVJtG3+kDVUvAPyTKDsRPG/jHwXmiD44SA
+FKAmC669aQzSbjBjbQbzCixdqnCXnb/JJRQo2MgEZgw
+--- xvwJ5oYHR3T1D44fl/aeAVjZglnKhq0JKZr9YecC3EE
+<EFBFBD>ow<6F>M<EFBFBD><4D><EFBFBD><EFBFBD>{<7B>8<EFBFBD>m<EFBFBD>$/<2F>1<EFBFBD><1A>0<EFBFBD>ts<74><73><EFBFBD>X<EFBFBD><EFBFBD><1D><><EFBFBD><EFBFBD><EFBFBD>Cד<EFBFBD><EFBFBD><EFBFBD><EFBFBD>\<13>h<>-}<7D><>E,<2C> <20><><1E>,dxdX<>TAk<41><6B><18>
--- a/secrets/secrets.nix
+++ b/secrets/secrets.nix
@@ -8,6 +8,9 @@ in {
  "andromeda-pw.age".publicKeys = [andromeda lenovo];
  "mtgmonkey-pw.age".publicKeys = [andromeda lenovo];

+  # dkim private keys
+  "dkim-galaxious.de.mail.key.age".publicKeys = [andromeda lenovo _109-199-104-83];
+
  # mail account passwords
  "mailserver-acc-test-pw.age".publicKeys = [andromeda lenovo _109-199-104-83];
  "mailserver-acc-admin-pw.age".publicKeys = [andromeda lenovo _109-199-104-83];
--- a/secrets/zulip-avatarSaltKey.age
+++ b/secrets/zulip-avatarSaltKey.age
--- a/secrets/zulip-camoKey.age
+++ b/secrets/zulip-camoKey.age
@@ -1,9 +1,10 @@
 age-encryption.org/v1
-> ssh-ed25519 mT2fyg PuSf5leyB85HuKWlMJkL8v18NUbDBXHBlVrm5EEhHCo
-afWMNlJAsnTFbQhWHWZWDisgPxTIMYNUQEPt6w/S76g
-> ssh-ed25519 UHxfvA 0yY6R0w5on+k2TgrAAfkr3BhVpBymkdzOlNn1vwX7Xc
-U+Xoitf7/bbzrLLkCA8um2Alozrc0kGUPUviIeSC2hs
-> ssh-ed25519 j/PduQ KxUHl7qP4hqZB9bT+M4XdqIY3EptkK++/z1cZ5T/p3I
-h+eFBGLtmq7ZFuYLsqexEDNv1eKorJxldTitZ4DozNs
--- 8WLobgK1wezG9DNZymCRfhpQGwuSvpdkbcoHF51cpA8
-<EFBFBD>Cv<EFBFBD>?O<>g<EFBFBD>JO<4A><4F><0C>TԾw<D4BE>J=[<5B><><1F>70<37>2yȇ<79><C887><EFBFBD><EFBFBD><08>L<EFBFBD><EFBFBD>
+-> ssh-ed25519 mT2fyg 5ADzKAtycqfFpqW/dp71FTaK2gchzdWFNqxPyZ6deSY
+aISA4YwF1l9S0fmE84wOvAJpM221bwPDYvXELTVv9k
+-> ssh-ed25519 UHxfvA uKYcpPbaXA4r1OmlkuiIu/EqQ3IiHR7JpItnVgTaW2g
+LjySgI4mTlaZY81IJc6DmBh43l2qeGlQnZi+rOlbtb8
+-> ssh-ed25519 yXDKAA TMwoM06ZJsjkZ7eLguxqYB05jcRn+tTgVzE7WQIf0mw
+vKwCkWsywGsgVv6Y278Mi28MhCYBRRUnfg4+EouOw+0
+--- CScrim9wya9AhElXBtKBR3XBZDL83/g3MTfdF258GJ8
+K#<23>>8}c<><EFBFBD><7F>}8<><38>L<04>(<28><>c<EFBFBD><EFBFBD>
+<EFBFBD>w1<EFBFBD>"O<><4F>
--- a/secrets/zulip-extraSecrets-email_password.age
