fix(v12): Create tombstone event on room upgrade

Build and publish RPM packages for Fedora using rpkg and official
rust-packaging macros. Packages are automatically signed by Forgejo's
built-in package registry (introduced in v9.0).

Publishes packages to organised groups:
- continuwuity (binary): base group (stable/dev/branch-name)
- continuwuity-debuginfo: GROUP-debug
- continuwuity (source RPM): GROUP-src

Workflow triggers on pushes to relevant paths and version tags (v*).
Tagged releases use clean version numbers (v1.2.3 becomes 1.2.3-1)
while branch builds use sanitised branch name versioning.

Uses dnf builddep to install build dependencies directly from the
generated SRPM, ensuring consistency between CI and spec file without
duplication. This also prevents hiding packaging issues that could
occur with --nodeps fallbacks.

.forgejo/actions/create-docker-manifest/action.yml

@@ -61,8 +61,8 @@ runs:
       id: meta
       uses: docker/metadata-action@v5
       with:
-        flavour: |
-          suffix=${{ inputs.tag_suffix }}
+        flavor: |
+          suffix=${{ inputs.tag_suffix }},onlatest=true
         tags: |
           type=semver,pattern={{version}},prefix=v
           type=semver,pattern={{major}}.{{minor}},enable=${{ !startsWith(github.ref, 'refs/tags/v0.0.') }},prefix=v

.forgejo/actions/detect-runner-os/action.yml

@@ -1,58 +0,0 @@
-name: detect-runner-os
-description: |
-  Detect the actual OS name and version of the runner.
-  Provides separate outputs for name, version, and a combined slug.
-
-outputs:
-  name:
-    description: 'OS name (e.g. Ubuntu, Debian)'
-    value: ${{ steps.detect.outputs.name }}
-  version:
-    description: 'OS version (e.g. 22.04, 11)'
-    value: ${{ steps.detect.outputs.version }}
-  slug:
-    description: 'Combined OS slug (e.g. Ubuntu-22.04)'
-    value: ${{ steps.detect.outputs.slug }}
-  node_major:
-    description: 'Major version of Node.js if available (e.g. 22)'
-    value: ${{ steps.detect.outputs.node_major }}
-  node_version:
-    description: 'Full Node.js version if available (e.g. 22.19.0)'
-    value: ${{ steps.detect.outputs.node_version }}
-
-runs:
-  using: composite
-  steps:
-    - name: Detect runner OS
-      id: detect
-      shell: bash
-      run: |
-        # Detect OS version (try lsb_release first, fall back to /etc/os-release)
-        OS_VERSION=$(lsb_release -rs 2>/dev/null || grep VERSION_ID /etc/os-release | cut -d'"' -f2)
-
-        # Detect OS name and capitalise (try lsb_release first, fall back to /etc/os-release)
-        OS_NAME=$(lsb_release -is 2>/dev/null || grep "^ID=" /etc/os-release | cut -d'=' -f2 | tr -d '"' | sed 's/\b\(.\)/\u\1/g')
-
-        # Create combined slug
-        OS_SLUG="${OS_NAME}-${OS_VERSION}"
-
-        # Detect Node.js version if available
-        if command -v node >/dev/null 2>&1; then
-          NODE_VERSION=$(node --version | sed 's/v//')
-          NODE_MAJOR=$(echo $NODE_VERSION | cut -d. -f1)
-          echo "node_version=${NODE_VERSION}" >> $GITHUB_OUTPUT
-          echo "node_major=${NODE_MAJOR}" >> $GITHUB_OUTPUT
-          echo "🔍 Detected Node.js: v${NODE_VERSION}"
-        else
-          echo "node_version=" >> $GITHUB_OUTPUT
-          echo "node_major=" >> $GITHUB_OUTPUT
-          echo "🔍 Node.js not found"
-        fi
-
-        # Set OS outputs
-        echo "name=${OS_NAME}" >> $GITHUB_OUTPUT
-        echo "version=${OS_VERSION}" >> $GITHUB_OUTPUT
-        echo "slug=${OS_SLUG}" >> $GITHUB_OUTPUT
-
-        # Log detection results
-        echo "🔍 Detected Runner OS: ${OS_NAME} ${OS_VERSION}"

.forgejo/actions/prepare-docker-build/action.yml

@@ -121,7 +121,7 @@ runs:
           .cargo/git/checkouts
           .cargo/registry
           .cargo/registry/src
-        key: rust-registry-image-${{hashFiles('**/Cargo.lock') }}
+        key: continuwuity-rust-registry-image-${{hashFiles('**/Cargo.lock') }}
 
     - name: Cache cargo target
       if: ${{ env.BUILDKIT_ENDPOINT == '' }}
@@ -130,7 +130,7 @@ runs:
       with:
         path: |
           cargo-target${{ env.CPU_SUFFIX }}-${{ inputs.slug }}-${{ inputs.profile }}
-        key: cargo-target${{ env.CPU_SUFFIX }}-${{ inputs.slug }}-${{ inputs.profile }}-${{hashFiles('**/Cargo.lock') }}-${{steps.rust-toolchain.outputs.rustc_version}}
+        key: continuwuity-cargo-target${{ env.CPU_SUFFIX }}-${{ inputs.slug }}-${{ inputs.profile }}-${{hashFiles('**/Cargo.lock') }}-${{steps.rust-toolchain.outputs.rustc_version}}
 
     - name: Cache apt cache
       if: ${{ env.BUILDKIT_ENDPOINT == '' }}
@@ -139,7 +139,7 @@ runs:
       with:
         path: |
           var-cache-apt-${{ inputs.slug }}
-        key: var-cache-apt-${{ inputs.slug }}
+        key: continuwuity-var-cache-apt-${{ inputs.slug }}
 
     - name: Cache apt lib
       if: ${{ env.BUILDKIT_ENDPOINT == '' }}
@@ -148,7 +148,7 @@ runs:
       with:
         path: |
           var-lib-apt-${{ inputs.slug }}
-        key: var-lib-apt-${{ inputs.slug }}
+        key: continuwuity-var-lib-apt-${{ inputs.slug }}
 
     - name: inject cache into docker
       if: ${{ env.BUILDKIT_ENDPOINT == '' }}

.forgejo/actions/rust-toolchain/action.yml

@@ -40,7 +40,7 @@ runs:
           !~/.rustup/tmp
           !~/.rustup/downloads
         # Requires repo to be cloned if toolchain is not specified
-        key: ${{ runner.os }}-rustup-${{ inputs.toolchain || hashFiles('**/rust-toolchain.toml') }}
+        key: continuwuity-${{ runner.os }}-rustup-${{ inputs.toolchain || hashFiles('**/rust-toolchain.toml') }}
     - name: Install Rust toolchain
       if: steps.rustup-version.outputs.version == ''
       shell: bash

.forgejo/actions/setup-llvm-with-apt/action.yml

@@ -29,7 +29,7 @@ runs:
   steps:
     - name: Detect runner OS
       id: runner-os
-      uses: ./.forgejo/actions/detect-runner-os
+      uses: https://git.tomfos.tr/actions/detect-versions@v1
 
     - name: Configure cross-compilation architecture
       if: inputs.dpkg-arch != ''
@@ -69,7 +69,7 @@ runs:
           /usr/lib/x86_64-linux-gnu/libclang*.so*
           /etc/apt/sources.list.d/archive_uri-*
           /etc/apt/trusted.gpg.d/apt.llvm.org.asc
-        key: llvm-${{ steps.runner-os.outputs.slug }}-v${{ inputs.llvm-version }}-v3-${{ hashFiles('**/Cargo.lock', 'rust-toolchain.toml') }}
+        key: continuwuity-llvm-${{ steps.runner-os.outputs.slug }}-${{ steps.runner-os.outputs.arch }}-v${{ inputs.llvm-version }}-${{ hashFiles('**/Cargo.lock', 'rust-toolchain.toml') }}
 
