fix(ci): Don't use shallow clone when we're comparing git history

- Limit renovate updates to mondays
- Don't group lock updates
- Update checksums if possible

.forgejo/actions/create-docker-manifest/action.yml

@@ -61,8 +61,8 @@ runs:
       id: meta
       uses: docker/metadata-action@v5
       with:
-        flavour: |
-          suffix=${{ inputs.tag_suffix }}
+        flavor: |
+          suffix=${{ inputs.tag_suffix }},onlatest=true
         tags: |
           type=semver,pattern={{version}},prefix=v
           type=semver,pattern={{major}}.{{minor}},enable=${{ !startsWith(github.ref, 'refs/tags/v0.0.') }},prefix=v

.forgejo/actions/detect-runner-os/action.yml

@@ -1,58 +0,0 @@
-name: detect-runner-os
-description: |
-  Detect the actual OS name and version of the runner.
-  Provides separate outputs for name, version, and a combined slug.
-
-outputs:
-  name:
-    description: 'OS name (e.g. Ubuntu, Debian)'
-    value: ${{ steps.detect.outputs.name }}
-  version:
-    description: 'OS version (e.g. 22.04, 11)'
-    value: ${{ steps.detect.outputs.version }}
-  slug:
-    description: 'Combined OS slug (e.g. Ubuntu-22.04)'
-    value: ${{ steps.detect.outputs.slug }}
-  node_major:
-    description: 'Major version of Node.js if available (e.g. 22)'
-    value: ${{ steps.detect.outputs.node_major }}
-  node_version:
-    description: 'Full Node.js version if available (e.g. 22.19.0)'
-    value: ${{ steps.detect.outputs.node_version }}
-
-runs:
-  using: composite
-  steps:
-    - name: Detect runner OS
-      id: detect
-      shell: bash
-      run: |
-        # Detect OS version (try lsb_release first, fall back to /etc/os-release)
-        OS_VERSION=$(lsb_release -rs 2>/dev/null || grep VERSION_ID /etc/os-release | cut -d'"' -f2)
-
-        # Detect OS name and capitalise (try lsb_release first, fall back to /etc/os-release)
-        OS_NAME=$(lsb_release -is 2>/dev/null || grep "^ID=" /etc/os-release | cut -d'=' -f2 | tr -d '"' | sed 's/\b\(.\)/\u\1/g')
-
-        # Create combined slug
-        OS_SLUG="${OS_NAME}-${OS_VERSION}"
-
-        # Detect Node.js version if available
-        if command -v node >/dev/null 2>&1; then
-          NODE_VERSION=$(node --version | sed 's/v//')
-          NODE_MAJOR=$(echo $NODE_VERSION | cut -d. -f1)
-          echo "node_version=${NODE_VERSION}" >> $GITHUB_OUTPUT
-          echo "node_major=${NODE_MAJOR}" >> $GITHUB_OUTPUT
-          echo "🔍 Detected Node.js: v${NODE_VERSION}"
-        else
-          echo "node_version=" >> $GITHUB_OUTPUT
-          echo "node_major=" >> $GITHUB_OUTPUT
-          echo "🔍 Node.js not found"
-        fi
-
-        # Set OS outputs
-        echo "name=${OS_NAME}" >> $GITHUB_OUTPUT
-        echo "version=${OS_VERSION}" >> $GITHUB_OUTPUT
-        echo "slug=${OS_SLUG}" >> $GITHUB_OUTPUT
-
-        # Log detection results
-        echo "🔍 Detected Runner OS: ${OS_NAME} ${OS_VERSION}"

.forgejo/actions/prepare-docker-build/action.yml

@@ -121,7 +121,7 @@ runs:
           .cargo/git/checkouts
           .cargo/registry
           .cargo/registry/src
-        key: rust-registry-image-${{hashFiles('**/Cargo.lock') }}
+        key: continuwuity-rust-registry-image-${{hashFiles('**/Cargo.lock') }}
 
     - name: Cache cargo target
       if: ${{ env.BUILDKIT_ENDPOINT == '' }}
@@ -130,7 +130,7 @@ runs:
       with:
         path: |
           cargo-target${{ env.CPU_SUFFIX }}-${{ inputs.slug }}-${{ inputs.profile }}
-        key: cargo-target${{ env.CPU_SUFFIX }}-${{ inputs.slug }}-${{ inputs.profile }}-${{hashFiles('**/Cargo.lock') }}-${{steps.rust-toolchain.outputs.rustc_version}}
+        key: continuwuity-cargo-target${{ env.CPU_SUFFIX }}-${{ inputs.slug }}-${{ inputs.profile }}-${{hashFiles('**/Cargo.lock') }}-${{steps.rust-toolchain.outputs.rustc_version}}
 
     - name: Cache apt cache
       if: ${{ env.BUILDKIT_ENDPOINT == '' }}
@@ -139,7 +139,7 @@ runs:
       with:
         path: |
           var-cache-apt-${{ inputs.slug }}
-        key: var-cache-apt-${{ inputs.slug }}
+        key: continuwuity-var-cache-apt-${{ inputs.slug }}
 
     - name: Cache apt lib
       if: ${{ env.BUILDKIT_ENDPOINT == '' }}
@@ -148,7 +148,7 @@ runs:
       with:
         path: |
           var-lib-apt-${{ inputs.slug }}
-        key: var-lib-apt-${{ inputs.slug }}
+        key: continuwuity-var-lib-apt-${{ inputs.slug }}
 
     - name: inject cache into docker
       if: ${{ env.BUILDKIT_ENDPOINT == '' }}

.forgejo/actions/rust-toolchain/action.yml

@@ -40,7 +40,7 @@ runs:
           !~/.rustup/tmp
           !~/.rustup/downloads
         # Requires repo to be cloned if toolchain is not specified
-        key: ${{ runner.os }}-rustup-${{ inputs.toolchain || hashFiles('**/rust-toolchain.toml') }}
+        key: continuwuity-${{ runner.os }}-rustup-${{ inputs.toolchain || hashFiles('**/rust-toolchain.toml') }}
     - name: Install Rust toolchain
       if: steps.rustup-version.outputs.version == ''
       shell: bash

.forgejo/actions/setup-llvm-with-apt/action.yml

@@ -29,7 +29,7 @@ runs:
   steps:
     - name: Detect runner OS
       id: runner-os
-      uses: ./.forgejo/actions/detect-runner-os
+      uses: https://git.tomfos.tr/actions/detect-versions@v1
 
     - name: Configure cross-compilation architecture
       if: inputs.dpkg-arch != ''
@@ -69,7 +69,7 @@ runs:
           /usr/lib/x86_64-linux-gnu/libclang*.so*
           /etc/apt/sources.list.d/archive_uri-*
           /etc/apt/trusted.gpg.d/apt.llvm.org.asc
-        key: llvm-${{ steps.runner-os.outputs.slug }}-v${{ inputs.llvm-version }}-v3-${{ hashFiles('**/Cargo.lock', 'rust-toolchain.toml') }}
+        key: continuwuity-llvm-${{ steps.runner-os.outputs.slug }}-${{ steps.runner-os.outputs.arch }}-v${{ inputs.llvm-version }}-${{ hashFiles('**/Cargo.lock', 'rust-toolchain.toml') }}
 
     - name: End LLVM cache group
       shell: bash

.forgejo/actions/setup-rust/action.yml

@@ -39,7 +39,7 @@ runs:
   steps:
     - name: Detect runner OS
       id: runner-os
-      uses: ./.forgejo/actions/detect-runner-os
+      uses: https://git.tomfos.tr/actions/detect-versions@v1
 
     - name: Configure Cargo environment
       shell: bash
@@ -73,9 +73,9 @@ runs:
           .cargo/git/db
         # Registry cache saved per workflow, restored from any workflow's cache
         # Each workflow maintains its own registry that accumulates its needed crates
-        key: cargo-registry-${{ steps.runner-os.outputs.slug }}-${{ github.workflow }}
+        key: continuwuity-cargo-registry-${{ steps.runner-os.outputs.slug }}-${{ steps.runner-os.outputs.arch }}-${{ github.workflow }}
         restore-keys: |
-          cargo-registry-${{ steps.runner-os.outputs.slug }}-
+          continuwuity-cargo-registry-${{ steps.runner-os.outputs.slug }}-${{ steps.runner-os.outputs.arch }}-
 
     - name: Cache toolchain binaries
       id: toolchain-cache
@@ -86,29 +86,42 @@ runs:
           .rustup/toolchains
           .rustup/update-hashes
         # Shared toolchain cache across all Rust versions
-        key: toolchain-${{ steps.runner-os.outputs.slug }}
+        key: continuwuity-toolchain-${{ steps.runner-os.outputs.slug }}-${{ steps.runner-os.outputs.arch }}
 
 
     - name: Setup sccache
       uses: https://git.tomfos.tr/tom/sccache-action@v1
 
-    - name: Cache build artifacts
-      id: build-cache
+    - name: Cache dependencies
+      id: deps-cache
       uses: actions/cache@v4
       with:
         path: |
-          target/**/deps
-          !target/**/deps/*.rlib
-          target/**/build
           target/**/.fingerprint
-          target/**/incremental
+          target/**/deps
           target/**/*.d
+          target/**/.cargo-lock
+          target/**/CACHEDIR.TAG
+          target/**/.rustc_info.json
           /timelord/
-        # Build artifacts - cache per code change, restore from deps when code changes
+        # Dependencies cache - based on Cargo.lock, survives source code changes
         key: >-
-          build-${{ steps.runner-os.outputs.slug }}-${{ inputs.rust-version }}${{ inputs.cache-key-suffix && format('-{0}', inputs.cache-key-suffix) || '' }}-${{ hashFiles('rust-toolchain.toml', '**/Cargo.lock') }}-${{ hashFiles('**/*.rs', '**/Cargo.toml') }}
+          continuwuity-deps-${{ steps.runner-os.outputs.slug }}-${{ steps.runner-os.outputs.arch }}-${{ inputs.rust-version }}${{ inputs.cache-key-suffix && format('-{0}', inputs.cache-key-suffix) || '' }}-${{ hashFiles('rust-toolchain.toml', '**/Cargo.lock') }}
         restore-keys: |
-          build-${{ steps.runner-os.outputs.slug }}-${{ inputs.rust-version }}${{ inputs.cache-key-suffix && format('-{0}', inputs.cache-key-suffix) || '' }}-${{ hashFiles('rust-toolchain.toml', '**/Cargo.lock') }}-
+          continuwuity-deps-${{ steps.runner-os.outputs.slug }}-${{ steps.runner-os.outputs.arch }}-${{ inputs.rust-version }}${{ inputs.cache-key-suffix && format('-{0}', inputs.cache-key-suffix) || '' }}-
+
+    - name: Cache incremental compilation
+      id: incremental-cache
+      uses: actions/cache@v4
+      with:
+        path: |
+          target/**/incremental
+        # Incremental cache - based on source code changes
+        key: >-
+          continuwuity-incremental-${{ steps.runner-os.outputs.slug }}-${{ steps.runner-os.outputs.arch }}-${{ inputs.rust-version }}${{ inputs.cache-key-suffix && format('-{0}', inputs.cache-key-suffix) || '' }}-${{ hashFiles('rust-toolchain.toml', '**/Cargo.lock') }}-${{ hashFiles('**/*.rs', '**/Cargo.toml') }}
+        restore-keys: |
+          continuwuity-incremental-${{ steps.runner-os.outputs.slug }}-${{ steps.runner-os.outputs.arch }}-${{ inputs.rust-version }}${{ inputs.cache-key-suffix && format('-{0}', inputs.cache-key-suffix) || '' }}-${{ hashFiles('rust-toolchain.toml', '**/Cargo.lock') }}-
+          continuwuity-incremental-${{ steps.runner-os.outputs.slug }}-${{ steps.runner-os.outputs.arch }}-${{ inputs.rust-version }}${{ inputs.cache-key-suffix && format('-{0}', inputs.cache-key-suffix) || '' }}-
 
     - name: End cache restore group
       shell: bash

.forgejo/actions/timelord/action.yml

@@ -36,7 +36,7 @@ runs:
         path: |
           /usr/share/rust/.cargo/bin
           ~/.cargo/bin
-        key: timelord-binaries-v3
+        key: continuwuity-timelord-binaries
 
     - name: Check if binaries need installation
       shell: bash
@@ -82,7 +82,7 @@ runs:
         path: |
           /usr/share/rust/.cargo/bin
           ~/.cargo/bin
-        key: timelord-binaries-v3
+        key: continuwuity-timelord-binaries
 
 
     - name: Restore timelord cache with fallbacks
@@ -92,7 +92,7 @@ runs:
         path: ${{ env.TIMELORD_CACHE_PATH }}
         key: ${{ env.TIMELORD_KEY }}
         restore-keys: |
-          timelord-v1-${{ github.repository }}-
+          continuwuity-timelord-${{ github.repository }}-
 
     - name: Initialize timestamps on complete cache miss
       if: steps.timelord-restore.outputs.cache-hit != 'true'

