1 Commits

Author SHA1 Message Date
Renovate Bot
66eba8da34 chore(deps): update https://github.com/taiki-e/install-action digest to eea29cf 2026-04-15 05:03:09 +00:00
30 changed files with 382 additions and 260 deletions


@@ -33,7 +33,7 @@ runs:
echo "version=$(rustup --version)" >> $GITHUB_OUTPUT echo "version=$(rustup --version)" >> $GITHUB_OUTPUT
- name: Cache rustup toolchains - name: Cache rustup toolchains
if: steps.rustup-version.outputs.version == '' if: steps.rustup-version.outputs.version == ''
uses: actions/cache@v5 uses: actions/cache@6f8efc29b200d32929f49075959781ed54ec270c # v3
with: with:
path: | path: |
~/.rustup ~/.rustup
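Review bot: The new pin on the "Cache rustup toolchains" step is annotated `# v3`, while every other `actions/cache` pin in this change is `0057852bfaa89a56745cba8c7296529d2fc39830 # v4` and the line it replaces used `@v5`. The same `6f8efc29b200d32929f49075959781ed54ec270c # v3` pin appears on the "Cache npm dependencies" step. Pinning to a full commit SHA is the right direction for supply-chain integrity, but two different majors of one action, both older than the tag being replaced, look unintended. I would use a single digest everywhere, e.g. `uses: actions/cache@0057852bfaa89a56745cba8c7296529d2fc39830 # v4`, and confirm the digest resolves to the release named in the comment, since the comment is all a reviewer can read. The step's `with:` block continues outside the hunk.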


@@ -57,7 +57,7 @@ runs:
- name: Check for LLVM cache - name: Check for LLVM cache
id: cache id: cache
uses: actions/cache@v5 uses: actions/cache@0057852bfaa89a56745cba8c7296529d2fc39830 # v4
with: with:
path: | path: |
/usr/bin/clang-* /usr/bin/clang-*


@@ -65,7 +65,7 @@ runs:
- name: Cache toolchain binaries - name: Cache toolchain binaries
id: toolchain-cache id: toolchain-cache
uses: actions/cache@v5 uses: actions/cache@0057852bfaa89a56745cba8c7296529d2fc39830 # v4
with: with:
path: | path: |
.cargo/bin .cargo/bin
@@ -76,7 +76,7 @@ runs:
- name: Cache Cargo registry and git - name: Cache Cargo registry and git
id: registry-cache id: registry-cache
uses: actions/cache@v5 uses: actions/cache@0057852bfaa89a56745cba8c7296529d2fc39830 # v4
with: with:
path: | path: |
.cargo/registry/index .cargo/registry/index


@@ -31,7 +31,7 @@ runs:
- name: Restore binary cache - name: Restore binary cache
id: binary-cache id: binary-cache
uses: actions/cache/restore@v5 uses: actions/cache/restore@0057852bfaa89a56745cba8c7296529d2fc39830 # v4
with: with:
path: | path: |
/usr/share/rust/.cargo/bin /usr/share/rust/.cargo/bin
@@ -77,7 +77,7 @@ runs:
- name: Save binary cache - name: Save binary cache
if: steps.check-binaries.outputs.need-install == 'true' if: steps.check-binaries.outputs.need-install == 'true'
uses: actions/cache/save@v5 uses: actions/cache/save@0057852bfaa89a56745cba8c7296529d2fc39830 # v4
with: with:
path: | path: |
/usr/share/rust/.cargo/bin /usr/share/rust/.cargo/bin
@@ -87,7 +87,7 @@ runs:
- name: Restore timelord cache with fallbacks - name: Restore timelord cache with fallbacks
id: timelord-restore id: timelord-restore
uses: actions/cache/restore@v5 uses: actions/cache/restore@0057852bfaa89a56745cba8c7296529d2fc39830 # v4
with: with:
path: ${{ env.TIMELORD_CACHE_PATH }} path: ${{ env.TIMELORD_CACHE_PATH }}
key: ${{ env.TIMELORD_KEY }} key: ${{ env.TIMELORD_KEY }}
@@ -114,7 +114,7 @@ runs:
timelord sync --source-dir ${{ env.TIMELORD_PATH }} --cache-dir ${{ env.TIMELORD_CACHE_PATH }} timelord sync --source-dir ${{ env.TIMELORD_PATH }} --cache-dir ${{ env.TIMELORD_CACHE_PATH }}
- name: Save updated timelord cache immediately - name: Save updated timelord cache immediately
uses: actions/cache/save@v5 uses: actions/cache/save@0057852bfaa89a56745cba8c7296529d2fc39830 # v4
with: with:
path: ${{ env.TIMELORD_CACHE_PATH }} path: ${{ env.TIMELORD_CACHE_PATH }}
key: ${{ env.TIMELORD_KEY }} key: ${{ env.TIMELORD_KEY }}


@@ -60,7 +60,7 @@ jobs:
ref: ${{ github.ref_name }} ref: ${{ github.ref_name }}
- name: Cache Cargo registry - name: Cache Cargo registry
uses: actions/cache@v5 uses: actions/cache@0057852bfaa89a56745cba8c7296529d2fc39830 # v4
with: with:
path: | path: |
~/.cargo/registry ~/.cargo/registry


@@ -37,7 +37,7 @@ jobs:
- name: Cache DNF packages - name: Cache DNF packages
uses: actions/cache@v5 uses: actions/cache@0057852bfaa89a56745cba8c7296529d2fc39830 # v4
with: with:
path: | path: |
/var/cache/dnf /var/cache/dnf
@@ -47,7 +47,7 @@ jobs:
dnf-fedora${{ steps.fedora.outputs.version }}- dnf-fedora${{ steps.fedora.outputs.version }}-
- name: Cache Cargo registry - name: Cache Cargo registry
uses: actions/cache@v5 uses: actions/cache@0057852bfaa89a56745cba8c7296529d2fc39830 # v4
with: with:
path: | path: |
~/.cargo/registry ~/.cargo/registry
@@ -57,7 +57,7 @@ jobs:
cargo-fedora${{ steps.fedora.outputs.version }}- cargo-fedora${{ steps.fedora.outputs.version }}-
- name: Cache Rust build dependencies - name: Cache Rust build dependencies
uses: actions/cache@v5 uses: actions/cache@0057852bfaa89a56745cba8c7296529d2fc39830 # v4
with: with:
path: | path: |
~/rpmbuild/BUILD/*/target/release/deps ~/rpmbuild/BUILD/*/target/release/deps


@@ -4,6 +4,11 @@ on:
pull_request_target: pull_request_target:
types: [opened, synchronize, reopened, ready_for_review, labeled, unlabeled] types: [opened, synchronize, reopened, ready_for_review, labeled, unlabeled]
concurrency:
group: "${{ github.workflow }}-${{ github.ref }}"
cancel-in-progress: true
permissions: permissions:
contents: read contents: read
pull-requests: write pull-requests: write
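Review bot: The added concurrency group keys on `github.ref`, which for a `pull_request_target` trigger is the base branch rather than the pull request, assuming the runner follows GitHub's semantics here. With `cancel-in-progress: true`, a run for one pull request would then cancel the in-flight run of another that targets the same branch. Keying on the pull request number keeps cancellation scoped to a single PR: `group: "${{ github.workflow }}-${{ github.event.pull_request.number }}"`. The workflow runs in the base repository's context with `pull-requests: write`, and its jobs are outside the hunk, so I cannot see whether any step checks out PR head code. A comment above `permissions:` such as `# pull_request_target: never check out or execute code from the PR head in this workflow` would record that constraint.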


@@ -37,7 +37,7 @@ jobs:
node-version: 22 node-version: 22
- name: Cache npm dependencies - name: Cache npm dependencies
uses: actions/cache@v5 uses: actions/cache@6f8efc29b200d32929f49075959781ed54ec270c # v3
with: with:
path: ~/.npm path: ~/.npm
key: continuwuity-rspress-${{ steps.runner-env.outputs.slug }}-${{ steps.runner-env.outputs.arch }}-node-${{ steps.runner-env.outputs.node_version }}-${{ hashFiles('package-lock.json') }} key: continuwuity-rspress-${{ steps.runner-env.outputs.slug }}-${{ steps.runner-env.outputs.arch }}-node-${{ steps.runner-env.outputs.node_version }}-${{ hashFiles('package-lock.json') }}


@@ -55,7 +55,7 @@ jobs:
# repositories: continuwuity # repositories: continuwuity
- name: Install regsync - name: Install regsync
uses: https://github.com/regclient/actions/regsync-installer@f3c6d87835906c175eb6ccfc18b348b69bb447e7 # main uses: https://github.com/regclient/actions/regsync-installer@f07124ffba4b0cbf96b2a666d481ed9d44b5e7e4 # main
- name: Check what images need mirroring - name: Check what images need mirroring
run: | run: |
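Review bot: The new `regsync-installer` digest on the "Install regsync" step is still annotated `# main`, so the pin follows a branch head rather than a release. A digest bump like this one therefore cannot be matched to a tag or changelog during review. The step installs a tool into a job that, judging by the next step name, goes on to decide which images get mirrored, so I would prefer a digest of a tagged release with the tag in the trailing comment, if upstream publishes one. If tracking `main` is deliberate, a comment above the step would make that explicit: `# pinned to a main-branch commit; review the upstream diff on every digest bump`.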


@@ -9,9 +9,6 @@ on:
paths-ignore: paths-ignore:
- "*.md" - "*.md"
- "**/*.md" - "**/*.md"
- "*.mdx"
- "**/*.mdx"
- "changelog.d/**"
- ".gitlab-ci.yml" - ".gitlab-ci.yml"
- ".gitignore" - ".gitignore"
- "renovate.json" - "renovate.json"
@@ -200,9 +197,8 @@ jobs:
registry_password: ${{ secrets.BUILTIN_REGISTRY_PASSWORD || secrets.GITHUB_TOKEN }} registry_password: ${{ secrets.BUILTIN_REGISTRY_PASSWORD || secrets.GITHUB_TOKEN }}
mirror_images: mirror_images:
name: "Mirror Images"
runs-on: ubuntu-latest
needs: needs:
- merge-maxperf - merge-maxperf
- merge-release - merge-release
runs-on: ubuntu-latest
uses: ./.forgejo/workflows/mirror-images.yml uses: ./.forgejo/workflows/mirror-images.yml


@@ -55,7 +55,7 @@ jobs:
run: /usr/local/renovate/node -e 'console.log(`node heap limit = ${require("v8").getHeapStatistics().heap_size_limit / (1024 * 1024)} Mb`)' run: /usr/local/renovate/node -e 'console.log(`node heap limit = ${require("v8").getHeapStatistics().heap_size_limit / (1024 * 1024)} Mb`)'
- name: Restore renovate repo cache - name: Restore renovate repo cache
uses: actions/cache/restore@v5 uses: actions/cache/restore@0057852bfaa89a56745cba8c7296529d2fc39830 # v4
with: with:
path: | path: |
/tmp/renovate/cache/renovate/repository /tmp/renovate/cache/renovate/repository
@@ -64,7 +64,7 @@ jobs:
renovate-repo-cache- renovate-repo-cache-
- name: Restore renovate package cache - name: Restore renovate package cache
uses: actions/cache/restore@v5 uses: actions/cache/restore@0057852bfaa89a56745cba8c7296529d2fc39830 # v4
with: with:
path: | path: |
/tmp/renovate/cache/renovate/renovate-cache-sqlite /tmp/renovate/cache/renovate/renovate-cache-sqlite
@@ -73,7 +73,7 @@ jobs:
renovate-package-cache- renovate-package-cache-
- name: Restore renovate OSV cache - name: Restore renovate OSV cache
uses: actions/cache/restore@v5 uses: actions/cache/restore@0057852bfaa89a56745cba8c7296529d2fc39830 # v4
with: with:
path: | path: |
/tmp/osv /tmp/osv
@@ -109,7 +109,7 @@ jobs:
- name: Save renovate repo cache - name: Save renovate repo cache
if: always() if: always()
uses: uses:
actions/cache/save@v5 actions/cache/save@v4
with: with:
path: | path: |
/tmp/renovate/cache/renovate/repository /tmp/renovate/cache/renovate/repository
@@ -117,7 +117,7 @@ jobs:
- name: Save renovate package cache - name: Save renovate package cache
if: always() if: always()
uses: actions/cache/save@v5 uses: actions/cache/save@0057852bfaa89a56745cba8c7296529d2fc39830 # v4
with: with:
path: | path: |
/tmp/renovate/cache/renovate/renovate-cache-sqlite /tmp/renovate/cache/renovate/renovate-cache-sqlite
@@ -125,7 +125,7 @@ jobs:
- name: Save renovate OSV cache - name: Save renovate OSV cache
if: always() if: always()
uses: actions/cache/save@v5 uses: actions/cache/save@0057852bfaa89a56745cba8c7296529d2fc39830 # v4
with: with:
path: | path: |
/tmp/osv /tmp/osv
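Review bot: The "Save renovate repo cache" step ends up on `actions/cache/save@v4`, a mutable tag, while the five other cache steps in this file are pinned to `0057852bfaa89a56745cba8c7296529d2fc39830 # v4`. Its `uses:` value sits on its own line below the key, which may be why the pinning pass missed it. I would fold it back onto one line and pin it like its neighbours: `uses: actions/cache/save@0057852bfaa89a56745cba8c7296529d2fc39830 # v4`. The step runs under `if: always()`, so the one reference that can be repointed by retagging upstream is also the one that executes even when earlier steps fail.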


@@ -24,7 +24,7 @@ repos:
- id: check-added-large-files - id: check-added-large-files
- repo: https://github.com/crate-ci/typos - repo: https://github.com/crate-ci/typos
rev: v1.45.1 rev: v1.45.0
hooks: hooks:
- id: typos - id: typos
- id: typos - id: typos

19
Cargo.lock generated

@@ -1203,7 +1203,7 @@ dependencies = [
"serde", "serde",
"serde-saphyr", "serde-saphyr",
"serde_json", "serde_json",
"sha2 0.11.0", "sha2",
"termimad", "termimad",
"tokio", "tokio",
"tracing", "tracing",
@@ -1813,7 +1813,7 @@ dependencies = [
"ed25519", "ed25519",
"rand_core 0.6.4", "rand_core 0.6.4",
"serde", "serde",
"sha2 0.10.9", "sha2",
"subtle", "subtle",
"zeroize", "zeroize",
] ]
@@ -4773,7 +4773,7 @@ dependencies = [
"rand_core 0.6.4", "rand_core 0.6.4",
"ruma-common", "ruma-common",
"serde_json", "serde_json",
"sha2 0.10.9", "sha2",
"subslice", "subslice",
"thiserror 2.0.18", "thiserror 2.0.18",
] ]
@@ -5314,17 +5314,6 @@ dependencies = [
"digest 0.10.7", "digest 0.10.7",
] ]
[[package]]
name = "sha2"
version = "0.11.0"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "446ba717509524cb3f22f17ecc096f10f4822d76ab5c0b9822c5f9c284e825f4"
dependencies = [
"cfg-if",
"cpufeatures 0.3.0",
"digest 0.11.2",
]
[[package]] [[package]]
name = "sha256" name = "sha256"
version = "1.6.0" version = "1.6.0"
@@ -5334,7 +5323,7 @@ dependencies = [
"async-trait", "async-trait",
"bytes", "bytes",
"hex", "hex",
"sha2 0.10.9", "sha2",
"tokio", "tokio",
] ]


@@ -400,7 +400,7 @@ features = [
] ]
[workspace.dependencies.sha2] [workspace.dependencies.sha2]
version = "0.11.0" version = "0.10.8"
default-features = false default-features = false
[workspace.dependencies.sha1] [workspace.dependencies.sha1]


@@ -1 +0,0 @@
Implemented option to deprioritize servers for room join requests. Contributed by @ezera.


@@ -1409,20 +1409,6 @@
# #
#ignore_messages_from_server_names = [] #ignore_messages_from_server_names = []
# List of server names that continuwuity will deprioritize (try last) when
# a client requests to join a room.
#
# This can be used to potentially speed up room join requests, by
# deprioritizing sending join requests through servers that are known to
# be large or slow.
#
# continuwuity will still send join requests to servers in this list if
# the room couldn't be joined via other servers it federates with.
#
# example: ["example.com"]
#
#deprioritize_joins_through_servers = []
# Send messages from users that the user has ignored to the client. # Send messages from users that the user has ignored to the client.
# #
# There is no way for clients to receive messages sent while a user was # There is no way for clients to receive messages sent while a user was


@@ -48,7 +48,7 @@ EOF
# Developer tool versions # Developer tool versions
# renovate: datasource=github-releases depName=cargo-bins/cargo-binstall # renovate: datasource=github-releases depName=cargo-bins/cargo-binstall
ENV BINSTALL_VERSION=1.18.1 ENV BINSTALL_VERSION=1.18.0
# renovate: datasource=github-releases depName=psastras/sbom-rs # renovate: datasource=github-releases depName=psastras/sbom-rs
ENV CARGO_SBOM_VERSION=0.9.1 ENV CARGO_SBOM_VERSION=0.9.1
# renovate: datasource=crate depName=lddtree # renovate: datasource=crate depName=lddtree


@@ -18,7 +18,7 @@ RUN --mount=type=cache,target=/etc/apk/cache apk add \
# Developer tool versions # Developer tool versions
# renovate: datasource=github-releases depName=cargo-bins/cargo-binstall # renovate: datasource=github-releases depName=cargo-bins/cargo-binstall
ENV BINSTALL_VERSION=1.18.1 ENV BINSTALL_VERSION=1.18.0
# renovate: datasource=github-releases depName=psastras/sbom-rs # renovate: datasource=github-releases depName=psastras/sbom-rs
ENV CARGO_SBOM_VERSION=0.9.1 ENV CARGO_SBOM_VERSION=0.9.1
# renovate: datasource=crate depName=lddtree # renovate: datasource=crate depName=lddtree


@@ -69,6 +69,11 @@
"label": "Configuration Reference", "label": "Configuration Reference",
"name": "/reference/config" "name": "/reference/config"
}, },
{
"type": "file",
"label": "Environment Variables",
"name": "/reference/environment-variables"
},
{ {
"type": "dir", "type": "dir",
"label": "Admin Command Reference", "label": "Admin Command Reference",


@@ -18,14 +18,12 @@ ## Configuration
```toml ```toml
[global.well_known] [global.well_known]
# defaults to port :443 if not specified
client = "https://matrix.example.com" client = "https://matrix.example.com"
# port number MUST be specified # port number MUST be specified
server = "matrix.example.com:443" server = "matrix.example.com:443"
# (optional) customize your support contacts # (optional) customize your support contacts
# Defaults to members of the admin room if unset
#support_page = #support_page =
#support_role = "m.role.admin" #support_role = "m.role.admin"
#support_email = #support_email =
@@ -44,13 +42,9 @@ # Defaults to members of the admin room if unset
client=https://matrix.example.com, client=https://matrix.example.com,
server=matrix.example.com:443 server=matrix.example.com:443
} }
# You can also configure individual `.well-knowns` like this
# CONTINUWUITY_WELL_KNOWN__CLIENT: https://matrix.example.com
# CONTINUWUITY_WELL_KNOWN__SERVER: matrix.example.com:443
``` ```
## Reverse proxying well-known files to Continuwuity ## Serving with a reverse proxy
After doing the steps above, Continuwuity will serve these 3 JSON files: After doing the steps above, Continuwuity will serve these 3 JSON files:
@@ -100,7 +94,9 @@ ## Reverse proxying well-known files to Continuwuity
<summary>`https://example.com/.well-known/matrix/server`</summary> <summary>`https://example.com/.well-known/matrix/server`</summary>
```json ```json
{ "m.server": "matrix.example.com:443" } {
"m.server": "matrix.example.com:443"
}
``` ```
</details> </details>
@@ -119,57 +115,12 @@ ## Reverse proxying well-known files to Continuwuity
</details> </details>
### Serving well-known files manually
Instead of configuring `[global.well_known]` options and reverse proxying well-known URIs, you can serve these files directly as static JSON that match the ones above. This is useful if your base domain points to a different physical server, and reverse proxying isn't feasible.
<details>
<summary>Example Caddyfile **for the base domain**</summary>
```
https://example.com {
respond /.well-known/matrix/server 200 {
body `{"m.server":"matrix.example.com:443"}`
}
handle /.well-known/matrix/client {
header Access-Control-Allow-Origin *
respond <<JSON
{
"m.homeserver": {
"base_url": "https://matrix.example.com/"
}
}
JSON
}
}
```
</details>
Remember to set the `Access-Control-Allow-Origin: *` header in your `/.well-known/matrix/client` path for web clients to work.
## Troubleshooting ## Troubleshooting
Check with the [Matrix Connectivity Tester][federation-tester] to see that it's working.
[federation-tester]: https://federationtester.mtrnord.blog/
### Cannot log in with web clients ### Cannot log in with web clients
Make sure there is an `Access-Control-Allow-Origin: *` header in your `/.well-known/matrix/client` path. While Continuwuity serves this header by default, it may be dropped by reverse proxies or other middlewares. Make sure there is an `Access-Control-Allow-Origin: *` header in your `/.well-known/matrix/client` path. While Continuwuity serves this header by default, it may be dropped by reverse proxies or other middlewares.
### Issues with alternative setups
As Matrix clients prioritize well-known URIs for their destination, this can lead to issues with alternative methods of accessing the server that doesn't use a publicly routeable IP and domain name. You will probably find yourself connecting to non-existent/undesired URLs in certain cases like:
- Accessing to the server via localhost IPs (e.g. for testing purposes)
- Accessing the server from behind a VPN, or from alternative networks (such as from an onionsite)
In these scenarios, further configurations would be needed. Refer to the [Related Documentation](#related-documentation) section for resolution steps and see how they could apply to your use case.
--- ---
## Using SRV records (not recommended) ## Using SRV records (not recommended)


@@ -2,90 +2,66 @@ # Configuration
This chapter describes various ways to configure Continuwuity. This chapter describes various ways to configure Continuwuity.
## Configuration file ## Basics
Continuwuity uses a TOML config file for all of its settings. This is the recommended way to configure Continuwuity. Please refer to the [example config file](./reference/config.mdx) for all of these settings. Continuwuity uses a config file for the majority of the settings, but also supports
setting individual config options via commandline.
You can specify the config file to be used by Continuwuity with the command-line flag `-c` or `--config`: Please refer to the [example config
file](./reference/config.mdx) for all of those
settings.
```bash The config file to use can be specified on the commandline when running
./conduwuit -c /path/to/continuwuity.toml Continuwuity by specifying the `-c`, `--config` flag. Alternatively, you can use
``` the environment variable `CONTINUWUITY_CONFIG` to specify the config file to be
used; see [the section on environment variables](#environment-variables) for
more information.
Alternatively, you can use the environment variable `CONTINUWUITY_CONFIG` to specify the config file to be used; see [the section on environment variables](#environment-variables) for more information. ## Option commandline flag
## Environment variables Continuwuity supports setting individual config options in TOML format from the
`-O` / `--option` flag. For example, you can set your server name via `-O
All of the options in the config file can also be specified by using environment variables. This is ideal for containerised deployments and infrastructure-as-code scenarios. server_name=\"example.com\"`.
The environment variable names are represented in all caps and prefixed with `CONTINUWUITY_`. They are mapped to config options in the ways demonstrated below:
```bash
# Top-level options (those inside the [global] section) are simply capitalised
CONTINUWUITY_SERVER_NAME="matrix.example.com"
CONTINUWUITY_PORT="8008"
CONTINUWUITY_DATABASE_PATH="/var/lib/continuwuity"
# Nested config sections use double underscores `__`
# This maps to the `server` field of the [global.well_known] section in TOML
CONTINUWUITY_WELL_KNOWN__SERVER="example.com:443"
# This maps to the `base_url` field of the `[global.antispam.draupnir]` section in TOML
CONTINUWUITY_ANTISPAM__DRAUPNIR__BASE_URL="https://draupnir.example.com"
# Alternatively, you can pass a (quoted) struct to define an entire section
# This maps to the [global.well_known] section
CONTINUWUITY_WELL_KNOWN="{ client=https://example.com,server=example.com:443 }"
```
### Alternative prefixes
For backwards compatibility, Continuwuity also supports the following environment variable prefixes, in order of descending priority:
- `CONDUWUIT_*` (compatibility)
- `CONDUIT_*` (legacy)
As an example, the environment variable `CONTINUWUITY_CONFIG` can also be expressed as `CONDUWUIT_CONFIG` or `CONDUIT_CONFIG`.
## Option command-line flag
Continuwuity also supports setting individual config options in TOML format from the `-O` / `--option` flag. For example, you can set your server name via `-O server_name=\"example.com\"`.
Note that the config is parsed as TOML, and shells like `bash` will remove quotes. Therefore, if the config option is a string, quote escapes must be properly handled. If the config option is a number or a boolean, this does not apply.
Note that the config is parsed as TOML, and shells like bash will remove quotes.
So unfortunately it is required to escape quotes if the config option takes a
string. This does not apply to options that take booleans or numbers:
- `--option allow_registration=true` works ✅ - `--option allow_registration=true` works ✅
- `-O max_request_size=99999999` works ✅ - `-O max_request_size=99999999` works ✅
- `-O server_name=example.com` does not work ❌ - `-O server_name=example.com` does not work ❌
- `--option log=\"debug\"` works ✅ - `--option log=\"debug\"` works ✅
- `--option server_name='"example.com'"` works ✅ - `--option server_name='"example.com'"` works ✅
## Order of priority ## Execute commandline flag
The above configuration methods are prioritised, in descending order, as below: Continuwuity supports running admin commands on startup using the commandline
argument `--execute`. The most notable use for this is to create an admin user
on first startup.
- Command-line `-o`/`--option` flags The syntax of this is a standard admin command without the prefix such as
- Environment variables `./conduwuit --execute "users create_user june"`
- `CONTINUWUITY_*` variables
- `CONDUWUIT_*` variables
- `CONDUIT_*` variables
- Config file
Therefore, you can use environment variables or the options flags to override values in the config file. An example output of a success is:
```
---
## Executing startup commands
Continuwuity supports running admin commands on startup using the command-line flag `--execute`. This is treated as a standard admin command, without the need for the `!admin` prefix. For example, to create a new user:
```bash
# Equivalent to `!admin users create_user june`
./conduwuit --execute "users create_user june"
INFO conduwuit_service::admin::startup: Startup command #0 completed: INFO conduwuit_service::admin::startup: Startup command #0 completed:
Created user with user_id: @june:girlboss.ceo and password: `<redacted>` Created user with user_id: @june:girlboss.ceo and password: `<redacted>`
``` ```
Alternatively, you can configure `CONTINUWUITY_ADMIN_EXECUTE` or the config file value `admin_execute` with a list of commands. This commandline argument can be paired with the `--option` flag.
This command-line argument can be paired with the `--option` flag. ## Environment variables
All of the settings that are found in the config file can be specified by using
environment variables. The environment variable names should be all caps and
prefixed with `CONTINUWUITY_`.
For example, if the setting you are changing is `max_request_size`, then the
environment variable to set is `CONTINUWUITY_MAX_REQUEST_SIZE`.
To modify config options not in the `[global]` context such as
`[global.well_known]`, use the `__` suffix split:
`CONTINUWUITY_WELL_KNOWN__SERVER`
Conduit and conduwuit's environment variables are also supported for backwards
compatibility, via the `CONDUIT_` and `CONDUWUIT_` prefixes respectively (e.g.
`CONDUIT_SERVER_NAME`).


@@ -152,7 +152,7 @@ #### For other reverse proxies
### Starting Your Server ### Starting Your Server
1. Choose your compose file from the above, and rename it to `docker-compose.yml`. Replace `example.com` with your homeserver's domain name, and edit other values as you see fit. 1. Choose your compose file from the above, and rename it to `docker-compose.yml`. Edit values as you see fit.
2. If using the override file, rename it to `docker-compose.override.yml` and 2. If using the override file, rename it to `docker-compose.override.yml` and
edit your values. edit your values.
3. Start the server: 3. Start the server:


@@ -13,7 +13,7 @@ services:
- proxy - proxy
labels: labels:
- "traefik.enable=true" - "traefik.enable=true"
- "traefik.http.routers.continuwuity.rule=(Host(`example.com`))" - "traefik.http.routers.continuwuity.rule=(Host(`matrix.example.com`) || (Host(`example.com`) && PathPrefix(`/.well-known/matrix`)))"
- "traefik.http.routers.continuwuity.entrypoints=websecure" # your HTTPS entry point - "traefik.http.routers.continuwuity.entrypoints=websecure" # your HTTPS entry point
- "traefik.http.routers.continuwuity.tls=true" - "traefik.http.routers.continuwuity.tls=true"
- "traefik.http.routers.continuwuity.service=continuwuity" - "traefik.http.routers.continuwuity.service=continuwuity"
@@ -21,7 +21,7 @@ services:
# possibly, depending on your config: # possibly, depending on your config:
# - "traefik.http.routers.continuwuity.tls.certresolver=letsencrypt" # - "traefik.http.routers.continuwuity.tls.certresolver=letsencrypt"
environment: environment:
CONTINUWUITY_SERVER_NAME: example.com CONTINUWUITY_SERVER_NAME: example.com # EDIT THIS
CONTINUWUITY_DATABASE_PATH: /var/lib/continuwuity CONTINUWUITY_DATABASE_PATH: /var/lib/continuwuity
CONTINUWUITY_ADDRESS: 0.0.0.0 CONTINUWUITY_ADDRESS: 0.0.0.0
CONTINUWUITY_PORT: 8008 # This must match with traefik's loadbalancer label CONTINUWUITY_PORT: 8008 # This must match with traefik's loadbalancer label


@@ -6,7 +6,7 @@ services:
- "traefik.enable=true" - "traefik.enable=true"
- "traefik.docker.network=proxy" # Change this to the name of your Traefik docker proxy network - "traefik.docker.network=proxy" # Change this to the name of your Traefik docker proxy network
- "traefik.http.routers.to-continuwuity.rule=Host(`example.com`)" # Change to the address on which Continuwuity is hosted - "traefik.http.routers.to-continuwuity.rule=Host(`matrix.example.com`)" # Change to the address on which Continuwuity is hosted
- "traefik.http.routers.to-continuwuity.tls=true" - "traefik.http.routers.to-continuwuity.tls=true"
- "traefik.http.routers.to-continuwuity.tls.certresolver=letsencrypt" - "traefik.http.routers.to-continuwuity.tls.certresolver=letsencrypt"
- "traefik.http.routers.to-continuwuity.middlewares=cors-headers@docker" - "traefik.http.routers.to-continuwuity.middlewares=cors-headers@docker"


@@ -14,6 +14,9 @@ services:
- /var/run/docker.sock:/var/run/docker.sock - /var/run/docker.sock:/var/run/docker.sock
- ./data:/data - ./data:/data
restart: unless-stopped restart: unless-stopped
labels:
caddy: example.com
caddy.reverse_proxy: /.well-known/matrix/* homeserver:8008
homeserver: homeserver:
image: forgejo.ellis.link/continuwuation/continuwuity:latest image: forgejo.ellis.link/continuwuation/continuwuity:latest
@@ -24,7 +27,7 @@ services:
- ./continuwuity-resolv.conf:/etc/resolv.conf # use custom resolvers rather than Docker's - ./continuwuity-resolv.conf:/etc/resolv.conf # use custom resolvers rather than Docker's
#- ./continuwuity.toml:/etc/continuwuity.toml #- ./continuwuity.toml:/etc/continuwuity.toml
environment: environment:
CONTINUWUITY_SERVER_NAME: example.com CONTINUWUITY_SERVER_NAME: example.com # EDIT THIS
CONTINUWUITY_DATABASE_PATH: /var/lib/continuwuity CONTINUWUITY_DATABASE_PATH: /var/lib/continuwuity
CONTINUWUITY_ADDRESS: 0.0.0.0 CONTINUWUITY_ADDRESS: 0.0.0.0
CONTINUWUITY_PORT: 8008 CONTINUWUITY_PORT: 8008


@@ -13,12 +13,12 @@ services:
- proxy - proxy
labels: labels:
- "traefik.enable=true" - "traefik.enable=true"
- "traefik.http.routers.continuwuity.rule=(Host(`example.com`))" - "traefik.http.routers.continuwuity.rule=(Host(`matrix.example.com`) || (Host(`example.com`) && PathPrefix(`/.well-known/matrix`)))"
- "traefik.http.routers.continuwuity.entrypoints=websecure" - "traefik.http.routers.continuwuity.entrypoints=websecure"
- "traefik.http.routers.continuwuity.tls.certresolver=letsencrypt" - "traefik.http.routers.continuwuity.tls.certresolver=letsencrypt"
- "traefik.http.services.continuwuity.loadbalancer.server.port=8008" - "traefik.http.services.continuwuity.loadbalancer.server.port=8008"
environment: environment:
CONTINUWUITY_SERVER_NAME: example.com CONTINUWUITY_SERVER_NAME: example.com # EDIT THIS
CONTINUWUITY_DATABASE_PATH: /var/lib/continuwuity CONTINUWUITY_DATABASE_PATH: /var/lib/continuwuity
CONTINUWUITY_ADDRESS: 0.0.0.0 CONTINUWUITY_ADDRESS: 0.0.0.0
CONTINUWUITY_PORT: 8008 # This must match with traefik's loadbalancer label CONTINUWUITY_PORT: 8008 # This must match with traefik's loadbalancer label


@@ -4,6 +4,11 @@
"name": "config", "name": "config",
"label": "Configuration" "label": "Configuration"
}, },
{
"type": "file",
"name": "environment-variables",
"label": "Environment Variables"
},
{ {
"type": "file", "type": "file",
"name": "admin", "name": "admin",


@@ -0,0 +1,281 @@
# Environment Variables
Continuwuity can be configured entirely through environment variables, making it
ideal for containerised deployments and infrastructure-as-code scenarios.
This is a convenience reference and may not be exhaustive. The
[Configuration Reference](./config.mdx) is the primary source for all
configuration options.
## Prefix System
Continuwuity supports three environment variable prefixes for backwards
compatibility:
- `CONTINUWUITY_*` (current, recommended)
- `CONDUWUIT_*` (compatibility)
- `CONDUIT_*` (legacy)
All three prefixes work identically. Use double underscores (`__`) to represent
nested configuration sections from the TOML config.
**Examples:**
```bash
# Simple top-level config
CONTINUWUITY_SERVER_NAME="matrix.example.com"
CONTINUWUITY_PORT="8008"
# Nested config sections use double underscores
# This maps to [database] section in TOML
CONTINUWUITY_DATABASE__PATH="/var/lib/continuwuity"
# This maps to [tls] section in TOML
CONTINUWUITY_TLS__CERTS="/path/to/cert.pem"
```
## Configuration File Override
You can specify a custom configuration file path:
- `CONTINUWUITY_CONFIG` - Path to continuwuity.toml (current)
- `CONDUWUIT_CONFIG` - Path to config file (compatibility)
- `CONDUIT_CONFIG` - Path to config file (legacy)
## Essential Variables
These are the minimum variables needed for a working deployment:
| Variable | Description | Default |
| ---------------------------- | ---------------------------------- | ---------------------- |
| `CONTINUWUITY_SERVER_NAME` | Your Matrix server's domain name | Required |
| `CONTINUWUITY_DATABASE_PATH` | Path to RocksDB database directory | `/var/lib/conduwuit` |
| `CONTINUWUITY_ADDRESS` | IP address to bind to | `["127.0.0.1", "::1"]` |
| `CONTINUWUITY_PORT` | Port to listen on | `8008` |
## Network Configuration
| Variable | Description | Default |
| -------------------------------- | ----------------------------------------------- | ---------------------- |
| `CONTINUWUITY_ADDRESS` | Bind address (use `0.0.0.0` for all interfaces) | `["127.0.0.1", "::1"]` |
| `CONTINUWUITY_PORT` | HTTP port | `8008` |
| `CONTINUWUITY_UNIX_SOCKET_PATH` | UNIX socket path (alternative to TCP) | - |
| `CONTINUWUITY_UNIX_SOCKET_PERMS` | Socket permissions (octal) | `660` |
## Database Configuration
| Variable | Description | Default |
| ------------------------------------------ | --------------------------- | -------------------- |
| `CONTINUWUITY_DATABASE_PATH` | RocksDB data directory | `/var/lib/conduwuit` |
| `CONTINUWUITY_DATABASE_BACKUP_PATH` | Backup directory | - |
| `CONTINUWUITY_DATABASE_BACKUPS_TO_KEEP` | Number of backups to retain | `1` |
| `CONTINUWUITY_DB_CACHE_CAPACITY_MB` | Database read cache (MB) | - |
| `CONTINUWUITY_DB_WRITE_BUFFER_CAPACITY_MB` | Write cache (MB) | - |
## Cache Configuration
| Variable | Description |
| ---------------------------------------- | ------------------------ |
| `CONTINUWUITY_CACHE_CAPACITY_MODIFIER` | LRU cache multiplier |
| `CONTINUWUITY_PDU_CACHE_CAPACITY` | PDU cache entries |
| `CONTINUWUITY_AUTH_CHAIN_CACHE_CAPACITY` | Auth chain cache entries |
## DNS Configuration
Configure DNS resolution behaviour for federation and external requests.
| Variable | Description | Default |
| ------------------------------------ | ---------------------------- | -------- |
| `CONTINUWUITY_DNS_CACHE_ENTRIES` | Max DNS cache entries | `32768` |
| `CONTINUWUITY_DNS_MIN_TTL` | Minimum cache TTL (seconds) | `10800` |
| `CONTINUWUITY_DNS_MIN_TTL_NXDOMAIN` | NXDOMAIN cache TTL (seconds) | `259200` |
| `CONTINUWUITY_DNS_ATTEMPTS` | Retry attempts | - |
| `CONTINUWUITY_DNS_TIMEOUT` | Query timeout (seconds) | - |
| `CONTINUWUITY_DNS_TCP_FALLBACK` | Allow TCP fallback | - |
| `CONTINUWUITY_QUERY_ALL_NAMESERVERS` | Query all nameservers | - |
| `CONTINUWUITY_QUERY_OVER_TCP_ONLY` | TCP-only queries | - |
## Request Configuration
| Variable | Description |
| ------------------------------------ | ----------------------------- |
| `CONTINUWUITY_MAX_REQUEST_SIZE` | Max HTTP request size (bytes) |
| `CONTINUWUITY_REQUEST_CONN_TIMEOUT` | Connection timeout (seconds) |
| `CONTINUWUITY_REQUEST_TIMEOUT` | Overall request timeout |
| `CONTINUWUITY_REQUEST_TOTAL_TIMEOUT` | Total timeout |
| `CONTINUWUITY_REQUEST_IDLE_TIMEOUT` | Idle timeout |
| `CONTINUWUITY_REQUEST_IDLE_PER_HOST` | Idle connections per host |
## Federation Configuration
Control how your server federates with other Matrix servers.
| Variable | Description | Default |
| ---------------------------------------------- | ----------------------------- | ------- |
| `CONTINUWUITY_ALLOW_FEDERATION` | Enable federation | `true` |
| `CONTINUWUITY_FEDERATION_LOOPBACK` | Allow loopback federation | - |
| `CONTINUWUITY_FEDERATION_CONN_TIMEOUT` | Connection timeout | - |
| `CONTINUWUITY_FEDERATION_TIMEOUT` | Request timeout | - |
| `CONTINUWUITY_FEDERATION_IDLE_TIMEOUT` | Idle timeout | - |
| `CONTINUWUITY_FEDERATION_IDLE_PER_HOST` | Idle connections per host | - |
| `CONTINUWUITY_TRUSTED_SERVERS` | JSON array of trusted servers | - |
| `CONTINUWUITY_QUERY_TRUSTED_KEY_SERVERS_FIRST` | Query trusted first | - |
| `CONTINUWUITY_ONLY_QUERY_TRUSTED_KEY_SERVERS` | Only query trusted | - |
**Example:**
```bash
# Trust matrix.org for key verification
CONTINUWUITY_TRUSTED_SERVERS='["matrix.org"]'
```
## Registration & User Configuration
Control user registration and account creation behaviour.
| Variable | Description | Default |
| ------------------------------------------ | --------------------- | ------- |
| `CONTINUWUITY_ALLOW_REGISTRATION` | Enable registration | `true` |
| `CONTINUWUITY_REGISTRATION_TOKEN` | Token requirement | - |
| `CONTINUWUITY_SUSPEND_ON_REGISTER` | Suspend new accounts | - |
| `CONTINUWUITY_NEW_USER_DISPLAYNAME_SUFFIX` | Display name suffix | 🏳️‍⚧️ |
| `CONTINUWUITY_RECAPTCHA_SITE_KEY` | reCAPTCHA site key | - |
| `CONTINUWUITY_RECAPTCHA_PRIVATE_SITE_KEY` | reCAPTCHA private key | - |
**Example:**
```bash
# Disable open registration
CONTINUWUITY_ALLOW_REGISTRATION="false"
# Require a registration token
CONTINUWUITY_REGISTRATION_TOKEN="your_secret_token_here"
```
## Feature Configuration
| Variable | Description | Default |
| ---------------------------------------------------------- | -------------------------- | ------- |
| `CONTINUWUITY_ALLOW_ENCRYPTION` | Enable E2EE | `true` |
| `CONTINUWUITY_ALLOW_ROOM_CREATION` | Enable room creation | - |
| `CONTINUWUITY_ALLOW_UNSTABLE_ROOM_VERSIONS` | Allow unstable versions | - |
| `CONTINUWUITY_DEFAULT_ROOM_VERSION` | Default room version | `v11` |
| `CONTINUWUITY_REQUIRE_AUTH_FOR_PROFILE_REQUESTS` | Auth for profiles | - |
| `CONTINUWUITY_ALLOW_PUBLIC_ROOM_DIRECTORY_OVER_FEDERATION` | Federate directory | - |
| `CONTINUWUITY_ALLOW_PUBLIC_ROOM_DIRECTORY_WITHOUT_AUTH` | Unauth directory | - |
| `CONTINUWUITY_ALLOW_DEVICE_NAME_FEDERATION` | Device names in federation | - |
## TLS Configuration
Built-in TLS support is primarily for testing. **For production deployments,
especially when federating on the internet, use a reverse proxy** (Traefik,
Caddy, nginx) to handle TLS termination.
| Variable | Description |
| --------------------------------- | ------------------------- |
| `CONTINUWUITY_TLS__CERTS` | TLS certificate file path |
| `CONTINUWUITY_TLS__KEY` | TLS private key path |
| `CONTINUWUITY_TLS__DUAL_PROTOCOL` | Support TLS 1.2 + 1.3 |
**Example (testing only):**
```bash
CONTINUWUITY_TLS__CERTS="/etc/letsencrypt/live/matrix.example.com/fullchain.pem"
CONTINUWUITY_TLS__KEY="/etc/letsencrypt/live/matrix.example.com/privkey.pem"
```
## Logging Configuration
Control log output format and verbosity.
| Variable | Description | Default |
| ------------------------------ | ------------------ | ------- |
| `CONTINUWUITY_LOG` | Log filter level | - |
| `CONTINUWUITY_LOG_COLORS` | ANSI colours | `true` |
| `CONTINUWUITY_LOG_SPAN_EVENTS` | Log span events | `none` |
| `CONTINUWUITY_LOG_THREAD_IDS` | Include thread IDs | - |
**Examples:**
```bash
# Set log level to info
CONTINUWUITY_LOG="info"
# Enable debug logging for specific modules
CONTINUWUITY_LOG="warn,continuwuity::api=debug"
# Disable colours for log aggregation
CONTINUWUITY_LOG_COLORS="false"
```
## Observability Configuration
| Variable | Description |
| ---------------------------------------- | --------------------- |
| `CONTINUWUITY_ALLOW_OTLP` | Enable OpenTelemetry |
| `CONTINUWUITY_OTLP_FILTER` | OTLP filter level |
| `CONTINUWUITY_OTLP_PROTOCOL` | Protocol (http/grpc) |
| `CONTINUWUITY_TRACING_FLAME` | Enable flame graphs |
| `CONTINUWUITY_TRACING_FLAME_FILTER` | Flame graph filter |
| `CONTINUWUITY_TRACING_FLAME_OUTPUT_PATH` | Output directory |
| `CONTINUWUITY_SENTRY` | Enable Sentry |
| `CONTINUWUITY_SENTRY_ENDPOINT` | Sentry DSN |
| `CONTINUWUITY_SENTRY_SEND_SERVER_NAME` | Include server name |
| `CONTINUWUITY_SENTRY_TRACES_SAMPLE_RATE` | Sample rate (0.0-1.0) |
## Admin Configuration
Configure admin users and automated command execution.
| Variable | Description | Default |
| ------------------------------------------ | -------------------------------- | ----------------- |
| `CONTINUWUITY_ADMINS_LIST` | JSON array of admin user IDs | - |
| `CONTINUWUITY_ADMINS_FROM_ROOM` | Derive admins from room | - |
| `CONTINUWUITY_ADMIN_ESCAPE_COMMANDS` | Allow `\` prefix in public rooms | - |
| `CONTINUWUITY_ADMIN_CONSOLE_AUTOMATIC` | Auto-activate console | - |
| `CONTINUWUITY_ADMIN_EXECUTE` | JSON array of startup commands | - |
| `CONTINUWUITY_ADMIN_EXECUTE_ERRORS_IGNORE` | Ignore command errors | - |
| `CONTINUWUITY_ADMIN_SIGNAL_EXECUTE` | Commands on SIGUSR2 | - |
| `CONTINUWUITY_ADMIN_ROOM_TAG` | Admin room tag | `m.server_notice` |
**Examples:**
```bash
# Create admin user on startup
CONTINUWUITY_ADMIN_EXECUTE='["users create-user admin", "users make-user-admin admin"]'
# Specify admin users directly
CONTINUWUITY_ADMINS_LIST='["@alice:example.com", "@bob:example.com"]'
```
## Media & URL Preview Configuration
| Variable | Description |
| ---------------------------------------------------- | ------------------ |
| `CONTINUWUITY_URL_PREVIEW_BOUND_INTERFACE` | Bind interface |
| `CONTINUWUITY_URL_PREVIEW_DOMAIN_CONTAINS_ALLOWLIST` | Domain allowlist |
| `CONTINUWUITY_URL_PREVIEW_DOMAIN_EXPLICIT_ALLOWLIST` | Explicit allowlist |
| `CONTINUWUITY_URL_PREVIEW_DOMAIN_EXPLICIT_DENYLIST` | Explicit denylist |
| `CONTINUWUITY_URL_PREVIEW_MAX_SPIDER_SIZE` | Max fetch size |
| `CONTINUWUITY_URL_PREVIEW_TIMEOUT` | Fetch timeout |
| `CONTINUWUITY_IP_RANGE_DENYLIST` | IP range denylist |
## Tokio Runtime Configuration
These can be set as environment variables or CLI arguments:
| Variable | Description |
| ----------------------------------------- | -------------------------- |
| `TOKIO_WORKER_THREADS` | Worker thread count |
| `TOKIO_GLOBAL_QUEUE_INTERVAL` | Global queue interval |
| `TOKIO_EVENT_INTERVAL` | Event interval |
| `TOKIO_MAX_IO_EVENTS_PER_TICK` | Max I/O events per tick |
| `CONTINUWUITY_RUNTIME_HISTOGRAM_INTERVAL` | Histogram bucket size (μs) |
| `CONTINUWUITY_RUNTIME_HISTOGRAM_BUCKETS` | Bucket count |
| `CONTINUWUITY_RUNTIME_WORKER_AFFINITY` | Enable worker affinity |
## See Also
- [Configuration Reference](./config.mdx) - Complete TOML configuration
documentation
- [Admin Commands](./admin/) - Admin command reference


@@ -113,7 +113,6 @@ pub(crate) async fn join_room_by_id_route(
servers.sort_unstable(); servers.sort_unstable();
servers.dedup(); servers.dedup();
shuffle(&mut servers); shuffle(&mut servers);
let servers = deprioritize(servers, &services.config.deprioritize_joins_through_servers);
join_room_by_id_helper( join_room_by_id_helper(
&services, &services,
@@ -242,7 +241,6 @@ pub(crate) async fn join_room_by_id_or_alias_route(
}, },
}; };
let servers = deprioritize(servers, &services.config.deprioritize_joins_through_servers);
let join_room_response = join_room_by_id_helper( let join_room_response = join_room_by_id_helper(
&services, &services,
sender_user, sender_user,
@@ -892,59 +890,3 @@ async fn make_join_request(
info!("All {} servers were unable to assist in joining {room_id} :(", servers.len()); info!("All {} servers were unable to assist in joining {room_id} :(", servers.len());
Err!(BadServerResponse("No server available to assist in joining.")) Err!(BadServerResponse("No server available to assist in joining."))
} }
/// Moves deprioritized servers (if any) to the back of the list.
///
/// No-op if we aren't given any servers to deprioritize.
fn deprioritize(
servers: Vec<OwnedServerName>,
deprioritized: &[OwnedServerName],
) -> Vec<OwnedServerName> {
if deprioritized.is_empty() {
return servers;
}
let (mut depr, mut servers): (Vec<_>, Vec<_>) =
servers.into_iter().partition(|s| deprioritized.contains(s));
servers.append(&mut depr);
servers
}
#[cfg(test)]
mod tests {
use ruma::OwnedServerName;
use super::*;
#[test]
fn deprioritizing_servers_works() -> Result<(), Box<dyn std::error::Error>> {
let servers = vec![
"example.com".try_into()?,
"slow.invalid".try_into()?,
"example.org".try_into()?,
];
let depr = vec!["slow.invalid".try_into()?];
let expected: Vec<OwnedServerName> = vec![
"example.com".try_into()?,
"example.org".try_into()?,
"slow.invalid".try_into()?,
];
let servers = deprioritize(servers, &depr);
assert_eq!(servers, expected);
Ok(())
}
#[test]
fn empty_deprioritized_is_noop() -> Result<(), Box<dyn std::error::Error>> {
let servers = vec![
"example.com".try_into()?,
"slow.invalid".try_into()?,
"example.org".try_into()?,
];
let depr_servers = deprioritize(servers.clone(), &[]);
assert_eq!(depr_servers, servers);
Ok(())
}
}


@@ -1630,22 +1630,6 @@ pub struct Config {
#[serde(default, with = "serde_regex")] #[serde(default, with = "serde_regex")]
pub ignore_messages_from_server_names: RegexSet, pub ignore_messages_from_server_names: RegexSet,
/// List of server names that continuwuity will deprioritize (try last) when
/// a client requests to join a room.
///
/// This can be used to potentially speed up room join requests, by
/// deprioritizing sending join requests through servers that are known to
/// be large or slow.
///
/// continuwuity will still send join requests to servers in this list if
/// the room couldn't be joined via other servers it federates with.
///
/// example: ["example.com"]
///
/// default: []
#[serde(default = "Vec::new")]
pub deprioritize_joins_through_servers: Vec<OwnedServerName>,
/// Send messages from users that the user has ignored to the client. /// Send messages from users that the user has ignored to the client.
/// ///
/// There is no way for clients to receive messages sent while a user was /// There is no way for clients to receive messages sent while a user was