style: Make "empty timeline" warning only warn in debug mode

.envrc

@@ -2,7 +2,7 @@
 
 dotenv_if_exists
 
-if command -v nix >/dev/null 2>&1; then
+if [ -f /etc/os-release ] && grep -q '^ID=nixos' /etc/os-release; then
     use flake ".#${DIRENV_DEVSHELL:-default}"
 fi
 

.forgejo/actions/create-docker-manifest/action.yml

@@ -44,7 +44,7 @@ runs:
 
     - name: Login to builtin registry
       if: ${{ env.BUILTIN_REGISTRY_ENABLED == 'true' }}
-      uses: docker/login-action@4907a6ddec9925e35a0a9e82d7399ccc52663121 # v4
+      uses: docker/login-action@v3
       with:
         registry: ${{ env.BUILTIN_REGISTRY }}
         username: ${{ inputs.registry_user }}
@@ -52,7 +52,7 @@ runs:
 
     - name: Set up Docker Buildx
       if: ${{ env.BUILTIN_REGISTRY_ENABLED == 'true' }}
-      uses: docker/setup-buildx-action@4d04d5d9486b7bd6fa91e7baf45bbb4f8b9deedd # v4
+      uses: docker/setup-buildx-action@v3
       with:
         # Use persistent BuildKit if BUILDKIT_ENDPOINT is set (e.g. tcp://buildkit:8125)
         driver: ${{ env.BUILDKIT_ENDPOINT != '' && 'remote' || 'docker-container' }}
@@ -61,7 +61,7 @@ runs:
     - name: Extract metadata (tags) for Docker
       if: ${{ env.BUILTIN_REGISTRY_ENABLED == 'true' }}
       id: meta
-      uses: docker/metadata-action@030e881283bb7a6894de51c315a6bfe6a94e05cf # v6
+      uses: docker/metadata-action@v5
       with:
         flavor: |
           latest=auto

.forgejo/actions/prepare-docker-build/action.yml

@@ -67,7 +67,7 @@ runs:
       uses: ./.forgejo/actions/rust-toolchain
 
     - name: Set up Docker Buildx
-      uses: docker/setup-buildx-action@4d04d5d9486b7bd6fa91e7baf45bbb4f8b9deedd # v4
+      uses: docker/setup-buildx-action@v3
       with:
         # Use persistent BuildKit if BUILDKIT_ENDPOINT is set (e.g. tcp://buildkit:8125)
         driver: ${{ env.BUILDKIT_ENDPOINT != '' && 'remote' || 'docker-container' }}
@@ -75,11 +75,11 @@ runs:
 
     - name: Set up QEMU
       if: ${{ env.BUILDKIT_ENDPOINT == '' }}
-      uses: docker/setup-qemu-action@ce360397dd3f832beb865e1373c09c0e9f86d70a # v4
+      uses: docker/setup-qemu-action@v3
 
     - name: Login to builtin registry
       if: ${{ env.BUILTIN_REGISTRY_ENABLED == 'true' }}
-      uses: docker/login-action@4907a6ddec9925e35a0a9e82d7399ccc52663121 # v4
+      uses: docker/login-action@v3
       with:
         registry: ${{ env.BUILTIN_REGISTRY }}
         username: ${{ inputs.registry_user }}
@@ -87,7 +87,7 @@ runs:
 
     - name: Extract metadata (labels, annotations) for Docker
       id: meta
-      uses: docker/metadata-action@030e881283bb7a6894de51c315a6bfe6a94e05cf # v6
+      uses: docker/metadata-action@v5
       with:
         images: ${{ inputs.images }}
         # default labels & annotations: https://github.com/docker/metadata-action/blob/master/src/meta.ts#L509
@@ -111,3 +111,59 @@ runs:
 
     - uses: ./.forgejo/actions/timelord
       id: timelord
+
+    - name: Cache Rust registry
+      if: ${{ env.BUILDKIT_ENDPOINT == '' }}
+      uses: actions/cache@v3
+      with:
+        path: |
+          .cargo/git
+          .cargo/git/checkouts
+          .cargo/registry
+          .cargo/registry/src
+        key: continuwuity-rust-registry-image-${{hashFiles('**/Cargo.lock') }}
+
+    - name: Cache cargo target
+      if: ${{ env.BUILDKIT_ENDPOINT == '' }}
+      id: cache-cargo-target
+      uses: actions/cache@v3
+      with:
+        path: |
+          cargo-target${{ env.CPU_SUFFIX }}-${{ inputs.slug }}-${{ inputs.profile }}
+        key: continuwuity-cargo-target${{ env.CPU_SUFFIX }}-${{ inputs.slug }}-${{ inputs.profile }}-${{hashFiles('**/Cargo.lock') }}-${{steps.rust-toolchain.outputs.rustc_version}}
+
+    - name: Cache apt cache
+      if: ${{ env.BUILDKIT_ENDPOINT == '' }}
+      id: cache-apt
+      uses: actions/cache@v3
+      with:
+        path: |
+          var-cache-apt-${{ inputs.slug }}
+        key: continuwuity-var-cache-apt-${{ inputs.slug }}
+
+    - name: Cache apt lib
+      if: ${{ env.BUILDKIT_ENDPOINT == '' }}
+      id: cache-apt-lib
+      uses: actions/cache@v3
+      with:
+        path: |
+          var-lib-apt-${{ inputs.slug }}
+        key: continuwuity-var-lib-apt-${{ inputs.slug }}
+
+    - name: inject cache into docker
+      if: ${{ env.BUILDKIT_ENDPOINT == '' }}
+      uses: https://github.com/reproducible-containers/buildkit-cache-dance@v3.3.0
+      with:
+        cache-map: |
+          {
+            ".cargo/registry": "/usr/local/cargo/registry",
+            ".cargo/git/db": "/usr/local/cargo/git/db",
+            "cargo-target${{ env.CPU_SUFFIX }}-${{ inputs.slug }}-${{ inputs.profile }}": {
+              "target": "/app/target",
+              "id": "cargo-target${{ env.CPU_SUFFIX }}-${{ inputs.slug }}-${{ inputs.profile }}"
+            },
+            "var-cache-apt-${{ inputs.slug }}": "/var/cache/apt",
+            "var-lib-apt-${{ inputs.slug }}": "/var/lib/apt",
+            "${{ steps.timelord.outputs.database-path }}":"/timelord"
+          }
+        skip-extraction: ${{ steps.cache.outputs.cache-hit }}

.forgejo/actions/rust-toolchain/action.yml

@@ -33,7 +33,7 @@ runs:
         echo "version=$(rustup --version)" >> $GITHUB_OUTPUT
     - name: Cache rustup toolchains
       if: steps.rustup-version.outputs.version == ''
-      uses: actions/cache@v5
+      uses: actions/cache@v3
       with:
         path: |
           ~/.rustup

.forgejo/actions/sccache/action.yml

@@ -9,7 +9,7 @@ runs:
   - name: Install sccache
     uses: https://git.tomfos.tr/tom/sccache-action@v1
   - name: Configure sccache
-    uses: https://github.com/actions/github-script@3a2844b7e9c422d3c10d287c895573f7108da1b3 # v9
+    uses: https://github.com/actions/github-script@v8
     with:
       script: |
         core.exportVariable('ACTIONS_RESULTS_URL', process.env.ACTIONS_RESULTS_URL || '');

.forgejo/actions/setup-llvm-with-apt/action.yml

@@ -57,7 +57,7 @@ runs:
 
     - name: Check for LLVM cache
       id: cache
-      uses: actions/cache@v5
+      uses: actions/cache@v4
       with:
         path: |
           /usr/bin/clang-*
@@ -120,7 +120,7 @@ runs:
 
     - name: Install additional packages
       if: inputs.extra-packages != ''
-      uses: https://github.com/awalsh128/cache-apt-pkgs-action@2c09a5e66da6c8016428a2172bd76e5e4f14bb17 # latest
+      uses: https://github.com/awalsh128/cache-apt-pkgs-action@latest
       with:
         packages: ${{ inputs.extra-packages }}
         version: 1.0

.forgejo/actions/setup-rust/action.yml

@@ -65,7 +65,7 @@ runs:
 
     - name: Cache toolchain binaries
       id: toolchain-cache
-      uses: actions/cache@v5
+      uses: actions/cache@v4
       with:
         path: |
           .cargo/bin
@@ -76,7 +76,7 @@ runs:
 
     - name: Cache Cargo registry and git
       id: registry-cache
-      uses: actions/cache@v5
+      uses: actions/cache@v4
       with:
         path: |
           .cargo/registry/index
@@ -149,6 +149,37 @@ runs:
     - name: Setup sccache
       uses: https://git.tomfos.tr/tom/sccache-action@v1
 
+    - name: Cache dependencies
+      id: deps-cache
+      uses: actions/cache@v4
+      with:
+        path: |
+          target/**/.fingerprint
+          target/**/deps
+          target/**/*.d
+          target/**/.cargo-lock
+          target/**/CACHEDIR.TAG
+          target/**/.rustc_info.json
+          /timelord/
+        # Dependencies cache - based on Cargo.lock, survives source code changes
+        key: >-
+          continuwuity-deps-${{ steps.runner-os.outputs.slug }}-${{ steps.runner-os.outputs.arch }}-${{ steps.rust-setup.outputs.version }}${{ inputs.cache-key-suffix && format('-{0}', inputs.cache-key-suffix) || '' }}-${{ hashFiles('rust-toolchain.toml', '**/Cargo.lock') }}
+        restore-keys: |
+          continuwuity-deps-${{ steps.runner-os.outputs.slug }}-${{ steps.runner-os.outputs.arch }}-${{ steps.rust-setup.outputs.version }}${{ inputs.cache-key-suffix && format('-{0}', inputs.cache-key-suffix) || '' }}-
+
+    - name: Cache incremental compilation
+      id: incremental-cache
+      uses: actions/cache@v4
+      with:
+        path: |
+          target/**/incremental
+        # Incremental cache - based on source code changes
+        key: >-
+          continuwuity-incremental-${{ steps.runner-os.outputs.slug }}-${{ steps.runner-os.outputs.arch }}-${{ steps.rust-setup.outputs.version }}${{ inputs.cache-key-suffix && format('-{0}', inputs.cache-key-suffix) || '' }}-${{ hashFiles('rust-toolchain.toml', '**/Cargo.lock') }}-${{ hashFiles('**/*.rs', '**/Cargo.toml') }}
+        restore-keys: |
+          continuwuity-incremental-${{ steps.runner-os.outputs.slug }}-${{ steps.runner-os.outputs.arch }}-${{ steps.rust-setup.outputs.version }}${{ inputs.cache-key-suffix && format('-{0}', inputs.cache-key-suffix) || '' }}-${{ hashFiles('rust-toolchain.toml', '**/Cargo.lock') }}-
+          continuwuity-incremental-${{ steps.runner-os.outputs.slug }}-${{ steps.runner-os.outputs.arch }}-${{ steps.rust-setup.outputs.version }}${{ inputs.cache-key-suffix && format('-{0}', inputs.cache-key-suffix) || '' }}-
+
     - name: End build cache restore group
       shell: bash
       run: echo "::endgroup::"

.forgejo/actions/timelord/action.yml

@@ -31,7 +31,7 @@ runs:
 
     - name: Restore binary cache
       id: binary-cache
-      uses: actions/cache/restore@v5
+      uses: actions/cache/restore@v4
       with:
         path: |
           /usr/share/rust/.cargo/bin
@@ -71,13 +71,13 @@ runs:
 
     - name: Install timelord-cli and git-warp-time
       if: steps.check-binaries.outputs.need-install == 'true'
-      uses: https://github.com/taiki-e/install-action@5939f3337e40968c39aa70f5ecb1417a92fb25a0 # v2
+      uses: https://github.com/taiki-e/install-action@v2
       with:
         tool: git-warp-time,timelord-cli@3.0.1
 
     - name: Save binary cache
       if: steps.check-binaries.outputs.need-install == 'true'
-      uses: actions/cache/save@v5
+      uses: actions/cache/save@v4
       with:
         path: |
           /usr/share/rust/.cargo/bin
@@ -87,7 +87,7 @@ runs:
 
     - name: Restore timelord cache with fallbacks
       id: timelord-restore
-      uses: actions/cache/restore@v5
+      uses: actions/cache/restore@v4
       with:
         path: ${{ env.TIMELORD_CACHE_PATH }}
         key: ${{ env.TIMELORD_KEY }}
@@ -114,7 +114,7 @@ runs:
         timelord sync --source-dir ${{ env.TIMELORD_PATH }} --cache-dir ${{ env.TIMELORD_CACHE_PATH }}
 
     - name: Save updated timelord cache immediately
-      uses: actions/cache/save@v5
+      uses: actions/cache/save@v4
       with:
         path: ${{ env.TIMELORD_CACHE_PATH }}
         key: ${{ env.TIMELORD_KEY }}

.forgejo/regsync/regsync.yml

@@ -62,6 +62,10 @@ sync:
     target: registry.gitlab.com/continuwuity/continuwuity
     type: repository
     <<: *tags-main
+  - source: *source
+    target: git.nexy7574.co.uk/mirrored/continuwuity
+    type: repository
+    <<: *tags-releases
   - source: *source
     target: ghcr.io/continuwuity/continuwuity
     type: repository

.forgejo/workflows/build-debian.yml

@@ -30,22 +30,22 @@ jobs:
           echo "version=$VERSION" >> $GITHUB_OUTPUT
           echo "distribution=$DISTRIBUTION" >> $GITHUB_OUTPUT
           echo "Debian distribution: $DISTRIBUTION ($VERSION)"
-      #- name: Work around llvm-project#153385
-      #  id: llvm-workaround
-      #  run: |
-      #    if [ -f /usr/share/apt/default-sequoia.config ]; then
-      #      echo "Applying workaround for llvm-project#153385"
-      #      mkdir -p /etc/crypto-policies/back-ends/
-      #      cp /usr/share/apt/default-sequoia.config /etc/crypto-policies/back-ends/apt-sequoia.config
-      #      sed -i 's/\(sha1\.second_preimage_resistance = \)2026-02-01/\12026-06-01/' /etc/crypto-policies/back-ends/apt-sequoia.config
-      #    else
-      #      echo "No workaround needed for llvm-project#153385"
-      #    fi
+      - name: Work around llvm-project#153385
+        id: llvm-workaround
+        run: |
+          if [ -f /usr/share/apt/default-sequoia.config ]; then
+            echo "Applying workaround for llvm-project#153385"
+            mkdir -p /etc/crypto-policies/back-ends/
+            cp /usr/share/apt/default-sequoia.config /etc/crypto-policies/back-ends/apt-sequoia.config
+            sed -i 's/\(sha1\.second_preimage_resistance = \)2026-02-01/\12026-06-01/' /etc/crypto-policies/back-ends/apt-sequoia.config
+          else
+            echo "No workaround needed for llvm-project#153385"
+          fi
       - name: Pick compatible clang version
         id: clang-version
         run: |
           # both latest need to use clang-23, but oldstable and previous can just use clang
-          if [[ "${{ matrix.container }}" == "ubuntu-latest" ]]; then
+          if [[ "${{ matrix.container }}" == "ubuntu-latest" || "${{ matrix.container }}" == "debian-latest" ]]; then
             echo "Using clang-23 package for ${{ matrix.container }}"
             echo "version=clang-23" >> $GITHUB_OUTPUT
           else
@@ -54,13 +54,13 @@ jobs:
           fi
 
       - name: Checkout repository with full history
-        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
+        uses: actions/checkout@v6
         with:
           fetch-depth: 0
           ref: ${{ github.ref_name }}
 
       - name: Cache Cargo registry
-        uses: actions/cache@v5
+        uses: actions/cache@v4
         with:
           path: |
             ~/.cargo/registry

.forgejo/workflows/build-fedora.yml

@@ -30,14 +30,14 @@ jobs:
           echo "Fedora version: $VERSION"
 
       - name: Checkout repository with full history
-        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
+        uses: actions/checkout@v6
         with:
           fetch-depth: 0
           ref: ${{ github.ref_name }}
 
 
       - name: Cache DNF packages
-        uses: actions/cache@v5
+        uses: actions/cache@v4
         with:
           path: |
             /var/cache/dnf
@@ -47,7 +47,7 @@ jobs:
             dnf-fedora${{ steps.fedora.outputs.version }}-
 
       - name: Cache Cargo registry
-        uses: actions/cache@v5
+        uses: actions/cache@v4
         with:
           path: |
             ~/.cargo/registry
@@ -57,7 +57,7 @@ jobs:
             cargo-fedora${{ steps.fedora.outputs.version }}-
 
       - name: Cache Rust build dependencies
-        uses: actions/cache@v5
+        uses: actions/cache@v4
         with:
           path: |
             ~/rpmbuild/BUILD/*/target/release/deps