.forgejo/workflows/build-debian.yml

@@ -0,0 +1,148 @@
+name: Build / Debian DEB
+
+concurrency:
+  group: "build-debian-${{ forge.ref }}"
+  cancel-in-progress: true
+
+on:
+  push:
+    tags:
+      - "v*.*.*"
+  workflow_dispatch:
+  schedule:
+    - cron: '30 0 * * *'
+
+jobs:
+  build:
+    runs-on: ubuntu-latest
+    strategy:
+      matrix:
+        container: ["ubuntu-latest", "ubuntu-previous", "debian-latest", "debian-oldstable"]
+    container:
+      image: "ghcr.io/tcpipuk/act-runner:${{ matrix.container }}"
+
+    steps:
+      - name: Get Debian version
+        id: debian-version
+        run: |
+          VERSION=$(cat /etc/debian_version)
+          DISTRIBUTION=$(lsb_release -sc 2>/dev/null)
+          echo "version=$VERSION" >> $GITHUB_OUTPUT
+          echo "distribution=$DISTRIBUTION" >> $GITHUB_OUTPUT
+          echo "Debian distribution: $DISTRIBUTION ($VERSION)"
+
+      - name: Checkout repository with full history
+        uses: https://code.forgejo.org/actions/checkout@v5
+        with:
+          fetch-depth: 0
+
+      - name: Cache Cargo registry
+        uses: https://code.forgejo.org/actions/cache@v4
+        with:
+          path: |
+            ~/.cargo/registry
+            ~/.cargo/git
+          key: cargo-debian-${{ steps.debian-version.outputs.distribution }}-${{ hashFiles('**/Cargo.lock') }}
+          restore-keys: |
+            cargo-debian-${{ steps.debian-version.outputs.distribution }}-
+
+      - name: Setup sccache
+        uses: https://git.tomfos.tr/tom/sccache-action@v1
+
+      - name: Configure sccache environment
+        run: |
+          echo "RUSTC_WRAPPER=sccache" >> $GITHUB_ENV
+          echo "CMAKE_C_COMPILER_LAUNCHER=sccache" >> $GITHUB_ENV
+          echo "CMAKE_CXX_COMPILER_LAUNCHER=sccache" >> $GITHUB_ENV
+          echo "SCCACHE_CACHE_SIZE=10G" >> $GITHUB_ENV
+          # Aggressive GC since cache restores don't increment counter
+          echo "CARGO_INCREMENTAL_GC_TRIGGER=5" >> $GITHUB_ENV
+
+      - name: Setup Rust nightly
+        uses: ./.forgejo/actions/setup-rust
+        with:
+          rust-version: nightly
+          github-token: ${{ secrets.GH_PUBLIC_RO }}
+
+      - name: Get package version and component
+        id: package-meta
+        run: |
+          BASE_VERSION=$(cargo metadata --no-deps --format-version 1 | jq -r ".packages[] | select(.name == \"conduwuit\").version" | sed 's/[^a-zA-Z0-9.+]/~/g')
+          # VERSION is the package version, COMPONENT is used in
+          # apt's repository config like a git repo branch
+          if [[ "${{ forge.ref }}" == "refs/tags/"* ]]; then
+            # Use the "stable" component for tagged releases
+            COMPONENT="stable"
+            VERSION=$BASE_VERSION
+          else
+            # Use the "dev" component for development builds
+            SHA=$(echo "${{ forge.sha }}" | cut -c1-7)
+            DATE=$(date +%Y%m%d)
+            if [ "${{ forge.ref_name }}" = "main" ]; then
+              COMPONENT="dev"
+            else
+              # Use the sanitized ref name as the component for feature branches
+              COMPONENT="dev-$(echo '${{ forge.ref_name }}' | sed 's/[^a-zA-Z0-9.+]/-/g' | tr '[:upper:]' '[:lower:]' | cut -c1-30)"
+            fi
+            CLEAN_COMPONENT=$(echo $COMPONENT | sed 's/[^a-zA-Z0-9.+]/~/g')
+            VERSION="$BASE_VERSION~git$DATE.$SHA-$CLEAN_COMPONENT"
+          fi
+          echo "component=$COMPONENT" >> $GITHUB_OUTPUT
+          echo "version=$VERSION" >> $GITHUB_OUTPUT
+          echo "Component: $COMPONENT"
+          echo "Version: $VERSION"
+
+      - name: Install cargo-deb
+        run: |
+          if command -v cargo-deb &> /dev/null; then
+            echo "cargo-deb already available"
+          else
+            echo "Installing cargo-deb"
+            cargo-binstall -y --no-symlinks cargo-deb
+          fi
+
+      - name: Install build dependencies
+        run: |
+          apt-get update -y
+          # Build dependencies for rocksdb
+          apt-get install -y clang liburing-dev
+
+      - name: Run cargo-deb
+        id: cargo-deb
+        run: |
+          DEB_PATH=$(cargo deb --deb-version ${{ steps.package-meta.outputs.version }})
+          echo "path=$DEB_PATH" >> $GITHUB_OUTPUT
+
+      - name: Test deb installation
+        run: |
+          echo "Installing: ${{ steps.cargo-deb.outputs.path }}"
+
+          apt-get install -y ${{ steps.cargo-deb.outputs.path }}
+
+          dpkg -s continuwuity
+
+          [ -f /usr/bin/conduwuit ] && echo "✅ Binary installed successfully"
+          [ -f /usr/lib/systemd/system/conduwuit.service ] && echo "✅ Systemd service installed"
+          [ -f /etc/conduwuit/conduwuit.toml ] && echo "✅ Config file installed"
+
+      - name: Upload deb artifact
+        uses: https://code.forgejo.org/actions/upload-artifact@v3
+        with:
+          name: continuwuity-${{ steps.debian-version.outputs.distribution }}
+          path: ${{ steps.cargo-deb.outputs.path }}
+
+      - name: Publish to Forgejo package registry
+        if: ${{ forge.event_name == 'push' || forge.event_name == 'workflow_dispatch' || forge.event_name == 'schedule' }}
+        run: |
+          OWNER="continuwuation"
+          DISTRIBUTION=${{ steps.debian-version.outputs.distribution }}
+          COMPONENT=${{ steps.package-meta.outputs.component }}
+          DEB=${{ steps.cargo-deb.outputs.path }}
+
+          echo "Publishing: $DEB in component $COMPONENT for distribution $DISTRIBUTION"
+
+          curl --fail-with-body \
+            -X PUT \
+            -H "Authorization: token ${{ secrets.BUILTIN_REGISTRY_PASSWORD || secrets.GITHUB_TOKEN }}" \
+            --upload-file "$DEB" \
+            "${{ forge.server_url }}/api/packages/$OWNER/debian/pool/$DISTRIBUTION/$COMPONENT/upload"

