diff --git a/hosts/midas/services/nginx/default.nix b/hosts/midas/services/nginx/default.nix
index 99142a59..11d226f9 100644
--- a/hosts/midas/services/nginx/default.nix
+++ b/hosts/midas/services/nginx/default.nix
@@ -1,6 +1,9 @@
 { ... }:
 {
- imports = [ ./nixfox ];
+ imports = [
+ ./nixfox
+ ./rtmp
+ ];
 services.nginx.enable = true;
 }
diff --git a/hosts/midas/services/nginx/nixfox/default.nix b/hosts/midas/services/nginx/nixfox/default.nix
index 50201ec6..e996068f 100644
--- a/hosts/midas/services/nginx/nixfox/default.nix
+++ b/hosts/midas/services/nginx/nixfox/default.nix
@@ -1,7 +1,7 @@
 { config, pkgs, ... }:
 {
 services.nginx.virtualHosts = {
- "nixfox.ca" = {
+ "${config.vars.primeDomain}" = {
 default = true;
 enableACME = true;
 addSSL = true;
diff --git a/hosts/midas/services/nginx/rtmp/default.nix b/hosts/midas/services/nginx/rtmp/default.nix
new file mode 100644
index 00000000..2c06d376
--- /dev/null
+++ b/hosts/midas/services/nginx/rtmp/default.nix
@@ -0,0 +1,49 @@
+{ config, lib, pkgs, nodes, ... }:
+{
+ services.nginx = {
+ virtualHosts."stream.${config.vars.primeDomain}" = {
+ enableACME = true;
+ addSSL = true;
+
+ root = "/var/www/rtmp";
+
+ locations."/".extraConfig = ''
+ add_header 'Access-Control-Allow-Origin' '*' always;
+ add_header 'Access-Control-Allow-Methods' 'GET, OPTIONS' always;
+ add_header 'Access-Control-Allow-Headers' 'Range, Origin, X-Requested-With, Content-Type, Accept' always;
+ add_header 'Access-Control-Expose-Headers' 'Content-Length, Content-Range' always;
+ '';
+ };
+
+ additionalModules = with pkgs.nginxModules; [ rtmp ];
+
+ appendConfig = ''
+ rtmp {
+ server {
+ listen [::]:1935;
+ chunk_size 4096;
+ allow publish all;
+
+ application stream {
+ live on;
+ allow play all;
+ hls on;
+ hls_path /var/www/rtmp/;
+ hls_base_url https://stream.${config.vars.primeDomain}/;
+ hls_playlist_length 40;
+ }
+ }
+ }
+ '';
+ };
+
+ # NixOS sandboxes this path by default. Allow it to be unsandboxed
+ systemd.services.nginx.serviceConfig.ReadWritePaths = [ "/var/www/rtmp" ];
+
+ # Allow rtmp to select hosts
+ networking.firewall.extraInputRules = let
+ targetHosts = lib.attrValues (lib.mapAttrs (_: node: node.config.deployment.targetHost) nodes);
+ in ''
+ ip6 saddr { ${lib.concatStringsSep ", " targetHosts} } tcp dport 1935 accept
+ '';
+}
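Review bot: `allow publish all;` in the `rtmp` server block means nginx itself performs no check on ingest, so the `ip6 saddr { … } tcp dport 1935 accept` rule at the end of the file is the only control over who may publish to `stream`. If that rule is later widened, or port 1935 becomes reachable by another path, any client that can connect could supply the content this vhost serves over HLS with `Access-Control-Allow-Origin: *`. I would repeat the allow-list inside the module: hoist `targetHosts` into a shared `let`, emit `${lib.concatMapStringsSep "\n" (h: "allow publish ${h};") targetHosts}` followed by `deny publish all;`, or gate publishing behind an `on_publish` callback. Both lists assume every `deployment.targetHost` is a literal IPv6 address, which the hunk does not show; an assertion on those values would catch a null or a hostname before it reaches the nftables set.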