chore(deps): update https://github.com/taiki-e/install-action digest to 787505c

chore: Admin announcement
chore: Release
2026-04-25 10:12:10 +00:00 · 2026-04-25 05:03:35 +00:00 · 2026-04-24 20:33:07 +00:00 · 2026-04-24 15:21:47 -04:00 · 2026-04-24 15:21:40 -04:00 · 2026-04-24 16:22:46 +01:00
207 changed files with 6668 additions and 5121 deletions
--- a/.envrc
+++ b/.envrc
@@ -2,7 +2,7 @@
 dotenv_if_exists
-if [ -f /etc/os-release ] && grep -q '^ID=nixos' /etc/os-release; then
+if command -v nix >/dev/null 2>&1; then
    use flake ".#${DIRENV_DEVSHELL:-default}"
 fi
--- a/.forgejo/actions/create-docker-manifest/action.yml
+++ b/.forgejo/actions/create-docker-manifest/action.yml
@@ -44,7 +44,7 @@ runs:
    - name: Login to builtin registry
      if: ${{ env.BUILTIN_REGISTRY_ENABLED == 'true' }}
-      uses: docker/login-action@v4
+      uses: docker/login-action@4907a6ddec9925e35a0a9e82d7399ccc52663121 # v4
      with:
        registry: ${{ env.BUILTIN_REGISTRY }}
        username: ${{ inputs.registry_user }}
@@ -52,7 +52,7 @@ runs:
    - name: Set up Docker Buildx
      if: ${{ env.BUILTIN_REGISTRY_ENABLED == 'true' }}
-      uses: docker/setup-buildx-action@v4
+      uses: docker/setup-buildx-action@4d04d5d9486b7bd6fa91e7baf45bbb4f8b9deedd # v4
      with:
        # Use persistent BuildKit if BUILDKIT_ENDPOINT is set (e.g. tcp://buildkit:8125)
        driver: ${{ env.BUILDKIT_ENDPOINT != '' && 'remote' || 'docker-container' }}
@@ -61,7 +61,7 @@ runs:
    - name: Extract metadata (tags) for Docker
      if: ${{ env.BUILTIN_REGISTRY_ENABLED == 'true' }}
      id: meta
-      uses: docker/metadata-action@v6
+      uses: docker/metadata-action@030e881283bb7a6894de51c315a6bfe6a94e05cf # v6
      with:
        flavor: |
          latest=auto
--- a/.forgejo/actions/prepare-docker-build/action.yml
+++ b/.forgejo/actions/prepare-docker-build/action.yml
@@ -67,7 +67,7 @@ runs:
      uses: ./.forgejo/actions/rust-toolchain
    - name: Set up Docker Buildx
-      uses: docker/setup-buildx-action@v4
+      uses: docker/setup-buildx-action@4d04d5d9486b7bd6fa91e7baf45bbb4f8b9deedd # v4
      with:
        # Use persistent BuildKit if BUILDKIT_ENDPOINT is set (e.g. tcp://buildkit:8125)
        driver: ${{ env.BUILDKIT_ENDPOINT != '' && 'remote' || 'docker-container' }}
@@ -75,11 +75,11 @@ runs:
    - name: Set up QEMU
      if: ${{ env.BUILDKIT_ENDPOINT == '' }}
-      uses: docker/setup-qemu-action@v4
+      uses: docker/setup-qemu-action@ce360397dd3f832beb865e1373c09c0e9f86d70a # v4
    - name: Login to builtin registry
      if: ${{ env.BUILTIN_REGISTRY_ENABLED == 'true' }}
-      uses: docker/login-action@v4
+      uses: docker/login-action@4907a6ddec9925e35a0a9e82d7399ccc52663121 # v4
      with:
        registry: ${{ env.BUILTIN_REGISTRY }}
        username: ${{ inputs.registry_user }}
@@ -87,7 +87,7 @@ runs:
    - name: Extract metadata (labels, annotations) for Docker
      id: meta
-      uses: docker/metadata-action@v6
+      uses: docker/metadata-action@030e881283bb7a6894de51c315a6bfe6a94e05cf # v6
      with:
        images: ${{ inputs.images }}
        # default labels & annotations: https://github.com/docker/metadata-action/blob/master/src/meta.ts#L509
@@ -111,59 +111,3 @@ runs:
    - uses: ./.forgejo/actions/timelord
      id: timelord
    - name: Cache Rust registry
      if: ${{ env.BUILDKIT_ENDPOINT == '' }}
      uses: actions/cache@v3
      with:
        path: |
          .cargo/git
          .cargo/git/checkouts
          .cargo/registry
          .cargo/registry/src
        key: continuwuity-rust-registry-image-${{hashFiles('**/Cargo.lock') }}
    - name: Cache cargo target
      if: ${{ env.BUILDKIT_ENDPOINT == '' }}
      id: cache-cargo-target
      uses: actions/cache@v3
      with:
        path: |
          cargo-target${{ env.CPU_SUFFIX }}-${{ inputs.slug }}-${{ inputs.profile }}
        key: continuwuity-cargo-target${{ env.CPU_SUFFIX }}-${{ inputs.slug }}-${{ inputs.profile }}-${{hashFiles('**/Cargo.lock') }}-${{steps.rust-toolchain.outputs.rustc_version}}
    - name: Cache apt cache
      if: ${{ env.BUILDKIT_ENDPOINT == '' }}
      id: cache-apt
      uses: actions/cache@v3
      with:
        path: |
          var-cache-apt-${{ inputs.slug }}
        key: continuwuity-var-cache-apt-${{ inputs.slug }}
    - name: Cache apt lib
      if: ${{ env.BUILDKIT_ENDPOINT == '' }}
      id: cache-apt-lib
      uses: actions/cache@v3
      with:
        path: |
          var-lib-apt-${{ inputs.slug }}
        key: continuwuity-var-lib-apt-${{ inputs.slug }}
    - name: inject cache into docker
      if: ${{ env.BUILDKIT_ENDPOINT == '' }}
      uses: https://github.com/reproducible-containers/buildkit-cache-dance@v3.3.2
      with:
        cache-map: |
          {
            ".cargo/registry": "/usr/local/cargo/registry",
            ".cargo/git/db": "/usr/local/cargo/git/db",
            "cargo-target${{ env.CPU_SUFFIX }}-${{ inputs.slug }}-${{ inputs.profile }}": {
              "target": "/app/target",
              "id": "cargo-target${{ env.CPU_SUFFIX }}-${{ inputs.slug }}-${{ inputs.profile }}"
            },
            "var-cache-apt-${{ inputs.slug }}": "/var/cache/apt",
            "var-lib-apt-${{ inputs.slug }}": "/var/lib/apt",
            "${{ steps.timelord.outputs.database-path }}":"/timelord"
          }
        skip-extraction: ${{ steps.cache.outputs.cache-hit }}
--- a/.forgejo/actions/rust-toolchain/action.yml
+++ b/.forgejo/actions/rust-toolchain/action.yml
@@ -33,7 +33,7 @@ runs:
        echo "version=$(rustup --version)" >> $GITHUB_OUTPUT
    - name: Cache rustup toolchains
      if: steps.rustup-version.outputs.version == ''
-      uses: actions/cache@v3
+      uses: actions/cache@27d5ce7f107fe9357f9df03efb73ab90386fccae # v5
      with:
        path: |
          ~/.rustup
--- a/.forgejo/actions/sccache/action.yml
+++ b/.forgejo/actions/sccache/action.yml
@@ -9,7 +9,7 @@ runs:
  - name: Install sccache
    uses: https://git.tomfos.tr/tom/sccache-action@v1
  - name: Configure sccache
-    uses: https://github.com/actions/github-script@v8
+    uses: https://github.com/actions/github-script@3a2844b7e9c422d3c10d287c895573f7108da1b3 # v9
    with:
      script: |
        core.exportVariable('ACTIONS_RESULTS_URL', process.env.ACTIONS_RESULTS_URL || '');
--- a/.forgejo/actions/setup-llvm-with-apt/action.yml
+++ b/.forgejo/actions/setup-llvm-with-apt/action.yml
@@ -57,7 +57,7 @@ runs:
    - name: Check for LLVM cache
      id: cache
-      uses: actions/cache@v4
+      uses: actions/cache@27d5ce7f107fe9357f9df03efb73ab90386fccae # v5
      with:
        path: |
          /usr/bin/clang-*
@@ -120,7 +120,7 @@ runs:
    - name: Install additional packages
      if: inputs.extra-packages != ''
-      uses: https://github.com/awalsh128/cache-apt-pkgs-action@latest
+      uses: https://github.com/awalsh128/cache-apt-pkgs-action@2c09a5e66da6c8016428a2172bd76e5e4f14bb17 # latest
      with:
        packages: ${{ inputs.extra-packages }}
        version: 1.0
--- a/.forgejo/actions/setup-rust/action.yml
+++ b/.forgejo/actions/setup-rust/action.yml
@@ -65,7 +65,7 @@ runs:
    - name: Cache toolchain binaries
      id: toolchain-cache
-      uses: actions/cache@v4
+      uses: actions/cache@27d5ce7f107fe9357f9df03efb73ab90386fccae # v5
      with:
        path: |
          .cargo/bin
@@ -76,7 +76,7 @@ runs:
    - name: Cache Cargo registry and git
      id: registry-cache
-      uses: actions/cache@v4
+      uses: actions/cache@27d5ce7f107fe9357f9df03efb73ab90386fccae # v5
      with:
        path: |
          .cargo/registry/index
@@ -149,37 +149,6 @@ runs:
    - name: Setup sccache
      uses: https://git.tomfos.tr/tom/sccache-action@v1
    - name: Cache dependencies
      id: deps-cache
      uses: actions/cache@v4
      with:
        path: |
          target/**/.fingerprint
          target/**/deps
          target/**/*.d
          target/**/.cargo-lock
          target/**/CACHEDIR.TAG
          target/**/.rustc_info.json
          /timelord/
        # Dependencies cache - based on Cargo.lock, survives source code changes
        key: >-
          continuwuity-deps-${{ steps.runner-os.outputs.slug }}-${{ steps.runner-os.outputs.arch }}-${{ steps.rust-setup.outputs.version }}${{ inputs.cache-key-suffix && format('-{0}', inputs.cache-key-suffix) || '' }}-${{ hashFiles('rust-toolchain.toml', '**/Cargo.lock') }}
        restore-keys: |
          continuwuity-deps-${{ steps.runner-os.outputs.slug }}-${{ steps.runner-os.outputs.arch }}-${{ steps.rust-setup.outputs.version }}${{ inputs.cache-key-suffix && format('-{0}', inputs.cache-key-suffix) || '' }}-
    - name: Cache incremental compilation
      id: incremental-cache
      uses: actions/cache@v4
      with:
        path: |
          target/**/incremental
        # Incremental cache - based on source code changes
        key: >-
          continuwuity-incremental-${{ steps.runner-os.outputs.slug }}-${{ steps.runner-os.outputs.arch }}-${{ steps.rust-setup.outputs.version }}${{ inputs.cache-key-suffix && format('-{0}', inputs.cache-key-suffix) || '' }}-${{ hashFiles('rust-toolchain.toml', '**/Cargo.lock') }}-${{ hashFiles('**/*.rs', '**/Cargo.toml') }}
        restore-keys: |
          continuwuity-incremental-${{ steps.runner-os.outputs.slug }}-${{ steps.runner-os.outputs.arch }}-${{ steps.rust-setup.outputs.version }}${{ inputs.cache-key-suffix && format('-{0}', inputs.cache-key-suffix) || '' }}-${{ hashFiles('rust-toolchain.toml', '**/Cargo.lock') }}-
          continuwuity-incremental-${{ steps.runner-os.outputs.slug }}-${{ steps.runner-os.outputs.arch }}-${{ steps.rust-setup.outputs.version }}${{ inputs.cache-key-suffix && format('-{0}', inputs.cache-key-suffix) || '' }}-
    - name: End build cache restore group
      shell: bash
      run: echo "::endgroup::"
--- a/.forgejo/actions/timelord/action.yml
+++ b/.forgejo/actions/timelord/action.yml
@@ -31,7 +31,7 @@ runs:
    - name: Restore binary cache
      id: binary-cache
-      uses: actions/cache/restore@v4
+      uses: actions/cache/restore@27d5ce7f107fe9357f9df03efb73ab90386fccae # v5
      with:
        path: |
          /usr/share/rust/.cargo/bin
@@ -71,13 +71,13 @@ runs:
    - name: Install timelord-cli and git-warp-time
      if: steps.check-binaries.outputs.need-install == 'true'
-      uses: https://github.com/taiki-e/install-action@v2
+      uses: https://github.com/taiki-e/install-action@787505cde8a44ea468a00478fe52baf23b15bccd # v2
      with:
        tool: git-warp-time,timelord-cli@3.0.1
    - name: Save binary cache
      if: steps.check-binaries.outputs.need-install == 'true'
-      uses: actions/cache/save@v4
+      uses: actions/cache/save@27d5ce7f107fe9357f9df03efb73ab90386fccae # v5
      with:
        path: |
          /usr/share/rust/.cargo/bin
@@ -87,7 +87,7 @@ runs:
    - name: Restore timelord cache with fallbacks
      id: timelord-restore
-      uses: actions/cache/restore@v4
+      uses: actions/cache/restore@27d5ce7f107fe9357f9df03efb73ab90386fccae # v5
      with:
        path: ${{ env.TIMELORD_CACHE_PATH }}
        key: ${{ env.TIMELORD_KEY }}
@@ -114,7 +114,7 @@ runs:
        timelord sync --source-dir ${{ env.TIMELORD_PATH }} --cache-dir ${{ env.TIMELORD_CACHE_PATH }}
    - name: Save updated timelord cache immediately
-      uses: actions/cache/save@v4
+      uses: actions/cache/save@27d5ce7f107fe9357f9df03efb73ab90386fccae # v5
      with:
        path: ${{ env.TIMELORD_CACHE_PATH }}
        key: ${{ env.TIMELORD_KEY }}
--- a/.forgejo/workflows/auto-labeler.yml
+++ b/.forgejo/workflows/auto-labeler.yml
@@ -0,0 +1,56 @@
 name: Auto Labeler
 on:
  pull_request_target:
    types: [opened, reopened]
 permissions:
  contents: read
  pull-requests: write
  issues: write
 jobs:
  auto-label:
    name: Apply labels based on changed files
    runs-on: ubuntu-latest
    steps:
      - name: Apply PR Labels
        uses: https://github.com/actions/github-script@3a2844b7e9c422d3c10d287c895573f7108da1b3 # v9
        with:
          script: |
            const allFiles = await github.paginate(github.rest.pulls.listFiles, {
              owner: context.repo.owner,
              repo: context.repo.repo,
              pull_number: context.issue.number,
            });
            const fileNames = allFiles.map(f => f.filename);
            const labelsToAdd = new Set();
            for (const file of fileNames) {
              if (file.startsWith('docs/') || file.startsWith('theme/') || file.endsWith('.md') || file == 'rspress.config.ts') {
                labelsToAdd.add('Documentation');
              }
              if (file.startsWith('.forgejo/')) {
                labelsToAdd.add('Meta/CI');
              }
              if (file.startsWith('pkg/') || file.startsWith('nix/') || file === 'flake.nix' || file === 'flake.lock' || file.startsWith('docker/')) {
                labelsToAdd.add('Meta/Packaging');
              }
              if (file === 'Cargo.lock') {
                labelsToAdd.add('Dependencies');
              }
            }
            if (labelsToAdd.size > 0) {
              const labelsArray = Array.from(labelsToAdd);
              console.log('Adding labels:', labelsArray);
              await github.rest.issues.addLabels({
                owner: context.repo.owner,
                repo: context.repo.repo,
                issue_number: context.issue.number,
                labels: labelsArray,
              });
            } else {
              console.log('No files changed that require auto-labeling.');
            }
--- a/.forgejo/workflows/build-debian.yml
+++ b/.forgejo/workflows/build-debian.yml
@@ -54,13 +54,13 @@ jobs:
          fi
      - name: Checkout repository with full history
-        uses: actions/checkout@v6
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
        with:
          fetch-depth: 0
          ref: ${{ github.ref_name }}
      - name: Cache Cargo registry
-        uses: actions/cache@v4
+        uses: actions/cache@27d5ce7f107fe9357f9df03efb73ab90386fccae # v5
        with:
          path: |
            ~/.cargo/registry
@@ -92,10 +92,13 @@ jobs:
          BASE_VERSION=$(cargo metadata --no-deps --format-version 1 | jq -r ".packages[] | select(.name == \"conduwuit\").version" | sed 's/[^a-zA-Z0-9.+]/~/g')
          # VERSION is the package version, COMPONENT is used in
          # apt's repository config like a git repo branch
-          if [[ "${{ forge.ref }}" == "refs/tags/"* ]]; then
+          VERSION=$BASE_VERSION
-            # Use the "stable" component for tagged releases
+          if [[ ${{ forge.ref_name }} =~ ^v+[0-9]\.+[0-9]\.+[0-9]$ ]]; then
            # Use the "stable" component for tagged semver releases
            COMPONENT="stable"
-            VERSION=$BASE_VERSION
+          elif [[ ${{ forge.ref }} =~ ^refs/tags/^v+[0-9]\.+[0-9]\.+[0-9] ]]; then
            # Use the "unstable" component for tagged semver pre-releases
            COMPONENT="unstable"
          else
            # Use the "dev" component for development builds
            SHA=$(echo "${{ forge.sha }}" | cut -c1-7)
--- a/.forgejo/workflows/build-fedora.yml
+++ b/.forgejo/workflows/build-fedora.yml
@@ -30,14 +30,14 @@ jobs:
          echo "Fedora version: $VERSION"
      - name: Checkout repository with full history
-        uses: actions/checkout@v6
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
        with:
          fetch-depth: 0
          ref: ${{ github.ref_name }}
      - name: Cache DNF packages
-        uses: actions/cache@v4
+        uses: actions/cache@27d5ce7f107fe9357f9df03efb73ab90386fccae # v5
        with:
          path: |
            /var/cache/dnf
@@ -47,7 +47,7 @@ jobs:
            dnf-fedora${{ steps.fedora.outputs.version }}-
      - name: Cache Cargo registry
-        uses: actions/cache@v4
+        uses: actions/cache@27d5ce7f107fe9357f9df03efb73ab90386fccae # v5
        with:
          path: |
            ~/.cargo/registry
@@ -57,7 +57,7 @@ jobs:
            cargo-fedora${{ steps.fedora.outputs.version }}-
      - name: Cache Rust build dependencies
-        uses: actions/cache@v4
+        uses: actions/cache@27d5ce7f107fe9357f9df03efb73ab90386fccae # v5
        with:
          path: |
            ~/rpmbuild/BUILD/*/target/release/deps
--- a/.forgejo/workflows/check-changelog.yml
+++ b/.forgejo/workflows/check-changelog.yml
@@ -1,13 +1,8 @@
-name: Check Changelog
+name: Checks / Changelog
 on:
  pull_request_target:
-    types: [opened, synchronize, reopened, ready_for_review]
+    types: [opened, synchronize, reopened, ready_for_review, labeled, unlabeled]
 concurrency:
  group: "${{ github.workflow }}-${{ github.ref }}"
  cancel-in-progress: true
 permissions:
  contents: read
@@ -16,11 +11,11 @@ permissions:
 jobs:
  check-changelog:
-    name: Check for changelog
+    name: Check changelog is added
    runs-on: ubuntu-latest
    steps:
      - name: Checkout repository
-        uses: actions/checkout@v6
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
        with:
          ref: ${{ github.event.pull_request.head.sha }}
          fetch-depth: 0
@@ -33,9 +28,9 @@ jobs:
          git fetch origin ${GITHUB_BASE_REF}
          # Check for Added (A) or Modified (M) files in changelog.d
-          CHANGELOG_CHANGES=$(git diff --name-status origin/${GITHUB_BASE_REF} HEAD -- changelog.d/)
+          CHANGELOG_CHANGES=$(git diff --name-status origin/${GITHUB_BASE_REF}...HEAD -- changelog.d/)
-          SRC_CHANGES=$(git diff --name-status origin/${GITHUB_BASE_REF} HEAD -- src/)
+          SRC_CHANGES=$(git diff --name-status origin/${GITHUB_BASE_REF}...HEAD -- src/)
          echo "Changes in changelog.d/:"
          echo "$CHANGELOG_CHANGES"
@@ -54,8 +49,8 @@ jobs:
            echo "src_changed=false" >> $GITHUB_OUTPUT
          fi
-      - name: Manage PR Comment
+      - name: Manage PR Labels
-        uses: https://github.com/actions/github-script@v8
+        uses: https://github.com/actions/github-script@3a2844b7e9c422d3c10d287c895573f7108da1b3 # v9
        env:
          HAS_CHANGELOG: ${{ steps.check_files.outputs.has_changelog }}
          SRC_CHANGED: ${{ steps.check_files.outputs.src_changed }}
@@ -63,41 +58,37 @@ jobs:
          script: |
            const hasChangelog = process.env.HAS_CHANGELOG === 'true';
            const srcChanged = process.env.SRC_CHANGED === 'true';
            const commentSignature = '<!-- changelog-check-action -->';
            const commentBody = `${commentSignature}\nPlease add a changelog fragment to \`changelog.d/\` describing your changes.`;
-            const { data: currentUser } = await github.rest.users.getAuthenticated();
+            const { data: pullRequest } = await github.rest.pulls.get({
            const { data: comments } = await github.rest.issues.listComments({
              owner: context.repo.owner,
              repo: context.repo.repo,
-              issue_number: context.issue.number,
+              pull_number: context.issue.number,
            });
-            const botComment = comments.find(comment =>
+            const currentLabels = pullRequest.labels.map(l => l.name);
              comment.user.id === currentUser.id &&
              comment.body.includes(commentSignature)
            );
-            const shouldWarn = srcChanged && !hasChangelog;
+            if (hasChangelog) {
-
+              console.log('PR has changelog');
-            if (!shouldWarn) {
+              await github.rest.issues.addLabels({
-              if (botComment) {
+                owner: context.repo.owner,
-                console.log('Changelog found or not required. Deleting existing warning comment.');
+                repo: context.repo.repo,
-                await github.rest.issues.deleteComment({
+                issue_number: context.issue.number,
-                  owner: context.repo.owner,
+                labels: ['Changelog/Added'],
-                  repo: context.repo.repo,
+              });
-                  comment_id: botComment.id,
+            } else if (currentLabels.includes('Changelog/None')) {
-                });
+              console.log('PR has Changelog/None label, skipping.');
-              }
+            } else if (srcChanged) {
              console.log('PR is missing changelog');
              await github.rest.issues.addLabels({
                owner: context.repo.owner,
                repo: context.repo.repo,
                issue_number: context.issue.number,
                labels: ['Changelog/Missing'],
              });
              core.setFailed("Missing changelog entry (detected)");
            } else if (currentLabels.includes('Changelog/Missing')) {
              core.setFailed("Missing changelog entry (label)");
            } else {
-              if (!botComment) {
+              console.log('Changelog not needed');
-                console.log('Changelog missing and required. Creating warning comment.');
+              // Changelog is probably not needed
                await github.rest.issues.createComment({
                  owner: context.repo.owner,
                  repo: context.repo.repo,
                  issue_number: context.issue.number,
                  body: commentBody,
                });
              }
            }
--- a/.forgejo/workflows/documentation.yml
+++ b/.forgejo/workflows/documentation.yml
@@ -21,7 +21,7 @@ jobs:
    steps:
      - name: Sync repository
-        uses: actions/checkout@v6
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
        with:
          persist-credentials: false
          fetch-depth: 0
@@ -32,12 +32,12 @@ jobs:
      - name: Setup Node.js
        if: steps.runner-env.outputs.node_major == '' || steps.runner-env.outputs.node_major < '20'
-        uses: https://github.com/actions/setup-node@v6
+        uses: https://github.com/actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6
        with:
          node-version: 22
      - name: Cache npm dependencies
-        uses: actions/cache@v3
+        uses: actions/cache@27d5ce7f107fe9357f9df03efb73ab90386fccae # v5
        with:
          path: ~/.npm
          key: continuwuity-rspress-${{ steps.runner-env.outputs.slug }}-${{ steps.runner-env.outputs.arch }}-node-${{ steps.runner-env.outputs.node_version }}-${{ hashFiles('package-lock.json') }}
@@ -56,7 +56,7 @@ jobs:
      - name: Deploy to Cloudflare Pages (Production)
        if: github.ref == 'refs/heads/main' && vars.CLOUDFLARE_PROJECT_NAME != ''
-        uses: https://github.com/cloudflare/wrangler-action@v3
+        uses: https://github.com/cloudflare/wrangler-action@9acf94ace14e7dc412b076f2c5c20b8ce93c79cd # v3
        with:
          accountId: ${{ secrets.CLOUDFLARE_ACCOUNT_ID }}
          apiToken: ${{ secrets.CLOUDFLARE_API_TOKEN }}
@@ -64,7 +64,7 @@ jobs:
      - name: Deploy to Cloudflare Pages (Preview)
        if: github.ref != 'refs/heads/main' && vars.CLOUDFLARE_PROJECT_NAME != ''
-        uses: https://github.com/cloudflare/wrangler-action@v3
+        uses: https://github.com/cloudflare/wrangler-action@9acf94ace14e7dc412b076f2c5c20b8ce93c79cd # v3
        with:
          accountId: ${{ secrets.CLOUDFLARE_ACCOUNT_ID }}
          apiToken: ${{ secrets.CLOUDFLARE_API_TOKEN }}
--- a/.forgejo/workflows/element.yml
+++ b/.forgejo/workflows/element.yml
@@ -24,7 +24,7 @@ jobs:
    steps:
      - name: 📦 Setup Node.js
-        uses: https://github.com/actions/setup-node@v6
+        uses: https://github.com/actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6
        with:
          node-version: "22"
@@ -121,7 +121,7 @@ jobs:
      - name: 🚀 Deploy to Cloudflare Pages
        if: vars.CLOUDFLARE_PROJECT_NAME != ''
        id: deploy
-        uses: https://github.com/cloudflare/wrangler-action@v3
+        uses: https://github.com/cloudflare/wrangler-action@9acf94ace14e7dc412b076f2c5c20b8ce93c79cd # v3
        with:
          accountId: ${{ secrets.CLOUDFLARE_ACCOUNT_ID }}
          apiToken: ${{ secrets.CLOUDFLARE_API_TOKEN }}
--- a/.forgejo/workflows/mirror-images.yml
+++ b/.forgejo/workflows/mirror-images.yml
@@ -2,8 +2,11 @@ name: Mirror Container Images
 on:
  schedule:
-    # Run every 2 hours
+    # Run nightly
-    - cron: "0 */2 * * *"
+    - cron: "25 2 * * *"
  workflow_call:
  workflow_dispatch:
    inputs:
      dry_run:
@@ -38,7 +41,7 @@ jobs:
      DOCKER_MIRROR_TOKEN: ${{ secrets.DOCKER_MIRROR_TOKEN }}
    steps:
      - name: Checkout repository
-        uses: actions/checkout@v6
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
        with:
          persist-credentials: false
@@ -51,10 +54,8 @@ jobs:
      #     owner: continuwuity
      #     repositories: continuwuity
-      - name: Install regctl
+      - name: Install regsync
-        uses: https://forgejo.ellis.link/continuwuation/regclient-actions/regctl-installer@main
+        uses: https://github.com/regclient/actions/regsync-installer@f3c6d87835906c175eb6ccfc18b348b69bb447e7 # main
        with:
          binary: regsync
      - name: Check what images need mirroring
        run: |
--- a/.forgejo/workflows/prek-checks.yml
+++ b/.forgejo/workflows/prek-checks.yml
@@ -9,6 +9,7 @@ on:
 permissions:
  contents: read
  pull-requests: read
 jobs:
  fast-checks:
@@ -16,7 +17,7 @@ jobs:
    runs-on: ubuntu-latest
    steps:
      - name: Checkout repository
-        uses: actions/checkout@v6
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
        with:
          persist-credentials: false
@@ -40,14 +41,36 @@ jobs:
          cargo +nightly fmt --all -- --check && \
            echo "✅ Formatting check passed" || \
            exit 1
  check-changes:
    name: Check changed files
    runs-on: ubuntu-latest
    outputs:
      rust: ${{ steps.filter.outputs.rust }}
    steps:
      - name: Checkout repository
        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
        with:
          persist-credentials: false
      - name: Check for file changes
        uses: https://github.com/dorny/paths-filter@v4
        id: filter
        with:
          filters: |
            rust:
              - '**/*.rs'
              - '**/Cargo.toml'
              - '**/Cargo.lock'
  clippy-and-tests:
    name: Clippy and Cargo Tests
    runs-on: ubuntu-latest
    needs: check-changes
    if: needs.check-changes.outputs.rust == 'true'
    steps:
      - name: Checkout repository
-        uses: actions/checkout@v6
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
        with:
          persist-credentials: false
--- a/.forgejo/workflows/release-image.yml
+++ b/.forgejo/workflows/release-image.yml
@@ -9,6 +9,9 @@ on:
    paths-ignore:
      - "*.md"
      - "**/*.md"
      - "*.mdx"
      - "**/*.mdx"
      - "changelog.d/**"
      - ".gitlab-ci.yml"
      - ".gitignore"
      - "renovate.json"
@@ -43,7 +46,7 @@ jobs:
    steps:
      - name: Checkout repository
-        uses: actions/checkout@v6
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
        with:
          persist-credentials: false
      - name: Prepare Docker build environment
@@ -59,7 +62,7 @@ jobs:
          registry_password: ${{ secrets.BUILTIN_REGISTRY_PASSWORD || secrets.GITHUB_TOKEN }}
      - name: Build and push Docker image by digest
        id: build
-        uses: docker/build-push-action@v7
+        uses: docker/build-push-action@bcafcacb16a39f128d818304e6c9c0c18556b85f # v7
        with:
          context: .
