CI: Remove the clang detection

tomfos.tr act-runner image removed the possibility to install the latest LLVM using an installer script, so let us also remove the detection and just live with the distro's clang image.

.forgejo/workflows/build-debian.yml

@@ -41,17 +41,6 @@ jobs:
       #    else
       #      echo "No workaround needed for llvm-project#153385"
       #    fi
-      - name: Pick compatible clang version
-        id: clang-version
-        run: |
-          # both latest need to use clang-23, but oldstable and previous can just use clang
-          if [[ "${{ matrix.container }}" == "ubuntu-latest" ]]; then
-            echo "Using clang-23 package for ${{ matrix.container }}"
-            echo "version=clang-23" >> $GITHUB_OUTPUT
-          else
-            echo "Using default clang package for ${{ matrix.container }}"
-            echo "version=clang" >> $GITHUB_OUTPUT
-          fi
 
       - name: Checkout repository with full history
         uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
@@ -130,7 +119,7 @@ jobs:
         run: |
           apt-get update -y
           # Build dependencies for rocksdb
-          apt-get install -y liburing-dev ${{ steps.clang-version.outputs.version }}
+          apt-get install -y liburing-dev clang
 
       - name: Run cargo-deb
         id: cargo-deb

.forgejo/workflows/build-nix.yml

@@ -0,0 +1,71 @@
+name: Build / Static via Nix
+
+concurrency:
+  group: "build-nix-${{ forge.ref }}"
+  cancel-in-progress: true
+
+on:
+  push:
+    tags:
+      - "v*.*.*"
+  workflow_dispatch:
+  schedule:
+    - cron: '30 0 * * *'
+
+jobs:
+  build:
+    name: "Build ${{ matrix.filename }} Binary"
+    runs-on: ubuntu-latest
+
+    strategy:
+      matrix:
+        include:
+          - package: default-static-x86_64
+            filename: conduwuit-linux-static-amd64
+          - package: default-static-aarch64
+            filename: conduwuit-linux-static-arm64
+
+          - package: max-perf-static-aarch64
+            filename: conduwuit-linux-static-arm64-maxperf
+          - package: max-perf-haswell-static-x86_64
+            filename: conduwuit-haswell-linux-static-amd64-maxperf
+
+    steps:
+      - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10
+
+      - name: Install Lix
+        uses: https://github.com/samueldr/lix-gha-installer-action@a0fee77b2a98bb7c5c0ed7ae6d6ad4903dbdad0d
+        with:
+          extra_nix_config: experimental-features = nix-command flakes flake-self-attrs
+
+      - name: Build static binary
+        run: |
+          nix build .#${{ matrix.package }}
+          install -D result/bin/conduwuit /tmp/binaries/${{ matrix.filename }}
+
+      - name: Upload binary artifact
+        uses: forgejo/upload-artifact@v4
+        with:
+          name: ${{ matrix.filename }}
+          path: /tmp/binaries/${{ matrix.filename }}
+
+  release-binaries:
+    name: "Release Binaries"
+    runs-on: ubuntu-latest
+    needs:
+      - build
+    permissions:
+      contents: write
+    if: startsWith(github.ref, 'refs/tags/')
+    steps:
+      - name: Download binary artifacts
+        uses: forgejo/download-artifact@v4
+        with:
+          pattern: conduwuit*
+          path: binaries
+          merge-multiple: true
+      - name: Create Release and Upload
+        uses: https://github.com/softprops/action-gh-release@b4309332981a82ec1c5618f44dd2e27cc8bfbfda # v3
+        with:
+          draft: true
+          files: binaries/*

