fix: Fix registration_terms default in example config

.envrc

@@ -2,7 +2,7 @@
 
 dotenv_if_exists
 
-if command -v nix >/dev/null 2>&1; then
+if [ -f /etc/os-release ] && grep -q '^ID=nixos' /etc/os-release; then
     use flake ".#${DIRENV_DEVSHELL:-default}"
 fi
 

.forgejo/actions/create-docker-manifest/action.yml

@@ -44,7 +44,7 @@ runs:
 
     - name: Login to builtin registry
       if: ${{ env.BUILTIN_REGISTRY_ENABLED == 'true' }}
-      uses: docker/login-action@4907a6ddec9925e35a0a9e82d7399ccc52663121 # v4
+      uses: docker/login-action@v4
       with:
         registry: ${{ env.BUILTIN_REGISTRY }}
         username: ${{ inputs.registry_user }}
@@ -52,7 +52,7 @@ runs:
 
     - name: Set up Docker Buildx
       if: ${{ env.BUILTIN_REGISTRY_ENABLED == 'true' }}
-      uses: docker/setup-buildx-action@4d04d5d9486b7bd6fa91e7baf45bbb4f8b9deedd # v4
+      uses: docker/setup-buildx-action@v4
       with:
         # Use persistent BuildKit if BUILDKIT_ENDPOINT is set (e.g. tcp://buildkit:8125)
         driver: ${{ env.BUILDKIT_ENDPOINT != '' && 'remote' || 'docker-container' }}
@@ -61,7 +61,7 @@ runs:
     - name: Extract metadata (tags) for Docker
       if: ${{ env.BUILTIN_REGISTRY_ENABLED == 'true' }}
       id: meta
-      uses: docker/metadata-action@030e881283bb7a6894de51c315a6bfe6a94e05cf # v6
+      uses: docker/metadata-action@v6
       with:
         flavor: |
           latest=auto

.forgejo/actions/prepare-docker-build/action.yml

@@ -67,7 +67,7 @@ runs:
       uses: ./.forgejo/actions/rust-toolchain
 
     - name: Set up Docker Buildx
-      uses: docker/setup-buildx-action@4d04d5d9486b7bd6fa91e7baf45bbb4f8b9deedd # v4
+      uses: docker/setup-buildx-action@v4
       with:
         # Use persistent BuildKit if BUILDKIT_ENDPOINT is set (e.g. tcp://buildkit:8125)
         driver: ${{ env.BUILDKIT_ENDPOINT != '' && 'remote' || 'docker-container' }}
@@ -75,11 +75,11 @@ runs:
 
     - name: Set up QEMU
       if: ${{ env.BUILDKIT_ENDPOINT == '' }}
-      uses: docker/setup-qemu-action@ce360397dd3f832beb865e1373c09c0e9f86d70a # v4
+      uses: docker/setup-qemu-action@v4
 
     - name: Login to builtin registry
       if: ${{ env.BUILTIN_REGISTRY_ENABLED == 'true' }}
-      uses: docker/login-action@4907a6ddec9925e35a0a9e82d7399ccc52663121 # v4
+      uses: docker/login-action@v4
       with:
         registry: ${{ env.BUILTIN_REGISTRY }}
         username: ${{ inputs.registry_user }}
@@ -87,7 +87,7 @@ runs:
 
     - name: Extract metadata (labels, annotations) for Docker
       id: meta
-      uses: docker/metadata-action@030e881283bb7a6894de51c315a6bfe6a94e05cf # v6
+      uses: docker/metadata-action@v6
       with:
         images: ${{ inputs.images }}
         # default labels & annotations: https://github.com/docker/metadata-action/blob/master/src/meta.ts#L509
@@ -111,3 +111,59 @@ runs:
 
     - uses: ./.forgejo/actions/timelord
       id: timelord
+
+    - name: Cache Rust registry
+      if: ${{ env.BUILDKIT_ENDPOINT == '' }}
+      uses: actions/cache@v3
+      with:
+        path: |
+          .cargo/git
+          .cargo/git/checkouts
+          .cargo/registry
+          .cargo/registry/src
+        key: continuwuity-rust-registry-image-${{hashFiles('**/Cargo.lock') }}
+
+    - name: Cache cargo target
+      if: ${{ env.BUILDKIT_ENDPOINT == '' }}
+      id: cache-cargo-target
+      uses: actions/cache@v3
+      with:
+        path: |
+          cargo-target${{ env.CPU_SUFFIX }}-${{ inputs.slug }}-${{ inputs.profile }}
+        key: continuwuity-cargo-target${{ env.CPU_SUFFIX }}-${{ inputs.slug }}-${{ inputs.profile }}-${{hashFiles('**/Cargo.lock') }}-${{steps.rust-toolchain.outputs.rustc_version}}
+
+    - name: Cache apt cache
+      if: ${{ env.BUILDKIT_ENDPOINT == '' }}
+      id: cache-apt
+      uses: actions/cache@v3
+      with:
+        path: |
+          var-cache-apt-${{ inputs.slug }}
+        key: continuwuity-var-cache-apt-${{ inputs.slug }}
+
+    - name: Cache apt lib
+      if: ${{ env.BUILDKIT_ENDPOINT == '' }}
+      id: cache-apt-lib
+      uses: actions/cache@v3
+      with:
+        path: |
+          var-lib-apt-${{ inputs.slug }}
+        key: continuwuity-var-lib-apt-${{ inputs.slug }}
+
+    - name: inject cache into docker
+      if: ${{ env.BUILDKIT_ENDPOINT == '' }}
+      uses: https://github.com/reproducible-containers/buildkit-cache-dance@v3.3.2
+      with:
+        cache-map: |
+          {
+            ".cargo/registry": "/usr/local/cargo/registry",
+            ".cargo/git/db": "/usr/local/cargo/git/db",
+            "cargo-target${{ env.CPU_SUFFIX }}-${{ inputs.slug }}-${{ inputs.profile }}": {
+              "target": "/app/target",
+              "id": "cargo-target${{ env.CPU_SUFFIX }}-${{ inputs.slug }}-${{ inputs.profile }}"
+            },
+            "var-cache-apt-${{ inputs.slug }}": "/var/cache/apt",
+            "var-lib-apt-${{ inputs.slug }}": "/var/lib/apt",
+            "${{ steps.timelord.outputs.database-path }}":"/timelord"
+          }
+        skip-extraction: ${{ steps.cache.outputs.cache-hit }}

.forgejo/actions/rust-toolchain/action.yml

@@ -33,7 +33,7 @@ runs:
         echo "version=$(rustup --version)" >> $GITHUB_OUTPUT
     - name: Cache rustup toolchains
       if: steps.rustup-version.outputs.version == ''
-      uses: actions/cache@6f8efc29b200d32929f49075959781ed54ec270c # v3
+      uses: actions/cache@v3
       with:
         path: |
           ~/.rustup

.forgejo/actions/sccache/action.yml

@@ -9,7 +9,7 @@ runs:
   - name: Install sccache
     uses: https://git.tomfos.tr/tom/sccache-action@v1
   - name: Configure sccache
-    uses: https://github.com/actions/github-script@3a2844b7e9c422d3c10d287c895573f7108da1b3 # v9
+    uses: https://github.com/actions/github-script@v8
     with:
       script: |
         core.exportVariable('ACTIONS_RESULTS_URL', process.env.ACTIONS_RESULTS_URL || '');

.forgejo/actions/setup-llvm-with-apt/action.yml

@@ -57,7 +57,7 @@ runs:
 
     - name: Check for LLVM cache
       id: cache
-      uses: actions/cache@0057852bfaa89a56745cba8c7296529d2fc39830 # v4
+      uses: actions/cache@v4
       with:
         path: |
           /usr/bin/clang-*
@@ -120,7 +120,7 @@ runs:
 
     - name: Install additional packages
       if: inputs.extra-packages != ''
-      uses: https://github.com/awalsh128/cache-apt-pkgs-action@2c09a5e66da6c8016428a2172bd76e5e4f14bb17 # latest
+      uses: https://github.com/awalsh128/cache-apt-pkgs-action@latest
       with:
         packages: ${{ inputs.extra-packages }}
         version: 1.0

.forgejo/actions/setup-rust/action.yml

@@ -65,7 +65,7 @@ runs:
 
     - name: Cache toolchain binaries
       id: toolchain-cache
-      uses: actions/cache@0057852bfaa89a56745cba8c7296529d2fc39830 # v4
+      uses: actions/cache@v4
       with:
         path: |
           .cargo/bin
@@ -76,7 +76,7 @@ runs:
 
     - name: Cache Cargo registry and git
       id: registry-cache
-      uses: actions/cache@0057852bfaa89a56745cba8c7296529d2fc39830 # v4
+      uses: actions/cache@v4
       with:
         path: |
           .cargo/registry/index
@@ -149,6 +149,37 @@ runs:
     - name: Setup sccache
       uses: https://git.tomfos.tr/tom/sccache-action@v1
 
+    - name: Cache dependencies
+      id: deps-cache
+      uses: actions/cache@v4
+      with:
+        path: |
+          target/**/.fingerprint
+          target/**/deps
+          target/**/*.d
+          target/**/.cargo-lock
+          target/**/CACHEDIR.TAG
+          target/**/.rustc_info.json
+          /timelord/
+        # Dependencies cache - based on Cargo.lock, survives source code changes
+        key: >-
+          continuwuity-deps-${{ steps.runner-os.outputs.slug }}-${{ steps.runner-os.outputs.arch }}-${{ steps.rust-setup.outputs.version }}${{ inputs.cache-key-suffix && format('-{0}', inputs.cache-key-suffix) || '' }}-${{ hashFiles('rust-toolchain.toml', '**/Cargo.lock') }}
+        restore-keys: |
+          continuwuity-deps-${{ steps.runner-os.outputs.slug }}-${{ steps.runner-os.outputs.arch }}-${{ steps.rust-setup.outputs.version }}${{ inputs.cache-key-suffix && format('-{0}', inputs.cache-key-suffix) || '' }}-
+
+    - name: Cache incremental compilation
+      id: incremental-cache
+      uses: actions/cache@v4
+      with:
+        path: |
+          target/**/incremental
+        # Incremental cache - based on source code changes
+        key: >-
+          continuwuity-incremental-${{ steps.runner-os.outputs.slug }}-${{ steps.runner-os.outputs.arch }}-${{ steps.rust-setup.outputs.version }}${{ inputs.cache-key-suffix && format('-{0}', inputs.cache-key-suffix) || '' }}-${{ hashFiles('rust-toolchain.toml', '**/Cargo.lock') }}-${{ hashFiles('**/*.rs', '**/Cargo.toml') }}
+        restore-keys: |
+          continuwuity-incremental-${{ steps.runner-os.outputs.slug }}-${{ steps.runner-os.outputs.arch }}-${{ steps.rust-setup.outputs.version }}${{ inputs.cache-key-suffix && format('-{0}', inputs.cache-key-suffix) || '' }}-${{ hashFiles('rust-toolchain.toml', '**/Cargo.lock') }}-
+          continuwuity-incremental-${{ steps.runner-os.outputs.slug }}-${{ steps.runner-os.outputs.arch }}-${{ steps.rust-setup.outputs.version }}${{ inputs.cache-key-suffix && format('-{0}', inputs.cache-key-suffix) || '' }}-
+
     - name: End build cache restore group
       shell: bash
       run: echo "::endgroup::"

.forgejo/actions/timelord/action.yml

@@ -31,7 +31,7 @@ runs:
 
     - name: Restore binary cache
       id: binary-cache
-      uses: actions/cache/restore@0057852bfaa89a56745cba8c7296529d2fc39830 # v4
+      uses: actions/cache/restore@v4
       with:
         path: |
           /usr/share/rust/.cargo/bin
@@ -71,13 +71,13 @@ runs:
 
     - name: Install timelord-cli and git-warp-time
       if: steps.check-binaries.outputs.need-install == 'true'
-      uses: https://github.com/taiki-e/install-action@d0f23220b09a75c6db730f13bb37c4f8144b4382 # v2
+      uses: https://github.com/taiki-e/install-action@v2
       with:
         tool: git-warp-time,timelord-cli@3.0.1
 
     - name: Save binary cache
       if: steps.check-binaries.outputs.need-install == 'true'
-      uses: actions/cache/save@0057852bfaa89a56745cba8c7296529d2fc39830 # v4
+      uses: actions/cache/save@v4
       with:
         path: |
           /usr/share/rust/.cargo/bin
@@ -87,7 +87,7 @@ runs:
 
     - name: Restore timelord cache with fallbacks
       id: timelord-restore
-      uses: actions/cache/restore@0057852bfaa89a56745cba8c7296529d2fc39830 # v4
+      uses: actions/cache/restore@v4
       with:
         path: ${{ env.TIMELORD_CACHE_PATH }}
         key: ${{ env.TIMELORD_KEY }}
@@ -114,7 +114,7 @@ runs:
         timelord sync --source-dir ${{ env.TIMELORD_PATH }} --cache-dir ${{ env.TIMELORD_CACHE_PATH }}
 
     - name: Save updated timelord cache immediately
-      uses: actions/cache/save@0057852bfaa89a56745cba8c7296529d2fc39830 # v4
+      uses: actions/cache/save@v4
       with:
         path: ${{ env.TIMELORD_CACHE_PATH }}
         key: ${{ env.TIMELORD_KEY }}

.forgejo/workflows/build-debian.yml

@@ -54,13 +54,13 @@ jobs:
           fi
 
       - name: Checkout repository with full history
-        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
+        uses: actions/checkout@v6
         with:
           fetch-depth: 0
           ref: ${{ github.ref_name }}
 
       - name: Cache Cargo registry
-        uses: actions/cache@0057852bfaa89a56745cba8c7296529d2fc39830 # v4
+        uses: actions/cache@v4
         with:
           path: |
             ~/.cargo/registry

.forgejo/workflows/build-fedora.yml

@@ -30,14 +30,14 @@ jobs:
           echo "Fedora version: $VERSION"
 
       - name: Checkout repository with full history
-        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
+        uses: actions/checkout@v6
         with:
           fetch-depth: 0
           ref: ${{ github.ref_name }}
 
 
       - name: Cache DNF packages
-        uses: actions/cache@0057852bfaa89a56745cba8c7296529d2fc39830 # v4
+        uses: actions/cache@v4
         with:
           path: |
             /var/cache/dnf
@@ -47,7 +47,7 @@ jobs:
             dnf-fedora${{ steps.fedora.outputs.version }}-
 
       - name: Cache Cargo registry
-        uses: actions/cache@0057852bfaa89a56745cba8c7296529d2fc39830 # v4
+        uses: actions/cache@v4
         with:
           path: |
             ~/.cargo/registry
@@ -57,7 +57,7 @@ jobs:
             cargo-fedora${{ steps.fedora.outputs.version }}-
 
       - name: Cache Rust build dependencies
-        uses: actions/cache@0057852bfaa89a56745cba8c7296529d2fc39830 # v4
+        uses: actions/cache@v4
         with:
           path: |
             ~/rpmbuild/BUILD/*/target/release/deps

.forgejo/workflows/check-changelog.yml

@@ -1,8 +1,8 @@
-name: Checks / Changelog
+name: Check Changelog
 
 on:
   pull_request_target:
-    types: [opened, synchronize, reopened, ready_for_review, labeled, unlabeled]
+    types: [opened, synchronize, reopened, ready_for_review]
 
 
 concurrency:
@@ -16,11 +16,11 @@ permissions:
 
 jobs:
   check-changelog:
-    name: Check changelog is added
+    name: Check for changelog
     runs-on: ubuntu-latest
     steps:
       - name: Checkout repository
-        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
+        uses: actions/checkout@v6
         with:
           ref: ${{ github.event.pull_request.head.sha }}
           fetch-depth: 0
@@ -33,9 +33,9 @@ jobs:
           git fetch origin ${GITHUB_BASE_REF}
 
           # Check for Added (A) or Modified (M) files in changelog.d
-          CHANGELOG_CHANGES=$(git diff --name-status origin/${GITHUB_BASE_REF}...HEAD -- changelog.d/)
+          CHANGELOG_CHANGES=$(git diff --name-status origin/${GITHUB_BASE_REF} HEAD -- changelog.d/)
 
-          SRC_CHANGES=$(git diff --name-status origin/${GITHUB_BASE_REF}...HEAD -- src/)
+          SRC_CHANGES=$(git diff --name-status origin/${GITHUB_BASE_REF} HEAD -- src/)
 
           echo "Changes in changelog.d/:"
           echo "$CHANGELOG_CHANGES"
@@ -54,8 +54,8 @@ jobs:
             echo "src_changed=false" >> $GITHUB_OUTPUT
           fi
 
-      - name: Manage PR Labels
-        uses: https://github.com/actions/github-script@3a2844b7e9c422d3c10d287c895573f7108da1b3 # v9
+      - name: Manage PR Comment
+        uses: https://github.com/actions/github-script@v8
         env:
           HAS_CHANGELOG: ${{ steps.check_files.outputs.has_changelog }}
           SRC_CHANGED: ${{ steps.check_files.outputs.src_changed }}
@@ -63,37 +63,41 @@ jobs:
           script: |
             const hasChangelog = process.env.HAS_CHANGELOG === 'true';
             const srcChanged = process.env.SRC_CHANGED === 'true';
+            const commentSignature = '<!-- changelog-check-action -->';
+            const commentBody = `${commentSignature}\nPlease add a changelog fragment to \`changelog.d/\` describing your changes.`;
 
-            const { data: pullRequest } = await github.rest.pulls.get({
+            const { data: currentUser } = await github.rest.users.getAuthenticated();
+
+            const { data: comments } = await github.rest.issues.listComments({
               owner: context.repo.owner,
               repo: context.repo.repo,
-              pull_number: context.issue.number,
+              issue_number: context.issue.number,
             });
 
-            const currentLabels = pullRequest.labels.map(l => l.name);
+            const botComment = comments.find(comment =>
+              comment.user.id === currentUser.id &&
+              comment.body.includes(commentSignature)
+            );
 
-            if (hasChangelog) {
-              console.log('PR has changelog');
-              await github.rest.issues.addLabels({
-                owner: context.repo.owner,
-                repo: context.repo.repo,
-                issue_number: context.issue.number,
-                labels: ['Changelog/Added'],
-              });
-            } else if (currentLabels.includes('Changelog/None')) {
-              console.log('PR has Changelog/None label, skipping.');
-            } else if (srcChanged) {
-              console.log('PR is missing changelog');
-              await github.rest.issues.addLabels({
-                owner: context.repo.owner,
-                repo: context.repo.repo,
-                issue_number: context.issue.number,
-                labels: ['Changelog/Missing'],
-              });
-              core.setFailed("Missing changelog entry (detected)");
-            } else if (currentLabels.includes('Changelog/Missing')) {
-              core.setFailed("Missing changelog entry (label)");
+            const shouldWarn = srcChanged && !hasChangelog;
+
+            if (!shouldWarn) {
+              if (botComment) {
+                console.log('Changelog found or not required. Deleting existing warning comment.');
+                await github.rest.issues.deleteComment({
+                  owner: context.repo.owner,
+                  repo: context.repo.repo,
+                  comment_id: botComment.id,
+                });
+              }
             } else {
-              console.log('Changelog not needed');
-              // Changelog is probably not needed
+              if (!botComment) {
+                console.log('Changelog missing and required. Creating warning comment.');
+                await github.rest.issues.createComment({
+                  owner: context.repo.owner,
+                  repo: context.repo.repo,
+                  issue_number: context.issue.number,
+                  body: commentBody,
+                });
+              }
             }

.forgejo/workflows/documentation.yml

@@ -21,7 +21,7 @@ jobs:
 
     steps:
       - name: Sync repository
-        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
+        uses: actions/checkout@v6
         with:
           persist-credentials: false
           fetch-depth: 0
@@ -32,12 +32,12 @@ jobs:
 
       - name: Setup Node.js
         if: steps.runner-env.outputs.node_major == '' || steps.runner-env.outputs.node_major < '20'
-        uses: https://github.com/actions/setup-node@53b83947a5a98c8d113130e565377fae1a50d02f # v6
+        uses: https://github.com/actions/setup-node@v6
         with:
           node-version: 22
 
       - name: Cache npm dependencies
-        uses: actions/cache@6f8efc29b200d32929f49075959781ed54ec270c # v3
+        uses: actions/cache@v3
         with:
           path: ~/.npm
           key: continuwuity-rspress-${{ steps.runner-env.outputs.slug }}-${{ steps.runner-env.outputs.arch }}-node-${{ steps.runner-env.outputs.node_version }}-${{ hashFiles('package-lock.json') }}
@@ -56,7 +56,7 @@ jobs:
 
       - name: Deploy to Cloudflare Pages (Production)
         if: github.ref == 'refs/heads/main' && vars.CLOUDFLARE_PROJECT_NAME != ''
-        uses: https://github.com/cloudflare/wrangler-action@da0e0dfe58b7a431659754fdf3f186c529afbe65 # v3
+        uses: https://github.com/cloudflare/wrangler-action@v3
         with:
           accountId: ${{ secrets.CLOUDFLARE_ACCOUNT_ID }}
           apiToken: ${{ secrets.CLOUDFLARE_API_TOKEN }}
@@ -64,7 +64,7 @@ jobs:
 
       - name: Deploy to Cloudflare Pages (Preview)
         if: github.ref != 'refs/heads/main' && vars.CLOUDFLARE_PROJECT_NAME != ''
-        uses: https://github.com/cloudflare/wrangler-action@da0e0dfe58b7a431659754fdf3f186c529afbe65 # v3
+        uses: https://github.com/cloudflare/wrangler-action@v3
         with:
           accountId: ${{ secrets.CLOUDFLARE_ACCOUNT_ID }}
           apiToken: ${{ secrets.CLOUDFLARE_API_TOKEN }}

.forgejo/workflows/element.yml

@@ -24,7 +24,7 @@ jobs:
 
     steps:
       - name: 📦 Setup Node.js
-        uses: https://github.com/actions/setup-node@53b83947a5a98c8d113130e565377fae1a50d02f # v6
+        uses: https://github.com/actions/setup-node@v6
         with:
           node-version: "22"
 
@@ -121,7 +121,7 @@ jobs:
       - name: 🚀 Deploy to Cloudflare Pages
         if: vars.CLOUDFLARE_PROJECT_NAME != ''
         id: deploy
-        uses: https://github.com/cloudflare/wrangler-action@da0e0dfe58b7a431659754fdf3f186c529afbe65 # v3
+        uses: https://github.com/cloudflare/wrangler-action@v3
         with:
           accountId: ${{ secrets.CLOUDFLARE_ACCOUNT_ID }}
           apiToken: ${{ secrets.CLOUDFLARE_API_TOKEN }}

.forgejo/workflows/mirror-images.yml

@@ -2,11 +2,8 @@ name: Mirror Container Images
 
 on:
   schedule:
-    # Run nightly
-    - cron: "25 2 * * *"
-
-  workflow_call:
-
+    # Run every 2 hours
+    - cron: "0 */2 * * *"
   workflow_dispatch:
     inputs:
       dry_run:
@@ -41,7 +38,7 @@ jobs:
       DOCKER_MIRROR_TOKEN: ${{ secrets.DOCKER_MIRROR_TOKEN }}
     steps:
       - name: Checkout repository
-        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
+        uses: actions/checkout@v6
         with:
           persist-credentials: false
 