          file: "docker/Dockerfile"
@@ -97,7 +100,7 @@ jobs:
    needs: build-release
    steps:
      - name: Checkout repository
-        uses: actions/checkout@v6
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
        with:
          persist-credentials: false
      - name: Create multi-platform manifest
@@ -130,7 +133,7 @@ jobs:
    steps:
      - name: Checkout repository
-        uses: actions/checkout@v6
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
        with:
          persist-credentials: false
      - name: Prepare max-perf Docker build environment
@@ -146,7 +149,7 @@ jobs:
          registry_password: ${{ secrets.BUILTIN_REGISTRY_PASSWORD || secrets.GITHUB_TOKEN }}
      - name: Build and push max-perf Docker image by digest
        id: build
-        uses: docker/build-push-action@v7
+        uses: docker/build-push-action@bcafcacb16a39f128d818304e6c9c0c18556b85f # v7
        with:
          context: .
          file: "docker/Dockerfile"
@@ -184,7 +187,7 @@ jobs:
    needs: build-maxperf
    steps:
      - name: Checkout repository
-        uses: actions/checkout@v6
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
        with:
          persist-credentials: false
      - name: Create max-perf manifest
@@ -195,3 +198,12 @@ jobs:
          images: ${{ env.IMAGE_PATH }}
          registry_user: ${{ vars.BUILTIN_REGISTRY_USER || github.actor }}
          registry_password: ${{ secrets.BUILTIN_REGISTRY_PASSWORD || secrets.GITHUB_TOKEN }}
  mirror_images:
    name: "Mirror Images"
    runs-on: ubuntu-latest
    needs:
      - merge-maxperf
      - merge-release
    secrets: inherit
    uses: ./.forgejo/workflows/mirror-images.yml
--- a/.forgejo/workflows/renovate.yml
+++ b/.forgejo/workflows/renovate.yml
@@ -43,11 +43,11 @@ jobs:
    name: Renovate
    runs-on: ubuntu-latest
    container:
-      image: ghcr.io/renovatebot/renovate:43.59.4@sha256:f951508dea1e7d71cbe6deca298ab0a05488e7631229304813f630cc06010892
+      image: ghcr.io/renovatebot/renovate:43.140.0@sha256:61303c28b10a491c559529fb6f41745850e4755a43a54c04c3ae6848d6eaf5cc
      options: --tmpfs /tmp:exec
    steps:
      - name: Checkout
-        uses: actions/checkout@v6
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
        with:
          show-progress: false
@@ -55,7 +55,7 @@ jobs:
        run: /usr/local/renovate/node -e 'console.log(`node heap limit = ${require("v8").getHeapStatistics().heap_size_limit / (1024 * 1024)} Mb`)'
      - name: Restore renovate repo cache
-        uses: actions/cache/restore@v4
+        uses: actions/cache/restore@27d5ce7f107fe9357f9df03efb73ab90386fccae # v5
        with:
          path: |
            /tmp/renovate/cache/renovate/repository
@@ -64,7 +64,7 @@ jobs:
            renovate-repo-cache-
      - name: Restore renovate package cache
-        uses: actions/cache/restore@v4
+        uses: actions/cache/restore@27d5ce7f107fe9357f9df03efb73ab90386fccae # v5
        with:
          path: |
            /tmp/renovate/cache/renovate/renovate-cache-sqlite
@@ -73,7 +73,7 @@ jobs:
            renovate-package-cache-
      - name: Restore renovate OSV cache
-        uses: actions/cache/restore@v4
+        uses: actions/cache/restore@27d5ce7f107fe9357f9df03efb73ab90386fccae # v5
        with:
          path: |
            /tmp/osv
@@ -90,12 +90,12 @@ jobs:
          RENOVATE_PLATFORM: forgejo
          RENOVATE_ENDPOINT: ${{ github.server_url }}
          RENOVATE_AUTODISCOVER: 'false'
-          RENOVATE_REPOSITORIES: '["${{ github.repository }}"]'
+          RENOVATE_REPOSITORIES: '["${{ github.repository }}", "continuwuation/resolvematrix"]'
          RENOVATE_GIT_TIMEOUT: 60000
          RENOVATE_REQUIRE_CONFIG: 'required'
-          RENOVATE_ONBOARDING: 'false'
+          # RENOVATE_ONBOARDING: 'false'
          RENOVATE_INHERIT_CONFIG: 'true'
          RENOVATE_GITHUB_TOKEN_WARN: 'false'
@@ -109,7 +109,7 @@ jobs:
      - name: Save renovate repo cache
        if: always()
        uses:
-          actions/cache/save@v4
+          actions/cache/save@v5
        with:
          path: |
            /tmp/renovate/cache/renovate/repository
@@ -117,7 +117,7 @@ jobs:
      - name: Save renovate package cache
        if: always()
-        uses: actions/cache/save@v4
+        uses: actions/cache/save@27d5ce7f107fe9357f9df03efb73ab90386fccae # v5
        with:
          path: |
            /tmp/renovate/cache/renovate/renovate-cache-sqlite
@@ -125,7 +125,7 @@ jobs:
      - name: Save renovate OSV cache
        if: always()
-        uses: actions/cache/save@v4
+        uses: actions/cache/save@27d5ce7f107fe9357f9df03efb73ab90386fccae # v5
        with:
          path: |
            /tmp/osv
--- a/.forgejo/workflows/update-flake-hashes.yml
+++ b/.forgejo/workflows/update-flake-hashes.yml
@@ -14,50 +14,21 @@ jobs:
  update-flake-hashes:
    runs-on: ubuntu-latest
    steps:
-      - uses: actions/checkout@v6
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
        with:
          fetch-depth: 0
          fetch-tags: false
          fetch-single-branch: true
          submodules: false
          persist-credentials: true
          token: ${{ secrets.FORGEJO_TOKEN }}
-      - uses: https://github.com/cachix/install-nix-action@19effe9fe722874e6d46dd7182e4b8b7a43c4a99 # v31.10.0
+      - name: Install Lix
        uses: https://github.com/samueldr/lix-gha-installer-action@f5e94192f565f53d84f41a056956dc0d3183b343
        with:
-          nix_path: nixpkgs=channel:nixos-unstable
+          extra_nix_config: experimental-features = nix-command flakes flake-self-attrs
        # We can skip getting a toolchain hash if this was ran as a dispatch with the intent
        # to update just the rocksdb hash. If this was ran as a dispatch and the toolchain
        # files are changed, we still update them, as well as the rocksdb import.
      - name: Detect changed files
        id: changes
        run: |
          git fetch origin ${{ github.base_ref }} --depth=1 || true
          if [ -n "${{ github.event.pull_request.base.sha }}" ]; then
            base=${{ github.event.pull_request.base.sha }}
          else
            base=$(git rev-parse HEAD~1)
          fi
          echo "Base: $base"
          echo "HEAD: $(git rev-parse HEAD)"
          git diff --name-only $base HEAD > changed_files.txt
          echo "detected changes in $(cat changed_files.txt)"
          # Join files with commas
          files=$(paste -sd, changed_files.txt)
          echo "files=$files" >> $FORGEJO_OUTPUT
      - name: Debug output
        run: |
          echo "State of output"
          echo "Changed files: ${{ steps.changes.outputs.files }}"
      - name: Get new toolchain hash
        if: contains(steps.changes.outputs.files, 'Cargo.toml') || contains(steps.changes.outputs.files, 'Cargo.lock') || contains(steps.changes.outputs.files, 'rust-toolchain.toml')
        run: |
          # Set the current sha256 to an empty hash to make `nix build` calculate a new one
-          awk '/fromToolchainFile *\{/{found=1; print; next} found && /sha256 =/{sub(/sha256 = .*/, "sha256 = lib.fakeSha256;"); found=0} 1' nix/packages/rust.nix > temp.nix
+          awk '/fromToolchainFile *\{/{found=1; print; next} found && /sha256 =/{sub(/sha256 = .*/, "sha256 = lib.fakeSha256;"); found=0} 1' nix/rust.nix > temp.nix
-          mv temp.nix nix/packages/rust.nix
+          mv temp.nix nix/rust.nix
          # Build continuwuity and filter for the new hash
          # We do `|| true` because we want this to fail without stopping the workflow
@@ -65,36 +36,17 @@ jobs:
          # Place the new hash in place of the empty hash
          new_hash=$(cat new_toolchain_hash.txt)
-          sed -i "s|lib.fakeSha256|\"$new_hash\"|" nix/packages/rust.nix
+          sed -i "s|lib.fakeSha256|\"$new_hash\"|" nix/rust.nix
          echo "New hash:"
-          awk -F'"' '/fromToolchainFile/{found=1; next} found && /sha256 =/{print $2; found=0}' nix/packages/rust.nix
+          awk -F'"' '/fromToolchainFile/{found=1; next} found && /sha256 =/{print $2; found=0}' nix/rust.nix
          echo "Expected new hash:"
          cat new_toolchain_hash.txt
          rm new_toolchain_hash.txt
-      - name: Get new rocksdb hash
+      - name: Update rocksdb
-        if: contains(steps.changes.outputs.files, '.nix') || contains(steps.changes.outputs.files, 'flake.lock')
+        run: nix run .#update-rocksdb
        run: |
          # Set the current sha256 to an empty hash to make `nix build` calculate a new one
          awk '/repo = "rocksdb";/{found=1; print; next} found && /sha256 =/{sub(/sha256 = .*/, "sha256 = lib.fakeSha256;"); found=0} 1' nix/packages/rocksdb/package.nix > temp.nix
          mv temp.nix nix/packages/rocksdb/package.nix
          # Build continuwuity and filter for the new hash
          # We do `|| true` because we want this to fail without stopping the workflow
          nix build .#default 2>&1 | tee >(grep 'got:' | awk '{print $2}' > new_rocksdb_hash.txt) || true
          # Place the new hash in place of the empty hash
          new_hash=$(cat new_rocksdb_hash.txt)
          sed -i "s|lib.fakeSha256|\"$new_hash\"|" nix/packages/rocksdb/package.nix
          echo "New hash:"
          awk -F'"' '/repo = "rocksdb";/{found=1; next} found && /sha256 =/{print $2; found=0}' nix/packages/rocksdb/package.nix
          echo "Expected new hash:"
          cat new_rocksdb_hash.txt
          rm new_rocksdb_hash.txt
      - name: Show diff
        run: git diff flake.nix nix
--- a/.pre-commit-config.yaml
+++ b/.pre-commit-config.yaml
@@ -24,7 +24,7 @@ repos:
        - id: check-added-large-files
  - repo: https://github.com/crate-ci/typos
-    rev: v1.44.0
+    rev: v1.45.1
    hooks:
      - id: typos
      - id: typos
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -1,3 +1,62 @@
 # Continuwuity 0.5.8 (2026-04-24)
 ## Features
 - LDAP can now optionally be connected to using StartTLS, and you may unsafely skip verification. Contributed by @getz (#1389)
 - Users will now be prevented from removing their email if the server is configured to require an email when registering an account.
 ## Bugfixes
 - Fixed a situation where multiple email addresses could be associated with one user when that user changes their email address.
 ## Improved Documentation
 - Updated config docs to state we support room version 12, and set it as default. Contributed by @ezera. (#1622)
 - Improve instructions for generic deployments, removing unnecessary parts and documenting the new initial registration token flow. Contributed by @stratself (#1677)
 # Continuwuity v0.5.7 (2026-04-17)
 ## Features
 - Re-added support for reading registration tokens from a file. Contributed by @ginger and @benbot. (#1371)
 - Add new config option to allow or disallow search engine indexing through a `<meta ../>` tag. Defaults to blocking indexing (`content="noindex"`). Contributed by @s1lv3r and @ginger. (#1527)
 - Add new config option for [MSC4439](https://github.com/matrix-org/matrix-spec-proposals/pull/4439)
  PGP key URIs. Contributed by LogN. (#1609)
 - Added `!admin users reset-push-rules` command to reset the notification settings of users. Contributed by @nex. (#1613)
 - Notification pushers are now automatically removed when their associated device is. Admin commands now exist for manual cleanup too. Contributed by @nex. (#1614)
 - Implemented option to deprioritize servers for room join requests. Contributed by @ezera. (#1624)
 - Added admin commands to get build information and features. Contributed by @Jade (#1629)
 - Added support for associating email addresses with accounts, requiring email addresses for registration, and resetting passwords via email. Contributed by @ginger
 - Added support for requiring users to accept terms and conditions when registering.
 - Added support for using an admin command to issue self-service password reset links.
 ## Bugfixes
 - Fixed corrupted appservice registrations causing the server to enter a crash loop. Contributed by @nex. (#1265)
 - Prevent removing the admin room alias (`#admins`) to avoid accidentally breaking admin room functionality. Contributed by @0xnim (#1448)
 - Stripped `join_authorised_via_users_server` from json if user is already in room (@partha:cxy.run) (#1542)
 - Fixed internal server errors for fetching thumbnails. Contributed by @PerformativeJade (#1572)
 - Fixed error 500 when joining non-existent rooms. Contributed by @ezera. (#1579)
 - Refactored nix package. Breaking, since `all-features` package no longer exists. Continuwuity is now built with jemalloc and liburing by default. Contributed by @Henry-Hiles (QuadRadical). (#1596)
 - Fixed resolving IP of servers that only use SRV delegation. Contributed by @tulir. (#1615)
 - Fixed "Sender must be a local user" error for make_join, make_knock, and make_leave federation routes. Contributed by @nex. (#1623)
 - Fixed restricted joins not being signed when we are being used as an authorising server. Contributed by @nex, reported by [vel](matrix:u/vel:nhjkl.com?action=chat). (#1630)
 - Fixed room alias deletion so removing one local alias no longer removes other aliases from room alias listings.
 - Stopped left rooms from being unconditionally sent on initial sync, hopefully fixing spurious appearances of left rooms in some clients (and making sync faster as a bonus). Contributed by @ginger
 - Correct the response field name for MatrixRTC transports. Contributed by @spaetz
 ## Improved Documentation
 - Added Testing and Troubleshooting instructions for Livekit documentation. Contributed by @stratself. (#1429)
 - Refactored docker docs to include new initial token workflow, and add Caddyfile example. Contributed by @stratself. (#1594)
 - Add DNS tuning guide for Continuwuity. Users are recommended to set up a local caching resolver following the guide's advice. Contributed by @stratself (#1601)
 ## Misc
 - Fixed compiler warning in cf_opts.rs when building in release. Contributed by @ezera. (#1620)
 # Continuwuity 0.5.6 (2026-03-03)
 ## Security
--- a/Cargo.lock
+++ b/Cargo.lock
--- a/Cargo.toml
+++ b/Cargo.toml
@@ -12,7 +12,7 @@ license = "Apache-2.0"
 # See also `rust-toolchain.toml`
 readme = "README.md"
 repository = "https://forgejo.ellis.link/continuwuation/continuwuity"
-version = "0.5.7-alpha.1"
+version = "0.5.8"
 [workspace.metadata.crane]
 name = "conduwuit"
@@ -36,10 +36,10 @@ version = "0.3"
 features = ["ffi", "std", "union"]
 [workspace.dependencies.const-str]
-version = "0.7.0"
+version = "1.1.0"
 [workspace.dependencies.ctor]
-version = "0.6.0"
+version = "0.10.0"
 [workspace.dependencies.cargo_toml]
 version = "0.22"
@@ -47,9 +47,9 @@ default-features = false
 features = ["features"]
 [workspace.dependencies.toml]
-version = "0.9.5"
+version = "1.1.2"
 default-features = false
-features = ["parse"]
+features = ["parse", "serde"]
 [workspace.dependencies.sanitize-filename]
 version = "0.6.0"
@@ -60,7 +60,7 @@ default-features = false
 # used for TURN server authentication
 [workspace.dependencies.hmac]
-version = "0.12.1"
+version = "0.13.0"
 default-features = false
 # used for checking if an IP is in specific subnets / CIDR ranges easier
@@ -102,15 +102,18 @@ default-features = false
 features = ["typed-header", "tracing", "cookie"]
 [workspace.dependencies.axum-server]
-version = "0.7.2"
+version = "0.8.0"
 default-features = false
 # to listen on both HTTP and HTTPS if listening on TLS dierctly from conduwuit for complement or sytest
 [workspace.dependencies.axum-server-dual-protocol]
-version = "0.7"
+# version = "0.7"
 git = "https://github.com/vinchona/axum-server-dual-protocol.git"
 rev = "ca6db055254255b74238673ce4135698e347d71c" # feat!: bump axum_server to 0.8.0
 default-features = false
 [workspace.dependencies.axum-client-ip]
-version = "0.7"
+version = "1.3"
 [workspace.dependencies.tower]
 version = "0.5.2"
@@ -134,13 +137,12 @@ features = [
 [workspace.dependencies.rustls]
 version = "0.23.25"
 default-features = false
 features = ["aws_lc_rs"]
 [workspace.dependencies.reqwest]
-version = "0.12.15"
+version = "0.13.2"
 default-features = false
 features = [
-    "rustls-tls-native-roots",
+    "rustls-no-provider",
    "socks",
    "hickory-dns",
    "http2",
@@ -159,7 +161,7 @@ features = ["raw_value"]
 # Used for appservice registration files
 [workspace.dependencies.serde-saphyr]
-version = "0.0.21"
+version = "0.0.24"
 # Used to load forbidden room/user regex from config
 [workspace.dependencies.serde_regex]
@@ -167,7 +169,7 @@ version = "1.1.0"
 # Used for ruma wrapper
 [workspace.dependencies.serde_html_form]
-version = "0.2.6"
+version = "0.4.0"
 # Used for password hashing
 [workspace.dependencies.argon2]
@@ -251,7 +253,7 @@ features = [
 ]
 [workspace.dependencies.tokio-metrics]
-version = "0.4.0"
+version = "0.5.0"
 [workspace.dependencies.libloading]
 version = "0.9.0"
@@ -344,7 +346,7 @@ version = "0.1.2"
 [workspace.dependencies.ruma]
 git = "https://forgejo.ellis.link/continuwuation/ruwuma"
 #branch = "conduwuit-changes"
-rev = "a97b91adcc012ef04991d823b8b5a79c6686ae48"
+rev = "d00b51a8669b21689c4eb47fb81f3a8b27c3e371"
 features = [
    "compat",
    "rand",
@@ -383,7 +385,8 @@ features = [
    "unstable-pdu",
    "unstable-msc4155",
    "unstable-msc4143", # livekit well_known response
-    "unstable-msc4284"
+    "unstable-msc4284",
    "unstable-msc4439", # pgp_key in .well_known/matrix/support
 ]
 [workspace.dependencies.rust-rocksdb]
@@ -399,11 +402,11 @@ features = [
 ]
 [workspace.dependencies.sha2]
-version = "0.10.8"
+version = "0.11.0"
 default-features = false
 [workspace.dependencies.sha1]
-version = "0.10.6"
+version = "0.11.0"
 default-features = false
 # optional opentelemetry, performance measurements, flamegraphs, etc for performance measurements and monitoring
@@ -428,14 +431,13 @@ features = ["http", "grpc-tonic", "trace", "logs", "metrics"]
 # optional sentry metrics for crash/panic reporting
 [workspace.dependencies.sentry]
-version = "0.46.0"
+version = "0.47.0"
 default-features = false
 features = [
    "backtrace",
    "contexts",
    "debug-images",
    "panic",
    "rustls",
    "tower",
    "tower-http",
    "tracing",
@@ -444,9 +446,9 @@ features = [
 ]
 [workspace.dependencies.sentry-tracing]
-version = "0.46.0"
+version = "0.47.0"
 [workspace.dependencies.sentry-tower]
-version = "0.46.0"
+version = "0.47.0"
 # jemalloc usage
 [workspace.dependencies.tikv-jemalloc-sys]
@@ -480,7 +482,7 @@ default-features = false
 features = ["resource"]
 [workspace.dependencies.sd-notify]
-version = "0.4.5"
+version = "0.5.0"
 default-features = false
 [workspace.dependencies.hardened_malloc-rs]
@@ -556,6 +558,19 @@ version = "1.0.1"
 [workspace.dependencies.askama]
 version = "0.15.0"
 [workspace.dependencies.lettre]
 version = "0.11.19"
 default-features = false
 features = ["smtp-transport", "pool", "hostname", "builder", "rustls", "rustls-native-certs", "tokio1", "rustls-no-provider", "tokio1-rustls", "tracing", "serde"]
 [workspace.dependencies.governor]
 version = "0.10.4"
 default-features = false
 features = ["std"]
 [workspace.dependencies.nonzero_ext]
 version = "0.3.0"
 #
 # Patches
 #
@@ -916,7 +931,6 @@ fn_to_numeric_cast_any = "warn"
 format_push_string = "warn"
 get_unwrap = "warn"
 impl_trait_in_params = "warn"
 let_underscore_untyped = "warn"
 lossy_float_literal = "warn"
 mem_forget = "warn"
 missing_assert_message = "warn"
--- a/3
+++ b/3
@@ -1,4 +1,3 @@
                                 Apache License
                           Version 2.0, January 2004
                        http://www.apache.org/licenses/
@@ -187,7 +186,7 @@
      same "printed page" as the copyright notice for easier
      identification within third-party archives.
-   Copyright 2023 June
+   Copyright 2023 Continuwuity Team and contributors
   Licensed under the Apache License, Version 2.0 (the "License");
   you may not use this file except in compliance with the License.
--- a/changelog.d/+6368729a.feature.md
+++ b/changelog.d/+6368729a.feature.md
@@ -1 +0,0 @@
 Added support for using an admin command to issue self-service password reset links.
--- a/changelog.d/+6e57599d.bugfix.md
+++ b/changelog.d/+6e57599d.bugfix.md
@@ -1 +0,0 @@
 Stopped left rooms from being unconditionally sent on initial sync, hopefully fixing spurious appearances of left rooms in some clients (and making sync faster as a bonus). Contributed by @ginger
--- a/changelog.d/+alias-enumeration-delete.bugfix.md
+++ b/changelog.d/+alias-enumeration-delete.bugfix.md
@@ -1 +0,0 @@
 Fixed room alias deletion so removing one local alias no longer removes other aliases from room alias listings.
--- a/changelog.d/1265.bugfix
+++ b/changelog.d/1265.bugfix
@@ -1 +0,0 @@
 Fixed corrupted appservice registrations causing the server to enter a crash loop. Contributed by @nex.
--- a/changelog.d/1371.feature.md
+++ b/changelog.d/1371.feature.md
@@ -1 +0,0 @@
 Re-added support for reading registration tokens from a file. Contributed by @ginger and @benbot.
--- a/changelog.d/1429.doc
+++ b/changelog.d/1429.doc
@@ -1 +0,0 @@
 Added Testing and Troubleshooting instructions for Livekit documentation. Contributed by @stratself.
--- a/changelog.d/1448.bugfix
+++ b/changelog.d/1448.bugfix
@@ -1 +0,0 @@
 Prevent removing the admin room alias (`#admins`) to avoid accidentally breaking admin room functionality. Contributed by @0xnim
--- a/changelog.d/1527.feature.md
+++ b/changelog.d/1527.feature.md
@@ -1 +0,0 @@
 Add new config option to allow or disallow search engine indexing through a `<meta ../>` tag. Defaults to blocking indexing (`content="noindex"`). Contributed by @s1lv3r and @ginger.
--- a/changelog.d/1542.bugfix.md
+++ b/changelog.d/1542.bugfix.md
@@ -1 +0,0 @@
 Stripped `join_authorised_via_users_server` from json if user is already in room (@partha:cxy.run)
--- a/changelog.d/1572.bugfix
+++ b/changelog.d/1572.bugfix
@@ -1 +0,0 @@
 Fixed internal server errors for fetching thumbnails. Contributed by @PerformativeJade
--- a/changelog.d/1671.docs
+++ b/changelog.d/1671.docs
@@ -0,0 +1 @@
 Explain accessing Continuwuity's server console when deployed via Docker.
--- a/conduwuit-example.toml
+++ b/conduwuit-example.toml
@@ -523,6 +523,18 @@
 #
 #recaptcha_private_site_key =
 # Policy documents, such as terms and conditions or a privacy policy,
 # which users must agree to when registering an account.
 #
 # Example:
 # ```ignore
 # [global.registration_terms.privacy_policy]
 # en = { name = "Privacy Policy", url = "https://homeserver.example/en/privacy_policy.html" }
 # es = { name = "Política de Privacidad", url = "https://homeserver.example/es/privacy_policy.html" }
 # ```
 #
 #registration_terms = {}
 # Controls whether encrypted rooms and events are allowed.
 #
 #allow_encryption = true
@@ -607,7 +619,7 @@
 # Set to false to disable users from joining or creating room versions
 # that aren't officially supported by continuwuity.
 #
-# continuwuity officially supports room versions 6 - 11.
+# continuwuity officially supports room versions 6 - 12.
 #
 # continuwuity has slightly experimental (though works fine in practice)
 # support for versions 3 - 5.
@@ -619,9 +631,9 @@
 # rather than an integer. Forgetting the quotes will make the server fail
 # to start!
 #
-# Per spec, room version "11" is the default.
+# Per spec, room version "12" is the default.
 #
-#default_room_version = "11"
+#default_room_version = "12"
 # Enable OpenTelemetry OTLP tracing export. This replaces the deprecated
 # Jaeger exporter. Traces will be sent via OTLP to a collector (such as
@@ -1397,6 +1409,20 @@
 #
 #ignore_messages_from_server_names = []
 # List of server names that continuwuity will deprioritize (try last) when
 # a client requests to join a room.
 #
 # This can be used to potentially speed up room join requests, by
 # deprioritizing sending join requests through servers that are known to
 # be large or slow.
 #
 # continuwuity will still send join requests to servers in this list if
 # the room couldn't be joined via other servers it federates with.
 #
 # example: ["example.com"]
 #
 #deprioritize_joins_through_servers = []
 # Send messages from users that the user has ignored to the client.
 #
 # There is no way for clients to receive messages sent while a user was
@@ -1869,6 +1895,11 @@
 #
 #support_mxid =
 # PGP key URI for server support contacts, to be served as part of the
 # MSC1929 server support endpoint.
 #
 #support_pgp_key =
 # **DEPRECATED**: Use `[global.matrix_rtc].foci` instead.
 #
 # A list of MatrixRTC foci URLs which will be served as part of the
@@ -1935,6 +1966,14 @@
 #
 #uri = ""
 # StartTLS for LDAP connections.
 #
 #use_starttls = false
 # Skip TLS certificate verification, possibly dangerous.
 #
 #disable_tls_verification = false
 # Root of the searches.
 #
 # example: "ou=users,dc=example,dc=org"
@@ -2041,3 +2080,44 @@
 # web->synapseHTTPAntispam->authorization
 #
 #secret =
 #[global.smtp]
 # A `smtp://`` URI which will be used to connect to a mail server.
 # Uncommenting the [global.smtp] group and setting this option enables
 # features which depend on the ability to send email,
 # such as self-service password resets.
 #
 # For most modern mail servers, format the URI like this:
 # 	`smtps://username:password@hostname:port`
 # Note that you will need to URL-encode the username and password. If your
 # username _is_ your email address, you will need to replace the `@` with
 # `%40`.
 #
 # For a guide on the accepted URI syntax, consult Lettre's documentation:
 # https://docs.rs/lettre/latest/lettre/transport/smtp/struct.AsyncSmtpTransport.html#method.from_url
 #
 #connection_uri =
 # The outgoing address which will be used for sending emails.
 #
 # For a syntax guide, see https://datatracker.ietf.org/doc/html/rfc2822#section-3.4
 #
 # ...or if you don't want to read the RFC, for some reason:
 # - `Name <address@domain.org>` to specify a sender name
 # - `address@domain.org` to not use a name
 #
 #sender =
 # Whether to require that users provide an email address when they
 # register.
 #
 # If either this option or `require_email_for_token_registration` are set,
 # users will not be allowed to remove their email address.
 #
 #require_email_for_registration = false
 # Whether to require that users who register with a registration token
 # provide an email address.
 #
 #require_email_for_token_registration = false
--- a/docker/Dockerfile
+++ b/docker/Dockerfile
@@ -15,14 +15,16 @@ ARG LLVM_VERSION=21
 # Install repo tools
 # Line one: compiler tools
-# Line two: curl, for downloading binaries
+# Line two: curl, for downloading binaries and wget because llvm.sh is broken with curl
 # Line three: for xx-verify
 # golang, cmake: For aws-lc-rs bindgen
 RUN --mount=type=cache,target=/var/cache/apt,sharing=locked \
    --mount=type=cache,target=/var/lib/apt,sharing=locked \
    apt-get update && apt-get install -y \
    pkg-config make jq \
-    curl git software-properties-common \
+    wget curl git software-properties-common \
    file
    # golang cmake
 # LLVM packages
 RUN --mount=type=cache,target=/var/cache/apt,sharing=locked \
@@ -48,7 +50,7 @@ EOF
 # Developer tool versions
 # renovate: datasource=github-releases depName=cargo-bins/cargo-binstall
-ENV BINSTALL_VERSION=1.17.8
+ENV BINSTALL_VERSION=1.18.1
 # renovate: datasource=github-releases depName=psastras/sbom-rs
 ENV CARGO_SBOM_VERSION=0.9.1
 # renovate: datasource=crate depName=lddtree
@@ -162,7 +164,7 @@ ENV CONDUWUIT_VERSION_EXTRA=$CONDUWUIT_VERSION_EXTRA
 ENV CONTINUWUITY_VERSION_EXTRA=$CONTINUWUITY_VERSION_EXTRA
 ARG RUST_PROFILE=release
-ARG CARGO_FEATURES="default,http3"
+ARG CARGO_FEATURES="default"
 # Build the binary
 RUN --mount=type=cache,target=/usr/local/cargo/registry \
--- a/docker/musl.Dockerfile
+++ b/docker/musl.Dockerfile
@@ -18,7 +18,7 @@ RUN --mount=type=cache,target=/etc/apk/cache apk add \
 # Developer tool versions
 # renovate: datasource=github-releases depName=cargo-bins/cargo-binstall
-ENV BINSTALL_VERSION=1.17.8
+ENV BINSTALL_VERSION=1.18.1
 # renovate: datasource=github-releases depName=psastras/sbom-rs
 ENV CARGO_SBOM_VERSION=0.9.1
 # renovate: datasource=crate depName=lddtree
--- a/docs/_meta.json
+++ b/docs/_meta.json
@@ -69,11 +69,6 @@
        "label": "Configuration Reference",
        "name": "/reference/config"
    },
    {
        "type": "file",
        "label": "Environment Variables",
        "name": "/reference/environment-variables"
    },
    {
        "type": "dir",
        "label": "Admin Command Reference",
--- a/docs/advanced/_meta.json
+++ b/docs/advanced/_meta.json
@@ -3,5 +3,11 @@
        "type": "file",
        "name": "delegation",
        "label": "Delegation / split-domain"
    },
    {
        "type": "file",
        "name": "dns",
        "label": "DNS tuning (recommended)"
    }
 ]
--- a/docs/advanced/delegation.mdx
+++ b/docs/advanced/delegation.mdx
@@ -18,12 +18,14 @@ ## Configuration
 ```toml
 [global.well_known]
 # defaults to port :443 if not specified
 client = "https://matrix.example.com"
 # port number MUST be specified
 server = "matrix.example.com:443"
 # (optional) customize your support contacts
 # Defaults to members of the admin room if unset
 #support_page =
 #support_role = "m.role.admin"
 #support_email =
@@ -42,9 +44,11 @@ # (optional) customize your support contacts
        client=https://matrix.example.com,
        server=matrix.example.com:443
        }
 ```
-## Serving with a reverse proxy
+      # You can also configure individual `.well-knowns` like this
      # CONTINUWUITY_WELL_KNOWN__CLIENT: https://matrix.example.com
      # CONTINUWUITY_WELL_KNOWN__SERVER: matrix.example.com:443
 ```
 After doing the steps above, Continuwuity will serve these 3 JSON files:
@@ -54,9 +58,11 @@ ## Serving with a reverse proxy
 To enable full discovery, you will need to reverse proxy these paths from the base domain back to Continuwuity.
