ci: add all possible credentials

When running the mirror-images step from within the release-image workflow
we receive error messages such as

> msg="Failed to sync" target=ghcr.io/continuwuity/continuwuity:v0.5.0-rc.7
> source=forgejo.ellis.link/continuwuation/continuwuity:v0.5.0-rc.7
> error="failed to send blob post, ref
> ghcr.io/continuwuity/continuwuity@sha256:74976f7b85018b5abd867333bc783c7230d985a4b0af595bbf55964e25afe6ef:
> unauthorized"

So, we will need to define our credentials in the release-image workflow too
it seems, when we pull in the mirror-image workflow.
This is a test by adding all credentials that are defined in mirror-images.yml
Probably we don't need them all, but if this does not work, the whole approach
is flawed and we can remove everyting again.

If it works, we should remove unneccessary credentials until we found the
required ones.

.envrc

@@ -2,7 +2,7 @@
 
 dotenv_if_exists
 
-if [ -f /etc/os-release ] && grep -q '^ID=nixos' /etc/os-release; then
+if command -v nix >/dev/null 2>&1; then
     use flake ".#${DIRENV_DEVSHELL:-default}"
 fi
 

.forgejo/actions/create-docker-manifest/action.yml

@@ -44,7 +44,7 @@ runs:
 
     - name: Login to builtin registry
       if: ${{ env.BUILTIN_REGISTRY_ENABLED == 'true' }}
-      uses: docker/login-action@v4
+      uses: docker/login-action@4907a6ddec9925e35a0a9e82d7399ccc52663121 # v4
       with:
         registry: ${{ env.BUILTIN_REGISTRY }}
         username: ${{ inputs.registry_user }}
@@ -52,7 +52,7 @@ runs:
 
     - name: Set up Docker Buildx
       if: ${{ env.BUILTIN_REGISTRY_ENABLED == 'true' }}
-      uses: docker/setup-buildx-action@v4
+      uses: docker/setup-buildx-action@4d04d5d9486b7bd6fa91e7baf45bbb4f8b9deedd # v4
       with:
         # Use persistent BuildKit if BUILDKIT_ENDPOINT is set (e.g. tcp://buildkit:8125)
         driver: ${{ env.BUILDKIT_ENDPOINT != '' && 'remote' || 'docker-container' }}
@@ -61,7 +61,7 @@ runs:
     - name: Extract metadata (tags) for Docker
       if: ${{ env.BUILTIN_REGISTRY_ENABLED == 'true' }}
       id: meta
-      uses: docker/metadata-action@v6
+      uses: docker/metadata-action@030e881283bb7a6894de51c315a6bfe6a94e05cf # v6
       with:
         flavor: |
           latest=auto

.forgejo/actions/prepare-docker-build/action.yml

@@ -67,7 +67,7 @@ runs:
       uses: ./.forgejo/actions/rust-toolchain
 
     - name: Set up Docker Buildx
-      uses: docker/setup-buildx-action@v4
+      uses: docker/setup-buildx-action@4d04d5d9486b7bd6fa91e7baf45bbb4f8b9deedd # v4
       with:
         # Use persistent BuildKit if BUILDKIT_ENDPOINT is set (e.g. tcp://buildkit:8125)
         driver: ${{ env.BUILDKIT_ENDPOINT != '' && 'remote' || 'docker-container' }}
@@ -75,11 +75,11 @@ runs:
 
     - name: Set up QEMU
       if: ${{ env.BUILDKIT_ENDPOINT == '' }}
-      uses: docker/setup-qemu-action@v3
+      uses: docker/setup-qemu-action@ce360397dd3f832beb865e1373c09c0e9f86d70a # v4
 
     - name: Login to builtin registry
       if: ${{ env.BUILTIN_REGISTRY_ENABLED == 'true' }}
-      uses: docker/login-action@v4
+      uses: docker/login-action@4907a6ddec9925e35a0a9e82d7399ccc52663121 # v4
       with:
         registry: ${{ env.BUILTIN_REGISTRY }}
         username: ${{ inputs.registry_user }}
@@ -87,7 +87,7 @@ runs:
 
     - name: Extract metadata (labels, annotations) for Docker
       id: meta
-      uses: docker/metadata-action@v6
+      uses: docker/metadata-action@030e881283bb7a6894de51c315a6bfe6a94e05cf # v6
       with:
         images: ${{ inputs.images }}
         # default labels & annotations: https://github.com/docker/metadata-action/blob/master/src/meta.ts#L509
@@ -111,59 +111,3 @@ runs:
 
     - uses: ./.forgejo/actions/timelord
       id: timelord
-
-    - name: Cache Rust registry
-      if: ${{ env.BUILDKIT_ENDPOINT == '' }}
-      uses: actions/cache@v3
-      with:
-        path: |
-          .cargo/git
-          .cargo/git/checkouts
-          .cargo/registry
-          .cargo/registry/src
-        key: continuwuity-rust-registry-image-${{hashFiles('**/Cargo.lock') }}
-
-    - name: Cache cargo target
-      if: ${{ env.BUILDKIT_ENDPOINT == '' }}
-      id: cache-cargo-target
-      uses: actions/cache@v3
-      with:
-        path: |
-          cargo-target${{ env.CPU_SUFFIX }}-${{ inputs.slug }}-${{ inputs.profile }}
-        key: continuwuity-cargo-target${{ env.CPU_SUFFIX }}-${{ inputs.slug }}-${{ inputs.profile }}-${{hashFiles('**/Cargo.lock') }}-${{steps.rust-toolchain.outputs.rustc_version}}
-
-    - name: Cache apt cache
-      if: ${{ env.BUILDKIT_ENDPOINT == '' }}
-      id: cache-apt
-      uses: actions/cache@v3
-      with:
-        path: |
-          var-cache-apt-${{ inputs.slug }}
-        key: continuwuity-var-cache-apt-${{ inputs.slug }}
-
-    - name: Cache apt lib
-      if: ${{ env.BUILDKIT_ENDPOINT == '' }}
-      id: cache-apt-lib
-      uses: actions/cache@v3
-      with:
-        path: |
-          var-lib-apt-${{ inputs.slug }}
-        key: continuwuity-var-lib-apt-${{ inputs.slug }}
-
-    - name: inject cache into docker
-      if: ${{ env.BUILDKIT_ENDPOINT == '' }}
-      uses: https://github.com/reproducible-containers/buildkit-cache-dance@v3.3.2
-      with:
-        cache-map: |
-          {
-            ".cargo/registry": "/usr/local/cargo/registry",
-            ".cargo/git/db": "/usr/local/cargo/git/db",
-            "cargo-target${{ env.CPU_SUFFIX }}-${{ inputs.slug }}-${{ inputs.profile }}": {
-              "target": "/app/target",
-              "id": "cargo-target${{ env.CPU_SUFFIX }}-${{ inputs.slug }}-${{ inputs.profile }}"
-            },
-            "var-cache-apt-${{ inputs.slug }}": "/var/cache/apt",
-            "var-lib-apt-${{ inputs.slug }}": "/var/lib/apt",
-            "${{ steps.timelord.outputs.database-path }}":"/timelord"
-          }
-        skip-extraction: ${{ steps.cache.outputs.cache-hit }}

.forgejo/actions/rust-toolchain/action.yml

@@ -33,7 +33,7 @@ runs:
         echo "version=$(rustup --version)" >> $GITHUB_OUTPUT
     - name: Cache rustup toolchains
       if: steps.rustup-version.outputs.version == ''
-      uses: actions/cache@v3
+      uses: actions/cache@v5
       with:
         path: |
           ~/.rustup

.forgejo/actions/sccache/action.yml

@@ -9,7 +9,7 @@ runs:
   - name: Install sccache
     uses: https://git.tomfos.tr/tom/sccache-action@v1
   - name: Configure sccache
-    uses: https://github.com/actions/github-script@v8
+    uses: https://github.com/actions/github-script@3a2844b7e9c422d3c10d287c895573f7108da1b3 # v9
     with:
       script: |
         core.exportVariable('ACTIONS_RESULTS_URL', process.env.ACTIONS_RESULTS_URL || '');

.forgejo/actions/setup-llvm-with-apt/action.yml

@@ -57,7 +57,7 @@ runs:
 
     - name: Check for LLVM cache
       id: cache
-      uses: actions/cache@v4
+      uses: actions/cache@v5
       with:
         path: |
           /usr/bin/clang-*
@@ -120,7 +120,7 @@ runs:
 
     - name: Install additional packages
       if: inputs.extra-packages != ''
-      uses: https://github.com/awalsh128/cache-apt-pkgs-action@latest
+      uses: https://github.com/awalsh128/cache-apt-pkgs-action@2c09a5e66da6c8016428a2172bd76e5e4f14bb17 # latest
       with:
         packages: ${{ inputs.extra-packages }}
         version: 1.0

.forgejo/actions/setup-rust/action.yml

@@ -65,7 +65,7 @@ runs:
 
     - name: Cache toolchain binaries
       id: toolchain-cache
-      uses: actions/cache@v4
+      uses: actions/cache@v5
       with:
         path: |
           .cargo/bin
@@ -76,7 +76,7 @@ runs:
 
     - name: Cache Cargo registry and git
       id: registry-cache
-      uses: actions/cache@v4
+      uses: actions/cache@v5
       with:
         path: |
           .cargo/registry/index
@@ -149,37 +149,6 @@ runs:
     - name: Setup sccache
       uses: https://git.tomfos.tr/tom/sccache-action@v1
 
-    - name: Cache dependencies
-      id: deps-cache
-      uses: actions/cache@v4
-      with:
-        path: |
-          target/**/.fingerprint
-          target/**/deps
-          target/**/*.d
-          target/**/.cargo-lock
-          target/**/CACHEDIR.TAG
-          target/**/.rustc_info.json
-          /timelord/
-        # Dependencies cache - based on Cargo.lock, survives source code changes
-        key: >-
-          continuwuity-deps-${{ steps.runner-os.outputs.slug }}-${{ steps.runner-os.outputs.arch }}-${{ steps.rust-setup.outputs.version }}${{ inputs.cache-key-suffix && format('-{0}', inputs.cache-key-suffix) || '' }}-${{ hashFiles('rust-toolchain.toml', '**/Cargo.lock') }}
-        restore-keys: |
-          continuwuity-deps-${{ steps.runner-os.outputs.slug }}-${{ steps.runner-os.outputs.arch }}-${{ steps.rust-setup.outputs.version }}${{ inputs.cache-key-suffix && format('-{0}', inputs.cache-key-suffix) || '' }}-
-
-    - name: Cache incremental compilation
-      id: incremental-cache
-      uses: actions/cache@v4
-      with:
-        path: |
-          target/**/incremental
-        # Incremental cache - based on source code changes
-        key: >-
-          continuwuity-incremental-${{ steps.runner-os.outputs.slug }}-${{ steps.runner-os.outputs.arch }}-${{ steps.rust-setup.outputs.version }}${{ inputs.cache-key-suffix && format('-{0}', inputs.cache-key-suffix) || '' }}-${{ hashFiles('rust-toolchain.toml', '**/Cargo.lock') }}-${{ hashFiles('**/*.rs', '**/Cargo.toml') }}
-        restore-keys: |
-          continuwuity-incremental-${{ steps.runner-os.outputs.slug }}-${{ steps.runner-os.outputs.arch }}-${{ steps.rust-setup.outputs.version }}${{ inputs.cache-key-suffix && format('-{0}', inputs.cache-key-suffix) || '' }}-${{ hashFiles('rust-toolchain.toml', '**/Cargo.lock') }}-
-          continuwuity-incremental-${{ steps.runner-os.outputs.slug }}-${{ steps.runner-os.outputs.arch }}-${{ steps.rust-setup.outputs.version }}${{ inputs.cache-key-suffix && format('-{0}', inputs.cache-key-suffix) || '' }}-
-
     - name: End build cache restore group
       shell: bash
       run: echo "::endgroup::"

.forgejo/actions/timelord/action.yml

@@ -31,7 +31,7 @@ runs:
 
     - name: Restore binary cache
       id: binary-cache
-      uses: actions/cache/restore@v4
+      uses: actions/cache/restore@v5
       with:
         path: |
           /usr/share/rust/.cargo/bin
@@ -71,13 +71,13 @@ runs:
 
     - name: Install timelord-cli and git-warp-time
       if: steps.check-binaries.outputs.need-install == 'true'
-      uses: https://github.com/taiki-e/install-action@v2
+      uses: https://github.com/taiki-e/install-action@eea29cff9a2b68892c0845ae3e4f45fc47ee9354 # v2
       with:
         tool: git-warp-time,timelord-cli@3.0.1
 
     - name: Save binary cache
       if: steps.check-binaries.outputs.need-install == 'true'
-      uses: actions/cache/save@v4
+      uses: actions/cache/save@v5
       with:
         path: |
           /usr/share/rust/.cargo/bin
@@ -87,7 +87,7 @@ runs:
 
     - name: Restore timelord cache with fallbacks
       id: timelord-restore
-      uses: actions/cache/restore@v4
+      uses: actions/cache/restore@v5
       with:
         path: ${{ env.TIMELORD_CACHE_PATH }}
         key: ${{ env.TIMELORD_KEY }}
@@ -114,7 +114,7 @@ runs:
         timelord sync --source-dir ${{ env.TIMELORD_PATH }} --cache-dir ${{ env.TIMELORD_CACHE_PATH }}
 
     - name: Save updated timelord cache immediately
-      uses: actions/cache/save@v4
+      uses: actions/cache/save@v5
       with:
         path: ${{ env.TIMELORD_CACHE_PATH }}
         key: ${{ env.TIMELORD_KEY }}

.forgejo/workflows/build-debian.yml

@@ -54,13 +54,13 @@ jobs:
           fi
 
       - name: Checkout repository with full history
-        uses: actions/checkout@v6
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
         with:
           fetch-depth: 0
           ref: ${{ github.ref_name }}
 
       - name: Cache Cargo registry
-        uses: actions/cache@v4
+        uses: actions/cache@v5
         with:
           path: |
             ~/.cargo/registry

.forgejo/workflows/build-fedora.yml

@@ -30,14 +30,14 @@ jobs:
           echo "Fedora version: $VERSION"
 
       - name: Checkout repository with full history
-        uses: actions/checkout@v6
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
         with:
           fetch-depth: 0
           ref: ${{ github.ref_name }}
 
 
       - name: Cache DNF packages
-        uses: actions/cache@v4
+        uses: actions/cache@v5
         with:
           path: |
             /var/cache/dnf
@@ -47,7 +47,7 @@ jobs:
             dnf-fedora${{ steps.fedora.outputs.version }}-
 
       - name: Cache Cargo registry
-        uses: actions/cache@v4
+        uses: actions/cache@v5
         with:
           path: |
             ~/.cargo/registry
@@ -57,7 +57,7 @@ jobs:
             cargo-fedora${{ steps.fedora.outputs.version }}-
 
       - name: Cache Rust build dependencies
-        uses: actions/cache@v4
+        uses: actions/cache@v5
         with:
           path: |
             ~/rpmbuild/BUILD/*/target/release/deps

.forgejo/workflows/check-changelog.yml

@@ -0,0 +1,94 @@
+name: Checks / Changelog
+
+on:
+  pull_request_target:
+    types: [opened, synchronize, reopened, ready_for_review, labeled, unlabeled]
+
+permissions:
+  contents: read
+  pull-requests: write
+  issues: write
+
+jobs:
+  check-changelog:
+    name: Check changelog is added
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
+        with:
+          ref: ${{ github.event.pull_request.head.sha }}
+          fetch-depth: 0
+          persist-credentials: false
+          sparse-checkout: .
+
+      - name: Check for changelog entry
+        id: check_files
+        run: |
+          git fetch origin ${GITHUB_BASE_REF}
+
+          # Check for Added (A) or Modified (M) files in changelog.d
+          CHANGELOG_CHANGES=$(git diff --name-status origin/${GITHUB_BASE_REF}...HEAD -- changelog.d/)
+
+          SRC_CHANGES=$(git diff --name-status origin/${GITHUB_BASE_REF}...HEAD -- src/)
+
+          echo "Changes in changelog.d/:"
+          echo "$CHANGELOG_CHANGES"
+          echo "Changes in src/:"
+          echo "$SRC_CHANGES"
+
+          if echo "$CHANGELOG_CHANGES" | grep -q "^[AM]"; then
+            echo "has_changelog=true" >> $GITHUB_OUTPUT
+          else
+            echo "has_changelog=false" >> $GITHUB_OUTPUT
+          fi
+
+          if [ -n "$SRC_CHANGES" ]; then
+            echo "src_changed=true" >> $GITHUB_OUTPUT
+          else
+            echo "src_changed=false" >> $GITHUB_OUTPUT
+          fi
+
+      - name: Manage PR Labels
+        uses: https://github.com/actions/github-script@3a2844b7e9c422d3c10d287c895573f7108da1b3 # v9
+        env:
+          HAS_CHANGELOG: ${{ steps.check_files.outputs.has_changelog }}
+          SRC_CHANGED: ${{ steps.check_files.outputs.src_changed }}
+        with:
+          script: |
+            const hasChangelog = process.env.HAS_CHANGELOG === 'true';
+            const srcChanged = process.env.SRC_CHANGED === 'true';
+
+            const { data: pullRequest } = await github.rest.pulls.get({
+              owner: context.repo.owner,
+              repo: context.repo.repo,
+              pull_number: context.issue.number,
+            });
+
+            const currentLabels = pullRequest.labels.map(l => l.name);
+
+            if (hasChangelog) {
+              console.log('PR has changelog');
+              await github.rest.issues.addLabels({
+                owner: context.repo.owner,
+                repo: context.repo.repo,
+                issue_number: context.issue.number,
+                labels: ['Changelog/Added'],
+              });
+            } else if (currentLabels.includes('Changelog/None')) {
+              console.log('PR has Changelog/None label, skipping.');
+            } else if (srcChanged) {
+              console.log('PR is missing changelog');
+              await github.rest.issues.addLabels({
+                owner: context.repo.owner,
+                repo: context.repo.repo,
+                issue_number: context.issue.number,
+                labels: ['Changelog/Missing'],
+              });
+              core.setFailed("Missing changelog entry (detected)");
+            } else if (currentLabels.includes('Changelog/Missing')) {
+              core.setFailed("Missing changelog entry (label)");
+            } else {
+              console.log('Changelog not needed');
+              // Changelog is probably not needed
+            }

.forgejo/workflows/documentation.yml

@@ -21,7 +21,7 @@ jobs:
 
     steps:
       - name: Sync repository
-        uses: actions/checkout@v6
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
         with:
           persist-credentials: false
           fetch-depth: 0
@@ -32,12 +32,12 @@ jobs:
 
       - name: Setup Node.js
         if: steps.runner-env.outputs.node_major == '' || steps.runner-env.outputs.node_major < '20'
-        uses: https://github.com/actions/setup-node@v6
+        uses: https://github.com/actions/setup-node@53b83947a5a98c8d113130e565377fae1a50d02f # v6
         with:
           node-version: 22
 
       - name: Cache npm dependencies
-        uses: actions/cache@v3
+        uses: actions/cache@v5
         with:
           path: ~/.npm
           key: continuwuity-rspress-${{ steps.runner-env.outputs.slug }}-${{ steps.runner-env.outputs.arch }}-node-${{ steps.runner-env.outputs.node_version }}-${{ hashFiles('package-lock.json') }}
@@ -56,7 +56,7 @@ jobs:
 
       - name: Deploy to Cloudflare Pages (Production)
         if: github.ref == 'refs/heads/main' && vars.CLOUDFLARE_PROJECT_NAME != ''
-        uses: https://github.com/cloudflare/wrangler-action@v3
+        uses: https://github.com/cloudflare/wrangler-action@da0e0dfe58b7a431659754fdf3f186c529afbe65 # v3
         with:
           accountId: ${{ secrets.CLOUDFLARE_ACCOUNT_ID }}
           apiToken: ${{ secrets.CLOUDFLARE_API_TOKEN }}
@@ -64,7 +64,7 @@ jobs:
 
       - name: Deploy to Cloudflare Pages (Preview)
         if: github.ref != 'refs/heads/main' && vars.CLOUDFLARE_PROJECT_NAME != ''
-        uses: https://github.com/cloudflare/wrangler-action@v3
+        uses: https://github.com/cloudflare/wrangler-action@da0e0dfe58b7a431659754fdf3f186c529afbe65 # v3
         with:
           accountId: ${{ secrets.CLOUDFLARE_ACCOUNT_ID }}
           apiToken: ${{ secrets.CLOUDFLARE_API_TOKEN }}

.forgejo/workflows/element.yml

@@ -24,7 +24,7 @@ jobs:
 
     steps:
       - name: 📦 Setup Node.js
-        uses: https://github.com/actions/setup-node@v6
+        uses: https://github.com/actions/setup-node@53b83947a5a98c8d113130e565377fae1a50d02f # v6
         with:
           node-version: "22"
 
@@ -121,7 +121,7 @@ jobs:
       - name: 🚀 Deploy to Cloudflare Pages
         if: vars.CLOUDFLARE_PROJECT_NAME != ''
         id: deploy
-        uses: https://github.com/cloudflare/wrangler-action@v3
+        uses: https://github.com/cloudflare/wrangler-action@da0e0dfe58b7a431659754fdf3f186c529afbe65 # v3
         with:
           accountId: ${{ secrets.CLOUDFLARE_ACCOUNT_ID }}
           apiToken: ${{ secrets.CLOUDFLARE_API_TOKEN }}

.forgejo/workflows/mirror-images.yml

@@ -2,8 +2,11 @@ name: Mirror Container Images
 
 on:
   schedule:
-    # Run every 2 hours
-    - cron: "0 */2 * * *"
+    # Run nightly
+    - cron: "25 2 * * *"
+
+  workflow_call:
+
   workflow_dispatch:
     inputs:
       dry_run:
@@ -38,7 +41,7 @@ jobs:
       DOCKER_MIRROR_TOKEN: ${{ secrets.DOCKER_MIRROR_TOKEN }}
     steps:
       - name: Checkout repository
-        uses: actions/checkout@v6
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
         with:
           persist-credentials: false
 
@@ -51,10 +54,8 @@ jobs:
       #     owner: continuwuity
       #     repositories: continuwuity
 
-      - name: Install regctl
-        uses: https://forgejo.ellis.link/continuwuation/regclient-actions/regctl-installer@main
-        with:
-          binary: regsync
+      - name: Install regsync
+        uses: https://github.com/regclient/actions/regsync-installer@f3c6d87835906c175eb6ccfc18b348b69bb447e7 # main
 
       - name: Check what images need mirroring
         run: |

.forgejo/workflows/prek-checks.yml

@@ -16,7 +16,7 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - name: Checkout repository
-        uses: actions/checkout@v6
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
         with:
           persist-credentials: false
 
@@ -47,7 +47,7 @@ jobs:
 
     steps:
       - name: Checkout repository
-        uses: actions/checkout@v6
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
         with:
           persist-credentials: false
 

.forgejo/workflows/release-image.yml

@@ -9,6 +9,9 @@ on:
     paths-ignore:
       - "*.md"
       - "**/*.md"
+      - "*.mdx"
+      - "**/*.mdx"
+      - "changelog.d/**"
       - ".gitlab-ci.yml"
       - ".gitignore"
       - "renovate.json"
@@ -43,7 +46,7 @@ jobs:
 
     steps:
       - name: Checkout repository
-        uses: actions/checkout@v6
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
         with:
           persist-credentials: false
       - name: Prepare Docker build environment
@@ -59,7 +62,7 @@ jobs:
           registry_password: ${{ secrets.BUILTIN_REGISTRY_PASSWORD || secrets.GITHUB_TOKEN }}
       - name: Build and push Docker image by digest
         id: build
-        uses: docker/build-push-action@v7
+        uses: docker/build-push-action@bcafcacb16a39f128d818304e6c9c0c18556b85f # v7
         with:
           context: .
           file: "docker/Dockerfile"
@@ -97,7 +100,7 @@ jobs:
     needs: build-release
     steps:
       - name: Checkout repository
-        uses: actions/checkout@v6
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
         with:
           persist-credentials: false
       - name: Create multi-platform manifest
@@ -130,7 +133,7 @@ jobs:
 
     steps:
       - name: Checkout repository
-        uses: actions/checkout@v6
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
         with:
           persist-credentials: false
       - name: Prepare max-perf Docker build environment
@@ -146,7 +149,7 @@ jobs:
           registry_password: ${{ secrets.BUILTIN_REGISTRY_PASSWORD || secrets.GITHUB_TOKEN }}
       - name: Build and push max-perf Docker image by digest
         id: build
-        uses: docker/build-push-action@v7
+        uses: docker/build-push-action@bcafcacb16a39f128d818304e6c9c0c18556b85f # v7
         with:
           context: .
           file: "docker/Dockerfile"
@@ -184,7 +187,7 @@ jobs:
     needs: build-maxperf
     steps:
       - name: Checkout repository
-        uses: actions/checkout@v6
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
         with:
           persist-credentials: false
       - name: Create max-perf manifest
@@ -195,3 +198,22 @@ jobs:
           images: ${{ env.IMAGE_PATH }}
           registry_user: ${{ vars.BUILTIN_REGISTRY_USER || github.actor }}
           registry_password: ${{ secrets.BUILTIN_REGISTRY_PASSWORD || secrets.GITHUB_TOKEN }}
+
+  mirror_images:
+    name: "Mirror Images"
+    runs-on: ubuntu-latest
+    needs:
+      - merge-maxperf
+      - merge-release
+    env:
+      BUILTIN_REGISTRY_USER: ${{ vars.BUILTIN_REGISTRY_USER }}
+      BUILTIN_REGISTRY_PASSWORD: ${{ secrets.BUILTIN_REGISTRY_PASSWORD }}
+      GITLAB_USERNAME: ${{ vars.GITLAB_USERNAME }}
+      GITLAB_TOKEN: ${{ secrets.GITLAB_TOKEN }}
+      N7574_GIT_USERNAME: ${{ vars.N7574_GIT_USERNAME }}
+      N7574_GIT_TOKEN: ${{ secrets.N7574_GIT_TOKEN }}
+      GH_PACKAGES_USER: ${{ vars.GH_PACKAGES_USER }}
+      GH_PACKAGES_TOKEN: ${{ secrets.GH_PACKAGES_TOKEN }}
+      DOCKER_MIRROR_USER: ${{ vars.DOCKER_MIRROR_USER }}
+      DOCKER_MIRROR_TOKEN: ${{ secrets.DOCKER_MIRROR_TOKEN }}
+    uses: ./.forgejo/workflows/mirror-images.yml

.forgejo/workflows/renovate.yml

@@ -43,11 +43,11 @@ jobs:
     name: Renovate
     runs-on: ubuntu-latest
     container:
-      image: ghcr.io/renovatebot/renovate:43.59.4@sha256:f951508dea1e7d71cbe6deca298ab0a05488e7631229304813f630cc06010892
+      image: ghcr.io/renovatebot/renovate:43.111.0@sha256:da5fcac20c48d9792aac9c61fd234531bfa8df61263a39387cd8920263ca4768
       options: --tmpfs /tmp:exec
     steps:
       - name: Checkout
-        uses: actions/checkout@v6
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
         with:
           show-progress: false
 
@@ -55,7 +55,7 @@ jobs:
         run: /usr/local/renovate/node -e 'console.log(`node heap limit = ${require("v8").getHeapStatistics().heap_size_limit / (1024 * 1024)} Mb`)'
 
       - name: Restore renovate repo cache
-        uses: actions/cache/restore@v4
+        uses: actions/cache/restore@v5
         with:
           path: |
             /tmp/renovate/cache/renovate/repository
@@ -64,7 +64,7 @@ jobs:
             renovate-repo-cache-
 
       - name: Restore renovate package cache
-        uses: actions/cache/restore@v4
+        uses: actions/cache/restore@v5
         with:
           path: |
             /tmp/renovate/cache/renovate/renovate-cache-sqlite
@@ -73,7 +73,7 @@ jobs:
             renovate-package-cache-
 