@@ -54,8 +51,10 @@ jobs:
       #     owner: continuwuity
       #     repositories: continuwuity
 
-      - name: Install regsync
-        uses: https://github.com/regclient/actions/regsync-installer@f3c6d87835906c175eb6ccfc18b348b69bb447e7 # main
+      - name: Install regctl
+        uses: https://forgejo.ellis.link/continuwuation/regclient-actions/regctl-installer@main
+        with:
+          binary: regsync
 
       - name: Check what images need mirroring
         run: |

.forgejo/workflows/prek-checks.yml

@@ -16,7 +16,7 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - name: Checkout repository
-        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
+        uses: actions/checkout@v6
         with:
           persist-credentials: false
 
@@ -47,7 +47,7 @@ jobs:
 
     steps:
       - name: Checkout repository
-        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
+        uses: actions/checkout@v6
         with:
           persist-credentials: false
 

.forgejo/workflows/release-image.yml

@@ -43,7 +43,7 @@ jobs:
 
     steps:
       - name: Checkout repository
-        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
+        uses: actions/checkout@v6
         with:
           persist-credentials: false
       - name: Prepare Docker build environment
@@ -59,7 +59,7 @@ jobs:
           registry_password: ${{ secrets.BUILTIN_REGISTRY_PASSWORD || secrets.GITHUB_TOKEN }}
       - name: Build and push Docker image by digest
         id: build
-        uses: docker/build-push-action@bcafcacb16a39f128d818304e6c9c0c18556b85f # v7
+        uses: docker/build-push-action@v7
         with:
           context: .
           file: "docker/Dockerfile"
@@ -97,7 +97,7 @@ jobs:
     needs: build-release
     steps:
       - name: Checkout repository
-        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
+        uses: actions/checkout@v6
         with:
           persist-credentials: false
       - name: Create multi-platform manifest
@@ -130,7 +130,7 @@ jobs:
 
     steps:
       - name: Checkout repository
-        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
+        uses: actions/checkout@v6
         with:
           persist-credentials: false
       - name: Prepare max-perf Docker build environment
@@ -146,7 +146,7 @@ jobs:
           registry_password: ${{ secrets.BUILTIN_REGISTRY_PASSWORD || secrets.GITHUB_TOKEN }}
       - name: Build and push max-perf Docker image by digest
         id: build
-        uses: docker/build-push-action@bcafcacb16a39f128d818304e6c9c0c18556b85f # v7
+        uses: docker/build-push-action@v7
         with:
           context: .
           file: "docker/Dockerfile"
@@ -184,7 +184,7 @@ jobs:
     needs: build-maxperf
     steps:
       - name: Checkout repository
-        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
+        uses: actions/checkout@v6
         with:
           persist-credentials: false
       - name: Create max-perf manifest
@@ -195,10 +195,3 @@ jobs:
           images: ${{ env.IMAGE_PATH }}
           registry_user: ${{ vars.BUILTIN_REGISTRY_USER || github.actor }}
           registry_password: ${{ secrets.BUILTIN_REGISTRY_PASSWORD || secrets.GITHUB_TOKEN }}
-
-  mirror_images:
-    needs:
-      - merge-maxperf
-      - merge-release
-    runs-on: ubuntu-latest
-    uses: ./.forgejo/workflows/mirror-images.yml

.forgejo/workflows/renovate.yml

@@ -43,11 +43,11 @@ jobs:
     name: Renovate
     runs-on: ubuntu-latest
     container:
-      image: ghcr.io/renovatebot/renovate:43.111.0@sha256:da5fcac20c48d9792aac9c61fd234531bfa8df61263a39387cd8920263ca4768
+      image: ghcr.io/renovatebot/renovate:43.59.4@sha256:f951508dea1e7d71cbe6deca298ab0a05488e7631229304813f630cc06010892
       options: --tmpfs /tmp:exec
     steps:
       - name: Checkout
-        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
+        uses: actions/checkout@v6
         with:
           show-progress: false
 
@@ -55,7 +55,7 @@ jobs:
         run: /usr/local/renovate/node -e 'console.log(`node heap limit = ${require("v8").getHeapStatistics().heap_size_limit / (1024 * 1024)} Mb`)'
 
       - name: Restore renovate repo cache
-        uses: actions/cache/restore@0057852bfaa89a56745cba8c7296529d2fc39830 # v4
+        uses: actions/cache/restore@v4
         with:
           path: |
             /tmp/renovate/cache/renovate/repository
@@ -64,7 +64,7 @@ jobs:
             renovate-repo-cache-
 
       - name: Restore renovate package cache
-        uses: actions/cache/restore@0057852bfaa89a56745cba8c7296529d2fc39830 # v4
+        uses: actions/cache/restore@v4
         with:
           path: |
             /tmp/renovate/cache/renovate/renovate-cache-sqlite
@@ -73,7 +73,7 @@ jobs:
             renovate-package-cache-
 
       - name: Restore renovate OSV cache
-        uses: actions/cache/restore@0057852bfaa89a56745cba8c7296529d2fc39830 # v4
+        uses: actions/cache/restore@v4
         with:
           path: |
             /tmp/osv
@@ -117,7 +117,7 @@ jobs:
 
       - name: Save renovate package cache
         if: always()
-        uses: actions/cache/save@0057852bfaa89a56745cba8c7296529d2fc39830 # v4
+        uses: actions/cache/save@v4
         with:
           path: |
             /tmp/renovate/cache/renovate/renovate-cache-sqlite
@@ -125,7 +125,7 @@ jobs:
 
       - name: Save renovate OSV cache
         if: always()
-        uses: actions/cache/save@0057852bfaa89a56745cba8c7296529d2fc39830 # v4
+        uses: actions/cache/save@v4
         with:
           path: |
             /tmp/osv

.forgejo/workflows/update-flake-hashes.yml

@@ -14,21 +14,50 @@ jobs:
   update-flake-hashes:
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
+      - uses: actions/checkout@v6
         with:
+          fetch-depth: 0
+          fetch-tags: false
+          fetch-single-branch: true
+          submodules: false
           persist-credentials: true
           token: ${{ secrets.FORGEJO_TOKEN }}
 
-      - name: Install Lix
-        uses: https://github.com/samueldr/lix-gha-installer-action@f5e94192f565f53d84f41a056956dc0d3183b343
+      - uses: https://github.com/cachix/install-nix-action@19effe9fe722874e6d46dd7182e4b8b7a43c4a99 # v31.10.0
         with:
-          extra_nix_config: experimental-features = nix-command flakes flake-self-attrs
+          nix_path: nixpkgs=channel:nixos-unstable
+
+        # We can skip getting a toolchain hash if this was ran as a dispatch with the intent
+        # to update just the rocksdb hash. If this was ran as a dispatch and the toolchain
+        # files are changed, we still update them, as well as the rocksdb import.
+      - name: Detect changed files
+        id: changes
+        run: |
+          git fetch origin ${{ github.base_ref }} --depth=1 || true
+          if [ -n "${{ github.event.pull_request.base.sha }}" ]; then
+            base=${{ github.event.pull_request.base.sha }}
+          else
+            base=$(git rev-parse HEAD~1)
+          fi
+          echo "Base: $base"
+          echo "HEAD: $(git rev-parse HEAD)"
+          git diff --name-only $base HEAD > changed_files.txt
+          echo "detected changes in $(cat changed_files.txt)"
+          # Join files with commas
+          files=$(paste -sd, changed_files.txt)
+          echo "files=$files" >> $FORGEJO_OUTPUT
+
+      - name: Debug output
+        run: |
+          echo "State of output"
+          echo "Changed files: ${{ steps.changes.outputs.files }}"
 
       - name: Get new toolchain hash
+        if: contains(steps.changes.outputs.files, 'Cargo.toml') || contains(steps.changes.outputs.files, 'Cargo.lock') || contains(steps.changes.outputs.files, 'rust-toolchain.toml')
         run: |
           # Set the current sha256 to an empty hash to make `nix build` calculate a new one
-          awk '/fromToolchainFile *\{/{found=1; print; next} found && /sha256 =/{sub(/sha256 = .*/, "sha256 = lib.fakeSha256;"); found=0} 1' nix/rust.nix > temp.nix
-          mv temp.nix nix/rust.nix
+          awk '/fromToolchainFile *\{/{found=1; print; next} found && /sha256 =/{sub(/sha256 = .*/, "sha256 = lib.fakeSha256;"); found=0} 1' nix/packages/rust.nix > temp.nix
+          mv temp.nix nix/packages/rust.nix
 
           # Build continuwuity and filter for the new hash
           # We do `|| true` because we want this to fail without stopping the workflow
@@ -36,17 +65,36 @@ jobs:
 
           # Place the new hash in place of the empty hash
           new_hash=$(cat new_toolchain_hash.txt)
-          sed -i "s|lib.fakeSha256|\"$new_hash\"|" nix/rust.nix
+          sed -i "s|lib.fakeSha256|\"$new_hash\"|" nix/packages/rust.nix
 
           echo "New hash:"
-          awk -F'"' '/fromToolchainFile/{found=1; next} found && /sha256 =/{print $2; found=0}' nix/rust.nix
+          awk -F'"' '/fromToolchainFile/{found=1; next} found && /sha256 =/{print $2; found=0}' nix/packages/rust.nix
           echo "Expected new hash:"
           cat new_toolchain_hash.txt
 
           rm new_toolchain_hash.txt
 
-      - name: Update rocksdb
-        run: nix run .#update-rocksdb
+      - name: Get new rocksdb hash
+        if: contains(steps.changes.outputs.files, '.nix') || contains(steps.changes.outputs.files, 'flake.lock')
+        run: |
+          # Set the current sha256 to an empty hash to make `nix build` calculate a new one
+          awk '/repo = "rocksdb";/{found=1; print; next} found && /sha256 =/{sub(/sha256 = .*/, "sha256 = lib.fakeSha256;"); found=0} 1' nix/packages/rocksdb/package.nix > temp.nix
+          mv temp.nix nix/packages/rocksdb/package.nix
+
+          # Build continuwuity and filter for the new hash
+          # We do `|| true` because we want this to fail without stopping the workflow
+          nix build .#default 2>&1 | tee >(grep 'got:' | awk '{print $2}' > new_rocksdb_hash.txt) || true
+
+          # Place the new hash in place of the empty hash
+          new_hash=$(cat new_rocksdb_hash.txt)
+          sed -i "s|lib.fakeSha256|\"$new_hash\"|" nix/packages/rocksdb/package.nix
+
+          echo "New hash:"
+          awk -F'"' '/repo = "rocksdb";/{found=1; next} found && /sha256 =/{print $2; found=0}' nix/packages/rocksdb/package.nix
+          echo "Expected new hash:"
+          cat new_rocksdb_hash.txt
+
+          rm new_rocksdb_hash.txt
 
       - name: Show diff
         run: git diff flake.nix nix

Cargo.toml

@@ -39,7 +39,7 @@ features = ["ffi", "std", "union"]
 version = "0.7.0"
 
 [workspace.dependencies.ctor]
-version = "0.9.0"
+version = "0.6.0"
 
 [workspace.dependencies.cargo_toml]
 version = "0.22"
@@ -60,7 +60,7 @@ default-features = false
 
 # used for TURN server authentication
 [workspace.dependencies.hmac]
-version = "0.13.0"
+version = "0.12.1"
 default-features = false
 
 # used for checking if an IP is in specific subnets / CIDR ranges easier
@@ -159,7 +159,7 @@ features = ["raw_value"]
 
 # Used for appservice registration files
 [workspace.dependencies.serde-saphyr]
-version = "0.0.23"
+version = "0.0.21"
 
 # Used to load forbidden room/user regex from config
 [workspace.dependencies.serde_regex]
@@ -344,7 +344,7 @@ version = "0.1.2"
 [workspace.dependencies.ruma]
 git = "https://forgejo.ellis.link/continuwuation/ruwuma"
 #branch = "conduwuit-changes"
-rev = "1415caf8a32af4d943580c5ea4e12be1974593c2"
+rev = "a97b91adcc012ef04991d823b8b5a79c6686ae48"
 features = [
     "compat",
     "rand",
@@ -383,8 +383,7 @@ features = [
     "unstable-pdu",
     "unstable-msc4155",
     "unstable-msc4143", # livekit well_known response
-    "unstable-msc4284",
-    "unstable-msc4439", # pgp_key in .well_known/matrix/support
+    "unstable-msc4284"
 ]
 
 [workspace.dependencies.rust-rocksdb]
@@ -404,7 +403,7 @@ version = "0.10.8"
 default-features = false
 
 [workspace.dependencies.sha1]
-version = "0.11.0"
+version = "0.10.6"
 default-features = false
 
 # optional opentelemetry, performance measurements, flamegraphs, etc for performance measurements and monitoring
@@ -481,7 +480,7 @@ default-features = false
 features = ["resource"]
 
 [workspace.dependencies.sd-notify]
-version = "0.5.0"
+version = "0.4.5"
 default-features = false
 
 [workspace.dependencies.hardened_malloc-rs]

changelog.d/1594.doc

@@ -1 +0,0 @@
-Refactored docker docs to include new initial token workflow, and add Caddyfile example. Contributed by @stratself.

changelog.d/1596.bugfix

@@ -1 +0,0 @@
-Refactored nix package. Breaking, since `all-features` package no longer exists. Continuwuity is now built with jemalloc and liburing by default. Contributed by @Henry-Hiles (QuadRadical).

changelog.d/1601.doc

@@ -1 +0,0 @@
-Add DNS tuning guide for Continuwuity. Users are recommended to set up a local caching resolver following the guide's advice. Contributed by @stratself

changelog.d/1609.feature.md

@@ -1,2 +0,0 @@
-Add new config option for [MSC4439](https://github.com/matrix-org/matrix-spec-proposals/pull/4439)
-PGP key URIs. Contributed by LogN.

changelog.d/1615.bugfix

@@ -1 +0,0 @@
-Fixed resolving IP of servers that only use SRV delegation. Contributed by @tulir.

changelog.d/1620.misc

@@ -1 +0,0 @@
-Fixed compiler warning in cf_opts.rs when building in release. Contributed by @ezera.

changelog.d/1623.bugfix

@@ -1 +0,0 @@
-Fixed "Sender must be a local user" error for make_join, make_knock, and make_leave federation routes. Contributed by @nex.

changelog.d/1629.feature.md

@@ -1 +0,0 @@
-Added admin commands to get build information and features. Contributed by @Jade

changelog.d/1630.bugfix

@@ -1 +0,0 @@
-Fixed restricted joins not being signed when we are being used as an authorising server. Contributed by @nex, reported by [vel](matrix:u/vel:nhjkl.com?action=chat).

conduwuit-example.toml

@@ -527,13 +527,13 @@
 # which users must agree to when registering an account.
 #
 # Example:
-# ```ignore
+# ```
 # [global.registration_terms.privacy_policy]
 # en = { name = "Privacy Policy", url = "https://homeserver.example/en/privacy_policy.html" }
 # es = { name = "Política de Privacidad", url = "https://homeserver.example/es/privacy_policy.html" }
 # ```
 #
-#registration_terms = {}
+#registration_terms = false
 
 # Controls whether encrypted rooms and events are allowed.
 #
@@ -1881,11 +1881,6 @@
 #
 #support_mxid =
 
-# PGP key URI for server support contacts, to be served as part of the
-# MSC1929 server support endpoint.
-#
-#support_pgp_key =
-
 # **DEPRECATED**: Use `[global.matrix_rtc].foci` instead.
 #
 # A list of MatrixRTC foci URLs which will be served as part of the

docker/Dockerfile

@@ -15,13 +15,13 @@ ARG LLVM_VERSION=21
 
 # Install repo tools
 # Line one: compiler tools
-# Line two: curl, for downloading binaries and wget because llvm.sh is broken with curl
+# Line two: curl, for downloading binaries
 # Line three: for xx-verify
 RUN --mount=type=cache,target=/var/cache/apt,sharing=locked \
     --mount=type=cache,target=/var/lib/apt,sharing=locked \
     apt-get update && apt-get install -y \
     pkg-config make jq \
-    wget curl git software-properties-common \
+    curl git software-properties-common \
     file
 
 # LLVM packages
@@ -48,7 +48,7 @@ EOF
 
 # Developer tool versions
 # renovate: datasource=github-releases depName=cargo-bins/cargo-binstall
-ENV BINSTALL_VERSION=1.18.0
+ENV BINSTALL_VERSION=1.17.8
 # renovate: datasource=github-releases depName=psastras/sbom-rs
 ENV CARGO_SBOM_VERSION=0.9.1
 # renovate: datasource=crate depName=lddtree

docker/musl.Dockerfile

@@ -18,7 +18,7 @@ RUN --mount=type=cache,target=/etc/apk/cache apk add \
 
 # Developer tool versions
 # renovate: datasource=github-releases depName=cargo-bins/cargo-binstall
-ENV BINSTALL_VERSION=1.18.0
+ENV BINSTALL_VERSION=1.17.8
 # renovate: datasource=github-releases depName=psastras/sbom-rs
 ENV CARGO_SBOM_VERSION=0.9.1
 # renovate: datasource=crate depName=lddtree

docs/advanced/_meta.json

@@ -3,11 +3,5 @@
         "type": "file",
         "name": "delegation",
         "label": "Delegation / split-domain"
-    },
-    {
-        "type": "file",
-        "name": "dns",
-        "label": "DNS tuning (recommended)"
     }
-
 ]

docs/advanced/dns.mdx

@@ -1,165 +0,0 @@
-# DNS Tuning (recommended)
-
-For federation, Matrix homeservers conduct an enormous amount of DNS requests, sometimes up to thousands of queries per minute. Normal DNS resolvers are simply not designed for this load, and running Continuwuity with them will likely result in various [DNS and federation errors](../troubleshooting#dns-issues).
-
-To solve this issue, it is strongly recommended to self-host a high-quality, external caching DNS resolver for Continuwuity. This guide will use [Unbound][unbound] as the recommended example, but the general principle applies to any resolver.
-
-[unbound]: https://wiki.archlinux.org/title/Unbound
-
-## Overview
-
-For generic deployments, install your resolver of choice and configure `/etc/resolv.conf` to point to it. The resolver should ideally reside on the same host as Continuwuity.
-
-```txt title="/etc/resolv.conf"
-nameserver 127.0.0.1
-```
-
-**Avoid using `systemd-resolved`** as it does **not** perform very well under high load, and we have identified its DNS caching to not be very effective.
-
-### For Docker users
-
-Docker bridge networks uses a non-performant resolver to intercept and respond to container hostnames, and **this should also be avoided**. Instead, mount a custom `/etc/resolv.conf` file into the container, and hardcode a resolver address to bypass Docker's.
-
-It is recommended to run a dedicated resolver container for Continuwuity, as to separate from the host's resolver setup. To do this, create a custom bridge network and IP range, and explicitly define an IP address for the resolver container.
-
-<details>
-<summary>Example Docker deployment with unbound</summary>
-
-```yaml title="docker-compose.yml"
-networks:
-  matrix_net:
-    ipam:
-      driver: default
-      config:
-        - subnet: "10.10.10.0/24"
-
-services:
-    homeserver:
-        # ...
-        volume:
-            - ./continuwuity-resolv.conf:/etc/resolv.conf:ro
-
-    unbound:
-        # ...
-        networks:
-            matrix_net:
-                ipv4_address: 10.10.10.20
-```
-
-```txt title="continuwuity-resolv.conf"
-nameserver 10.10.10.20
-```
-
-</details>
-
-### For IPv4-only users
-
-If you don't have IPv6 connectivity, changing `ip_lookup_strategy` to only resolve for IPv4 will reduce unnecessary AAAA queries.
-
-```toml title="continuwuity.toml"
-[global]
-# 1 - Ipv4Only (Only query for A records, no AAAA/IPv6)
-ip_lookup_strategy = 1
-```
-
-## Unbound
-
-[Unbound][unbound] is the recommended resolver to run with Continuwuity. For Docker users, the `docker.io/madnuttah/unbound` image ([Github repo][madnuttah-unbound-repo]) can be used.
-
-After installation, you can tune `/etc/unbound/unbound.conf` values according to your needs. While Continuwuity cannot recommend a "works-for-everyone" Unbound DNS setup guide, the official [Unbound tuning guide][unbound-tuning-guide] and the [Unbound Arch Linux wiki page][unbound-arch-linux] may be of interest.
-
-Some values that are commonly tuned include:
-
-- Increase `rrset-cache-size` and `msg-cache-size` to something much higher than the default `4M`, such as `64M`.
-
-- Increase `discard-timeout` to something like `4800` to wait longer for upstream resolvers, as recursion can take a long time to respond to some domains. Continuwuity default to `dns_timeout = 10` seconds, so dropping requests early would lead to unnecessary retries and/or failures.
-
-### Using a forwarder (optional)
-
-Unbound by default employs **recursive resolution** and contacts many servers around the world. If this is not performant enough, consider forwarding your queries to public resolvers to benefit from their CDNs and get faster responses.
-
-However, most popular upstreams (such as Google DNS or Quad9) employ IP ratelimiting, so a generous cache is still needed to avoid making too many queries.
-
-DNS-over-TLS forwarders may also be used should you need on-the-wire encryption, but TLS overhead causes some speed penalties.
-
-If you want to use forwarders, configure it as follows:
-
-<details>
-
-<summary>unbound.conf</summary>
-
-```
-# Use cloudflare public resolvers as an example
-forward-zone:
-    name: "."
-    forward-addr: 1.0.0.1@53
-    forward-addr: 1.1.1.1@53
-    # Also use IPv6 ones if you're dual-stack
-    # forward-addr: 2606:4700:4700::1001@53
-    # forward-addr: 2606:4700:4700::1111@53
-
-# alternatively, use DNS-over-TLS for forwarders.
-# forward-zone:
-    # name: "."
-    # forward-tls-upstream: yes
-    # forward-addr: 1.0.0.1@853#cloudflare-dns.com
-    # forward-addr: 1.1.1.1@853#cloudflare-dns.com
-    # forward-addr: 2606:4700:4700::1001@853#cloudflare-dns.com
-    # forward-addr: 2606:4700:4700::1111@853#cloudflare-dns.com
-```
-
-</details>
-
-[madnuttah-unbound-repo]: https://github.com/madnuttah/unbound-docker/
-[unbound-tuning-guide]: https://unbound.docs.nlnetlabs.nl/en/latest/topics/core/performance.html
-[unbound-arch-linux]: https://wiki.archlinux.org/title/Unbound
-
-## Other resolvers
-
-### dnsproxy
-
-[Dnsproxy][dnsproxy] and its sister product [AdGuard Home][adguard-home] are known to work with Continuwuity and has an official Docker image. They have support for DNS-over-HTTPS as well as DNS-over-QUIC, but not recursion.
-
-To best utilise dnsproxy, you should enable proper caching with `--cache` and set `--cache-size` to something bigger, like `64000000`.
-
-[dnsproxy]: https://github.com/AdguardTeam/dnsproxy
-[adguard-home]: https://github.com/AdguardTeam/AdGuardHome
-
-### dnsmasq
-
-[dnsmasq][arch-linux-dnsmasq] can possibly work with Continuwuity, though it only supports forwarding rather than recursion. Increase the `cache-size` to something like `30000` for better caching performance.
-
-However, `dnsmasq` does not support TCP fallback which can be problematic when receiving large DNS responses such as from large SRV records. If you still want to use dnsmasq, make sure you disable `dns_tcp_fallback` in Continuwuity config.
-
-[arch-linux-dnsmasq]: https://wiki.archlinux.org/title/Dnsmasq
-
-### Technitium
-
-[Technitium][technitium] supports recursion as well as a myriad of forwarding protocols, allows saving cache to disk natively, and does work well with Continuwuity. Its default configurations however ratelimits single-IP requests by a lot, and hence must be changed. You may consult this [community guide][technitium-continuwuity] for more details on setting up a dedicated Technitium for Continuwuity.
-
-[technitium]: https://github.com/TechnitiumSoftware/DnsServer
-[technitium-continuwuity]: https://muoi.me/~stratself/articles/technitium-continuwuity/
-
-## Testing
-
-As a rough stress test, you can run `!admin query resolver flush-cache -a` or `!admin server clear-caches` to trigger a netburst of DNS queries. If your resolver can handle these loads without problem, then it should be ready for regular Continuwuity activity.
-
-To test connectivity against a specific server, use `!admin debug ping <SERVER_NAME>` and `!admin debug resolve-true-destination <SERVER_NAME>`.
-
-Note that it is expected that not all servers will be resolved, as some of them may be temporarily offline, have broken DNS and/or discovery configuration, or have been decommissioned.
-
-## Further steps
-
-- (Recommended) Set **`dns_cache_entries = 0`** inside Continuwuity and fully rely on the more performant external resolver.
-
-- Consider employing **persistent cache to disk**, so your resolver can still run without hassle after a restart. Unbound, via [Cache DB module][unbound-cachedb], can use Redis as a storage backend for this feature.
-
-- Consider [enabling **Serve Stale**][unbound-serve-stale] functionality to serve expired data beyond DNS TTLs. Since most Matrix homeservers have static IPs, this should help improve federation with them especially when upstream resolvers have timed out. For dnsproxy, this corresponds to its [optimistic caching options][dnsproxy-usage].
-
-- If you still experience DNS performance issues, another step could be to **disable DNSSEC** (which is computationally expensive) at a cost of slightly decreased security. On Unbound this is done by commenting out `trust-anchors` config options and removing the `validator` module.
-
-- Some users have reported that setting `query_over_tcp_only = true` in Continuwuity has improved DNS reliability at a slight performance cost due to TCP overhead. Generally this is not needed if your resolver and homeserver is on the same machine.
-
-[unbound-cachedb]: https://unbound.docs.nlnetlabs.nl/en/latest/manpages/unbound.conf.html#cache-db-module-options
-[unbound-serve-stale]: https://wiki.archlinux.org/title/Unbound#Serving_expired_records
-[dnsproxy-usage]: https://github.com/AdguardTeam/dnsproxy#usage