.forgejo/workflows/build-fedora.yml

@@ -0,0 +1,389 @@
+name: Build / Fedora RPM
+
+concurrency:
+  group: "build-fedora-${{ github.ref }}"
+  cancel-in-progress: true
+
+on:
+  push:
+    tags:
+      - "v*.*.*"
+    # paths:
+    #   - 'pkg/fedora/**'
+    #   - 'src/**'
+    #   - 'Cargo.toml'
+    #   - 'Cargo.lock'
+    #   - '.forgejo/workflows/build-fedora.yml'
+  workflow_dispatch:
+  schedule:
+    - cron: '30 0 * * *'
+
+jobs:
+  build:
+    runs-on: fedora-latest
+    steps:
+      - name: Detect Fedora version
+        id: fedora
+        run: |
+          VERSION=$(rpm -E %fedora)
+          echo "version=$VERSION" >> $GITHUB_OUTPUT
+          echo "Fedora version: $VERSION"
+
+      - name: Checkout repository with full history
+        uses: https://code.forgejo.org/actions/checkout@v5
+        with:
+          fetch-depth: 0
+
+
+      - name: Cache DNF packages
+        uses: https://code.forgejo.org/actions/cache@v4
+        with:
+          path: |
+            /var/cache/dnf
+            /var/cache/yum
+          key: dnf-fedora${{ steps.fedora.outputs.version }}-${{ hashFiles('pkg/fedora/continuwuity.spec.rpkg') }}-v1
+          restore-keys: |
+            dnf-fedora${{ steps.fedora.outputs.version }}-
+
+      - name: Cache Cargo registry
+        uses: https://code.forgejo.org/actions/cache@v4
+        with:
+          path: |
+            ~/.cargo/registry
+            ~/.cargo/git
+          key: cargo-fedora${{ steps.fedora.outputs.version }}-${{ hashFiles('**/Cargo.lock') }}
+          restore-keys: |
+            cargo-fedora${{ steps.fedora.outputs.version }}-
+
+      - name: Cache Rust build dependencies
+        uses: https://code.forgejo.org/actions/cache@v4
+        with:
+          path: |
+            ~/rpmbuild/BUILD/*/target/release/deps
+            ~/rpmbuild/BUILD/*/target/release/build
+            ~/rpmbuild/BUILD/*/target/release/.fingerprint
+            ~/rpmbuild/BUILD/*/target/release/incremental
+          key: rust-deps-fedora${{ steps.fedora.outputs.version }}-${{ hashFiles('**/Cargo.lock') }}
+          restore-keys: |
+            rust-deps-fedora${{ steps.fedora.outputs.version }}-
+
+      - name: Setup sccache
+        uses: https://git.tomfos.tr/tom/sccache-action@v1
+
+      - name: Configure sccache environment
+        run: |
+          echo "RUSTC_WRAPPER=sccache" >> $GITHUB_ENV
+          echo "CMAKE_C_COMPILER_LAUNCHER=sccache" >> $GITHUB_ENV
+          echo "CMAKE_CXX_COMPILER_LAUNCHER=sccache" >> $GITHUB_ENV
+          echo "SCCACHE_CACHE_SIZE=10G" >> $GITHUB_ENV
+          # Aggressive GC since cache restores don't increment counter
+          echo "CARGO_INCREMENTAL_GC_TRIGGER=5" >> $GITHUB_ENV
+
+      - name: Install base RPM tools
+        run: |
+          dnf install -y --setopt=keepcache=1 \
+            fedora-packager \
+            python3-pip \
+            rpm-sign \
+            rpkg \
+            wget
+
+      - name: Setup build environment and build SRPM
+        run: |
+          git config --global --add safe.directory "$GITHUB_WORKSPACE"
+          git config --global user.email "ci@continuwuity.org"
+          git config --global user.name "Continuwuity"
+
+          rpmdev-setuptree
+
+          cd "$GITHUB_WORKSPACE"
+
+          # Determine release suffix and version based on ref type and branch
+          if [[ "${{ github.ref }}" == "refs/tags/"* ]]; then
+            # Tags get clean version numbers for stable releases
+            RELEASE_SUFFIX=""
+            TAG_NAME="${{ github.ref_name }}"
+            # Extract version from tag (remove v prefix if present)
+            TAG_VERSION=$(echo "$TAG_NAME" | sed 's/^v//')
+
+            # Create spec file with tag version
+            sed -e "s/^Version:.*$/Version:        $TAG_VERSION/" \
+                -e "s/^Release:.*$/Release:        1%{?dist}/" \
+                pkg/fedora/continuwuity.spec.rpkg > continuwuity.spec.rpkg
+          elif [ "${{ github.ref_name }}" = "main" ]; then
+            # Main branch gets .dev suffix
+            RELEASE_SUFFIX=".dev"
+
+            # Replace the Release line to include our suffix
+            sed "s/^Release:.*$/Release:        1${RELEASE_SUFFIX}%{?dist}/" \
+              pkg/fedora/continuwuity.spec.rpkg > continuwuity.spec.rpkg
+          else
+            # Other branches get sanitized branch name as suffix
+            SAFE_BRANCH=$(echo "${{ github.ref_name }}" | sed 's/[^a-zA-Z0-9]/_/g' | cut -c1-20)
+            RELEASE_SUFFIX=".${SAFE_BRANCH}"
+
+            # Replace the Release line to include our suffix
+            sed "s/^Release:.*$/Release:        1${RELEASE_SUFFIX}%{?dist}/" \
+              pkg/fedora/continuwuity.spec.rpkg > continuwuity.spec.rpkg
+          fi
+
+          rpkg srpm --outdir "$HOME/rpmbuild/SRPMS"
+
+          ls -la $HOME/rpmbuild/SRPMS/
+
+
+      - name: Install build dependencies from SRPM
+        run: |
+          SRPM=$(find "$HOME/rpmbuild/SRPMS" -name "*.src.rpm" | head -1)
+
+          if [ -z "$SRPM" ]; then
+            echo "Error: No SRPM file found"
+            exit 1
+          fi
+
+          echo "Installing build dependencies from: $(basename $SRPM)"
+          dnf builddep -y "$SRPM"
+
+      - name: Build RPM from SRPM
+        run: |
+          SRPM=$(find "$HOME/rpmbuild/SRPMS" -name "*.src.rpm" | head -1)
+
+          if [ -z "$SRPM" ]; then
+            echo "Error: No SRPM file found"
+            exit 1
+          fi
+
+          echo "Building from SRPM: $SRPM"
+
+          rpmbuild --rebuild "$SRPM" \
+            --define "_topdir $HOME/rpmbuild" \
+            --define "_sourcedir $GITHUB_WORKSPACE" \
+            --nocheck  # Skip %check section to avoid test dependencies
+
+
+      - name: Test RPM installation
+        run: |
+          # Find the main binary RPM (exclude debug and source RPMs)
+          RPM=$(find "$HOME/rpmbuild/RPMS" -name "continuwuity-*.rpm" \
+            ! -name "*debuginfo*" \
+            ! -name "*debugsource*" \
+            ! -name "*.src.rpm" | head -1)
+
+          if [ -z "$RPM" ]; then
+            echo "Error: No binary RPM file found"
+            exit 1
+          fi
+
+          echo "Testing installation of: $RPM"
+
+          # Dry run first
+          rpm -qpi "$RPM"
+          echo ""
+          rpm -qpl "$RPM"
+
+          # Actually install it
+          dnf install -y "$RPM"
+
+          # Verify installation
+          rpm -qa | grep continuwuity
+
+          # Check that the binary exists
+          [ -f /usr/bin/conduwuit ] && echo "✅ Binary installed successfully"
+          [ -f /usr/lib/systemd/system/conduwuit.service ] && echo "✅ Systemd service installed"
+          [ -f /etc/conduwuit/conduwuit.toml ] && echo "✅ Config file installed"
+
+      - name: List built packages
+        run: |
+          echo "Binary RPMs:"
+          find "$HOME/rpmbuild/RPMS" -name "*.rpm" -type f -exec ls -la {} \;
+
+          echo ""
+          echo "Source RPMs:"
+          find "$HOME/rpmbuild/SRPMS" -name "*.rpm" -type f -exec ls -la {} \;
+
+      - name: Collect artifacts
+        run: |
+          mkdir -p artifacts
+
+          find "$HOME/rpmbuild/RPMS" -name "*.rpm" -type f -exec cp {} artifacts/ \;
+          find "$HOME/rpmbuild/SRPMS" -name "*.rpm" -type f -exec cp {} artifacts/ \;
+
+          cd artifacts
+          echo "Build Information:" > BUILD_INFO.txt
+          echo "==================" >> BUILD_INFO.txt
+          echo "Git commit: ${{ github.sha }}" >> BUILD_INFO.txt
+          echo "Git branch: ${{ github.ref_name }}" >> BUILD_INFO.txt
+          echo "Build date: $(date -u +%Y-%m-%d_%H:%M:%S_UTC)" >> BUILD_INFO.txt
+          echo "" >> BUILD_INFO.txt
+          echo "Package contents:" >> BUILD_INFO.txt
+          echo "-----------------" >> BUILD_INFO.txt
+          for rpm in *.rpm; do
+            echo "" >> BUILD_INFO.txt
+            echo "File: $rpm" >> BUILD_INFO.txt
+            rpm -qpi "$rpm" 2>/dev/null | grep -E "^(Name|Version|Release|Architecture|Size)" >> BUILD_INFO.txt
+          done
+
+          ls -la
+
+      - name: Upload binary RPM artifact
+        run: |
+          # Find the main binary RPM (exclude debug and source RPMs)
+          BIN_RPM=$(find artifacts -name "continuwuity-*.rpm" \
+            ! -name "*debuginfo*" \
+            ! -name "*debugsource*" \
+            ! -name "*.src.rpm" \
+            -type f)
+
+          mkdir -p upload-bin
+          cp $BIN_RPM upload-bin/
+
+      - name: Upload binary RPM
+        uses: https://code.forgejo.org/actions/upload-artifact@v3
+        with:
+          name: continuwuity
+          path: upload-bin/
+
+      - name: Upload debug RPM artifact
+        uses: https://code.forgejo.org/actions/upload-artifact@v3
+        with:
+          name: continuwuity-debug
+          path: artifacts/*debuginfo*.rpm
+
+      - name: Publish to RPM Package Registry
+        if: ${{ github.event_name == 'push' || github.event_name == 'workflow_dispatch' || github.event_name == 'schedule' }}
+        run: |
+          # Find the main binary RPM (exclude debug and source RPMs)
+          RPM=$(find artifacts -name "continuwuity-*.rpm" \
+            ! -name "*debuginfo*" \
+            ! -name "*debugsource*" \
+            ! -name "*.src.rpm" \
+            -type f | head -1)
+
+          if [ -z "$RPM" ]; then
+            echo "No binary RPM found to publish"
+            exit 0
+          fi
+
+          RPM_BASENAME=$(basename "$RPM")
+          echo "Publishing: $RPM_BASENAME"
+
+          # Determine the group based on ref type and branch
+          if [[ "${{ github.ref }}" == "refs/tags/"* ]]; then
+            GROUP="stable"
+            # For tags, extract the tag name for version info
+            TAG_NAME="${{ github.ref_name }}"
+          elif [ "${{ github.ref_name }}" = "main" ]; then
+            GROUP="dev"
+          else
+            # Use sanitized branch name as group for feature branches
+            GROUP=$(echo "${{ github.ref_name }}" | sed 's/[^a-zA-Z0-9]/-/g' | tr '[:upper:]' '[:lower:]' | cut -c1-30)
+          fi
+
+          PACKAGE_INFO=$(rpm -qpi "$RPM" 2>/dev/null)
+          PACKAGE_NAME=$(echo "$PACKAGE_INFO" | grep "^Name" | awk '{print $3}')
+          PACKAGE_VERSION=$(echo "$PACKAGE_INFO" | grep "^Version" | awk '{print $3}')
+          PACKAGE_RELEASE=$(echo "$PACKAGE_INFO" | grep "^Release" | awk '{print $3}')
+          PACKAGE_ARCH=$(echo "$PACKAGE_INFO" | grep "^Architecture" | awk '{print $2}')
+
+          # Full version includes release
+          FULL_VERSION="${PACKAGE_VERSION}-${PACKAGE_RELEASE}"
+
+          # Forgejo's RPM registry cannot overwrite existing packages, so we must delete first
+          # 404 is OK if package doesn't exist yet
+          echo "Removing any existing package: $PACKAGE_NAME-$FULL_VERSION.$PACKAGE_ARCH"
+          RESPONSE=$(curl -s -w "\n%{http_code}" -X DELETE \
+            -H "Authorization: token ${{ secrets.BUILTIN_REGISTRY_PASSWORD || secrets.GITHUB_TOKEN }}" \
+            "https://forgejo.ellis.link/api/packages/continuwuation/rpm/$GROUP/package/$PACKAGE_NAME/$FULL_VERSION/$PACKAGE_ARCH")
+          HTTP_CODE=$(echo "$RESPONSE" | tail -n1)
+
+          if [ "$HTTP_CODE" != "204" ] && [ "$HTTP_CODE" != "404" ]; then
+            echo "ERROR: Failed to delete package (HTTP $HTTP_CODE)"
+            echo "$RESPONSE" | head -n -1
+            exit 1
+          fi
+
+          curl --fail-with-body \
+            -X PUT \
+            -H "Authorization: token ${{ secrets.BUILTIN_REGISTRY_PASSWORD || secrets.GITHUB_TOKEN }}" \
+            -H "Content-Type: application/x-rpm" \
+            -T "$RPM" \
+            "https://forgejo.ellis.link/api/packages/continuwuation/rpm/$GROUP/upload?sign=true"
+
+          echo ""
+          echo "✅ Published binary RPM to: https://forgejo.ellis.link/continuwuation/-/packages/rpm/continuwuity/"
+          echo "Group: $GROUP"
+
+          # Upload debug RPMs to separate group
+          DEBUG_RPMS=$(find artifacts -name "*debuginfo*.rpm")
+          if [ -n "$DEBUG_RPMS" ]; then
+            echo ""
+            echo "Publishing debug RPMs to group: ${GROUP}-debug"
+
+            for DEBUG_RPM in $DEBUG_RPMS; do
+              echo "Publishing: $(basename "$DEBUG_RPM")"
+
+              DEBUG_INFO=$(rpm -qpi "$DEBUG_RPM" 2>/dev/null)
+              DEBUG_NAME=$(echo "$DEBUG_INFO" | grep "^Name" | awk '{print $3}')
+              DEBUG_VERSION=$(echo "$DEBUG_INFO" | grep "^Version" | awk '{print $3}')
+              DEBUG_RELEASE=$(echo "$DEBUG_INFO" | grep "^Release" | awk '{print $3}')
+              DEBUG_ARCH=$(echo "$DEBUG_INFO" | grep "^Architecture" | awk '{print $2}')
+              DEBUG_FULL_VERSION="${DEBUG_VERSION}-${DEBUG_RELEASE}"
+
+              # Must delete existing package first (Forgejo limitation)
+              RESPONSE=$(curl -s -w "\n%{http_code}" -X DELETE \
+                -H "Authorization: token ${{ secrets.BUILTIN_REGISTRY_PASSWORD || secrets.GITHUB_TOKEN }}" \
+                "https://forgejo.ellis.link/api/packages/continuwuation/rpm/${GROUP}-debug/package/$DEBUG_NAME/$DEBUG_FULL_VERSION/$DEBUG_ARCH")
+              HTTP_CODE=$(echo "$RESPONSE" | tail -n1)
+
+              if [ "$HTTP_CODE" != "204" ] && [ "$HTTP_CODE" != "404" ]; then
+                echo "ERROR: Failed to delete debug package (HTTP $HTTP_CODE)"
+                echo "$RESPONSE" | head -n -1
+                exit 1
+              fi
+
+              curl --fail-with-body \
+                -X PUT \
+                -H "Authorization: token ${{ secrets.BUILTIN_REGISTRY_PASSWORD || secrets.GITHUB_TOKEN }}" \
+                -H "Content-Type: application/x-rpm" \
+                -T "$DEBUG_RPM" \
+                "https://forgejo.ellis.link/api/packages/continuwuation/rpm/${GROUP}-debug/upload?sign=true"
+            done
+
+            echo "✅ Published debug RPMs to group: ${GROUP}-debug"
+          fi
+
+          # Also upload the SRPM to separate group
+          SRPM=$(find artifacts -name "*.src.rpm" | head -1)
+          if [ -n "$SRPM" ]; then
+            echo ""
+            echo "Publishing source RPM: $(basename "$SRPM")"
+            echo "Publishing to group: ${GROUP}-src"
+
+            SRPM_INFO=$(rpm -qpi "$SRPM" 2>/dev/null)
+            SRPM_NAME=$(echo "$SRPM_INFO" | grep "^Name" | awk '{print $3}')
+            SRPM_VERSION=$(echo "$SRPM_INFO" | grep "^Version" | awk '{print $3}')
+            SRPM_RELEASE=$(echo "$SRPM_INFO" | grep "^Release" | awk '{print $3}')
+            SRPM_FULL_VERSION="${SRPM_VERSION}-${SRPM_RELEASE}"
+
+            # Must delete existing SRPM first (Forgejo limitation)
+            echo "Removing any existing SRPM: $SRPM_NAME-$SRPM_FULL_VERSION.src"
+            RESPONSE=$(curl -s -w "\n%{http_code}" -X DELETE \
+              -H "Authorization: token ${{ secrets.BUILTIN_REGISTRY_PASSWORD || secrets.GITHUB_TOKEN }}" \
+              "https://forgejo.ellis.link/api/packages/continuwuation/rpm/${GROUP}-src/package/$SRPM_NAME/$SRPM_FULL_VERSION/src")
+            HTTP_CODE=$(echo "$RESPONSE" | tail -n1)
+
+            if [ "$HTTP_CODE" != "204" ] && [ "$HTTP_CODE" != "404" ]; then
+              echo "ERROR: Failed to delete SRPM (HTTP $HTTP_CODE)"
+              echo "$RESPONSE" | head -n -1
+              exit 1
+            fi
+
+            curl --fail-with-body \
+              -X PUT \
+              -H "Authorization: token ${{ secrets.BUILTIN_REGISTRY_PASSWORD || secrets.GITHUB_TOKEN }}" \
+              -H "Content-Type: application/x-rpm" \
+              -T "$SRPM" \
+              "https://forgejo.ellis.link/api/packages/continuwuation/rpm/${GROUP}-src/upload?sign=true"
+
+            echo "✅ Published source RPM to group: ${GROUP}-src"
+          fi

.forgejo/workflows/documentation.yml

@@ -51,7 +51,7 @@ jobs:
 
       - name: Detect runner environment
         id: runner-env
-        uses: ./.forgejo/actions/detect-runner-os
+        uses: https://git.tomfos.tr/actions/detect-versions@v1
 
       - name: Setup Node.js
         if: steps.runner-env.outputs.node_major == '' || steps.runner-env.outputs.node_major < '20'
@@ -63,9 +63,7 @@ jobs:
         uses: actions/cache@v3
         with:
           path: ~/.npm
-          key: ${{ steps.runner-env.outputs.slug }}-node-${{ hashFiles('**/package-lock.json') }}
-          restore-keys: |
-            ${{ steps.runner-env.outputs.slug }}-node-
+          key: continuwuity-${{ steps.runner-env.outputs.slug }}-${{ steps.runner-env.outputs.arch }}-node-${{ steps.runner-env.outputs.node_version }}
 
       - name: Install dependencies
         run: npm install --save-dev wrangler@latest

.forgejo/workflows/renovate.yml

@@ -43,7 +43,7 @@ jobs:
     name: Renovate
     runs-on: ubuntu-latest
     container:
-      image: ghcr.io/renovatebot/renovate:41.122.3@sha256:1ea1fb8fc3e3cc5cec1340c6b25ac0de53c41662c7d65f46aeb8ca42282c93e9
+      image: ghcr.io/renovatebot/renovate:41.146.4@sha256:bb70194b7405faf10a6f279b60caa10403a440ba37d158c5a4ef0ae7b67a0f92
       options: --tmpfs /tmp:exec
     steps:
       - name: Checkout
@@ -59,27 +59,27 @@ jobs:
         with:
           path: |
             /tmp/renovate/cache/renovate/repository
-          key: repo-cache-${{ github.run_id }}
+          key: renovate-repo-cache-${{ github.run_id }}
           restore-keys: |
-            repo-cache-
+            renovate-repo-cache-
 
       - name: Restore renovate package cache
         uses: actions/cache/restore@v4
         with:
           path: |
             /tmp/renovate/cache/renovate/renovate-cache-sqlite
-          key: package-cache-${{ github.run_id }}
+          key: renovate-package-cache-${{ github.run_id }}
           restore-keys: |
-            package-cache-
+            renovate-package-cache-
 
       - name: Restore renovate OSV cache
         uses: actions/cache/restore@v4
         with:
           path: |
             /tmp/osv
-          key: osv-cache-${{ github.run_id }}
+          key: renovate-osv-cache-${{ github.run_id }}
           restore-keys: |
-            osv-cache-
+            renovate-osv-cache-
 
       - name: Self-hosted Renovate
         run: renovate
@@ -113,7 +113,7 @@ jobs:
         with:
           path: |
             /tmp/renovate/cache/renovate/repository
-          key: repo-cache-${{ github.run_id }}
+          key: renovate-repo-cache-${{ github.run_id }}
 
