docs: Changelog

Co-authored-by: Jade Ellis <jade@ellis.link>
Signed-off-by: Jason Volk <jason@zemos.net>

.dockerignore

@@ -1,9 +1,9 @@
 # Local build and dev artifacts
 target/
+!target/debug/conduwuit
 
 # Docker files
 Dockerfile*
-docker/
 
 # IDE files
 .vscode

.forgejo/actions/create-docker-manifest/action.yml

@@ -64,6 +64,7 @@ runs:
       uses: docker/metadata-action@v5
       with:
         flavor: |
+          latest=auto
           suffix=${{ inputs.tag_suffix }},onlatest=true
         tags: |
           type=semver,pattern={{version}},prefix=v
@@ -72,7 +73,6 @@ runs:
           type=ref,event=branch,prefix=${{ format('refs/heads/{0}', github.event.repository.default_branch) != github.ref && 'branch-' || '' }},
           type=ref,event=pr
           type=sha,format=short
-          type=raw,value=latest${{ inputs.tag_suffix }},enable=${{ startsWith(github.ref, 'refs/tags/v') }},priority=1100
         images: ${{ inputs.images }}
         # default labels & annotations: https://github.com/docker/metadata-action/blob/master/src/meta.ts#L509
       env:

.forgejo/pull_request_template.md

@@ -0,0 +1,82 @@
+---
+name: 'New pull request'
+about: 'Open a new pull request to contribute to continuwuity'
+ref: 'main'
+---
+
+<!--
+In order to help reviewers know what your pull request does at a glance, you should ensure that
+
+1. Your PR title is a short, single sentence describing what you changed
+2. You have described in more detail what you have changed, why you have changed it, what the
+   intended effect is, and why you think this will be beneficial to the project.
+
+If you have made any potentially strange/questionable design choices, but didn't feel they'd benefit
+from code comments, please don't mention them here - after opening your pull request,
+go to "files changed", and click on the "+" symbol in the line number gutter,
+and attach comments to the lines that you think would benefit from some clarification.
+-->
+
+This pull request...
+
+<!-- Example:
+This pull request allows us to warp through time and space ten times faster than before by
+double-inverting the warp drive with hyperheated jump fluid, both making the drive faster and more
+efficient. This resolves the common issue where we have to wait more than 10 milliseconds to
+engage, use, and disengage the warp drive when travelling between galaxies.
+-->
+
+<!-- Closes: #... -->
+<!-- Fixes: #...  -->
+<!-- Uncomment the above line(s) if your pull request fixes an issue or closes another pull request
+by superseding it. Replace `#...` with the issue/pr number, such as `#123`. -->
+
+**Pull request checklist:**
+
+<!-- You need to complete these before your PR can be considered.
+If you aren't sure about some, feel free to ask for clarification in #dev:continuwuity.org. -->
+- [ ] This pull request targets the `main` branch, and the branch is named something other than
+      `main`.
+- [ ] I have written an appropriate pull request title and my description is clear.
+- [ ] I understand I am responsible for the contents of this pull request.
+- I have followed the [contributing guidelines][c1]:
+  - [ ] My contribution follows the [code style][c2], if applicable.
+  - [ ] I ran [pre-commit checks][c1pc] before opening/drafting this pull request.
+  - [ ] I have [tested my contribution][c1t] (or proof-read it for documentation-only changes)
+        myself, if applicable. This includes ensuring code compiles.
+  - [ ] My commit messages follow the [commit message format][c1cm] and are descriptive.
+  - [ ] I have written a [news fragment][n1] for this PR, if applicable<!--(can be done after hitting open!)-->.
+
+<!--
+Notes on these requirements:
+
+- While not required, we encourage you to sign your commits with GPG or SSH to attest the
+  authenticity of your changes.
+- While we allow LLM-assisted contributions, we do not appreciate contributions that are
+  low quality, which is typical of machine-generated contributions that have not had a lot of love
+  and care from a human. Please do not open a PR if all you have done is asked ChatGPT to tidy up
+  the codebase with a +-100,000 diff.
+- In the case of code style violations, reviewers may leave review comments/change requests
+  indicating what the ideal change would look like. For example, a reviewer may suggest you lower
+  a log level, or use `match` instead of `if/else` etc.
+- In the case of code style violations, pre-commit check failures, minor things like typos/spelling
+  errors, and in some cases commit format violations, reviewers may modify your branch directly,
+  typically by making changes and adding a commit. Particularly in the latter case, a reviewer may
+  rebase your commits to squash "spammy" ones (like "fix", "fix", "actually fix"), and reword
+  commit messages that don't satisfy the format.
+- Pull requests MUST pass the `Checks` CI workflows to be capable of being merged. This can only be
+  bypassed in exceptional circumstances.
+  If your CI flakes, let us know in matrix:r/dev:continuwuity.org.
+- Pull requests have to be based on the latest `main` commit before being merged. If the main branch
+  changes while you're making your changes, you should make sure you rebase on main before
+  opening a PR. Your branch will be rebased on main before it is merged if it has fallen behind.
+- We typically only do fast-forward merges, so your entire commit log will be included. Once in
+  main, it's difficult to get out cleanly, so put on your best dress, smile for the cameras!
+-->
+
+[c1]: https://forgejo.ellis.link/continuwuation/continuwuity/src/branch/main/CONTRIBUTING.md
+[c2]: https://forgejo.ellis.link/continuwuation/continuwuity/src/branch/main/docs/development/code_style.mdx
+[c1pc]: https://forgejo.ellis.link/continuwuation/continuwuity/src/branch/main/CONTRIBUTING.md#pre-commit-checks
+[c1t]: https://forgejo.ellis.link/continuwuation/continuwuity/src/branch/main/CONTRIBUTING.md#running-tests-locally
+[c1cm]: https://forgejo.ellis.link/continuwuation/continuwuity/src/branch/main/CONTRIBUTING.md#commit-messages
+[n1]: https://towncrier.readthedocs.io/en/stable/tutorial.html#creating-news-fragments

.forgejo/workflows/build-debian.yml

@@ -17,7 +17,7 @@ jobs:
     runs-on: ubuntu-latest
     strategy:
       matrix:
-        container: ["ubuntu-latest", "ubuntu-previous", "debian-latest", "debian-oldstable"]
+        container: [ "ubuntu-latest", "ubuntu-previous", "debian-latest", "debian-oldstable" ]
     container:
       image: "ghcr.io/tcpipuk/act-runner:${{ matrix.container }}"
 
@@ -30,6 +30,28 @@ jobs:
           echo "version=$VERSION" >> $GITHUB_OUTPUT
           echo "distribution=$DISTRIBUTION" >> $GITHUB_OUTPUT
           echo "Debian distribution: $DISTRIBUTION ($VERSION)"
+      - name: Work around llvm-project#153385
+        id: llvm-workaround
+        run: |
+          if [ -f /usr/share/apt/default-sequoia.config ]; then
+            echo "Applying workaround for llvm-project#153385"
+            mkdir -p /etc/crypto-policies/back-ends/
+            cp /usr/share/apt/default-sequoia.config /etc/crypto-policies/back-ends/apt-sequoia.config
+            sed -i 's/\(sha1\.second_preimage_resistance = \)2026-02-01/\12026-06-01/' /etc/crypto-policies/back-ends/apt-sequoia.config
+          else
+            echo "No workaround needed for llvm-project#153385"
+          fi
+      - name: Pick compatible clang version
+        id: clang-version
+        run: |
+          # both latest need to use clang-23, but oldstable and previous can just use clang
+          if [[ "${{ matrix.container }}" == "ubuntu-latest" || "${{ matrix.container }}" == "debian-latest" ]]; then
+            echo "Using clang-23 package for ${{ matrix.container }}"
+            echo "version=clang-23" >> $GITHUB_OUTPUT
+          else
+            echo "Using default clang package for ${{ matrix.container }}"
+            echo "version=clang" >> $GITHUB_OUTPUT
+          fi
 
       - name: Checkout repository with full history
         uses: actions/checkout@v6
@@ -59,10 +81,9 @@ jobs:
           # Aggressive GC since cache restores don't increment counter
           echo "CARGO_INCREMENTAL_GC_TRIGGER=5" >> $GITHUB_ENV
 
-      - name: Setup Rust nightly
+      - name: Setup Rust
         uses: ./.forgejo/actions/setup-rust
         with:
-          rust-version: nightly
           github-token: ${{ secrets.GH_PUBLIC_RO }}
 
       - name: Get package version and component
@@ -106,7 +127,7 @@ jobs:
         run: |
           apt-get update -y
           # Build dependencies for rocksdb
-          apt-get install -y clang liburing-dev
+          apt-get install -y liburing-dev ${{ steps.clang-version.outputs.version }}
 
       - name: Run cargo-deb
         id: cargo-deb

.forgejo/workflows/renovate.yml

@@ -43,7 +43,7 @@ jobs:
     name: Renovate
     runs-on: ubuntu-latest
     container:
-      image: ghcr.io/renovatebot/renovate:42.11.0@sha256:656c1e5b808279eac16c37b89562fb4c699e02fc7e219244f4a1fc2f0a7ce367
+      image: ghcr.io/renovatebot/renovate:42.70.2@sha256:3c2ac1b94fa92ef2fa4d1a0493f2c3ba564454720a32fdbcac2db2846ff1ee47
       options: --tmpfs /tmp:exec
     steps:
       - name: Checkout

.forgejo/workflows/update-flake-hashes.yml

@@ -23,7 +23,7 @@ jobs:
           persist-credentials: true
           token: ${{ secrets.FORGEJO_TOKEN }}
 
-      - uses: https://github.com/cachix/install-nix-action@7ab6e7fd29da88e74b1e314a4ae9ac6b5cda3801 # v31.8.0
+      - uses: https://github.com/cachix/install-nix-action@4e002c8ec80594ecd40e759629461e26c8abed15 # v31.9.0
         with:
           nix_path: nixpkgs=channel:nixos-unstable
 

.github/FUNDING.yml

@@ -1,4 +1,4 @@
-github: [JadedBlueEyes, nexy7574]
+github: [JadedBlueEyes, nexy7574, gingershaped]
 custom:
   - https://ko-fi.com/nexy7574
   - https://ko-fi.com/JadedBlueEyes

.mailmap

@@ -2,6 +2,7 @@ AlexPewMaster <git@alex.unbox.at> <68469103+AlexPewMaster@users.noreply.github.c
 Daniel Wiesenberg <weasy@hotmail.de> <weasy666@gmail.com>
 Devin Ragotzy <devin.ragotzy@gmail.com> <d6ragotzy@wmich.edu>
 Devin Ragotzy <devin.ragotzy@gmail.com> <dragotzy7460@mail.kvcc.edu>
+Ginger <ginger@gingershaped.computer> <75683114+gingershaped@users.noreply.github.com>
 Jonas Platte <jplatte+git@posteo.de> <jplatte+gitlab@posteo.de>
 Jonas Zohren <git-pbkyr@jzohren.de> <gitlab-jfowl-0ux98@sh14.de>
 Jonathan de Jong <jonathan@automatia.nl> <jonathandejong02@gmail.com>
@@ -12,5 +13,6 @@ Olivia Lee <olivia@computer.surgery> <benjamin@computer.surgery>
 Rudi Floren <rudi.floren@gmail.com> <rudi.floren@googlemail.com>
 Tamara Schmitz <tamara.zoe.schmitz@posteo.de> <15906939+tamara-schmitz@users.noreply.github.com>
 Timo Kösters <timo@koesters.xyz>
+nexy7574 <git@nexy7574.co.uk> <nex@noreply.forgejo.ellis.link>
+nexy7574 <git@nexy7574.co.uk> <nex@noreply.localhost>
 x4u <xi.zhu@protonmail.ch> <14617923-x4u@users.noreply.gitlab.com>
-Ginger <ginger@gingershaped.computer> <75683114+gingershaped@users.noreply.github.com>

.pre-commit-config.yaml

@@ -23,7 +23,7 @@ repos:
         - id: check-added-large-files
 
   - repo: https://github.com/crate-ci/typos
-    rev: v1.40.0
+    rev: v1.43.5
     hooks:
       - id: typos
       - id: typos
@@ -31,7 +31,7 @@ repos:
         stages: [commit-msg]
 
   - repo: https://github.com/crate-ci/committed
-    rev: v1.1.8
+    rev: v1.1.10
     hooks:
     - id: committed
 

.typos.toml

@@ -6,14 +6,13 @@ extend-exclude = ["*.csr", "*.lock", "pnpm-lock.yaml"]
 extend-ignore-re = [
     "(?Rm)^.*(#|//|<!--)\\s*spellchecker:disable-line(\\s*-->)$", # Ignore a line by making it trail with a `spellchecker:disable-line` comment
     "^[0-9a-f]{7,}$", # Commit hashes
-
+    "4BA7",
     # some heuristics for base64 strings
     "[A-Za-z0-9+=]{72,}",
     "([A-Za-z0-9+=]|\\\\\\s\\*){72,}",
     "[0-9+][A-Za-z0-9+]{30,}[a-z0-9+]",
     "\\$[A-Z0-9+][A-Za-z0-9+]{6,}[a-z0-9+]",
     "\\b[a-z0-9+/=][A-Za-z0-9+/=]{7,}[a-z0-9+/=][A-Z]\\b",
-
     # In the renovate config
     ".ontainer"
 ]
@@ -24,3 +23,6 @@ extend-ignore-re = [
 "continuwuity" = "continuwuity"
 "continuwity" = "continuwuity"
 "execuse" = "execuse"
+"oltp" = "OTLP"
+
+rememvering = "remembering"

.vscode/settings.json

@@ -7,6 +7,5 @@
         "continuwuity",
         "homeserver",
         "homeservers"
-    ],
-    "rust-analyzer.cargo.features": ["full"]
+    ]
 }

CHANGELOG.md

@@ -0,0 +1,150 @@
+# Continuwuity v0.5.5 (2026-02-15)
+
+## Features
+
+- Added unstable support for [MSC4406:
+  `M_SENDER_IGNORED`](https://github.com/matrix-org/matrix-spec-proposals/pull/4406).
+  Contributed by @nex ([#1308](https://forgejo.ellis.link/continuwuation/continuwuity/pulls/1308))
+- Introduce a resolver command to allow flushing a server from the cache or to flush the complete cache. Contributed by
+  @Omar007 ([#1349](https://forgejo.ellis.link/continuwuation/continuwuity/pulls/1349))
+- Improved the handling of restricted join rules and improved the performance of local-first joins. Contributed by
+  @nex. ([#1368](https://forgejo.ellis.link/continuwuation/continuwuity/pulls/1368))
+- You can now set a custom User Agent for URL previews; the default one has been modified to be less likely to be
+  rejected. Contributed by @trashpanda ([#1372](https://forgejo.ellis.link/continuwuation/continuwuity/pulls/1372))
+- Improved the first-time setup experience for new homeserver administrators:
+    - Account registration is disabled on the first run, except for with a new special registration token that is logged
+      to the console.
+    - Other helpful information is logged to the console as well, including a giant warning if open registration is
+      enabled.
+    - The default index page now says to check the console for setup instructions if no accounts have been created.
+    - Once the first admin account is created, an improved welcome message is sent to the admin room.
+
+  Contributed by @ginger.
+
+## Bugfixes
+
+- Fixed invites sent to other users in the same homeserver not being properly sent down sync. Users with missing or
+  broken invites should clear their client caches after updating to make them appear. ([#1249](https://forgejo.ellis.link/continuwuation/continuwuity/pulls/1249))
+- LDAP-enabled servers will no longer have all admins demoted when LDAP-controlled admins are not configured.
+  Contributed by @Jade ([#1307](https://forgejo.ellis.link/continuwuation/continuwuity/pulls/1307))
+- Fixed sliding sync not resolving wildcard state key requests, enabling Video/Audio calls in Element X. ([#1370](https://forgejo.ellis.link/continuwuation/continuwuity/pulls/1370))
+
+## Misc
+
+- #1344
+
+# Continuwuity v0.5.4 (2026-02-08)
+
+## Features
+
+- The announcement checker will now announce errors it encounters in the first run to the admin room, plus a few other
+  misc improvements. Contributed by @Jade ([#1288](https://forgejo.ellis.link/continuwuation/continuwuity/pulls/1288))
+- Drastically improved the performance and reliability of account deactivations. Contributed by
+  @nex ([#1314](https://forgejo.ellis.link/continuwuation/continuwuity/pulls/1314))
+- Refuse to process requests for and events in rooms that we no longer have any local users in (reduces state resets
+  and improves performance). Contributed by
+  @nex ([#1316](https://forgejo.ellis.link/continuwuation/continuwuity/pulls/1316))
+- Added server-specific admin API routes to ban and unban rooms, for use with moderation bots. Contributed by @nex
+  ([#1301](https://forgejo.ellis.link/continuwuation/continuwuity/pulls/1301))
+
+## Bugfixes
+
+- Fix the generated configuration containing uncommented optional sections. Contributed by
+  @Jade ([#1290](https://forgejo.ellis.link/continuwuation/continuwuity/pulls/1290))
+- Fixed specification non-compliance when handling remote media errors. Contributed by
+  @nex ([#1298](https://forgejo.ellis.link/continuwuation/continuwuity/pulls/1298))
+- UIAA requests which check for out-of-band success (sent by matrix-js-sdk) will no longer create unhelpful errors in
+  the logs. Contributed by @ginger ([#1305](https://forgejo.ellis.link/continuwuation/continuwuity/pulls/1305))
+- Use exists instead of contains to save writing to a buffer in `src/service/users/mod.rs`: `is_login_disabled`.
+  Contributed
+  by @aprilgrimoire. ([#1340](https://forgejo.ellis.link/continuwuation/continuwuity/pulls/1340))
+- Fixed backtraces being swallowed during panics. Contributed by
+  @jade ([#1337](https://forgejo.ellis.link/continuwuation/continuwuity/pulls/1337))
+- Fixed a potential vulnerability that could allow an evil remote server to return malicious events during the room join
+  and knock process. Contributed by @nex, reported by violet & [mat](https://matdoes.dev).
+- Fixed a race condition that could result in outlier PDUs being incorrectly marked as visible to a remote server.
+  Contributed by @nex, reported by violet & [mat](https://matdoes.dev).
+- ACLs are no longer case-sensitive. Contributed by @nex, reported by [vel](matrix:u/vel:nhjkl.com?action=chat).
+
+## Docs
+
+- Fixed Fedora install instructions. Contributed by
+  @julian45 ([#1342](https://forgejo.ellis.link/continuwuation/continuwuity/pulls/1342))
+
+# Continuwuity 0.5.3 (2026-01-12)
+
+## Features
+
+- Improve the display of nested configuration with the `!admin server show-config` command. Contributed by
+  @Jade ([#1279](https://forgejo.ellis.link/continuwuation/continuwuity/pulls/1279))
+
+## Bugfixes
+
+- Fixed `M_BAD_JSON` error when sending invites to other servers or when providing joins. Contributed by
+  @nex ([#1286](https://forgejo.ellis.link/continuwuation/continuwuity/pulls/1286))
+
+## Docs
+
+- Improve admin command documentation generation. Contributed by
+  @ginger ([#1280](https://forgejo.ellis.link/continuwuation/continuwuity/pulls/1280))
+
+## Misc
+
+- Improve timeout-related code for federation and URL previews. Contributed by
+  @Jade ([#1278](https://forgejo.ellis.link/continuwuation/continuwuity/pulls/1278))
+
+# Continuwuity 0.5.2 (2026-01-09)
+
+## Features
+
+- Added support for issuing additional registration tokens, stored in the database, which supplement the existing
+  registration token hardcoded in the config file. These tokens may optionally expire after a certain number of uses or
+  after a certain amount of time has passed. Additionally, the `registration_token_file` configuration option is
+  superseded by this feature and **has been removed**. Use the new `!admin token` command family to manage registration
+  tokens. Contributed by @ginger (#783).
+- Implemented a configuration defined admin list independent of the admin room. Contributed by
+  @Terryiscool160. ([#1253](https://forgejo.ellis.link/continuwuation/continuwuity/pulls/1253))
+- Added support for invite and join anti-spam via Draupnir and Meowlnir, similar to that of synapse-http-antispam.
+  Contributed by @nex. ([#1263](https://forgejo.ellis.link/continuwuation/continuwuity/pulls/1263))
+- Implemented account locking functionality, to complement user suspension. Contributed by
+  @nex. ([#1266](https://forgejo.ellis.link/continuwuation/continuwuity/pulls/1266))
+- Added admin command to forcefully log out all of a user's existing sessions. Contributed by
+  @nex. ([#1271](https://forgejo.ellis.link/continuwuation/continuwuity/pulls/1271))
+- Implemented toggling the ability for an account to log in without mutating any of its data. Contributed by @nex. (
+  [#1272](https://forgejo.ellis.link/continuwuation/continuwuity/pulls/1272))
+- Add support for custom room create event timestamps, to allow generating custom prefixes in hashed room IDs.
+  Contributed by @nex. ([#1277](https://forgejo.ellis.link/continuwuation/continuwuity/pulls/1277))
+- Certain potentially dangerous admin commands are now restricted to only be usable in the admin room and server
+  console. Contributed by @ginger.
+
+## Bugfixes
+
+- Fixed unreliable room summary fetching and improved error messages. Contributed by
+  @nex. ([#1257](https://forgejo.ellis.link/continuwuation/continuwuity/pulls/1257))
+- Client requested timeout parameter is now applied to e2ee key lookups and claims. Related federation requests are now
+  also concurrent. Contributed by @nex. ([#1261](https://forgejo.ellis.link/continuwuation/continuwuity/pulls/1261))
+- Fixed the whoami endpoint returning HTTP 404 instead of HTTP 403, which confused some appservices. Contributed by
+  @nex. ([#1276](https://forgejo.ellis.link/continuwuation/continuwuity/pulls/1276))
+
+## Misc
+
+- The `console` feature is now enabled by default, allowing the server console to be used for running admin commands
+  directly. To automatically open the console on startup, set the `admin_console_automatic` config option to `true`.
+  Contributed by @ginger.
+- We now (finally) document our container image mirrors. Contributed by @Jade
+
+# Continuwuity 0.5.0 (2025-12-30)
+
+**This release contains a CRITICAL vulnerability patch, and you must update as soon as possible**
+
+## Features
+
+- Enabled the OTLP exporter in default builds, and allow configuring the exporter protocol. (
+  @Jade). ([#1251](https://forgejo.ellis.link/continuwuation/continuwuity/pulls/1251))
+
+## Bug Fixes
+
+- Don't allow admin room upgrades, as this can break the admin room (
+  @timedout) ([#1245](https://forgejo.ellis.link/continuwuation/continuwuity/pulls/1245))
+- Fix invalid creators in power levels during upgrade to v12 (
+  @timedout) ([#1245](https://forgejo.ellis.link/continuwuation/continuwuity/pulls/1245))

CONTRIBUTING.md

@@ -85,24 +85,31 @@ ### Matrix tests
 
 ### Writing documentation
 
-Continuwuity's website uses [`mdbook`][mdbook] and is deployed via CI using Cloudflare Pages
+Continuwuity's website uses [`rspress`][rspress] and is deployed via CI using Cloudflare Pages
 in the [`documentation.yml`][documentation.yml] workflow file. All documentation is in the `docs/`
 directory at the top level.
 