docs/deploying/docker-compose.for-traefik.yml

@@ -0,0 +1,76 @@
+# Continuwuity - Behind Traefik Reverse Proxy
+
+services:
+  homeserver:
+    ### If you already built the continuwuity image with 'docker build' or want to use the Docker Hub image,
+    ### then you are ready to go.
+    image: forgejo.ellis.link/continuwuation/continuwuity:latest
+    restart: unless-stopped
+    command: /sbin/conduwuit
+    volumes:
+      - db:/var/lib/continuwuity
+      #- ./continuwuity.toml:/etc/continuwuity.toml
+    networks:
+      - proxy
+    labels:
+      - "traefik.enable=true"
+      - "traefik.http.routers.continuwuity.rule=(Host(`matrix.example.com`) || (Host(`example.com`) && PathPrefix(`/.well-known/matrix`)))"
+      - "traefik.http.routers.continuwuity.entrypoints=websecure" # your HTTPS entry point
+      - "traefik.http.routers.continuwuity.tls=true"
+      - "traefik.http.routers.continuwuity.service=continuwuity"
+      - "traefik.http.services.continuwuity.loadbalancer.server.port=6167"
+      # possibly, depending on your config:
+      # - "traefik.http.routers.continuwuity.tls.certresolver=letsencrypt"
+    environment:
+      CONTINUWUITY_SERVER_NAME: your.server.name.example # EDIT THIS
+      CONTINUWUITY_DATABASE_PATH: /var/lib/continuwuity
+      CONTINUWUITY_PORT: 6167 # should match the loadbalancer traefik label
+      CONTINUWUITY_MAX_REQUEST_SIZE: 20000000 # in bytes, ~20 MB
+      CONTINUWUITY_ALLOW_REGISTRATION: 'true'
+      CONTINUWUITY_REGISTRATION_TOKEN: 'YOUR_TOKEN' # A registration token is required when registration is allowed.
+      #CONTINUWUITY_YES_I_AM_VERY_VERY_SURE_I_WANT_AN_OPEN_REGISTRATION_SERVER_PRONE_TO_ABUSE: 'true'
+      CONTINUWUITY_ALLOW_FEDERATION: 'true'
+      CONTINUWUITY_ALLOW_CHECK_FOR_UPDATES: 'true'
+      CONTINUWUITY_TRUSTED_SERVERS: '["matrix.org"]'
+      #CONTINUWUITY_LOG: warn,state_res=warn
+      CONTINUWUITY_ADDRESS: 0.0.0.0
+      #CONTINUWUITY_CONFIG: '/etc/continuwuity.toml' # Uncomment if you mapped config toml above
+
+      # We need some way to serve the client and server .well-known json. The simplest way is via the CONTINUWUITY_WELL_KNOWN
+      # variable / config option, there are multiple ways to do this, e.g. in the continuwuity.toml file, and in a separate
+      # see the override file for more information about delegation
+      CONTINUWUITY_WELL_KNOWN: |
+        {
+        client=https://your.server.name.example,
+        server=your.server.name.example:443
+        }
+    #cpuset: "0-4" # Uncomment to limit to specific CPU cores
+    ulimits: # Continuwuity uses quite a few file descriptors, and on some systems it defaults to 1024, so you can tell docker to increase it
+      nofile:
+        soft: 1048567
+        hard: 1048567
+
+    ### Uncomment if you want to use your own Element-Web App.
+    ### Note: You need to provide a config.json for Element and you also need a second
+    ###       Domain or Subdomain for the communication between Element and Continuwuity
+    ### Config-Docs: https://github.com/vector-im/element-web/blob/develop/docs/config.md
+    # element-web:
+    #     image: vectorim/element-web:latest
+    #     restart: unless-stopped
+    #     volumes:
+    #         - ./element_config.json:/app/config.json
+    #     networks:
+    #         - proxy
+    #     depends_on:
+    #         - homeserver
+
+volumes:
+  db:
+
+networks:
+  # This is the network Traefik listens to, if your network has a different
+  # name, don't forget to change it here and in the docker-compose.override.yml
+  proxy:
+    external: true
+
+# vim: ts=2:sw=2:expandtab

docs/deploying/docker-compose.override.yml

@@ -6,13 +6,11 @@ services:
       - "traefik.enable=true"
       - "traefik.docker.network=proxy"  # Change this to the name of your Traefik docker proxy network
 
-      - "traefik.http.routers.to-continuwuity.rule=Host(`matrix.example.com`)"  # Change to the address on which Continuwuity is hosted
+      - "traefik.http.routers.to-continuwuity.rule=Host(`<SUBDOMAIN>.<DOMAIN>`)"  # Change to the address on which Continuwuity is hosted
       - "traefik.http.routers.to-continuwuity.tls=true"
       - "traefik.http.routers.to-continuwuity.tls.certresolver=letsencrypt"
       - "traefik.http.routers.to-continuwuity.middlewares=cors-headers@docker"
-
-      # This must match with CONTINUWUITY_PORT (default: 8008)
-      - "traefik.http.services.to_continuwuity.loadbalancer.server.port=8008"
+      - "traefik.http.services.to_continuwuity.loadbalancer.server.port=6167"
 
       - "traefik.http.middlewares.cors-headers.headers.accessControlAllowOriginList=*"
       - "traefik.http.middlewares.cors-headers.headers.accessControlAllowHeaders=Origin, X-Requested-With, Content-Type, Accept, Authorization"
@@ -20,7 +18,19 @@ services:
 
       # If you want to have your account on <DOMAIN>, but host Continuwuity on a subdomain,
       # you can let it only handle the well known file on that domain instead
-      #- "traefik.http.routers.to-matrix-wellknown.rule=Host(`example.com`) && PathPrefix(`/.well-known/matrix`)"
+      #- "traefik.http.routers.to-matrix-wellknown.rule=Host(`<DOMAIN>`) && PathPrefix(`/.well-known/matrix`)"
       #- "traefik.http.routers.to-matrix-wellknown.tls=true"
       #- "traefik.http.routers.to-matrix-wellknown.tls.certresolver=letsencrypt"
       #- "traefik.http.routers.to-matrix-wellknown.middlewares=cors-headers@docker"
+
+  ### Uncomment this if you uncommented Element-Web App in the docker-compose.yml
+  # element-web:
+  #     labels:
+  #         - "traefik.enable=true"
+  #         - "traefik.docker.network=proxy"  # Change this to the name of your Traefik docker proxy network
+
+  #         - "traefik.http.routers.to-element-web.rule=Host(`<SUBDOMAIN>.<DOMAIN>`)"  # Change to the address on which Element-Web is hosted
+  #         - "traefik.http.routers.to-element-web.tls=true"
+  #         - "traefik.http.routers.to-element-web.tls.certresolver=letsencrypt"
+
+# vim: ts=2:sw=2:expandtab

docs/deploying/docker-compose.with-caddy.yml

@@ -16,37 +16,45 @@ services:
         restart: unless-stopped
         labels:
             caddy: example.com
-            caddy.reverse_proxy: /.well-known/matrix/* homeserver:8008
+            caddy.reverse_proxy: /.well-known/matrix/* homeserver:6167
 
     homeserver:
+        ### If you already built the Continuwuity image with 'docker build' or want to use a registry image,
+        ### then you are ready to go.
         image: forgejo.ellis.link/continuwuation/continuwuity:latest
         restart: unless-stopped
         command: /sbin/conduwuit
         volumes:
             - db:/var/lib/continuwuity
-            - ./continuwuity-resolv.conf:/etc/resolv.conf # use custom resolvers rather than Docker's
+            - /etc/resolv.conf:/etc/resolv.conf:ro # Use the host's DNS resolver rather than Docker's.
             #- ./continuwuity.toml:/etc/continuwuity.toml
         environment:
             CONTINUWUITY_SERVER_NAME: example.com # EDIT THIS
             CONTINUWUITY_DATABASE_PATH: /var/lib/continuwuity
+            CONTINUWUITY_PORT: 6167
+            CONTINUWUITY_MAX_REQUEST_SIZE: 20000000 # in bytes, ~20 MB
+            CONTINUWUITY_ALLOW_REGISTRATION: 'true'
+            CONTINUWUITY_REGISTRATION_TOKEN: 'YOUR_TOKEN' # A registration token is required when registration is allowed.
+            #CONTINUWUITY_YES_I_AM_VERY_VERY_SURE_I_WANT_AN_OPEN_REGISTRATION_SERVER_PRONE_TO_ABUSE: 'true'
+            CONTINUWUITY_ALLOW_FEDERATION: 'true'
+            CONTINUWUITY_ALLOW_CHECK_FOR_UPDATES: 'true'
+            CONTINUWUITY_TRUSTED_SERVERS: '["matrix.org"]'
+            #CONTINUWUITY_LOG: warn,state_res=warn
             CONTINUWUITY_ADDRESS: 0.0.0.0
-            CONTINUWUITY_PORT: 8008
             #CONTINUWUITY_CONFIG: '/etc/continuwuity.toml' # Uncomment if you mapped config toml above
 
-            # Serve .well-known files to tell others to reach Continuwuity on port :443
-            CONTINUWUITY_WELL_KNOWN: |
-                {
-                client=https://example.com,
-                server=example.com:443
-                }
-
+            # Required for .well-known delegation - edit these according to your chosen domain
+            CONTINUWUITY_WELL_KNOWN__CLIENT: https://matrix.example.com
+            CONTINUWUITY_WELL_KNOWN__SERVER: matrix.example.com:443
         networks:
             - caddy
         labels:
-            caddy: example.com
-            caddy.reverse_proxy: "{{upstreams 8008}}"
+            caddy: matrix.example.com
+            caddy.reverse_proxy: "{{upstreams 6167}}"
+
 volumes:
     db:
 
 networks:
     caddy:
+        external: true

docs/deploying/docker-compose.with-traefik.yml

@@ -0,0 +1,160 @@
+# Continuwuity - Behind Traefik Reverse Proxy
+
+services:
+  homeserver:
+    ### If you already built the Continuwuity image with 'docker build' or want to use the Docker Hub image,
+    ### then you are ready to go.
+    image: forgejo.ellis.link/continuwuation/continuwuity:latest
+    restart: unless-stopped
+    command: /sbin/conduwuit
+    volumes:
+      - db:/var/lib/continuwuity
+      - /etc/resolv.conf:/etc/resolv.conf:ro # Use the host's DNS resolver rather than Docker's.
+      #- ./continuwuity.toml:/etc/continuwuity.toml
+    networks:
+      - proxy
+    labels:
+      - "traefik.enable=true"
+      - "traefik.http.routers.continuwuity.rule=(Host(`matrix.example.com`) || (Host(`example.com`) && PathPrefix(`/.well-known/matrix`)))"
+      - "traefik.http.routers.continuwuity.entrypoints=websecure"
+      - "traefik.http.routers.continuwuity.tls.certresolver=letsencrypt"
+      - "traefik.http.services.continuwuity.loadbalancer.server.port=6167"
+      # Uncomment and adjust the following if you want to use middleware
+      # - "traefik.http.routers.continuwuity.middlewares=secureHeaders@file"
+    environment:
+      CONTINUWUITY_SERVER_NAME: your.server.name.example # EDIT THIS
+      CONTINUWUITY_TRUSTED_SERVERS: '["matrix.org"]'
+      CONTINUWUITY_ALLOW_REGISTRATION: 'false' # After setting a secure registration token, you can enable this
+      CONTINUWUITY_REGISTRATION_TOKEN: "" # This is a token you can use to register on the server
+      #CONTINUWUITY_REGISTRATION_TOKEN_FILE: "" # Alternatively you can configure a path to a token file to read
+      CONTINUWUITY_ADDRESS: 0.0.0.0
+      CONTINUWUITY_PORT: 6167 # you need to match this with the traefik load balancer label if you're want to change it
+      CONTINUWUITY_DATABASE_PATH: /var/lib/continuwuity
+      #CONTINUWUITY_CONFIG: '/etc/continuwuity.toml' # Uncomment if you mapped config toml above
+      ### Uncomment and change values as desired, note that Continuwuity has plenty of config options, so you should check out the example example config too
+      # Available levels are: error, warn, info, debug, trace - more info at: https://docs.rs/env_logger/*/env_logger/#enabling-logging
+      # CONTINUWUITY_LOG: info  # default is: "warn,state_res=warn"
+      # CONTINUWUITY_ALLOW_ENCRYPTION: 'true'
+      # CONTINUWUITY_ALLOW_FEDERATION: 'true'
+      # CONTINUWUITY_ALLOW_CHECK_FOR_UPDATES: 'true'
+      # CONTINUWUITY_ALLOW_INCOMING_PRESENCE: true
+      # CONTINUWUITY_ALLOW_OUTGOING_PRESENCE: true
+      # CONTINUWUITY_ALLOW_LOCAL_PRESENCE: true
+      # CONTINUWUITY_WORKERS: 10
+      # CONTINUWUITY_MAX_REQUEST_SIZE: 20000000  # in bytes, ~20 MB
+      # CONTINUWUITY_NEW_USER_DISPLAYNAME_SUFFIX = "🏳<200d>⚧"
+
+      # We need some way to serve the client and server .well-known json. The simplest way is via the CONTINUWUITY_WELL_KNOWN
+      # variable / config option, there are multiple ways to do this, e.g. in the continuwuity.toml file, and in a separate
+      # reverse proxy, but since you do not have a reverse proxy and following this guide, this example is included
+      CONTINUWUITY_WELL_KNOWN: |
+        {
+          client=https://your.server.name.example,
+          server=your.server.name.example:443
+        }
+    #cpuset: "0-4" # Uncomment to limit to specific CPU cores
+    ulimits: # Continuwuity uses quite a few file descriptors, and on some systems it defaults to 1024, so you can tell docker to increase it
+      nofile:
+        soft: 1048567
+        hard: 1048567
+
+    ### Uncomment if you want to use your own Element-Web App.
+    ### Note: You need to provide a config.json for Element and you also need a second
+    ###       Domain or Subdomain for the communication between Element and Continuwuity
+    ### Config-Docs: https://github.com/vector-im/element-web/blob/develop/docs/config.md
+    # element-web:
+    #     image: vectorim/element-web:latest
+    #     restart: unless-stopped
+    #     volumes:
+    #         - ./element_config.json:/app/config.json
+    #     networks:
+    #         - proxy
+    #     depends_on:
+    #         - homeserver
+
+  traefik:
+    image: "traefik:latest"
+    container_name: "traefik"
+    restart: "unless-stopped"
+    ports:
+      - "80:80"
+      - "443:443"
+    volumes:
+      - "/var/run/docker.sock:/var/run/docker.sock:z"
+      - "acme:/etc/traefik/acme"
+      #- "./traefik_config:/etc/traefik:z"
+    labels:
+      - "traefik.enable=true"
+
+      # middleware redirect
+      - "traefik.http.middlewares.redirect-to-https.redirectscheme.scheme=https"
+      # global redirect to https
+      - "traefik.http.routers.redirs.rule=hostregexp(`{host:.+}`)"
+      - "traefik.http.routers.redirs.entrypoints=web"
+      - "traefik.http.routers.redirs.middlewares=redirect-to-https"
+
+    configs:
+      - source: dynamic.yml
+        target: /etc/traefik/dynamic.yml
+
+    environment:
+      TRAEFIK_LOG_LEVEL: DEBUG
+      TRAEFIK_ENTRYPOINTS_WEB: true
+      TRAEFIK_ENTRYPOINTS_WEB_ADDRESS: ":80"
+      TRAEFIK_ENTRYPOINTS_WEB_HTTP_REDIRECTIONS_ENTRYPOINT_TO: websecure
+
+      TRAEFIK_ENTRYPOINTS_WEBSECURE: true
+      TRAEFIK_ENTRYPOINTS_WEBSECURE_ADDRESS: ":443"
+      TRAEFIK_ENTRYPOINTS_WEBSECURE_HTTP_TLS_CERTRESOLVER: letsencrypt
+      #TRAEFIK_ENTRYPOINTS_WEBSECURE_HTTP_MIDDLEWARES: secureHeaders@file # if you want to enabled STS
+
+      TRAEFIK_CERTIFICATESRESOLVERS_LETSENCRYPT: true
+      TRAEFIK_CERTIFICATESRESOLVERS_LETSENCRYPT_ACME_EMAIL: # Set this to the email you want to receive certificate expiration emails for
+      TRAEFIK_CERTIFICATESRESOLVERS_LETSENCRYPT_ACME_KEYTYPE: EC384
+      TRAEFIK_CERTIFICATESRESOLVERS_LETSENCRYPT_ACME_HTTPCHALLENGE: true
+      TRAEFIK_CERTIFICATESRESOLVERS_LETSENCRYPT_ACME_HTTPCHALLENGE_ENTRYPOINT: web
+      TRAEFIK_CERTIFICATESRESOLVERS_LETSENCRYPT_ACME_STORAGE: "/etc/traefik/acme/acme.json"
+
+      # Since Traefik 3.6.3, paths with certain "encoded characters" are now blocked by default; we need a couple, or else things *will* break
+      TRAEFIK_ENTRYPOINTS_WEBSECURE_HTTP_ENCODEDCHARACTERS_ALLOWENCODEDSLASH: true
+      TRAEFIK_ENTRYPOINTS_WEBSECURE_HTTP_ENCODEDCHARACTERS_ALLOWENCODEDHASH: true
+
+      TRAEFIK_PROVIDERS_DOCKER: true
+      TRAEFIK_PROVIDERS_DOCKER_ENDPOINT: "unix:///var/run/docker.sock"
+      TRAEFIK_PROVIDERS_DOCKER_EXPOSEDBYDEFAULT: false
+
+      TRAEFIK_PROVIDERS_FILE: true
+      TRAEFIK_PROVIDERS_FILE_FILENAME: "/etc/traefik/dynamic.yml"
+
+configs:
+  dynamic.yml:
+    content: |
+      # Optionally set STS headers, like in https://hstspreload.org
+      # http:
+      #   middlewares:
+      #     secureHeaders:
+      #       headers:
+      #         forceSTSHeader: true
+      #         stsIncludeSubdomains: true
+      #         stsPreload: true
+      #         stsSeconds: 31536000
+      tls:
+        options:
+          default:
+            cipherSuites:
+              - TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
+              - TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
+              - TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
+              - TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
+              - TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305
+              - TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305
+            minVersion: VersionTLS12
+
+volumes:
+    db:
+    acme:
+
+networks:
+    proxy:
+
+# vim: ts=2:sw=2:expandtab

docs/deploying/docker-compose.yml

@@ -0,0 +1,45 @@
+# Continuwuity
+
+services:
+    homeserver:
+        ### If you already built the Continuwuity image with 'docker build' or want to use a registry image,
+        ### then you are ready to go.
+        image: forgejo.ellis.link/continuwuation/continuwuity:latest
+        restart: unless-stopped
+        command: /sbin/conduwuit
+        ports:
+            - 8448:6167
+        volumes:
+            - db:/var/lib/continuwuity
+            #- ./continuwuity.toml:/etc/continuwuity.toml
+        environment:
+            CONTINUWUITY_SERVER_NAME: your.server.name # EDIT THIS
+            CONTINUWUITY_DATABASE_PATH: /var/lib/continuwuity
+            CONTINUWUITY_PORT: 6167
+            CONTINUWUITY_MAX_REQUEST_SIZE: 20000000 # in bytes, ~20 MB
+            CONTINUWUITY_ALLOW_REGISTRATION: 'true'
+            CONTINUWUITY_REGISTRATION_TOKEN: 'YOUR_TOKEN' # A registration token is required when registration is allowed.
+            #CONTINUWUITY_YES_I_AM_VERY_VERY_SURE_I_WANT_AN_OPEN_REGISTRATION_SERVER_PRONE_TO_ABUSE: 'true'
+            CONTINUWUITY_ALLOW_FEDERATION: 'true'
+            CONTINUWUITY_ALLOW_CHECK_FOR_UPDATES: 'true'
+            CONTINUWUITY_TRUSTED_SERVERS: '["matrix.org"]'
+            #CONTINUWUITY_LOG: warn,state_res=warn
+            CONTINUWUITY_ADDRESS: 0.0.0.0
+            #CONTINUWUITY_CONFIG: '/etc/continuwuity.toml' # Uncomment if you mapped config toml above
+    #
+    ### Uncomment if you want to use your own Element-Web App.
+    ### Note: You need to provide a config.json for Element and you also need a second
+    ###       Domain or Subdomain for the communication between Element and Continuwuity
+    ### Config-Docs: https://github.com/vector-im/element-web/blob/develop/docs/config.md
+    # element-web:
+    #     image: vectorim/element-web:latest
+    #     restart: unless-stopped
+    #     ports:
+    #         - 8009:80
+    #     volumes:
+    #         - ./element_config.json:/app/config.json
+    #     depends_on:
+    #         - homeserver
+
+volumes:
+    db:

docs/deploying/docker.mdx

@@ -1,251 +1,257 @@
 # Continuwuity for Docker
 
-## Preparation
+## Docker
 
-### Choose an image
+To run Continuwuity with Docker, you can either build the image yourself or pull
+it from a registry.
 