       - name: Restore renovate OSV cache
-        uses: actions/cache/restore@v4
+        uses: actions/cache/restore@v5
         with:
           path: |
             /tmp/osv
@@ -109,7 +109,7 @@ jobs:
       - name: Save renovate repo cache
         if: always()
         uses:
-          actions/cache/save@v4
+          actions/cache/save@v5
         with:
           path: |
             /tmp/renovate/cache/renovate/repository
@@ -117,7 +117,7 @@ jobs:
 
       - name: Save renovate package cache
         if: always()
-        uses: actions/cache/save@v4
+        uses: actions/cache/save@v5
         with:
           path: |
             /tmp/renovate/cache/renovate/renovate-cache-sqlite
@@ -125,7 +125,7 @@ jobs:
 
       - name: Save renovate OSV cache
         if: always()
-        uses: actions/cache/save@v4
+        uses: actions/cache/save@v5
         with:
           path: |
             /tmp/osv

.forgejo/workflows/update-flake-hashes.yml

@@ -14,50 +14,21 @@ jobs:
   update-flake-hashes:
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v6
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
         with:
-          fetch-depth: 0
-          fetch-tags: false
-          fetch-single-branch: true
-          submodules: false
           persist-credentials: true
           token: ${{ secrets.FORGEJO_TOKEN }}
 
-      - uses: https://github.com/cachix/install-nix-action@19effe9fe722874e6d46dd7182e4b8b7a43c4a99 # v31.10.0
+      - name: Install Lix
+        uses: https://github.com/samueldr/lix-gha-installer-action@f5e94192f565f53d84f41a056956dc0d3183b343
         with:
-          nix_path: nixpkgs=channel:nixos-unstable
-
-        # We can skip getting a toolchain hash if this was ran as a dispatch with the intent
-        # to update just the rocksdb hash. If this was ran as a dispatch and the toolchain
-        # files are changed, we still update them, as well as the rocksdb import.
-      - name: Detect changed files
-        id: changes
-        run: |
-          git fetch origin ${{ github.base_ref }} --depth=1 || true
-          if [ -n "${{ github.event.pull_request.base.sha }}" ]; then
-            base=${{ github.event.pull_request.base.sha }}
-          else
-            base=$(git rev-parse HEAD~1)
-          fi
-          echo "Base: $base"
-          echo "HEAD: $(git rev-parse HEAD)"
-          git diff --name-only $base HEAD > changed_files.txt
-          echo "detected changes in $(cat changed_files.txt)"
-          # Join files with commas
-          files=$(paste -sd, changed_files.txt)
-          echo "files=$files" >> $FORGEJO_OUTPUT
-
-      - name: Debug output
-        run: |
-          echo "State of output"
-          echo "Changed files: ${{ steps.changes.outputs.files }}"
+          extra_nix_config: experimental-features = nix-command flakes flake-self-attrs
 
       - name: Get new toolchain hash
-        if: contains(steps.changes.outputs.files, 'Cargo.toml') || contains(steps.changes.outputs.files, 'Cargo.lock') || contains(steps.changes.outputs.files, 'rust-toolchain.toml')
         run: |
           # Set the current sha256 to an empty hash to make `nix build` calculate a new one
-          awk '/fromToolchainFile *\{/{found=1; print; next} found && /sha256 =/{sub(/sha256 = .*/, "sha256 = lib.fakeSha256;"); found=0} 1' nix/packages/rust.nix > temp.nix
-          mv temp.nix nix/packages/rust.nix
+          awk '/fromToolchainFile *\{/{found=1; print; next} found && /sha256 =/{sub(/sha256 = .*/, "sha256 = lib.fakeSha256;"); found=0} 1' nix/rust.nix > temp.nix
+          mv temp.nix nix/rust.nix
 
           # Build continuwuity and filter for the new hash
           # We do `|| true` because we want this to fail without stopping the workflow
@@ -65,36 +36,17 @@ jobs:
 
           # Place the new hash in place of the empty hash
           new_hash=$(cat new_toolchain_hash.txt)
-          sed -i "s|lib.fakeSha256|\"$new_hash\"|" nix/packages/rust.nix
+          sed -i "s|lib.fakeSha256|\"$new_hash\"|" nix/rust.nix
 
           echo "New hash:"
-          awk -F'"' '/fromToolchainFile/{found=1; next} found && /sha256 =/{print $2; found=0}' nix/packages/rust.nix
+          awk -F'"' '/fromToolchainFile/{found=1; next} found && /sha256 =/{print $2; found=0}' nix/rust.nix
           echo "Expected new hash:"
           cat new_toolchain_hash.txt
 
           rm new_toolchain_hash.txt
 
-      - name: Get new rocksdb hash
-        if: contains(steps.changes.outputs.files, '.nix') || contains(steps.changes.outputs.files, 'flake.lock')
-        run: |
-          # Set the current sha256 to an empty hash to make `nix build` calculate a new one
-          awk '/repo = "rocksdb";/{found=1; print; next} found && /sha256 =/{sub(/sha256 = .*/, "sha256 = lib.fakeSha256;"); found=0} 1' nix/packages/rocksdb/package.nix > temp.nix
-          mv temp.nix nix/packages/rocksdb/package.nix
-
-          # Build continuwuity and filter for the new hash
-          # We do `|| true` because we want this to fail without stopping the workflow
-          nix build .#default 2>&1 | tee >(grep 'got:' | awk '{print $2}' > new_rocksdb_hash.txt) || true
-
-          # Place the new hash in place of the empty hash
-          new_hash=$(cat new_rocksdb_hash.txt)
-          sed -i "s|lib.fakeSha256|\"$new_hash\"|" nix/packages/rocksdb/package.nix
-
-          echo "New hash:"
-          awk -F'"' '/repo = "rocksdb";/{found=1; next} found && /sha256 =/{print $2; found=0}' nix/packages/rocksdb/package.nix
-          echo "Expected new hash:"
-          cat new_rocksdb_hash.txt
-
-          rm new_rocksdb_hash.txt
+      - name: Update rocksdb
+        run: nix run .#update-rocksdb
 
       - name: Show diff
         run: git diff flake.nix nix

.github/FUNDING.yml

@@ -1,4 +1,4 @@
 github: [JadedBlueEyes, nexy7574, gingershaped]
 custom:
-  - https://ko-fi.com/nexy7574
-  - https://ko-fi.com/JadedBlueEyes
+  - https://timedout.uk/donate.html
+  - https://jade.ellis.link/sponsors

.pre-commit-config.yaml

@@ -24,7 +24,7 @@ repos:
         - id: check-added-large-files
 
   - repo: https://github.com/crate-ci/typos
-    rev: v1.44.0
+    rev: v1.45.1
     hooks:
       - id: typos
       - id: typos

CODE_OF_CONDUCT.md

@@ -1,131 +1 @@
-# Contributor Covenant Code of Conduct
-
-## Our Pledge
-
-We as members, contributors, and leaders pledge to make participation in our
-community a harassment-free experience for everyone, regardless of age, body
-size, visible or invisible disability, ethnicity, sex characteristics, gender
-identity and expression, level of experience, education, socio-economic status,
-nationality, personal appearance, race, caste, color, religion, or sexual
-identity and orientation.
-
-We pledge to act and interact in ways that contribute to an open, welcoming,
-diverse, inclusive, and healthy community.
-
-## Our Standards
-
-Examples of behavior that contributes to a positive environment for our
-community include:
-
-* Demonstrating empathy and kindness toward other people
-* Being respectful of differing opinions, viewpoints, and experiences
-* Giving and gracefully accepting constructive feedback
-* Accepting responsibility and apologizing to those affected by our mistakes,
-  and learning from the experience
-* Focusing on what is best not just for us as individuals, but for the overall
-  community
-
-Examples of unacceptable behavior include:
-
-* The use of sexualized language or imagery, and sexual attention or advances of
-  any kind
-* Trolling, insulting or derogatory comments, and personal or political attacks
-* Public or private harassment
-* Publishing others' private information, such as a physical or email address,
-  without their explicit permission
-* Other conduct which could reasonably be considered inappropriate in a
-  professional setting
-
-## Enforcement Responsibilities
-
-Community leaders are responsible for clarifying and enforcing our standards of
-acceptable behavior and will take appropriate and fair corrective action in
-response to any behavior that they deem inappropriate, threatening, offensive,
-or harmful.
-
-Community leaders have the right and responsibility to remove, edit, or reject
-comments, commits, code, wiki edits, issues, and other contributions that are
-not aligned to this Code of Conduct, and will communicate reasons for moderation
-decisions when appropriate.
-
-## Scope
-
-This Code of Conduct applies within all community spaces, and also applies when
-an individual is officially representing the community in public spaces.
-Examples of representing our community include using an official e-mail address,
-posting via an official social media account, or acting as an appointed
-representative at an online or offline event.
-
-## Enforcement
-
-Instances of abusive, harassing, or otherwise unacceptable behavior may be
-reported to the community leaders responsible for enforcement over Matrix at [#continuwuity:continuwuity.org](https://matrix.to/#/#continuwuity:continuwuity.org?via=continuwuity.org&via=ellis.link&via=explodie.org&via=matrix.org) or email at <tom@tcpip.uk>, <jade@continuwuity.org> and <nex@continuwuity.org> respectively.
-All complaints will be reviewed and investigated promptly and fairly.
-
-All community leaders are obligated to respect the privacy and security of the
-reporter of any incident.
-
-## Enforcement Guidelines
-
-Community leaders will follow these Community Impact Guidelines in determining
-the consequences for any action they deem in violation of this Code of Conduct:
-
-### 1. Correction
-
-**Community Impact**: Use of inappropriate language or other behavior deemed
-unprofessional or unwelcome in the community.
-
-**Consequence**: A private, written warning from community leaders, providing
-clarity around the nature of the violation and an explanation of why the
-behavior was inappropriate. A public apology may be requested.
-
-### 2. Warning
-
-**Community Impact**: A violation through a single incident or series of
-actions.
-
-**Consequence**: A warning with consequences for continued behavior. No
-interaction with the people involved, including unsolicited interaction with
-those enforcing the Code of Conduct, for a specified period of time. This
-includes avoiding interactions in community spaces as well as external channels
-like social media. Violating these terms may lead to a temporary or permanent
-ban.
-
-### 3. Temporary Ban
-
-**Community Impact**: A serious violation of community standards, including
-sustained inappropriate behavior.
-
-**Consequence**: A temporary ban from any sort of interaction or public
-communication with the community for a specified period of time. No public or
-private interaction with the people involved, including unsolicited interaction
-with those enforcing the Code of Conduct, is allowed during this period.
-Violating these terms may lead to a permanent ban.
-
-### 4. Permanent Ban
-
-**Community Impact**: Demonstrating a pattern of violation of community
-standards, including sustained inappropriate behavior, harassment of an
-individual, or aggression toward or disparagement of classes of individuals.
-
-**Consequence**: A permanent ban from any sort of public interaction within the
-community.
-
-## Attribution
-
-This Code of Conduct is adapted from the [Contributor Covenant][homepage],
-version 2.1, available at
-[https://www.contributor-covenant.org/version/2/1/code_of_conduct.html][v2.1].
-
-Community Impact Guidelines were inspired by
-[Mozilla's code of conduct enforcement ladder][Mozilla CoC].
-
-For answers to common questions about this code of conduct, see the FAQ at
-[https://www.contributor-covenant.org/faq][FAQ]. Translations are available at
-[https://www.contributor-covenant.org/translations][translations].
-
-[homepage]: https://www.contributor-covenant.org
-[v2.1]: https://www.contributor-covenant.org/version/2/1/code_of_conduct.html
-[Mozilla CoC]: https://github.com/mozilla/diversity
-[FAQ]: https://www.contributor-covenant.org/faq
-[translations]: https://www.contributor-covenant.org/translations
+Contributors are expected to follow the [Continuwuity Community Guidelines](continuwuity.org/community/guidelines).

CONTRIBUTING.md

@@ -36,7 +36,7 @@ # Run all checks
 prek --all-files
 ```
 
-Alternatively, you can use [pre-commit](https://pre-commit.com/):
+Alternatively, you can use [pre-commit][pre-commit]:
 ```bash
 # Requires python
 
@@ -52,6 +52,8 @@ # Run all checks manually
 
 These same checks are run in CI via the prek-checks workflow to ensure consistency. These must pass before the PR is merged.
 
+[pre-commit]: https://pre-commit.com/
+
 ### Running tests locally
 
 Tests, compilation, and linting can be run with standard Cargo commands:
@@ -109,7 +111,7 @@ ### Writing documentation
 
 ### Commit Messages
 
-Continuwuity follows the [Conventional Commits](https://www.conventionalcommits.org/) specification for commit messages. This provides a standardized format that makes the commit history more readable and enables automated tools to generate changelogs.
+Continuwuity follows the [Conventional Commits][conventional-commits] specification for commit messages. This provides a standardized format that makes the commit history more readable and enables automated tools to generate changelogs.
 
 The basic structure is:
 
@@ -168,6 +170,7 @@ ### Creating pull requests
 their contributions accepted. This includes users who have been banned from
 continuwuity Matrix rooms for Code of Conduct violations.
 
+[conventional-commits]: https://www.conventionalcommits.org/
 [issues]: https://forgejo.ellis.link/continuwuation/continuwuity/issues
 [continuwuity-matrix]: https://matrix.to/#/#continuwuity:continuwuity.org?via=continuwuity.org&via=ellis.link&via=explodie.org&via=matrix.org
 [complement]: https://github.com/matrix-org/complement/
@@ -175,3 +178,32 @@ ### Creating pull requests
 [nodejs-download]: https://nodejs.org/en/download
 [rspress]: https://rspress.rs/
 [documentation.yml]: https://forgejo.ellis.link/continuwuation/continuwuity/src/branch/main/.forgejo/workflows/documentation.yml
+
+#### Writing news fragments
+
+In order to make writing our changelogs easier, we make use of [Towncrier]. Towncrier builds changelogs based on
+"news fragments", which are little markdown files in the `changelog.d/` directory that describe individual changes.
+
+When you make a pull request that changes functionality, fixes a bug, or adds documentation, please add a news fragment
+describing your change. The file name *MUST* be in the format of `{pull_request_number}.{type}`, where `{type}` is one
+of the following:
+
+- `feature` - for new features
+- `bugfix` - for bug fixes
+- `doc` - for documentation changes
+- `misc` - for other changes that don't fit the above categories
+
+For example:
+
+```bash
+$ echo "Fixed the quantum flux stabiliser. Contributed by @alice." > changelog.d/42.bugfix
+```
+
+(Note: If you want to credit yourself, you should reference your forgejo handle, however links to other platforms are also acceptable.)
+
+When the next release is made, Towncrier will automatically include your news fragment in the changelog.
+
+You can read more about writing news fragments in the [Towncrier tutorial][tt].
+
+[Towncrier]: https://towncrier.readthedocs.io/
+[tt]: https://towncrier.readthedocs.io/en/stable/tutorial.html#creating-news-fragments

Cargo.toml

@@ -39,7 +39,7 @@ features = ["ffi", "std", "union"]
 version = "0.7.0"
 
 [workspace.dependencies.ctor]
-version = "0.6.0"
+version = "0.9.0"
 
 [workspace.dependencies.cargo_toml]
 version = "0.22"
@@ -60,7 +60,7 @@ default-features = false
 
 # used for TURN server authentication
 [workspace.dependencies.hmac]
-version = "0.12.1"
+version = "0.13.0"
 default-features = false
 
 # used for checking if an IP is in specific subnets / CIDR ranges easier
@@ -159,7 +159,7 @@ features = ["raw_value"]
 
 # Used for appservice registration files
 [workspace.dependencies.serde-saphyr]
-version = "0.0.21"
+version = "0.0.23"
 
 # Used to load forbidden room/user regex from config
 [workspace.dependencies.serde_regex]
@@ -278,7 +278,7 @@ features = [
 ]
 
 [workspace.dependencies.hyper-util]
-version = "=0.1.17"
+version = "=0.1.20"
 default-features = false
 features = [
     "server-auto",
@@ -332,7 +332,7 @@ version = "0.4.0"
 
 # used for MPMC channels
 [workspace.dependencies.async-channel]
-version = "2.3.1"
+version = "2.5.0"
 
 [workspace.dependencies.async-trait]
 version = "0.1.88"
@@ -344,7 +344,7 @@ version = "0.1.2"
 [workspace.dependencies.ruma]
 git = "https://forgejo.ellis.link/continuwuation/ruwuma"
 #branch = "conduwuit-changes"
-rev = "bb12ed288a31a23aa11b10ba0fad22b7f985eb88"
+rev = "1415caf8a32af4d943580c5ea4e12be1974593c2"
 features = [
     "compat",
     "rand",
@@ -383,12 +383,13 @@ features = [
     "unstable-pdu",
     "unstable-msc4155",
     "unstable-msc4143", # livekit well_known response
-    "unstable-msc4284"
+    "unstable-msc4284",
+    "unstable-msc4439", # pgp_key in .well_known/matrix/support
 ]
 
 [workspace.dependencies.rust-rocksdb]
 git = "https://forgejo.ellis.link/continuwuation/rust-rocksdb-zaidoon1"
-rev = "61d9d23872197e9ace4a477f2617d5c9f50ecb23"
+rev = "31fb8f772c7afcdc0061ab6a40cfa3a1be2fccd9"
 default-features = false
 features = [
     "multi-threaded-cf",
@@ -399,11 +400,11 @@ features = [
 ]
 
 [workspace.dependencies.sha2]
-version = "0.10.8"
+version = "0.11.0"
 default-features = false
 
 [workspace.dependencies.sha1]
-version = "0.10.6"
+version = "0.11.0"
 default-features = false
 
 # optional opentelemetry, performance measurements, flamegraphs, etc for performance measurements and monitoring
@@ -451,7 +452,7 @@ version = "0.46.0"
 # jemalloc usage
 [workspace.dependencies.tikv-jemalloc-sys]
 git = "https://forgejo.ellis.link/continuwuation/jemallocator"
-rev = "82af58d6a13ddd5dcdc7d4e91eae3b63292995b8"
+rev = "df86ff89d4b1e223b9f7d2dd2fbb7f202da7f554"
 default-features = false
 features = [
     "background_threads_runtime_support",
@@ -459,7 +460,7 @@ features = [
 ]
 [workspace.dependencies.tikv-jemallocator]
 git = "https://forgejo.ellis.link/continuwuation/jemallocator"
-rev = "82af58d6a13ddd5dcdc7d4e91eae3b63292995b8"
+rev = "df86ff89d4b1e223b9f7d2dd2fbb7f202da7f554"
 default-features = false
 features = [
     "background_threads_runtime_support",
@@ -467,7 +468,7 @@ features = [
 ]
 [workspace.dependencies.tikv-jemalloc-ctl]
 git = "https://forgejo.ellis.link/continuwuation/jemallocator"
-rev = "82af58d6a13ddd5dcdc7d4e91eae3b63292995b8"
+rev = "df86ff89d4b1e223b9f7d2dd2fbb7f202da7f554"
 default-features = false
 features = ["use_std"]
 
@@ -480,7 +481,7 @@ default-features = false
 features = ["resource"]
 
 [workspace.dependencies.sd-notify]
-version = "0.4.5"
+version = "0.5.0"
 default-features = false
 
 [workspace.dependencies.hardened_malloc-rs]
@@ -493,7 +494,7 @@ features = [
 ]
 
 [workspace.dependencies.rustyline-async]
-version = "0.4.3"
+version = "0.4.9"
 default-features = false
 
 [workspace.dependencies.termimad]
@@ -526,7 +527,7 @@ version = "0.4.13"
 version = "2.0"
 
 [workspace.dependencies.core_affinity]
-version = "0.8.1"
+version = "0.8.3"
 
 [workspace.dependencies.libc]
 version = "0.2"
@@ -550,15 +551,25 @@ version = "0.12.0"
 default-features = false
 features = ["sync", "tls-rustls", "rustls-provider"]
 
-[workspace.dependencies.resolv-conf]
-version = "0.7.5"
-
 [workspace.dependencies.yansi]
 version = "1.0.1"
 
 [workspace.dependencies.askama]
 version = "0.15.0"
 
+[workspace.dependencies.lettre]
+version = "0.11.19"
+default-features = false
+features = ["smtp-transport", "pool", "hostname", "builder", "rustls", "rustls-native-certs", "tokio1", "ring", "tokio1-rustls", "tracing", "serde"]
+
+[workspace.dependencies.governor]
+version = "0.10.4"
+default-features = false
+features = ["std"]
+
+[workspace.dependencies.nonzero_ext]
+version = "0.3.0"
+
 #
 # Patches
 #
@@ -571,25 +582,25 @@ version = "0.15.0"
 # adds event for CTRL+\: https://forgejo.ellis.link/continuwuation/rustyline-async/src/branch/main/.patchy/0001-add-event-for-ctrl.patch
 [patch.crates-io.rustyline-async]
 git = "https://forgejo.ellis.link/continuwuation/rustyline-async"
-rev = "e9f01cf8c6605483cb80b3b0309b400940493d7f"
+rev = "b13aca2cc08d5f78303746cd192d9a03d73e768e"
 
 # adds LIFO queue scheduling; this should be updated with PR progress.
 [patch.crates-io.event-listener]
 git = "https://forgejo.ellis.link/continuwuation/event-listener"
-rev = "fe4aebeeaae435af60087ddd56b573a2e0be671d"
+rev = "b2c19bcaf5a0a69c38c034e417bda04a9b991529"
 [patch.crates-io.async-channel]
 git = "https://forgejo.ellis.link/continuwuation/async-channel"
-rev = "92e5e74063bf2a3b10414bcc8a0d68b235644280"
+rev = "e990f0006b68dc9bace7a3c95fc90b5c4e44948d"
 
 # adds affinity masks for selecting more than one core at a time
 [patch.crates-io.core_affinity]
 git = "https://forgejo.ellis.link/continuwuation/core_affinity_rs"
-rev = "9c8e51510c35077df888ee72a36b4b05637147da"
+rev = "7c7a9dea35382743a63837cdd1d977efdb8f1b8a"
 
 # reverts hyperium#148 conflicting with our delicate federation resolver hooks
 [patch.crates-io.hyper-util]
 git = "https://forgejo.ellis.link/continuwuation/hyper-util"
-rev = "5886d5292bf704c246206ad72d010d674a7b77d0"
+rev = "09fcd3bf4656c81a8ad573bee410ab2b57f60b86"
 
 #
 # Our crates
@@ -919,7 +930,6 @@ fn_to_numeric_cast_any = "warn"
 format_push_string = "warn"
 get_unwrap = "warn"
 impl_trait_in_params = "warn"
-let_underscore_untyped = "warn"
 lossy_float_literal = "warn"
 mem_forget = "warn"
 missing_assert_message = "warn"

LICENSE

@@ -1,4 +1,3 @@
-
                                  Apache License
                            Version 2.0, January 2004
                         http://www.apache.org/licenses/
@@ -187,7 +186,7 @@
       same "printed page" as the copyright notice for easier
       identification within third-party archives.
 
-   Copyright 2023 June
+   Copyright 2023 Continuwuity Team and contributors
 
    Licensed under the Apache License, Version 2.0 (the "License");
    you may not use this file except in compliance with the License.

book.toml

@@ -1,23 +0,0 @@
-[book]
-title = "continuwuity"
-description = "continuwuity is a community continuation of the conduwuit Matrix homeserver, written in Rust."
-language = "en"
-authors = ["The continuwuity Community"]
-text-direction = "ltr"
-src = "docs"
-
-[build]
-build-dir = "public"
-create-missing = true
-extra-watch-dirs = ["debian", "docs"]
-
-[rust]
-edition = "2024"
-
-[output.html]
-edit-url-template = "https://forgejo.ellis.link/continuwuation/continuwuity/src/branch/main/{path}"
-git-repository-url = "https://forgejo.ellis.link/continuwuation/continuwuity"
-git-repository-icon = "fa-git-alt"
-
-[output.html.search]
-limit-results = 15

changelog.d/+1770db35.feature.md

@@ -0,0 +1 @@
+Added support for associating email addresses with accounts, requiring email addresses for registration, and resetting passwords via email. Contributed by @ginger

changelog.d/+7409b1db.feature.md

@@ -0,0 +1 @@
+Added support for requiring users to accept terms and conditions when registering.

changelog.d/+alias-enumeration-delete.bugfix.md

@@ -0,0 +1 @@
+Fixed room alias deletion so removing one local alias no longer removes other aliases from room alias listings.

changelog.d/1429.doc

@@ -0,0 +1 @@
+Added Testing and Troubleshooting instructions for Livekit documentation. Contributed by @stratself.

changelog.d/1542.bugfix.md

@@ -0,0 +1 @@
+Stripped `join_authorised_via_users_server` from json if user is already in room (@partha:cxy.run)

changelog.d/1572.bugfix

@@ -0,0 +1 @@
+Fixed internal server errors for fetching thumbnails. Contributed by @PerformativeJade

changelog.d/1579.bugfix

@@ -0,0 +1 @@
+Fixed error 500 when joining non-existent rooms. Contributed by @ezera.

changelog.d/1594.doc

@@ -0,0 +1 @@
+Refactored docker docs to include new initial token workflow, and add Caddyfile example. Contributed by @stratself.

changelog.d/1596.bugfix

@@ -0,0 +1 @@
+Refactored nix package. Breaking, since `all-features` package no longer exists. Continuwuity is now built with jemalloc and liburing by default. Contributed by @Henry-Hiles (QuadRadical).

changelog.d/1601.doc

@@ -0,0 +1 @@
+Add DNS tuning guide for Continuwuity. Users are recommended to set up a local caching resolver following the guide's advice. Contributed by @stratself

changelog.d/1609.feature.md

@@ -0,0 +1,2 @@
+Add new config option for [MSC4439](https://github.com/matrix-org/matrix-spec-proposals/pull/4439)
+PGP key URIs. Contributed by LogN.

changelog.d/1613.feature

@@ -0,0 +1 @@
+Added `!admin users reset-push-rules` command to reset the notification settings of users. Contributed by @nex.

changelog.d/1614.feature

@@ -0,0 +1 @@
+Notification pushers are now automatically removed when their associated device is. Admin commands now exist for manual cleanup too. Contributed by @nex.

changelog.d/1615.bugfix

@@ -0,0 +1 @@
+Fixed resolving IP of servers that only use SRV delegation. Contributed by @tulir.

changelog.d/1620.misc

@@ -0,0 +1 @@
+Fixed compiler warning in cf_opts.rs when building in release. Contributed by @ezera.

changelog.d/1623.bugfix

@@ -0,0 +1 @@
+Fixed "Sender must be a local user" error for make_join, make_knock, and make_leave federation routes. Contributed by @nex.

changelog.d/1624.feature

@@ -0,0 +1 @@
+Implemented option to deprioritize servers for room join requests. Contributed by @ezera.

changelog.d/1629.feature.md

@@ -0,0 +1 @@
+Added admin commands to get build information and features. Contributed by @Jade

changelog.d/1630.bugfix

@@ -0,0 +1 @@
+Fixed restricted joins not being signed when we are being used as an authorising server. Contributed by @nex, reported by [vel](matrix:u/vel:nhjkl.com?action=chat).

conduwuit-example.toml

@@ -95,6 +95,10 @@
 # engine API. To use this, set a database backup path that continuwuity
 # can write to.
 #
+# If you are using systemd, you will need to add the path to
+# ReadWritePaths in the service file, preferably via a drop-in file
+# through `systemctl edit`.
+#
 # For more information, see:
 # https://continuwuity.org/maintenance.html#backups
 #
@@ -519,6 +523,18 @@
 #
 #recaptcha_private_site_key =
 
+# Policy documents, such as terms and conditions or a privacy policy,
+# which users must agree to when registering an account.
+#
+# Example:
+# ```ignore
+# [global.registration_terms.privacy_policy]
+# en = { name = "Privacy Policy", url = "https://homeserver.example/en/privacy_policy.html" }
+# es = { name = "Política de Privacidad", url = "https://homeserver.example/es/privacy_policy.html" }
+# ```
+#
+#registration_terms = {}
+
 # Controls whether encrypted rooms and events are allowed.
 #
 #allow_encryption = true
@@ -1393,6 +1409,20 @@
 #
 #ignore_messages_from_server_names = []
 
