diff --git a/modules/hosts/loptland/default.nix b/modules/hosts/loptland/default.nix index a4d2871..428f0fc 100644 --- a/modules/hosts/loptland/default.nix +++ b/modules/hosts/loptland/default.nix @@ -35,6 +35,7 @@ topLevel: { mautrix-discord mautrix-signal element-call + element-web # game server minecraft-server diff --git a/modules/hosts/loptland/nginx.nix b/modules/hosts/loptland/nginx.nix index a28c106..5de5314 100644 --- a/modules/hosts/loptland/nginx.nix +++ b/modules/hosts/loptland/nginx.nix @@ -57,6 +57,20 @@ forceSSL = true; useACMEHost = matrixDomain; + # MSC4143: advertise LiveKit as the RTC transport since Synapse doesn't implement this yet + locations."= /_matrix/client/unstable/org.matrix.msc4143/rtc/transports" = { + extraConfig = '' + default_type application/json; + add_header 'Access-Control-Allow-Origin' '*' always; + add_header 'Access-Control-Allow-Methods' 'GET, POST, OPTIONS' always; + add_header 'Access-Control-Allow-Headers' 'Authorization, Content-Type' always; + if ($request_method = OPTIONS) { + return 204; + } + return 200 '{"rtc_transports":[{"type":"livekit","livekit_service_url":"https://call.${matrixDomain}/livekit/jwt"}]}'; + ''; + }; + locations."/" = { proxyPass = "http://localhost:${toString 8008}"; extraConfig = '' @@ -91,6 +105,7 @@ tryFiles = "$uri /index.html"; extraConfig = '' add_header Cache-Control "no-cache" always; + add_header Content-Security-Policy "frame-ancestors 'self' https://chat.${matrixDomain}" always; ''; }; diff --git a/modules/server/element-web.nix b/modules/server/element-web.nix new file mode 100644 index 0000000..b395d4b --- /dev/null +++ b/modules/server/element-web.nix 
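Review bot: In `modules/hosts/loptland/nginx.nix`, the new `rtc/transports` location's static `return 200` answers every request method and never looks at the access token, while `Access-Control-Allow-Methods` advertises `POST` for an endpoint that only serves a fixed document. The body only reveals the LiveKit JWT service URL, so exposure is low, but narrowing it is cheap: advertise `'GET, OPTIONS'` and put `if ($request_method !~ ^(GET|OPTIONS)$) { return 405; }` before the final return. Note also that `add_header` in a location replaces rather than extends headers set at server level, so any security headers the vhost defines outside this hunk would be missing on this response. Building the body with `builtins.toJSON`, as the new element-web module does, would avoid the hand-escaped JSON.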
@@ -0,0 +1,47 @@
+{
+ flake.modules.nixos.element-web =
+ { pkgs, ... }:
+ let
+ matrixDomain = "alwayssleepy.online";
+ in
+ {
+ services.nginx.virtualHosts."chat.${matrixDomain}" = {
+ forceSSL = true;
+ useACMEHost = matrixDomain;
+
+ locations."= /config.json" = {
+ extraConfig = ''
+ default_type application/json;
+ return 200 '${builtins.toJSON {
+ default_server_config = {
+ "m.homeserver" = {
+ base_url = "https://matrix.${matrixDomain}";
+ server_name = matrixDomain;
+ };
+ };
+ disable_custom_urls = true;
+ disable_guests = true;
+ features = {
+ feature_group_calls = true;
+ };
+ element_call = {
+ url = "https://call.${matrixDomain}";
+ use_exclusively = true;
+ brand = "Element Call";
+ };
+ brand = "Element";
+ default_theme = "dark";
+ }}';
+ '';
+ };
+
+ locations."/" = {
+ root = "${pkgs.element-web}";
+ tryFiles = "$uri /index.html";
+ extraConfig = ''
+ add_header Cache-Control "no-cache" always;
+ '';
+ };
+ };
+ };
+}
diff --git a/modules/server/mautrix-discord.nix b/modules/server/mautrix-discord.nix
index 3459b2e..6ac6c60 100644
--- a/modules/server/mautrix-discord.nix
+++ b/modules/server/mautrix-discord.nix
@@ -98,5 +98,8 @@
 };
 };
 };
+
+ # Give matrix-synapse access to the registration file via group membership
+ users.users.matrix-synapse.extraGroups = [ "mautrix-discord" ];
 };
 }
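Review bot: In `modules/server/element-web.nix`, the `locations."/"` block that serves the Element Web bundle sends only `Cache-Control`, so the client can be framed by any origin and has no content-sniffing protection. Element's own deployment notes recommend framing and sniffing headers for the web client; consider adding `add_header X-Content-Type-Options "nosniff" always;` and `add_header Content-Security-Policy "frame-ancestors 'self'" always;` next to the existing header. Separately, the `builtins.toJSON` output in the `= /config.json` location is spliced into a single-quoted nginx string, where a `'` would end the string and `$name` would be expanded as an nginx variable. The current values contain neither, but a comment such as `# values must not contain ' or $ (nginx string)` would keep a later edit from breaking the config.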
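Review bot: In `modules/server/mautrix-discord.nix`, adding `matrix-synapse` to the bridge's own `mautrix-discord` group gives Synapse every permission that group has, not just read access to the registration file. If the bridge's state directory or config is group-readable (not visible in this hunk; such a bridge usually keeps its login tokens and database credentials there), a compromise of Synapse would reach them too. A narrower option is a dedicated group that owns only the registration file, with `matrix-synapse` as its sole extra member. Otherwise confirm the data directory is not group-accessible and extend the comment, e.g. `# only the registration file is group-readable; bridge state dir stays 0700`. The enclosing module body starts outside this hunk.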