feat: Enable console feature by default

This fixes a vulnerability where an attacker with a malicious remote
server and a user on the local server can trick the local server into
signing arbitrary events. The attacker issue a remote leave as the local
user to a room on the malicious server. Without any validation of the
make_leave response, the local server would sign the attacker-controlled
event and pass it back to the malicious server with send_leave.

The join and knock endpoints are also fixed in this commit, but are less
useful for exploitation because the local server replaces the "content"
field returned by the remote server. Remote invites are unaffected
because we already check that the event returned from /invite has the
same event ID as the event passed to it.

Co-authored-by: timedout <git@nexy7574.co.uk>
Co-authored-by: Jade Ellis <jade@ellis.link>
Co-authored-by: Ginger <ginger@gingershaped.computer>

.forgejo/actions/create-docker-manifest/action.yml

@@ -64,6 +64,7 @@ runs:
       uses: docker/metadata-action@v5
       with:
         flavor: |
+          latest=auto
           suffix=${{ inputs.tag_suffix }},onlatest=true
         tags: |
           type=semver,pattern={{version}},prefix=v
@@ -72,7 +73,6 @@ runs:
           type=ref,event=branch,prefix=${{ format('refs/heads/{0}', github.event.repository.default_branch) != github.ref && 'branch-' || '' }},
           type=ref,event=pr
           type=sha,format=short
-          type=raw,value=latest${{ inputs.tag_suffix }},enable=${{ startsWith(github.ref, 'refs/tags/v') }},priority=1100
         images: ${{ inputs.images }}
         # default labels & annotations: https://github.com/docker/metadata-action/blob/master/src/meta.ts#L509
       env:

.forgejo/workflows/build-debian.yml

@@ -59,10 +59,9 @@ jobs:
           # Aggressive GC since cache restores don't increment counter
           echo "CARGO_INCREMENTAL_GC_TRIGGER=5" >> $GITHUB_ENV
 
-      - name: Setup Rust nightly
+      - name: Setup Rust
         uses: ./.forgejo/actions/setup-rust
         with:
-          rust-version: nightly
           github-token: ${{ secrets.GH_PUBLIC_RO }}
 
       - name: Get package version and component

.typos.toml

@@ -24,3 +24,4 @@ extend-ignore-re = [
 "continuwuity" = "continuwuity"
 "continuwity" = "continuwuity"
 "execuse" = "execuse"
+"oltp" = "OTLP"

CHANGELOG.md

@@ -0,0 +1,12 @@
+# Continuwuity 0.5.0 (2025-12-30)
+
+**This release contains a CRITICAL vulnerability patch, and you must update as soon as possible**
+
+## Features
+
+- Enabled the OTLP exporter in default builds, and allow configuring the exporter protocol. (@Jade). (#1251)
+
+## Bug Fixes
+
+- Don't allow admin room upgrades, as this can break the admin room (@timedout) (#1245)
+- Fix invalid creators in power levels during upgrade to v12 (@timedout) (#1245)

Cargo.lock

@@ -940,7 +940,7 @@ dependencies = [
 
 [[package]]
 name = "conduwuit"
-version = "0.5.0"
+version = "0.5.1"
 dependencies = [
  "clap",
  "conduwuit_admin",
@@ -972,7 +972,7 @@ dependencies = [
 
 [[package]]
 name = "conduwuit_admin"
-version = "0.5.0"
+version = "0.5.1"
 dependencies = [
  "clap",
  "conduwuit_api",
@@ -994,7 +994,7 @@ dependencies = [
 
 [[package]]
 name = "conduwuit_api"
-version = "0.5.0"
+version = "0.5.1"
 dependencies = [
  "async-trait",
  "axum 0.7.9",
@@ -1027,14 +1027,14 @@ dependencies = [
 
 [[package]]
 name = "conduwuit_build_metadata"
-version = "0.5.0"
+version = "0.5.1"
 dependencies = [
  "built",
 ]
 
 [[package]]
 name = "conduwuit_core"
-version = "0.5.0"
+version = "0.5.1"
 dependencies = [
  "argon2",
  "arrayvec",
@@ -1095,7 +1095,7 @@ dependencies = [
 
 [[package]]
 name = "conduwuit_database"
-version = "0.5.0"
+version = "0.5.1"
 dependencies = [
  "async-channel",
  "conduwuit_core",
@@ -1114,7 +1114,7 @@ dependencies = [
 