-The following OCI images are available for Continuwuity:
+### Use a registry
 
-| Image                                                                                        | Notes                                                                                                     |
-| ------------------------------------------------------------------------------------------- | --------------------------------------------------------------------------------------------------------- |
-| [https://forgejo.ellis.link/continuwuation/continuwuity:**latest**][latest]                 | Latest tagged release. (recommended)                                                                      |
-| [https://forgejo.ellis.link/continuwuation/continuwuity:**main**][main]                     | Latest `main` branch commit.                                                                              |
-| [https://forgejo.ellis.link/continuwuation/continuwuity:**latest-maxperf**][latest-maxperf] | Latest tagged release, [performance optimised version](./generic.mdx#performance-optimised-builds).       |
-| [https://forgejo.ellis.link/continuwuation/continuwuity:**main-maxperf**][main-maxperf]     | Latest `main` branch commit, [performance optimised version](./generic.mdx#performance-optimised-builds). |
+Available OCI images:
 
-[latest]: https://forgejo.ellis.link/continuwuation/-/packages/container/continuwuity/latest
-[main]: https://forgejo.ellis.link/continuwuation/-/packages/container/continuwuity/main
-[latest-maxperf]: https://forgejo.ellis.link/continuwuation/-/packages/container/continuwuity/latest-maxperf
-[main-maxperf]: https://forgejo.ellis.link/continuwuation/-/packages/container/continuwuity/main-maxperf
+| Registry         | Image                                                                                                                                                       | Notes                                                                        |
+| ---------------- | ----------------------------------------------------------------------------------------------------------------------------------------------------------- | ---------------------------------------------------------------------------- |
+| Forgejo Registry | [forgejo.ellis.link/continuwuation/continuwuity:latest](https://forgejo.ellis.link/continuwuation/-/packages/container/continuwuity/latest)                 | Latest tagged image.                                                         |
+| Forgejo Registry | [forgejo.ellis.link/continuwuation/continuwuity:main](https://forgejo.ellis.link/continuwuation/-/packages/container/continuwuity/main)                     | Main branch image.                                                           |
+| Forgejo Registry | [forgejo.ellis.link/continuwuation/continuwuity:latest-maxperf](https://forgejo.ellis.link/continuwuation/-/packages/container/continuwuity/latest-maxperf) | [Performance optimised version.](./generic.mdx#performance-optimised-builds) |
+| Forgejo Registry | [forgejo.ellis.link/continuwuation/continuwuity:main-maxperf](https://forgejo.ellis.link/continuwuation/-/packages/container/continuwuity/main-maxperf)     | [Performance optimised version.](./generic.mdx#performance-optimised-builds) |
 
-If you want a specific version or commit hash, you can browse for them [here][oci-all-versions].
+**Example:**
 
-Images are also mirrored to these locations automatically, on a schedule:
-
-- `ghcr.io/continuwuity/continuwuity` ([Github Registry][ghcr-io])
-- `docker.io/jadedblueeyes/continuwuity` ([Docker Hub][docker-hub])
-- `registry.gitlab.com/continuwuity/continuwuity` ([Gitlab Registry][gitlab-registry])
-- `git.nexy7574.co.uk/mirrored/continuwuity` ([Nexy's forge][nexy-forge]. Releases only, no `main` tags)
-
-[oci-all-versions]: https://forgejo.ellis.link/continuwuation/-/packages/container/continuwuity/versions
-[ghcr-io]: https://github.com/continuwuity/continuwuity/pkgs/container/continuwuity/versions?filters%5Bversion_type%5D=tagged
-[docker-hub]: https://hub.docker.com/r/jadedblueeyes/continuwuity/
-[gitlab-registry]: https://gitlab.com/continuwuity/continuwuity/container_registry/8871720
-[nexy-forge]: https://git.nexy7574.co.uk/mirrored/-/packages/container/continuwuity/versions
-
-### Prerequisites
-
-Continuwuity requires HTTPS for Matrix federation. You'll need:
-
-- A domain name pointing to your server's IP address - we will be using `example.com` in this guide.
-- A reverse proxy with SSL/TLS certificates (Traefik, Caddy, nginx, etc.) - see [Docker Compose](#docker-compose) for complete examples.
-- Port `:443` (for Client-Server traffic) and `:8448` (for federation traffic) opened on your server's firewall.
-
-    - Alternatively, if you want both client and federation traffic on `:443`, you can configure `CONTINUWUITY_WELL_KNOWN` following some of the [examples](#choose-your-reverse-proxy) below.
-
-:::tip Split-domain setups
-For more setups with `.well-known` delegation and split-domain deployments, consult the [Delegation/Split-domain](../advanced/delegation) page.
-:::
-
-## Docker Compose
-
-Docker Compose is the recommended deployment method for Continuwuity containers. The following environment variables will be set:
-
-- `CONTINUWUITY_SERVER_NAME` - Your Matrix server's domain name. **This CANNOT be changed later without a data wipe.**
-- `CONTINUWUITY_DATABASE_PATH` - Where to store your database. This must match the docker volume mount.
-- `CONTINUWUITY_ADDRESS` - Bind address (for Docker, use `0.0.0.0` to listen on all interfaces).
-
-Alternatively, you can specify a path to mount the configuration file using the `CONTINUWUITY_CONFIG` environment variable.
-
-See the [reference configuration](../reference/config) page for all config options, and the [Configuration page](../configuration#environment-variables) on how to convert them into Environment Variables.
-
-### Choose Your Reverse Proxy
-
-These examples include reverse proxy configurations for Matrix federation, which will route your Matrix domain (and optionally .well-known paths) to Continuwuity.
-
-:::note Docker DNS Performance
-Docker's default DNS resolver are known to [cause timeout issues](../troubleshooting#dns-issues) for Matrix federation. To bypass it and use a more performant resolver, mount a custom `/etc/resolv.conf` config file into the Continuwuity container.
-
-```yaml title='docker-compose.yml'
-services:
-  homeserver:
-    # ...
-    volumes:
-      - ./continuwuity-resolv.conf:/etc/resolv.conf
+```bash
+docker image pull forgejo.ellis.link/continuwuation/continuwuity:main-maxperf
 ```
 
-```txt title='continuwuity-resolv.conf'
-nameserver 1.0.0.1
-nameserver 1.1.1.1
-```
+#### Mirrors
 
-Consult the [**DNS tuning guide (recommended)**](../advanced/dns.mdx) for full solutions to this issue.
-:::
+Images are mirrored to multiple locations automatically, on a schedule:
 
-#### Caddy (using Caddyfile)
+- `ghcr.io/continuwuity/continuwuity`
+- `docker.io/jadedblueeyes/continuwuity`
+- `registry.gitlab.com/continuwuity/continuwuity`
+- `git.nexy7574.co.uk/mirrored/continuwuity` (releases only, no `main`)
 
-<details>
-<summary>docker-compose.with-caddy.yml ([view raw](/deploying/docker-compose.with-caddy.yml))</summary>
-
-```yaml file="../public/deploying/docker-compose.with-caddy.yml"
-
-```
-
-</details>
-
-#### Caddy (using labels)
-
-<details>
-<summary>docker-compose.with-caddy-labels.yml ([view raw](/deploying/docker-compose.with-caddy-labels.yml))</summary>
-
-```yaml file="../public/deploying/docker-compose.with-caddy-labels.yml"
-
-```
-
-</details>
-
-#### Traefik (for existing setup)
-
-<details>
-<summary>docker-compose.for-traefik.yml ([view raw](/deploying/docker-compose.for-traefik.yml))</summary>
-
-```yaml file="../public/deploying/docker-compose.for-traefik.yml"
-
-```
-
-</details>
-
-#### Traefik included
-
-<details>
-<summary>docker-compose.with-traefik.yml ([view raw](/deploying/docker-compose.with-traefik.yml))</summary>
-
-```yaml file="../public/deploying/docker-compose.with-traefik.yml"
-
-```
-
-</details>
-
-#### Traefik (as override file)
-
-<details>
-<summary>docker-compose.override.yml ([view raw](/deploying/docker-compose.override.yml))</summary>
-
-```yaml file="../public/deploying/docker-compose.override.yml"
-
-```
-
-</details>
-
-#### For other reverse proxies
-
-<details>
-<summary>docker-compose.yml ([view raw](/deploying/docker-compose.yml))</summary>
-
-```yaml file="../public/deploying/docker-compose.yml"
-
-```
-
-</details>
-
-You will then need to point your reverse proxy towards Continuwuity at `127.0.0.1:8008`. See the [Other reverse proxies](generic.mdx#setting-up-the-reverse-proxy) section of the Generic page for further routing details.
-
-### Starting Your Server
-
-1. Choose your compose file from the above, and rename it to `docker-compose.yml`. Edit values as you see fit.
-2. If using the override file, rename it to `docker-compose.override.yml` and
-   edit your values.
-3. Start the server:
-
-    ```bash
-    docker compose up -d
-    ```
-
-4. Check your server logs for a registration token:
-
-    ```bash
-    docker-compose logs continuwuity 2>&1
-    ```
-
-    You'll see output as below.
-
-    ```
-    In order to use your new homeserver, you need to create its
-    first user account.
-    Open your Matrix client of choice and register an account
-    on example.com using registration token x5keUZ811RqvLsNa .
-    Pick your own username and password!
-    ```
-
-5. Log in to your server with any Matrix client, and register for an account with the registration token from step 4. You'll automatically be invited to the admin room where you can [manage your server](../reference/admin).
-
-See the [generic deployment guide](generic.mdx) for more deployment options.
-
-## Testing
-
-Test that your setup works by following these [instructions](./generic.mdx#how-do-i-know-it-works)
-
-## Other deployment methods
-
-### Docker - Quick Run
-
-:::note For testing only
-The instructions below are only meant for a quick demo of Continuwuity.
-For production deployment, we recommend using [Docker Compose](#docker-compose)
-:::
+### Quick Run
 
 Get a working Continuwuity server with an admin user in four steps:
 
-1. Pull the image
+#### Prerequisites
 
-    ```bash
-    docker pull forgejo.ellis.link/continuwuation/continuwuity:latest
-    ```
+Continuwuity requires HTTPS for Matrix federation. You'll need:
 
-2. Start the server for the first time. Replace `example.com` with your actual server name.
+- A domain name pointing to your server
+- A reverse proxy with SSL/TLS certificates (Traefik, Caddy, nginx, etc.)
 
-    ```bash
-    docker run -d \
-      -p 8008:8008 \
-      -v continuwuity_db:/var/lib/continuwuity \
-      -e CONTINUWUITY_SERVER_NAME="example.com" \
-      -e CONTINUWUITY_DATABASE_PATH="/var/lib/continuwuity" \
-      -e CONTINUWUITY_ADDRESS="0.0.0.0" \
-      -e CONTINUWUITY_ALLOW_REGISTRATION="false" \
-      --name continuwuity \
-      forgejo.ellis.link/continuwuation/continuwuity:latest \
-      /sbin/conduwuit
-    ```
+See [Docker Compose](#docker-compose) for complete examples.
 
-3. Fetch the one-time initial registration token
+#### Environment Variables
 
-    ```bash
-    docker logs continuwuity 2>&1
-    ```
+- `CONTINUWUITY_SERVER_NAME` - Your Matrix server's domain name
+- `CONTINUWUITY_DATABASE_PATH` - Where to store your database (must match the
+  volume mount)
+- `CONTINUWUITY_ADDRESS` - Bind address (use `0.0.0.0` to listen on all
+  interfaces)
+- `CONTINUWUITY_ALLOW_REGISTRATION` - Set to `false` to disable registration, or
+  use with `CONTINUWUITY_REGISTRATION_TOKEN` to require a token (see
+  [reference](../reference/environment-variables.mdx#registration--user-configuration)
+  for details)
 
-    You'll see output as below.
+See the
+[Environment Variables Reference](../reference/environment-variables.mdx) for
+more configuration options.
 
-    ```
-    In order to use your new homeserver, you need to create its
-    first user account.
-    Open your Matrix client of choice and register an account
-    on example.com using registration token x5keUZ811RqvLsNa .
-    Pick your own username and password!
-    ```
+#### 1. Pull the image
 
-4. Configure your reverse proxy to forward HTTPS traffic to Continuwuity at port 8008. See [Docker Compose](#docker-compose) for examples.
+```bash
+docker pull forgejo.ellis.link/continuwuation/continuwuity:latest
+```
 
-Once configured, log in to your server with any Matrix client, and register for an account with the registration token from step 3. You'll automatically be invited to the admin room where you can [manage your server](../reference/admin).
+#### 2. Start the server with initial admin user
 
-### (Optional) Building Custom Images
+```bash
+docker run -d \
+  -p 6167:6167 \
+  -v continuwuity_db:/var/lib/continuwuity \
+  -e CONTINUWUITY_SERVER_NAME="matrix.example.com" \
+  -e CONTINUWUITY_DATABASE_PATH="/var/lib/continuwuity" \
+  -e CONTINUWUITY_ADDRESS="0.0.0.0" \
+  -e CONTINUWUITY_ALLOW_REGISTRATION="false" \
+  --name continuwuity \
+  forgejo.ellis.link/continuwuation/continuwuity:latest \
+  /sbin/conduwuit --execute "users create-user admin"
+```
+
+Replace `matrix.example.com` with your actual server name and `admin` with
+your preferred username.
+
+#### 3. Get your admin password
+
+```bash
+docker logs continuwuity 2>&1 | grep "Created user"
+```
+
+You'll see output like:
+
+```
+Created user with user_id: @admin:matrix.example.com and password: `[auto-generated-password]`
+```
+
+#### 4. Configure your reverse proxy
+
+Configure your reverse proxy to forward HTTPS traffic to Continuwuity. See
+[Docker Compose](#docker-compose) for examples.
+
+Once configured, log in with any Matrix client using `@admin:matrix.example.com`
+and the generated password. You'll automatically be invited to the admin room
+where you can manage your server.
+
+### Docker Compose
+
+Docker Compose is the recommended deployment method. These examples include
+reverse proxy configurations for Matrix federation.
+
+#### Matrix Federation Requirements
+
+For Matrix federation to work, you need to serve `.well-known/matrix/client` and
+`.well-known/matrix/server` endpoints. You can achieve this either by:
+
+1. **Using a well-known service** - The compose files below include an nginx
+   container to serve these files
+2. **Using Continuwuity's built-in delegation** (easier for Traefik) - Configure
+   delegation files in your config, then proxy `/.well-known/matrix/*` to
+   Continuwuity
+
+**Traefik example using built-in delegation:**
+
+```yaml
+labels:
+  traefik.http.routers.continuwuity.rule: >-
+    (Host(`matrix.example.com`) ||
+     (Host(`example.com`) && PathPrefix(`/.well-known/matrix`)))
+```
+
+This routes your Matrix domain and well-known paths to Continuwuity.
+
+#### Creating Your First Admin User
+
+Add the `--execute` command to create an admin user on first startup. In your
+compose file, add under the `continuwuity` service:
+
+```yaml
+services:
+    continuwuity:
+        image: forgejo.ellis.link/continuwuation/continuwuity:latest
+        command: /sbin/conduwuit --execute "users create-user admin"
+        # ... rest of configuration
+```
+
+Then retrieve the auto-generated password:
+
+```bash
+docker compose logs continuwuity | grep "Created user"
+```
+
+#### Choose Your Reverse Proxy
+
+Select the compose file that matches your setup:
+
+:::note DNS Performance
+Docker's default DNS resolver can cause performance issues with Matrix
+federation. If you experience slow federation or DNS timeouts, you may need to
+use your host's DNS resolver instead. Add this volume mount to the
+`continuwuity` service:
+
+```yaml
+volumes:
+  - /etc/resolv.conf:/etc/resolv.conf:ro
+```
+
+See [Troubleshooting - DNS Issues](../troubleshooting.mdx#potential-dns-issues-when-using-docker)
+for more details and alternative solutions.
+:::
+
+##### For existing Traefik setup
+
+<details>
+<summary>docker-compose.for-traefik.yml</summary>
+
+```yaml file="./docker-compose.for-traefik.yml"
+
+```
+
+</details>
+
+##### With Traefik included
+
+<details>
+<summary>docker-compose.with-traefik.yml</summary>
+
+```yaml file="./docker-compose.with-traefik.yml"
+
+```
+
+</details>
+
+##### With Caddy Docker Proxy
+
+<details>
+<summary>docker-compose.with-caddy.yml</summary>
+
+Replace all `example.com` placeholders with your own domain.
+
+```yaml file="./docker-compose.with-caddy.yml"
+
+```
+
+If you don't already have a network for Caddy to monitor, create one first:
+
+```bash
+docker network create caddy
+```
+
+</details>
+
+##### For other reverse proxies
+
+<details>
+<summary>docker-compose.yml</summary>
+
+```yaml file="./docker-compose.yml"
+
+```
+
+</details>
+
+##### Override file for customisation
+
+<details>
+<summary>docker-compose.override.yml</summary>
+
+```yaml file="./docker-compose.override.yml"
+
+```
+
+</details>
+
+#### Starting Your Server
+
+1. Choose your compose file and rename it to `docker-compose.yml`
+2. If using the override file, rename it to `docker-compose.override.yml` and
+   edit your values
+3. Start the server:
+
+```bash
+docker compose up -d
+```
+
+See the [generic deployment guide](generic.mdx) for more deployment options.
+
+### Building Custom Images
 
 For information on building your own Continuwuity Docker images, see the
 [Building Docker Images](../development/index.mdx#building-docker-images)
 section in the development documentation.
 
-## Next steps
+## Voice communication
 
-- For smooth federation, set up a caching resolver according to the [**DNS tuning guide**](../advanced/dns.mdx) (recommended)
-- To set up Audio/Video communication, see the [**Calls**](../calls.mdx) page.
-- If you want to set up an appservice, take a look at the [**Appservice
-Guide**](../appservices.mdx).
+See the [Calls](../calls.mdx) page.

docs/deploying/generic.mdx

@@ -14,7 +14,6 @@ ### Prebuilt binary
 run the `uname -m` to check which you need.
 
 Prebuilt binaries are available from:
-
 - **Tagged releases**: [Latest release page](https://forgejo.ellis.link/continuwuation/continuwuity/releases/latest)
 - **Development builds**: CI artifacts from the `main` branch
   (includes Debian/Ubuntu packages)
@@ -43,36 +42,32 @@ #### Performance-optimised builds
 [link-time optimisation (LTO)](https://doc.rust-lang.org/cargo/reference/profiles.html#lto)
 and, for amd64, target the haswell CPU architecture.
 
-### Nix
-
-Theres a Nix package defined in our flake, available for Linux and MacOS. Add continuwuity as an input to your flake, and use `inputs.continuwuity.packages.${system}.default` to get a working Continuwuity package.
-
-If you simply wish to generate a binary using Nix, you can run `nix build git+https://forgejo.ellis.link/continuwuation/continuwuity` to generate a binary in `result/bin/conduwuit`.
-
 ### Compiling
 
 Alternatively, you may compile the binary yourself.
 
-#### Using Docker
+### Building with the Rust toolchain
 
-If you would like to build using docker, you can run the command `docker build -f ./docker/Dockerfile -t forgejo.ellis.link/continuwuation/continuwuity:main .` to compile continuwuity.
+If wanting to build using standard Rust toolchains, make sure you install:
 
-#### Manual
-
-##### Dependencies
-
-- Run `nix develop` to get a devshell with everything you need
-- Or, install the following:
-    - (On linux) `liburing-dev` on the compiling machine, and `liburing` on the target host
-    - (On linux) `pkg-config` on the compiling machine to allow finding `liburing`
-    - A C++ compiler and (on linux) `libclang` for RocksDB
-
-##### Build
+- (On linux) `liburing-dev` on the compiling machine, and `liburing` on the target host
+- (On linux) `pkg-config` on the compiling machine to allow finding `liburing`
+- A C++ compiler and (on linux) `libclang` for RocksDB
 
 You can build Continuwuity using `cargo build --release`.
 
 Continuwuity supports various optional features that can be enabled during compilation. Please see the Cargo.toml file for a comprehensive list, or ask in our rooms.
 
+### Building with Nix
+
+If you prefer, you can use Nix (or [Lix](https://lix.systems)) to build Continuwuity. This provides improved reproducibility and makes it easy to set up a build environment and generate output. This approach also allows for easy cross-compilation.
+
+You can run the `nix build -L .#static-x86_64-linux-musl-all-features` or
+`nix build -L .#static-aarch64-linux-musl-all-features` commands based
+on architecture to cross-compile the necessary static binary located at
+`result/bin/conduwuit`. This is reproducible with the static binaries produced
+in our CI.
+
 ## Adding a Continuwuity user
 
 While Continuwuity can run as any user, it is better to use dedicated users for
@@ -133,11 +128,13 @@ ## Setting up a systemd service
 ReadWritePaths=/path/to/custom/database/path
 ```
 
+
 ### Example systemd Unit File
 
 <details>
 <summary>Click to expand systemd unit file (conduwuit.service)</summary>
 
+
 ```ini file="../../pkg/conduwuit.service"
 
 ```
@@ -205,27 +202,23 @@ ### Other Reverse Proxies
 As we prefer our users to use Caddy, we do not provide configuration files for other proxies.
 
 You will need to reverse proxy everything under the following routes:
-
 - `/_matrix/` - core Matrix C-S and S-S APIs
 - `/_conduwuit/` and/or `/_continuwuity/` - ad-hoc Continuwuity routes such as `/local_user_count` and
-  `/server_version`
+`/server_version`
 
 You can optionally reverse proxy the following individual routes:
-
 - `/.well-known/matrix/client` and `/.well-known/matrix/server` if using
-  Continuwuity to perform delegation (see the `[global.well_known]` config section)
+Continuwuity to perform delegation (see the `[global.well_known]` config section)
 - `/.well-known/matrix/support` if using Continuwuity to send the homeserver admin
-  contact and support page (formerly known as MSC1929)
+contact and support page (formerly known as MSC1929)
 - `/` if you would like to see `hewwo from conduwuit woof!` at the root
 
 See the following spec pages for more details on these files:
-
 - [`/.well-known/matrix/server`](https://spec.matrix.org/latest/client-server-api/#getwell-knownmatrixserver)
 - [`/.well-known/matrix/client`](https://spec.matrix.org/latest/client-server-api/#getwell-knownmatrixclient)
 - [`/.well-known/matrix/support`](https://spec.matrix.org/latest/client-server-api/#getwell-knownmatrixsupport)
 
 Examples of delegation:
-
 - https://continuwuity.org/.well-known/matrix/server
 - https://continuwuity.org/.well-known/matrix/client
 - https://ellis.link/.well-known/matrix/server
@@ -239,7 +232,6 @@ ### Other Reverse Proxies
 If using Apache, you need to use `nocanon` in your `ProxyPass` directive to prevent httpd from interfering with the `X-Matrix` header (note that Apache is not ideal as a general reverse proxy, so we discourage using it if alternatives are available).
 