 ## Reverse proxying well-known files to Continuwuity
 <details>
-<summary>For Caddy</summary>
+<summary>For **Caddy**</summary>
 ```
 matrix.example.com:443 {
@@ -72,7 +78,7 @@ ## Serving with a reverse proxy
 <details>
-<summary>For Traefik (via Docker labels)</summary>
+<summary>For **Traefik** (via Docker labels)</summary>
 ```
 services:
@@ -87,16 +93,17 @@ ## Serving with a reverse proxy
 </details>
-Restart Continuwuity and your reverse proxy. Once that's done, visit these routes and check that the responses match the examples below:
+
 For **Docker** users, consult the compose files in the [Appendix section](#docker-compose-examples).
 After applying these changes, restart Continuwuity and your reverse proxy.Visit these routes and check that the responses match the examples below:
 <details open>
 <summary>`https://example.com/.well-known/matrix/server`</summary>
 ```json
-{
+{ "m.server": "matrix.example.com:443" }
  "m.server": "matrix.example.com:443"
 }
 ```
 </details>
@@ -115,12 +122,57 @@ ## Serving with a reverse proxy
 </details>
 ### Serving well-known files manually
 Instead of configuring `[global.well_known]` options and reverse proxying well-known URIs, you can serve these files directly as static JSON that match the ones above. This is useful if your base domain points to a different physical server, and reverse proxying isn't feasible.
 <details>
 <summary>Example Caddyfile **for the base domain**</summary>
 ```
 https://example.com {
    respond /.well-known/matrix/server 200 {
        body `{"m.server":"matrix.example.com:443"}`
    }
    handle /.well-known/matrix/client {
    header Access-Control-Allow-Origin *
    respond <<JSON
    {
        "m.homeserver": {
            "base_url": "https://matrix.example.com/"
        }
    }
    JSON
    }
 }
 ```
 </details>
 Remember to set the `Access-Control-Allow-Origin: *` header in your `/.well-known/matrix/client` path for web clients to work.
 ## Troubleshooting
 Check with the [Matrix Connectivity Tester][federation-tester] to see that it's working.
 [federation-tester]: https://federationtester.mtrnord.blog/
 ### Cannot log in with web clients
 Make sure there is an `Access-Control-Allow-Origin: *` header in your `/.well-known/matrix/client` path. While Continuwuity serves this header by default, it may be dropped by reverse proxies or other middlewares.
 ### Issues with alternative setups
 As Matrix clients prioritize well-known URIs for their destination, this can lead to issues with alternative methods of accessing the server that doesn't use a publicly routeable IP and domain name. You will probably find yourself connecting to non-existent/undesired URLs in certain cases like:
 - Accessing to the server via localhost IPs (e.g. for testing purposes)
 - Accessing the server from behind a VPN, or from alternative networks (such as from an onionsite)
 In these scenarios, further configurations would be needed. Refer to the [Related Documentation](#related-documentation) section for resolution steps and see how they could apply to your use case.
 ---
 ## Using SRV records (not recommended)
@@ -204,3 +256,45 @@ ## Related Documentation
 - [Server-to-Server resolution](https://spec.matrix.org/v1.17/server-server-api/#resolving-server-names) (see this for more information on SRV records)
 - [Client-to-Server resolution](https://spec.matrix.org/v1.17/client-server-api/#server-discovery)
 - [MSC1929: Homeserver Admin Contact and Support page](https://github.com/matrix-org/matrix-spec-proposals/pull/1929)
 ## Appendix
 ### Docker Compose examples
 The following Compose files are taken from [Docker instructions](../deploying/docker.mdx) and reconfigured to support split-domain delegation. Note the updated `CONTINUWUITY_WELL_KNOWN` variable and relevant changes in reverse proxy rules.
 <details>
 <summary>Caddy (using Caddyfile) - delegated.docker-compose.with-caddy.yml ([view raw](/advanced/delegated.docker-compose.with-caddy.yml))</summary>
 ```yaml file="../public/advanced/delegated.docker-compose.with-caddy.yml"
 ```
 </details>
 <details>
 <summary>Caddy (using labels) - delegated.docker-compose.with-caddy-labels.yml ([view raw](/advanced/delegated.docker-compose.with-caddy-labels.yml))</summary>
 ```yaml file="../public/advanced/delegated.docker-compose.with-caddy-labels.yml"
 ```
 </details>
 <details>
 <summary>Traefik (for existing setup) - delegated.docker-compose.for-traefik.yml ([view raw](/advanced/delegated.docker-compose.for-traefik.yml))</summary>
 ```yaml file="../public/advanced/delegated.docker-compose.for-traefik.yml"
 ```
 </details>
 <details>
 <summary>Traefik included - delegated.docker-compose.with-traefik.yml ([view raw](/advanced/delegated.docker-compose.with-traefik.yml))</summary>
 ```yaml file="../public/advanced/delegated.docker-compose.with-traefik.yml"
 ```
 </details>
--- a/docs/advanced/dns.mdx
+++ b/docs/advanced/dns.mdx
@@ -0,0 +1,165 @@
 # DNS Tuning (recommended)
 For federation, Matrix homeservers conduct an enormous amount of DNS requests, sometimes up to thousands of queries per minute. Normal DNS resolvers are simply not designed for this load, and running Continuwuity with them will likely result in various [DNS and federation errors](../troubleshooting#dns-issues).
 To solve this issue, it is strongly recommended to self-host a high-quality, external caching DNS resolver for Continuwuity. This guide will use [Unbound][unbound] as the recommended example, but the general principle applies to any resolver.
 [unbound]: https://wiki.archlinux.org/title/Unbound
 ## Overview
 For generic deployments, install your resolver of choice and configure `/etc/resolv.conf` to point to it. The resolver should ideally reside on the same host as Continuwuity.
 ```txt title="/etc/resolv.conf"
 nameserver 127.0.0.1
 ```
 **Avoid using `systemd-resolved`** as it does **not** perform very well under high load, and we have identified its DNS caching to not be very effective.
 ### For Docker users
 Docker bridge networks uses a non-performant resolver to intercept and respond to container hostnames, and **this should also be avoided**. Instead, mount a custom `/etc/resolv.conf` file into the container, and hardcode a resolver address to bypass Docker's.
 It is recommended to run a dedicated resolver container for Continuwuity, as to separate from the host's resolver setup. To do this, create a custom bridge network and IP range, and explicitly define an IP address for the resolver container.
 <details>
 <summary>Example Docker deployment with unbound</summary>
 ```yaml title="docker-compose.yml"
 networks:
  matrix_net:
    ipam:
      driver: default
      config:
        - subnet: "10.10.10.0/24"
 services:
    homeserver:
        # ...
        volume:
            - ./continuwuity-resolv.conf:/etc/resolv.conf:ro
    unbound:
        # ...
        networks:
            matrix_net:
                ipv4_address: 10.10.10.20
 ```
 ```txt title="continuwuity-resolv.conf"
 nameserver 10.10.10.20
 ```
 </details>
 ### For IPv4-only users
 If you don't have IPv6 connectivity, changing `ip_lookup_strategy` to only resolve for IPv4 will reduce unnecessary AAAA queries.
 ```toml title="continuwuity.toml"
 [global]
 # 1 - Ipv4Only (Only query for A records, no AAAA/IPv6)
 ip_lookup_strategy = 1
 ```
 ## Unbound
 [Unbound][unbound] is the recommended resolver to run with Continuwuity. For Docker users, the `docker.io/madnuttah/unbound` image ([Github repo][madnuttah-unbound-repo]) can be used.
 After installation, you can tune `/etc/unbound/unbound.conf` values according to your needs. While Continuwuity cannot recommend a "works-for-everyone" Unbound DNS setup guide, the official [Unbound tuning guide][unbound-tuning-guide] and the [Unbound Arch Linux wiki page][unbound-arch-linux] may be of interest.
 Some values that are commonly tuned include:
 - Increase `rrset-cache-size` and `msg-cache-size` to something much higher than the default `4M`, such as `64M`.
 - Increase `discard-timeout` to something like `4800` to wait longer for upstream resolvers, as recursion can take a long time to respond to some domains. Continuwuity default to `dns_timeout = 10` seconds, so dropping requests early would lead to unnecessary retries and/or failures.
 ### Using a forwarder (optional)
 Unbound by default employs **recursive resolution** and contacts many servers around the world. If this is not performant enough, consider forwarding your queries to public resolvers to benefit from their CDNs and get faster responses.
 However, most popular upstreams (such as Google DNS or Quad9) employ IP ratelimiting, so a generous cache is still needed to avoid making too many queries.
 DNS-over-TLS forwarders may also be used should you need on-the-wire encryption, but TLS overhead causes some speed penalties.
 If you want to use forwarders, configure it as follows:
 <details>
 <summary>unbound.conf</summary>
 ```
 # Use cloudflare public resolvers as an example
 forward-zone:
    name: "."
    forward-addr: 1.0.0.1@53
    forward-addr: 1.1.1.1@53
    # Also use IPv6 ones if you're dual-stack
    # forward-addr: 2606:4700:4700::1001@53
    # forward-addr: 2606:4700:4700::1111@53
 # alternatively, use DNS-over-TLS for forwarders.
 # forward-zone:
    # name: "."
    # forward-tls-upstream: yes
    # forward-addr: 1.0.0.1@853#cloudflare-dns.com
    # forward-addr: 1.1.1.1@853#cloudflare-dns.com
    # forward-addr: 2606:4700:4700::1001@853#cloudflare-dns.com
    # forward-addr: 2606:4700:4700::1111@853#cloudflare-dns.com
 ```
 </details>
 [madnuttah-unbound-repo]: https://github.com/madnuttah/unbound-docker/
 [unbound-tuning-guide]: https://unbound.docs.nlnetlabs.nl/en/latest/topics/core/performance.html
 [unbound-arch-linux]: https://wiki.archlinux.org/title/Unbound
 ## Other resolvers
 ### dnsproxy
 [Dnsproxy][dnsproxy] and its sister product [AdGuard Home][adguard-home] are known to work with Continuwuity and has an official Docker image. They have support for DNS-over-HTTPS as well as DNS-over-QUIC, but not recursion.
 To best utilise dnsproxy, you should enable proper caching with `--cache` and set `--cache-size` to something bigger, like `64000000`.
 [dnsproxy]: https://github.com/AdguardTeam/dnsproxy
 [adguard-home]: https://github.com/AdguardTeam/AdGuardHome
 ### dnsmasq
 [dnsmasq][arch-linux-dnsmasq] can possibly work with Continuwuity, though it only supports forwarding rather than recursion. Increase the `cache-size` to something like `30000` for better caching performance.
 However, `dnsmasq` does not support TCP fallback which can be problematic when receiving large DNS responses such as from large SRV records. If you still want to use dnsmasq, make sure you disable `dns_tcp_fallback` in Continuwuity config.
 [arch-linux-dnsmasq]: https://wiki.archlinux.org/title/Dnsmasq
 ### Technitium
 [Technitium][technitium] supports recursion as well as a myriad of forwarding protocols, allows saving cache to disk natively, and does work well with Continuwuity. Its default configurations however ratelimits single-IP requests by a lot, and hence must be changed. You may consult this [community guide][technitium-continuwuity] for more details on setting up a dedicated Technitium for Continuwuity.
 [technitium]: https://github.com/TechnitiumSoftware/DnsServer
 [technitium-continuwuity]: https://muoi.me/~stratself/articles/technitium-continuwuity/
 ## Testing
 As a rough stress test, you can run `!admin query resolver flush-cache -a` or `!admin server clear-caches` to trigger a netburst of DNS queries. If your resolver can handle these loads without problem, then it should be ready for regular Continuwuity activity.
 To test connectivity against a specific server, use `!admin debug ping <SERVER_NAME>` and `!admin debug resolve-true-destination <SERVER_NAME>`.
 Note that it is expected that not all servers will be resolved, as some of them may be temporarily offline, have broken DNS and/or discovery configuration, or have been decommissioned.
 ## Further steps
 - (Recommended) Set **`dns_cache_entries = 0`** inside Continuwuity and fully rely on the more performant external resolver.
 - Consider employing **persistent cache to disk**, so your resolver can still run without hassle after a restart. Unbound, via [Cache DB module][unbound-cachedb], can use Redis as a storage backend for this feature.
 - Consider [enabling **Serve Stale**][unbound-serve-stale] functionality to serve expired data beyond DNS TTLs. Since most Matrix homeservers have static IPs, this should help improve federation with them especially when upstream resolvers have timed out. For dnsproxy, this corresponds to its [optimistic caching options][dnsproxy-usage].
 - If you still experience DNS performance issues, another step could be to **disable DNSSEC** (which is computationally expensive) at a cost of slightly decreased security. On Unbound this is done by commenting out `trust-anchors` config options and removing the `validator` module.
 - Some users have reported that setting `query_over_tcp_only = true` in Continuwuity has improved DNS reliability at a slight performance cost due to TCP overhead. Generally this is not needed if your resolver and homeserver is on the same machine.
 [unbound-cachedb]: https://unbound.docs.nlnetlabs.nl/en/latest/manpages/unbound.conf.html#cache-db-module-options
 [unbound-serve-stale]: https://wiki.archlinux.org/title/Unbound#Serving_expired_records
 [dnsproxy-usage]: https://github.com/AdguardTeam/dnsproxy#usage
--- a/docs/calls.mdx
+++ b/docs/calls.mdx
@@ -11,7 +11,3 @@ # Calls
 - For legacy calls to work, you need to set up a TURN/STUN server. [Read the TURN guide for tips on how to set up coturn](./calls/turn.mdx)
 - For MatrixRTC / Element Call to work, you have to set up the LiveKit backend (foci). LiveKit also uses TURN/STUN to increase reliability - you can set up its built-in TURN server, or integrate with an existing one. [Read the LiveKit guide](./calls/livekit.mdx)
 :::info
 Our [`#matrixrtc:continuwuity.org`](https://matrix.to/#/#matrixrtc:continuwuity.org) room is all about calling on matrix. Join there if you have any questions!
 :::
--- a/docs/calls/livekit.mdx
+++ b/docs/calls/livekit.mdx
@@ -5,7 +5,7 @@ # Matrix RTC/Element Call Setup
 :::
 :::tip
-You can find help setting up Matrix RTC in our dedicated room - [#matrixrtc:continuwuity.org](https://matrix.to/#/%23matrixrtc%3Acontinuwuity.org)
+You can find help setting up MatrixRTC in our dedicated room - [#matrixrtc:continuwuity.org](https://matrix.to/#/%23matrixrtc%3Acontinuwuity.org)
 :::
 ## Instructions
@@ -91,7 +91,7 @@ ### 3. Telling clients where to find LiveKit
 To tell clients where to find LiveKit, you need to add the address of your `lk-jwt-service` to the `[global.matrix_rtc]` config section using the `foci` option.
-The variable should be a list of servers serving as MatrixRTC endpoints. Clients discover these via the `/_matrix/client/v1/rtc/transports` endpoint (MSC4143).
+The variable should be a list of servers serving as MatrixRTC endpoints. Replace the URL with the address you are deploying your instance of lk-jwt-service to:
 ```toml
 [global.matrix_rtc]
@@ -100,7 +100,10 @@ ### 3. Telling clients where to find LiveKit
 ]
 ```
-Remember to replace the URL with the address you are deploying your instance of lk-jwt-service to.
+This will expose LiveKit information on the following endpoints for clients to discover:
 - `/_matrix/client/unstable/org.matrix.msc4143/rtc/transports` (MSC4143 unstable, behind auth)
 - `/.well-known/matrix/client` (fallback, not behind auth. Only enabled if `[global.well_known].client` is set)
 ### 4. Configure your Reverse Proxy
@@ -114,6 +117,7 @@ ### 4. Configure your Reverse Proxy
 <details>
    <summary>Example caddy config</summary>
    ```
    livekit.example.com {
@@ -127,10 +131,12 @@ ### 4. Configure your Reverse Proxy
        reverse_proxy 127.0.0.1:7880
    }
    ```
 </details>
 <details>
    <summary>Example nginx config</summary>
    ```
    server {
        server_name livekit.example.com;
@@ -167,16 +173,19 @@ ### 4. Configure your Reverse Proxy
        ''      close;
    }
    ```
 </details>
 <details>
    <summary>Example traefik router</summary>
    ```
    # on LiveKit itself
    traefik.http.routers.livekit.rule=Host(`livekit.example.com`)
    # on the JWT service
    traefik.http.routers.livekit-jwt.rule=Host(`livekit.example.com`) && (PathPrefix(`/sfu/get`) || PathPrefix(`/healthz`) || PathPrefix(`/get_token`))
    ```
 </details>
@@ -210,7 +219,7 @@ ### add these to livekit's docker-compose ###
 ### if you're using `network_mode: host`, you can skip this part
 ```
-Recreate the LiveKit container (with `docker-compose up -d livekit`) to apply these changes. Remember to allow the new `3478/udp` and `50100:50200/udp` ports through your firewall.
+Recreate the LiveKit container (with `docker-compose up -d livekit`) to apply these changes. Remember to allow the new `3478/udp` and `50300:50400/udp` ports through your firewall.
 ### Integration with an external TURN server
@@ -257,11 +266,25 @@ ## Testing
 First, you will need an access token for your current login session. These can be found in your client's settings or obtained via [this website](https://timedout.uk/mxtoken.html).
-Then, using that token, request another OpenID token for use with the lk-jwt-service:
+Then, using that token, fetch the discovery endpoints for MatrixRTC services
 ```bash
-~$ curl -X POST -H "Authorization: Bearer <session-access-token>" \
+curl -X POST -H "Authorization: Bearer <session-access-token>" \
  https://matrix.example.com/_matrix/client/unstable/org.matrix.msc4143/rtc/transports
 ```
 In the output, you should see the LiveKit URL matching the one [configured above](#3-telling-clients-where-to-find-livekit).
 With the same token, request another OpenID token for use with the lk-jwt-service:
 ```bash
 curl -X POST -H "Authorization: Bearer <session-access-token>" \
  https://matrix.example.com/_matrix/client/v3/user/@user:example.com/openid/request_token
 ```
 You will see a response as below:
 ```json
 {"access_token":"<openid_access_token>","token_type":"Bearer","matrix_server_name":"example.com","expires_in":3600}
 ```
@@ -296,10 +319,15 @@ ## Testing
 ```bash
 ~$ curl -X POST -d @payload.json https://livekit.example.com/get_token
 ```
 The lk-jwt-service will, after checking against Continuwuity, answer with a `jwt` token to create a LiveKit media room:
 ```json
 {"url":"wss://livekit.example.com","jwt":"a_really_really_long_string"}
 ```
-The lk-jwt-service will, after checking against Continuwuity, answer with a `jwt` token to create a LiveKit media room. Use this token to test at the [LiveKit Connection Tester](https://livekit.io/connection-test). If everything works there, then you have set up LiveKit successfully!
+Use this token to test at the [LiveKit Connection Tester](https://livekit.io/connection-test). If everything works there, then you have set up LiveKit successfully!
 ## Troubleshooting
@@ -363,8 +391,8 @@ ## Related Documentation
 Specifications:
- [MatrixRTC proposal](https://github.com/matrix-org/matrix-spec-proposals/pull/4143)
+- [MSC4143 - MatrixRTC proposal](https://github.com/matrix-org/matrix-spec-proposals/pull/4143)
- [LiveKit proposal](https://github.com/matrix-org/matrix-spec-proposals/pull/4195)
+- [MSC4195 - LiveKit proposal](https://github.com/matrix-org/matrix-spec-proposals/pull/4195)
 Source code:
--- a/docs/configuration.mdx
+++ b/docs/configuration.mdx
@@ -2,66 +2,90 @@ # Configuration
 This chapter describes various ways to configure Continuwuity.
-## Basics
+## Configuration file
-Continuwuity uses a config file for the majority of the settings, but also supports
+Continuwuity uses a TOML config file for all of its settings. This is the recommended way to configure Continuwuity. Please refer to the [example config file](./reference/config.mdx) for all of these settings.
 setting individual config options via commandline.
-Please refer to the [example config
+You can specify the config file to be used by Continuwuity with the command-line flag `-c` or `--config`:
 file](./reference/config.mdx) for all of those
 settings.
-The config file to use can be specified on the commandline when running
+```bash
-Continuwuity by specifying the `-c`, `--config` flag. Alternatively, you can use
+./conduwuit -c /path/to/continuwuity.toml
-the environment variable `CONTINUWUITY_CONFIG` to specify the config file to be
+```
 used; see [the section on environment variables](#environment-variables) for
 more information.
-## Option commandline flag
+Alternatively, you can use the environment variable `CONTINUWUITY_CONFIG` to specify the config file to be used; see [the section on environment variables](#environment-variables) for more information.
-Continuwuity supports setting individual config options in TOML format from the
+## Environment variables
-`-O` / `--option` flag. For example, you can set your server name via `-O
+
-server_name=\"example.com\"`.
+All of the options in the config file can also be specified by using environment variables. This is ideal for containerised deployments and infrastructure-as-code scenarios.
 The environment variable names are represented in all caps and prefixed with `CONTINUWUITY_`. They are mapped to config options in the ways demonstrated below:
 ```bash
 # Top-level options (those inside the [global] section) are simply capitalised
 CONTINUWUITY_SERVER_NAME="matrix.example.com"
 CONTINUWUITY_PORT="8008"
 CONTINUWUITY_DATABASE_PATH="/var/lib/continuwuity"
 # Nested config sections use double underscores `__`
 # This maps to the `server` field of the [global.well_known] section in TOML
 CONTINUWUITY_WELL_KNOWN__SERVER="example.com:443"
 # This maps to the `base_url` field of the `[global.antispam.draupnir]` section in TOML
 CONTINUWUITY_ANTISPAM__DRAUPNIR__BASE_URL="https://draupnir.example.com"
 # Alternatively, you can pass a (quoted) struct to define an entire section
 # This maps to the [global.well_known] section
 CONTINUWUITY_WELL_KNOWN="{ client=https://example.com,server=example.com:443 }"
 ```
 ### Alternative prefixes
 For backwards compatibility, Continuwuity also supports the following environment variable prefixes, in order of descending priority:
 - `CONDUWUIT_*` (compatibility)
 - `CONDUIT_*` (legacy)
 As an example, the environment variable `CONTINUWUITY_CONFIG` can also be expressed as `CONDUWUIT_CONFIG` or `CONDUIT_CONFIG`.
 ## Option command-line flag
 Continuwuity also supports setting individual config options in TOML format from the `-O` / `--option` flag. For example, you can set your server name via `-O server_name=\"example.com\"`.
 Note that the config is parsed as TOML, and shells like `bash` will remove quotes. Therefore, if the config option is a string, quote escapes must be properly handled. If the config option is a number or a boolean, this does not apply.
 Note that the config is parsed as TOML, and shells like bash will remove quotes.
 So unfortunately it is required to escape quotes if the config option takes a
 string. This does not apply to options that take booleans or numbers:
 - `--option allow_registration=true` works ✅
 - `-O max_request_size=99999999` works ✅
 - `-O server_name=example.com` does not work ❌
 - `--option log=\"debug\"` works ✅
 - `--option server_name='"example.com'"` works ✅
-## Execute commandline flag
+## Order of priority
-Continuwuity supports running admin commands on startup using the commandline
+The above configuration methods are prioritised, in descending order, as below:
 argument `--execute`. The most notable use for this is to create an admin user
 on first startup.
-The syntax of this is a standard admin command without the prefix such as
+- Command-line `-o`/`--option` flags
-`./conduwuit --execute "users create_user june"`
+- Environment variables
    - `CONTINUWUITY_*` variables
    - `CONDUWUIT_*` variables
    - `CONDUIT_*` variables
 - Config file
-An example output of a success is:
+Therefore, you can use environment variables or the options flags to override values in the config file.
-```
+
 ---
 ## Executing startup commands
 Continuwuity supports running admin commands on startup using the command-line flag `--execute`. This is treated as a standard admin command, without the need for the `!admin` prefix. For example, to create a new user:
 ```bash
 # Equivalent to `!admin users create_user june`
 ./conduwuit --execute "users create_user june"
 INFO conduwuit_service::admin::startup: Startup command #0 completed:
 Created user with user_id: @june:girlboss.ceo and password: `<redacted>`
 ```
-This commandline argument can be paired with the `--option` flag.
+Alternatively, you can configure `CONTINUWUITY_ADMIN_EXECUTE` or the config file value `admin_execute` with a list of commands.
-## Environment variables
+This command-line argument can be paired with the `--option` flag.
 All of the settings that are found in the config file can be specified by using
 environment variables. The environment variable names should be all caps and
 prefixed with `CONTINUWUITY_`.
 For example, if the setting you are changing is `max_request_size`, then the
 environment variable to set is `CONTINUWUITY_MAX_REQUEST_SIZE`.
 To modify config options not in the `[global]` context such as
 `[global.well_known]`, use the `__` suffix split:
 `CONTINUWUITY_WELL_KNOWN__SERVER`
 Conduit and conduwuit's environment variables are also supported for backwards
 compatibility, via the `CONDUIT_` and `CONDUWUIT_` prefixes respectively (e.g.
 `CONDUIT_SERVER_NAME`).
--- a/docs/deploying/_meta.json
+++ b/docs/deploying/_meta.json
@@ -34,6 +34,11 @@
        "name": "kubernetes",
        "label": "Kubernetes"
    },
    {
        "type": "file",
        "name": "nomad",
        "label": "Nomad"
    },
    {
        "type": "file",
        "name": "freebsd",
--- a/docs/deploying/docker-compose.for-traefik.yml
+++ b/docs/deploying/docker-compose.for-traefik.yml
@@ -1,76 +0,0 @@
 # Continuwuity - Behind Traefik Reverse Proxy
 services:
  homeserver:
    ### If you already built the continuwuity image with 'docker build' or want to use the Docker Hub image,
    ### then you are ready to go.
    image: forgejo.ellis.link/continuwuation/continuwuity:latest
    restart: unless-stopped
    command: /sbin/conduwuit
    volumes:
      - db:/var/lib/continuwuity
      #- ./continuwuity.toml:/etc/continuwuity.toml
    networks:
      - proxy
    labels:
      - "traefik.enable=true"
      - "traefik.http.routers.continuwuity.rule=(Host(`matrix.example.com`) || (Host(`example.com`) && PathPrefix(`/.well-known/matrix`)))"
      - "traefik.http.routers.continuwuity.entrypoints=websecure" # your HTTPS entry point
      - "traefik.http.routers.continuwuity.tls=true"
      - "traefik.http.routers.continuwuity.service=continuwuity"
      - "traefik.http.services.continuwuity.loadbalancer.server.port=6167"
      # possibly, depending on your config:
      # - "traefik.http.routers.continuwuity.tls.certresolver=letsencrypt"
    environment:
      CONTINUWUITY_SERVER_NAME: your.server.name.example # EDIT THIS
      CONTINUWUITY_DATABASE_PATH: /var/lib/continuwuity
      CONTINUWUITY_PORT: 6167 # should match the loadbalancer traefik label
      CONTINUWUITY_MAX_REQUEST_SIZE: 20000000 # in bytes, ~20 MB
      CONTINUWUITY_ALLOW_REGISTRATION: 'true'
      CONTINUWUITY_REGISTRATION_TOKEN: 'YOUR_TOKEN' # A registration token is required when registration is allowed.