-To build the documentation locally:
+To load the documentation locally:
+
+1. Install NodeJS and npm from their [official website][nodejs-download] or via your package manager of choice
+
+2. From the project's root directory, install the relevant npm modules
 
-1. Install mdbook if you don't have it already:
    ```bash
-   cargo install mdbook # or cargo binstall, or another method
+   npm ci
    ```
 
-2. Build the documentation:
+3. Make changes to the document pages as you see fit
+
+4. Generate a live preview of the documentation
+
    ```bash
-   mdbook build
+   npm run docs:dev
    ```
 
-The output of the mdbook generation is in `public/`. You can open the HTML files directly in your browser without needing a web server.
+   A webserver for the docs will be spun up for you (e.g. at `http://localhost:3000`). Any changes you make to the documentation will be live-reloaded on the webpage.
 
+Alternatively, you can build the documentation using `npm run docs:build` - the output of this will be in the `/doc_build` directory. Once you're happy with your documentation updates, you can commit the changes.
 
 ### Commit Messages
 
@@ -169,5 +176,6 @@ ### Creating pull requests
 [continuwuity-matrix]: https://matrix.to/#/#continuwuity:continuwuity.org?via=continuwuity.org&via=ellis.link&via=explodie.org&via=matrix.org
 [complement]: https://github.com/matrix-org/complement/
 [sytest]: https://github.com/matrix-org/sytest/
-[mdbook]: https://rust-lang.github.io/mdBook/
+[nodejs-download]: https://nodejs.org/en/download
+[rspress]: https://rspress.rs/
 [documentation.yml]: https://forgejo.ellis.link/continuwuation/continuwuity/src/branch/main/.forgejo/workflows/documentation.yml

Cargo.toml

@@ -1,27 +1,18 @@
-#cargo-features = ["profile-rustflags"]
-
 [workspace]
 resolver = "2"
-members = ["src/*", "xtask/*"]
+members = ["src/*", "xtask/"]
 default-members = ["src/*"]
 
 [workspace.package]
-authors = [
-    "June Clementine Strawberry <june@girlboss.ceo>",
-    "strawberry <strawberry@puppygock.gay>", # woof
-    "Jason Volk <jason@zemos.net>",
-]
-categories = ["network-programming"]
-description = "a very cool Matrix chat homeserver written in Rust"
+authors = ["Continuwuity Team and contributors <team@continuwuity.org>"]
+description = "A Matrix homeserver written in Rust, the official continuation of the conduwuit homeserver."
 edition = "2024"
 homepage = "https://continuwuity.org/"
-keywords = ["chat", "matrix", "networking", "server", "uwu"]
 license = "Apache-2.0"
 # See also `rust-toolchain.toml`
 readme = "README.md"
 repository = "https://forgejo.ellis.link/continuwuation/continuwuity"
-rust-version = "1.86.0"
-version = "0.5.0-rc.8.1"
+version = "0.5.5"
 
 [workspace.metadata.crane]
 name = "conduwuit"
@@ -33,11 +24,11 @@ features = ["serde"]
 [workspace.dependencies.smallvec]
 version = "1.14.0"
 features = [
-	"const_generics",
-	"const_new",
-	"serde",
-	"union",
-	"write",
+    "const_generics",
+    "const_new",
+    "serde",
+    "union",
+    "write",
 ]
 
 [workspace.dependencies.smallstr]
@@ -77,7 +68,7 @@ default-features = false
 version = "0.1.3"
 
 [workspace.dependencies.rand]
-version = "0.8.5"
+version = "0.10.0"
 
 # Used for the http request / response body type for Ruma endpoints used with reqwest
 [workspace.dependencies.bytes]
@@ -93,20 +84,20 @@ version = "1.3.1"
 version = "1.11.1"
 
 [workspace.dependencies.axum]
-version = "0.7.9"
+version = "0.8.8"
 default-features = false
 features = [
-	"form",
-	"http1",
-	"http2",
-	"json",
-	"matched-path",
-	"tokio",
-	"tracing",
+    "form",
+    "http1",
+    "http2",
+    "json",
+    "matched-path",
+    "tokio",
+    "tracing",
 ]
 
 [workspace.dependencies.axum-extra]
-version = "0.9.6"
+version = "0.12.0"
 default-features = false
 features = ["typed-header", "tracing"]
 
@@ -119,7 +110,7 @@ default-features = false
 version = "0.7"
 
 [workspace.dependencies.axum-client-ip]
-version = "0.6.1"
+version = "0.7"
 
 [workspace.dependencies.tower]
 version = "0.5.2"
@@ -127,7 +118,7 @@ default-features = false
 features = ["util"]
 
 [workspace.dependencies.tower-http]
-version = "0.6.2"
+version = "0.6.8"
 default-features = false
 features = [
     "add-extension",
@@ -149,10 +140,10 @@ features = ["aws_lc_rs"]
 version = "0.12.15"
 default-features = false
 features = [
-	"rustls-tls-native-roots",
-	"socks",
-	"hickory-dns",
-	"http2",
+    "rustls-tls-native-roots",
+    "socks",
+    "hickory-dns",
+    "http2",
 ]
 
 [workspace.dependencies.serde]
@@ -167,7 +158,7 @@ features = ["raw_value"]
 
 # Used for appservice registration files
 [workspace.dependencies.serde-saphyr]
-version = "0.0.10"
+version = "0.0.19"
 
 # Used to load forbidden room/user regex from config
 [workspace.dependencies.serde_regex]
@@ -188,18 +179,18 @@ default-features = false
 version = "0.25.5"
 default-features = false
 features = [
-	"jpeg",
-	"png",
-	"gif",
-	"webp",
+    "jpeg",
+    "png",
+    "gif",
+    "webp",
 ]
 
 [workspace.dependencies.blurhash]
 version = "0.2.3"
 default-features = false
 features = [
-	"fast-linear-to-srgb",
-	"image",
+    "fast-linear-to-srgb",
+    "image",
 ]
 
 # logging
@@ -229,13 +220,13 @@ default-features = false
 version = "4.5.35"
 default-features = false
 features = [
-	"derive",
-	"env",
-	"error-context",
-	"help",
-	"std",
-	"string",
-	"usage",
+    "derive",
+    "env",
+    "error-context",
+    "help",
+    "std",
+    "string",
+    "usage",
 ]
 
 [workspace.dependencies.futures]
@@ -247,22 +238,22 @@ features = ["std", "async-await"]
 version = "1.44.2"
 default-features = false
 features = [
-	"fs",
-	"net",
-	"macros",
-	"sync",
-	"signal",
-	"time",
-	"rt-multi-thread",
-	"io-util",
-	"tracing",
+    "fs",
+    "net",
+    "macros",
+    "sync",
+    "signal",
+    "time",
+    "rt-multi-thread",
+    "io-util",
+    "tracing",
 ]
 
 [workspace.dependencies.tokio-metrics]
 version = "0.4.0"
 
 [workspace.dependencies.libloading]
-version = "0.8.6"
+version = "0.9.0"
 
 # Validating urls in config, was already a transitive dependency
 [workspace.dependencies.url]
@@ -280,18 +271,18 @@ default-features = false
 version = "1.6.0"
 default-features = false
 features = [
-	"server",
-	"http1",
-	"http2",
+    "server",
+    "http1",
+    "http2",
 ]
 
 [workspace.dependencies.hyper-util]
 version = "=0.1.17"
 default-features = false
 features = [
-	"server-auto",
-	"server-graceful",
-	"tokio",
+    "server-auto",
+    "server-graceful",
+    "tokio",
 ]
 
 # to support multiple variations of setting a config option
@@ -307,12 +298,12 @@ default-features = false
 features = ["env", "toml"]
 
 [workspace.dependencies.hickory-resolver]
-version = "0.25.1"
+version = "0.25.2"
 default-features = false
 features = [
-	"serde",
-	"system-config",
-	"tokio",
+    "serde",
+    "system-config",
+    "tokio",
 ]
 
 # Used for conduwuit::Error type
@@ -351,7 +342,8 @@ version = "0.1.2"
 # Used for matrix spec type definitions and helpers
 [workspace.dependencies.ruma]
 git = "https://forgejo.ellis.link/continuwuation/ruwuma"
-rev = "27abe0dcd33fd4056efc94bab3582646b31b6ce9"
+#branch = "conduwuit-changes"
+rev = "bb12ed288a31a23aa11b10ba0fad22b7f985eb88"
 features = [
     "compat",
     "rand",
@@ -371,6 +363,7 @@ features = [
     "unstable-msc2870",
     "unstable-msc3026",
     "unstable-msc3061",
+    "unstable-msc3814",
     "unstable-msc3245",
     "unstable-msc3266",
     "unstable-msc3381", # polls
@@ -381,13 +374,15 @@ features = [
     "unstable-msc4095",
     "unstable-msc4121",
     "unstable-msc4125",
-	"unstable-msc4155",
+    "unstable-msc4155",
     "unstable-msc4186",
     "unstable-msc4203", # sending to-device events to appservices
     "unstable-msc4210", # remove legacy mentions
     "unstable-extensible-events",
     "unstable-pdu",
-	"unstable-msc4155"
+    "unstable-msc4155",
+    "unstable-msc4143", # livekit well_known response
+    "unstable-msc4284"
 ]
 
 [workspace.dependencies.rust-rocksdb]
@@ -395,11 +390,11 @@ git = "https://forgejo.ellis.link/continuwuation/rust-rocksdb-zaidoon1"
 rev = "61d9d23872197e9ace4a477f2617d5c9f50ecb23"
 default-features = false
 features = [
-	"multi-threaded-cf",
-	"mt_static",
-	"lz4",
-	"zstd",
-	"bzip2",
+    "multi-threaded-cf",
+    "mt_static",
+    "lz4",
+    "zstd",
+    "bzip2",
 ]
 
 [workspace.dependencies.sha2]
@@ -426,13 +421,13 @@ features = ["rt-tokio"]
 
 [workspace.dependencies.opentelemetry-otlp]
 version = "0.31.0"
-features = ["http", "trace", "logs", "metrics"]
+features = ["http", "grpc-tonic", "trace", "logs", "metrics"]
 
 
 
 # optional sentry metrics for crash/panic reporting
 [workspace.dependencies.sentry]
-version = "0.45.0"
+version = "0.46.0"
 default-features = false
 features = [
     "backtrace",
@@ -448,9 +443,9 @@ features = [
 ]
 
 [workspace.dependencies.sentry-tracing]
-version = "0.45.0"
+version = "0.46.0"
 [workspace.dependencies.sentry-tower]
-version = "0.45.0"
+version = "0.46.0"
 
 # jemalloc usage
 [workspace.dependencies.tikv-jemalloc-sys]
@@ -458,16 +453,16 @@ git = "https://forgejo.ellis.link/continuwuation/jemallocator"
 rev = "82af58d6a13ddd5dcdc7d4e91eae3b63292995b8"
 default-features = false
 features = [
-	"background_threads_runtime_support",
-	"unprefixed_malloc_on_supported_platforms",
+    "background_threads_runtime_support",
+    "unprefixed_malloc_on_supported_platforms",
 ]
 [workspace.dependencies.tikv-jemallocator]
 git = "https://forgejo.ellis.link/continuwuation/jemallocator"
 rev = "82af58d6a13ddd5dcdc7d4e91eae3b63292995b8"
 default-features = false
 features = [
-	"background_threads_runtime_support",
-	"unprefixed_malloc_on_supported_platforms",
+    "background_threads_runtime_support",
+    "unprefixed_malloc_on_supported_platforms",
 ]
 [workspace.dependencies.tikv-jemalloc-ctl]
 git = "https://forgejo.ellis.link/continuwuation/jemallocator"
@@ -479,7 +474,7 @@ features = ["use_std"]
 version = "0.5"
 
 [workspace.dependencies.nix]
-version = "0.30.1"
+version = "0.31.0"
 default-features = false
 features = ["resource"]
 
@@ -491,9 +486,9 @@ default-features = false
 version = "0.1.2"
 default-features = false
 features = [
-	"static",
-	"gcc",
-	"light",
+    "static",
+    "gcc",
+    "light",
 ]
 
 [workspace.dependencies.rustyline-async]
@@ -557,6 +552,12 @@ features = ["sync", "tls-rustls", "rustls-provider"]
 [workspace.dependencies.resolv-conf]
 version = "0.7.5"
 
+[workspace.dependencies.yansi]
+version = "1.0.1"
+
+[workspace.dependencies.askama]
+version = "0.15.0"
+
 #
 # Patches
 #
@@ -848,6 +849,8 @@ unknown_lints = "allow"
 
 ###################
 cargo = { level = "warn", priority = -1 }
+# Nobody except for us should be consuming these crates, they don't need metadata
+cargo_common_metadata = { level = "allow" }
 
 ## some sadness
 multiple_crate_versions = { level = "allow", priority = 1 }

README.md

@@ -59,7 +59,13 @@ ### Can I try it out?
 
 Check out the [documentation](https://continuwuity.org) for installation instructions.
 
-There are currently no open registration Continuwuity instances available.
+If you want to try it out as a user, we have some partnered homeservers you can use:
+* You can head over to [https://federated.nexus](https://federated.nexus/) in your browser.
+  * Hit the `Apply to Join` button. Once your request has been accepted, you will receive an email with your username and password.
+  * Head over to [https://app.federated.nexus](https://app.federated.nexus/) and you can sign in there, or use any other matrix chat client you wish elsewhere.
+  * Your username for matrix will be in the form of `@username:federated.nexus`, however you can simply use the `username` part to log in. Your password is your password.
+
+* There's also [https://continuwuity.rocks/](https://continuwuity.rocks/). You can register a new account using Cinny via [this convenient link](https://app.cinny.in/register/continuwuity.rocks), or you can use Element or another matrix client *that supports registration*.
 
 ### What are we working on?
 

bin/complement

@@ -2,11 +2,7 @@
 
 set -euo pipefail
 
-# Path to Complement's source code
-#
-# The `COMPLEMENT_SRC` environment variable is set in the Nix dev shell, which
-# points to a store path containing the Complement source code. It's likely you
-# want to just pass that as the first argument to use it here.
+# The root path where complement is available.
 COMPLEMENT_SRC="${COMPLEMENT_SRC:-$1}"
 
 # A `.jsonl` file to write test logs to
@@ -15,7 +11,10 @@ LOG_FILE="${2:-complement_test_logs.jsonl}"
 # A `.jsonl` file to write test results to
 RESULTS_FILE="${3:-complement_test_results.jsonl}"
 
-COMPLEMENT_BASE_IMAGE="${COMPLEMENT_BASE_IMAGE:-complement-conduwuit:main}"
+# The base docker image to use for complement tests
+# You can build the default with `docker build -t continuwuity:complement -f ./docker/complement.Dockerfile .`
+# after running `cargo build`. Only the debug binary is used.
+COMPLEMENT_BASE_IMAGE="${COMPLEMENT_BASE_IMAGE:-continuwuity:complement}"
 
 # Complement tests that are skipped due to flakiness/reliability issues or we don't implement such features and won't for a long time
 SKIPPED_COMPLEMENT_TESTS='TestPartialStateJoin.*|TestRoomDeleteAlias/Parallel/Regular_users_can_add_and_delete_aliases_when_m.*|TestRoomDeleteAlias/Parallel/Can_delete_canonical_alias|TestUnbanViaInvite.*|TestRoomState/Parallel/GET_/publicRooms_lists.*"|TestRoomDeleteAlias/Parallel/Users_with_sufficient_power-level_can_delete_other.*'
@@ -34,25 +33,6 @@ toplevel="$(git rev-parse --show-toplevel)"
 
 pushd "$toplevel" > /dev/null
 
-if [ ! -f "complement_oci_image.tar.gz" ]; then
-    echo "building complement conduwuit image"
-
-    # if using macOS, use linux-complement
-    #bin/nix-build-and-cache just .#linux-complement
-    bin/nix-build-and-cache just .#complement
-    #nix build -L .#complement
-
-    echo "complement conduwuit image tar.gz built at \"result\""
-
-    echo "loading into docker"
-    docker load < result
-    popd > /dev/null
-else
-    echo "skipping building a complement conduwuit image as complement_oci_image.tar.gz was already found, loading this"
-
-    docker load < complement_oci_image.tar.gz
-    popd > /dev/null
-fi
 
 echo ""
 echo "running go test with:"
@@ -72,24 +52,16 @@ env \
 set -o pipefail
 
 # Post-process the results into an easy-to-compare format, sorted by Test name for reproducible results
-cat "$LOG_FILE" | jq -s -c 'sort_by(.Test)[]' | jq -c '
+jq -s -c 'sort_by(.Test)[]' < "$LOG_FILE" | jq -c '
     select(
         (.Action == "pass" or .Action == "fail" or .Action == "skip")
         and .Test != null
     ) | {Action: .Action, Test: .Test}
     ' > "$RESULTS_FILE"
 
-#if command -v gotestfmt &> /dev/null; then
-#    echo "using gotestfmt on $LOG_FILE"
-#    grep '{"Time":' "$LOG_FILE" | gotestfmt > "complement_test_logs_gotestfmt.log"
-#fi
-
 echo ""
 echo ""
 echo "complement logs saved at $LOG_FILE"
 echo "complement results saved at $RESULTS_FILE"
-#if command -v gotestfmt &> /dev/null; then
-#    echo "complement logs in gotestfmt pretty format outputted at complement_test_logs_gotestfmt.log (use an editor/terminal/pager that interprets ANSI colours and UTF-8 emojis)"
-#fi
 echo ""
 echo ""

changelog.d/1393.bugfix

@@ -0,0 +1 @@
+Removed non-compliant nor functional room alias lookups over federation. Contributed by @nex

changelog.d/1399.feature

@@ -0,0 +1 @@
+Outgoing presence is now disabled by default, and the config option documentation has been adjusted to more accurately represent the weight of presence, typing indicators, and read receipts. Contributed by @nex.

changelog.d/1418.bugfix

@@ -0,0 +1 @@
+Removed ability to set rocksdb as read only. Doing so would cause unintentional and buggy behaviour. Contributed by @Terryiscool160.

changelog.d/1421.bugfix

@@ -0,0 +1 @@
+Fixed a startup crash in the sender service if we can't detect the number of CPU cores, even if the `sender_workers' config option is set correctly. Contributed by @katie.

changelog.d/1428.feature

@@ -0,0 +1 @@
+Improved the concurrency handling of federation transactions, vastly improving performance and reliability by more accurately handling inbound transactions and reducing the amount of repeated wasted work. Contributed by @nex and @Jade.

changelog.d/1435.feature.md

@@ -0,0 +1 @@
+Added MSC3202 Device masquerading (not all of MSC3202). This should fix issues with enabling MSC4190 for some Mautrix bridges. Contributed by @Jade

changelog.d/1436.feature.md

@@ -0,0 +1 @@
+Added MSC3814 Dehydrated Devices - you can now decrypt messages sent while all devices were logged out.

changelog.d/1441.bugfix

@@ -0,0 +1 @@
+Removed the `allow_public_room_directory_without_auth` config option. Contributed by @0xnim.

changelog.d/1442.feature

@@ -0,0 +1 @@
+Implement MSC4143 MatrixRTC transport discovery endpoint. Move RTC foci configuration from `[global.well_known]` to a new `[global.matrix_rtc]` section with a `foci` field. Contributed by @0xnim

changelog.d/1445.bugfix

@@ -0,0 +1 @@
+Fixed sliding sync v5 list ranges always starting from 0, causing extra rooms to be unnecessarily processed and returned. Contributed by @0xnim

changelog.d/list-backups-formatting.feature

@@ -0,0 +1 @@
+Updated `list-backups` admin command to output one backup per line.

changelog.d/url-preview-fix.feature

@@ -0,0 +1 @@
+Improved URL preview fetching with a more compatible user agent for sites like YouTube Music. Added `!admin media delete-url-preview <url>` command to clear cached URL previews that were stuck and broken.

complement/complement-entrypoint.sh

@@ -0,0 +1,67 @@
+#!/usr/bin/env bash
+set -xe
+# If we have no $SERVER_NAME set, abort
+if [ -z "$SERVER_NAME" ]; then
+  echo "SERVER_NAME is not set, aborting"
+  exit 1
+fi
+
+# If /complement/ca/ca.crt or /complement/ca/ca.key are missing, abort
+if [ ! -f /complement/ca/ca.crt ] || [ ! -f /complement/ca/ca.key ]; then
+  echo "/complement/ca/ca.crt or /complement/ca/ca.key is missing, aborting"
+  exit 1
+fi
+
+# Add the root cert to the local trust store
+echo 'Installing Complement CA certificate to local trust store'
+cp /complement/ca/ca.crt /usr/local/share/ca-certificates/complement-ca.crt
+update-ca-certificates
+
+# Sign a certificate for our $SERVER_NAME
+echo "Generating and signing certificate for $SERVER_NAME"
+openssl genrsa -out "/$SERVER_NAME.key" 2048
+
+echo "Generating CSR for $SERVER_NAME"
+openssl req -new -sha256 \
+  -key "/$SERVER_NAME.key" \
+  -out "/$SERVER_NAME.csr" \
+  -subj "/C=US/ST=CA/O=Continuwuity, Inc./CN=$SERVER_NAME"\
+  -addext "subjectAltName=DNS:$SERVER_NAME"
+openssl req -in "$SERVER_NAME.csr" -noout -text
+
+echo "Signing certificate for $SERVER_NAME with Complement CA"
+cat <<EOF > ./cert.ext
+authorityKeyIdentifier=keyid,issuer
+basicConstraints = CA:FALSE
+keyUsage = digitalSignature, keyEncipherment, dataEncipherment, nonRepudiation
+extendedKeyUsage = serverAuth
+subjectAltName = @alt_names
+[alt_names]
+DNS.1 = *.docker.internal
+DNS.2 = hs1
+DNS.3 = hs2
+DNS.4 = hs3
+DNS.5 = hs4
+DNS.6 = $SERVER_NAME
+IP.1 = 127.0.0.1
+EOF
+openssl x509 \
+  -req \
+  -in "/$SERVER_NAME.csr" \
+  -CA /complement/ca/ca.crt \
+  -CAkey /complement/ca/ca.key \
+  -CAcreateserial \
+  -out "/$SERVER_NAME.crt" \
+  -days 1 \
+  -sha256 \
+  -extfile ./cert.ext
+
+# Tell continuwuity where to find the certs
+export CONTINUWUITY_TLS__KEY="/$SERVER_NAME.key"
+export CONTINUWUITY_TLS__CERTS="/$SERVER_NAME.crt"
+# And who it is
+export CONTINUWUITY_SERVER_NAME="$SERVER_NAME"
+
+echo "Starting Continuwuity with SERVER_NAME=$SERVER_NAME"
+# Start continuwuity
+/usr/local/bin/conduwuit --config /etc/continuwuity/config.toml

complement/complement.config.toml

@@ -0,0 +1,52 @@
+# ============================================= #
+# Complement pre-filled configuration file      #
+#
+# DANGER: THIS FILE FORCES INSECURE VALUES.     #
+# DO NOT USE OUTSIDE THE TEST SUITE ENV!        #
+# ============================================= #
+[global]
+address = "0.0.0.0"
+allow_device_name_federation = true
+allow_guest_registration = true
+allow_public_room_directory_over_federation = true
+allow_registration = true
+database_path = "/database"
+log = "trace,h2=debug,hyper=debug"
+port = [8008, 8448]
+trusted_servers = []
+only_query_trusted_key_servers = false
+query_trusted_key_servers_first = false
+query_trusted_key_servers_first_on_join = false
+yes_i_am_very_very_sure_i_want_an_open_registration_server_prone_to_abuse = true
+ip_range_denylist = []
+url_preview_domain_contains_allowlist = ["*"]
+url_preview_domain_explicit_denylist = ["*"]
+media_compat_file_link = false
+media_startup_check = true
+prune_missing_media = true
+log_colors = true
+admin_room_notices = false
+allow_check_for_updates = false
+intentionally_unknown_config_option_for_testing = true
+rocksdb_log_level = "info"
+rocksdb_max_log_files = 1
+rocksdb_recovery_mode = 0
+rocksdb_paranoid_file_checks = true
+log_guest_registrations = false
+allow_legacy_media = true
+startup_netburst = true
+startup_netburst_keep = -1
+allow_invalid_tls_certificates_yes_i_know_what_the_fuck_i_am_doing_with_this_and_i_know_this_is_insecure = true
+dns_timeout = 60
+dns_attempts = 20
+request_conn_timeout = 60
+request_timeout = 120
+well_known_conn_timeout = 60
+well_known_timeout = 60
+federation_idle_timeout = 300
+sender_timeout = 300
+sender_idle_timeout = 300
+sender_retry_backoff_limit = 300
+
+[global.tls]
+dual_protocol = true

conduwuit-example.toml

@@ -26,8 +26,8 @@
 # Also see the `[global.well_known]` config section at the very bottom.
 #
 # Examples of delegation:
-# - https://puppygock.gay/.well-known/matrix/server
-# - https://puppygock.gay/.well-known/matrix/client
+# - https://continuwuity.org/.well-known/matrix/server
+# - https://continuwuity.org/.well-known/matrix/client
 #
 # YOU NEED TO EDIT THIS. THIS CANNOT BE CHANGED AFTER WITHOUT A DATABASE
 # WIPE.
@@ -290,6 +290,25 @@
 #
 #max_fetch_prev_events = 192
 
+# How many incoming federation transactions the server is willing to be
+# processing at any given time before it becomes overloaded and starts
+# rejecting further transactions until some slots become available.
+#
+# Setting this value too low or too high may result in unstable
+# federation, and setting it too high may cause runaway resource usage.
+#
+#max_concurrent_inbound_transactions = 150
+
+# Maximum age (in seconds) for cached federation transaction responses.
+# Entries older than this will be removed during cleanup.
+#
+#transaction_id_cache_max_age_secs = 7200 (2 hours)
+
+# Maximum number of cached federation transaction responses.
+# When the cache exceeds this limit, older entries will be removed.
+#
+#transaction_id_cache_max_entries = 8192
+
 # Default/base connection timeout (seconds). This is used only by URL
 # previews and update/news endpoint checks.
 #
@@ -340,7 +359,9 @@
 # this to be high to account for extremely large room joins, slow
 # homeservers, your own resources etc.
 #
-#federation_timeout = 300
+# Joins have 6x the timeout.
+#
+#federation_timeout = 60
 
 # MSC4284 Policy server request timeout (seconds). Generally policy
 # servers should respond near instantly, however may slow down under
@@ -389,7 +410,15 @@
 #
 #appservice_idle_timeout = 300
 
-# Notification gateway pusher idle connection pool timeout.
+# Notification gateway pusher request connection timeout (seconds).
+#
+#pusher_conn_timeout = 15
+
+# Notification gateway pusher total request timeout (seconds).
+#
+#pusher_timeout = 60
+
+# Notification gateway pusher idle connection pool timeout (seconds).
 #
 #pusher_idle_timeout = 15
 
@@ -421,9 +450,9 @@
 # `yes_i_am_very_very_sure_i_want_an_open_registration_server_prone_to_abuse`
 #
 # If you would like registration only via token reg, please configure
-# `registration_token` or `registration_token_file`.
+# `registration_token`.
 #
-#allow_registration = false
+#allow_registration = true
 
 # If registration is enabled, and this setting is true, new users
 # registered after the first admin user will be automatically suspended
@@ -452,22 +481,13 @@
 # `yes_i_am_very_very_sure_i_want_an_open_registration_server_prone_to_abuse`
 # to true to allow open registration without any conditions.
 #
-# YOU NEED TO EDIT THIS OR USE registration_token_file.
+# If you do not want to set a static token, the `!admin token` commands
+# may also be used to manage registration tokens.
 #
 # example: "o&^uCtes4HPf0Vu@F20jQeeWE7"
 #
 #registration_token =
 
-# Path to a file on the system that gets read for additional registration
-# tokens. Multiple tokens can be added if you separate them with
-# whitespace
-#
-# continuwuity must be able to access the file, and it must not be empty
-#
-# example: "/etc/continuwuity/.reg_token"
-#
-#registration_token_file =
-
 # The public site key for reCaptcha. If this is provided, reCaptcha
 # becomes required during registration. If both captcha *and*
 # registration token are enabled, both will be required during
@@ -526,12 +546,6 @@
 #
 #allow_public_room_directory_over_federation = false
 
-# Set this to true to allow your server's public room directory to be
-# queried without client authentication (access token) through the Client
-# APIs. Set this to false to protect against /publicRooms spiders.
-#
-#allow_public_room_directory_without_auth = false
-
 # Allow guests/unauthenticated users to access TURN credentials.
 #
 # This is the equivalent of Synapse's `turn_allow_guests` config option.
@@ -608,6 +622,11 @@
 #
 #otlp_filter = "info"
 
+# Protocol to use for OTLP tracing export. Options are "http" or "grpc".
+# The HTTP protocol uses port 4318 by default, while gRPC uses port 4317.
+#
+#otlp_protocol = "http"
+
 # If the 'perf_measurements' compile-time feature is enabled, enables
 # collecting folded stack trace profile of tracing spans using
 # tracing_flame. The resulting profile can be visualized with inferno[1],
@@ -1050,14 +1069,6 @@
 #
 #rocksdb_repair = false
 
-# This item is undocumented. Please contribute documentation for it.
-#
-#rocksdb_read_only = false
-
-# This item is undocumented. Please contribute documentation for it.
-#
-#rocksdb_secondary = false
-
 # Enables idle CPU priority for compaction thread. This is not enabled by
 # default to prevent compaction from falling too far behind on busy
 # systems.
@@ -1114,27 +1125,34 @@
 
 # Allow local (your server only) presence updates/requests.
 #
-# Note that presence on continuwuity is very fast unlike Synapse's. If
-# using outgoing presence, this MUST be enabled.
+# Local presence must be enabled for outgoing presence to function.
+#
+# Note that local presence is not as heavy on the CPU as federated
+# presence, but will still become more expensive the more local users you
+# have.
 #
 #allow_local_presence = true
 
-# Allow incoming federated presence updates/requests.
+# Allow incoming federated presence updates.
 #
-# This option receives presence updates from other servers, but does not
-# send any unless `allow_outgoing_presence` is true. Note that presence on
-# continuwuity is very fast unlike Synapse's.
+# This option enables processing inbound presence updates from other
+# servers. Without it, remote users will appear as if they are always
+# offline to your local users. This does not affect typing indicators or
+# read receipts.
 #
 #allow_incoming_presence = true
 
 # Allow outgoing presence updates/requests.
 #
-# This option sends presence updates to other servers, but does not
-# receive any unless `allow_incoming_presence` is true. Note that presence
-# on continuwuity is very fast unlike Synapse's. If using outgoing
-# presence, you MUST enable `allow_local_presence` as well.
+# This option sends presence updates to other servers, and requires that
+# `allow_local_presence` is also enabled.
 #
-#allow_outgoing_presence = true
+# Note that outgoing presence is very heavy on the CPU and network, and
+# will typically cause extreme strain and slowdowns for no real benefit.
+# There are only a few clients that even implement presence, so you
+# probably don't want to enable this.
+#
+#allow_outgoing_presence = false
 
 # How many seconds without presence updates before you become idle.
 # Defaults to 5 minutes.
@@ -1168,6 +1186,10 @@
 
 # Allow sending read receipts to remote servers.
 #
+# Note that sending read receipts to remote servers in large rooms with
+# lots of other homeservers may cause additional strain on the CPU and
+# network.
+#
 #allow_outgoing_read_receipts = true
 
 # Allow local typing updates.
@@ -1179,6 +1201,10 @@
 
 # Allow outgoing typing updates to federation.
 #
+# Note that sending typing indicators to remote servers in large rooms
+# with lots of other homeservers may cause additional strain on the CPU
+# and network.
+#
 #allow_outgoing_typing = true
 
 # Allow incoming typing updates from federation.
@@ -1312,7 +1338,7 @@
 # sender user's server name, inbound federation X-Matrix origin, and
 # outbound federation handler.
 #
-# You can set this to ["*"] to block all servers by default, and then
+# You can set this to [".*"] to block all servers by default, and then
 # use `allowed_remote_server_names` to allow only specific servers.
 #
 # example: ["badserver\\.tld$", "badphrase", "19dollarfortnitecards"]
@@ -1450,6 +1476,11 @@
 #
 #url_preview_max_spider_size = 256000
 
+# Total request timeout for URL previews (seconds). This includes
+# connection, request, and response body reading time.
+#
+#url_preview_timeout = 120
+
 # Option to decide whether you would like to run the domain allowlist
 # checks (contains and explicit) on the root domain or not. Does not apply
 # to URL contains allowlist. Defaults to false.
@@ -1463,6 +1494,10 @@
 #
 #url_preview_check_root_domain = false
 
+# User agent that is used specifically when fetching url previews.
+#
+#url_preview_user_agent = "continuwuity/<version> (bot; +https://continuwuity.org)"
+
 # List of forbidden room aliases and room IDs as strings of regex
 # patterns.
 #
@@ -1533,7 +1568,7 @@
 # a normal continuwuity admin command. The reply will be publicly visible
 # to the room, originating from the sender.
 #
-# example: \\!admin debug ping puppygock.gay
+# example: \\!admin debug ping continuwuity.org
 #
 #admin_escape_commands = true
 
@@ -1551,7 +1586,8 @@
 # For example: `./continuwuity --execute "server admin-notice continuwuity
 # has started up at $(date)"`
 #
-# example: admin_execute = ["debug ping puppygock.gay", "debug echo hi"]`
+# example: admin_execute = ["debug ping continuwuity.org", "debug echo
+# hi"]`
 #
 #admin_execute = []
 
@@ -1584,6 +1620,18 @@
 #
 #admin_room_tag = "m.server_notice"
 
+# A list of Matrix IDs that are qualified as server admins.
+#
+# Any Matrix IDs within this list are regarded as an admin
+# regardless of whether they are in the admin room or not
+#
+#admins_list = []
+
+# Defines whether those within the admin room are added to the
+# admins_list.
+#
+#admins_from_room = true
+
 # Sentry.io crash/panic reporting, performance monitoring/metrics, etc.
 # This is NOT enabled by default.
 #
@@ -1629,7 +1677,7 @@
 
