# RTMP ingest pipeline with TLS termination via the stream module.
# - External publishers connect over RTMPS on tcp/1935.
# - The stream module terminates TLS and forwards plain RTMP to nginx-rtmp on 127.0.0.1:1936.
# - nginx-rtmp still triggers publish callbacks consumed by obsproxy.

rtmp {
    server {
        listen 1936;                # internal plain RTMP listener
        chunk_size 4096;

        application live {
            live on;
            record off;

            # Allow publish/play; obsproxy enforces the ingest PSK.
            allow publish all;
            allow play all;

            on_publish http://127.0.0.1:5000/rtmp_callbacks/on_publish;
            on_publish_done http://127.0.0.1:5000/rtmp_callbacks/on_publish_done;
        }
    }
}

stream {
    log_format stream_basic '$remote_addr:$remote_port -> $server_addr:$server_port '
                              'sent=$bytes_sent received=$bytes_received '
                              'time=$session_time';

    upstream rtmp_backend {
        server 127.0.0.1:1936;
    }

    server {
        listen 1935 ssl;
        proxy_pass rtmp_backend;
        access_log /var/log/nginx/rtmp_stream_access.log stream_basic;
        error_log /var/log/nginx/rtmp_stream_error.log error;

        ssl_certificate /etc/letsencrypt/live/yummers.dev/fullchain.pem;
        ssl_certificate_key /etc/letsencrypt/live/yummers.dev/privkey.pem;
        ssl_protocols TLSv1.2 TLSv1.3;
        ssl_ciphers HIGH:!aNULL:!MD5;
        ssl_session_cache shared:rtmp_stream_cache:10m;
        ssl_session_timeout 10m;
        proxy_timeout 5m;
    }
}