# MediaMTX configuration for game-stream-app
# Spawned as a subprocess by obs-script/game_stream.py when OBS starts streaming.

###############################################################################
# Global
###############################################################################

logLevel: info
logDestinations: [stdout]
readTimeout: 10s
writeTimeout: 10s
writeQueueSize: 512

###############################################################################
# API (used by the OBS script dock to poll viewer count / stream status)
###############################################################################

api: yes
apiAddress: 127.0.0.1:49997

###############################################################################
# WebRTC (WHIP ingest + WHEP playback)
###############################################################################

webrtc: yes
# HTTP listener for WHIP/WHEP signaling (SDP exchange).
# NPM proxies /whep/* and the OBS WHIP target (localhost) to this.
webrtcAddress: :48889
webrtcEncryption: no   # TLS is handled at NPM; this listener is LAN/localhost only
# Dedicated UDP port for SRTP media. NPM Stream forwards public UDP 48189 here.
webrtcLocalUDPAddress: :48189
# No TCP fallback - we only want a single UDP path for simplicity.
webrtcLocalTCPAddress: ''
# Tell browsers to send media to the public hostname.
# Replace stream.hetherman.cloud if your public hostname differs.
webrtcAdditionalHosts:
  - stream.hetherman.cloud
# Public STUN helps browsers discover their own reflexive candidates when
# behind NAT; the server side does not need it but it speeds up ICE.
webrtcICEServers2:
  - url: stun:stun.l.google.com:19302
# Disable trickle handshake complications - plain offer/answer is enough.
webrtcHandshakeTimeout: 10s
webrtcTrackGatherTimeout: 2s

###############################################################################
# HLS (fallback for clients where WebRTC fails)
###############################################################################

hls: yes
hlsAddress: :48888
hlsEncryption: no
hlsAlwaysRemux: no
hlsVariant: lowLatency
hlsSegmentCount: 7
hlsSegmentDuration: 200ms
hlsPartDuration: 200ms
hlsSegmentMaxSize: 50M
hlsAllowOrigin: '*'
hlsTrustedProxies: []

###############################################################################
# Disabled protocols (reduce attack surface)
###############################################################################

rtsp: no
rtmp: no
srt: no

###############################################################################
# Paths
###############################################################################

pathDefaults:
  # Drop publishers that connect but never send media.
  sourceOnDemand: no

paths:
  # The single stream path. OBS publishes here via WHIP
  # (http://localhost:48889/game/whip), friends watch via WHEP
  # (https://stream.hetherman.cloud/whep/game/whep).
  game:
    source: publisher
    # Only the local OBS instance is allowed to publish.
    # External hijack attempts are blocked at this layer, independent of NPM.
    publishIPs:
      - 127.0.0.1/32
      - ::1/128
    # No reader restrictions - NPM + Authentik gate reads at the edge.