CHANGELOG.md

@@ -1,88 +1,148 @@
+# Continuwuity 0.5.10 (2026-06-20)
+
+## Security
+
+- Fixed a bug that allowed a remote server to send to-device messages to a non-local user. Reported
+  by [echoray](https://github.com/raidenrayray).
+- Fixed a bug that allowed local users to request URL previews of explicitly forbidden domains. Reported
+  by [echoray](https://github.com/raidenrayray).
+- Fixed a bug that permitted authentication as a dehydrated device. Reported by @stratself.
+
+# Continuwuity 0.5.9 (2026-05-07)
+
+## Security
+
+- Fixed a bug that caused the server to drop events during processing if several events for the same room were sent in a
+  singular transaction. Contributed by @nex. (#1711)
+- Fixed a bug that caused the server to panic while handling transactions with malformed events, resulting in a
+  deadlock that prevented the remote server from federating with us until the server was restarted. Contributed by @nex.
+- Fixed a bug that resulted in the `m.federate` field of `m.room.create` being ignored in v12 rooms, allowing remote
+  servers to participate in local-only rooms. Contributed by @nex, reported
+  by [@mat:emzee.ee](matrix:u/mat:emzee.ee?action=chat).
+
 # Continuwuity 0.5.8 (2026-04-24)
 
 ## Features
 
-- LDAP can now optionally be connected to using StartTLS, and you may unsafely skip verification. Contributed by @getz (#1389)
-- Users will now be prevented from removing their email if the server is configured to require an email when registering an account.
+- LDAP can now optionally be connected to using StartTLS, and you may unsafely skip verification. Contributed by @getz (
+  #1389)
+- Users will now be prevented from removing their email if the server is configured to require an email when registering
+  an account.
 
 ## Bugfixes
 
-- Fixed a situation where multiple email addresses could be associated with one user when that user changes their email address.
+- Fixed a situation where multiple email addresses could be associated with one user when that user changes their email
+  address.
 
 ## Improved Documentation
 
 - Updated config docs to state we support room version 12, and set it as default. Contributed by @ezera. (#1622)
-- Improve instructions for generic deployments, removing unnecessary parts and documenting the new initial registration token flow. Contributed by @stratself (#1677)
-
+- Improve instructions for generic deployments, removing unnecessary parts and documenting the new initial registration
+  token flow. Contributed by @stratself (#1677)
 
 # Continuwuity v0.5.7 (2026-04-17)
 
 ## Features
 
 - Re-added support for reading registration tokens from a file. Contributed by @ginger and @benbot. (#1371)
-- Add new config option to allow or disallow search engine indexing through a `<meta ../>` tag. Defaults to blocking indexing (`content="noindex"`). Contributed by @s1lv3r and @ginger. (#1527)
+- Add new config option to allow or disallow search engine indexing through a `<meta ../>` tag. Defaults to blocking
+  indexing (`content="noindex"`). Contributed by @s1lv3r and @ginger. (#1527)
 - Add new config option for [MSC4439](https://github.com/matrix-org/matrix-spec-proposals/pull/4439)
   PGP key URIs. Contributed by LogN. (#1609)
-- Added `!admin users reset-push-rules` command to reset the notification settings of users. Contributed by @nex. (#1613)
-- Notification pushers are now automatically removed when their associated device is. Admin commands now exist for manual cleanup too. Contributed by @nex. (#1614)
+- Added `!admin users reset-push-rules` command to reset the notification settings of users. Contributed by @nex. (
+  #1613)
+- Notification pushers are now automatically removed when their associated device is. Admin commands now exist for
+  manual cleanup too. Contributed by @nex. (#1614)
 - Implemented option to deprioritize servers for room join requests. Contributed by @ezera. (#1624)
 - Added admin commands to get build information and features. Contributed by @Jade (#1629)
-- Added support for associating email addresses with accounts, requiring email addresses for registration, and resetting passwords via email. Contributed by @ginger
+- Added support for associating email addresses with accounts, requiring email addresses for registration, and resetting
+  passwords via email. Contributed by @ginger
 - Added support for requiring users to accept terms and conditions when registering.
 - Added support for using an admin command to issue self-service password reset links.
 
