diff --git a/nixos/roles/matrix/livekit.nix b/nixos/roles/matrix/livekit.nix
index c973c63..15ab0cb 100644
--- a/nixos/roles/matrix/livekit.nix
+++ b/nixos/roles/matrix/livekit.nix
@@ -9,7 +9,7 @@
   settings = {
     rtc = {
       tcp_port = 7881;
-      udp_port = 7882;
+      #udp_port = 7882;
       port_range_start = 50000;
       port_range_end = 60000;
       use_external_ip = true;
@@ -31,11 +31,24 @@
   systemd.services.livekit.serviceConfig = {
     PrivateUsers = lib.mkForce false;
+    DynamicUser = lib.mkForce false;
+    User = "livekit";
+    Group = "livekit";
     RestrictAddressFamilies = lib.mkForce [
       "AF_INET"
       "AF_INET6"
       "AF_NETLINK"
       "AF_UNIX"
     ];
+    SystemCallFilter = lib.mkForce [ "@system-service" ];
   };
+
+  users = {
+    users.livekit = {
+      isSystemUser = true;
+      group = "livekit";
+    };
+    groups.livekit = { };
+  };
+
 }
diff --git a/nixos/roles/nginx.nix b/nixos/roles/nginx.nix
index 304c3fe..632c4bc 100644
--- a/nixos/roles/nginx.nix
+++ b/nixos/roles/nginx.nix
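Review bot: Commenting out `udp_port = 7882` leaves the 50000–60000 range as the only UDP media path, yet nothing in this commit shows the matching firewall entry (the `networking.firewall` side, if it exists, is outside the diff), and a commented-out line records neither why the single mux port was dropped nor whether it is meant to return. Either delete the line or replace it with a comment that states the reason, e.g. `# udp_port intentionally unset: media uses port_range_start..port_range_end`, and confirm the corresponding `allowedUDPPortRanges` entry covers that range.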
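Review bot: `SystemCallFilter = lib.mkForce [ "@system-service" ]` replaces whatever filter the NixOS livekit module sets rather than extending it, so any deny entries the module carried (a `~@privileged`-style list, if present — not visible here) are dropped along with it; if the intent was only to add `@system-service`, `lib.mkAfter [ "@system-service" ]` or repeating the module's entries alongside it keeps the narrower profile. The move from `DynamicUser` to a static `livekit` account also needs a one-line comment giving the reason, since the diff does not show what the persistent UID is for, e.g. `# static user instead of DynamicUser: <reason>`; combined with the existing `PrivateUsers = false`, the service now runs as a stable system account, so the ownership of its state and key files should be checked against that user.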
@@ -100,8 +100,46 @@ in
       "calvin.cyperpunk.de" = mkWsProxy 15006;
       "cinny.cyperpunk.de" = mkWsProxy 8009;
-      "element.cyperpunk.de" = mkWsProxy 8010;
-      "element-call.cyperpunk.de" = mkWsProxy 8013;
+
+      "element-call.cyperpunk.de" = {
+        forceSSL = true;
+        enableACME = true;
+        locations."/" = {
+          proxyPass = "http://${upstream}:8013";
+          proxyWebsockets = true;
+          extraConfig = ''
+            add_header Cross-Origin-Opener-Policy "same-origin";
+            add_header Cross-Origin-Embedder-Policy "require-corp";
+            add_header Cross-Origin-Resource-Policy "cross-origin";
+          '';
+        };
+      };
+
+      "element.cyperpunk.de" = {
+        forceSSL = true;
+        enableACME = true;
+        locations = {
+          "/" = {
+            proxyPass = "http://${upstream}:8010";
+            proxyWebsockets = true;
+          };
+          "/widgets/element-call/config.json" = {
+            extraConfig = ''
+              default_type application/json;
+              add_header Access-Control-Allow-Origin *;
+              return 200 '{
+                "livekit_service_url": "https://cyperpunk.de/livekit/jwt/",
+                "default_server_config": {
+                  "m.homeserver": {
+                    "base_url": "https://matrix.cyperpunk.de",
+                    "server_name":"cyperpunk.de"
+                  }
+                }
+              }';
+            '';
+          };
+        };
+      };
       "cyperpunk.de" = {
         forceSSL = true;
@@ -132,6 +170,15 @@ in
         '';
       };
+      "/_matrix/client/unstable/org.matrix.msc4143/rtc/transports" = {
+        extraConfig = ''
+          default_type application/json;
+          add_header Access-Control-Allow-Origin *;
+          add_header Access-Control-Allow-Headers "Authorization, Content-Type";
+          add_header Access-Control-Allow-Methods "GET, OPTIONS";
+          return 200 '{"rtc_transports":[{"type":"livekit","livekit_service_url":"https://cyperpunk.de/livekit/jwt/"}]}';
+        '';
+      };
     };
   };
 };
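Review bot: The `add_header` lines inside the element-call `/` location and the `/widgets/element-call/config.json` location switch off inheritance of any `add_header` directives set at the server level for those responses — nginx inherits them only when the current level defines none — so if this vhost sets headers such as HSTS elsewhere (not visible in the hunk), they must be repeated here or they silently disappear for these paths. Separately, the config body is hand-written JSON inside an nginx string, and the same `livekit_service_url` is typed again in the `rtc/transports` location of the next hunk; generating the body with `builtins.toJSON` from one shared value keeps the JSON valid and the two endpoints in sync. A sketch for the config.json location follows; the `/` location and the rest of the vhost are unchanged.
```nix
"/widgets/element-call/config.json" = {
  extraConfig = ''
    default_type application/json;
    add_header Access-Control-Allow-Origin *;
    return 200 '${builtins.toJSON {
      livekit_service_url = "https://cyperpunk.de/livekit/jwt/";
      default_server_config."m.homeserver" = {
        base_url = "https://matrix.cyperpunk.de";
        server_name = "cyperpunk.de";
      };
    }}';
  '';
};
# … unchanged: "/" proxy location and the element-call vhost …
```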
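Review bot: This static location answers a Matrix client-API path on the `cyperpunk.de` vhost (the enclosing `locations` block starts outside the hunk), so if `/_matrix` is proxied to the homeserver elsewhere in that vhost, nginx's longest-prefix match makes this canned JSON shadow whatever the homeserver would return for the path, including a future native implementation; a comment should record that it is a stop-gap and what would retire it, e.g. `# static MSC4143 rtc_transports answer; remove once the homeserver serves this path itself`. The `livekit_service_url` here duplicates the one in the config.json location of the previous hunk, so the two can drift unless both come from one binding. With `Access-Control-Allow-Origin *` and no credentials involved the CORS headers are fine for a discovery document, but an `OPTIONS` preflight will also receive the 200 JSON body, which is worth noting in the same comment so it is not mistaken for a bug later.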