 [[package]]
 name = "conduwuit_macros"
-version = "0.5.0"
+version = "0.5.1"
 dependencies = [
  "itertools 0.14.0",
  "proc-macro2",
@@ -1124,7 +1124,7 @@ dependencies = [
 
 [[package]]
 name = "conduwuit_router"
-version = "0.5.0"
+version = "0.5.1"
 dependencies = [
  "axum 0.7.9",
  "axum-client-ip",
@@ -1159,7 +1159,7 @@ dependencies = [
 
 [[package]]
 name = "conduwuit_service"
-version = "0.5.0"
+version = "0.5.1"
 dependencies = [
  "async-trait",
  "base64 0.22.1",
@@ -1200,7 +1200,7 @@ dependencies = [
 
 [[package]]
 name = "conduwuit_web"
-version = "0.5.0"
+version = "0.5.1"
 dependencies = [
  "askama",
  "axum 0.7.9",
@@ -3305,6 +3305,8 @@ dependencies = [
  "prost",
  "reqwest",
  "thiserror 2.0.17",
+ "tokio",
+ "tonic",
  "tracing",
 ]
 
@@ -6204,7 +6206,7 @@ dependencies = [
 
 [[package]]
 name = "xtask"
-version = "0.5.0"
+version = "0.5.1"
 dependencies = [
  "clap",
  "serde",
@@ -6213,7 +6215,7 @@ dependencies = [
 
 [[package]]
 name = "xtask-generate-commands"
-version = "0.5.0"
+version = "0.5.1"
 dependencies = [
  "clap-markdown",
  "clap_builder",

Cargo.toml

@@ -21,7 +21,7 @@ license = "Apache-2.0"
 readme = "README.md"
 repository = "https://forgejo.ellis.link/continuwuation/continuwuity"
 rust-version = "1.86.0"
-version = "0.5.0"
+version = "0.5.1"
 
 [workspace.metadata.crane]
 name = "conduwuit"
@@ -426,7 +426,7 @@ features = ["rt-tokio"]
 
 [workspace.dependencies.opentelemetry-otlp]
 version = "0.31.0"
-features = ["http", "trace", "logs", "metrics"]
+features = ["http", "grpc-tonic", "trace", "logs", "metrics"]
 
 
 

changelog.d/+6de5f7b2.misc.md

@@ -0,0 +1 @@
+The `console` feature is now enabled by default, allowing the server console to be used for running admin commands directly.

conduwuit-example.toml

@@ -26,8 +26,8 @@
 # Also see the `[global.well_known]` config section at the very bottom.
 #
 # Examples of delegation:
-# - https://puppygock.gay/.well-known/matrix/server
-# - https://puppygock.gay/.well-known/matrix/client
+# - https://continuwuity.org/.well-known/matrix/server
+# - https://continuwuity.org/.well-known/matrix/client
 #
 # YOU NEED TO EDIT THIS. THIS CANNOT BE CHANGED AFTER WITHOUT A DATABASE
 # WIPE.
@@ -608,6 +608,11 @@
 #
 #otlp_filter = "info"
 
+# Protocol to use for OTLP tracing export. Options are "http" or "grpc".
+# The HTTP protocol uses port 4318 by default, while gRPC uses port 4317.
+#
+#otlp_protocol = "http"
+
 # If the 'perf_measurements' compile-time feature is enabled, enables
 # collecting folded stack trace profile of tracing spans using
 # tracing_flame. The resulting profile can be visualized with inferno[1],
@@ -1533,7 +1538,7 @@
 # a normal continuwuity admin command. The reply will be publicly visible
 # to the room, originating from the sender.
 #
-# example: \\!admin debug ping puppygock.gay
+# example: \\!admin debug ping continuwuity.org
 #
 #admin_escape_commands = true
 