 ## Bugfixes
 
 - Fixed corrupted appservice registrations causing the server to enter a crash loop. Contributed by @nex. (#1265)
-- Prevent removing the admin room alias (`#admins`) to avoid accidentally breaking admin room functionality. Contributed by @0xnim (#1448)
+- Prevent removing the admin room alias (`#admins`) to avoid accidentally breaking admin room functionality. Contributed
+  by @0xnim (#1448)
 - Stripped `join_authorised_via_users_server` from json if user is already in room (@partha:cxy.run) (#1542)
 - Fixed internal server errors for fetching thumbnails. Contributed by @PerformativeJade (#1572)
 - Fixed error 500 when joining non-existent rooms. Contributed by @ezera. (#1579)
-- Refactored nix package. Breaking, since `all-features` package no longer exists. Continuwuity is now built with jemalloc and liburing by default. Contributed by @Henry-Hiles (QuadRadical). (#1596)
+- Refactored nix package. Breaking, since `all-features` package no longer exists. Continuwuity is now built with
+  jemalloc and liburing by default. Contributed by @Henry-Hiles (QuadRadical). (#1596)
 - Fixed resolving IP of servers that only use SRV delegation. Contributed by @tulir. (#1615)
-- Fixed "Sender must be a local user" error for make_join, make_knock, and make_leave federation routes. Contributed by @nex. (#1623)
-- Fixed restricted joins not being signed when we are being used as an authorising server. Contributed by @nex, reported by [vel](matrix:u/vel:nhjkl.com?action=chat). (#1630)
+- Fixed "Sender must be a local user" error for make_join, make_knock, and make_leave federation routes. Contributed by
+  @nex. (#1623)
+- Fixed restricted joins not being signed when we are being used as an authorising server. Contributed by @nex, reported
+  by [vel](matrix:u/vel:nhjkl.com?action=chat). (#1630)
 - Fixed room alias deletion so removing one local alias no longer removes other aliases from room alias listings.
-- Stopped left rooms from being unconditionally sent on initial sync, hopefully fixing spurious appearances of left rooms in some clients (and making sync faster as a bonus). Contributed by @ginger
+- Stopped left rooms from being unconditionally sent on initial sync, hopefully fixing spurious appearances of left
+  rooms in some clients (and making sync faster as a bonus). Contributed by @ginger
 - Correct the response field name for MatrixRTC transports. Contributed by @spaetz
 
 ## Improved Documentation
 
 - Added Testing and Troubleshooting instructions for Livekit documentation. Contributed by @stratself. (#1429)
-- Refactored docker docs to include new initial token workflow, and add Caddyfile example. Contributed by @stratself. (#1594)
-- Add DNS tuning guide for Continuwuity. Users are recommended to set up a local caching resolver following the guide's advice. Contributed by @stratself (#1601)
+- Refactored docker docs to include new initial token workflow, and add Caddyfile example. Contributed by @stratself. (
+  #1594)
+- Add DNS tuning guide for Continuwuity. Users are recommended to set up a local caching resolver following the guide's
+  advice. Contributed by @stratself (#1601)
 
 ## Misc
 
 - Fixed compiler warning in cf_opts.rs when building in release. Contributed by @ezera. (#1620)
 
-
 # Continuwuity 0.5.6 (2026-03-03)
 
 ## Security
 
-- Admin escape commands received over federation will never be executed, as this is never valid in a genuine situation. Contributed by @Jade.
-- Fixed data amplification vulnerability (CWE-409) that affected configurations with server-side compression enabled (non-default). Contributed by @nex.
+- Admin escape commands received over federation will never be executed, as this is never valid in a genuine situation.
+  Contributed by @Jade.
+- Fixed data amplification vulnerability (CWE-409) that affected configurations with server-side compression enabled (
+  non-default). Contributed by @nex.
 
