diff --git a/nixos/roles/matrix/livekit.nix b/nixos/roles/matrix/livekit.nix
index a4d243d..cf52061 100644
--- a/nixos/roles/matrix/livekit.nix
+++ b/nixos/roles/matrix/livekit.nix
@@ -1,11 +1,11 @@
 { config, ... }:
 {
- sops.secrets.livekit_key = { };
+ sops.secrets.livekit_key_sfu = { };
 services.livekit = {
 enable = true;
 openFirewall = true;
- keyFile = config.sops.secrets.livekit_key.path;
+ keyFile = config.sops.secrets.livekit_key_sfu.path;
 settings = {
 rtc = {
 tcp_port = 7881;
diff --git a/nixos/roles/matrix/lk-jwt.nix b/nixos/roles/matrix/lk-jwt.nix
index fa06b39..7ce3978 100644
--- a/nixos/roles/matrix/lk-jwt.nix
+++ b/nixos/roles/matrix/lk-jwt.nix
@@ -1,19 +1,24 @@
-{ config, ... }:
+{ config, lib, ... }:
 let
 domain = "cyperpunk.de";
 synapseUrl = "http://100.109.179.25:8008";
 in
 {
- sops.secrets.livekit_key = { };
+ sops.secrets.livekit_key_jwt = { };
+
+ networking.firewall.allowedTCPPorts = [ 18080 ];
 services.lk-jwt-service = {
 enable = true;
- keyFile = config.sops.secrets.livekit_key.path;
+ keyFile = config.sops.secrets.livekit_key_jwt.path;
 livekitUrl = "wss://cyperpunk.de/livekit/sfu";
 };
- systemd.services.lk-jwt-service.environment = {
- LIVEKIT_FULL_ACCESS_HOMESERVERS = domain;
- MATRIX_BASE_URL = synapseUrl;
+ systemd.services.lk-jwt-service = {
+ environment = {
+ LIVEKIT_FULL_ACCESS_HOMESERVERS = domain;
+ MATRIX_BASE_URL = synapseUrl;
+ LIVEKIT_JWT_BIND = lib.mkForce ":18080";
+ };
 };
 }
diff --git a/nixos/roles/nginx.nix b/nixos/roles/nginx.nix
index 00a7162..304c3fe 100644
--- a/nixos/roles/nginx.nix
+++ b/nixos/roles/nginx.nix
@@ -116,7 +116,7 @@ in
 };
 "^~ /livekit/jwt/" = {
 priority = 400;
- proxyPass = "http://${upstream}:8080/";
+ proxyPass = "http://${upstream}:18080/";
 };
 "^~ /livekit/sfu/" = {
 priority = 400;
diff --git a/secrets/secrets.yaml b/secrets/secrets.yaml
index 03f650a..120a54f 100644
--- a/secrets/secrets.yaml
+++ b/secrets/secrets.yaml
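Review bot: The new `sops.secrets.livekit_key_sfu = { };` declaration in livekit.nix (and its counterpart `livekit_key_jwt` in lk-jwt.nix) carries no comment on why the shared `livekit_key` was split or how the two files relate. The token service signs JWTs that the SFU has to verify, so the two secrets presumably carry matching key material and must be rotated together; that coupling is now invisible in the config. A one-line comment above each declaration would record it, for example `# SFU-side LiveKit key file; must stay consistent with livekit_key_jwt in lk-jwt.nix when rotated`. The `services.livekit` block continues past the end of this hunk.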
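Review bot: In lk-jwt.nix, `networking.firewall.allowedTCPPorts = [ 18080 ];` opens the token service's port on every interface and `LIVEKIT_JWT_BIND = lib.mkForce ":18080"` binds it to every address, so the JWT endpoint becomes reachable directly over plain HTTP instead of only through the `/livekit/jwt/` location in nixos/roles/nginx.nix. If the proxy reaches this host over a private or VPN interface (the `100.109.179.25` address used for `synapseUrl` suggests one, but that is inferred), scope the rule to it: `networking.firewall.interfaces."<vpn-interface>".allowedTCPPorts = [ 18080 ];`, where `<vpn-interface>` is a placeholder for the real interface name. The literal 18080 is also repeated in the firewall rule, the bind address and the nginx `proxyPass`; a single `let` binding in this file would at least keep the first two from drifting apart.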
@@ -8,7 +8,8 @@ vaultwarden_admin_token: ENC[AES256_GCM,data:yoBs4CaIEJXB5b3PEwTpXFgxpX39hR9A4r9 flame_phil_password: ENC[AES256_GCM,data:Xy2ixMeRlnzC2gjKGrjfSbz/ee4=,iv:WFuBS8jn7WYRxEDG3XBzCMnm4eNkHQpSs5+GUwq/dcg=,tag:1zzj0eB9/4KrmYAqcxJMlg==,type:str] flame_calvin_password: ENC[AES256_GCM,data:P5ppyqTjAJ1TL4hXtx5WyoS9a+g=,iv:sq98P3Oqud2FXfqsD76YS/p5NEF2xlN0MfG+ukCB9B0=,tag:AeKnu4Hg4xQ3tII0y6oNpQ==,type:str] paperless_admin: ENC[AES256_GCM,data:sVvlMQ3dDE2XsDfpwpCTbzPCEKdUMNTFtRXDIuBbgyf1gd6oiJzE23Ytc57plNUGg5h5aEtgxZ7NXeuK5vrhQw==,iv:x+QNAzY9k9t23UYlM9GcAke0urEA5jlV0VzHaBQkm7M=,tag:D/bMtjuwrX6pquZfJLwdkQ==,type:str] -livekit_key: ENC[AES256_GCM,data:h5iDET2DrIgudFVIRSzVvQ701urpww/kcXhR7X+GMHjwTZwCLkaC5NmO83Q4e7hM+OIagO8gmoJ2MBWe85sJCw==,iv:LO3WIRurr5t3U6PFKCpMXlKrAXGJOCb9EYT3FBxOYFo=,tag:KLl+qBfTLwAnDr7MHcQg3w==,type:str] +livekit_key_sfu: ENC[AES256_GCM,data:3pRAN0Vz134mg/omkSRlC9OAvToQg42aZbXj7TurYYOLUMnW6sWk+eexyIcYAAjCSP5GRES4WySuN/qjGeUDBKr8OYAxTXjR/w==,iv:NYhcfiKlXT3v5R4djkhHusMMRYgc3bCM66VD0G2MyME=,tag:8341ntSCmteTn+6AM0xu8g==,type:str] +livekit_key_jwt: ENC[AES256_GCM,data:G8IDQoAFpibI7Rs0dTPj7kLj9RogPRpufiq6GMCSFhGYtscTrDlsGOu5+hq0hP487QHnCEMZIUPOcKxy54ktdW2SQKyUDP/qc037o0eFqjI=,iv:iss3/VN0/mbkWujwRsv1+/IIFQ9hVxOg5FVV8A5kl2o=,tag:geLyPYH2iHxcRLUtruUAJg==,type:str] gitea: dbPassword: ENC[AES256_GCM,data:S6VvRgkdYk1AzXljyQEEq68UJ9zrFy6+INBMIAspXNcqcM6o+es19o0mcXA=,iv:/pHYpkZZq+9Md+75uSCb2YXfSvaDzUh6mMfH53wb7eg=,tag:ZnbyCQwrK2JnbO5HFqgJYw==,type:str] internalToken: ENC[AES256_GCM,data:7N8TkPNb1YdCk2uAcCvVd2pKRVOf85//DYxAvz0UCg1E8ccEI5630xVyKafDFiSTM4ER7xiYelartzXL0jLWSf3QNOjSHUP8TIAz4bJRAZUJPxO917bURSLGGe7WEOfONzqy3Ts5QhrJ,iv:DiIs1ytlwLvqD/Ejep6m2fmpSqdFZkxBcgLNt6+29jY=,tag:8jsEcOkH0p+1mP9cnVjiDQ==,type:str] 
@@ -27,7 +28,7 @@ sops: N3I5dzUwc3JtYzczMUhyT04vSHlZamMKT+FzYcDLmlEFYxm/XoBpJb8XaZzBH1v9 6fuez+zApathZfl14w41kAUojPWBznnxDqYtNvzVVLXwnpp3BMx+7w== -----END AGE ENCRYPTED FILE----- - lastmodified: "2026-04-30T11:23:51Z" - mac: ENC[AES256_GCM,data:uN7xSSiy9fDdfFoGjYHyXaRg5eR2CJiW5mDH6OSoKPccZ/MjnA8KCVmdIZplKfQBEuQvxeGHHp2SnnNbEoEdu2tXNdv7eVh1IR4KITPjzHxAjjsOckozajcENF0EWC6uv+Ca3HDU61mC86cpnA6Te9dlk9g9oZ5IDKhQSbKTLVA=,iv:CCdkBQgiZZKf2obQjPGpT+5ltf+ahvDNJjl5xk5xw24=,tag:wOh92+4io+2vKyogkOffGw==,type:str] + lastmodified: "2026-04-30T11:36:37Z" + mac: ENC[AES256_GCM,data:CIRG016ew09deYXENzus8L1abAjpBnKMrziezorwsceFG5I59ch7OJn7edYyr+VaVPrjBb3JeNShC/Ks1Pq7cwl4MGlAyheCpfE1IcFFMK2r0ldvAqgAWZhqLM7QbyQbC9Gkbi95TiMiTgQ8RQRk6RZPEWdBPecLcARLoj9PbcQ=,iv:iAqWDjqy9xZ/xh1n94zWUXiMmqEX9PH0QEFSv6y0Onc=,tag:VJauyqv4HByK3Kq84QI8sQ==,type:str] unencrypted_suffix: _unencrypted version: 3.12.2