.forgejo/workflows/check-changelog.yml

@@ -1,94 +0,0 @@
-name: Checks / Changelog
-
-on:
-  pull_request_target:
-    types: [opened, synchronize, reopened, ready_for_review, labeled, unlabeled]
-
-permissions:
-  contents: read
-  pull-requests: write
-  issues: write
-
-jobs:
-  check-changelog:
-    name: Check changelog is added
-    runs-on: ubuntu-latest
-    steps:
-      - name: Checkout repository
-        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
-        with:
-          ref: ${{ github.event.pull_request.head.sha }}
-          fetch-depth: 0
-          persist-credentials: false
-          sparse-checkout: .
-
-      - name: Check for changelog entry
-        id: check_files
-        run: |
-          git fetch origin ${GITHUB_BASE_REF}
-
-          # Check for Added (A) or Modified (M) files in changelog.d
-          CHANGELOG_CHANGES=$(git diff --name-status origin/${GITHUB_BASE_REF}...HEAD -- changelog.d/)
-
-          SRC_CHANGES=$(git diff --name-status origin/${GITHUB_BASE_REF}...HEAD -- src/)
-
-          echo "Changes in changelog.d/:"
-          echo "$CHANGELOG_CHANGES"
-          echo "Changes in src/:"
-          echo "$SRC_CHANGES"
-
-          if echo "$CHANGELOG_CHANGES" | grep -q "^[AM]"; then
-            echo "has_changelog=true" >> $GITHUB_OUTPUT
-          else
-            echo "has_changelog=false" >> $GITHUB_OUTPUT
-          fi
-
-          if [ -n "$SRC_CHANGES" ]; then
-            echo "src_changed=true" >> $GITHUB_OUTPUT
-          else
-            echo "src_changed=false" >> $GITHUB_OUTPUT
-          fi
-
-      - name: Manage PR Labels
-        uses: https://github.com/actions/github-script@3a2844b7e9c422d3c10d287c895573f7108da1b3 # v9
-        env:
-          HAS_CHANGELOG: ${{ steps.check_files.outputs.has_changelog }}
-          SRC_CHANGED: ${{ steps.check_files.outputs.src_changed }}
-        with:
-          script: |
-            const hasChangelog = process.env.HAS_CHANGELOG === 'true';
-            const srcChanged = process.env.SRC_CHANGED === 'true';
-
-            const { data: pullRequest } = await github.rest.pulls.get({
-              owner: context.repo.owner,
-              repo: context.repo.repo,
-              pull_number: context.issue.number,
-            });
-
-            const currentLabels = pullRequest.labels.map(l => l.name);
-
-            if (hasChangelog) {
-              console.log('PR has changelog');
-              await github.rest.issues.addLabels({
-                owner: context.repo.owner,
-                repo: context.repo.repo,
-                issue_number: context.issue.number,
-                labels: ['Changelog/Added'],
-              });
-            } else if (currentLabels.includes('Changelog/None')) {
-              console.log('PR has Changelog/None label, skipping.');
-            } else if (srcChanged) {
-              console.log('PR is missing changelog');
-              await github.rest.issues.addLabels({
-                owner: context.repo.owner,
-                repo: context.repo.repo,
-                issue_number: context.issue.number,
-                labels: ['Changelog/Missing'],
-              });
-              core.setFailed("Missing changelog entry (detected)");
-            } else if (currentLabels.includes('Changelog/Missing')) {
-              core.setFailed("Missing changelog entry (label)");
-            } else {
-              console.log('Changelog not needed');
-              // Changelog is probably not needed
-            }

.forgejo/workflows/documentation.yml

@@ -21,7 +21,7 @@ jobs:
 
     steps:
       - name: Sync repository
-        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
+        uses: actions/checkout@v6
         with:
           persist-credentials: false
           fetch-depth: 0
@@ -32,12 +32,12 @@ jobs:
 
       - name: Setup Node.js
         if: steps.runner-env.outputs.node_major == '' || steps.runner-env.outputs.node_major < '20'
-        uses: https://github.com/actions/setup-node@53b83947a5a98c8d113130e565377fae1a50d02f # v6
+        uses: https://github.com/actions/setup-node@v6
         with:
           node-version: 22
 
       - name: Cache npm dependencies
-        uses: actions/cache@v5
+        uses: actions/cache@v3
         with:
           path: ~/.npm
           key: continuwuity-rspress-${{ steps.runner-env.outputs.slug }}-${{ steps.runner-env.outputs.arch }}-node-${{ steps.runner-env.outputs.node_version }}-${{ hashFiles('package-lock.json') }}
@@ -56,7 +56,7 @@ jobs:
 
       - name: Deploy to Cloudflare Pages (Production)
         if: github.ref == 'refs/heads/main' && vars.CLOUDFLARE_PROJECT_NAME != ''
-        uses: https://github.com/cloudflare/wrangler-action@da0e0dfe58b7a431659754fdf3f186c529afbe65 # v3
+        uses: https://github.com/cloudflare/wrangler-action@v3
         with:
           accountId: ${{ secrets.CLOUDFLARE_ACCOUNT_ID }}
           apiToken: ${{ secrets.CLOUDFLARE_API_TOKEN }}
@@ -64,7 +64,7 @@ jobs:
 
       - name: Deploy to Cloudflare Pages (Preview)
         if: github.ref != 'refs/heads/main' && vars.CLOUDFLARE_PROJECT_NAME != ''
-        uses: https://github.com/cloudflare/wrangler-action@da0e0dfe58b7a431659754fdf3f186c529afbe65 # v3
+        uses: https://github.com/cloudflare/wrangler-action@v3
         with:
           accountId: ${{ secrets.CLOUDFLARE_ACCOUNT_ID }}
           apiToken: ${{ secrets.CLOUDFLARE_API_TOKEN }}

.forgejo/workflows/element.yml

@@ -24,7 +24,7 @@ jobs:
 
     steps:
       - name: 📦 Setup Node.js
-        uses: https://github.com/actions/setup-node@53b83947a5a98c8d113130e565377fae1a50d02f # v6
+        uses: https://github.com/actions/setup-node@v6
         with:
           node-version: "22"
 
@@ -121,7 +121,7 @@ jobs:
       - name: 🚀 Deploy to Cloudflare Pages
         if: vars.CLOUDFLARE_PROJECT_NAME != ''
         id: deploy
-        uses: https://github.com/cloudflare/wrangler-action@da0e0dfe58b7a431659754fdf3f186c529afbe65 # v3
+        uses: https://github.com/cloudflare/wrangler-action@v3
         with:
           accountId: ${{ secrets.CLOUDFLARE_ACCOUNT_ID }}
           apiToken: ${{ secrets.CLOUDFLARE_API_TOKEN }}

.forgejo/workflows/mirror-images.yml

@@ -2,11 +2,8 @@ name: Mirror Container Images
 
 on:
   schedule:
-    # Run nightly
-    - cron: "25 2 * * *"
-
-  workflow_call:
-
+    # Run every 2 hours
+    - cron: "0 */2 * * *"
   workflow_dispatch:
     inputs:
       dry_run:
@@ -41,7 +38,7 @@ jobs:
       DOCKER_MIRROR_TOKEN: ${{ secrets.DOCKER_MIRROR_TOKEN }}
     steps:
       - name: Checkout repository
-        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
+        uses: actions/checkout@v6
         with:
           persist-credentials: false
 
@@ -54,8 +51,10 @@ jobs:
       #     owner: continuwuity
       #     repositories: continuwuity
 
-      - name: Install regsync
-        uses: https://github.com/regclient/actions/regsync-installer@f3c6d87835906c175eb6ccfc18b348b69bb447e7 # main
+      - name: Install regctl
+        uses: https://forgejo.ellis.link/continuwuation/regclient-actions/regctl-installer@main
+        with:
+          binary: regsync
 
       - name: Check what images need mirroring
         run: |

.forgejo/workflows/prek-checks.yml

@@ -16,7 +16,7 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - name: Checkout repository
-        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
+        uses: actions/checkout@v6
         with:
           persist-credentials: false
 
@@ -47,7 +47,7 @@ jobs:
 
     steps:
       - name: Checkout repository
-        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
+        uses: actions/checkout@v6
         with:
           persist-credentials: false
 

.forgejo/workflows/release-image.yml

@@ -9,9 +9,6 @@ on:
     paths-ignore:
       - "*.md"
       - "**/*.md"
-      - "*.mdx"
-      - "**/*.mdx"
-      - "changelog.d/**"
       - ".gitlab-ci.yml"
       - ".gitignore"
       - "renovate.json"
@@ -46,7 +43,7 @@ jobs:
 
     steps:
       - name: Checkout repository
-        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
+        uses: actions/checkout@v6
         with:
           persist-credentials: false
       - name: Prepare Docker build environment
@@ -62,7 +59,7 @@ jobs:
           registry_password: ${{ secrets.BUILTIN_REGISTRY_PASSWORD || secrets.GITHUB_TOKEN }}
       - name: Build and push Docker image by digest
         id: build
-        uses: docker/build-push-action@bcafcacb16a39f128d818304e6c9c0c18556b85f # v7
+        uses: docker/build-push-action@v6
         with:
           context: .
           file: "docker/Dockerfile"
@@ -100,7 +97,7 @@ jobs:
     needs: build-release
     steps:
       - name: Checkout repository
-        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
+        uses: actions/checkout@v6
         with:
           persist-credentials: false
       - name: Create multi-platform manifest
@@ -133,7 +130,7 @@ jobs:
 
     steps:
       - name: Checkout repository
-        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
+        uses: actions/checkout@v6
         with:
           persist-credentials: false
       - name: Prepare max-perf Docker build environment
@@ -149,7 +146,7 @@ jobs:
           registry_password: ${{ secrets.BUILTIN_REGISTRY_PASSWORD || secrets.GITHUB_TOKEN }}
       - name: Build and push max-perf Docker image by digest
         id: build
-        uses: docker/build-push-action@bcafcacb16a39f128d818304e6c9c0c18556b85f # v7
+        uses: docker/build-push-action@v6
         with:
           context: .
           file: "docker/Dockerfile"
@@ -187,7 +184,7 @@ jobs:
     needs: build-maxperf
     steps:
       - name: Checkout repository
-        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
+        uses: actions/checkout@v6
         with:
           persist-credentials: false
       - name: Create max-perf manifest
@@ -198,22 +195,3 @@ jobs:
           images: ${{ env.IMAGE_PATH }}
           registry_user: ${{ vars.BUILTIN_REGISTRY_USER || github.actor }}
           registry_password: ${{ secrets.BUILTIN_REGISTRY_PASSWORD || secrets.GITHUB_TOKEN }}
-
-  mirror_images:
-    name: "Mirror Images"
-    runs-on: ubuntu-latest
-    needs:
-      - merge-maxperf
-      - merge-release
-    env:
-      BUILTIN_REGISTRY_USER: ${{ vars.BUILTIN_REGISTRY_USER }}
-      BUILTIN_REGISTRY_PASSWORD: ${{ secrets.BUILTIN_REGISTRY_PASSWORD }}
-      GITLAB_USERNAME: ${{ vars.GITLAB_USERNAME }}
-      GITLAB_TOKEN: ${{ secrets.GITLAB_TOKEN }}
-      N7574_GIT_USERNAME: ${{ vars.N7574_GIT_USERNAME }}
-      N7574_GIT_TOKEN: ${{ secrets.N7574_GIT_TOKEN }}
-      GH_PACKAGES_USER: ${{ vars.GH_PACKAGES_USER }}
-      GH_PACKAGES_TOKEN: ${{ secrets.GH_PACKAGES_TOKEN }}
-      DOCKER_MIRROR_USER: ${{ vars.DOCKER_MIRROR_USER }}
-      DOCKER_MIRROR_TOKEN: ${{ secrets.DOCKER_MIRROR_TOKEN }}
-    uses: ./.forgejo/workflows/mirror-images.yml

.forgejo/workflows/renovate.yml

@@ -43,11 +43,11 @@ jobs:
     name: Renovate
     runs-on: ubuntu-latest
     container:
-      image: ghcr.io/renovatebot/renovate:43.111.0@sha256:da5fcac20c48d9792aac9c61fd234531bfa8df61263a39387cd8920263ca4768
+      image: ghcr.io/renovatebot/renovate:42.70.2@sha256:3c2ac1b94fa92ef2fa4d1a0493f2c3ba564454720a32fdbcac2db2846ff1ee47
       options: --tmpfs /tmp:exec
     steps:
       - name: Checkout
-        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
+        uses: actions/checkout@v6
         with:
           show-progress: false
 
@@ -55,7 +55,7 @@ jobs:
         run: /usr/local/renovate/node -e 'console.log(`node heap limit = ${require("v8").getHeapStatistics().heap_size_limit / (1024 * 1024)} Mb`)'
 
       - name: Restore renovate repo cache
-        uses: actions/cache/restore@v5
+        uses: actions/cache/restore@v4
         with:
           path: |
             /tmp/renovate/cache/renovate/repository
@@ -64,7 +64,7 @@ jobs:
             renovate-repo-cache-
 
       - name: Restore renovate package cache
-        uses: actions/cache/restore@v5
+        uses: actions/cache/restore@v4
         with:
           path: |
             /tmp/renovate/cache/renovate/renovate-cache-sqlite
@@ -73,7 +73,7 @@ jobs:
             renovate-package-cache-
 
       - name: Restore renovate OSV cache
-        uses: actions/cache/restore@v5
+        uses: actions/cache/restore@v4
         with:
           path: |
             /tmp/osv
@@ -109,7 +109,7 @@ jobs:
       - name: Save renovate repo cache
         if: always()
         uses:
-          actions/cache/save@v5
+          actions/cache/save@v4
         with:
           path: |
             /tmp/renovate/cache/renovate/repository
@@ -117,7 +117,7 @@ jobs:
 
       - name: Save renovate package cache
         if: always()
-        uses: actions/cache/save@v5
+        uses: actions/cache/save@v4
         with:
           path: |
             /tmp/renovate/cache/renovate/renovate-cache-sqlite
@@ -125,7 +125,7 @@ jobs:
 
       - name: Save renovate OSV cache
         if: always()
-        uses: actions/cache/save@v5
+        uses: actions/cache/save@v4
         with:
           path: |
             /tmp/osv

.forgejo/workflows/update-flake-hashes.yml

@@ -14,21 +14,50 @@ jobs:
   update-flake-hashes:
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
+      - uses: actions/checkout@v6
         with:
+          fetch-depth: 0
+          fetch-tags: false
+          fetch-single-branch: true
+          submodules: false
           persist-credentials: true
           token: ${{ secrets.FORGEJO_TOKEN }}
 
-      - name: Install Lix
-        uses: https://github.com/samueldr/lix-gha-installer-action@f5e94192f565f53d84f41a056956dc0d3183b343
+      - uses: https://github.com/cachix/install-nix-action@4e002c8ec80594ecd40e759629461e26c8abed15 # v31.9.0
         with:
-          extra_nix_config: experimental-features = nix-command flakes flake-self-attrs
+          nix_path: nixpkgs=channel:nixos-unstable
+
+        # We can skip getting a toolchain hash if this was ran as a dispatch with the intent
+        # to update just the rocksdb hash. If this was ran as a dispatch and the toolchain
+        # files are changed, we still update them, as well as the rocksdb import.
+      - name: Detect changed files
+        id: changes
+        run: |
+          git fetch origin ${{ github.base_ref }} --depth=1 || true
+          if [ -n "${{ github.event.pull_request.base.sha }}" ]; then
+            base=${{ github.event.pull_request.base.sha }}
+          else
+            base=$(git rev-parse HEAD~1)
+          fi
+          echo "Base: $base"
+          echo "HEAD: $(git rev-parse HEAD)"
+          git diff --name-only $base HEAD > changed_files.txt
+          echo "detected changes in $(cat changed_files.txt)"
+          # Join files with commas
+          files=$(paste -sd, changed_files.txt)
+          echo "files=$files" >> $FORGEJO_OUTPUT
+
+      - name: Debug output
+        run: |
+          echo "State of output"
+          echo "Changed files: ${{ steps.changes.outputs.files }}"
 
       - name: Get new toolchain hash
+        if: contains(steps.changes.outputs.files, 'Cargo.toml') || contains(steps.changes.outputs.files, 'Cargo.lock') || contains(steps.changes.outputs.files, 'rust-toolchain.toml')
         run: |
           # Set the current sha256 to an empty hash to make `nix build` calculate a new one
-          awk '/fromToolchainFile *\{/{found=1; print; next} found && /sha256 =/{sub(/sha256 = .*/, "sha256 = lib.fakeSha256;"); found=0} 1' nix/rust.nix > temp.nix
-          mv temp.nix nix/rust.nix
+          awk '/fromToolchainFile *\{/{found=1; print; next} found && /sha256 =/{sub(/sha256 = .*/, "sha256 = lib.fakeSha256;"); found=0} 1' nix/packages/rust.nix > temp.nix
+          mv temp.nix nix/packages/rust.nix
 
           # Build continuwuity and filter for the new hash
           # We do `|| true` because we want this to fail without stopping the workflow
@@ -36,17 +65,36 @@ jobs:
 
           # Place the new hash in place of the empty hash
           new_hash=$(cat new_toolchain_hash.txt)
-          sed -i "s|lib.fakeSha256|\"$new_hash\"|" nix/rust.nix
+          sed -i "s|lib.fakeSha256|\"$new_hash\"|" nix/packages/rust.nix
 
           echo "New hash:"
-          awk -F'"' '/fromToolchainFile/{found=1; next} found && /sha256 =/{print $2; found=0}' nix/rust.nix
+          awk -F'"' '/fromToolchainFile/{found=1; next} found && /sha256 =/{print $2; found=0}' nix/packages/rust.nix
           echo "Expected new hash:"
           cat new_toolchain_hash.txt
 
           rm new_toolchain_hash.txt
 
-      - name: Update rocksdb
-        run: nix run .#update-rocksdb
+      - name: Get new rocksdb hash
+        if: contains(steps.changes.outputs.files, '.nix') || contains(steps.changes.outputs.files, 'flake.lock')
+        run: |
+          # Set the current sha256 to an empty hash to make `nix build` calculate a new one
+          awk '/repo = "rocksdb";/{found=1; print; next} found && /sha256 =/{sub(/sha256 = .*/, "sha256 = lib.fakeSha256;"); found=0} 1' nix/packages/rocksdb/package.nix > temp.nix
+          mv temp.nix nix/packages/rocksdb/package.nix
+
+          # Build continuwuity and filter for the new hash
+          # We do `|| true` because we want this to fail without stopping the workflow
+          nix build .#default 2>&1 | tee >(grep 'got:' | awk '{print $2}' > new_rocksdb_hash.txt) || true
+
+          # Place the new hash in place of the empty hash
+          new_hash=$(cat new_rocksdb_hash.txt)
+          sed -i "s|lib.fakeSha256|\"$new_hash\"|" nix/packages/rocksdb/package.nix
+
+          echo "New hash:"
+          awk -F'"' '/repo = "rocksdb";/{found=1; next} found && /sha256 =/{print $2; found=0}' nix/packages/rocksdb/package.nix
+          echo "Expected new hash:"
+          cat new_rocksdb_hash.txt
+
+          rm new_rocksdb_hash.txt
 