 ## Features
 
-- Outgoing presence is now disabled by default, and the config option documentation has been adjusted to more accurately represent the weight of presence, typing indicators, and read receipts. Contributed by @nex. ([#1399](https://forgejo.ellis.link/continuwuation/continuwuity/pulls/1399))
-- Improved the concurrency handling of federation transactions, vastly improving performance and reliability by more accurately handling inbound transactions and reducing the amount of repeated wasted work. Contributed by @nex and @Jade. ([#1428](https://forgejo.ellis.link/continuwuation/continuwuity/pulls/1428))
-- Added [MSC3202](https://github.com/matrix-org/matrix-spec-proposals/pull/3202) Device masquerading (not all of MSC3202). This should fix issues with enabling [MSC4190](https://github.com/matrix-org/matrix-spec-proposals/pull/4190) for some Mautrix bridges. Contributed by @Jade ([#1435](https://forgejo.ellis.link/continuwuation/continuwuity/pulls/1435))
-- Added [MSC3814](https://github.com/matrix-org/matrix-spec-proposals/pull/3814) Dehydrated Devices - you can now decrypt messages sent while all devices were logged out. ([#1436](https://forgejo.ellis.link/continuwuation/continuwuity/pulls/1436))
-- Implement [MSC4143](https://github.com/matrix-org/matrix-spec-proposals/pull/4143) MatrixRTC transport discovery endpoint. Move RTC foci configuration from `[global.well_known]` to a new `[global.matrix_rtc]` section with a `foci` field. Contributed by @0xnim ([#1442](https://forgejo.ellis.link/continuwuation/continuwuity/pulls/1442))
-- Updated `list-backups` admin command to output one backup per line. ([#1394](https://forgejo.ellis.link/continuwuation/continuwuity/pulls/1394))
-- Improved URL preview fetching with a more compatible user agent for sites like YouTube Music. Added `!admin media delete-url-preview <url>` command to clear cached URL previews that were stuck and broken. ([#1434](https://forgejo.ellis.link/continuwuation/continuwuity/pulls/1434))
+- Outgoing presence is now disabled by default, and the config option documentation has been adjusted to more accurately
+  represent the weight of presence, typing indicators, and read receipts. Contributed by
+  @nex. ([#1399](https://forgejo.ellis.link/continuwuation/continuwuity/pulls/1399))
+- Improved the concurrency handling of federation transactions, vastly improving performance and reliability by more
+  accurately handling inbound transactions and reducing the amount of repeated wasted work. Contributed by @nex and
+  @Jade. ([#1428](https://forgejo.ellis.link/continuwuation/continuwuity/pulls/1428))
+- Added [MSC3202](https://github.com/matrix-org/matrix-spec-proposals/pull/3202) Device masquerading (not all of
+  MSC3202). This should fix issues with
+  enabling [MSC4190](https://github.com/matrix-org/matrix-spec-proposals/pull/4190) for some Mautrix bridges.
+  Contributed by @Jade ([#1435](https://forgejo.ellis.link/continuwuation/continuwuity/pulls/1435))
+- Added [MSC3814](https://github.com/matrix-org/matrix-spec-proposals/pull/3814) Dehydrated Devices - you can now
+  decrypt messages sent while all devices were logged
+  out. ([#1436](https://forgejo.ellis.link/continuwuation/continuwuity/pulls/1436))
+- Implement [MSC4143](https://github.com/matrix-org/matrix-spec-proposals/pull/4143) MatrixRTC transport discovery
+  endpoint. Move RTC foci configuration from `[global.well_known]` to a new `[global.matrix_rtc]` section with a `foci`
+  field. Contributed by @0xnim ([#1442](https://forgejo.ellis.link/continuwuation/continuwuity/pulls/1442))
+- Updated `list-backups` admin command to output one backup per
+  line. ([#1394](https://forgejo.ellis.link/continuwuation/continuwuity/pulls/1394))
+- Improved URL preview fetching with a more compatible user agent for sites like YouTube Music. Added
+  `!admin media delete-url-preview <url>` command to clear cached URL previews that were stuck and
+  broken. ([#1434](https://forgejo.ellis.link/continuwuation/continuwuity/pulls/1434))
 
