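# NixOS module: LiveKit SFU whose API key file is provisioned through sops-nix.
#
# Line structure is restored here. With the whole expression on a single line,
# the `#udp_port` comment swallows everything after it and the file no longer
# parses. No option value is changed.
{ config, lib, ... }:
{
  # Only the decrypted file's path is referenced below, so the key material
  # itself is never interpolated into the configuration.
  # NOTE(review): no owner/mode is set, so sops-nix defaults apply. Confirm the
  # unit, which runs as the static `livekit` user below, still reads the key
  # (for example through a systemd credential) before widening permissions.
  sops.secrets.livekit_key_sfu = { };

  services.livekit = {
    enable = true;
    # NOTE(review): presumably opens the RTC TCP port and the UDP media range
    # below to every source address; confirm the resulting rules on the host.
    openFirewall = true;
    keyFile = config.sops.secrets.livekit_key_sfu.path;

    settings = {
      rtc = {
        tcp_port = 7881;
        #udp_port = 7882;
        # 10001 ports for media; this is the exposed surface of the SFU.
        port_range_start = 50000;
        port_range_end = 60000;
        use_external_ip = true;
        # Hard-coded address; must be updated if the host is renumbered.
        node_ip = "178.254.8.35";
      };

      room = {
        # Rooms are created on demand rather than pre-provisioned, so access
        # control rests on the tokens signed with the key in `keyFile`.
        auto_create = true;
        enabled_codecs = [
          { mime = "video/VP8"; }
          { mime = "video/VP9"; }
          { mime = "video/H264"; }
          { mime = "audio/opus"; }
        ];
        # NOTE(review): lets a track be unmuted from the server side; confirm
        # this matches what participants are told about their microphones.
        enable_remote_unmute = true;
      };
    };
  };

  # NOTE(review): repeats rtc.tcp_port and is likely redundant with
  # `openFirewall = true`; confirm and keep a single source of truth.
  networking.firewall.allowedTCPPorts = [ 7881 ];

  # Every mkForce below replaces the value set by the upstream module instead
  # of merging with it, so these overrides define the effective sandbox.
  systemd.services.livekit.serviceConfig = {
    # NOTE(review): user-namespace isolation and DynamicUser are switched off
    # in favour of a static account; record the reason next to the override.
    PrivateUsers = lib.mkForce false;
    DynamicUser = lib.mkForce false;
    User = "livekit";
    Group = "livekit";
    # NOTE(review): compare with the module default and confirm which families
    # (AF_NETLINK, AF_UNIX) the service actually needs.
    RestrictAddressFamilies = lib.mkForce [
      "AF_INET"
      "AF_INET6"
      "AF_NETLINK"
      "AF_UNIX"
    ];
    # NOTE(review): the forced list keeps only the allow group. Any deny groups
    # in the module default (e.g. `~@privileged`, `~@resources`) are dropped;
    # check with `systemd-analyze security livekit.service`.
    SystemCallFilter = lib.mkForce [ "@system-service" ];
  };

  # Static, non-login system account required once DynamicUser is disabled.
  users = {
    users.livekit = {
      isSystemUser = true;
      group = "livekit";
    };
    groups.livekit = { };
  };
}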