Maybe this works

modules/matrix.nix

@@ -55,9 +55,19 @@ in
       rtc = {
         port_range_start = 50000;
         port_range_end = 60000;
+        tcp_port = 7881;
         use_external_ip = true;
+        allow_tcp_fallback = true;
       };
       room.auto_create = false;
+      turn = {
+        enabled = true;
+        domain = matrixRtcDomain;
+        tls_port = 5349;
+        udp_port = 3478;
+        cert_file = "/var/lib/acme/${matrixRtcDomain}/fullchain.pem";
+        key_file = "/var/lib/acme/${matrixRtcDomain}/key.pem";
+      };
     };
     keyFile = livekitKeyFile;
   };
@@ -70,6 +80,11 @@ in
 
   systemd.services.lk-jwt-service.environment.LIVEKIT_FULL_ACCESS_HOMESERVERS = serverName;
 
+  # Allow LiveKit to read ACME TLS certs for built-in TURN server
+  systemd.services.livekit.serviceConfig.SupplementaryGroups = [ "acme" ];
+  systemd.services.livekit.after = [ "acme-${matrixRtcDomain}.service" ];
+  systemd.services.livekit.requires = [ "acme-${matrixRtcDomain}.service" ];
+
   systemd.services.livekit-key = {
     before = [ "lk-jwt-service.service" "livekit.service" ];
     wantedBy = [ "multi-user.target" ];
@@ -83,7 +98,8 @@ in
   };
 
   networking.firewall = {
-    allowedTCPPorts = [ 7880 7881 ];
+    allowedTCPPorts = [ 7880 7881 5349 ];
+    allowedUDPPorts = [ 3478 ];
     allowedUDPPortRanges = [
       { from = 50000; to = 60000; }
     ];