 If using Nginx, you need to pass the request URI to Continuwuity using `$request_uri`, like this:
-
 - `proxy_pass http://127.0.0.1:6167$request_uri;`
 - `proxy_pass http://127.0.0.1:6167;`
 
@@ -279,17 +271,17 @@ # If federation is enabled
 ```
 
 - To check if your server can communicate with other homeservers, use the
-  [Matrix Federation Tester](https://federationtester.mtrnord.blog/). If you can
-  register but cannot join federated rooms, check your configuration and verify
-  that port 8448 is open and forwarded correctly.
+[Matrix Federation Tester](https://federationtester.mtrnord.blog/). If you can
+register but cannot join federated rooms, check your configuration and verify
+that port 8448 is open and forwarded correctly.
 
-## What's next?
+# What's next?
 
-### Audio/Video calls
+## Audio/Video calls
 
 For Audio/Video call functionality see the [Calls](../calls.md) page.
 
-### Appservices
+## Appservices
 
 If you want to set up an appservice, take a look at the [Appservice
 Guide](../appservices.md).

docs/deploying/nixos.mdx

@@ -1,40 +1,40 @@
 # Continuwuity for NixOS
 
-## Nix package
+NixOS packages Continuwuity as `matrix-continuwuity`. This package includes both the Continuwuity software and a dedicated NixOS module for configuration and deployment.
 
-You can get a Nix package for Continuwuity from the following sources:
+## Installation methods
 
-- Directly from Nixpkgs: `pkgs.matrix-continuwuity`
-- Or, using `continuwuity.packages.${system}.default` from:
-    - The `flake.nix` at the root of the Continuwuity repo, by adding Continuwuity to your flake inputs:
+You can acquire Continuwuity with Nix (or [Lix][lix]) from these sources:
 
-    ```nix
-    inputs.continuwuity.url = "git+https://forgejo.ellis.link/continuwuation/continuwuity";
-    ```
-
-    - The `default.nix` at the root of the Continuwuity repo
+* Directly from Nixpkgs using the official package (`pkgs.matrix-continuwuity`)
+* The `flake.nix` at the root of the Continuwuity repo
+* The `default.nix` at the root of the Continuwuity repo
 
 ## NixOS module
 
-Continuwuity has an official NixOS module that simplifies configuration and deployment. The module is available in Nixpkgs as `services.matrix-continuwuity`.
+Continuwuity now has an official NixOS module that simplifies configuration and deployment. The module is available in Nixpkgs as `services.matrix-continuwuity` from NixOS 25.05.
 
 Here's a basic example of how to use the module:
 
 ```nix
-services.matrix-continuwuity = {
-  enable = true;
-  settings = {
-    global = {
-      server_name = "example.com";
+{ config, pkgs, ... }:
 
-      # Continuwuity listens on localhost by default,
-      # address and port are handled automatically
-
-      # You can add any further configuration here, e.g.
-	  # trusted_servers = [ "matrix.org" ];
+{
+  services.matrix-continuwuity = {
+    enable = true;
+    settings = {
+      global = {
+        server_name = "example.com";
+        # Listening on localhost by default
+        # address and port are handled automatically
+        allow_registration = false;
+        allow_encryption = true;
+        allow_federation = true;
+        trusted_servers = [ "matrix.org" ];
+      };
     };
   };
-};
+}
 ```
 
 ### Available options
@@ -45,30 +45,86 @@ ### Available options
 - `user`: The user to run Continuwuity as (defaults to "continuwuity")
 - `group`: The group to run Continuwuity as (defaults to "continuwuity")
 - `extraEnvironment`: Extra environment variables to pass to the Continuwuity server
-- `package`: The Continuwuity package to use, defaults to `pkgs.matrix-continuwuity`
-    - You may want to override this to be from our flake, for faster updates and unstable versions:
-    ```nix
-    package = inputs.continuwuity.packages.${pkgs.stdenv.hostPlatform.system}.default;
-    ```
-- `admin.enable`: Whether to add the `conduwuit` binary to `PATH` for administration (enabled by default)
-- `settings`: The Continuwuity configuration
+- `package`: The Continuwuity package to use
+- `settings`: The Continuwuity configuration (in TOML format)
 
 Use the `settings` option to configure Continuwuity itself. See the [example configuration file](../reference/config.mdx) for all available options.
 
-Settings are automatically translated from Nix to TOML. For example, the following line of Nix:
+### UNIX sockets
+
+The NixOS module natively supports UNIX sockets through the `global.unix_socket_path` option. When using UNIX sockets, set `global.address` to `null`:
 
 ```nix
-settings.global.well_known.client = "https://matrix.example.com";
+services.matrix-continuwuity = {
+  enable = true;
+  settings = {
+    global = {
+      server_name = "example.com";
+      address = null; # Must be null when using unix_socket_path
+      unix_socket_path = "/run/continuwuity/continuwuity.sock";
+      unix_socket_perms = 660; # Default permissions for the socket
+      # ...
+    };
+  };
+};
 ```
 
-Would become this equivalent TOML configuration:
+The module automatically sets the correct `RestrictAddressFamilies` in the systemd service configuration to allow access to UNIX sockets.
 
-```toml
-[global.well_known]
-client = "https://matrix.example.com"
+### RocksDB database
+
+Continuwuity exclusively uses RocksDB as its database backend. The system configures the database path automatically to `/var/lib/continuwuity/` and you cannot change it due to the service's reliance on systemd's StateDir.
+
+If you're migrating from Conduit with SQLite, use this [tool to migrate a Conduit SQLite database to RocksDB](https://github.com/ShadowJonathan/conduit_toolbox/).
+
+### jemalloc and hardened profile
+
+Continuwuity uses jemalloc by default. This may interfere with the [`hardened.nix` profile][hardened.nix] because it uses `scudo` by default. Either disable/hide `scudo` from Continuwuity or disable jemalloc like this:
+
+```nix
+services.matrix-continuwuity = {
+  enable = true;
+  package = pkgs.matrix-continuwuity.override {
+    enableJemalloc = false;
+  };
+  # ...
+};
 ```
 
+## Upgrading from Conduit
+
+If you previously used Conduit with the `services.matrix-conduit` module:
+
+1. Ensure your Conduit uses the RocksDB backend, or migrate from SQLite using the [migration tool](https://github.com/ShadowJonathan/conduit_toolbox/)
+2. Switch to the new module by changing `services.matrix-conduit` to `services.matrix-continuwuity` in your configuration
+3. Update any custom configuration to match the new module's structure
+
 ## Reverse proxy configuration
 
-You'll need to set up a reverse proxy (like NGINX or Caddy) to expose Continuwuity to the internet. You can configure your reverse proxy using NixOS options (e.g. `services.caddy`).
-See the [reverse proxy setup guide](./generic.mdx#setting-up-the-reverse-proxy) for information on correct reverse proxy configuration.
+You'll need to set up a reverse proxy (like nginx or caddy) to expose Continuwuity to the internet. Configure your reverse proxy to forward requests to `/_matrix` on port 443 and 8448 to your Continuwuity instance.
+
+Here's an example nginx configuration:
+
+```nginx
+server {
+    listen 443 ssl;
+    listen [::]:443 ssl;
+    listen 8448 ssl;
+    listen [::]:8448 ssl;
+
+    server_name example.com;
+
+    # SSL configuration here...
+
+    location /_matrix/ {
+        proxy_pass http://127.0.0.1:6167$request_uri;
+        proxy_set_header Host $host;
+        proxy_set_header X-Real-IP $remote_addr;
+        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+        proxy_set_header X-Forwarded-Proto $scheme;
+    }
+}
+```
+
+[lix]: https://lix.systems/
+[hardened.nix]: https://github.com/NixOS/nixpkgs/blob/master/nixos/modules/profiles/hardened.nix

docs/public/deploying/docker-compose.for-traefik.yml

@@ -1,44 +0,0 @@
-# Continuwuity - Behind Traefik Reverse Proxy
-
-services:
-  homeserver:
-    image: forgejo.ellis.link/continuwuation/continuwuity:latest
-    restart: unless-stopped
-    command: /sbin/conduwuit
-    volumes:
-      - db:/var/lib/continuwuity
-      - ./continuwuity-resolv.conf:/etc/resolv.conf # use custom resolvers rather than Docker's
-      #- ./continuwuity.toml:/etc/continuwuity.toml
-    networks:
-      - proxy
-    labels:
-      - "traefik.enable=true"
-      - "traefik.http.routers.continuwuity.rule=(Host(`matrix.example.com`) || (Host(`example.com`) && PathPrefix(`/.well-known/matrix`)))"
-      - "traefik.http.routers.continuwuity.entrypoints=websecure" # your HTTPS entry point
-      - "traefik.http.routers.continuwuity.tls=true"
-      - "traefik.http.routers.continuwuity.service=continuwuity"
-      - "traefik.http.services.continuwuity.loadbalancer.server.port=8008"
-      # possibly, depending on your config:
-      # - "traefik.http.routers.continuwuity.tls.certresolver=letsencrypt"
-    environment:
-      CONTINUWUITY_SERVER_NAME: example.com # EDIT THIS
-      CONTINUWUITY_DATABASE_PATH: /var/lib/continuwuity
-      CONTINUWUITY_ADDRESS: 0.0.0.0
-      CONTINUWUITY_PORT: 8008 # This must match with traefik's loadbalancer label
-      #CONTINUWUITY_CONFIG: '/etc/continuwuity.toml' # Uncomment if you mapped config toml above
-
-      # Serve .well-known files to tell others to reach Continuwuity on port :443
-      CONTINUWUITY_WELL_KNOWN: |
-        {
-        client=https://example.com,
-        server=example.com:443
-        }
-
-volumes:
-  db:
-
-networks:
-  # This is the network Traefik listens to, if your network has a different
-  # name, don't forget to change it here and in the docker-compose.override.yml
-  proxy:
-    external: true

docs/public/deploying/docker-compose.with-caddy.yml

@@ -1,55 +0,0 @@
-services:
-    caddy:
-        image: docker.io/caddy:latest
-        ports:
-            - 80:80
-            - 443:443
-            - 8448:8448
-        networks:
-            - caddy
-        volumes:
-            - ./data:/data
-        restart: unless-stopped
-        configs:
-            - source: Caddyfile
-              target: /etc/caddy/Caddyfile
-
-    homeserver:
-        image: forgejo.ellis.link/continuwuation/continuwuity:latest
-        restart: unless-stopped
-        command: /sbin/conduwuit
-        volumes:
-            - db:/var/lib/continuwuity
-            - ./continuwuity-resolv.conf:/etc/resolv.conf # use custom resolvers rather than Docker's
-            #- ./continuwuity.toml:/etc/continuwuity.toml
-        environment:
-            CONTINUWUITY_SERVER_NAME: example.com
-            CONTINUWUITY_DATABASE_PATH: /var/lib/continuwuity
-            CONTINUWUITY_ADDRESS: 0.0.0.0
-            CONTINUWUITY_PORT: 8008
-            #CONTINUWUITY_CONFIG: '/etc/continuwuity.toml' # Uncomment if you mapped config toml above
-
-            ## (Optional) Serve .well-known files to tell others to reach Continuwuity on port :443
-            ## If you do this, remove all routes to port :8448 from the compose and Caddyfile
-            # CONTINUWUITY_WELL_KNOWN: |
-            #     {
-            #     client=https://example.com,
-            #     server=example.com:443
-            #     }
-
-
-        networks:
-            - caddy
-
-networks:
-    caddy:
-
-volumes:
-    db:
-
-configs:
-    dynamic.yml:
-        content: |
-            https://example.com, https://example.com:8448 {
-                reverse_proxy http://homeserver:8008
-            }

docs/public/deploying/docker-compose.with-traefik.yml

@@ -1,84 +0,0 @@
-# Continuwuity - Behind Traefik Reverse Proxy
-
-services:
-  homeserver:
-    image: forgejo.ellis.link/continuwuation/continuwuity:latest
-    restart: unless-stopped
-    command: /sbin/conduwuit
-    volumes:
-      - db:/var/lib/continuwuity
-      - ./continuwuity-resolv.conf:/etc/resolv.conf # use custom resolvers rather than Docker's
-      #- ./continuwuity.toml:/etc/continuwuity.toml
-    networks:
-      - proxy
-    labels:
-      - "traefik.enable=true"
-      - "traefik.http.routers.continuwuity.rule=(Host(`matrix.example.com`) || (Host(`example.com`) && PathPrefix(`/.well-known/matrix`)))"
-      - "traefik.http.routers.continuwuity.entrypoints=websecure"
-      - "traefik.http.routers.continuwuity.tls.certresolver=letsencrypt"
-      - "traefik.http.services.continuwuity.loadbalancer.server.port=8008"
-    environment:
-      CONTINUWUITY_SERVER_NAME: example.com # EDIT THIS
-      CONTINUWUITY_DATABASE_PATH: /var/lib/continuwuity
-      CONTINUWUITY_ADDRESS: 0.0.0.0
-      CONTINUWUITY_PORT: 8008 # This must match with traefik's loadbalancer label
-      #CONTINUWUITY_CONFIG: '/etc/continuwuity.toml' # Uncomment if you mapped config toml above
-
-      # Serve .well-known files to tell others to reach Continuwuity on port :443
-      CONTINUWUITY_WELL_KNOWN: |
-        {
-          client=https://example.com,
-          server=example.com:443
-        }
-
-  traefik:
-    image: "traefik:latest"
-    container_name: "traefik"
-    restart: "unless-stopped"
-    ports:
-      - "80:80"
-      - "443:443"
-    volumes:
-      - "/var/run/docker.sock:/var/run/docker.sock:z"
-      - "acme:/etc/traefik/acme"
-    labels:
-      - "traefik.enable=true"
-
-      # middleware redirect
-      - "traefik.http.middlewares.redirect-to-https.redirectscheme.scheme=https"
-      # global redirect to https
-      - "traefik.http.routers.redirs.rule=hostregexp(`{host:.+}`)"
-      - "traefik.http.routers.redirs.entrypoints=web"
-      - "traefik.http.routers.redirs.middlewares=redirect-to-https"
-
-    environment:
-      TRAEFIK_LOG_LEVEL: DEBUG
-      TRAEFIK_ENTRYPOINTS_WEB: true
-      TRAEFIK_ENTRYPOINTS_WEB_ADDRESS: ":80"
-      TRAEFIK_ENTRYPOINTS_WEB_HTTP_REDIRECTIONS_ENTRYPOINT_TO: websecure
-
-      TRAEFIK_ENTRYPOINTS_WEBSECURE: true
-      TRAEFIK_ENTRYPOINTS_WEBSECURE_ADDRESS: ":443"
-      TRAEFIK_ENTRYPOINTS_WEBSECURE_HTTP_TLS_CERTRESOLVER: letsencrypt
-
-      TRAEFIK_CERTIFICATESRESOLVERS_LETSENCRYPT: true
-      # CHANGE THIS to desired email for ACME
-      TRAEFIK_CERTIFICATESRESOLVERS_LETSENCRYPT_ACME_EMAIL: user@example.com
-      TRAEFIK_CERTIFICATESRESOLVERS_LETSENCRYPT_ACME_HTTPCHALLENGE: true
-      TRAEFIK_CERTIFICATESRESOLVERS_LETSENCRYPT_ACME_HTTPCHALLENGE_ENTRYPOINT: web
-      TRAEFIK_CERTIFICATESRESOLVERS_LETSENCRYPT_ACME_STORAGE: "/etc/traefik/acme/acme.json"
-
-      # Since Traefik 3.6.3, paths with certain "encoded characters" are now blocked by default; we need a couple, or else things *will* break
-      TRAEFIK_ENTRYPOINTS_WEBSECURE_HTTP_ENCODEDCHARACTERS_ALLOWENCODEDSLASH: true
-      TRAEFIK_ENTRYPOINTS_WEBSECURE_HTTP_ENCODEDCHARACTERS_ALLOWENCODEDHASH: true
-
-      TRAEFIK_PROVIDERS_DOCKER: true
-      TRAEFIK_PROVIDERS_DOCKER_ENDPOINT: "unix:///var/run/docker.sock"
-      TRAEFIK_PROVIDERS_DOCKER_EXPOSEDBYDEFAULT: false
-
-volumes:
-  db:
-  acme:
-
-networks:
-  proxy:

docs/public/deploying/docker-compose.yml

@@ -1,31 +0,0 @@
-# Continuwuity
-
-services:
-    homeserver:
-        image: forgejo.ellis.link/continuwuation/continuwuity:latest
-        restart: unless-stopped
-        command: /sbin/conduwuit
-        ports:
-            - 127.0.0.1:8008:8008
-        volumes:
-            - db:/var/lib/continuwuity
-            - ./continuwuity-resolv.conf:/etc/resolv.conf # use custom resolvers rather than Docker's
-            #- ./continuwuity.toml:/etc/continuwuity.toml
-        environment:
-            CONTINUWUITY_SERVER_NAME: example.com # EDIT THIS
-            CONTINUWUITY_DATABASE_PATH: /var/lib/continuwuity
-            CONTINUWUITY_ADDRESS: 0.0.0.0
-            CONTINUWUITY_PORT: 8008
-            #CONTINUWUITY_CONFIG: '/etc/continuwuity.toml' # Uncomment if you mapped config toml above
-
-            ## (Optional) Serve .well-known files to tell others to reach Continuwuity on port :443
-            ## If you do this, remove all routes to port :8448 on your reverse proxy
-            # CONTINUWUITY_WELL_KNOWN: |
-            #     {
-            #     client=https://example.com,
-            #     server=example.com:443
-            #     }
-
-
-volumes:
-    db:

docs/reference/admin/query.md

@@ -133,18 +133,6 @@ ### `!admin query pusher get-pushers`
 
 Returns all the pushers for the user
 
-### `!admin query pusher delete-pusher`
-
-Deletes a specific pusher by ID
-
-### `!admin query pusher delete-all-user`
-
-Deletes all pushers for a user
-
-### `!admin query pusher delete-all-device`
-
-Deletes all pushers associated with a device ID
-
 ## `!admin query short`
 
 short service

docs/reference/admin/server.md

@@ -47,11 +47,3 @@ ## `!admin server restart`
 ## `!admin server shutdown`
 
 Shutdown the server
-
-## `!admin server list-features`
-
-List features built into the server
-
-## `!admin server build-info`
-
-Build information

docs/reference/admin/users.md

@@ -157,7 +157,3 @@ ## `!admin users force-join-all-local-users`
 At least 1 server admin must be in the room to reduce abuse.
 
 Requires the `--yes-i-want-to-do-this` flag.
-
-## `!admin users reset-push-rules`
-
-Resets the push-rules (notification settings) of the target user to the server defaults

docs/troubleshooting.mdx

@@ -45,30 +45,75 @@ ### Lost access to admin room
 
 ## DNS issues
 
-### DNS server overload
+### Potential DNS issues when using Docker
 
-If your server experience any of the following symptoms:
+Docker's DNS setup for containers in a non-default network intercepts queries to
+enable resolving of container hostnames to IP addresses. However, due to
+performance issues with Docker's built-in resolver, this can cause DNS queries
+to take a long time to resolve, resulting in federation issues.
 
-- Spurious server log entries with "DNS No connections available", "mismatching responding nameservers", or "error sending request"
-- Excessively long room joins (30+ minutes) as seen from server logs
-- Partial or non-functional outbound federation
+This is particularly common with Docker Compose, as custom networks are easily
+created and configured.
 
-This is likely due to your DNS server being overloaded. Most likely, these problems are encountered in the following scenarios:
+Symptoms of this include excessively long room joins (30+ minutes) from very
+long DNS timeouts, log entries of "mismatching responding nameservers",
+and/or partial or non-functional inbound/outbound federation.
 
-- Homeservers hosted on a machine that uses `systemd-resolved`.
-- Docker deployments which use the bridge network's forwarding resolver.
+This is not a bug in continuwuity. Docker's default DNS resolver is not suitable
+for heavy DNS activity, which is normal for federated protocols like Matrix.
 
-Matrix federation is extremely heavy and sends wild amounts of DNS requests. This makes normal resolvers like the ones above unsuitable for its activity. Ultimately, the best solution/fix for this is to selfhost a high quality caching DNS resolver such as Unbound, and configure Continuwuity to use it.
+Workarounds:
 
-Follow the [**DNS tuning guide**](./advanced/dns) for details on setting it up.
+- Use DNS over TCP via the config option `query_over_tcp_only = true`
+- Bypass Docker's default DNS setup and instead allow the container to use and communicate with your host's DNS servers. Typically, this can be done by mounting the host's `/etc/resolv.conf`.
 
-### Intermittent federation failures to a specific server
+### DNS No connections available error message
 
-There may be circumstances where servers fail to connect to each other, probably due to a bad DNS cache. In such cases, issuing `!admin debug ping <SERVER_NAME>` would return some errors.
+If you receive spurious amounts of error logs saying "DNS No connections
+available", this is due to your DNS server (servers from `/etc/resolv.conf`)
+being overloaded and unable to handle typical Matrix federation volume. Some
+users have reported that the upstream servers are rate-limiting them as well
+when they get this error (e.g. popular upstreams like Google DNS).
 
-To fix this, you can run `!admin query resolver flush-cache <SERVER_NAME>` to clear the bad cache for that domain, and outbound requests should work again.
+Matrix federation is extremely heavy and sends wild amounts of DNS requests.
+Unfortunately this is by design and has only gotten worse with more
+server/destination resolution steps. Synapse also expects a very perfect DNS
+setup.
 