       - name: Show diff
         run: git diff flake.nix nix

.github/FUNDING.yml

@@ -1,4 +1,4 @@
 github: [JadedBlueEyes, nexy7574, gingershaped]
 custom:
-  - https://timedout.uk/donate.html
-  - https://jade.ellis.link/sponsors
+  - https://ko-fi.com/nexy7574
+  - https://ko-fi.com/JadedBlueEyes

.pre-commit-config.yaml

@@ -1,6 +1,5 @@
 default_install_hook_types:
   - pre-commit
-  - pre-push
   - commit-msg
 default_stages:
   - pre-commit
@@ -24,7 +23,7 @@ repos:
         - id: check-added-large-files
 
   - repo: https://github.com/crate-ci/typos
-    rev: v1.45.1
+    rev: v1.43.5
     hooks:
       - id: typos
       - id: typos
@@ -32,7 +31,7 @@ repos:
         stages: [commit-msg]
 
   - repo: https://github.com/crate-ci/committed
-    rev: v1.1.11
+    rev: v1.1.10
     hooks:
     - id: committed
 
@@ -46,14 +45,3 @@ repos:
         pass_filenames: false
         stages:
             - pre-commit
-
-  - repo: local
-    hooks:
-      - id: cargo-clippy
-        name: cargo clippy
-        entry: cargo clippy -- -D warnings
-        language: system
-        pass_filenames: false
-        types: [rust]
-        stages:
-          - pre-push

CHANGELOG.md

@@ -1,32 +1,3 @@
-# Continuwuity 0.5.6 (2026-03-03)
-
-## Security
-
-- Admin escape commands received over federation will never be executed, as this is never valid in a genuine situation. Contributed by @Jade.
-- Fixed data amplification vulnerability (CWE-409) that affected configurations with server-side compression enabled (non-default). Contributed by @nex.
-
-## Features
-
-- Outgoing presence is now disabled by default, and the config option documentation has been adjusted to more accurately represent the weight of presence, typing indicators, and read receipts. Contributed by @nex. ([#1399](https://forgejo.ellis.link/continuwuation/continuwuity/pulls/1399))
-- Improved the concurrency handling of federation transactions, vastly improving performance and reliability by more accurately handling inbound transactions and reducing the amount of repeated wasted work. Contributed by @nex and @Jade. ([#1428](https://forgejo.ellis.link/continuwuation/continuwuity/pulls/1428))
-- Added [MSC3202](https://github.com/matrix-org/matrix-spec-proposals/pull/3202) Device masquerading (not all of MSC3202). This should fix issues with enabling [MSC4190](https://github.com/matrix-org/matrix-spec-proposals/pull/4190) for some Mautrix bridges. Contributed by @Jade ([#1435](https://forgejo.ellis.link/continuwuation/continuwuity/pulls/1435))
-- Added [MSC3814](https://github.com/matrix-org/matrix-spec-proposals/pull/3814) Dehydrated Devices - you can now decrypt messages sent while all devices were logged out. ([#1436](https://forgejo.ellis.link/continuwuation/continuwuity/pulls/1436))
-- Implement [MSC4143](https://github.com/matrix-org/matrix-spec-proposals/pull/4143) MatrixRTC transport discovery endpoint. Move RTC foci configuration from `[global.well_known]` to a new `[global.matrix_rtc]` section with a `foci` field. Contributed by @0xnim ([#1442](https://forgejo.ellis.link/continuwuation/continuwuity/pulls/1442))
-- Updated `list-backups` admin command to output one backup per line. ([#1394](https://forgejo.ellis.link/continuwuation/continuwuity/pulls/1394))
-- Improved URL preview fetching with a more compatible user agent for sites like YouTube Music. Added `!admin media delete-url-preview <url>` command to clear cached URL previews that were stuck and broken. ([#1434](https://forgejo.ellis.link/continuwuation/continuwuity/pulls/1434))
-
-## Bugfixes
-
-- Removed non-compliant nor functional room alias lookups over federation. Contributed by @nex ([#1393](https://forgejo.ellis.link/continuwuation/continuwuity/pulls/1393))
-- Removed ability to set rocksdb as read only. Doing so would cause unintentional and buggy behaviour. Contributed by @Terryiscool160. ([#1418](https://forgejo.ellis.link/continuwuation/continuwuity/pulls/1418))
-- Fixed a startup crash in the sender service if we can't detect the number of CPU cores, even if the `sender_workers` config option is set correctly. Contributed by @katie. ([#1421](https://forgejo.ellis.link/continuwuation/continuwuity/pulls/1421))
-- Removed the `allow_public_room_directory_without_auth` config option. Contributed by @0xnim. ([#1441](https://forgejo.ellis.link/continuwuation/continuwuity/pulls/1441))
-- Fixed sliding sync v5 list ranges always starting from 0, causing extra rooms to be unnecessarily processed and returned. Contributed by @0xnim ([#1445](https://forgejo.ellis.link/continuwuation/continuwuity/pulls/1445))
-- Fixed a bug that (repairably) caused a room split between continuwuity and non-continuwuity servers when the room had both `m.room.policy` and `org.matrix.msc4284.policy` in its room state. Contributed by @nex ([#1481](https://forgejo.ellis.link/continuwuation/continuwuity/pulls/1481))
-- Fixed `!admin media delete --mxc <url>` responding with an error message when the media was deleted successfully. Contributed by @lynxize
-- Fixed spurious 404 media errors in the logs. Contributed by @benbot.
-- Fixed spurious warn about needed backfill via federation for non-federated rooms. Contributed by @kraem.
-
 # Continuwuity v0.5.5 (2026-02-15)
 
 ## Features

CODE_OF_CONDUCT.md

@@ -1 +1,131 @@
-Contributors are expected to follow the [Continuwuity Community Guidelines](continuwuity.org/community/guidelines).
+# Contributor Covenant Code of Conduct
+
+## Our Pledge
+
+We as members, contributors, and leaders pledge to make participation in our
+community a harassment-free experience for everyone, regardless of age, body
+size, visible or invisible disability, ethnicity, sex characteristics, gender
+identity and expression, level of experience, education, socio-economic status,
+nationality, personal appearance, race, caste, color, religion, or sexual
+identity and orientation.
+
+We pledge to act and interact in ways that contribute to an open, welcoming,
+diverse, inclusive, and healthy community.
+
+## Our Standards
+
+Examples of behavior that contributes to a positive environment for our
+community include:
+
+* Demonstrating empathy and kindness toward other people
+* Being respectful of differing opinions, viewpoints, and experiences
+* Giving and gracefully accepting constructive feedback
+* Accepting responsibility and apologizing to those affected by our mistakes,
+  and learning from the experience
+* Focusing on what is best not just for us as individuals, but for the overall
+  community
+
+Examples of unacceptable behavior include:
+
+* The use of sexualized language or imagery, and sexual attention or advances of
+  any kind
+* Trolling, insulting or derogatory comments, and personal or political attacks
+* Public or private harassment
+* Publishing others' private information, such as a physical or email address,
+  without their explicit permission
+* Other conduct which could reasonably be considered inappropriate in a
+  professional setting
+
+## Enforcement Responsibilities
+
+Community leaders are responsible for clarifying and enforcing our standards of
+acceptable behavior and will take appropriate and fair corrective action in
+response to any behavior that they deem inappropriate, threatening, offensive,
+or harmful.
+
+Community leaders have the right and responsibility to remove, edit, or reject
+comments, commits, code, wiki edits, issues, and other contributions that are
+not aligned to this Code of Conduct, and will communicate reasons for moderation
+decisions when appropriate.
+
+## Scope
+
+This Code of Conduct applies within all community spaces, and also applies when
+an individual is officially representing the community in public spaces.
+Examples of representing our community include using an official e-mail address,
+posting via an official social media account, or acting as an appointed
+representative at an online or offline event.
+
+## Enforcement
+
+Instances of abusive, harassing, or otherwise unacceptable behavior may be
+reported to the community leaders responsible for enforcement over Matrix at [#continuwuity:continuwuity.org](https://matrix.to/#/#continuwuity:continuwuity.org?via=continuwuity.org&via=ellis.link&via=explodie.org&via=matrix.org) or email at <tom@tcpip.uk>, <jade@continuwuity.org> and <nex@continuwuity.org> respectively.
+All complaints will be reviewed and investigated promptly and fairly.
+
+All community leaders are obligated to respect the privacy and security of the
+reporter of any incident.
+
+## Enforcement Guidelines
+
+Community leaders will follow these Community Impact Guidelines in determining
+the consequences for any action they deem in violation of this Code of Conduct:
+
+### 1. Correction
+
+**Community Impact**: Use of inappropriate language or other behavior deemed
+unprofessional or unwelcome in the community.
+
+**Consequence**: A private, written warning from community leaders, providing
+clarity around the nature of the violation and an explanation of why the
+behavior was inappropriate. A public apology may be requested.
+
+### 2. Warning
+
+**Community Impact**: A violation through a single incident or series of
+actions.
+
+**Consequence**: A warning with consequences for continued behavior. No
+interaction with the people involved, including unsolicited interaction with
+those enforcing the Code of Conduct, for a specified period of time. This
+includes avoiding interactions in community spaces as well as external channels
+like social media. Violating these terms may lead to a temporary or permanent
+ban.
+
+### 3. Temporary Ban
+
+**Community Impact**: A serious violation of community standards, including
+sustained inappropriate behavior.
+
+**Consequence**: A temporary ban from any sort of interaction or public
+communication with the community for a specified period of time. No public or
+private interaction with the people involved, including unsolicited interaction
+with those enforcing the Code of Conduct, is allowed during this period.
+Violating these terms may lead to a permanent ban.
+
+### 4. Permanent Ban
+
+**Community Impact**: Demonstrating a pattern of violation of community
+standards, including sustained inappropriate behavior, harassment of an
+individual, or aggression toward or disparagement of classes of individuals.
+
+**Consequence**: A permanent ban from any sort of public interaction within the
+community.
+
+## Attribution
+
+This Code of Conduct is adapted from the [Contributor Covenant][homepage],
+version 2.1, available at
+[https://www.contributor-covenant.org/version/2/1/code_of_conduct.html][v2.1].
+
+Community Impact Guidelines were inspired by
+[Mozilla's code of conduct enforcement ladder][Mozilla CoC].
+
+For answers to common questions about this code of conduct, see the FAQ at
+[https://www.contributor-covenant.org/faq][FAQ]. Translations are available at
+[https://www.contributor-covenant.org/translations][translations].
+
+[homepage]: https://www.contributor-covenant.org
+[v2.1]: https://www.contributor-covenant.org/version/2/1/code_of_conduct.html
+[Mozilla CoC]: https://github.com/mozilla/diversity
+[FAQ]: https://www.contributor-covenant.org/faq
+[translations]: https://www.contributor-covenant.org/translations

CONTRIBUTING.md

@@ -22,21 +22,25 @@ ### Pre-commit Checks
 - Validating YAML, JSON, and TOML files
 - Checking for merge conflicts
 
-You can run these checks locally by installing [prek](https://github.com/j178/prek):
+You can run these checks locally by installing [prefligit](https://github.com/j178/prefligit):
 
 
 ```bash
-# Install prek using cargo-binstall
-cargo binstall prek
+# Requires UV: https://docs.astral.sh/uv/getting-started/installation/
+# Mac/linux: curl -LsSf https://astral.sh/uv/install.sh | sh
+# Windows: powershell -ExecutionPolicy ByPass -c "irm https://astral.sh/uv/install.ps1 | iex"
+
+# Install prefligit using cargo-binstall
+cargo binstall prefligit
 
 # Install git hooks to run checks automatically
-prek install
+prefligit install
 
 # Run all checks
-prek --all-files
+prefligit --all-files
 ```
 
-Alternatively, you can use [pre-commit][pre-commit]:
+Alternatively, you can use [pre-commit](https://pre-commit.com/):
 ```bash
 # Requires python
 
@@ -50,9 +54,7 @@ # Run all checks manually
 pre-commit run --all-files
 ```
 
-These same checks are run in CI via the prek-checks workflow to ensure consistency. These must pass before the PR is merged.
-
-[pre-commit]: https://pre-commit.com/
+These same checks are run in CI via the prefligit-checks workflow to ensure consistency. These must pass before the PR is merged.
 
 ### Running tests locally
 
@@ -111,7 +113,7 @@ ### Writing documentation
 
 ### Commit Messages
 
-Continuwuity follows the [Conventional Commits][conventional-commits] specification for commit messages. This provides a standardized format that makes the commit history more readable and enables automated tools to generate changelogs.
+Continuwuity follows the [Conventional Commits](https://www.conventionalcommits.org/) specification for commit messages. This provides a standardized format that makes the commit history more readable and enables automated tools to generate changelogs.
 
 The basic structure is:
 
@@ -170,7 +172,6 @@ ### Creating pull requests
 their contributions accepted. This includes users who have been banned from
 continuwuity Matrix rooms for Code of Conduct violations.
 
-[conventional-commits]: https://www.conventionalcommits.org/
 [issues]: https://forgejo.ellis.link/continuwuation/continuwuity/issues
 [continuwuity-matrix]: https://matrix.to/#/#continuwuity:continuwuity.org?via=continuwuity.org&via=ellis.link&via=explodie.org&via=matrix.org
 [complement]: https://github.com/matrix-org/complement/
@@ -178,32 +179,3 @@ ### Creating pull requests
 [nodejs-download]: https://nodejs.org/en/download
 [rspress]: https://rspress.rs/
 [documentation.yml]: https://forgejo.ellis.link/continuwuation/continuwuity/src/branch/main/.forgejo/workflows/documentation.yml
-
-#### Writing news fragments
-
-In order to make writing our changelogs easier, we make use of [Towncrier]. Towncrier builds changelogs based on
-"news fragments", which are little markdown files in the `changelog.d/` directory that describe individual changes.
-
-When you make a pull request that changes functionality, fixes a bug, or adds documentation, please add a news fragment
-describing your change. The file name *MUST* be in the format of `{pull_request_number}.{type}`, where `{type}` is one
-of the following:
-
-- `feature` - for new features
-- `bugfix` - for bug fixes
-- `doc` - for documentation changes
-- `misc` - for other changes that don't fit the above categories
-
-For example:
-
-```bash
-$ echo "Fixed the quantum flux stabiliser. Contributed by @alice." > changelog.d/42.bugfix
-```
-
-(Note: If you want to credit yourself, you should reference your forgejo handle, however links to other platforms are also acceptable.)
-
-When the next release is made, Towncrier will automatically include your news fragment in the changelog.
-
-You can read more about writing news fragments in the [Towncrier tutorial][tt].
-
-[Towncrier]: https://towncrier.readthedocs.io/
-[tt]: https://towncrier.readthedocs.io/en/stable/tutorial.html#creating-news-fragments

Cargo.toml

@@ -12,7 +12,7 @@ license = "Apache-2.0"
 # See also `rust-toolchain.toml`
 readme = "README.md"
 repository = "https://forgejo.ellis.link/continuwuation/continuwuity"
-version = "0.5.7-alpha.1"
+version = "0.5.5"
 
 [workspace.metadata.crane]
 name = "conduwuit"
@@ -39,7 +39,7 @@ features = ["ffi", "std", "union"]
 version = "0.7.0"
 
 [workspace.dependencies.ctor]
-version = "0.9.0"
+version = "0.6.0"
 
 [workspace.dependencies.cargo_toml]
 version = "0.22"
@@ -60,7 +60,7 @@ default-features = false
 
 # used for TURN server authentication
 [workspace.dependencies.hmac]
-version = "0.13.0"
+version = "0.12.1"
 default-features = false
 
 # used for checking if an IP is in specific subnets / CIDR ranges easier
@@ -97,9 +97,9 @@ features = [
 ]
 
 [workspace.dependencies.axum-extra]
-version = "0.12.0"
+version = "0.10.1"
 default-features = false
-features = ["typed-header", "tracing", "cookie"]
+features = ["typed-header", "tracing"]
 
 [workspace.dependencies.axum-server]
 version = "0.7.2"
@@ -144,7 +144,6 @@ features = [
     "socks",
     "hickory-dns",
     "http2",
-    "stream",
 ]
 
 [workspace.dependencies.serde]
@@ -159,7 +158,7 @@ features = ["raw_value"]
 
 # Used for appservice registration files
 [workspace.dependencies.serde-saphyr]
-version = "0.0.23"
+version = "0.0.19"
 
 # Used to load forbidden room/user regex from config
 [workspace.dependencies.serde_regex]
@@ -278,7 +277,7 @@ features = [
 ]
 
 [workspace.dependencies.hyper-util]
-version = "=0.1.20"
+version = "=0.1.17"
 default-features = false
 features = [
     "server-auto",
@@ -332,7 +331,7 @@ version = "0.4.0"
 
 # used for MPMC channels
 [workspace.dependencies.async-channel]
-version = "2.5.0"
+version = "2.3.1"
 
 [workspace.dependencies.async-trait]
 version = "0.1.88"
@@ -344,7 +343,7 @@ version = "0.1.2"
 [workspace.dependencies.ruma]
 git = "https://forgejo.ellis.link/continuwuation/ruwuma"
 #branch = "conduwuit-changes"
-rev = "1415caf8a32af4d943580c5ea4e12be1974593c2"
+rev = "e087ff15888156942ca2ffe6097d1b4c3fd27628"
 features = [
     "compat",
     "rand",
@@ -364,7 +363,6 @@ features = [
     "unstable-msc2870",
     "unstable-msc3026",
     "unstable-msc3061",
-    "unstable-msc3814",
     "unstable-msc3245",
     "unstable-msc3266",
     "unstable-msc3381", # polls
@@ -383,13 +381,11 @@ features = [
     "unstable-pdu",
     "unstable-msc4155",
     "unstable-msc4143", # livekit well_known response
-    "unstable-msc4284",
-    "unstable-msc4439", # pgp_key in .well_known/matrix/support
 ]
 