 # Enable the tokio-console. This option is only relevant to developers.
 #
-#	For more information, see:
+#    For more information, see:
 # https://continuwuity.org/development.html#debugging-with-tokio-console
 #
 #tokio_console = false
@@ -1735,10 +1783,6 @@
 #
 #config_reload_signal = true
 
-# This item is undocumented. Please contribute documentation for it.
-#
-#ldap = false
-
 [global.tls]
 
 # Path to a valid TLS certificate file.
@@ -1800,6 +1844,16 @@
 #
 #support_mxid =
 
+# **DEPRECATED**: Use `[global.matrix_rtc].foci` instead.
+#
+# A list of MatrixRTC foci URLs which will be served as part of the
+# MSC4143 client endpoint at /.well-known/matrix/client.
+#
+# This option is deprecated and will be removed in a future release.
+# Please migrate to the new `[global.matrix_rtc]` config section.
+#
+#rtc_focus_server_urls = []
+
 [global.blurhashing]
 
 # blurhashing x component, 4 is recommended by https://blurha.sh/
@@ -1818,6 +1872,23 @@
 #
 #blurhash_max_raw_size = 33554432
 
+[global.matrix_rtc]
+
+# A list of MatrixRTC foci (transports) which will be served via the
+# MSC4143 RTC transports endpoint at
+# `/_matrix/client/v1/rtc/transports`. If you're setting up livekit,
+# you'd want something like:
+# ```toml
+# [global.matrix_rtc]
+# foci = [
+#     { type = "livekit", livekit_service_url = "https://livekit.example.com" },
+# ]
+# ```
+#
+# To disable, set this to an empty list (`[]`).
+#
+#foci = []
+
 [global.ldap]
 
 # Whether to enable LDAP login.
@@ -1905,3 +1976,43 @@
 # example: "(objectClass=conduwuitAdmin)" or "(uid={username})"
 #
 #admin_filter = ""
+
+#[global.antispam]
+
+#[global.antispam.meowlnir]
+
+# The base URL on which to contact Meowlnir (before /_meowlnir/antispam).
+#
+# Example: "http://127.0.0.1:29339"
+#
+#base_url =
+
+# The authentication secret defined in antispam->secret. Required for
+# continuwuity to talk to Meowlnir.
+#
+#secret =
+
+# The management room for which to send requests
+#
+#management_room =
+
+# If enabled run all federated join attempts (both federated and local)
+# through the Meowlnir anti-spam checks.
+#
+# By default, only join attempts for rooms with the `fi.mau.spam_checker`
+# restricted join rule are checked.
+#
+#check_all_joins = false
+
+#[global.antispam.draupnir]
+
+# The base URL on which to contact Draupnir (before /api/).
+#
+# Example: "http://127.0.0.1:29339"
+#
+#base_url =
+
+# The authentication secret defined in
+# web->synapseHTTPAntispam->authorization
+#
+#secret =

docker/Dockerfile

@@ -48,11 +48,11 @@ EOF
 
 # Developer tool versions
 # renovate: datasource=github-releases depName=cargo-bins/cargo-binstall
-ENV BINSTALL_VERSION=1.16.2
+ENV BINSTALL_VERSION=1.17.5
 # renovate: datasource=github-releases depName=psastras/sbom-rs
 ENV CARGO_SBOM_VERSION=0.9.1
 # renovate: datasource=crate depName=lddtree
-ENV LDDTREE_VERSION=0.3.7
+ENV LDDTREE_VERSION=0.5.0
 # renovate: datasource=crate depName=timelord-cli
 ENV TIMELORD_VERSION=3.0.1
 
@@ -162,6 +162,7 @@ ENV CONDUWUIT_VERSION_EXTRA=$CONDUWUIT_VERSION_EXTRA
 ENV CONTINUWUITY_VERSION_EXTRA=$CONTINUWUITY_VERSION_EXTRA
 
 ARG RUST_PROFILE=release
+ARG CARGO_FEATURES="default,http3"
 
 # Build the binary
 RUN --mount=type=cache,target=/usr/local/cargo/registry \
@@ -171,18 +172,32 @@ RUN --mount=type=cache,target=/usr/local/cargo/registry \
     set -o allexport
     set -o xtrace
     . /etc/environment
+
+    # Check if http3 feature is enabled and set appropriate RUSTFLAGS
+    if echo "${CARGO_FEATURES}" | grep -q "http3"; then
+        export RUSTFLAGS="${RUSTFLAGS} --cfg reqwest_unstable"
+    else
+        export RUSTFLAGS="${RUSTFLAGS}"
+    fi
+
+    RUST_PROFILE_DIR="${RUST_PROFILE}"
+    if [[ "${RUST_PROFILE}" == "dev" ]]; then
+        RUST_PROFILE_DIR="debug"
+    fi
+
     TARGET_DIR=($(cargo metadata --no-deps --format-version 1 | \
             jq -r ".target_directory"))
     mkdir /out/sbin
     PACKAGE=conduwuit
     xx-cargo build --locked --profile ${RUST_PROFILE} \
+        --no-default-features --features ${CARGO_FEATURES} \
         -p $PACKAGE;
     BINARIES=($(cargo metadata --no-deps --format-version 1 | \
         jq -r ".packages[] | select(.name == \"$PACKAGE\") | .targets[] | select( .kind | map(. == \"bin\") | any ) | .name"))
     for BINARY in "${BINARIES[@]}"; do
         echo $BINARY
-        xx-verify $TARGET_DIR/$(xx-cargo --print-target-triple)/${RUST_PROFILE}/$BINARY
-        cp $TARGET_DIR/$(xx-cargo --print-target-triple)/${RUST_PROFILE}/$BINARY /out/sbin/$BINARY
+        xx-verify $TARGET_DIR/$(xx-cargo --print-target-triple)/${RUST_PROFILE_DIR}/$BINARY
+        cp $TARGET_DIR/$(xx-cargo --print-target-triple)/${RUST_PROFILE_DIR}/$BINARY /out/sbin/$BINARY
     done
 EOF
 

docker/complement.Dockerfile

@@ -0,0 +1,11 @@
+FROM ubuntu:latest
+EXPOSE 8008
+EXPOSE 8448
+RUN apt-get update && apt-get install -y ca-certificates liburing2 && rm -rf /var/lib/apt/lists/*
+RUN mkdir -p /etc/continuwuity /var/lib/continuwuity /usr/local/bin/
+COPY complement/complement-entrypoint.sh /usr/local/bin/complement-entrypoint.sh
+COPY complement/complement.config.toml /etc/continuwuity/config.toml
+COPY target/debug/conduwuit /usr/local/bin/conduwuit
+RUN chmod +x /usr/local/bin/conduwuit /usr/local/bin/complement-entrypoint.sh
+#HEALTHCHECK --interval=30s --timeout=5s CMD curl --fail http://localhost:8008/_continuwuity/server_version || exit 1
+ENTRYPOINT ["/usr/local/bin/complement-entrypoint.sh"]

docker/musl.Dockerfile

@@ -18,11 +18,11 @@ RUN --mount=type=cache,target=/etc/apk/cache apk add \
 
 # Developer tool versions
 # renovate: datasource=github-releases depName=cargo-bins/cargo-binstall
-ENV BINSTALL_VERSION=1.16.2
+ENV BINSTALL_VERSION=1.17.5
 # renovate: datasource=github-releases depName=psastras/sbom-rs
 ENV CARGO_SBOM_VERSION=0.9.1
 # renovate: datasource=crate depName=lddtree
-ENV LDDTREE_VERSION=0.3.7
+ENV LDDTREE_VERSION=0.5.0
 
 # Install unpackaged tools
 RUN <<EOF

docs/_meta.json

@@ -15,9 +15,9 @@
         "label": "Deploying"
     },
     {
-        "type": "file",
-        "name": "turn",
-        "label": "TURN"
+        "type": "dir",
+        "name": "calls",
+        "label": "Calls"
     },
     {
         "type": "file",
@@ -34,6 +34,14 @@
         "name": "troubleshooting",
         "label": "Troubleshooting"
     },
+    "security",
+    {
+        "type": "dir-section-header",
+        "name": "community",
+        "label": "Community",
+        "collapsible": true,
+        "collapsed": false
+    },
     {
         "type": "divider"
     },
@@ -57,18 +65,11 @@
         "name": "/reference/config"
     },
     {
-        "type": "file",
+        "type": "dir",
         "label": "Admin Command Reference",
-        "name": "/reference/admin"
-    },
-    {
-        "type": "file",
-        "label": "Server Reference",
-        "name": "/reference/server"
+        "name": "/reference/admin/"
     },
     {
         "type": "divider"
-    },
-    "community",
-    "security"
+    }
 ]

docs/_nav.json

@@ -2,7 +2,7 @@
     {
         "text": "Guide",
         "link": "/introduction",
-        "activeMatch": "^/(introduction|configuration|deploying|turn|appservices|maintenance|troubleshooting)"
+        "activeMatch": "^/(introduction|configuration|deploying|calls|appservices|maintenance|troubleshooting)"
     },
     {
         "text": "Development",
@@ -18,17 +18,22 @@
             },
             {
                 "text": "Admin Command Reference",
-                "link": "/reference/admin"
-            },
-            {
-                "text": "Server Reference",
-                "link": "/reference/server"
+                "link": "/reference/admin/"
             }
         ]
     },
     {
         "text": "Community",
-        "link": "/community"
+        "items": [
+            {
+                "text": "Community Guidelines",
+                "link": "/community/guidelines"
+            },
+            {
+                "text": "Become a Partnered Homeserver!",
+                "link": "/community/ops-guidelines"
+            }
+        ]
     },
     {
         "text": "Security",

docs/calls.mdx

@@ -0,0 +1,13 @@
+# Calls
+
+Matrix supports two types of calls:
+
+- Element Call powered by [MatrixRTC](https://half-shot.github.io/msc-crafter/#msc/4143) and [LiveKit](https://github.com/livekit/livekit)
+- Legacy calls, sometimes using Jitsi
+
+Both types of calls are supported by different sets of clients, but most clients are moving towards MatrixRTC / Element Call.
+
+For either one to work correctly, you have to do some additional setup.
+
+- For legacy calls to work, you need to set up a TURN/STUN server. [Read the TURN guide for tips on how to set up coturn](./calls/turn.mdx)
+- For MatrixRTC / Element Call to work, you have to set up the LiveKit backend (foci). LiveKit also uses TURN/STUN to increase reliability, so you might want to configure your TURN server first. [Read the LiveKit guide](./calls/livekit.mdx)

docs/calls/_meta.json

@@ -0,0 +1,12 @@
+[
+    {
+        "type": "file",
+        "name": "turn",
+        "label": "TURN"
+    },
+    {
+        "type": "file",
+        "name": "livekit",
+        "label": "MatrixRTC / LiveKit"
+    }
+]

docs/calls/livekit.mdx

@@ -0,0 +1,240 @@
+# Matrix RTC/Element Call Setup
+
+:::info
+This guide assumes that you are using docker compose for deployment. LiveKit only provides Docker images.
+:::
+
+## Instructions
+
+### 1. Domain
+
+LiveKit should live on its own domain or subdomain. In this guide we use `livekit.example.com` - this should be replaced with a domain you control.
+
+Make sure the DNS record for the (sub)domain you plan to use is pointed to your server.
+
+### 2. Services
+
+Using LiveKit with Matrix requires two services - Livekit itself, and a service (`lk-jwt-service`) that grants Matrix users permission to connect to it.
+
+You must generate a key and secret to allow the Matrix service to authenticate with LiveKit. `LK_MATRIX_KEY` should be around 20 random characters, and `LK_MATRIX_SECRET` should be around 64. Remember to replace these with the actual values!
+
+:::tip Generating the secrets
+LiveKit provides a utility to generate secure random keys
+```bash
+docker run --rm livekit/livekit-server:latest generate-keys
+```
+:::
+
+```yaml
+services:
+  lk-jwt-service:
+    image: ghcr.io/element-hq/lk-jwt-service:latest
+    container_name: lk-jwt-service
+    environment:
+      - LIVEKIT_JWT_BIND=:8081
+      - LIVEKIT_URL=wss://livekit.example.com
+      - LIVEKIT_KEY=LK_MATRIX_KEY
+      - LIVEKIT_SECRET=LK_MATRIX_SECRET
+      - LIVEKIT_FULL_ACCESS_HOMESERVERS=example.com
+    restart: unless-stopped
+    ports:
+      - "8081:8081"
+
+  livekit:
+    image: livekit/livekit-server:latest
+    container_name: livekit
+    command: --config /etc/livekit.yaml
+    restart: unless-stopped
+    volumes:
+      - ./livekit.yaml:/etc/livekit.yaml:ro
+    network_mode: "host" # /!\ LiveKit binds to all addresses by default.
+    # Make sure port 7880 is blocked by your firewall to prevent access bypassing your reverse proxy
+    # Alternatively, uncomment the lines below and comment `network_mode: "host"` above to specify port mappings.
+#    ports:
+#      - "127.0.0.1:7880:7880/tcp"
+#      - "7881:7881/tcp"
+#      - "50100-50200:50100-50200/udp"
+```
+
+Next, we need to configure LiveKit. In the same directory, create `livekit.yaml` with the following content - remembering to replace `LK_MATRIX_KEY` and `LK_MATRIX_SECRET` with the values you generated:
+
+```yaml
+port: 7880
+bind_addresses:
+  - ""
+rtc:
+  tcp_port: 7881
+  port_range_start: 50100
+  port_range_end: 50200
+  use_external_ip: true
+  enable_loopback_candidate: false
+keys:
+  LK_MATRIX_KEY: LK_MATRIX_SECRET
+```
+
+#### Firewall hints
+
+You will need to allow ports `7881/tcp` and `50100:50200/udp` through your firewall. If you use UFW, the commands are: `ufw allow 7881/tcp` and `ufw allow 50100:50200/udp`.
+
+### 3. Telling clients where to find LiveKit
+
+To tell clients where to find LiveKit, you need to add the address of your `lk-jwt-service` to the `[global.matrix_rtc]` config section using the `foci` option.
+
+The variable should be a list of servers serving as MatrixRTC endpoints. Clients discover these via the `/_matrix/client/v1/rtc/transports` endpoint (MSC4143).
+
+```toml
+[global.matrix_rtc]
+foci = [
+    { type = "livekit", livekit_service_url = "https://livekit.example.com" },
+]
+```
+
+Remember to replace the URL with the address you are deploying your instance of lk-jwt-service to.
+
+### 4. Configure your Reverse Proxy
+
+Reverse proxies can be configured in many different ways - so we can't provide a step by step for this.
+
+By default, all routes should be forwarded to Livekit with the exception of the following path prefixes, which should be forwarded to the JWT/Authentication service:
+
+- `/sfu/get`
+- `/healthz`
+- `/get_token`
+
+<details>
+    <summary>Example caddy config</summary>
+    ```
+    matrix-rtc.example.com {
+
+        # for lk-jwt-service
+        @lk-jwt-service path /sfu/get* /healthz* /get_token*
+        route @lk-jwt-service {
+            reverse_proxy 127.0.0.1:8081
+        }
+
+        # for livekit
+        reverse_proxy 127.0.0.1:7880
+    }
+    ```
+</details>
+
+<details>
+    <summary>Example nginx config</summary>
+    ```
+    server {
+        server_name matrix-rtc.example.com;
+
+        # for lk-jwt-service
+        location ~ ^/(sfu/get|healthz|get_token) {
+            proxy_pass http://127.0.0.1:8081$request_uri;
+            proxy_set_header X-Forwarded-For $remote_addr;
+            proxy_set_header X-Real-IP $remote_addr;
+            proxy_set_header Host $http_host;
+            proxy_buffering off;
+        }
+
+        # for livekit
+        location / {
+            proxy_pass http://127.0.0.1:7880$request_uri;
+            proxy_set_header X-Forwarded-For $remote_addr;
+            proxy_set_header X-Real-IP $remote_addr;
+            proxy_set_header Host $http_host;
+            proxy_buffering off;
+
+            # websocket
+            proxy_http_version 1.1;
+            proxy_set_header Upgrade $http_upgrade;
+            proxy_set_header Connection $connection_upgrade;
+        }
+    }
+    ```
+
+    Note that for websockets to work, you need to have this somewhere outside your server block:
+    ```
+    map $http_upgrade $connection_upgrade {
+        default upgrade;
+        ''      close;
+    }
+    ```
+</details>
+
+<details>
+    <summary>Example traefik router</summary>
+    ```
+    # on LiveKit itself
+    traefik.http.routers.livekit.rule=Host(`livekit.example.com`)
+    # on the JWT service
+    traefik.http.routers.livekit-jwt.rule=Host(`livekit.example.com`) && (PathPrefix(`/sfu/get`) || PathPrefix(`/healthz`) || PathPrefix(`/get_token`))
+    ```
+</details>
+
+
+### 6. Start Everything
+
+Start up the services using your usual method - for example `docker compose up -d`.
+
+## Additional Configuration
+
+### TURN Integration
+
+If you've already set up coturn, there may be a port clash between the two services. To fix this, make sure the `min-port` and `max-port` for coturn so it doesn't overlap with LiveKit's range:
+
+```ini
+min-port=50201
+max-port=65535
+```
+
+To improve LiveKit's reliability, you can configure it to use your coturn server.
+
+Generate a long random secret for LiveKit, and add it to your coturn config under the `static-auth-secret` option. You can add as many secrets as you want - so set a different one for each thing using your TURN server.
+
+Then configure livekit, making sure to replace `COTURN_SECRET`:
+
+```yaml
+# livekit.yaml
+rtc:
+  turn_servers:
+    - host: coturn.ellis.link
+      port: 3478
+      protocol: tcp
+      secret: "COTURN_SECRET"
+    - host: coturn.ellis.link
+      port: 5349
+      protocol: tls # Only if you've set up TLS in your coturn
+      secret: "COTURN_SECRET"
+    - host: coturn.ellis.link
+      port: 3478
+      protocol: udp
+      secret: "COTURN_SECRET"
+```
+
+## LiveKit's built in TURN server
+
+Livekit includes a built in TURN server which can be used in place of an external option. This TURN server will only work with Livekit, so you can't use it for legacy Matrix calling - or anything else.
+
+If you don't want to set up a separate TURN server, you can enable this with the following changes:
+
+```yaml
+### add this to livekit.yaml ###
+turn:
+  enabled: true
+  udp_port: 3478
+  relay_range_start: 50300
+  relay_range_end: 50400
+  domain: matrix-rtc.example.com
+```
+
+```yaml
+### Add these to docker-compose ###
+- "3478:3478/udp"
+- "50300-50400:50300-50400/udp"
+```
+
+### Related Documentation
+
+- [LiveKit GitHub](https://github.com/livekit/livekit)
+- [LiveKit Connection Tester](https://livekit.io/connection-test) - use with the token returned by `/sfu/get` or `/get_token`
+- [MatrixRTC proposal](https://half-shot.github.io/msc-crafter/#msc/4143)
+- [Synapse documentation](https://github.com/element-hq/element-call/blob/livekit/docs/self-hosting.md)
+- [Community guide](https://tomfos.tr/matrix/livekit/)
+- [Community guide](https://blog.kimiblock.top/2024/12/24/hosting-element-call/)

docs/calls/turn.mdx

@@ -0,0 +1,214 @@
+# Setting up TURN/STUN
+
+[TURN](https://en.wikipedia.org/wiki/Traversal_Using_Relays_around_NAT) and [STUN](https://en.wikipedia.org/wiki/STUN) are used as a component in many calling systems. Matrix uses them directly for legacy calls and indirectly for MatrixRTC via Livekit.
+
+Continuwuity recommends using [Coturn](https://github.com/coturn/coturn) as your TURN/STUN server, which is available as a Docker image or a distro package.
+
+## Installing Coturn
+
+### Configuration
+
+Create a configuration file called `coturn.conf` containing:
+
+```ini
+use-auth-secret
+static-auth-secret=<a secret key>
+realm=<your server domain>
+```
+
+:::tip Generating a secure secret
+A common way to generate a suitable alphanumeric secret key is by using:
+```bash
+pwgen -s 64 1
+```
+:::
+
+#### Port Configuration
+
+By default, coturn uses the following ports:
+- `3478` (UDP/TCP): Standard TURN/STUN port
+- `5349` (UDP/TCP): TURN/STUN over TLS
+- `49152-65535` (UDP): Media relay ports
+
+If you're also running LiveKit, you'll need to avoid port conflicts. Configure non-overlapping port ranges:
+
+```ini
+# In coturn.conf
+min-port=50201
+max-port=65535
+```
+
+This leaves ports `50100-50200` available for LiveKit's default configuration.
+
+### Running with Docker
+
+Run the [Coturn](https://hub.docker.com/r/coturn/coturn) image using:
+
+```bash
+docker run -d --network=host \
+  -v $(pwd)/coturn.conf:/etc/coturn/turnserver.conf \
+  coturn/coturn
+```
+
+### Running with Docker Compose
+
+Create a `docker-compose.yml` file and run `docker compose up -d`:
+
+```yaml
+version: '3'
+services:
+  turn:
+    container_name: coturn-server
+    image: docker.io/coturn/coturn
+    restart: unless-stopped
+    network_mode: "host"
+    volumes:
+      - ./coturn.conf:/etc/coturn/turnserver.conf
+```
+
+:::info Why host networking?
+Coturn uses host networking mode because it needs to bind to multiple ports and work with various network protocols. Using host networking is better for performance, and reduces configuration complexity. To understand alternative configuration options, visit [Coturn's Docker documentation](https://github.com/coturn/coturn/blob/master/docker/coturn/README.md).
+:::
+
+### Security Recommendations
+
+For security best practices, see Synapse's [Coturn documentation](https://element-hq.github.io/synapse/latest/turn-howto.html), which includes important firewall and access control recommendations.
+
+## Configuring Continuwuity
+
+Once your TURN server is running, configure Continuwuity to provide credentials to clients. Add the following to your Continuwuity configuration file:
+
+### Shared Secret Authentication (Recommended)
+
+This is the most secure method and generates time-limited credentials automatically:
+
+```toml
+# TURN URIs that clients should connect to
+turn_uris = [
+    "turn:coturn.example.com?transport=udp",
+    "turn:coturn.example.com?transport=tcp",
+    "turns:coturn.example.com?transport=udp",
+    "turns:coturn.example.com?transport=tcp"
+]
+
+# Shared secret for generating credentials (must match coturn's static-auth-secret)
+turn_secret = "<your coturn static-auth-secret>"
+
+# Optional: Read secret from a file instead (takes priority over turn_secret)
+# turn_secret_file = "/etc/continuwuity/.turn_secret"
+
+# TTL for generated credentials in seconds (default: 86400 = 24 hours)
+turn_ttl = 86400
+```
+
+:::tip Using TLS
+The `turns:` URI prefix instructs clients to connect to TURN over TLS, which is highly recommended for security. Make sure you've configured TLS in your coturn server first.
+:::
+
+### Static Credentials (Alternative)
+
+If you prefer static username/password credentials instead of shared secrets:
+
+```toml
+turn_uris = [
+    "turn:coturn.example.com?transport=udp",
+    "turn:coturn.example.com?transport=tcp"
+]
+
+turn_username = "your_username"
+turn_password = "your_password"
+```
+
+:::warning
+Static credentials are less secure than shared secrets because they don't expire and must be configured in coturn separately. It is strongly advised you use shared secret authentication.
+:::
+
+### Guest Access
+
+By default, TURN credentials require client authentication. To allow unauthenticated access:
+
+```toml
+turn_allow_guests = true
+```
+
+:::caution
+This is not recommended as it allows unauthenticated users to access your TURN server, potentially enabling abuse by bots. All major Matrix clients that support legacy calls *also* support authenticated TURN access.
+:::
+
+### Important Notes
+
+- Replace `coturn.example.com` with your actual TURN server domain (the `realm` from coturn.conf)
+- The `turn_secret` must match the `static-auth-secret` in your coturn configuration
+- Restart or reload Continuwuity after making configuration changes
+
+## Testing Your TURN Server
+
+### Testing Credentials
+
+Verify that Continuwuity is correctly serving TURN credentials to clients:
+
+```bash
+curl "https://matrix.example.com/_matrix/client/r0/voip/turnServer" \
+  -H "Authorization: Bearer <your_client_token>" | jq
+```
+
+You should receive a response like this:
+
+```json
+{
+  "username": "1752792167:@jade:example.com",
+  "password": "KjlDlawdPbU9mvP4bhdV/2c/h65=",
+  "uris": [
+    "turns:coturn.example.com?transport=udp",
+    "turns:coturn.example.com?transport=tcp",
+    "turn:coturn.example.com?transport=udp",
+    "turn:coturn.example.com?transport=tcp"
+  ],
+  "ttl": 86400
+}
+```
+
+:::note MSC4166 Compliance
+If no TURN URIs are configured (`turn_uris` is empty), Continuwuity will return a 404 Not Found response, as specified in MSC4166.
+:::
+
+### Testing Connectivity
+
+Use [Trickle ICE](https://webrtc.github.io/samples/src/content/peerconnection/trickle-ice/) to verify that the TURN credentials actually work:
+
+1. Copy the credentials from the response above
+2. Paste them into the Trickle ICE testing tool
+3. Click "Gather candidates"
+4. Look for successful `relay` candidates in the results
+
+If you see relay candidates, your TURN server is working correctly!
+
+## Troubleshooting
+
+### Clients can't connect to TURN server
+
+- Verify firewall rules allow the necessary ports (3478, 5349, and your media port range)
+- Check that DNS resolves correctly for your TURN domain
+- Ensure your `turn_secret` matches coturn's `static-auth-secret`
+- Test with Trickle ICE to isolate the issue
+
+### Port conflicts with LiveKit
+
+- Make sure coturn's `min-port` starts above LiveKit's `port_range_end` (default: 50200)
+- Or adjust LiveKit's port range to avoid coturn's default range
+
+### 404 when calling turnServer endpoint
+
+- Verify that `turn_uris` is not empty in your Continuwuity config
+- This behavior is correct per MSC4166 if no TURN URIs are configured
+
+### Credentials expire too quickly
+
+- Adjust the `turn_ttl` value in your Continuwuity configuration
+- Default is 86400 seconds (24 hours)
+
+### Related Documentation
+
+- [MatrixRTC/LiveKit Setup](./livekit.mdx) - Configure group calling with LiveKit
+- [Coturn GitHub](https://github.com/coturn/coturn) - Official coturn repository
+- [Synapse TURN Guide](https://element-hq.github.io/synapse/latest/turn-howto.html) - Additional security recommendations

docs/community/_meta.json

@@ -0,0 +1,12 @@
+[
+    {
+        "type": "file",
+        "name": "guidelines",
+        "label": "Community Guidelines"
+    },
+    {
+        "type": "file",
+        "name": "ops-guidelines",
+        "label": "Partnered Homeserver Guidelines"
+    }
+]

docs/community/ops-guidelines.mdx

@@ -0,0 +1,32 @@
+# Partnered Homeserver Operator Requirements
+> _So you want to be an officially sanctioned public Continuwuity homeserver operator?_
+
+Thank you for your interest in the project! There's a few things we need from you first to make sure your homeserver meets our quality standards and that you are prepared to handle the additional workload introduced by operating a public chat service.
+
+## Stuff you must have
+if you don't do these things we will tell you to go away
+
+- Your homeserver must be running an up-to-date version of Continuwuity
+- You must have a CAPTCHA, external registration system, or apply-to-join system that provides one-time-use invite codes (we do not accept fully open nor static token registration)
+- Your homeserver must have support details listed in [`/.well-known/matrix/support`](https://spec.matrix.org/v1.17/client-server-api/#getwell-knownmatrixsupport)
+- Your rules and guidelines must align with [the project's own code of conduct](guidelines).
+- You must be reasonably responsive (i.e. don't leave us hanging for a week if we alert you to an issue on your server)
+- Your homeserver's community rooms (if any) must be protected by a moderation bot subscribed to policy lists like the Community Moderation Effort (you can get one from https://asgard.chat if you don't want to run your own)
+
+## Stuff we encourage you to have
+not strictly required but we will consider your request more strongly if you have it
+
+- You should have automated moderation tooling that can automatically suspend abusive users on your homeserver who are added to policy lists
+- You should have multiple server administrators (increased bus factor)
+- You should have a terms of service and privacy policy prominently available
+
+## Stuff you get
+
+- Prominent listing in our README!
+- A gold star sticker
+- Access to a low noise room for more direct communication with maintainers and collaboration with fellow operators
+- Read-only access to the continuwuity internal ban list
+- Early notice of upcoming releases
+
+## Sound good?
+To get started, ping a team member in [our main chatroom](https://matrix.to/#/#continuwuity:continuwuity.org) and ask to be added to the list.

docs/deploying/docker-compose.with-traefik.yml

@@ -114,6 +114,10 @@ services:
       TRAEFIK_CERTIFICATESRESOLVERS_LETSENCRYPT_ACME_HTTPCHALLENGE_ENTRYPOINT: web
       TRAEFIK_CERTIFICATESRESOLVERS_LETSENCRYPT_ACME_STORAGE: "/etc/traefik/acme/acme.json"
 
+      # Since Traefik 3.6.3, paths with certain "encoded characters" are now blocked by default; we need a couple, or else things *will* break
+      TRAEFIK_ENTRYPOINTS_WEBSECURE_HTTP_ENCODEDCHARACTERS_ALLOWENCODEDSLASH: true
+      TRAEFIK_ENTRYPOINTS_WEBSECURE_HTTP_ENCODEDCHARACTERS_ALLOWENCODEDHASH: true
+
       TRAEFIK_PROVIDERS_DOCKER: true
       TRAEFIK_PROVIDERS_DOCKER_ENDPOINT: "unix:///var/run/docker.sock"
       TRAEFIK_PROVIDERS_DOCKER_EXPOSEDBYDEFAULT: false

docs/deploying/docker.mdx

@@ -11,10 +11,10 @@ ### Use a registry
 
 | Registry        | Image                                                           | Notes                  |
 | --------------- | --------------------------------------------------------------- | -----------------------|
-| Forgejo Registry| [forgejo.ellis.link/continuwuation/continuwuity:latest][fj]     | Latest tagged image.   |
-| Forgejo Registry| [forgejo.ellis.link/continuwuation/continuwuity:main][fj]       | Main branch image.     |
-
-[fj]: https://forgejo.ellis.link/continuwuation/-/packages/container/continuwuity
+| Forgejo Registry| [forgejo.ellis.link/continuwuation/continuwuity:latest](https://forgejo.ellis.link/continuwuation/-/packages/container/continuwuity/latest)     | Latest tagged image.   |
+| Forgejo Registry| [forgejo.ellis.link/continuwuation/continuwuity:main](https://forgejo.ellis.link/continuwuation/-/packages/container/continuwuity/main)       | Main branch image.     |
+| Forgejo Registry| [forgejo.ellis.link/continuwuation/continuwuity:latest-maxperf](https://forgejo.ellis.link/continuwuation/-/packages/container/continuwuity/latest-maxperf) | [Performance optimised version.](./generic.mdx#performance-optimised-builds) |
+| Forgejo Registry| [forgejo.ellis.link/continuwuation/continuwuity:main-maxperf](https://forgejo.ellis.link/continuwuation/-/packages/container/continuwuity/main-maxperf)   | [Performance optimised version.](./generic.mdx#performance-optimised-builds) |
 
 Use
 
@@ -24,6 +24,15 @@ ### Use a registry
 
 to pull it to your machine.
 
+#### Mirrors
+
+Images are mirrored to multiple locations automatically, on a schedule:
+
+- `ghcr.io/continuwuity/continuwuity`
+- `docker.io/jadedblueeyes/continuwuity`
+- `registry.gitlab.com/continuwuity/continuwuity`
+- `git.nexy7574.co.uk/mirrored/continuwuity` (releases only, no `main`)
+
 ### Run
 
 When you have the image, you can simply run it with
@@ -49,7 +58,7 @@ ### Run
 flag, which cleans up everything related to your container after you stop
 it.
 
-### Docker-compose
+### Docker Compose
 
 If the `docker run` command is not suitable for you or your setup, you can also use one
 of the provided `docker-compose` files.
@@ -158,8 +167,19 @@ # Build for the current platform and load into the local Docker daemon
 # Example: Build for specific platforms and push to a registry.
 # docker buildx build --platform linux/amd64,linux/arm64 --tag registry.io/org/continuwuity:latest -f docker/Dockerfile . --push
 
-# Example: Build binary optimized for the current CPU
-# docker buildx build --load --tag continuwuity:latest --build-arg TARGET_CPU=native -f docker/Dockerfile .
+# Example: Build binary optimised for the current CPU (standard release profile)
+# docker buildx build --load \
+#   --tag continuwuity:latest \
+#   --build-arg TARGET_CPU=native \
+#   -f docker/Dockerfile .
+
+# Example: Build maxperf variant (release-max-perf profile with LTO)
+# Optimised for runtime performance and smaller binary size, but requires longer build time
+# docker buildx build --load \
+#   --tag continuwuity:latest-maxperf \
+#   --build-arg TARGET_CPU=native \
+#   --build-arg RUST_PROFILE=release-max-perf \
+#   -f docker/Dockerfile .
 ```
 