@@ -1551,7 +1556,8 @@
 # For example: `./continuwuity --execute "server admin-notice continuwuity
 # has started up at $(date)"`
 #
-# example: admin_execute = ["debug ping puppygock.gay", "debug echo hi"]`
+# example: admin_execute = ["debug ping continuwuity.org", "debug echo
+# hi"]`
 #
 #admin_execute = []
 

docker/Dockerfile

@@ -48,7 +48,7 @@ EOF
 
 # Developer tool versions
 # renovate: datasource=github-releases depName=cargo-bins/cargo-binstall
-ENV BINSTALL_VERSION=1.16.2
+ENV BINSTALL_VERSION=1.16.6
 # renovate: datasource=github-releases depName=psastras/sbom-rs
 ENV CARGO_SBOM_VERSION=0.9.1
 # renovate: datasource=crate depName=lddtree

docker/musl.Dockerfile

@@ -18,7 +18,7 @@ RUN --mount=type=cache,target=/etc/apk/cache apk add \
 
 # Developer tool versions
 # renovate: datasource=github-releases depName=cargo-bins/cargo-binstall
-ENV BINSTALL_VERSION=1.16.2
+ENV BINSTALL_VERSION=1.16.6
 # renovate: datasource=github-releases depName=psastras/sbom-rs
 ENV CARGO_SBOM_VERSION=0.9.1
 # renovate: datasource=crate depName=lddtree

docs/development/contributing.mdx

@@ -149,11 +149,12 @@ ### Creating pull requests
 *looks* done.
 
 Before submitting a pull request, please ensure:
-1. Your code passes all CI checks (formatting, linting, typo detection, etc.)
+1. Your code passes all CI checks (formatting, linting, typo detection, etc.). Run pre-commit for this.
 2. Your code follows the [code style guide](./code_style)
 3. Your commit messages follow the conventional commits format
 4. Tests are added for new functionality
 5. Documentation is updated if needed
+6. You have written a [news fragment](#writing-news-fragments) for your changes
 
 Direct all PRs/MRs to the `main` branch.
 
@@ -171,3 +172,32 @@ ### Creating pull requests
 [sytest]: https://github.com/matrix-org/sytest/
 [mdbook]: https://rust-lang.github.io/mdBook/
 [documentation.yml]: https://forgejo.ellis.link/continuwuation/continuwuity/src/branch/main/.forgejo/workflows/documentation.yml
+
+#### Writing news fragments
+
+In order to make writing our changelogs easier, we make use of [Towncrier]. Towncrier builds changelogs based on
+"news fragments", which are little markdown files in the `changelog.d/` directory that describe individual changes.
+
+When you make a pull request that changes functionality, fixes a bug, or adds documentation, please add a news fragment
+describing your change. The file name *MUST* be in the format of `{pull_request_number}.{type}`, where `{type}` is one
+of the following:
+
+- `feature` - for new features
+- `bugfix` - for bug fixes
+- `doc` - for documentation changes
+- `misc` - for other changes that don't fit the above categories
+
+For example:
+
+```bash
+$ echo "Fixed the quantum flux stabiliser. Contributed by @alice." > changelog.d/42.bugfix
+```
+
+(Note: If you want to credit yourself, you should reference your forgejo handle, however links to other platforms are also acceptable.)
+
+When the next release is made, Towncrier will automatically include your news fragment in the changelog.
+
+You can read more about writing news fragments in the [Towncrier tutorial][tt].
+
+[Towncrier]: https://towncrier.readthedocs.io/
+[tt]: https://towncrier.readthedocs.io/en/stable/tutorial.html#creating-news-fragments