     - name: End LLVM cache group
       shell: bash

.forgejo/actions/setup-rust/action.yml

@@ -39,7 +39,7 @@ runs:
   steps:
     - name: Detect runner OS
       id: runner-os
-      uses: ./.forgejo/actions/detect-runner-os
+      uses: https://git.tomfos.tr/actions/detect-versions@v1
 
     - name: Configure Cargo environment
       shell: bash
@@ -73,9 +73,9 @@ runs:
           .cargo/git/db
         # Registry cache saved per workflow, restored from any workflow's cache
         # Each workflow maintains its own registry that accumulates its needed crates
-        key: cargo-registry-${{ steps.runner-os.outputs.slug }}-${{ github.workflow }}
+        key: continuwuity-cargo-registry-${{ steps.runner-os.outputs.slug }}-${{ steps.runner-os.outputs.arch }}-${{ github.workflow }}
         restore-keys: |
-          cargo-registry-${{ steps.runner-os.outputs.slug }}-
+          continuwuity-cargo-registry-${{ steps.runner-os.outputs.slug }}-${{ steps.runner-os.outputs.arch }}-
 
     - name: Cache toolchain binaries
       id: toolchain-cache
@@ -86,29 +86,42 @@ runs:
           .rustup/toolchains
           .rustup/update-hashes
         # Shared toolchain cache across all Rust versions
-        key: toolchain-${{ steps.runner-os.outputs.slug }}
+        key: continuwuity-toolchain-${{ steps.runner-os.outputs.slug }}-${{ steps.runner-os.outputs.arch }}
 
 
     - name: Setup sccache
       uses: https://git.tomfos.tr/tom/sccache-action@v1
 
-    - name: Cache build artifacts
-      id: build-cache
+    - name: Cache dependencies
+      id: deps-cache
       uses: actions/cache@v4
       with:
         path: |
-          target/**/deps
-          !target/**/deps/*.rlib
-          target/**/build
           target/**/.fingerprint
-          target/**/incremental
+          target/**/deps
           target/**/*.d
+          target/**/.cargo-lock
+          target/**/CACHEDIR.TAG
+          target/**/.rustc_info.json
           /timelord/
-        # Build artifacts - cache per code change, restore from deps when code changes
+        # Dependencies cache - based on Cargo.lock, survives source code changes
         key: >-
-          build-${{ steps.runner-os.outputs.slug }}-${{ inputs.rust-version }}${{ inputs.cache-key-suffix && format('-{0}', inputs.cache-key-suffix) || '' }}-${{ hashFiles('rust-toolchain.toml', '**/Cargo.lock') }}-${{ hashFiles('**/*.rs', '**/Cargo.toml') }}
+          continuwuity-deps-${{ steps.runner-os.outputs.slug }}-${{ steps.runner-os.outputs.arch }}-${{ inputs.rust-version }}${{ inputs.cache-key-suffix && format('-{0}', inputs.cache-key-suffix) || '' }}-${{ hashFiles('rust-toolchain.toml', '**/Cargo.lock') }}
         restore-keys: |
-          build-${{ steps.runner-os.outputs.slug }}-${{ inputs.rust-version }}${{ inputs.cache-key-suffix && format('-{0}', inputs.cache-key-suffix) || '' }}-${{ hashFiles('rust-toolchain.toml', '**/Cargo.lock') }}-
+          continuwuity-deps-${{ steps.runner-os.outputs.slug }}-${{ steps.runner-os.outputs.arch }}-${{ inputs.rust-version }}${{ inputs.cache-key-suffix && format('-{0}', inputs.cache-key-suffix) || '' }}-
+
+    - name: Cache incremental compilation
+      id: incremental-cache
+      uses: actions/cache@v4
+      with:
+        path: |
+          target/**/incremental
+        # Incremental cache - based on source code changes
+        key: >-
+          continuwuity-incremental-${{ steps.runner-os.outputs.slug }}-${{ steps.runner-os.outputs.arch }}-${{ inputs.rust-version }}${{ inputs.cache-key-suffix && format('-{0}', inputs.cache-key-suffix) || '' }}-${{ hashFiles('rust-toolchain.toml', '**/Cargo.lock') }}-${{ hashFiles('**/*.rs', '**/Cargo.toml') }}
+        restore-keys: |
+          continuwuity-incremental-${{ steps.runner-os.outputs.slug }}-${{ steps.runner-os.outputs.arch }}-${{ inputs.rust-version }}${{ inputs.cache-key-suffix && format('-{0}', inputs.cache-key-suffix) || '' }}-${{ hashFiles('rust-toolchain.toml', '**/Cargo.lock') }}-
+          continuwuity-incremental-${{ steps.runner-os.outputs.slug }}-${{ steps.runner-os.outputs.arch }}-${{ inputs.rust-version }}${{ inputs.cache-key-suffix && format('-{0}', inputs.cache-key-suffix) || '' }}-
 
     - name: End cache restore group
       shell: bash

.forgejo/actions/timelord/action.yml

@@ -36,7 +36,7 @@ runs:
         path: |
           /usr/share/rust/.cargo/bin
           ~/.cargo/bin
-        key: timelord-binaries-v3
+        key: continuwuity-timelord-binaries
 
     - name: Check if binaries need installation
       shell: bash
@@ -82,7 +82,7 @@ runs:
         path: |
           /usr/share/rust/.cargo/bin
           ~/.cargo/bin
-        key: timelord-binaries-v3
+        key: continuwuity-timelord-binaries
 
 
     - name: Restore timelord cache with fallbacks
@@ -92,7 +92,7 @@ runs:
         path: ${{ env.TIMELORD_CACHE_PATH }}
         key: ${{ env.TIMELORD_KEY }}
         restore-keys: |
-          timelord-v1-${{ github.repository }}-
+          continuwuity-timelord-${{ github.repository }}-
 
     - name: Initialize timestamps on complete cache miss
       if: steps.timelord-restore.outputs.cache-hit != 'true'

