{ config, pkgs, ... }:

{
  sops.secrets."livekit/api_key" = {
    sopsFile = ./secrets/livekit_vps.yaml;
    mode = "0400";
    owner = "livekit";
    group = "livekit";
  };
  sops.secrets."livekit/api_secret" = {
    sopsFile = ./secrets/livekit_vps.yaml;
    mode = "0400";
    owner = "livekit";
    group = "livekit";
  };

  users.users.livekit = {
    isSystemUser = true;
    group = "livekit";
  };
  users.groups.livekit = { };

  # WebRTC media (UDP) and ICE TCP fallback. HTTP signaling goes through nginx.
  networking.firewall = {
    allowedTCPPorts = [ 7881 ];
    allowedUDPPortRanges = [
      {
        from = 50000;
        to = 50200;
      }
    ];
  };

  systemd.services.livekit = {
    description = "LiveKit SFU server";
    wantedBy = [ "multi-user.target" ];
    after = [ "network-online.target" ];
    wants = [ "network-online.target" ];

    serviceConfig = {
      User = "livekit";
      Group = "livekit";
      RuntimeDirectory = "livekit";
      Restart = "always";
      RestartSec = 5;
    };

    script = ''
      API_KEY=$(cat ${config.sops.secrets."livekit/api_key".path})
      API_SECRET=$(cat ${config.sops.secrets."livekit/api_secret".path})

      cat > /run/livekit/config.yaml <<YAML
      port: 7880
      bind_addresses:
        - "127.0.0.1"
      rtc:
        port_range_start: 50000
        port_range_end: 50200
        use_external_ip: true
        tcp_port: 7881
      logging:
        level: info
      keys:
        $API_KEY: $API_SECRET
      YAML

      exec ${pkgs.livekit}/bin/livekit-server --config /run/livekit/config.yaml
    '';
  };
}