diff --git a/roles/livekit/README.md b/roles/livekit/README.md
index ad8a091..d709e41 100644
--- a/roles/livekit/README.md
+++ b/roles/livekit/README.md
@@ -18,6 +18,8 @@ The following mandatory variables have to be declared in the inventory on a per-
 enable_livekit: true
 livekit_turnserver_domain: # the fqdn for the livekit TURN server
 livekit_redis_enabled: # boolean value, defining if a redis database shall be created for livekit
+livekit_jwt_service_container_enabled: # boolean value, for toggling the lk-jwt-service on / off
+livekit_jwt_service_homeserver_allowlist: # optional list of domains or wildcard domains allowed to generate JWT tokens for livekit
 ```
 A second domain record for the TURN server is needed,
diff --git a/roles/livekit/defaults/main.yml b/roles/livekit/defaults/main.yml
index 9778dc3..4cff1ca 100644
--- a/roles/livekit/defaults/main.yml
+++ b/roles/livekit/defaults/main.yml
@@ -1,6 +1,8 @@
 ---
-livekit_version: "v1.7"
-livekit_jwt_service_version: "latest"
+livekit_version: "1.7"
+livekit_jwt_service_version: ""
+livekit_jwt_service_container_image_tag: "latest"
+livekit_jwt_service_container_enabled: false
 livekit_domain: "{{ famedly_instance_domain }}"
 livekit_turnserver_domain: ~
 livekit_log_level: "info"
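Review bot: `livekit_jwt_service_container_image_tag: "latest"` keeps the JWT-issuing container on a mutable tag, and because the tag now always has a value, the `default('v' + livekit_jwt_service_version)` fallback in the third hunk of this file can never apply, so setting `livekit_jwt_service_version` has no effect. For the livekit-server image no tag default is visible in these hunks, so there the version does drive the tag. I would mirror that here by dropping the tag default and shipping a real version, `livekit_jwt_service_version: "<pinned-version>"` (placeholder, the page names no release), so the deployed image is reproducible and a change of image shows up in review.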
@@ -15,7 +17,25 @@ livekit_turn_port: 3478
 livekit_redis_port: 6379
 livekit_jwt_service_external_port: 8888
 livekit_user: "livekit"
-livekit_container_image_reference: "livekit/livekit-server:{{ livekit_version }}"
+livekit_container_image_reference: >-
+ {{
+ livekit_container_image_repository
+ + ':'
+ + livekit_container_image_tag | default('v' + livekit_version)
+ }}
+livekit_container_image_repository: >-
+ {{
+ (
+ container_registries[livekit_container_image_registry]
+ | default(livekit_container_image_registry)
+ )
+ + '/'
+ + livekit_container_image_namespace | default('')
+ + livekit_container_image_name
+ }}
+livekit_container_image_registry: "docker.io"
+livekit_container_image_namespace: "livekit/"
+livekit_container_image_name: "livekit-server"
 livekit_config_path: "/opt/livekit"
 livekit_config_file: "livekit.yaml"
 livekit_container_config: "/etc/livekit.yaml"
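Review bot: An inventory that still sets `livekit_version: "v1.7"` (the format of the old default) will now resolve to the tag `vv1.7`, because `default('v' + livekit_version)` prepends the prefix that the first hunk of this file removed from the default. Whether such overrides exist is not visible here, but the format change is silent and the failure only appears at pull time. Either accept both forms, `livekit_container_image_tag | default('v' + (livekit_version | regex_replace('^v', '')))`, or state the new format in the README. A comment on `livekit_container_image_namespace` such as `# must end with '/', it is concatenated directly with the image name` would also help, since the repository expression adds no separator between the two.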
@@ -75,11 +95,35 @@ livekit_container_combined_volumes: >-
 {{ livekit_container_preset_volumes + livekit_container_volumes }}
 livekit_container_network_mode: "host"
 livekit_jwt_service_container_name: "jwt-service"
-livekit_jwt_service_container_image_reference: "docker-oss.nexus.famedly.de/lk-jwt-service:{{ livekit_jwt_service_version }}"
-livekit_jwt_service_container_env:
+livekit_jwt_service_container_image_reference: >-
+ {{
+ livekit_jwt_service_container_image_repository
+ + ':'
+ + livekit_jwt_service_container_image_tag | default('v' + livekit_jwt_service_version)
+ }}
+livekit_jwt_service_container_image_repository: >-
+ {{
+ (
+ container_registries[livekit_jwt_service_container_image_registry]
+ | default(livekit_jwt_service_container_image_registry)
+ )
+ + '/'
+ + livekit_jwt_service_container_image_namespace | default('')
+ + livekit_jwt_service_container_image_name
+ }}
+livekit_jwt_service_container_image_registry: "docker-oss.nexus.famedly.de"
+livekit_jwt_service_container_image_name: "lk-jwt-service"
+livekit_jwt_service_container_env_base:
 LIVEKIT_KEY: "secret"
 LIVEKIT_SECRET: "{{ livekit_secret_key }}"
 LIVEKIT_URL: "wss://{{ livekit_domain }}"
- HS_ALLOWLIST: "*.famedly.de, *.famedly.care"
+livekit_jwt_service_homeserver_allowlist: []
+livekit_jwt_service_container_hs_allowlist:
+ HS_ALLOWLIST: "{{ livekit_jwt_service_homeserver_allowlist | join(',') }}"
+livekit_jwt_service_container_env: >-
+ {{ livekit_jwt_service_container_env_base
+ | combine(livekit_jwt_service_container_hs_allowlist
+ if (livekit_jwt_service_homeserver_allowlist != []) else {}, recursive=True)
+ }}
 livekit_jwt_service_container_ports:
 - "127.0.0.1:{{ livekit_jwt_service_external_port }}:8080"
diff --git a/roles/livekit/tasks/main.yml b/roles/livekit/tasks/main.yml
index b19b6ed..a5b2572 100644
--- a/roles/livekit/tasks/main.yml
+++ b/roles/livekit/tasks/main.yml
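Review bot: With `livekit_jwt_service_homeserver_allowlist: []` as the default, `HS_ALLOWLIST` is no longer passed to the container at all, whereas the removed line restricted it to `*.famedly.de, *.famedly.care`. How lk-jwt-service behaves when the variable is absent is not visible on this page; if it then accepts every homeserver, enabling the service without setting the list is fail-open for token issuance. I would record the unset behaviour next to the default, e.g. `# empty list: HS_ALLOWLIST is not set; lk-jwt-service then <behaviour to confirm>`. If that behaviour is allow-all, I would also fail early in tasks/main.yml with an `assert` on `livekit_jwt_service_homeserver_allowlist | length > 0`, guarded by `when: livekit_jwt_service_container_enabled | bool`.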
@@ -19,6 +19,7 @@
 state: present
 source: pull
 force_source: true
+ when: livekit_jwt_service_container_enabled
 - name: Ensure livekit config directory exists
 file:
@@ -49,12 +50,13 @@
 restart_policy: unless-stopped
 image_name_mismatch: recreate
-- name: 'Ensure lk-jwt-service container is running: {{ livekit_jwt_service_container_name }}'
+- name: 'Set state of lk-jwt-service container: {{ livekit_jwt_service_container_name }}'
 community.docker.docker_container:
 name: "{{ livekit_jwt_service_container_name }}"
 image: "{{ livekit_jwt_service_container_image_reference }}"
- env: "{{ livekit_jwt_service_container_env | default(omit, true) }}"
+ env: "{{ livekit_jwt_service_container_env }}"
 ports: "{{ livekit_jwt_service_container_ports | default(omit, true) }}"
 network_mode: "{{ livekit_jwt_service_container_network_mode | default(omit, true) }}"
 restart_policy: unless-stopped
+ state: "{{ livekit_jwt_service_container_enabled | ternary('started', 'absent') }}"
 image_name_mismatch: recreate
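Review bot: `livekit_jwt_service_container_enabled | ternary('started', 'absent')` in the second hunk treats any non-empty string as true, so a value that arrives as the string `"false"` (INI inventory, `-e key=value`) would start the token service instead of removing it. Coerce it first: `state: "{{ livekit_jwt_service_container_enabled | bool | ternary('started', 'absent') }}"`. The `when:` added in the first hunk should use the same `| bool`, so that the pull and the container state cannot disagree. The task that `when:` belongs to starts above the hunk, so which image it pulls is not visible here.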