+# List of server names that continuwuity will deprioritize (try last) when
+# a client requests to join a room.
+#
+# This can be used to potentially speed up room join requests, by
+# deprioritizing sending join requests through servers that are known to
+# be large or slow.
+#
+# continuwuity will still send join requests to servers in this list if
+# the room couldn't be joined via other servers it federates with.
+#
+# example: ["example.com"]
+#
+#deprioritize_joins_through_servers = []
+
 # Send messages from users that the user has ignored to the client.
 #
 # There is no way for clients to receive messages sent while a user was
@@ -1865,6 +1895,11 @@
 #
 #support_mxid =
 
+# PGP key URI for server support contacts, to be served as part of the
+# MSC1929 server support endpoint.
+#
+#support_pgp_key =
+
 # **DEPRECATED**: Use `[global.matrix_rtc].foci` instead.
 #
 # A list of MatrixRTC foci URLs which will be served as part of the
@@ -2037,3 +2072,41 @@
 # web->synapseHTTPAntispam->authorization
 #
 #secret =
+
+#[global.smtp]
+
+# A `smtp://`` URI which will be used to connect to a mail server.
+# Uncommenting the [global.smtp] group and setting this option enables
+# features which depend on the ability to send email,
+# such as self-service password resets.
+#
+# For most modern mail servers, format the URI like this:
+# 	`smtps://username:password@hostname:port`
+# Note that you will need to URL-encode the username and password. If your
+# username _is_ your email address, you will need to replace the `@` with
+# `%40`.
+#
+# For a guide on the accepted URI syntax, consult Lettre's documentation:
+# https://docs.rs/lettre/latest/lettre/transport/smtp/struct.AsyncSmtpTransport.html#method.from_url
+#
+#connection_uri =
+
+# The outgoing address which will be used for sending emails.
+#
+# For a syntax guide, see https://datatracker.ietf.org/doc/html/rfc2822#section-3.4
+#
+# ...or if you don't want to read the RFC, for some reason:
+# - `Name <address@domain.org>` to specify a sender name
+# - `address@domain.org` to not use a name
+#
+#sender =
+
+# Whether to require that users provide an email address when they
+# register.
+#
+#require_email_for_registration = false
+
+# Whether to require that users who register with a registration token
+# provide an email address.
+#
+#require_email_for_token_registration = false

docker/Dockerfile

@@ -10,18 +10,18 @@ RUN rm -f /etc/apt/apt.conf.d/docker-clean
 
 # Match Rustc version as close as possible
 # rustc -vV
-ARG LLVM_VERSION=20
+ARG LLVM_VERSION=21
 # ENV RUSTUP_TOOLCHAIN=${RUST_VERSION}
 
 # Install repo tools
 # Line one: compiler tools
-# Line two: curl, for downloading binaries
+# Line two: curl, for downloading binaries and wget because llvm.sh is broken with curl
 # Line three: for xx-verify
 RUN --mount=type=cache,target=/var/cache/apt,sharing=locked \
     --mount=type=cache,target=/var/lib/apt,sharing=locked \
     apt-get update && apt-get install -y \
     pkg-config make jq \
-    curl git software-properties-common \
+    wget curl git software-properties-common \
     file
 
 # LLVM packages
@@ -48,7 +48,7 @@ EOF
 
 # Developer tool versions
 # renovate: datasource=github-releases depName=cargo-bins/cargo-binstall
-ENV BINSTALL_VERSION=1.17.7
+ENV BINSTALL_VERSION=1.18.1
 # renovate: datasource=github-releases depName=psastras/sbom-rs
 ENV CARGO_SBOM_VERSION=0.9.1
 # renovate: datasource=crate depName=lddtree

docker/musl.Dockerfile

@@ -18,7 +18,7 @@ RUN --mount=type=cache,target=/etc/apk/cache apk add \
 
 # Developer tool versions
 # renovate: datasource=github-releases depName=cargo-bins/cargo-binstall
-ENV BINSTALL_VERSION=1.17.7
+ENV BINSTALL_VERSION=1.18.1
 # renovate: datasource=github-releases depName=psastras/sbom-rs
 ENV CARGO_SBOM_VERSION=0.9.1
 # renovate: datasource=crate depName=lddtree

docs/_meta.json

@@ -69,11 +69,6 @@
         "label": "Configuration Reference",
         "name": "/reference/config"
     },
-    {
-        "type": "file",
-        "label": "Environment Variables",
-        "name": "/reference/environment-variables"
-    },
     {
         "type": "dir",
         "label": "Admin Command Reference",

docs/advanced/_meta.json

@@ -3,5 +3,11 @@
         "type": "file",
         "name": "delegation",
         "label": "Delegation / split-domain"
+    },
+    {
+        "type": "file",
+        "name": "dns",
+        "label": "DNS tuning (recommended)"
     }
+
 ]

docs/advanced/delegation.mdx

@@ -18,12 +18,14 @@ ## Configuration
 ```toml
 [global.well_known]
 
+# defaults to port :443 if not specified
 client = "https://matrix.example.com"
 
 # port number MUST be specified
 server = "matrix.example.com:443"
 
 # (optional) customize your support contacts
+# Defaults to members of the admin room if unset
 #support_page =
 #support_role = "m.role.admin"
 #support_email =
@@ -42,9 +44,13 @@ # (optional) customize your support contacts
         client=https://matrix.example.com,
         server=matrix.example.com:443
         }
+
+      # You can also configure individual `.well-knowns` like this
+      # CONTINUWUITY_WELL_KNOWN__CLIENT: https://matrix.example.com
+      # CONTINUWUITY_WELL_KNOWN__SERVER: matrix.example.com:443
 ```
 
-## Serving with a reverse proxy
+## Reverse proxying well-known files to Continuwuity
 
 After doing the steps above, Continuwuity will serve these 3 JSON files:
 
@@ -94,9 +100,7 @@ ## Serving with a reverse proxy
 <summary>`https://example.com/.well-known/matrix/server`</summary>
 
 ```json
-{
-  "m.server": "matrix.example.com:443"
-}
+{ "m.server": "matrix.example.com:443" }
 ```
 
 </details>
@@ -115,12 +119,57 @@ ## Serving with a reverse proxy
 
 </details>
 
+### Serving well-known files manually
+
+Instead of configuring `[global.well_known]` options and reverse proxying well-known URIs, you can serve these files directly as static JSON that match the ones above. This is useful if your base domain points to a different physical server, and reverse proxying isn't feasible.
+
+<details>
+
+<summary>Example Caddyfile **for the base domain**</summary>
+
+```
+https://example.com {
+
+    respond /.well-known/matrix/server 200 {
+        body `{"m.server":"matrix.example.com:443"}`
+    }
+
+    handle /.well-known/matrix/client {
+    header Access-Control-Allow-Origin *
+    respond <<JSON
+    {
+        "m.homeserver": {
+            "base_url": "https://matrix.example.com/"
+        }
+    }
+    JSON
+    }
+}
+```
+
+</details>
+
+Remember to set the `Access-Control-Allow-Origin: *` header in your `/.well-known/matrix/client` path for web clients to work.
+
 ## Troubleshooting
 
+Check with the [Matrix Connectivity Tester][federation-tester] to see that it's working.
+
+[federation-tester]: https://federationtester.mtrnord.blog/
+
 ### Cannot log in with web clients
 
 Make sure there is an `Access-Control-Allow-Origin: *` header in your `/.well-known/matrix/client` path. While Continuwuity serves this header by default, it may be dropped by reverse proxies or other middlewares.
 
+### Issues with alternative setups
+
+As Matrix clients prioritize well-known URIs for their destination, this can lead to issues with alternative methods of accessing the server that doesn't use a publicly routeable IP and domain name. You will probably find yourself connecting to non-existent/undesired URLs in certain cases like:
+
+- Accessing to the server via localhost IPs (e.g. for testing purposes)
+- Accessing the server from behind a VPN, or from alternative networks (such as from an onionsite)
+
+In these scenarios, further configurations would be needed. Refer to the [Related Documentation](#related-documentation) section for resolution steps and see how they could apply to your use case.
+
 ---
 
 ## Using SRV records (not recommended)

docs/advanced/dns.mdx

@@ -0,0 +1,165 @@
+# DNS Tuning (recommended)
+
+For federation, Matrix homeservers conduct an enormous amount of DNS requests, sometimes up to thousands of queries per minute. Normal DNS resolvers are simply not designed for this load, and running Continuwuity with them will likely result in various [DNS and federation errors](../troubleshooting#dns-issues).
+
+To solve this issue, it is strongly recommended to self-host a high-quality, external caching DNS resolver for Continuwuity. This guide will use [Unbound][unbound] as the recommended example, but the general principle applies to any resolver.
+
+[unbound]: https://wiki.archlinux.org/title/Unbound
+
+## Overview
+
+For generic deployments, install your resolver of choice and configure `/etc/resolv.conf` to point to it. The resolver should ideally reside on the same host as Continuwuity.
+
+```txt title="/etc/resolv.conf"
+nameserver 127.0.0.1
+```
+
+**Avoid using `systemd-resolved`** as it does **not** perform very well under high load, and we have identified its DNS caching to not be very effective.
+
+### For Docker users
+
+Docker bridge networks uses a non-performant resolver to intercept and respond to container hostnames, and **this should also be avoided**. Instead, mount a custom `/etc/resolv.conf` file into the container, and hardcode a resolver address to bypass Docker's.
+
+It is recommended to run a dedicated resolver container for Continuwuity, as to separate from the host's resolver setup. To do this, create a custom bridge network and IP range, and explicitly define an IP address for the resolver container.
+
+<details>
+<summary>Example Docker deployment with unbound</summary>
+
+```yaml title="docker-compose.yml"
+networks:
+  matrix_net:
+    ipam:
+      driver: default
+      config:
+        - subnet: "10.10.10.0/24"
+
+services:
+    homeserver:
+        # ...
+        volume:
+            - ./continuwuity-resolv.conf:/etc/resolv.conf:ro
+
+    unbound:
+        # ...
+        networks:
+            matrix_net:
+                ipv4_address: 10.10.10.20
+```
+
+```txt title="continuwuity-resolv.conf"
+nameserver 10.10.10.20
+```
+
+</details>
+
+### For IPv4-only users
+
+If you don't have IPv6 connectivity, changing `ip_lookup_strategy` to only resolve for IPv4 will reduce unnecessary AAAA queries.
+
+```toml title="continuwuity.toml"
+[global]
+# 1 - Ipv4Only (Only query for A records, no AAAA/IPv6)
+ip_lookup_strategy = 1
+```
+
+## Unbound
+
+[Unbound][unbound] is the recommended resolver to run with Continuwuity. For Docker users, the `docker.io/madnuttah/unbound` image ([Github repo][madnuttah-unbound-repo]) can be used.
+
+After installation, you can tune `/etc/unbound/unbound.conf` values according to your needs. While Continuwuity cannot recommend a "works-for-everyone" Unbound DNS setup guide, the official [Unbound tuning guide][unbound-tuning-guide] and the [Unbound Arch Linux wiki page][unbound-arch-linux] may be of interest.
+
+Some values that are commonly tuned include:
+
+- Increase `rrset-cache-size` and `msg-cache-size` to something much higher than the default `4M`, such as `64M`.
+
+- Increase `discard-timeout` to something like `4800` to wait longer for upstream resolvers, as recursion can take a long time to respond to some domains. Continuwuity default to `dns_timeout = 10` seconds, so dropping requests early would lead to unnecessary retries and/or failures.
+
+### Using a forwarder (optional)
+
+Unbound by default employs **recursive resolution** and contacts many servers around the world. If this is not performant enough, consider forwarding your queries to public resolvers to benefit from their CDNs and get faster responses.
+
+However, most popular upstreams (such as Google DNS or Quad9) employ IP ratelimiting, so a generous cache is still needed to avoid making too many queries.
+
+DNS-over-TLS forwarders may also be used should you need on-the-wire encryption, but TLS overhead causes some speed penalties.
+
+If you want to use forwarders, configure it as follows:
+
+<details>
+
+<summary>unbound.conf</summary>
+
+```
+# Use cloudflare public resolvers as an example
+forward-zone:
+    name: "."
+    forward-addr: 1.0.0.1@53
+    forward-addr: 1.1.1.1@53
+    # Also use IPv6 ones if you're dual-stack
+    # forward-addr: 2606:4700:4700::1001@53
+    # forward-addr: 2606:4700:4700::1111@53
+
+# alternatively, use DNS-over-TLS for forwarders.
+# forward-zone:
+    # name: "."
+    # forward-tls-upstream: yes
+    # forward-addr: 1.0.0.1@853#cloudflare-dns.com
+    # forward-addr: 1.1.1.1@853#cloudflare-dns.com
+    # forward-addr: 2606:4700:4700::1001@853#cloudflare-dns.com
+    # forward-addr: 2606:4700:4700::1111@853#cloudflare-dns.com
+```
+
+</details>
+
+[madnuttah-unbound-repo]: https://github.com/madnuttah/unbound-docker/
+[unbound-tuning-guide]: https://unbound.docs.nlnetlabs.nl/en/latest/topics/core/performance.html
+[unbound-arch-linux]: https://wiki.archlinux.org/title/Unbound
+
+## Other resolvers
+
+### dnsproxy
+
+[Dnsproxy][dnsproxy] and its sister product [AdGuard Home][adguard-home] are known to work with Continuwuity and has an official Docker image. They have support for DNS-over-HTTPS as well as DNS-over-QUIC, but not recursion.
+
+To best utilise dnsproxy, you should enable proper caching with `--cache` and set `--cache-size` to something bigger, like `64000000`.
+
+[dnsproxy]: https://github.com/AdguardTeam/dnsproxy
+[adguard-home]: https://github.com/AdguardTeam/AdGuardHome
+
+### dnsmasq
+
+[dnsmasq][arch-linux-dnsmasq] can possibly work with Continuwuity, though it only supports forwarding rather than recursion. Increase the `cache-size` to something like `30000` for better caching performance.
+
+However, `dnsmasq` does not support TCP fallback which can be problematic when receiving large DNS responses such as from large SRV records. If you still want to use dnsmasq, make sure you disable `dns_tcp_fallback` in Continuwuity config.
+
+[arch-linux-dnsmasq]: https://wiki.archlinux.org/title/Dnsmasq
+
+### Technitium
+
+[Technitium][technitium] supports recursion as well as a myriad of forwarding protocols, allows saving cache to disk natively, and does work well with Continuwuity. Its default configurations however ratelimits single-IP requests by a lot, and hence must be changed. You may consult this [community guide][technitium-continuwuity] for more details on setting up a dedicated Technitium for Continuwuity.
+
+[technitium]: https://github.com/TechnitiumSoftware/DnsServer
+[technitium-continuwuity]: https://muoi.me/~stratself/articles/technitium-continuwuity/
+
+## Testing
+
+As a rough stress test, you can run `!admin query resolver flush-cache -a` or `!admin server clear-caches` to trigger a netburst of DNS queries. If your resolver can handle these loads without problem, then it should be ready for regular Continuwuity activity.
+
+To test connectivity against a specific server, use `!admin debug ping <SERVER_NAME>` and `!admin debug resolve-true-destination <SERVER_NAME>`.
+
+Note that it is expected that not all servers will be resolved, as some of them may be temporarily offline, have broken DNS and/or discovery configuration, or have been decommissioned.
+
+## Further steps
+
+- (Recommended) Set **`dns_cache_entries = 0`** inside Continuwuity and fully rely on the more performant external resolver.
+
+- Consider employing **persistent cache to disk**, so your resolver can still run without hassle after a restart. Unbound, via [Cache DB module][unbound-cachedb], can use Redis as a storage backend for this feature.
+
+- Consider [enabling **Serve Stale**][unbound-serve-stale] functionality to serve expired data beyond DNS TTLs. Since most Matrix homeservers have static IPs, this should help improve federation with them especially when upstream resolvers have timed out. For dnsproxy, this corresponds to its [optimistic caching options][dnsproxy-usage].
+
+- If you still experience DNS performance issues, another step could be to **disable DNSSEC** (which is computationally expensive) at a cost of slightly decreased security. On Unbound this is done by commenting out `trust-anchors` config options and removing the `validator` module.
+
+- Some users have reported that setting `query_over_tcp_only = true` in Continuwuity has improved DNS reliability at a slight performance cost due to TCP overhead. Generally this is not needed if your resolver and homeserver is on the same machine.
+
+[unbound-cachedb]: https://unbound.docs.nlnetlabs.nl/en/latest/manpages/unbound.conf.html#cache-db-module-options
+[unbound-serve-stale]: https://wiki.archlinux.org/title/Unbound#Serving_expired_records
+[dnsproxy-usage]: https://github.com/AdguardTeam/dnsproxy#usage

docs/calls.mdx

@@ -10,4 +10,4 @@ # Calls
 For either one to work correctly, you have to do some additional setup.
 
 - For legacy calls to work, you need to set up a TURN/STUN server. [Read the TURN guide for tips on how to set up coturn](./calls/turn.mdx)
-- For MatrixRTC / Element Call to work, you have to set up the LiveKit backend (foci). LiveKit also uses TURN/STUN to increase reliability, so you might want to configure your TURN server first. [Read the LiveKit guide](./calls/livekit.mdx)
+- For MatrixRTC / Element Call to work, you have to set up the LiveKit backend (foci). LiveKit also uses TURN/STUN to increase reliability - you can set up its built-in TURN server, or integrate with an existing one. [Read the LiveKit guide](./calls/livekit.mdx)

docs/calls/livekit.mdx

@@ -4,6 +4,10 @@ # Matrix RTC/Element Call Setup
 This guide assumes that you are using docker compose for deployment. LiveKit only provides Docker images.
 :::
 
+:::tip
+You can find help setting up MatrixRTC in our dedicated room - [#matrixrtc:continuwuity.org](https://matrix.to/#/%23matrixrtc%3Acontinuwuity.org)
+:::
+
 ## Instructions
 
 ### 1. Domain
@@ -14,17 +18,21 @@ ### 1. Domain
 
 ### 2. Services
 
-Using LiveKit with Matrix requires two services - Livekit itself, and a service (`lk-jwt-service`) that grants Matrix users permission to connect to it.
+Using LiveKit with Matrix requires two services - LiveKit itself, and a service (`lk-jwt-service`) that grants Matrix users permission to connect to it.
 
 You must generate a key and secret to allow the Matrix service to authenticate with LiveKit. `LK_MATRIX_KEY` should be around 20 random characters, and `LK_MATRIX_SECRET` should be around 64. Remember to replace these with the actual values!
 
 :::tip Generating the secrets
 LiveKit provides a utility to generate secure random keys
 ```bash
-docker run --rm livekit/livekit-server:latest generate-keys
+~$ docker run --rm livekit/livekit-server:latest generate-keys
+API Key:  APIUxUnMnSkuFWV
+API Secret:  t93ZVjPeoEdyx7Wbet3kG4L3NGZIZVEFvqe0UuiVc22A
 ```
 :::
 
+Create a `docker-compose.yml` file as following:
+
 ```yaml
 services:
   lk-jwt-service:
@@ -32,10 +40,11 @@ ### 2. Services
     container_name: lk-jwt-service
     environment:
       - LIVEKIT_JWT_BIND=:8081
-      - LIVEKIT_URL=wss://livekit.example.com
-      - LIVEKIT_KEY=LK_MATRIX_KEY
-      - LIVEKIT_SECRET=LK_MATRIX_SECRET
-      - LIVEKIT_FULL_ACCESS_HOMESERVERS=example.com
+      - LIVEKIT_URL=wss://livekit.example.com # your LiveKit domain
+      - LIVEKIT_FULL_ACCESS_HOMESERVERS=example.com # your server_name
+      # Replace these with the generated values as above
+      - LIVEKIT_KEY=LK_MATRIX_KEY # APIUxUnMnSkuFWV
+      - LIVEKIT_SECRET=LK_MATRIX_SECRET # t93ZVjPeoEdyx7Wbet3kG4L3NGZIZVEFvqe0UuiVc22A
     restart: unless-stopped
     ports:
       - "8081:8081"
@@ -70,6 +79,8 @@ #      - "50100-50200:50100-50200/udp"
   enable_loopback_candidate: false
 keys:
   LK_MATRIX_KEY: LK_MATRIX_SECRET
+  # replace these with your key-secret pair. Example:
+  # APIUxUnMnSkuFWV: t93ZVjPeoEdyx7Wbet3kG4L3NGZIZVEFvqe0UuiVc22A
 ```
 
 #### Firewall hints
@@ -95,7 +106,7 @@ ### 4. Configure your Reverse Proxy
 
 Reverse proxies can be configured in many different ways - so we can't provide a step by step for this.
 
-By default, all routes should be forwarded to Livekit with the exception of the following path prefixes, which should be forwarded to the JWT/Authentication service:
+All paths should be forwarded to LiveKit by default, with the exception of the following path prefixes, which should be forwarded to the JWT/Authentication service:
 
 - `/sfu/get`
 - `/healthz`
@@ -104,7 +115,7 @@ ### 4. Configure your Reverse Proxy
 <details>
     <summary>Example caddy config</summary>
     ```
-    matrix-rtc.example.com {
+    livekit.example.com {
 
         # for lk-jwt-service
         @lk-jwt-service path /sfu/get* /healthz* /get_token*
@@ -122,7 +133,7 @@ ### 4. Configure your Reverse Proxy
     <summary>Example nginx config</summary>
     ```
     server {
-        server_name matrix-rtc.example.com;
+        server_name livekit.example.com;
 
         # for lk-jwt-service
         location ~ ^/(sfu/get|healthz|get_token) {
@@ -133,7 +144,7 @@ ### 4. Configure your Reverse Proxy
             proxy_buffering off;
         }
 
-        # for livekit
+        # for LiveKit
         location / {
             proxy_pass http://127.0.0.1:7880$request_uri;
             proxy_set_header X-Forwarded-For $remote_addr;
@@ -173,44 +184,11 @@ ### 6. Start Everything
 
 Start up the services using your usual method - for example `docker compose up -d`.
 
-## Additional Configuration
+## Additional TURN configuration
 
-### TURN Integration
+### Using LiveKit's built-in TURN server
 
-If you've already set up coturn, there may be a port clash between the two services. To fix this, make sure the `min-port` and `max-port` for coturn so it doesn't overlap with LiveKit's range:
-
-```ini
-min-port=50201
-max-port=65535
-```
-
-To improve LiveKit's reliability, you can configure it to use your coturn server.
-
-Generate a long random secret for LiveKit, and add it to your coturn config under the `static-auth-secret` option. You can add as many secrets as you want - so set a different one for each thing using your TURN server.
-
-Then configure livekit, making sure to replace `COTURN_SECRET`:
-
-```yaml
-# livekit.yaml
-rtc:
-  turn_servers:
-    - host: coturn.ellis.link
-      port: 3478
-      protocol: tcp
-      secret: "COTURN_SECRET"
-    - host: coturn.ellis.link
-      port: 5349
-      protocol: tls # Only if you've set up TLS in your coturn
-      secret: "COTURN_SECRET"
-    - host: coturn.ellis.link
-      port: 3478
-      protocol: udp
-      secret: "COTURN_SECRET"
-```
-
-## LiveKit's built in TURN server
-
-Livekit includes a built in TURN server which can be used in place of an external option. This TURN server will only work with Livekit, so you can't use it for legacy Matrix calling - or anything else.
+LiveKit includes a built-in TURN server which can be used in place of an external option. This TURN server will only work with LiveKit, so you can't use it for legacy Matrix calling or anything else.
 
 If you don't want to set up a separate TURN server, you can enable this with the following changes:
 
@@ -221,20 +199,175 @@ ### add this to livekit.yaml ###
   udp_port: 3478
   relay_range_start: 50300
   relay_range_end: 50400
-  domain: matrix-rtc.example.com
+  domain: livekit.example.com
 ```
 