 ## Bugfixes
 
-- Removed non-compliant nor functional room alias lookups over federation. Contributed by @nex ([#1393](https://forgejo.ellis.link/continuwuation/continuwuity/pulls/1393))
-- Removed ability to set rocksdb as read only. Doing so would cause unintentional and buggy behaviour. Contributed by @Terryiscool160. ([#1418](https://forgejo.ellis.link/continuwuation/continuwuity/pulls/1418))
-- Fixed a startup crash in the sender service if we can't detect the number of CPU cores, even if the `sender_workers` config option is set correctly. Contributed by @katie. ([#1421](https://forgejo.ellis.link/continuwuation/continuwuity/pulls/1421))
-- Removed the `allow_public_room_directory_without_auth` config option. Contributed by @0xnim. ([#1441](https://forgejo.ellis.link/continuwuation/continuwuity/pulls/1441))
-- Fixed sliding sync v5 list ranges always starting from 0, causing extra rooms to be unnecessarily processed and returned. Contributed by @0xnim ([#1445](https://forgejo.ellis.link/continuwuation/continuwuity/pulls/1445))
-- Fixed a bug that (repairably) caused a room split between continuwuity and non-continuwuity servers when the room had both `m.room.policy` and `org.matrix.msc4284.policy` in its room state. Contributed by @nex ([#1481](https://forgejo.ellis.link/continuwuation/continuwuity/pulls/1481))
-- Fixed `!admin media delete --mxc <url>` responding with an error message when the media was deleted successfully. Contributed by @lynxize
+- Removed non-compliant nor functional room alias lookups over federation. Contributed by
+  @nex ([#1393](https://forgejo.ellis.link/continuwuation/continuwuity/pulls/1393))
+- Removed ability to set rocksdb as read only. Doing so would cause unintentional and buggy behaviour. Contributed by
+  @Terryiscool160. ([#1418](https://forgejo.ellis.link/continuwuation/continuwuity/pulls/1418))
+- Fixed a startup crash in the sender service if we can't detect the number of CPU cores, even if the `sender_workers`
+  config option is set correctly. Contributed by
+  @katie. ([#1421](https://forgejo.ellis.link/continuwuation/continuwuity/pulls/1421))
+- Removed the `allow_public_room_directory_without_auth` config option. Contributed by
+  @0xnim. ([#1441](https://forgejo.ellis.link/continuwuation/continuwuity/pulls/1441))
+- Fixed sliding sync v5 list ranges always starting from 0, causing extra rooms to be unnecessarily processed and
+  returned. Contributed by @0xnim ([#1445](https://forgejo.ellis.link/continuwuation/continuwuity/pulls/1445))
+- Fixed a bug that (repairably) caused a room split between continuwuity and non-continuwuity servers when the room had
+  both `m.room.policy` and `org.matrix.msc4284.policy` in its room state. Contributed by
+  @nex ([#1481](https://forgejo.ellis.link/continuwuation/continuwuity/pulls/1481))
+- Fixed `!admin media delete --mxc <url>` responding with an error message when the media was deleted successfully.
+  Contributed by @lynxize
 - Fixed spurious 404 media errors in the logs. Contributed by @benbot.
 - Fixed spurious warn about needed backfill via federation for non-federated rooms. Contributed by @kraem.
 
@@ -112,10 +172,12 @@ ## Features
 ## Bugfixes
 
 - Fixed invites sent to other users in the same homeserver not being properly sent down sync. Users with missing or
-  broken invites should clear their client caches after updating to make them appear. ([#1249](https://forgejo.ellis.link/continuwuation/continuwuity/pulls/1249))
+  broken invites should clear their client caches after updating to make them
+  appear. ([#1249](https://forgejo.ellis.link/continuwuation/continuwuity/pulls/1249))
 - LDAP-enabled servers will no longer have all admins demoted when LDAP-controlled admins are not configured.
   Contributed by @Jade ([#1307](https://forgejo.ellis.link/continuwuation/continuwuity/pulls/1307))
-- Fixed sliding sync not resolving wildcard state key requests, enabling Video/Audio calls in Element X. ([#1370](https://forgejo.ellis.link/continuwuation/continuwuity/pulls/1370))
+- Fixed sliding sync not resolving wildcard state key requests, enabling Video/Audio calls in Element
+  X. ([#1370](https://forgejo.ellis.link/continuwuation/continuwuity/pulls/1370))
 
 ## Misc
 

Cargo.lock

@@ -960,7 +960,7 @@ dependencies = [
 
 [[package]]
 name = "conduwuit"
-version = "0.5.8"
+version = "0.5.10"
 dependencies = [
  "aws-lc-rs",
  "clap",
@@ -997,7 +997,7 @@ dependencies = [
 
