nixos-config/modules/system/services/server/nginx/rtmp/default.nix

{ config, lib, pkgs, nodes, ... }:
{
  config = lib.mkIf config.services.webserver.enable {
    services.nginx = {
      additionalModules = with pkgs.nginxModules; [ rtmp ];
      appendConfig = ''
        rtmp {
          server {
            listen 1935;
            chunk_size 4096;
            allow publish all;
            application stream {
              record off;
              live on;
              allow play all;
              hls on;
              hls_path /var/www/landing-page/streams/hls/;
              hls_fragment_naming system;
              hls_fragment 3;
              hls_playlist_length 40;
            }
          }
        }
      '';
    };
    networking.firewall.extraInputRules = let
      targetHosts = lib.attrValues (lib.mapAttrs (_: node: node.config.deployment.targetHost) nodes);
    in ''
      ip6 saddr { ${lib.concatStringsSep ", " targetHosts} } tcp dport 1935 accept
      ip saddr { ${config.secrets.ips.luna}, ${config.secrets.ips.corn} } tcp dport 1935 accept
    '';
    systemd.services.nginx.serviceConfig.ReadWritePaths = [ "/var/www/landing-page/streams/hls/" ];
  };
}