# NixOS module: nginx built with the RTMP module. It serves two HTTP virtual
# hosts and an RTMP listener on TCP 1935 with two applications.
{ config, lib, pkgs, ... }:

{
  # ACME terms acceptance and the contact address used for certificate requests.
  security.acme = {
    acceptTerms = true;
    email = "info+acme@hacc.space";
  };

  # 1935 is the RTMP listener declared in appendConfig below. It is opened for
  # every source address; this file puts no other network-level restriction
  # in front of it.
  networking.firewall.allowedTCPPorts = [ 1935 ];

  services.nginx = {
    enable = true;

    # nginx rebuilt with the RTMP module, needed for the rtmp {} block below.
    package = pkgs.nginx.override {
      modules = [ pkgs.nginxModules.rtmp ];
    };

    # Left disabled by the author:
    # recommendedProxySettings = true;

    virtualHosts = {
      # let all empty subdomains pointing to hainich return 404
      "hainich.hacc.space" = {
        default = true;
        locations."/".return = "404";
      };

      # Apex domain: certificate via ACME, HTTPS forced, every path answered
      # with a permanent redirect to hacc.earth.
      "hacc.space" = {
        enableACME = true;
        forceSSL = true;
        locations."/".return = "301 https://hacc.earth";
      };
    };

    # Sends an empty interest-cohort allowlist in Permissions-Policy.
    # nginx adds a header without the `always` flag only to a fixed set of
    # success/redirect status codes, so the 404 from the default host will not
    # carry it, and any server/location that declares its own add_header stops
    # inheriting this one.
    appendHttpConfig = ''
      add_header Permissions-Policy "interest-cohort=()";
    '';

    # RTMP listener (plain RTMP on 1935; nothing here wraps it in TLS).
    #
    # cutiestream: publish and play are explicitly open to every client.
    #
    # ingest: every published stream is recorded to /data/ingest under a
    # unique file name. The include of /var/secrets/ingest.conf is commented
    # out, so no allow/deny rule is active for this application.
    # NOTE(review): with the port open in the firewall, any host that can
    # reach 1935 can presumably publish to ingest and have data written to
    # /data/ingest. Confirm whether the commented include was meant to carry
    # the publish restrictions; if so restore it, or add explicit
    # allow/deny publish rules, or limit 1935 by source address. Watching
    # free space on the /data/ingest volume is worthwhile either way.
    appendConfig = ''
      rtmp {
        server {
          listen 1935;
          application cutiestream {
            live on;
            allow publish all;
            allow play all;
          }
          application ingest {
            live on;
            record all;
            record_path /data/ingest;
            record_unique on;
            # include /var/secrets/ingest.conf;
          }
        }
      }
    '';
  };

  # Grants the nginx unit write access to the recording directory and to
  # /var/secrets (ReadWriteDirectories is the legacy spelling of
  # ReadWritePaths).
  # NOTE(review): the only reference to /var/secrets in this file is the
  # commented-out include, which would need read access at most. If nothing
  # else requires nginx to write there, dropping it from this list keeps a
  # compromised worker from modifying the secrets directory. Confirm first.
  systemd.services.nginx.serviceConfig.ReadWriteDirectories = "/data/ingest /var/secrets";
}