      #CONTINUWUITY_YES_I_AM_VERY_VERY_SURE_I_WANT_AN_OPEN_REGISTRATION_SERVER_PRONE_TO_ABUSE: 'true'
      CONTINUWUITY_ALLOW_FEDERATION: 'true'
      CONTINUWUITY_ALLOW_CHECK_FOR_UPDATES: 'true'
      CONTINUWUITY_TRUSTED_SERVERS: '["matrix.org"]'
      #CONTINUWUITY_LOG: warn,state_res=warn
      CONTINUWUITY_ADDRESS: 0.0.0.0
      #CONTINUWUITY_CONFIG: '/etc/continuwuity.toml' # Uncomment if you mapped config toml above
      # We need some way to serve the client and server .well-known json. The simplest way is via the CONTINUWUITY_WELL_KNOWN
      # variable / config option, there are multiple ways to do this, e.g. in the continuwuity.toml file, and in a separate
      # see the override file for more information about delegation
      CONTINUWUITY_WELL_KNOWN: |
        {
        client=https://your.server.name.example,
        server=your.server.name.example:443
        }
    #cpuset: "0-4" # Uncomment to limit to specific CPU cores
    ulimits: # Continuwuity uses quite a few file descriptors, and on some systems it defaults to 1024, so you can tell docker to increase it
      nofile:
        soft: 1048567
        hard: 1048567
    ### Uncomment if you want to use your own Element-Web App.
    ### Note: You need to provide a config.json for Element and you also need a second
    ###       Domain or Subdomain for the communication between Element and Continuwuity
    ### Config-Docs: https://github.com/vector-im/element-web/blob/develop/docs/config.md
    # element-web:
    #     image: vectorim/element-web:latest
    #     restart: unless-stopped
    #     volumes:
    #         - ./element_config.json:/app/config.json
    #     networks:
    #         - proxy
    #     depends_on:
    #         - homeserver
 volumes:
  db:
 networks:
  # This is the network Traefik listens to, if your network has a different
  # name, don't forget to change it here and in the docker-compose.override.yml
  proxy:
    external: true
 # vim: ts=2:sw=2:expandtab
--- a/docs/deploying/docker-compose.override.yml
+++ b/docs/deploying/docker-compose.override.yml
@@ -1,36 +0,0 @@
 # Continuwuity - Traefik Reverse Proxy Labels
 services:
  homeserver:
    labels:
      - "traefik.enable=true"
      - "traefik.docker.network=proxy"  # Change this to the name of your Traefik docker proxy network
      - "traefik.http.routers.to-continuwuity.rule=Host(`<SUBDOMAIN>.<DOMAIN>`)"  # Change to the address on which Continuwuity is hosted
      - "traefik.http.routers.to-continuwuity.tls=true"
      - "traefik.http.routers.to-continuwuity.tls.certresolver=letsencrypt"
      - "traefik.http.routers.to-continuwuity.middlewares=cors-headers@docker"
      - "traefik.http.services.to_continuwuity.loadbalancer.server.port=6167"
      - "traefik.http.middlewares.cors-headers.headers.accessControlAllowOriginList=*"
      - "traefik.http.middlewares.cors-headers.headers.accessControlAllowHeaders=Origin, X-Requested-With, Content-Type, Accept, Authorization"
      - "traefik.http.middlewares.cors-headers.headers.accessControlAllowMethods=GET, POST, PUT, DELETE, OPTIONS"
      # If you want to have your account on <DOMAIN>, but host Continuwuity on a subdomain,
      # you can let it only handle the well known file on that domain instead
      #- "traefik.http.routers.to-matrix-wellknown.rule=Host(`<DOMAIN>`) && PathPrefix(`/.well-known/matrix`)"
      #- "traefik.http.routers.to-matrix-wellknown.tls=true"
      #- "traefik.http.routers.to-matrix-wellknown.tls.certresolver=letsencrypt"
      #- "traefik.http.routers.to-matrix-wellknown.middlewares=cors-headers@docker"
  ### Uncomment this if you uncommented Element-Web App in the docker-compose.yml
  # element-web:
  #     labels:
  #         - "traefik.enable=true"
  #         - "traefik.docker.network=proxy"  # Change this to the name of your Traefik docker proxy network
  #         - "traefik.http.routers.to-element-web.rule=Host(`<SUBDOMAIN>.<DOMAIN>`)"  # Change to the address on which Element-Web is hosted
  #         - "traefik.http.routers.to-element-web.tls=true"
  #         - "traefik.http.routers.to-element-web.tls.certresolver=letsencrypt"
 # vim: ts=2:sw=2:expandtab
--- a/docs/deploying/docker-compose.with-caddy.yml
+++ b/docs/deploying/docker-compose.with-caddy.yml
@@ -1,60 +0,0 @@
 services:
    caddy:
    # This compose file uses caddy-docker-proxy as the reverse proxy for Continuwuity!
    # For more info, visit https://github.com/lucaslorentz/caddy-docker-proxy
        image: lucaslorentz/caddy-docker-proxy:ci-alpine
        ports:
            - 80:80
            - 443:443
        environment:
            - CADDY_INGRESS_NETWORKS=caddy
        networks:
            - caddy
        volumes:
            - /var/run/docker.sock:/var/run/docker.sock
            - ./data:/data
        restart: unless-stopped
        labels:
            caddy: example.com
            caddy.reverse_proxy: /.well-known/matrix/* homeserver:6167
    homeserver:
        ### If you already built the Continuwuity image with 'docker build' or want to use a registry image,
        ### then you are ready to go.
        image: forgejo.ellis.link/continuwuation/continuwuity:latest
        restart: unless-stopped
        command: /sbin/conduwuit
        volumes:
            - db:/var/lib/continuwuity
            - /etc/resolv.conf:/etc/resolv.conf:ro # Use the host's DNS resolver rather than Docker's.
            #- ./continuwuity.toml:/etc/continuwuity.toml
        environment:
            CONTINUWUITY_SERVER_NAME: example.com # EDIT THIS
            CONTINUWUITY_DATABASE_PATH: /var/lib/continuwuity
            CONTINUWUITY_PORT: 6167
            CONTINUWUITY_MAX_REQUEST_SIZE: 20000000 # in bytes, ~20 MB
            CONTINUWUITY_ALLOW_REGISTRATION: 'true'
            CONTINUWUITY_REGISTRATION_TOKEN: 'YOUR_TOKEN' # A registration token is required when registration is allowed.
            #CONTINUWUITY_YES_I_AM_VERY_VERY_SURE_I_WANT_AN_OPEN_REGISTRATION_SERVER_PRONE_TO_ABUSE: 'true'
            CONTINUWUITY_ALLOW_FEDERATION: 'true'
            CONTINUWUITY_ALLOW_CHECK_FOR_UPDATES: 'true'
            CONTINUWUITY_TRUSTED_SERVERS: '["matrix.org"]'
            #CONTINUWUITY_LOG: warn,state_res=warn
            CONTINUWUITY_ADDRESS: 0.0.0.0
            #CONTINUWUITY_CONFIG: '/etc/continuwuity.toml' # Uncomment if you mapped config toml above
            # Required for .well-known delegation - edit these according to your chosen domain
            CONTINUWUITY_WELL_KNOWN__CLIENT: https://matrix.example.com
            CONTINUWUITY_WELL_KNOWN__SERVER: matrix.example.com:443
        networks:
            - caddy
        labels:
            caddy: matrix.example.com
            caddy.reverse_proxy: "{{upstreams 6167}}"
 volumes:
    db:
 networks:
    caddy:
        external: true
--- a/docs/deploying/docker-compose.with-traefik.yml
+++ b/docs/deploying/docker-compose.with-traefik.yml
@@ -1,160 +0,0 @@
 # Continuwuity - Behind Traefik Reverse Proxy
 services:
  homeserver:
    ### If you already built the Continuwuity image with 'docker build' or want to use the Docker Hub image,
    ### then you are ready to go.
    image: forgejo.ellis.link/continuwuation/continuwuity:latest
    restart: unless-stopped
    command: /sbin/conduwuit
    volumes:
      - db:/var/lib/continuwuity
      - /etc/resolv.conf:/etc/resolv.conf:ro # Use the host's DNS resolver rather than Docker's.
      #- ./continuwuity.toml:/etc/continuwuity.toml
    networks:
      - proxy
    labels:
      - "traefik.enable=true"
      - "traefik.http.routers.continuwuity.rule=(Host(`matrix.example.com`) || (Host(`example.com`) && PathPrefix(`/.well-known/matrix`)))"
      - "traefik.http.routers.continuwuity.entrypoints=websecure"
      - "traefik.http.routers.continuwuity.tls.certresolver=letsencrypt"
      - "traefik.http.services.continuwuity.loadbalancer.server.port=6167"
      # Uncomment and adjust the following if you want to use middleware
      # - "traefik.http.routers.continuwuity.middlewares=secureHeaders@file"
    environment:
      CONTINUWUITY_SERVER_NAME: your.server.name.example # EDIT THIS
      CONTINUWUITY_TRUSTED_SERVERS: '["matrix.org"]'
      CONTINUWUITY_ALLOW_REGISTRATION: 'false' # After setting a secure registration token, you can enable this
      CONTINUWUITY_REGISTRATION_TOKEN: "" # This is a token you can use to register on the server
      #CONTINUWUITY_REGISTRATION_TOKEN_FILE: "" # Alternatively you can configure a path to a token file to read
      CONTINUWUITY_ADDRESS: 0.0.0.0
      CONTINUWUITY_PORT: 6167 # you need to match this with the traefik load balancer label if you're want to change it
      CONTINUWUITY_DATABASE_PATH: /var/lib/continuwuity
      #CONTINUWUITY_CONFIG: '/etc/continuwuity.toml' # Uncomment if you mapped config toml above
      ### Uncomment and change values as desired, note that Continuwuity has plenty of config options, so you should check out the example example config too
      # Available levels are: error, warn, info, debug, trace - more info at: https://docs.rs/env_logger/*/env_logger/#enabling-logging
      # CONTINUWUITY_LOG: info  # default is: "warn,state_res=warn"
      # CONTINUWUITY_ALLOW_ENCRYPTION: 'true'
      # CONTINUWUITY_ALLOW_FEDERATION: 'true'
      # CONTINUWUITY_ALLOW_CHECK_FOR_UPDATES: 'true'
      # CONTINUWUITY_ALLOW_INCOMING_PRESENCE: true
      # CONTINUWUITY_ALLOW_OUTGOING_PRESENCE: true
      # CONTINUWUITY_ALLOW_LOCAL_PRESENCE: true
      # CONTINUWUITY_WORKERS: 10
      # CONTINUWUITY_MAX_REQUEST_SIZE: 20000000  # in bytes, ~20 MB
      # CONTINUWUITY_NEW_USER_DISPLAYNAME_SUFFIX = "🏳<200d>⚧"
      # We need some way to serve the client and server .well-known json. The simplest way is via the CONTINUWUITY_WELL_KNOWN
      # variable / config option, there are multiple ways to do this, e.g. in the continuwuity.toml file, and in a separate
      # reverse proxy, but since you do not have a reverse proxy and following this guide, this example is included
      CONTINUWUITY_WELL_KNOWN: |
        {
          client=https://your.server.name.example,
          server=your.server.name.example:443
        }
    #cpuset: "0-4" # Uncomment to limit to specific CPU cores
    ulimits: # Continuwuity uses quite a few file descriptors, and on some systems it defaults to 1024, so you can tell docker to increase it
      nofile:
        soft: 1048567
        hard: 1048567
    ### Uncomment if you want to use your own Element-Web App.
    ### Note: You need to provide a config.json for Element and you also need a second
    ###       Domain or Subdomain for the communication between Element and Continuwuity
    ### Config-Docs: https://github.com/vector-im/element-web/blob/develop/docs/config.md
    # element-web:
    #     image: vectorim/element-web:latest
    #     restart: unless-stopped
    #     volumes:
    #         - ./element_config.json:/app/config.json
    #     networks:
    #         - proxy
    #     depends_on:
    #         - homeserver
  traefik:
    image: "traefik:latest"
    container_name: "traefik"
    restart: "unless-stopped"
    ports:
      - "80:80"
      - "443:443"
    volumes:
      - "/var/run/docker.sock:/var/run/docker.sock:z"
      - "acme:/etc/traefik/acme"
      #- "./traefik_config:/etc/traefik:z"
    labels:
      - "traefik.enable=true"
      # middleware redirect
      - "traefik.http.middlewares.redirect-to-https.redirectscheme.scheme=https"
      # global redirect to https
      - "traefik.http.routers.redirs.rule=hostregexp(`{host:.+}`)"
      - "traefik.http.routers.redirs.entrypoints=web"
      - "traefik.http.routers.redirs.middlewares=redirect-to-https"
    configs:
      - source: dynamic.yml
        target: /etc/traefik/dynamic.yml
    environment:
      TRAEFIK_LOG_LEVEL: DEBUG
      TRAEFIK_ENTRYPOINTS_WEB: true
      TRAEFIK_ENTRYPOINTS_WEB_ADDRESS: ":80"
      TRAEFIK_ENTRYPOINTS_WEB_HTTP_REDIRECTIONS_ENTRYPOINT_TO: websecure
      TRAEFIK_ENTRYPOINTS_WEBSECURE: true
      TRAEFIK_ENTRYPOINTS_WEBSECURE_ADDRESS: ":443"
      TRAEFIK_ENTRYPOINTS_WEBSECURE_HTTP_TLS_CERTRESOLVER: letsencrypt
      #TRAEFIK_ENTRYPOINTS_WEBSECURE_HTTP_MIDDLEWARES: secureHeaders@file # if you want to enabled STS
      TRAEFIK_CERTIFICATESRESOLVERS_LETSENCRYPT: true
      TRAEFIK_CERTIFICATESRESOLVERS_LETSENCRYPT_ACME_EMAIL: # Set this to the email you want to receive certificate expiration emails for
      TRAEFIK_CERTIFICATESRESOLVERS_LETSENCRYPT_ACME_KEYTYPE: EC384
      TRAEFIK_CERTIFICATESRESOLVERS_LETSENCRYPT_ACME_HTTPCHALLENGE: true
      TRAEFIK_CERTIFICATESRESOLVERS_LETSENCRYPT_ACME_HTTPCHALLENGE_ENTRYPOINT: web
      TRAEFIK_CERTIFICATESRESOLVERS_LETSENCRYPT_ACME_STORAGE: "/etc/traefik/acme/acme.json"
      # Since Traefik 3.6.3, paths with certain "encoded characters" are now blocked by default; we need a couple, or else things *will* break
      TRAEFIK_ENTRYPOINTS_WEBSECURE_HTTP_ENCODEDCHARACTERS_ALLOWENCODEDSLASH: true
      TRAEFIK_ENTRYPOINTS_WEBSECURE_HTTP_ENCODEDCHARACTERS_ALLOWENCODEDHASH: true
      TRAEFIK_PROVIDERS_DOCKER: true
      TRAEFIK_PROVIDERS_DOCKER_ENDPOINT: "unix:///var/run/docker.sock"
      TRAEFIK_PROVIDERS_DOCKER_EXPOSEDBYDEFAULT: false
      TRAEFIK_PROVIDERS_FILE: true
      TRAEFIK_PROVIDERS_FILE_FILENAME: "/etc/traefik/dynamic.yml"
 configs:
  dynamic.yml:
    content: |
      # Optionally set STS headers, like in https://hstspreload.org
      # http:
      #   middlewares:
      #     secureHeaders:
      #       headers:
      #         forceSTSHeader: true
      #         stsIncludeSubdomains: true
      #         stsPreload: true
      #         stsSeconds: 31536000
      tls:
        options:
          default:
            cipherSuites:
              - TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
              - TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
              - TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
              - TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
              - TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305
              - TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305
            minVersion: VersionTLS12
 volumes:
    db:
    acme:
 networks:
    proxy:
 # vim: ts=2:sw=2:expandtab
--- a/docs/deploying/docker-compose.yml
+++ b/docs/deploying/docker-compose.yml
@@ -1,45 +0,0 @@
 # Continuwuity
 services:
    homeserver:
        ### If you already built the Continuwuity image with 'docker build' or want to use a registry image,
        ### then you are ready to go.
        image: forgejo.ellis.link/continuwuation/continuwuity:latest
        restart: unless-stopped
        command: /sbin/conduwuit
        ports:
            - 8448:6167
        volumes:
            - db:/var/lib/continuwuity
            #- ./continuwuity.toml:/etc/continuwuity.toml
        environment:
            CONTINUWUITY_SERVER_NAME: your.server.name # EDIT THIS
            CONTINUWUITY_DATABASE_PATH: /var/lib/continuwuity
            CONTINUWUITY_PORT: 6167
            CONTINUWUITY_MAX_REQUEST_SIZE: 20000000 # in bytes, ~20 MB
            CONTINUWUITY_ALLOW_REGISTRATION: 'true'
            CONTINUWUITY_REGISTRATION_TOKEN: 'YOUR_TOKEN' # A registration token is required when registration is allowed.
            #CONTINUWUITY_YES_I_AM_VERY_VERY_SURE_I_WANT_AN_OPEN_REGISTRATION_SERVER_PRONE_TO_ABUSE: 'true'
            CONTINUWUITY_ALLOW_FEDERATION: 'true'
            CONTINUWUITY_ALLOW_CHECK_FOR_UPDATES: 'true'
            CONTINUWUITY_TRUSTED_SERVERS: '["matrix.org"]'
            #CONTINUWUITY_LOG: warn,state_res=warn
            CONTINUWUITY_ADDRESS: 0.0.0.0
            #CONTINUWUITY_CONFIG: '/etc/continuwuity.toml' # Uncomment if you mapped config toml above
    #
    ### Uncomment if you want to use your own Element-Web App.
    ### Note: You need to provide a config.json for Element and you also need a second
    ###       Domain or Subdomain for the communication between Element and Continuwuity
    ### Config-Docs: https://github.com/vector-im/element-web/blob/develop/docs/config.md
    # element-web:
    #     image: vectorim/element-web:latest
    #     restart: unless-stopped
    #     ports:
    #         - 8009:80
    #     volumes:
    #         - ./element_config.json:/app/config.json
    #     depends_on:
    #         - homeserver
 volumes:
    db:
--- a/docs/deploying/docker.mdx
+++ b/docs/deploying/docker.mdx
@@ -1,257 +1,272 @@
 # Continuwuity for Docker
-## Docker
+## Preparation
-To run Continuwuity with Docker, you can either build the image yourself or pull
+### Choose an image
 it from a registry.
-### Use a registry
+The following OCI images are available for Continuwuity:
-Available OCI images:
+| Image                                                                                        | Notes                                                                                                     |
 | ------------------------------------------------------------------------------------------- | --------------------------------------------------------------------------------------------------------- |
 | [https://forgejo.ellis.link/continuwuation/continuwuity:**latest**][latest]                 | Latest tagged release. (recommended)                                                                      |
 | [https://forgejo.ellis.link/continuwuation/continuwuity:**main**][main]                     | Latest `main` branch commit.                                                                              |
 | [https://forgejo.ellis.link/continuwuation/continuwuity:**latest-maxperf**][latest-maxperf] | Latest tagged release, [performance optimised version](./generic.mdx#performance-optimised-builds).       |
 | [https://forgejo.ellis.link/continuwuation/continuwuity:**main-maxperf**][main-maxperf]     | Latest `main` branch commit, [performance optimised version](./generic.mdx#performance-optimised-builds). |
-| Registry         | Image                                                                                                                                                       | Notes                                                                        |
+[latest]: https://forgejo.ellis.link/continuwuation/-/packages/container/continuwuity/latest
-| ---------------- | ----------------------------------------------------------------------------------------------------------------------------------------------------------- | ---------------------------------------------------------------------------- |
+[main]: https://forgejo.ellis.link/continuwuation/-/packages/container/continuwuity/main
-| Forgejo Registry | [forgejo.ellis.link/continuwuation/continuwuity:latest](https://forgejo.ellis.link/continuwuation/-/packages/container/continuwuity/latest)                 | Latest tagged image.                                                         |
+[latest-maxperf]: https://forgejo.ellis.link/continuwuation/-/packages/container/continuwuity/latest-maxperf
-| Forgejo Registry | [forgejo.ellis.link/continuwuation/continuwuity:main](https://forgejo.ellis.link/continuwuation/-/packages/container/continuwuity/main)                     | Main branch image.                                                           |
+[main-maxperf]: https://forgejo.ellis.link/continuwuation/-/packages/container/continuwuity/main-maxperf
 | Forgejo Registry | [forgejo.ellis.link/continuwuation/continuwuity:latest-maxperf](https://forgejo.ellis.link/continuwuation/-/packages/container/continuwuity/latest-maxperf) | [Performance optimised version.](./generic.mdx#performance-optimised-builds) |
 | Forgejo Registry | [forgejo.ellis.link/continuwuation/continuwuity:main-maxperf](https://forgejo.ellis.link/continuwuation/-/packages/container/continuwuity/main-maxperf)     | [Performance optimised version.](./generic.mdx#performance-optimised-builds) |
-**Example:**
+If you want a specific version or commit hash, you can browse for them [here][oci-all-versions].
-```bash
+Images are also mirrored to these locations automatically, on a schedule:
 docker image pull forgejo.ellis.link/continuwuation/continuwuity:main-maxperf
 ```
-#### Mirrors
+- `ghcr.io/continuwuity/continuwuity` ([Github Registry][ghcr-io])
 - `docker.io/jadedblueeyes/continuwuity` ([Docker Hub][docker-hub])
 - `registry.gitlab.com/continuwuity/continuwuity` ([Gitlab Registry][gitlab-registry])
 - `git.nexy7574.co.uk/mirrored/continuwuity` ([Nexy's forge][nexy-forge]. Releases only, no `main` tags)
-Images are mirrored to multiple locations automatically, on a schedule:
+[oci-all-versions]: https://forgejo.ellis.link/continuwuation/-/packages/container/continuwuity/versions
 [ghcr-io]: https://github.com/continuwuity/continuwuity/pkgs/container/continuwuity/versions?filters%5Bversion_type%5D=tagged
 [docker-hub]: https://hub.docker.com/r/jadedblueeyes/continuwuity/
 [gitlab-registry]: https://gitlab.com/continuwuity/continuwuity/container_registry/8871720
 [nexy-forge]: https://git.nexy7574.co.uk/mirrored/-/packages/container/continuwuity/versions
- `ghcr.io/continuwuity/continuwuity`
+### Prerequisites
 - `docker.io/jadedblueeyes/continuwuity`
 - `registry.gitlab.com/continuwuity/continuwuity`
 - `git.nexy7574.co.uk/mirrored/continuwuity` (releases only, no `main`)
 ### Quick Run
 Get a working Continuwuity server with an admin user in four steps:
 #### Prerequisites
 Continuwuity requires HTTPS for Matrix federation. You'll need:
- A domain name pointing to your server
+- A domain name pointing to your server's IP address - we will be using `example.com` in this guide.
- A reverse proxy with SSL/TLS certificates (Traefik, Caddy, nginx, etc.)
+- A reverse proxy with SSL/TLS certificates (Traefik, Caddy, nginx, etc.) - see [Docker Compose](#docker-compose) for complete examples.
 - Port `:443` (for Client-Server traffic) and `:8448` (for federation traffic) opened on your server's firewall.
-See [Docker Compose](#docker-compose) for complete examples.
+    - Alternatively, if you want both client and federation traffic on `:443`, you can configure `CONTINUWUITY_WELL_KNOWN` following some of the [examples](#choose-your-reverse-proxy) below.
-#### Environment Variables
+:::tip Split-domain setups
-
+For more setups with `.well-known` delegation and split-domain deployments, consult the [Delegation/Split-domain](../advanced/delegation) page.
 - `CONTINUWUITY_SERVER_NAME` - Your Matrix server's domain name
 - `CONTINUWUITY_DATABASE_PATH` - Where to store your database (must match the
  volume mount)
 - `CONTINUWUITY_ADDRESS` - Bind address (use `0.0.0.0` to listen on all
  interfaces)
 - `CONTINUWUITY_ALLOW_REGISTRATION` - Set to `false` to disable registration, or
  use with `CONTINUWUITY_REGISTRATION_TOKEN` to require a token (see
  [reference](../reference/environment-variables.mdx#registration--user-configuration)
  for details)
 See the
 [Environment Variables Reference](../reference/environment-variables.mdx) for
 more configuration options.
 #### 1. Pull the image
 ```bash
 docker pull forgejo.ellis.link/continuwuation/continuwuity:latest
 ```
 #### 2. Start the server with initial admin user
 ```bash
 docker run -d \
  -p 6167:6167 \
  -v continuwuity_db:/var/lib/continuwuity \
  -e CONTINUWUITY_SERVER_NAME="matrix.example.com" \
  -e CONTINUWUITY_DATABASE_PATH="/var/lib/continuwuity" \
  -e CONTINUWUITY_ADDRESS="0.0.0.0" \
  -e CONTINUWUITY_ALLOW_REGISTRATION="false" \
  --name continuwuity \
  forgejo.ellis.link/continuwuation/continuwuity:latest \
  /sbin/conduwuit --execute "users create-user admin"
 ```
 Replace `matrix.example.com` with your actual server name and `admin` with
 your preferred username.
 #### 3. Get your admin password
 ```bash
 docker logs continuwuity 2>&1 | grep "Created user"
 ```
 You'll see output like:
 ```
 Created user with user_id: @admin:matrix.example.com and password: `[auto-generated-password]`
 ```
 #### 4. Configure your reverse proxy
 Configure your reverse proxy to forward HTTPS traffic to Continuwuity. See
 [Docker Compose](#docker-compose) for examples.
 Once configured, log in with any Matrix client using `@admin:matrix.example.com`
 and the generated password. You'll automatically be invited to the admin room
 where you can manage your server.
 ### Docker Compose
 Docker Compose is the recommended deployment method. These examples include
 reverse proxy configurations for Matrix federation.
 #### Matrix Federation Requirements
 For Matrix federation to work, you need to serve `.well-known/matrix/client` and
 `.well-known/matrix/server` endpoints. You can achieve this either by:
 1. **Using a well-known service** - The compose files below include an nginx
   container to serve these files
 2. **Using Continuwuity's built-in delegation** (easier for Traefik) - Configure
   delegation files in your config, then proxy `/.well-known/matrix/*` to
   Continuwuity
 **Traefik example using built-in delegation:**
 ```yaml
 labels:
  traefik.http.routers.continuwuity.rule: >-
    (Host(`matrix.example.com`) ||
     (Host(`example.com`) && PathPrefix(`/.well-known/matrix`)))
 ```
 This routes your Matrix domain and well-known paths to Continuwuity.
 #### Creating Your First Admin User
 Add the `--execute` command to create an admin user on first startup. In your
 compose file, add under the `continuwuity` service:
 ```yaml
 services:
    continuwuity:
        image: forgejo.ellis.link/continuwuation/continuwuity:latest
        command: /sbin/conduwuit --execute "users create-user admin"
        # ... rest of configuration
 ```
 Then retrieve the auto-generated password:
 ```bash
 docker compose logs continuwuity | grep "Created user"
 ```
 #### Choose Your Reverse Proxy
 Select the compose file that matches your setup:
 :::note DNS Performance
 Docker's default DNS resolver can cause performance issues with Matrix
 federation. If you experience slow federation or DNS timeouts, you may need to
 use your host's DNS resolver instead. Add this volume mount to the
 `continuwuity` service:
 ```yaml
 volumes:
  - /etc/resolv.conf:/etc/resolv.conf:ro
 ```
 See [Troubleshooting - DNS Issues](../troubleshooting.mdx#potential-dns-issues-when-using-docker)
 for more details and alternative solutions.
 :::
-##### For existing Traefik setup
+## Docker Compose
 Docker Compose is the recommended deployment method for Continuwuity containers. The following environment variables will be set:
 - `CONTINUWUITY_SERVER_NAME` - Your Matrix server's domain name. **This CANNOT be changed later without a data wipe.**
 - `CONTINUWUITY_DATABASE_PATH` - Where to store your database. This must match the docker volume mount.
 - `CONTINUWUITY_ADDRESS` - Bind address (for Docker, use `0.0.0.0` to listen on all interfaces).
 Alternatively, you can specify a path to mount the configuration file using the `CONTINUWUITY_CONFIG` environment variable.
 See the [reference configuration](../reference/config) page for all config options, and the [Configuration page](../configuration#environment-variables) on how to convert them into Environment Variables.
 ### Choose Your Reverse Proxy
 These examples include reverse proxy configurations for Matrix federation, which will route your Matrix domain (and optionally .well-known paths) to Continuwuity.
 :::note Docker DNS Performance
 Docker's default DNS resolver are known to [cause timeout issues](../troubleshooting#dns-issues) for Matrix federation. To bypass it and use a more performant resolver, mount a custom `/etc/resolv.conf` config file into the Continuwuity container.
 ```yaml title='docker-compose.yml'
 services:
  homeserver:
    # ...
    volumes:
      - ./continuwuity-resolv.conf:/etc/resolv.conf
 ```
 ```txt title='continuwuity-resolv.conf'
 nameserver 1.0.0.1
 nameserver 1.1.1.1
 ```
 Consult the [**DNS tuning guide (recommended)**](../advanced/dns.mdx) for full solutions to this issue.
 :::
 #### Caddy (using Caddyfile)
 <details>
-<summary>docker-compose.for-traefik.yml</summary>
+<summary>docker-compose.with-caddy.yml ([view raw](/deploying/docker-compose.with-caddy.yml))</summary>
-```yaml file="./docker-compose.for-traefik.yml"
+```yaml file="../public/deploying/docker-compose.with-caddy.yml"
 ```
 </details>
-##### With Traefik included
+#### Caddy (using labels)
 <details>
-<summary>docker-compose.with-traefik.yml</summary>
+<summary>docker-compose.with-caddy-labels.yml ([view raw](/deploying/docker-compose.with-caddy-labels.yml))</summary>
-```yaml file="./docker-compose.with-traefik.yml"
+```yaml file="../public/deploying/docker-compose.with-caddy-labels.yml"
 ```
 </details>
-##### With Caddy Docker Proxy
+#### Traefik (for existing setup)
 <details>
-<summary>docker-compose.with-caddy.yml</summary>
+<summary>docker-compose.for-traefik.yml ([view raw](/deploying/docker-compose.for-traefik.yml))</summary>
-Replace all `example.com` placeholders with your own domain.
+```yaml file="../public/deploying/docker-compose.for-traefik.yml"
 ```yaml file="./docker-compose.with-caddy.yml"
 ```
 If you don't already have a network for Caddy to monitor, create one first:
 ```bash
 docker network create caddy
 ```
 </details>
 ##### For other reverse proxies
 <details>
 <summary>docker-compose.yml</summary>
 ```yaml file="./docker-compose.yml"
 ```
 </details>
-##### Override file for customisation
+#### Traefik included
 <details>
-<summary>docker-compose.override.yml</summary>
+<summary>docker-compose.with-traefik.yml ([view raw](/deploying/docker-compose.with-traefik.yml))</summary>
-```yaml file="./docker-compose.override.yml"
+```yaml file="../public/deploying/docker-compose.with-traefik.yml"
 ```
 </details>
-#### Starting Your Server
+#### Traefik (as override file)
-1. Choose your compose file and rename it to `docker-compose.yml`
+<details>
 <summary>docker-compose.override.yml ([view raw](/deploying/docker-compose.override.yml))</summary>
 ```yaml file="../public/deploying/docker-compose.override.yml"
 ```
 </details>
 #### For other reverse proxies
 <details>
 <summary>docker-compose.yml ([view raw](/deploying/docker-compose.yml))</summary>
 ```yaml file="../public/deploying/docker-compose.yml"
 ```
 </details>
 See the [Other reverse proxies](generic.mdx#setting-up-the-reverse-proxy) section of the Generic page for further routing details.