 [workspace.dependencies.rust-rocksdb]
 git = "https://forgejo.ellis.link/continuwuation/rust-rocksdb-zaidoon1"
-rev = "31fb8f772c7afcdc0061ab6a40cfa3a1be2fccd9"
+rev = "61d9d23872197e9ace4a477f2617d5c9f50ecb23"
 default-features = false
 features = [
     "multi-threaded-cf",
@@ -400,11 +396,11 @@ features = [
 ]
 
 [workspace.dependencies.sha2]
-version = "0.11.0"
+version = "0.10.8"
 default-features = false
 
 [workspace.dependencies.sha1]
-version = "0.11.0"
+version = "0.10.6"
 default-features = false
 
 # optional opentelemetry, performance measurements, flamegraphs, etc for performance measurements and monitoring
@@ -452,7 +448,7 @@ version = "0.46.0"
 # jemalloc usage
 [workspace.dependencies.tikv-jemalloc-sys]
 git = "https://forgejo.ellis.link/continuwuation/jemallocator"
-rev = "df86ff89d4b1e223b9f7d2dd2fbb7f202da7f554"
+rev = "82af58d6a13ddd5dcdc7d4e91eae3b63292995b8"
 default-features = false
 features = [
     "background_threads_runtime_support",
@@ -460,7 +456,7 @@ features = [
 ]
 [workspace.dependencies.tikv-jemallocator]
 git = "https://forgejo.ellis.link/continuwuation/jemallocator"
-rev = "df86ff89d4b1e223b9f7d2dd2fbb7f202da7f554"
+rev = "82af58d6a13ddd5dcdc7d4e91eae3b63292995b8"
 default-features = false
 features = [
     "background_threads_runtime_support",
@@ -468,7 +464,7 @@ features = [
 ]
 [workspace.dependencies.tikv-jemalloc-ctl]
 git = "https://forgejo.ellis.link/continuwuation/jemallocator"
-rev = "df86ff89d4b1e223b9f7d2dd2fbb7f202da7f554"
+rev = "82af58d6a13ddd5dcdc7d4e91eae3b63292995b8"
 default-features = false
 features = ["use_std"]
 
@@ -481,7 +477,7 @@ default-features = false
 features = ["resource"]
 
 [workspace.dependencies.sd-notify]
-version = "0.5.0"
+version = "0.4.5"
 default-features = false
 
 [workspace.dependencies.hardened_malloc-rs]
@@ -494,7 +490,7 @@ features = [
 ]
 
 [workspace.dependencies.rustyline-async]
-version = "0.4.9"
+version = "0.4.3"
 default-features = false
 
 [workspace.dependencies.termimad]
@@ -527,7 +523,7 @@ version = "0.4.13"
 version = "2.0"
 
 [workspace.dependencies.core_affinity]
-version = "0.8.3"
+version = "0.8.1"
 
 [workspace.dependencies.libc]
 version = "0.2"
@@ -551,25 +547,15 @@ version = "0.12.0"
 default-features = false
 features = ["sync", "tls-rustls", "rustls-provider"]
 
+[workspace.dependencies.resolv-conf]
+version = "0.7.5"
+
 [workspace.dependencies.yansi]
 version = "1.0.1"
 
 [workspace.dependencies.askama]
 version = "0.15.0"
 
-[workspace.dependencies.lettre]
-version = "0.11.19"
-default-features = false
-features = ["smtp-transport", "pool", "hostname", "builder", "rustls", "rustls-native-certs", "tokio1", "ring", "tokio1-rustls", "tracing", "serde"]
-
-[workspace.dependencies.governor]
-version = "0.10.4"
-default-features = false
-features = ["std"]
-
-[workspace.dependencies.nonzero_ext]
-version = "0.3.0"
-
 #
 # Patches
 #
@@ -582,25 +568,25 @@ version = "0.3.0"
 # adds event for CTRL+\: https://forgejo.ellis.link/continuwuation/rustyline-async/src/branch/main/.patchy/0001-add-event-for-ctrl.patch
 [patch.crates-io.rustyline-async]
 git = "https://forgejo.ellis.link/continuwuation/rustyline-async"
-rev = "b13aca2cc08d5f78303746cd192d9a03d73e768e"
+rev = "e9f01cf8c6605483cb80b3b0309b400940493d7f"
 
 # adds LIFO queue scheduling; this should be updated with PR progress.
 [patch.crates-io.event-listener]
 git = "https://forgejo.ellis.link/continuwuation/event-listener"
-rev = "b2c19bcaf5a0a69c38c034e417bda04a9b991529"
+rev = "fe4aebeeaae435af60087ddd56b573a2e0be671d"
 [patch.crates-io.async-channel]
 git = "https://forgejo.ellis.link/continuwuation/async-channel"
-rev = "e990f0006b68dc9bace7a3c95fc90b5c4e44948d"
+rev = "92e5e74063bf2a3b10414bcc8a0d68b235644280"
 
 # adds affinity masks for selecting more than one core at a time
 [patch.crates-io.core_affinity]
 git = "https://forgejo.ellis.link/continuwuation/core_affinity_rs"
-rev = "7c7a9dea35382743a63837cdd1d977efdb8f1b8a"
+rev = "9c8e51510c35077df888ee72a36b4b05637147da"
 
 # reverts hyperium#148 conflicting with our delicate federation resolver hooks
 [patch.crates-io.hyper-util]
 git = "https://forgejo.ellis.link/continuwuation/hyper-util"
-rev = "09fcd3bf4656c81a8ad573bee410ab2b57f60b86"
+rev = "5886d5292bf704c246206ad72d010d674a7b77d0"
 
 #
 # Our crates
@@ -930,6 +916,7 @@ fn_to_numeric_cast_any = "warn"
 format_push_string = "warn"
 get_unwrap = "warn"
 impl_trait_in_params = "warn"
+let_underscore_untyped = "warn"
 lossy_float_literal = "warn"
 mem_forget = "warn"
 missing_assert_message = "warn"
@@ -979,6 +966,3 @@ needless_raw_string_hashes = "allow"
 
 # TODO: Enable this lint & fix all instances
 collapsible_if = "allow"
-
-# TODO: break these apart
-cognitive_complexity = "allow"

LICENSE

@@ -1,3 +1,4 @@
+
                                  Apache License
                            Version 2.0, January 2004
                         http://www.apache.org/licenses/
@@ -186,7 +187,7 @@
       same "printed page" as the copyright notice for easier
       identification within third-party archives.
 
-   Copyright 2023 Continuwuity Team and contributors
+   Copyright 2023 June
 
    Licensed under the Apache License, Version 2.0 (the "License");
    you may not use this file except in compliance with the License.

bin/complement

@@ -6,10 +6,10 @@ set -euo pipefail
 COMPLEMENT_SRC="${COMPLEMENT_SRC:-$1}"
 
 # A `.jsonl` file to write test logs to
-LOG_FILE="${2:-tests/test_results/complement/test_logs.jsonl}"
+LOG_FILE="${2:-complement_test_logs.jsonl}"
 
 # A `.jsonl` file to write test results to
-RESULTS_FILE="${3:-tests/test_results/complement/test_results.jsonl}"
+RESULTS_FILE="${3:-complement_test_results.jsonl}"
 
 # The base docker image to use for complement tests
 # You can build the default with `docker build -t continuwuity:complement -f ./docker/complement.Dockerfile .`

book.toml

@@ -0,0 +1,23 @@
+[book]
+title = "continuwuity"
+description = "continuwuity is a community continuation of the conduwuit Matrix homeserver, written in Rust."
+language = "en"
+authors = ["The continuwuity Community"]
+text-direction = "ltr"
+src = "docs"
+
+[build]
+build-dir = "public"
+create-missing = true
+extra-watch-dirs = ["debian", "docs"]
+
+[rust]
+edition = "2024"
+
+[output.html]
+edit-url-template = "https://forgejo.ellis.link/continuwuation/continuwuity/src/branch/main/{path}"
+git-repository-url = "https://forgejo.ellis.link/continuwuation/continuwuity"
+git-repository-icon = "fa-git-alt"
+
+[output.html.search]
+limit-results = 15

changelog.d/+1770db35.feature.md

@@ -1 +0,0 @@
-Added support for associating email addresses with accounts, requiring email addresses for registration, and resetting passwords via email. Contributed by @ginger

changelog.d/+6368729a.feature.md

@@ -1 +0,0 @@
-Added support for using an admin command to issue self-service password reset links.

changelog.d/+6e57599d.bugfix.md

@@ -1 +0,0 @@
-Stopped left rooms from being unconditionally sent on initial sync, hopefully fixing spurious appearances of left rooms in some clients (and making sync faster as a bonus). Contributed by @ginger

changelog.d/+7409b1db.feature.md

@@ -1 +0,0 @@
-Added support for requiring users to accept terms and conditions when registering.

changelog.d/+alias-enumeration-delete.bugfix.md

@@ -1 +0,0 @@
-Fixed room alias deletion so removing one local alias no longer removes other aliases from room alias listings.

changelog.d/1265.bugfix

@@ -1 +0,0 @@
-Fixed corrupted appservice registrations causing the server to enter a crash loop. Contributed by @nex.

changelog.d/1371.feature.md

@@ -1 +0,0 @@
-Re-added support for reading registration tokens from a file. Contributed by @ginger and @benbot.

changelog.d/1393.bugfix

@@ -0,0 +1 @@
+Removed non-compliant nor functional room alias lookups over federation. Contributed by @nex

changelog.d/1399.feature

@@ -0,0 +1 @@
+Outgoing presence is now disabled by default, and the config option documentation has been adjusted to more accurately represent the weight of presence, typing indicators, and read receipts. Contributed by @nex.

changelog.d/1418.bugfix

@@ -0,0 +1 @@
+Removed ability to set rocksdb as read only. Doing so would cause unintentional and buggy behaviour. Contributed by @Terryiscool160.

changelog.d/1421.bugfix

@@ -0,0 +1 @@
+Fixed a startup crash in the sender service if we can't detect the number of CPU cores, even if the `sender_workers' config option is set correctly. Contributed by @katie.

changelog.d/1428.feature

@@ -0,0 +1 @@
+Improved the concurrency handling of federation transactions, vastly improving performance and reliability by more accurately handling inbound transactions and reducing the amount of repeated wasted work. Contributed by @nex and @Jade.

changelog.d/1429.doc

@@ -1 +0,0 @@
-Added Testing and Troubleshooting instructions for Livekit documentation. Contributed by @stratself.

changelog.d/1435.feature.md

@@ -0,0 +1 @@
+Added MSC3202 Device masquerading (not all of MSC3202). This should fix issues with enabling MSC4190 for some Mautrix bridges. Contributed by @Jade

changelog.d/1441.bugfix

@@ -0,0 +1 @@
+Removed the `allow_public_room_directory_without_auth` config option. Contributed by @0xnim.

changelog.d/1448.bugfix

@@ -1 +0,0 @@
-Prevent removing the admin room alias (`#admins`) to avoid accidentally breaking admin room functionality. Contributed by @0xnim

changelog.d/1527.feature.md

@@ -1 +0,0 @@
-Add new config option to allow or disallow search engine indexing through a `<meta ../>` tag. Defaults to blocking indexing (`content="noindex"`). Contributed by @s1lv3r and @ginger.

changelog.d/1542.bugfix.md

@@ -1 +0,0 @@
-Stripped `join_authorised_via_users_server` from json if user is already in room (@partha:cxy.run)

changelog.d/1572.bugfix

@@ -1 +0,0 @@
-Fixed internal server errors for fetching thumbnails. Contributed by @PerformativeJade

changelog.d/1579.bugfix

@@ -1 +0,0 @@
-Fixed error 500 when joining non-existent rooms. Contributed by @ezera.

changelog.d/1594.doc

@@ -1 +0,0 @@
-Refactored docker docs to include new initial token workflow, and add Caddyfile example. Contributed by @stratself.

changelog.d/1596.bugfix

@@ -1 +0,0 @@
-Refactored nix package. Breaking, since `all-features` package no longer exists. Continuwuity is now built with jemalloc and liburing by default. Contributed by @Henry-Hiles (QuadRadical).

changelog.d/1601.doc

@@ -1 +0,0 @@
-Add DNS tuning guide for Continuwuity. Users are recommended to set up a local caching resolver following the guide's advice. Contributed by @stratself

changelog.d/1609.feature.md

@@ -1,2 +0,0 @@
-Add new config option for [MSC4439](https://github.com/matrix-org/matrix-spec-proposals/pull/4439)
-PGP key URIs. Contributed by LogN.

changelog.d/1613.feature

@@ -1 +0,0 @@
-Added `!admin users reset-push-rules` command to reset the notification settings of users. Contributed by @nex.

changelog.d/1614.feature

@@ -1 +0,0 @@
-Notification pushers are now automatically removed when their associated device is. Admin commands now exist for manual cleanup too. Contributed by @nex.

changelog.d/1615.bugfix

@@ -1 +0,0 @@
-Fixed resolving IP of servers that only use SRV delegation. Contributed by @tulir.

changelog.d/1620.misc

@@ -1 +0,0 @@
-Fixed compiler warning in cf_opts.rs when building in release. Contributed by @ezera.

changelog.d/1623.bugfix

@@ -1 +0,0 @@
-Fixed "Sender must be a local user" error for make_join, make_knock, and make_leave federation routes. Contributed by @nex.

changelog.d/1624.feature

@@ -1 +0,0 @@
-Implemented option to deprioritize servers for room join requests. Contributed by @ezera.

changelog.d/1629.feature.md

@@ -1 +0,0 @@
-Added admin commands to get build information and features. Contributed by @Jade

changelog.d/1630.bugfix

@@ -1 +0,0 @@
-Fixed restricted joins not being signed when we are being used as an authorising server. Contributed by @nex, reported by [vel](matrix:u/vel:nhjkl.com?action=chat).

changelog.d/list-backups-formatting.feature

@@ -0,0 +1 @@
+Updated `list-backups` admin command to output one backup per line.

changelog.d/url-preview-fix.feature

@@ -0,0 +1 @@
+Improved URL preview fetching with a more compatible user agent for sites like YouTube Music. Added `!admin media delete-url-preview <url>` command to clear cached URL previews that were stuck and broken.

clippy.toml

@@ -15,18 +15,6 @@ disallowed-macros = [
 	{ path = "log::trace", reason = "use conduwuit_core::trace" },
 ]
 
-[[disallowed-methods]]
-path = "tokio::spawn"
-reason = "use and pass conduwuit_core::server::Server::runtime() to spawn from"
-
-[[disallowed-methods]]
-path = "reqwest::Response::bytes"
-reason = "bytes is unsafe, use limit_read via the conduwuit_core::utils::LimitReadExt trait instead"
-
-[[disallowed-methods]]
-path = "reqwest::Response::text"
-reason = "text is unsafe, use limit_read_text via the conduwuit_core::utils::LimitReadExt trait instead"
-
-[[disallowed-methods]]
-path = "reqwest::Response::json"
-reason = "json is unsafe, use limit_read_text via the conduwuit_core::utils::LimitReadExt trait instead"
+disallowed-methods = [
+    { path = "tokio::spawn", reason = "use and pass conduuwit_core::server::Server::runtime() to spawn from" },
+]

complement/complement.config.toml

@@ -11,7 +11,7 @@ allow_guest_registration = true
 allow_public_room_directory_over_federation = true
 allow_registration = true
 database_path = "/database"
-log = "trace,h2=debug,hyper=debug,conduwuit_database=warn,conduwuit_service::manager=info,conduwuit_api::router=error,conduwuit_router=error,tower_http=error"
+log = "trace,h2=debug,hyper=debug"
 port = [8008, 8448]
 trusted_servers = []
 only_query_trusted_key_servers = false
@@ -24,7 +24,7 @@ url_preview_domain_explicit_denylist = ["*"]
 media_compat_file_link = false
 media_startup_check = true
 prune_missing_media = true
-log_colors = false
+log_colors = true
 admin_room_notices = false
 allow_check_for_updates = false
 intentionally_unknown_config_option_for_testing = true
@@ -47,7 +47,6 @@ federation_idle_timeout = 300
 sender_timeout = 300
 sender_idle_timeout = 300
 sender_retry_backoff_limit = 300
-force_disable_first_run_mode = true
 
 [global.tls]
 dual_protocol = true

conduwuit-example.toml

@@ -25,10 +25,6 @@
 #
 # Also see the `[global.well_known]` config section at the very bottom.
 #
-# If `client` is not set under `[global.well_known]`, the server name will
-# be used as the base domain for user-facing links (such as password
-# reset links) created by Continuwuity.
-#
 # Examples of delegation:
 # - https://continuwuity.org/.well-known/matrix/server
 # - https://continuwuity.org/.well-known/matrix/client
@@ -95,10 +91,6 @@
 # engine API. To use this, set a database backup path that continuwuity
 # can write to.
 #
-# If you are using systemd, you will need to add the path to
-# ReadWritePaths in the service file, preferably via a drop-in file
-# through `systemctl edit`.
-#
 # For more information, see:
 # https://continuwuity.org/maintenance.html#backups
 #
@@ -484,25 +476,18 @@
 #yes_i_am_very_very_sure_i_want_an_open_registration_server_prone_to_abuse = false
 