.forgejo/workflows/build-debian.yml

@@ -0,0 +1,148 @@
+name: Build / Debian DEB
+
+concurrency:
+  group: "build-debian-${{ forge.ref }}"
+  cancel-in-progress: true
+
+on:
+  push:
+    tags:
+      - "v*.*.*"
+  workflow_dispatch:
+  schedule:
+    - cron: '30 0 * * *'
+
+jobs:
+  build:
+    runs-on: ubuntu-latest
+    strategy:
+      matrix:
+        container: ["ubuntu-latest", "ubuntu-previous", "debian-latest", "debian-oldstable"]
+    container:
+      image: "ghcr.io/tcpipuk/act-runner:${{ matrix.container }}"
+
+    steps:
+      - name: Get Debian version
+        id: debian-version
+        run: |
+          VERSION=$(cat /etc/debian_version)
+          DISTRIBUTION=$(lsb_release -sc 2>/dev/null)
+          echo "version=$VERSION" >> $GITHUB_OUTPUT
+          echo "distribution=$DISTRIBUTION" >> $GITHUB_OUTPUT
+          echo "Debian distribution: $DISTRIBUTION ($VERSION)"
+
+      - name: Checkout repository with full history
+        uses: https://code.forgejo.org/actions/checkout@v4
+        with:
+          fetch-depth: 0
+
+      - name: Cache Cargo registry
+        uses: https://code.forgejo.org/actions/cache@v4
+        with:
+          path: |
+            ~/.cargo/registry
+            ~/.cargo/git
+          key: cargo-debian-${{ steps.debian-version.outputs.distribution }}-${{ hashFiles('**/Cargo.lock') }}
+          restore-keys: |
+            cargo-debian-${{ steps.debian-version.outputs.distribution }}-
+
+      - name: Setup sccache
+        uses: https://git.tomfos.tr/tom/sccache-action@v1
+
+      - name: Configure sccache environment
+        run: |
+          echo "RUSTC_WRAPPER=sccache" >> $GITHUB_ENV
+          echo "CMAKE_C_COMPILER_LAUNCHER=sccache" >> $GITHUB_ENV
+          echo "CMAKE_CXX_COMPILER_LAUNCHER=sccache" >> $GITHUB_ENV
+          echo "SCCACHE_CACHE_SIZE=10G" >> $GITHUB_ENV
+          # Aggressive GC since cache restores don't increment counter
+          echo "CARGO_INCREMENTAL_GC_TRIGGER=5" >> $GITHUB_ENV
+
+      - name: Setup Rust nightly
+        uses: ./.forgejo/actions/setup-rust
+        with:
+          rust-version: nightly
+          github-token: ${{ secrets.GH_PUBLIC_RO }}
+
+      - name: Get package version and component
+        id: package-meta
+        run: |
+          BASE_VERSION=$(cargo metadata --no-deps --format-version 1 | jq -r ".packages[] | select(.name == \"conduwuit\").version" | sed 's/[^a-zA-Z0-9.+]/~/g')
+          # VERSION is the package version, COMPONENT is used in
+          # apt's repository config like a git repo branch
+          if [[ "${{ forge.ref }}" == "refs/tags/"* ]]; then
+            # Use the "stable" component for tagged releases
+            COMPONENT="stable"
+            VERSION=$BASE_VERSION
+          else
+            # Use the "dev" component for development builds
+            SHA=$(echo "${{ forge.sha }}" | cut -c1-7)
+            DATE=$(date +%Y%m%d)
+            if [ "${{ forge.ref_name }}" = "main" ]; then
+              COMPONENT="dev"
+            else
+              # Use the sanitized ref name as the component for feature branches
+              COMPONENT="dev-$(echo '${{ forge.ref_name }}' | sed 's/[^a-zA-Z0-9.+]/-/g' | tr '[:upper:]' '[:lower:]' | cut -c1-30)"
+            fi
+            CLEAN_COMPONENT=$(echo $COMPONENT | sed 's/[^a-zA-Z0-9.+]/~/g')
+            VERSION="$BASE_VERSION~git$DATE.$SHA-$CLEAN_COMPONENT"
+          fi
+          echo "component=$COMPONENT" >> $GITHUB_OUTPUT
+          echo "version=$VERSION" >> $GITHUB_OUTPUT
+          echo "Component: $COMPONENT"
+          echo "Version: $VERSION"
+
+      - name: Install cargo-deb
+        run: |
+          if command -v cargo-deb &> /dev/null; then
+            echo "cargo-deb already available"
+          else
+            echo "Installing cargo-deb"
+            cargo-binstall -y --no-symlinks cargo-deb
+          fi
+
+      - name: Install build dependencies
+        run: |
+          apt-get update -y
+          # Build dependencies for rocksdb
+          apt-get install -y clang liburing-dev
+
+      - name: Run cargo-deb
+        id: cargo-deb
+        run: |
+          DEB_PATH=$(cargo deb --deb-version ${{ steps.package-meta.outputs.version }})
+          echo "path=$DEB_PATH" >> $GITHUB_OUTPUT
+
+      - name: Test deb installation
+        run: |
+          echo "Installing: ${{ steps.cargo-deb.outputs.path }}"
+
+          apt-get install -y ${{ steps.cargo-deb.outputs.path }}
+
+          dpkg -s continuwuity
+
+          [ -f /usr/bin/conduwuit ] && echo "✅ Binary installed successfully"
+          [ -f /usr/lib/systemd/system/conduwuit.service ] && echo "✅ Systemd service installed"
+          [ -f /etc/conduwuit/conduwuit.toml ] && echo "✅ Config file installed"
+
+      - name: Upload deb artifact
+        uses: https://code.forgejo.org/actions/upload-artifact@v3
+        with:
+          name: continuwuity-${{ steps.debian-version.outputs.distribution }}
+          path: ${{ steps.cargo-deb.outputs.path }}
+
+      - name: Publish to Forgejo package registry
+        if: ${{ forge.event_name == 'push' || forge.event_name == 'workflow_dispatch' }}
+        run: |
+          OWNER="continuwuation"
+          DISTRIBUTION=${{ steps.debian-version.outputs.distribution }}
+          COMPONENT=${{ steps.package-meta.outputs.component }}
+          DEB=${{ steps.cargo-deb.outputs.path }}
+
+          echo "Publishing: $DEB in component $COMPONENT for distribution $DISTRIBUTION"
+
+          curl --fail-with-body \
+            -X PUT \
+            -H "Authorization: token ${{ secrets.BUILTIN_REGISTRY_PASSWORD || secrets.GITHUB_TOKEN }}" \
+            --upload-file "$DEB" \
+            "${{ forge.server_url }}/api/packages/$OWNER/debian/pool/$DISTRIBUTION/$COMPONENT/upload"