       - name: Save renovate package cache
         if: always()
@@ -121,7 +121,7 @@ jobs:
         with:
           path: |
             /tmp/renovate/cache/renovate/renovate-cache-sqlite
-          key: package-cache-${{ github.run_id }}
+          key: renovate-package-cache-${{ github.run_id }}
 
       - name: Save renovate OSV cache
         if: always()
@@ -129,4 +129,4 @@ jobs:
         with:
           path: |
             /tmp/osv
-          key: osv-cache-${{ github.run_id }}
+          key: renovate-osv-cache-${{ github.run_id }}

.forgejo/workflows/update-flake-hashes.yml

@@ -7,6 +7,7 @@ on:
       - "Cargo.lock"
       - "Cargo.toml"
       - "rust-toolchain.toml"
+      - ".forgejo/workflows/update-flake-hashes.yml"
 
 jobs:
   update-flake-hashes:
@@ -14,13 +15,13 @@ jobs:
     steps:
       - uses: https://code.forgejo.org/actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5
         with:
-          fetch-depth: 1
+          fetch-depth: 0
           fetch-tags: false
           fetch-single-branch: true
           submodules: false
           persist-credentials: false
 
-      - uses: https://github.com/cachix/install-nix-action@a809471b5c7c913aa67bec8f459a11a0decc3fce # v31.6.2
+      - uses: https://github.com/cachix/install-nix-action@7ab6e7fd29da88e74b1e314a4ae9ac6b5cda3801 # v31.8.0
         with:
           nix_path: nixpkgs=channel:nixos-unstable
 

Cargo.toml

@@ -551,9 +551,9 @@ features = ["std"]
 version = "1.0.2"
 
 [workspace.dependencies.ldap3]
-version = "0.11.5"
+version = "0.12.0"
 default-features = false
-features = ["sync", "tls-rustls"]
+features = ["sync", "tls-rustls", "rustls-provider"]
 
 [workspace.dependencies.resolv-conf]
 version = "0.7.5"

docker/Dockerfile

@@ -48,7 +48,7 @@ EOF
 
 # Developer tool versions
 # renovate: datasource=github-releases depName=cargo-bins/cargo-binstall
-ENV BINSTALL_VERSION=1.15.5
+ENV BINSTALL_VERSION=1.15.7
 # renovate: datasource=github-releases depName=psastras/sbom-rs
 ENV CARGO_SBOM_VERSION=0.9.1
 # renovate: datasource=crate depName=lddtree
@@ -166,7 +166,7 @@ ARG RUST_PROFILE=release
 # Build the binary
 RUN --mount=type=cache,target=/usr/local/cargo/registry \
     --mount=type=cache,target=/usr/local/cargo/git/db \
-    --mount=type=cache,target=/app/target,id=cargo-target-${TARGET_CPU}-${TARGETPLATFORM}-${RUST_PROFILE} \
+    --mount=type=cache,target=/app/target,id=continuwuity-cargo-target-${TARGET_CPU}-${TARGETPLATFORM}-${RUST_PROFILE} \
     bash <<'EOF'
     set -o allexport
     set -o xtrace

docker/musl.Dockerfile

@@ -18,7 +18,7 @@ RUN --mount=type=cache,target=/etc/apk/cache apk add \
 
 # Developer tool versions
 # renovate: datasource=github-releases depName=cargo-bins/cargo-binstall
-ENV BINSTALL_VERSION=1.15.5
+ENV BINSTALL_VERSION=1.15.7
 # renovate: datasource=github-releases depName=psastras/sbom-rs
 ENV CARGO_SBOM_VERSION=0.9.1
 # renovate: datasource=crate depName=lddtree
@@ -122,7 +122,7 @@ ARG RUST_PROFILE=release
 # Build the binary
 RUN --mount=type=cache,target=/usr/local/cargo/registry \
     --mount=type=cache,target=/usr/local/cargo/git/db \
-    --mount=type=cache,target=/app/target,id=cargo-target-${TARGET_CPU}-${TARGETPLATFORM}-musl-${RUST_PROFILE} \
+    --mount=type=cache,target=/app/target,id=continuwuity-cargo-target-${TARGET_CPU}-${TARGETPLATFORM}-musl-${RUST_PROFILE} \
     bash <<'EOF'
     set -o allexport
     set -o xtrace

docs/SUMMARY.md

@@ -10,6 +10,7 @@ # Summary
   - [Kubernetes](deploying/kubernetes.md)
   - [Arch Linux](deploying/arch-linux.md)
   - [Debian](deploying/debian.md)
+  - [Fedora](deploying/fedora.md)
   - [FreeBSD](deploying/freebsd.md)
 - [TURN](turn.md)
 - [Appservices](appservices.md)

docs/deploying/fedora.md

@@ -0,0 +1,201 @@
+# RPM Installation Guide
+
+Continuwuity is available as RPM packages for Fedora, RHEL, and compatible distributions.
+
+The RPM packaging files are maintained in the `fedora/` directory:
+- `continuwuity.spec.rpkg` - RPM spec file using rpkg macros for building from git
+- `continuwuity.service` - Systemd service file for the server
+- `RPM-GPG-KEY-continuwuity.asc` - GPG public key for verifying signed packages
+
+RPM packages built by CI are signed with our GPG key (Ed25519, ID: `5E0FF73F411AAFCA`).
+
+```bash
+# Import the signing key
+sudo rpm --import https://forgejo.ellis.link/continuwuation/continuwuity/raw/branch/main/fedora/RPM-GPG-KEY-continuwuity.asc
+
+# Verify a downloaded package
+rpm --checksig continuwuity-*.rpm
+```
+
+## Installation methods
+
+**Stable releases** (recommended)
+
+```bash
+# Add the repository and install
+sudo dnf config-manager addrepo --from-repofile=https://forgejo.ellis.link/api/packages/continuwuation/rpm/stable/continuwuation.repo
+sudo dnf install continuwuity
+```
+
+**Development builds** from main branch
+
+```bash
+# Add the dev repository and install
+sudo dnf config-manager addrepo --from-repofile=https://forgejo.ellis.link/api/packages/continuwuation/rpm/dev/continuwuation.repo
+sudo dnf install continuwuity
+```
+
+**Feature branch builds** (example: `tom/new-feature`)
+
+```bash
+# Branch names are sanitized (slashes become hyphens, lowercase only)
+sudo dnf config-manager addrepo --from-repofile=https://forgejo.ellis.link/api/packages/continuwuation/rpm/tom-new-feature/continuwuation.repo
+sudo dnf install continuwuity
+```
+
+**Direct installation** without adding repository
+
+```bash
+# Latest stable release
+sudo dnf install https://forgejo.ellis.link/api/packages/continuwuation/rpm/stable/continuwuity
+
+# Latest development build
+sudo dnf install https://forgejo.ellis.link/api/packages/continuwuation/rpm/dev/continuwuity
+
+# Specific feature branch
+sudo dnf install https://forgejo.ellis.link/api/packages/continuwuation/rpm/branch-name/continuwuity
+```
+
+**Manual repository configuration** (alternative method)
+
+```bash
+cat << 'EOF' | sudo tee /etc/yum.repos.d/continuwuity.repo
+[continuwuity]
+name=Continuwuity - Matrix homeserver
+baseurl=https://forgejo.ellis.link/api/packages/continuwuation/rpm/stable
+enabled=1
+gpgcheck=1
+gpgkey=https://forgejo.ellis.link/continuwuation/continuwuity/raw/branch/main/fedora/RPM-GPG-KEY-continuwuity.asc
+EOF
+
+sudo dnf install continuwuity
+```
+
+## Package management
+
+**Automatic updates** with DNF Automatic
+
+```bash
+# Install and configure
+sudo dnf install dnf-automatic
+sudo nano /etc/dnf/automatic.conf  # Set: apply_updates = yes
+sudo systemctl enable --now dnf-automatic.timer
+```
+
+**Manual updates**
+
+```bash
+# Check for updates
+sudo dnf check-update continuwuity
+
+# Update to latest version
+sudo dnf update continuwuity
+```
+
+**Switching channels** (stable/dev/feature branches)
+
+```bash
+# List enabled repositories
+dnf repolist | grep continuwuation
+
+# Disable current repository
+sudo dnf config-manager --set-disabled continuwuation-stable  # or -dev, or branch name
+
+# Enable desired repository
+sudo dnf config-manager --set-enabled continuwuation-dev  # or -stable, or branch name
+
+# Update to the new channel's version
+sudo dnf update continuwuity
+```
+
+**Verifying installation**
+
+```bash
+# Check installed version
+rpm -q continuwuity
+
+# View package information
+rpm -qi continuwuity
+
+# List installed files
+rpm -ql continuwuity
+
+# Verify package integrity
+rpm -V continuwuity
+```
+
+## Service management and removal
+
+**Systemd service commands**
+
+```bash
+# Start the service
+sudo systemctl start conduwuit
+
+# Enable on boot
+sudo systemctl enable conduwuit
+
+# Check status
+sudo systemctl status conduwuit
+
+# View logs
+sudo journalctl -u conduwuit -f
+```
+
+**Uninstallation**
+
+```bash
+# Stop and disable the service
+sudo systemctl stop conduwuit
+sudo systemctl disable conduwuit
+
+# Remove the package
+sudo dnf remove continuwuity
+
+# Remove the repository (optional)
+sudo rm /etc/yum.repos.d/continuwuation-*.repo
+```
+
+## Troubleshooting
+
+**GPG key errors**: Temporarily disable GPG checking
+
+```bash
+sudo dnf --nogpgcheck install continuwuity
+```
+
+**Repository metadata issues**: Clear and rebuild cache
+
+```bash
+sudo dnf clean all
+sudo dnf makecache
+```
+
+**Finding specific versions**
+
+```bash
+# List all available versions
+dnf --showduplicates list continuwuity
+
+# Install a specific version
+sudo dnf install continuwuity-<version>
+```
+
+## Building locally
+
+Build the RPM locally using rpkg:
+
+```bash
+# Install dependencies
+sudo dnf install rpkg rpm-build cargo-rpm-macros systemd-rpm-macros
+
+# Clone the repository
+git clone https://forgejo.ellis.link/continuwuation/continuwuity.git
+cd continuwuity
+
+# Build SRPM
+rpkg srpm
+
+# Build RPM
+rpmbuild --rebuild *.src.rpm
+```

flake.lock

@@ -10,11 +10,11 @@
         "nixpkgs-stable": "nixpkgs-stable"
       },
       "locked": {
-        "lastModified": 1757683818,
-        "narHash": "sha256-q7q0pWT+wu5AUU1Qlbwq8Mqb+AzHKhaMCVUq/HNZfo8=",
+        "lastModified": 1758711588,
+        "narHash": "sha256-0nZlCCDC5PfndsQJXXtcyrtrfW49I3KadGMDlutzaGU=",
         "owner": "zhaofengli",
         "repo": "attic",
-        "rev": "7c5d79ad62cda340cb8c80c99b921b7b7ffacf69",
+        "rev": "12cbeca141f46e1ade76728bce8adc447f2166c6",
         "type": "github"
       },
       "original": {
@@ -99,11 +99,11 @@
     },
     "crane_2": {
       "locked": {
-        "lastModified": 1757183466,
-        "narHash": "sha256-kTdCCMuRE+/HNHES5JYsbRHmgtr+l9mOtf5dpcMppVc=",
+        "lastModified": 1759893430,
+        "narHash": "sha256-yAy4otLYm9iZ+NtQwTMEbqHwswSFUbhn7x826RR6djw=",
         "owner": "ipetkov",
         "repo": "crane",
-        "rev": "d599ae4847e7f87603e7082d73ca673aa93c916d",
+        "rev": "1979a2524cb8c801520bd94c38bb3d5692419d93",
         "type": "github"
       },
       "original": {
@@ -152,11 +152,11 @@
         "rust-analyzer-src": "rust-analyzer-src"
       },
       "locked": {
-        "lastModified": 1758004879,
-        "narHash": "sha256-kV7tQzcNbmo58wg2uE2MQ/etaTx+PxBMHeNrLP8vOgk=",
+        "lastModified": 1760337631,
+        "narHash": "sha256-3nvEN2lEpWtM1x7nfuiwpYHLNDgEUiWeBbyvy4vtVw8=",
         "owner": "nix-community",
         "repo": "fenix",
-        "rev": "07e5ce53dd020e6b337fdddc934561bee0698fa2",
+        "rev": "fee7cf67cbd80a74460563388ac358b394014238",
         "type": "github"
       },
       "original": {
@@ -455,11 +455,11 @@
     },
     "nixpkgs_3": {
       "locked": {
-        "lastModified": 1758029226,
-        "narHash": "sha256-TjqVmbpoCqWywY9xIZLTf6ANFvDCXdctCjoYuYPYdMI=",
+        "lastModified": 1760256791,
+        "narHash": "sha256-uTpzDHRASEDeFUuToWSQ46Re8beXyG9dx4W36FQa0/c=",
         "owner": "NixOS",
         "repo": "nixpkgs",
-        "rev": "08b8f92ac6354983f5382124fef6006cade4a1c1",
+        "rev": "832e3b6db48508ae436c2c7bfc0cf914eac6938e",
         "type": "github"
       },
       "original": {
@@ -484,11 +484,11 @@
     "rust-analyzer-src": {
       "flake": false,
       "locked": {
-        "lastModified": 1757362324,
-        "narHash": "sha256-/PAhxheUq4WBrW5i/JHzcCqK5fGWwLKdH6/Lu1tyS18=",
+        "lastModified": 1760260966,
+        "narHash": "sha256-pOVvZz/aa+laeaUKyE6PtBevdo4rywMwjhWdSZE/O1c=",
         "owner": "rust-lang",
         "repo": "rust-analyzer",
-        "rev": "9edc9cbe5d8e832b5864e09854fa94861697d2fd",
+        "rev": "c5181dbbe33af6f21b9d83e02fdb6fda298a3b65",
         "type": "github"
       },
       "original": {

flake.nix

@@ -65,10 +65,10 @@
                     domain = "forgejo.ellis.link";
                     owner = "continuwuation";
                     repo = "rocksdb";
-                    rev = "10.4.fb";
-                    sha256 = "sha256-/Hvy1yTH/0D5aa7bc+/uqFugCQq4InTdwlRw88vA5IY=";
+                    rev = "10.5.fb";
+                    sha256 = "sha256-X4ApGLkHF9ceBtBg77dimEpu720I79ffLoyPa8JMHaU=";
                   };
-                  version = "v10.4.fb";
+                  version = "v10.5.fb";
                   cmakeFlags =
                     pkgs.lib.subtractLists [
                       # No real reason to have snappy or zlib, no one uses this

pkg/debian/README.md

@@ -1,12 +1,28 @@
 # Continuwuity for Debian
 
-This document provides information about downloading and deploying the Debian package. You can also use this guide for other `apt`-based distributions such as Ubuntu.
+This document provides information about downloading and deploying the Debian package. You can also use this guide for other deb-based distributions such as Ubuntu.
 
