diff --git a/ops/nixos/lib/lightspeed/lightspeed-ingest.nix b/ops/nixos/lib/lightspeed/lightspeed-ingest.nix
new file mode 100644
index 0000000000..0cf1e91e75
--- /dev/null
+++ b/ops/nixos/lib/lightspeed/lightspeed-ingest.nix
@@ -0,0 +1,40 @@
+{ depot, config, lib, ... }:
+let
+ cfg = config.services.lightspeed.ingest;
+ inherit (lib) mkOption types mkEnableOption;
+in
+{
+ options.services.lightspeed.ingest = {
+ enable = mkEnableOption "Lightspeed Ingest server (FTL->RTP)";
+ };
+
+ config = lib.mkIf cfg.enable {
+ systemd.services.lightspeed-ingest = {
+ after = [ "network.target" ];
+ wantedBy = [ "multi-user.target" ];
+ serviceConfig = {
+ ExecStart = "${depot.pkgs.lightspeed-ingest}/bin/lightspeed-ingest";
+ DynamicUser = true;
+ ProtectSystem = "strict";
+ CapabilityBoundingSet = "";
+ RestrictAddressFamilies = "AF_INET AF_INET6";
+ RestrictNamespaces = true;
+ PrivateDevices = true;
+ PrivateUsers = true;
+ ProtectClock = true;
+ ProtectControlGroups = true;
+ ProtectHome = "tmpfs";
+ ProtectKernelLogs = true;
+ ProtectKernelModules = true;
+ ProtectKernelTunables = true;
+ ProtectProc = "noaccess";
+ SystemCallArchitectures = "native";
+ RestrictRealtime = true;
+ LockPersonality = true;
+ MemoryDenyWriteExecute = true;
+ UMask = "0077";
+ ProtectHostname = true;
+ };
+ };
+ };
+}
diff --git a/ops/nixos/lib/lightspeed/lightspeed-webrtc.nix b/ops/nixos/lib/lightspeed/lightspeed-webrtc.nix
new file mode 100644
index 0000000000..2bf889471a
--- /dev/null
+++ b/ops/nixos/lib/lightspeed/lightspeed-webrtc.nix
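Review bot: The serviceConfig block turns on most systemd sandboxing knobs but sets no `SystemCallFilter`, so the process keeps the full native syscall surface despite `SystemCallArchitectures = "native"`; adding `SystemCallFilter = [ "@system-service" "~@privileged" "~@resources" ];` beside it is the usual companion and should be verified against the binary with `systemd-analyze security lightspeed-ingest`. The same gap is in the lightspeed-webrtc.nix hunk below. Separately, `inherit (lib) mkOption types mkEnableOption;` pulls in `mkOption` and `types` that this module never uses; `inherit (lib) mkEnableOption;` is enough here. Unlike the webrtc module, no listen-address option is exposed, so where the FTL ingest socket binds is whatever the binary defaults to, which is worth stating in the enable description if it is not loopback.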
@@ -0,0 +1,45 @@
+{ depot, config, lib, ... }:
+let
+ cfg = config.services.lightspeed.webrtc;
+ inherit (lib) mkOption types mkEnableOption;
+in
+{
+ options.services.lightspeed.webrtc = {
+ enable = mkEnableOption "Lightspeed WebRTC server (RTP->WebRTC)";
+ address = mkOption {
+ description = "Address to listen on for incoming RTP traffic and websockets";
+ default = "127.0.0.1";
+ type = types.str;
+ };
+ };
+
+ config = lib.mkIf cfg.enable {
+ systemd.services.lightspeed-webrtc = {
+ after = [ "network.target" ];
+ wantedBy = [ "multi-user.target" ];
+ serviceConfig = {
+ ExecStart = "${depot.pkgs.lightspeed-webrtc}/bin/lightspeed-webrtc -addr ${cfg.address}";
+ DynamicUser = true;
+ ProtectSystem = "strict";
+ CapabilityBoundingSet = "";
+ RestrictAddressFamilies = "AF_INET AF_INET6";
+ RestrictNamespaces = true;
+ PrivateDevices = true;
+ PrivateUsers = true;
+ ProtectClock = true;
+ ProtectControlGroups = true;
+ ProtectHome = "tmpfs";
+ ProtectKernelLogs = true;
+ ProtectKernelModules = true;
+ ProtectKernelTunables = true;
+ ProtectProc = "noaccess";
+ SystemCallArchitectures = "native";
+ RestrictRealtime = true;
+ LockPersonality = true;
+ MemoryDenyWriteExecute = true;
+ UMask = "0077";
+ ProtectHostname = true;
+ };
+ };
+ };
+}
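Review bot: `ExecStart` interpolates `cfg.address` unquoted into the command line, and `types.str` accepts any string, so a value containing whitespace or quotes is split into extra arguments by systemd's ExecStart parser instead of reaching `-addr` as one value; `ExecStart = "${depot.pkgs.lightspeed-webrtc}/bin/lightspeed-webrtc -addr ${lib.escapeShellArg cfg.address}";` keeps it a single argument. The `address` description says the socket carries both incoming RTP and websockets, so the `127.0.0.1` default only exposes it on the local host; the description should say that changing it exposes both endpoints at once, since nothing else in the module (firewall or separate options) distinguishes them. `RestrictAddressFamilies = "AF_INET AF_INET6"` is consistent with that listener and should stay as is.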