{ config, lib, pkgs, nodes, ... }:
let
  # Public hostname used both for the HTTPS vhost that serves HLS and for the
  # hls_base_url embedded in the generated playlists.
  streamHost = "stream.${config.vars.primeDomain}";

  # Directory nginx-rtmp writes HLS playlists/segments into and nginx serves
  # back as the document root of the vhost.
  hlsRoot = "/var/www/rtmp";

  # RTMP ingest port; nginx listens on it and the firewall rule below opens it.
  rtmpPort = 1935;

  # deployment.targetHost of every node in this deployment, in attribute-name
  # order. These are the only sources the firewall admits on the RTMP port.
  # NOTE(review): the firewall match is "ip6 saddr", so an entry that is an
  # IPv4 literal will never match, and a DNS name depends on nft resolving an
  # AAAA record at rule-load time — confirm every targetHost is an IPv6 literal.
  publisherHosts =
    lib.mapAttrsToList (_: node: node.config.deployment.targetHost) nodes;
in
{
  services.nginx = {
    virtualHosts.${streamHost} = {
      enableACME = true;
      addSSL = true;
      root = hlsRoot;
      # Permissive CORS so players hosted on other origins can fetch playlists
      # and segments, including Range requests (Content-Range is exposed so
      # byte-range playback works cross-origin).
      locations."/".extraConfig = ''
        add_header 'Access-Control-Allow-Origin' '*' always;
        add_header 'Access-Control-Allow-Methods' 'GET, OPTIONS' always;
        add_header 'Access-Control-Allow-Headers' 'Range, Origin, X-Requested-With, Content-Type, Accept' always;
        add_header 'Access-Control-Expose-Headers' 'Content-Length, Content-Range' always;
      '';
    };

    additionalModules = [ pkgs.nginxModules.rtmp ];

    # The rtmp{} block lives outside http{}, hence appendConfig rather than a
    # vhost setting.
    appendConfig = ''
      rtmp {
        server {
          listen [::]:${toString rtmpPort};
          chunk_size 4096;

          # No application-level publish restriction: anyone who can reach the
          # port may push a stream. The firewall rule on this port (see
          # networking.firewall.extraInputRules below) is the only control.
          allow publish all;

          application stream {
            live on;
            allow play all;

            # Segments land in the vhost root and are addressed by the public
            # HTTPS URL in the playlists.
            hls on;
            hls_path ${hlsRoot}/;
            hls_base_url https://${streamHost}/;
            hls_playlist_length 40;
          }
        }
      }
    '';
  };

  # NixOS sandboxes this path by default. Allow it to be unsandboxed so the
  # rtmp module can write HLS output there.
  systemd.services.nginx.serviceConfig.ReadWritePaths = [ hlsRoot ];

  # Allow RTMP only from the selected (deployed) hosts. Everything else on the
  # port is left to the firewall's default input policy.
  # NOTE(review): this only matches IPv6 sources; whether the "[::]" socket
  # also accepts IPv4 depends on the rtmp module's ipv6only default — confirm,
  # since "allow publish all" above relies entirely on this rule.
  networking.firewall.extraInputRules = ''
    ip6 saddr { ${lib.concatStringsSep ", " publisherHosts} } tcp dport ${toString rtmpPort} accept
  '';
}