diff --git a/modules/matrix.nix b/modules/matrix.nix
index b74ba05..9a3b8ce 100644
--- a/modules/matrix.nix
+++ b/modules/matrix.nix
@@ -65,8 +65,8 @@ in
 domain = matrixRtcDomain;
 tls_port = 5349;
 udp_port = 3478;
- cert_file = "/var/lib/acme/${matrixRtcDomain}/fullchain.pem";
- key_file = "/var/lib/acme/${matrixRtcDomain}/key.pem";
+ cert_file = "/run/credentials/livekit.service/turn-cert";
+ key_file = "/run/credentials/livekit.service/turn-key";
 };
 };
 keyFile = livekitKeyFile;
@@ -80,7 +80,10 @@ in
 systemd.services.lk-jwt-service.environment.LIVEKIT_FULL_ACCESS_HOMESERVERS = serverName;
- systemd.services.livekit.serviceConfig.SupplementaryGroups = [ "acme" ];
+ systemd.services.livekit.serviceConfig.LoadCredential = [
+ "turn-cert:/var/lib/acme/${matrixRtcDomain}/fullchain.pem"
+ "turn-key:/var/lib/acme/${matrixRtcDomain}/key.pem"
+ ];
 systemd.services.livekit.after = [ "acme-${matrixRtcDomain}.service" ];
 systemd.services.livekit.requires = [ "acme-${matrixRtcDomain}.service" ];
diff --git a/modules/nginx.nix b/modules/nginx.nix
index c06241d..4285db1 100644
--- a/modules/nginx.nix
+++ b/modules/nginx.nix
@@ -402,6 +402,14 @@ in
 proxy_set_header Host $host;
 proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
 proxy_set_header X-Forwarded-Proto $scheme;
+
+ add_header Access-Control-Allow-Origin "*" always;
+ add_header Access-Control-Allow-Methods "GET, POST, OPTIONS" always;
+ add_header Access-Control-Allow-Headers "Authorization, Content-Type" always;
+
+ if ($request_method = OPTIONS) {
+ return 204;
+ }
 '';
 };
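Review bot: The new `cert_file` and `key_file` values hard-code both the unit name `livekit.service` and the credential IDs `turn-cert` / `turn-key`, which are defined in a different hunk of this file (the `LoadCredential` list). A rename on either side leaves the TURN listener without a readable certificate, and the mismatch would only show up when the service starts. A comment above `cert_file` would tie the two together, for example `# Paths are the LoadCredential IDs of systemd.services.livekit; keep both in sync.` The enclosing attribute set begins outside the hunk.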
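Review bot: `LoadCredential` copies the certificate and key into the unit's credentials directory once, at service start, so after an ACME renewal livekit keeps presenting the old TURN certificate until the unit is restarted. The `after` / `requires` lines on `acme-${matrixRtcDomain}.service` order the first start; whether they also cause a restart on renewal depends on how the acme unit is run and cannot be seen from this hunk. If it is not already set elsewhere in the module, add `security.acme.certs.${matrixRtcDomain}.reloadServices = [ "livekit.service" ];` so that a renewal restarts the service and the credential copy is refreshed. A one-line comment next to `LoadCredential` noting that it replaces `acme` group membership, so livekit can no longer read other domains' keys, would keep a later editor from reverting it.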
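Review bot: The `add_header` lines added to this `extraConfig` replace, rather than extend, any `add_header` directives inherited from the server or http level, because nginx inherits them only when the current level defines none. Security headers set higher up (HSTS, `X-Content-Type-Options` and the like) would therefore stop being sent for this location. The location and its server block start outside the hunk, so whether such headers exist is not visible here; if they do, they need to be repeated in this block. Separately, `Access-Control-Allow-Origin "*"` combined with `Authorization` in the allowed headers lets script on any origin call this endpoint with a token it holds, which is appropriate only if the upstream is meant to be a public API; a comment such as `# CORS intentionally open: <reason>` would record that decision. If the proxied service already emits its own CORS headers the browser will see duplicates and reject the response, in which case `proxy_hide_header Access-Control-Allow-Origin;` is needed as well.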