 [[package]]
 name = "conduwuit_admin"
-version = "0.5.8"
+version = "0.5.10"
 dependencies = [
  "clap",
  "conduwuit_api",
@@ -1020,7 +1020,7 @@ dependencies = [
 
 [[package]]
 name = "conduwuit_api"
-version = "0.5.8"
+version = "0.5.10"
 dependencies = [
  "async-trait",
  "axum",
@@ -1055,7 +1055,7 @@ dependencies = [
 
 [[package]]
 name = "conduwuit_build_metadata"
-version = "0.5.8"
+version = "0.5.10"
 dependencies = [
  "built",
  "cargo_metadata",
@@ -1063,7 +1063,7 @@ dependencies = [
 
 [[package]]
 name = "conduwuit_core"
-version = "0.5.8"
+version = "0.5.10"
 dependencies = [
  "argon2",
  "arrayvec",
@@ -1127,7 +1127,7 @@ dependencies = [
 
 [[package]]
 name = "conduwuit_database"
-version = "0.5.8"
+version = "0.5.10"
 dependencies = [
  "async-channel",
  "conduwuit_core",
@@ -1147,7 +1147,7 @@ dependencies = [
 
 [[package]]
 name = "conduwuit_macros"
-version = "0.5.8"
+version = "0.5.10"
 dependencies = [
  "cargo_toml",
  "itertools 0.14.0",
@@ -1158,7 +1158,7 @@ dependencies = [
 
 [[package]]
 name = "conduwuit_router"
-version = "0.5.8"
+version = "0.5.10"
 dependencies = [
  "axum",
  "axum-client-ip",
@@ -1194,7 +1194,7 @@ dependencies = [
 
 [[package]]
 name = "conduwuit_service"
-version = "0.5.8"
+version = "0.5.10"
 dependencies = [
  "askama",
  "async-trait",
@@ -1242,7 +1242,7 @@ dependencies = [
 
 [[package]]
 name = "conduwuit_web"
-version = "0.5.8"
+version = "0.5.10"
 dependencies = [
  "askama",
  "async-trait",
@@ -7017,7 +7017,7 @@ dependencies = [
 
 [[package]]
 name = "xtask"
-version = "0.5.8"
+version = "0.5.10"
 dependencies = [
  "askama",
  "cargo_metadata",

Cargo.toml

@@ -12,7 +12,7 @@ license = "Apache-2.0"
 # See also `rust-toolchain.toml`
 readme = "README.md"
 repository = "https://forgejo.ellis.link/continuwuation/continuwuity"
-version = "0.5.8"
+version = "0.5.10"
 
 [workspace.metadata.crane]
 name = "conduwuit"

changelog.d/1711.bugfix

@@ -1 +0,0 @@
-Fixed a bug that caused the server to drop events during processing if several events for the same room were sent in a singular transaction. Contributed by @nex.

changelog.d/1853.feature

@@ -0,0 +1 @@
+Added static builds using Nix, allowing for Continuwuity on musl. During this, we also introduced a `max-perf-haswell` package, separating it from `max-perf`, so you may want to swap to this if you are on NixOS. Contributed by @Henry-Hiles (QuadRadical).

docs/deploying/generic.mdx

@@ -47,9 +47,15 @@ #### Performance-optimised builds
 
 ### Nix
 
-Theres a Nix package defined in our flake, available for Linux and MacOS. Add continuwuity as an input to your flake, and use `inputs.continuwuity.packages.${system}.default` to get a working Continuwuity package.
+If you wish to generate a static binary, you can do so using Nix: `nix build git+https://forgejo.ellis.link/continuwuation/continuwuity#packageName`, where `packageName` is one of:
 
-If you simply wish to generate a binary using Nix, you can run `nix build git+https://forgejo.ellis.link/continuwuation/continuwuity` to generate a binary in `result/bin/conduwuit`.
+- `default-static-x86_64`
+- `default-static-aarch64`
+- `max-perf-static-x86_64`
+- `max-perf-haswell-static-x86_64`
+- `max-perf-static-aarch64`
+
+`max-perf` takes longer to build, but has more runtime optimizations. Haswell builds are optimized for modern CPUs.
 