 Refer to the Docker Buildx documentation for more advanced build options.
@@ -197,6 +217,4 @@ ### Use Traefik as Proxy
 
 ## Voice communication
 
-See the [TURN](../turn.md) page.
-
-[nix-buildlayeredimage]: https://ryantm.github.io/nixpkgs/builders/images/dockertools/#ssec-pkgs-dockerTools-buildLayeredImage
+See the [Calls](../calls.mdx) page.

docs/deploying/fedora.mdx

@@ -1,17 +1,18 @@
 # RPM Installation Guide
 
-Continuwuity is available as RPM packages for Fedora, RHEL, and compatible distributions.
+Continuwuity is available as RPM packages for Fedora and compatible distributions.
+We do not currently have infrastructure to build RPMs for RHEL and compatible distributions, but this is a work in progress.
 
 The RPM packaging files are maintained in the `fedora/` directory:
 - `continuwuity.spec.rpkg` - RPM spec file using rpkg macros for building from git
 - `continuwuity.service` - Systemd service file for the server
 - `RPM-GPG-KEY-continuwuity.asc` - GPG public key for verifying signed packages
 
-RPM packages built by CI are signed with our GPG key (Ed25519, ID: `5E0FF73F411AAFCA`).
+RPM packages built by CI are signed with our GPG key (RSA, ID: `6595 E8DB 9191 D39A 46D6 A514 4BA7 F590 DF0B AA1D`). # spellchecker:disable-line
 
 ```bash
 # Import the signing key
-sudo rpm --import https://forgejo.ellis.link/continuwuation/continuwuity/raw/branch/main/fedora/RPM-GPG-KEY-continuwuity.asc
+sudo rpm --import https://forgejo.ellis.link/api/packages/continuwuation/rpm/repository.key
 
 # Verify a downloaded package
 rpm --checksig continuwuity-*.rpm
@@ -23,7 +24,7 @@ ## Installation methods
 
 ```bash
 # Add the repository and install
-sudo dnf config-manager addrepo --from-repofile=https://forgejo.ellis.link/api/packages/continuwuation/rpm/stable/continuwuation.repo
+sudo dnf config-manager addrepo --from-repofile=https://forgejo.ellis.link/api/packages/continuwuation/rpm/stable.repo
 sudo dnf install continuwuity
 ```
 
@@ -31,7 +32,7 @@ # Add the repository and install
 
 ```bash
 # Add the dev repository and install
-sudo dnf config-manager addrepo --from-repofile=https://forgejo.ellis.link/api/packages/continuwuation/rpm/dev/continuwuation.repo
+sudo dnf config-manager addrepo --from-repofile=https://forgejo.ellis.link/api/packages/continuwuation/rpm/dev.repo
 sudo dnf install continuwuity
 ```
 
@@ -39,23 +40,10 @@ # Add the dev repository and install
 
 ```bash
 # Branch names are sanitized (slashes become hyphens, lowercase only)
-sudo dnf config-manager addrepo --from-repofile=https://forgejo.ellis.link/api/packages/continuwuation/rpm/tom-new-feature/continuwuation.repo
+sudo dnf config-manager addrepo --from-repofile=https://forgejo.ellis.link/api/packages/continuwuation/rpm/tom-new-feature.repo
 sudo dnf install continuwuity
 ```
 
-**Direct installation** without adding repository
-
-```bash
-# Latest stable release
-sudo dnf install https://forgejo.ellis.link/api/packages/continuwuation/rpm/stable/continuwuity
-
-# Latest development build
-sudo dnf install https://forgejo.ellis.link/api/packages/continuwuation/rpm/dev/continuwuity
-
-# Specific feature branch
-sudo dnf install https://forgejo.ellis.link/api/packages/continuwuation/rpm/branch-name/continuwuity
-```
-
 **Manual repository configuration** (alternative method)
 
 ```bash
@@ -65,7 +53,7 @@ # Specific feature branch
 baseurl=https://forgejo.ellis.link/api/packages/continuwuation/rpm/stable
 enabled=1
 gpgcheck=1
-gpgkey=https://forgejo.ellis.link/continuwuation/continuwuity/raw/branch/main/fedora/RPM-GPG-KEY-continuwuity.asc
+gpgkey=https://forgejo.ellis.link/api/packages/continuwuation/rpm/repository.key
 EOF
 
 sudo dnf install continuwuity

docs/deploying/freebsd.mdx

@@ -3,3 +3,5 @@ # Continuwuity for FreeBSD
 Continuwuity currently does not provide FreeBSD builds or FreeBSD packaging. However, Continuwuity does build and work on FreeBSD using the system-provided RocksDB.
 
