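# NixOS module: nginx built with the RTMP module, two HTTPS virtual hosts with
# ACME certificates, and an RTMP listener on TCP 1935 with two applications.
{ config, lib, pkgs, ... }:

{
  security.acme = {
    acceptTerms = true;
    email = "info+acme@hacc.space";
  };

  services.nginx = {
    enable = true;

    # Stock nginx has no RTMP support; rebuild it with the rtmp module.
    package = pkgs.nginx.override {
      modules = [ pkgs.nginxModules.rtmp ];
    };

    virtualHosts = {
      # No locations are declared for this host in this file.
      "hainich.chaoswit.ch" = {
        enableACME = true;
        forceSSL = true;
      };

      # Every path on this host answers 404; the vhost still gets a certificate.
      "hainich.hacc.space" = {
        enableACME = true;
        forceSSL = true;
        locations = {
          "/" = {
            return = "404";
          };
        };
      };
    };

    # The rtmp block below is appended to nginx.conf as-is.
    #
    # NOTE(review): `listen 1935` is a plain TCP listener, so anything sent over
    # RTMP (including stream names used as keys) is unencrypted on the wire.
    #
    # NOTE(review): `cutiestream` sets `allow publish all` and the firewall
    # opens 1935, so any host that can reach this port may publish to it.
    # Confirm that this is intended; otherwise restrict publishing by address.
    #
    # NOTE(review): `ingest` records every stream to /data/ingest and shows no
    # size or duration limit here. Its access rules presumably live in
    # /var/secrets/ingest.conf, which is kept outside this file -- verify that
    # it restricts publishers, since unrestricted recording can fill the disk.
    appendConfig = ''
      rtmp {
        server {
          listen 1935;

          application cutiestream {
            live on;
            allow publish all;
            allow play all;
          }

          application ingest {
            live on;
            record all;
            record_path /data/ingest;
            record_unique on;
            include /var/secrets/ingest.conf;
          }
        }
      }
    '';
  };

  # RTMP ingest/playback port; 80 and 443 are not opened in this file.
  networking.firewall.allowedTCPPorts = [ 1935 ];

  # Only the recording directory has to be writable by nginx. /var/secrets is
  # only read (the `include` above), and this option grants write access, which
  # reading does not need -- so the secrets directory is no longer listed and a
  # compromised nginx process cannot alter the included access rules through it.
  # (ReadWriteDirectories is systemd's older name for ReadWritePaths.)
  systemd.services.nginx.serviceConfig.ReadWriteDirectories = "/data/ingest";
}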