-You may also use `!admin server clear-caches` or `!admin query resolver flush-cache -a` to clear all server/resolver caches, in case of failures with many domains. However, note that this significantly increases your server load for a short period.
+There are some ways you can reduce the amount of DNS queries, but ultimately
+the best solution/fix is selfhosting a high quality caching DNS server like
+[Unbound][unbound-arch] without any upstream resolvers, and without DNSSEC
+validation enabled.
+
+DNSSEC validation is highly recommended to be **disabled** due to DNSSEC being
+very computationally expensive, and is extremely susceptible to denial of
+service, especially on Matrix. Many servers also strangely have broken DNSSEC
+setups and will result in non-functional federation.
+
+Continuwuity cannot provide a "works-for-everyone" Unbound DNS setup guide, but
+the [official Unbound tuning guide][unbound-tuning] and the [Unbound Arch Linux wiki page][unbound-arch]
+may be of interest. Disabling DNSSEC on Unbound is commenting out trust-anchors
+config options and removing the `validator` module.
+
+**Avoid** using `systemd-resolved` as it does **not** perform very well under
+high load, and we have identified its DNS caching to not be very effective.
+
+dnsmasq can possibly work, but it does **not** support TCP fallback which can be
+problematic when receiving large DNS responses such as from large SRV records.
+If you still want to use dnsmasq, make sure you **disable** `dns_tcp_fallback`
+in Continuwuity config.
+
+Raising `dns_cache_entries` in Continuwuity config from the default can also assist
+in DNS caching, but a full-fledged external caching resolver is better and more
+reliable.
+
+If you don't have IPv6 connectivity, changing `ip_lookup_strategy` to match
+your setup can help reduce unnecessary AAAA queries
+(`1 - Ipv4Only (Only query for A records, no AAAA/IPv6)`).
+
+If your DNS server supports it, some users have reported enabling
+`query_over_tcp_only` to force only TCP querying by default has improved DNS
+reliability at a slight performance cost due to TCP overhead.
 
 ## RocksDB / database issues
 

flake.lock

@@ -3,11 +3,11 @@
     "advisory-db": {
       "flake": false,
       "locked": {
-        "lastModified": 1775907537,
-        "narHash": "sha256-vbeLNgmsx1Z6TwnlDV0dKyeBCcon3UpkV9yLr/yc6HM=",
+        "lastModified": 1773786698,
+        "narHash": "sha256-o/J7ZculgwSs1L4H4UFlFZENOXTJzq1X0n71x6oNNvY=",
         "owner": "rustsec",
         "repo": "advisory-db",
-        "rev": "d99f7b9eb81731bddebf80a355f8be7b2f8b1b28",
+        "rev": "99e9de91bb8b61f06ef234ff84e11f758ecd5384",
         "type": "github"
       },
       "original": {
@@ -18,11 +18,11 @@
     },
     "crane": {
       "locked": {
-        "lastModified": 1775839657,
-        "narHash": "sha256-SPm9ck7jh3Un9nwPuMGbRU04UroFmOHjLP56T10MOeM=",
+        "lastModified": 1773189535,
+        "narHash": "sha256-E1G/Or6MWeP+L6mpQ0iTFLpzSzlpGrITfU2220Gq47g=",
         "owner": "ipetkov",
         "repo": "crane",
-        "rev": "7cf72d978629469c4bd4206b95c402514c1f6000",
+        "rev": "6fa2fb4cf4a89ba49fc9dd5a3eb6cde99d388269",
         "type": "github"
       },
       "original": {
@@ -39,11 +39,11 @@
         "rust-analyzer-src": "rust-analyzer-src"
       },
       "locked": {
-        "lastModified": 1775891769,
-        "narHash": "sha256-EOfVlTKw2n8w1uhfh46GS4hEGnQ7oWrIWQfIY6utIkI=",
+        "lastModified": 1773732206,
+        "narHash": "sha256-HKibxaUXyWd4Hs+ZUnwo6XslvaFqFqJh66uL9tphU4Q=",
         "owner": "nix-community",
         "repo": "fenix",
-        "rev": "6fbc54dde15aee725bdc7aae5e478849685d5f56",
+        "rev": "0aa13c1b54063a8d8679b28a5cd357ba98f4a56b",
         "type": "github"
       },
       "original": {
@@ -74,11 +74,11 @@
         "nixpkgs-lib": "nixpkgs-lib"
       },
       "locked": {
-        "lastModified": 1775087534,
-        "narHash": "sha256-91qqW8lhL7TLwgQWijoGBbiD4t7/q75KTi8NxjVmSmA=",
+        "lastModified": 1772408722,
+        "narHash": "sha256-rHuJtdcOjK7rAHpHphUb1iCvgkU3GpfvicLMwwnfMT0=",
         "owner": "hercules-ci",
         "repo": "flake-parts",
-        "rev": "3107b77cd68437b9a76194f0f7f9c55f2329ca5b",
+        "rev": "f20dc5d9b8027381c474144ecabc9034d6a839a3",
         "type": "github"
       },
       "original": {
@@ -89,11 +89,11 @@
     },
     "nixpkgs": {
       "locked": {
-        "lastModified": 1775710090,
-        "narHash": "sha256-ar3rofg+awPB8QXDaFJhJ2jJhu+KqN/PRCXeyuXR76E=",
+        "lastModified": 1773734432,
+        "narHash": "sha256-IF5ppUWh6gHGHYDbtVUyhwy/i7D261P7fWD1bPefOsw=",
         "owner": "NixOS",
         "repo": "nixpkgs",
-        "rev": "4c1018dae018162ec878d42fec712642d214fdfa",
+        "rev": "cda48547b432e8d3b18b4180ba07473762ec8558",
         "type": "github"
       },
       "original": {
@@ -105,11 +105,11 @@
     },
     "nixpkgs-lib": {
       "locked": {
-        "lastModified": 1774748309,
-        "narHash": "sha256-+U7gF3qxzwD5TZuANzZPeJTZRHS29OFQgkQ2kiTJBIQ=",
+        "lastModified": 1772328832,
+        "narHash": "sha256-e+/T/pmEkLP6BHhYjx6GmwP5ivonQQn0bJdH9YrRB+Q=",
         "owner": "nix-community",
         "repo": "nixpkgs.lib",
-        "rev": "333c4e0545a6da976206c74db8773a1645b5870a",
+        "rev": "c185c7a5e5dd8f9add5b2f8ebeff00888b070742",
         "type": "github"
       },
       "original": {
@@ -132,11 +132,11 @@
     "rust-analyzer-src": {
       "flake": false,
       "locked": {
-        "lastModified": 1775843361,
-        "narHash": "sha256-j53ZgyDvmYf3Sjh1IPvvTjqa614qUfVQSzj59+MpzkY=",
+        "lastModified": 1773697963,
+        "narHash": "sha256-xdKI77It9PM6eNrCcDZsnP4SKulZwk8VkDgBRVMnCb8=",
         "owner": "rust-lang",
         "repo": "rust-analyzer",
-        "rev": "9eb97ea96d8400e8957ddd56702e962614296583",
+        "rev": "2993637174252ff60a582fd1f55b9ab52c39db6d",
         "type": "github"
       },
       "original": {
@@ -153,11 +153,11 @@
         ]
       },
       "locked": {
-        "lastModified": 1775636079,
-        "narHash": "sha256-pc20NRoMdiar8oPQceQT47UUZMBTiMdUuWrYu2obUP0=",
+        "lastModified": 1773297127,
+        "narHash": "sha256-6E/yhXP7Oy/NbXtf1ktzmU8SdVqJQ09HC/48ebEGBpk=",
         "owner": "numtide",
         "repo": "treefmt-nix",
-        "rev": "790751ff7fd3801feeaf96d7dc416a8d581265ba",
+        "rev": "71b125cd05fbfd78cab3e070b73544abe24c5016",
         "type": "github"
       },
       "original": {

flake.nix

@@ -29,6 +29,7 @@
       url = "github:edolstra/flake-compat?ref=master";
       flake = false;
     };
+
   };
 
   outputs =
@@ -36,10 +37,10 @@
     flake-parts.lib.mkFlake { inherit inputs; } {
       imports = [ ./nix ];
       systems = [
+        # good support
         "x86_64-linux"
-        "aarch64-linux"
         # support untested but theoretically there
-        "aarch64-darwin"
+        "aarch64-linux"
       ];
     };
 }

nix/checks/default.nix

@@ -0,0 +1,107 @@
+{ inputs, ... }:
+{
+  perSystem =
+    {
+      self',
+      lib,
+      pkgs,
+      ...
+    }:
+    let
+      uwulib = inputs.self.uwulib.init pkgs;
+
+      rocksdbAllFeatures = self'.packages.rocksdb.override {
+        enableJemalloc = true;
+      };
+
+      commonAttrs = (uwulib.build.commonAttrs { }) // {
+        buildInputs = [
+          pkgs.liburing
+          pkgs.rust-jemalloc-sys-unprefixed
+          rocksdbAllFeatures
+        ];
+        nativeBuildInputs = [
+          pkgs.pkg-config
+          # bindgen needs the build platform's libclang. Apparently due to "splicing
+          # weirdness", pkgs.rustPlatform.bindgenHook on its own doesn't quite do the
+          # right thing here.
+          pkgs.rustPlatform.bindgenHook
+        ];
+        env = {
+          LIBCLANG_PATH = lib.makeLibraryPath [ pkgs.llvmPackages.libclang.lib ];
+          LD_LIBRARY_PATH = lib.makeLibraryPath [
+            pkgs.liburing
+            pkgs.rust-jemalloc-sys-unprefixed
+            rocksdbAllFeatures
+          ];
+        }
+        // uwulib.environment.buildPackageEnv
+        // {
+          ROCKSDB_INCLUDE_DIR = "${rocksdbAllFeatures}/include";
+          ROCKSDB_LIB_DIR = "${rocksdbAllFeatures}/lib";
+        };
+      };
+      cargoArtifacts = self'.packages.continuwuity-all-features-deps;
+    in
+    {
+      # taken from
+      #
+      # https://crane.dev/examples/quick-start.html
+      checks = {
+        continuwuity-all-features-build = self'.packages.continuwuity-all-features-bin;
+
+        continuwuity-all-features-clippy = uwulib.build.craneLibForChecks.cargoClippy (
+          commonAttrs
+          // {
+            inherit cargoArtifacts;
+            cargoClippyExtraArgs = "-- --deny warnings";
+          }
+        );
+
+        continuwuity-all-features-docs = uwulib.build.craneLibForChecks.cargoDoc (
+          commonAttrs
+          // {
+            inherit cargoArtifacts;
+            # This can be commented out or tweaked as necessary, e.g. set to
+            # `--deny rustdoc::broken-intra-doc-links` to only enforce that lint
+            env.RUSTDOCFLAGS = "--deny warnings";
+          }
+        );
+
+        # Check formatting
+        continuwuity-all-features-fmt = uwulib.build.craneLibForChecks.cargoFmt {
+          src = uwulib.build.src;
+        };
+
+        continuwuity-all-features-toml-fmt = uwulib.build.craneLibForChecks.taploFmt {
+          src = pkgs.lib.sources.sourceFilesBySuffices uwulib.build.src [ ".toml" ];
+          # taplo arguments can be further customized below as needed
+          taploExtraArgs = "--config ${inputs.self}/taplo.toml";
+        };
+
+        # Audit dependencies
+        continuwuity-all-features-audit = uwulib.build.craneLibForChecks.cargoAudit {
+          inherit (inputs) advisory-db;
+          src = uwulib.build.src;
+        };
+
+        # Audit licenses
+        continuwuity-all-features-deny = uwulib.build.craneLibForChecks.cargoDeny {
+          src = uwulib.build.src;
+        };
+
+        # Run tests with cargo-nextest
+        # Consider setting `doCheck = false` on `continuwuity-all-features` if you do not want
+        # the tests to run twice
+        continuwuity-all-features-nextest = uwulib.build.craneLibForChecks.cargoNextest (
+          commonAttrs
+          // {
+            inherit cargoArtifacts;
+            partitions = 1;
+            partitionType = "count";
+            cargoNextestPartitionsExtraArgs = "--no-tests=pass";
+          }
+        );
+      };
+    };
+}

nix/crane.nix

@@ -1,14 +0,0 @@
-{ inputs, ... }:
-{
-  perSystem =
-    {
-      pkgs,
-      self',
-      ...
-    }:
-    {
-      _module.args.craneLib = (inputs.crane.mkLib pkgs).overrideToolchain (
-        pkgs: self'.packages.stable-toolchain
-      );
-    };
-}

nix/default.nix

@@ -1,10 +1,11 @@
 {
   imports = [
-    ./rust.nix
-    ./crane.nix
+    ./checks
     ./packages
-    ./devshell.nix
+    ./shells
+    ./tests
+
+    ./hydra.nix
     ./fmt.nix
-    ./rocksdb-updater.nix
   ];
 }

nix/devshell.nix

@@ -1,42 +0,0 @@
-{
-  perSystem =
-    {
-      craneLib,
-      self',
-      lib,
-      pkgs,
-      ...
-    }:
-    {
-      # basic nix shell containing all things necessary to build continuwuity in all flavors manually (on x86_64-linux)
-      devShells.default = craneLib.devShell {
-        packages = [
-          self'.packages.rocksdb
-          pkgs.nodejs
-          pkgs.pkg-config
-        ]
-        ++ lib.optionals pkgs.stdenv.isLinux [
-          pkgs.liburing
-          pkgs.rust-jemalloc-sys-unprefixed
-        ];
-
-        env = {
-          LIBCLANG_PATH = lib.makeLibraryPath [ pkgs.llvmPackages.libclang.lib ];
-          LD_LIBRARY_PATH = lib.makeLibraryPath (
-            [
-              pkgs.stdenv.cc.cc.lib
-            ]
-            ++ lib.optionals pkgs.stdenv.isLinux [
-              pkgs.liburing
-              pkgs.jemalloc
-            ]
-          );
-        }
-        // lib.optionalAttrs pkgs.stdenv.isLinux {
-          PKG_CONFIG_PATH = lib.makeSearchPath "lib/pkgconfig" [
-            pkgs.liburing.dev
-          ];
-        };
-      };
-    };
-}

nix/hydra.nix

@@ -0,0 +1,9 @@
+{ inputs, ... }:
+let
+  lib = inputs.nixpkgs.lib;
+in
+{
+  flake.hydraJobs.packages = builtins.mapAttrs (
+    _name: lib.hydraJob
+  ) inputs.self.packages.x86_64-linux;
+}

nix/packages/continuwuity.nix

@@ -1,65 +0,0 @@
-{
-  lib,
-  self,
-  stdenv,
-  liburing,
-  craneLib,
-  pkg-config,
-  callPackage,
-  rustPlatform,
-  cargoExtraArgs ? "",
-  rocksdb ? callPackage ./rocksdb.nix { },
-}:
-let
-  # see https://crane.dev/API.html#cranelibfiltercargosources
-  # we need to keep the `web` directory which would be filtered out by the regular source filtering function
-  # https://crane.dev/API.html#cranelibcleancargosource
-  isWebTemplate = path: _type: builtins.match ".*(src/(web|service)|docs).*" path != null;
-  isRust = craneLib.filterCargoSources;
-  isNix = path: _type: builtins.match ".+/nix.*" path != null;
-  webOrRustNotNix = p: t: !(isNix p t) && (isWebTemplate p t || isRust p t);
-
-  src = lib.cleanSourceWith {
-    src = self;
-    filter = webOrRustNotNix;
-    name = "source";
-  };
-
-  attrs = {
-    inherit src;
-    nativeBuildInputs = [
-      pkg-config
-      rustPlatform.bindgenHook
-    ];
-    buildInputs = lib.optionals stdenv.hostPlatform.isLinux [ liburing ];
-    env = {
-      ROCKSDB_INCLUDE_DIR = "${rocksdb}/include";
-      ROCKSDB_LIB_DIR = "${rocksdb}/lib";
-    };
-  };
-in
-craneLib.buildPackage (
-  lib.recursiveUpdate attrs {
-    inherit cargoExtraArgs;
-    cargoArtifacts = craneLib.buildDepsOnly attrs;
-
-    # Needed to make continuwuity link to rocksdb
-    postFixup = lib.optionalString stdenv.hostPlatform.isLinux ''
-      old_rpath="$(patchelf --print-rpath $out/bin/conduwuit)"
-      extra_rpath="${
-        lib.makeLibraryPath [
-          rocksdb
-        ]
-      }"
-
-      patchelf  --set-rpath "$old_rpath:$extra_rpath" $out/bin/conduwuit
-    '';
-
-    meta = {
-      description = "A community-driven Matrix homeserver in Rust";
-      mainProgram = "conduwuit";
-      platforms = lib.platforms.all;
-      maintainers = with lib.maintainers; [ quadradical ];
-    };
-  }
-)

nix/packages/continuwuity/default.nix

@@ -0,0 +1,59 @@
+{ inputs, ... }:
+{
+  perSystem =
+    {
+      self',
+      lib,
+      pkgs,
+      ...
+    }:
+    let
+      uwulib = inputs.self.uwulib.init pkgs;
+    in
+    {
+      packages =
+        lib.pipe
+          [
+            # this is the default variant
+            {
+              variantName = "default";
+              commonAttrsArgs.profile = "release";
+              rocksdb = self'.packages.rocksdb;
+              features = { };
+            }
+            # this is the variant with all features enabled (liburing + jemalloc)
+            {
+              variantName = "all-features";
+              commonAttrsArgs.profile = "release";
+              rocksdb = self'.packages.rocksdb.override {
+                enableJemalloc = true;
+              };
+              features = {
+                enabledFeatures = "all";
+                disabledFeatures = uwulib.features.defaultDisabledFeatures ++ [ "bindgen-static" ];
+              };
+            }
+          ]
+          [
+            (builtins.map (cfg: rec {
+              deps = {
+                name = "continuwuity-${cfg.variantName}-deps";
+                value = uwulib.build.buildDeps {
+                  features = uwulib.features.calcFeatures cfg.features;
+                  inherit (cfg) commonAttrsArgs rocksdb;
+                };
+              };
+              bin = {
+                name = "continuwuity-${cfg.variantName}-bin";
+                value = uwulib.build.buildPackage {
+                  deps = self'.packages.${deps.name};
+                  features = uwulib.features.calcFeatures cfg.features;
+                  inherit (cfg) commonAttrsArgs rocksdb;
+                };
+              };
+            }))
+            (builtins.concatMap builtins.attrValues)
+            builtins.listToAttrs
+          ];
+    };
+}

nix/packages/default.nix

@@ -1,18 +1,14 @@
 {
-  self,
-  ...
-}:
-{
+  imports = [
+    ./continuwuity
+    ./rocksdb
+    ./rust.nix
+    ./uwulib
+  ];
+
   perSystem =
+    { self', ... }:
     {
-      pkgs,
-      craneLib,
-      ...
-    }:
-    {
-      packages = {
-        rocksdb = pkgs.callPackage ./rocksdb.nix { };
-        default = pkgs.callPackage ./continuwuity.nix { inherit self craneLib; };
-      };
+      packages.default = self'.packages.continuwuity-default-bin;
     };
 }

nix/packages/rocksdb.nix

@@ -1,34 +0,0 @@
-{
-  stdenv,
-  rocksdb,
-  fetchFromGitea,
-  rust-jemalloc-sys-unprefixed,
-  ...
-}:
-(rocksdb.override {
-  # rocksdb fails to build with prefixed jemalloc, which is required on
-  # darwin due to [1]. In this case, fall back to building rocksdb with
-  # libc malloc. This should not cause conflicts, because all of the
-  # jemalloc symbols are prefixed.
-  #
-  # [1]: https://github.com/tikv/jemallocator/blob/ab0676d77e81268cd09b059260c75b38dbef2d51/jemalloc-sys/src/env.rs#L17
-  jemalloc = rust-jemalloc-sys-unprefixed;
-  enableJemalloc = stdenv.hostPlatform.isLinux;
-}).overrideAttrs
-  ({
-    version = "continuwuity-v0.5.0-unstable-2026-03-27";
-    src = fetchFromGitea {
-      domain = "forgejo.ellis.link";
-      owner = "continuwuation";
-      repo = "rocksdb";
-      rev = "463f47afceebfe088f6922420265546bd237f249";
-      hash = "sha256-1ef75IDMs5Hba4VWEyXPJb02JyShy5k4gJfzGDhopRk=";
-    };
-
-    # We have this already at https://forgejo.ellis.link/continuwuation/rocksdb/commit/a935c0273e1ba44eacf88ce3685a9b9831486155
-    # Unsetting `patches` so we don't have to revert it and make this nix exclusive
-    patches = [ ];
-
-    # Unset postPatch, as our version override breaks version-specific sed calls in the original package
-    postPatch = "";
-  })

nix/packages/rocksdb/default.nix

@@ -0,0 +1,12 @@
+{
+  perSystem =
+    {
+      pkgs,
+      ...
+    }:
+    {
+      packages = {
+        rocksdb = pkgs.callPackage ./package.nix { };
+      };
+    };
+}

nix/packages/rocksdb/package.nix

@@ -0,0 +1,87 @@
+{
+  lib,
+  stdenv,
+
+  rocksdb,
+  liburing,
+  rust-jemalloc-sys-unprefixed,
+
+  enableJemalloc ? false,
+
+  fetchFromGitea,
+
+  ...
+}:
+let
+  notDarwin = !stdenv.hostPlatform.isDarwin;
+in
+(rocksdb.override {
+  # Override the liburing input for the build with our own so
+  # we have it built with the library flag
+  inherit liburing;
+  jemalloc = rust-jemalloc-sys-unprefixed;
+
+  # rocksdb fails to build with prefixed jemalloc, which is required on
+  # darwin due to [1]. In this case, fall back to building rocksdb with
+  # libc malloc. This should not cause conflicts, because all of the
+  # jemalloc symbols are prefixed.
+  #
+  # [1]: https://github.com/tikv/jemallocator/blob/ab0676d77e81268cd09b059260c75b38dbef2d51/jemalloc-sys/src/env.rs#L17
+  enableJemalloc = enableJemalloc && notDarwin;
+
+  # for some reason enableLiburing in nixpkgs rocksdb is default true
+  # which breaks Darwin entirely
+  enableLiburing = notDarwin;
+}).overrideAttrs
+  (old: {
+    src = fetchFromGitea {
+      domain = "forgejo.ellis.link";
+      owner = "continuwuation";
+      repo = "rocksdb";
+      rev = "10.5.fb";
+      sha256 = "sha256-X4ApGLkHF9ceBtBg77dimEpu720I79ffLoyPa8JMHaU=";
+    };
+    version = "10.5.fb";
+    cmakeFlags =
+      lib.subtractLists (builtins.map (flag: lib.cmakeBool flag true) [
+        # No real reason to have snappy or zlib, no one uses this
+        "WITH_SNAPPY"
+        "ZLIB"
+        "WITH_ZLIB"
+        # We don't need to use ldb or sst_dump (core_tools)
+        "WITH_CORE_TOOLS"
+        # We don't need to build rocksdb tests
+        "WITH_TESTS"
+        # We use rust-rocksdb via C interface and don't need C++ RTTI
+        "USE_RTTI"
+        # This doesn't exist in RocksDB, and USE_SSE is deprecated for
+        # PORTABLE=$(march)
+        "FORCE_SSE42"
+      ]) old.cmakeFlags
+      ++ (builtins.map (flag: lib.cmakeBool flag false) [
+        # No real reason to have snappy, no one uses this
+        "WITH_SNAPPY"
+        "ZLIB"
+        "WITH_ZLIB"
+        # We don't need to use ldb or sst_dump (core_tools)
+        "WITH_CORE_TOOLS"
+        # We don't need trace tools
+        "WITH_TRACE_TOOLS"
+        # We don't need to build rocksdb tests
+        "WITH_TESTS"
+        # We use rust-rocksdb via C interface and don't need C++ RTTI
+        "USE_RTTI"
+      ]);
+
+    enableLiburing = notDarwin;
+
+    # outputs has "tools" which we don't need or use
+    outputs = [ "out" ];
+
+    # preInstall hooks has stuff for messing with ldb/sst_dump which we don't need or use
+    preInstall = "";
+
+    # We have this already at https://forgejo.ellis.link/continuwuation/rocksdb/commit/a935c0273e1ba44eacf88ce3685a9b9831486155
+    # Unsetting `patches` so we don't have to revert it and make this nix exclusive
+    patches = [ ];
+  })

nix/packages/rust.nix

@@ -4,7 +4,6 @@
     {
       system,
       lib,
-      pkgs,
       ...
     }:
     {
@@ -12,7 +11,7 @@
         let
           fnx = inputs.fenix.packages.${system};
 