.forgejo/workflows/build-fedora.yml

@@ -0,0 +1,389 @@
+name: Build / Fedora RPM
+
+concurrency:
+  group: "build-fedora-${{ github.ref }}"
+  cancel-in-progress: true
+
+on:
+  push:
+    tags:
+      - "v*.*.*"
+    # paths:
+    #   - 'pkg/fedora/**'
+    #   - 'src/**'
+    #   - 'Cargo.toml'
+    #   - 'Cargo.lock'
+    #   - '.forgejo/workflows/build-fedora.yml'
+  workflow_dispatch:
+  schedule:
+    - cron: '30 0 * * *'
+
+jobs:
+  build:
+    runs-on: fedora-latest
+    steps:
+      - name: Detect Fedora version
+        id: fedora
+        run: |
+          VERSION=$(rpm -E %fedora)
+          echo "version=$VERSION" >> $GITHUB_OUTPUT
+          echo "Fedora version: $VERSION"
+
+      - name: Checkout repository with full history
+        uses: https://code.forgejo.org/actions/checkout@v4
+        with:
+          fetch-depth: 0
+
+
+      - name: Cache DNF packages
+        uses: https://code.forgejo.org/actions/cache@v4
+        with:
+          path: |
+            /var/cache/dnf
+            /var/cache/yum
+          key: dnf-fedora${{ steps.fedora.outputs.version }}-${{ hashFiles('pkg/fedora/continuwuity.spec.rpkg') }}-v1
+          restore-keys: |
+            dnf-fedora${{ steps.fedora.outputs.version }}-
+
+      - name: Cache Cargo registry
+        uses: https://code.forgejo.org/actions/cache@v4
+        with:
+          path: |
+            ~/.cargo/registry
+            ~/.cargo/git
+          key: cargo-fedora${{ steps.fedora.outputs.version }}-${{ hashFiles('**/Cargo.lock') }}
+          restore-keys: |
+            cargo-fedora${{ steps.fedora.outputs.version }}-
+
+      - name: Cache Rust build dependencies
+        uses: https://code.forgejo.org/actions/cache@v4
+        with:
+          path: |
+            ~/rpmbuild/BUILD/*/target/release/deps
+            ~/rpmbuild/BUILD/*/target/release/build
+            ~/rpmbuild/BUILD/*/target/release/.fingerprint
+            ~/rpmbuild/BUILD/*/target/release/incremental
+          key: rust-deps-fedora${{ steps.fedora.outputs.version }}-${{ hashFiles('**/Cargo.lock') }}
+          restore-keys: |
+            rust-deps-fedora${{ steps.fedora.outputs.version }}-
+
+      - name: Setup sccache
+        uses: https://git.tomfos.tr/tom/sccache-action@v1
+
+      - name: Configure sccache environment
+        run: |
+          echo "RUSTC_WRAPPER=sccache" >> $GITHUB_ENV
+          echo "CMAKE_C_COMPILER_LAUNCHER=sccache" >> $GITHUB_ENV
+          echo "CMAKE_CXX_COMPILER_LAUNCHER=sccache" >> $GITHUB_ENV
+          echo "SCCACHE_CACHE_SIZE=10G" >> $GITHUB_ENV
+          # Aggressive GC since cache restores don't increment counter
+          echo "CARGO_INCREMENTAL_GC_TRIGGER=5" >> $GITHUB_ENV
+
+      - name: Install base RPM tools
+        run: |
+          dnf install -y --setopt=keepcache=1 \
+            fedora-packager \
+            python3-pip \
+            rpm-sign \
+            rpkg \
+            wget
+
+      - name: Setup build environment and build SRPM
+        run: |
+          git config --global --add safe.directory "$GITHUB_WORKSPACE"
+          git config --global user.email "ci@continuwuity.org"
+          git config --global user.name "Continuwuity"
+
+          rpmdev-setuptree
+
+          cd "$GITHUB_WORKSPACE"
+
+          # Determine release suffix and version based on ref type and branch
+          if [[ "${{ github.ref }}" == "refs/tags/"* ]]; then
+            # Tags get clean version numbers for stable releases
+            RELEASE_SUFFIX=""
+            TAG_NAME="${{ github.ref_name }}"
+            # Extract version from tag (remove v prefix if present)
+            TAG_VERSION=$(echo "$TAG_NAME" | sed 's/^v//')
+
+            # Create spec file with tag version
+            sed -e "s/^Version:.*$/Version:        $TAG_VERSION/" \
+                -e "s/^Release:.*$/Release:        1%{?dist}/" \
+                pkg/fedora/continuwuity.spec.rpkg > continuwuity.spec.rpkg
+          elif [ "${{ github.ref_name }}" = "main" ]; then
+            # Main branch gets .dev suffix
+            RELEASE_SUFFIX=".dev"
+
+            # Replace the Release line to include our suffix
+            sed "s/^Release:.*$/Release:        1${RELEASE_SUFFIX}%{?dist}/" \
+              pkg/fedora/continuwuity.spec.rpkg > continuwuity.spec.rpkg
+          else
+            # Other branches get sanitized branch name as suffix
+            SAFE_BRANCH=$(echo "${{ github.ref_name }}" | sed 's/[^a-zA-Z0-9]/_/g' | cut -c1-20)
+            RELEASE_SUFFIX=".${SAFE_BRANCH}"
+
+            # Replace the Release line to include our suffix
+            sed "s/^Release:.*$/Release:        1${RELEASE_SUFFIX}%{?dist}/" \
+              pkg/fedora/continuwuity.spec.rpkg > continuwuity.spec.rpkg
+          fi
+
+          rpkg srpm --outdir "$HOME/rpmbuild/SRPMS"
+
+          ls -la $HOME/rpmbuild/SRPMS/
+
+
+      - name: Install build dependencies from SRPM
+        run: |
+          SRPM=$(find "$HOME/rpmbuild/SRPMS" -name "*.src.rpm" | head -1)
+
+          if [ -z "$SRPM" ]; then
+            echo "Error: No SRPM file found"
+            exit 1
+          fi
+
+          echo "Installing build dependencies from: $(basename $SRPM)"
+          dnf builddep -y "$SRPM"
+
+      - name: Build RPM from SRPM
+        run: |
+          SRPM=$(find "$HOME/rpmbuild/SRPMS" -name "*.src.rpm" | head -1)
+
+          if [ -z "$SRPM" ]; then
+            echo "Error: No SRPM file found"
+            exit 1
+          fi
+
+          echo "Building from SRPM: $SRPM"
+
+          rpmbuild --rebuild "$SRPM" \
+            --define "_topdir $HOME/rpmbuild" \
+            --define "_sourcedir $GITHUB_WORKSPACE" \
+            --nocheck  # Skip %check section to avoid test dependencies
+
+
+      - name: Test RPM installation
+        run: |
+          # Find the main binary RPM (exclude debug and source RPMs)
+          RPM=$(find "$HOME/rpmbuild/RPMS" -name "continuwuity-*.rpm" \
+            ! -name "*debuginfo*" \
+            ! -name "*debugsource*" \
+            ! -name "*.src.rpm" | head -1)
+
+          if [ -z "$RPM" ]; then
+            echo "Error: No binary RPM file found"
+            exit 1
+          fi
+
+          echo "Testing installation of: $RPM"
+
+          # Dry run first
+          rpm -qpi "$RPM"
+          echo ""
+          rpm -qpl "$RPM"
+
+          # Actually install it
+          dnf install -y "$RPM"
+
+          # Verify installation
+          rpm -qa | grep continuwuity
+
+          # Check that the binary exists
+          [ -f /usr/bin/conduwuit ] && echo "✅ Binary installed successfully"
+          [ -f /usr/lib/systemd/system/conduwuit.service ] && echo "✅ Systemd service installed"
+          [ -f /etc/conduwuit/conduwuit.toml ] && echo "✅ Config file installed"
+
+      - name: List built packages
+        run: |
+          echo "Binary RPMs:"
+          find "$HOME/rpmbuild/RPMS" -name "*.rpm" -type f -exec ls -la {} \;
+
+          echo ""
+          echo "Source RPMs:"
+          find "$HOME/rpmbuild/SRPMS" -name "*.rpm" -type f -exec ls -la {} \;
+
+      - name: Collect artifacts
+        run: |
+          mkdir -p artifacts
+
+          find "$HOME/rpmbuild/RPMS" -name "*.rpm" -type f -exec cp {} artifacts/ \;
+          find "$HOME/rpmbuild/SRPMS" -name "*.rpm" -type f -exec cp {} artifacts/ \;
+
+          cd artifacts
+          echo "Build Information:" > BUILD_INFO.txt
+          echo "==================" >> BUILD_INFO.txt
+          echo "Git commit: ${{ github.sha }}" >> BUILD_INFO.txt
+          echo "Git branch: ${{ github.ref_name }}" >> BUILD_INFO.txt
+          echo "Build date: $(date -u +%Y-%m-%d_%H:%M:%S_UTC)" >> BUILD_INFO.txt
+          echo "" >> BUILD_INFO.txt
+          echo "Package contents:" >> BUILD_INFO.txt
+          echo "-----------------" >> BUILD_INFO.txt
+          for rpm in *.rpm; do
+            echo "" >> BUILD_INFO.txt
