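# NixOS module: adds an RTMP ingest endpoint to nginx and republishes the
# stream as HLS fragments under the landing page's web root. Only active when
# `services.webserver.enable` is set.
#
# Access model: the RTMP application itself places no restriction on who may
# publish or play (`allow publish all` / `allow play all`), so the nftables
# allowlist below is the only control on TCP/1935. Keep the two in sync when
# changing either one.
{ config, lib, pkgs, ... }:
{
  config = lib.mkIf config.services.webserver.enable {
    services.nginx = {
      # nginx rebuilt with the RTMP module; the stock package does not load it.
      package = pkgs.nginx.override {
        modules = with pkgs.nginxModules; [ rtmp ];
      };

      # Appended at the top level of nginx.conf; `rtmp {}` is a sibling of
      # `http {}`, not a child of it.
      appendConfig = ''
        rtmp {
          server {
            listen 1935;
            chunk_size 4096;
            allow publish all;

            application stream {
              record off;
              live on;
              allow play all;

              hls on;
              hls_path /var/www/landing-page/streams/hls/;
              hls_fragment_naming system;
              hls_fragment 3;
              hls_playlist_length 40;
            }
          }
        }
      '';
    };

    # Restrict RTMP (TCP/1935) to the trusted source addresses.
    #
    # The chain policy is `accept`, with an explicit drop for port 1935. In
    # nftables every base chain on a hook is evaluated and a drop in any of
    # them is final, so a `policy drop` chain in this dedicated table would
    # discard all other inbound traffic to the host (HTTP, SSH, loopback,
    # replies to outbound connections), not just unwanted RTMP.
    #
    # The explicit drop is not limited to IPv4, so IPv6 connections to 1935
    # are rejected too; the `ip saddr` allowlist only ever matches IPv4.
    #
    # NOTE(review): an accept here does not override other tables. If the
    # NixOS firewall (or any other input chain) is active on this host,
    # port 1935 must be permitted there as well. Confirm against the host's
    # firewall configuration.
    networking.nftables.tables.rtmp = {
      family = "inet";
      content = ''
        chain input {
          type filter hook input priority 0; policy accept;
          ip saddr { 10.0.0.0/8, ${config.secrets.ips.luna}, ${config.secrets.ips.corn} } tcp dport 1935 accept comment "Accept RTMP"
          tcp dport 1935 drop comment "Drop RTMP from all other sources"
        }
      '';
    };

    # nginx's systemd unit is sandboxed; grant write access only to the
    # directory the RTMP module writes HLS playlists and fragments into.
    systemd.services.nginx.serviceConfig.ReadWritePaths = [
      "/var/www/landing-page/streams/hls/"
    ];
  };
}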