-          stable-toolchain = fnx.fromToolchainFile {
+          stable = fnx.fromToolchainFile {
             file = inputs.self + "/rust-toolchain.toml";
 
             # See also `rust-toolchain.toml`
@@ -20,10 +19,11 @@
           };
         in
         {
-          inherit stable-toolchain;
-
+          # used for building nix stuff (doesn't include rustfmt overhead)
+          build-toolchain = stable;
+          # used for dev shells
           dev-toolchain = fnx.combine [
-            stable-toolchain
+            stable
             # use the nightly rustfmt because we use nightly features
             fnx.complete.rustfmt
           ];

nix/packages/uwulib/build.nix

@@ -0,0 +1,122 @@
+args@{ pkgs, inputs, ... }:
+let
+  inherit (pkgs) lib;
+  uwuenv = import ./environment.nix args;
+  selfpkgs = inputs.self.packages.${pkgs.stdenv.system};
+in
+rec {
+  # basic, very minimal instance of the crane library with a minimal rust toolchain
+  craneLib = (inputs.crane.mkLib pkgs).overrideToolchain (_: selfpkgs.build-toolchain);
+  # the checks require more rust toolchain components, hence we have this separate instance of the crane library
+  craneLibForChecks = (inputs.crane.mkLib pkgs).overrideToolchain (_: selfpkgs.dev-toolchain);
+
+  # meta information (name, version, etc) of the rust crate based on the Cargo.toml
+  crateInfo = craneLib.crateNameFromCargoToml { cargoToml = "${inputs.self}/Cargo.toml"; };
+
+  src =
+    let
+      # see https://crane.dev/API.html#cranelibfiltercargosources
+      #
+      # we need to keep the `web` directory which would be filtered out by the regular source filtering function
+      #
+      # https://crane.dev/API.html#cranelibcleancargosource
+      isWebTemplate = path: _type: builtins.match ".*(src/(web|service)|docs).*" path != null;
+      isRust = craneLib.filterCargoSources;
+      isNix = path: _type: builtins.match ".+/nix.*" path != null;
+      webOrRustNotNix = p: t: !(isNix p t) && (isWebTemplate p t || isRust p t);
+    in
+    lib.cleanSourceWith {
+      src = inputs.self;
+      filter = webOrRustNotNix;
+      name = "source";
+    };
+
+  # common attrs that are shared between building continuwuity's deps and the package itself
+  commonAttrs =
+    {
+      profile ? "dev",
+      ...
+    }:
+    {
+      inherit (crateInfo)
+        pname
+        version
+        ;
+      inherit src;
+
+      # this prevents unnecessary rebuilds
+      strictDeps = true;
+
+      dontStrip = profile == "dev" || profile == "test";
+      dontPatchELF = profile == "dev" || profile == "test";
+
+      doCheck = true;
+
+      nativeBuildInputs = [
+        # bindgen needs the build platform's libclang. Apparently due to "splicing
+        # weirdness", pkgs.rustPlatform.bindgenHook on its own doesn't quite do the
+        # right thing here.
+        pkgs.rustPlatform.bindgenHook
+      ];
+    };
+
+  makeRocksDBEnv =
+    { rocksdb }:
+    {
+      ROCKSDB_INCLUDE_DIR = "${rocksdb}/include";
+      ROCKSDB_LIB_DIR = "${rocksdb}/lib";
+    };
+
+  # function that builds the continuwuity dependencies derivation
+  buildDeps =
+    {
+      rocksdb,
+      features,
+      commonAttrsArgs,
+    }:
+    craneLib.buildDepsOnly (
+      (commonAttrs commonAttrsArgs)
+      // {
+        env = uwuenv.buildDepsOnlyEnv
+              // (makeRocksDBEnv { inherit rocksdb; })
+              // {
+                # required since we started using unstable reqwest apparently ... otherwise the all-features build will fail
+                RUSTFLAGS = "--cfg reqwest_unstable";
+              };
+        inherit (features) cargoExtraArgs;
+      }
+
+    );
+
+  # function that builds the continuwuity package
+  buildPackage =
+    {
+      deps,
+      rocksdb,
+      features,
+      commonAttrsArgs,
+    }:
+    let
+      rocksdbEnv = makeRocksDBEnv { inherit rocksdb; };
+    in
+    craneLib.buildPackage (
+      (commonAttrs commonAttrsArgs)
+      // {
+        postFixup = ''
+          patchelf --set-rpath "$(${pkgs.patchelf}/bin/patchelf --print-rpath $out/bin/${crateInfo.pname}):${rocksdb}/lib" $out/bin/${crateInfo.pname}
+        '';
+        cargoArtifacts = deps;
+        doCheck = true;
+        env =
+          uwuenv.buildPackageEnv
+          // rocksdbEnv
+          // {
+            # required since we started using unstable reqwest apparently ... otherwise the all-features build will fail
+            RUSTFLAGS = "--cfg reqwest_unstable";
+          };
+        passthru.env = uwuenv.buildPackageEnv // rocksdbEnv;
+        meta.mainProgram = crateInfo.pname;
+        inherit (features) cargoExtraArgs;
+      }
+    );
+}

nix/packages/uwulib/default.nix

@@ -0,0 +1,10 @@
+{ inputs, ... }:
+{
+  flake.uwulib = {
+    init = pkgs: {
+      features = import ./features.nix { inherit pkgs inputs; };
+      environment = import ./environment.nix { inherit pkgs inputs; };
+      build = import ./build.nix { inherit pkgs inputs; };
+    };
+  };
+}

nix/packages/uwulib/environment.nix

@@ -0,0 +1,18 @@
+args@{ pkgs, inputs, ... }:
+let
+  uwubuild = import ./build.nix args;
+in
+rec {
+  buildDepsOnlyEnv = {
+    # https://crane.dev/faq/rebuilds-bindgen.html
+    NIX_OUTPATH_USED_AS_RANDOM_SEED = "aaaaaaaaaa";
+    CARGO_PROFILE = "release";
+  }
+  // uwubuild.craneLib.mkCrossToolchainEnv (p: pkgs.clangStdenv);
+
+  buildPackageEnv = {
+    GIT_COMMIT_HASH = inputs.self.rev or inputs.self.dirtyRev or "";
+    GIT_COMMIT_HASH_SHORT = inputs.self.shortRev or inputs.self.dirtyShortRev or "";
+  }
+  // buildDepsOnlyEnv;
+}

nix/packages/uwulib/features.nix

@@ -0,0 +1,77 @@
+{ pkgs, inputs, ... }:
+let
+  inherit (pkgs) lib;
+in
+rec {
+  defaultDisabledFeatures = [
+    # dont include experimental features
+    "experimental"
+    # jemalloc profiling/stats features are expensive and shouldn't
+    # be expected on non-debug builds.
+    "jemalloc_prof"
+    "jemalloc_stats"
+    # this is non-functional on nix for some reason
+    "hardened_malloc"
+    # conduwuit_mods is a development-only hot reload feature
+    "conduwuit_mods"
+    # we don't want to enable this feature set by default but be more specific about it
+    "full"
+  ];
+  # We perform default-feature unification in nix, because some of the dependencies
+  # on the nix side depend on feature values.
+  calcFeatures =
+    {
+      tomlPath ? "${inputs.self}/src/main",
+      # either a list of feature names or a string "all" which enables all non-default features
+      enabledFeatures ? [ ],
+      disabledFeatures ? defaultDisabledFeatures,
+      default_features ? true,
+      disable_release_max_log_level ? false,
+    }:
+    let
+      # simple helper to get the contents of a Cargo.toml file in a nix format
+      getToml = path: lib.importTOML "${path}/Cargo.toml";
+
+      # get all the features except for the default features
+      allFeatures = lib.pipe tomlPath [
+        getToml
+        (manifest: manifest.features)
+        lib.attrNames
+        (lib.remove "default")
+      ];
+
+      # get just the default enabled features
+      allDefaultFeatures = lib.pipe tomlPath [
+        getToml
+        (manifest: manifest.features.default)
+      ];
+
+      # depending on the value of enabledFeatures choose just a set or all non-default features
+      #
+      # - [ list of features ] -> choose exactly the features listed
+      # - "all" -> choose all non-default features
+      additionalFeatures = if enabledFeatures == "all" then allFeatures else enabledFeatures;
+
+      # unification with default features (if enabled)
+      features = lib.unique (additionalFeatures ++ lib.optionals default_features allDefaultFeatures);
+
+      # prepare the features that are subtracted from the set
+      disabledFeatures' =
+        disabledFeatures ++ lib.optionals disable_release_max_log_level [ "release_max_log_level" ];
+
+      # construct the final feature set
+      finalFeatures = lib.subtractLists disabledFeatures' features;
+    in
+    {
+      # final feature set, useful for querying it
+      features = finalFeatures;
+
+      # crane flag with the relevant features
+      cargoExtraArgs = builtins.concatStringsSep " " [
+        "--no-default-features"
+        "--locked"
+        (lib.optionalString (finalFeatures != [ ]) "--features")
+        (builtins.concatStringsSep "," finalFeatures)
+      ];
+    };
+}

nix/rocksdb-updater.nix

@@ -1,14 +0,0 @@
-{
-  perSystem =
-    { pkgs, ... }:
-    {
-      apps.update-rocksdb = {
-        type = "app";
-        program = pkgs.writeShellApplication {
-          name = "update-rocksdb";
-          runtimeInputs = [ pkgs.nix-update ];
-          text = "nix-update rocksdb -F --version branch";
-        };
-      };
-    };
-}

nix/shells/default.nix

@@ -0,0 +1,29 @@
+{ inputs, ... }:
+{
+  perSystem =
+    {
+      self',
+      lib,
+      pkgs,
+      ...
+    }:
+    let
+      uwulib = inputs.self.uwulib.init pkgs;
+      rocksdbAllFeatures = self'.packages.rocksdb.override {
+        enableJemalloc = true;
+      };
+    in
+    {
+      # basic nix shell containing all things necessary to build continuwuity in all flavors manually (on x86_64-linux)
+      devShells.default = uwulib.build.craneLib.devShell {
+        packages = [
+          pkgs.nodejs
+          pkgs.pkg-config
+          pkgs.liburing
+          pkgs.rust-jemalloc-sys-unprefixed
+          rocksdbAllFeatures
+        ];
+        env.LIBCLANG_PATH = lib.makeLibraryPath [ pkgs.llvmPackages.libclang.lib ];
+      };
+    };
+}

nix/tests/default.nix

@@ -0,0 +1,150 @@
+{
+  perSystem =
+    {
+      self',
+      lib,
+      pkgs,
+      ...
+    }:
+    let
+      baseTestScript =
+        pkgs.writers.writePython3Bin "do_test" { libraries = [ pkgs.python3Packages.matrix-nio ]; }
+          ''
+            import asyncio
+            import nio
+
+
+            async def main() -> None:
+                # Connect to continuwuity
+                client = nio.AsyncClient("http://continuwuity:6167", "alice")
+
+                # Register as user alice
+                response = await client.register("alice", "my-secret-password")
+
+                # Log in as user alice
+                response = await client.login("my-secret-password")
+
+                # Create a new room
+                response = await client.room_create(federate=False)
+                print("Matrix room create response:", response)
+                assert isinstance(response, nio.RoomCreateResponse)
+                room_id = response.room_id
+
+                # Join the room
+                response = await client.join(room_id)
+                print("Matrix join response:", response)
+                assert isinstance(response, nio.JoinResponse)
+
+                # Send a message to the room
+                response = await client.room_send(
+                    room_id=room_id,
+                    message_type="m.room.message",
+                    content={
+                        "msgtype": "m.text",
+                        "body": "Hello continuwuity!"
+                    }
+                )
+                print("Matrix room send response:", response)
+                assert isinstance(response, nio.RoomSendResponse)
+
+                # Sync responses
+                response = await client.sync(timeout=30000)
+                print("Matrix sync response:", response)
+                assert isinstance(response, nio.SyncResponse)
+
+                # Check the message was received by continuwuity
+                last_message = response.rooms.join[room_id].timeline.events[-1].body
+                assert last_message == "Hello continuwuity!"
+
+                # Leave the room
+                response = await client.room_leave(room_id)
+                print("Matrix room leave response:", response)
+                assert isinstance(response, nio.RoomLeaveResponse)
+
+                # Close the client
+                await client.close()
+
+
+            if __name__ == "__main__":
+                asyncio.run(main())
+          '';
+    in
+    {
+      # run some nixos tests as checks
+      checks = lib.pipe self'.packages [
+        # we take all packages (names)
+        builtins.attrNames
+        # we filter out all packages that end with `-bin` (which we are interested in for testing)
+        (builtins.filter (lib.hasSuffix "-bin"))
+        # for each of these binaries we built the basic nixos test
+        #
+        # this test was initially yoinked from
+        #
+        # https://github.com/NixOS/nixpkgs/blob/960ce26339661b1b69c6f12b9063ca51b688615f/nixos/tests/matrix/continuwuity.nix
+        (builtins.concatMap (
+          name:
+          builtins.map
+            (
+              { config, suffix }:
+              {
+                name = "test-${name}-${suffix}";
+                value = pkgs.testers.runNixOSTest {
+                  inherit name;
+
+                  nodes = {
+                    continuwuity = {
+                      services.matrix-continuwuity = {
+                        enable = true;
+                        package = self'.packages.${name};
+                        settings = config;
+                        extraEnvironment.RUST_BACKTRACE = "yes";
+                      };
+                      networking.firewall.allowedTCPPorts = [ 6167 ];
+                    };
+                    client.environment.systemPackages = [ baseTestScript ];
+                  };
+
+                  testScript = ''
+                    start_all()
+
+                    with subtest("start continuwuity"):
+                          continuwuity.wait_for_unit("continuwuity.service")
+                          continuwuity.wait_for_open_port(6167)
+
+                    with subtest("ensure messages can be exchanged"):
+                          client.succeed("${lib.getExe baseTestScript} >&2")
+                  '';
+
+                };
+              }
+            )
+            [
+              {
+                suffix = "base";
+                config = {
+                  global = {
+                    server_name = name;
+                    address = [ "0.0.0.0" ];
+                    allow_registration = true;
+                    yes_i_am_very_very_sure_i_want_an_open_registration_server_prone_to_abuse = true;
+                  };
+                };
+              }
+              {
+                suffix = "with-room-version";
+                config = {
+                  global = {
+                    server_name = name;
+                    address = [ "0.0.0.0" ];
+                    allow_registration = true;
+                    yes_i_am_very_very_sure_i_want_an_open_registration_server_prone_to_abuse = true;
+                    default_room_version = "12";
+                  };
+                };
+              }
+            ]
+        ))
+        builtins.listToAttrs
+      ];
+    };
+}

rspress.config.ts

@@ -11,20 +11,6 @@ export default defineConfig({
         light: '/assets/logo.svg',
         dark: '/assets/logo.svg',
     },
-    markdown: {
-        link: {
-            checkDeadLinks: {
-                excludes: [
-                    '/deploying/docker-compose.with-caddy.yml',
-                    '/deploying/docker-compose.with-caddy-labels.yml',
-                    '/deploying/docker-compose.for-traefik.yml',
-                    '/deploying/docker-compose.with-traefik.yml',
-                    `/deploying/docker-compose.override.yml`,
-                    `/deploying/docker-compose.yml`
-                ]
-            },
-        },
-    },
     themeConfig: {
         socialLinks: [
             {

src/admin/Cargo.toml

@@ -2,7 +2,6 @@
 name = "conduwuit_admin"
 description.workspace = true
 edition.workspace = true
-homepage.workspace = true
 license.workspace = true
 readme.workspace = true
 repository.workspace = true
@@ -80,7 +79,6 @@ conduwuit-database.workspace = true
 conduwuit-macros.workspace = true
 conduwuit-service.workspace = true
 const-str.workspace = true
-ctor.workspace = true
 futures.workspace = true
 lettre.workspace = true
 log.workspace = true

src/admin/mod.rs

@@ -3,8 +3,6 @@
 #![allow(clippy::enum_glob_use)]
 #![allow(clippy::too_many_arguments)]
 
-conduwuit_macros::introspect_crate! {}
-
 pub(crate) mod admin;
 pub(crate) mod context;
 pub(crate) mod processor;

src/admin/server/commands.rs

@@ -1,4 +1,4 @@
-use std::{fmt::Write, path::PathBuf, sync::Arc};
+use std::{path::PathBuf, sync::Arc};
 
 use conduwuit::{
 	Err, Result,
@@ -153,97 +153,3 @@ pub(super) async fn shutdown(&self) -> Result {
 
 	self.write_str("Shutting down server...").await
 }
-
-#[admin_command]
-pub(super) async fn list_features(&self) -> Result {
-	let mut enabled_features = conduwuit::info::introspection::ENABLED_FEATURES
-		.lock()
-		.expect("locked")
-		.iter()
-		.flat_map(|(_, f)| f.iter())
-		.collect::<Vec<_>>();
-
-	enabled_features.sort_unstable();
-	enabled_features.dedup();
-
-	let mut available_features = conduwuit::build_metadata::WORKSPACE_FEATURES
-		.iter()
-		.flat_map(|(_, f)| f.iter())
-		.collect::<Vec<_>>();
-
-	available_features.sort_unstable();
-	available_features.dedup();
-
-	let mut features = String::new();
-
-	for feature in available_features {
-		let active = enabled_features.contains(&feature);
-		let emoji = if active { "✅" } else { "❌" };
-		let remark = if active { "[enabled]" } else { "" };
-		writeln!(features, "{emoji} {feature} {remark}")?;
-	}
-
-	self.write_str(&features).await
-}
-
-#[admin_command]
-pub(super) async fn build_info(&self) -> Result {
-	use conduwuit::build_metadata::built;
-
-	let mut info = String::new();
-
-	// Version information
-	writeln!(info, "# Build Information\n")?;
-	writeln!(info, "**Version:** {}", built::PKG_VERSION)?;
-	writeln!(info, "**Package:** {}", built::PKG_NAME)?;
-	writeln!(info, "**Description:** {}", built::PKG_DESCRIPTION)?;
-
-	// Git information
-	writeln!(info, "\n## Git Information\n")?;
-	if let Some(hash) = conduwuit::build_metadata::GIT_COMMIT_HASH {
-		writeln!(info, "**Commit Hash:** {hash}")?;
-	}
-	if let Some(hash) = conduwuit::build_metadata::GIT_COMMIT_HASH_SHORT {
-		writeln!(info, "**Commit Hash (short):** {hash}")?;
-	}
-	if let Some(url) = conduwuit::build_metadata::GIT_REMOTE_WEB_URL {
-		writeln!(info, "**Repository:** {url}")?;
-	}
-	if let Some(url) = conduwuit::build_metadata::GIT_REMOTE_COMMIT_URL {
-		writeln!(info, "**Commit URL:** {url}")?;
-	}
-
-	// Build environment
-	writeln!(info, "\n## Build Environment\n")?;
-	writeln!(info, "**Profile:** {}", built::PROFILE)?;
-	writeln!(info, "**Optimization Level:** {}", built::OPT_LEVEL)?;
-	writeln!(info, "**Debug:** {}", built::DEBUG)?;
-	writeln!(info, "**Target:** {}", built::TARGET)?;
-	writeln!(info, "**Host:** {}", built::HOST)?;
-
-	// Rust compiler information
-	writeln!(info, "\n## Compiler Information\n")?;
-	writeln!(info, "**Rustc Version:** {}", built::RUSTC_VERSION)?;
-	if !built::RUSTDOC_VERSION.is_empty() {
-		writeln!(info, "**Rustdoc Version:** {}", built::RUSTDOC_VERSION)?;
-	}
-
-	// Target configuration
-	writeln!(info, "\n## Target Configuration\n")?;
-	writeln!(info, "**Architecture:** {}", built::CFG_TARGET_ARCH)?;
-	writeln!(info, "**OS:** {}", built::CFG_OS)?;
-	writeln!(info, "**Family:** {}", built::CFG_FAMILY)?;
-	writeln!(info, "**Endianness:** {}", built::CFG_ENDIAN)?;
-	writeln!(info, "**Pointer Width:** {} bits", built::CFG_POINTER_WIDTH)?;
-	if !built::CFG_ENV.is_empty() {
-		writeln!(info, "**Environment:** {}", built::CFG_ENV)?;
-	}
-
-	// CI information
-	if let Some(ci) = built::CI_PLATFORM {
-		writeln!(info, "\n## CI Platform\n")?;
-		writeln!(info, "**Platform:** {ci}")?;
-	}
-
-	self.write_str(&info).await
-}

src/admin/server/mod.rs

@@ -52,10 +52,4 @@ pub enum ServerCommand {
 
 	/// Shutdown the server
 	Shutdown,
-
-	/// List features built into the server
-	ListFeatures,
-
-	/// Build information
-	BuildInfo,
 }

src/api/Cargo.toml

@@ -2,7 +2,6 @@
 name = "conduwuit_api"
 description.workspace = true
 edition.workspace = true
-homepage.workspace = true
 license.workspace = true
 readme.workspace = true
 repository.workspace = true
@@ -77,10 +76,8 @@ axum.workspace = true
 base64.workspace = true
 bytes.workspace = true
 conduwuit-core.workspace = true
-conduwuit-macros.workspace = true
 conduwuit-service.workspace = true
 const-str.workspace = true
-ctor.workspace = true
 futures.workspace = true
 hmac.workspace = true
 http.workspace = true

src/api/client/account/mod.rs

@@ -425,9 +425,7 @@ pub async fn full_user_deactivate(
 		// TODO: Redact all messages sent by the user in the room
 	}
 
-	super::update_all_rooms(services, pdu_queue, user_id)
-		.boxed()
-		.await;
+	super::update_all_rooms(services, pdu_queue, user_id).await;
 	for room_id in all_joined_rooms {
 		services.rooms.state_cache.forget(room_id, user_id);
 	}

src/api/client/directory.rs

@@ -1,9 +1,7 @@
-use std::iter::once;
-
 use axum::extract::State;
 use axum_client_ip::InsecureClientIp;
 use conduwuit::{
-	Err, Event, Result, RoomVersion, err, info,
+	Err, Event, Result, err, info,
 	utils::{
 		TryFutureExtExt,
 		math::Expected,
@@ -32,14 +30,12 @@
 	events::{
 		StateEventType,
 		room::{
-			create::RoomCreateEventContent,
 			join_rules::{JoinRule, RoomJoinRulesEventContent},
 			power_levels::{RoomPowerLevels, RoomPowerLevelsEventContent},
 		},
 	},
 	uint,
 };
-use tokio::join;
 
 use crate::Ruma;
 
