diff --git a/hosts/fw/modules/firewall.nix b/hosts/fw/modules/firewall.nix
index 61f9205..31f1fbc 100644
--- a/hosts/fw/modules/firewall.nix
+++ b/hosts/fw/modules/firewall.nix
@@ -122,7 +122,8 @@
 
               # Forward to git server
               oifname "server" ip daddr ${config.networkPrefix}.97.55 tcp dport { 22 } counter accept 
-              oifname "server" ip daddr ${config.networkPrefix}.97.5 tcp dport { 80, 443 } counter accept 
+              oifname "server" ip daddr ${config.networkPrefix}.97.5 tcp dport { 80, 443 } counter accept
+              oifname "server" ip daddr ${config.networkPrefix}.97.5 udp dport { 50000-50200 } counter accept comment "LiveKit SFU media"
 
               # lan and vpn to any
               iifname { "lan", "server", "vserver", "wg_cloonar" } oifname { "lan", "vb-*", "vm-*", "server", "vserver", "infrastructure", "multimedia", "smart", "wg_cloonar", "guest", "setup" } counter accept
@@ -172,6 +173,7 @@
               iifname "server" ip daddr ${config.networkPrefix}.96.255 udp dport { 9 } dnat to ${config.networkPrefix}.96.255
               iifname "wan" tcp dport { 22 } dnat to ${config.networkPrefix}.97.55
               iifname "wan" tcp dport { 80, 443 } dnat to ${config.networkPrefix}.97.5
+              iifname "wan" udp dport { 50000-50200 } dnat to ${config.networkPrefix}.97.5 comment "LiveKit SFU media"
               iifname "wan" tcp dport { 5000 } dnat to ${config.networkPrefix}.97.51
               iifname { "wan", "lan" } udp dport { 7777, 7778, 27015 } dnat to ${config.networkPrefix}.97.201
               iifname { "wan", "lan" } tcp dport { 27020 } dnat to ${config.networkPrefix}.97.201
diff --git a/hosts/fw/modules/web/matrix.nix b/hosts/fw/modules/web/matrix.nix
index d9a8ece..ecd94be 100644
--- a/hosts/fw/modules/web/matrix.nix
+++ b/hosts/fw/modules/web/matrix.nix
@@ -10,6 +10,13 @@ let
       issuer = baseUrl + "/";
       account = baseUrl + "/account";
     };
+    # MatrixRTC LiveKit focus for Element Call
+    "org.matrix.msc4143.rtc_foci" = [
+      {
+        type = "livekit";
+        livekit_service_url = "${baseUrl}/livekit/jwt";
+      }
+    ];
   };
   serverConfig."m.server" = "${fqdn}:443";
   mkWellKnown = data: ''
@@ -221,7 +228,13 @@ in {
       experimental_features = {
         msc4190_enabled = true;
         msc3202_device_masquerading = true;
+        # MatrixRTC support
+        msc3266_enabled = true;
+        msc4222_enabled = true;
       };
+
+      # MatrixRTC delayed events (MSC4140) — prevents stuck calls
+      max_event_delay_duration = "24h";
     };
   };
 
@@ -233,7 +246,7 @@ in {
   systemd.services.matrix-synapse.wants = [ "matrix-authentication-service.service" ];
   systemd.services.matrix-synapse.serviceConfig.PrivateUsers = lib.mkForce false;
   systemd.services.matrix-synapse.preStart = lib.mkAfter ''
-    install -m 0600 -o matrix-synapse /dev/null ${synapseVoipConfig}
+    install -m 0600 /dev/null ${synapseVoipConfig}
     TURN_SECRET=$(cat ${config.sops.secrets.coturn-static-secret.path})
     cat > ${synapseVoipConfig} <<EOF
     turn_uris:
@@ -263,6 +276,12 @@ in {
             issuer = "https://matrix.cloonar.com/";
             account = "https://matrix.cloonar.com/account";
           };
+          "org.matrix.msc4143.rtc_foci" = [
+            {
+              type = "livekit";
+              livekit_service_url = "https://matrix.cloonar.com/livekit/jwt";
+            }
+          ];
         };
         oidc_static_clients = {
           "https://matrix.cloonar.com/" = {
@@ -307,6 +326,21 @@ in {
     locations."/login".proxyPass = "http://127.0.0.1:8081";
     locations."/change-password".proxyPass = "http://127.0.0.1:8081";
 