+++ b/secrets/zulip-extraSecrets-email_password.age
@@ -1,9 +1,10 @@
 age-encryption.org/v1
-> ssh-ed25519 mT2fyg BRDLpeTvLv4+ihpbdRXz/9wT/SflL0tIM/LSAtXI3RM
-ko6h87bR5hc9XH6L+ZRhZAofIowOvptdpMbIzPS26TI
-> ssh-ed25519 UHxfvA hN+tfjFVpQKtulo3CAfN1ZGeWpzMjRuBnmHHJmCgBV4
-q9B8xAsmSi1sYK4cKPDzbsLWgJdng3danwLVzJbOKzQ
-> ssh-ed25519 j/PduQ 65bPOqJKXgd9O0gERvsOiZ06GD5JujTmvb/KKbRO8nQ
-ansPGNwM1u8h7AvDcbRDy4K06BCPjLrv1laIFJxDvCI
--- EV6qlEPbG1vcr6xfhllXVWa28J8Lp2ojQacdcfsNXLk
-<EFBFBD>Y<04>._<><5F><EFBFBD>^<06>]<5D><>|<7C><>X@<08>=<3D>{T<>2<EFBFBD><32>IĂ<>_<EFBFBD><5F>+<2B><><EFBFBD>
+-> ssh-ed25519 mT2fyg IOcD4r19Gx2AvjusnnJDHQXr/U4Ti6qKr01I9lNQDQE
+fCwouMQPvhkyzehszuv0YhSfNh9zGKaFNDKaTZT0rD0
+-> ssh-ed25519 UHxfvA e95raPehUz6T2FR/eT8kzfrxt/Ou6kKsqi7z/3BkfwU
+uHymqnY3t7IwpxWkN8xen3Vsy6R7VMoj+fR0zPnPinY
+-> ssh-ed25519 yXDKAA nlR1prGysW+k8gq2npEiboFqoo9jKQ5ISxRiiCFlb0s
+kaGOvlQgO0nOAl12mMKvafa9ezmy8XdUC2tVPuBG4iw
+--- MRFAGURoyediqNSjGxr57a0w6n9lH2zVjfyrUZcyAYw
+
+z<EFBFBD>0
--- a/secrets/zulip-rabbitmqPassword.age
+++ b/secrets/zulip-rabbitmqPassword.age
--- a/secrets/zulip-secretKey.age
+++ b/secrets/zulip-secretKey.age
--- a/secrets/zulip-sharedSecretKey.age
+++ b/secrets/zulip-sharedSecretKey.age
Author	SHA1	Message	Date
andromeda	b25ce469b6	persist zulip	2026-01-12 19:09:27 +01:00
andromeda	d2d370442b	ssl port email?	2026-01-12 18:01:52 +01:00
andromeda	e05c9fe5a5	add tls (I don't know how this works)	2026-01-12 17:46:49 +01:00
andromeda	c1d8b4dff3	use non-tls ssl? [fix typo]	2026-01-12 17:37:55 +01:00
andromeda	a7e65a0943	use non-tls ssl?	2026-01-12 17:35:38 +01:00
andromeda	d2e95f2fb8	add EMAIL_HOST_USER?	2026-01-12 16:31:58 +01:00
andromeda	9b0944223f	fix typo	2026-01-12 16:19:37 +01:00
andromeda	bea6414758	actually add zulip module	2026-01-12 15:45:38 +01:00
andromeda	90ad40e207	fix zulip?	2026-01-12 15:41:06 +01:00
andromeda	803bc95317	fix dkim perms?	2026-01-12 14:26:35 +01:00
andromeda	4bd6ddece1	declare dkim secrets	2026-01-12 13:30:25 +01:00
andromeda	3fa9a368bf	update remote pub keys	2026-01-12 13:04:33 +01:00