 # A static registration token that new users will have to provide when
-# creating an account. This token does not supersede tokens from other
-# sources, such as the `!admin token` command or the
-# `registration_token_file` configuration option.
+# creating an account. If unset and `allow_registration` is true,
+# you must set
+# `yes_i_am_very_very_sure_i_want_an_open_registration_server_prone_to_abuse`
+# to true to allow open registration without any conditions.
+#
+# If you do not want to set a static token, the `!admin token` commands
+# may also be used to manage registration tokens.
 #
 # example: "o&^uCtes4HPf0Vu@F20jQeeWE7"
 #
 #registration_token =
 
-# A path to a file containing static registration tokens, one per line.
-# Tokens in this file do not supersede tokens from other sources, such as
-# the `!admin token` command or the `registration_token` configuration
-# option.
-#
-# The file will be read once, when Continuwuity starts. It is not
-# currently reread when the server configuration is reloaded. If the file
-# cannot be read, Continuwuity will fail to start.
-#
-#registration_token_file =
-
 # The public site key for reCaptcha. If this is provided, reCaptcha
 # becomes required during registration. If both captcha *and*
 # registration token are enabled, both will be required during
@@ -523,18 +508,6 @@
 #
 #recaptcha_private_site_key =
 
-# Policy documents, such as terms and conditions or a privacy policy,
-# which users must agree to when registering an account.
-#
-# Example:
-# ```ignore
-# [global.registration_terms.privacy_policy]
-# en = { name = "Privacy Policy", url = "https://homeserver.example/en/privacy_policy.html" }
-# es = { name = "Política de Privacidad", url = "https://homeserver.example/es/privacy_policy.html" }
-# ```
-#
-#registration_terms = {}
-
 # Controls whether encrypted rooms and events are allowed.
 #
 #allow_encryption = true
@@ -1409,20 +1382,6 @@
 #
 #ignore_messages_from_server_names = []
 
-# List of server names that continuwuity will deprioritize (try last) when
-# a client requests to join a room.
-#
-# This can be used to potentially speed up room join requests, by
-# deprioritizing sending join requests through servers that are known to
-# be large or slow.
-#
-# continuwuity will still send join requests to servers in this list if
-# the room couldn't be joined via other servers it federates with.
-#
-# example: ["example.com"]
-#
-#deprioritize_joins_through_servers = []
-
 # Send messages from users that the user has ignored to the client.
 #
 # There is no way for clients to receive messages sent while a user was
@@ -1539,11 +1498,6 @@
 #
 #url_preview_user_agent = "continuwuity/<version> (bot; +https://continuwuity.org)"
 
-# Determines whether audio and video files will be downloaded for URL
-# previews.
-#
-#url_preview_allow_audio_video = false
-
 # List of forbidden room aliases and room IDs as strings of regex
 # patterns.
 #
@@ -1829,11 +1783,6 @@
 #
 #config_reload_signal = true
 
-# Allow search engines and crawlers to index Continuwuity's built-in
-# webpages served under the `/_continuwuity/` prefix.
-#
-#allow_web_indexing = false
-
 [global.tls]
 
 # Path to a valid TLS certificate file.
@@ -1895,18 +1844,14 @@
 #
 #support_mxid =
 
-# PGP key URI for server support contacts, to be served as part of the
-# MSC1929 server support endpoint.
-#
-#support_pgp_key =
-
-# **DEPRECATED**: Use `[global.matrix_rtc].foci` instead.
-#
 # A list of MatrixRTC foci URLs which will be served as part of the
-# MSC4143 client endpoint at /.well-known/matrix/client.
+# MSC4143 client endpoint at /.well-known/matrix/client.  If you're
+# setting up livekit, you'd want something like:
+# rtc_focus_server_urls = [
+#     { type = "livekit", livekit_service_url = "https://livekit.example.com" },
+# ]
 #
-# This option is deprecated and will be removed in a future release.
-# Please migrate to the new `[global.matrix_rtc]` config section.
+# To disable, set this to be an empty vector (`[]`).
 #
 #rtc_focus_server_urls = []
 
@@ -1928,23 +1873,6 @@
 #
 #blurhash_max_raw_size = 33554432
 
-[global.matrix_rtc]
-
-# A list of MatrixRTC foci (transports) which will be served via the
-# MSC4143 RTC transports endpoint at
-# `/_matrix/client/v1/rtc/transports`. If you're setting up livekit,
-# you'd want something like:
-# ```toml
-# [global.matrix_rtc]
-# foci = [
-#     { type = "livekit", livekit_service_url = "https://livekit.example.com" },
-# ]
-# ```
-#
-# To disable, set this to an empty list (`[]`).
-#
-#foci = []
-
 [global.ldap]
 
 # Whether to enable LDAP login.
@@ -2072,41 +2000,3 @@
 # web->synapseHTTPAntispam->authorization
 #
 #secret =
-
-#[global.smtp]
-
-# A `smtp://`` URI which will be used to connect to a mail server.
-# Uncommenting the [global.smtp] group and setting this option enables
-# features which depend on the ability to send email,
-# such as self-service password resets.
-#
-# For most modern mail servers, format the URI like this:
-# 	`smtps://username:password@hostname:port`
-# Note that you will need to URL-encode the username and password. If your
-# username _is_ your email address, you will need to replace the `@` with
-# `%40`.
-#
-# For a guide on the accepted URI syntax, consult Lettre's documentation:
-# https://docs.rs/lettre/latest/lettre/transport/smtp/struct.AsyncSmtpTransport.html#method.from_url
-#
-#connection_uri =
-
-# The outgoing address which will be used for sending emails.
-#
-# For a syntax guide, see https://datatracker.ietf.org/doc/html/rfc2822#section-3.4
-#
-# ...or if you don't want to read the RFC, for some reason:
-# - `Name <address@domain.org>` to specify a sender name
-# - `address@domain.org` to not use a name
-#
-#sender =
-
-# Whether to require that users provide an email address when they
-# register.
-#
-#require_email_for_registration = false
-
-# Whether to require that users who register with a registration token
-# provide an email address.
-#
-#require_email_for_token_registration = false

docker/Dockerfile

@@ -10,18 +10,18 @@ RUN rm -f /etc/apt/apt.conf.d/docker-clean
 
 # Match Rustc version as close as possible
 # rustc -vV
-ARG LLVM_VERSION=21
+ARG LLVM_VERSION=20
 # ENV RUSTUP_TOOLCHAIN=${RUST_VERSION}
 
 # Install repo tools
 # Line one: compiler tools
-# Line two: curl, for downloading binaries and wget because llvm.sh is broken with curl
+# Line two: curl, for downloading binaries
 # Line three: for xx-verify
 RUN --mount=type=cache,target=/var/cache/apt,sharing=locked \
     --mount=type=cache,target=/var/lib/apt,sharing=locked \
     apt-get update && apt-get install -y \
     pkg-config make jq \
-    wget curl git software-properties-common \
+    curl git software-properties-common \
     file
 
 # LLVM packages
@@ -48,7 +48,7 @@ EOF
 
 # Developer tool versions
 # renovate: datasource=github-releases depName=cargo-bins/cargo-binstall
-ENV BINSTALL_VERSION=1.18.1
+ENV BINSTALL_VERSION=1.17.5
 # renovate: datasource=github-releases depName=psastras/sbom-rs
 ENV CARGO_SBOM_VERSION=0.9.1
 # renovate: datasource=crate depName=lddtree
@@ -180,11 +180,6 @@ RUN --mount=type=cache,target=/usr/local/cargo/registry \
         export RUSTFLAGS="${RUSTFLAGS}"
     fi
 
-    RUST_PROFILE_DIR="${RUST_PROFILE}"
-    if [[ "${RUST_PROFILE}" == "dev" ]]; then
-        RUST_PROFILE_DIR="debug"
-    fi
-
     TARGET_DIR=($(cargo metadata --no-deps --format-version 1 | \
             jq -r ".target_directory"))
     mkdir /out/sbin
@@ -196,8 +191,8 @@ RUN --mount=type=cache,target=/usr/local/cargo/registry \
         jq -r ".packages[] | select(.name == \"$PACKAGE\") | .targets[] | select( .kind | map(. == \"bin\") | any ) | .name"))
     for BINARY in "${BINARIES[@]}"; do
         echo $BINARY
-        xx-verify $TARGET_DIR/$(xx-cargo --print-target-triple)/${RUST_PROFILE_DIR}/$BINARY
-        cp $TARGET_DIR/$(xx-cargo --print-target-triple)/${RUST_PROFILE_DIR}/$BINARY /out/sbin/$BINARY
+        xx-verify $TARGET_DIR/$(xx-cargo --print-target-triple)/${RUST_PROFILE}/$BINARY
+        cp $TARGET_DIR/$(xx-cargo --print-target-triple)/${RUST_PROFILE}/$BINARY /out/sbin/$BINARY
     done
 EOF
 

docker/musl.Dockerfile

@@ -18,7 +18,7 @@ RUN --mount=type=cache,target=/etc/apk/cache apk add \
 
 # Developer tool versions
 # renovate: datasource=github-releases depName=cargo-bins/cargo-binstall
-ENV BINSTALL_VERSION=1.18.1
+ENV BINSTALL_VERSION=1.17.5
 # renovate: datasource=github-releases depName=psastras/sbom-rs
 ENV CARGO_SBOM_VERSION=0.9.1
 # renovate: datasource=crate depName=lddtree

docs/_meta.json

@@ -34,11 +34,6 @@
         "name": "troubleshooting",
         "label": "Troubleshooting"
     },
-    {
-        "type": "dir",
-        "name": "advanced",
-        "label": "Advanced"
-    },
     "security",
     {
         "type": "dir-section-header",

docs/_nav.json

@@ -2,7 +2,7 @@
     {
         "text": "Guide",
         "link": "/introduction",
-        "activeMatch": "^/(introduction|configuration|deploying|calls|appservices|maintenance|troubleshooting|advanced)"
+        "activeMatch": "^/(introduction|configuration|deploying|calls|appservices|maintenance|troubleshooting)"
     },
     {
         "text": "Development",

docs/advanced/_meta.json

@@ -1,13 +0,0 @@
-[
-    {
-        "type": "file",
-        "name": "delegation",
-        "label": "Delegation / split-domain"
-    },
-    {
-        "type": "file",
-        "name": "dns",
-        "label": "DNS tuning (recommended)"
-    }
-
-]

docs/advanced/delegation.mdx

@@ -1,255 +0,0 @@
-# Delegation/split-domain deployment
-
-Matrix allows clients and servers to discover a homeserver's "true" destination via **`.well-known` delegation**. This is especially useful if you would like to:
-
-- Serve Continuwuity on a subdomain while having only the base domain for your usernames
-- Use a port other than `:8448` for server-to-server connections
-
-This guide will show you how to have `@user:example.com` usernames while serving Continuwuity on `https://matrix.example.com`. It assumes you are using port 443 for both client-to-server connections and server-to-server federation.
-
-## Configuration
-
-First, ensure you have set up A/AAAA records for `matrix.example.com` and `example.com` pointing to your IP.
-
-Then, ensure that the `server_name` field matches your intended username suffix. If this is not the case, you **MUST** wipe the database directory and reinstall Continuwuity with your desired `server_name`.
-
-Then, in the `[global.well_known]` section of your config file, add the following fields:
-
-```toml
-[global.well_known]
-
-# defaults to port :443 if not specified
-client = "https://matrix.example.com"
-
-# port number MUST be specified
-server = "matrix.example.com:443"
-
-# (optional) customize your support contacts
-# Defaults to members of the admin room if unset
-#support_page =
-#support_role = "m.role.admin"
-#support_email =
-#support_mxid = "@user:example.com"
-```
-
-Alternatively if you are using Docker, you can set the `CONTINUWUITY_WELL_KNOWN` environment variable as below:
-
-```yaml
-services:
-  continuwuity:
-    ...
-    environment:
-      CONTINUWUITY_WELL_KNOWN: |
-        {
-        client=https://matrix.example.com,
-        server=matrix.example.com:443
-        }
-
-      # You can also configure individual `.well-knowns` like this
-      # CONTINUWUITY_WELL_KNOWN__CLIENT: https://matrix.example.com
-      # CONTINUWUITY_WELL_KNOWN__SERVER: matrix.example.com:443
-```
-
-## Reverse proxying well-known files to Continuwuity
-
-After doing the steps above, Continuwuity will serve these 3 JSON files:
-
-- `/.well-known/matrix/client`: for Client-Server discovery
-- `/.well-known/matrix/server`: for Server-Server (federation) discovery
-- `/.well-known/matrix/support`: admin contact details (strongly recommended to have)
-
-To enable full discovery, you will need to reverse proxy these paths from the base domain back to Continuwuity.
-
-<details>
-
-<summary>For Caddy</summary>
-
-```
-matrix.example.com:443 {
-  reverse_proxy 127.0.0.1:8008
-}
-
-example.com:443 {
-  reverse_proxy /.well-known/matrix* 127.0.0.1:8008
-}
-```
-
-</details>
-
-<details>
-
-<summary>For Traefik (via Docker labels)</summary>
-
-```
-services:
-  continuwuity:
-    ...
-    labels:
-      - "traefik.enable=true"
-      - "traefik.http.routers.continuwuity.rule=(Host(`matrix.example.com`) || (Host(`example.com`) && PathPrefix(`/.well-known/matrix`)))"
-      - "traefik.http.routers.continuwuity.service=continuwuity"
-      - "traefik.http.services.continuwuity.loadbalancer.server.port=8008"
-```
-
-</details>
-
-Restart Continuwuity and your reverse proxy. Once that's done, visit these routes and check that the responses match the examples below:
-
-<details open>
-
-<summary>`https://example.com/.well-known/matrix/server`</summary>
-
-```json
-{ "m.server": "matrix.example.com:443" }
-```
-
-</details>
-
-<details open>
-
-<summary>`https://example.com/.well-known/matrix/client`</summary>
-
-```json
-{
-  "m.homeserver": {
-    "base_url": "https://matrix.example.com/"
-  }
-}
-```
-
-</details>
-
-### Serving well-known files manually
-
-Instead of configuring `[global.well_known]` options and reverse proxying well-known URIs, you can serve these files directly as static JSON that match the ones above. This is useful if your base domain points to a different physical server, and reverse proxying isn't feasible.
-
-<details>
-
-<summary>Example Caddyfile **for the base domain**</summary>
-
-```
-https://example.com {
-
-    respond /.well-known/matrix/server 200 {
-        body `{"m.server":"matrix.example.com:443"}`
-    }
-
-    handle /.well-known/matrix/client {
-    header Access-Control-Allow-Origin *
-    respond <<JSON
-    {
-        "m.homeserver": {
-            "base_url": "https://matrix.example.com/"
-        }
-    }
-    JSON
-    }
-}
-```
-
-</details>
-
-Remember to set the `Access-Control-Allow-Origin: *` header in your `/.well-known/matrix/client` path for web clients to work.
-
-## Troubleshooting
-
-Check with the [Matrix Connectivity Tester][federation-tester] to see that it's working.
-
-[federation-tester]: https://federationtester.mtrnord.blog/
-
-### Cannot log in with web clients
-
-Make sure there is an `Access-Control-Allow-Origin: *` header in your `/.well-known/matrix/client` path. While Continuwuity serves this header by default, it may be dropped by reverse proxies or other middlewares.
-
-### Issues with alternative setups
-
-As Matrix clients prioritize well-known URIs for their destination, this can lead to issues with alternative methods of accessing the server that doesn't use a publicly routeable IP and domain name. You will probably find yourself connecting to non-existent/undesired URLs in certain cases like:
-
-- Accessing to the server via localhost IPs (e.g. for testing purposes)
-- Accessing the server from behind a VPN, or from alternative networks (such as from an onionsite)
-
-In these scenarios, further configurations would be needed. Refer to the [Related Documentation](#related-documentation) section for resolution steps and see how they could apply to your use case.
-
----
-
-## Using SRV records (not recommended)
-
-:::warning
-The following methods are **not recommended** due to increased complexity with little benefits. If you have already set up `.well-known` delegation as above, you can safely skip this part.
-:::
-
-The following methods uses SRV DNS records and only work with federation traffic. They are only included for completeness.
-
-<details>
-
-<summary>Using only SRV records</summary>
-
-If you can't set up `/.well-known/matrix/server` on :443 for some reason, you can set up a SRV record (via your DNS provider) as below:
-
-- Service and name: `_matrix-fed._tcp.example.com.`
-- Priority: `10` (can be any number)
-- Weight: `10` (can be any number)
-- Port: `443`
-- Target: `matrix.example.com.`
-
-On the target's IP at port 443, you must configure a valid route and cert for your server name, `example.com`. Therefore, this method only works to redirect traffic into the right IP/port combo, and can not delegate your federation to a different domain.
-
-</details>
-
-<details>
-
-<summary>Using SRV records + .well-known</summary>
-
-You can also set up `/.well-known/matrix/server` with a delegated domain but no ports:
-
-```toml
-[global.well_known]
-server = "matrix.example.com"
-```
-
-Then, set up a SRV record (via your DNS provider) to announce the port number as below:
-
-- Service and name: `_matrix-fed._tcp.matrix.example.com.`
-- Priority: `10` (can be any number)
-- Weight: `10` (can be any number)
-- Port: `443`
-- Target: `matrix.example.com.`
-
-On the target's IP at port 443, you'll need to provide a valid route and cert for `matrix.example.com`. It provides the same feature as pure `.well-known` delegation, albeit with more parts to handle.
-
-</details>
-
-<details>
-
-<summary>Using SRV records as a fallback for .well-known delegation</summary>
-
-Assume your delegation is as below:
-
-```toml
-[global.well_known]
-server = "example.com:443"
-```
-
-If your Continuwuity instance becomes temporarily unreachable, other servers will not be able to find your `/.well-known/matrix/server` file, and defaults to using `server_name:8448`. This incorrect cache can persist for a long time, and would hinder re-federation when your server eventually comes back online.
-
-If you want other servers to default to using port :443 even when it is offline, you could set up a SRV record (via your DNS provider) as follows:
-
-- Service and name: `_matrix-fed._tcp.example.com.`
-- Priority: `10` (can be any number)
-- Weight: `10` (can be any number)
-- Port: `443`
-- Target: `example.com.`
-
-On the target's IP at port 443, you'll need to provide a valid route and cert for `example.com`.
-
-</details>
-
----
-
-## Related Documentation
-
-See the following Matrix Specs for full details on client/server resolution mechanisms:
-
-- [Server-to-Server resolution](https://spec.matrix.org/v1.17/server-server-api/#resolving-server-names) (see this for more information on SRV records)
-- [Client-to-Server resolution](https://spec.matrix.org/v1.17/client-server-api/#server-discovery)
-- [MSC1929: Homeserver Admin Contact and Support page](https://github.com/matrix-org/matrix-spec-proposals/pull/1929)

