{config, ...}: {
  services.zulip = {
    enable = true;

    # lets it set up my postgresql for me
    enablePostgresqlLocally = true;

    # host domain
    host = "chat.${config.networking.domain}";

    # secrets; head rolled on keyboard for all :)
    camoKeyFile = builtins.toString config.age.secrets.zulip-camoKey.path;
    rabbitmqPasswordFile = builtins.toString config.age.secrets.zulip-rabbitmqPassword.path;
    secretKeyFile = builtins.toString config.age.secrets.zulip-secretKey.path;
    sharedSecretKeyFile = builtins.toString config.age.secrets.zulip-sharedSecretKey.path;
    avatarSaltKeyFile = builtins.toString config.age.secrets.zulip-avatarSaltKey.path;

    # TODO check for parity with `mailserver-acc-admin-pw.age`
    extraSecrets.email_password = builtins.toString config.age.secrets.zulip-extraSecrets-email_password.path;

    # settings
    zulipSettings = rec {
      # email users
      ZULIP_ADMINISTRATOR = "admin@${config.networking.domain}";
      EMAIL_HOST_USER = ZULIP_ADMINISTRATOR;

      # configure mailserver port
      EMAIL_HOST = config.mailserver.fqdn;
      EMAIL_USE_TLS = true;
      EMAIL_PORT = 587; # non-secure port

      # setting to allow realm creation; probably unsafe, might delete later :3
      OPEN_REALM_CREATION = true;

      # send all noreply emails from `admin@galaxious.de`
      # TODO configure admin to send from any address
      ADD_TOKENS_TO_NOREPLY_ADDRESS = false;
      NOREPLY_EMAIL_ADDRESS = ZULIP_ADMINISTRATOR;

      # domain name
      EXTERNAL_HOST = config.services.zulip.host;
    };
  };

  # needed for non-secure connection through port 587
  mailserver.enableSubmissionSsl = true;
}