diff --git a/flake.nix b/flake.nix
index 082c2be..7ac02c3 100644
--- a/flake.nix
+++ b/flake.nix
@@ -86,8 +86,6 @@
           ./services/nginx.nix
           ./services/blog.nix
           ./services/coturn.nix
-          ./services/livekit.nix
-          ./services/lk-jwt.nix
           ./services/wireguard-outer.nix
           ./services/borgbackup-vps.nix
         ];
diff --git a/result b/result
deleted file mode 120000
index 62fedd1..0000000
--- a/result
+++ /dev/null
@@ -1 +0,0 @@
-/nix/store/252q6jdcng8my1dsrxb8j5klf1yzaikp-nixos-system-nixos-25.11.20260329.107cba9
\ No newline at end of file
diff --git a/services/livekit.nix b/services/livekit.nix
deleted file mode 100644
index a4d6f7d..0000000
--- a/services/livekit.nix
+++ /dev/null
@@ -1,70 +0,0 @@
-{ config, pkgs, ... }:
-
-{
-  sops.secrets."livekit/api_key" = {
-    sopsFile = ./secrets/livekit_vps.yaml;
-    mode = "0400";
-    owner = "livekit";
-    group = "livekit";
-  };
-  sops.secrets."livekit/api_secret" = {
-    sopsFile = ./secrets/livekit_vps.yaml;
-    mode = "0400";
-    owner = "livekit";
-    group = "livekit";
-  };
-
-  users.users.livekit = {
-    isSystemUser = true;
-    group = "livekit";
-  };
-  users.groups.livekit = { };
-
-  # WebRTC media (UDP) and ICE TCP fallback. HTTP signaling goes through nginx.
-  networking.firewall = {
-    allowedTCPPorts = [ 7881 ];
-    allowedUDPPortRanges = [
-      {
-        from = 50000;
-        to = 50200;
-      }
-    ];
-  };
-
-  systemd.services.livekit = {
-    description = "LiveKit SFU server";
-    wantedBy = [ "multi-user.target" ];
-    after = [ "network-online.target" ];
-    wants = [ "network-online.target" ];
-
-    serviceConfig = {
-      User = "livekit";
-      Group = "livekit";
-      RuntimeDirectory = "livekit";
-      Restart = "always";
-      RestartSec = 5;
-    };
-
-    script = ''
-      API_KEY=$(cat ${config.sops.secrets."livekit/api_key".path})
-      API_SECRET=$(cat ${config.sops.secrets."livekit/api_secret".path})
-
-      cat > /run/livekit/config.yaml <<YAML
-      port: 7880
-      bind_addresses:
-        - "127.0.0.1"
-      rtc:
-        port_range_start: 50000
-        port_range_end: 50200
-        use_external_ip: true
-        tcp_port: 7881
-      logging:
-        level: info
-      keys:
-        $API_KEY: $API_SECRET
-      YAML
-
-      exec ${pkgs.livekit}/bin/livekit-server --config /run/livekit/config.yaml
-    '';
-  };
-}
diff --git a/services/lk-jwt.nix b/services/lk-jwt.nix
deleted file mode 100644
index d7b6883..0000000
--- a/services/lk-jwt.nix
+++ /dev/null
@@ -1,60 +0,0 @@
-{ config, pkgs, lib, ... }:
-
-let
-  # lk-jwt-service isn't in nixpkgs — build from source.
-  # On first `nix build`, the fake hashes will fail and print the correct ones.
-  lk-jwt-service = pkgs.buildGoModule {
-    pname = "lk-jwt-service";
-    version = "0.3.0";
-    src = pkgs.fetchFromGitHub {
-      owner = "element-hq";
-      repo = "lk-jwt-service";
-      rev = "v0.3.0";
-      hash = "sha256-fA33LZkozPTng47kunXWkfUExVbMZsiL8Dtkm1hLV6U=";
-    };
-    vendorHash = "sha256-0A9pd+PAsGs4KS2BnCxc7PAaUAV3Z+XKNqSrmYvxNeM=";
-    meta.mainProgram = "lk-jwt-service";
-  };
-in
-{
-  sops.secrets."livekit/api_key" = {
-    sopsFile = ./secrets/livekit_vps.yaml;
-    mode = "0400";
-    owner = "livekit";
-    group = "livekit";
-  };
-  sops.secrets."livekit/api_secret" = {
-    sopsFile = ./secrets/livekit_vps.yaml;
-    mode = "0400";
-    owner = "livekit";
-    group = "livekit";
-  };
-
-  systemd.services.lk-jwt = {
-    description = "LiveKit JWT service for Matrix OpenID token exchange";
-    wantedBy = [ "multi-user.target" ];
-    after = [
-      "network-online.target"