docs/advanced/dns.mdx

@@ -1,165 +0,0 @@
-# DNS Tuning (recommended)
-
-For federation, Matrix homeservers conduct an enormous amount of DNS requests, sometimes up to thousands of queries per minute. Normal DNS resolvers are simply not designed for this load, and running Continuwuity with them will likely result in various [DNS and federation errors](../troubleshooting#dns-issues).
-
-To solve this issue, it is strongly recommended to self-host a high-quality, external caching DNS resolver for Continuwuity. This guide will use [Unbound][unbound] as the recommended example, but the general principle applies to any resolver.
-
-[unbound]: https://wiki.archlinux.org/title/Unbound
-
-## Overview
-
-For generic deployments, install your resolver of choice and configure `/etc/resolv.conf` to point to it. The resolver should ideally reside on the same host as Continuwuity.
-
-```txt title="/etc/resolv.conf"
-nameserver 127.0.0.1
-```
-
-**Avoid using `systemd-resolved`** as it does **not** perform very well under high load, and we have identified its DNS caching to not be very effective.
-
-### For Docker users
-
-Docker bridge networks uses a non-performant resolver to intercept and respond to container hostnames, and **this should also be avoided**. Instead, mount a custom `/etc/resolv.conf` file into the container, and hardcode a resolver address to bypass Docker's.
-
-It is recommended to run a dedicated resolver container for Continuwuity, as to separate from the host's resolver setup. To do this, create a custom bridge network and IP range, and explicitly define an IP address for the resolver container.
-
-<details>
-<summary>Example Docker deployment with unbound</summary>
-
-```yaml title="docker-compose.yml"
-networks:
-  matrix_net:
-    ipam:
-      driver: default
-      config:
-        - subnet: "10.10.10.0/24"
-
-services:
-    homeserver:
-        # ...
-        volume:
-            - ./continuwuity-resolv.conf:/etc/resolv.conf:ro
-
-    unbound:
-        # ...
-        networks:
-            matrix_net:
-                ipv4_address: 10.10.10.20
-```
-
-```txt title="continuwuity-resolv.conf"
-nameserver 10.10.10.20
-```
-
-</details>
-
-### For IPv4-only users
-
-If you don't have IPv6 connectivity, changing `ip_lookup_strategy` to only resolve for IPv4 will reduce unnecessary AAAA queries.
-
-```toml title="continuwuity.toml"
-[global]
-# 1 - Ipv4Only (Only query for A records, no AAAA/IPv6)
-ip_lookup_strategy = 1
-```
-
-## Unbound
-
-[Unbound][unbound] is the recommended resolver to run with Continuwuity. For Docker users, the `docker.io/madnuttah/unbound` image ([Github repo][madnuttah-unbound-repo]) can be used.
-
-After installation, you can tune `/etc/unbound/unbound.conf` values according to your needs. While Continuwuity cannot recommend a "works-for-everyone" Unbound DNS setup guide, the official [Unbound tuning guide][unbound-tuning-guide] and the [Unbound Arch Linux wiki page][unbound-arch-linux] may be of interest.
-
-Some values that are commonly tuned include:
-
-- Increase `rrset-cache-size` and `msg-cache-size` to something much higher than the default `4M`, such as `64M`.
-
-- Increase `discard-timeout` to something like `4800` to wait longer for upstream resolvers, as recursion can take a long time to respond to some domains. Continuwuity default to `dns_timeout = 10` seconds, so dropping requests early would lead to unnecessary retries and/or failures.
-
-### Using a forwarder (optional)
-
-Unbound by default employs **recursive resolution** and contacts many servers around the world. If this is not performant enough, consider forwarding your queries to public resolvers to benefit from their CDNs and get faster responses.
-
-However, most popular upstreams (such as Google DNS or Quad9) employ IP ratelimiting, so a generous cache is still needed to avoid making too many queries.
-
-DNS-over-TLS forwarders may also be used should you need on-the-wire encryption, but TLS overhead causes some speed penalties.
-
-If you want to use forwarders, configure it as follows:
-
-<details>
-
-<summary>unbound.conf</summary>
-
-```
-# Use cloudflare public resolvers as an example
-forward-zone:
-    name: "."
-    forward-addr: 1.0.0.1@53
-    forward-addr: 1.1.1.1@53
-    # Also use IPv6 ones if you're dual-stack
-    # forward-addr: 2606:4700:4700::1001@53
-    # forward-addr: 2606:4700:4700::1111@53
-
-# alternatively, use DNS-over-TLS for forwarders.
-# forward-zone:
-    # name: "."
-    # forward-tls-upstream: yes
-    # forward-addr: 1.0.0.1@853#cloudflare-dns.com
-    # forward-addr: 1.1.1.1@853#cloudflare-dns.com
-    # forward-addr: 2606:4700:4700::1001@853#cloudflare-dns.com
-    # forward-addr: 2606:4700:4700::1111@853#cloudflare-dns.com
-```
-
-</details>
-
-[madnuttah-unbound-repo]: https://github.com/madnuttah/unbound-docker/
-[unbound-tuning-guide]: https://unbound.docs.nlnetlabs.nl/en/latest/topics/core/performance.html
-[unbound-arch-linux]: https://wiki.archlinux.org/title/Unbound
-
-## Other resolvers
-
-### dnsproxy
-
-[Dnsproxy][dnsproxy] and its sister product [AdGuard Home][adguard-home] are known to work with Continuwuity and has an official Docker image. They have support for DNS-over-HTTPS as well as DNS-over-QUIC, but not recursion.
-
-To best utilise dnsproxy, you should enable proper caching with `--cache` and set `--cache-size` to something bigger, like `64000000`.
-
-[dnsproxy]: https://github.com/AdguardTeam/dnsproxy
-[adguard-home]: https://github.com/AdguardTeam/AdGuardHome
-
-### dnsmasq
-
-[dnsmasq][arch-linux-dnsmasq] can possibly work with Continuwuity, though it only supports forwarding rather than recursion. Increase the `cache-size` to something like `30000` for better caching performance.
-
-However, `dnsmasq` does not support TCP fallback which can be problematic when receiving large DNS responses such as from large SRV records. If you still want to use dnsmasq, make sure you disable `dns_tcp_fallback` in Continuwuity config.
-
-[arch-linux-dnsmasq]: https://wiki.archlinux.org/title/Dnsmasq
-
-### Technitium
-
-[Technitium][technitium] supports recursion as well as a myriad of forwarding protocols, allows saving cache to disk natively, and does work well with Continuwuity. Its default configurations however ratelimits single-IP requests by a lot, and hence must be changed. You may consult this [community guide][technitium-continuwuity] for more details on setting up a dedicated Technitium for Continuwuity.
-
-[technitium]: https://github.com/TechnitiumSoftware/DnsServer
-[technitium-continuwuity]: https://muoi.me/~stratself/articles/technitium-continuwuity/
-
-## Testing
-
-As a rough stress test, you can run `!admin query resolver flush-cache -a` or `!admin server clear-caches` to trigger a netburst of DNS queries. If your resolver can handle these loads without problem, then it should be ready for regular Continuwuity activity.
-
-To test connectivity against a specific server, use `!admin debug ping <SERVER_NAME>` and `!admin debug resolve-true-destination <SERVER_NAME>`.
-
-Note that it is expected that not all servers will be resolved, as some of them may be temporarily offline, have broken DNS and/or discovery configuration, or have been decommissioned.
-
-## Further steps
-
-- (Recommended) Set **`dns_cache_entries = 0`** inside Continuwuity and fully rely on the more performant external resolver.
-
-- Consider employing **persistent cache to disk**, so your resolver can still run without hassle after a restart. Unbound, via [Cache DB module][unbound-cachedb], can use Redis as a storage backend for this feature.
-
-- Consider [enabling **Serve Stale**][unbound-serve-stale] functionality to serve expired data beyond DNS TTLs. Since most Matrix homeservers have static IPs, this should help improve federation with them especially when upstream resolvers have timed out. For dnsproxy, this corresponds to its [optimistic caching options][dnsproxy-usage].
-
-- If you still experience DNS performance issues, another step could be to **disable DNSSEC** (which is computationally expensive) at a cost of slightly decreased security. On Unbound this is done by commenting out `trust-anchors` config options and removing the `validator` module.
-
-- Some users have reported that setting `query_over_tcp_only = true` in Continuwuity has improved DNS reliability at a slight performance cost due to TCP overhead. Generally this is not needed if your resolver and homeserver is on the same machine.
-
-[unbound-cachedb]: https://unbound.docs.nlnetlabs.nl/en/latest/manpages/unbound.conf.html#cache-db-module-options
-[unbound-serve-stale]: https://wiki.archlinux.org/title/Unbound#Serving_expired_records
-[dnsproxy-usage]: https://github.com/AdguardTeam/dnsproxy#usage

docs/calls.mdx

@@ -10,4 +10,4 @@ # Calls
 For either one to work correctly, you have to do some additional setup.
 
 - For legacy calls to work, you need to set up a TURN/STUN server. [Read the TURN guide for tips on how to set up coturn](./calls/turn.mdx)
-- For MatrixRTC / Element Call to work, you have to set up the LiveKit backend (foci). LiveKit also uses TURN/STUN to increase reliability - you can set up its built-in TURN server, or integrate with an existing one. [Read the LiveKit guide](./calls/livekit.mdx)
+- For MatrixRTC / Element Call to work, you have to set up the LiveKit backend (foci). LiveKit also uses TURN/STUN to increase reliability, so you might want to configure your TURN server first. [Read the LiveKit guide](./calls/livekit.mdx)

docs/calls/livekit.mdx

@@ -4,10 +4,6 @@ # Matrix RTC/Element Call Setup
 This guide assumes that you are using docker compose for deployment. LiveKit only provides Docker images.
 :::
 
-:::tip
-You can find help setting up MatrixRTC in our dedicated room - [#matrixrtc:continuwuity.org](https://matrix.to/#/%23matrixrtc%3Acontinuwuity.org)
-:::
-
 ## Instructions
 
 ### 1. Domain
@@ -18,21 +14,17 @@ ### 1. Domain
 
 ### 2. Services
 
-Using LiveKit with Matrix requires two services - LiveKit itself, and a service (`lk-jwt-service`) that grants Matrix users permission to connect to it.
+Using LiveKit with Matrix requires two services - Livekit itself, and a service (`lk-jwt-service`) that grants Matrix users permission to connect to it.
 
 You must generate a key and secret to allow the Matrix service to authenticate with LiveKit. `LK_MATRIX_KEY` should be around 20 random characters, and `LK_MATRIX_SECRET` should be around 64. Remember to replace these with the actual values!
 
 :::tip Generating the secrets
 LiveKit provides a utility to generate secure random keys
 ```bash
-~$ docker run --rm livekit/livekit-server:latest generate-keys
-API Key:  APIUxUnMnSkuFWV
-API Secret:  t93ZVjPeoEdyx7Wbet3kG4L3NGZIZVEFvqe0UuiVc22A
+docker run --rm livekit/livekit-server:latest generate-keys
 ```
 :::
 
-Create a `docker-compose.yml` file as following:
-
 ```yaml
 services:
   lk-jwt-service:
@@ -40,11 +32,10 @@ ### 2. Services
     container_name: lk-jwt-service
     environment:
       - LIVEKIT_JWT_BIND=:8081
-      - LIVEKIT_URL=wss://livekit.example.com # your LiveKit domain
-      - LIVEKIT_FULL_ACCESS_HOMESERVERS=example.com # your server_name
-      # Replace these with the generated values as above
-      - LIVEKIT_KEY=LK_MATRIX_KEY # APIUxUnMnSkuFWV
-      - LIVEKIT_SECRET=LK_MATRIX_SECRET # t93ZVjPeoEdyx7Wbet3kG4L3NGZIZVEFvqe0UuiVc22A
+      - LIVEKIT_URL=wss://livekit.example.com
+      - LIVEKIT_KEY=LK_MATRIX_KEY
+      - LIVEKIT_SECRET=LK_MATRIX_SECRET
+      - LIVEKIT_FULL_ACCESS_HOMESERVERS=example.com
     restart: unless-stopped
     ports:
       - "8081:8081"
@@ -79,8 +70,6 @@ #      - "50100-50200:50100-50200/udp"
   enable_loopback_candidate: false
 keys:
   LK_MATRIX_KEY: LK_MATRIX_SECRET
-  # replace these with your key-secret pair. Example:
-  # APIUxUnMnSkuFWV: t93ZVjPeoEdyx7Wbet3kG4L3NGZIZVEFvqe0UuiVc22A
 ```
 
 #### Firewall hints
@@ -89,24 +78,52 @@ #### Firewall hints
 
 ### 3. Telling clients where to find LiveKit
 
-To tell clients where to find LiveKit, you need to add the address of your `lk-jwt-service` to the `[global.matrix_rtc]` config section using the `foci` option.
+To tell clients where to find LiveKit, you need to add the address of your `lk-jwt-service` to your client .well-known file. To do so, in the config section `global.well-known`, add (or modify) the option `rtc_focus_server_urls`.
 
-The variable should be a list of servers serving as MatrixRTC endpoints. Clients discover these via the `/_matrix/client/v1/rtc/transports` endpoint (MSC4143).
+The variable should be a list of servers serving as MatrixRTC endpoints to serve in the well-known file to the client.
 
 ```toml
-[global.matrix_rtc]
-foci = [
+rtc_focus_server_urls = [
     { type = "livekit", livekit_service_url = "https://livekit.example.com" },
 ]
 ```
 
 Remember to replace the URL with the address you are deploying your instance of lk-jwt-service to.
 
+#### Serving .well-known manually
+
+If you don't let Continuwuity serve your `.well-known` files, you need to add the following lines to your `.well-known/matrix/client` file, remembering to replace the URL with your own `lk-jwt-service` deployment:
+
+```json
+  "org.matrix.msc4143.rtc_foci": [
+    {
+      "type": "livekit",
+      "livekit_service_url": "https://livekit.example.com"
+    }
+  ]
+```
+
+The final file should look something like this:
+
+```json
+{
+  "m.homeserver": {
+    "base_url":"https://matrix.example.com"
+  },
+  "org.matrix.msc4143.rtc_foci": [
+    {
+      "type": "livekit",
+      "livekit_service_url": "https://livekit.example.com"
+    }
+  ]
+}
+```
+
 ### 4. Configure your Reverse Proxy
 
 Reverse proxies can be configured in many different ways - so we can't provide a step by step for this.
 
-All paths should be forwarded to LiveKit by default, with the exception of the following path prefixes, which should be forwarded to the JWT/Authentication service:
+By default, all routes should be forwarded to Livekit with the exception of the following path prefixes, which should be forwarded to the JWT/Authentication service:
 
 - `/sfu/get`
 - `/healthz`
@@ -115,7 +132,7 @@ ### 4. Configure your Reverse Proxy
 <details>
     <summary>Example caddy config</summary>
     ```
-    livekit.example.com {
+    matrix-rtc.example.com {
 
         # for lk-jwt-service
         @lk-jwt-service path /sfu/get* /healthz* /get_token*
@@ -133,7 +150,7 @@ ### 4. Configure your Reverse Proxy
     <summary>Example nginx config</summary>
     ```
     server {
-        server_name livekit.example.com;
+        server_name matrix-rtc.example.com;
 
         # for lk-jwt-service
         location ~ ^/(sfu/get|healthz|get_token) {
@@ -144,7 +161,7 @@ ### 4. Configure your Reverse Proxy
             proxy_buffering off;
         }
 
-        # for LiveKit
+        # for livekit
         location / {
             proxy_pass http://127.0.0.1:7880$request_uri;
             proxy_set_header X-Forwarded-For $remote_addr;
@@ -184,11 +201,44 @@ ### 6. Start Everything
 
 Start up the services using your usual method - for example `docker compose up -d`.
 
-## Additional TURN configuration
+## Additional Configuration
 
-### Using LiveKit's built-in TURN server
+### TURN Integration
 
-LiveKit includes a built-in TURN server which can be used in place of an external option. This TURN server will only work with LiveKit, so you can't use it for legacy Matrix calling or anything else.
+If you've already set up coturn, there may be a port clash between the two services. To fix this, make sure the `min-port` and `max-port` for coturn so it doesn't overlap with LiveKit's range:
+
+```ini
+min-port=50201
+max-port=65535
+```
+
+To improve LiveKit's reliability, you can configure it to use your coturn server.
+
+Generate a long random secret for LiveKit, and add it to your coturn config under the `static-auth-secret` option. You can add as many secrets as you want - so set a different one for each thing using your TURN server.
+
+Then configure livekit, making sure to replace `COTURN_SECRET`:
+
+```yaml
+# livekit.yaml
+rtc:
+  turn_servers:
+    - host: coturn.ellis.link
+      port: 3478
+      protocol: tcp
+      secret: "COTURN_SECRET"
+    - host: coturn.ellis.link
+      port: 5349
+      protocol: tls # Only if you've set up TLS in your coturn
+      secret: "COTURN_SECRET"
+    - host: coturn.ellis.link
+      port: 3478
+      protocol: udp
+      secret: "COTURN_SECRET"
+```
+
+## LiveKit's built in TURN server
+
+Livekit includes a built in TURN server which can be used in place of an external option. This TURN server will only work with Livekit, so you can't use it for legacy Matrix calling - or anything else.
 