+            echo "File: $rpm" >> BUILD_INFO.txt
+            rpm -qpi "$rpm" 2>/dev/null | grep -E "^(Name|Version|Release|Architecture|Size)" >> BUILD_INFO.txt
+          done
+
+          ls -la
+
+      - name: Upload binary RPM artifact
+        run: |
+          # Find the main binary RPM (exclude debug and source RPMs)
+          BIN_RPM=$(find artifacts -name "continuwuity-*.rpm" \
+            ! -name "*debuginfo*" \
+            ! -name "*debugsource*" \
+            ! -name "*.src.rpm" \
+            -type f)
+
+          mkdir -p upload-bin
+          cp $BIN_RPM upload-bin/
+
+      - name: Upload binary RPM
+        uses: https://code.forgejo.org/actions/upload-artifact@v3
+        with:
+          name: continuwuity
+          path: upload-bin/
+
+      - name: Upload debug RPM artifact
+        uses: https://code.forgejo.org/actions/upload-artifact@v3
+        with:
+          name: continuwuity-debug
+          path: artifacts/*debuginfo*.rpm
+
+      - name: Publish to RPM Package Registry
+        if: ${{ github.event_name == 'push' || github.event_name == 'workflow_dispatch' }}
+        run: |
+          # Find the main binary RPM (exclude debug and source RPMs)
+          RPM=$(find artifacts -name "continuwuity-*.rpm" \
+            ! -name "*debuginfo*" \
+            ! -name "*debugsource*" \
+            ! -name "*.src.rpm" \
+            -type f | head -1)
+
+          if [ -z "$RPM" ]; then
+            echo "No binary RPM found to publish"
+            exit 0
+          fi
+
+          RPM_BASENAME=$(basename "$RPM")
+          echo "Publishing: $RPM_BASENAME"
+
+          # Determine the group based on ref type and branch
+          if [[ "${{ github.ref }}" == "refs/tags/"* ]]; then
+            GROUP="stable"
+            # For tags, extract the tag name for version info
+            TAG_NAME="${{ github.ref_name }}"
+          elif [ "${{ github.ref_name }}" = "main" ]; then
+            GROUP="dev"
+          else
+            # Use sanitized branch name as group for feature branches
+            GROUP=$(echo "${{ github.ref_name }}" | sed 's/[^a-zA-Z0-9]/-/g' | tr '[:upper:]' '[:lower:]' | cut -c1-30)
+          fi
+
+          PACKAGE_INFO=$(rpm -qpi "$RPM" 2>/dev/null)
+          PACKAGE_NAME=$(echo "$PACKAGE_INFO" | grep "^Name" | awk '{print $3}')
+          PACKAGE_VERSION=$(echo "$PACKAGE_INFO" | grep "^Version" | awk '{print $3}')
+          PACKAGE_RELEASE=$(echo "$PACKAGE_INFO" | grep "^Release" | awk '{print $3}')
+          PACKAGE_ARCH=$(echo "$PACKAGE_INFO" | grep "^Architecture" | awk '{print $2}')
+
+          # Full version includes release
+          FULL_VERSION="${PACKAGE_VERSION}-${PACKAGE_RELEASE}"
+
+          # Forgejo's RPM registry cannot overwrite existing packages, so we must delete first
+          # 404 is OK if package doesn't exist yet
+          echo "Removing any existing package: $PACKAGE_NAME-$FULL_VERSION.$PACKAGE_ARCH"
+          RESPONSE=$(curl -s -w "\n%{http_code}" -X DELETE \
+            -H "Authorization: token ${{ secrets.BUILTIN_REGISTRY_PASSWORD || secrets.GITHUB_TOKEN }}" \
+            "https://forgejo.ellis.link/api/packages/continuwuation/rpm/$GROUP/package/$PACKAGE_NAME/$FULL_VERSION/$PACKAGE_ARCH")
+          HTTP_CODE=$(echo "$RESPONSE" | tail -n1)
+
+          if [ "$HTTP_CODE" != "204" ] && [ "$HTTP_CODE" != "404" ]; then
+            echo "ERROR: Failed to delete package (HTTP $HTTP_CODE)"
+            echo "$RESPONSE" | head -n -1
+            exit 1
+          fi
+
+          curl --fail-with-body \
+            -X PUT \
+            -H "Authorization: token ${{ secrets.BUILTIN_REGISTRY_PASSWORD || secrets.GITHUB_TOKEN }}" \
+            -H "Content-Type: application/x-rpm" \
+            -T "$RPM" \
+            "https://forgejo.ellis.link/api/packages/continuwuation/rpm/$GROUP/upload?sign=true"
+
+          echo ""
+          echo "✅ Published binary RPM to: https://forgejo.ellis.link/continuwuation/-/packages/rpm/continuwuity/"
+          echo "Group: $GROUP"
+
+          # Upload debug RPMs to separate group
+          DEBUG_RPMS=$(find artifacts -name "*debuginfo*.rpm")
+          if [ -n "$DEBUG_RPMS" ]; then
+            echo ""
+            echo "Publishing debug RPMs to group: ${GROUP}-debug"
+
+            for DEBUG_RPM in $DEBUG_RPMS; do
+              echo "Publishing: $(basename "$DEBUG_RPM")"
+
+              DEBUG_INFO=$(rpm -qpi "$DEBUG_RPM" 2>/dev/null)
+              DEBUG_NAME=$(echo "$DEBUG_INFO" | grep "^Name" | awk '{print $3}')
+              DEBUG_VERSION=$(echo "$DEBUG_INFO" | grep "^Version" | awk '{print $3}')
+              DEBUG_RELEASE=$(echo "$DEBUG_INFO" | grep "^Release" | awk '{print $3}')
+              DEBUG_ARCH=$(echo "$DEBUG_INFO" | grep "^Architecture" | awk '{print $2}')
+              DEBUG_FULL_VERSION="${DEBUG_VERSION}-${DEBUG_RELEASE}"
+
+              # Must delete existing package first (Forgejo limitation)
+              RESPONSE=$(curl -s -w "\n%{http_code}" -X DELETE \
+                -H "Authorization: token ${{ secrets.BUILTIN_REGISTRY_PASSWORD || secrets.GITHUB_TOKEN }}" \
+                "https://forgejo.ellis.link/api/packages/continuwuation/rpm/${GROUP}-debug/package/$DEBUG_NAME/$DEBUG_FULL_VERSION/$DEBUG_ARCH")
+              HTTP_CODE=$(echo "$RESPONSE" | tail -n1)
+
+              if [ "$HTTP_CODE" != "204" ] && [ "$HTTP_CODE" != "404" ]; then
+                echo "ERROR: Failed to delete debug package (HTTP $HTTP_CODE)"
+                echo "$RESPONSE" | head -n -1
+                exit 1
+              fi
+
+              curl --fail-with-body \
+                -X PUT \
+                -H "Authorization: token ${{ secrets.BUILTIN_REGISTRY_PASSWORD || secrets.GITHUB_TOKEN }}" \
+                -H "Content-Type: application/x-rpm" \
+                -T "$DEBUG_RPM" \
+                "https://forgejo.ellis.link/api/packages/continuwuation/rpm/${GROUP}-debug/upload?sign=true"
+            done
+
+            echo "✅ Published debug RPMs to group: ${GROUP}-debug"
+          fi
+
+          # Also upload the SRPM to separate group
+          SRPM=$(find artifacts -name "*.src.rpm" | head -1)
+          if [ -n "$SRPM" ]; then
+            echo ""
+            echo "Publishing source RPM: $(basename "$SRPM")"
+            echo "Publishing to group: ${GROUP}-src"
+
+            SRPM_INFO=$(rpm -qpi "$SRPM" 2>/dev/null)
+            SRPM_NAME=$(echo "$SRPM_INFO" | grep "^Name" | awk '{print $3}')
+            SRPM_VERSION=$(echo "$SRPM_INFO" | grep "^Version" | awk '{print $3}')
+            SRPM_RELEASE=$(echo "$SRPM_INFO" | grep "^Release" | awk '{print $3}')
+            SRPM_FULL_VERSION="${SRPM_VERSION}-${SRPM_RELEASE}"
+
+            # Must delete existing SRPM first (Forgejo limitation)
+            echo "Removing any existing SRPM: $SRPM_NAME-$SRPM_FULL_VERSION.src"
+            RESPONSE=$(curl -s -w "\n%{http_code}" -X DELETE \
+              -H "Authorization: token ${{ secrets.BUILTIN_REGISTRY_PASSWORD || secrets.GITHUB_TOKEN }}" \
+              "https://forgejo.ellis.link/api/packages/continuwuation/rpm/${GROUP}-src/package/$SRPM_NAME/$SRPM_FULL_VERSION/src")
+            HTTP_CODE=$(echo "$RESPONSE" | tail -n1)
+
+            if [ "$HTTP_CODE" != "204" ] && [ "$HTTP_CODE" != "404" ]; then
+              echo "ERROR: Failed to delete SRPM (HTTP $HTTP_CODE)"
+              echo "$RESPONSE" | head -n -1
+              exit 1
+            fi
+
+            curl --fail-with-body \
+              -X PUT \
+              -H "Authorization: token ${{ secrets.BUILTIN_REGISTRY_PASSWORD || secrets.GITHUB_TOKEN }}" \
+              -H "Content-Type: application/x-rpm" \
+              -T "$SRPM" \
+              "https://forgejo.ellis.link/api/packages/continuwuation/rpm/${GROUP}-src/upload?sign=true"
+
+            echo "✅ Published source RPM to group: ${GROUP}-src"
+          fi