 ### Starting Your Server
 1. Choose your compose file from the above, and rename it to `docker-compose.yml`. Replace `example.com` with your homeserver's domain name, and edit other values as you see fit.
 2. If using the override file, rename it to `docker-compose.override.yml` and
-   edit your values
+   edit your values.
 3. Start the server:
-```bash
+    ```bash
-docker compose up -d
+    docker compose up -d
-```
+    ```
 4. Check your server logs for a registration token:
    ```bash
    docker-compose logs continuwuity 2>&1
    ```
    You'll see output as below.
    ```
    In order to use your new homeserver, you need to create its
    first user account.
    Open your Matrix client of choice and register an account
    on example.com using registration token x5keUZ811RqvLsNa .
    Pick your own username and password!
    ```
 5. Log in to your server with any Matrix client, and register for an account with the registration token from step 4. You'll automatically be invited to the admin room where you can [manage your server](../reference/admin).
 See the [generic deployment guide](generic.mdx) for more deployment options.
-### Building Custom Images
+## Testing
 Test that your setup works by following these [instructions](./generic.mdx#how-do-i-know-it-works)
 ## Other deployment methods
 ### Docker - Quick Run
 :::note For testing only
 The instructions below are only meant for a quick demo of Continuwuity.
 For production deployment, we recommend using [Docker Compose](#docker-compose)
 :::
 Get a working Continuwuity server with an admin user in four steps:
 1. Pull the image
    ```bash
    docker pull forgejo.ellis.link/continuwuation/continuwuity:latest
    ```
 2. Start the server for the first time. Replace `example.com` with your actual server name.
    ```bash
    docker run -d \
      -p 8008:8008 \
      -v continuwuity_db:/var/lib/continuwuity \
      -e CONTINUWUITY_SERVER_NAME="example.com" \
      -e CONTINUWUITY_DATABASE_PATH="/var/lib/continuwuity" \
      -e CONTINUWUITY_ADDRESS="0.0.0.0" \
      -e CONTINUWUITY_ALLOW_REGISTRATION="false" \
      --name continuwuity \
      forgejo.ellis.link/continuwuation/continuwuity:latest \
      /sbin/conduwuit
    ```
 3. Fetch the one-time initial registration token
    ```bash
    docker logs continuwuity 2>&1
    ```
    You'll see output as below.
    ```
    In order to use your new homeserver, you need to create its
    first user account.
    Open your Matrix client of choice and register an account
    on example.com using registration token x5keUZ811RqvLsNa .
    Pick your own username and password!
    ```
 4. Configure your reverse proxy to forward HTTPS traffic to Continuwuity at port 8008. See [Docker Compose](#docker-compose) for examples.
 Once configured, log in to your server with any Matrix client, and register for an account with the registration token from step 3. You'll automatically be invited to the admin room where you can [manage your server](../reference/admin).
 ### (Optional) Building Custom Images
 For information on building your own Continuwuity Docker images, see the
 [Building Docker Images](../development/index.mdx#building-docker-images)
 section in the development documentation.
-## Voice communication
+### Accessing the Server's Console
-See the [Calls](../calls.mdx) page.
+Before you can access the server's console and [send admin commands](../reference/admin/index.md) from the CLI, you will need to make the container interactive and allocate a pseudo-tty. Make sure you set `admin_console_automatic` to `true` in [the config](../reference/config.mdx) as well for Continuwuity to activate the CLI on startup.
 For Docker Compose deployments this means adding `stdin_open: true` and `tty: true` to the container's declaration:
 ```yaml
 services:
    homeserver:
        stdin_open: true
        tty: true
        # ...
 ```
 If you choose to deploy via `docker run`, add the flags `-i`/`--interactive` and `-t`/`--tty` to the command.
 From there you can access the server's console by running `docker attach <container-name>`, which will show the server's prompt `uwu> `. To exit `docker attach`, press `CTRL+p` then `CTRL+q`.
 Note that using `CTRL+c` within `docker attach`'s context will forward the signal to the server, stopping it. See [Docker's reference][docker-attach-reference] for more information.
 [docker-attach-reference]: https://docs.docker.com/reference/cli/docker/container/attach/
 ## Next steps
 - For smooth federation, set up a caching resolver according to the [**DNS tuning guide**](../advanced/dns.mdx) (recommended)
 - To set up Audio/Video communication, see the [**Calls**](../calls.mdx) page.
 - If you want to set up an appservice, take a look at the [**Appservice Guide**](../appservices.mdx).
--- a/docs/deploying/generic.mdx
+++ b/docs/deploying/generic.mdx
@@ -1,10 +1,12 @@
 # Generic deployment documentation
-> ### Getting help
+:::tip Getting help
->
+If you run into any problems while setting up Continuwuity, ask us in
-> If you run into any problems while setting up Continuwuity, ask us in
+`#continuwuity:continuwuity.org` or [open an issue on
-> `#continuwuity:continuwuity.org` or [open an issue on
+Forgejo][forgejo-new-issue].
-> Forgejo](https://forgejo.ellis.link/continuwuation/continuwuity/issues/new).
+:::
 [forgejo-new-issue]: https://forgejo.ellis.link/continuwuation/continuwuity/issues/new
 ## Installing Continuwuity
@@ -14,17 +16,17 @@ ### Prebuilt binary
 run the `uname -m` to check which you need.
 Prebuilt binaries are available from:
 - **Tagged releases**: [Latest release page](https://forgejo.ellis.link/continuwuation/continuwuity/releases/latest)
 - **Development builds**: CI artifacts from the `main` branch
  (includes Debian/Ubuntu packages)
-When browsing CI artifacts, `ci-bins` contains binaries organised
+- **Tagged releases**: [see Release page][release-page]
-by commit hash, while `releases` contains tagged versions. Sort
+- **Development builds**: CI artifacts from the `main` branch,
-by last modified date to find the most recent builds.
+  [see `release-image.yml` for details][release-image]
 The binaries require jemalloc and io_uring on the host system. Currently
 we can't cross-build static binaries - contributions are welcome here.
 [release-page]: https://forgejo.ellis.link/continuwuation/continuwuity/releases/
 [release-image]: https://forgejo.ellis.link/continuwuation/continuwuity/actions/?workflow=release-image.yml
 #### Performance-optimised builds
 For x86_64 systems with CPUs from the last ~15 years, use the
@@ -37,37 +39,43 @@ #### Performance-optimised builds
 If you're using Docker instead, equivalent performance-optimised
 images are available with the `-maxperf` suffix (e.g.
 `forgejo.ellis.link/continuwuation/continuwuity:latest-maxperf`).
-These images use the `release-max-perf`
+These images use the `release-max-perf` build profile with
-build profile with
+[link-time optimisation (LTO)][lto-rust-docs]
 [link-time optimisation (LTO)](https://doc.rust-lang.org/cargo/reference/profiles.html#lto)
 and, for amd64, target the haswell CPU architecture.
 [lto-rust-docs]: https://doc.rust-lang.org/cargo/reference/profiles.html#lto
 ### Nix
 Theres a Nix package defined in our flake, available for Linux and MacOS. Add continuwuity as an input to your flake, and use `inputs.continuwuity.packages.${system}.default` to get a working Continuwuity package.
 If you simply wish to generate a binary using Nix, you can run `nix build git+https://forgejo.ellis.link/continuwuation/continuwuity` to generate a binary in `result/bin/conduwuit`.
 ### Compiling
 Alternatively, you may compile the binary yourself.
-### Building with the Rust toolchain
+#### Using Docker
-If wanting to build using standard Rust toolchains, make sure you install:
+See the [Building Docker Images](../development/index.mdx#building-docker-images)
 section in the development documentation.
- (On linux) `liburing-dev` on the compiling machine, and `liburing` on the target host
+#### Manual
 - (On linux) `pkg-config` on the compiling machine to allow finding `liburing`
 - A C++ compiler and (on linux) `libclang` for RocksDB
-You can build Continuwuity using `cargo build --release`.
+##### Dependencies
 - Run `nix develop` to get a devshell with everything you need
 - Or, install the following:
    - (On linux) `liburing-dev` on the compiling machine, and `liburing` on the target host
    - (On linux) `pkg-config` on the compiling machine to allow finding `liburing`
    - A C++ compiler and (on linux) `libclang` for RocksDB
 ##### Build
 You can now build Continuwuity using `cargo build --release`.
 Continuwuity supports various optional features that can be enabled during compilation. Please see the Cargo.toml file for a comprehensive list, or ask in our rooms.
 ### Building with Nix
 If you prefer, you can use Nix (or [Lix](https://lix.systems)) to build Continuwuity. This provides improved reproducibility and makes it easy to set up a build environment and generate output. This approach also allows for easy cross-compilation.
 You can run the `nix build -L .#static-x86_64-linux-musl-all-features` or
 `nix build -L .#static-aarch64-linux-musl-all-features` commands based
 on architecture to cross-compile the necessary static binary located at
 `result/bin/conduwuit`. This is reproducible with the static binaries produced
 in our CI.
 ## Adding a Continuwuity user
 While Continuwuity can run as any user, it is better to use dedicated users for
@@ -86,27 +94,6 @@ ## Adding a Continuwuity user
 sudo useradd -r --shell /usr/bin/nologin --no-create-home continuwuity
 ```
 ## Forwarding ports in the firewall or the router
 Matrix's default federation port is 8448, and clients must use port 443.
 If you would like to use only port 443 or a different port, you will need to set up
 delegation. Continuwuity has configuration options for delegation, or you can configure
 your reverse proxy to manually serve the necessary JSON files for delegation
 (see the `[global.well_known]` config section).
 If Continuwuity runs behind a router or in a container and has a different public
 IP address than the host system, you need to forward these public ports directly
 or indirectly to the port mentioned in the configuration.
 Note for NAT users: if you have trouble connecting to your server from inside
 your network, check if your router supports "NAT
 hairpinning" or "NAT loopback".
 If your router does not support this feature, you need to research doing local
 DNS overrides and force your Matrix DNS records to use your local IP internally.
 This can be done at the host level using `/etc/hosts`. If you need this to be
 on the network level, consider something like NextDNS or Pi-Hole.
 ## Setting up a systemd service
 You can find an example unit for continuwuity below.
@@ -118,7 +105,7 @@ ## Setting up a systemd service
 `/etc/rsyslog.conf` to allow color in logs.
 If you are using a different `database_path` than the systemd unit's
-configured default `/var/lib/conduwuit`, you need to add your path to the
+configured default (`/var/lib/conduwuit`), you need to add your path to the
 systemd unit's `ReadWritePaths=`. You can do this by either directly editing
 `conduwuit.service` and reloading systemd, or by running `systemctl edit conduwuit.service`
 and entering the following:
@@ -128,20 +115,20 @@ ## Setting up a systemd service
 ReadWritePaths=/path/to/custom/database/path
 ```
 ### Example systemd Unit File
 <details>
 <summary>Click to expand systemd unit file (conduwuit.service)</summary>
 ```ini file="../../pkg/conduwuit.service"
 ```
 </details>
-You can also [view the file on Foregejo](https://forgejo.ellis.link/continuwuation/continuwuity/src/branch/main/pkg/conduwuit.service).
+You can also [view the file on Foregejo][systemd-file].
 [systemd-file]: https://forgejo.ellis.link/continuwuation/continuwuity/src/branch/main/pkg/conduwuit.service
 ## Creating the Continuwuity configuration file
@@ -152,9 +139,7 @@ ## Creating the Continuwuity configuration file
 **Please take a moment to read the config. You need to change at least the
 server name.**
-RocksDB is the only supported database backend.
+### Setting the correct file permissions
 ## Setting the correct file permissions
 If you are using a dedicated user for Continuwuity, you need to allow it to
 read the configuration. To do this, run:
@@ -172,22 +157,29 @@ ## Setting the correct file permissions
 sudo chmod 700 /var/lib/conduwuit/
 ```
-## Setting up the Reverse Proxy
+## Exposing ports in the firewall or the router
-We recommend Caddy as a reverse proxy because it is trivial to use and handles TLS certificates, reverse proxy headers, etc. transparently with proper defaults.
+Matrix's default federation port is **:8448**, and clients use port **:443**. You will need to
-For other software, please refer to their respective documentation or online guides.
+expose these ports on your firewall or router. If you use UFW, the commands to allow them
 are: `ufw allow 8448/tcp` and `ufw allow 443/tcp`.
 :::tip Alternative port/domain setups
 If you would like to use only port 443, a different port, or a subdomain for the homeserver, you will need to set up `.well-known` delegation. Consult the `[global.well_known]` section of the config file, and the [**Delegation/Split-domain**](../advanced/delegation) page to learn more about these kinds of deployments.
 :::
 ## Setting up the Reverse Proxy
 ### Caddy
-After installing Caddy via your preferred method, create `/etc/caddy/conf.d/conduwuit_caddyfile`
+Caddy is the recommended reverse proxy as it is easy to use, has good defaults,
-and enter the following (substitute your actual server name):
+and handle TLS certificates automatically. After installing Caddy via your preferred
 method, create `/etc/caddy/conf.d/conduwuit_caddyfile` and enter the following
 (substitute `example.com` with your actual server name):
 ```
-your.server.name, your.server.name:8448 {
+example.com, example.com:8448 {
    # TCP reverse_proxy
-    reverse_proxy 127.0.0.1:6167
+    reverse_proxy 127.0.0.1:8008
    # UNIX socket
    #reverse_proxy unix//run/conduwuit/conduwuit.sock
 }
 ```
@@ -199,46 +191,45 @@ ### Caddy
 ### Other Reverse Proxies
-As we prefer our users to use Caddy, we do not provide configuration files for other proxies.
+Normally, your reverse proxy should route everything from port :8448 and :443 back to Continuwuity.
-You will need to reverse proxy everything under the following routes:
+For more granular controls, you will need to proxy everything under these following routes:
- `/_matrix/` - core Matrix C-S and S-S APIs
+
- `/_conduwuit/` and/or `/_continuwuity/` - ad-hoc Continuwuity routes such as `/local_user_count` and
+- `/_matrix/` - core Matrix APIs, which includes:
-`/server_version`
+
  - `/_matrix/federation` and `/_matrix/key` - core Server-Server APIs. These should be available on port :8448
  - `/_matrix/client` - core Client-Server APIs. These should be available on port :443
 - `/_conduwuit/` and `/_continuwuity/` - ad-hoc Continuwuity routes for password resets, email verification, and server details such as `/local_user_count` and `/server_version`.
 You can optionally reverse proxy the following individual routes:
 - `/.well-known/matrix/client` and `/.well-known/matrix/server` if using
-Continuwuity to perform delegation (see the `[global.well_known]` config section)
+  Continuwuity to perform delegation (see the `[global.well_known]` config section)
 - `/.well-known/matrix/support` if using Continuwuity to send the homeserver admin
-contact and support page (formerly known as MSC1929)
+  [contact and support page][well-known-support]
- `/` if you would like to see `hewwo from conduwuit woof!` at the root
+- `/` and `/_continuwuity/logo.svg` if you would like to see the Continuwuity landing page
-See the following spec pages for more details on these files:
+Refer to the respective software's documentation and online guides on how to do so.
 - [`/.well-known/matrix/server`](https://spec.matrix.org/latest/client-server-api/#getwell-knownmatrixserver)
 - [`/.well-known/matrix/client`](https://spec.matrix.org/latest/client-server-api/#getwell-knownmatrixclient)
 - [`/.well-known/matrix/support`](https://spec.matrix.org/latest/client-server-api/#getwell-knownmatrixsupport)
-Examples of delegation:
+[well-known-support]: https://spec.matrix.org/v1.18/client-server-api/#getwell-knownmatrixsupport
 - https://continuwuity.org/.well-known/matrix/server
 - https://continuwuity.org/.well-known/matrix/client
 - https://ellis.link/.well-known/matrix/server
 - https://ellis.link/.well-known/matrix/client
-For Apache and Nginx there are many examples available online.
+#### Caveats for specific reverse proxies
-Lighttpd is not supported as it appears to interfere with the `X-Matrix` Authorization
+- Lighttpd is not supported as it appears to interfere with the `X-Matrix` Authorization
 header, making federation non-functional. If you find a workaround, please share it so we can add it to this documentation.
-If using Apache, you need to use `nocanon` in your `ProxyPass` directive to prevent httpd from interfering with the `X-Matrix` header (note that Apache is not ideal as a general reverse proxy, so we discourage using it if alternatives are available).
+- If using Apache, you need to use `nocanon` in your `ProxyPass` directive to prevent httpd from interfering with the `X-Matrix` header (note that Apache is not ideal as a general reverse proxy, so we discourage using it if alternatives are available).
-If using Nginx, you need to pass the request URI to Continuwuity using `$request_uri`, like this:
+- If using Nginx, you need to pass the request URI to Continuwuity using `$request_uri`, like this:
 - `proxy_pass http://127.0.0.1:6167$request_uri;`
 - `proxy_pass http://127.0.0.1:6167;`
-Nginx users need to increase the `client_max_body_size` setting (default is 1M) to match the
+    - `proxy_pass http://127.0.0.1:6167$request_uri;`
-`max_request_size` defined in conduwuit.toml.
+    - `proxy_pass http://127.0.0.1:6167;`
-## You're done
+    Furthermore, Nginx users need to increase the `client_max_body_size` setting (default is 1M) to match the `max_request_size` defined in conduwuit.toml.
 ## Starting Your Server
 Now you can start Continuwuity with:
@@ -252,36 +243,53 @@ ## You're done
 sudo systemctl enable conduwuit
 ```
-## How do I know it works?
+Check Continuwuity logs with the following command:
 You can open [a Matrix client](https://matrix.org/ecosystem/clients), enter your
 homeserver address, and try to register.
 You can also use these commands as a quick health check (replace
 `your.server.name`).
 ```bash
-curl https://your.server.name/_conduwuit/server_version
+sudo journalctl -u conduwuit.service
 # If using port 8448
 curl https://your.server.name:8448/_conduwuit/server_version
 # If federation is enabled
 curl https://your.server.name:8448/_matrix/federation/v1/version
 ```
- To check if your server can communicate with other homeservers, use the
+If Continuwuity has successfully initialized, you'll see output as below.
 ```
 In order to use your new homeserver, you need to create its
 first user account.
 Open your Matrix client of choice and register an account
 on example.com using registration token x5keUZ811RqvLsNa .
 Pick your own username and password!
 ```
 You can then open [a Matrix client][matrix-clients],
 enter your homeserver address, and try to register with the provided token.
 By default, the first user is the instance's first admin. They will be added
 to the `#admin:example.com` room and be able to [issue admin commands](../reference/admin/index.md).
 [matrix-clients]: https://matrix.org/ecosystem/clients
 ## How do I know it works?
 To check if your server can communicate with other homeservers, use the
 [Matrix Federation Tester](https://federationtester.mtrnord.blog/). If you can
-register but cannot join federated rooms, check your configuration and verify
+register your account but cannot join federated rooms, check your configuration
-that port 8448 is open and forwarded correctly.
+and verify that your federation endpoints are opened and forwarded correctly.
-# What's next?
+As a quick health check, you can also use these cURL commands:
-## Audio/Video calls
+```bash
 curl https://example.com/_conduwuit/server_version
-For Audio/Video call functionality see the [Calls](../calls.md) page.
+# If using port 8448
 curl https://example.com:8448/_conduwuit/server_version
-## Appservices
+# If federation is enabled
 curl https://example.com:8448/_matrix/federation/v1/version
-If you want to set up an appservice, take a look at the [Appservice
+# For client-server endpoints
-Guide](../appservices.md).
+curl https://example.com/_matrix/client/versions
 ```
 ## What's next?
 - For smooth federation, set up a caching resolver according to the [**DNS tuning guide**](../advanced/dns.mdx) (recommended)
 - For Audio/Video call functionality see the [**Calls**](../calls.md) page.
 - If you want to set up an appservice, take a look at the [**Appservice Guide**](../appservices.md).
--- a/docs/deploying/nixos.mdx
+++ b/docs/deploying/nixos.mdx
@@ -1,40 +1,40 @@
 # Continuwuity for NixOS
-NixOS packages Continuwuity as `matrix-continuwuity`. This package includes both the Continuwuity software and a dedicated NixOS module for configuration and deployment.
+## Nix package
-## Installation methods
+You can get a Nix package for Continuwuity from the following sources:
-You can acquire Continuwuity with Nix (or [Lix][lix]) from these sources:
+- Directly from Nixpkgs: `pkgs.matrix-continuwuity`
 - Or, using `continuwuity.packages.${system}.default` from:
    - The `flake.nix` at the root of the Continuwuity repo, by adding Continuwuity to your flake inputs:
-* Directly from Nixpkgs using the official package (`pkgs.matrix-continuwuity`)
+    ```nix
-* The `flake.nix` at the root of the Continuwuity repo
+    inputs.continuwuity.url = "git+https://forgejo.ellis.link/continuwuation/continuwuity";
-* The `default.nix` at the root of the Continuwuity repo
+    ```
    - The `default.nix` at the root of the Continuwuity repo
 ## NixOS module
-Continuwuity now has an official NixOS module that simplifies configuration and deployment. The module is available in Nixpkgs as `services.matrix-continuwuity` from NixOS 25.05.
+Continuwuity has an official NixOS module that simplifies configuration and deployment. The module is available in Nixpkgs as `services.matrix-continuwuity`.
 Here's a basic example of how to use the module:
 ```nix
-{ config, pkgs, ... }:
+services.matrix-continuwuity = {
  enable = true;
  settings = {
    global = {
      server_name = "example.com";
-{
+      # Continuwuity listens on localhost by default,
-  services.matrix-continuwuity = {
+      # address and port are handled automatically
-    enable = true;
+
-    settings = {
+      # You can add any further configuration here, e.g.
-      global = {
+	  # trusted_servers = [ "matrix.org" ];
        server_name = "example.com";
        # Listening on localhost by default
        # address and port are handled automatically
        allow_registration = false;
        allow_encryption = true;
        allow_federation = true;
        trusted_servers = [ "matrix.org" ];
      };
    };
  };
-}
+};
 ```
 ### Available options
@@ -45,86 +45,30 @@ ### Available options
 - `user`: The user to run Continuwuity as (defaults to "continuwuity")
 - `group`: The group to run Continuwuity as (defaults to "continuwuity")
 - `extraEnvironment`: Extra environment variables to pass to the Continuwuity server
- `package`: The Continuwuity package to use
+- `package`: The Continuwuity package to use, defaults to `pkgs.matrix-continuwuity`
- `settings`: The Continuwuity configuration (in TOML format)
+    - You may want to override this to be from our flake, for faster updates and unstable versions:
    ```nix
    package = inputs.continuwuity.packages.${pkgs.stdenv.hostPlatform.system}.default;
    ```
 - `admin.enable`: Whether to add the `conduwuit` binary to `PATH` for administration (enabled by default)
 - `settings`: The Continuwuity configuration
 Use the `settings` option to configure Continuwuity itself. See the [example configuration file](../reference/config.mdx) for all available options.
-### UNIX sockets
+Settings are automatically translated from Nix to TOML. For example, the following line of Nix:
 The NixOS module natively supports UNIX sockets through the `global.unix_socket_path` option. When using UNIX sockets, set `global.address` to `null`:
 ```nix
-services.matrix-continuwuity = {
+settings.global.well_known.client = "https://matrix.example.com";
  enable = true;
  settings = {
    global = {
      server_name = "example.com";
      address = null; # Must be null when using unix_socket_path
      unix_socket_path = "/run/continuwuity/continuwuity.sock";
      unix_socket_perms = 660; # Default permissions for the socket
      # ...
    };
  };
 };
 ```
-The module automatically sets the correct `RestrictAddressFamilies` in the systemd service configuration to allow access to UNIX sockets.
+Would become this equivalent TOML configuration:
-### RocksDB database
+```toml
-
+[global.well_known]
-Continuwuity exclusively uses RocksDB as its database backend. The system configures the database path automatically to `/var/lib/continuwuity/` and you cannot change it due to the service's reliance on systemd's StateDir.
+client = "https://matrix.example.com"
 If you're migrating from Conduit with SQLite, use this [tool to migrate a Conduit SQLite database to RocksDB](https://github.com/ShadowJonathan/conduit_toolbox/).
 ### jemalloc and hardened profile
 Continuwuity uses jemalloc by default. This may interfere with the [`hardened.nix` profile][hardened.nix] because it uses `scudo` by default. Either disable/hide `scudo` from Continuwuity or disable jemalloc like this:
 ```nix
 services.matrix-continuwuity = {
  enable = true;
  package = pkgs.matrix-continuwuity.override {
    enableJemalloc = false;
  };
  # ...
 };
 ```
 ## Upgrading from Conduit
 If you previously used Conduit with the `services.matrix-conduit` module:
 1. Ensure your Conduit uses the RocksDB backend, or migrate from SQLite using the [migration tool](https://github.com/ShadowJonathan/conduit_toolbox/)
 2. Switch to the new module by changing `services.matrix-conduit` to `services.matrix-continuwuity` in your configuration
 3. Update any custom configuration to match the new module's structure
 ## Reverse proxy configuration
-You'll need to set up a reverse proxy (like nginx or caddy) to expose Continuwuity to the internet. Configure your reverse proxy to forward requests to `/_matrix` on port 443 and 8448 to your Continuwuity instance.
+You'll need to set up a reverse proxy (like NGINX or Caddy) to expose Continuwuity to the internet. You can configure your reverse proxy using NixOS options (e.g. `services.caddy`).
-
+See the [reverse proxy setup guide](./generic.mdx#setting-up-the-reverse-proxy) for information on correct reverse proxy configuration.
 Here's an example nginx configuration:
 ```nginx
 server {
    listen 443 ssl;
    listen [::]:443 ssl;
    listen 8448 ssl;
    listen [::]:8448 ssl;
    server_name example.com;
    # SSL configuration here...
    location /_matrix/ {
        proxy_pass http://127.0.0.1:6167$request_uri;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
    }
 }
 ```
 [lix]: https://lix.systems/
 [hardened.nix]: https://github.com/NixOS/nixpkgs/blob/master/nixos/modules/profiles/hardened.nix
--- a/docs/deploying/nomad.mdx
+++ b/docs/deploying/nomad.mdx
@@ -0,0 +1,118 @@
 # Continuwuity for Nomad
 You can either pass the configuration as environment variables or mount a file containing the configuration from consul.
 This given configuration assumes that you have a traefik reverse proxy running.
 ## Persistence
 The database being a RockDB file, it is recommended to use a volume to persist the data.
 The example below uses a volume, you need to configure the CSI driver on your cluster.
 | Volume Name | Mount Path | Purpose |
 |-------------|------------|---------|
 | continuwuity-volume | `/var/lib/continuwuity` | Store the database |
 | continuwuity-media-volume | `/var/lib/continuwuity/media` | Store uploaded media |
 ## Configuration
 ### Using environment variables
 ```hcl
 job "continuwuity" {
  datacenters = ["dc1"]
  type      = "service"
  node_pool = "default"
  group "continuwuity" {
    count = 1
    network {
      port "http" {
        static = 6167
      }
    }
    service {
      name = "continuwuity"
      port = "http"
      tags = [
        "traefik.enable=true",
        "traefik.http.routers.continuwuity.rule=(Host(`matrix.example.com`) || (Host(`example.com`) && PathPrefix(`/.well-known/matrix`)))",
        "traefik.http.routers.continuwuity.entrypoints=https",
        "traefik.http.routers.continuwuity.tls=true",
        "traefik.http.routers.continuwuity.tls.certresolver=letsencrypt",
        "traefik.http.routers.continuwuity-http.rule=(Host(`matrix.example.com`) || (Host(`example.com`) && PathPrefix(`/.well-known/matrix`)))",
        "traefik.http.routers.continuwuity-http.entrypoints=http",
        "traefik.http.routers.continuwuity-http.middlewares=continuwuity-redirect",
        "traefik.http.middlewares.continuwuity-redirect.redirectscheme.scheme=https",
        "traefik.http.middlewares.continuwuity-redirect.redirectscheme.permanent=true",
      ]
    }
    volume "continuwuity-volume" {
      type            = "csi"
      read_only       = false
      source          = "continuwuity-volume"
      attachment_mode = "file-system"
      access_mode     = "single-node-writer"
      per_alloc       = false
    }
    volume "continuwuity-media-volume" {
      type            = "csi"
      read_only       = false
      source          = "continuwuity-media-volume"
      attachment_mode = "file-system"
      access_mode     = "single-node-writer"
      per_alloc       = false
      mount_options {
        mount_flags = []
      }
    }
    task "continuwuity" {
      driver = "docker"
      env {
        CONTINUWUITY_SERVER_NAME        = "matrix.example.com"
        CONTINUWUITY_TRUSTED_SERVERS    = "[\"matrix.org\", \"mozilla.org\"]"
        CONTINUWUITY_ALLOW_REGISTRATION = false
        CONTINUWUITY_ADDRESS            = "0.0.0.0"
        CONTINUWUITY_PORT               = 6167
        CONTINUWUITY_DATABASE_PATH      = "/var/lib/continuwuity"
        CONTINUWUITY_WELL_KNOWN         = <<EOF
 {
 client=https://matrix.example.com,
 server=matrix.example.com:443
 }
 EOF
      }
      config {
        image = "forgejo.ellis.link/continuwuation/continuwuity:latest"
        ports = ["http"]
      }
      volume_mount {
        volume      = "continuwuity-volume"
        destination = "/var/lib/continuwuity"
      }
      volume_mount {
        volume      = "continuwuity-media-volume"
        destination = "/var/lib/continuwuity/media"
      }
    }
  }
 }
 ```
 ### Using consul
 ```hcl
 ...
      template {
        data = <<EOF
 {{key "config/continuwuity"}}
 EOF
        destination = "local/conduwuit.toml"
      }
 ...
