diff --git a/configuration.nix b/configuration.nix
index 16b7b19..07a1713 100644
--- a/configuration.nix
+++ b/configuration.nix
@@ -40,6 +40,7 @@
 ./services/matrix.nix
 ./services/coturn.nix
+ ./services/livekit.nix
 ./services/monero.nix
 ./services/xmrig.nix
diff --git a/flake.nix b/flake.nix
index 64d1cb8..5d84f04 100644
--- a/flake.nix
+++ b/flake.nix
@@ -123,6 +123,8 @@
 coturn = 3478;
 coturn_tls = 5349;
 ntfy = 2586;
+ livekit = 7880;
+ lk_jwt = 8081;
 };
 
 https = {
@@ -182,6 +184,10 @@
 domain = "ntfy.${https.domain}";
 };
 
+ livekit = {
+ domain = "livekit.${https.domain}";
+ };
+
 syncthing = {
 dataDir = services_dir + "/syncthing";
 signalBackupDir = "/${zpool_ssds}/bak/signal";
diff --git a/secrets/livekit_keys b/secrets/livekit_keys
new file mode 100644
index 0000000..f3bc827
Binary files /dev/null and b/secrets/livekit_keys differ
diff --git a/services/livekit.nix b/services/livekit.nix
new file mode 100644
index 0000000..c1579d7
--- /dev/null
+++ b/services/livekit.nix
@@ -0,0 +1,53 @@
+{
+ service_configs,
+ ...
+}:
+let
+ keyFile = ../secrets/livekit_keys;
+
+ ports = service_configs.ports;
+in
+{
+ services.livekit = {
+ enable = true;
+ inherit keyFile;
+ openFirewall = true;
+
+ settings = {
+ port = ports.livekit;
+ bind_addresses = [ "127.0.0.1" ];
+
+ rtc = {
+ port_range_start = 50100;
+ port_range_end = 50200;
+ use_external_ip = true;
+ };
+
+ # Disable LiveKit's built-in TURN; coturn is already running
+ turn = {
+ enabled = false;
+ };
+
+ logging = {
+ level = "info";
+ };
+ };
+ };
+
+ services.lk-jwt-service = {
+ enable = true;
+ inherit keyFile;
+ livekitUrl = "wss://${service_configs.livekit.domain}";
+ port = ports.lk_jwt;
+ };
+
+ services.caddy.virtualHosts."${service_configs.livekit.domain}".extraConfig = ''
+ @jwt path /sfu/get /healthz
+ handle @jwt {
+ reverse_proxy :${builtins.toString ports.lk_jwt}
+ }
+ handle {
+ reverse_proxy :${builtins.toString ports.livekit}
+ }
+ '';
+}
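Review bot: `keyFile = ../secrets/livekit_keys;` in the new services/livekit.nix is a Nix path literal, so when the livekit and lk-jwt-service modules interpolate it into their unit definitions the file is copied into /nix/store, which is readable by every local user and follows the closure into any store copy or binary cache — the LiveKit API key and secret that this file holds should not travel that way. Point both services at an out-of-store path provisioned at activation time, e.g. `keyFile = "/run/secrets/livekit_keys";` (a string, not a path), populated by whatever secret manager the `secrets/` directory is managed with; this diff does not show how `secrets/` is handled, so confirm that before changing it, and if the newly added binary `secrets/livekit_keys` is plaintext rather than encrypted the key pair needs rotating as well. A short comment on `openFirewall = true;` such as `# Only the RTC UDP range 50100-50200 needs to be reachable; signaling is bound to 127.0.0.1 and exposed via Caddy` would make the intent of the loopback bind plus open firewall clear to the next reader.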
diff --git a/services/matrix.nix b/services/matrix.nix
index 8f5bb25..fe9b0ea 100644
--- a/services/matrix.nix
+++ b/services/matrix.nix
@@ -47,7 +47,7 @@
 header /.well-known/matrix/* Content-Type application/json
 header /.well-known/matrix/* Access-Control-Allow-Origin *
 respond /.well-known/matrix/server `{"m.server": "${service_configs.matrix.domain}:${builtins.toString service_configs.ports.https}"}`
- respond /.well-known/matrix/client `{"m.server":{"base_url":"https://${service_configs.matrix.domain}"},"m.homeserver":{"base_url":"https://${service_configs.matrix.domain}"},"org.matrix.msc3575.proxy":{"base_url":"https://${config.services.matrix-continuwuity.settings.global.server_name}"}}`
+ respond /.well-known/matrix/client `{"m.server":{"base_url":"https://${service_configs.matrix.domain}"},"m.homeserver":{"base_url":"https://${service_configs.matrix.domain}"},"org.matrix.msc3575.proxy":{"base_url":"https://${config.services.matrix-continuwuity.settings.global.server_name}"},"org.matrix.msc4143.rtc_foci":[{"type":"livekit","livekit_service_url":"https://${service_configs.livekit.domain}"}]}`
 '';
 
 services.caddy.virtualHosts."${service_configs.matrix.domain}".extraConfig = ''
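Review bot: The rewritten `respond /.well-known/matrix/client` line is now a hand-written JSON literal of several hundred characters inside a Caddy backtick string, which makes the added `org.matrix.msc4143.rtc_foci` entry easy to mis-nest and hard to review. Build it from an attrset instead, `respond /.well-known/matrix/client `${builtins.toJSON wellKnownClient}``, with `wellKnownClient` defined in a `let` as a nested attrset holding the `m.homeserver`, `org.matrix.msc3575.proxy` and `org.matrix.msc4143.rtc_foci` keys, so Nix handles quoting and the structure is readable. A comment above the line such as `# rtc_foci: clients fetch <livekit_service_url>/sfu/get, which the livekit vhost routes to lk-jwt-service` would also document why the URL points at the LiveKit host rather than a separate JWT host. The enclosing `services.caddy.virtualHosts` block begins before this hunk.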