diff --git a/bundles/letsencrypt/README.md b/bundles/letsencrypt/README.md
index 0214915..1364f92 100644
--- a/bundles/letsencrypt/README.md
+++ b/bundles/letsencrypt/README.md
@@ -1,6 +1,6 @@
 https://github.com/dehydrated-io/dehydrated/wiki/example-dns-01-nsupdate-script
-```
+```sh
 printf "server 127.0.0.1 zone acme.resolver.name. update add _acme-challenge.ckn.li.acme.resolver.name. 600 IN TXT "hello"
diff --git a/bundles/nginx/files/nginx.conf b/bundles/nginx/files/nginx.conf
index 804c64f..3ab068c 100644
--- a/bundles/nginx/files/nginx.conf
+++ b/bundles/nginx/files/nginx.conf
@@ -2,6 +2,8 @@
 pid /var/run/nginx.pid;
 user www-data;
 worker_processes 10;
+include /etc/nginx/modules-enabled/*;
+
 events {
 worker_connections 768;
 }
@@ -15,12 +17,14 @@ http {
 server_names_hash_bucket_size 128;
 tcp_nopush on;
 client_max_body_size 32G;
-
+
 % if node.has_bundle('php'):
 upstream php-handler {
 server unix:/var/run/php/php${node.metadata.get('php/version')}-fpm.sock;
 }
 % endif
- include /etc/nginx/sites/*;
+ include /etc/nginx/sites-http/*;
 }
+
+include /etc/nginx/sites/*;
diff --git a/bundles/nginx/items.py b/bundles/nginx/items.py
index 045887b..2389481 100644
--- a/bundles/nginx/items.py
+++ b/bundles/nginx/items.py
@@ -9,6 +9,12 @@ directories = {
 'svc_systemd:nginx:restart',
 },
 },
+ '/etc/nginx/sites-http': {
+ 'purge': True,
+ 'triggers': {
+ 'svc_systemd:nginx:restart',
+ },
+ },
 '/etc/nginx/ssl': {
 'purge': True,
 'triggers': {
@@ -26,22 +32,22 @@ files = {
 'triggers': {
 'svc_systemd:nginx:restart',
 },
- },
+ },
 '/etc/nginx/fastcgi.conf': {
 'triggers': {
 'svc_systemd:nginx:restart',
 },
- },
+ },
- '/etc/nginx/sites/80.conf': {
+ '/etc/nginx/sites-http/80.conf': {
 'triggers': {
 'svc_systemd:nginx:restart',
 },
- },
+ },
- '/etc/nginx/sites/stub_status.conf': {
+ '/etc/nginx/sites-http/stub_status.conf': {
 'triggers': {
 'svc_systemd:nginx:restart',
 },
- },
+ },
 '/etc/nginx/sites-available': {
 'delete': True,
 'needs': {
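Review bot: The new `include /etc/nginx/modules-enabled/*;` loads every enabled module on every node that ships this nginx.conf, and the metadata.py hunk (`@@ -6,6 +6,8 @@`) installs `libnginx-mod-stream` and `libnginx-mod-rtmp` into the apt defaults of every nginx node, although only the rtmp.sublimity.de vhost appears to need them. That puts the stream and rtmp modules into the running nginx of hosts that never use them, which is extra code listening to config and input it does not need. If the bundle has a way to gate package defaults on node metadata, installing the two modules only where a vhost has `'http': False` would keep the other nodes unchanged; otherwise a comment above the include, `# loads stream/rtmp modules; needed only for non-http vhosts (see sites/*)`, should at least record why they are present everywhere.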
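Review bot: With `include /etc/nginx/sites/*;` moved out of `http {}` to the main context, every file still placed in /etc/nginx/sites must be valid at top level (`stream {}` / `rtmp {}`), and any http-context `server {}` file that ends up there makes `nginx -t` fail, at which point the `svc_systemd:nginx:restart` trigger takes all sites down rather than only the new one. The split is decided in items.py by `config.get('http', True)` and is otherwise invisible from this file. A comment beside the two includes would make it discoverable, e.g. `# http-context vhosts live in sites-http; sites/* is included at main level for stream/rtmp blocks`. The `http {` block starts outside the hunk.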
@@ -74,7 +80,12 @@ svc_systemd = {
 for name, config in node.metadata.get('nginx/vhosts').items():
- files[f'/etc/nginx/sites/{name}'] = {
+ if config.get('http', True):
+ sites = 'sites-http'
+ else:
+ sites = 'sites'
+
+ files[f'/etc/nginx/{sites}/{name}'] = {
 'content': Template(filename=join(repo.path, 'data', config['content'])).render(
 server_name=name,
 **config.get('context', {}),
@@ -88,8 +99,8 @@ for name, config in node.metadata.get('nginx/vhosts').items():
 'svc_systemd:nginx:restart',
 },
 }
-
+
 if name in node.metadata.get('letsencrypt/domains'):
- files[f'/etc/nginx/sites/{name}']['needs'].append(
+ files[f'/etc/nginx/{sites}/{name}']['needs'].append(
 f'action:letsencrypt_ensure-some-certificate_{name}',
 )
diff --git a/bundles/nginx/metadata.py b/bundles/nginx/metadata.py
index ad0cd6b..5bd1ba4 100644
--- a/bundles/nginx/metadata.py
+++ b/bundles/nginx/metadata.py
@@ -6,6 +6,8 @@ defaults = {
 'apt': {
 'packages': {
 'nginx': {},
+ 'libnginx-mod-stream': {},
+ 'libnginx-mod-rtmp': {},
 },
 },
 'nftables': {
diff --git a/data/nginx/rtmp.conf b/data/nginx/rtmp.conf
new file mode 100644
index 0000000..e89e9c2
--- /dev/null
+++ b/data/nginx/rtmp.conf
@@ -0,0 +1,37 @@
+stream {
+ upstream backend {
+ server 127.0.0.1:${rtmp_port};
+ }
+ server {
+ listen ${rtmps_port} ssl;
+ listen [::]:${rtmps_port} ssl;
+
+ ssl_certificate /var/lib/dehydrated/certs/${server_name}/fullchain.pem;
+ ssl_certificate_key /var/lib/dehydrated/certs/${server_name}/privkey.pem;
+
+ proxy_pass backend;
+ }
+}
+
+rtmp {
+ server {
+ listen 127.0.0.1:${rtmp_port};
+ chunk_size 4096;
+
+ application ${streaming_key} {
+ live on;
+ record off;
+ allow publish 127.0.0.1; # for streaming through nginx
+ allow play 127.0.0.1; # for the pull from /live
+ }
+
+ application live {
+ live on;
+ record off;
+ deny publish all; # no need to publish on /live
+ allow play all; # playing allowed
+
+ pull rtmp://127.0.0.1:${rtmp_port}/${streaming_key};
+ }
+ }
+}
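Review bot: `config.get('http', True)` is now the single switch that decides whether a vhost file goes to sites-http (included inside `http {}`) or to sites (included at nginx's main context), and nothing in the hunk says so; a vhost whose template does not match the directory it is routed to breaks the whole nginx config on the next restart, not just that site. A comment above the branch would prevent that, e.g. `# 'http': False routes the file to /etc/nginx/sites, which nginx.conf includes at main level (stream {} / rtmp {} blocks); everything else is http-context and goes to sites-http`. The second use of `{sites}` in the hunk at `@@ -88,8 +99,8 @@` depends on the variable having been set earlier in the same loop iteration, which holds as long as nobody adds a `continue` between them. The for-loop body starts and ends outside these hunks.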
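Review bot: The `stream` server proxies to 127.0.0.1:${rtmp_port} without `proxy_protocol`, so every RTMPS client presumably reaches the `rtmp` block with source address 127.0.0.1, and `allow publish 127.0.0.1` / `allow play 127.0.0.1` in `application ${streaming_key}` then admit every remote client rather than only the local pull; the application name (the streaming key) becomes the sole publish credential. That should be stated in the file so nobody later relies on those two directives as an IP restriction, e.g. `# NOTE: RTMPS clients arrive via the stream proxy as 127.0.0.1; the application name (streaming_key) is the only thing gating publish`. Since the rendered vhost therefore carries the key in cleartext under /etc/nginx/sites, the corresponding `files[...]` item in items.py should set a restrictive mode — the visible items.py hunks set `content`, `needs` and `triggers` only.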
diff --git a/nodes/netcup.mails.py b/nodes/netcup.mails.py
index c140681..cf4bbed 100644
--- a/nodes/netcup.mails.py
+++ b/nodes/netcup.mails.py
@@ -107,6 +107,7 @@
 'ckn.li': {},
 'sublimity.de': {},
 'freibrief.net': {},
+ 'rtmp.sublimity.de': {},
 },
 },
 'mailserver': {
@@ -126,8 +127,24 @@
 'rspamd': {
 'hostname': 'rspamd.sublimity.de',
 },
+ 'nftables': {
+ 'input': {
+ 'tcp dport 1937 accept',
+ },
+ },
 'nginx': {
 'vhosts': {
+ 'rtmp.sublimity.de': {
+ 'http': False,
+ 'content': 'nginx/rtmp.conf',
+ 'context': {
+ 'rtmp_port': 1936,
+ 'rtmps_port': 1937,
+ 'streaming_key': 'testtest',
+ #'streaming_key': '!decrypt:encrypt$gAAAAABjjSrmEUVBLIWnPDxKmd3VFmof3SGI-icr2tJZUeuZkXGYJ9IG5C_3R0oDT8CUoqVv74mxGyJQ9wj9EzQm8DNLuSaxqlMZbn4qvKMDYRlK2B0D0is=',
+ },
+ 'internal_dns': False,
+ },
 'cloud.sublimity.de': {
 'content': 'nginx/proxy_pass.conf',
 'context': {
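Review bot: `'streaming_key': 'testtest'` is the value that gets deployed, while the `!decrypt:encrypt$…` line below it is commented out, and in rtmp.conf the streaming key is the application name that gates publishing on the port nftables now opens (`tcp dport 1937 accept`); a guessable literal there means anyone reaching 1937 can publish. The active and commented lines should be swapped before this lands, keeping `'streaming_key': '!decrypt:encrypt$<value from the commented line>',` and dropping the plain literal rather than leaving it as a comment. Port 1937 is also written twice (`'tcp dport 1937 accept'` and `'rtmps_port': 1937`); deriving the nftables rule from the vhost context, or naming the port once in a local variable, would keep them from drifting apart.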