 ```yaml
-### Add these to docker-compose ###
-- "3478:3478/udp"
-- "50300-50400:50300-50400/udp"
+### add these to livekit's docker-compose ###
+ports:
+  - "3478:3478/udp"
+  - "50300-50400:50300-50400/udp"
+### if you're using `network_mode: host`, you can skip this part
 ```
 
-### Related Documentation
+Recreate the LiveKit container (with `docker-compose up -d livekit`) to apply these changes. Remember to allow the new `3478/udp` and `50100:50200/udp` ports through your firewall.
 
-- [LiveKit GitHub](https://github.com/livekit/livekit)
-- [LiveKit Connection Tester](https://livekit.io/connection-test) - use with the token returned by `/sfu/get` or `/get_token`
-- [MatrixRTC proposal](https://half-shot.github.io/msc-crafter/#msc/4143)
-- [Synapse documentation](https://github.com/element-hq/element-call/blob/livekit/docs/self-hosting.md)
-- [Community guide](https://tomfos.tr/matrix/livekit/)
-- [Community guide](https://blog.kimiblock.top/2024/12/24/hosting-element-call/)
+### Integration with an external TURN server
+
+If you've already [set up coturn](./turn), you can configure Livekit to use it.
+
+:::tip Avoid port clashes between the two services
+
+Before continuing, make sure coturn's `min-port` and `max-port` do not overlap with LiveKit's port range:
+
+```ini
+# in your coturn.conf
+min-port=50201
+max-port=65535
+```
+:::
+
+Generate a long random secret for LiveKit, and add it to your coturn config under the `static-auth-secret` option. You can add as many secrets as you want, so set a different one for LiveKit to use.
+
+Then configure LiveKit, making sure to replace `COTURN_SECRET` with the one you generated:
+
+```yaml
+# livekit.yaml
+rtc:
+  turn_servers:
+    - host: coturn.example.com
+      port: 3478
+      protocol: udp
+      secret: "COTURN_SECRET"
+    - host: coturn.example.com
+      port: 3478
+      protocol: tcp
+      secret: "COTURN_SECRET"
+    - host: coturn.example.com
+      port: 5349
+      protocol: tls # Only if you have already set up TLS in your coturn
+      secret: "COTURN_SECRET"
+```
+
+Restart LiveKit and coturn to apply these changes.
+
+## Testing
+
+To test that LiveKit is successfully integrated with Continuwuity, you will need to replicate its [Token Exchange Flow](https://github.com/element-hq/lk-jwt-service#%EF%B8%8F-how-it-works--token-exchange-flow).
+
+First, you will need an access token for your current login session. These can be found in your client's settings or obtained via [this website](https://timedout.uk/mxtoken.html).
+
+Then, using that token, request another OpenID token for use with the lk-jwt-service:
+
+```bash
+~$ curl -X POST -H "Authorization: Bearer <session-access-token>" \
+  https://matrix.example.com/_matrix/client/v3/user/@user:example.com/openid/request_token
+{"access_token":"<openid_access_token>","token_type":"Bearer","matrix_server_name":"example.com","expires_in":3600}
+```
+
+Next, create a `payload.json` file with the following content:
+
+<details>
+
+<summary>`payload.json`</summary>
+
+```json
+{
+    "room_id": "abc",
+    "slot_id": "xyz",
+    "openid_token": {
+        "matrix_server_name": "example.com",
+        "access_token": "<openid_access_token>",
+        "token_type": "Bearer"
+    },
+    "member": {
+        "id": "xyz",
+        "claimed_device_id": "DEVICEID",
+        "claimed_user_id": "@user:example.com"
+    }
+}
+```
+
+Replace `matrix_server_name` and `claimed_user_id` with your information, and `<openid_access_token>` with the one you got from the previous step. Other values can be left as-is.
+
+</details>
+
+You can then send this payload to the lk-jwt-service:
+
+```bash
+~$ curl -X POST -d @payload.json https://livekit.example.com/get_token
+{"url":"wss://livekit.example.com","jwt":"a_really_really_long_string"}
+```
+
+The lk-jwt-service will, after checking against Continuwuity, answer with a `jwt` token to create a LiveKit media room. Use this token to test at the [LiveKit Connection Tester](https://livekit.io/connection-test). If everything works there, then you have set up LiveKit successfully!
+
+## Troubleshooting
+
+To debug any issues, you can place a call or redo the Testing instructions, and check the container logs for any specific errors. Use `docker-compose logs --follow` to follow them in real-time.
+
+### Common errors in Element Call UI
+
+- `MISSING_MATRIX_RTC_FOCUS`: LiveKit is missing from Continuwuity's config file
+- "Waiting for media" popup always showing: a LiveKit URL has been configured in Continuwuity, but your client cannot connect to it for some reason
+
+### Docker loopback networking issues
+
+Some distros do not allow Docker containers to connect to its host's public IP by default. This would cause `lk-jwt-service` to fail connecting to `livekit` or `continuwuity` on the same host. As a result, you would see connection refused/connection timeouts log entries in the JWT service, even when `LIVEKIT_URL` has been configured correctly.
+
+To alleviate this, you can try one of the following workarounds:
+
+- Use `network_mode: host` for the `lk-jwt-service` container (instead of the default bridge networking).
+
+- Add an `extra_hosts` file mapping livekit's (and continuwuity's) domain name to a localhost address:
+
+    ```diff
+    # in docker-compose.yaml
+    services:
+      lk-jwt-service:
+        ...
+    +    extra_hosts:
+    +     - "livekit.example.com:127.0.0.1"
+    +     - "matrix.example.com:127.0.0.1"
+    ```
+
+- (**untested, use at your own risk**) Implement an iptables workaround as shown [here](https://forums.docker.com/t/unable-to-connect-to-host-service-from-inside-docker-container/145749/6).
+
+After implementing the changes and restarting your compose, you can test whether the connection works by cURLing from a sidecar container:
+
+```bash
+~$ docker run --rm --net container:lk-jwt-service docker.io/curlimages/curl https://livekit.example.com
+OK
+```
+
+### Workaround for non-federating servers
+
+When deploying on servers with federation disabled (`allow_federation = false`), LiveKit will fail as it can't fetch the required [OpenID endpoint](https://spec.matrix.org/v1.17/server-server-api/#get_matrixfederationv1openiduserinfo) via federation paths.
+
+As a workaround, you can enable federation, but forbid all remote servers via the following config parameters:
+
+```toml
+### in your continuwuity.toml file ###
+allow_federation = true
+forbidden_remote_server_names = [".*"]
+```
+
+Subscribe to issue [!1440](https://forgejo.ellis.link/continuwuation/continuwuity/issues/1440) for future updates on this matter.
+
+## Related Documentation
+
+Guides:
+
+- [Element Call self-hosting documentation](https://github.com/element-hq/element-call/blob/livekit/docs/self-hosting.md)
+- [Community guide with overview of LiveKit's mechanisms](https://tomfos.tr/matrix/livekit/)
+- [Community guide using systemd](https://blog.kimiblock.top/2024/12/24/hosting-element-call/)
+
+Specifications:
+
+- [MatrixRTC proposal](https://github.com/matrix-org/matrix-spec-proposals/pull/4143)
+- [LiveKit proposal](https://github.com/matrix-org/matrix-spec-proposals/pull/4195)
+
+Source code:
+
+- [Element Call](https://github.com/element-hq/element-call)
+- [lk-jwt-service](https://github.com/element-hq/lk-jwt-service)
+- [LiveKit server](https://github.com/livekit/livekit)

docs/community/guidelines.mdx

@@ -1,17 +1,12 @@
 # Continuwuity Community Guidelines
 
-Welcome to the Continuwuity commuwunity! We're excited to have you here. Continuwuity is a
-continuation of the conduwuit homeserver, which in turn is a hard-fork of the Conduit homeserver,
-aimed at making Matrix more accessible and inclusive for everyone.
+Welcome to the Continuwuity commuwunity! We're excited to have you here.
 
-This space is dedicated to fostering a positive, supportive, and welcoming environment for everyone.
-These guidelines apply to all Continuwuity spaces, including our Matrix rooms and any other
-community channels that reference them. We've written these guidelines to help us all create an
-environment where everyone feels safe and respected.
+Our project aims to make Matrix more accessible and inclusive for everyone. To that end, we are dedicated to fostering a positive, supportive, safe and welcoming environment for our community.
 
-For code and contribution guidelines, please refer to the
-[Contributor's Covenant](https://forgejo.ellis.link/continuwuation/continuwuity/src/branch/main/CODE_OF_CONDUCT.md).
-Below are additional guidelines specific to the Continuwuity community.
+These guidelines apply to all Continuwuity spaces, including our Matrix rooms and code forge.
+
+Our community spaces are intended for individuals aged 16 or over, because we expect maturity and respect from our community members.
 
 ## Our Values and Expected Behaviors
 
@@ -29,17 +24,21 @@ ## Our Values and Expected Behaviors
 
 3. **Communicate Clearly and Kindly**: Our community includes neurodivergent individuals and those
    who may not appreciate sarcasm or subtlety. Communicate clearly and kindly. Avoid ambiguity and
-   ensure your messages can be easily understood by all. Avoid placing the burden of education on
+   ensure your messages can be easily understood by all.
+
+4. **Be Considerate and Proactive**: Not everyone has the same time, resource and experience to spare.
+   Don't expect others to give up their time and labour for you; be thankful for what you have already been given.
+   Avoid placing the burden of education on
    marginalized groups; please make an effort to look into your questions before asking others for
    detailed explanations.
 
-4. **Be Open to Improving Inclusivity**: Actively participate in making our community more inclusive.
+5. **Be Engaged and Open-Minded**: Actively participate in making our community more inclusive.
    Report behaviour that contradicts these guidelines (see Reporting and Enforcement below) and be
    open to constructive feedback aimed at improving our community. Understand that discussing
    negative experiences can be emotionally taxing; focus on the message, not the tone.
 
-5. **Commit to Our Values**: Building an inclusive community requires ongoing effort from everyone.
-   Recognise that addressing bias and discrimination is a continuous process that needs commitment
+6. **Commit to Our Values**: Building an inclusive community requires ongoing effort from everyone.
+   Recognise that creating a welcoming and open community is a continuous process that needs commitment
    and action from all members.
 
 ## Unacceptable Behaviors
@@ -72,36 +71,6 @@ ## Unacceptable Behaviors
 This is not an exhaustive list. Any behaviour that makes others feel unsafe or unwelcome may be
 subject to enforcement action.
 
-## Matrix Community
-
-These Community Guidelines apply to the entire
-[Continuwuity Matrix Space](https://matrix.to/#/#space:continuwuity.org?via=continuwuity.org&via=ellis.link&via=explodie.org&via=matrix.org) and its rooms, including:
-
-### [#continuwuity:continuwuity.org](https://matrix.to/#/#continuwuity:continuwuity.org?via=continuwuity.org&via=ellis.link&via=explodie.org&via=matrix.org)
-
-This room is for support and discussions about Continuwuity. Ask questions, share insights, and help
-each other out while adhering to these guidelines.
-
-We ask that this room remain focused on the Continuwuity software specifically: the team are
-typically happy to engage in conversations about related subjects in the off-topic room.
-
-### [#offtopic:continuwuity.org](https://matrix.to/#/#offtopic:continuwuity.org?via=continuwuity.org&via=ellis.link&via=explodie.org&via=matrix.org)
-
-For off-topic community conversations about any subject. While this room allows for a wide range of
-topics, the same guidelines apply. Please keep discussions respectful and inclusive, and avoid
-divisive or stressful subjects like specific country/world politics unless handled with exceptional
-care and respect for diverse viewpoints.
-
-General topics, such as world events, are welcome as long as they follow the guidelines. If a member
-of the team asks for the conversation to end, please respect their decision.
-
-### [#dev:continuwuity.org](https://matrix.to/#/#dev:continuwuity.org?via=continuwuity.org&via=ellis.link&via=explodie.org&via=matrix.org)
-
-This room is dedicated to discussing active development of Continuwuity, including ongoing issues or
-code development. Collaboration here must follow these guidelines, and please consider raising
-[an issue](https://forgejo.ellis.link/continuwuation/continuwuity/issues) on the repository to help
-track progress.
-
 ## Reporting and Enforcement
 
 We take these Community Guidelines seriously to protect our community members. If you witness or
@@ -114,6 +83,7 @@ ## Reporting and Enforcement
   will immediately alert all available moderators.
 * **Direct Message:** If you're not comfortable raising the issue publicly, please send a direct
   message (DM) to one of the room moderators.
+* **Email**: Please email Jade and/or Nex at `jade@continuwuity.org` and `nex@continuwuity.org` respectively, or email `team@continuwuity.org`.
 
 Reports will be handled with discretion. We will investigate promptly and thoroughly.
 

docs/configuration.mdx

@@ -2,66 +2,90 @@ # Configuration
 
 This chapter describes various ways to configure Continuwuity.
 
-## Basics
+## Configuration file
 
-Continuwuity uses a config file for the majority of the settings, but also supports
-setting individual config options via commandline.
+Continuwuity uses a TOML config file for all of its settings. This is the recommended way to configure Continuwuity. Please refer to the [example config file](./reference/config.mdx) for all of these settings.
 
-Please refer to the [example config
-file](./reference/config.mdx) for all of those
-settings.
+You can specify the config file to be used by Continuwuity with the command-line flag `-c` or `--config`:
 
-The config file to use can be specified on the commandline when running
-Continuwuity by specifying the `-c`, `--config` flag. Alternatively, you can use
-the environment variable `CONTINUWUITY_CONFIG` to specify the config file to be
-used; see [the section on environment variables](#environment-variables) for
-more information.
+```bash
+./conduwuit -c /path/to/continuwuity.toml
+```
 
-## Option commandline flag
+Alternatively, you can use the environment variable `CONTINUWUITY_CONFIG` to specify the config file to be used; see [the section on environment variables](#environment-variables) for more information.
 
-Continuwuity supports setting individual config options in TOML format from the
-`-O` / `--option` flag. For example, you can set your server name via `-O
-server_name=\"example.com\"`.
+## Environment variables
+
+All of the options in the config file can also be specified by using environment variables. This is ideal for containerised deployments and infrastructure-as-code scenarios.
+
+The environment variable names are represented in all caps and prefixed with `CONTINUWUITY_`. They are mapped to config options in the ways demonstrated below:
+
+```bash
+# Top-level options (those inside the [global] section) are simply capitalised
+CONTINUWUITY_SERVER_NAME="matrix.example.com"
+CONTINUWUITY_PORT="8008"
+CONTINUWUITY_DATABASE_PATH="/var/lib/continuwuity"
+
+# Nested config sections use double underscores `__`
+
+# This maps to the `server` field of the [global.well_known] section in TOML
+CONTINUWUITY_WELL_KNOWN__SERVER="example.com:443"
+
+# This maps to the `base_url` field of the `[global.antispam.draupnir]` section in TOML
+CONTINUWUITY_ANTISPAM__DRAUPNIR__BASE_URL="https://draupnir.example.com"
+
+# Alternatively, you can pass a (quoted) struct to define an entire section
+# This maps to the [global.well_known] section
+CONTINUWUITY_WELL_KNOWN="{ client=https://example.com,server=example.com:443 }"
+```
+
+### Alternative prefixes
+
+For backwards compatibility, Continuwuity also supports the following environment variable prefixes, in order of descending priority:
+
+- `CONDUWUIT_*` (compatibility)
+- `CONDUIT_*` (legacy)
+
+As an example, the environment variable `CONTINUWUITY_CONFIG` can also be expressed as `CONDUWUIT_CONFIG` or `CONDUIT_CONFIG`.
+
+## Option command-line flag
+
+Continuwuity also supports setting individual config options in TOML format from the `-O` / `--option` flag. For example, you can set your server name via `-O server_name=\"example.com\"`.
+
+Note that the config is parsed as TOML, and shells like `bash` will remove quotes. Therefore, if the config option is a string, quote escapes must be properly handled. If the config option is a number or a boolean, this does not apply.
 
-Note that the config is parsed as TOML, and shells like bash will remove quotes.
-So unfortunately it is required to escape quotes if the config option takes a
-string. This does not apply to options that take booleans or numbers:
 - `--option allow_registration=true` works ✅
 - `-O max_request_size=99999999` works ✅
 - `-O server_name=example.com` does not work ❌
 - `--option log=\"debug\"` works ✅
 - `--option server_name='"example.com'"` works ✅
 
-## Execute commandline flag
+## Order of priority
 
-Continuwuity supports running admin commands on startup using the commandline
-argument `--execute`. The most notable use for this is to create an admin user
-on first startup.
+The above configuration methods are prioritised, in descending order, as below:
 
-The syntax of this is a standard admin command without the prefix such as
-`./conduwuit --execute "users create_user june"`
+- Command-line `-o`/`--option` flags
+- Environment variables
+    - `CONTINUWUITY_*` variables
+    - `CONDUWUIT_*` variables
+    - `CONDUIT_*` variables
+- Config file
 
-An example output of a success is:
-```
+Therefore, you can use environment variables or the options flags to override values in the config file.
+
+---
+
+## Executing startup commands
+
+Continuwuity supports running admin commands on startup using the command-line flag `--execute`. This is treated as a standard admin command, without the need for the `!admin` prefix. For example, to create a new user:
+
+```bash
+# Equivalent to `!admin users create_user june`
+./conduwuit --execute "users create_user june"
 INFO conduwuit_service::admin::startup: Startup command #0 completed:
 Created user with user_id: @june:girlboss.ceo and password: `<redacted>`
 ```
 
-This commandline argument can be paired with the `--option` flag.
+Alternatively, you can configure `CONTINUWUITY_ADMIN_EXECUTE` or the config file value `admin_execute` with a list of commands.
 
-## Environment variables
-
-All of the settings that are found in the config file can be specified by using
-environment variables. The environment variable names should be all caps and
-prefixed with `CONTINUWUITY_`.
-
-For example, if the setting you are changing is `max_request_size`, then the
-environment variable to set is `CONTINUWUITY_MAX_REQUEST_SIZE`.
-
-To modify config options not in the `[global]` context such as
-`[global.well_known]`, use the `__` suffix split:
-`CONTINUWUITY_WELL_KNOWN__SERVER`
-
-Conduit and conduwuit's environment variables are also supported for backwards
-compatibility, via the `CONDUIT_` and `CONDUWUIT_` prefixes respectively (e.g.
-`CONDUIT_SERVER_NAME`).
+This command-line argument can be paired with the `--option` flag.

docs/contributing.mdx

@@ -1 +0,0 @@
-../CONTRIBUTING.md

docs/deploying/docker-compose.for-traefik.yml

@@ -1,76 +0,0 @@
-# Continuwuity - Behind Traefik Reverse Proxy
-
-services:
-  homeserver:
-    ### If you already built the continuwuity image with 'docker build' or want to use the Docker Hub image,
-    ### then you are ready to go.
-    image: forgejo.ellis.link/continuwuation/continuwuity:latest
-    restart: unless-stopped
-    command: /sbin/conduwuit
-    volumes:
-      - db:/var/lib/continuwuity
-      #- ./continuwuity.toml:/etc/continuwuity.toml
-    networks:
-      - proxy
-    labels:
-      - "traefik.enable=true"
-      - "traefik.http.routers.continuwuity.rule=(Host(`matrix.example.com`) || (Host(`example.com`) && PathPrefix(`/.well-known/matrix`)))"
-      - "traefik.http.routers.continuwuity.entrypoints=websecure" # your HTTPS entry point
-      - "traefik.http.routers.continuwuity.tls=true"
-      - "traefik.http.routers.continuwuity.service=continuwuity"
-      - "traefik.http.services.continuwuity.loadbalancer.server.port=6167"
-      # possibly, depending on your config:
-      # - "traefik.http.routers.continuwuity.tls.certresolver=letsencrypt"
-    environment:
-      CONTINUWUITY_SERVER_NAME: your.server.name.example # EDIT THIS
-      CONTINUWUITY_DATABASE_PATH: /var/lib/continuwuity
-      CONTINUWUITY_PORT: 6167 # should match the loadbalancer traefik label
-      CONTINUWUITY_MAX_REQUEST_SIZE: 20000000 # in bytes, ~20 MB
-      CONTINUWUITY_ALLOW_REGISTRATION: 'true'
-      CONTINUWUITY_REGISTRATION_TOKEN: 'YOUR_TOKEN' # A registration token is required when registration is allowed.
-      #CONTINUWUITY_YES_I_AM_VERY_VERY_SURE_I_WANT_AN_OPEN_REGISTRATION_SERVER_PRONE_TO_ABUSE: 'true'
-      CONTINUWUITY_ALLOW_FEDERATION: 'true'
-      CONTINUWUITY_ALLOW_CHECK_FOR_UPDATES: 'true'
-      CONTINUWUITY_TRUSTED_SERVERS: '["matrix.org"]'
-      #CONTINUWUITY_LOG: warn,state_res=warn
-      CONTINUWUITY_ADDRESS: 0.0.0.0
-      #CONTINUWUITY_CONFIG: '/etc/continuwuity.toml' # Uncomment if you mapped config toml above
-
-      # We need some way to serve the client and server .well-known json. The simplest way is via the CONTINUWUITY_WELL_KNOWN
-      # variable / config option, there are multiple ways to do this, e.g. in the continuwuity.toml file, and in a separate
-      # see the override file for more information about delegation
-      CONTINUWUITY_WELL_KNOWN: |
-        {
-        client=https://your.server.name.example,
-        server=your.server.name.example:443
-        }
-    #cpuset: "0-4" # Uncomment to limit to specific CPU cores
-    ulimits: # Continuwuity uses quite a few file descriptors, and on some systems it defaults to 1024, so you can tell docker to increase it
-      nofile:
-        soft: 1048567
-        hard: 1048567
-
-    ### Uncomment if you want to use your own Element-Web App.
-    ### Note: You need to provide a config.json for Element and you also need a second
-    ###       Domain or Subdomain for the communication between Element and Continuwuity
-    ### Config-Docs: https://github.com/vector-im/element-web/blob/develop/docs/config.md
-    # element-web:
-    #     image: vectorim/element-web:latest
-    #     restart: unless-stopped
-    #     volumes:
-    #         - ./element_config.json:/app/config.json
-    #     networks:
-    #         - proxy
-    #     depends_on:
-    #         - homeserver
-
-volumes:
-  db:
-
-networks:
-  # This is the network Traefik listens to, if your network has a different
-  # name, don't forget to change it here and in the docker-compose.override.yml
-  proxy:
-    external: true
-
-# vim: ts=2:sw=2:expandtab

docs/deploying/docker-compose.with-caddy.yml

@@ -1,60 +0,0 @@
-services:
-    caddy:
-    # This compose file uses caddy-docker-proxy as the reverse proxy for Continuwuity!
-    # For more info, visit https://github.com/lucaslorentz/caddy-docker-proxy
-        image: lucaslorentz/caddy-docker-proxy:ci-alpine
-        ports:
-            - 80:80
-            - 443:443
-        environment:
-            - CADDY_INGRESS_NETWORKS=caddy
-        networks:
-            - caddy
-        volumes:
-            - /var/run/docker.sock:/var/run/docker.sock
-            - ./data:/data
-        restart: unless-stopped
-        labels:
-            caddy: example.com
-            caddy.reverse_proxy: /.well-known/matrix/* homeserver:6167
-
-    homeserver:
-        ### If you already built the Continuwuity image with 'docker build' or want to use a registry image,
-        ### then you are ready to go.
-        image: forgejo.ellis.link/continuwuation/continuwuity:latest
-        restart: unless-stopped
-        command: /sbin/conduwuit
-        volumes:
-            - db:/var/lib/continuwuity
-            - /etc/resolv.conf:/etc/resolv.conf:ro # Use the host's DNS resolver rather than Docker's.
-            #- ./continuwuity.toml:/etc/continuwuity.toml
-        environment:
-            CONTINUWUITY_SERVER_NAME: example.com # EDIT THIS
-            CONTINUWUITY_DATABASE_PATH: /var/lib/continuwuity
-            CONTINUWUITY_PORT: 6167
-            CONTINUWUITY_MAX_REQUEST_SIZE: 20000000 # in bytes, ~20 MB
-            CONTINUWUITY_ALLOW_REGISTRATION: 'true'
-            CONTINUWUITY_REGISTRATION_TOKEN: 'YOUR_TOKEN' # A registration token is required when registration is allowed.
-            #CONTINUWUITY_YES_I_AM_VERY_VERY_SURE_I_WANT_AN_OPEN_REGISTRATION_SERVER_PRONE_TO_ABUSE: 'true'
-            CONTINUWUITY_ALLOW_FEDERATION: 'true'
-            CONTINUWUITY_ALLOW_CHECK_FOR_UPDATES: 'true'
-            CONTINUWUITY_TRUSTED_SERVERS: '["matrix.org"]'
-            #CONTINUWUITY_LOG: warn,state_res=warn
-            CONTINUWUITY_ADDRESS: 0.0.0.0
-            #CONTINUWUITY_CONFIG: '/etc/continuwuity.toml' # Uncomment if you mapped config toml above
-
-            # Required for .well-known delegation - edit these according to your chosen domain
-            CONTINUWUITY_WELL_KNOWN__CLIENT: https://matrix.example.com
-            CONTINUWUITY_WELL_KNOWN__SERVER: matrix.example.com:443
-        networks:
-            - caddy
-        labels:
-            caddy: matrix.example.com
-            caddy.reverse_proxy: "{{upstreams 6167}}"
-
-volumes:
-    db:
-
-networks:
-    caddy:
-        external: true

docs/deploying/docker-compose.with-traefik.yml

@@ -1,160 +0,0 @@
-# Continuwuity - Behind Traefik Reverse Proxy
-
-services:
-  homeserver:
-    ### If you already built the Continuwuity image with 'docker build' or want to use the Docker Hub image,
-    ### then you are ready to go.
-    image: forgejo.ellis.link/continuwuation/continuwuity:latest
-    restart: unless-stopped
-    command: /sbin/conduwuit
-    volumes:
-      - db:/var/lib/continuwuity
-      - /etc/resolv.conf:/etc/resolv.conf:ro # Use the host's DNS resolver rather than Docker's.
-      #- ./continuwuity.toml:/etc/continuwuity.toml
-    networks:
-      - proxy
-    labels:
-      - "traefik.enable=true"
-      - "traefik.http.routers.continuwuity.rule=(Host(`matrix.example.com`) || (Host(`example.com`) && PathPrefix(`/.well-known/matrix`)))"
-      - "traefik.http.routers.continuwuity.entrypoints=websecure"
-      - "traefik.http.routers.continuwuity.tls.certresolver=letsencrypt"
-      - "traefik.http.services.continuwuity.loadbalancer.server.port=6167"
-      # Uncomment and adjust the following if you want to use middleware
-      # - "traefik.http.routers.continuwuity.middlewares=secureHeaders@file"
-    environment:
-      CONTINUWUITY_SERVER_NAME: your.server.name.example # EDIT THIS
-      CONTINUWUITY_TRUSTED_SERVERS: '["matrix.org"]'
-      CONTINUWUITY_ALLOW_REGISTRATION: 'false' # After setting a secure registration token, you can enable this
-      CONTINUWUITY_REGISTRATION_TOKEN: "" # This is a token you can use to register on the server
-      #CONTINUWUITY_REGISTRATION_TOKEN_FILE: "" # Alternatively you can configure a path to a token file to read
-      CONTINUWUITY_ADDRESS: 0.0.0.0
-      CONTINUWUITY_PORT: 6167 # you need to match this with the traefik load balancer label if you're want to change it
-      CONTINUWUITY_DATABASE_PATH: /var/lib/continuwuity
-      #CONTINUWUITY_CONFIG: '/etc/continuwuity.toml' # Uncomment if you mapped config toml above
-      ### Uncomment and change values as desired, note that Continuwuity has plenty of config options, so you should check out the example example config too
-      # Available levels are: error, warn, info, debug, trace - more info at: https://docs.rs/env_logger/*/env_logger/#enabling-logging
-      # CONTINUWUITY_LOG: info  # default is: "warn,state_res=warn"
-      # CONTINUWUITY_ALLOW_ENCRYPTION: 'true'
-      # CONTINUWUITY_ALLOW_FEDERATION: 'true'
-      # CONTINUWUITY_ALLOW_CHECK_FOR_UPDATES: 'true'
-      # CONTINUWUITY_ALLOW_INCOMING_PRESENCE: true
-      # CONTINUWUITY_ALLOW_OUTGOING_PRESENCE: true
-      # CONTINUWUITY_ALLOW_LOCAL_PRESENCE: true
-      # CONTINUWUITY_WORKERS: 10
-      # CONTINUWUITY_MAX_REQUEST_SIZE: 20000000  # in bytes, ~20 MB
-      # CONTINUWUITY_NEW_USER_DISPLAYNAME_SUFFIX = "🏳<200d>⚧"
-
-      # We need some way to serve the client and server .well-known json. The simplest way is via the CONTINUWUITY_WELL_KNOWN
-      # variable / config option, there are multiple ways to do this, e.g. in the continuwuity.toml file, and in a separate
-      # reverse proxy, but since you do not have a reverse proxy and following this guide, this example is included
-      CONTINUWUITY_WELL_KNOWN: |
-        {
-          client=https://your.server.name.example,
-          server=your.server.name.example:443
-        }
-    #cpuset: "0-4" # Uncomment to limit to specific CPU cores
-    ulimits: # Continuwuity uses quite a few file descriptors, and on some systems it defaults to 1024, so you can tell docker to increase it
-      nofile:
-        soft: 1048567
-        hard: 1048567
-
-    ### Uncomment if you want to use your own Element-Web App.
-    ### Note: You need to provide a config.json for Element and you also need a second
-    ###       Domain or Subdomain for the communication between Element and Continuwuity
-    ### Config-Docs: https://github.com/vector-im/element-web/blob/develop/docs/config.md
-    # element-web:
-    #     image: vectorim/element-web:latest
-    #     restart: unless-stopped
-    #     volumes:
-    #         - ./element_config.json:/app/config.json
-    #     networks:
-    #         - proxy
-    #     depends_on:
-    #         - homeserver
-
-  traefik:
-    image: "traefik:latest"
-    container_name: "traefik"
-    restart: "unless-stopped"
-    ports:
-      - "80:80"
-      - "443:443"
-    volumes:
-      - "/var/run/docker.sock:/var/run/docker.sock:z"
-      - "acme:/etc/traefik/acme"
-      #- "./traefik_config:/etc/traefik:z"
-    labels:
-      - "traefik.enable=true"
-
-      # middleware redirect
-      - "traefik.http.middlewares.redirect-to-https.redirectscheme.scheme=https"
-      # global redirect to https
-      - "traefik.http.routers.redirs.rule=hostregexp(`{host:.+}`)"
-      - "traefik.http.routers.redirs.entrypoints=web"
-      - "traefik.http.routers.redirs.middlewares=redirect-to-https"
-
-    configs:
-      - source: dynamic.yml
-        target: /etc/traefik/dynamic.yml
-
-    environment:
-      TRAEFIK_LOG_LEVEL: DEBUG
-      TRAEFIK_ENTRYPOINTS_WEB: true
-      TRAEFIK_ENTRYPOINTS_WEB_ADDRESS: ":80"
-      TRAEFIK_ENTRYPOINTS_WEB_HTTP_REDIRECTIONS_ENTRYPOINT_TO: websecure
-
-      TRAEFIK_ENTRYPOINTS_WEBSECURE: true
-      TRAEFIK_ENTRYPOINTS_WEBSECURE_ADDRESS: ":443"
-      TRAEFIK_ENTRYPOINTS_WEBSECURE_HTTP_TLS_CERTRESOLVER: letsencrypt
-      #TRAEFIK_ENTRYPOINTS_WEBSECURE_HTTP_MIDDLEWARES: secureHeaders@file # if you want to enabled STS
-
-      TRAEFIK_CERTIFICATESRESOLVERS_LETSENCRYPT: true
-      TRAEFIK_CERTIFICATESRESOLVERS_LETSENCRYPT_ACME_EMAIL: # Set this to the email you want to receive certificate expiration emails for
-      TRAEFIK_CERTIFICATESRESOLVERS_LETSENCRYPT_ACME_KEYTYPE: EC384
-      TRAEFIK_CERTIFICATESRESOLVERS_LETSENCRYPT_ACME_HTTPCHALLENGE: true
-      TRAEFIK_CERTIFICATESRESOLVERS_LETSENCRYPT_ACME_HTTPCHALLENGE_ENTRYPOINT: web
-      TRAEFIK_CERTIFICATESRESOLVERS_LETSENCRYPT_ACME_STORAGE: "/etc/traefik/acme/acme.json"
-
-      # Since Traefik 3.6.3, paths with certain "encoded characters" are now blocked by default; we need a couple, or else things *will* break
-      TRAEFIK_ENTRYPOINTS_WEBSECURE_HTTP_ENCODEDCHARACTERS_ALLOWENCODEDSLASH: true
-      TRAEFIK_ENTRYPOINTS_WEBSECURE_HTTP_ENCODEDCHARACTERS_ALLOWENCODEDHASH: true
-
-      TRAEFIK_PROVIDERS_DOCKER: true
-      TRAEFIK_PROVIDERS_DOCKER_ENDPOINT: "unix:///var/run/docker.sock"
-      TRAEFIK_PROVIDERS_DOCKER_EXPOSEDBYDEFAULT: false
-
-      TRAEFIK_PROVIDERS_FILE: true
-      TRAEFIK_PROVIDERS_FILE_FILENAME: "/etc/traefik/dynamic.yml"
-
-configs:
-  dynamic.yml:
-    content: |
-      # Optionally set STS headers, like in https://hstspreload.org
-      # http:
-      #   middlewares:
-      #     secureHeaders:
-      #       headers:
-      #         forceSTSHeader: true
-      #         stsIncludeSubdomains: true
-      #         stsPreload: true
-      #         stsSeconds: 31536000
-      tls:
-        options:
-          default:
-            cipherSuites:
-              - TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
-              - TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
-              - TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
-              - TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
-              - TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305
-              - TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305
-            minVersion: VersionTLS12
-
-volumes:
-    db:
-    acme:
-
-networks:
-    proxy:
-
-# vim: ts=2:sw=2:expandtab