.forgejo/workflows/documentation.yml

@@ -51,7 +51,7 @@ jobs:
 
       - name: Detect runner environment
         id: runner-env
-        uses: ./.forgejo/actions/detect-runner-os
+        uses: https://git.tomfos.tr/actions/detect-versions@v1
 
       - name: Setup Node.js
         if: steps.runner-env.outputs.node_major == '' || steps.runner-env.outputs.node_major < '20'
@@ -63,9 +63,7 @@ jobs:
         uses: actions/cache@v3
         with:
           path: ~/.npm
-          key: ${{ steps.runner-env.outputs.slug }}-node-${{ hashFiles('**/package-lock.json') }}
-          restore-keys: |
-            ${{ steps.runner-env.outputs.slug }}-node-
+          key: continuwuity-${{ steps.runner-env.outputs.slug }}-${{ steps.runner-env.outputs.arch }}-node-${{ steps.runner-env.outputs.node_version }}
 
       - name: Install dependencies
         run: npm install --save-dev wrangler@latest

.forgejo/workflows/renovate.yml

@@ -43,7 +43,7 @@ jobs:
     name: Renovate
     runs-on: ubuntu-latest
     container:
-      image: ghcr.io/renovatebot/renovate:41.122.3@sha256:1ea1fb8fc3e3cc5cec1340c6b25ac0de53c41662c7d65f46aeb8ca42282c93e9
+      image: ghcr.io/renovatebot/renovate:41.127.2@sha256:66bc84e2f889025fbb3c9df863500dcc18bc64ac85bcf629d015064377d77f31
       options: --tmpfs /tmp:exec
     steps:
       - name: Checkout
@@ -59,27 +59,27 @@ jobs:
         with:
           path: |
             /tmp/renovate/cache/renovate/repository
-          key: repo-cache-${{ github.run_id }}
+          key: renovate-repo-cache-${{ github.run_id }}
           restore-keys: |
-            repo-cache-
+            renovate-repo-cache-
 
       - name: Restore renovate package cache
         uses: actions/cache/restore@v4
         with:
           path: |
             /tmp/renovate/cache/renovate/renovate-cache-sqlite
-          key: package-cache-${{ github.run_id }}
+          key: renovate-package-cache-${{ github.run_id }}
           restore-keys: |
-            package-cache-
+            renovate-package-cache-
 
       - name: Restore renovate OSV cache
         uses: actions/cache/restore@v4
         with:
           path: |
             /tmp/osv
-          key: osv-cache-${{ github.run_id }}
+          key: renovate-osv-cache-${{ github.run_id }}
           restore-keys: |
-            osv-cache-
+            renovate-osv-cache-
 
       - name: Self-hosted Renovate
         run: renovate
@@ -113,7 +113,7 @@ jobs:
         with:
           path: |
             /tmp/renovate/cache/renovate/repository
-          key: repo-cache-${{ github.run_id }}
+          key: renovate-repo-cache-${{ github.run_id }}
 
       - name: Save renovate package cache
         if: always()
@@ -121,7 +121,7 @@ jobs:
         with:
           path: |
             /tmp/renovate/cache/renovate/renovate-cache-sqlite
-          key: package-cache-${{ github.run_id }}
+          key: renovate-package-cache-${{ github.run_id }}
 
       - name: Save renovate OSV cache
         if: always()
@@ -129,4 +129,4 @@ jobs:
         with:
           path: |
             /tmp/osv
-          key: osv-cache-${{ github.run_id }}
+          key: renovate-osv-cache-${{ github.run_id }}

docker/Dockerfile

@@ -166,7 +166,7 @@ ARG RUST_PROFILE=release
 # Build the binary
 RUN --mount=type=cache,target=/usr/local/cargo/registry \
     --mount=type=cache,target=/usr/local/cargo/git/db \
-    --mount=type=cache,target=/app/target,id=cargo-target-${TARGET_CPU}-${TARGETPLATFORM}-${RUST_PROFILE} \
+    --mount=type=cache,target=/app/target,id=continuwuity-cargo-target-${TARGET_CPU}-${TARGETPLATFORM}-${RUST_PROFILE} \
     bash <<'EOF'
     set -o allexport
     set -o xtrace

docker/musl.Dockerfile

@@ -122,7 +122,7 @@ ARG RUST_PROFILE=release
 # Build the binary
 RUN --mount=type=cache,target=/usr/local/cargo/registry \
     --mount=type=cache,target=/usr/local/cargo/git/db \
-    --mount=type=cache,target=/app/target,id=cargo-target-${TARGET_CPU}-${TARGETPLATFORM}-musl-${RUST_PROFILE} \
+    --mount=type=cache,target=/app/target,id=continuwuity-cargo-target-${TARGET_CPU}-${TARGETPLATFORM}-musl-${RUST_PROFILE} \
     bash <<'EOF'
     set -o allexport
     set -o xtrace

docs/SUMMARY.md

@@ -10,6 +10,7 @@ # Summary
   - [Kubernetes](deploying/kubernetes.md)
   - [Arch Linux](deploying/arch-linux.md)
   - [Debian](deploying/debian.md)
+  - [Fedora](deploying/fedora.md)
   - [FreeBSD](deploying/freebsd.md)
 - [TURN](turn.md)
 - [Appservices](appservices.md)

docs/deploying/fedora.md

@@ -0,0 +1,201 @@
+# RPM Installation Guide
+
+Continuwuity is available as RPM packages for Fedora, RHEL, and compatible distributions.
+
+The RPM packaging files are maintained in the `fedora/` directory:
+- `continuwuity.spec.rpkg` - RPM spec file using rpkg macros for building from git
+- `continuwuity.service` - Systemd service file for the server
+- `RPM-GPG-KEY-continuwuity.asc` - GPG public key for verifying signed packages
+
+RPM packages built by CI are signed with our GPG key (Ed25519, ID: `5E0FF73F411AAFCA`).
+
+```bash
+# Import the signing key
+sudo rpm --import https://forgejo.ellis.link/continuwuation/continuwuity/raw/branch/main/fedora/RPM-GPG-KEY-continuwuity.asc
+
+# Verify a downloaded package
+rpm --checksig continuwuity-*.rpm
+```
+
+## Installation methods
+
+**Stable releases** (recommended)
+
+```bash
+# Add the repository and install
+sudo dnf config-manager addrepo --from-repofile=https://forgejo.ellis.link/api/packages/continuwuation/rpm/stable/continuwuation.repo
+sudo dnf install continuwuity
+```
+
+**Development builds** from main branch
+
+```bash
+# Add the dev repository and install
+sudo dnf config-manager addrepo --from-repofile=https://forgejo.ellis.link/api/packages/continuwuation/rpm/dev/continuwuation.repo
+sudo dnf install continuwuity
+```
+
+**Feature branch builds** (example: `tom/new-feature`)
+
+```bash
+# Branch names are sanitized (slashes become hyphens, lowercase only)
+sudo dnf config-manager addrepo --from-repofile=https://forgejo.ellis.link/api/packages/continuwuation/rpm/tom-new-feature/continuwuation.repo
+sudo dnf install continuwuity
+```
+
+**Direct installation** without adding repository
+
+```bash
+# Latest stable release
+sudo dnf install https://forgejo.ellis.link/api/packages/continuwuation/rpm/stable/continuwuity
+
+# Latest development build
+sudo dnf install https://forgejo.ellis.link/api/packages/continuwuation/rpm/dev/continuwuity
+
+# Specific feature branch
+sudo dnf install https://forgejo.ellis.link/api/packages/continuwuation/rpm/branch-name/continuwuity
+```
+
+**Manual repository configuration** (alternative method)
+
+```bash
+cat << 'EOF' | sudo tee /etc/yum.repos.d/continuwuity.repo
+[continuwuity]
+name=Continuwuity - Matrix homeserver
+baseurl=https://forgejo.ellis.link/api/packages/continuwuation/rpm/stable
+enabled=1
+gpgcheck=1
+gpgkey=https://forgejo.ellis.link/continuwuation/continuwuity/raw/branch/main/fedora/RPM-GPG-KEY-continuwuity.asc
+EOF
+
+sudo dnf install continuwuity
+```
+
+## Package management
+
+**Automatic updates** with DNF Automatic
+
+```bash
+# Install and configure
+sudo dnf install dnf-automatic
+sudo nano /etc/dnf/automatic.conf  # Set: apply_updates = yes
+sudo systemctl enable --now dnf-automatic.timer
+```
+
+**Manual updates**
+
+```bash
+# Check for updates
+sudo dnf check-update continuwuity
+
+# Update to latest version
+sudo dnf update continuwuity
+```
+
+**Switching channels** (stable/dev/feature branches)
+
+```bash
+# List enabled repositories
+dnf repolist | grep continuwuation
+
+# Disable current repository
+sudo dnf config-manager --set-disabled continuwuation-stable  # or -dev, or branch name
+
+# Enable desired repository
+sudo dnf config-manager --set-enabled continuwuation-dev  # or -stable, or branch name
+
+# Update to the new channel's version
+sudo dnf update continuwuity
+```
+
+**Verifying installation**
+
+```bash
+# Check installed version
+rpm -q continuwuity
+
+# View package information
+rpm -qi continuwuity
+
+# List installed files
+rpm -ql continuwuity
+
+# Verify package integrity
+rpm -V continuwuity
+```
+
+## Service management and removal
+
+**Systemd service commands**
+
+```bash
+# Start the service
+sudo systemctl start conduwuit
+
+# Enable on boot
+sudo systemctl enable conduwuit
+
+# Check status
+sudo systemctl status conduwuit
+
+# View logs
+sudo journalctl -u conduwuit -f
+```
+
+**Uninstallation**
+
+```bash
+# Stop and disable the service
+sudo systemctl stop conduwuit
+sudo systemctl disable conduwuit
+
+# Remove the package
+sudo dnf remove continuwuity
+
+# Remove the repository (optional)
+sudo rm /etc/yum.repos.d/continuwuation-*.repo
+```
+
+## Troubleshooting
+
+**GPG key errors**: Temporarily disable GPG checking
+
+```bash
+sudo dnf --nogpgcheck install continuwuity
+```
+
+**Repository metadata issues**: Clear and rebuild cache
+
+```bash
+sudo dnf clean all
+sudo dnf makecache
+```
+
+**Finding specific versions**
+
+```bash
+# List all available versions
+dnf --showduplicates list continuwuity
+
+# Install a specific version
+sudo dnf install continuwuity-<version>
+```
+
+## Building locally
+
+Build the RPM locally using rpkg:
+
+```bash
+# Install dependencies
+sudo dnf install rpkg rpm-build cargo-rpm-macros systemd-rpm-macros
+
+# Clone the repository
+git clone https://forgejo.ellis.link/continuwuation/continuwuity.git
+cd continuwuity
+
+# Build SRPM
+rpkg srpm
+
+# Build RPM
+rpmbuild --rebuild *.src.rpm
+```