 ### Compiling
 

docs/deploying/nixos.mdx

@@ -47,9 +47,16 @@ ### Available options
 - `extraEnvironment`: Extra environment variables to pass to the Continuwuity server
 - `package`: The Continuwuity package to use, defaults to `pkgs.matrix-continuwuity`
     - You may want to override this to be from our flake, for faster updates and unstable versions:
+
     ```nix
-    package = inputs.continuwuity.packages.${pkgs.stdenv.hostPlatform.system}.default;
+    package = inputs.continuwuity.packages.${pkgs.stdenv.hostPlatform.system}.packageName;
     ```
+
+    Where `packageName` is one of:
+    - `default`
+    - `max-perf`: Takes longer to build, but has more runtime optimizations
+    - `max-perf-haswell`: Optimized for modern CPUs, don't use if your CPU is not Haswell or later.
+
 - `admin.enable`: Whether to add the `conduwuit` binary to `PATH` for administration (enabled by default)
 - `settings`: The Continuwuity configuration
 

nix/packages/continuwuity.nix

@@ -5,11 +5,10 @@
   liburing,
   craneLib,
   pkg-config,
-  callPackage,
   rustPlatform,
   cargoExtraArgs ? "",
   rustflags ? "",
-  rocksdb ? callPackage ./rocksdb.nix { },
+  target_cpu ? null,
   profile ? "release",
 }:
 let
@@ -28,18 +27,24 @@ let
   };
 
   attrs = {
+    __structuredAttrs = true;
+    strictDeps = true;
+
     inherit src;
+
     nativeBuildInputs = [
       pkg-config
       rustPlatform.bindgenHook
     ];
     buildInputs = lib.optionals stdenv.hostPlatform.isLinux [ liburing ];
+    doCheck = false;
     env = {
-      ROCKSDB_INCLUDE_DIR = "${rocksdb}/include";
-      ROCKSDB_LIB_DIR = "${rocksdb}/lib";
       CARGO_PROFILE = profile;
       RUSTFLAGS = rustflags;
-    };
+    }
+    // (lib.optionalAttrs (target_cpu != null) {
+      TARGET_CPU = target_cpu;
+    });
   };
 in
 craneLib.buildPackage (
@@ -47,18 +52,6 @@ craneLib.buildPackage (
     inherit cargoExtraArgs;
     cargoArtifacts = craneLib.buildDepsOnly attrs;
 
-    # Needed to make continuwuity link to rocksdb
-    postFixup = lib.optionalString stdenv.hostPlatform.isLinux ''
-      old_rpath="$(patchelf --print-rpath $out/bin/conduwuit)"
-      extra_rpath="${
-        lib.makeLibraryPath [
-          rocksdb
-        ]
-      }"
-
-      patchelf  --set-rpath "$old_rpath:$extra_rpath" $out/bin/conduwuit
-    '';
-
     meta = {
       description = "A community-driven Matrix homeserver in Rust";
       mainProgram = "conduwuit";

nix/packages/default.nix

@@ -1,4 +1,5 @@
 {
+  inputs,
   self,
   ...
 }:
@@ -6,29 +7,77 @@
   perSystem =
     {
       self',
+      lib,
       pkgs,
+      system,
       craneLib,
       ...
     }:
     {
-      packages = {
-        rocksdb = pkgs.callPackage ./rocksdb.nix { };
-        default = pkgs.callPackage ./continuwuity.nix {
-          inherit self craneLib;
-          # extra features via `cargoExtraArgs`
-          cargoExtraArgs = "-F http3";
-          # extra RUSTFLAGS via `rustflags`
-          # the stuff below is required for http3
-          rustflags = "--cfg reqwest_unstable";
-        };
-        # users may also override this with other cargo profiles to build for other feature sets
-        #
-        # other examples include:
-        #
-        # - release-high-perf
-        max-perf = self'.packages.default.override {
-          profile = "release-max-perf";
-        };
-      };
+      packages =
+        let
+          mkPackages =
+            pkgs:
+            let
+              fnx = inputs.fenix.packages.${system};
+
+              isStatic = pkgs.stdenv.hostPlatform.isMusl;
+
+              craneLib = (inputs.crane.mkLib pkgs).overrideToolchain (
+                _:
+                if isStatic then
+                  fnx.combine [
+                    self'.packages.stable-toolchain
+                    (fnx.targets.${pkgs.stdenv.hostPlatform.config}.stable).rust-std