 If you don't want to set up a separate TURN server, you can enable this with the following changes:
 
@@ -199,175 +249,20 @@ ### add this to livekit.yaml ###
   udp_port: 3478
   relay_range_start: 50300
   relay_range_end: 50400
-  domain: livekit.example.com
+  domain: matrix-rtc.example.com
 ```
 
 ```yaml
-### add these to livekit's docker-compose ###
-ports:
-  - "3478:3478/udp"
-  - "50300-50400:50300-50400/udp"
-### if you're using `network_mode: host`, you can skip this part
+### Add these to docker-compose ###
+- "3478:3478/udp"
+- "50300-50400:50300-50400/udp"
 ```
 
-Recreate the LiveKit container (with `docker-compose up -d livekit`) to apply these changes. Remember to allow the new `3478/udp` and `50100:50200/udp` ports through your firewall.
+### Related Documentation
 
-### Integration with an external TURN server
-
-If you've already [set up coturn](./turn), you can configure Livekit to use it.
-
-:::tip Avoid port clashes between the two services
-
-Before continuing, make sure coturn's `min-port` and `max-port` do not overlap with LiveKit's port range:
-
-```ini
-# in your coturn.conf
-min-port=50201
-max-port=65535
-```
-:::
-
-Generate a long random secret for LiveKit, and add it to your coturn config under the `static-auth-secret` option. You can add as many secrets as you want, so set a different one for LiveKit to use.
-
-Then configure LiveKit, making sure to replace `COTURN_SECRET` with the one you generated:
-
-```yaml
-# livekit.yaml
-rtc:
-  turn_servers:
-    - host: coturn.example.com
-      port: 3478
-      protocol: udp
-      secret: "COTURN_SECRET"
-    - host: coturn.example.com
-      port: 3478
-      protocol: tcp
-      secret: "COTURN_SECRET"
-    - host: coturn.example.com
-      port: 5349
-      protocol: tls # Only if you have already set up TLS in your coturn
-      secret: "COTURN_SECRET"
-```
-
-Restart LiveKit and coturn to apply these changes.
-
-## Testing
-
-To test that LiveKit is successfully integrated with Continuwuity, you will need to replicate its [Token Exchange Flow](https://github.com/element-hq/lk-jwt-service#%EF%B8%8F-how-it-works--token-exchange-flow).
-
-First, you will need an access token for your current login session. These can be found in your client's settings or obtained via [this website](https://timedout.uk/mxtoken.html).
-
-Then, using that token, request another OpenID token for use with the lk-jwt-service:
-
-```bash
-~$ curl -X POST -H "Authorization: Bearer <session-access-token>" \
-  https://matrix.example.com/_matrix/client/v3/user/@user:example.com/openid/request_token
-{"access_token":"<openid_access_token>","token_type":"Bearer","matrix_server_name":"example.com","expires_in":3600}
-```
-
-Next, create a `payload.json` file with the following content:
-
-<details>
-
-<summary>`payload.json`</summary>
-
-```json
-{
-    "room_id": "abc",
-    "slot_id": "xyz",
-    "openid_token": {
-        "matrix_server_name": "example.com",
-        "access_token": "<openid_access_token>",
-        "token_type": "Bearer"
-    },
-    "member": {
-        "id": "xyz",
-        "claimed_device_id": "DEVICEID",
-        "claimed_user_id": "@user:example.com"
-    }
-}
-```
-
-Replace `matrix_server_name` and `claimed_user_id` with your information, and `<openid_access_token>` with the one you got from the previous step. Other values can be left as-is.
-
-</details>
-
-You can then send this payload to the lk-jwt-service:
-
-```bash
-~$ curl -X POST -d @payload.json https://livekit.example.com/get_token
-{"url":"wss://livekit.example.com","jwt":"a_really_really_long_string"}
-```
-
-The lk-jwt-service will, after checking against Continuwuity, answer with a `jwt` token to create a LiveKit media room. Use this token to test at the [LiveKit Connection Tester](https://livekit.io/connection-test). If everything works there, then you have set up LiveKit successfully!
-
-## Troubleshooting
-
-To debug any issues, you can place a call or redo the Testing instructions, and check the container logs for any specific errors. Use `docker-compose logs --follow` to follow them in real-time.
-
-### Common errors in Element Call UI
-
-- `MISSING_MATRIX_RTC_FOCUS`: LiveKit is missing from Continuwuity's config file
-- "Waiting for media" popup always showing: a LiveKit URL has been configured in Continuwuity, but your client cannot connect to it for some reason
-
-### Docker loopback networking issues
-
-Some distros do not allow Docker containers to connect to its host's public IP by default. This would cause `lk-jwt-service` to fail connecting to `livekit` or `continuwuity` on the same host. As a result, you would see connection refused/connection timeouts log entries in the JWT service, even when `LIVEKIT_URL` has been configured correctly.
-
-To alleviate this, you can try one of the following workarounds:
-
-- Use `network_mode: host` for the `lk-jwt-service` container (instead of the default bridge networking).
-
-- Add an `extra_hosts` file mapping livekit's (and continuwuity's) domain name to a localhost address:
-
-    ```diff
-    # in docker-compose.yaml
-    services:
-      lk-jwt-service:
-        ...
-    +    extra_hosts:
-    +     - "livekit.example.com:127.0.0.1"
-    +     - "matrix.example.com:127.0.0.1"
-    ```
-
-- (**untested, use at your own risk**) Implement an iptables workaround as shown [here](https://forums.docker.com/t/unable-to-connect-to-host-service-from-inside-docker-container/145749/6).
-
-After implementing the changes and restarting your compose, you can test whether the connection works by cURLing from a sidecar container:
-
-```bash
-~$ docker run --rm --net container:lk-jwt-service docker.io/curlimages/curl https://livekit.example.com
-OK
-```
-
-### Workaround for non-federating servers
-
-When deploying on servers with federation disabled (`allow_federation = false`), LiveKit will fail as it can't fetch the required [OpenID endpoint](https://spec.matrix.org/v1.17/server-server-api/#get_matrixfederationv1openiduserinfo) via federation paths.
-
-As a workaround, you can enable federation, but forbid all remote servers via the following config parameters:
-
-```toml
-### in your continuwuity.toml file ###
-allow_federation = true
-forbidden_remote_server_names = [".*"]
-```
-
-Subscribe to issue [!1440](https://forgejo.ellis.link/continuwuation/continuwuity/issues/1440) for future updates on this matter.
-
-## Related Documentation
-
-Guides:
-
-- [Element Call self-hosting documentation](https://github.com/element-hq/element-call/blob/livekit/docs/self-hosting.md)
-- [Community guide with overview of LiveKit's mechanisms](https://tomfos.tr/matrix/livekit/)
-- [Community guide using systemd](https://blog.kimiblock.top/2024/12/24/hosting-element-call/)
-
-Specifications:
-
-- [MatrixRTC proposal](https://github.com/matrix-org/matrix-spec-proposals/pull/4143)
-- [LiveKit proposal](https://github.com/matrix-org/matrix-spec-proposals/pull/4195)
-
-Source code:
-
-- [Element Call](https://github.com/element-hq/element-call)
-- [lk-jwt-service](https://github.com/element-hq/lk-jwt-service)
-- [LiveKit server](https://github.com/livekit/livekit)
+- [LiveKit GitHub](https://github.com/livekit/livekit)
+- [LiveKit Connection Tester](https://livekit.io/connection-test) - use with the token returned by `/sfu/get` or `/get_token`
+- [MatrixRTC proposal](https://half-shot.github.io/msc-crafter/#msc/4143)
+- [Synapse documentation](https://github.com/element-hq/element-call/blob/livekit/docs/self-hosting.md)
+- [Community guide](https://tomfos.tr/matrix/livekit/)
+- [Community guide](https://blog.kimiblock.top/2024/12/24/hosting-element-call/)

docs/community/guidelines.mdx

@@ -1,12 +1,17 @@
 # Continuwuity Community Guidelines
 
-Welcome to the Continuwuity commuwunity! We're excited to have you here.
+Welcome to the Continuwuity commuwunity! We're excited to have you here. Continuwuity is a
+continuation of the conduwuit homeserver, which in turn is a hard-fork of the Conduit homeserver,
+aimed at making Matrix more accessible and inclusive for everyone.
 
-Our project aims to make Matrix more accessible and inclusive for everyone. To that end, we are dedicated to fostering a positive, supportive, safe and welcoming environment for our community.
+This space is dedicated to fostering a positive, supportive, and welcoming environment for everyone.
+These guidelines apply to all Continuwuity spaces, including our Matrix rooms and any other
+community channels that reference them. We've written these guidelines to help us all create an
+environment where everyone feels safe and respected.
 
-These guidelines apply to all Continuwuity spaces, including our Matrix rooms and code forge.
-
-Our community spaces are intended for individuals aged 16 or over, because we expect maturity and respect from our community members.
+For code and contribution guidelines, please refer to the
+[Contributor's Covenant](https://forgejo.ellis.link/continuwuation/continuwuity/src/branch/main/CODE_OF_CONDUCT.md).
+Below are additional guidelines specific to the Continuwuity community.
 
 ## Our Values and Expected Behaviors
 
@@ -24,21 +29,17 @@ ## Our Values and Expected Behaviors
 
 3. **Communicate Clearly and Kindly**: Our community includes neurodivergent individuals and those
    who may not appreciate sarcasm or subtlety. Communicate clearly and kindly. Avoid ambiguity and
-   ensure your messages can be easily understood by all.
-
-4. **Be Considerate and Proactive**: Not everyone has the same time, resource and experience to spare.
-   Don't expect others to give up their time and labour for you; be thankful for what you have already been given.
-   Avoid placing the burden of education on
+   ensure your messages can be easily understood by all. Avoid placing the burden of education on
    marginalized groups; please make an effort to look into your questions before asking others for
    detailed explanations.
 
-5. **Be Engaged and Open-Minded**: Actively participate in making our community more inclusive.
+4. **Be Open to Improving Inclusivity**: Actively participate in making our community more inclusive.
    Report behaviour that contradicts these guidelines (see Reporting and Enforcement below) and be
    open to constructive feedback aimed at improving our community. Understand that discussing
    negative experiences can be emotionally taxing; focus on the message, not the tone.
 
-6. **Commit to Our Values**: Building an inclusive community requires ongoing effort from everyone.
-   Recognise that creating a welcoming and open community is a continuous process that needs commitment
+5. **Commit to Our Values**: Building an inclusive community requires ongoing effort from everyone.
+   Recognise that addressing bias and discrimination is a continuous process that needs commitment
    and action from all members.
 
 ## Unacceptable Behaviors
@@ -71,6 +72,36 @@ ## Unacceptable Behaviors
 This is not an exhaustive list. Any behaviour that makes others feel unsafe or unwelcome may be
 subject to enforcement action.
 
+## Matrix Community
+
+These Community Guidelines apply to the entire
+[Continuwuity Matrix Space](https://matrix.to/#/#space:continuwuity.org?via=continuwuity.org&via=ellis.link&via=explodie.org&via=matrix.org) and its rooms, including:
+
+### [#continuwuity:continuwuity.org](https://matrix.to/#/#continuwuity:continuwuity.org?via=continuwuity.org&via=ellis.link&via=explodie.org&via=matrix.org)
+
+This room is for support and discussions about Continuwuity. Ask questions, share insights, and help
+each other out while adhering to these guidelines.
+
+We ask that this room remain focused on the Continuwuity software specifically: the team are
+typically happy to engage in conversations about related subjects in the off-topic room.
+
+### [#offtopic:continuwuity.org](https://matrix.to/#/#offtopic:continuwuity.org?via=continuwuity.org&via=ellis.link&via=explodie.org&via=matrix.org)
+
+For off-topic community conversations about any subject. While this room allows for a wide range of
+topics, the same guidelines apply. Please keep discussions respectful and inclusive, and avoid
+divisive or stressful subjects like specific country/world politics unless handled with exceptional
+care and respect for diverse viewpoints.
+
+General topics, such as world events, are welcome as long as they follow the guidelines. If a member
+of the team asks for the conversation to end, please respect their decision.
+
+### [#dev:continuwuity.org](https://matrix.to/#/#dev:continuwuity.org?via=continuwuity.org&via=ellis.link&via=explodie.org&via=matrix.org)
+
+This room is dedicated to discussing active development of Continuwuity, including ongoing issues or
+code development. Collaboration here must follow these guidelines, and please consider raising
+[an issue](https://forgejo.ellis.link/continuwuation/continuwuity/issues) on the repository to help
+track progress.
+
 ## Reporting and Enforcement
 
 We take these Community Guidelines seriously to protect our community members. If you witness or
@@ -83,7 +114,6 @@ ## Reporting and Enforcement
   will immediately alert all available moderators.
 * **Direct Message:** If you're not comfortable raising the issue publicly, please send a direct
   message (DM) to one of the room moderators.
-* **Email**: Please email Jade and/or Nex at `jade@continuwuity.org` and `nex@continuwuity.org` respectively, or email `team@continuwuity.org`.
 
 Reports will be handled with discretion. We will investigate promptly and thoroughly.
 

docs/configuration.mdx

@@ -2,90 +2,63 @@ # Configuration
 
 This chapter describes various ways to configure Continuwuity.
 
-## Configuration file
+## Basics
 
-Continuwuity uses a TOML config file for all of its settings. This is the recommended way to configure Continuwuity. Please refer to the [example config file](./reference/config.mdx) for all of these settings.
+Continuwuity uses a config file for the majority of the settings, but also supports
+setting individual config options via commandline.
 
-You can specify the config file to be used by Continuwuity with the command-line flag `-c` or `--config`:
+Please refer to the [example config
+file](./reference/config.mdx) for all of those
+settings.
 
-```bash
-./conduwuit -c /path/to/continuwuity.toml
-```
+The config file to use can be specified on the commandline when running
+Continuwuity by specifying the `-c`, `--config` flag. Alternatively, you can use
+the environment variable `CONDUWUIT_CONFIG` to specify the config file to used.
+Conduit's environment variables are supported for backwards compatibility.
 
-Alternatively, you can use the environment variable `CONTINUWUITY_CONFIG` to specify the config file to be used; see [the section on environment variables](#environment-variables) for more information.
+## Option commandline flag
 
-## Environment variables
-
-All of the options in the config file can also be specified by using environment variables. This is ideal for containerised deployments and infrastructure-as-code scenarios.
-
-The environment variable names are represented in all caps and prefixed with `CONTINUWUITY_`. They are mapped to config options in the ways demonstrated below:
-
-```bash
-# Top-level options (those inside the [global] section) are simply capitalised
-CONTINUWUITY_SERVER_NAME="matrix.example.com"
-CONTINUWUITY_PORT="8008"
-CONTINUWUITY_DATABASE_PATH="/var/lib/continuwuity"
-
-# Nested config sections use double underscores `__`
-
-# This maps to the `server` field of the [global.well_known] section in TOML
-CONTINUWUITY_WELL_KNOWN__SERVER="example.com:443"
-
-# This maps to the `base_url` field of the `[global.antispam.draupnir]` section in TOML
-CONTINUWUITY_ANTISPAM__DRAUPNIR__BASE_URL="https://draupnir.example.com"
-
-# Alternatively, you can pass a (quoted) struct to define an entire section
-# This maps to the [global.well_known] section
-CONTINUWUITY_WELL_KNOWN="{ client=https://example.com,server=example.com:443 }"
-```
-
-### Alternative prefixes
-
-For backwards compatibility, Continuwuity also supports the following environment variable prefixes, in order of descending priority:
-
-- `CONDUWUIT_*` (compatibility)
-- `CONDUIT_*` (legacy)
-
-As an example, the environment variable `CONTINUWUITY_CONFIG` can also be expressed as `CONDUWUIT_CONFIG` or `CONDUIT_CONFIG`.
-
-## Option command-line flag
-
-Continuwuity also supports setting individual config options in TOML format from the `-O` / `--option` flag. For example, you can set your server name via `-O server_name=\"example.com\"`.
-
-Note that the config is parsed as TOML, and shells like `bash` will remove quotes. Therefore, if the config option is a string, quote escapes must be properly handled. If the config option is a number or a boolean, this does not apply.
+Continuwuity supports setting individual config options in TOML format from the
+`-O` / `--option` flag. For example, you can set your server name via `-O
+server_name=\"example.com\"`.
 
+Note that the config is parsed as TOML, and shells like bash will remove quotes.
+So unfortunately it is required to escape quotes if the config option takes a
+string. This does not apply to options that take booleans or numbers:
 - `--option allow_registration=true` works ✅
 - `-O max_request_size=99999999` works ✅
 - `-O server_name=example.com` does not work ❌
 - `--option log=\"debug\"` works ✅
 - `--option server_name='"example.com'"` works ✅
 
-## Order of priority
+## Execute commandline flag
 
-The above configuration methods are prioritised, in descending order, as below:
+Continuwuity supports running admin commands on startup using the commandline
+argument `--execute`. The most notable use for this is to create an admin user
+on first startup.
 
-- Command-line `-o`/`--option` flags
-- Environment variables
-    - `CONTINUWUITY_*` variables
-    - `CONDUWUIT_*` variables
-    - `CONDUIT_*` variables
-- Config file
+The syntax of this is a standard admin command without the prefix such as
+`./conduwuit --execute "users create_user june"`
 
-Therefore, you can use environment variables or the options flags to override values in the config file.
-
----
-
-## Executing startup commands
-
-Continuwuity supports running admin commands on startup using the command-line flag `--execute`. This is treated as a standard admin command, without the need for the `!admin` prefix. For example, to create a new user:
-
-```bash
-# Equivalent to `!admin users create_user june`
-./conduwuit --execute "users create_user june"
+An example output of a success is:
+```
 INFO conduwuit_service::admin::startup: Startup command #0 completed:
 Created user with user_id: @june:girlboss.ceo and password: `<redacted>`
 ```
 
-Alternatively, you can configure `CONTINUWUITY_ADMIN_EXECUTE` or the config file value `admin_execute` with a list of commands.
+This commandline argument can be paired with the `--option` flag.
 