 ### Installation
 
-See the [generic deployment guide](../deploying/generic.md) for additional information about using the Debian package.
+To add the Continuwuation apt repository:
+```bash
+# Replace with `"dev"` for bleeding-edge builds at your own risk
+export COMPONENT="stable"
+# Import the Continuwuation signing key
+sudo curl https://forgejo.ellis.link/api/packages/continuwuation/debian/repository.key -o /etc/apt/keyrings/forgejo-continuwuation.asc
+# Add a new apt source list pointing to the repository
+echo "deb [signed-by=/etc/apt/keyrings/forgejo-continuwuation.asc] https://forgejo.ellis.link/api/packages/continuwuation/debian $(lsb_release -sc) $COMPONENT" | sudo tee /etc/apt/sources.list.d/continuwuation.list
+# Update remote package lists
+sudo apt update
+```
 
-No `apt` repository is currently available. This feature is in development.
+To install continuwuity:
+```bash
+sudo apt install continuwuity
+```
+The `continuwuity` package conflicts with the old `conduwuit` package and will remove it automatically when installed.
+
+See the [generic deployment guide](../deploying/generic.md) for additional information about using the Debian package.
 
 ### Configuration
 
@@ -16,7 +32,7 @@ ### Configuration
 
 ### Running
 
-The package uses the [`conduwuit.service`](../configuration/examples.md#example-systemd-unit-file) systemd unit file to start and stop Continuwuity. The binary installs at `/usr/sbin/conduwuit`.
+The package uses the [`conduwuit.service`](../configuration/examples.md#example-systemd-unit-file) systemd unit file to start and stop Continuwuity. The binary installs at `/usr/bin/conduwuit`.
 
 By default, this package assumes that Continuwuity runs behind a reverse proxy. The default configuration options apply (listening on `localhost` and TCP port `6167`). Matrix federation requires a valid domain name and TLS. To federate properly, you must set up TLS certificates and certificate renewal.
 

pkg/fedora/continuwuity.spec.rpkg

@@ -1,6 +1,5 @@
-# This should be run using rpkg-util: https://docs.pagure.org/rpkg-util
+# This should be run using rpkg: https://docs.pagure.org/rpkg
 # it requires Internet access and is not suitable for Fedora main repos
-# TODO: rpkg-util is no longer maintained, find a replacement
 
 Name:           continuwuity
 Version:        {{{ git_repo_version }}}

renovate.json

@@ -64,12 +64,8 @@
             "matchDatasources": ["docker"],
             "matchPackageNames": ["ghcr.io/renovatebot/renovate"],
             "automerge": true,
-            "automergeStrategy": "fast-forward"
-        },
-        {
-            "description": "Group lockfile updates into a single PR",
-            "matchUpdateTypes": ["lockFileMaintenance"],
-            "groupName": "lockfile-maintenance"
+            "automergeStrategy": "fast-forward",
+            "extends": ["schedule:earlyMondays"]
         }
     ],
     "customManagers": [
@@ -81,7 +77,7 @@
            "/(^|/|\\.)([Dd]ocker|[Cc]ontainer)file$/"
          ],
          "matchStrings": [
-           "# renovate: datasource=(?<datasource>[a-z-.]+?) depName=(?<depName>[^\\s]+?)(?: (lookupName|packageName)=(?<packageName>[^\\s]+?))?(?: versioning=(?<versioning>[^\\s]+?))?(?: extractVersion=(?<extractVersion>[^\\s]+?))?(?: registryUrl=(?<registryUrl>[^\\s]+?))?\\s+(?:ENV|ARG)\\s+[A-Za-z0-9_]+?_VERSION[ =][\"']?(?<currentValue>.+?)[\"']?\\s"
+           "# renovate: datasource=(?<datasource>[a-zA-Z0-9-._]+?) depName=(?<depName>[^\\s]+?)(?: (lookupName|packageName)=(?<packageName>[^\\s]+?))?(?: versioning=(?<versioning>[^\\s]+?))?(?: extractVersion=(?<extractVersion>[^\\s]+?))?(?: registryUrl=(?<registryUrl>[^\\s]+?))?\\s+(?:ENV\\s+|ARG\\s+)?[A-Za-z0-9_]+?_VERSION[ =][\"']?(?<currentValue>.+?)[\"']?\\s+(?:(?:ENV\\s+|ARG\\s+)?[A-Za-z0-9_]+?_CHECKSUM[ =][\"']?(?<currentDigest>.+?)[\"']?\\s)?"
          ]
        }
     ]

src/api/client/media.rs

@@ -64,10 +64,14 @@ pub(crate) async fn create_content_route(
 		media_id: &utils::random_string(MXC_LENGTH),
 	};
 
-	services
+	if let Err(e) = services
 		.media
 		.create(mxc, Some(user), Some(&content_disposition), content_type, &body.file)
-		.await?;
+		.await
+	{
+		err!("Failed to save uploaded media: {e}");
+		return Err!(Request(Unknown("Failed to save uploaded media")));
+	}
 
 	let blurhash = body.generate_blurhash.then(|| {
 		services

src/api/client/room/upgrade.rs

@@ -2,7 +2,7 @@
 
 use axum::extract::State;
 use conduwuit::{
-	Err, Error, Event, Result, debug, err, info,
+	Err, Error, Event, Result, RoomVersion, debug, err, info,
 	matrix::{StateKey, pdu::PduBuilder},
 };
 use futures::{FutureExt, StreamExt};
@@ -68,37 +68,77 @@ pub(crate) async fn upgrade_room_route(
 		return Err!(Request(UserSuspended("You cannot perform this action while suspended.")));
 	}
 
+	// First, check if the user has permission to upgrade the room (send tombstone
+	// event)
+	let old_room_state_lock = services.rooms.state.mutex.lock(&body.room_id).await;
+
+	// Check tombstone permission by attempting to create (but not send) the event
+	// Note that this does internally call the policy server with a fake room ID,
+	// which may not be good?
+	let tombstone_test_result = services
+		.rooms
+		.timeline
+		.create_hash_and_sign_event(
+			PduBuilder::state(StateKey::new(), &RoomTombstoneEventContent {
+				body: "This room has been replaced".to_owned(),
+				replacement_room: RoomId::new(services.globals.server_name()),
+			}),
+			sender_user,
+			Some(&body.room_id),
+			&old_room_state_lock,
+		)
+		.await;
+
+	if let Err(_e) = tombstone_test_result {
+		return Err!(Request(Forbidden("User does not have permission to upgrade this room.")));
+	}
+
+	drop(old_room_state_lock);
+
 	// Create a replacement room
-	let replacement_room = RoomId::new(services.globals.server_name());
+	let room_features = RoomVersion::new(&body.new_version)?;
+	let replacement_room_owned = if !room_features.room_ids_as_hashes {
+		Some(RoomId::new(services.globals.server_name()))
+	} else {
+		None
+	};
+	let replacement_room: Option<&RoomId> = replacement_room_owned.as_ref().map(AsRef::as_ref);
+	let replacement_room_tmp = match replacement_room {
+		| Some(v) => v,
+		| None => &RoomId::new(services.globals.server_name()),
+	};
 
 	let _short_id = services
 		.rooms
 		.short
-		.get_or_create_shortroomid(&replacement_room)
+		.get_or_create_shortroomid(replacement_room_tmp)
 		.await;
 
-	let state_lock = services.rooms.state.mutex.lock(&body.room_id).await;
-
-	// Send a m.room.tombstone event to the old room to indicate that it is not
-	// intended to be used any further Fail if the sender does not have the required
-	// permissions
-	let tombstone_event_id = services
-		.rooms
-		.timeline
-		.build_and_append_pdu(
-			PduBuilder::state(StateKey::new(), &RoomTombstoneEventContent {
-				body: "This room has been replaced".to_owned(),
-				replacement_room: replacement_room.clone(),
-			}),
-			sender_user,
-			Some(&body.room_id),
-			&state_lock,
-		)
-		.await?;
-
-	// Change lock to replacement room
-	drop(state_lock);
-	let state_lock = services.rooms.state.mutex.lock(&replacement_room).await;
+	// For pre-v12 rooms, send tombstone before creating replacement room
+	let tombstone_event_id = if !room_features.room_ids_as_hashes {
+		let state_lock = services.rooms.state.mutex.lock(&body.room_id).await;
+		// Send a m.room.tombstone event to the old room to indicate that it is not
+		// intended to be used any further
+		let tombstone_event_id = services
+			.rooms
+			.timeline
+			.build_and_append_pdu(
+				PduBuilder::state(StateKey::new(), &RoomTombstoneEventContent {
+					body: "This room has been replaced".to_owned(),
+					replacement_room: replacement_room.unwrap().to_owned(),
+				}),
+				sender_user,
+				Some(&body.room_id),
+				&state_lock,
+			)
+			.await?;
+		// Change lock to replacement room
+		drop(state_lock);
+		Some(tombstone_event_id)
+	} else {
+		None
+	};
+	let state_lock = services.rooms.state.mutex.lock(replacement_room_tmp).await;
 
 	// Get the old room creation event
 	let mut create_event_content: CanonicalJsonObject = services
@@ -111,7 +151,7 @@ pub(crate) async fn upgrade_room_route(
 	// Use the m.room.tombstone event as the predecessor
 	let predecessor = Some(ruma::events::room::create::PreviousRoom::new(
 		body.room_id.clone(),
-		Some(tombstone_event_id),
+		tombstone_event_id,
 	));
 
 	// Send a m.room.create event containing a predecessor field and the applicable
@@ -132,6 +172,7 @@ pub(crate) async fn upgrade_room_route(
 				// "creator" key no longer exists in V11 rooms
 				create_event_content.remove("creator");
 			},
+			// TODO(hydra): additional_creators
 		}
 	}
 
@@ -159,7 +200,7 @@ pub(crate) async fn upgrade_room_route(
 		return Err(Error::BadRequest(ErrorKind::BadJson, "Error forming creation event"));
 	}
 
-	services
+	let create_event_id = services
 		.rooms
 		.timeline
 		.build_and_append_pdu(
@@ -173,11 +214,18 @@ pub(crate) async fn upgrade_room_route(
 				timestamp: None,
 			},
 			sender_user,
-			Some(&replacement_room),
+			replacement_room,
 			&state_lock,
 		)
 		.boxed()
 		.await?;
+	let create_id = create_event_id.as_str().replace('$', "!");
+	let (replacement_room, state_lock) = if room_features.room_ids_as_hashes {
+		let parsed_room_id = RoomId::parse(&create_id)?;
+		(Some(parsed_room_id), services.rooms.state.mutex.lock(parsed_room_id).await)
+	} else {
+		(replacement_room, state_lock)
+	};
 
 	// Join the new room
 	services
@@ -204,7 +252,7 @@ pub(crate) async fn upgrade_room_route(
 				timestamp: None,
 			},
 			sender_user,
-			Some(&replacement_room),
+			replacement_room,
 			&state_lock,
 		)
 		.boxed()
@@ -243,7 +291,7 @@ pub(crate) async fn upgrade_room_route(
 						..Default::default()
 					},
 					sender_user,
-					Some(&replacement_room),
+					replacement_room,
 					&state_lock,
 				)
 				.boxed()
@@ -268,7 +316,7 @@ pub(crate) async fn upgrade_room_route(
 		services
 			.rooms
 			.alias
-			.set_alias(alias, &replacement_room, sender_user)?;
+			.set_alias(alias, replacement_room.unwrap(), sender_user)?;
 	}
 
 	// Get the old room power levels
@@ -310,6 +358,27 @@ pub(crate) async fn upgrade_room_route(
 
 	drop(state_lock);
 