docs/deploying/docker-compose.yml

@@ -1,45 +0,0 @@
-# Continuwuity
-
-services:
-    homeserver:
-        ### If you already built the Continuwuity image with 'docker build' or want to use a registry image,
-        ### then you are ready to go.
-        image: forgejo.ellis.link/continuwuation/continuwuity:latest
-        restart: unless-stopped
-        command: /sbin/conduwuit
-        ports:
-            - 8448:6167
-        volumes:
-            - db:/var/lib/continuwuity
-            #- ./continuwuity.toml:/etc/continuwuity.toml
-        environment:
-            CONTINUWUITY_SERVER_NAME: your.server.name # EDIT THIS
-            CONTINUWUITY_DATABASE_PATH: /var/lib/continuwuity
-            CONTINUWUITY_PORT: 6167
-            CONTINUWUITY_MAX_REQUEST_SIZE: 20000000 # in bytes, ~20 MB
-            CONTINUWUITY_ALLOW_REGISTRATION: 'true'
-            CONTINUWUITY_REGISTRATION_TOKEN: 'YOUR_TOKEN' # A registration token is required when registration is allowed.
-            #CONTINUWUITY_YES_I_AM_VERY_VERY_SURE_I_WANT_AN_OPEN_REGISTRATION_SERVER_PRONE_TO_ABUSE: 'true'
-            CONTINUWUITY_ALLOW_FEDERATION: 'true'
-            CONTINUWUITY_ALLOW_CHECK_FOR_UPDATES: 'true'
-            CONTINUWUITY_TRUSTED_SERVERS: '["matrix.org"]'
-            #CONTINUWUITY_LOG: warn,state_res=warn
-            CONTINUWUITY_ADDRESS: 0.0.0.0
-            #CONTINUWUITY_CONFIG: '/etc/continuwuity.toml' # Uncomment if you mapped config toml above
-    #
-    ### Uncomment if you want to use your own Element-Web App.
-    ### Note: You need to provide a config.json for Element and you also need a second
-    ###       Domain or Subdomain for the communication between Element and Continuwuity
-    ### Config-Docs: https://github.com/vector-im/element-web/blob/develop/docs/config.md
-    # element-web:
-    #     image: vectorim/element-web:latest
-    #     restart: unless-stopped
-    #     ports:
-    #         - 8009:80
-    #     volumes:
-    #         - ./element_config.json:/app/config.json
-    #     depends_on:
-    #         - homeserver
-
-volumes:
-    db:

docs/deploying/docker.mdx

@@ -1,257 +1,251 @@
 # Continuwuity for Docker
 
-## Docker
+## Preparation
 
-To run Continuwuity with Docker, you can either build the image yourself or pull
-it from a registry.
+### Choose an image
 
-### Use a registry
+The following OCI images are available for Continuwuity:
 
-Available OCI images:
+| Image                                                                                        | Notes                                                                                                     |
+| ------------------------------------------------------------------------------------------- | --------------------------------------------------------------------------------------------------------- |
+| [https://forgejo.ellis.link/continuwuation/continuwuity:**latest**][latest]                 | Latest tagged release. (recommended)                                                                      |
+| [https://forgejo.ellis.link/continuwuation/continuwuity:**main**][main]                     | Latest `main` branch commit.                                                                              |
+| [https://forgejo.ellis.link/continuwuation/continuwuity:**latest-maxperf**][latest-maxperf] | Latest tagged release, [performance optimised version](./generic.mdx#performance-optimised-builds).       |
+| [https://forgejo.ellis.link/continuwuation/continuwuity:**main-maxperf**][main-maxperf]     | Latest `main` branch commit, [performance optimised version](./generic.mdx#performance-optimised-builds). |
 
-| Registry         | Image                                                                                                                                                       | Notes                                                                        |
-| ---------------- | ----------------------------------------------------------------------------------------------------------------------------------------------------------- | ---------------------------------------------------------------------------- |
-| Forgejo Registry | [forgejo.ellis.link/continuwuation/continuwuity:latest](https://forgejo.ellis.link/continuwuation/-/packages/container/continuwuity/latest)                 | Latest tagged image.                                                         |
-| Forgejo Registry | [forgejo.ellis.link/continuwuation/continuwuity:main](https://forgejo.ellis.link/continuwuation/-/packages/container/continuwuity/main)                     | Main branch image.                                                           |
-| Forgejo Registry | [forgejo.ellis.link/continuwuation/continuwuity:latest-maxperf](https://forgejo.ellis.link/continuwuation/-/packages/container/continuwuity/latest-maxperf) | [Performance optimised version.](./generic.mdx#performance-optimised-builds) |
-| Forgejo Registry | [forgejo.ellis.link/continuwuation/continuwuity:main-maxperf](https://forgejo.ellis.link/continuwuation/-/packages/container/continuwuity/main-maxperf)     | [Performance optimised version.](./generic.mdx#performance-optimised-builds) |
+[latest]: https://forgejo.ellis.link/continuwuation/-/packages/container/continuwuity/latest
+[main]: https://forgejo.ellis.link/continuwuation/-/packages/container/continuwuity/main
+[latest-maxperf]: https://forgejo.ellis.link/continuwuation/-/packages/container/continuwuity/latest-maxperf
+[main-maxperf]: https://forgejo.ellis.link/continuwuation/-/packages/container/continuwuity/main-maxperf
 
-**Example:**
+If you want a specific version or commit hash, you can browse for them [here][oci-all-versions].
 
-```bash
-docker image pull forgejo.ellis.link/continuwuation/continuwuity:main-maxperf
-```
+Images are also mirrored to these locations automatically, on a schedule:
 
-#### Mirrors
+- `ghcr.io/continuwuity/continuwuity` ([Github Registry][ghcr-io])
+- `docker.io/jadedblueeyes/continuwuity` ([Docker Hub][docker-hub])
+- `registry.gitlab.com/continuwuity/continuwuity` ([Gitlab Registry][gitlab-registry])
+- `git.nexy7574.co.uk/mirrored/continuwuity` ([Nexy's forge][nexy-forge]. Releases only, no `main` tags)
 
-Images are mirrored to multiple locations automatically, on a schedule:
+[oci-all-versions]: https://forgejo.ellis.link/continuwuation/-/packages/container/continuwuity/versions
+[ghcr-io]: https://github.com/continuwuity/continuwuity/pkgs/container/continuwuity/versions?filters%5Bversion_type%5D=tagged
+[docker-hub]: https://hub.docker.com/r/jadedblueeyes/continuwuity/
+[gitlab-registry]: https://gitlab.com/continuwuity/continuwuity/container_registry/8871720
+[nexy-forge]: https://git.nexy7574.co.uk/mirrored/-/packages/container/continuwuity/versions
 
-- `ghcr.io/continuwuity/continuwuity`
-- `docker.io/jadedblueeyes/continuwuity`
-- `registry.gitlab.com/continuwuity/continuwuity`
-- `git.nexy7574.co.uk/mirrored/continuwuity` (releases only, no `main`)
-
-### Quick Run
-
-Get a working Continuwuity server with an admin user in four steps:
-
-#### Prerequisites
+### Prerequisites
 
 Continuwuity requires HTTPS for Matrix federation. You'll need:
 
-- A domain name pointing to your server
-- A reverse proxy with SSL/TLS certificates (Traefik, Caddy, nginx, etc.)
+- A domain name pointing to your server's IP address - we will be using `example.com` in this guide.
+- A reverse proxy with SSL/TLS certificates (Traefik, Caddy, nginx, etc.) - see [Docker Compose](#docker-compose) for complete examples.
+- Port `:443` (for Client-Server traffic) and `:8448` (for federation traffic) opened on your server's firewall.
 
-See [Docker Compose](#docker-compose) for complete examples.
+    - Alternatively, if you want both client and federation traffic on `:443`, you can configure `CONTINUWUITY_WELL_KNOWN` following some of the [examples](#choose-your-reverse-proxy) below.
 
-#### Environment Variables
-
-- `CONTINUWUITY_SERVER_NAME` - Your Matrix server's domain name
-- `CONTINUWUITY_DATABASE_PATH` - Where to store your database (must match the
-  volume mount)
-- `CONTINUWUITY_ADDRESS` - Bind address (use `0.0.0.0` to listen on all
-  interfaces)
-- `CONTINUWUITY_ALLOW_REGISTRATION` - Set to `false` to disable registration, or
-  use with `CONTINUWUITY_REGISTRATION_TOKEN` to require a token (see
-  [reference](../reference/environment-variables.mdx#registration--user-configuration)
-  for details)
-
-See the
-[Environment Variables Reference](../reference/environment-variables.mdx) for
-more configuration options.
-
-#### 1. Pull the image
-
-```bash
-docker pull forgejo.ellis.link/continuwuation/continuwuity:latest
-```
-
-#### 2. Start the server with initial admin user
-
-```bash
-docker run -d \
-  -p 6167:6167 \
-  -v continuwuity_db:/var/lib/continuwuity \
-  -e CONTINUWUITY_SERVER_NAME="matrix.example.com" \
-  -e CONTINUWUITY_DATABASE_PATH="/var/lib/continuwuity" \
-  -e CONTINUWUITY_ADDRESS="0.0.0.0" \
-  -e CONTINUWUITY_ALLOW_REGISTRATION="false" \
-  --name continuwuity \
-  forgejo.ellis.link/continuwuation/continuwuity:latest \
-  /sbin/conduwuit --execute "users create-user admin"
-```
-
-Replace `matrix.example.com` with your actual server name and `admin` with
-your preferred username.
-
-#### 3. Get your admin password
-
-```bash
-docker logs continuwuity 2>&1 | grep "Created user"
-```
-
-You'll see output like:
-
-```
-Created user with user_id: @admin:matrix.example.com and password: `[auto-generated-password]`
-```
-
-#### 4. Configure your reverse proxy
-
-Configure your reverse proxy to forward HTTPS traffic to Continuwuity. See
-[Docker Compose](#docker-compose) for examples.
-
-Once configured, log in with any Matrix client using `@admin:matrix.example.com`
-and the generated password. You'll automatically be invited to the admin room
-where you can manage your server.
-
-### Docker Compose
-
-Docker Compose is the recommended deployment method. These examples include
-reverse proxy configurations for Matrix federation.
-
-#### Matrix Federation Requirements
-
-For Matrix federation to work, you need to serve `.well-known/matrix/client` and
-`.well-known/matrix/server` endpoints. You can achieve this either by:
-
-1. **Using a well-known service** - The compose files below include an nginx
-   container to serve these files
-2. **Using Continuwuity's built-in delegation** (easier for Traefik) - Configure
-   delegation files in your config, then proxy `/.well-known/matrix/*` to
-   Continuwuity
-
-**Traefik example using built-in delegation:**
-
-```yaml
-labels:
-  traefik.http.routers.continuwuity.rule: >-
-    (Host(`matrix.example.com`) ||
-     (Host(`example.com`) && PathPrefix(`/.well-known/matrix`)))
-```
-
-This routes your Matrix domain and well-known paths to Continuwuity.
-
-#### Creating Your First Admin User
-
-Add the `--execute` command to create an admin user on first startup. In your
-compose file, add under the `continuwuity` service:
-
-```yaml
-services:
-    continuwuity:
-        image: forgejo.ellis.link/continuwuation/continuwuity:latest
-        command: /sbin/conduwuit --execute "users create-user admin"
-        # ... rest of configuration
-```
-
-Then retrieve the auto-generated password:
-
-```bash
-docker compose logs continuwuity | grep "Created user"
-```
-
-#### Choose Your Reverse Proxy
-
-Select the compose file that matches your setup:
-
-:::note DNS Performance
-Docker's default DNS resolver can cause performance issues with Matrix
-federation. If you experience slow federation or DNS timeouts, you may need to
-use your host's DNS resolver instead. Add this volume mount to the
-`continuwuity` service:
-
-```yaml
-volumes:
-  - /etc/resolv.conf:/etc/resolv.conf:ro
-```
-
-See [Troubleshooting - DNS Issues](../troubleshooting.mdx#potential-dns-issues-when-using-docker)
-for more details and alternative solutions.
+:::tip Split-domain setups
+For more setups with `.well-known` delegation and split-domain deployments, consult the [Delegation/Split-domain](../advanced/delegation) page.
 :::
 
-##### For existing Traefik setup
+## Docker Compose
+
+Docker Compose is the recommended deployment method for Continuwuity containers. The following environment variables will be set:
+
+- `CONTINUWUITY_SERVER_NAME` - Your Matrix server's domain name. **This CANNOT be changed later without a data wipe.**
+- `CONTINUWUITY_DATABASE_PATH` - Where to store your database. This must match the docker volume mount.
+- `CONTINUWUITY_ADDRESS` - Bind address (for Docker, use `0.0.0.0` to listen on all interfaces).
+
+Alternatively, you can specify a path to mount the configuration file using the `CONTINUWUITY_CONFIG` environment variable.
+
+See the [reference configuration](../reference/config) page for all config options, and the [Configuration page](../configuration#environment-variables) on how to convert them into Environment Variables.
+
+### Choose Your Reverse Proxy
+
+These examples include reverse proxy configurations for Matrix federation, which will route your Matrix domain (and optionally .well-known paths) to Continuwuity.
+
+:::note Docker DNS Performance
+Docker's default DNS resolver are known to [cause timeout issues](../troubleshooting#dns-issues) for Matrix federation. To bypass it and use a more performant resolver, mount a custom `/etc/resolv.conf` config file into the Continuwuity container.
+
+```yaml title='docker-compose.yml'
+services:
+  homeserver:
+    # ...
+    volumes:
+      - ./continuwuity-resolv.conf:/etc/resolv.conf
+```
+
+```txt title='continuwuity-resolv.conf'
+nameserver 1.0.0.1
+nameserver 1.1.1.1
+```
+
+Consult the [**DNS tuning guide (recommended)**](../advanced/dns.mdx) for full solutions to this issue.
+:::
+
+#### Caddy (using Caddyfile)
 
 <details>
-<summary>docker-compose.for-traefik.yml</summary>
+<summary>docker-compose.with-caddy.yml ([view raw](/deploying/docker-compose.with-caddy.yml))</summary>
 
-```yaml file="./docker-compose.for-traefik.yml"
+```yaml file="../public/deploying/docker-compose.with-caddy.yml"
 
 ```
 
 </details>
 
-##### With Traefik included
+#### Caddy (using labels)
 
 <details>
-<summary>docker-compose.with-traefik.yml</summary>
+<summary>docker-compose.with-caddy-labels.yml ([view raw](/deploying/docker-compose.with-caddy-labels.yml))</summary>
 
-```yaml file="./docker-compose.with-traefik.yml"
+```yaml file="../public/deploying/docker-compose.with-caddy-labels.yml"
 
 ```
 
 </details>
 
-##### With Caddy Docker Proxy
+#### Traefik (for existing setup)
 
 <details>
-<summary>docker-compose.with-caddy.yml</summary>
+<summary>docker-compose.for-traefik.yml ([view raw](/deploying/docker-compose.for-traefik.yml))</summary>
 
-Replace all `example.com` placeholders with your own domain.
-
-```yaml file="./docker-compose.with-caddy.yml"
-
-```
-
-If you don't already have a network for Caddy to monitor, create one first:
-
-```bash
-docker network create caddy
-```
-
-</details>
-
-##### For other reverse proxies
-
-<details>
-<summary>docker-compose.yml</summary>
-
-```yaml file="./docker-compose.yml"
+```yaml file="../public/deploying/docker-compose.for-traefik.yml"
 
 ```
 
 </details>
 
-##### Override file for customisation
+#### Traefik included
 
 <details>
-<summary>docker-compose.override.yml</summary>
+<summary>docker-compose.with-traefik.yml ([view raw](/deploying/docker-compose.with-traefik.yml))</summary>
 
-```yaml file="./docker-compose.override.yml"
+```yaml file="../public/deploying/docker-compose.with-traefik.yml"
 
 ```
 
 </details>
 
-#### Starting Your Server
+#### Traefik (as override file)
 
-1. Choose your compose file and rename it to `docker-compose.yml`
+<details>
+<summary>docker-compose.override.yml ([view raw](/deploying/docker-compose.override.yml))</summary>
+
+```yaml file="../public/deploying/docker-compose.override.yml"
+
+```
+
+</details>
+
+#### For other reverse proxies
+
+<details>
+<summary>docker-compose.yml ([view raw](/deploying/docker-compose.yml))</summary>
+
+```yaml file="../public/deploying/docker-compose.yml"
+
+```
+
+</details>
+
+You will then need to point your reverse proxy towards Continuwuity at `127.0.0.1:8008`. See the [Other reverse proxies](generic.mdx#setting-up-the-reverse-proxy) section of the Generic page for further routing details.
+
+### Starting Your Server
+
+1. Choose your compose file from the above, and rename it to `docker-compose.yml`. Replace `example.com` with your homeserver's domain name, and edit other values as you see fit.
 2. If using the override file, rename it to `docker-compose.override.yml` and
-   edit your values
+   edit your values.
 3. Start the server:
 
-```bash
-docker compose up -d
-```
+    ```bash
+    docker compose up -d
+    ```
+
+4. Check your server logs for a registration token:
+
+    ```bash
+    docker-compose logs continuwuity 2>&1
+    ```
+
+    You'll see output as below.
+
+    ```
+    In order to use your new homeserver, you need to create its
+    first user account.
+    Open your Matrix client of choice and register an account
+    on example.com using registration token x5keUZ811RqvLsNa .
+    Pick your own username and password!
+    ```
+
+5. Log in to your server with any Matrix client, and register for an account with the registration token from step 4. You'll automatically be invited to the admin room where you can [manage your server](../reference/admin).
 
 See the [generic deployment guide](generic.mdx) for more deployment options.
 
-### Building Custom Images
+## Testing
+
+Test that your setup works by following these [instructions](./generic.mdx#how-do-i-know-it-works)
+
+## Other deployment methods
+
+### Docker - Quick Run
+
+:::note For testing only
+The instructions below are only meant for a quick demo of Continuwuity.
+For production deployment, we recommend using [Docker Compose](#docker-compose)
+:::
+
+Get a working Continuwuity server with an admin user in four steps:
+
+1. Pull the image
+
+    ```bash
+    docker pull forgejo.ellis.link/continuwuation/continuwuity:latest
+    ```
+
+2. Start the server for the first time. Replace `example.com` with your actual server name.
+
+    ```bash
+    docker run -d \
+      -p 8008:8008 \
+      -v continuwuity_db:/var/lib/continuwuity \
+      -e CONTINUWUITY_SERVER_NAME="example.com" \
+      -e CONTINUWUITY_DATABASE_PATH="/var/lib/continuwuity" \
+      -e CONTINUWUITY_ADDRESS="0.0.0.0" \
+      -e CONTINUWUITY_ALLOW_REGISTRATION="false" \
+      --name continuwuity \
+      forgejo.ellis.link/continuwuation/continuwuity:latest \
+      /sbin/conduwuit
+    ```
+
+3. Fetch the one-time initial registration token
+
+    ```bash
+    docker logs continuwuity 2>&1
+    ```
+
+    You'll see output as below.
+
+    ```
+    In order to use your new homeserver, you need to create its
+    first user account.
+    Open your Matrix client of choice and register an account
+    on example.com using registration token x5keUZ811RqvLsNa .
+    Pick your own username and password!
+    ```
+
+4. Configure your reverse proxy to forward HTTPS traffic to Continuwuity at port 8008. See [Docker Compose](#docker-compose) for examples.
+
+Once configured, log in to your server with any Matrix client, and register for an account with the registration token from step 3. You'll automatically be invited to the admin room where you can [manage your server](../reference/admin).
+
+### (Optional) Building Custom Images
 
 For information on building your own Continuwuity Docker images, see the
 [Building Docker Images](../development/index.mdx#building-docker-images)
 section in the development documentation.
 
-## Voice communication
+## Next steps
 
-See the [Calls](../calls.mdx) page.
+- For smooth federation, set up a caching resolver according to the [**DNS tuning guide**](../advanced/dns.mdx) (recommended)
+- To set up Audio/Video communication, see the [**Calls**](../calls.mdx) page.
+- If you want to set up an appservice, take a look at the [**Appservice
+Guide**](../appservices.mdx).

docs/deploying/generic.mdx

@@ -14,6 +14,7 @@ ### Prebuilt binary
 run the `uname -m` to check which you need.
 
 Prebuilt binaries are available from:
+
 - **Tagged releases**: [Latest release page](https://forgejo.ellis.link/continuwuation/continuwuity/releases/latest)
 - **Development builds**: CI artifacts from the `main` branch
   (includes Debian/Ubuntu packages)
@@ -42,32 +43,36 @@ #### Performance-optimised builds
 [link-time optimisation (LTO)](https://doc.rust-lang.org/cargo/reference/profiles.html#lto)
 and, for amd64, target the haswell CPU architecture.
 
+### Nix
+
+Theres a Nix package defined in our flake, available for Linux and MacOS. Add continuwuity as an input to your flake, and use `inputs.continuwuity.packages.${system}.default` to get a working Continuwuity package.
+
+If you simply wish to generate a binary using Nix, you can run `nix build git+https://forgejo.ellis.link/continuwuation/continuwuity` to generate a binary in `result/bin/conduwuit`.
+
 ### Compiling
 
 Alternatively, you may compile the binary yourself.
 
-### Building with the Rust toolchain
+#### Using Docker
 
-If wanting to build using standard Rust toolchains, make sure you install:
+If you would like to build using docker, you can run the command `docker build -f ./docker/Dockerfile -t forgejo.ellis.link/continuwuation/continuwuity:main .` to compile continuwuity.
 
-- (On linux) `liburing-dev` on the compiling machine, and `liburing` on the target host
-- (On linux) `pkg-config` on the compiling machine to allow finding `liburing`
-- A C++ compiler and (on linux) `libclang` for RocksDB
+#### Manual
+
+##### Dependencies
+
+- Run `nix develop` to get a devshell with everything you need
+- Or, install the following:
+    - (On linux) `liburing-dev` on the compiling machine, and `liburing` on the target host
+    - (On linux) `pkg-config` on the compiling machine to allow finding `liburing`
+    - A C++ compiler and (on linux) `libclang` for RocksDB
+
+##### Build
 
 You can build Continuwuity using `cargo build --release`.
 
 Continuwuity supports various optional features that can be enabled during compilation. Please see the Cargo.toml file for a comprehensive list, or ask in our rooms.
 
-### Building with Nix
-
-If you prefer, you can use Nix (or [Lix](https://lix.systems)) to build Continuwuity. This provides improved reproducibility and makes it easy to set up a build environment and generate output. This approach also allows for easy cross-compilation.
-
-You can run the `nix build -L .#static-x86_64-linux-musl-all-features` or
-`nix build -L .#static-aarch64-linux-musl-all-features` commands based
-on architecture to cross-compile the necessary static binary located at
-`result/bin/conduwuit`. This is reproducible with the static binaries produced
-in our CI.
-
 ## Adding a Continuwuity user
 
 While Continuwuity can run as any user, it is better to use dedicated users for
@@ -128,13 +133,11 @@ ## Setting up a systemd service
 ReadWritePaths=/path/to/custom/database/path
 ```
 
-
 ### Example systemd Unit File
 
 <details>
 <summary>Click to expand systemd unit file (conduwuit.service)</summary>
 
-
 ```ini file="../../pkg/conduwuit.service"
 
 ```
@@ -202,23 +205,27 @@ ### Other Reverse Proxies
 As we prefer our users to use Caddy, we do not provide configuration files for other proxies.
 
 You will need to reverse proxy everything under the following routes:
+
 - `/_matrix/` - core Matrix C-S and S-S APIs
 - `/_conduwuit/` and/or `/_continuwuity/` - ad-hoc Continuwuity routes such as `/local_user_count` and
-`/server_version`
+  `/server_version`
 
 You can optionally reverse proxy the following individual routes:
+
 - `/.well-known/matrix/client` and `/.well-known/matrix/server` if using
-Continuwuity to perform delegation (see the `[global.well_known]` config section)
+  Continuwuity to perform delegation (see the `[global.well_known]` config section)
 - `/.well-known/matrix/support` if using Continuwuity to send the homeserver admin
-contact and support page (formerly known as MSC1929)
+  contact and support page (formerly known as MSC1929)
 - `/` if you would like to see `hewwo from conduwuit woof!` at the root
 
 See the following spec pages for more details on these files:
+
 - [`/.well-known/matrix/server`](https://spec.matrix.org/latest/client-server-api/#getwell-knownmatrixserver)
 - [`/.well-known/matrix/client`](https://spec.matrix.org/latest/client-server-api/#getwell-knownmatrixclient)
 - [`/.well-known/matrix/support`](https://spec.matrix.org/latest/client-server-api/#getwell-knownmatrixsupport)
 
 Examples of delegation:
+
 - https://continuwuity.org/.well-known/matrix/server
 - https://continuwuity.org/.well-known/matrix/client
 - https://ellis.link/.well-known/matrix/server
@@ -232,6 +239,7 @@ ### Other Reverse Proxies
 If using Apache, you need to use `nocanon` in your `ProxyPass` directive to prevent httpd from interfering with the `X-Matrix` header (note that Apache is not ideal as a general reverse proxy, so we discourage using it if alternatives are available).
 
 If using Nginx, you need to pass the request URI to Continuwuity using `$request_uri`, like this:
+
 - `proxy_pass http://127.0.0.1:6167$request_uri;`
 - `proxy_pass http://127.0.0.1:6167;`
 
@@ -271,17 +279,17 @@ # If federation is enabled
 ```
 
 - To check if your server can communicate with other homeservers, use the
-[Matrix Federation Tester](https://federationtester.mtrnord.blog/). If you can
-register but cannot join federated rooms, check your configuration and verify
-that port 8448 is open and forwarded correctly.
+  [Matrix Federation Tester](https://federationtester.mtrnord.blog/). If you can
+  register but cannot join federated rooms, check your configuration and verify
+  that port 8448 is open and forwarded correctly.
 
-# What's next?
+## What's next?
 
-## Audio/Video calls
+### Audio/Video calls
 
 For Audio/Video call functionality see the [Calls](../calls.md) page.
 