docs/public/.well-known/continuwuity/announcements

@@ -6,10 +6,10 @@
             "message": "Welcome to Continuwuity! Important announcements about the project will appear here."
         },
         {
-            "id": 6,
+            "id": 7,
             "mention_room": true,
-            "date": "2025-12-22",
-            "message": "Continuwuity v0.5.0 has been released. **The release contains a fix for the critical vulnerability [GHSA-22fw-4jq7-g8r8](https://github.com/continuwuity/continuwuity/security/advisories/GHSA-22fw-4jq7-g8r8). Update as soon as possible.**\n\nThis has been *actively exploited* to create fake leave events in the Continuwuity rooms. Please leave and rejoin the rooms to fix any issues this may have caused. \n\n - [Continuwuity (space)](https://matrix.to/#/!PxtzompFuodlyzdCDtV5lzjXs10XIHeOOaq_FYodHyk?via=ellis.link&via=gingershaped.computer&via=continuwuity.org)\n - [Continuwuity](https://matrix.to/#/!kn3VQSLcgWGUFm0FFRid4MinJ_aeZPjHQ0irXbHa3bU?via=ellis.link&via=gingershaped.computer&via=continuwuity.org)\n - [Continuwuity Announcements](https://matrix.to/#/!d7zDZg1Vu5nhkCi50jNfOIObD5fpfGhfl48SZWZek7k?via=ellis.link)\n - [Continuwuity Offtopic](https://matrix.to/#/!QlOomq-suHC9rJHfDFVdbcGg4HS2ojSQ0bo4W2JOGMM?via=ellis.link&via=gingershaped.computer&via=continuwuity.org)\n - [Continuwuity Development](https://matrix.to/#/!aAvealFbgiKTJGzumNbjuwDgt1tOkBKwiyfYqE3ouk0?via=ellis.link&via=explodie.org&via=continuwuity.org)\n"
+            "date": "2025-12-30",
+            "message": "Continuwuity v0.5.1 has been released. **The release contains a fix for the critical vulnerability [GHSA-m5p2-vccg-8c9v](https://github.com/continuwuity/continuwuity/security/advisories/GHSA-m5p2-vccg-8c9v) (embargoed) affecting all Conduit-derived servers. Update as soon as possible.**\n\nThis has been *actively exploited* to attempt account takeover and forge events bricking the Continuwuity rooms. The new space is accessible at [Continuwuity (room list)](https://matrix.to/#/!8cR4g-i9ucof69E4JHNg9LbPVkGprHb3SzcrGBDDJgk?via=continuwuity.org&via=starstruck.systems&via=gingershaped.computer)\n"
         }
     ]
 }

release.toml

@@ -0,0 +1 @@
+tag-message = "chore: Release v{{version}}"

src/api/client/membership/join.rs

@@ -48,7 +48,7 @@
 	},
 };
 
-use super::banned_room_check;
+use super::{banned_room_check, validate_remote_member_event_stub};
 use crate::Ruma;
 
 /// # `POST /_matrix/client/r0/rooms/{roomId}/join`
@@ -837,6 +837,13 @@ async fn join_room_by_id_helper_local(
 			err!(BadServerResponse("Invalid make_join event json received from server: {e:?}"))
 		})?;
 
+	validate_remote_member_event_stub(
+		&MembershipState::Join,
+		sender_user,
+		room_id,
+		&join_event_stub,
+	)?;
+
 	let join_authorized_via_users_server = join_event_stub
 		.get("content")
 		.map(|s| {

src/api/client/membership/knock.rs

@@ -38,7 +38,7 @@
 	},
 };
 
-use super::{banned_room_check, join::join_room_by_id_helper};
+use super::{banned_room_check, join::join_room_by_id_helper, validate_remote_member_event_stub};
 use crate::Ruma;
 
 /// # `POST /_matrix/client/*/knock/{roomIdOrAlias}`
@@ -408,6 +408,13 @@ async fn knock_room_helper_local(
 		err!(BadServerResponse("Invalid make_knock event json received from server: {e:?}"))
 	})?;
 
+	validate_remote_member_event_stub(
+		&MembershipState::Knock,
+		sender_user,
+		room_id,
+		&knock_event_stub,
+	)?;
+
 	knock_event_stub.insert(
 		"origin".to_owned(),
 		CanonicalJsonValue::String(services.globals.server_name().as_str().to_owned()),

src/api/client/membership/leave.rs

@@ -21,6 +21,7 @@
 };
 use service::Services;
 
+use super::validate_remote_member_event_stub;
 use crate::Ruma;
 
 /// # `POST /_matrix/client/v3/rooms/{roomId}/leave`
@@ -324,6 +325,13 @@ pub async fn remote_leave_room<S: ::std::hash::BuildHasher>(
 		)))
 	})?;
 
+	validate_remote_member_event_stub(
+		&MembershipState::Leave,
+		user_id,
+		room_id,
+		&leave_event_stub,
+	)?;
+
 	// TODO: Is origin needed?
 	leave_event_stub.insert(
 		"origin".to_owned(),

src/api/client/membership/mod.rs

@@ -13,7 +13,14 @@
 use axum::extract::State;
 use conduwuit::{Err, Result, warn};
 use futures::{FutureExt, StreamExt};
-use ruma::{OwnedRoomId, RoomId, ServerName, UserId, api::client::membership::joined_rooms};
+use ruma::{
+	CanonicalJsonObject, OwnedRoomId, RoomId, ServerName, UserId,
+	api::client::membership::joined_rooms,
+	events::{
+		StaticEventContent,
+		room::member::{MembershipState, RoomMemberEventContent},
+	},
+};
 use service::Services;
 
 pub(crate) use self::{
@@ -153,3 +160,80 @@ pub(crate) async fn banned_room_check(
 