+	// For v12 rooms, send tombstone AFTER creating replacement room
+	if room_features.room_ids_as_hashes {
+		let old_room_state_lock = services.rooms.state.mutex.lock(&body.room_id).await;
+		// For v12 rooms, no event reference in predecessor due to cyclic dependency -
+		// could best effort one maybe?
+		services
+			.rooms
+			.timeline
+			.build_and_append_pdu(
+				PduBuilder::state(StateKey::new(), &RoomTombstoneEventContent {
+					body: "This room has been replaced".to_owned(),
+					replacement_room: replacement_room.unwrap().to_owned(),
+				}),
+				sender_user,
+				Some(&body.room_id),
+				&old_room_state_lock,
+			)
+			.await?;
+		drop(old_room_state_lock);
+	}
+
 	// Check if the old room has a space parent, and if so, whether we should update
 	// it (m.space.parent, room_id)
 	let parents = services
@@ -334,8 +403,9 @@ pub(crate) async fn upgrade_room_route(
 			continue;
 		};
 		debug!(
-			"Updating space {space_id} child event for room {} to {replacement_room}",
-			&body.room_id
+			"Updating space {space_id} child event for room {} to {}",
+			&body.room_id,
+			replacement_room.unwrap()
 		);
 		// First, drop the space's child event
 		let state_lock = services.rooms.state.mutex.lock(space_id).await;
@@ -359,7 +429,10 @@ pub(crate) async fn upgrade_room_route(
 			.await
 			.ok();
 		// Now, add a new child event for the replacement room
-		debug!("Adding space child event for room {replacement_room} in space {space_id}");
+		debug!(
+			"Adding space child event for room {} in space {space_id}",
+			replacement_room.unwrap()
+		);
 		services
 			.rooms
 			.timeline
@@ -372,7 +445,7 @@ pub(crate) async fn upgrade_room_route(
 						suggested: child.suggested,
 					})
 					.expect("event is valid, we just created it"),
-					state_key: Some(replacement_room.as_str().into()),
+					state_key: Some(replacement_room.unwrap().as_str().into()),
 					..Default::default()
 				},
 				sender_user,
@@ -383,12 +456,15 @@ pub(crate) async fn upgrade_room_route(
 			.await
 			.ok();
 		debug!(
-			"Finished updating space {space_id} child event for room {} to {replacement_room}",
-			&body.room_id
+			"Finished updating space {space_id} child event for room {} to {}",
+			&body.room_id,
+			replacement_room.unwrap()
 		);
 		drop(state_lock);
 	}
 
 	// Return the replacement room id
-	Ok(upgrade_room::v3::Response { replacement_room })
+	Ok(upgrade_room::v3::Response {
+		replacement_room: replacement_room.unwrap().to_owned(),
+	})
 }

src/api/client/sync/v5.rs

@@ -320,6 +320,7 @@ async fn handle_lists<'a, Rooms, AllRooms>(
 
 		for mut range in ranges {
 			range.0 = uint!(0);
+			range.1 = range.1.checked_add(uint!(1)).unwrap_or(range.1);
 			range.1 = range
 				.1
 				.clamp(range.0, UInt::try_from(active_rooms.len()).unwrap_or(UInt::MAX));

src/api/router/request.rs

@@ -34,6 +34,19 @@ pub(super) async fn from(
 
 	let max_body_size = services.server.config.max_request_size;
 
+	// Check if the Content-Length header is present and valid, saves us streaming
+	// the response into memory
+	if let Some(content_length) = parts.headers.get(http::header::CONTENT_LENGTH) {
+		if let Ok(content_length) = content_length
+			.to_str()
+			.map(|s| s.parse::<usize>().unwrap_or_default())
+		{
+			if content_length > max_body_size {
+				return Err(err!(Request(TooLarge("Request body too large"))));
+			}
+		}
+	}
+
 	let body = axum::body::to_bytes(body, max_body_size)
 		.await
 		.map_err(|e| err!(Request(TooLarge("Request body too large: {e}"))))?;

src/core/matrix/state_res/event_auth.rs

@@ -200,11 +200,15 @@ pub async fn auth_check<E, F, Fut>(
 		if incoming_event.room_id().is_some() {
 			let Some(room_id_server_name) = incoming_event.room_id().unwrap().server_name()
 			else {
-				warn!("room ID has no servername");
+				warn!("legacy room ID has no server name");
 				return Ok(false);
 			};
 			if room_id_server_name != sender.server_name() {
-				warn!("servername of room ID does not match servername of sender");
+				warn!(
+					expected = %sender.server_name(),
+					received = %room_id_server_name,
+					"server name of legacy room ID does not match server name of sender"
+				);
 				return Ok(false);
 			}
 		}
@@ -215,12 +219,12 @@ pub async fn auth_check<E, F, Fut>(
 			.room_version
 			.is_some_and(|v| v.deserialize().is_err())
 		{
-			warn!("invalid room version found in m.room.create event");
+			warn!("unsupported room version found in m.room.create event");
 			return Ok(false);
 		}
 
 		if room_version.room_ids_as_hashes && incoming_event.room_id().is_some() {
-			warn!("room create event incorrectly claims a room ID");
+			warn!("room create event incorrectly claims to have a room ID when it should not");
 			return Ok(false);
 		}
 
@@ -229,7 +233,7 @@ pub async fn auth_check<E, F, Fut>(
 		{
 			// If content has no creator field, reject
 			if content.creator.is_none() {
-				warn!("no creator field found in m.room.create content");
+				warn!("m.room.create event incorrectly omits 'creator' field");
 				return Ok(false);
 			}
 		}
@@ -282,16 +286,19 @@ pub async fn auth_check<E, F, Fut>(
 		.room_version
 		.is_some_and(|v| v.deserialize().is_err())
 	{
-		warn!("invalid room version found in m.room.create event");
+		warn!(
+			create_event_id = %room_create_event.event_id(),
+			"unsupported room version found in m.room.create event"
+		);
 		return Ok(false);
 	}
 	let expected_room_id = room_create_event.room_id_or_hash();
 
-	if incoming_event.room_id().unwrap() != expected_room_id {
+	if incoming_event.room_id().expect("event must have a room ID") != expected_room_id {
 		warn!(
 			expected = %expected_room_id,
 			received = %incoming_event.room_id().unwrap(),
-			"room_id of incoming event ({}) does not match room_id of m.room.create event ({})",
+			"room_id of incoming event ({}) does not match that of the m.room.create event ({})",
 			incoming_event.room_id().unwrap(),
 			expected_room_id,
 		);
@@ -304,12 +311,15 @@ pub async fn auth_check<E, F, Fut>(
 		.auth_events()
 		.any(|id| id == room_create_event.event_id());
 	if room_version.room_ids_as_hashes && claims_create_event {
-		warn!("m.room.create event incorrectly found in auth events");
+		warn!("event incorrectly references m.room.create event in auth events");
 		return Ok(false);
 	} else if !room_version.room_ids_as_hashes && !claims_create_event {
 		// If the create event is not referenced in the event's auth events, and this is
 		// a v11 room, reject
-		warn!("no m.room.create event found in auth events");
+		warn!(
+			missing = %room_create_event.event_id(),
+			"event incorrectly did not reference an m.room.create in its auth events"
+		);
 		return Ok(false);
 	}
 
@@ -318,7 +328,7 @@ pub async fn auth_check<E, F, Fut>(
 			warn!(
 				expected = %expected_room_id,
 				received = %pe.room_id().unwrap(),
-				"room_id of power levels event does not match room_id of m.room.create event"
+				"room_id of referenced power levels event does not match that of the m.room.create event"
 			);
 			return Ok(false);
 		}
@@ -332,8 +342,9 @@ pub async fn auth_check<E, F, Fut>(
 		&& room_create_event.sender().server_name() != incoming_event.sender().server_name()
 	{
 		warn!(
-			"room is not federated and event's sender domain does not match create event's \
-			 sender domain"
+			sender = %incoming_event.sender(),
+			create_sender = %room_create_event.sender(),
+			"room is not federated and event's sender domain does not match create event's sender domain"
 		);
 		return Ok(false);
 	}
@@ -416,7 +427,6 @@ pub async fn auth_check<E, F, Fut>(
 			&user_for_join_auth_membership,
 			&room_create_event,
 		)? {
-			warn!("membership change not valid for some reason");
 			return Ok(false);
 		}
 
@@ -429,7 +439,7 @@ pub async fn auth_check<E, F, Fut>(
 	let sender_member_event = match sender_member_event {
 		| Some(mem) => mem,
 		| None => {
-			warn!("sender not found in room");
+			warn!("sender has no membership event");
 			return Ok(false);
 		},
 	};
@@ -440,7 +450,7 @@ pub async fn auth_check<E, F, Fut>(
 		!= expected_room_id
 	{
 		warn!(
-			"room_id of incoming event ({}) does not match room_id of m.room.create event ({})",
+			"room_id of incoming event ({}) does not match that of the m.room.create event ({})",
 			sender_member_event
 				.room_id()
 				.expect("event must have a room ID"),
@@ -453,8 +463,7 @@ pub async fn auth_check<E, F, Fut>(
 		from_json_str(sender_member_event.content().get())?;
 	let Some(membership_state) = sender_membership_event_content.membership else {
 		warn!(
-			sender_membership_event_content = format!("{sender_membership_event_content:?}"),
-			event_id = format!("{}", incoming_event.event_id()),
+			?sender_membership_event_content,
 			"Sender membership event content missing membership field"
 		);
 		return Err(Error::InvalidPdu("Missing membership field".to_owned()));
@@ -462,7 +471,11 @@ pub async fn auth_check<E, F, Fut>(
 	let membership_state = membership_state.deserialize()?;
 
 	if !matches!(membership_state, MembershipState::Join) {
-		warn!("sender's membership is not join");
+		warn!(
+			%sender,
+			?membership_state,
+			"sender cannot send events without being joined to the room"
+		);
 		return Ok(false);
 	}
 
@@ -522,7 +535,12 @@ pub async fn auth_check<E, F, Fut>(
 		};
 
 		if sender_power_level < invite_level {
-			warn!("sender's cannot send invites in this room");
+			warn!(
+				%sender,
+				has=?sender_power_level,
+				required=?invite_level,
+				"sender cannot send invites in this room"
+			);
 			return Ok(false);
 		}
 
@@ -534,7 +552,11 @@ pub async fn auth_check<E, F, Fut>(
 	// level, reject If the event has a state_key that starts with an @ and does
 	// not match the sender, reject.
 	if !can_send_event(incoming_event, power_levels_event.as_ref(), sender_power_level) {
-		warn!("user cannot send event");
+		warn!(
+			%sender,
+			event_type=?incoming_event.kind(),
+			"sender cannot send event"
+		);
 		return Ok(false);
 	}
 
@@ -579,6 +601,12 @@ pub async fn auth_check<E, F, Fut>(
 		};
 
 		if !check_redaction(room_version, incoming_event, sender_power_level, redact_level)? {
+			warn!(
+				%sender,
+				?sender_power_level,
+				?redact_level,
+				"redaction event was not allowed"
+			);
 			return Ok(false);
 		}
 	}
@@ -759,7 +787,7 @@ struct GetThirdPartyInvite {
 