-## Appservices
+### Appservices
 
 If you want to set up an appservice, take a look at the [Appservice
 Guide](../appservices.md).

docs/deploying/nixos.mdx

@@ -1,40 +1,40 @@
 # Continuwuity for NixOS
 
-NixOS packages Continuwuity as `matrix-continuwuity`. This package includes both the Continuwuity software and a dedicated NixOS module for configuration and deployment.
+## Nix package
 
-## Installation methods
+You can get a Nix package for Continuwuity from the following sources:
 
-You can acquire Continuwuity with Nix (or [Lix][lix]) from these sources:
+- Directly from Nixpkgs: `pkgs.matrix-continuwuity`
+- Or, using `continuwuity.packages.${system}.default` from:
+    - The `flake.nix` at the root of the Continuwuity repo, by adding Continuwuity to your flake inputs:
 
-* Directly from Nixpkgs using the official package (`pkgs.matrix-continuwuity`)
-* The `flake.nix` at the root of the Continuwuity repo
-* The `default.nix` at the root of the Continuwuity repo
+    ```nix
+    inputs.continuwuity.url = "git+https://forgejo.ellis.link/continuwuation/continuwuity";
+    ```
+
+    - The `default.nix` at the root of the Continuwuity repo
 
 ## NixOS module
 
-Continuwuity now has an official NixOS module that simplifies configuration and deployment. The module is available in Nixpkgs as `services.matrix-continuwuity` from NixOS 25.05.
+Continuwuity has an official NixOS module that simplifies configuration and deployment. The module is available in Nixpkgs as `services.matrix-continuwuity`.
 
 Here's a basic example of how to use the module:
 
 ```nix
-{ config, pkgs, ... }:
+services.matrix-continuwuity = {
+  enable = true;
+  settings = {
+    global = {
+      server_name = "example.com";
 
-{
-  services.matrix-continuwuity = {
-    enable = true;
-    settings = {
-      global = {
-        server_name = "example.com";
-        # Listening on localhost by default
-        # address and port are handled automatically
-        allow_registration = false;
-        allow_encryption = true;
-        allow_federation = true;
-        trusted_servers = [ "matrix.org" ];
-      };
+      # Continuwuity listens on localhost by default,
+      # address and port are handled automatically
+
+      # You can add any further configuration here, e.g.
+	  # trusted_servers = [ "matrix.org" ];
     };
   };
-}
+};
 ```
 
 ### Available options
@@ -45,86 +45,30 @@ ### Available options
 - `user`: The user to run Continuwuity as (defaults to "continuwuity")
 - `group`: The group to run Continuwuity as (defaults to "continuwuity")
 - `extraEnvironment`: Extra environment variables to pass to the Continuwuity server
-- `package`: The Continuwuity package to use
-- `settings`: The Continuwuity configuration (in TOML format)
+- `package`: The Continuwuity package to use, defaults to `pkgs.matrix-continuwuity`
+    - You may want to override this to be from our flake, for faster updates and unstable versions:
+    ```nix
+    package = inputs.continuwuity.packages.${pkgs.stdenv.hostPlatform.system}.default;
+    ```
+- `admin.enable`: Whether to add the `conduwuit` binary to `PATH` for administration (enabled by default)
+- `settings`: The Continuwuity configuration
 
 Use the `settings` option to configure Continuwuity itself. See the [example configuration file](../reference/config.mdx) for all available options.
 
-### UNIX sockets
-
-The NixOS module natively supports UNIX sockets through the `global.unix_socket_path` option. When using UNIX sockets, set `global.address` to `null`:
+Settings are automatically translated from Nix to TOML. For example, the following line of Nix:
 
 ```nix
-services.matrix-continuwuity = {
-  enable = true;
-  settings = {
-    global = {
-      server_name = "example.com";
-      address = null; # Must be null when using unix_socket_path
-      unix_socket_path = "/run/continuwuity/continuwuity.sock";
-      unix_socket_perms = 660; # Default permissions for the socket
-      # ...
-    };
-  };
-};
+settings.global.well_known.client = "https://matrix.example.com";
 ```
 
-The module automatically sets the correct `RestrictAddressFamilies` in the systemd service configuration to allow access to UNIX sockets.
+Would become this equivalent TOML configuration:
 