 ```
--- a/docs/public/.well-known/continuwuity/announcements
+++ b/docs/public/.well-known/continuwuity/announcements
@@ -6,10 +6,10 @@
            "message": "Welcome to Continuwuity! Important announcements about the project will appear here."
        },
        {
-            "id": 10,
+            "id": 12,
            "mention_room": false,
-            "date": "2026-03-03",
+            "date": "2026-04-24",
-            "message": "We've just released [v0.5.6](https://forgejo.ellis.link/continuwuation/continuwuity/releases/tag/v0.5.6), which contains a few  security improvements - plus significant reliability and performance improvements. Please update as soon as possible. \n\nWe released [v0.5.5](https://forgejo.ellis.link/continuwuation/continuwuity/releases/tag/v0.5.5) two weeks ago, but it skipped your admin room straight to [our announcements channel](https://matrix.to/#/!jIdNjSM5X-V5JVx2h2kAhUZIIQ08GyzPL55NFZAH1vM?via=ellis.link&via=gingershaped.computer&via=matrix.org). Make sure you're there to get important information as soon as we announce it! [Our space](https://matrix.to/#/!8cR4g-i9ucof69E4JHNg9LbPVkGprHb3SzcrGBDDJgk?via=continuwuity.org&via=ellis.link&via=matrix.org) has also gained a bunch of new and interesting rooms - be there or be square."
+            "message": "[v0.5.8](https://forgejo.ellis.link/continuwuation/continuwuity/releases/tag/v0.5.8) is out! This is a patch release which fixes a bug in 0.5.7's email support -- upgrade soon if you use that feature."
        }
    ]
 }
--- a/docs/public/advanced/delegated.docker-compose.for-traefik.yml
+++ b/docs/public/advanced/delegated.docker-compose.for-traefik.yml
@@ -0,0 +1,43 @@
 # Continuwuity - Behind Traefik Reverse Proxy
 services:
  homeserver:
    image: "forgejo.ellis.link/continuwuation/continuwuity:latest"
    restart: unless-stopped
    command: /sbin/conduwuit
    volumes:
      - db:/var/lib/continuwuity
      - ./continuwuity-resolv.conf:/etc/resolv.conf # use custom resolvers rather than Docker's
      #- ./continuwuity.toml:/etc/continuwuity.toml
    networks:
      - proxy
    labels:
      - "traefik.enable=true"
      - "traefik.http.routers.continuwuity.rule=(Host(`matrix.example.com`) || (Host(`example.com`) && PathPrefix(`/.well-known/matrix`)))"
      - "traefik.http.routers.continuwuity.entrypoints=websecure" # your HTTPS entry point
      - "traefik.http.routers.continuwuity.tls=true"
      - "traefik.http.routers.continuwuity.service=continuwuity"
      - "traefik.http.services.continuwuity.loadbalancer.server.port=8008"
      # possibly, depending on your config:
      # - "traefik.http.routers.continuwuity.tls.certresolver=letsencrypt"
    environment:
      CONTINUWUITY_SERVER_NAME: example.com # EDIT THIS
      CONTINUWUITY_DATABASE_PATH: /var/lib/continuwuity
      CONTINUWUITY_ADDRESS: 0.0.0.0
      CONTINUWUITY_PORT: 8008 # This must match with traefik's loadbalancer label
      #CONTINUWUITY_CONFIG: '/etc/continuwuity.toml' # Uncomment if you mapped config toml above
      # Serve .well-known files to tell others to reach Continuwuity on port :443
      CONTINUWUITY_WELL_KNOWN: |
        {
        client=https://matrix.example.com,
        server=matrix.example.com:443
        }
 volumes:
  db:
 networks:
  # This must match the network name that Traefik listens on
  proxy:
    external: true
--- a/docs/public/advanced/delegated.docker-compose.with-caddy-labels.yml
+++ b/docs/public/advanced/delegated.docker-compose.with-caddy-labels.yml
@@ -0,0 +1,54 @@
 # Continuwuity - With Caddy Labels
 services:
    caddy:
    # This compose file uses caddy-docker-proxy as the reverse proxy for Continuwuity!
    # For more info, visit https://github.com/lucaslorentz/caddy-docker-proxy
        image: "docker.io/lucaslorentz/caddy-docker-proxy:ci-alpine"
        ports:
            - 80:80
            - 443:443
        environment:
            - CADDY_INGRESS_NETWORKS=caddy
        networks:
            - caddy
        volumes:
            - /var/run/docker.sock:/var/run/docker.sock
            - ./data:/data
        restart: unless-stopped
        labels:
            caddy: example.com
            caddy.reverse_proxy: /.well-known/matrix/* homeserver:8008
    homeserver:
        image: "forgejo.ellis.link/continuwuation/continuwuity:latest"
        restart: unless-stopped
        command: /sbin/conduwuit
        volumes:
            - db:/var/lib/continuwuity
            - ./continuwuity-resolv.conf:/etc/resolv.conf # use custom resolvers rather than Docker's
            #- ./continuwuity.toml:/etc/continuwuity.toml
        environment:
            CONTINUWUITY_SERVER_NAME: example.com # EDIT THIS
            CONTINUWUITY_DATABASE_PATH: /var/lib/continuwuity
            CONTINUWUITY_ADDRESS: 0.0.0.0
            CONTINUWUITY_PORT: 8008
            #CONTINUWUITY_CONFIG: '/etc/continuwuity.toml' # Uncomment if you mapped config toml above
            # Serve .well-known files to tell others to reach Continuwuity on port :443
            CONTINUWUITY_WELL_KNOWN: |
                {
                client=https://matrix.example.com,
                server=matrix.example.com:443
                }
        networks:
            - caddy
        labels:
            caddy: matrix.example.com
            caddy.reverse_proxy: "{{upstreams 8008}}"
 volumes:
    db:
 networks:
    caddy:
--- a/docs/public/advanced/delegated.docker-compose.with-caddy.yml
+++ b/docs/public/advanced/delegated.docker-compose.with-caddy.yml
@@ -0,0 +1,57 @@
 # Continuwuity - Using Caddy Docker Image
 services:
    caddy:
        image: "docker.io/caddy:latest"
        ports:
            - 80:80
            - 443:443
        networks:
            - caddy
        volumes:
            - ./data:/data
        restart: unless-stopped
        configs:
            - source: Caddyfile
              target: /etc/caddy/Caddyfile
    homeserver:
        image: "forgejo.ellis.link/continuwuation/continuwuity:latest"
        restart: unless-stopped
        command: /sbin/conduwuit
        volumes:
            - db:/var/lib/continuwuity
            - ./continuwuity-resolv.conf:/etc/resolv.conf # use custom resolvers rather than Docker's
            #- ./continuwuity.toml:/etc/continuwuity.toml
        environment:
            CONTINUWUITY_SERVER_NAME: example.com
            CONTINUWUITY_DATABASE_PATH: /var/lib/continuwuity
            CONTINUWUITY_ADDRESS: 0.0.0.0
            CONTINUWUITY_PORT: 8008
            #CONTINUWUITY_CONFIG: '/etc/continuwuity.toml' # Uncomment if you mapped config toml above
            ## Serve .well-known files to tell others to reach Continuwuity on port :443
            CONTINUWUITY_WELL_KNOWN: |
                {
                client=https://matrix.example.com,
                server=matrix.example.com:443
                }
        networks:
            - caddy
 networks:
    caddy:
 volumes:
    db:
 configs:
    Caddyfile:
        content: |
            https://matrix.example.com:443 {
                reverse_proxy http://homeserver:8008
            }
            https://example.com:443 {
                reverse_proxy /.well-known/matrix* http://homeserver:8008
            }
--- a/docs/public/advanced/delegated.docker-compose.with-traefik.yml
+++ b/docs/public/advanced/delegated.docker-compose.with-traefik.yml
@@ -0,0 +1,85 @@
 # Continuwuity - With Traefik Reverse Proxy
 services:
  homeserver:
    image: "forgejo.ellis.link/continuwuation/continuwuity:latest"
    restart: unless-stopped
    command: /sbin/conduwuit
    volumes:
      - db:/var/lib/continuwuity
      - ./continuwuity-resolv.conf:/etc/resolv.conf # use custom resolvers rather than Docker's
      #- ./continuwuity.toml:/etc/continuwuity.toml
    networks:
      - proxy
    labels:
      - "traefik.enable=true"
      - "traefik.http.routers.continuwuity.rule=(Host(`matrix.example.com`) || (Host(`example.com`) && PathPrefix(`/.well-known/matrix`)))"
      - "traefik.http.routers.continuwuity.entrypoints=websecure"
      - "traefik.http.routers.continuwuity.tls.certresolver=letsencrypt"
      - "traefik.http.services.continuwuity.loadbalancer.server.port=8008"
    environment:
      CONTINUWUITY_SERVER_NAME: example.com # EDIT THIS
      CONTINUWUITY_DATABASE_PATH: /var/lib/continuwuity
      CONTINUWUITY_ADDRESS: 0.0.0.0
      CONTINUWUITY_PORT: 8008 # This must match with traefik's loadbalancer label
      #CONTINUWUITY_CONFIG: '/etc/continuwuity.toml' # Uncomment if you mapped config toml above
      # Serve .well-known files to tell others to reach Continuwuity on port :443
      CONTINUWUITY_WELL_KNOWN: |
        {
          client=https://matrix.example.com,
          server=matrix.example.com:443
        }
  traefik:
    image: "docker.io/traefik:latest"
    container_name: "traefik"
    restart: "unless-stopped"
    ports:
      - "80:80"
      - "443:443"
    volumes:
      - "/var/run/docker.sock:/var/run/docker.sock:ro"
      - "acme:/etc/traefik/acme"
    labels:
      - "traefik.enable=true"
      # middleware redirect
      - "traefik.http.middlewares.redirect-to-https.redirectscheme.scheme=https"
      # global redirect to https
      - "traefik.http.routers.redirs.rule=hostregexp(`{host:.+}`)"
      - "traefik.http.routers.redirs.entrypoints=web"
      - "traefik.http.routers.redirs.middlewares=redirect-to-https"
    environment:
      TRAEFIK_LOG_LEVEL: DEBUG
      TRAEFIK_ENTRYPOINTS_WEB: true
      TRAEFIK_ENTRYPOINTS_WEB_ADDRESS: ":80"
      TRAEFIK_ENTRYPOINTS_WEB_HTTP_REDIRECTIONS_ENTRYPOINT_TO: websecure
      TRAEFIK_ENTRYPOINTS_WEBSECURE: true
      TRAEFIK_ENTRYPOINTS_WEBSECURE_ADDRESS: ":443"
      TRAEFIK_ENTRYPOINTS_WEBSECURE_HTTP_TLS_CERTRESOLVER: letsencrypt
      TRAEFIK_CERTIFICATESRESOLVERS_LETSENCRYPT: true
      # CHANGE THIS to desired email for ACME
      TRAEFIK_CERTIFICATESRESOLVERS_LETSENCRYPT_ACME_EMAIL: user@example.com
      TRAEFIK_CERTIFICATESRESOLVERS_LETSENCRYPT_ACME_HTTPCHALLENGE: true
      TRAEFIK_CERTIFICATESRESOLVERS_LETSENCRYPT_ACME_HTTPCHALLENGE_ENTRYPOINT: web
      TRAEFIK_CERTIFICATESRESOLVERS_LETSENCRYPT_ACME_STORAGE: "/etc/traefik/acme/acme.json"
      # Since Traefik 3.6.3, paths with certain "encoded characters" are now blocked by default; we need a couple, or else things *will* break
      TRAEFIK_ENTRYPOINTS_WEBSECURE_HTTP_ENCODEDCHARACTERS_ALLOWENCODEDSLASH: true
      TRAEFIK_ENTRYPOINTS_WEBSECURE_HTTP_ENCODEDCHARACTERS_ALLOWENCODEDHASH: true
      TRAEFIK_PROVIDERS_DOCKER: true
      TRAEFIK_PROVIDERS_DOCKER_ENDPOINT: "unix:///var/run/docker.sock"
      TRAEFIK_PROVIDERS_DOCKER_EXPOSEDBYDEFAULT: false
 volumes:
  db:
  acme:
 networks:
  proxy:
--- a/docs/public/deploying/docker-compose.for-traefik.yml
+++ b/docs/public/deploying/docker-compose.for-traefik.yml
@@ -0,0 +1,43 @@
 # Continuwuity - Behind Traefik Reverse Proxy
 services:
  homeserver:
    image: "forgejo.ellis.link/continuwuation/continuwuity:latest"
    restart: unless-stopped
    command: /sbin/conduwuit
    volumes:
      - db:/var/lib/continuwuity
      - ./continuwuity-resolv.conf:/etc/resolv.conf # use custom resolvers rather than Docker's
      #- ./continuwuity.toml:/etc/continuwuity.toml
    networks:
      - proxy
    labels:
      - "traefik.enable=true"
      - "traefik.http.routers.continuwuity.rule=(Host(`example.com`))"
      - "traefik.http.routers.continuwuity.entrypoints=websecure" # your HTTPS entry point
      - "traefik.http.routers.continuwuity.tls=true"
      - "traefik.http.routers.continuwuity.service=continuwuity"
      - "traefik.http.services.continuwuity.loadbalancer.server.port=8008"
      # possibly, depending on your config:
      # - "traefik.http.routers.continuwuity.tls.certresolver=letsencrypt"
    environment:
      CONTINUWUITY_SERVER_NAME: example.com
      CONTINUWUITY_DATABASE_PATH: /var/lib/continuwuity
      CONTINUWUITY_ADDRESS: 0.0.0.0
      CONTINUWUITY_PORT: 8008 # This must match with traefik's loadbalancer label
      #CONTINUWUITY_CONFIG: '/etc/continuwuity.toml' # Uncomment if you mapped config toml above
      # Serve .well-known files to tell others to reach Continuwuity on port :443
      CONTINUWUITY_WELL_KNOWN: |
        {
        client=https://example.com,
        server=example.com:443
        }
 volumes:
  db:
 networks:
  # This must match the network name that Traefik listens on
  proxy:
    external: true
--- a/docs/public/deploying/docker-compose.override.yml
+++ b/docs/public/deploying/docker-compose.override.yml
@@ -0,0 +1,23 @@
 # Continuwuity - Traefik Reverse Proxy Labels (override file)
 services:
  homeserver:
    labels:
      - "traefik.enable=true"
      - "traefik.docker.network=proxy" # Change this to the name of your Traefik docker proxy network
      - "traefik.http.routers.to-continuwuity.rule=Host(`example.com`)"  # Change to the address on which Continuwuity is hosted
      - "traefik.http.routers.to-continuwuity.tls=true"
      - "traefik.http.routers.to-continuwuity.tls.certresolver=letsencrypt"
      - "traefik.http.routers.to-continuwuity.middlewares=cors-headers@docker"
      # This must match with CONTINUWUITY_PORT (default: 8008)
      - "traefik.http.services.to_continuwuity.loadbalancer.server.port=8008"
      # If you want to have your account on <DOMAIN>, but host Continuwuity on a subdomain,
      # you can let it only handle the well known file on the base domain instead
      #
      # - "traefik.http.routers.to-matrix-wellknown.rule=Host(`example.com`) && PathPrefix(`/.well-known/matrix`)"
      #- "traefik.http.routers.to-matrix-wellknown.tls=true"
      #- "traefik.http.routers.to-matrix-wellknown.tls.certresolver=letsencrypt"
      #- "traefik.http.routers.to-matrix-wellknown.middlewares=cors-headers@docker"
--- a/docs/public/deploying/docker-compose.with-caddy-labels.yml
+++ b/docs/public/deploying/docker-compose.with-caddy-labels.yml
@@ -0,0 +1,51 @@
 # Continuwuity - With Caddy Labels
 services:
    caddy:
    # This compose file uses caddy-docker-proxy as the reverse proxy for Continuwuity!
    # For more info, visit https://github.com/lucaslorentz/caddy-docker-proxy
        image: "docker.io/lucaslorentz/caddy-docker-proxy:ci-alpine"
        ports:
            - 80:80
            - 443:443
        environment:
            - CADDY_INGRESS_NETWORKS=caddy
        networks:
            - caddy
        volumes:
            - /var/run/docker.sock:/var/run/docker.sock
            - ./data:/data
        restart: unless-stopped
    homeserver:
        image: "forgejo.ellis.link/continuwuation/continuwuity:latest"
        restart: unless-stopped
        command: /sbin/conduwuit
        volumes:
            - db:/var/lib/continuwuity
            - ./continuwuity-resolv.conf:/etc/resolv.conf # use custom resolvers rather than Docker's
            #- ./continuwuity.toml:/etc/continuwuity.toml
        environment:
            CONTINUWUITY_SERVER_NAME: example.com
            CONTINUWUITY_DATABASE_PATH: /var/lib/continuwuity
            CONTINUWUITY_ADDRESS: 0.0.0.0
            CONTINUWUITY_PORT: 8008
            #CONTINUWUITY_CONFIG: '/etc/continuwuity.toml' # Uncomment if you mapped config toml above
            # Serve .well-known files to tell others to reach Continuwuity on port :443
            CONTINUWUITY_WELL_KNOWN: |
                {
                client=https://example.com,
                server=example.com:443
                }
        networks:
            - caddy
        labels:
            caddy: example.com
            caddy.reverse_proxy: "{{upstreams 8008}}"
 volumes:
    db:
 networks:
    caddy:
--- a/docs/public/deploying/docker-compose.with-caddy.yml
+++ b/docs/public/deploying/docker-compose.with-caddy.yml
@@ -0,0 +1,56 @@
 # Continuwuity - Using Caddy Docker Image
 services:
    caddy:
        image: "docker.io/caddy:latest"
        ports:
            - 80:80
            - 443:443
            - 8448:8448
        networks:
            - caddy
        volumes:
            - ./data:/data
        restart: unless-stopped
        configs:
            - source: Caddyfile
              target: /etc/caddy/Caddyfile
    homeserver:
        image: "forgejo.ellis.link/continuwuation/continuwuity:latest"
        restart: unless-stopped
        command: /sbin/conduwuit
        volumes:
            - db:/var/lib/continuwuity
            - ./continuwuity-resolv.conf:/etc/resolv.conf # use custom resolvers rather than Docker's
            #- ./continuwuity.toml:/etc/continuwuity.toml
        environment:
            CONTINUWUITY_SERVER_NAME: example.com
            CONTINUWUITY_DATABASE_PATH: /var/lib/continuwuity
            CONTINUWUITY_ADDRESS: 0.0.0.0
            CONTINUWUITY_PORT: 8008
            #CONTINUWUITY_CONFIG: '/etc/continuwuity.toml' # Uncomment if you mapped config toml above
            ## (Optional) Serve .well-known files to tell others to reach Continuwuity on port :443
            ## If you do this, remove all routes to port :8448 from the compose and Caddyfile
            # CONTINUWUITY_WELL_KNOWN: |
            #     {
            #     client=https://example.com,
            #     server=example.com:443
            #     }
        networks:
            - caddy
 networks:
    caddy:
 volumes:
    db:
 configs:
    Caddyfile:
        content: |
            https://example.com:443, https://example.com:8448 {
                reverse_proxy http://homeserver:8008
            }
--- a/docs/public/deploying/docker-compose.with-traefik.yml
+++ b/docs/public/deploying/docker-compose.with-traefik.yml
@@ -0,0 +1,85 @@
 # Continuwuity - With Traefik Reverse Proxy
 services:
  homeserver:
    image: "forgejo.ellis.link/continuwuation/continuwuity:latest"
    restart: unless-stopped
    command: /sbin/conduwuit
    volumes:
      - db:/var/lib/continuwuity
      - ./continuwuity-resolv.conf:/etc/resolv.conf # use custom resolvers rather than Docker's
      #- ./continuwuity.toml:/etc/continuwuity.toml
    networks:
      - proxy
    labels:
      - "traefik.enable=true"
      - "traefik.http.routers.continuwuity.rule=(Host(`example.com`))"
      - "traefik.http.routers.continuwuity.entrypoints=websecure"
      - "traefik.http.routers.continuwuity.tls.certresolver=letsencrypt"
      - "traefik.http.services.continuwuity.loadbalancer.server.port=8008"
    environment:
      CONTINUWUITY_SERVER_NAME: example.com
      CONTINUWUITY_DATABASE_PATH: /var/lib/continuwuity
      CONTINUWUITY_ADDRESS: 0.0.0.0
      CONTINUWUITY_PORT: 8008 # This must match with traefik's loadbalancer label
      #CONTINUWUITY_CONFIG: '/etc/continuwuity.toml' # Uncomment if you mapped config toml above
      # Serve .well-known files to tell others to reach Continuwuity on port :443
      CONTINUWUITY_WELL_KNOWN: |
        {
          client=https://example.com,
          server=example.com:443
        }
  traefik:
    image: "docker.io/traefik:latest"
    container_name: "traefik"
    restart: "unless-stopped"
    ports:
      - "80:80"
      - "443:443"
    volumes:
      - "/var/run/docker.sock:/var/run/docker.sock:ro"
      - "acme:/etc/traefik/acme"
    labels:
      - "traefik.enable=true"
      # middleware redirect
      - "traefik.http.middlewares.redirect-to-https.redirectscheme.scheme=https"
      # global redirect to https
      - "traefik.http.routers.redirs.rule=hostregexp(`{host:.+}`)"
      - "traefik.http.routers.redirs.entrypoints=web"
      - "traefik.http.routers.redirs.middlewares=redirect-to-https"
    environment:
      TRAEFIK_LOG_LEVEL: DEBUG
      TRAEFIK_ENTRYPOINTS_WEB: true
      TRAEFIK_ENTRYPOINTS_WEB_ADDRESS: ":80"
      TRAEFIK_ENTRYPOINTS_WEB_HTTP_REDIRECTIONS_ENTRYPOINT_TO: websecure
      TRAEFIK_ENTRYPOINTS_WEBSECURE: true
      TRAEFIK_ENTRYPOINTS_WEBSECURE_ADDRESS: ":443"
      TRAEFIK_ENTRYPOINTS_WEBSECURE_HTTP_TLS_CERTRESOLVER: letsencrypt
      TRAEFIK_CERTIFICATESRESOLVERS_LETSENCRYPT: true
      # CHANGE THIS to desired email for ACME
      TRAEFIK_CERTIFICATESRESOLVERS_LETSENCRYPT_ACME_EMAIL: user@example.com
      TRAEFIK_CERTIFICATESRESOLVERS_LETSENCRYPT_ACME_HTTPCHALLENGE: true
      TRAEFIK_CERTIFICATESRESOLVERS_LETSENCRYPT_ACME_HTTPCHALLENGE_ENTRYPOINT: web
      TRAEFIK_CERTIFICATESRESOLVERS_LETSENCRYPT_ACME_STORAGE: "/etc/traefik/acme/acme.json"
      # Since Traefik 3.6.3, paths with certain "encoded characters" are now blocked by default; we need a couple, or else things *will* break
      TRAEFIK_ENTRYPOINTS_WEBSECURE_HTTP_ENCODEDCHARACTERS_ALLOWENCODEDSLASH: true
      TRAEFIK_ENTRYPOINTS_WEBSECURE_HTTP_ENCODEDCHARACTERS_ALLOWENCODEDHASH: true
      TRAEFIK_PROVIDERS_DOCKER: true
      TRAEFIK_PROVIDERS_DOCKER_ENDPOINT: "unix:///var/run/docker.sock"
      TRAEFIK_PROVIDERS_DOCKER_EXPOSEDBYDEFAULT: false
 volumes:
  db:
  acme:
 networks:
  proxy:
--- a/docs/public/deploying/docker-compose.yml
+++ b/docs/public/deploying/docker-compose.yml
@@ -0,0 +1,41 @@
 # Continuwuity - Bare Configuration (for other reverse proxies)
 services:
    homeserver:
        image: "forgejo.ellis.link/continuwuation/continuwuity:latest"
        restart: unless-stopped
        command: /sbin/conduwuit
        ports:
            # If your reverse proxy is on the host, use this
            # and configure it to connect to `127.0.0.1:8008`
            - 127.0.0.1:8008:8008
            # If your reverse proxy is on another machine, use this
            # and configure it to connect to <this-machine-ip>:8008
            # - 8008:8008
            # If your reverse proxy is a docker container on the same network,
            # comment out the entire `ports` section, and configure it to connect to `continuwuity:8008`
        volumes:
            - db:/var/lib/continuwuity
            - ./continuwuity-resolv.conf:/etc/resolv.conf # use custom resolvers rather than Docker's
            #- ./continuwuity.toml:/etc/continuwuity.toml
        environment:
            CONTINUWUITY_SERVER_NAME: example.com # EDIT THIS
            CONTINUWUITY_DATABASE_PATH: /var/lib/continuwuity
            CONTINUWUITY_ADDRESS: 0.0.0.0
            CONTINUWUITY_PORT: 8008
            #CONTINUWUITY_CONFIG: '/etc/continuwuity.toml' # Uncomment if you mapped config toml above
            ## (Optional) Serve .well-known files to tell others to reach Continuwuity on port :443
            ## If you do this, remove all routes to port :8448 on your reverse proxy
            # CONTINUWUITY_WELL_KNOWN: |
            #     {
            #     client=https://example.com,
            #     server=example.com:443
            #     }
 volumes:
    db:
--- a/docs/reference/_meta.json
+++ b/docs/reference/_meta.json
@@ -4,11 +4,6 @@
        "name": "config",
        "label": "Configuration"
    },
    {
        "type": "file",
        "name": "environment-variables",
        "label": "Environment Variables"
    },
    {
        "type": "file",
        "name": "admin",
--- a/docs/reference/admin/debug.md
+++ b/docs/reference/admin/debug.md
@@ -130,6 +130,10 @@ ## `!admin debug database-files`
 List database files
 ## `!admin debug send-test-email`
 Send a test email to the invoking admin's email address
 ## `!admin debug tester`
 Developer test stubs
--- a/docs/reference/admin/index.md
+++ b/docs/reference/admin/index.md
@@ -7,7 +7,7 @@ ## Running commands
 * All commands listed here may be used by server administrators in the admin room by sending them as messages.
 * If the `admin_escape_commands` configuration option is enabled, server administrators may run certain commands in public rooms by prefixing them with a single backslash. These commands will only run on _their_ homeserver, even if they are a member of another homeserver's admin room. Some sensitive commands cannot be used outside the admin room and will return an error.
-* All commands listed here may be used in the server's console, if it is enabled. Commands entered in the console do not require the `!admin` prefix.
+* All commands listed here may be used in the server's console, if it is enabled. Commands entered in the console do not require the `!admin` prefix. If Continuwuity is deployed via Docker, be sure to set the appropriate options detailed in [the Docker deployment guide](../../deploying/docker.mdx#accessing-the-servers-console) to enable access to the server's console.
 ## Categories
--- a/docs/reference/admin/query.md
+++ b/docs/reference/admin/query.md
@@ -133,6 +133,18 @@ ### `!admin query pusher get-pushers`
 Returns all the pushers for the user
 ### `!admin query pusher delete-pusher`
 Deletes a specific pusher by ID
 ### `!admin query pusher delete-all-user`
 Deletes all pushers for a user
 ### `!admin query pusher delete-all-device`
 Deletes all pushers associated with a device ID
 ## `!admin query short`
 short service
--- a/docs/reference/admin/server.md
+++ b/docs/reference/admin/server.md
@@ -47,3 +47,11 @@ ## `!admin server restart`
 ## `!admin server shutdown`
 Shutdown the server
 ## `!admin server list-features`
 List features built into the server
 ## `!admin server build-info`
 Build information
--- a/docs/reference/admin/users.md
+++ b/docs/reference/admin/users.md
@@ -12,6 +12,24 @@ ## `!admin users reset-password`
 Reset user password
 ## `!admin users issue-password-reset-link`
 Issue a self-service password reset link for a user
 ## `!admin users get-email`
 Get a user's associated email address
 ## `!admin users get-user-by-email`
 Get the user with the given email address
 ## `!admin users change-email`
 Update or remove a user's email address.
 If `email` is not supplied, the user's existing address will be removed.
 ## `!admin users deactivate`
 Deactivate a user
@@ -139,3 +157,7 @@ ## `!admin users force-join-all-local-users`
 At least 1 server admin must be in the room to reduce abuse.
 Requires the `--yes-i-want-to-do-this` flag.
 ## `!admin users reset-push-rules`
 Resets the push-rules (notification settings) of the target user to the server defaults
--- a/docs/reference/environment-variables.mdx
+++ b/docs/reference/environment-variables.mdx
@@ -1,281 +0,0 @@
 # Environment Variables
 Continuwuity can be configured entirely through environment variables, making it
 ideal for containerised deployments and infrastructure-as-code scenarios.
 This is a convenience reference and may not be exhaustive. The
 [Configuration Reference](./config.mdx) is the primary source for all
 configuration options.
 ## Prefix System
 Continuwuity supports three environment variable prefixes for backwards
 compatibility:
 - `CONTINUWUITY_*` (current, recommended)
 - `CONDUWUIT_*` (compatibility)
 - `CONDUIT_*` (legacy)
 All three prefixes work identically. Use double underscores (`__`) to represent
 nested configuration sections from the TOML config.