flake.nix

@@ -65,10 +65,10 @@
                     domain = "forgejo.ellis.link";
                     owner = "continuwuation";
                     repo = "rocksdb";
-                    rev = "10.4.fb";
-                    sha256 = "sha256-/Hvy1yTH/0D5aa7bc+/uqFugCQq4InTdwlRw88vA5IY=";
+                    rev = "10.5.fb";
+                    sha256 = "sha256-X4ApGLkHF9ceBtBg77dimEpu720I79ffLoyPa8JMHaU=";
                   };
-                  version = "v10.4.fb";
+                  version = "v10.5.fb";
                   cmakeFlags =
                     pkgs.lib.subtractLists [
                       # No real reason to have snappy or zlib, no one uses this

pkg/debian/README.md

@@ -1,12 +1,28 @@
 # Continuwuity for Debian
 
-This document provides information about downloading and deploying the Debian package. You can also use this guide for other `apt`-based distributions such as Ubuntu.
+This document provides information about downloading and deploying the Debian package. You can also use this guide for other deb-based distributions such as Ubuntu.
 
 ### Installation
 
-See the [generic deployment guide](../deploying/generic.md) for additional information about using the Debian package.
+To add the Continuwuation apt repository:
+```bash
+# Replace with `"dev"` for bleeding-edge builds at your own risk
+export COMPONENT="stable"
+# Import the Continuwuation signing key
+sudo curl https://forgejo.ellis.link/api/packages/continuwuation/debian/repository.key -o /etc/apt/keyrings/forgejo-continuwuation.asc
+# Add a new apt source list pointing to the repository
+echo "deb [signed-by=/etc/apt/keyrings/forgejo-continuwuation.asc] https://forgejo.ellis.link/api/packages/continuwuation/debian $(lsb_release -sc) $COMPONENT" | sudo tee /etc/apt/sources.list.d/continuwuation.list
+# Update remote package lists
+sudo apt update
+```
 
-No `apt` repository is currently available. This feature is in development.
+To install continuwuity:
+```bash
+sudo apt install continuwuity
+```
+The `continuwuity` package conflicts with the old `conduwuit` package and will remove it automatically when installed.
+
+See the [generic deployment guide](../deploying/generic.md) for additional information about using the Debian package.
 
 ### Configuration
 
@@ -16,7 +32,7 @@ ### Configuration
 
 ### Running
 
-The package uses the [`conduwuit.service`](../configuration/examples.md#example-systemd-unit-file) systemd unit file to start and stop Continuwuity. The binary installs at `/usr/sbin/conduwuit`.
+The package uses the [`conduwuit.service`](../configuration/examples.md#example-systemd-unit-file) systemd unit file to start and stop Continuwuity. The binary installs at `/usr/bin/conduwuit`.
 
 By default, this package assumes that Continuwuity runs behind a reverse proxy. The default configuration options apply (listening on `localhost` and TCP port `6167`). Matrix federation requires a valid domain name and TLS. To federate properly, you must set up TLS certificates and certificate renewal.
 

pkg/fedora/continuwuity.spec.rpkg

@@ -1,6 +1,5 @@
-# This should be run using rpkg-util: https://docs.pagure.org/rpkg-util
+# This should be run using rpkg: https://docs.pagure.org/rpkg
 # it requires Internet access and is not suitable for Fedora main repos
-# TODO: rpkg-util is no longer maintained, find a replacement
 
 Name:           continuwuity
 Version:        {{{ git_repo_version }}}

src/api/client/room/upgrade.rs

@@ -2,7 +2,7 @@
 
 use axum::extract::State;
 use conduwuit::{
-	Err, Error, Event, Result, debug, err, info,
+	Err, Error, Event, Result, RoomVersion, debug, err, info,
 	matrix::{StateKey, pdu::PduBuilder},
 };
 use futures::{FutureExt, StreamExt};
@@ -68,37 +68,76 @@ pub(crate) async fn upgrade_room_route(
 		return Err!(Request(UserSuspended("You cannot perform this action while suspended.")));
 	}
 
+	// First, check if the user has permission to upgrade the room (send tombstone
+	// event)
+	let old_room_state_lock = services.rooms.state.mutex.lock(&body.room_id).await;
+
+	// Check tombstone permission by attempting to create (but not send) the event
+	// Note that this does internally call the policy server with a fake room ID,
+	// which may not be good?
+	let tombstone_test_result = services
+		.rooms
+		.timeline
+		.create_hash_and_sign_event(
+			PduBuilder::state(StateKey::new(), &RoomTombstoneEventContent {
+				body: "This room has been replaced".to_owned(),
+				replacement_room: RoomId::new(services.globals.server_name()),
+			}),
+			sender_user,
+			Some(&body.room_id),
+			&old_room_state_lock,
+		)
+		.await;
+
+	if let Err(_e) = tombstone_test_result {
+		return Err!(Request(Forbidden("User does not have permission to upgrade this room.")));
+	}
+
+	drop(old_room_state_lock);
+
 	// Create a replacement room
-	let replacement_room = RoomId::new(services.globals.server_name());
+	let room_features = RoomVersion::new(&body.new_version)?;
+	let replacement_room: Option<&RoomId> = if room_features.room_ids_as_hashes {
+		None
+	} else {
+		Some(&RoomId::new(services.globals.server_name()))
+	};
+	let replacement_room_tmp = match replacement_room {
+		| Some(v) => v,
+		| None => &RoomId::new(services.globals.server_name()),
+	};
 
 	let _short_id = services
 		.rooms
 		.short
-		.get_or_create_shortroomid(&replacement_room)
+		.get_or_create_shortroomid(replacement_room_tmp)
 		.await;
 
