Add rtmp back, we're so back

hosts/midas/services/nginx/rtmp/default.nix

@@ -0,0 +1,49 @@
+{ config, lib, pkgs, nodes, ... }:
+{
+  services.nginx = {
+    virtualHosts."stream.${config.vars.primeDomain}" = {
+      enableACME = true;
+      addSSL = true;
+
+      root = "/var/www/rtmp";
+
+      locations."/".extraConfig = ''
+        add_header 'Access-Control-Allow-Origin' '*' always;
+        add_header 'Access-Control-Allow-Methods' 'GET, OPTIONS' always;
+        add_header 'Access-Control-Allow-Headers' 'Range, Origin, X-Requested-With, Content-Type, Accept' always;
+        add_header 'Access-Control-Expose-Headers' 'Content-Length, Content-Range' always;
+      '';
+    };
+
+    additionalModules = with pkgs.nginxModules; [ rtmp ];
+
+    appendConfig = ''
+      rtmp {
+        server {
+          listen [::]:1935;
+          chunk_size 4096;
+          allow publish all;
+
+          application stream {
+            live on;
+            allow play all;
+            hls on;
+            hls_path /var/www/rtmp/;
+            hls_base_url https://stream.${config.vars.primeDomain}/;
+            hls_playlist_length 40;
+          }
+        }
+      }
+    '';
+  };
+
+  # NixOS sandboxes this path by default. Allow it to be unsandboxed
+  systemd.services.nginx.serviceConfig.ReadWritePaths = [ "/var/www/rtmp" ];
+
+  # Allow rtmp to select hosts
+  networking.firewall.extraInputRules = let
+    targetHosts = lib.attrValues (lib.mapAttrs (_: node: node.config.deployment.targetHost) nodes);
+  in ''
+    ip6 saddr { ${lib.concatStringsSep ", " targetHosts} } tcp dport 1935 accept
+  '';
+}