infra/nix/oracle-stream/configuration.nix
Gabriel Simmer 9439acf4d1
format with alejandra style
2024-02-05 13:13:44 +00:00


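# NixOS configuration for the "stream" host: Owncast behind an nginx TLS
# reverse proxy (stream.gmem.ca, certificates via ACME), plus an nginx RTMP
# ingest that is only reachable over Tailscale or loopback.
{
  config,
  pkgs,
  ...
}: {
  imports = [
    # Include the results of the hardware scan.
    ./hardware.nix
  ];

  boot = {
    # /tmp also receives the RTMP HLS/DASH segments written further down, so
    # it starts empty on every boot.
    tmp.cleanOnBoot = true;
  };
  zramSwap.enable = true;

  nix = {
    settings = {
      auto-optimise-store = true;
      experimental-features = ["nix-command" "flakes"];
    };
    # Weekly garbage collection of generations older than 30 days.
    gc = {
      automatic = true;
      dates = "weekly";
      options = "--delete-older-than 30d";
    };
    # Free up to 1GiB whenever there is less than 100MiB left.
    extraOptions = ''
      min-free = ${toString (100 * 1024 * 1024)}
      max-free = ${toString (1024 * 1024 * 1024)}
    '';
  };

  networking = {
    hostName = "stream";
    domain = "gmem.ca";
    firewall = {
      enable = true;
      # Traffic arriving over the Tailscale interface bypasses the port filter
      # entirely; this is how the nginx RTMP listener on 1936 (deliberately not
      # listed below) and rpcbind are reached.
      trustedInterfaces = ["tailscale0"];
      # Tailscale traffic fails the strict reverse-path check.
      checkReversePath = "loose";
      # 80/443: nginx (ACME HTTP challenge and the stream.gmem.ca vhost).
      # 1935: presumably Owncast's RTMP ingest (its default port; the service
      # has openFirewall = false, so it is opened by hand here) — confirm. It is
      # reachable from every interface, guarded only by the stream key.
      allowedTCPPorts = [80 443 1935];
      # Purpose of these UDP ranges is not recorded here — TODO document.
      allowedUDPPortRanges = [
        {
          from = 4000;
          to = 4007;
        }
        {
          from = 8000;
          to = 8010;
        }
      ];
      # 41641: Tailscale's WireGuard port.
      # NOTE(review): RTMP is TCP-only, so nothing in this file appears to
      # listen on UDP 1935 — confirm it is needed before keeping it open.
      allowedUDPPorts = [41641 1935];
    };
    nftables.enable = true;
    nameservers = ["1.1.1.1" "1.0.0.1"];
  };

  time.timeZone = "Europe/London";

  # Root's authorized_keys is built from the public keys published at
  # https://gmem.ca/ssh. The download is pinned by hash, so a changed upload
  # fails the fetch instead of being picked up silently; rotating keys means
  # updating sha256 here too. Blank entries (the trailing newline of the
  # file) are dropped so the generated file contains only keys.
  users.users.root.openssh.authorizedKeys.keys = let
    authorizedKeys = pkgs.fetchurl {
      url = "https://gmem.ca/ssh";
      sha256 = "0vm0q5fzx55mmgw7md430c20rvywmknmpvnkffx9szlm0l74bypc";
    };
    keyLines = pkgs.lib.splitString "\n" (builtins.readFile authorizedKeys);
  in
    pkgs.lib.filter (line: line != "") keyLines;

  environment.systemPackages = with pkgs; [
    vim
    wget
    htop
    git
    screen
    nix-output-monitor
    tailscale
    nfs-utils
  ];

  services = {
    rpcbind.enable = true;
    openssh.enable = true;
    tailscale.enable = true;

    # Owncast is reached only through the nginx proxy below: 8080 is not in
    # allowedTCPPorts and openFirewall stays false.
    owncast = {
      enable = true;
      port = 8080;
      openFirewall = false;
    };

    nginx = {
      # The rtmp module is needed for the appendConfig block below.
      additionalModules = [pkgs.nginxModules.rtmp];
      enable = true;
      recommendedProxySettings = true;
      recommendedGzipSettings = true;
      recommendedBrotliSettings = true;
      recommendedZstdSettings = true;
      recommendedOptimisation = true;
      recommendedTlsSettings = true;

      virtualHosts = {
        "stream.gmem.ca" = {
          enableACME = true;
          forceSSL = true;
          # Proxy everything to Owncast; websockets carry chat, and the
          # Authorization header must reach the backend for its admin API.
          locations."/" = {
            proxyPass = "http://127.0.0.1:8080";
            proxyWebsockets = true;
            extraConfig = ''
              client_max_body_size 100M;
              proxy_pass_header Authorization;
            '';
          };
        };
      };

      # Second RTMP ingest on 1936. The port is absent from allowedTCPPorts, so
      # it is reachable only from loopback and via tailscale0 (trusted). Only
      # loopback and two Tailscale addresses may publish; anyone who can reach
      # the port may play.
      # NOTE(review): no location in this file serves /tmp/hls or /tmp/dash,
      # and the NixOS nginx unit may run with a private /tmp — confirm whether
      # the HLS/DASH output is consumed at all, or point it at a dedicated
      # directory.
      appendConfig = ''
        rtmp {
          server {
            listen 1936;
            chunk_size 4096;
            application live {
              live on;
              allow publish 127.0.0.1;
              allow publish 100.110.180.123;
              allow publish fd7a:115c:a1e0::246e:b47b;
              deny publish all;
              allow play all;
              record off;
              hls on;
              hls_path /tmp/hls;
              dash on;
              dash_path /tmp/dash;
            }
          }
        }
      '';
    };
  };

  # Let's Encrypt terms must be accepted for enableACME above to work.
  security.acme = {
    acceptTerms = true;
    defaults = {
      email = "acme@gmem.ca";
    };
  };

  # Pinned to the release this host was first installed with; do not bump it
  # casually, it controls stateful-data migration defaults.
  system.stateVersion = "23.11"; # dId YoU rEaD tHe CoMmEnT?
}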