 	Ok(())
 }
+
+/// Validates that an event returned from a remote server by `/make_*`
+/// actually is a membership event with the expected fields.
+///
+/// Without checking this, the remote server could use the remote membership
+/// mechanism to trick our server into signing arbitrary malicious events.
+pub(crate) fn validate_remote_member_event_stub(
+	membership: &MembershipState,
+	user_id: &UserId,
+	room_id: &RoomId,
+	event_stub: &CanonicalJsonObject,
+) -> Result<()> {
+	let Some(event_type) = event_stub.get("type") else {
+		return Err!(BadServerResponse(
+			"Remote server returned member event with missing type field"
+		));
+	};
+	if event_type != &RoomMemberEventContent::TYPE {
+		return Err!(BadServerResponse(
+			"Remote server returned member event with invalid event type"
+		));
+	}
+
+	let Some(sender) = event_stub.get("sender") else {
+		return Err!(BadServerResponse(
+			"Remote server returned member event with missing sender field"
+		));
+	};
+	if sender != &user_id.as_str() {
+		return Err!(BadServerResponse(
+			"Remote server returned member event with incorrect sender"
+		));
+	}
+
+	let Some(state_key) = event_stub.get("state_key") else {
+		return Err!(BadServerResponse(
+			"Remote server returned member event with missing state_key field"
+		));
+	};
+	if state_key != &user_id.as_str() {
+		return Err!(BadServerResponse(
+			"Remote server returned member event with incorrect state_key"
+		));
+	}
+
+	let Some(event_room_id) = event_stub.get("room_id") else {
+		return Err!(BadServerResponse(
+			"Remote server returned member event with missing room_id field"
+		));
+	};
+	if event_room_id != &room_id.as_str() {
+		return Err!(BadServerResponse(
+			"Remote server returned member event with incorrect room_id"
+		));
+	}
+
+	let Some(content) = event_stub
+		.get("content")
+		.and_then(|content| content.as_object())
+	else {
+		return Err!(BadServerResponse(
+			"Remote server returned member event with missing content field"
+		));
+	};
+	let Some(event_membership) = content.get("membership") else {
+		return Err!(BadServerResponse(
+			"Remote server returned member event with missing membership field"
+		));
+	};
+	if event_membership != &membership.as_str() {
+		return Err!(BadServerResponse(
+			"Remote server returned member event with incorrect room_id"
+		));
+	}
+
+	Ok(())
+}

src/core/config/mod.rs

@@ -69,8 +69,8 @@ pub struct Config {
 	/// Also see the `[global.well_known]` config section at the very bottom.
 	///
 	/// Examples of delegation:
-	/// - https://puppygock.gay/.well-known/matrix/server
-	/// - https://puppygock.gay/.well-known/matrix/client
+	/// - https://continuwuity.org/.well-known/matrix/server
+	/// - https://continuwuity.org/.well-known/matrix/client
 	///
 	/// YOU NEED TO EDIT THIS. THIS CANNOT BE CHANGED AFTER WITHOUT A DATABASE
 	/// WIPE.
@@ -737,6 +737,13 @@ pub struct Config {
 	#[serde(default = "default_otlp_filter", alias = "jaeger_filter")]
 	pub otlp_filter: String,
 
+	/// Protocol to use for OTLP tracing export. Options are "http" or "grpc".
+	/// The HTTP protocol uses port 4318 by default, while gRPC uses port 4317.
+	///
+	/// default: "http"
+	#[serde(default = "default_otlp_protocol")]
+	pub otlp_protocol: String,
+
 	/// If the 'perf_measurements' compile-time feature is enabled, enables
 	/// collecting folded stack trace profile of tracing spans using
 	/// tracing_flame. The resulting profile can be visualized with inferno[1],
@@ -1752,7 +1759,7 @@ pub struct Config {
 	/// a normal continuwuity admin command. The reply will be publicly visible
 	/// to the room, originating from the sender.
 	///
-	/// example: \\!admin debug ping puppygock.gay
+	/// example: \\!admin debug ping continuwuity.org
 	#[serde(default = "true_fn")]
 	pub admin_escape_commands: bool,
 