-	let state_lock = services.rooms.state.mutex.lock(&body.room_id).await;
-
-	// Send a m.room.tombstone event to the old room to indicate that it is not
-	// intended to be used any further Fail if the sender does not have the required
-	// permissions
-	let tombstone_event_id = services
-		.rooms
-		.timeline
-		.build_and_append_pdu(
-			PduBuilder::state(StateKey::new(), &RoomTombstoneEventContent {
-				body: "This room has been replaced".to_owned(),
-				replacement_room: replacement_room.clone(),
-			}),
-			sender_user,
-			Some(&body.room_id),
-			&state_lock,
-		)
-		.await?;
-
-	// Change lock to replacement room
-	drop(state_lock);
-	let state_lock = services.rooms.state.mutex.lock(&replacement_room).await;
+	// For pre-v12 rooms, send tombstone before creating replacement room
+	let tombstone_event_id = if !room_features.room_ids_as_hashes {
+		let state_lock = services.rooms.state.mutex.lock(&body.room_id).await;
+		// Send a m.room.tombstone event to the old room to indicate that it is not
+		// intended to be used any further
+		let tombstone_event_id = services
+			.rooms
+			.timeline
+			.build_and_append_pdu(
+				PduBuilder::state(StateKey::new(), &RoomTombstoneEventContent {
+					body: "This room has been replaced".to_owned(),
+					replacement_room: replacement_room.unwrap().to_owned(),
+				}),
+				sender_user,
+				Some(&body.room_id),
+				&state_lock,
+			)
+			.await?;
+		// Change lock to replacement room
+		drop(state_lock);
+		Some(tombstone_event_id)
+	} else {
+		None
+	};
+	let state_lock = services.rooms.state.mutex.lock(replacement_room_tmp).await;
 
 	// Get the old room creation event
 	let mut create_event_content: CanonicalJsonObject = services
@@ -111,7 +150,7 @@ pub(crate) async fn upgrade_room_route(
 	// Use the m.room.tombstone event as the predecessor
 	let predecessor = Some(ruma::events::room::create::PreviousRoom::new(
 		body.room_id.clone(),
-		Some(tombstone_event_id),
+		tombstone_event_id,
 	));
 
 	// Send a m.room.create event containing a predecessor field and the applicable
@@ -132,6 +171,7 @@ pub(crate) async fn upgrade_room_route(
 				// "creator" key no longer exists in V11 rooms
 				create_event_content.remove("creator");
 			},
+			// TODO(hydra): additional_creators
 		}
 	}
 
@@ -159,7 +199,7 @@ pub(crate) async fn upgrade_room_route(
 		return Err(Error::BadRequest(ErrorKind::BadJson, "Error forming creation event"));
 	}
 
-	services
+	let create_event_id = services
 		.rooms
 		.timeline
 		.build_and_append_pdu(
@@ -173,11 +213,18 @@ pub(crate) async fn upgrade_room_route(
 				timestamp: None,
 			},
 			sender_user,
-			Some(&replacement_room),
+			replacement_room,
 			&state_lock,
 		)
 		.boxed()
 		.await?;
+	let create_id = create_event_id.as_str().replace('$', "!");
+	let (replacement_room, state_lock) = if room_features.room_ids_as_hashes {
+		let parsed_room_id = RoomId::parse(&create_id)?;
+		(Some(parsed_room_id), services.rooms.state.mutex.lock(parsed_room_id).await)
+	} else {
+		(replacement_room, state_lock)
+	};
 
 	// Join the new room
 	services
@@ -204,7 +251,7 @@ pub(crate) async fn upgrade_room_route(
 				timestamp: None,
 			},
 			sender_user,
-			Some(&replacement_room),
+			replacement_room,
 			&state_lock,
 		)
 		.boxed()
@@ -243,7 +290,7 @@ pub(crate) async fn upgrade_room_route(
 						..Default::default()
 					},
 					sender_user,
-					Some(&replacement_room),
+					replacement_room,
 					&state_lock,
 				)
 				.boxed()
@@ -268,7 +315,7 @@ pub(crate) async fn upgrade_room_route(
 		services
 			.rooms
 			.alias
-			.set_alias(alias, &replacement_room, sender_user)?;
+			.set_alias(alias, replacement_room.unwrap(), sender_user)?;
 	}
 
 	// Get the old room power levels
@@ -310,6 +357,27 @@ pub(crate) async fn upgrade_room_route(
 
 	drop(state_lock);
 
+	// For v12 rooms, send tombstone AFTER creating replacement room
+	if room_features.room_ids_as_hashes {
+		let old_room_state_lock = services.rooms.state.mutex.lock(&body.room_id).await;
+		// For v12 rooms, no event reference in predecessor due to cyclic dependency -
+		// could best effort one maybe?
+		services
+			.rooms
+			.timeline
+			.build_and_append_pdu(
+				PduBuilder::state(StateKey::new(), &RoomTombstoneEventContent {
+					body: "This room has been replaced".to_owned(),
+					replacement_room: replacement_room.unwrap().to_owned(),
+				}),
+				sender_user,
+				Some(&body.room_id),
+				&old_room_state_lock,
+			)
+			.await?;
+		drop(old_room_state_lock);
+	}
+
 	// Check if the old room has a space parent, and if so, whether we should update
 	// it (m.space.parent, room_id)
 	let parents = services
@@ -334,8 +402,9 @@ pub(crate) async fn upgrade_room_route(
 			continue;
 		};
 		debug!(
-			"Updating space {space_id} child event for room {} to {replacement_room}",
-			&body.room_id
+			"Updating space {space_id} child event for room {} to {}",
+			&body.room_id,
+			replacement_room.unwrap()
 		);
 		// First, drop the space's child event
 		let state_lock = services.rooms.state.mutex.lock(space_id).await;
@@ -359,7 +428,10 @@ pub(crate) async fn upgrade_room_route(
 			.await
 			.ok();
 		// Now, add a new child event for the replacement room
-		debug!("Adding space child event for room {replacement_room} in space {space_id}");
+		debug!(
+			"Adding space child event for room {} in space {space_id}",
+			replacement_room.unwrap()
+		);
 		services
 			.rooms
 			.timeline
@@ -372,7 +444,7 @@ pub(crate) async fn upgrade_room_route(
 						suggested: child.suggested,
 					})
 					.expect("event is valid, we just created it"),
-					state_key: Some(replacement_room.as_str().into()),
+					state_key: Some(replacement_room.unwrap().as_str().into()),
 					..Default::default()
 				},
 				sender_user,
@@ -383,12 +455,15 @@ pub(crate) async fn upgrade_room_route(
 			.await
 			.ok();
 		debug!(
-			"Finished updating space {space_id} child event for room {} to {replacement_room}",
-			&body.room_id
+			"Finished updating space {space_id} child event for room {} to {}",
+			&body.room_id,
+			replacement_room.unwrap()
 		);
 		drop(state_lock);
 	}
 
 	// Return the replacement room id
-	Ok(upgrade_room::v3::Response { replacement_room })
+	Ok(upgrade_room::v3::Response {
+		replacement_room: replacement_room.unwrap().to_owned(),
+	})
 }

src/main/Cargo.toml

@@ -22,11 +22,13 @@ crate-type = [
 ]
 
 [package.metadata.deb]
-name = "conduwuit"
-maintainer = "strawberry <strawberry@puppygock.gay>"
-copyright = "2024, strawberry <strawberry@puppygock.gay>"
+name = "continuwuity"
+maintainer = "continuwuity developers <contact@continuwuity.org>"
+copyright = "2024, continuwuity developers"
 license-file = ["../../LICENSE", "3"]
 depends = "$auto, ca-certificates"
+breaks = ["conduwuit (<<0.5.0)"]
+replaces = ["conduwuit (<<0.5.0)"]
 extended-description = """\
 a cool hard fork of Conduit, a Matrix homeserver written in Rust"""
 section = "net"

src/service/rooms/timeline/create.rs

@@ -274,8 +274,6 @@ fn from_evt(
 	pdu_json.insert("event_id".into(), CanonicalJsonValue::String(pdu.event_id.clone().into()));
 
 	// Check with the policy server
-	// TODO(hydra): Skip this check for create events (why didnt we do this
-	// already?)
 	if room_id.is_some() {
 		trace!(
 			"Checking event {} in room {} with policy server",