+                  ]
+                else
+                  self'.packages.stable-toolchain
+              );
+
+              default = pkgs.callPackage ./continuwuity.nix {
+                inherit self craneLib;
+                liburing = (if isStatic then pkgs.pkgsStatic else pkgs).liburing;
+                # extra features via `cargoExtraArgs`
+                cargoExtraArgs = "-F http3";
+                # extra RUSTFLAGS via `rustflags`
+                # the stuff below is required for http3
+                rustflags = "--cfg reqwest_unstable";
+              };
+
+              # users may also override this with other cargo profiles to build for other feature sets
+              # for features configuration see `default` package which enables http3 by default
+
+              max-perf = default.override {
+                # compiles slower but with more thorough optimizations
+                profile = "release-max-perf";
+              };
+
+              max-perf-haswell = max-perf.override {
+                # compiles explicitly for haswell arch cpus
+                target_cpu = "haswell";
+              };
+            in
+            {
+              inherit default max-perf max-perf-haswell;
+
+            };
+        in
+        (mkPackages pkgs)
+        // (lib.mapAttrs' (name: value: lib.nameValuePair "${name}-static-x86_64" value) (
+          mkPackages (
+            import inputs.nixpkgs {
+              localSystem = system;
+              crossSystem = "x86_64-unknown-linux-musl";
+            }
+          )
+        ))
+        // (lib.mapAttrs' (name: value: lib.nameValuePair "${name}-static-aarch64" value) (
+          mkPackages (
+            import inputs.nixpkgs {
+              localSystem = system;
+              crossSystem = "aarch64-unknown-linux-musl";
+            }
+          )
+        ));
     };
 }

src/api/router/auth.rs

@@ -379,6 +379,9 @@ async fn find_token(services: &Services, token: Option<&str>) -> Result<Token> {
 	let Some(token) = token else {
 		return Ok(Token::None);
 	};
+	if token.is_empty() {
+		return Ok(Token::Invalid);
+	}
 
 	let user_token = services.users.find_from_token(token).map_ok(Token::User);
 

src/api/server/send.rs

@@ -671,6 +671,13 @@ async fn handle_edu_direct_to_device(
 	messages
 		.into_iter()
 		.stream()
+		.broad_filter_map(|(target_user_id, map)| async move {
+			services
+				.users
+				.is_active_local(&target_user_id)
+				.await
+				.then_some((target_user_id, map))
+		})
 		.for_each_concurrent(automatic_width(), |(target_user_id, map)| {
 			handle_edu_direct_to_device_user(services, target_user_id, sender, &ev_type, map)
 		})

src/core/matrix/state_res/event_auth.rs

@@ -332,8 +332,7 @@ pub async fn auth_check<E, F, Fut>(
 	// If the create event content has the field m.federate set to false and the
 	// sender domain of the event does not match the sender domain of the create
 	// event, reject.
-	if !room_version.room_ids_as_hashes
-		&& !room_create_content.federate
+	if !room_create_content.federate
 		&& room_create_event.sender().server_name() != incoming_event.sender().server_name()
 	{
 		warn!(

src/service/media/preview.rs

@@ -419,7 +419,7 @@ pub fn url_preview_allowed(&self, url: &Url) -> bool {
 							 url_preview_domain_explicit_denylist (check 1/3)",
 							&root_domain
 						);
-						return true;
+						return false;
 					}
 
 					if allowlist_domain_explicit.contains(&root_domain.to_owned()) {

src/service/users/mod.rs

@@ -339,6 +339,7 @@ pub async fn count(&self) -> usize { self.db.userid_password.count().await }
 
 	/// Find out which user an access token belongs to.
 	pub async fn find_from_token(&self, token: &str) -> Result<(OwnedUserId, OwnedDeviceId)> {
+		assert!(!token.is_empty(), "Empty access token");
 		self.db.token_userdeviceid.get(token).await.deserialized()
 	}