 			if prev_event_is_create_event && no_more_prev_events {
 				trace!(
-					sender = %sender,
+					%sender,
 					target_user = %target_user,
 					?sender_creator,
 					?target_creator,
@@ -779,22 +807,33 @@ struct GetThirdPartyInvite {
 			);
 			if sender != target_user {
 				// If the sender does not match state_key, reject.
-				warn!("Can't make other user join");
+				warn!(
+					%sender,
+					target_user = %target_user,
+					"sender cannot join on behalf of another user"
+				);
 				false
 			} else if target_user_current_membership == MembershipState::Ban {
 				// If the sender is banned, reject.
-				warn!(?target_user_membership_event_id, "Banned user can't join");
+				warn!(
+					%sender,
+					membership_event_id = ?target_user_membership_event_id,
+					"sender cannot join as they are banned from the room"
+				);
 				false
 			} else {
 				match join_rules {
 					| JoinRule::Invite =>
 						if !membership_allows_join {
 							warn!(
-								membership=?target_user_current_membership,
-								"Join rule is invite but membership does not allow join"
+								%sender,
+								membership_event_id = ?target_user_membership_event_id,
+								membership = ?target_user_current_membership,
+								"sender cannot join as they are not invited to the invite-only room"
 							);
 							false
 						} else {
+							trace!(sender=%sender, "sender is invited to room, allowing join");
 							true
 						},
 					| JoinRule::Knock if !room_version.allow_knocking => {
@@ -804,11 +843,14 @@ struct GetThirdPartyInvite {
 					| JoinRule::Knock =>
 						if !membership_allows_join {
 							warn!(
+								%sender,
+								membership_event_id = ?target_user_membership_event_id,
 								membership=?target_user_current_membership,
-								"Join rule is knock but membership does not allow join"
+								"sender cannot join a knock room without being invited or already joined"
 							);
 							false
 						} else {
+							trace!(sender=%sender, "sender is invited or already joined to room, allowing join");
 							true
 						},
 					| JoinRule::KnockRestricted(_) if !room_version.knock_restricted_join_rule =>
@@ -820,33 +862,55 @@ struct GetThirdPartyInvite {
 					},
 					| JoinRule::KnockRestricted(_) => {
 						if membership_allows_join || user_for_join_auth_is_valid {
+							trace!(
+								%sender,
+								%membership_allows_join,
+								%user_for_join_auth_is_valid,
+								"sender is invited, already joined to, or authorised to join the room, allowing join"
+							);
 							true
 						} else {
 							warn!(
+								%sender,
+								membership_event_id = ?target_user_membership_event_id,
 								membership=?target_user_current_membership,
-								"Join rule is a restricted one, but no valid authorising user \
-								 was given and the sender's current membership does not permit \
-								 a join transition"
+								%user_for_join_auth_is_valid,
+								?user_for_join_auth,
+								"sender cannot join as they are not invited nor already joined to the room, nor was a \
+								 valid authorising user given to permit the join"
 							);
 							false
 						}
 					},
 					| JoinRule::Restricted(_) =>
 						if membership_allows_join || user_for_join_auth_is_valid {
+							trace!(
+								%sender,
+								%membership_allows_join,
+								%user_for_join_auth_is_valid,
+								"sender is invited, already joined to, or authorised to join the room, allowing join"
+							);
 							true
 						} else {
 							warn!(
-								"Join rule is a restricted one but no valid authorising user \
-								 was given"
+								%sender,
+								membership_event_id = ?target_user_membership_event_id,
+								membership=?target_user_current_membership,
+								%user_for_join_auth_is_valid,
+								?user_for_join_auth,
+								"sender cannot join as they are not invited nor already joined to the room, nor was a \
+								 valid authorising user given to permit the join"
 							);
 							false
 						},
-					| JoinRule::Public => true,
+					| JoinRule::Public => {
+						trace!(%sender, "join rule is public, allowing join");
+						true
+					},
 					| _ => {
 						warn!(
 							join_rule=?join_rules,
-							membership=?target_user_current_membership,
-							"Unknown join rule doesn't allow joining, or the rule's conditions were not met"
+							"Join rule is unknown, or the rule's conditions were not met"
 						);
 						false
 					},
@@ -873,16 +937,23 @@ struct GetThirdPartyInvite {
 						}
 						allow
 					},
-				| _ => {
-					if !sender_is_joined
-						|| target_user_current_membership == MembershipState::Join
-						|| target_user_current_membership == MembershipState::Ban
-					{
+				| _ =>
+					if !sender_is_joined {
+						warn!(
+							%sender,
+							?sender_membership_event_id,
+							?sender_membership,
+							"sender cannot produce an invite without being joined to the room",
+						);
+						false
+					} else if matches!(
+						target_user_current_membership,
+						MembershipState::Join | MembershipState::Ban
+					) {
 						warn!(
 							?target_user_membership_event_id,
-							?sender_membership_event_id,
-							"Can't invite user if sender not joined or the user is currently \
-							 joined or banned",
+							?target_user_current_membership,
+							"cannot invite a user who is banned or already joined",
 						);
 						false
 					} else {
@@ -892,56 +963,107 @@ struct GetThirdPartyInvite {
 								.is_some();
 						if !allow {
 							warn!(
-								?target_user_membership_event_id,
-								?power_levels_event_id,
-								"User does not have enough power to invite",
+								%sender,
+								has=?sender_power,
+								required=?power_levels.invite,
+								"sender does not have enough power to produce invites",
 							);
 						}
+						trace!(
+							%sender,
+							?sender_membership_event_id,
+							?sender_membership,
+							?target_user_membership_event_id,
+							?target_user_current_membership,
+							sender_pl=?sender_power,
+							required_pl=?power_levels.invite,
+							"allowing invite"
+						);
 						allow
-					}
-				},
+					},
 			}
 		},
-		| MembershipState::Leave =>
+		| MembershipState::Leave => {
+			let can_unban = if target_user_current_membership == MembershipState::Ban {
+				sender_creator || sender_power.filter(|&p| p < &power_levels.ban).is_some()
+			} else {
+				true
+			};
+			let can_kick = if !matches!(
+				target_user_current_membership,
+				MembershipState::Ban | MembershipState::Leave
+			) {
+				sender_creator || sender_power.filter(|&p| p < &power_levels.kick).is_some()
+			} else {
+				true
+			};
 			if sender == target_user {
-				let allow = target_user_current_membership == MembershipState::Join
-					|| target_user_current_membership == MembershipState::Invite
-					|| target_user_current_membership == MembershipState::Knock;
+				// self-leave
+				// let allow = target_user_current_membership == MembershipState::Join
+				// 	|| target_user_current_membership == MembershipState::Invite
+				// 	|| target_user_current_membership == MembershipState::Knock;
+				let allow = matches!(
+					target_user_current_membership,
+					MembershipState::Join | MembershipState::Invite | MembershipState::Knock
+				);
 				if !allow {
 					warn!(
-						?target_user_membership_event_id,
-						?target_user_current_membership,
-						"Can't leave if sender is not already invited, knocked, or joined"
+						%sender,
+						current_membership_event_id=?target_user_membership_event_id,
+						current_membership=?target_user_current_membership,
+						"sender cannot leave as they are not already knocking on, invited to, or joined to the room"
 					);
 				}
+				trace!(sender=%sender, "allowing leave");
 				allow
-			} else if !sender_is_joined
-				|| target_user_current_membership == MembershipState::Ban
-					&& (sender_creator
-						|| sender_power.filter(|&p| p < &power_levels.ban).is_some())
-			{
+			} else if !sender_is_joined {
 				warn!(
-					?target_user_membership_event_id,
+					%sender,
 					?sender_membership_event_id,
-					"Can't kick if sender not joined or user is already banned",
+					"sender cannot kick another user as they are not joined to the room",
+				);
+				false
+			} else if !can_unban {
+				// If the target is banned, only a room creator or someone with ban power
+				// level can unban them
+				warn!(
+					%sender,
+					?target_user_membership_event_id,
+					?power_levels_event_id,
+					"sender lacks the power level required to unban users",
+				);
+				false
+			} else if !can_kick {
+				warn!(
+					%sender,
+					%target_user,
+					?target_user_membership_event_id,
+					?target_user_current_membership,
+					?power_levels_event_id,
+					"sender does not have enough power to kick the target",
 				);
 				false
 			} else {
-				let allow = sender_creator
-					|| (sender_power.filter(|&p| p >= &power_levels.kick).is_some()
-						&& target_power < sender_power);
-				if !allow {
-					warn!(
-						?target_user_membership_event_id,
-						?power_levels_event_id,
-						"User does not have enough power to kick",
-					);
-				}
-				allow
-			},
+				trace!(
+					%sender,
+					%target_user,
+					?target_user_membership_event_id,
+					?target_user_current_membership,
+					sender_pl=?sender_power,
+					target_pl=?target_power,
+					required_pl=?power_levels.kick,
+					"allowing kick/unban",
+				);
+				true
+			}
+		},
 		| MembershipState::Ban =>
 			if !sender_is_joined {
-				warn!(?sender_membership_event_id, "Can't ban user if sender is not joined");
+				warn!(
+					%sender,
+					?sender_membership_event_id,
+					"sender cannot ban another user as they are not joined to the room",
+				);
 				false
 			} else {
 				let allow = sender_creator
@@ -949,9 +1071,11 @@ struct GetThirdPartyInvite {
 						&& target_power < sender_power);
 				if !allow {
 					warn!(
+						%sender,
+						%target_user,
 						?target_user_membership_event_id,
 						?power_levels_event_id,
-						"User does not have enough power to ban",
+						"sender does not have enough power to ban the target",
 					);
 				}
 				allow
@@ -977,9 +1101,9 @@ struct GetThirdPartyInvite {
 			} else if sender != target_user {
 				// 3. If `sender` does not match `state_key`, reject.
 				warn!(
-					?sender,
-					?target_user,
-					"Can't make another user knock, sender did not match target"
+					%sender,
+					%target_user,
+					"sender cannot knock on behalf of another user",
 				);
 				false
 			} else if matches!(
@@ -991,15 +1115,25 @@ struct GetThirdPartyInvite {
 				// 5. Otherwise, reject.
 				warn!(
 					?target_user_membership_event_id,
+					?sender_membership,
 					"Knocking with a membership state of ban, invite or join is invalid",
 				);
 				false
 			} else {
+				trace!(%sender, "allowing knock");
 				true
 			}
 		},
 		| _ => {
-			warn!("Unknown membership transition");
+			warn!(
+				%sender,
+				?target_membership,
+				%target_user,
+				%target_user_current_membership,
+				"Unknown or invalid membership transition {} -> {}",
+				target_user_current_membership,
+				target_membership
+			);
 			false
 		},
 	})
@@ -1029,6 +1163,13 @@ fn can_send_event(event: &impl Event, ple: Option<&impl Event>, user_level: Int)
 	if event.state_key().is_some_and(|k| k.starts_with('@'))
 		&& event.state_key() != Some(event.sender().as_str())
 	{
+		warn!(
+			%user_level,
+			required=?event_type_power_level,
+			state_key=?event.state_key(),
+			sender=%event.sender(),
+			"state_key starts with @ but does not match sender",
+		);
 		return false; // permission required to post in this room
 	}
 
@@ -1113,7 +1254,14 @@ fn check_power_levels(
 
 		// If the current value is equal to the sender's current power level, reject
 		if user != power_event.sender() && old_level == Some(&user_level) {
-			warn!("m.room.power_level cannot remove ops == to own");
+			warn!(
+				?old_level,
+				?new_level,
+				?user,
+				%user_level,
+				sender=%power_event.sender(),
+				"cannot alter the power level of a user with the same power level as sender's own"
+			);
 			return Some(false); // cannot remove ops level == to own
 		}
 
@@ -1121,8 +1269,26 @@ fn check_power_levels(
 		// If the new value is higher than the sender's current power level, reject
 		let old_level_too_big = old_level > Some(&user_level);
 		let new_level_too_big = new_level > Some(&user_level);
-		if old_level_too_big || new_level_too_big {
-			warn!("m.room.power_level failed to add ops > than own");
+		if old_level_too_big {
+			warn!(
+				?old_level,
+				?new_level,
+				?user,
+				%user_level,
+				sender=%power_event.sender(),
+				"cannot alter the power level of a user with a higher power level than sender's own"
+			);
+			return Some(false); // cannot add ops greater than own
+		}
+		if new_level_too_big {
+			warn!(
+				?old_level,
+				?new_level,
+				?user,
+				%user_level,
+				sender=%power_event.sender(),
+				"cannot set the power level of a user to a level higher than sender's own"
+			);
 			return Some(false); // cannot add ops greater than own
 		}
 	}
@@ -1139,8 +1305,26 @@ fn check_power_levels(
 		// If the new value is higher than the sender's current power level, reject
 		let old_level_too_big = old_level > Some(&user_level);
 		let new_level_too_big = new_level > Some(&user_level);
-		if old_level_too_big || new_level_too_big {
-			warn!("m.room.power_level failed to add ops > than own");
+		if old_level_too_big {
+			warn!(
+				?old_level,
+				?new_level,
+				?ev_type,
+				%user_level,
+				sender=%power_event.sender(),
+				"cannot alter the power level of an event with a higher power level than sender's own"
+			);
+			return Some(false); // cannot add ops greater than own
+		}
+		if new_level_too_big {
+			warn!(
+				?old_level,
+				?new_level,
+				?ev_type,
+				%user_level,
+				sender=%power_event.sender(),
+				"cannot set the power level of an event to a level higher than sender's own"
+			);
 			return Some(false); // cannot add ops greater than own
 		}
 	}
@@ -1155,7 +1339,13 @@ fn check_power_levels(
 			let old_level_too_big = old_level > user_level;
 			let new_level_too_big = new_level > user_level;
 			if old_level_too_big || new_level_too_big {
-				warn!("m.room.power_level failed to add ops > than own");
+				warn!(
+					?old_level,
+					?new_level,
+					%user_level,
+					sender=%power_event.sender(),
+					"cannot alter the power level of notifications greater than sender's own"
+				);
 				return Some(false); // cannot add ops greater than own
 			}
 		}
@@ -1179,7 +1369,14 @@ fn check_power_levels(
 			let new_level_too_big = new_lvl > user_level;
 
 			if old_level_too_big || new_level_too_big {
-				warn!("cannot add ops > than own");
+				warn!(
+					?old_lvl,
+					?new_lvl,
+					%user_level,
+					sender=%power_event.sender(),
+					action=%lvl_name,
+					"cannot alter the power level of action greater than sender's own",
+				);
 				return Some(false);
 			}
 		}

src/core/matrix/state_res/mod.rs

@@ -36,7 +36,7 @@
 	room_version::RoomVersion,
 };
 use crate::{
-	debug, debug_error,
+	debug, debug_error, err,
 	matrix::{Event, StateKey},
 	state_res::room_version::StateResolutionVersion,
 	trace,
@@ -319,8 +319,19 @@ async fn calculate_conflicted_subgraph<F, Fut, E>(
 			path.pop();
 			continue;
 		}
-		let evt = fetch_event(event_id.clone()).await?;
-		stack.push(evt.auth_events().map(ToOwned::to_owned).collect());
+		trace!(event_id = event_id.as_str(), "fetching event for its auth events");
+		let evt = fetch_event(event_id.clone()).await;
+		if evt.is_none() {
+			err!("could not fetch event {} to calculate conflicted subgraph", event_id);
+			path.pop();
+			continue;
+		}
+		stack.push(
+			evt.expect("checked")
+				.auth_events()
+				.map(ToOwned::to_owned)
+				.collect(),
+		);
 		seen.insert(event_id);
 	}
 	Some(subgraph)

src/main/Cargo.toml

@@ -22,11 +22,13 @@ crate-type = [
 ]
 
 [package.metadata.deb]
-name = "conduwuit"
-maintainer = "strawberry <strawberry@puppygock.gay>"
-copyright = "2024, strawberry <strawberry@puppygock.gay>"
+name = "continuwuity"
+maintainer = "continuwuity developers <contact@continuwuity.org>"
+copyright = "2024, continuwuity developers"
 license-file = ["../../LICENSE", "3"]
 depends = "$auto, ca-certificates"
+breaks = ["conduwuit (<<0.5.0)"]
+replaces = ["conduwuit (<<0.5.0)"]
 extended-description = """\
 a cool hard fork of Conduit, a Matrix homeserver written in Rust"""
 section = "net"
@@ -154,6 +156,7 @@ sentry_telemetry = [
 ]
 systemd = [
 	"conduwuit-router/systemd",
+	"conduwuit-service/systemd"
 ]
 journald = [ # This is a stub on non-unix platforms
 	"dep:tracing-journald",

src/router/Cargo.toml

@@ -40,7 +40,6 @@ io_uring = [
 	"conduwuit-admin/io_uring",
 	"conduwuit-api/io_uring",
 	"conduwuit-service/io_uring",
-	"conduwuit-api/io_uring",
 ]
 jemalloc = [
 	"conduwuit-admin/jemalloc",

src/router/run.rs

@@ -65,7 +65,7 @@ pub(crate) async fn start(server: Arc<Server>) -> Result<Arc<Services>> {
 	let services = Services::build(server).await?.start().await?;
 