+    # LiveKit JWT service for MatrixRTC
+    locations."^~ /livekit/jwt/" = {
+      proxyPass = "http://127.0.0.1:8082/";
+    };
+    # LiveKit SFU WebSocket
+    locations."^~ /livekit/sfu/" = {
+      proxyPass = "http://127.0.0.1:7880/";
+      proxyWebsockets = true;
+      extraConfig = ''
+        proxy_send_timeout 120;
+        proxy_read_timeout 120;
+        proxy_buffering off;
+      '';
+    };
+
     # Synapse endpoints
     locations."/_matrix".proxyPass = "http://[::1]:8008";
     locations."/_synapse/client".proxyPass = "http://[::1]:8008";
@@ -424,6 +458,55 @@ in {
     };
   };
 
+  #
+  # LiveKit SFU + JWT service for MatrixRTC video/voice calls
+  #
+
+  # LiveKit SFU — handles WebRTC media relay
+  services.livekit = {
+    enable = true;
+    openFirewall = true;
+    keyFile = "/run/livekit/key";
+    settings = {
+      rtc = {
+        port_range_start = 50000;
+        port_range_end = 50200;
+        use_external_ip = true;
+      };
+      room.auto_create = false;
+    };
+  };
+
+  # JWT service — validates Matrix OpenID tokens and issues LiveKit JWTs
+  services.lk-jwt-service = {
+    enable = true;
+    livekitUrl = "wss://${fqdn}/livekit/sfu";
+    port = 8082;
+    keyFile = "/run/livekit/key";
+  };
+
+  # Only allow cloonar.com users to create LiveKit rooms
+  systemd.services.lk-jwt-service.environment.LIVEKIT_FULL_ACCESS_HOMESERVERS = "cloonar.com";
+
+  # Generate LiveKit API key on boot
+  systemd.services.livekit-key-generate = {
+    description = "Generate LiveKit API key";
+    before = [ "livekit.service" "lk-jwt-service.service" ];
+    requiredBy = [ "livekit.service" "lk-jwt-service.service" ];
+    serviceConfig = {
+      Type = "oneshot";
+      RemainAfterExit = true;
+    };
+    script = ''
+      if [ ! -f /run/livekit/key ]; then
+        mkdir -p /run/livekit
+        SECRET=$(${pkgs.openssl}/bin/openssl rand -hex 32)
+        echo "lk-jwt-service: $SECRET" > /run/livekit/key
+        chmod 0644 /run/livekit/key
+      fi
+    '';
+  };
+
   # Mattermost bridge (bridgev2 — attrs replace entirely, so include all needed fields)
   services.mautrix-mattermost = {
     enable = true;
diff --git a/hosts/web-arm/sites/cloonar.com.nix b/hosts/web-arm/sites/cloonar.com.nix
index 5aac37c..5bdae4e 100644
--- a/hosts/web-arm/sites/cloonar.com.nix
+++ b/hosts/web-arm/sites/cloonar.com.nix
@@ -9,6 +9,13 @@ let
       issuer = "https://matrix.cloonar.com/";
       account = "https://matrix.cloonar.com/account";
     };
+    # MatrixRTC LiveKit focus for Element Call
+    "org.matrix.msc4143.rtc_foci" = [
+      {
+        type = "livekit";
+        livekit_service_url = "https://matrix.cloonar.com/livekit/jwt";
+      }
+    ];
   };
   matrixServerConfig."m.server" = "matrix.cloonar.com:443";
 in {