 Contributions to get Continuwuity packaged for FreeBSD are welcome.
+
+Please join our [Continuwuity BSD](https://matrix.to/#/%23bsd:continuwuity.org) community room.

docs/deploying/generic.mdx

@@ -8,29 +8,39 @@ # Generic deployment documentation
 
 ## Installing Continuwuity
 
-### Static prebuilt binary
+### Prebuilt binary
 
-You may simply download the binary that fits your machine architecture (x86_64
-or aarch64). Run `uname -m` to see what you need.
+Download the binary for your architecture (x86_64 or aarch64) -
+run the `uname -m` to check which you need.
 
-You can download prebuilt fully static musl binaries from the latest tagged
-release [here](https://forgejo.ellis.link/continuwuation/continuwuity/releases/latest) or
-from the `main` CI branch workflow artifact output. These also include Debian/Ubuntu
-packages.
+Prebuilt binaries are available from:
+- **Tagged releases**: [Latest release page](https://forgejo.ellis.link/continuwuation/continuwuity/releases/latest)
+- **Development builds**: CI artifacts from the `main` branch
+  (includes Debian/Ubuntu packages)
 
-You can download these directly using curl. The `ci-bins` are CI workflow binaries organized by commit
-hash/revision, and `releases` are tagged releases. Sort by descending last
-modified date to find the latest.
+When browsing CI artifacts, `ci-bins` contains binaries organised
+by commit hash, while `releases` contains tagged versions. Sort
+by last modified date to find the most recent builds.
 
-These binaries have jemalloc and io_uring statically linked and included with
-them, so no additional dynamic dependencies need to be installed.
+The binaries require jemalloc and io_uring on the host system. Currently
+we can't cross-build static binaries - contributions are welcome here.
 
-For the **best** performance: if you are using an `x86_64` CPU made in the last ~15 years,
-we recommend using the `-haswell-` optimized binaries. These set
-`-march=haswell`, which provides the most compatible and highest performance with
-optimized binaries. The database backend, RocksDB, benefits most from this as it
-uses hardware-accelerated CRC32 hashing/checksumming, which is critical
-for performance.
+#### Performance-optimised builds
+
+For x86_64 systems with CPUs from the last ~15 years, use the
+`-haswell-` optimised binaries for best performance. These
+binaries enable hardware-accelerated CRC32 checksumming in
+RocksDB, which significantly improves database performance.
+The haswell instruction set provides an excellent balance of
+compatibility and speed.
+
+If you're using Docker instead, equivalent performance-optimised
+images are available with the `-maxperf` suffix (e.g.
+`forgejo.ellis.link/continuwuation/continuwuity:latest-maxperf`).
+These images use the `release-max-perf`
+build profile with
+[link-time optimisation (LTO)](https://doc.rust-lang.org/cargo/reference/profiles.html#lto)
+and, for amd64, target the haswell CPU architecture.
 
 ### Compiling
 
@@ -46,6 +56,8 @@ ### Building with the Rust toolchain
 
 You can build Continuwuity using `cargo build --release`.
 
+Continuwuity supports various optional features that can be enabled during compilation. Please see the Cargo.toml file for a comprehensive list, or ask in our rooms.
+
 ### Building with Nix
 
 If you prefer, you can use Nix (or [Lix](https://lix.systems)) to build Continuwuity. This provides improved reproducibility and makes it easy to set up a build environment and generate output. This approach also allows for easy cross-compilation.
@@ -259,7 +271,7 @@ # If federation is enabled
 ```
 
 - To check if your server can communicate with other homeservers, use the
-[Matrix Federation Tester](https://federationtester.matrix.org/). If you can
+[Matrix Federation Tester](https://federationtester.mtrnord.blog/). If you can
 register but cannot join federated rooms, check your configuration and verify
 that port 8448 is open and forwarded correctly.
 
@@ -267,7 +279,7 @@ # What's next?
 
 ## Audio/Video calls
 
-For Audio/Video call functionality see the [TURN Guide](../turn.md).
+For Audio/Video call functionality see the [Calls](../calls.md) page.
 
 ## Appservices
 

docs/deploying/kubernetes.mdx

@@ -1,7 +1,109 @@
 # Continuwuity for Kubernetes
 
 Continuwuity doesn't support horizontal scalability or distributed loading
-natively. However, [a community-maintained Helm Chart is available here to run
+natively. However, a deployment in Kubernetes is very similar to the docker
+setup. This is because Continuwuity can be fully configured using environment
+variables. A sample StatefulSet is shared below. The only thing missing is
+a PVC definition (named `continuwuity-data`) for the volume mounted to
+the StatefulSet, an Ingress resources to point your webserver to the
+Continuwuity Pods, and a Service resource (targeting `app.kubernetes.io/name: continuwuity`)
+to glue the Ingress and Pod together.
+
+Carefully go through the `env` section and add, change, and remove any env vars you like using the [Configuration reference](https://continuwuity.org/reference/config.html)
+
+```yaml
+apiVersion: apps/v1
+kind: StatefulSet
+metadata:
+  name: continuwuity
+  namespace: matrix
+  labels:
+    app.kubernetes.io/name: continuwuity
+spec:
+  replicas: 1
+  serviceName: continuwuity
+  podManagementPolicy: Parallel
+  selector:
+    matchLabels:
+      app.kubernetes.io/name: continuwuity
+  template:
+    metadata:
+      labels:
+        app.kubernetes.io/name: continuwuity
+    spec:
+      securityContext:
+        sysctls:
+          - name: net.ipv4.ip_unprivileged_port_start
+            value: "0"
+      containers:
+        - name: continuwuity
+          # use a sha hash <3
+          image: forgejo.ellis.link/continuwuation/continuwuity:latest
+          imagePullPolicy: IfNotPresent
+          ports:
+            - name: http
+              containerPort: 80
+          volumeMounts:
+            - mountPath: /data
+              name: data
+              subPath: data
+          securityContext:
+            capabilities:
+              add:
+                - NET_BIND_SERVICE
+          env:
+            - name: TOKIO_WORKER_THREADS
+              value: "2"
+            - name: CONTINUWUITY_SERVER_NAME
+              value: "example.com"
+            - name: CONTINUWUITY_DATABASE_PATH
+              value: "/data/db"
+            - name: CONTINUWUITY_DATABASE_BACKEND
+              value: "rocksdb"
+            - name: CONTINUWUITY_PORT
+              value: "80"
+            - name: CONTINUWUITY_MAX_REQUEST_SIZE
+              value: "20000000"
+            - name: CONTINUWUITY_ALLOW_FEDERATION
+              value: "true"
+            - name: CONTINUWUITY_TRUSTED_SERVERS
+              value: '["matrix.org"]'
+            - name: CONTINUWUITY_ADDRESS
+              value: "0.0.0.0"
+            - name: CONTINUWUITY_ROCKSDB_PARALLELISM_THREADS
+              value: "1"
+            - name: CONTINUWUITY_WELL_KNOWN__SERVER
+              value: "matrix.example.com:443"
+            - name: CONTINUWUITY_WELL_KNOWN__CLIENT
+              value: "https://matrix.example.com"
+            - name: CONTINUWUITY_ALLOW_REGISTRATION
+              value: "false"
+            - name: RUST_LOG
+              value: info
+          readinessProbe:
+            httpGet:
+              path: /_matrix/federation/v1/version
+              port: http
+            periodSeconds: 4
+            failureThreshold: 5
+          resources:
+            # Continuwuity might use quite some RAM :3
+            requests:
+              cpu: "2"
+              memory: "512Mi"
+            limits:
+              cpu: "4"
+              memory: "2048Mi"
+      volumes:
+        - name: data
+          persistentVolumeClaim:
+            claimName: continuwuity-data
+```
+
+---
+
+Apart from manually configuring the containers,
+[a community-maintained Helm Chart is available here to run
 conduwuit on Kubernetes](https://gitlab.cronce.io/charts/conduwuit)
 
 This should be compatible with Continuwuity, but you will need to change the image reference.

docs/development/code_style.mdx

@@ -128,7 +128,7 @@ ### Log Levels
 ```rs
 // Good
 error!(
-    error = %err,
+    error = ?err,
     room_id = %room_id,
     "Failed to send event to room"
 );
@@ -264,7 +264,7 @@ ### Code Comments
                 warn!(
                     destination = %destination,
                     attempt = attempt,
-                    error = %err,
+                    error = ?err,
                     retry_delay_ms = retry_delay.as_millis(),
                     "Federation request failed, retrying"
                 );

docs/development/contributing.mdx

@@ -149,11 +149,12 @@ ### Creating pull requests
 *looks* done.
 
 Before submitting a pull request, please ensure:
-1. Your code passes all CI checks (formatting, linting, typo detection, etc.)
+1. Your code passes all CI checks (formatting, linting, typo detection, etc.). Run pre-commit for this.
 2. Your code follows the [code style guide](./code_style)
 3. Your commit messages follow the conventional commits format
 4. Tests are added for new functionality
 5. Documentation is updated if needed
+6. You have written a [news fragment](#writing-news-fragments) for your changes
 
 Direct all PRs/MRs to the `main` branch.
 
@@ -171,3 +172,32 @@ ### Creating pull requests
 [sytest]: https://github.com/matrix-org/sytest/
 [mdbook]: https://rust-lang.github.io/mdBook/
 [documentation.yml]: https://forgejo.ellis.link/continuwuation/continuwuity/src/branch/main/.forgejo/workflows/documentation.yml
+
+#### Writing news fragments
+
+In order to make writing our changelogs easier, we make use of [Towncrier]. Towncrier builds changelogs based on
+"news fragments", which are little markdown files in the `changelog.d/` directory that describe individual changes.
+
+When you make a pull request that changes functionality, fixes a bug, or adds documentation, please add a news fragment
+describing your change. The file name *MUST* be in the format of `{pull_request_number}.{type}`, where `{type}` is one
+of the following:
+
+- `feature` - for new features
+- `bugfix` - for bug fixes
+- `doc` - for documentation changes
+- `misc` - for other changes that don't fit the above categories
+
+For example:
+
+```bash
+$ echo "Fixed the quantum flux stabiliser. Contributed by @alice." > changelog.d/42.bugfix
+```
+
+(Note: If you want to credit yourself, you should reference your forgejo handle, however links to other platforms are also acceptable.)
+
+When the next release is made, Towncrier will automatically include your news fragment in the changelog.
+
+You can read more about writing news fragments in the [Towncrier tutorial][tt].
+
+[Towncrier]: https://towncrier.readthedocs.io/
+[tt]: https://towncrier.readthedocs.io/en/stable/tutorial.html#creating-news-fragments

docs/index.mdx

@@ -19,6 +19,16 @@
     src: /assets/logo.svg
     alt: continuwuity logo
 
+beforeFeatures:
+  - title: Matrix for Discord users
+    details: New to Matrix? Learn how Matrix compares to Discord
+    link: https://joinmatrix.org/guide/matrix-vs-discord/
+    buttonText: Find Out the Difference
+  - title: How Matrix Works
+    details: Learn how Matrix works under the hood, and what that means
+    link: https://matrix.org/docs/matrix-concepts/elements-of-matrix/
+    buttonText: Read the Guide
+
 features:
   - title: 🚀 High Performance
     details: Built with Rust for exceptional speed and efficiency. Designed to run smoothly even on modest hardware.

docs/introduction.mdx

@@ -51,7 +51,13 @@ ## Can I try it out?
 
 Check out the [documentation](https://continuwuity.org) for installation instructions.
 
-There are currently no open registration continuwuity instances available.
+If you want to try it out as a user, we have some partnered homeservers you can use:
+* You can head over to [https://federated.nexus](https://federated.nexus/) in your browser.
+  * Hit the `Apply to Join` button. Once your request has been accepted, you will receive an email with your username and password.
+  * Head over to [https://app.federated.nexus](https://app.federated.nexus/) and you can sign in there, or use any other matrix chat client you wish elsewhere.
+  * Your username for matrix will be in the form of `@username:federated.nexus`, however you can simply use the `username` part to log in. Your password is your password.
+
+* There's also [https://continuwuity.rocks/](https://continuwuity.rocks/). You can register a new account using Cinny via [this convenient link](https://app.cinny.in/register/continuwuity.rocks), or you can use Element or another matrix client *that supports registration*.
 
 ## What are we working on?
 

docs/public/.well-known/continuwuity/announcements

@@ -6,12 +6,10 @@
             "message": "Welcome to Continuwuity! Important announcements about the project will appear here."
         },
         {
-            "id": 3,
-            "message": "_taps microphone_ The Continuwuity 0.5.0-rc.7 release is now available, and it's better than ever! **177 commits**, **35 pull requests**, **11 contributors,** and a lot of new stuff!\n\nFor highlights, we've got:\n\n* 🕵️ Full Policy Server support to fight spam!\n* 🚀 Smarter room & space upgrades.\n* 🚫 User suspension tools for better moderation.\n* 🤖 reCaptcha support for safer open registration.\n* 🔍 Ability to disable read receipts & typing indicators.\n* ⚡ Sweeping performance improvements!\n\nGet the [full changelog and downloads on our Forgejo](https://forgejo.ellis.link/continuwuation/continuwuity/releases/tag/v0.5.0-rc.7) - and make sure you're in the [Announcements room](https://matrix.to/#/!releases:continuwuity.org/$hN9z6L2_dTAlPxFLAoXVfo_g8DyYXu4cpvWsSrWhmB0) to get stuff like this sooner."
-        },
-        {
-            "id": 5,
-            "message": "It's a bird! It's a plane! No, it's 0.5.0-rc.8.1!\n\nThis is a minor bugfix update to the rc8 which backports some important fixes from the latest main branch. If you still haven't updated to rc8, you should skip to main. Otherwise, you should upgrade to this bugfix release as soon as possible.\n\nBugfixes backported to this version:\n\n- Resolved several issues with state resolution v2.1 (room version 12)\n- Fixed issues with the `restricted` and `knock_restricted` join rules that would sometimes incorrectly disallow a valid join\n- Fixed the automatic support contact listing being a no-op\n- Fixed upgrading pre-v12 rooms to v12 rooms\n- Fixed policy servers sending the incorrect JSON objects (resulted in false positives)\n- Fixed debug build panic during MSC4133 migration\n\nIt is recommended, if you can and are comfortable with doing so, following updates to the main branch - we're in the run up to the full 0.5.0 release, and more and more bugfixes and new features are being pushed constantly. Please don't forget to join [#announcements:continuwuity.org](https://matrix.to/#/#announcements:continuwuity.org) to receive this news faster and be alerted to other important updates!"
+            "id": 9,
+            "mention_room": false,
+            "date": "2026-02-09",
+            "message": "Yesterday we released [v0.5.4](https://forgejo.ellis.link/continuwuation/continuwuity/releases/tag/v0.5.4). Bugfixes, performance improvements and more moderation features! There's also a security fix, so please update as soon as possible. Don't forget to join [our announcements channel](https://matrix.to/#/!jIdNjSM5X-V5JVx2h2kAhUZIIQ08GyzPL55NFZAH1vM/%2489TY9CqRg4-ff1MGo3Ulc5r5X4pakfdzT-99RD8Docc?via=ellis.link&via=explodie.org&via=matrix.org) to get important information sooner <3 "
         }
     ]
 }

docs/reference/_meta.json

@@ -8,10 +8,5 @@
         "type": "file",
         "name": "admin",
         "label": "Admin Commands"
-    },
-    {
-        "type": "file",
-        "name": "server",
-        "label": "Server command"
     }
 ]

docs/reference/admin/appservices.md

@@ -0,0 +1,29 @@
+<!-- This file is generated by `cargo xtask generate-docs`. Do not edit. -->
+# `!admin appservices`
+
+Commands for managing appservices
+
+
+## `!admin appservices register`
+
+Register an appservice using its registration YAML
+
+This command needs a YAML generated by an appservice (such as a bridge), which must be provided in a Markdown code block below the command.
+
+Registering a new bridge using the ID of an existing bridge will replace the old one.
+
+## `!admin appservices unregister`
+
+Unregister an appservice using its ID
+
+You can find the ID using the `list-appservices` command.
+
+## `!admin appservices show-appservice-config`
+
+Show an appservice's config using its ID
+
+You can find the ID using the `list-appservices` command.
+
+## `!admin appservices list-registered`
+
+List all the currently registered appservices

docs/reference/admin/check.md

@@ -0,0 +1,9 @@
+<!-- This file is generated by `cargo xtask generate-docs`. Do not edit. -->
+# `!admin check`
+
+Commands for checking integrity
+
+
+## `!admin check check-all-users`
+
+Uses the iterator in `src/database/key_value/users.rs` to iterator over every user in our database (remote and local). Reports total count, any errors if there were any, etc

docs/reference/admin/debug.md

@@ -0,0 +1,135 @@
+<!-- This file is generated by `cargo xtask generate-docs`. Do not edit. -->
+# `!admin debug`
+
+Commands for debugging things
+
+
+## `!admin debug echo`
+
+Echo input of admin command
+
+## `!admin debug get-auth-chain`
+
+Get the auth_chain of a PDU
+
+## `!admin debug parse-pdu`
+
+Parse and print a PDU from a JSON
+
+The PDU event is only checked for validity and is not added to the database.
+
+This command needs a JSON blob provided in a Markdown code block below the command.
+
+## `!admin debug get-pdu`
+
+Retrieve and print a PDU by EventID from the Continuwuity database
+
+## `!admin debug get-short-pdu`
+
+Retrieve and print a PDU by PduId from the Continuwuity database
+
+## `!admin debug get-remote-pdu`
+
+Attempts to retrieve a PDU from a remote server. **Does not** insert it into the database or persist it anywhere
+
+## `!admin debug get-remote-pdu-list`
+
+Same as `get-remote-pdu` but accepts a codeblock newline delimited list of PDUs and a single server to fetch from
+
+## `!admin debug get-room-state`
+
+Gets all the room state events for the specified room.
+
+This is functionally equivalent to `GET /_matrix/client/v3/rooms/{roomid}/state`, except the admin command does *not* check if the sender user is allowed to see state events. This is done because it's implied that server admins here have database access and can see/get room info themselves anyways if they were malicious admins.
+
+Of course the check is still done on the actual client API.
+
+## `!admin debug get-signing-keys`
+
+Get and display signing keys from local cache or remote server
+
+## `!admin debug get-verify-keys`
+
+Get and display signing keys from local cache or remote server
+
+## `!admin debug ping`
+
+Sends a federation request to the remote server's `/_matrix/federation/v1/version` endpoint and measures the latency it took for the server to respond
+
+## `!admin debug force-device-list-updates`
+
+Forces device lists for all local and remote users to be updated (as having new keys available)
+
+## `!admin debug change-log-level`
+
+Change tracing log level/filter on the fly
+
+This accepts the same format as the `log` config option.
+
+## `!admin debug verify-json`
+
+Verify JSON signatures
+
+This command needs a JSON blob provided in a Markdown code block below the command.
+
+## `!admin debug verify-pdu`
+
+Verify PDU
+
+This re-verifies a PDU existing in the database found by ID.
+
+## `!admin debug first-pdu-in-room`
+
+Prints the very first PDU in the specified room (typically m.room.create)
+
+## `!admin debug latest-pdu-in-room`
+
+Prints the latest ("last") PDU in the specified room (typically a message)
+
+## `!admin debug force-set-room-state-from-server`
+
+Forcefully replaces the room state of our local copy of the specified room, with the copy (auth chain and room state events) the specified remote server says.
+
+A common desire for room deletion is to simply "reset" our copy of the room. While this admin command is not a replacement for that, if you know you have split/broken room state and you know another server in the room that has the best/working room state, this command can let you use their room state. Such example is your server saying users are in a room, but other servers are saying they're not in the room in question.
+
+This command will get the latest PDU in the room we know about, and request the room state at that point in time via `/_matrix/federation/v1/state/{roomId}`.
+
+## `!admin debug resolve-true-destination`
+
+Runs a server name through Continuwuity's true destination resolution process
+
+Useful for debugging well-known issues
+
+## `!admin debug memory-stats`
+
+Print extended memory usage
+
+Optional argument is a character mask (a sequence of characters in any order) which enable additional extended statistics. Known characters are "abdeglmx". For convenience, a '*' will enable everything.
+
+## `!admin debug runtime-metrics`
+
+Print general tokio runtime metric totals
+
+## `!admin debug runtime-interval`
+
+Print detailed tokio runtime metrics accumulated since last command invocation
+
+## `!admin debug time`
+
+Print the current time
+
+## `!admin debug database-stats`
+
+Get database statistics
+
+## `!admin debug trim-memory`
+
+Trim memory usage
+
+## `!admin debug database-files`
+
+List database files
+
+## `!admin debug tester`
+
+Developer test stubs

docs/reference/admin/federation.md

@@ -0,0 +1,29 @@
+<!-- This file is generated by `cargo xtask generate-docs`. Do not edit. -->
+# `!admin federation`
+
+Commands for managing federation
+
+
+## `!admin federation incoming-federation`
+
+List all rooms we are currently handling an incoming pdu from
+
+## `!admin federation disable-room`
+
+Disables incoming federation handling for a room
+
+## `!admin federation enable-room`
+
+Enables incoming federation handling for a room again
+
+## `!admin federation fetch-support-well-known`
+
+Fetch `/.well-known/matrix/support` from the specified server
+
+Despite the name, this is not a federation endpoint and does not go through the federation / server resolution process as per-spec this is supposed to be served at the server_name.
+
+Respecting homeservers put this file here for listing administration, moderation, and security inquiries. This command provides a way to easily fetch that information.
+
+## `!admin federation remote-user-in-rooms`
+
+Lists all the rooms we share/track with the specified *remote* user