@@ -343,63 +339,36 @@ pub(crate) async fn get_public_rooms_filtered_helper(
 	})
 }
 
-/// Checks whether the given user ID is allowed to publish the target room to
-/// the server's public room directory. Users are allowed to publish rooms if
-/// they are server admins, room creators (in v12), or have the power level to
-/// send `m.room.canonical_alias`.
+/// Check whether the user can publish to the room directory via power levels of
+/// room history visibility event or room creator
 async fn user_can_publish_room(
 	services: &Services,
 	user_id: &UserId,
 	room_id: &RoomId,
 ) -> Result<bool> {
-	if services.users.is_admin(user_id).await {
-		// Server admins can always publish to their own room directory.
-		return Ok(true);
-	}
-	let (create_event, room_version, power_levels_content) = join!(
-		services
-			.rooms
-			.state_accessor
-			.room_state_get(room_id, &StateEventType::RoomCreate, ""),
-		services.rooms.state.get_room_version(room_id),
-		services
-			.rooms
-			.state_accessor
-			.room_state_get_content::<RoomPowerLevelsEventContent>(
-				room_id,
-				&StateEventType::RoomPowerLevels,
-				""
-			)
-	);
-	let room_version = room_version
-		.as_ref()
-		.map_err(|_| err!(Request(NotFound("Unknown room"))))?;
-	let create_event = create_event.map_err(|_| err!(Request(NotFound("Unknown room"))))?;
-	if RoomVersion::new(room_version)
-		.expect("room version must be supported")
-		.explicitly_privilege_room_creators
+	match services
+		.rooms
+		.state_accessor
+		.room_state_get(room_id, &StateEventType::RoomPowerLevels, "")
+		.await
 	{
-		let create_content: RoomCreateEventContent =
-			serde_json::from_str(create_event.content().get())
-				.map_err(|_| err!(Database("Invalid event content for m.room.create")))?;
-		let is_creator = create_content
-			.additional_creators
-			.unwrap_or_default()
-			.into_iter()
-			.chain(once(create_event.sender().to_owned()))
-			.any(|sender| sender == user_id);
-		if is_creator {
-			return Ok(true);
-		}
-	}
-	match power_levels_content.map(RoomPowerLevels::from) {
-		| Ok(pl) => Ok(pl.user_can_send_state(user_id, StateEventType::RoomCanonicalAlias)),
-		| Err(e) =>
-			if e.is_not_found() {
-				Ok(create_event.sender() == user_id)
-			} else {
-				Err!(Database("Invalid event content for m.room.power_levels: {e}"))
-			},
+		| Ok(event) => serde_json::from_str(event.content().get())
+			.map_err(|_| err!(Database("Invalid event content for m.room.power_levels")))
+			.map(|content: RoomPowerLevelsEventContent| {
+				RoomPowerLevels::from(content)
+					.user_can_send_state(user_id, StateEventType::RoomHistoryVisibility)
+			}),
+		| _ => {
+			match services
+				.rooms
+				.state_accessor
+				.room_state_get(room_id, &StateEventType::RoomCreate, "")
+				.await
+			{
+				| Ok(event) => Ok(event.sender() == user_id),
+				| _ => Err!(Request(Forbidden("User is not allowed to publish this room"))),
+			}
+		},
 	}
 }
 

src/api/client/profile.rs

@@ -7,7 +7,7 @@
 };
 use conduwuit_service::Services;
 use futures::{
-	FutureExt, StreamExt, TryStreamExt,
+	StreamExt, TryStreamExt,
 	future::{join, join3, join4},
 };
 use ruma::{
@@ -51,7 +51,6 @@ pub(crate) async fn set_displayname_route(
 		.await;
 
 	update_displayname(&services, &body.user_id, body.displayname.clone(), &all_joined_rooms)
-		.boxed()
 		.await;
 
 	if services.config.allow_local_presence {
@@ -150,7 +149,6 @@ pub(crate) async fn set_avatar_url_route(
 		body.blurhash.clone(),
 		&all_joined_rooms,
 	)
-	.boxed()
 	.await;
 
 	if services.config.allow_local_presence {
@@ -346,9 +344,7 @@ pub async fn update_displayname(
 		.collect()
 		.await;
 
-	update_all_rooms(services, all_joined_rooms, user_id)
-		.boxed()
-		.await;
+	update_all_rooms(services, all_joined_rooms, user_id).await;
 }
 
 pub async fn update_avatar_url(
@@ -398,9 +394,7 @@ pub async fn update_avatar_url(
 		.collect()
 		.await;
 
-	update_all_rooms(services, all_joined_rooms, user_id)
-		.boxed()
-		.await;
+	update_all_rooms(services, all_joined_rooms, user_id).await;
 }
 
 pub async fn update_all_rooms(

src/api/client/room/upgrade.rs

@@ -137,7 +137,6 @@ pub(crate) async fn upgrade_room_route(
 				Some(&body.room_id),
 				&state_lock,
 			)
-			.boxed()
 			.await?;
 		// Change lock to replacement room
 		drop(state_lock);

src/api/client/state.rs

@@ -60,7 +60,6 @@ pub(crate) async fn send_state_event_for_key_route(
 				None
 			},
 		)
-		.boxed()
 		.await?,
 	})
 }

src/api/client/unstable.rs

@@ -3,7 +3,7 @@
 use axum::extract::State;
 use axum_client_ip::InsecureClientIp;
 use conduwuit::{Err, Result};
-use futures::{FutureExt, StreamExt};
+use futures::StreamExt;
 use ruma::{
 	OwnedRoomId,
 	api::{
@@ -112,7 +112,6 @@ pub(crate) async fn set_profile_key_route(
 			Some(display_name.to_owned()),
 			&all_joined_rooms,
 		)
-		.boxed()
 		.await;
 	} else if body.key_name == "avatar_url" {
 		let Some(avatar_url) = profile_key_value.as_str() else {
@@ -128,9 +127,7 @@ pub(crate) async fn set_profile_key_route(
 			.collect()
 			.await;
 
-		update_avatar_url(&services, &body.user_id, Some(mxc), None, &all_joined_rooms)
-			.boxed()
-			.await;
+		update_avatar_url(&services, &body.user_id, Some(mxc), None, &all_joined_rooms).await;
 	} else {
 		services.users.set_profile_key(
 			&body.user_id,
@@ -181,9 +178,7 @@ pub(crate) async fn delete_profile_key_route(
 			.collect()
 			.await;
 
-		update_displayname(&services, &body.user_id, None, &all_joined_rooms)
-			.boxed()
-			.await;
+		update_displayname(&services, &body.user_id, None, &all_joined_rooms).await;
 	} else if body.key_name == "avatar_url" {
 		let all_joined_rooms: Vec<OwnedRoomId> = services
 			.rooms
@@ -193,9 +188,7 @@ pub(crate) async fn delete_profile_key_route(
 			.collect()
 			.await;
 
-		update_avatar_url(&services, &body.user_id, None, None, &all_joined_rooms)
-			.boxed()
-			.await;
+		update_avatar_url(&services, &body.user_id, None, None, &all_joined_rooms).await;
 	} else {
 		services
 			.users

src/api/client/voip.rs

@@ -3,7 +3,7 @@
 use axum::extract::State;
 use base64::{Engine as _, engine::general_purpose};
 use conduwuit::{Err, Result, utils};
-use hmac::{Hmac, KeyInit, Mac};
+use hmac::{Hmac, Mac};
 use ruma::{SecondsSinceUnixEpoch, UserId, api::client::voip::get_turn_server_info};
 use sha1::Sha1;
 

src/api/client/well_known.rs

@@ -71,7 +71,6 @@ pub(crate) async fn well_known_support(
 
 	let email_address = services.config.well_known.support_email.clone();
 	let matrix_id = services.config.well_known.support_mxid.clone();
-	let pgp_key = services.config.well_known.support_pgp_key.clone();
 
 	// TODO: support defining multiple contacts in the config
 	let mut contacts: Vec<Contact> = vec![];
@@ -89,7 +88,6 @@ pub(crate) async fn well_known_support(
 			role: role_value.clone(),
 			email_address: email_address.clone(),
 			matrix_id: matrix_id.clone(),
-			pgp_key: pgp_key.clone(),
 		});
 	}
 
@@ -106,7 +104,6 @@ pub(crate) async fn well_known_support(
 				role: role_value.clone(),
 				email_address: None,
 				matrix_id: Some(user_id.to_owned()),
-				pgp_key: None,
 			});
 		}
 	}

src/api/mod.rs

@@ -3,9 +3,6 @@
 
 extern crate conduwuit_core as conduwuit;
 extern crate conduwuit_service as service;
-
-conduwuit_macros::introspect_crate! {}
-
 pub mod client;
 pub mod router;
 pub mod server;

src/api/server/make_join.rs

@@ -1,13 +1,11 @@
 use std::borrow::ToOwned;
 
 use axum::extract::State;
-use conduwuit::{
-	Err, Error, Result, debug, debug_info, info, matrix::pdu::PduBuilder, utils, warn,
-};
+use conduwuit::{Err, Error, Result, debug, debug_info, info, matrix::pdu::PduBuilder, warn};
 use conduwuit_service::Services;
 use futures::StreamExt;
 use ruma::{
-	OwnedUserId, RoomId, RoomVersionId, UserId,
+	CanonicalJsonObject, OwnedUserId, RoomId, RoomVersionId, UserId,
 	api::{client::error::ErrorKind, federation::membership::prepare_join_event},
 	events::{
 		StateEventType,
@@ -42,7 +40,6 @@ pub(crate) async fn create_join_event_template_route(
 	{
 		info!(
 			origin = body.origin().as_str(),
-			room_id = %body.room_id,
 			"Refusing to serve make_join for room we aren't participating in"
 		);
 		return Err!(Request(NotFound("This server is not participating in that room.")));
@@ -136,10 +133,10 @@ pub(crate) async fn create_join_event_template_route(
 		}
 	}
 
-	let (pdu, _) = services
+	let (_pdu, mut pdu_json) = services
 		.rooms
 		.timeline
-		.create_event(
+		.create_hash_and_sign_event(
 			PduBuilder::state(body.user_id.to_string(), &RoomMemberEventContent {
 				join_authorized_via_users_server,
 				..RoomMemberEventContent::new(MembershipState::Join)
@@ -150,8 +147,6 @@ pub(crate) async fn create_join_event_template_route(
 		)
 		.await?;
 	drop(state_lock);
-	let mut pdu_json = utils::to_canonical_object(&pdu)
-		.expect("Barebones PDU should be convertible to canonical JSON");
 	pdu_json.remove("event_id");
 
 	Ok(prepare_join_event::v1::Response {
@@ -302,3 +297,18 @@ pub(crate) async fn user_can_perform_restricted_join(
 		)))
 	}
 }
+
+pub(crate) fn maybe_strip_event_id(
+	pdu_json: &mut CanonicalJsonObject,
+	room_version_id: &RoomVersionId,
+) -> Result {
+	use RoomVersionId::*;
+
+	match room_version_id {
+		| V1 | V2 => Ok(()),
+		| _ => {
+			pdu_json.remove("event_id");
+			Ok(())
+		},
+	}
+}

src/api/server/make_knock.rs

@@ -1,6 +1,6 @@
 use RoomVersionId::*;
 use axum::extract::State;
-use conduwuit::{Err, Error, Result, debug_warn, info, matrix::pdu::PduBuilder, utils, warn};
+use conduwuit::{Err, Error, Result, debug_warn, info, matrix::pdu::PduBuilder, warn};
 use ruma::{
 	RoomVersionId,
 	api::{client::error::ErrorKind, federation::knock::create_knock_event_template},
@@ -28,7 +28,6 @@ pub(crate) async fn create_knock_event_template_route(
 	{
 		info!(
 			origin = body.origin().as_str(),
-			room_id = %body.room_id,
 			"Refusing to serve make_knock for room we aren't participating in"
 		);
 		return Err!(Request(NotFound("This server is not participating in that room.")));
@@ -99,10 +98,10 @@ pub(crate) async fn create_knock_event_template_route(
 		}
 	}
 
-	let (pdu, _) = services
+	let (_pdu, mut pdu_json) = services
 		.rooms
 		.timeline
-		.create_event(
+		.create_hash_and_sign_event(
 			PduBuilder::state(
 				body.user_id.to_string(),
 				&RoomMemberEventContent::new(MembershipState::Knock),
@@ -114,9 +113,9 @@ pub(crate) async fn create_knock_event_template_route(
 		.await?;
 
 	drop(state_lock);
-	let mut pdu_json = utils::to_canonical_object(&pdu)
-		.expect("Barebones PDU should be convertible to canonical JSON");
-	pdu_json.remove("event_id");
+
+	// room v3 and above removed the "event_id" field from remote PDU format
+	super::maybe_strip_event_id(&mut pdu_json, &room_version_id)?;
 
 	Ok(create_knock_event_template::v1::Response {
 		room_version: room_version_id,

src/api/server/make_leave.rs

@@ -1,11 +1,12 @@
 use axum::extract::State;
-use conduwuit::{Err, Result, info, matrix::pdu::PduBuilder, utils};
+use conduwuit::{Err, Result, info, matrix::pdu::PduBuilder};
 use ruma::{
 	api::federation::membership::prepare_leave_event,
 	events::room::member::{MembershipState, RoomMemberEventContent},
 };
 use serde_json::value::to_raw_value;
 
+use super::make_join::maybe_strip_event_id;
 use crate::Ruma;
 
 /// # `GET /_matrix/federation/v1/make_leave/{roomId}/{eventId}`
@@ -48,10 +49,10 @@ pub(crate) async fn create_leave_event_template_route(
 	let room_version_id = services.rooms.state.get_room_version(&body.room_id).await?;
 	let state_lock = services.rooms.state.mutex.lock(&body.room_id).await;
 
-	let (pdu, _) = services
+	let (_pdu, mut pdu_json) = services
 		.rooms
 		.timeline
-		.create_event(
+		.create_hash_and_sign_event(
 			PduBuilder::state(
 				body.user_id.to_string(),
 				&RoomMemberEventContent::new(MembershipState::Leave),
@@ -63,9 +64,9 @@ pub(crate) async fn create_leave_event_template_route(
 		.await?;
 
 	drop(state_lock);
-	let mut pdu_json = utils::to_canonical_object(&pdu)
-		.expect("Barebones PDU should be convertible to canonical JSON");
-	pdu_json.remove("event_id");
+
+	// room v3 and above removed the "event_id" field from remote PDU format
+	maybe_strip_event_id(&mut pdu_json, &room_version_id)?;
 
 	Ok(prepare_leave_event::v1::Response {
 		room_version: Some(room_version_id),

src/api/server/send_join.rs

@@ -187,15 +187,14 @@ async fn create_join_event(
 				"Joining user did not pass restricted room's rules."
 			)));
 		}
-
-		services
-			.server_keys
-			.hash_and_sign_event(&mut value, &room_version_id)
-			.map_err(|e| {
-				err!(Request(InvalidParam(warn!("Failed to sign send_join event: {e}"))))
-			})?;
 	}
 
+	trace!("Signing send_join event");
+	services
+		.server_keys
+		.hash_and_sign_event(&mut value, &room_version_id)
+		.map_err(|e| err!(Request(InvalidParam(warn!("Failed to sign send_join event: {e}")))))?;
+
 	let mutex_lock = services
 		.rooms
 		.event_handler

src/build_metadata/Cargo.toml

@@ -2,7 +2,6 @@
 name = "conduwuit_build_metadata"
 description.workspace = true
 edition.workspace = true
-homepage.workspace = true
 license.workspace = true
 readme.workspace = true
 repository.workspace = true
@@ -28,6 +27,6 @@ crate-type = [
 
 [build-dependencies]
 built = { version = "0.8", features = [] }
-cargo_metadata = { version = "0.23.1" }
+
 [lints]
 workspace = true

src/build_metadata/build.rs

@@ -1,9 +1,5 @@
-use std::{
-	collections::BTreeMap, env, fmt::Write as FmtWrite, fs, io::Write, path::Path,
-	process::Command,
-};
+use std::process::Command;
 
-use cargo_metadata::MetadataCommand;
 fn run_git_command(args: &[&str]) -> Option<String> {
 	Command::new("git")
 		.args(args)
@@ -15,60 +11,12 @@ fn run_git_command(args: &[&str]) -> Option<String> {
 		.filter(|s| !s.is_empty())
 }
 fn get_env(env_var: &str) -> Option<String> {
-	match env::var(env_var) {
+	match std::env::var(env_var) {
 		| Ok(val) if !val.is_empty() => Some(val),
 		| _ => None,
 	}
 }
 fn main() {
-	println!("cargo:rerun-if-changed=Cargo.toml");
-
-	let manifest_dir = env::var("CARGO_MANIFEST_DIR").unwrap(); // Cargo.toml path
-	let manifest_path = Path::new(&manifest_dir).join("Cargo.toml");
-
-	let metadata = MetadataCommand::new()
-		.manifest_path(&manifest_path)
-		.no_deps()
-		.exec()
-		.expect("failed to parse `cargo metadata`");
-
-	let workspace_packages = metadata
-		.workspace_members
-		.iter()
-		.map(|package| {
-			let package = metadata.packages.iter().find(|p| p.id == *package).unwrap();
-			println!("cargo:rerun-if-changed={}", package.manifest_path.as_str());
-			package
-		})
-		.collect::<Vec<_>>();
-
-	// Extract available features from workspace packages
-	let mut available_features: BTreeMap<String, Vec<String>> = BTreeMap::new();
-	for package in &workspace_packages {
-		let crate_name = package
-			.name
-			.trim_start_matches("conduwuit-")
-			.replace('-', "_");
-		let features: Vec<String> = package.features.keys().cloned().collect();
-		if !features.is_empty() {
-			available_features.insert(crate_name, features);
-		}
-	}
-
-	// Generate Rust code for available features
-	let features_code = generate_features_code(&available_features);
-	let features_dst =
-		Path::new(&env::var("OUT_DIR").expect("OUT_DIR not set")).join("available_features.rs");
-	let mut features_file = fs::File::create(features_dst).unwrap();
-	features_file.write_all(features_code.as_bytes()).unwrap();
-
-	let dst = Path::new(&env::var("OUT_DIR").expect("OUT_DIR not set")).join("pkg.json");
-
-	let mut out_file = fs::File::create(dst).unwrap();
-	out_file
-		.write_all(format!("{workspace_packages:?}").as_bytes())
-		.unwrap();
-
 	// built gets the default crate from the workspace. Not sure if this is intended
 	// behavior, but it's what we want.
 	built::write_built_file().expect("Failed to acquire build-time information");
@@ -143,30 +91,3 @@ fn main() {
 	println!("cargo:rerun-if-env-changed=GIT_REMOTE_URL");
 	println!("cargo:rerun-if-env-changed=GIT_REMOTE_COMMIT_URL");
 }
-
-fn generate_features_code(features: &BTreeMap<String, Vec<String>>) -> String {
-	let mut code = String::from(
-		r#"
-/// All available features for workspace crates
-pub const WORKSPACE_FEATURES: &[(&str, &[&str])] = &[
-"#,
-	);
-
-	for (crate_name, feature_list) in features {
-		write!(code, "    (\"{crate_name}\", &[").unwrap();
-		for (i, feature) in feature_list.iter().enumerate() {
-			if i > 0 {
-				code.push_str(", ");
-			}
-			write!(code, "\"{feature}\"").unwrap();
-		}
-		code.push_str("]),\n");
-	}
-
-	code.push_str(
-		r#"];
-"#,
-	);
-
-	code
-}

src/build_metadata/mod.rs

@@ -2,10 +2,6 @@ pub mod built {
 	include!(concat!(env!("OUT_DIR"), "/built.rs"));
 }
 
-// Include generated available features
-// This provides: pub const WORKSPACE_FEATURES: &[(&str, &[&str])]
-include!(concat!(env!("OUT_DIR"), "/available_features.rs"));
-
 pub static GIT_COMMIT_HASH: Option<&str> = option_env!("GIT_COMMIT_HASH");
 
 pub static GIT_COMMIT_HASH_SHORT: Option<&str> = option_env!("GIT_COMMIT_HASH_SHORT");

src/core/Cargo.toml

@@ -2,7 +2,6 @@
 name = "conduwuit_core"
 description.workspace = true
 edition.workspace = true
-homepage.workspace = true
 license.workspace = true
 readme.workspace = true
 repository.workspace = true

src/core/config/mod.rs

@@ -659,7 +659,7 @@ pub struct Config {
 	/// which users must agree to when registering an account.
 	///
 	/// Example:
-	/// ```ignore
+	/// ```
 	/// [global.registration_terms.privacy_policy]
 	/// en = { name = "Privacy Policy", url = "https://homeserver.example/en/privacy_policy.html" }
 	/// es = { name = "Política de Privacidad", url = "https://homeserver.example/es/privacy_policy.html" }
@@ -2205,10 +2205,6 @@ pub struct WellKnownConfig {
 	/// listed.
 	pub support_mxid: Option<OwnedUserId>,
 
-	/// PGP key URI for server support contacts, to be served as part of the
-	/// MSC1929 server support endpoint.
-	pub support_pgp_key: Option<String>,
-
 	/// **DEPRECATED**: Use `[global.matrix_rtc].foci` instead.
 	///
 	/// A list of MatrixRTC foci URLs which will be served as part of the

src/core/info/introspection.rs

@@ -1,7 +0,0 @@
-//! Information about features the crates were compiled with.
-//! Only available for crates that have called the `introspect_crate` macro
-
-use std::collections::BTreeMap;
-
-pub static ENABLED_FEATURES: std::sync::Mutex<BTreeMap<&str, &[&str]>> =
-	std::sync::Mutex::new(BTreeMap::new());

src/core/info/mod.rs

@@ -1,4 +1,3 @@
-pub mod introspection;
 pub mod room_version;
 pub mod version;
 

src/core/mod.rs

@@ -19,7 +19,6 @@
 pub use ::smallvec;
 pub use ::toml;
 pub use ::tracing;
-pub use conduwuit_build_metadata as build_metadata;
 pub use config::Config;
 pub use error::Error;
 pub use info::{
@@ -35,8 +34,6 @@
 
 pub use crate as conduwuit_core;
 
-conduwuit_macros::introspect_crate! {}
-
 #[cfg(any(not(conduwuit_mods), not(feature = "conduwuit_mods")))]
 pub mod mods {
 	#[macro_export]

src/database/Cargo.toml

@@ -2,7 +2,6 @@
 name = "conduwuit_database"
 description.workspace = true
 edition.workspace = true
-homepage.workspace = true
 license.workspace = true
 readme.workspace = true
 repository.workspace = true
@@ -55,9 +54,7 @@ bindgen-runtime = [
 [dependencies]
 async-channel.workspace = true
 conduwuit-core.workspace = true
-conduwuit-macros.workspace = true
 const-str.workspace = true
-ctor.workspace = true
 futures.workspace = true
 log.workspace = true
 minicbor.workspace = true