# NixOS module: runs the LiveKit server and lk-jwt-service, and publishes both
# through a single Caddy virtual host on service_configs.livekit.domain.
{ service_configs, ... }:
let
  # Key material handed to both livekit and lk-jwt-service below.
  # NOTE(review): this is a Nix path literal. If the file is plaintext at
  # evaluation time it will likely be copied into the world-readable
  # /nix/store once a module interpolates it; confirm it is protected
  # (for example provisioned at runtime by a secrets manager) or pass a
  # runtime path string that lives outside the store.
  livekitKeyFile = ../secrets/livekit_keys;

  # Ports and hostname come from the shared service_configs argument.
  livekitPort = service_configs.ports.public.livekit.port;
  jwtPort = service_configs.ports.private.lk_jwt.port;
  domain = service_configs.livekit.domain;
in
{
  services.livekit = {
    enable = true;
    keyFile = livekitKeyFile;

    # NOTE(review): confirm exactly which ports this option opens. The
    # signalling port is bound to loopback below, so presumably only the RTC
    # range (50100-50200) needs to be reachable from outside.
    openFirewall = true;

    settings = {
      port = livekitPort;

      # Signalling listens on loopback only; outside clients reach it through
      # the Caddy virtual host defined at the bottom of this module.
      bind_addresses = [ "127.0.0.1" ];

      rtc.port_range_start = 50100;
      rtc.port_range_end = 50200;
      rtc.use_external_ip = true;

      # Disable LiveKit's built-in TURN; coturn is already running
      turn.enabled = false;

      logging.level = "info";
    };
  };

  # Shares the LiveKit key file above and points at the public wss:// URL
  # (presumably so that tokens it issues are accepted by LiveKit; verify).
  services.lk-jwt-service = {
    enable = true;
    keyFile = livekitKeyFile;
    livekitUrl = "wss://${domain}";
    port = jwtPort;
  };

  # Routing: /sfu/get and /healthz go to lk-jwt-service, everything else goes
  # to LiveKit. Both upstreams are given as ":PORT" with no host part.
  # NOTE(review): the lk_jwt port is filed under ports.private, yet these two
  # paths are reachable through this public vhost; confirm that exposing
  # /healthz externally is intended.
  services.caddy.virtualHosts."${domain}".extraConfig = ''
    @jwt path /sfu/get /healthz
    handle @jwt {
      reverse_proxy :${toString jwtPort}
    }
    handle {
      reverse_proxy :${toString livekitPort}
    }
  '';
}