diff --git a/nixos/module/generic/matrix-cluster.nix b/nixos/module/generic/matrix-cluster.nix
index 56473ee..165c959 100644
--- a/nixos/module/generic/matrix-cluster.nix
+++ b/nixos/module/generic/matrix-cluster.nix
@@ -288,7 +288,6 @@ in {
 cert = "${config.security.acme.certs.${realm}.directory}/full.pem";
 pkey = "${config.security.acme.certs.${realm}.directory}/key.pem";
 listening-ips = [ cfg.publicIp ];
- no-tcp-relay = true;
 relay-ips = [ cfg.publicIp ];
 listening-port = 3478;
 tls-listening-port = 5349;
@@ -392,6 +391,12 @@ in {
 networking.firewall = lib.mkIf (cfg.turnSecretFile != null) {
 allowedUDPPorts = [ 3478 5349 ];
 allowedTCPPorts = [ 3478 5349 ];
+ allowedTCPPortRanges = [
+ {
+ from = 49152;
+ to = 65535;
+ }
+ ];
 allowedUDPPortRanges = [
 {
 from = 49152;
diff --git a/nixos/module/hectic/service/element-rtc.nix b/nixos/module/hectic/service/element-rtc.nix
index c5ec333..df9dc9a 100644
--- a/nixos/module/hectic/service/element-rtc.nix
+++ b/nixos/module/hectic/service/element-rtc.nix
@@ -80,11 +80,30 @@ in {
 }'
 '';
 };
+ locations."= /livekit/jwt" = {
+ priority = 500;
+ proxyPass = "http://[::1]:${toString config.services.lk-jwt-service.port}/";
+ };
+
 locations."^~ /livekit/jwt/" = {
 priority = 400;
 proxyPass = "http://[::1]:${toString config.services.lk-jwt-service.port}/";
 };

+ locations."= /livekit/sfu" = {
+ priority = 500;
+ proxyPass = "http://[::1]:${toString config.services.livekit.settings.port}/";
+ proxyWebsockets = true;
+ extraConfig = ''
+ proxy_send_timeout 120;
+ proxy_read_timeout 120;
+ proxy_buffering off;
+ proxy_set_header Accept-Encoding gzip;
+ proxy_set_header Upgrade $http_upgrade;
+ proxy_set_header Connection "upgrade";
+ '';
+ };
+
 locations."^~ /livekit/sfu/" = {
 priority = 400;
 proxyPass = "http://[::1]:${toString config.services.livekit.settings.port}/";
diff --git a/nixos/module/hectic/service/element.nix b/nixos/module/hectic/service/element.nix
index 21cc532..09a9f84 100644
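Review bot: The new `allowedTCPPortRanges` entry in the `networking.firewall` hunk of matrix-cluster.nix opens TCP 49152–65535 host-wide, so any other service on this machine that binds a TCP port in that range becomes reachable from outside, not only coturn's relay sockets. Together with the removal of `no-tcp-relay = true;` in the first hunk, authenticated TURN clients can now ask the server to open TCP connections to peers of their choosing, and neither hunk shows whether private and loopback ranges are blocked for relay peers. If TCP relay is really needed, I would add coturn `denied-peer-ip` ranges for RFC 1918, loopback and link-local addresses (through the module's `extraConfig`, unless they are already set elsewhere) and pin coturn's `min-port`/`max-port` to the same range the firewall opens; otherwise keep `no-tcp-relay = true;` and drop this range. Both the coturn attribute set and the firewall block continue outside the hunks.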
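Review bot: The added `= /livekit/sfu` location in element-rtc.nix sets `proxy_set_header Upgrade $http_upgrade;` and `proxy_set_header Connection "upgrade";` by hand although `proxyWebsockets = true;` is set on the same location; the NixOS nginx module already emits the upgrade headers for that option, so the two sources can disagree or be sent twice. I would drop those two lines from `extraConfig` and keep only the timeouts and `proxy_buffering off;`. The block also appears to repeat the settings of the existing `^~ /livekit/sfu/` location, whose body continues outside the hunk, so a shared `let` binding for both locations would keep the exact-match and prefix rules from drifting. A short comment such as `# exact match: clients may request /livekit/sfu without a trailing slash` would explain why each path is declared twice.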
--- a/nixos/module/hectic/service/element.nix
+++ b/nixos/module/hectic/service/element.nix
@@ -22,6 +22,8 @@ in {
 enableACME = true;
 forceSSL = true;

+ locations."= /config.element.${matrixDomain}.json".return = "302 /config.json";
+
 root = pkgs.element-web.override {
 conf = {
 default_server_config = {
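Review bot: The redirect added in element.nix hard-codes the host part of the file name as `element.${matrixDomain}`, and nothing in the hunk ties it to the virtual host this block configures; if the vhost name is built from a different expression, the location will silently stop matching. Deriving both from one binding would avoid that. The line also has no comment; something like `# Element Web asks for config.<hostname>.json before config.json; redirect so both resolve to the generated config` would tell the next reader why it is there. The vhost attribute set starts and ends outside the hunk.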