-      "livekit.service"
-    ];
-    wants = [ "network-online.target" ];
-
-    serviceConfig = {
-      User = "livekit";
-      Group = "livekit";
-      Restart = "always";
-      RestartSec = 5;
-    };
-
-    environment = {
-      LIVEKIT_URL = "wss://livekit.ellie.town";
-      LK_JWT_PORT = "8080";
-    };
-
-    script = ''
-      export LIVEKIT_KEY_FROM_FILE=${config.sops.secrets."livekit/api_key".path}
-      export LIVEKIT_SECRET_FROM_FILE=${config.sops.secrets."livekit/api_secret".path}
-      exec ${lk-jwt-service}/bin/lk-jwt-service
-    '';
-  };
-}
diff --git a/services/secrets/livekit_vps.yaml b/services/secrets/livekit_vps.yaml
deleted file mode 100644
index 1480241..0000000
--- a/services/secrets/livekit_vps.yaml
+++ /dev/null
@@ -1,18 +0,0 @@
-livekit:
-    api_key: ENC[AES256_GCM,data:zD2FsmXwMR6A,iv:lPkUgWv6lmBsE6ASJbLkF99AhhOZXw/fjEDgehvdmKs=,tag:OfnqmoXJM/hVuNo1Iv5eew==,type:str]
-    api_secret: ENC[AES256_GCM,data:HwBLo3/BfMnMtkyYHUYGtCXvZ+IHwQX22otrfVe9895dQR45QgMTJfMDogE=,iv:xyqh45uZdLza+zQURnfaAAtS+hGKrDcVF3nL8TFFtus=,tag:btA+bHwVKwzX71mqZvzfKA==,type:str]
-sops:
-    age:
-        - recipient: age1856wmagg3dz4j07alwqnn6d75655t6wcs8glklyjyezhu5p875fq9sez4p
-          enc: |
-            -----BEGIN AGE ENCRYPTED FILE-----
-            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA0d1VYdWI0TEZtaStvUml6
-            NEdYS0gvbUlMTVRpY2xna3BRT2ZINkpLZG53CkNrcDNHUjc4Zm43NnhJKzc0UjBX
-            RTVrQ3hYWFVzdlJ5Zkh6ZWJkZi9CZUEKLS0tIDZuUjNQWmJXSlZqdGQySXNKV3F1
-            UXNYWktWUktGQWhpeThvOUFNUlFHWGcKvoGymssPBN5yQwpq2HTHYeNt5VnA1pKe
-            fyJ0mbwMq+/ZW88HE4vpUY8zONC0QCGprxysMVgsRpXFBfFKk0pjcQ==
-            -----END AGE ENCRYPTED FILE-----
-    lastmodified: "2026-04-01T21:18:12Z"
-    mac: ENC[AES256_GCM,data:E4NwepDYNcwhusfuRFebEXyGQcwlhfvddMDWF3JfUAOERvZnmmY5+OMQc/qbF114r3UYvZr3qX1WgsFE4n4YiuGPFY+E5m4/6PV//Lwe4p5GWGto1fPMN7n2jB+Y1RJn+wP18pjvrIc9onaSgiOuP8eFijp1vZ6hX7kZ2lrEdrI=,iv:SP235ndbodZlpv+RwIKw/U6+XyDwJhjfF53pROWMlI0=,tag:4cWULyYdnJKyjxk+7bkkQg==,type:str]
-    unencrypted_suffix: _unencrypted
-    version: 3.12.1
diff --git a/services/wireguard-outer.nix b/services/wireguard-outer.nix
index 02ea612..1c6d072 100644
--- a/services/wireguard-outer.nix
+++ b/services/wireguard-outer.nix
@@ -60,34 +60,6 @@
       };
     };
 
-    virtualHosts."livekit.ellie.town" = {
-      enableACME = true;
-      forceSSL = true;
-      locations."/" = {
-        proxyPass = "http://127.0.0.1:7880";
-        proxyWebsockets = true;
-        extraConfig = ''
-          proxy_read_timeout 86400;
-        '';
-      };
-    };
-
-    virtualHosts."lk-jwt.ellie.town" = {
-      enableACME = true;
-      forceSSL = true;
-      locations."/" = {
-        proxyPass = "http://127.0.0.1:8080";
-        extraConfig = ''
-          add_header Access-Control-Allow-Origin * always;
-          add_header Access-Control-Allow-Methods "POST, OPTIONS" always;
-          add_header Access-Control-Allow-Headers "Content-Type, Authorization" always;
-          if ($request_method = OPTIONS) {
-            return 204;
-          }
-        '';
-      };
-    };
-
     # virtualHosts."akkoma.ellie.town" = {
     #   enableACME = true;
     #   forceSSL = true;
@@ -159,11 +131,6 @@
         default_type application/json;
         add_header Access-Control-Allow-Origin *;
         return 200 '{"m.homeserver":{"base_url":"https://matrix.ellie.town"}}';'';
-
-      locations."= /.well-known/element/call.json".extraConfig = ''
-        default_type application/json;
-        add_header Access-Control-Allow-Origin *;
-        return 200 '{"type":"livekit","livekit_service_url":"https://lk-jwt.ellie.town"}';'';
     };
   };