 **Examples:**
 ```bash
 # Simple top-level config
 CONTINUWUITY_SERVER_NAME="matrix.example.com"
 CONTINUWUITY_PORT="8008"
 # Nested config sections use double underscores
 # This maps to [database] section in TOML
 CONTINUWUITY_DATABASE__PATH="/var/lib/continuwuity"
 # This maps to [tls] section in TOML
 CONTINUWUITY_TLS__CERTS="/path/to/cert.pem"
 ```
 ## Configuration File Override
 You can specify a custom configuration file path:
 - `CONTINUWUITY_CONFIG` - Path to continuwuity.toml (current)
 - `CONDUWUIT_CONFIG` - Path to config file (compatibility)
 - `CONDUIT_CONFIG` - Path to config file (legacy)
 ## Essential Variables
 These are the minimum variables needed for a working deployment:
 | Variable                     | Description                        | Default                |
 | ---------------------------- | ---------------------------------- | ---------------------- |
 | `CONTINUWUITY_SERVER_NAME`   | Your Matrix server's domain name   | Required               |
 | `CONTINUWUITY_DATABASE_PATH` | Path to RocksDB database directory | `/var/lib/conduwuit`   |
 | `CONTINUWUITY_ADDRESS`       | IP address to bind to              | `["127.0.0.1", "::1"]` |
 | `CONTINUWUITY_PORT`          | Port to listen on                  | `8008`                 |
 ## Network Configuration
 | Variable                         | Description                                     | Default                |
 | -------------------------------- | ----------------------------------------------- | ---------------------- |
 | `CONTINUWUITY_ADDRESS`           | Bind address (use `0.0.0.0` for all interfaces) | `["127.0.0.1", "::1"]` |
 | `CONTINUWUITY_PORT`              | HTTP port                                       | `8008`                 |
 | `CONTINUWUITY_UNIX_SOCKET_PATH`  | UNIX socket path (alternative to TCP)           | -                      |
 | `CONTINUWUITY_UNIX_SOCKET_PERMS` | Socket permissions (octal)                      | `660`                  |
 ## Database Configuration
 | Variable                                   | Description                 | Default              |
 | ------------------------------------------ | --------------------------- | -------------------- |
 | `CONTINUWUITY_DATABASE_PATH`               | RocksDB data directory      | `/var/lib/conduwuit` |
 | `CONTINUWUITY_DATABASE_BACKUP_PATH`        | Backup directory            | -                    |
 | `CONTINUWUITY_DATABASE_BACKUPS_TO_KEEP`    | Number of backups to retain | `1`                  |
 | `CONTINUWUITY_DB_CACHE_CAPACITY_MB`        | Database read cache (MB)    | -                    |
 | `CONTINUWUITY_DB_WRITE_BUFFER_CAPACITY_MB` | Write cache (MB)            | -                    |
 ## Cache Configuration
 | Variable                                 | Description              |
 | ---------------------------------------- | ------------------------ |
 | `CONTINUWUITY_CACHE_CAPACITY_MODIFIER`   | LRU cache multiplier     |
 | `CONTINUWUITY_PDU_CACHE_CAPACITY`        | PDU cache entries        |
 | `CONTINUWUITY_AUTH_CHAIN_CACHE_CAPACITY` | Auth chain cache entries |
 ## DNS Configuration
 Configure DNS resolution behaviour for federation and external requests.
 | Variable                             | Description                  | Default  |
 | ------------------------------------ | ---------------------------- | -------- |
 | `CONTINUWUITY_DNS_CACHE_ENTRIES`     | Max DNS cache entries        | `32768`  |
 | `CONTINUWUITY_DNS_MIN_TTL`           | Minimum cache TTL (seconds)  | `10800`  |
 | `CONTINUWUITY_DNS_MIN_TTL_NXDOMAIN`  | NXDOMAIN cache TTL (seconds) | `259200` |
 | `CONTINUWUITY_DNS_ATTEMPTS`          | Retry attempts               | -        |
 | `CONTINUWUITY_DNS_TIMEOUT`           | Query timeout (seconds)      | -        |
 | `CONTINUWUITY_DNS_TCP_FALLBACK`      | Allow TCP fallback           | -        |
 | `CONTINUWUITY_QUERY_ALL_NAMESERVERS` | Query all nameservers        | -        |
 | `CONTINUWUITY_QUERY_OVER_TCP_ONLY`   | TCP-only queries             | -        |
 ## Request Configuration
 | Variable                             | Description                   |
 | ------------------------------------ | ----------------------------- |
 | `CONTINUWUITY_MAX_REQUEST_SIZE`      | Max HTTP request size (bytes) |
 | `CONTINUWUITY_REQUEST_CONN_TIMEOUT`  | Connection timeout (seconds)  |
 | `CONTINUWUITY_REQUEST_TIMEOUT`       | Overall request timeout       |
 | `CONTINUWUITY_REQUEST_TOTAL_TIMEOUT` | Total timeout                 |
 | `CONTINUWUITY_REQUEST_IDLE_TIMEOUT`  | Idle timeout                  |
 | `CONTINUWUITY_REQUEST_IDLE_PER_HOST` | Idle connections per host     |
 ## Federation Configuration
 Control how your server federates with other Matrix servers.
 | Variable                                       | Description                   | Default |
 | ---------------------------------------------- | ----------------------------- | ------- |
 | `CONTINUWUITY_ALLOW_FEDERATION`                | Enable federation             | `true`  |
 | `CONTINUWUITY_FEDERATION_LOOPBACK`             | Allow loopback federation     | -       |
 | `CONTINUWUITY_FEDERATION_CONN_TIMEOUT`         | Connection timeout            | -       |
 | `CONTINUWUITY_FEDERATION_TIMEOUT`              | Request timeout               | -       |
 | `CONTINUWUITY_FEDERATION_IDLE_TIMEOUT`         | Idle timeout                  | -       |
 | `CONTINUWUITY_FEDERATION_IDLE_PER_HOST`        | Idle connections per host     | -       |
 | `CONTINUWUITY_TRUSTED_SERVERS`                 | JSON array of trusted servers | -       |
 | `CONTINUWUITY_QUERY_TRUSTED_KEY_SERVERS_FIRST` | Query trusted first           | -       |
 | `CONTINUWUITY_ONLY_QUERY_TRUSTED_KEY_SERVERS`  | Only query trusted            | -       |
 **Example:**
 ```bash
 # Trust matrix.org for key verification
 CONTINUWUITY_TRUSTED_SERVERS='["matrix.org"]'
 ```
 ## Registration & User Configuration
 Control user registration and account creation behaviour.
 | Variable                                   | Description           | Default |
 | ------------------------------------------ | --------------------- | ------- |
 | `CONTINUWUITY_ALLOW_REGISTRATION`          | Enable registration   | `true`  |
 | `CONTINUWUITY_REGISTRATION_TOKEN`          | Token requirement     | -       |
 | `CONTINUWUITY_SUSPEND_ON_REGISTER`         | Suspend new accounts  | -       |
 | `CONTINUWUITY_NEW_USER_DISPLAYNAME_SUFFIX` | Display name suffix   | 🏳️‍⚧️      |
 | `CONTINUWUITY_RECAPTCHA_SITE_KEY`          | reCAPTCHA site key    | -       |
 | `CONTINUWUITY_RECAPTCHA_PRIVATE_SITE_KEY`  | reCAPTCHA private key | -       |
 **Example:**
 ```bash
 # Disable open registration
 CONTINUWUITY_ALLOW_REGISTRATION="false"
 # Require a registration token
 CONTINUWUITY_REGISTRATION_TOKEN="your_secret_token_here"
 ```
 ## Feature Configuration
 | Variable                                                   | Description                | Default |
 | ---------------------------------------------------------- | -------------------------- | ------- |
 | `CONTINUWUITY_ALLOW_ENCRYPTION`                            | Enable E2EE                | `true`  |
 | `CONTINUWUITY_ALLOW_ROOM_CREATION`                         | Enable room creation       | -       |
 | `CONTINUWUITY_ALLOW_UNSTABLE_ROOM_VERSIONS`                | Allow unstable versions    | -       |
 | `CONTINUWUITY_DEFAULT_ROOM_VERSION`                        | Default room version       | `v11`   |
 | `CONTINUWUITY_REQUIRE_AUTH_FOR_PROFILE_REQUESTS`           | Auth for profiles          | -       |
 | `CONTINUWUITY_ALLOW_PUBLIC_ROOM_DIRECTORY_OVER_FEDERATION` | Federate directory         | -       |
 | `CONTINUWUITY_ALLOW_PUBLIC_ROOM_DIRECTORY_WITHOUT_AUTH`    | Unauth directory           | -       |
 | `CONTINUWUITY_ALLOW_DEVICE_NAME_FEDERATION`                | Device names in federation | -       |
 ## TLS Configuration
 Built-in TLS support is primarily for testing. **For production deployments,
 especially when federating on the internet, use a reverse proxy** (Traefik,
 Caddy, nginx) to handle TLS termination.
 | Variable                          | Description               |
 | --------------------------------- | ------------------------- |
 | `CONTINUWUITY_TLS__CERTS`         | TLS certificate file path |
 | `CONTINUWUITY_TLS__KEY`           | TLS private key path      |
 | `CONTINUWUITY_TLS__DUAL_PROTOCOL` | Support TLS 1.2 + 1.3     |
 **Example (testing only):**
 ```bash
 CONTINUWUITY_TLS__CERTS="/etc/letsencrypt/live/matrix.example.com/fullchain.pem"
 CONTINUWUITY_TLS__KEY="/etc/letsencrypt/live/matrix.example.com/privkey.pem"
 ```
 ## Logging Configuration
 Control log output format and verbosity.
 | Variable                       | Description        | Default |
 | ------------------------------ | ------------------ | ------- |
 | `CONTINUWUITY_LOG`             | Log filter level   | -       |
 | `CONTINUWUITY_LOG_COLORS`      | ANSI colours       | `true`  |
 | `CONTINUWUITY_LOG_SPAN_EVENTS` | Log span events    | `none`  |
 | `CONTINUWUITY_LOG_THREAD_IDS`  | Include thread IDs | -       |
 **Examples:**
 ```bash
 # Set log level to info
 CONTINUWUITY_LOG="info"
 # Enable debug logging for specific modules
 CONTINUWUITY_LOG="warn,continuwuity::api=debug"
 # Disable colours for log aggregation
 CONTINUWUITY_LOG_COLORS="false"
 ```
 ## Observability Configuration
 | Variable                                 | Description           |
 | ---------------------------------------- | --------------------- |
 | `CONTINUWUITY_ALLOW_OTLP`                | Enable OpenTelemetry  |
 | `CONTINUWUITY_OTLP_FILTER`               | OTLP filter level     |
 | `CONTINUWUITY_OTLP_PROTOCOL`             | Protocol (http/grpc)  |
 | `CONTINUWUITY_TRACING_FLAME`             | Enable flame graphs   |
 | `CONTINUWUITY_TRACING_FLAME_FILTER`      | Flame graph filter    |
 | `CONTINUWUITY_TRACING_FLAME_OUTPUT_PATH` | Output directory      |
 | `CONTINUWUITY_SENTRY`                    | Enable Sentry         |
 | `CONTINUWUITY_SENTRY_ENDPOINT`           | Sentry DSN            |
 | `CONTINUWUITY_SENTRY_SEND_SERVER_NAME`   | Include server name   |
 | `CONTINUWUITY_SENTRY_TRACES_SAMPLE_RATE` | Sample rate (0.0-1.0) |
 ## Admin Configuration
 Configure admin users and automated command execution.
 | Variable                                   | Description                      | Default           |
 | ------------------------------------------ | -------------------------------- | ----------------- |
 | `CONTINUWUITY_ADMINS_LIST`                 | JSON array of admin user IDs     | -                 |
 | `CONTINUWUITY_ADMINS_FROM_ROOM`            | Derive admins from room          | -                 |
 | `CONTINUWUITY_ADMIN_ESCAPE_COMMANDS`       | Allow `\` prefix in public rooms | -                 |
 | `CONTINUWUITY_ADMIN_CONSOLE_AUTOMATIC`     | Auto-activate console            | -                 |
 | `CONTINUWUITY_ADMIN_EXECUTE`               | JSON array of startup commands   | -                 |
 | `CONTINUWUITY_ADMIN_EXECUTE_ERRORS_IGNORE` | Ignore command errors            | -                 |
 | `CONTINUWUITY_ADMIN_SIGNAL_EXECUTE`        | Commands on SIGUSR2              | -                 |
 | `CONTINUWUITY_ADMIN_ROOM_TAG`              | Admin room tag                   | `m.server_notice` |
 **Examples:**
 ```bash
 # Create admin user on startup
 CONTINUWUITY_ADMIN_EXECUTE='["users create-user admin", "users make-user-admin admin"]'
 # Specify admin users directly
 CONTINUWUITY_ADMINS_LIST='["@alice:example.com", "@bob:example.com"]'
 ```
 ## Media & URL Preview Configuration
 | Variable                                             | Description        |
 | ---------------------------------------------------- | ------------------ |
 | `CONTINUWUITY_URL_PREVIEW_BOUND_INTERFACE`           | Bind interface     |
 | `CONTINUWUITY_URL_PREVIEW_DOMAIN_CONTAINS_ALLOWLIST` | Domain allowlist   |
 | `CONTINUWUITY_URL_PREVIEW_DOMAIN_EXPLICIT_ALLOWLIST` | Explicit allowlist |
 | `CONTINUWUITY_URL_PREVIEW_DOMAIN_EXPLICIT_DENYLIST`  | Explicit denylist  |
 | `CONTINUWUITY_URL_PREVIEW_MAX_SPIDER_SIZE`           | Max fetch size     |
 | `CONTINUWUITY_URL_PREVIEW_TIMEOUT`                   | Fetch timeout      |
 | `CONTINUWUITY_IP_RANGE_DENYLIST`                     | IP range denylist  |
 ## Tokio Runtime Configuration
 These can be set as environment variables or CLI arguments:
 | Variable                                  | Description                |
 | ----------------------------------------- | -------------------------- |
 | `TOKIO_WORKER_THREADS`                    | Worker thread count        |
 | `TOKIO_GLOBAL_QUEUE_INTERVAL`             | Global queue interval      |
 | `TOKIO_EVENT_INTERVAL`                    | Event interval             |
 | `TOKIO_MAX_IO_EVENTS_PER_TICK`            | Max I/O events per tick    |
 | `CONTINUWUITY_RUNTIME_HISTOGRAM_INTERVAL` | Histogram bucket size (μs) |
 | `CONTINUWUITY_RUNTIME_HISTOGRAM_BUCKETS`  | Bucket count               |
 | `CONTINUWUITY_RUNTIME_WORKER_AFFINITY`    | Enable worker affinity     |
 ## See Also
 - [Configuration Reference](./config.mdx) - Complete TOML configuration
  documentation
 - [Admin Commands](./admin/) - Admin command reference
--- a/docs/troubleshooting.mdx
+++ b/docs/troubleshooting.mdx
@@ -45,75 +45,30 @@ ### Lost access to admin room
 ## DNS issues
-### Potential DNS issues when using Docker
+### DNS server overload
-Docker's DNS setup for containers in a non-default network intercepts queries to
+If your server experience any of the following symptoms:
 enable resolving of container hostnames to IP addresses. However, due to
 performance issues with Docker's built-in resolver, this can cause DNS queries
 to take a long time to resolve, resulting in federation issues.
-This is particularly common with Docker Compose, as custom networks are easily
+- Spurious server log entries with "DNS No connections available", "mismatching responding nameservers", or "error sending request"
-created and configured.
+- Excessively long room joins (30+ minutes) as seen from server logs
 - Partial or non-functional outbound federation
-Symptoms of this include excessively long room joins (30+ minutes) from very
+This is likely due to your DNS server being overloaded. Most likely, these problems are encountered in the following scenarios:
 long DNS timeouts, log entries of "mismatching responding nameservers",
 and/or partial or non-functional inbound/outbound federation.
-This is not a bug in continuwuity. Docker's default DNS resolver is not suitable
+- Homeservers hosted on a machine that uses `systemd-resolved`.
-for heavy DNS activity, which is normal for federated protocols like Matrix.
+- Docker deployments which use the bridge network's forwarding resolver.
-Workarounds:
+Matrix federation is extremely heavy and sends wild amounts of DNS requests. This makes normal resolvers like the ones above unsuitable for its activity. Ultimately, the best solution/fix for this is to selfhost a high quality caching DNS resolver such as Unbound, and configure Continuwuity to use it.
- Use DNS over TCP via the config option `query_over_tcp_only = true`
+Follow the [**DNS tuning guide**](./advanced/dns) for details on setting it up.
 - Bypass Docker's default DNS setup and instead allow the container to use and communicate with your host's DNS servers. Typically, this can be done by mounting the host's `/etc/resolv.conf`.
-### DNS No connections available error message
+### Intermittent federation failures to a specific server
-If you receive spurious amounts of error logs saying "DNS No connections
+There may be circumstances where servers fail to connect to each other, probably due to a bad DNS cache. In such cases, issuing `!admin debug ping <SERVER_NAME>` would return some errors.
 available", this is due to your DNS server (servers from `/etc/resolv.conf`)
 being overloaded and unable to handle typical Matrix federation volume. Some
 users have reported that the upstream servers are rate-limiting them as well
 when they get this error (e.g. popular upstreams like Google DNS).
-Matrix federation is extremely heavy and sends wild amounts of DNS requests.
+To fix this, you can run `!admin query resolver flush-cache <SERVER_NAME>` to clear the bad cache for that domain, and outbound requests should work again.
 Unfortunately this is by design and has only gotten worse with more
 server/destination resolution steps. Synapse also expects a very perfect DNS
 setup.
-There are some ways you can reduce the amount of DNS queries, but ultimately
+You may also use `!admin server clear-caches` or `!admin query resolver flush-cache -a` to clear all server/resolver caches, in case of failures with many domains. However, note that this significantly increases your server load for a short period.
 the best solution/fix is selfhosting a high quality caching DNS server like
 [Unbound][unbound-arch] without any upstream resolvers, and without DNSSEC
 validation enabled.
 DNSSEC validation is highly recommended to be **disabled** due to DNSSEC being
 very computationally expensive, and is extremely susceptible to denial of
 service, especially on Matrix. Many servers also strangely have broken DNSSEC
 setups and will result in non-functional federation.
 Continuwuity cannot provide a "works-for-everyone" Unbound DNS setup guide, but
 the [official Unbound tuning guide][unbound-tuning] and the [Unbound Arch Linux wiki page][unbound-arch]
 may be of interest. Disabling DNSSEC on Unbound is commenting out trust-anchors
 config options and removing the `validator` module.
 **Avoid** using `systemd-resolved` as it does **not** perform very well under
 high load, and we have identified its DNS caching to not be very effective.
 dnsmasq can possibly work, but it does **not** support TCP fallback which can be
 problematic when receiving large DNS responses such as from large SRV records.
 If you still want to use dnsmasq, make sure you **disable** `dns_tcp_fallback`
 in Continuwuity config.
 Raising `dns_cache_entries` in Continuwuity config from the default can also assist
 in DNS caching, but a full-fledged external caching resolver is better and more
 reliable.
 If you don't have IPv6 connectivity, changing `ip_lookup_strategy` to match
 your setup can help reduce unnecessary AAAA queries
 (`1 - Ipv4Only (Only query for A records, no AAAA/IPv6)`).
 If your DNS server supports it, some users have reported enabling
 `query_over_tcp_only` to force only TCP querying by default has improved DNS
 reliability at a slight performance cost due to TCP overhead.
 ## RocksDB / database issues
--- a/flake.lock
+++ b/flake.lock
@@ -3,11 +3,11 @@
    "advisory-db": {
      "flake": false,
      "locked": {
-        "lastModified": 1773786698,
+        "lastModified": 1775907537,
-        "narHash": "sha256-o/J7ZculgwSs1L4H4UFlFZENOXTJzq1X0n71x6oNNvY=",
+        "narHash": "sha256-vbeLNgmsx1Z6TwnlDV0dKyeBCcon3UpkV9yLr/yc6HM=",
        "owner": "rustsec",
        "repo": "advisory-db",
-        "rev": "99e9de91bb8b61f06ef234ff84e11f758ecd5384",
+        "rev": "d99f7b9eb81731bddebf80a355f8be7b2f8b1b28",
        "type": "github"
      },
      "original": {
@@ -18,11 +18,11 @@
    },
    "crane": {
      "locked": {
-        "lastModified": 1773189535,
+        "lastModified": 1775839657,
-        "narHash": "sha256-E1G/Or6MWeP+L6mpQ0iTFLpzSzlpGrITfU2220Gq47g=",
+        "narHash": "sha256-SPm9ck7jh3Un9nwPuMGbRU04UroFmOHjLP56T10MOeM=",
        "owner": "ipetkov",
        "repo": "crane",
-        "rev": "6fa2fb4cf4a89ba49fc9dd5a3eb6cde99d388269",
+        "rev": "7cf72d978629469c4bd4206b95c402514c1f6000",
        "type": "github"
      },
      "original": {
@@ -39,11 +39,11 @@
        "rust-analyzer-src": "rust-analyzer-src"
      },
      "locked": {
-        "lastModified": 1773732206,
+        "lastModified": 1775891769,
-        "narHash": "sha256-HKibxaUXyWd4Hs+ZUnwo6XslvaFqFqJh66uL9tphU4Q=",
+        "narHash": "sha256-EOfVlTKw2n8w1uhfh46GS4hEGnQ7oWrIWQfIY6utIkI=",
        "owner": "nix-community",
        "repo": "fenix",
-        "rev": "0aa13c1b54063a8d8679b28a5cd357ba98f4a56b",
+        "rev": "6fbc54dde15aee725bdc7aae5e478849685d5f56",
        "type": "github"
      },
      "original": {
@@ -74,11 +74,11 @@
        "nixpkgs-lib": "nixpkgs-lib"
      },
      "locked": {
-        "lastModified": 1772408722,
+        "lastModified": 1775087534,
-        "narHash": "sha256-rHuJtdcOjK7rAHpHphUb1iCvgkU3GpfvicLMwwnfMT0=",
+        "narHash": "sha256-91qqW8lhL7TLwgQWijoGBbiD4t7/q75KTi8NxjVmSmA=",
        "owner": "hercules-ci",
        "repo": "flake-parts",
-        "rev": "f20dc5d9b8027381c474144ecabc9034d6a839a3",
+        "rev": "3107b77cd68437b9a76194f0f7f9c55f2329ca5b",
        "type": "github"
      },
      "original": {
@@ -89,11 +89,11 @@
    },
    "nixpkgs": {
      "locked": {
-        "lastModified": 1773734432,
+        "lastModified": 1775710090,
-        "narHash": "sha256-IF5ppUWh6gHGHYDbtVUyhwy/i7D261P7fWD1bPefOsw=",
+        "narHash": "sha256-ar3rofg+awPB8QXDaFJhJ2jJhu+KqN/PRCXeyuXR76E=",
        "owner": "NixOS",
        "repo": "nixpkgs",
-        "rev": "cda48547b432e8d3b18b4180ba07473762ec8558",
+        "rev": "4c1018dae018162ec878d42fec712642d214fdfa",
        "type": "github"
      },
      "original": {
@@ -105,11 +105,11 @@
    },
    "nixpkgs-lib": {
      "locked": {
-        "lastModified": 1772328832,
+        "lastModified": 1774748309,
-        "narHash": "sha256-e+/T/pmEkLP6BHhYjx6GmwP5ivonQQn0bJdH9YrRB+Q=",
+        "narHash": "sha256-+U7gF3qxzwD5TZuANzZPeJTZRHS29OFQgkQ2kiTJBIQ=",
        "owner": "nix-community",
        "repo": "nixpkgs.lib",
-        "rev": "c185c7a5e5dd8f9add5b2f8ebeff00888b070742",
+        "rev": "333c4e0545a6da976206c74db8773a1645b5870a",
        "type": "github"
      },
      "original": {
@@ -132,11 +132,11 @@
    "rust-analyzer-src": {
      "flake": false,
      "locked": {
-        "lastModified": 1773697963,
+        "lastModified": 1775843361,
-        "narHash": "sha256-xdKI77It9PM6eNrCcDZsnP4SKulZwk8VkDgBRVMnCb8=",
+        "narHash": "sha256-j53ZgyDvmYf3Sjh1IPvvTjqa614qUfVQSzj59+MpzkY=",
        "owner": "rust-lang",
        "repo": "rust-analyzer",
-        "rev": "2993637174252ff60a582fd1f55b9ab52c39db6d",
+        "rev": "9eb97ea96d8400e8957ddd56702e962614296583",
        "type": "github"
      },
      "original": {
@@ -153,11 +153,11 @@
        ]
      },
      "locked": {
-        "lastModified": 1773297127,
+        "lastModified": 1775636079,
-        "narHash": "sha256-6E/yhXP7Oy/NbXtf1ktzmU8SdVqJQ09HC/48ebEGBpk=",
+        "narHash": "sha256-pc20NRoMdiar8oPQceQT47UUZMBTiMdUuWrYu2obUP0=",
        "owner": "numtide",
        "repo": "treefmt-nix",
-        "rev": "71b125cd05fbfd78cab3e070b73544abe24c5016",
+        "rev": "790751ff7fd3801feeaf96d7dc416a8d581265ba",
        "type": "github"
      },
      "original": {
--- a/flake.nix
+++ b/flake.nix
@@ -29,7 +29,6 @@
      url = "github:edolstra/flake-compat?ref=master";
      flake = false;
    };
  };
  outputs =
@@ -37,10 +36,10 @@
    flake-parts.lib.mkFlake { inherit inputs; } {
      imports = [ ./nix ];
      systems = [
        # good support
        "x86_64-linux"
        # support untested but theoretically there
        "aarch64-linux"
        # support untested but theoretically there
        "aarch64-darwin"
      ];
    };
 }
--- a/nix/checks/default.nix
+++ b/nix/checks/default.nix
@@ -1,107 +0,0 @@
 { inputs, ... }:
 {
  perSystem =
    {
      self',
      lib,
      pkgs,
      ...
    }:
    let
      uwulib = inputs.self.uwulib.init pkgs;
      rocksdbAllFeatures = self'.packages.rocksdb.override {
        enableJemalloc = true;
      };
      commonAttrs = (uwulib.build.commonAttrs { }) // {
        buildInputs = [
          pkgs.liburing
          pkgs.rust-jemalloc-sys-unprefixed
          rocksdbAllFeatures
        ];
        nativeBuildInputs = [
          pkgs.pkg-config
          # bindgen needs the build platform's libclang. Apparently due to "splicing
          # weirdness", pkgs.rustPlatform.bindgenHook on its own doesn't quite do the
          # right thing here.
          pkgs.rustPlatform.bindgenHook
        ];
        env = {
          LIBCLANG_PATH = lib.makeLibraryPath [ pkgs.llvmPackages.libclang.lib ];
          LD_LIBRARY_PATH = lib.makeLibraryPath [
            pkgs.liburing
            pkgs.rust-jemalloc-sys-unprefixed
            rocksdbAllFeatures
          ];
        }
        // uwulib.environment.buildPackageEnv
        // {
          ROCKSDB_INCLUDE_DIR = "${rocksdbAllFeatures}/include";
          ROCKSDB_LIB_DIR = "${rocksdbAllFeatures}/lib";
        };
      };
      cargoArtifacts = self'.packages.continuwuity-all-features-deps;
    in
    {
      # taken from
      #
      # https://crane.dev/examples/quick-start.html
      checks = {
        continuwuity-all-features-build = self'.packages.continuwuity-all-features-bin;
        continuwuity-all-features-clippy = uwulib.build.craneLibForChecks.cargoClippy (
          commonAttrs
          // {
            inherit cargoArtifacts;
            cargoClippyExtraArgs = "-- --deny warnings";
          }
        );
        continuwuity-all-features-docs = uwulib.build.craneLibForChecks.cargoDoc (
          commonAttrs
          // {
            inherit cargoArtifacts;
            # This can be commented out or tweaked as necessary, e.g. set to
            # `--deny rustdoc::broken-intra-doc-links` to only enforce that lint
            env.RUSTDOCFLAGS = "--deny warnings";
          }
        );
        # Check formatting
        continuwuity-all-features-fmt = uwulib.build.craneLibForChecks.cargoFmt {
          src = uwulib.build.src;
        };
        continuwuity-all-features-toml-fmt = uwulib.build.craneLibForChecks.taploFmt {
          src = pkgs.lib.sources.sourceFilesBySuffices uwulib.build.src [ ".toml" ];
          # taplo arguments can be further customized below as needed
          taploExtraArgs = "--config ${inputs.self}/taplo.toml";
        };
        # Audit dependencies
        continuwuity-all-features-audit = uwulib.build.craneLibForChecks.cargoAudit {
          inherit (inputs) advisory-db;
          src = uwulib.build.src;
        };
        # Audit licenses
        continuwuity-all-features-deny = uwulib.build.craneLibForChecks.cargoDeny {
          src = uwulib.build.src;
        };
        # Run tests with cargo-nextest
        # Consider setting `doCheck = false` on `continuwuity-all-features` if you do not want
        # the tests to run twice
        continuwuity-all-features-nextest = uwulib.build.craneLibForChecks.cargoNextest (
          commonAttrs
          // {
            inherit cargoArtifacts;
            partitions = 1;
            partitionType = "count";
            cargoNextestPartitionsExtraArgs = "--no-tests=pass";
          }
        );
      };
    };
 }
--- a/nix/crane.nix
+++ b/nix/crane.nix
@@ -0,0 +1,14 @@
 { inputs, ... }:
 {
  perSystem =
    {
      pkgs,
      self',
      ...
    }:
    {
      _module.args.craneLib = (inputs.crane.mkLib pkgs).overrideToolchain (
        pkgs: self'.packages.stable-toolchain
      );
    };
 }
--- a/nix/default.nix
+++ b/nix/default.nix
@@ -1,11 +1,10 @@
 {
  imports = [
-    ./checks
+    ./rust.nix
    ./crane.nix
    ./packages
-    ./shells
+    ./devshell.nix
    ./tests
    ./hydra.nix
    ./fmt.nix
    ./rocksdb-updater.nix
  ];
 }
--- a/nix/devshell.nix
+++ b/nix/devshell.nix
@@ -0,0 +1,42 @@
 {
  perSystem =
    {
      craneLib,
      self',
      lib,
      pkgs,
      ...