@@ -1770,7 +1777,8 @@ pub struct Config {
 	/// For example: `./continuwuity --execute "server admin-notice continuwuity
 	/// has started up at $(date)"`
 	///
-	/// example: admin_execute = ["debug ping puppygock.gay", "debug echo hi"]`
+	/// example: admin_execute = ["debug ping continuwuity.org", "debug echo
+	/// hi"]`
 	///
 	/// default: []
 	#[serde(default)]
@@ -2418,6 +2426,8 @@ fn default_otlp_filter() -> String {
 		.to_owned()
 }
 
+fn default_otlp_protocol() -> String { "http".to_owned() }
+
 fn default_tracing_flame_output_path() -> String { "./tracing.folded".to_owned() }
 
 fn default_trusted_servers() -> Vec<OwnedServerName> {

src/core/matrix/state_res/event_auth.rs

@@ -558,12 +558,19 @@ pub async fn auth_check<E, F, Fut>(
 	// If type is m.room.power_levels
 	if *incoming_event.event_type() == TimelineEventType::RoomPowerLevels {
 		debug!("starting m.room.power_levels check");
-
+		let mut creators = BTreeSet::new();
+		if room_version.explicitly_privilege_room_creators {
+			creators.insert(create_event.sender().to_owned());
+			for creator in room_create_content.additional_creators.iter().flatten() {
+				creators.insert(creator.deserialize()?);
+			}
+		}
 		match check_power_levels(
 			room_version,
 			incoming_event,
 			power_levels_event.as_ref(),
 			sender_power_level,
+			&creators,
 		) {
 			| Some(required_pwr_lvl) =>
 				if !required_pwr_lvl {
@@ -1221,8 +1228,8 @@ fn check_power_levels(
 	power_event: &impl Event,
 	previous_power_event: Option<&impl Event>,
 	user_level: Int,
+	creators: &BTreeSet<OwnedUserId>,
 ) -> Option<bool> {
-	// TODO(hydra): This function does not care about creators!
 	match power_event.state_key() {
 		| Some("") => {},
 		| Some(key) => {
@@ -1287,6 +1294,10 @@ fn check_power_levels(
 	for user in user_levels_to_check {
 		let old_level = old_state.users.get(user);
 		let new_level = new_state.users.get(user);
+		if new_level.is_some() && creators.contains(user) {
+			warn!("creators cannot appear in the users list of m.room.power_levels");
+			return Some(false); // cannot alter creator power level
+		}
 		if old_level.is_some() && new_level.is_some() && old_level == new_level {
 			continue;
 		}

src/main/Cargo.toml

@@ -63,15 +63,16 @@ standard = [
 	"systemd",
 	"url_preview",
 	"zstd_compression",
-    "sentry_telemetry"
+    "sentry_telemetry",
+    "otlp_telemetry",
+	"console",
 ]
 full = [
     "standard",
     # "hardened_malloc", # Conflicts with jemalloc
     "jemalloc_prof",
     "perf_measurements",
-    "tokio_console"
-    # sentry_telemetry
+    "tokio_console",
 ]
 
 blurhashing = [
@@ -124,12 +125,15 @@ ldap = [
 media_thumbnail = [
 	"conduwuit-service/media_thumbnail",
 ]
-perf_measurements = [
+otlp_telemetry = [
 	"dep:opentelemetry",
-	"dep:tracing-flame",
 	"dep:tracing-opentelemetry",
 	"dep:opentelemetry_sdk",
 	"dep:opentelemetry-otlp",
+]
+perf_measurements = [
+	"dep:tracing-flame",
+	"otlp_telemetry",
 	"conduwuit-core/perf_measurements",
 	"conduwuit-core/sentry_telemetry",
 ]

src/main/logging.rs

@@ -7,8 +7,10 @@
 	log::{ConsoleFormat, ConsoleWriter, LogLevelReloadHandles, capture, fmt_span},
 	result::UnwrapOrErr,
 };
-#[cfg(feature = "perf_measurements")]
+#[cfg(feature = "otlp_telemetry")]
 use opentelemetry::trace::TracerProvider;
+#[cfg(feature = "otlp_telemetry")]
+use opentelemetry_otlp::WithExportConfig;
 use tracing_subscriber::{EnvFilter, Layer, Registry, fmt, layer::SubscriberExt, reload};
 
