feat: add zulip integration

remote/README.md

@@ -7,6 +7,7 @@ Cargo workspace with the server-side pieces of Noisebell. Runs on any Linux box.
 | [`cache-service/`](cache-service/) | 3000 | Polls the Pi, stores the latest state in SQLite, fans out webhooks |
 | [`rss-service/`](rss-service/) | 3002 | Fetches current status from cache and serves RSS/Atom feeds |
 | [`discord-bot/`](discord-bot/) | 3001 | Posts door status to a Discord channel |
+| [`zulip-bot/`](zulip-bot/) | 3003 | Posts door status to a Zulip stream |
 | [`noisebell-common/`](noisebell-common/) | — | Shared types and helpers |
 
 See each service's README for configuration and API docs.
@@ -23,6 +24,7 @@ Or with Nix:
 nix build .#noisebell-cache
 nix build .#noisebell-rss
 nix build .#noisebell-discord
+nix build .#noisebell-zulip
 ```
 
 ## NixOS deployment
@@ -67,6 +69,8 @@ The flake exports a NixOS module for the hosted remote machine. It imports `agen
 | `secrets/pi-to-cache-key.age` | Pi + remote | Pi authenticates to cache `/webhook` |
 | `secrets/cache-to-pi-key.age` | Pi + remote | cache authenticates to Pi GET endpoints |
 | `secrets/discord-webhook-secret.age` | remote | cache authenticates to Discord bot `/webhook` |
+| `secrets/zulip-webhook-secret.age` | remote | cache authenticates to Zulip bridge `/webhook` |
 | `secrets/discord-token.age` | remote | Discord bot login |
+| `secrets/zulip-api-key.age` | remote | Zulip bot API authentication |
 
 When `extremist-software` builds a system using the Noisebell flake input, Nix uses the checked-out flake source for that input. The module points `agenix` at encrypted files inside that Noisebell source tree, such as `${inputs.noisebell}/secrets/discord-token.age`. At activation time `agenix` decrypts them locally on the target host into runtime paths like `/run/agenix/noisebell-discord-token`. The service modules then read those local decrypted files when systemd starts them.