# NixOS module: runs the LiveKit server and lk-jwt-service, and publishes both
# through a single Caddy virtual host. Port numbers and the public domain are
# read from the `service_configs` module argument.
{ service_configs, ... }:
let
  inherit (service_configs) ports;
  domain = service_configs.livekit.domain;

  # Key file given to both LiveKit and lk-jwt-service below.
  # NOTE(review): this is a Nix path literal. A path literal is copied into
  # the world-readable /nix/store as soon as it is coerced to a string, and a
  # flake copies its whole source tree there anyway. Confirm how this file is
  # protected, e.g. encrypted in the repository, or replaced by a runtime path
  # provisioned by a secrets tool such as agenix or sops-nix.
  livekitKeys = ../secrets/livekit_keys;
in
{
  services = {
    livekit = {
      enable = true;
      keyFile = livekitKeys;

      # NOTE(review): signalling is bound to loopback and only reachable via
      # Caddy, so this is presumably wanted for the RTC port range below.
      # Verify exactly which ports the module opens.
      openFirewall = true;

      settings = {
        # Signalling listener: loopback only; Caddy is the public entry point.
        port = ports.livekit;
        bind_addresses = [ "127.0.0.1" ];

        # Media port range and external-IP advertisement.
        rtc = {
          port_range_start = 50100;
          port_range_end = 50200;
          use_external_ip = true;
        };

        # LiveKit's built-in TURN stays off; coturn is already running.
        turn.enabled = false;

        logging.level = "info";
      };
    };

    # Shares the LiveKit key file and points clients at the public wss:// URL.
    lk-jwt-service = {
      enable = true;
      keyFile = livekitKeys;
      livekitUrl = "wss://${domain}";
      port = ports.lk_jwt;
    };

    # Requests for /sfu/get and /healthz go to lk-jwt-service; every other
    # request on this host goes to LiveKit. Both upstreams are given as
    # ":PORT", i.e. on the local machine.
    # NOTE(review): /healthz is reachable from the public side of this host;
    # confirm that is intended.
    caddy.virtualHosts.${domain}.extraConfig = ''
      @jwt path /sfu/get /healthz
      handle @jwt {
        reverse_proxy :${toString ports.lk_jwt}
      }
      handle {
        reverse_proxy :${toString ports.livekit}
      }
    '';
  };
}