 #[cfg(feature = "perf_measurements")]
@@ -70,6 +72,57 @@ pub(crate) fn init(
 		subscriber.with(sentry_layer.with_filter(sentry_reload_filter))
 	};
 
+	#[cfg(feature = "otlp_telemetry")]
+	let subscriber = {
+		let otlp_filter = EnvFilter::try_new(&config.otlp_filter)
+			.map_err(|e| err!(Config("otlp_filter", "{e}.")))?;
+
+		let otlp_layer = config.allow_otlp.then(|| {
+			opentelemetry::global::set_text_map_propagator(
+				opentelemetry_sdk::propagation::TraceContextPropagator::new(),
+			);
+
+			let exporter = match config.otlp_protocol.as_str() {
+				| "grpc" => opentelemetry_otlp::SpanExporter::builder()
+					.with_tonic()
+					.with_protocol(opentelemetry_otlp::Protocol::Grpc)
+					.build()
+					.expect("Failed to create OTLP gRPC exporter"),
+				| "http" => opentelemetry_otlp::SpanExporter::builder()
+					.with_http()
+					.build()
+					.expect("Failed to create OTLP HTTP exporter"),
+				| protocol => {
+					debug_warn!(
+						"Invalid OTLP protocol '{}', falling back to HTTP. Valid options are \
+						 'http' or 'grpc'.",
+						protocol
+					);
+					opentelemetry_otlp::SpanExporter::builder()
+						.with_http()
+						.build()
+						.expect("Failed to create OTLP HTTP exporter")
+				},
+			};
+
+			let provider = opentelemetry_sdk::trace::SdkTracerProvider::builder()
+				.with_batch_exporter(exporter)
+				.build();
+
+			let tracer = provider.tracer(conduwuit_core::name());
+
+			let telemetry = tracing_opentelemetry::layer().with_tracer(tracer);
+
+			let (otlp_reload_filter, otlp_reload_handle) =
+				reload::Layer::new(otlp_filter.clone());
+			reload_handles.add("otlp", Box::new(otlp_reload_handle));
+
+			Some(telemetry.with_filter(otlp_reload_filter))
+		});
+
+		subscriber.with(otlp_layer)
+	};
+
 	#[cfg(feature = "perf_measurements")]
 	let (subscriber, flame_guard) = {
 		let (flame_layer, flame_guard) = if config.tracing_flame {
@@ -89,35 +142,7 @@ pub(crate) fn init(
 			(None, None)
 		};
 
-		let otlp_filter = EnvFilter::try_new(&config.otlp_filter)
-			.map_err(|e| err!(Config("otlp_filter", "{e}.")))?;
-
-		let otlp_layer = config.allow_otlp.then(|| {
-			opentelemetry::global::set_text_map_propagator(
-				opentelemetry_sdk::propagation::TraceContextPropagator::new(),
-			);
-
-			let exporter = opentelemetry_otlp::SpanExporter::builder()
-				.with_http()
-				.build()
-				.expect("Failed to create OTLP exporter");
-
-			let provider = opentelemetry_sdk::trace::SdkTracerProvider::builder()
-				.with_batch_exporter(exporter)
-				.build();
-
-			let tracer = provider.tracer(conduwuit_core::name());
-
-			let telemetry = tracing_opentelemetry::layer().with_tracer(tracer);
-
-			let (otlp_reload_filter, otlp_reload_handle) =
-				reload::Layer::new(otlp_filter.clone());
-			reload_handles.add("otlp", Box::new(otlp_reload_handle));
-
-			Some(telemetry.with_filter(otlp_reload_filter))
-		});
-
-		let subscriber = subscriber.with(flame_layer).with(otlp_layer);
+		let subscriber = subscriber.with(flame_layer);
 		(subscriber, flame_guard)
 	};
 

towncrier.toml

@@ -0,0 +1,4 @@
+[tool.towncrier]
+name = "Continuwuity"
+directory = "changelog.d"
+filename = "CHANGELOG.md"