    }:
    {
      # basic nix shell containing all things necessary to build continuwuity in all flavors manually (on x86_64-linux)
      devShells.default = craneLib.devShell {
        packages = [
          self'.packages.rocksdb
          pkgs.nodejs
          pkgs.pkg-config
        ]
        ++ lib.optionals pkgs.stdenv.isLinux [
          pkgs.liburing
          pkgs.rust-jemalloc-sys-unprefixed
        ];
        env = {
          LIBCLANG_PATH = lib.makeLibraryPath [ pkgs.llvmPackages.libclang.lib ];
          LD_LIBRARY_PATH = lib.makeLibraryPath (
            [
              pkgs.stdenv.cc.cc.lib
            ]
            ++ lib.optionals pkgs.stdenv.isLinux [
              pkgs.liburing
              pkgs.jemalloc
            ]
          );
        }
        // lib.optionalAttrs pkgs.stdenv.isLinux {
          PKG_CONFIG_PATH = lib.makeSearchPath "lib/pkgconfig" [
            pkgs.liburing.dev
          ];
        };
      };
    };
 }
--- a/nix/hydra.nix
+++ b/nix/hydra.nix
@@ -1,9 +0,0 @@
 { inputs, ... }:
 let
  lib = inputs.nixpkgs.lib;
 in
 {
  flake.hydraJobs.packages = builtins.mapAttrs (
    _name: lib.hydraJob
  ) inputs.self.packages.x86_64-linux;
 }
--- a/nix/packages/continuwuity.nix
+++ b/nix/packages/continuwuity.nix
@@ -0,0 +1,69 @@
 {
  lib,
  self,
  stdenv,
  liburing,
  craneLib,
  pkg-config,
  callPackage,
  rustPlatform,
  cargoExtraArgs ? "",
  rustflags ? "",
  rocksdb ? callPackage ./rocksdb.nix { },
  profile ? "release",
 }:
 let
  # see https://crane.dev/API.html#cranelibfiltercargosources
  # we need to keep the `web` directory which would be filtered out by the regular source filtering function
  # https://crane.dev/API.html#cranelibcleancargosource
  isWebTemplate = path: _type: builtins.match ".*(src/(web|service)|docs).*" path != null;
  isRust = craneLib.filterCargoSources;
  isNix = path: _type: builtins.match ".+/nix.*" path != null;
  webOrRustNotNix = p: t: !(isNix p t) && (isWebTemplate p t || isRust p t);
  src = lib.cleanSourceWith {
    src = self;
    filter = webOrRustNotNix;
    name = "source";
  };
  attrs = {
    inherit src;
    nativeBuildInputs = [
      pkg-config
      rustPlatform.bindgenHook
    ];
    buildInputs = lib.optionals stdenv.hostPlatform.isLinux [ liburing ];
    env = {
      ROCKSDB_INCLUDE_DIR = "${rocksdb}/include";
      ROCKSDB_LIB_DIR = "${rocksdb}/lib";
      CARGO_PROFILE = profile;
      RUSTFLAGS = rustflags;
    };
  };
 in
 craneLib.buildPackage (
  lib.recursiveUpdate attrs {
    inherit cargoExtraArgs;
    cargoArtifacts = craneLib.buildDepsOnly attrs;
    # Needed to make continuwuity link to rocksdb
    postFixup = lib.optionalString stdenv.hostPlatform.isLinux ''
      old_rpath="$(patchelf --print-rpath $out/bin/conduwuit)"
      extra_rpath="${
        lib.makeLibraryPath [
          rocksdb
        ]
      }"
      patchelf  --set-rpath "$old_rpath:$extra_rpath" $out/bin/conduwuit
    '';
    meta = {
      description = "A community-driven Matrix homeserver in Rust";
      mainProgram = "conduwuit";
      platforms = lib.platforms.all;
      maintainers = with lib.maintainers; [ quadradical ];
    };
  }
 )
--- a/nix/packages/continuwuity/default.nix
+++ b/nix/packages/continuwuity/default.nix
@@ -1,59 +0,0 @@
 { inputs, ... }:
 {
  perSystem =
    {
      self',
      lib,
      pkgs,
      ...
    }:
    let
      uwulib = inputs.self.uwulib.init pkgs;
    in
    {
      packages =
        lib.pipe
          [
            # this is the default variant
            {
              variantName = "default";
              commonAttrsArgs.profile = "release";
              rocksdb = self'.packages.rocksdb;
              features = { };
            }
            # this is the variant with all features enabled (liburing + jemalloc)
            {
              variantName = "all-features";
              commonAttrsArgs.profile = "release";
              rocksdb = self'.packages.rocksdb.override {
                enableJemalloc = true;
              };
              features = {
                enabledFeatures = "all";
                disabledFeatures = uwulib.features.defaultDisabledFeatures ++ [ "bindgen-static" ];
              };
            }
          ]
          [
            (builtins.map (cfg: rec {
              deps = {
                name = "continuwuity-${cfg.variantName}-deps";
                value = uwulib.build.buildDeps {
                  features = uwulib.features.calcFeatures cfg.features;
                  inherit (cfg) commonAttrsArgs rocksdb;
                };
              };
              bin = {
                name = "continuwuity-${cfg.variantName}-bin";
                value = uwulib.build.buildPackage {
                  deps = self'.packages.${deps.name};
                  features = uwulib.features.calcFeatures cfg.features;
                  inherit (cfg) commonAttrsArgs rocksdb;
                };
              };
            }))
            (builtins.concatMap builtins.attrValues)
            builtins.listToAttrs
          ];
    };
 }
--- a/nix/packages/default.nix
+++ b/nix/packages/default.nix
@@ -1,14 +1,34 @@
 {
-  imports = [
+  self,
-    ./continuwuity
+  ...
-    ./rocksdb
+}:
-    ./rust.nix
+{
    ./uwulib
  ];
  perSystem =
    { self', ... }:
    {
-      packages.default = self'.packages.continuwuity-default-bin;
+      self',
      pkgs,
      craneLib,
      ...
    }:
    {
      packages = {
        rocksdb = pkgs.callPackage ./rocksdb.nix { };
        default = pkgs.callPackage ./continuwuity.nix {
          inherit self craneLib;
          # extra features via `cargoExtraArgs`
          cargoExtraArgs = "-F http3";
          # extra RUSTFLAGS via `rustflags`
          # the stuff below is required for http3
          rustflags = "--cfg reqwest_unstable";
        };
        # users may also override this with other cargo profiles to build for other feature sets
        #
        # other examples include:
        #
        # - release-high-perf
        max-perf = self'.packages.default.override {
          profile = "release-max-perf";
        };
      };
    };
 }
--- a/nix/packages/rocksdb.nix
+++ b/nix/packages/rocksdb.nix
@@ -0,0 +1,34 @@
 {
  stdenv,
  rocksdb,
  fetchFromGitea,
  rust-jemalloc-sys-unprefixed,
  ...
 }:
 (rocksdb.override {
  # rocksdb fails to build with prefixed jemalloc, which is required on
  # darwin due to [1]. In this case, fall back to building rocksdb with
  # libc malloc. This should not cause conflicts, because all of the
  # jemalloc symbols are prefixed.
  #
  # [1]: https://github.com/tikv/jemallocator/blob/ab0676d77e81268cd09b059260c75b38dbef2d51/jemalloc-sys/src/env.rs#L17
  jemalloc = rust-jemalloc-sys-unprefixed;
  enableJemalloc = stdenv.hostPlatform.isLinux;
 }).overrideAttrs
  ({
    version = "continuwuity-v0.5.0-unstable-2026-03-27";
    src = fetchFromGitea {
      domain = "forgejo.ellis.link";
      owner = "continuwuation";
      repo = "rocksdb";
      rev = "463f47afceebfe088f6922420265546bd237f249";
      hash = "sha256-1ef75IDMs5Hba4VWEyXPJb02JyShy5k4gJfzGDhopRk=";
    };
    # We have this already at https://forgejo.ellis.link/continuwuation/rocksdb/commit/a935c0273e1ba44eacf88ce3685a9b9831486155
    # Unsetting `patches` so we don't have to revert it and make this nix exclusive
    patches = [ ];
    # Unset postPatch, as our version override breaks version-specific sed calls in the original package
    postPatch = "";
  })
--- a/nix/packages/rocksdb/default.nix
+++ b/nix/packages/rocksdb/default.nix
@@ -1,12 +0,0 @@
 {
  perSystem =
    {
      pkgs,
      ...
    }:
    {
      packages = {
        rocksdb = pkgs.callPackage ./package.nix { };
      };
    };
 }
--- a/nix/packages/rocksdb/package.nix
+++ b/nix/packages/rocksdb/package.nix
@@ -1,87 +0,0 @@
 {
  lib,
  stdenv,
  rocksdb,
  liburing,
  rust-jemalloc-sys-unprefixed,
  enableJemalloc ? false,
  fetchFromGitea,
  ...
 }:
 let
  notDarwin = !stdenv.hostPlatform.isDarwin;
 in
 (rocksdb.override {
  # Override the liburing input for the build with our own so
  # we have it built with the library flag
  inherit liburing;
  jemalloc = rust-jemalloc-sys-unprefixed;
  # rocksdb fails to build with prefixed jemalloc, which is required on
  # darwin due to [1]. In this case, fall back to building rocksdb with
  # libc malloc. This should not cause conflicts, because all of the
  # jemalloc symbols are prefixed.
  #
  # [1]: https://github.com/tikv/jemallocator/blob/ab0676d77e81268cd09b059260c75b38dbef2d51/jemalloc-sys/src/env.rs#L17
  enableJemalloc = enableJemalloc && notDarwin;
  # for some reason enableLiburing in nixpkgs rocksdb is default true
  # which breaks Darwin entirely
  enableLiburing = notDarwin;
 }).overrideAttrs
  (old: {
    src = fetchFromGitea {
      domain = "forgejo.ellis.link";
      owner = "continuwuation";
      repo = "rocksdb";
      rev = "10.5.fb";
      sha256 = "sha256-X4ApGLkHF9ceBtBg77dimEpu720I79ffLoyPa8JMHaU=";
    };
    version = "10.5.fb";
    cmakeFlags =
      lib.subtractLists (builtins.map (flag: lib.cmakeBool flag true) [
        # No real reason to have snappy or zlib, no one uses this
        "WITH_SNAPPY"
        "ZLIB"
        "WITH_ZLIB"
        # We don't need to use ldb or sst_dump (core_tools)
        "WITH_CORE_TOOLS"
        # We don't need to build rocksdb tests
        "WITH_TESTS"
        # We use rust-rocksdb via C interface and don't need C++ RTTI
        "USE_RTTI"
        # This doesn't exist in RocksDB, and USE_SSE is deprecated for
        # PORTABLE=$(march)
        "FORCE_SSE42"
      ]) old.cmakeFlags
      ++ (builtins.map (flag: lib.cmakeBool flag false) [
        # No real reason to have snappy, no one uses this
        "WITH_SNAPPY"
        "ZLIB"
        "WITH_ZLIB"
        # We don't need to use ldb or sst_dump (core_tools)
        "WITH_CORE_TOOLS"
        # We don't need trace tools
        "WITH_TRACE_TOOLS"
        # We don't need to build rocksdb tests
        "WITH_TESTS"
        # We use rust-rocksdb via C interface and don't need C++ RTTI
        "USE_RTTI"
      ]);
    enableLiburing = notDarwin;
    # outputs has "tools" which we don't need or use
    outputs = [ "out" ];
    # preInstall hooks has stuff for messing with ldb/sst_dump which we don't need or use
    preInstall = "";
    # We have this already at https://forgejo.ellis.link/continuwuation/rocksdb/commit/a935c0273e1ba44eacf88ce3685a9b9831486155
    # Unsetting `patches` so we don't have to revert it and make this nix exclusive
    patches = [ ];
  })
--- a/nix/packages/uwulib/build.nix
+++ b/nix/packages/uwulib/build.nix
@@ -1,122 +0,0 @@
 args@{ pkgs, inputs, ... }:
 let
  inherit (pkgs) lib;
  uwuenv = import ./environment.nix args;
  selfpkgs = inputs.self.packages.${pkgs.stdenv.system};
 in
 rec {
  # basic, very minimal instance of the crane library with a minimal rust toolchain
  craneLib = (inputs.crane.mkLib pkgs).overrideToolchain (_: selfpkgs.build-toolchain);
  # the checks require more rust toolchain components, hence we have this separate instance of the crane library
  craneLibForChecks = (inputs.crane.mkLib pkgs).overrideToolchain (_: selfpkgs.dev-toolchain);
  # meta information (name, version, etc) of the rust crate based on the Cargo.toml
  crateInfo = craneLib.crateNameFromCargoToml { cargoToml = "${inputs.self}/Cargo.toml"; };
  src =
    let
      # see https://crane.dev/API.html#cranelibfiltercargosources
      #
      # we need to keep the `web` directory which would be filtered out by the regular source filtering function
      #
      # https://crane.dev/API.html#cranelibcleancargosource
      isWebTemplate = path: _type: builtins.match ".*(src/(web|service)|docs).*" path != null;
      isRust = craneLib.filterCargoSources;
      isNix = path: _type: builtins.match ".+/nix.*" path != null;
      webOrRustNotNix = p: t: !(isNix p t) && (isWebTemplate p t || isRust p t);
    in
    lib.cleanSourceWith {
      src = inputs.self;
      filter = webOrRustNotNix;
      name = "source";
    };
  # common attrs that are shared between building continuwuity's deps and the package itself
  commonAttrs =
    {
      profile ? "dev",
      ...
    }:
    {
      inherit (crateInfo)
        pname
        version
        ;
      inherit src;
      # this prevents unnecessary rebuilds
      strictDeps = true;
      dontStrip = profile == "dev" || profile == "test";
      dontPatchELF = profile == "dev" || profile == "test";
      doCheck = true;
      nativeBuildInputs = [
        # bindgen needs the build platform's libclang. Apparently due to "splicing
        # weirdness", pkgs.rustPlatform.bindgenHook on its own doesn't quite do the
        # right thing here.
        pkgs.rustPlatform.bindgenHook
      ];
    };
  makeRocksDBEnv =
    { rocksdb }:
    {
      ROCKSDB_INCLUDE_DIR = "${rocksdb}/include";
      ROCKSDB_LIB_DIR = "${rocksdb}/lib";
    };
  # function that builds the continuwuity dependencies derivation
  buildDeps =
    {
      rocksdb,
      features,
      commonAttrsArgs,
    }:
    craneLib.buildDepsOnly (
      (commonAttrs commonAttrsArgs)
      // {
        env = uwuenv.buildDepsOnlyEnv
              // (makeRocksDBEnv { inherit rocksdb; })
              // {
                # required since we started using unstable reqwest apparently ... otherwise the all-features build will fail
                RUSTFLAGS = "--cfg reqwest_unstable";
              };
        inherit (features) cargoExtraArgs;
      }
    );
  # function that builds the continuwuity package
  buildPackage =
    {
      deps,
      rocksdb,
      features,
      commonAttrsArgs,
    }:
    let
      rocksdbEnv = makeRocksDBEnv { inherit rocksdb; };
    in
    craneLib.buildPackage (
      (commonAttrs commonAttrsArgs)
      // {
        postFixup = ''
          patchelf --set-rpath "$(${pkgs.patchelf}/bin/patchelf --print-rpath $out/bin/${crateInfo.pname}):${rocksdb}/lib" $out/bin/${crateInfo.pname}
        '';
        cargoArtifacts = deps;
        doCheck = true;
        env =
          uwuenv.buildPackageEnv
          // rocksdbEnv
          // {
            # required since we started using unstable reqwest apparently ... otherwise the all-features build will fail
            RUSTFLAGS = "--cfg reqwest_unstable";
          };
        passthru.env = uwuenv.buildPackageEnv // rocksdbEnv;
        meta.mainProgram = crateInfo.pname;
        inherit (features) cargoExtraArgs;
      }
    );
 }
--- a/nix/packages/uwulib/default.nix
+++ b/nix/packages/uwulib/default.nix
@@ -1,10 +0,0 @@
 { inputs, ... }:
 {
  flake.uwulib = {
    init = pkgs: {
      features = import ./features.nix { inherit pkgs inputs; };
      environment = import ./environment.nix { inherit pkgs inputs; };
      build = import ./build.nix { inherit pkgs inputs; };
    };
  };
 }
--- a/nix/packages/uwulib/environment.nix
+++ b/nix/packages/uwulib/environment.nix
@@ -1,18 +0,0 @@
 args@{ pkgs, inputs, ... }:
 let
  uwubuild = import ./build.nix args;
 in
 rec {
  buildDepsOnlyEnv = {
    # https://crane.dev/faq/rebuilds-bindgen.html
    NIX_OUTPATH_USED_AS_RANDOM_SEED = "aaaaaaaaaa";
    CARGO_PROFILE = "release";
  }
  // uwubuild.craneLib.mkCrossToolchainEnv (p: pkgs.clangStdenv);
  buildPackageEnv = {
    GIT_COMMIT_HASH = inputs.self.rev or inputs.self.dirtyRev or "";
    GIT_COMMIT_HASH_SHORT = inputs.self.shortRev or inputs.self.dirtyShortRev or "";
  }
  // buildDepsOnlyEnv;
 }
--- a/nix/packages/uwulib/features.nix
+++ b/nix/packages/uwulib/features.nix
@@ -1,77 +0,0 @@
 { pkgs, inputs, ... }:
 let
  inherit (pkgs) lib;
 in
 rec {
  defaultDisabledFeatures = [
    # dont include experimental features
    "experimental"
    # jemalloc profiling/stats features are expensive and shouldn't
    # be expected on non-debug builds.
    "jemalloc_prof"
    "jemalloc_stats"
    # this is non-functional on nix for some reason
    "hardened_malloc"
    # conduwuit_mods is a development-only hot reload feature
    "conduwuit_mods"
    # we don't want to enable this feature set by default but be more specific about it
    "full"
  ];
  # We perform default-feature unification in nix, because some of the dependencies
  # on the nix side depend on feature values.
  calcFeatures =
    {
      tomlPath ? "${inputs.self}/src/main",
      # either a list of feature names or a string "all" which enables all non-default features
      enabledFeatures ? [ ],
      disabledFeatures ? defaultDisabledFeatures,
      default_features ? true,
      disable_release_max_log_level ? false,
    }:
    let
      # simple helper to get the contents of a Cargo.toml file in a nix format
      getToml = path: lib.importTOML "${path}/Cargo.toml";
      # get all the features except for the default features
      allFeatures = lib.pipe tomlPath [
        getToml
        (manifest: manifest.features)
        lib.attrNames
        (lib.remove "default")
      ];
      # get just the default enabled features
      allDefaultFeatures = lib.pipe tomlPath [
        getToml
        (manifest: manifest.features.default)
      ];
      # depending on the value of enabledFeatures choose just a set or all non-default features
      #
      # - [ list of features ] -> choose exactly the features listed
      # - "all" -> choose all non-default features
      additionalFeatures = if enabledFeatures == "all" then allFeatures else enabledFeatures;
      # unification with default features (if enabled)
      features = lib.unique (additionalFeatures ++ lib.optionals default_features allDefaultFeatures);
      # prepare the features that are subtracted from the set
      disabledFeatures' =
        disabledFeatures ++ lib.optionals disable_release_max_log_level [ "release_max_log_level" ];
      # construct the final feature set
      finalFeatures = lib.subtractLists disabledFeatures' features;
    in
    {
      # final feature set, useful for querying it
      features = finalFeatures;
      # crane flag with the relevant features
      cargoExtraArgs = builtins.concatStringsSep " " [
        "--no-default-features"
        "--locked"
        (lib.optionalString (finalFeatures != [ ]) "--features")
        (builtins.concatStringsSep "," finalFeatures)
      ];
    };
 }
--- a/nix/rocksdb-updater.nix
+++ b/nix/rocksdb-updater.nix
@@ -0,0 +1,14 @@
 {
  perSystem =
    { pkgs, ... }:
    {
      apps.update-rocksdb = {
        type = "app";
        program = pkgs.writeShellApplication {
          name = "update-rocksdb";
          runtimeInputs = [ pkgs.nix-update ];
          text = "nix-update rocksdb -F --version branch";
        };
      };
    };
 }
--- a/nix/packages/rust.nix
+++ b/nix/packages/rust.nix
@@ -4,6 +4,7 @@
    {
      system,
      lib,
      pkgs,
      ...
    }:
    {
@@ -11,7 +12,7 @@
        let
          fnx = inputs.fenix.packages.${system};
-          stable = fnx.fromToolchainFile {
+          stable-toolchain = fnx.fromToolchainFile {
            file = inputs.self + "/rust-toolchain.toml";
            # See also `rust-toolchain.toml`
@@ -19,11 +20,10 @@
          };
        in
        {
-          # used for building nix stuff (doesn't include rustfmt overhead)
+          inherit stable-toolchain;
-          build-toolchain = stable;
+
          # used for dev shells
          dev-toolchain = fnx.combine [
-            stable
+            stable-toolchain
            # use the nightly rustfmt because we use nightly features
            fnx.complete.rustfmt
          ];
--- a/nix/shells/default.nix
+++ b/nix/shells/default.nix
@@ -1,29 +0,0 @@
 { inputs, ... }:
 {
  perSystem =
    {
      self',
      lib,
      pkgs,
      ...
    }:
    let
      uwulib = inputs.self.uwulib.init pkgs;
      rocksdbAllFeatures = self'.packages.rocksdb.override {
        enableJemalloc = true;
      };
    in
    {
      # basic nix shell containing all things necessary to build continuwuity in all flavors manually (on x86_64-linux)
      devShells.default = uwulib.build.craneLib.devShell {
        packages = [
          pkgs.nodejs
          pkgs.pkg-config
          pkgs.liburing
          pkgs.rust-jemalloc-sys-unprefixed
          rocksdbAllFeatures
        ];
        env.LIBCLANG_PATH = lib.makeLibraryPath [ pkgs.llvmPackages.libclang.lib ];
      };
    };
 }
--- a/nix/tests/default.nix
+++ b/nix/tests/default.nix
@@ -1,150 +0,0 @@
 {
  perSystem =
    {
      self',
      lib,
      pkgs,
      ...
    }:
    let
      baseTestScript =
        pkgs.writers.writePython3Bin "do_test" { libraries = [ pkgs.python3Packages.matrix-nio ]; }
          ''
            import asyncio
            import nio
            async def main() -> None:
                # Connect to continuwuity
                client = nio.AsyncClient("http://continuwuity:6167", "alice")
                # Register as user alice
                response = await client.register("alice", "my-secret-password")
                # Log in as user alice
                response = await client.login("my-secret-password")
                # Create a new room
                response = await client.room_create(federate=False)
                print("Matrix room create response:", response)
                assert isinstance(response, nio.RoomCreateResponse)
                room_id = response.room_id
                # Join the room
                response = await client.join(room_id)
                print("Matrix join response:", response)
                assert isinstance(response, nio.JoinResponse)
                # Send a message to the room
                response = await client.room_send(
                    room_id=room_id,
                    message_type="m.room.message",
                    content={
                        "msgtype": "m.text",
                        "body": "Hello continuwuity!"
                    }
                )
                print("Matrix room send response:", response)
                assert isinstance(response, nio.RoomSendResponse)
                # Sync responses
                response = await client.sync(timeout=30000)
                print("Matrix sync response:", response)
                assert isinstance(response, nio.SyncResponse)
                # Check the message was received by continuwuity
                last_message = response.rooms.join[room_id].timeline.events[-1].body
                assert last_message == "Hello continuwuity!"
                # Leave the room
                response = await client.room_leave(room_id)
                print("Matrix room leave response:", response)
                assert isinstance(response, nio.RoomLeaveResponse)
                # Close the client
                await client.close()
            if __name__ == "__main__":
                asyncio.run(main())
          '';
    in
    {
      # run some nixos tests as checks
      checks = lib.pipe self'.packages [
        # we take all packages (names)
        builtins.attrNames
        # we filter out all packages that end with `-bin` (which we are interested in for testing)
        (builtins.filter (lib.hasSuffix "-bin"))
        # for each of these binaries we built the basic nixos test
        #
        # this test was initially yoinked from
        #
        # https://github.com/NixOS/nixpkgs/blob/960ce26339661b1b69c6f12b9063ca51b688615f/nixos/tests/matrix/continuwuity.nix
        (builtins.concatMap (
          name:
          builtins.map
            (
              { config, suffix }:
              {
                name = "test-${name}-${suffix}";
                value = pkgs.testers.runNixOSTest {
                  inherit name;
                  nodes = {
                    continuwuity = {
                      services.matrix-continuwuity = {
                        enable = true;
                        package = self'.packages.${name};
                        settings = config;
                        extraEnvironment.RUST_BACKTRACE = "yes";
                      };
                      networking.firewall.allowedTCPPorts = [ 6167 ];
                    };
                    client.environment.systemPackages = [ baseTestScript ];
                  };
                  testScript = ''
                    start_all()
                    with subtest("start continuwuity"):
                          continuwuity.wait_for_unit("continuwuity.service")
                          continuwuity.wait_for_open_port(6167)
                    with subtest("ensure messages can be exchanged"):
                          client.succeed("${lib.getExe baseTestScript} >&2")
                  '';
                };
              }
            )
            [
              {
                suffix = "base";
                config = {
                  global = {
                    server_name = name;
                    address = [ "0.0.0.0" ];
                    allow_registration = true;
                    yes_i_am_very_very_sure_i_want_an_open_registration_server_prone_to_abuse = true;
                  };
                };
              }
              {
                suffix = "with-room-version";
                config = {
                  global = {
                    server_name = name;
                    address = [ "0.0.0.0" ];
                    allow_registration = true;
                    yes_i_am_very_very_sure_i_want_an_open_registration_server_prone_to_abuse = true;
                    default_room_version = "12";
                  };
                };
              }
            ]
        ))
        builtins.listToAttrs
      ];
    };
 }
--- a/package-lock.json
+++ b/package-lock.json
--- a/pkg/debian/README.md
+++ b/pkg/debian/README.md
@@ -6,7 +6,9 @@ ### Installation
 To add the Continuwuation apt repository:
 ```bash
-# Replace with `"dev"` for bleeding-edge builds at your own risk
+# Component `"stable"` contains all tagged releases. Use `"stable unstable"` to additionally include all pre-releases (alpha, beta, rc,...)
 # Replace with `"dev"` for bleeding-edge builds at your own risk, these contain
 # automatic nightly builds and might or might not work.
 export COMPONENT="stable"
 # Import the Continuwuation signing key
 sudo curl https://forgejo.ellis.link/api/packages/continuwuation/debian/repository.key -o /etc/apt/keyrings/forgejo-continuwuation.asc
--- a/rspress.config.ts
+++ b/rspress.config.ts
@@ -11,6 +11,24 @@ export default defineConfig({
        light: '/assets/logo.svg',
        dark: '/assets/logo.svg',
    },
    markdown: {
        link: {
            checkDeadLinks: {
                excludes: [
                    '/deploying/docker-compose.with-caddy.yml',
                    '/deploying/docker-compose.with-caddy-labels.yml',
                    '/deploying/docker-compose.for-traefik.yml',
                    '/deploying/docker-compose.with-traefik.yml',
                    `/deploying/docker-compose.override.yml`,
                    `/deploying/docker-compose.yml`,
                    '/advanced/delegated.docker-compose.with-caddy.yml',
                    '/advanced/delegated.docker-compose.with-caddy-labels.yml',
                    '/advanced/delegated.docker-compose.for-traefik.yml',
                    '/advanced/delegated.docker-compose.with-traefik.yml',
                ]
            },
        },
    },
    themeConfig: {
        socialLinks: [
            {
--- a/src/admin/Cargo.toml
+++ b/src/admin/Cargo.toml
@@ -2,6 +2,7 @@
 name = "conduwuit_admin"
 description.workspace = true
 edition.workspace = true
 homepage.workspace = true
 license.workspace = true
 readme.workspace = true
 repository.workspace = true
@@ -79,7 +80,9 @@ conduwuit-database.workspace = true
 conduwuit-macros.workspace = true
 conduwuit-service.workspace = true
 const-str.workspace = true
 ctor.workspace = true
 futures.workspace = true
 lettre.workspace = true
 log.workspace = true
 ruma.workspace = true
 serde_json.workspace = true
--- a/src/admin/debug/commands.rs
+++ b/src/admin/debug/commands.rs
@@ -19,6 +19,7 @@
 	warn,
 };
 use futures::{FutureExt, StreamExt, TryStreamExt};
 use lettre::message::Mailbox;
 use ruma::{
 	CanonicalJsonObject, CanonicalJsonValue, EventId, OwnedEventId, OwnedRoomId,
 	OwnedRoomOrAliasId, OwnedServerName, RoomId, RoomVersionId,
@@ -876,3 +877,31 @@ pub(super) async fn trim_memory(&self) -> Result {
 	writeln!(self, "done").await
 }
 #[admin_command]
 pub(super) async fn send_test_email(&self) -> Result {
 	self.bail_restricted()?;
 	let mailer = self.services.mailer.expect_mailer()?;
 	let Some(sender) = self.sender else {
 		return Err!("No sender user provided in context");
 	};
 	let Some(email) = self
 		.services
 		.threepid
 		.get_email_for_localpart(sender.localpart())
 		.await
 	else {
 		return Err!("{} has no associated email address", sender);
 	};
 	mailer
 		.send(Mailbox::new(None, email.clone()), service::mailer::messages::Test)
 		.await?;
 	self.write_str(&format!("Test email successfully sent to {email}"))
 		.await?;
 	Ok(())
 }
--- a/Show More
+++ b/Show More
		`@@ -1 +0,0 @@`
			`Added support for using an admin command to issue self-service password reset links.`
		`@@ -1 +0,0 @@`
			`Stopped left rooms from being unconditionally sent on initial sync, hopefully fixing spurious appearances of left rooms in some clients (and making sync faster as a bonus). Contributed by @ginger`
		`@@ -1 +0,0 @@`
			`Fixed room alias deletion so removing one local alias no longer removes other aliases from room alias listings.`
		`@@ -1 +0,0 @@`
			`Fixed corrupted appservice registrations causing the server to enter a crash loop. Contributed by @nex.`
		`@@ -1 +0,0 @@`
			`Re-added support for reading registration tokens from a file. Contributed by @ginger and @benbot.`
		`@@ -1 +0,0 @@`
			`Added Testing and Troubleshooting instructions for Livekit documentation. Contributed by @stratself.`
		`@@ -1 +0,0 @@`
			Prevent removing the admin room alias (`#admins`) to avoid accidentally breaking admin room functionality. Contributed by @0xnim
		`@@ -1 +0,0 @@`
			Add new config option to allow or disallow search engine indexing through a `<meta ../>` tag. Defaults to blocking indexing (`content="noindex"`). Contributed by @s1lv3r and @ginger.
		`@@ -1 +0,0 @@`
			Stripped `join_authorised_via_users_server` from json if user is already in room (@partha:cxy.run)
		`@@ -1 +0,0 @@`
			`Fixed internal server errors for fetching thumbnails. Contributed by @PerformativeJade`