docs/reference/admin/index.md

@@ -0,0 +1,23 @@
+<!-- This file is generated by `cargo xtask generate-docs`. Do not edit. -->
+# Admin Command Reference
+
+Admin commands allow server administrators to manage the server from within their Matrix client. "Server administrators" by default means only those users which are members of the admin room, but additional server admins may be added using the `admins_list` configuration option.
+
+## Running commands
+
+* All commands listed here may be used by server administrators in the admin room by sending them as messages.
+* If the `admin_escape_commands` configuration option is enabled, server administrators may run certain commands in public rooms by prefixing them with a single backslash. These commands will only run on _their_ homeserver, even if they are a member of another homeserver's admin room. Some sensitive commands cannot be used outside the admin room and will return an error.
+* All commands listed here may be used in the server's console, if it is enabled. Commands entered in the console do not require the `!admin` prefix.
+
+## Categories
+
+- [`!admin appservices`](appservices/): Commands for managing appservices
+- [`!admin users`](users/): Commands for managing local users
+- [`!admin token`](token/): Commands for managing registration tokens
+- [`!admin rooms`](rooms/): Commands for managing rooms
+- [`!admin federation`](federation/): Commands for managing federation
+- [`!admin server`](server/): Commands for managing the server
+- [`!admin media`](media/): Commands for managing media
+- [`!admin check`](check/): Commands for checking integrity
+- [`!admin debug`](debug/): Commands for debugging things
+- [`!admin query`](query/): Low-level queries for database getters and iterators

docs/reference/admin/media.md

@@ -0,0 +1,42 @@
+<!-- This file is generated by `cargo xtask generate-docs`. Do not edit. -->
+# `!admin media`
+
+Commands for managing media
+
+
+## `!admin media delete`
+
+Deletes a single media file from our database and on the filesystem via a single MXC URL or event ID (not redacted)
+
+## `!admin media delete-list`
+
+Deletes a codeblock list of MXC URLs from our database and on the filesystem. This will always ignore errors
+
+## `!admin media delete-past-remote-media`
+
+Deletes all remote (and optionally local) media created before/after
+[duration] ago, using filesystem metadata first created at date, or
+fallback to last modified date. This will always ignore errors by
+default.
+
+* Examples:
+  * Delete all remote media older than a year:
+
+    `!admin media delete-past-remote-media -b 1y`
+
+  * Delete all remote and local media from 3 days ago, up until now:
+
+    `!admin media delete-past-remote-media -a 3d
+-yes-i-want-to-delete-local-media`
+
+## `!admin media delete-all-from-user`
+
+Deletes all the local media from a local user on our server. This will always ignore errors by default
+
+## `!admin media delete-all-from-server`
+
+Deletes all remote media from the specified remote server. This will always ignore errors by default
+
+## `!admin media delete-url-preview`
+
+Deletes a cached URL preview, forcing it to be re-fetched. Use --all to purge all cached URL previews

docs/reference/admin/query.md

@@ -0,0 +1,194 @@
+<!-- This file is generated by `cargo xtask generate-docs`. Do not edit. -->
+# `!admin query`
+
+Low-level queries for database getters and iterators
+
+
+## `!admin query account-data`
+
+account_data.rs iterators and getters
+
+### `!admin query account-data changes-since`
+
+Returns all changes to the account data that happened after `since`
+
+### `!admin query account-data account-data-get`
+
+Searches the account data for a specific kind
+
+## `!admin query appservice`
+
+appservice.rs iterators and getters
+
+### `!admin query appservice get-registration`
+
+Gets the appservice registration info/details from the ID as a string
+
+### `!admin query appservice all`
+
+Gets all appservice registrations with their ID and registration info
+
+## `!admin query presence`
+
+presence.rs iterators and getters
+
+### `!admin query presence get-presence`
+
+Returns the latest presence event for the given user
+
+### `!admin query presence presence-since`
+
+Iterator of the most recent presence updates that happened after the event with id `since`
+
+## `!admin query room-alias`
+
+rooms/alias.rs iterators and getters
+
+### `!admin query room-alias local-aliases-for-room`
+
+Iterator of all our local room aliases for the room ID
+
+### `!admin query room-alias all-local-aliases`
+
+Iterator of all our local aliases in our database with their room IDs
+
+## `!admin query room-state-cache`
+
+rooms/state_cache iterators and getters
+
+## `!admin query room-timeline`
+
+rooms/timeline iterators and getters
+
+## `!admin query globals`
+
+globals.rs iterators and getters
+
+### `!admin query globals signing-keys-for`
+
+This returns an empty `Ok(BTreeMap<..>)` when there are no keys found for the server
+
+## `!admin query sending`
+
+sending.rs iterators and getters
+
+### `!admin query sending active-requests`
+
+Queries database for all `servercurrentevent_data`
+
+### `!admin query sending active-requests-for`
+
+Queries database for `servercurrentevent_data` but for a specific destination
+
+This command takes only *one* format of these arguments:
+
+appservice_id server_name user_id AND push_key
+
+See src/service/sending/mod.rs for the definition of the `Destination` enum
+
+### `!admin query sending queued-requests`
+
+Queries database for `servernameevent_data` which are the queued up requests that will eventually be sent
+
+This command takes only *one* format of these arguments:
+
+appservice_id server_name user_id AND push_key
+
+See src/service/sending/mod.rs for the definition of the `Destination` enum
+
+## `!admin query users`
+
+users.rs iterators and getters
+
+## `!admin query resolver`
+
+resolver service
+
+### `!admin query resolver destinations-cache`
+
+Query the destinations cache
+
+### `!admin query resolver overrides-cache`
+
+Query the overrides cache
+
+### `!admin query resolver flush-cache`
+
+Flush a given server from the resolver caches or flush them completely
+
+* Examples:
+  * Flush a specific server:
+
+    `!admin query resolver flush-cache matrix.example.com`
+
+  * Flush all resolver caches completely:
+
+    `!admin query resolver flush-cache --all`
+
+## `!admin query pusher`
+
+pusher service
+
+### `!admin query pusher get-pushers`
+
+Returns all the pushers for the user
+
+## `!admin query short`
+
+short service
+
+## `!admin query raw`
+
+raw service
+
+### `!admin query raw raw-maps`
+
+List database maps
+
+### `!admin query raw raw-get`
+
+Raw database query
+
+### `!admin query raw raw-del`
+
+Raw database delete (for string keys)
+
+### `!admin query raw raw-keys`
+
+Raw database keys iteration
+
+### `!admin query raw raw-keys-sizes`
+
+Raw database key size breakdown
+
+### `!admin query raw raw-keys-total`
+
+Raw database keys total bytes
+
+### `!admin query raw raw-vals-sizes`
+
+Raw database values size breakdown
+
+### `!admin query raw raw-vals-total`
+
+Raw database values total bytes
+
+### `!admin query raw raw-iter`
+
+Raw database items iteration
+
+### `!admin query raw raw-keys-from`
+
+Raw database keys iteration
+
+### `!admin query raw raw-iter-from`
+
+Raw database items iteration
+
+### `!admin query raw raw-count`
+
+Raw database record count
+
+### `!admin query raw compact`
+
+Compact database

docs/reference/admin/rooms.md

@@ -0,0 +1,83 @@
+<!-- This file is generated by `cargo xtask generate-docs`. Do not edit. -->
+# `!admin rooms`
+
+Commands for managing rooms
+
+
+## `!admin rooms list-rooms`
+
+List all rooms the server knows about
+
+## `!admin rooms info`
+
+View information about a room we know about
+
+### `!admin rooms info list-joined-members`
+
+List joined members in a room
+
+### `!admin rooms info view-room-topic`
+
+Displays room topic
+
+Room topics can be huge, so this is in its own separate command
+
+## `!admin rooms moderation`
+
+Manage moderation of remote or local rooms
+
+### `!admin rooms moderation ban-room`
+
+Bans a room from local users joining and evicts all our local users (including server admins) from the room. Also blocks any invites (local and remote) for the banned room, and disables federation entirely with it
+
+### `!admin rooms moderation ban-list-of-rooms`
+
+Bans a list of rooms (room IDs and room aliases) from a newline delimited codeblock similar to `user deactivate-all`. Applies the same steps as ban-room
+
+### `!admin rooms moderation unban-room`
+
+Unbans a room to allow local users to join again
+
+### `!admin rooms moderation list-banned-rooms`
+
+List of all rooms we have banned
+
+## `!admin rooms alias`
+
+Manage rooms' aliases
+
+### `!admin rooms alias set`
+
+Make an alias point to a room
+
+### `!admin rooms alias remove`
+
+Remove a local alias
+
+### `!admin rooms alias which`
+
+Show which room is using an alias
+
+### `!admin rooms alias list`
+
+List aliases currently being used
+
+## `!admin rooms directory`
+
+Manage the room directory
+
+### `!admin rooms directory publish`
+
+Publish a room to the room directory
+
+### `!admin rooms directory unpublish`
+
+Unpublish a room to the room directory
+
+### `!admin rooms directory list`
+
+List rooms that are published
+
+## `!admin rooms exists`
+
+Check if we know about a room

docs/reference/admin/server.md

@@ -0,0 +1,49 @@
+<!-- This file is generated by `cargo xtask generate-docs`. Do not edit. -->
+# `!admin server`
+
+Commands for managing the server
+
+
+## `!admin server uptime`
+
+Time elapsed since startup
+
+## `!admin server show-config`
+
+Show configuration values
+
+## `!admin server reload-config`
+
+Reload configuration values
+
+## `!admin server memory-usage`
+
+Print database memory usage statistics
+
+## `!admin server clear-caches`
+
+Clears all of Continuwuity's caches
+
+## `!admin server backup-database`
+
+Performs an online backup of the database (only available for RocksDB at the moment)
+
+## `!admin server list-backups`
+
+List database backups
+
+## `!admin server admin-notice`
+
+Send a message to the admin room
+
+## `!admin server reload-mods`
+
+Hot-reload the server
+
+## `!admin server restart`
+
+Restart the server
+
+## `!admin server shutdown`
+
+Shutdown the server

docs/reference/admin/token.md

@@ -0,0 +1,17 @@
+<!-- This file is generated by `cargo xtask generate-docs`. Do not edit. -->
+# `!admin token`
+
+Commands for managing registration tokens
+
+
+## `!admin token issue`
+
+Issue a new registration token
+
+## `!admin token revoke`
+
+Revoke a registration token
+
+## `!admin token list`
+
+List all registration tokens

docs/reference/admin/users.md

@@ -0,0 +1,141 @@
+<!-- This file is generated by `cargo xtask generate-docs`. Do not edit. -->
+# `!admin users`
+
+Commands for managing local users
+
+
+## `!admin users create-user`
+
+Create a new user
+
+## `!admin users reset-password`
+
+Reset user password
+
+## `!admin users deactivate`
+
+Deactivate a user
+
+User will be removed from all rooms by default. Use --no-leave-rooms to not leave all rooms by default.
+
+## `!admin users deactivate-all`
+
+Deactivate a list of users
+
+Recommended to use in conjunction with list-local-users.
+
+Users will be removed from joined rooms by default.
+
+Can be overridden with --no-leave-rooms.
+
+Removing a mass amount of users from a room may cause a significant amount of leave events. The time to leave rooms may depend significantly on joined rooms and servers.
+
+This command needs a newline separated list of users provided in a Markdown code block below the command.
+
+## `!admin users logout`
+
+Forcefully log a user out of all of their devices.
+
+This will invalidate all access tokens for the specified user, effectively logging them out from all sessions. Note that this is destructive and may result in data loss for the user, such as encryption keys. Use with caution. Can only be used in the admin room.
+
+## `!admin users suspend`
+
+Suspend a user
+
+Suspended users are able to log in, sync, and read messages, but are not able to send events nor redact them, cannot change their profile, and are unable to join, invite to, or knock on rooms.
+
+Suspended users can still leave rooms and deactivate their account. Suspending them effectively makes them read-only.
+
+## `!admin users unsuspend`
+
+Unsuspend a user
+
+Reverses the effects of the `suspend` command, allowing the user to send messages, change their profile, create room invites, etc.
+
+## `!admin users lock`
+
+Lock a user
+
+Locked users are unable to use their accounts beyond logging out. This is akin to a temporary deactivation that does not change the user's password. This can be used to quickly prevent a user from accessing their account.
+
+## `!admin users unlock`
+
+Unlock a user
+
+Reverses the effects of the `lock` command, allowing the user to use their account again.
+
+## `!admin users enable-login`
+
+Enable login for a user
+
+## `!admin users disable-login`
+
+Disable login for a user
+
+Disables login for the specified user without deactivating or locking their account. This prevents the user from obtaining new access tokens, but does not invalidate existing sessions.
+
+## `!admin users list-users`
+
+List local users in the database
+
+## `!admin users list-joined-rooms`
+
+Lists all the rooms (local and remote) that the specified user is joined in
+
+## `!admin users force-join-room`
+
+Manually join a local user to a room
+
+## `!admin users force-leave-room`
+
+Manually leave a local user from a room
+
+## `!admin users force-leave-remote-room`
+
+Manually leave a remote room for a local user
+
+## `!admin users force-demote`
+
+Forces the specified user to drop their power levels to the room default, if their permissions allow and the auth check permits
+
+## `!admin users make-user-admin`
+
+Grant server-admin privileges to a user
+
+## `!admin users put-room-tag`
+
+Puts a room tag for the specified user and room ID.
+
+This is primarily useful if you'd like to set your admin room to the special "System Alerts" section in Element as a way to permanently see your admin room without it being buried away in your favourites or rooms. To do this, you would pass your user, your admin room's internal ID, and the tag name `m.server_notice`.
+
+## `!admin users delete-room-tag`
+
+Deletes the room tag for the specified user and room ID
+
+## `!admin users get-room-tags`
+
+Gets all the room tags for the specified user and room ID
+
+## `!admin users redact-event`
+
+Attempts to forcefully redact the specified event ID from the sender user
+
+This is only valid for local users
+
+## `!admin users force-join-list-of-local-users`
+
+Force joins a specified list of local users to join the specified room.
+
+Specify a codeblock of usernames.
+
+At least 1 server admin must be in the room to reduce abuse.
+
+Requires the `--yes-i-want-to-do-this` flag.
+
+## `!admin users force-join-all-local-users`
+
+Force joins all local users to the specified room.
+
+At least 1 server admin must be in the room to reduce abuse.
+
+Requires the `--yes-i-want-to-do-this` flag.

docs/reference/server.mdx

@@ -1,21 +0,0 @@
-# Command-Line Help for `continuwuity`
-
-This document contains the help content for the `continuwuity` command-line program.
-
-**Command Overview:**
-
-* [`continuwuity`↴](#continuwuity)
-
-## `continuwuity`
-
-a very cool Matrix chat homeserver written in Rust
-
-**Usage:** `continuwuity [OPTIONS]`
-
-###### **Options:**
-
-* `-c`, `--config <CONFIG>` — Path to the config TOML file (optional)
-* `-O`, `--option <OPTION>` — Override a configuration variable using TOML 'key=value' syntax
-* `--read-only` — Run in a stricter read-only --maintenance mode
-* `--maintenance` — Run in maintenance mode while refusing connections
-* `--execute <EXECUTE>` — Execute console command automatically after startup

docs/troubleshooting.mdx

@@ -1,13 +1,28 @@
 # Troubleshooting Continuwuity
 
-> **Docker users ⚠️**
->
-> Docker can be difficult to use and debug. It's common for Docker
-> misconfigurations to cause issues, particularly with networking and permissions.
-> Please check that your issues are not due to problems with your Docker setup.
+:::warning{title="Docker users:"}
+Docker can be difficult to use and debug. It's common for Docker
+misconfigurations to cause issues, particularly with networking and permissions.
+Please check that your issues are not due to problems with your Docker setup.
+:::
 
 ## Continuwuity and Matrix issues
 
+### Slow joins to rooms
+
+Some slowness is to be expected if you're the first person on your homserver to join a room (which will
+always be the case for single-user homeservers). In this situation, your homeserver has to verify the signatures of
+all of the state events sent by other servers before your join. To make this process as fast as possible, make sure you have
+multiple fast, trusted servers listed in `trusted_servers` in your configuration, and ensure
+`query_trusted_key_servers_first_on_join` is set to true (the default).
+If you need suggestions for trusted servers, ask in the Continuwuity main room.
+
+However, _very_ slow joins, especially to rooms with only a few users in them or rooms created by another user
+on your homeserver, may be caused by [issue !779](https://forgejo.ellis.link/continuwuation/continuwuity/issues/779),
+which is a longstanding bug with synchronizing room joins to clients. In this situation, you did succeed in joining the room, but
+the bug caused your homeserver to forget to tell your client. **To fix this, clear your client's cache.** Both Element and Cinny
+have a button to clear their cache in the "About" section of their settings.
+
 ### Lost access to admin room
 
 You can reinvite yourself to the admin room through the following methods:
@@ -20,6 +35,16 @@ ### Lost access to admin room
 
 ## General potential issues
 
+### Configuration not working as expected
+
+Sometimes you can make a mistake in your configuration that
+means things don't get passed to Continuwuity correctly.
+This is particularly easy to do with environment variables.
+To check what configuration Continuwuity actually sees, you can
+use the `!admin server show-config` command in your admin room.
+Beware that this prints out any secrets in your configuration,
+so you might want to delete the result afterwards!
+
 ### Potential DNS issues when using Docker
 
 Docker's DNS setup for containers in a non-default network intercepts queries to
@@ -139,7 +164,7 @@ ### Database corruption
 
 ## Debugging
 
-Note that users should not really be debugging things. If you find yourself
+Note that users should not really need to debug things. If you find yourself
 debugging and find the issue, please let us know and/or how we can fix it.
 Various debug commands can be found in `!admin debug`.
 
@@ -178,6 +203,31 @@ ### Pinging servers
 and simply fetches a string on a static JSON endpoint. It is very low cost both
 bandwidth and computationally.
 
+### Enabling backtraces for errors
+
+Continuwuity can capture backtraces (stack traces) for errors to help diagnose
+issues. Backtraces show the exact sequence of function calls that led to an
+error, which is invaluable for debugging.
+
+To enable backtraces, set the `RUST_BACKTRACE` environment variable before starting Continuwuity:
+
+```bash
+# For both panics and errors
+RUST_BACKTRACE=1 ./conduwuit
+
+```
+
+For systemd deployments, add this to your service file:
+
+```ini
+[Service]
+Environment="RUST_BACKTRACE=1"
+```
+
+Backtrace capture has a performance cost. Avoid leaving it on.
+You can also enable it only for panics by setting
+`RUST_BACKTRACE=1` and `RUST_LIB_BACKTRACE=0`.
+
 ### Allocator memory stats
 
 When using jemalloc with jemallocator's `stats` feature (`--enable-stats`), you

docs/turn.mdx

@@ -1,94 +0,0 @@
-# Setting up TURN/STURN
-
-In order to make or receive calls, a TURN server is required. Continuwuity suggests
-using [Coturn](https://github.com/coturn/coturn) for this purpose, which is also
-available as a Docker image.
-
-### Configuration
-
-Create a configuration file called `coturn.conf` containing:
-
-```
-use-auth-secret
-static-auth-secret=<a secret key>
-realm=<your server domain>
-```
-
-A common way to generate a suitable alphanumeric secret key is by using `pwgen
--s 64 1`.
-
-These same values need to be set in Continuwuity. See the [example
-config](./reference/config.mdx) in the TURN section for configuring these and
-restart Continuwuity after.
-
-`turn_secret` or a path to `turn_secret_file` must have a value of your
-coturn `static-auth-secret`, or use `turn_username` and `turn_password`
-if using legacy username:password TURN authentication (not preferred).
-
-`turn_uris` must be the list of TURN URIs you would like to send to the client.
-Typically you will just replace the example domain `example.turn.uri` with the
-`realm` you set from the example config.
-
-If you are using TURN over TLS, you can replace `turn:` with `turns:` in the
-`turn_uris` config option to instruct clients to attempt to connect to
-TURN over TLS. This is highly recommended.
-
-If you need unauthenticated access to the TURN URIs, or some clients may be
-having trouble, you can enable `turn_guest_access` in Continuwuity which disables
-authentication for the TURN URI endpoint `/_matrix/client/v3/voip/turnServer`
-
-### Run
-
-Run the [Coturn](https://hub.docker.com/r/coturn/coturn) image using
-
-```bash
-docker run -d --network=host -v
-$(pwd)/coturn.conf:/etc/coturn/turnserver.conf coturn/coturn
-```
-
-or docker-compose. For the latter, paste the following section into a file
-called `docker-compose.yml` and run `docker compose up -d` in the same
-directory.
-
-```yml
-version: 3
-services:
-    turn:
-      container_name: coturn-server
-      image: docker.io/coturn/coturn
-      restart: unless-stopped
-      network_mode: "host"
-      volumes:
-        - ./coturn.conf:/etc/coturn/turnserver.conf
-```
-
-To understand why the host networking mode is used and explore alternative
-configuration options, please visit [Coturn's Docker
-documentation](https://github.com/coturn/coturn/blob/master/docker/coturn/README.md).
-
-For security recommendations see Synapse's [Coturn
-documentation](https://element-hq.github.io/synapse/latest/turn-howto.html).
-
-### Testing
-
-To make sure turn credentials are being correctly served to clients, you can manually make a HTTP request to the turnServer endpoint.
-
-`curl "https://<matrix.example.com>/_matrix/client/r0/voip/turnServer" -H 'Authorization: Bearer <your_client_token>' | jq`
-
-You should get a response like this:
-
-```json
-{
-  "username": "1752792167:@jade:example.com",
-  "password": "KjlDlawdPbU9mvP4bhdV/2c/h65=",
-  "uris": [
-    "turns:coturn.example.com?transport=udp",
-    "turns:coturn.example.com?transport=tcp",
-    "turn:coturn.example.com?transport=udp",
-    "turn:coturn.example.com?transport=tcp"
-  ],
-  "ttl": 86400
-}
-```
-
-You can test these credentials work using [Trickle ICE](https://webrtc.github.io/samples/src/content/peerconnection/trickle-ice/)