-### RocksDB database
-
-Continuwuity exclusively uses RocksDB as its database backend. The system configures the database path automatically to `/var/lib/continuwuity/` and you cannot change it due to the service's reliance on systemd's StateDir.
-
-If you're migrating from Conduit with SQLite, use this [tool to migrate a Conduit SQLite database to RocksDB](https://github.com/ShadowJonathan/conduit_toolbox/).
-
-### jemalloc and hardened profile
-
-Continuwuity uses jemalloc by default. This may interfere with the [`hardened.nix` profile][hardened.nix] because it uses `scudo` by default. Either disable/hide `scudo` from Continuwuity or disable jemalloc like this:
-
-```nix
-services.matrix-continuwuity = {
-  enable = true;
-  package = pkgs.matrix-continuwuity.override {
-    enableJemalloc = false;
-  };
-  # ...
-};
+```toml
+[global.well_known]
+client = "https://matrix.example.com"
 ```
 
-## Upgrading from Conduit
-
-If you previously used Conduit with the `services.matrix-conduit` module:
-
-1. Ensure your Conduit uses the RocksDB backend, or migrate from SQLite using the [migration tool](https://github.com/ShadowJonathan/conduit_toolbox/)
-2. Switch to the new module by changing `services.matrix-conduit` to `services.matrix-continuwuity` in your configuration
-3. Update any custom configuration to match the new module's structure
-
 ## Reverse proxy configuration
 
-You'll need to set up a reverse proxy (like nginx or caddy) to expose Continuwuity to the internet. Configure your reverse proxy to forward requests to `/_matrix` on port 443 and 8448 to your Continuwuity instance.
-
-Here's an example nginx configuration:
-
-```nginx
-server {
-    listen 443 ssl;
-    listen [::]:443 ssl;
-    listen 8448 ssl;
-    listen [::]:8448 ssl;
-
-    server_name example.com;
-
-    # SSL configuration here...
-
-    location /_matrix/ {
-        proxy_pass http://127.0.0.1:6167$request_uri;
-        proxy_set_header Host $host;
-        proxy_set_header X-Real-IP $remote_addr;
-        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
-        proxy_set_header X-Forwarded-Proto $scheme;
-    }
-}
-```
-
-[lix]: https://lix.systems/
-[hardened.nix]: https://github.com/NixOS/nixpkgs/blob/master/nixos/modules/profiles/hardened.nix
+You'll need to set up a reverse proxy (like NGINX or Caddy) to expose Continuwuity to the internet. You can configure your reverse proxy using NixOS options (e.g. `services.caddy`).
+See the [reverse proxy setup guide](./generic.mdx#setting-up-the-reverse-proxy) for information on correct reverse proxy configuration.

docs/development/contributing.mdx

@@ -1,203 +0,0 @@
-# Contributing guide
-
-This page is about contributing to Continuwuity. The
-[development](./index.mdx) and [code style guide](./code_style.mdx) pages may be of interest for you as well.
-
-If you would like to work on an [issue][issues] that is not assigned, preferably
-ask in the Matrix room first at [#continuwuity:continuwuity.org][continuwuity-matrix],
-and comment on it.
-
-### Code Style
-
-Please review and follow the [code style guide](./code_style) for formatting, linting, naming conventions, and other code standards.
-
-### Pre-commit Checks
-
-Continuwuity uses pre-commit hooks to enforce various coding standards and catch common issues before they're committed. These checks include:
-
-- Code formatting and linting
-- Typo detection (both in code and commit messages)
-- Checking for large files
-- Ensuring proper line endings and no trailing whitespace
-- Validating YAML, JSON, and TOML files
-- Checking for merge conflicts
-
-You can run these checks locally by installing [prefligit](https://github.com/j178/prefligit):
-
-
-```bash
-# Requires UV: https://docs.astral.sh/uv/getting-started/installation/
-# Mac/linux: curl -LsSf https://astral.sh/uv/install.sh | sh
-# Windows: powershell -ExecutionPolicy ByPass -c "irm https://astral.sh/uv/install.ps1 | iex"
-
-# Install prefligit using cargo-binstall
-cargo binstall prefligit
-
-# Install git hooks to run checks automatically
-prefligit install
-
-# Run all checks
-prefligit --all-files
-```
-
-Alternatively, you can use [pre-commit](https://pre-commit.com/):
-```bash
-# Requires python
-
-# Install pre-commit
-pip install pre-commit
-
-# Install the hooks
-pre-commit install
-
-# Run all checks manually
-pre-commit run --all-files
-```
-
-These same checks are run in CI via the prefligit-checks workflow to ensure consistency. These must pass before the PR is merged.
-
-### Running tests locally
-
-Tests, compilation, and linting can be run with standard Cargo commands:
-
-```bash
-# Run tests
-cargo test
-
-# Check compilation
-cargo check --workspace --features full
-
-# Run lints
-cargo clippy --workspace --features full
-# Auto-fix: cargo clippy --workspace --features full --fix --allow-staged;
-
-# Format code (must use nightly)
-cargo +nightly fmt
-```
-
-### Matrix tests
-
-Continuwuity uses [Complement][complement] for Matrix protocol compliance testing. Complement tests are run manually by developers, and documentation on how to run these tests locally is currently being developed.
-
-If your changes are done to fix Matrix tests, please note that in your pull request. If more Complement tests start failing from your changes, please review the logs and determine if they're intended or not.
-
-[Sytest][sytest] is currently unsupported.
-
-### Writing documentation
-
-Continuwuity's website uses [`mdbook`][mdbook] and is deployed via CI using Cloudflare Pages
-in the [`documentation.yml`][documentation.yml] workflow file. All documentation is in the `docs/`
-directory at the top level.
-
-To build the documentation locally:
-
-1. Install mdbook if you don't have it already:
-   ```bash
-   cargo install mdbook # or cargo binstall, or another method
-   ```
-
-2. Build the documentation:
-   ```bash
-   mdbook build
-   ```
-
-The output of the mdbook generation is in `public/`. You can open the HTML files directly in your browser without needing a web server.
-
-
-### Commit Messages
-
-Continuwuity follows the [Conventional Commits](https://www.conventionalcommits.org/) specification for commit messages. This provides a standardized format that makes the commit history more readable and enables automated tools to generate changelogs.
-
-The basic structure is:
-
-```
-<type>[(optional scope)]: <description>
-
-[optional body]
-
-[optional footer(s)]
-```
-
-The allowed types for commits are:
-- `fix`: Bug fixes
-- `feat`: New features
-- `docs`: Documentation changes
-- `style`: Changes that don't affect the meaning of the code (formatting, etc.)
-- `refactor`: Code changes that neither fix bugs nor add features
-- `perf`: Performance improvements
-- `test`: Adding or fixing tests
-- `build`: Changes to the build system or dependencies
-- `ci`: Changes to CI configuration
-- `chore`: Other changes that don't modify source or test files
-
-Examples:
-```
-feat: add user authentication
-fix(database): resolve connection pooling issue
-docs: update installation instructions
-```
-
-The project uses the `committed` hook to validate commit messages in pre-commit. This ensures all commits follow the conventional format.
-
-### Creating pull requests
-
-Please try to keep contributions to the Forgejo Instance. While the mirrors of continuwuity
-allow for pull/merge requests, there is no guarantee the maintainers will see them in a timely
-manner. Additionally, please mark WIP or unfinished or incomplete PRs as drafts.
-This prevents us from having to ping once in a while to double check the status
-of it, especially when the CI completed successfully and everything so it
-*looks* done.
-
-Before submitting a pull request, please ensure:
-1. Your code passes all CI checks (formatting, linting, typo detection, etc.). Run pre-commit for this.
-2. Your code follows the [code style guide](./code_style)
-3. Your commit messages follow the conventional commits format
-4. Tests are added for new functionality
-5. Documentation is updated if needed
-6. You have written a [news fragment](#writing-news-fragments) for your changes
-
-Direct all PRs/MRs to the `main` branch.
-
-By sending a pull request or patch, you are agreeing that your changes are
-allowed to be licenced under the Apache-2.0 licence and all of your conduct is
-in line with the Contributor's Covenant, and continuwuity's Code of Conduct.
-
-Contribution by users who violate either of these code of conducts may not have
-their contributions accepted. This includes users who have been banned from
-continuwuity Matrix rooms for Code of Conduct violations.
-
-[issues]: https://forgejo.ellis.link/continuwuation/continuwuity/issues
-[continuwuity-matrix]: https://matrix.to/#/#continuwuity:continuwuity.org?via=continuwuity.org&via=ellis.link&via=explodie.org&via=matrix.org
-[complement]: https://github.com/matrix-org/complement/
-[sytest]: https://github.com/matrix-org/sytest/
-[mdbook]: https://rust-lang.github.io/mdBook/
-[documentation.yml]: https://forgejo.ellis.link/continuwuation/continuwuity/src/branch/main/.forgejo/workflows/documentation.yml
-
-#### Writing news fragments
-
-In order to make writing our changelogs easier, we make use of [Towncrier]. Towncrier builds changelogs based on
-"news fragments", which are little markdown files in the `changelog.d/` directory that describe individual changes.
-
-When you make a pull request that changes functionality, fixes a bug, or adds documentation, please add a news fragment
-describing your change. The file name *MUST* be in the format of `{pull_request_number}.{type}`, where `{type}` is one
-of the following:
-
-- `feature` - for new features
-- `bugfix` - for bug fixes
-- `doc` - for documentation changes
-- `misc` - for other changes that don't fit the above categories
-
-For example:
-
-```bash
-$ echo "Fixed the quantum flux stabiliser. Contributed by @alice." > changelog.d/42.bugfix
-```
-
-(Note: If you want to credit yourself, you should reference your forgejo handle, however links to other platforms are also acceptable.)
-
-When the next release is made, Towncrier will automatically include your news fragment in the changelog.
-
-You can read more about writing news fragments in the [Towncrier tutorial][tt].
-
-[Towncrier]: https://towncrier.readthedocs.io/
-[tt]: https://towncrier.readthedocs.io/en/stable/tutorial.html#creating-news-fragments

docs/development/contributing.mdx

@@ -0,0 +1 @@
+../../CONTRIBUTING.md

docs/public/deploying/docker-compose.for-traefik.yml

@@ -0,0 +1,44 @@
+# Continuwuity - Behind Traefik Reverse Proxy
+
+services:
+  homeserver:
+    image: forgejo.ellis.link/continuwuation/continuwuity:latest
+    restart: unless-stopped
+    command: /sbin/conduwuit
+    volumes:
+      - db:/var/lib/continuwuity
+      - ./continuwuity-resolv.conf:/etc/resolv.conf # use custom resolvers rather than Docker's
+      #- ./continuwuity.toml:/etc/continuwuity.toml
+    networks:
+      - proxy
+    labels:
+      - "traefik.enable=true"
+      - "traefik.http.routers.continuwuity.rule=(Host(`example.com`))"
+      - "traefik.http.routers.continuwuity.entrypoints=websecure" # your HTTPS entry point
+      - "traefik.http.routers.continuwuity.tls=true"
+      - "traefik.http.routers.continuwuity.service=continuwuity"
+      - "traefik.http.services.continuwuity.loadbalancer.server.port=8008"
+      # possibly, depending on your config:
+      # - "traefik.http.routers.continuwuity.tls.certresolver=letsencrypt"
+    environment:
+      CONTINUWUITY_SERVER_NAME: example.com
+      CONTINUWUITY_DATABASE_PATH: /var/lib/continuwuity
+      CONTINUWUITY_ADDRESS: 0.0.0.0
+      CONTINUWUITY_PORT: 8008 # This must match with traefik's loadbalancer label
+      #CONTINUWUITY_CONFIG: '/etc/continuwuity.toml' # Uncomment if you mapped config toml above
+
+      # Serve .well-known files to tell others to reach Continuwuity on port :443
+      CONTINUWUITY_WELL_KNOWN: |
+        {
+        client=https://example.com,
+        server=example.com:443
+        }
+
+volumes:
+  db:
+
+networks:
+  # This is the network Traefik listens to, if your network has a different
+  # name, don't forget to change it here and in the docker-compose.override.yml
+  proxy:
+    external: true

docs/public/deploying/docker-compose.override.yml

@@ -6,11 +6,13 @@ services:
       - "traefik.enable=true"
       - "traefik.docker.network=proxy"  # Change this to the name of your Traefik docker proxy network
 
-      - "traefik.http.routers.to-continuwuity.rule=Host(`<SUBDOMAIN>.<DOMAIN>`)"  # Change to the address on which Continuwuity is hosted
+      - "traefik.http.routers.to-continuwuity.rule=Host(`example.com`)"  # Change to the address on which Continuwuity is hosted
       - "traefik.http.routers.to-continuwuity.tls=true"
       - "traefik.http.routers.to-continuwuity.tls.certresolver=letsencrypt"
       - "traefik.http.routers.to-continuwuity.middlewares=cors-headers@docker"
-      - "traefik.http.services.to_continuwuity.loadbalancer.server.port=6167"
+
+      # This must match with CONTINUWUITY_PORT (default: 8008)
+      - "traefik.http.services.to_continuwuity.loadbalancer.server.port=8008"
 
       - "traefik.http.middlewares.cors-headers.headers.accessControlAllowOriginList=*"
       - "traefik.http.middlewares.cors-headers.headers.accessControlAllowHeaders=Origin, X-Requested-With, Content-Type, Accept, Authorization"
@@ -18,19 +20,7 @@ services:
 
       # If you want to have your account on <DOMAIN>, but host Continuwuity on a subdomain,
       # you can let it only handle the well known file on that domain instead
-      #- "traefik.http.routers.to-matrix-wellknown.rule=Host(`<DOMAIN>`) && PathPrefix(`/.well-known/matrix`)"
+      #- "traefik.http.routers.to-matrix-wellknown.rule=Host(`example.com`) && PathPrefix(`/.well-known/matrix`)"
       #- "traefik.http.routers.to-matrix-wellknown.tls=true"
       #- "traefik.http.routers.to-matrix-wellknown.tls.certresolver=letsencrypt"
       #- "traefik.http.routers.to-matrix-wellknown.middlewares=cors-headers@docker"
-
-  ### Uncomment this if you uncommented Element-Web App in the docker-compose.yml
-  # element-web:
-  #     labels:
-  #         - "traefik.enable=true"
-  #         - "traefik.docker.network=proxy"  # Change this to the name of your Traefik docker proxy network
-
-  #         - "traefik.http.routers.to-element-web.rule=Host(`<SUBDOMAIN>.<DOMAIN>`)"  # Change to the address on which Element-Web is hosted
-  #         - "traefik.http.routers.to-element-web.tls=true"
-  #         - "traefik.http.routers.to-element-web.tls.certresolver=letsencrypt"
-
-# vim: ts=2:sw=2:expandtab

docs/public/deploying/docker-compose.with-caddy-labels.yml

@@ -0,0 +1,49 @@
+services:
+    caddy:
+    # This compose file uses caddy-docker-proxy as the reverse proxy for Continuwuity!
+    # For more info, visit https://github.com/lucaslorentz/caddy-docker-proxy
+        image: lucaslorentz/caddy-docker-proxy:ci-alpine
+        ports:
+            - 80:80
+            - 443:443
+        environment:
+            - CADDY_INGRESS_NETWORKS=caddy
+        networks:
+            - caddy
+        volumes:
+            - /var/run/docker.sock:/var/run/docker.sock
+            - ./data:/data
+        restart: unless-stopped
+
+    homeserver:
+        image: forgejo.ellis.link/continuwuation/continuwuity:latest
+        restart: unless-stopped
+        command: /sbin/conduwuit
+        volumes:
+            - db:/var/lib/continuwuity
+            - ./continuwuity-resolv.conf:/etc/resolv.conf # use custom resolvers rather than Docker's
+            #- ./continuwuity.toml:/etc/continuwuity.toml
+        environment:
+            CONTINUWUITY_SERVER_NAME: example.com
+            CONTINUWUITY_DATABASE_PATH: /var/lib/continuwuity
+            CONTINUWUITY_ADDRESS: 0.0.0.0
+            CONTINUWUITY_PORT: 8008
+            #CONTINUWUITY_CONFIG: '/etc/continuwuity.toml' # Uncomment if you mapped config toml above
+
+            # Serve .well-known files to tell others to reach Continuwuity on port :443
+            CONTINUWUITY_WELL_KNOWN: |
+                {
+                client=https://example.com,
+                server=example.com:443
+                }
+
+        networks:
+            - caddy
+        labels:
+            caddy: example.com
+            caddy.reverse_proxy: "{{upstreams 8008}}"
+volumes:
+    db:
+
+networks:
+    caddy:

docs/public/deploying/docker-compose.with-caddy.yml

@@ -0,0 +1,55 @@
+services:
+    caddy:
+        image: docker.io/caddy:latest
+        ports:
+            - 80:80
+            - 443:443
+            - 8448:8448
+        networks:
+            - caddy
+        volumes:
+            - ./data:/data
+        restart: unless-stopped
+        configs:
+            - source: Caddyfile
+              target: /etc/caddy/Caddyfile
+
+    homeserver:
+        image: forgejo.ellis.link/continuwuation/continuwuity:latest
+        restart: unless-stopped
+        command: /sbin/conduwuit
+        volumes:
+            - db:/var/lib/continuwuity
+            - ./continuwuity-resolv.conf:/etc/resolv.conf # use custom resolvers rather than Docker's
+            #- ./continuwuity.toml:/etc/continuwuity.toml
+        environment:
+            CONTINUWUITY_SERVER_NAME: example.com
+            CONTINUWUITY_DATABASE_PATH: /var/lib/continuwuity
+            CONTINUWUITY_ADDRESS: 0.0.0.0
+            CONTINUWUITY_PORT: 8008
+            #CONTINUWUITY_CONFIG: '/etc/continuwuity.toml' # Uncomment if you mapped config toml above
+
+            ## (Optional) Serve .well-known files to tell others to reach Continuwuity on port :443
+            ## If you do this, remove all routes to port :8448 from the compose and Caddyfile
+            # CONTINUWUITY_WELL_KNOWN: |
+            #     {
+            #     client=https://example.com,
+            #     server=example.com:443
+            #     }
+
+
+        networks:
+            - caddy
+
+networks:
+    caddy:
+
+volumes:
+    db:
+
+configs:
+    dynamic.yml:
+        content: |
+            https://example.com, https://example.com:8448 {
+                reverse_proxy http://homeserver:8008
+            }

docs/public/deploying/docker-compose.with-traefik.yml

@@ -0,0 +1,84 @@
+# Continuwuity - Behind Traefik Reverse Proxy
+
+services:
+  homeserver:
+    image: forgejo.ellis.link/continuwuation/continuwuity:latest
+    restart: unless-stopped
+    command: /sbin/conduwuit
+    volumes:
+      - db:/var/lib/continuwuity
+      - ./continuwuity-resolv.conf:/etc/resolv.conf # use custom resolvers rather than Docker's
+      #- ./continuwuity.toml:/etc/continuwuity.toml
+    networks:
+      - proxy
+    labels:
+      - "traefik.enable=true"
+      - "traefik.http.routers.continuwuity.rule=(Host(`example.com`))"
+      - "traefik.http.routers.continuwuity.entrypoints=websecure"
+      - "traefik.http.routers.continuwuity.tls.certresolver=letsencrypt"
+      - "traefik.http.services.continuwuity.loadbalancer.server.port=8008"
+    environment:
+      CONTINUWUITY_SERVER_NAME: example.com
+      CONTINUWUITY_DATABASE_PATH: /var/lib/continuwuity
+      CONTINUWUITY_ADDRESS: 0.0.0.0
+      CONTINUWUITY_PORT: 8008 # This must match with traefik's loadbalancer label
+      #CONTINUWUITY_CONFIG: '/etc/continuwuity.toml' # Uncomment if you mapped config toml above
+
+      # Serve .well-known files to tell others to reach Continuwuity on port :443
+      CONTINUWUITY_WELL_KNOWN: |
+        {
+          client=https://example.com,
+          server=example.com:443
+        }
+
+  traefik:
+    image: "traefik:latest"
+    container_name: "traefik"
+    restart: "unless-stopped"
+    ports:
+      - "80:80"
+      - "443:443"
+    volumes:
+      - "/var/run/docker.sock:/var/run/docker.sock:z"
+      - "acme:/etc/traefik/acme"
+    labels:
+      - "traefik.enable=true"
+
+      # middleware redirect
+      - "traefik.http.middlewares.redirect-to-https.redirectscheme.scheme=https"
+      # global redirect to https
+      - "traefik.http.routers.redirs.rule=hostregexp(`{host:.+}`)"
+      - "traefik.http.routers.redirs.entrypoints=web"
+      - "traefik.http.routers.redirs.middlewares=redirect-to-https"
+
+    environment:
+      TRAEFIK_LOG_LEVEL: DEBUG
+      TRAEFIK_ENTRYPOINTS_WEB: true
+      TRAEFIK_ENTRYPOINTS_WEB_ADDRESS: ":80"
+      TRAEFIK_ENTRYPOINTS_WEB_HTTP_REDIRECTIONS_ENTRYPOINT_TO: websecure
+
+      TRAEFIK_ENTRYPOINTS_WEBSECURE: true
+      TRAEFIK_ENTRYPOINTS_WEBSECURE_ADDRESS: ":443"
+      TRAEFIK_ENTRYPOINTS_WEBSECURE_HTTP_TLS_CERTRESOLVER: letsencrypt
+
+      TRAEFIK_CERTIFICATESRESOLVERS_LETSENCRYPT: true
+      # CHANGE THIS to desired email for ACME
+      TRAEFIK_CERTIFICATESRESOLVERS_LETSENCRYPT_ACME_EMAIL: user@example.com
+      TRAEFIK_CERTIFICATESRESOLVERS_LETSENCRYPT_ACME_HTTPCHALLENGE: true
+      TRAEFIK_CERTIFICATESRESOLVERS_LETSENCRYPT_ACME_HTTPCHALLENGE_ENTRYPOINT: web
+      TRAEFIK_CERTIFICATESRESOLVERS_LETSENCRYPT_ACME_STORAGE: "/etc/traefik/acme/acme.json"
+
+      # Since Traefik 3.6.3, paths with certain "encoded characters" are now blocked by default; we need a couple, or else things *will* break
+      TRAEFIK_ENTRYPOINTS_WEBSECURE_HTTP_ENCODEDCHARACTERS_ALLOWENCODEDSLASH: true
+      TRAEFIK_ENTRYPOINTS_WEBSECURE_HTTP_ENCODEDCHARACTERS_ALLOWENCODEDHASH: true
+
+      TRAEFIK_PROVIDERS_DOCKER: true
+      TRAEFIK_PROVIDERS_DOCKER_ENDPOINT: "unix:///var/run/docker.sock"
+      TRAEFIK_PROVIDERS_DOCKER_EXPOSEDBYDEFAULT: false
+
+volumes:
+  db:
+  acme:
+
+networks:
+  proxy:

docs/public/deploying/docker-compose.yml

@@ -0,0 +1,31 @@
+# Continuwuity
+
+services:
+    homeserver:
+        image: forgejo.ellis.link/continuwuation/continuwuity:latest
+        restart: unless-stopped
+        command: /sbin/conduwuit
+        ports:
+            - 127.0.0.1:8008:8008
+        volumes:
+            - db:/var/lib/continuwuity
+            - ./continuwuity-resolv.conf:/etc/resolv.conf # use custom resolvers rather than Docker's
+            #- ./continuwuity.toml:/etc/continuwuity.toml
+        environment:
+            CONTINUWUITY_SERVER_NAME: example.com # EDIT THIS
+            CONTINUWUITY_DATABASE_PATH: /var/lib/continuwuity
+            CONTINUWUITY_ADDRESS: 0.0.0.0
+            CONTINUWUITY_PORT: 8008
+            #CONTINUWUITY_CONFIG: '/etc/continuwuity.toml' # Uncomment if you mapped config toml above
+
+            ## (Optional) Serve .well-known files to tell others to reach Continuwuity on port :443
+            ## If you do this, remove all routes to port :8448 on your reverse proxy
+            # CONTINUWUITY_WELL_KNOWN: |
+            #     {
+            #     client=https://example.com,
+            #     server=example.com:443
+            #     }
+
+
+volumes:
+    db:

docs/public/schema/announcements.schema.json

@@ -1,6 +1,6 @@
 {
     "$schema": "http://json-schema.org/draft-04/schema#",
-    "$id": "https://continwuity.org/schema/announcements.schema.json",
+    "$id": "https://continuwuity.org/schema/announcements.schema.json",
     "type": "object",
     "properties": {
       "announcements": {

docs/reference/_meta.json

@@ -4,11 +4,6 @@
         "name": "config",
         "label": "Configuration"
     },
-    {
-        "type": "file",
-        "name": "environment-variables",
-        "label": "Environment Variables"
-    },
     {
         "type": "file",
         "name": "admin",

docs/reference/admin/debug.md

@@ -130,6 +130,10 @@ ## `!admin debug database-files`
 
 List database files
 
+## `!admin debug send-test-email`
+
+Send a test email to the invoking admin's email address
+
 ## `!admin debug tester`
 
 Developer test stubs

docs/reference/admin/query.md

@@ -133,6 +133,18 @@ ### `!admin query pusher get-pushers`
 
 Returns all the pushers for the user
 
+### `!admin query pusher delete-pusher`
+
+Deletes a specific pusher by ID
+
+### `!admin query pusher delete-all-user`
+
+Deletes all pushers for a user
+
+### `!admin query pusher delete-all-device`
+
+Deletes all pushers associated with a device ID
+
 ## `!admin query short`
 
 short service

docs/reference/admin/server.md

@@ -47,3 +47,11 @@ ## `!admin server restart`
 ## `!admin server shutdown`
 
 Shutdown the server
+
+## `!admin server list-features`
+
+List features built into the server
+
+## `!admin server build-info`
+
+Build information

docs/reference/admin/users.md

@@ -12,6 +12,24 @@ ## `!admin users reset-password`
 
 Reset user password
 
+## `!admin users issue-password-reset-link`
+
+Issue a self-service password reset link for a user
+
+## `!admin users get-email`
+
+Get a user's associated email address
+
+## `!admin users get-user-by-email`
+
+Get the user with the given email address
+
+## `!admin users change-email`
+
+Update or remove a user's email address.
+
+If `email` is not supplied, the user's existing address will be removed.
+
 ## `!admin users deactivate`
 
 Deactivate a user
@@ -139,3 +157,7 @@ ## `!admin users force-join-all-local-users`
 At least 1 server admin must be in the room to reduce abuse.
 
 Requires the `--yes-i-want-to-do-this` flag.
+
+## `!admin users reset-push-rules`
+
+Resets the push-rules (notification settings) of the target user to the server defaults

docs/reference/environment-variables.mdx

@@ -1,281 +0,0 @@
-# Environment Variables
-
-Continuwuity can be configured entirely through environment variables, making it
-ideal for containerised deployments and infrastructure-as-code scenarios.
-
-This is a convenience reference and may not be exhaustive. The
-[Configuration Reference](./config.mdx) is the primary source for all
-configuration options.
-
-## Prefix System
-
-Continuwuity supports three environment variable prefixes for backwards
-compatibility:
-
-- `CONTINUWUITY_*` (current, recommended)
-- `CONDUWUIT_*` (compatibility)
-- `CONDUIT_*` (legacy)
-
-All three prefixes work identically. Use double underscores (`__`) to represent
-nested configuration sections from the TOML config.
-
-**Examples:**
-
-```bash
-# Simple top-level config
-CONTINUWUITY_SERVER_NAME="matrix.example.com"
-CONTINUWUITY_PORT="8008"
-
-# Nested config sections use double underscores
-# This maps to [database] section in TOML
-CONTINUWUITY_DATABASE__PATH="/var/lib/continuwuity"
-
-# This maps to [tls] section in TOML
-CONTINUWUITY_TLS__CERTS="/path/to/cert.pem"
-```
-
-## Configuration File Override
-
-You can specify a custom configuration file path:
-
-- `CONTINUWUITY_CONFIG` - Path to continuwuity.toml (current)
-- `CONDUWUIT_CONFIG` - Path to config file (compatibility)
-- `CONDUIT_CONFIG` - Path to config file (legacy)
-
-## Essential Variables
-
-These are the minimum variables needed for a working deployment:
-
-| Variable                     | Description                        | Default                |
-| ---------------------------- | ---------------------------------- | ---------------------- |
-| `CONTINUWUITY_SERVER_NAME`   | Your Matrix server's domain name   | Required               |
-| `CONTINUWUITY_DATABASE_PATH` | Path to RocksDB database directory | `/var/lib/conduwuit`   |
-| `CONTINUWUITY_ADDRESS`       | IP address to bind to              | `["127.0.0.1", "::1"]` |
-| `CONTINUWUITY_PORT`          | Port to listen on                  | `8008`                 |
-
-## Network Configuration
-
-| Variable                         | Description                                     | Default                |
-| -------------------------------- | ----------------------------------------------- | ---------------------- |
-| `CONTINUWUITY_ADDRESS`           | Bind address (use `0.0.0.0` for all interfaces) | `["127.0.0.1", "::1"]` |
-| `CONTINUWUITY_PORT`              | HTTP port                                       | `8008`                 |
-| `CONTINUWUITY_UNIX_SOCKET_PATH`  | UNIX socket path (alternative to TCP)           | -                      |
-| `CONTINUWUITY_UNIX_SOCKET_PERMS` | Socket permissions (octal)                      | `660`                  |
-
-## Database Configuration
-
-| Variable                                   | Description                 | Default              |
-| ------------------------------------------ | --------------------------- | -------------------- |
-| `CONTINUWUITY_DATABASE_PATH`               | RocksDB data directory      | `/var/lib/conduwuit` |
-| `CONTINUWUITY_DATABASE_BACKUP_PATH`        | Backup directory            | -                    |
-| `CONTINUWUITY_DATABASE_BACKUPS_TO_KEEP`    | Number of backups to retain | `1`                  |
-| `CONTINUWUITY_DB_CACHE_CAPACITY_MB`        | Database read cache (MB)    | -                    |
-| `CONTINUWUITY_DB_WRITE_BUFFER_CAPACITY_MB` | Write cache (MB)            | -                    |
-
-## Cache Configuration
-
-| Variable                                 | Description              |
-| ---------------------------------------- | ------------------------ |
-| `CONTINUWUITY_CACHE_CAPACITY_MODIFIER`   | LRU cache multiplier     |
-| `CONTINUWUITY_PDU_CACHE_CAPACITY`        | PDU cache entries        |
-| `CONTINUWUITY_AUTH_CHAIN_CACHE_CAPACITY` | Auth chain cache entries |
-
-## DNS Configuration
-
-Configure DNS resolution behaviour for federation and external requests.
-
-| Variable                             | Description                  | Default  |
-| ------------------------------------ | ---------------------------- | -------- |
-| `CONTINUWUITY_DNS_CACHE_ENTRIES`     | Max DNS cache entries        | `32768`  |
-| `CONTINUWUITY_DNS_MIN_TTL`           | Minimum cache TTL (seconds)  | `10800`  |
-| `CONTINUWUITY_DNS_MIN_TTL_NXDOMAIN`  | NXDOMAIN cache TTL (seconds) | `259200` |
-| `CONTINUWUITY_DNS_ATTEMPTS`          | Retry attempts               | -        |
-| `CONTINUWUITY_DNS_TIMEOUT`           | Query timeout (seconds)      | -        |
-| `CONTINUWUITY_DNS_TCP_FALLBACK`      | Allow TCP fallback           | -        |
-| `CONTINUWUITY_QUERY_ALL_NAMESERVERS` | Query all nameservers        | -        |
-| `CONTINUWUITY_QUERY_OVER_TCP_ONLY`   | TCP-only queries             | -        |
-
-## Request Configuration
-
-| Variable                             | Description                   |
-| ------------------------------------ | ----------------------------- |
-| `CONTINUWUITY_MAX_REQUEST_SIZE`      | Max HTTP request size (bytes) |
-| `CONTINUWUITY_REQUEST_CONN_TIMEOUT`  | Connection timeout (seconds)  |
-| `CONTINUWUITY_REQUEST_TIMEOUT`       | Overall request timeout       |
-| `CONTINUWUITY_REQUEST_TOTAL_TIMEOUT` | Total timeout                 |
-| `CONTINUWUITY_REQUEST_IDLE_TIMEOUT`  | Idle timeout                  |
-| `CONTINUWUITY_REQUEST_IDLE_PER_HOST` | Idle connections per host     |
-
-## Federation Configuration
-
-Control how your server federates with other Matrix servers.
-
-| Variable                                       | Description                   | Default |
-| ---------------------------------------------- | ----------------------------- | ------- |
-| `CONTINUWUITY_ALLOW_FEDERATION`                | Enable federation             | `true`  |
-| `CONTINUWUITY_FEDERATION_LOOPBACK`             | Allow loopback federation     | -       |
-| `CONTINUWUITY_FEDERATION_CONN_TIMEOUT`         | Connection timeout            | -       |
-| `CONTINUWUITY_FEDERATION_TIMEOUT`              | Request timeout               | -       |
-| `CONTINUWUITY_FEDERATION_IDLE_TIMEOUT`         | Idle timeout                  | -       |
-| `CONTINUWUITY_FEDERATION_IDLE_PER_HOST`        | Idle connections per host     | -       |
-| `CONTINUWUITY_TRUSTED_SERVERS`                 | JSON array of trusted servers | -       |
-| `CONTINUWUITY_QUERY_TRUSTED_KEY_SERVERS_FIRST` | Query trusted first           | -       |
-| `CONTINUWUITY_ONLY_QUERY_TRUSTED_KEY_SERVERS`  | Only query trusted            | -       |
-
-**Example:**
-
-```bash
-# Trust matrix.org for key verification
-CONTINUWUITY_TRUSTED_SERVERS='["matrix.org"]'
-```
-
-## Registration & User Configuration
-
-Control user registration and account creation behaviour.
-
-| Variable                                   | Description           | Default |
-| ------------------------------------------ | --------------------- | ------- |
-| `CONTINUWUITY_ALLOW_REGISTRATION`          | Enable registration   | `true`  |
-| `CONTINUWUITY_REGISTRATION_TOKEN`          | Token requirement     | -       |
-| `CONTINUWUITY_SUSPEND_ON_REGISTER`         | Suspend new accounts  | -       |
-| `CONTINUWUITY_NEW_USER_DISPLAYNAME_SUFFIX` | Display name suffix   | 🏳️‍⚧️      |
-| `CONTINUWUITY_RECAPTCHA_SITE_KEY`          | reCAPTCHA site key    | -       |
-| `CONTINUWUITY_RECAPTCHA_PRIVATE_SITE_KEY`  | reCAPTCHA private key | -       |
-
-**Example:**
-
-```bash
-# Disable open registration
-CONTINUWUITY_ALLOW_REGISTRATION="false"
-
-# Require a registration token
-CONTINUWUITY_REGISTRATION_TOKEN="your_secret_token_here"
-```
-
-## Feature Configuration
-
-| Variable                                                   | Description                | Default |
-| ---------------------------------------------------------- | -------------------------- | ------- |
-| `CONTINUWUITY_ALLOW_ENCRYPTION`                            | Enable E2EE                | `true`  |
-| `CONTINUWUITY_ALLOW_ROOM_CREATION`                         | Enable room creation       | -       |
-| `CONTINUWUITY_ALLOW_UNSTABLE_ROOM_VERSIONS`                | Allow unstable versions    | -       |
-| `CONTINUWUITY_DEFAULT_ROOM_VERSION`                        | Default room version       | `v11`   |
-| `CONTINUWUITY_REQUIRE_AUTH_FOR_PROFILE_REQUESTS`           | Auth for profiles          | -       |
-| `CONTINUWUITY_ALLOW_PUBLIC_ROOM_DIRECTORY_OVER_FEDERATION` | Federate directory         | -       |
-| `CONTINUWUITY_ALLOW_PUBLIC_ROOM_DIRECTORY_WITHOUT_AUTH`    | Unauth directory           | -       |
-| `CONTINUWUITY_ALLOW_DEVICE_NAME_FEDERATION`                | Device names in federation | -       |
-
-## TLS Configuration
-
-Built-in TLS support is primarily for testing. **For production deployments,
-especially when federating on the internet, use a reverse proxy** (Traefik,
-Caddy, nginx) to handle TLS termination.
-
-| Variable                          | Description               |
-| --------------------------------- | ------------------------- |
-| `CONTINUWUITY_TLS__CERTS`         | TLS certificate file path |
-| `CONTINUWUITY_TLS__KEY`           | TLS private key path      |
-| `CONTINUWUITY_TLS__DUAL_PROTOCOL` | Support TLS 1.2 + 1.3     |
-
-**Example (testing only):**
-
-```bash
-CONTINUWUITY_TLS__CERTS="/etc/letsencrypt/live/matrix.example.com/fullchain.pem"
-CONTINUWUITY_TLS__KEY="/etc/letsencrypt/live/matrix.example.com/privkey.pem"
-```
-
-## Logging Configuration
-
-Control log output format and verbosity.
-
-| Variable                       | Description        | Default |
-| ------------------------------ | ------------------ | ------- |
-| `CONTINUWUITY_LOG`             | Log filter level   | -       |
-| `CONTINUWUITY_LOG_COLORS`      | ANSI colours       | `true`  |
-| `CONTINUWUITY_LOG_SPAN_EVENTS` | Log span events    | `none`  |
-| `CONTINUWUITY_LOG_THREAD_IDS`  | Include thread IDs | -       |
-
-**Examples:**
-
-```bash
-# Set log level to info
-CONTINUWUITY_LOG="info"
-
-# Enable debug logging for specific modules
-CONTINUWUITY_LOG="warn,continuwuity::api=debug"
-
-# Disable colours for log aggregation
-CONTINUWUITY_LOG_COLORS="false"
-```
-
-## Observability Configuration
-
-| Variable                                 | Description           |
-| ---------------------------------------- | --------------------- |
-| `CONTINUWUITY_ALLOW_OTLP`                | Enable OpenTelemetry  |
-| `CONTINUWUITY_OTLP_FILTER`               | OTLP filter level     |
-| `CONTINUWUITY_OTLP_PROTOCOL`             | Protocol (http/grpc)  |
-| `CONTINUWUITY_TRACING_FLAME`             | Enable flame graphs   |
-| `CONTINUWUITY_TRACING_FLAME_FILTER`      | Flame graph filter    |
-| `CONTINUWUITY_TRACING_FLAME_OUTPUT_PATH` | Output directory      |
-| `CONTINUWUITY_SENTRY`                    | Enable Sentry         |
-| `CONTINUWUITY_SENTRY_ENDPOINT`           | Sentry DSN            |
-| `CONTINUWUITY_SENTRY_SEND_SERVER_NAME`   | Include server name   |
-| `CONTINUWUITY_SENTRY_TRACES_SAMPLE_RATE` | Sample rate (0.0-1.0) |
-
-## Admin Configuration
-
-Configure admin users and automated command execution.
-
-| Variable                                   | Description                      | Default           |
-| ------------------------------------------ | -------------------------------- | ----------------- |
-| `CONTINUWUITY_ADMINS_LIST`                 | JSON array of admin user IDs     | -                 |
-| `CONTINUWUITY_ADMINS_FROM_ROOM`            | Derive admins from room          | -                 |