 	#[cfg(all(feature = "systemd", target_os = "linux"))]
-	sd_notify::notify(true, &[sd_notify::NotifyState::Ready])
+	sd_notify::notify(false, &[sd_notify::NotifyState::Ready])
 		.expect("failed to notify systemd of ready state");
 
 	debug!("Started");
@@ -78,7 +78,7 @@ pub(crate) async fn stop(services: Arc<Services>) -> Result<()> {
 	debug!("Shutting down...");
 
 	#[cfg(all(feature = "systemd", target_os = "linux"))]
-	sd_notify::notify(true, &[sd_notify::NotifyState::Stopping])
+	sd_notify::notify(false, &[sd_notify::NotifyState::Stopping])
 		.expect("failed to notify systemd of stopping state");
 
 	// Wait for all completions before dropping or we'll lose them to the module

src/service/Cargo.toml

@@ -67,6 +67,9 @@ release_max_log_level = [
 	"tracing/max_level_trace",
 	"tracing/release_max_level_info",
 ]
+systemd = [
+	"dep:sd-notify",
+]
 url_preview = [
 	"dep:image",
 	"dep:webpage",
@@ -119,5 +122,9 @@ blurhash.optional = true
 recaptcha-verify = { version = "0.1.5", default-features = false }
 ctor.workspace = true
 
+[target.'cfg(all(unix, target_os = "linux"))'.dependencies]
+sd-notify.workspace = true
+sd-notify.optional = true
+
 [lints]
 workspace = true

src/service/config/mod.rs

@@ -45,13 +45,16 @@ fn deref(&self) -> &Self::Target { &self.server.config }
 fn handle_reload(&self) -> Result {
 	if self.server.config.config_reload_signal {
 		#[cfg(all(feature = "systemd", target_os = "linux"))]
-		sd_notify::notify(true, &[sd_notify::NotifyState::Reloading])
-			.expect("failed to notify systemd of reloading state");
+		sd_notify::notify(false, &[
+			sd_notify::NotifyState::Reloading,
+			sd_notify::NotifyState::monotonic_usec_now().expect("Failed to read monotonic time"),
+		])
+		.expect("failed to notify systemd of reloading state");
 
 		self.reload(iter::empty())?;
 
 		#[cfg(all(feature = "systemd", target_os = "linux"))]
-		sd_notify::notify(true, &[sd_notify::NotifyState::Ready])
+		sd_notify::notify(false, &[sd_notify::NotifyState::Ready])
 			.expect("failed to notify systemd of ready state");
 	}
 

src/service/media/mod.rs

@@ -90,17 +90,22 @@ pub async fn create(
 		file: &[u8],
 	) -> Result<()> {
 		// Width, Height = 0 if it's not a thumbnail
-		let key = self.db.create_file_metadata(
-			mxc,
-			user,
-			&Dim::default(),
-			content_disposition,
-			content_type,
-		)?;
+		let key = self
+			.db
+			.create_file_metadata(mxc, user, &Dim::default(), content_disposition, content_type)
+			.map_err(|e| {
+				err!(Database(error!("Failed to create media metadata for MXC {mxc}: {e}")))
+			})?;
 
 		//TODO: Dangling metadata in database if creation fails
-		let mut f = self.create_media_file(&key).await?;
-		f.write_all(file).await?;
+		let mut f = self.create_media_file(&key).await.map_err(|e| {
+			err!(Database(error!(
+				"Failed to create media file for MXC {mxc} at key {key:?}: {e}"
+			)))
+		})?;
+		f.write_all(file).await.map_err(|e| {
+			err!(Database(error!("Failed to write media file for MXC {mxc} at key {key:?}: {e}")))
+		})?;
 
 		Ok(())
 	}

src/service/migrations.rs

@@ -9,6 +9,7 @@
 	},
 	warn,
 };
+use database::Json;
 use futures::{FutureExt, StreamExt, TryStreamExt};
 use itertools::Itertools;
 use ruma::{
@@ -606,7 +607,7 @@ async fn fix_corrupt_msc4133_fields(services: &Services) -> Result {
 						);
 					};
 
-					useridprofilekey_value.put((user, key), new_value);
+					useridprofilekey_value.put((user, key), Json(new_value));
 					fixed = fixed.saturating_add(1);
 				}
 				total = total.saturating_add(1);

src/service/rooms/event_handler/fetch_and_handle_outliers.rs

@@ -4,9 +4,8 @@
 };
 
 use conduwuit::{
-	Event, PduEvent, debug, debug_error, debug_warn, implement,
-	matrix::event::gen_event_id_canonical_json, trace, utils::continue_exponential_backoff_secs,
-	warn,
+	Event, PduEvent, debug, debug_warn, implement, matrix::event::gen_event_id_canonical_json,
+	trace, utils::continue_exponential_backoff_secs, warn,
 };
 use ruma::{
 	CanonicalJsonValue, EventId, OwnedEventId, RoomId, ServerName,
@@ -52,12 +51,14 @@ pub(super) async fn fetch_and_handle_outliers<'a, Pdu, Events>(
 	};
 
 	let mut events_with_auth_events = Vec::with_capacity(events.clone().count());
+	trace!("Fetching {} outlier pdus", events.clone().count());
 
 	for id in events {
 		// a. Look in the main timeline (pduid_pdu tree)
 		// b. Look at outlier pdu tree
 		// (get_pdu_json checks both)
 		if let Ok(local_pdu) = self.services.timeline.get_pdu(id).await {
+			trace!("Found {id} in main timeline or outlier tree");
 			events_with_auth_events.push((id.to_owned(), Some(local_pdu), vec![]));
 			continue;
 		}
@@ -104,7 +105,7 @@ pub(super) async fn fetch_and_handle_outliers<'a, Pdu, Events>(
 				continue;
 			}
 
-			debug!("Fetching {next_id} over federation.");
+			debug!("Fetching {next_id} over federation from {origin}.");
 			match self
 				.services
 				.sending
@@ -115,7 +116,7 @@ pub(super) async fn fetch_and_handle_outliers<'a, Pdu, Events>(
 				.await
 			{
 				| Ok(res) => {
-					debug!("Got {next_id} over federation");
+					debug!("Got {next_id} over federation from {origin}");
 					let Ok(room_version_id) = get_room_version_id(create_event) else {
 						back_off((*next_id).to_owned());
 						continue;
@@ -145,6 +146,9 @@ pub(super) async fn fetch_and_handle_outliers<'a, Pdu, Events>(
 								auth_event.clone().into(),
 							) {
 								| Ok(auth_event) => {
+									trace!(
+										"Found auth event id {auth_event} for event {next_id}"
+									);
 									todo_auth_events.push_back(auth_event);
 								},
 								| _ => {
@@ -160,7 +164,7 @@ pub(super) async fn fetch_and_handle_outliers<'a, Pdu, Events>(
 					events_all.insert(next_id);
 				},
 				| Err(e) => {
-					debug_error!("Failed to fetch event {next_id}: {e}");
+					warn!("Failed to fetch auth event {next_id} from {origin}: {e}");
 					back_off((*next_id).to_owned());
 				},
 			}
@@ -175,7 +179,7 @@ pub(super) async fn fetch_and_handle_outliers<'a, Pdu, Events>(
 		// b. Look at outlier pdu tree
 		// (get_pdu_json checks both)
 		if let Some(local_pdu) = local_pdu {
-			trace!("Found {id} in db");
+			trace!("Found {id} in main timeline or outlier tree");
 			pdus.push((local_pdu.clone(), None));
 		}
 
@@ -201,6 +205,7 @@ pub(super) async fn fetch_and_handle_outliers<'a, Pdu, Events>(
 				}
 			}
 
+			trace!("Handling outlier {next_id}");
 			match Box::pin(self.handle_outlier_pdu(
 				origin,
 				create_event,
@@ -213,6 +218,7 @@ pub(super) async fn fetch_and_handle_outliers<'a, Pdu, Events>(
 			{
 				| Ok((pdu, json)) =>
 					if next_id == *id {
+						trace!("Handled outlier {next_id} (original request)");
 						pdus.push((pdu, Some(json)));
 					},
 				| Err(e) => {
@@ -222,6 +228,6 @@ pub(super) async fn fetch_and_handle_outliers<'a, Pdu, Events>(
 			}
 		}
 	}
-
+	trace!("Fetched and handled {} outlier pdus", pdus.len());
 	pdus
 }

src/service/rooms/event_handler/handle_outlier_pdu.rs

@@ -1,11 +1,12 @@
 use std::collections::{BTreeMap, HashMap, hash_map};
 
 use conduwuit::{
-	Err, Event, PduEvent, Result, debug, debug_info, err, implement, state_res, trace, warn,
+	Err, Event, PduEvent, Result, debug, debug_info, debug_warn, err, implement, state_res, trace,
 };
 use futures::future::ready;
 use ruma::{
-	CanonicalJsonObject, CanonicalJsonValue, EventId, RoomId, ServerName, events::StateEventType,
+	CanonicalJsonObject, CanonicalJsonValue, EventId, OwnedEventId, RoomId, ServerName,
+	events::StateEventType,
 };
 
 use super::{check_room_id, get_room_version_id, to_room_version};
@@ -74,36 +75,73 @@ pub(super) async fn handle_outlier_pdu<'a, Pdu>(
 
 	check_room_id(room_id, &pdu_event)?;
 
-	if !auth_events_known {
-		// 4. fetch any missing auth events doing all checks listed here starting at 1.
-		//    These are not timeline events
-		// 5. Reject "due to auth events" if can't get all the auth events or some of
-		//    the auth events are also rejected "due to auth events"
-		// NOTE: Step 5 is not applied anymore because it failed too often
-		debug!("Fetching auth events");
-		Box::pin(self.fetch_and_handle_outliers(
-			origin,
-			pdu_event.auth_events(),
-			create_event,
-			room_id,
-		))
-		.await;
+	// Fetch all auth events
+	let mut auth_events: HashMap<OwnedEventId, PduEvent> = HashMap::new();
+
+	for aid in pdu_event.auth_events() {
+		if let Ok(auth_event) = self.services.timeline.get_pdu(aid).await {
+			check_room_id(room_id, &auth_event)?;
+			trace!("Found auth event {aid} for outlier event {event_id} locally");
+			auth_events.insert(aid.to_owned(), auth_event);
+		} else {
+			debug_warn!("Could not find auth event {aid} for outlier event {event_id} locally");
+		}
+	}
+
+	// Fetch any missing ones & reject invalid ones
+	let missing_auth_events = if auth_events_known {
+		pdu_event
+			.auth_events()
+			.filter(|id| !auth_events.contains_key(*id))
+			.collect::<Vec<_>>()
+	} else {
+		pdu_event.auth_events().collect::<Vec<_>>()
+	};
+	if !missing_auth_events.is_empty() || !auth_events_known {
+		debug_info!(
+			"Fetching {} missing auth events for outlier event {event_id}",
+			missing_auth_events.len()
+		);
+		for (pdu, _) in self
+			.fetch_and_handle_outliers(
+				origin,
+				missing_auth_events.iter().copied(),
+				create_event,
+				room_id,
+			)
+			.await
+		{
+			auth_events.insert(pdu.event_id().to_owned(), pdu);
+		}
+	} else {
+		debug!("No missing auth events for outlier event {event_id}");
+	}
+	// reject if we are still missing some
+	let still_missing = pdu_event
+		.auth_events()
+		.filter(|id| !auth_events.contains_key(*id))
+		.collect::<Vec<_>>();
+	if !still_missing.is_empty() {
+		return Err!(Request(InvalidParam(
+			"Could not fetch all auth events for outlier event {event_id}, still missing: \
+			 {still_missing:?}"
+		)));
 	}
 
 	// 6. Reject "due to auth events" if the event doesn't pass auth based on the
 	//    auth events
 	debug!("Checking based on auth events");
+	let mut auth_events_by_key: HashMap<_, _> = HashMap::with_capacity(auth_events.len());
 	// Build map of auth events
-	let mut auth_events = HashMap::with_capacity(pdu_event.auth_events().count());
 	for id in pdu_event.auth_events() {
-		let Ok(auth_event) = self.services.timeline.get_pdu(id).await else {
-			warn!("Could not find auth event {id}");
-			continue;
-		};
+		let auth_event = auth_events
+			.get(id)
+			.expect("we just checked that we have all auth events")
+			.to_owned();
 
 		check_room_id(room_id, &auth_event)?;
 
-		match auth_events.entry((
+		match auth_events_by_key.entry((
 			auth_event.kind.to_string().into(),
 			auth_event
 				.state_key
@@ -123,7 +161,7 @@ pub(super) async fn handle_outlier_pdu<'a, Pdu>(
 
 	// The original create event must be in the auth events
 	if !matches!(
-		auth_events.get(&(StateEventType::RoomCreate, String::new().into())),
+		auth_events_by_key.get(&(StateEventType::RoomCreate, String::new().into())),
 		Some(_) | None
 	) {
 		return Err!(Request(InvalidParam("Incoming event refers to wrong create event.")));
@@ -131,7 +169,7 @@ pub(super) async fn handle_outlier_pdu<'a, Pdu>(
 
 	let state_fetch = |ty: &StateEventType, sk: &str| {
 		let key = (ty.to_owned(), sk.into());
-		ready(auth_events.get(&key).map(ToOwned::to_owned))
+		ready(auth_events_by_key.get(&key).map(ToOwned::to_owned))
 	};
 
 	let auth_check = state_res::event_auth::auth_check(

src/service/rooms/timeline/create.rs

@@ -274,8 +274,6 @@ fn from_evt(
 	pdu_json.insert("event_id".into(), CanonicalJsonValue::String(pdu.event_id.clone().into()));
 
 	// Check with the policy server
-	// TODO(hydra): Skip this check for create events (why didnt we do this
-	// already?)
 	if room_id.is_some() {
 		trace!(
 			"Checking event {} in room {} with policy server",