flake.lock

@@ -3,11 +3,11 @@
     "advisory-db": {
       "flake": false,
       "locked": {
-        "lastModified": 1761112158,
-        "narHash": "sha256-RIXu/7eyKpQHjsPuAUODO81I4ni8f+WYSb7K4mTG6+0=",
+        "lastModified": 1766324728,
+        "narHash": "sha256-9C+WyE5U3y5w4WQXxmb0ylRyMMsPyzxielWXSHrcDpE=",
         "owner": "rustsec",
         "repo": "advisory-db",
-        "rev": "58f3aaec0e1776f4a900737be8cd7cb00972210d",
+        "rev": "c88b88c62bda077be8aa621d4e89d8701e39cb5d",
         "type": "github"
       },
       "original": {
@@ -18,11 +18,11 @@
     },
     "crane": {
       "locked": {
-        "lastModified": 1760924934,
-        "narHash": "sha256-tuuqY5aU7cUkR71sO2TraVKK2boYrdW3gCSXUkF4i44=",
+        "lastModified": 1766194365,
+        "narHash": "sha256-4AFsUZ0kl6MXSm4BaQgItD0VGlEKR3iq7gIaL7TjBvc=",
         "owner": "ipetkov",
         "repo": "crane",
-        "rev": "c6b4d5308293d0d04fcfeee92705017537cad02f",
+        "rev": "7d8ec2c71771937ab99790b45e6d9b93d15d9379",
         "type": "github"
       },
       "original": {
@@ -39,11 +39,11 @@
         "rust-analyzer-src": "rust-analyzer-src"
       },
       "locked": {
-        "lastModified": 1761115517,
-        "narHash": "sha256-Fev/ag/c3Fp3JBwHfup3lpA5FlNXfkoshnQ7dssBgJ0=",
+        "lastModified": 1766299592,
+        "narHash": "sha256-7u+q5hexu2eAxL2VjhskHvaUKg+GexmelIR2ve9Nbb4=",
         "owner": "nix-community",
         "repo": "fenix",
-        "rev": "320433651636186ea32b387cff05d6bbfa30cea7",
+        "rev": "381579dee168d5ced412e2990e9637ecc7cf1c5d",
         "type": "github"
       },
       "original": {
@@ -55,11 +55,11 @@
     "flake-compat": {
       "flake": false,
       "locked": {
-        "lastModified": 1747046372,
-        "narHash": "sha256-CIVLLkVgvHYbgI2UpXvIIBJ12HWgX+fjA8Xf8PUmqCY=",
+        "lastModified": 1765121682,
+        "narHash": "sha256-4VBOP18BFeiPkyhy9o4ssBNQEvfvv1kXkasAYd0+rrA=",
         "owner": "edolstra",
         "repo": "flake-compat",
-        "rev": "9100a0f413b0c601e0533d1d94ffd501ce2e7885",
+        "rev": "65f23138d8d09a92e30f1e5c87611b23ef451bf3",
         "type": "github"
       },
       "original": {
@@ -74,11 +74,11 @@
         "nixpkgs-lib": "nixpkgs-lib"
       },
       "locked": {
-        "lastModified": 1760948891,
-        "narHash": "sha256-TmWcdiUUaWk8J4lpjzu4gCGxWY6/Ok7mOK4fIFfBuU4=",
+        "lastModified": 1765835352,
+        "narHash": "sha256-XswHlK/Qtjasvhd1nOa1e8MgZ8GS//jBoTqWtrS1Giw=",
         "owner": "hercules-ci",
         "repo": "flake-parts",
-        "rev": "864599284fc7c0ba6357ed89ed5e2cd5040f0c04",
+        "rev": "a34fae9c08a15ad73f295041fec82323541400a9",
         "type": "github"
       },
       "original": {
@@ -89,11 +89,11 @@
     },
     "nixpkgs": {
       "locked": {
-        "lastModified": 1760878510,
-        "narHash": "sha256-K5Osef2qexezUfs0alLvZ7nQFTGS9DL2oTVsIXsqLgs=",
+        "lastModified": 1766070988,
+        "narHash": "sha256-G/WVghka6c4bAzMhTwT2vjLccg/awmHkdKSd2JrycLc=",
         "owner": "NixOS",
         "repo": "nixpkgs",
-        "rev": "5e2a59a5b1a82f89f2c7e598302a9cacebb72a67",
+        "rev": "c6245e83d836d0433170a16eb185cefe0572f8b8",
         "type": "github"
       },
       "original": {
@@ -105,11 +105,11 @@
     },
     "nixpkgs-lib": {
       "locked": {
-        "lastModified": 1754788789,
-        "narHash": "sha256-x2rJ+Ovzq0sCMpgfgGaaqgBSwY+LST+WbZ6TytnT9Rk=",
+        "lastModified": 1765674936,
+        "narHash": "sha256-k00uTP4JNfmejrCLJOwdObYC9jHRrr/5M/a/8L2EIdo=",
         "owner": "nix-community",
         "repo": "nixpkgs.lib",
-        "rev": "a73b9c743612e4244d865a2fdee11865283c04e6",
+        "rev": "2075416fcb47225d9b68ac469a5c4801a9c4dd85",
         "type": "github"
       },
       "original": {
@@ -132,11 +132,11 @@
     "rust-analyzer-src": {
       "flake": false,
       "locked": {
-        "lastModified": 1761077270,
-        "narHash": "sha256-O1uTuvI/rUlubJ8AXKyzh1WSWV3qCZX0huTFUvWLN4E=",
+        "lastModified": 1766253897,
+        "narHash": "sha256-ChK07B1aOlJ4QzWXpJo+y8IGAxp1V9yQ2YloJ+RgHRw=",
         "owner": "rust-lang",
         "repo": "rust-analyzer",
-        "rev": "39990a923c8bca38f5bd29dc4c96e20ee7808d5d",
+        "rev": "765b7bdb432b3740f2d564afccfae831d5a972e4",
         "type": "github"
       },
       "original": {
@@ -153,11 +153,11 @@
         ]
       },
       "locked": {
-        "lastModified": 1760945191,
-        "narHash": "sha256-ZRVs8UqikBa4Ki3X4KCnMBtBW0ux1DaT35tgsnB1jM4=",
+        "lastModified": 1766000401,
+        "narHash": "sha256-+cqN4PJz9y0JQXfAK5J1drd0U05D5fcAGhzhfVrDlsI=",
         "owner": "numtide",
         "repo": "treefmt-nix",
-        "rev": "f56b1934f5f8fcab8deb5d38d42fd692632b47c2",
+        "rev": "42d96e75aa56a3f70cab7e7dc4a32868db28e8fd",
         "type": "github"
       },
       "original": {

nix/packages/uwulib/build.nix

@@ -20,7 +20,7 @@ rec {
       # we need to keep the `web` directory which would be filtered out by the regular source filtering function
       #
       # https://crane.dev/API.html#cranelibcleancargosource
-      isWebTemplate = path: _type: builtins.match ".*src/web.*" path != null;
+      isWebTemplate = path: _type: builtins.match ".*(src/(web|service)|docs).*" path != null;
       isRust = craneLib.filterCargoSources;
       isNix = path: _type: builtins.match ".+/nix.*" path != null;
       webOrRustNotNix = p: t: !(isNix p t) && (isWebTemplate p t || isRust p t);
@@ -77,7 +77,12 @@ rec {
     craneLib.buildDepsOnly (
       (commonAttrs commonAttrsArgs)
       // {
-        env = uwuenv.buildDepsOnlyEnv // (makeRocksDBEnv { inherit rocksdb; });
+        env = uwuenv.buildDepsOnlyEnv
+              // (makeRocksDBEnv { inherit rocksdb; })
+              // {
+                # required since we started using unstable reqwest apparently ... otherwise the all-features build will fail
+                RUSTFLAGS = "--cfg reqwest_unstable";
+              };
         inherit (features) cargoExtraArgs;
       }
 
@@ -102,7 +107,13 @@ rec {
         '';
         cargoArtifacts = deps;
         doCheck = true;
-        env = uwuenv.buildPackageEnv // rocksdbEnv;
+        env =
+          uwuenv.buildPackageEnv
+          // rocksdbEnv
+          // {
+            # required since we started using unstable reqwest apparently ... otherwise the all-features build will fail
+            RUSTFLAGS = "--cfg reqwest_unstable";
+          };
         passthru.env = uwuenv.buildPackageEnv // rocksdbEnv;
         meta.mainProgram = crateInfo.pname;
         inherit (features) cargoExtraArgs;

package.json

@@ -22,10 +22,9 @@
   "license": "ISC",
   "type": "commonjs",
   "devDependencies": {
-    "@rspress/core": "^2.0.0-rc.1",
-    "@rspress/plugin-client-redirects": "^2.0.0-alpha.12",
-    "@rspress/plugin-preview": "^2.0.0-beta.35",
-    "@rspress/plugin-sitemap": "^2.0.0-beta.23",
+    "@rspress/core": "^2.0.0",
+    "@rspress/plugin-client-redirects": "^2.0.0",
+    "@rspress/plugin-sitemap": "^2.0.0",
     "typescript": "^5.9.3"
   }
 }

pkg/fedora/continuwuity.spec.rpkg

@@ -4,7 +4,7 @@
 Name:           continuwuity
 Version:        {{{ git_repo_version }}}
 Release:        1%{?dist}
-Summary:        Very cool Matrix chat homeserver written in Rust
+Summary:        A Matrix homeserver written in Rust.
 
 License:        Apache-2.0 AND MIT
 
@@ -23,7 +23,7 @@ Requires:       glibc
 Requires:       libstdc++
 
 %global _description %{expand:
-A cool hard fork of Conduit, a Matrix homeserver written in Rust}
+A Matrix homeserver written in Rust, the official continuation of the conduwuit homeserver.}
 
 %description %{_description}
 

release.toml

@@ -0,0 +1,8 @@
+tag-message = "chore: Release v{{version}}"
+tag-prefix = ""
+shared-version = true
+
+publish = false
+
+sign-commit = true
+sign-tag = true

renovate.json

@@ -1,6 +1,7 @@
 {
     "$schema": "https://docs.renovatebot.com/renovate-schema.json",
     "extends": ["config:recommended", "replacements:all"],
+    "dependencyDashboard": true,
     "osvVulnerabilityAlerts": true,
     "lockFileMaintenance": {
         "enabled": true,
@@ -57,12 +58,25 @@
             "matchUpdateTypes": ["minor", "patch"],
             "groupName": "github-actions-non-major"
         },
+        {
+            "description": "Batch patch-level Node.js dependency updates",
+            "matchManagers": ["npm"],
+            "matchUpdateTypes": ["patch"],
+            "groupName": "node-patch-updates"
+        },
         {
             "description": "Pin forgejo artifact actions to prevent breaking changes",
             "matchManagers": ["github-actions"],
             "matchPackageNames": ["forgejo/upload-artifact", "forgejo/download-artifact"],
             "enabled": false
         },
+        {
+            "description": "Auto-merge crate-ci/typos minor updates",
+            "matchPackageNames": ["crate-ci/typos"],
+            "matchUpdateTypes": ["minor", "patch"],
+            "automerge": true,
+            "automergeStrategy": "fast-forward"
+        },
         {
             "description": "Auto-merge renovatebot docker image updates",
             "matchDatasources": ["docker"],

rspress.config.ts

@@ -1,5 +1,4 @@
 import { defineConfig } from '@rspress/core';
-import { pluginPreview } from '@rspress/plugin-preview';
 import { pluginSitemap } from '@rspress/plugin-sitemap';
 import { pluginClientRedirects } from '@rspress/plugin-client-redirects';
 
@@ -41,7 +40,7 @@ export default defineConfig({
         },
     },
 
-    plugins: [pluginPreview(), pluginSitemap({
+    plugins: [pluginSitemap({
         siteUrl: 'https://continuwuity.org', // TODO: Set automatically in build pipeline
     }),
     pluginClientRedirects({
@@ -54,6 +53,12 @@ export default defineConfig({
         }, {
             from: '/server_reference',
             to: '/reference/server'
+        }, {
+            from: '/community$',
+            to: '/community/guidelines'
+        }, {
+            from: "^/turn",
+            to: "/calls/turn",
         }
         ]
     })],

src/admin/Cargo.toml

@@ -1,9 +1,7 @@
 [package]
 name = "conduwuit_admin"
-categories.workspace = true
 description.workspace = true
 edition.workspace = true
-keywords.workspace = true
 license.workspace = true
 readme.workspace = true
 repository.workspace = true
@@ -89,7 +87,6 @@ serde-saphyr.workspace = true
 tokio.workspace = true
 tracing-subscriber.workspace = true
 tracing.workspace = true
-ctor.workspace = true
 
 [lints]
 workspace = true

src/admin/admin.rs

@@ -2,65 +2,93 @@
 use conduwuit::Result;
 
 use crate::{
-	appservice, appservice::AppserviceCommand, check, check::CheckCommand, context::Context,
-	debug, debug::DebugCommand, federation, federation::FederationCommand, media,
-	media::MediaCommand, query, query::QueryCommand, room, room::RoomCommand, server,
-	server::ServerCommand, user, user::UserCommand,
+	appservice::{self, AppserviceCommand},
+	check::{self, CheckCommand},
+	context::Context,
+	debug::{self, DebugCommand},
+	federation::{self, FederationCommand},
+	media::{self, MediaCommand},
+	query::{self, QueryCommand},
+	room::{self, RoomCommand},
+	server::{self, ServerCommand},
+	token::{self, TokenCommand},
+	user::{self, UserCommand},
 };
 
 #[derive(Debug, Parser)]
 #[command(name = conduwuit_core::name(), version = conduwuit_core::version())]
 pub enum AdminCommand {
 	#[command(subcommand)]
-	/// - Commands for managing appservices
+	/// Commands for managing appservices
 	Appservices(AppserviceCommand),
 
 	#[command(subcommand)]
-	/// - Commands for managing local users
+	/// Commands for managing local users
 	Users(UserCommand),
 
 	#[command(subcommand)]
-	/// - Commands for managing rooms
+	/// Commands for managing registration tokens
+	Token(TokenCommand),
+
+	#[command(subcommand)]
+	/// Commands for managing rooms
 	Rooms(RoomCommand),
 
 	#[command(subcommand)]
-	/// - Commands for managing federation
+	/// Commands for managing federation
 	Federation(FederationCommand),
 
 	#[command(subcommand)]
-	/// - Commands for managing the server
+	/// Commands for managing the server
 	Server(ServerCommand),
 
 	#[command(subcommand)]
-	/// - Commands for managing media
+	/// Commands for managing media
 	Media(MediaCommand),
 
 	#[command(subcommand)]
-	/// - Commands for checking integrity
+	/// Commands for checking integrity
 	Check(CheckCommand),
 
 	#[command(subcommand)]
-	/// - Commands for debugging things
+	/// Commands for debugging things
 	Debug(DebugCommand),
 
 	#[command(subcommand)]
-	/// - Low-level queries for database getters and iterators
+	/// Low-level queries for database getters and iterators
 	Query(QueryCommand),
 }
 
-#[tracing::instrument(skip_all, name = "command")]
+#[tracing::instrument(skip_all, name = "command", level = "info")]
 pub(super) async fn process(command: AdminCommand, context: &Context<'_>) -> Result {
 	use AdminCommand::*;
 
 	match command {
-		| Appservices(command) => appservice::process(command, context).await,
+		| Appservices(command) => {
+			// appservice commands are all restricted
+			context.bail_restricted()?;
+			appservice::process(command, context).await
+		},
 		| Media(command) => media::process(command, context).await,
-		| Users(command) => user::process(command, context).await,
+		| Users(command) => {
+			// user commands are all restricted
+			context.bail_restricted()?;
+			user::process(command, context).await
+		},
+		| Token(command) => {
+			// token commands are all restricted
+			context.bail_restricted()?;
+			token::process(command, context).await
+		},
 		| Rooms(command) => room::process(command, context).await,
 		| Federation(command) => federation::process(command, context).await,
 		| Server(command) => server::process(command, context).await,
 		| Debug(command) => debug::process(command, context).await,
-		| Query(command) => query::process(command, context).await,
+		| Query(command) => {
+			// query commands are all restricted
+			context.bail_restricted()?;
+			query::process(command, context).await
+		},
 		| Check(command) => check::process(command, context).await,
 	}
 }

src/admin/appservice/mod.rs

@@ -8,7 +8,7 @@
 #[derive(Debug, Subcommand)]
 #[admin_command_dispatch]
 pub enum AppserviceCommand {
-	/// - Register an appservice using its registration YAML
+	/// Register an appservice using its registration YAML
 	///
 	/// This command needs a YAML generated by an appservice (such as a bridge),
 	/// which must be provided in a Markdown code block below the command.
@@ -17,7 +17,7 @@ pub enum AppserviceCommand {
 	/// the old one.
 	Register,
 
-	/// - Unregister an appservice using its ID
+	/// Unregister an appservice using its ID
 	///
 	/// You can find the ID using the `list-appservices` command.
 	Unregister {
@@ -25,7 +25,7 @@ pub enum AppserviceCommand {
 		appservice_identifier: String,
 	},
 
-	/// - Show an appservice's config using its ID
+	/// Show an appservice's config using its ID
 	///
 	/// You can find the ID using the `list-appservices` command.
 	#[clap(alias("show"))]
@@ -34,7 +34,7 @@ pub enum AppserviceCommand {
 		appservice_identifier: String,
 	},
 
-	/// - List all the currently registered appservices
+	/// List all the currently registered appservices
 	#[clap(alias("list"))]
 	ListRegistered,
 }

src/admin/check/commands.rs

@@ -4,9 +4,6 @@
 
 use crate::Context;
 
-/// Uses the iterator in `src/database/key_value/users.rs` to iterator over
-/// every user in our database (remote and local). Reports total count, any
-/// errors if there were any, etc
 #[implement(Context, params = "<'_>")]
 pub(super) async fn check_all_users(&self) -> Result {
 	let timer = tokio::time::Instant::now();

src/admin/check/mod.rs

@@ -8,5 +8,8 @@
 #[admin_command_dispatch]
 #[derive(Debug, Subcommand)]
 pub enum CheckCommand {
+	/// Uses the iterator in `src/database/key_value/users.rs` to iterator over
+	/// every user in our database (remote and local). Reports total count, any
+	/// errors if there were any, etc
 	CheckAllUsers,
 }

src/admin/context.rs

@@ -1,6 +1,6 @@
 use std::{fmt, time::SystemTime};
 
-use conduwuit::Result;
+use conduwuit::{Err, Result};
 use conduwuit_service::Services;
 use futures::{
 	Future, FutureExt, TryFutureExt,
@@ -8,6 +8,7 @@
 	lock::Mutex,
 };
 use ruma::{EventId, UserId};
+use service::admin::InvocationSource;
 
 pub(crate) struct Context<'a> {
 	pub(crate) services: &'a Services,
@@ -16,6 +17,7 @@ pub(crate) struct Context<'a> {
 	pub(crate) reply_id: Option<&'a EventId>,
 	pub(crate) sender: Option<&'a UserId>,
 	pub(crate) output: Mutex<BufWriter<Vec<u8>>>,
+	pub(crate) source: InvocationSource,
 }
 
 impl Context<'_> {
@@ -43,4 +45,22 @@ pub(crate) fn sender_or_service_user(&self) -> &UserId {
 		self.sender
 			.unwrap_or_else(|| self.services.globals.server_user.as_ref())
 	}
+
+	/// Returns an Err if the [`Self::source`] of this context does not allow
+	/// restricted commands to be executed.
+	///
+	/// This is intended to be placed at the start of restricted commands'
+	/// implementations, like so:
+	///
+	/// ```ignore
+	/// self.bail_restricted()?;
+	/// // actual command impl
+	/// ```
+	pub(crate) fn bail_restricted(&self) -> Result {
+		if self.source.allows_restricted() {
+			Ok(())
+		} else {
+			Err!("This command can only be used in the admin room.")
+		}
+	}
 }

src/admin/debug/commands.rs

@@ -291,6 +291,8 @@ pub(super) async fn get_remote_pdu(
 
 #[admin_command]
 pub(super) async fn get_room_state(&self, room: OwnedRoomOrAliasId) -> Result {
+	self.bail_restricted()?;
+
 	let room_id = self.services.rooms.alias.resolve(&room).await?;
 	let room_state: Vec<Raw<AnyStateEvent>> = self
 		.services
@@ -417,27 +419,6 @@ pub(super) async fn change_log_level(&self, filter: Option<String>, reset: bool)
 	Err!("No log level was specified.")
 }
 
-#[admin_command]
-pub(super) async fn sign_json(&self) -> Result {
-	if self.body.len() < 2
-		|| !self.body[0].trim().starts_with("```")
-		|| self.body.last().unwrap_or(&"").trim() != "```"
-	{
-		return Err!("Expected code block in command body. Add --help for details.");
-	}
-
-	let string = self.body[1..self.body.len().checked_sub(1).unwrap()].join("\n");
-	match serde_json::from_str(&string) {
-		| Err(e) => return Err!("Invalid json: {e}"),
-		| Ok(mut value) => {
-			self.services.server_keys.sign_json(&mut value)?;
-			let json_text = serde_json::to_string_pretty(&value)?;
-			write!(self, "{json_text}")
-		},
-	}
-	.await
-}
-
 #[admin_command]
 pub(super) async fn verify_json(&self) -> Result {
 	if self.body.len() < 2
@@ -475,8 +456,10 @@ pub(super) async fn verify_pdu(&self, event_id: OwnedEventId) -> Result {
 }
 
 #[admin_command]
-#[tracing::instrument(skip(self))]
+#[tracing::instrument(skip(self), level = "info")]
 pub(super) async fn first_pdu_in_room(&self, room_id: OwnedRoomId) -> Result {
+	self.bail_restricted()?;
+
 	if !self
 		.services
 		.rooms
@@ -500,8 +483,10 @@ pub(super) async fn first_pdu_in_room(&self, room_id: OwnedRoomId) -> Result {
 }
 
 #[admin_command]
-#[tracing::instrument(skip(self))]
+#[tracing::instrument(skip(self), level = "info")]
 pub(super) async fn latest_pdu_in_room(&self, room_id: OwnedRoomId) -> Result {
+	self.bail_restricted()?;
+
 	if !self
 		.services
 		.rooms
@@ -525,13 +510,15 @@ pub(super) async fn latest_pdu_in_room(&self, room_id: OwnedRoomId) -> Result {
 }
 
 #[admin_command]
-#[tracing::instrument(skip(self))]
+#[tracing::instrument(skip(self), level = "info")]
 pub(super) async fn force_set_room_state_from_server(
 	&self,
 	room_id: OwnedRoomId,
 	server_name: OwnedServerName,
 	at_event: Option<OwnedEventId>,
 ) -> Result {
+	self.bail_restricted()?;
+
 	if !self
 		.services
 		.rooms
@@ -832,32 +819,6 @@ pub(super) async fn time(&self) -> Result {
 	self.write_str(&now).await
 }
 
-#[admin_command]
-pub(super) async fn list_dependencies(&self, names: bool) -> Result {
-	if names {
-		let out = info::cargo::dependencies_names().join(" ");
-		return self.write_str(&out).await;
-	}
-
-	let mut out = String::new();
-	let deps = info::cargo::dependencies();
-	writeln!(out, "| name | version | features |")?;
-	writeln!(out, "| ---- | ------- | -------- |")?;
-	for (name, dep) in deps {
-		let version = dep.try_req().unwrap_or("*");
-		let feats = dep.req_features();
-		let feats = if !feats.is_empty() {
-			feats.join(" ")
-		} else {
-			String::new()
-		};
-
-		writeln!(out, "| {name} | {version} | {feats} |")?;
-	}
-
-	self.write_str(&out).await
-}
-
 #[admin_command]
 pub(super) async fn database_stats(
 	&self,

src/admin/debug/mod.rs

@@ -12,18 +12,18 @@
 #[admin_command_dispatch]
 #[derive(Debug, Subcommand)]
 pub enum DebugCommand {
-	/// - Echo input of admin command
+	/// Echo input of admin command
 	Echo {
 		message: Vec<String>,
 	},
 
-	/// - Get the auth_chain of a PDU
+	/// Get the auth_chain of a PDU
 	GetAuthChain {
 		/// An event ID (the $ character followed by the base64 reference hash)
 		event_id: OwnedEventId,
 	},
 
-	/// - Parse and print a PDU from a JSON
+	/// Parse and print a PDU from a JSON
 	///
 	/// The PDU event is only checked for validity and is not added to the
 	/// database.
@@ -32,13 +32,13 @@ pub enum DebugCommand {
 	/// the command.
 	ParsePdu,
 
-	/// - Retrieve and print a PDU by EventID from the Continuwuity database
+	/// Retrieve and print a PDU by EventID from the Continuwuity database
 	GetPdu {
 		/// An event ID (a $ followed by the base64 reference hash)
 		event_id: OwnedEventId,
 	},
 
-	/// - Retrieve and print a PDU by PduId from the Continuwuity database
+	/// Retrieve and print a PDU by PduId from the Continuwuity database
 	GetShortPdu {
 		/// Shortroomid integer
 		shortroomid: ShortRoomId,
@@ -47,9 +47,9 @@ pub enum DebugCommand {
 		shorteventid: ShortEventId,
 	},
 