-| `CONTINUWUITY_ADMIN_ESCAPE_COMMANDS`       | Allow `\` prefix in public rooms | -                 |
-| `CONTINUWUITY_ADMIN_CONSOLE_AUTOMATIC`     | Auto-activate console            | -                 |
-| `CONTINUWUITY_ADMIN_EXECUTE`               | JSON array of startup commands   | -                 |
-| `CONTINUWUITY_ADMIN_EXECUTE_ERRORS_IGNORE` | Ignore command errors            | -                 |
-| `CONTINUWUITY_ADMIN_SIGNAL_EXECUTE`        | Commands on SIGUSR2              | -                 |
-| `CONTINUWUITY_ADMIN_ROOM_TAG`              | Admin room tag                   | `m.server_notice` |
-
-**Examples:**
-
-```bash
-# Create admin user on startup
-CONTINUWUITY_ADMIN_EXECUTE='["users create-user admin", "users make-user-admin admin"]'
-
-# Specify admin users directly
-CONTINUWUITY_ADMINS_LIST='["@alice:example.com", "@bob:example.com"]'
-```
-
-## Media & URL Preview Configuration
-
-| Variable                                             | Description        |
-| ---------------------------------------------------- | ------------------ |
-| `CONTINUWUITY_URL_PREVIEW_BOUND_INTERFACE`           | Bind interface     |
-| `CONTINUWUITY_URL_PREVIEW_DOMAIN_CONTAINS_ALLOWLIST` | Domain allowlist   |
-| `CONTINUWUITY_URL_PREVIEW_DOMAIN_EXPLICIT_ALLOWLIST` | Explicit allowlist |
-| `CONTINUWUITY_URL_PREVIEW_DOMAIN_EXPLICIT_DENYLIST`  | Explicit denylist  |
-| `CONTINUWUITY_URL_PREVIEW_MAX_SPIDER_SIZE`           | Max fetch size     |
-| `CONTINUWUITY_URL_PREVIEW_TIMEOUT`                   | Fetch timeout      |
-| `CONTINUWUITY_IP_RANGE_DENYLIST`                     | IP range denylist  |
-
-## Tokio Runtime Configuration
-
-These can be set as environment variables or CLI arguments:
-
-| Variable                                  | Description                |
-| ----------------------------------------- | -------------------------- |
-| `TOKIO_WORKER_THREADS`                    | Worker thread count        |
-| `TOKIO_GLOBAL_QUEUE_INTERVAL`             | Global queue interval      |
-| `TOKIO_EVENT_INTERVAL`                    | Event interval             |
-| `TOKIO_MAX_IO_EVENTS_PER_TICK`            | Max I/O events per tick    |
-| `CONTINUWUITY_RUNTIME_HISTOGRAM_INTERVAL` | Histogram bucket size (μs) |
-| `CONTINUWUITY_RUNTIME_HISTOGRAM_BUCKETS`  | Bucket count               |
-| `CONTINUWUITY_RUNTIME_WORKER_AFFINITY`    | Enable worker affinity     |
-
-## See Also
-
-- [Configuration Reference](./config.mdx) - Complete TOML configuration
-  documentation
-- [Admin Commands](./admin/) - Admin command reference

docs/troubleshooting.mdx

@@ -45,75 +45,30 @@ ### Lost access to admin room
 
 ## DNS issues
 
-### Potential DNS issues when using Docker
+### DNS server overload
 
-Docker's DNS setup for containers in a non-default network intercepts queries to
-enable resolving of container hostnames to IP addresses. However, due to
-performance issues with Docker's built-in resolver, this can cause DNS queries
-to take a long time to resolve, resulting in federation issues.
+If your server experience any of the following symptoms:
 
-This is particularly common with Docker Compose, as custom networks are easily
-created and configured.
+- Spurious server log entries with "DNS No connections available", "mismatching responding nameservers", or "error sending request"
+- Excessively long room joins (30+ minutes) as seen from server logs
+- Partial or non-functional outbound federation
 
-Symptoms of this include excessively long room joins (30+ minutes) from very
-long DNS timeouts, log entries of "mismatching responding nameservers",
-and/or partial or non-functional inbound/outbound federation.
+This is likely due to your DNS server being overloaded. Most likely, these problems are encountered in the following scenarios:
 
-This is not a bug in continuwuity. Docker's default DNS resolver is not suitable
-for heavy DNS activity, which is normal for federated protocols like Matrix.
+- Homeservers hosted on a machine that uses `systemd-resolved`.
+- Docker deployments which use the bridge network's forwarding resolver.
 
-Workarounds:
+Matrix federation is extremely heavy and sends wild amounts of DNS requests. This makes normal resolvers like the ones above unsuitable for its activity. Ultimately, the best solution/fix for this is to selfhost a high quality caching DNS resolver such as Unbound, and configure Continuwuity to use it.
 
-- Use DNS over TCP via the config option `query_over_tcp_only = true`
-- Bypass Docker's default DNS setup and instead allow the container to use and communicate with your host's DNS servers. Typically, this can be done by mounting the host's `/etc/resolv.conf`.
+Follow the [**DNS tuning guide**](./advanced/dns) for details on setting it up.
 
-### DNS No connections available error message
+### Intermittent federation failures to a specific server
 
-If you receive spurious amounts of error logs saying "DNS No connections
-available", this is due to your DNS server (servers from `/etc/resolv.conf`)
-being overloaded and unable to handle typical Matrix federation volume. Some
-users have reported that the upstream servers are rate-limiting them as well
-when they get this error (e.g. popular upstreams like Google DNS).
+There may be circumstances where servers fail to connect to each other, probably due to a bad DNS cache. In such cases, issuing `!admin debug ping <SERVER_NAME>` would return some errors.
 
-Matrix federation is extremely heavy and sends wild amounts of DNS requests.
-Unfortunately this is by design and has only gotten worse with more
-server/destination resolution steps. Synapse also expects a very perfect DNS
-setup.
+To fix this, you can run `!admin query resolver flush-cache <SERVER_NAME>` to clear the bad cache for that domain, and outbound requests should work again.
 
-There are some ways you can reduce the amount of DNS queries, but ultimately
-the best solution/fix is selfhosting a high quality caching DNS server like
-[Unbound][unbound-arch] without any upstream resolvers, and without DNSSEC
-validation enabled.
-
-DNSSEC validation is highly recommended to be **disabled** due to DNSSEC being
-very computationally expensive, and is extremely susceptible to denial of
-service, especially on Matrix. Many servers also strangely have broken DNSSEC
-setups and will result in non-functional federation.
-
-Continuwuity cannot provide a "works-for-everyone" Unbound DNS setup guide, but
-the [official Unbound tuning guide][unbound-tuning] and the [Unbound Arch Linux wiki page][unbound-arch]
-may be of interest. Disabling DNSSEC on Unbound is commenting out trust-anchors
-config options and removing the `validator` module.
-
-**Avoid** using `systemd-resolved` as it does **not** perform very well under
-high load, and we have identified its DNS caching to not be very effective.
-
-dnsmasq can possibly work, but it does **not** support TCP fallback which can be
-problematic when receiving large DNS responses such as from large SRV records.
-If you still want to use dnsmasq, make sure you **disable** `dns_tcp_fallback`
-in Continuwuity config.
-
-Raising `dns_cache_entries` in Continuwuity config from the default can also assist
-in DNS caching, but a full-fledged external caching resolver is better and more
-reliable.
-
-If you don't have IPv6 connectivity, changing `ip_lookup_strategy` to match
-your setup can help reduce unnecessary AAAA queries
-(`1 - Ipv4Only (Only query for A records, no AAAA/IPv6)`).
-
-If your DNS server supports it, some users have reported enabling
-`query_over_tcp_only` to force only TCP querying by default has improved DNS
-reliability at a slight performance cost due to TCP overhead.
+You may also use `!admin server clear-caches` or `!admin query resolver flush-cache -a` to clear all server/resolver caches, in case of failures with many domains. However, note that this significantly increases your server load for a short period.
 
 ## RocksDB / database issues
 

flake.lock

@@ -3,11 +3,11 @@
     "advisory-db": {
       "flake": false,
       "locked": {
-        "lastModified": 1773786698,
-        "narHash": "sha256-o/J7ZculgwSs1L4H4UFlFZENOXTJzq1X0n71x6oNNvY=",
+        "lastModified": 1775907537,
+        "narHash": "sha256-vbeLNgmsx1Z6TwnlDV0dKyeBCcon3UpkV9yLr/yc6HM=",
         "owner": "rustsec",
         "repo": "advisory-db",
-        "rev": "99e9de91bb8b61f06ef234ff84e11f758ecd5384",
+        "rev": "d99f7b9eb81731bddebf80a355f8be7b2f8b1b28",
         "type": "github"
       },
       "original": {
@@ -18,11 +18,11 @@
     },
     "crane": {
       "locked": {
-        "lastModified": 1773189535,
-        "narHash": "sha256-E1G/Or6MWeP+L6mpQ0iTFLpzSzlpGrITfU2220Gq47g=",
+        "lastModified": 1775839657,
+        "narHash": "sha256-SPm9ck7jh3Un9nwPuMGbRU04UroFmOHjLP56T10MOeM=",
         "owner": "ipetkov",
         "repo": "crane",
-        "rev": "6fa2fb4cf4a89ba49fc9dd5a3eb6cde99d388269",
+        "rev": "7cf72d978629469c4bd4206b95c402514c1f6000",
         "type": "github"
       },
       "original": {
@@ -39,11 +39,11 @@
         "rust-analyzer-src": "rust-analyzer-src"
       },
       "locked": {
-        "lastModified": 1773732206,
-        "narHash": "sha256-HKibxaUXyWd4Hs+ZUnwo6XslvaFqFqJh66uL9tphU4Q=",
+        "lastModified": 1775891769,
+        "narHash": "sha256-EOfVlTKw2n8w1uhfh46GS4hEGnQ7oWrIWQfIY6utIkI=",
         "owner": "nix-community",
         "repo": "fenix",
-        "rev": "0aa13c1b54063a8d8679b28a5cd357ba98f4a56b",
+        "rev": "6fbc54dde15aee725bdc7aae5e478849685d5f56",
         "type": "github"
       },
       "original": {
@@ -74,11 +74,11 @@
         "nixpkgs-lib": "nixpkgs-lib"
       },
       "locked": {
-        "lastModified": 1772408722,
-        "narHash": "sha256-rHuJtdcOjK7rAHpHphUb1iCvgkU3GpfvicLMwwnfMT0=",
+        "lastModified": 1775087534,
+        "narHash": "sha256-91qqW8lhL7TLwgQWijoGBbiD4t7/q75KTi8NxjVmSmA=",
         "owner": "hercules-ci",
         "repo": "flake-parts",
-        "rev": "f20dc5d9b8027381c474144ecabc9034d6a839a3",
+        "rev": "3107b77cd68437b9a76194f0f7f9c55f2329ca5b",
         "type": "github"
       },
       "original": {
@@ -89,11 +89,11 @@
     },
     "nixpkgs": {
       "locked": {
-        "lastModified": 1773734432,
-        "narHash": "sha256-IF5ppUWh6gHGHYDbtVUyhwy/i7D261P7fWD1bPefOsw=",
+        "lastModified": 1775710090,
+        "narHash": "sha256-ar3rofg+awPB8QXDaFJhJ2jJhu+KqN/PRCXeyuXR76E=",
         "owner": "NixOS",
         "repo": "nixpkgs",
-        "rev": "cda48547b432e8d3b18b4180ba07473762ec8558",
+        "rev": "4c1018dae018162ec878d42fec712642d214fdfa",
         "type": "github"
       },
       "original": {
@@ -105,11 +105,11 @@
     },
     "nixpkgs-lib": {
       "locked": {
-        "lastModified": 1772328832,
-        "narHash": "sha256-e+/T/pmEkLP6BHhYjx6GmwP5ivonQQn0bJdH9YrRB+Q=",
+        "lastModified": 1774748309,
+        "narHash": "sha256-+U7gF3qxzwD5TZuANzZPeJTZRHS29OFQgkQ2kiTJBIQ=",
         "owner": "nix-community",
         "repo": "nixpkgs.lib",
-        "rev": "c185c7a5e5dd8f9add5b2f8ebeff00888b070742",
+        "rev": "333c4e0545a6da976206c74db8773a1645b5870a",
         "type": "github"
       },
       "original": {
@@ -132,11 +132,11 @@
     "rust-analyzer-src": {
       "flake": false,
       "locked": {
-        "lastModified": 1773697963,
-        "narHash": "sha256-xdKI77It9PM6eNrCcDZsnP4SKulZwk8VkDgBRVMnCb8=",
+        "lastModified": 1775843361,
+        "narHash": "sha256-j53ZgyDvmYf3Sjh1IPvvTjqa614qUfVQSzj59+MpzkY=",
         "owner": "rust-lang",
         "repo": "rust-analyzer",
-        "rev": "2993637174252ff60a582fd1f55b9ab52c39db6d",
+        "rev": "9eb97ea96d8400e8957ddd56702e962614296583",
         "type": "github"
       },
       "original": {
@@ -153,11 +153,11 @@
         ]
       },
       "locked": {
-        "lastModified": 1773297127,
-        "narHash": "sha256-6E/yhXP7Oy/NbXtf1ktzmU8SdVqJQ09HC/48ebEGBpk=",
+        "lastModified": 1775636079,
+        "narHash": "sha256-pc20NRoMdiar8oPQceQT47UUZMBTiMdUuWrYu2obUP0=",
         "owner": "numtide",
         "repo": "treefmt-nix",
-        "rev": "71b125cd05fbfd78cab3e070b73544abe24c5016",
+        "rev": "790751ff7fd3801feeaf96d7dc416a8d581265ba",
         "type": "github"
       },
       "original": {

flake.nix

@@ -29,7 +29,6 @@
       url = "github:edolstra/flake-compat?ref=master";
       flake = false;
     };
-
   };
 
   outputs =
@@ -37,10 +36,10 @@
     flake-parts.lib.mkFlake { inherit inputs; } {
       imports = [ ./nix ];
       systems = [
-        # good support
         "x86_64-linux"
-        # support untested but theoretically there
         "aarch64-linux"
+        # support untested but theoretically there
+        "aarch64-darwin"
       ];
     };
 }

nix/checks/default.nix

@@ -1,107 +0,0 @@
-{ inputs, ... }:
-{
-  perSystem =
-    {
-      self',
-      lib,
-      pkgs,
-      ...
-    }:
-    let
-      uwulib = inputs.self.uwulib.init pkgs;
-
-      rocksdbAllFeatures = self'.packages.rocksdb.override {
-        enableJemalloc = true;
-      };
-
-      commonAttrs = (uwulib.build.commonAttrs { }) // {
-        buildInputs = [
-          pkgs.liburing
-          pkgs.rust-jemalloc-sys-unprefixed
-          rocksdbAllFeatures
-        ];
-        nativeBuildInputs = [
-          pkgs.pkg-config
-          # bindgen needs the build platform's libclang. Apparently due to "splicing
-          # weirdness", pkgs.rustPlatform.bindgenHook on its own doesn't quite do the
-          # right thing here.
-          pkgs.rustPlatform.bindgenHook
-        ];
-        env = {
-          LIBCLANG_PATH = lib.makeLibraryPath [ pkgs.llvmPackages.libclang.lib ];
-          LD_LIBRARY_PATH = lib.makeLibraryPath [
-            pkgs.liburing
-            pkgs.rust-jemalloc-sys-unprefixed
-            rocksdbAllFeatures
-          ];
-        }
-        // uwulib.environment.buildPackageEnv
-        // {
-          ROCKSDB_INCLUDE_DIR = "${rocksdbAllFeatures}/include";
-          ROCKSDB_LIB_DIR = "${rocksdbAllFeatures}/lib";
-        };
-      };
-      cargoArtifacts = self'.packages.continuwuity-all-features-deps;
-    in
-    {
-      # taken from
-      #
-      # https://crane.dev/examples/quick-start.html
-      checks = {
-        continuwuity-all-features-build = self'.packages.continuwuity-all-features-bin;
-
-        continuwuity-all-features-clippy = uwulib.build.craneLibForChecks.cargoClippy (
-          commonAttrs
-          // {
-            inherit cargoArtifacts;
-            cargoClippyExtraArgs = "-- --deny warnings";
-          }
-        );
-
-        continuwuity-all-features-docs = uwulib.build.craneLibForChecks.cargoDoc (
-          commonAttrs
-          // {
-            inherit cargoArtifacts;
-            # This can be commented out or tweaked as necessary, e.g. set to
-            # `--deny rustdoc::broken-intra-doc-links` to only enforce that lint
-            env.RUSTDOCFLAGS = "--deny warnings";
-          }
-        );
-
-        # Check formatting
-        continuwuity-all-features-fmt = uwulib.build.craneLibForChecks.cargoFmt {
-          src = uwulib.build.src;
-        };
-
-        continuwuity-all-features-toml-fmt = uwulib.build.craneLibForChecks.taploFmt {
-          src = pkgs.lib.sources.sourceFilesBySuffices uwulib.build.src [ ".toml" ];
-          # taplo arguments can be further customized below as needed
-          taploExtraArgs = "--config ${inputs.self}/taplo.toml";
-        };
-
-        # Audit dependencies
-        continuwuity-all-features-audit = uwulib.build.craneLibForChecks.cargoAudit {
-          inherit (inputs) advisory-db;
-          src = uwulib.build.src;
-        };
-
-        # Audit licenses
-        continuwuity-all-features-deny = uwulib.build.craneLibForChecks.cargoDeny {
-          src = uwulib.build.src;
-        };
-
-        # Run tests with cargo-nextest
-        # Consider setting `doCheck = false` on `continuwuity-all-features` if you do not want
-        # the tests to run twice
-        continuwuity-all-features-nextest = uwulib.build.craneLibForChecks.cargoNextest (
-          commonAttrs
-          // {
-            inherit cargoArtifacts;
-            partitions = 1;
-            partitionType = "count";
-            cargoNextestPartitionsExtraArgs = "--no-tests=pass";
-          }
-        );
-      };
-    };
-}

nix/crane.nix

@@ -0,0 +1,14 @@
+{ inputs, ... }:
+{
+  perSystem =
+    {
+      pkgs,
+      self',
+      ...
+    }:
+    {
+      _module.args.craneLib = (inputs.crane.mkLib pkgs).overrideToolchain (
+        pkgs: self'.packages.stable-toolchain
+      );
+    };
+}

nix/default.nix

@@ -1,11 +1,10 @@
 {
   imports = [
-    ./checks
+    ./rust.nix
+    ./crane.nix
     ./packages
-    ./shells
-    ./tests
-
-    ./hydra.nix
+    ./devshell.nix
     ./fmt.nix
+    ./rocksdb-updater.nix
   ];
 }

nix/devshell.nix

@@ -0,0 +1,42 @@
+{
+  perSystem =
+    {
+      craneLib,
+      self',
+      lib,
+      pkgs,
+      ...
+    }:
+    {
+      # basic nix shell containing all things necessary to build continuwuity in all flavors manually (on x86_64-linux)
+      devShells.default = craneLib.devShell {
+        packages = [
+          self'.packages.rocksdb
+          pkgs.nodejs
+          pkgs.pkg-config
+        ]
+        ++ lib.optionals pkgs.stdenv.isLinux [
+          pkgs.liburing
+          pkgs.rust-jemalloc-sys-unprefixed
+        ];
+
+        env = {
+          LIBCLANG_PATH = lib.makeLibraryPath [ pkgs.llvmPackages.libclang.lib ];
+          LD_LIBRARY_PATH = lib.makeLibraryPath (
+            [
+              pkgs.stdenv.cc.cc.lib
+            ]
+            ++ lib.optionals pkgs.stdenv.isLinux [
+              pkgs.liburing
+              pkgs.jemalloc
+            ]
+          );
+        }
+        // lib.optionalAttrs pkgs.stdenv.isLinux {
+          PKG_CONFIG_PATH = lib.makeSearchPath "lib/pkgconfig" [
+            pkgs.liburing.dev
+          ];
+        };
+      };
+    };
+}

nix/hydra.nix

@@ -1,9 +0,0 @@
-{ inputs, ... }:
-let
-  lib = inputs.nixpkgs.lib;
-in
-{
-  flake.hydraJobs.packages = builtins.mapAttrs (
-    _name: lib.hydraJob
-  ) inputs.self.packages.x86_64-linux;
-}

nix/packages/continuwuity.nix

@@ -0,0 +1,65 @@
+{
+  lib,
+  self,
+  stdenv,
+  liburing,
+  craneLib,
+  pkg-config,
+  callPackage,
+  rustPlatform,
+  cargoExtraArgs ? "",
+  rocksdb ? callPackage ./rocksdb.nix { },
+}:
+let
+  # see https://crane.dev/API.html#cranelibfiltercargosources
+  # we need to keep the `web` directory which would be filtered out by the regular source filtering function
+  # https://crane.dev/API.html#cranelibcleancargosource
+  isWebTemplate = path: _type: builtins.match ".*(src/(web|service)|docs).*" path != null;
+  isRust = craneLib.filterCargoSources;
+  isNix = path: _type: builtins.match ".+/nix.*" path != null;
+  webOrRustNotNix = p: t: !(isNix p t) && (isWebTemplate p t || isRust p t);
+
+  src = lib.cleanSourceWith {
+    src = self;
+    filter = webOrRustNotNix;
+    name = "source";
+  };
+
+  attrs = {
+    inherit src;
+    nativeBuildInputs = [
+      pkg-config
+      rustPlatform.bindgenHook
+    ];
+    buildInputs = lib.optionals stdenv.hostPlatform.isLinux [ liburing ];
+    env = {
+      ROCKSDB_INCLUDE_DIR = "${rocksdb}/include";
+      ROCKSDB_LIB_DIR = "${rocksdb}/lib";
+    };
+  };
+in
+craneLib.buildPackage (
+  lib.recursiveUpdate attrs {
+    inherit cargoExtraArgs;
+    cargoArtifacts = craneLib.buildDepsOnly attrs;
+
+    # Needed to make continuwuity link to rocksdb
+    postFixup = lib.optionalString stdenv.hostPlatform.isLinux ''
+      old_rpath="$(patchelf --print-rpath $out/bin/conduwuit)"
+      extra_rpath="${
+        lib.makeLibraryPath [
+          rocksdb
+        ]
+      }"
+
+      patchelf  --set-rpath "$old_rpath:$extra_rpath" $out/bin/conduwuit
+    '';
+
+    meta = {
+      description = "A community-driven Matrix homeserver in Rust";
+      mainProgram = "conduwuit";
+      platforms = lib.platforms.all;
+      maintainers = with lib.maintainers; [ quadradical ];
+    };
+  }
+)

nix/packages/continuwuity/default.nix

@@ -1,59 +0,0 @@
-{ inputs, ... }:
-{
-  perSystem =
-    {
-      self',
-      lib,
-      pkgs,
-      ...
-    }:
-    let
-      uwulib = inputs.self.uwulib.init pkgs;
-    in
-    {
-      packages =
-        lib.pipe
-          [
-            # this is the default variant
-            {
-              variantName = "default";
-              commonAttrsArgs.profile = "release";
-              rocksdb = self'.packages.rocksdb;
-              features = { };
-            }
-            # this is the variant with all features enabled (liburing + jemalloc)
-            {
-              variantName = "all-features";
-              commonAttrsArgs.profile = "release";
-              rocksdb = self'.packages.rocksdb.override {
-                enableJemalloc = true;
-              };
-              features = {
-                enabledFeatures = "all";
-                disabledFeatures = uwulib.features.defaultDisabledFeatures ++ [ "bindgen-static" ];
-              };
-            }
-          ]
-          [
-            (builtins.map (cfg: rec {
-              deps = {
-                name = "continuwuity-${cfg.variantName}-deps";
-                value = uwulib.build.buildDeps {
-                  features = uwulib.features.calcFeatures cfg.features;
-                  inherit (cfg) commonAttrsArgs rocksdb;
-                };
-              };
-              bin = {
-                name = "continuwuity-${cfg.variantName}-bin";
-                value = uwulib.build.buildPackage {
-                  deps = self'.packages.${deps.name};
-                  features = uwulib.features.calcFeatures cfg.features;
-                  inherit (cfg) commonAttrsArgs rocksdb;
-                };
-              };
-            }))
-            (builtins.concatMap builtins.attrValues)
-            builtins.listToAttrs
-          ];
-    };
-}

nix/packages/default.nix

@@ -1,14 +1,18 @@
 {
-  imports = [
-    ./continuwuity
-    ./rocksdb
-    ./rust.nix
-    ./uwulib
-  ];
-
+  self,
+  ...
+}:
+{
   perSystem =
-    { self', ... }:
     {
-      packages.default = self'.packages.continuwuity-default-bin;
+      pkgs,
+      craneLib,
+      ...
+    }:
+    {
+      packages = {
+        rocksdb = pkgs.callPackage ./rocksdb.nix { };
+        default = pkgs.callPackage ./continuwuity.nix { inherit self craneLib; };
+      };
     };
 }

nix/packages/rocksdb.nix

@@ -0,0 +1,34 @@
+{
+  stdenv,
+  rocksdb,
+  fetchFromGitea,
+  rust-jemalloc-sys-unprefixed,
+  ...
+}:
+(rocksdb.override {
+  # rocksdb fails to build with prefixed jemalloc, which is required on
+  # darwin due to [1]. In this case, fall back to building rocksdb with
+  # libc malloc. This should not cause conflicts, because all of the
+  # jemalloc symbols are prefixed.
+  #
+  # [1]: https://github.com/tikv/jemallocator/blob/ab0676d77e81268cd09b059260c75b38dbef2d51/jemalloc-sys/src/env.rs#L17
+  jemalloc = rust-jemalloc-sys-unprefixed;
+  enableJemalloc = stdenv.hostPlatform.isLinux;
+}).overrideAttrs
+  ({
+    version = "continuwuity-v0.5.0-unstable-2026-03-27";
+    src = fetchFromGitea {
+      domain = "forgejo.ellis.link";
+      owner = "continuwuation";
+      repo = "rocksdb";
+      rev = "463f47afceebfe088f6922420265546bd237f249";
+      hash = "sha256-1ef75IDMs5Hba4VWEyXPJb02JyShy5k4gJfzGDhopRk=";
+    };
+
+    # We have this already at https://forgejo.ellis.link/continuwuation/rocksdb/commit/a935c0273e1ba44eacf88ce3685a9b9831486155
+    # Unsetting `patches` so we don't have to revert it and make this nix exclusive
+    patches = [ ];
+
+    # Unset postPatch, as our version override breaks version-specific sed calls in the original package
+    postPatch = "";
+  })

nix/packages/rocksdb/default.nix

@@ -1,12 +0,0 @@
-{
-  perSystem =
-    {
-      pkgs,
-      ...
-    }:
-    {
-      packages = {
-        rocksdb = pkgs.callPackage ./package.nix { };
-      };
-    };
-}

nix/packages/rocksdb/package.nix

@@ -1,87 +0,0 @@
-{
-  lib,
-  stdenv,
-
-  rocksdb,
-  liburing,
-  rust-jemalloc-sys-unprefixed,
-
-  enableJemalloc ? false,
-
-  fetchFromGitea,
-
-  ...
-}:
-let
-  notDarwin = !stdenv.hostPlatform.isDarwin;
-in
-(rocksdb.override {
-  # Override the liburing input for the build with our own so
-  # we have it built with the library flag
-  inherit liburing;
-  jemalloc = rust-jemalloc-sys-unprefixed;
-
-  # rocksdb fails to build with prefixed jemalloc, which is required on
-  # darwin due to [1]. In this case, fall back to building rocksdb with
-  # libc malloc. This should not cause conflicts, because all of the
-  # jemalloc symbols are prefixed.
-  #
-  # [1]: https://github.com/tikv/jemallocator/blob/ab0676d77e81268cd09b059260c75b38dbef2d51/jemalloc-sys/src/env.rs#L17
-  enableJemalloc = enableJemalloc && notDarwin;
-
-  # for some reason enableLiburing in nixpkgs rocksdb is default true
-  # which breaks Darwin entirely
-  enableLiburing = notDarwin;
-}).overrideAttrs
-  (old: {
-    src = fetchFromGitea {
-      domain = "forgejo.ellis.link";
-      owner = "continuwuation";
-      repo = "rocksdb";
-      rev = "10.5.fb";
-      sha256 = "sha256-X4ApGLkHF9ceBtBg77dimEpu720I79ffLoyPa8JMHaU=";
-    };
-    version = "10.5.fb";
-    cmakeFlags =
-      lib.subtractLists (builtins.map (flag: lib.cmakeBool flag true) [
-        # No real reason to have snappy or zlib, no one uses this
-        "WITH_SNAPPY"
-        "ZLIB"
-        "WITH_ZLIB"
-        # We don't need to use ldb or sst_dump (core_tools)
-        "WITH_CORE_TOOLS"
-        # We don't need to build rocksdb tests
-        "WITH_TESTS"
-        # We use rust-rocksdb via C interface and don't need C++ RTTI
-        "USE_RTTI"
-        # This doesn't exist in RocksDB, and USE_SSE is deprecated for
-        # PORTABLE=$(march)
-        "FORCE_SSE42"
-      ]) old.cmakeFlags
-      ++ (builtins.map (flag: lib.cmakeBool flag false) [
-        # No real reason to have snappy, no one uses this
-        "WITH_SNAPPY"
-        "ZLIB"
-        "WITH_ZLIB"
-        # We don't need to use ldb or sst_dump (core_tools)
-        "WITH_CORE_TOOLS"
-        # We don't need trace tools
-        "WITH_TRACE_TOOLS"
-        # We don't need to build rocksdb tests
-        "WITH_TESTS"
-        # We use rust-rocksdb via C interface and don't need C++ RTTI
-        "USE_RTTI"
-      ]);
-
-    enableLiburing = notDarwin;
-
-    # outputs has "tools" which we don't need or use
-    outputs = [ "out" ];
-
-    # preInstall hooks has stuff for messing with ldb/sst_dump which we don't need or use
-    preInstall = "";
-
-    # We have this already at https://forgejo.ellis.link/continuwuation/rocksdb/commit/a935c0273e1ba44eacf88ce3685a9b9831486155
-    # Unsetting `patches` so we don't have to revert it and make this nix exclusive
-    patches = [ ];
-  })

nix/packages/uwulib/build.nix

@@ -1,122 +0,0 @@
-args@{ pkgs, inputs, ... }:
-let
-  inherit (pkgs) lib;
-  uwuenv = import ./environment.nix args;
-  selfpkgs = inputs.self.packages.${pkgs.stdenv.system};
-in
-rec {
-  # basic, very minimal instance of the crane library with a minimal rust toolchain
-  craneLib = (inputs.crane.mkLib pkgs).overrideToolchain (_: selfpkgs.build-toolchain);
-  # the checks require more rust toolchain components, hence we have this separate instance of the crane library
-  craneLibForChecks = (inputs.crane.mkLib pkgs).overrideToolchain (_: selfpkgs.dev-toolchain);
-
-  # meta information (name, version, etc) of the rust crate based on the Cargo.toml
-  crateInfo = craneLib.crateNameFromCargoToml { cargoToml = "${inputs.self}/Cargo.toml"; };
-
-  src =
-    let
-      # see https://crane.dev/API.html#cranelibfiltercargosources
-      #
-      # we need to keep the `web` directory which would be filtered out by the regular source filtering function
-      #
-      # https://crane.dev/API.html#cranelibcleancargosource
-      isWebTemplate = path: _type: builtins.match ".*(src/(web|service)|docs).*" path != null;
-      isRust = craneLib.filterCargoSources;
-      isNix = path: _type: builtins.match ".+/nix.*" path != null;
-      webOrRustNotNix = p: t: !(isNix p t) && (isWebTemplate p t || isRust p t);
-    in
-    lib.cleanSourceWith {
-      src = inputs.self;
-      filter = webOrRustNotNix;
-      name = "source";
-    };
-
-  # common attrs that are shared between building continuwuity's deps and the package itself
-  commonAttrs =
-    {
-      profile ? "dev",
-      ...
-    }:
-    {
-      inherit (crateInfo)
-        pname
-        version
-        ;
-      inherit src;
-
-      # this prevents unnecessary rebuilds
-      strictDeps = true;
-
-      dontStrip = profile == "dev" || profile == "test";
-      dontPatchELF = profile == "dev" || profile == "test";
-
-      doCheck = true;
-
-      nativeBuildInputs = [
-        # bindgen needs the build platform's libclang. Apparently due to "splicing
-        # weirdness", pkgs.rustPlatform.bindgenHook on its own doesn't quite do the
-        # right thing here.
-        pkgs.rustPlatform.bindgenHook
-      ];
-    };
-
-  makeRocksDBEnv =
-    { rocksdb }:
-    {
-      ROCKSDB_INCLUDE_DIR = "${rocksdb}/include";
-      ROCKSDB_LIB_DIR = "${rocksdb}/lib";
-    };
-
-  # function that builds the continuwuity dependencies derivation
-  buildDeps =
-    {
-      rocksdb,
-      features,
-      commonAttrsArgs,
-    }:
-    craneLib.buildDepsOnly (
-      (commonAttrs commonAttrsArgs)
-      // {
-        env = uwuenv.buildDepsOnlyEnv
-              // (makeRocksDBEnv { inherit rocksdb; })
-              // {
-                # required since we started using unstable reqwest apparently ... otherwise the all-features build will fail
-                RUSTFLAGS = "--cfg reqwest_unstable";
-              };
-        inherit (features) cargoExtraArgs;
-      }
-
-    );
-
-  # function that builds the continuwuity package
-  buildPackage =
-    {
-      deps,
-      rocksdb,
-      features,
-      commonAttrsArgs,
-    }:
-    let
-      rocksdbEnv = makeRocksDBEnv { inherit rocksdb; };
-    in
-    craneLib.buildPackage (
-      (commonAttrs commonAttrsArgs)
-      // {
-        postFixup = ''
-          patchelf --set-rpath "$(${pkgs.patchelf}/bin/patchelf --print-rpath $out/bin/${crateInfo.pname}):${rocksdb}/lib" $out/bin/${crateInfo.pname}
-        '';
-        cargoArtifacts = deps;
-        doCheck = true;
-        env =
-          uwuenv.buildPackageEnv
-          // rocksdbEnv
-          // {
-            # required since we started using unstable reqwest apparently ... otherwise the all-features build will fail
-            RUSTFLAGS = "--cfg reqwest_unstable";
-          };
-        passthru.env = uwuenv.buildPackageEnv // rocksdbEnv;
-        meta.mainProgram = crateInfo.pname;
-        inherit (features) cargoExtraArgs;
-      }
-    );
-}

nix/packages/uwulib/default.nix

@@ -1,10 +0,0 @@
-{ inputs, ... }:
-{
-  flake.uwulib = {
-    init = pkgs: {
-      features = import ./features.nix { inherit pkgs inputs; };
-      environment = import ./environment.nix { inherit pkgs inputs; };
-      build = import ./build.nix { inherit pkgs inputs; };
-    };
-  };
-}

nix/packages/uwulib/environment.nix

@@ -1,18 +0,0 @@
-args@{ pkgs, inputs, ... }:
-let
-  uwubuild = import ./build.nix args;
-in
-rec {
-  buildDepsOnlyEnv = {
-    # https://crane.dev/faq/rebuilds-bindgen.html
-    NIX_OUTPATH_USED_AS_RANDOM_SEED = "aaaaaaaaaa";
-    CARGO_PROFILE = "release";
-  }
-  // uwubuild.craneLib.mkCrossToolchainEnv (p: pkgs.clangStdenv);
-
-  buildPackageEnv = {
-    GIT_COMMIT_HASH = inputs.self.rev or inputs.self.dirtyRev or "";
-    GIT_COMMIT_HASH_SHORT = inputs.self.shortRev or inputs.self.dirtyShortRev or "";
-  }
-  // buildDepsOnlyEnv;
-}

nix/packages/uwulib/features.nix

@@ -1,77 +0,0 @@
-{ pkgs, inputs, ... }:
-let
-  inherit (pkgs) lib;
-in
-rec {
-  defaultDisabledFeatures = [
-    # dont include experimental features
-    "experimental"
-    # jemalloc profiling/stats features are expensive and shouldn't
-    # be expected on non-debug builds.
-    "jemalloc_prof"
-    "jemalloc_stats"
-    # this is non-functional on nix for some reason
-    "hardened_malloc"
-    # conduwuit_mods is a development-only hot reload feature
-    "conduwuit_mods"
-    # we don't want to enable this feature set by default but be more specific about it
-    "full"
-  ];
-  # We perform default-feature unification in nix, because some of the dependencies
-  # on the nix side depend on feature values.
-  calcFeatures =
-    {
-      tomlPath ? "${inputs.self}/src/main",
-      # either a list of feature names or a string "all" which enables all non-default features
-      enabledFeatures ? [ ],
-      disabledFeatures ? defaultDisabledFeatures,
-      default_features ? true,
-      disable_release_max_log_level ? false,
-    }:
-    let
-      # simple helper to get the contents of a Cargo.toml file in a nix format
-      getToml = path: lib.importTOML "${path}/Cargo.toml";
-
-      # get all the features except for the default features
-      allFeatures = lib.pipe tomlPath [
-        getToml
-        (manifest: manifest.features)
-        lib.attrNames
-        (lib.remove "default")
-      ];
-
-      # get just the default enabled features
-      allDefaultFeatures = lib.pipe tomlPath [
-        getToml
-        (manifest: manifest.features.default)
-      ];
-
-      # depending on the value of enabledFeatures choose just a set or all non-default features
-      #
-      # - [ list of features ] -> choose exactly the features listed
-      # - "all" -> choose all non-default features
-      additionalFeatures = if enabledFeatures == "all" then allFeatures else enabledFeatures;
-
-      # unification with default features (if enabled)
-      features = lib.unique (additionalFeatures ++ lib.optionals default_features allDefaultFeatures);
-
-      # prepare the features that are subtracted from the set
-      disabledFeatures' =
-        disabledFeatures ++ lib.optionals disable_release_max_log_level [ "release_max_log_level" ];
-
-      # construct the final feature set
-      finalFeatures = lib.subtractLists disabledFeatures' features;
-    in
-    {
-      # final feature set, useful for querying it
-      features = finalFeatures;
-
-      # crane flag with the relevant features
-      cargoExtraArgs = builtins.concatStringsSep " " [
-        "--no-default-features"
-        "--locked"
-        (lib.optionalString (finalFeatures != [ ]) "--features")
-        (builtins.concatStringsSep "," finalFeatures)
-      ];
-    };
-}

nix/rocksdb-updater.nix

@@ -0,0 +1,14 @@
+{
+  perSystem =
+    { pkgs, ... }:
+    {
+      apps.update-rocksdb = {
+        type = "app";
+        program = pkgs.writeShellApplication {
+          name = "update-rocksdb";
+          runtimeInputs = [ pkgs.nix-update ];
+          text = "nix-update rocksdb -F --version branch";
+        };
+      };
+    };
+}

nix/rust.nix

@@ -4,6 +4,7 @@
     {
       system,
       lib,
+      pkgs,
       ...
     }:
     {
@@ -11,19 +12,18 @@
         let
           fnx = inputs.fenix.packages.${system};
 
-          stable = fnx.fromToolchainFile {
+          stable-toolchain = fnx.fromToolchainFile {
             file = inputs.self + "/rust-toolchain.toml";
 
             # See also `rust-toolchain.toml`
-            sha256 = "sha256-SJwZ8g0zF2WrKDVmHrVG3pD2RGoQeo24MEXnNx5FyuI=";
+            sha256 = "sha256-sqSWJDUxc+zaz1nBWMAJKTAGBuGWP25GCftIOlCEAtA=";
           };
         in
         {
-          # used for building nix stuff (doesn't include rustfmt overhead)
-          build-toolchain = stable;
-          # used for dev shells
+          inherit stable-toolchain;
+
           dev-toolchain = fnx.combine [
-            stable
+            stable-toolchain
             # use the nightly rustfmt because we use nightly features
             fnx.complete.rustfmt
           ];

nix/shells/default.nix

@@ -1,28 +0,0 @@
-{ inputs, ... }:
-{
-  perSystem =
-    {
-      self',
-      lib,
-      pkgs,
-      ...
-    }:
-    let
-      uwulib = inputs.self.uwulib.init pkgs;
-      rocksdbAllFeatures = self'.packages.rocksdb.override {
-        enableJemalloc = true;
-      };
-    in
-    {
-      # basic nix shell containing all things necessary to build continuwuity in all flavors manually (on x86_64-linux)
-      devShells.default = uwulib.build.craneLib.devShell {
-        packages = [
-          pkgs.pkg-config
-          pkgs.liburing
-          pkgs.rust-jemalloc-sys-unprefixed
-          rocksdbAllFeatures
-        ];
-        env.LIBCLANG_PATH = lib.makeLibraryPath [ pkgs.llvmPackages.libclang.lib ];
-      };
-    };
-}