-	/// - Attempts to retrieve a PDU from a remote server. Inserts it into our
-	///   database/timeline if found and we do not have this PDU already
-	///   (following normal event auth rules, handles it as an incoming PDU).
+	/// Attempts to retrieve a PDU from a remote server. **Does not** insert
+	///   it into the database
+	/// or persist it anywhere.
 	GetRemotePdu {
 		/// An event ID (a $ followed by the base64 reference hash)
 		event_id: OwnedEventId,
@@ -59,7 +59,7 @@ pub enum DebugCommand {
 		server: OwnedServerName,
 	},
 
-	/// - Same as `get-remote-pdu` but accepts a codeblock newline delimited
+	/// Same as `get-remote-pdu` but accepts a codeblock newline delimited
 	///   list of PDUs and a single server to fetch from
 	GetRemotePduList {
 		/// Argument for us to attempt to fetch all the events from the
@@ -71,7 +71,7 @@ pub enum DebugCommand {
 		force: bool,
 	},
 
-	/// - Gets all the room state events for the specified room.
+	/// Gets all the room state events for the specified room.
 	///
 	/// This is functionally equivalent to `GET
 	/// /_matrix/client/v3/rooms/{roomid}/state`, except the admin command does
@@ -86,7 +86,7 @@ pub enum DebugCommand {
 		room_id: OwnedRoomOrAliasId,
 	},
 
-	/// - Get and display signing keys from local cache or remote server.
+	/// Get and display signing keys from local cache or remote server.
 	GetSigningKeys {
 		server_name: Option<OwnedServerName>,
 
@@ -97,23 +97,23 @@ pub enum DebugCommand {
 		query: bool,
 	},
 
-	/// - Get and display signing keys from local cache or remote server.
+	/// Get and display signing keys from local cache or remote server.
 	GetVerifyKeys {
 		server_name: Option<OwnedServerName>,
 	},
 
-	/// - Sends a federation request to the remote server's
+	/// Sends a federation request to the remote server's
 	///   `/_matrix/federation/v1/version` endpoint and measures the latency it
 	///   took for the server to respond
 	Ping {
 		server: OwnedServerName,
 	},
 
-	/// - Forces device lists for all local and remote users to be updated (as
+	/// Forces device lists for all local and remote users to be updated (as
 	///   having new keys available)
 	ForceDeviceListUpdates,
 
-	/// - Change tracing log level/filter on the fly
+	/// Change tracing log level/filter on the fly
 	///
 	/// This accepts the same format as the `log` config option.
 	ChangeLogLevel {
@@ -125,40 +125,34 @@ pub enum DebugCommand {
 		reset: bool,
 	},
 
-	/// - Sign JSON blob
-	///
-	/// This command needs a JSON blob provided in a Markdown code block below
-	/// the command.
-	SignJson,
-
-	/// - Verify JSON signatures
+	/// Verify JSON signatures
 	///
 	/// This command needs a JSON blob provided in a Markdown code block below
 	/// the command.
 	VerifyJson,
 
-	/// - Verify PDU
+	/// Verify PDU
 	///
 	/// This re-verifies a PDU existing in the database found by ID.
 	VerifyPdu {
 		event_id: OwnedEventId,
 	},
 
-	/// - Prints the very first PDU in the specified room (typically
+	/// Prints the very first PDU in the specified room (typically
 	///   m.room.create)
 	FirstPduInRoom {
 		/// The room ID
 		room_id: OwnedRoomId,
 	},
 
-	/// - Prints the latest ("last") PDU in the specified room (typically a
+	/// Prints the latest ("last") PDU in the specified room (typically a
 	///   message)
 	LatestPduInRoom {
 		/// The room ID
 		room_id: OwnedRoomId,
 	},
 
-	/// - Forcefully replaces the room state of our local copy of the specified
+	/// Forcefully replaces the room state of our local copy of the specified
 	///   room, with the copy (auth chain and room state events) the specified
 	///   remote server says.
 	///
@@ -182,7 +176,7 @@ pub enum DebugCommand {
 		event_id: Option<OwnedEventId>,
 	},
 
-	/// - Runs a server name through Continuwuity's true destination resolution
+	/// Runs a server name through Continuwuity's true destination resolution
 	///   process
 	///
 	/// Useful for debugging well-known issues
@@ -193,7 +187,7 @@ pub enum DebugCommand {
 		no_cache: bool,
 	},
 
-	/// - Print extended memory usage
+	/// Print extended memory usage
 	///
 	/// Optional argument is a character mask (a sequence of characters in any
 	/// order) which enable additional extended statistics. Known characters are
@@ -202,23 +196,17 @@ pub enum DebugCommand {
 		opts: Option<String>,
 	},
 
-	/// - Print general tokio runtime metric totals.
+	/// Print general tokio runtime metric totals.
 	RuntimeMetrics,
 
-	/// - Print detailed tokio runtime metrics accumulated since last command
+	/// Print detailed tokio runtime metrics accumulated since last command
 	///   invocation.
 	RuntimeInterval,
 
-	/// - Print the current time
+	/// Print the current time
 	Time,
 
-	/// - List dependencies
-	ListDependencies {
-		#[arg(short, long)]
-		names: bool,
-	},
-
-	/// - Get database statistics
+	/// Get database statistics
 	DatabaseStats {
 		property: Option<String>,
 
@@ -226,10 +214,10 @@ pub enum DebugCommand {
 		map: Option<String>,
 	},
 
-	/// - Trim memory usage
+	/// Trim memory usage
 	TrimMemory,
 
-	/// - List database files
+	/// List database files
 	DatabaseFiles {
 		map: Option<String>,
 
@@ -237,7 +225,7 @@ pub enum DebugCommand {
 		level: Option<i32>,
 	},
 
-	/// - Developer test stubs
+	/// Developer test stubs
 	#[command(subcommand)]
 	#[allow(non_snake_case)]
 	#[clap(hide(true))]

src/admin/federation/commands.rs

@@ -8,12 +8,14 @@
 
 #[admin_command]
 pub(super) async fn disable_room(&self, room_id: OwnedRoomId) -> Result {
+	self.bail_restricted()?;
 	self.services.rooms.metadata.disable_room(&room_id, true);
 	self.write_str("Room disabled.").await
 }
 
 #[admin_command]
 pub(super) async fn enable_room(&self, room_id: OwnedRoomId) -> Result {
+	self.bail_restricted()?;
 	self.services.rooms.metadata.disable_room(&room_id, false);
 	self.write_str("Room enabled.").await
 }
@@ -28,12 +30,15 @@ pub(super) async fn incoming_federation(&self) -> Result {
 			.federation_handletime
 			.read();
 
-		let mut msg = format!("Handling {} incoming pdus:\n", map.len());
+		let mut msg = format!(
+			"Handling {} incoming PDUs across {} active transactions:\n",
+			map.len(),
+			self.services.transactions.txn_active_handle_count()
+		);
 		for (r, (e, i)) in map.iter() {
 			let elapsed = i.elapsed();
 			writeln!(msg, "{} {}: {}m{}s", r, e, elapsed.as_secs() / 60, elapsed.as_secs() % 60)?;
 		}
-
 		msg
 	};
 

src/admin/federation/mod.rs

@@ -9,20 +9,20 @@
 #[admin_command_dispatch]
 #[derive(Debug, Subcommand)]
 pub enum FederationCommand {
-	/// - List all rooms we are currently handling an incoming pdu from
+	/// List all rooms we are currently handling an incoming pdu from
 	IncomingFederation,
 
-	/// - Disables incoming federation handling for a room.
+	/// Disables incoming federation handling for a room.
 	DisableRoom {
 		room_id: OwnedRoomId,
 	},
 
-	/// - Enables incoming federation handling for a room again.
+	/// Enables incoming federation handling for a room again.
 	EnableRoom {
 		room_id: OwnedRoomId,
 	},
 
-	/// - Fetch `/.well-known/matrix/support` from the specified server
+	/// Fetch `/.well-known/matrix/support` from the specified server
 	///
 	/// Despite the name, this is not a federation endpoint and does not go
 	/// through the federation / server resolution process as per-spec this is
@@ -35,7 +35,7 @@ pub enum FederationCommand {
 		server_name: OwnedServerName,
 	},
 
-	/// - Lists all the rooms we share/track with the specified *remote* user
+	/// Lists all the rooms we share/track with the specified *remote* user
 	RemoteUserInRooms {
 		user_id: OwnedUserId,
 	},

src/admin/media/commands.rs

@@ -16,6 +16,8 @@ pub(super) async fn delete(
 	mxc: Option<OwnedMxcUri>,
 	event_id: Option<OwnedEventId>,
 ) -> Result {
+	self.bail_restricted()?;
+
 	if event_id.is_some() && mxc.is_some() {
 		return Err!("Please specify either an MXC or an event ID, not both.",);
 	}
@@ -27,7 +29,9 @@ pub(super) async fn delete(
 			.delete(&mxc.as_str().try_into()?)
 			.await?;
 
-		return Err!("Deleted the MXC from our database and on our filesystem.",);
+		return self
+			.write_str("Deleted the MXC from our database and on our filesystem.")
+			.await;
 	}
 
 	if let Some(event_id) = event_id {
@@ -176,6 +180,8 @@ pub(super) async fn delete(
 
 #[admin_command]
 pub(super) async fn delete_list(&self) -> Result {
+	self.bail_restricted()?;
+
 	if self.body.len() < 2
 		|| !self.body[0].trim().starts_with("```")
 		|| self.body.last().unwrap_or(&"").trim() != "```"
@@ -231,6 +237,8 @@ pub(super) async fn delete_past_remote_media(
 	after: bool,
 	yes_i_want_to_delete_local_media: bool,
 ) -> Result {
+	self.bail_restricted()?;
+
 	if before && after {
 		return Err!("Please only pick one argument, --before or --after.",);
 	}
@@ -273,6 +281,8 @@ pub(super) async fn delete_all_from_server(
 	server_name: OwnedServerName,
 	yes_i_want_to_delete_local_media: bool,
 ) -> Result {
+	self.bail_restricted()?;
+
 	if server_name == self.services.globals.server_name() && !yes_i_want_to_delete_local_media {
 		return Err!("This command only works for remote media by default.",);
 	}
@@ -380,3 +390,19 @@ pub(super) async fn get_remote_thumbnail(
 	self.write_str(&format!("```\n{result:#?}\nreceived {len} bytes for file content.\n```"))
 		.await
 }
+
+#[admin_command]
+pub(super) async fn delete_url_preview(&self, url: Option<String>, all: bool) -> Result {
+	if all {
+		self.services.media.clear_url_previews().await;
+
+		return self.write_str("Deleted all cached URL previews.").await;
+	}
+
+	let url = url.expect("clap enforces url is required unless --all");
+
+	self.services.media.remove_url_preview(&url).await?;
+
+	self.write_str(&format!("Deleted cached URL preview for: {url}"))
+		.await
+}

src/admin/media/mod.rs

@@ -10,20 +10,20 @@
 #[admin_command_dispatch]
 #[derive(Debug, Subcommand)]
 pub enum MediaCommand {
-	/// - Deletes a single media file from our database and on the filesystem
+	/// Deletes a single media file from our database and on the filesystem
 	///   via a single MXC URL or event ID (not redacted)
 	Delete {
 		/// The MXC URL to delete
 		#[arg(long)]
 		mxc: Option<OwnedMxcUri>,
 
-		/// - The message event ID which contains the media and thumbnail MXC
+		/// The message event ID which contains the media and thumbnail MXC
 		///   URLs
 		#[arg(long)]
 		event_id: Option<OwnedEventId>,
 	},
 
-	/// - Deletes a codeblock list of MXC URLs from our database and on the
+	/// Deletes a codeblock list of MXC URLs from our database and on the
 	///   filesystem. This will always ignore errors.
 	DeleteList,
 
@@ -40,33 +40,33 @@ pub enum MediaCommand {
 	///   * Delete all remote and local media from 3 days ago, up until now:
 	///
 	///     `!admin media delete-past-remote-media -a 3d
-	/// --yes-i-want-to-delete-local-media`
+	///-yes-i-want-to-delete-local-media`
 	#[command(verbatim_doc_comment)]
 	DeletePastRemoteMedia {
-		/// - The relative time (e.g. 30s, 5m, 7d) from now within which to
+		/// The relative time (e.g. 30s, 5m, 7d) from now within which to
 		///   search
 		duration: String,
 
-		/// - Only delete media created before [duration] ago
+		/// Only delete media created before [duration] ago
 		#[arg(long, short)]
 		before: bool,
 
-		/// - Only delete media created after [duration] ago
+		/// Only delete media created after [duration] ago
 		#[arg(long, short)]
 		after: bool,
 
-		/// - Long argument to additionally delete local media
+		/// Long argument to additionally delete local media
 		#[arg(long)]
 		yes_i_want_to_delete_local_media: bool,
 	},
 
-	/// - Deletes all the local media from a local user on our server. This will
+	/// Deletes all the local media from a local user on our server. This will
 	///   always ignore errors by default.
 	DeleteAllFromUser {
 		username: String,
 	},
 
-	/// - Deletes all remote media from the specified remote server. This will
+	/// Deletes all remote media from the specified remote server. This will
 	///   always ignore errors by default.
 	DeleteAllFromServer {
 		server_name: OwnedServerName,
@@ -108,4 +108,16 @@ pub enum MediaCommand {
 		#[arg(long, default_value("800"))]
 		height: u32,
 	},
+
+	/// Deletes a cached URL preview, forcing it to be re-fetched.
+	/// Use --all to purge all cached URL previews.
+	DeleteUrlPreview {
+		/// The URL to clear from the saved preview data
+		#[arg(required_unless_present = "all")]
+		url: Option<String>,
+
+		/// Purge all cached URL previews
+		#[arg(long, conflicts_with = "url")]
+		all: bool,
+	},
 }

src/admin/mod.rs

@@ -17,6 +17,7 @@
 pub(crate) mod query;
 pub(crate) mod room;
 pub(crate) mod server;
+pub(crate) mod token;
 pub(crate) mod user;
 
 extern crate conduwuit_api as api;
@@ -29,11 +30,8 @@
 
 pub(crate) const PAGE_SIZE: usize = 100;
 
-use ctor::{ctor, dtor};
-
 conduwuit::mod_ctor! {}
 conduwuit::mod_dtor! {}
-conduwuit::rustc_flags_capture! {}
 
 pub use crate::admin::AdminCommand;
 

src/admin/processor.rs

@@ -37,7 +37,7 @@ pub(super) fn dispatch(services: Arc<Services>, command: CommandInput) -> Proces
 	Box::pin(handle_command(services, command))
 }
 
-#[tracing::instrument(skip_all, name = "admin")]
+#[tracing::instrument(skip_all, name = "admin", level = "info")]
 async fn handle_command(services: Arc<Services>, command: CommandInput) -> ProcessorResult {
 	AssertUnwindSafe(Box::pin(process_command(services, &command)))
 		.catch_unwind()
@@ -59,6 +59,7 @@ async fn process_command(services: Arc<Services>, input: &CommandInput) -> Proce
 		reply_id: input.reply_id.as_deref(),
 		sender: input.sender.as_deref(),
 		output: BufWriter::new(Vec::new()).into(),
+		source: input.source,
 	};
 
 	let (result, mut logs) = process(&context, command, &args).await;

src/admin/query/account_data.rs

@@ -9,7 +9,7 @@
 #[derive(Debug, Subcommand)]
 /// All the getters and iterators from src/database/key_value/account_data.rs
 pub enum AccountDataCommand {
-	/// - Returns all changes to the account data that happened after `since`.
+	/// Returns all changes to the account data that happened after `since`.
 	ChangesSince {
 		/// Full user ID
 		user_id: OwnedUserId,
@@ -19,7 +19,7 @@ pub enum AccountDataCommand {
 		room_id: Option<OwnedRoomId>,
 	},
 
-	/// - Searches the account data for a specific kind.
+	/// Searches the account data for a specific kind.
 	AccountDataGet {
 		/// Full user ID
 		user_id: OwnedUserId,

src/admin/query/appservice.rs

@@ -7,13 +7,13 @@
 #[derive(Debug, Subcommand)]
 /// All the getters and iterators from src/database/key_value/appservice.rs
 pub enum AppserviceCommand {
-	/// - Gets the appservice registration info/details from the ID as a string
+	/// Gets the appservice registration info/details from the ID as a string
 	GetRegistration {
 		/// Appservice registration ID
 		appservice_id: String,
 	},
 
-	/// - Gets all appservice registrations with their ID and registration info
+	/// Gets all appservice registrations with their ID and registration info
 	All,
 }
 

src/admin/query/globals.rs

@@ -13,7 +13,7 @@ pub enum GlobalsCommand {
 
 	LastCheckForAnnouncementsId,
 
-	/// - This returns an empty `Ok(BTreeMap<..>)` when there are no keys found
+	/// This returns an empty `Ok(BTreeMap<..>)` when there are no keys found
 	///   for the server.
 	SigningKeysFor {
 		origin: OwnedServerName,

src/admin/query/mod.rs

@@ -28,55 +28,55 @@
 #[derive(Debug, Subcommand)]
 /// Query tables from database
 pub enum QueryCommand {
-	/// - account_data.rs iterators and getters
+	/// account_data.rs iterators and getters
 	#[command(subcommand)]
 	AccountData(AccountDataCommand),
 
-	/// - appservice.rs iterators and getters
+	/// appservice.rs iterators and getters
 	#[command(subcommand)]
 	Appservice(AppserviceCommand),
 
-	/// - presence.rs iterators and getters
+	/// presence.rs iterators and getters
 	#[command(subcommand)]
 	Presence(PresenceCommand),
 
-	/// - rooms/alias.rs iterators and getters
+	/// rooms/alias.rs iterators and getters
 	#[command(subcommand)]
 	RoomAlias(RoomAliasCommand),
 
-	/// - rooms/state_cache iterators and getters
+	/// rooms/state_cache iterators and getters
 	#[command(subcommand)]
 	RoomStateCache(RoomStateCacheCommand),
 
-	/// - rooms/timeline iterators and getters
+	/// rooms/timeline iterators and getters
 	#[command(subcommand)]
 	RoomTimeline(RoomTimelineCommand),
 
-	/// - globals.rs iterators and getters
+	/// globals.rs iterators and getters
 	#[command(subcommand)]
 	Globals(GlobalsCommand),
 
-	/// - sending.rs iterators and getters
+	/// sending.rs iterators and getters
 	#[command(subcommand)]
 	Sending(SendingCommand),
 
-	/// - users.rs iterators and getters
+	/// users.rs iterators and getters
 	#[command(subcommand)]
 	Users(UsersCommand),
 
-	/// - resolver service
+	/// resolver service
 	#[command(subcommand)]
 	Resolver(ResolverCommand),
 
-	/// - pusher service
+	/// pusher service
 	#[command(subcommand)]
 	Pusher(PusherCommand),
 
-	/// - short service
+	/// short service
 	#[command(subcommand)]
 	Short(ShortCommand),
 
-	/// - raw service
+	/// raw service
 	#[command(subcommand)]
 	Raw(RawCommand),
 }

src/admin/query/presence.rs

@@ -8,13 +8,13 @@
 #[derive(Debug, Subcommand)]
 /// All the getters and iterators from src/database/key_value/presence.rs
 pub enum PresenceCommand {
-	/// - Returns the latest presence event for the given user.
+	/// Returns the latest presence event for the given user.
 	GetPresence {
 		/// Full user ID
 		user_id: OwnedUserId,
 	},
 
-	/// - Iterator of the most recent presence updates that happened after the
+	/// Iterator of the most recent presence updates that happened after the
 	///   event with id `since`.
 	PresenceSince {
 		/// UNIX timestamp since (u64)

src/admin/query/pusher.rs

@@ -6,7 +6,7 @@
 
 #[derive(Debug, Subcommand)]
 pub enum PusherCommand {
-	/// - Returns all the pushers for the user.
+	/// Returns all the pushers for the user.
 	GetPushers {
 		/// Full user ID
 		user_id: OwnedUserId,

src/admin/query/raw.rs

@@ -20,10 +20,10 @@
 #[allow(clippy::enum_variant_names)]
 /// Query tables from database
 pub enum RawCommand {
-	/// - List database maps
+	/// List database maps
 	RawMaps,
 
-	/// - Raw database query
+	/// Raw database query
 	RawGet {
 		/// Map name
 		map: String,
@@ -32,7 +32,7 @@ pub enum RawCommand {
 		key: String,
 	},
 
-	/// - Raw database delete (for string keys)
+	/// Raw database delete (for string keys)
 	RawDel {
 		/// Map name
 		map: String,
@@ -41,7 +41,7 @@ pub enum RawCommand {
 		key: String,
 	},
 
-	/// - Raw database keys iteration
+	/// Raw database keys iteration
 	RawKeys {
 		/// Map name
 		map: String,
@@ -50,7 +50,7 @@ pub enum RawCommand {
 		prefix: Option<String>,
 	},
 
-	/// - Raw database key size breakdown
+	/// Raw database key size breakdown
 	RawKeysSizes {
 		/// Map name
 		map: Option<String>,
@@ -59,7 +59,7 @@ pub enum RawCommand {
 		prefix: Option<String>,
 	},
 
-	/// - Raw database keys total bytes
+	/// Raw database keys total bytes
 	RawKeysTotal {
 		/// Map name
 		map: Option<String>,
@@ -68,7 +68,7 @@ pub enum RawCommand {
 		prefix: Option<String>,
 	},
 
-	/// - Raw database values size breakdown
+	/// Raw database values size breakdown
 	RawValsSizes {
 		/// Map name
 		map: Option<String>,
@@ -77,7 +77,7 @@ pub enum RawCommand {
 		prefix: Option<String>,
 	},
 
-	/// - Raw database values total bytes
+	/// Raw database values total bytes
 	RawValsTotal {
 		/// Map name
 		map: Option<String>,
@@ -86,7 +86,7 @@ pub enum RawCommand {
 		prefix: Option<String>,
 	},
 
-	/// - Raw database items iteration
+	/// Raw database items iteration
 	RawIter {
 		/// Map name
 		map: String,
@@ -95,7 +95,7 @@ pub enum RawCommand {
 		prefix: Option<String>,
 	},
 
-	/// - Raw database keys iteration
+	/// Raw database keys iteration
 	RawKeysFrom {
 		/// Map name
 		map: String,
@@ -108,7 +108,7 @@ pub enum RawCommand {
 		limit: Option<usize>,
 	},
 
-	/// - Raw database items iteration
+	/// Raw database items iteration
 	RawIterFrom {
 		/// Map name
 		map: String,
@@ -121,7 +121,7 @@ pub enum RawCommand {
 		limit: Option<usize>,
 	},
 
-	/// - Raw database record count
+	/// Raw database record count
 	RawCount {
 		/// Map name
 		map: Option<String>,
@@ -130,7 +130,7 @@ pub enum RawCommand {
 		prefix: Option<String>,
 	},
 
-	/// - Compact database
+	/// Compact database
 	Compact {
 		#[arg(short, long, alias("column"))]
 		map: Option<Vec<String>>,
@@ -209,7 +209,7 @@ pub(super) async fn compact(
 	let parallelism = parallelism.unwrap_or(1);
 	let results = maps
 		.into_iter()
-		.try_stream()
+		.try_stream::<conduwuit::Error>()
 		.paralleln_and_then(runtime, parallelism, move |map| {
 			map.compact_blocking(options.clone())?;
 			Ok(map.name().to_owned())