-This command-line argument can be paired with the `--option` flag.
+## Environment variables
+
+All of the settings that are found in the config file can be specified by using
+environment variables. The environment variable names should be all caps and
+prefixed with `CONDUWUIT_`.
+
+For example, if the setting you are changing is `max_request_size`, then the
+environment variable to set is `CONDUWUIT_MAX_REQUEST_SIZE`.
+
+To modify config options not in the `[global]` context such as
+`[global.well_known]`, use the `__` suffix split: `CONDUWUIT_WELL_KNOWN__SERVER`
+
+Conduit's environment variables are supported for backwards compatibility (e.g.
+`CONDUIT_SERVER_NAME`).

docs/contributing.mdx

@@ -0,0 +1 @@
+../CONTRIBUTING.md

docs/deploying/docker-compose.for-traefik.yml

@@ -0,0 +1,76 @@
+# Continuwuity - Behind Traefik Reverse Proxy
+
+services:
+  homeserver:
+    ### If you already built the continuwuity image with 'docker build' or want to use the Docker Hub image,
+    ### then you are ready to go.
+    image: forgejo.ellis.link/continuwuation/continuwuity:latest
+    restart: unless-stopped
+    volumes:
+      - db:/var/lib/continuwuity
+      - /etc/resolv.conf:/etc/resolv.conf:ro # Use the host's DNS resolver rather than Docker's.
+      #- ./continuwuity.toml:/etc/continuwuity.toml
+    networks:
+      - proxy
+    labels:
+      - "traefik.enable=true"
+      - "traefik.http.routers.continuwuity.rule=(Host(`matrix.example.com`) || (Host(`example.com`) && PathPrefix(`/.well-known/matrix`)))"
+      - "traefik.http.routers.continuwuity.entrypoints=websecure" # your HTTPS entry point
+      - "traefik.http.routers.continuwuity.tls=true"
+      - "traefik.http.routers.continuwuity.service=continuwuity"
+      - "traefik.http.services.continuwuity.loadbalancer.server.port=6167"
+      # possibly, depending on your config:
+      # - "traefik.http.routers.continuwuity.tls.certresolver=letsencrypt"
+    environment:
+      CONTINUWUITY_SERVER_NAME: your.server.name.example # EDIT THIS
+      CONTINUWUITY_DATABASE_PATH: /var/lib/continuwuity
+      CONTINUWUITY_PORT: 6167 # should match the loadbalancer traefik label
+      CONTINUWUITY_MAX_REQUEST_SIZE: 20000000 # in bytes, ~20 MB
+      CONTINUWUITY_ALLOW_REGISTRATION: 'true'
+      CONTINUWUITY_REGISTRATION_TOKEN: 'YOUR_TOKEN' # A registration token is required when registration is allowed.
+      #CONTINUWUITY_YES_I_AM_VERY_VERY_SURE_I_WANT_AN_OPEN_REGISTRATION_SERVER_PRONE_TO_ABUSE: 'true'
+      CONTINUWUITY_ALLOW_FEDERATION: 'true'
+      CONTINUWUITY_ALLOW_CHECK_FOR_UPDATES: 'true'
+      CONTINUWUITY_TRUSTED_SERVERS: '["matrix.org"]'
+      #CONTINUWUITY_LOG: warn,state_res=warn
+      CONTINUWUITY_ADDRESS: 0.0.0.0
+      #CONTINUWUITY_CONFIG: '/etc/continuwuity.toml' # Uncomment if you mapped config toml above
+
+      # We need some way to serve the client and server .well-known json. The simplest way is via the CONTINUWUITY_WELL_KNOWN
+      # variable / config option, there are multiple ways to do this, e.g. in the continuwuity.toml file, and in a separate
+      # see the override file for more information about delegation
+      CONTINUWUITY_WELL_KNOWN: |
+        {
+        client=https://your.server.name.example,
+        server=your.server.name.example:443
+        }
+    #cpuset: "0-4" # Uncomment to limit to specific CPU cores
+    ulimits: # Continuwuity uses quite a few file descriptors, and on some systems it defaults to 1024, so you can tell docker to increase it
+      nofile:
+        soft: 1048567
+        hard: 1048567
+
+    ### Uncomment if you want to use your own Element-Web App.
+    ### Note: You need to provide a config.json for Element and you also need a second
+    ###       Domain or Subdomain for the communication between Element and Continuwuity
+    ### Config-Docs: https://github.com/vector-im/element-web/blob/develop/docs/config.md
+    # element-web:
+    #     image: vectorim/element-web:latest
+    #     restart: unless-stopped
+    #     volumes:
+    #         - ./element_config.json:/app/config.json
+    #     networks:
+    #         - proxy
+    #     depends_on:
+    #         - homeserver
+
+volumes:
+  db:
+
+networks:
+  # This is the network Traefik listens to, if your network has a different
+  # name, don't forget to change it here and in the docker-compose.override.yml
+  proxy:
+    external: true
+
+# vim: ts=2:sw=2:expandtab

docs/deploying/docker-compose.override.yml

@@ -6,13 +6,11 @@ services:
       - "traefik.enable=true"
       - "traefik.docker.network=proxy"  # Change this to the name of your Traefik docker proxy network
 
-      - "traefik.http.routers.to-continuwuity.rule=Host(`example.com`)"  # Change to the address on which Continuwuity is hosted
+      - "traefik.http.routers.to-continuwuity.rule=Host(`<SUBDOMAIN>.<DOMAIN>`)"  # Change to the address on which Continuwuity is hosted
       - "traefik.http.routers.to-continuwuity.tls=true"
       - "traefik.http.routers.to-continuwuity.tls.certresolver=letsencrypt"
       - "traefik.http.routers.to-continuwuity.middlewares=cors-headers@docker"
-
-      # This must match with CONTINUWUITY_PORT (default: 8008)
-      - "traefik.http.services.to_continuwuity.loadbalancer.server.port=8008"
+      - "traefik.http.services.to_continuwuity.loadbalancer.server.port=6167"
 
       - "traefik.http.middlewares.cors-headers.headers.accessControlAllowOriginList=*"
       - "traefik.http.middlewares.cors-headers.headers.accessControlAllowHeaders=Origin, X-Requested-With, Content-Type, Accept, Authorization"
@@ -20,7 +18,19 @@ services:
 
       # If you want to have your account on <DOMAIN>, but host Continuwuity on a subdomain,
       # you can let it only handle the well known file on that domain instead
-      #- "traefik.http.routers.to-matrix-wellknown.rule=Host(`example.com`) && PathPrefix(`/.well-known/matrix`)"
+      #- "traefik.http.routers.to-matrix-wellknown.rule=Host(`<DOMAIN>`) && PathPrefix(`/.well-known/matrix`)"
       #- "traefik.http.routers.to-matrix-wellknown.tls=true"
       #- "traefik.http.routers.to-matrix-wellknown.tls.certresolver=letsencrypt"
       #- "traefik.http.routers.to-matrix-wellknown.middlewares=cors-headers@docker"
+
+  ### Uncomment this if you uncommented Element-Web App in the docker-compose.yml
+  # element-web:
+  #     labels:
+  #         - "traefik.enable=true"
+  #         - "traefik.docker.network=proxy"  # Change this to the name of your Traefik docker proxy network
+
+  #         - "traefik.http.routers.to-element-web.rule=Host(`<SUBDOMAIN>.<DOMAIN>`)"  # Change to the address on which Element-Web is hosted
+  #         - "traefik.http.routers.to-element-web.tls=true"
+  #         - "traefik.http.routers.to-element-web.tls.certresolver=letsencrypt"
+
+# vim: ts=2:sw=2:expandtab

docs/deploying/docker-compose.with-caddy.yml

@@ -0,0 +1,56 @@
+services:
+    caddy:
+    # This compose file uses caddy-docker-proxy as the reverse proxy for Continuwuity!
+    # For more info, visit https://github.com/lucaslorentz/caddy-docker-proxy
+        image: lucaslorentz/caddy-docker-proxy:ci-alpine
+        ports:
+            - 80:80
+            - 443:443
+        environment:
+            - CADDY_INGRESS_NETWORKS=caddy
+        networks:
+            - caddy
+        volumes:
+            - /var/run/docker.sock:/var/run/docker.sock
+            - ./data:/data
+        restart: unless-stopped
+        labels:
+            caddy: example.com
+            caddy.0_respond: /.well-known/matrix/server {"m.server":"matrix.example.com:443"}
+            caddy.1_respond: /.well-known/matrix/client {"m.server":{"base_url":"https://matrix.example.com"},"m.homeserver":{"base_url":"https://matrix.example.com"},"org.matrix.msc3575.proxy":{"url":"https://matrix.example.com"}}
+
+    homeserver:
+        ### If you already built the Continuwuity image with 'docker build' or want to use a registry image,
+        ### then you are ready to go.
+        image: forgejo.ellis.link/continuwuation/continuwuity:latest
+        restart: unless-stopped
+        volumes:
+            - db:/var/lib/continuwuity
+            - /etc/resolv.conf:/etc/resolv.conf:ro # Use the host's DNS resolver rather than Docker's.
+            #- ./continuwuity.toml:/etc/continuwuity.toml
+        environment:
+            CONTINUWUITY_SERVER_NAME: example.com # EDIT THIS
+            CONTINUWUITY_DATABASE_PATH: /var/lib/continuwuity
+            CONTINUWUITY_PORT: 6167
+            CONTINUWUITY_MAX_REQUEST_SIZE: 20000000 # in bytes, ~20 MB
+            CONTINUWUITY_ALLOW_REGISTRATION: 'true'
+            CONTINUWUITY_REGISTRATION_TOKEN: 'YOUR_TOKEN' # A registration token is required when registration is allowed.
+            #CONTINUWUITY_YES_I_AM_VERY_VERY_SURE_I_WANT_AN_OPEN_REGISTRATION_SERVER_PRONE_TO_ABUSE: 'true'
+            CONTINUWUITY_ALLOW_FEDERATION: 'true'
+            CONTINUWUITY_ALLOW_CHECK_FOR_UPDATES: 'true'
+            CONTINUWUITY_TRUSTED_SERVERS: '["matrix.org"]'
+            #CONTINUWUITY_LOG: warn,state_res=warn
+            CONTINUWUITY_ADDRESS: 0.0.0.0
+            #CONTINUWUITY_CONFIG: '/etc/continuwuity.toml' # Uncomment if you mapped config toml above
+        networks:
+            - caddy
+        labels:
+            caddy: matrix.example.com
+            caddy.reverse_proxy: "{{upstreams 6167}}"
+
+volumes:
+    db:
+
+networks:
+    caddy:
+        external: true

docs/deploying/docker-compose.with-traefik.yml

@@ -0,0 +1,159 @@
+# Continuwuity - Behind Traefik Reverse Proxy
+
+services:
+  homeserver:
+    ### If you already built the Continuwuity image with 'docker build' or want to use the Docker Hub image,
+    ### then you are ready to go.
+    image: forgejo.ellis.link/continuwuation/continuwuity:latest
+    restart: unless-stopped
+    volumes:
+      - db:/var/lib/continuwuity
+      - /etc/resolv.conf:/etc/resolv.conf:ro # Use the host's DNS resolver rather than Docker's.
+      #- ./continuwuity.toml:/etc/continuwuity.toml
+    networks:
+      - proxy
+    labels:
+      - "traefik.enable=true"
+      - "traefik.http.routers.continuwuity.rule=(Host(`matrix.example.com`) || (Host(`example.com`) && PathPrefix(`/.well-known/matrix`)))"
+      - "traefik.http.routers.continuwuity.entrypoints=websecure"
+      - "traefik.http.routers.continuwuity.tls.certresolver=letsencrypt"
+      - "traefik.http.services.continuwuity.loadbalancer.server.port=6167"
+      # Uncomment and adjust the following if you want to use middleware
+      # - "traefik.http.routers.continuwuity.middlewares=secureHeaders@file"
+    environment:
+      CONTINUWUITY_SERVER_NAME: your.server.name.example # EDIT THIS
+      CONTINUWUITY_TRUSTED_SERVERS: '["matrix.org"]'
+      CONTINUWUITY_ALLOW_REGISTRATION: 'false' # After setting a secure registration token, you can enable this
+      CONTINUWUITY_REGISTRATION_TOKEN: "" # This is a token you can use to register on the server
+      #CONTINUWUITY_REGISTRATION_TOKEN_FILE: "" # Alternatively you can configure a path to a token file to read
+      CONTINUWUITY_ADDRESS: 0.0.0.0
+      CONTINUWUITY_PORT: 6167 # you need to match this with the traefik load balancer label if you're want to change it
+      CONTINUWUITY_DATABASE_PATH: /var/lib/continuwuity
+      #CONTINUWUITY_CONFIG: '/etc/continuwuity.toml' # Uncomment if you mapped config toml above
+      ### Uncomment and change values as desired, note that Continuwuity has plenty of config options, so you should check out the example example config too
+      # Available levels are: error, warn, info, debug, trace - more info at: https://docs.rs/env_logger/*/env_logger/#enabling-logging
+      # CONTINUWUITY_LOG: info  # default is: "warn,state_res=warn"
+      # CONTINUWUITY_ALLOW_ENCRYPTION: 'true'
+      # CONTINUWUITY_ALLOW_FEDERATION: 'true'
+      # CONTINUWUITY_ALLOW_CHECK_FOR_UPDATES: 'true'
+      # CONTINUWUITY_ALLOW_INCOMING_PRESENCE: true
+      # CONTINUWUITY_ALLOW_OUTGOING_PRESENCE: true
+      # CONTINUWUITY_ALLOW_LOCAL_PRESENCE: true
+      # CONTINUWUITY_WORKERS: 10
+      # CONTINUWUITY_MAX_REQUEST_SIZE: 20000000  # in bytes, ~20 MB
+      # CONTINUWUITY_NEW_USER_DISPLAYNAME_SUFFIX = "🏳<200d>⚧"
+
+      # We need some way to serve the client and server .well-known json. The simplest way is via the CONTINUWUITY_WELL_KNOWN
+      # variable / config option, there are multiple ways to do this, e.g. in the continuwuity.toml file, and in a separate
+      # reverse proxy, but since you do not have a reverse proxy and following this guide, this example is included
+      CONTINUWUITY_WELL_KNOWN: |
+        {
+          client=https://your.server.name.example,
+          server=your.server.name.example:443
+        }
+    #cpuset: "0-4" # Uncomment to limit to specific CPU cores
+    ulimits: # Continuwuity uses quite a few file descriptors, and on some systems it defaults to 1024, so you can tell docker to increase it
+      nofile:
+        soft: 1048567
+        hard: 1048567
+
+    ### Uncomment if you want to use your own Element-Web App.
+    ### Note: You need to provide a config.json for Element and you also need a second
+    ###       Domain or Subdomain for the communication between Element and Continuwuity
+    ### Config-Docs: https://github.com/vector-im/element-web/blob/develop/docs/config.md
+    # element-web:
+    #     image: vectorim/element-web:latest
+    #     restart: unless-stopped
+    #     volumes:
+    #         - ./element_config.json:/app/config.json
+    #     networks:
+    #         - proxy
+    #     depends_on:
+    #         - homeserver
+
+  traefik:
+    image: "traefik:latest"
+    container_name: "traefik"
+    restart: "unless-stopped"
+    ports:
+      - "80:80"
+      - "443:443"
+    volumes:
+      - "/var/run/docker.sock:/var/run/docker.sock:z"
+      - "acme:/etc/traefik/acme"
+      #- "./traefik_config:/etc/traefik:z"
+    labels:
+      - "traefik.enable=true"
+
+      # middleware redirect
+      - "traefik.http.middlewares.redirect-to-https.redirectscheme.scheme=https"
+      # global redirect to https
+      - "traefik.http.routers.redirs.rule=hostregexp(`{host:.+}`)"
+      - "traefik.http.routers.redirs.entrypoints=web"
+      - "traefik.http.routers.redirs.middlewares=redirect-to-https"
+
+    configs:
+      - source: dynamic.yml
+        target: /etc/traefik/dynamic.yml
+
+    environment:
+      TRAEFIK_LOG_LEVEL: DEBUG
+      TRAEFIK_ENTRYPOINTS_WEB: true
+      TRAEFIK_ENTRYPOINTS_WEB_ADDRESS: ":80"
+      TRAEFIK_ENTRYPOINTS_WEB_HTTP_REDIRECTIONS_ENTRYPOINT_TO: websecure
+
+      TRAEFIK_ENTRYPOINTS_WEBSECURE: true
+      TRAEFIK_ENTRYPOINTS_WEBSECURE_ADDRESS: ":443"
+      TRAEFIK_ENTRYPOINTS_WEBSECURE_HTTP_TLS_CERTRESOLVER: letsencrypt
+      #TRAEFIK_ENTRYPOINTS_WEBSECURE_HTTP_MIDDLEWARES: secureHeaders@file # if you want to enabled STS
+
+      TRAEFIK_CERTIFICATESRESOLVERS_LETSENCRYPT: true
+      TRAEFIK_CERTIFICATESRESOLVERS_LETSENCRYPT_ACME_EMAIL: # Set this to the email you want to receive certificate expiration emails for
+      TRAEFIK_CERTIFICATESRESOLVERS_LETSENCRYPT_ACME_KEYTYPE: EC384
+      TRAEFIK_CERTIFICATESRESOLVERS_LETSENCRYPT_ACME_HTTPCHALLENGE: true
+      TRAEFIK_CERTIFICATESRESOLVERS_LETSENCRYPT_ACME_HTTPCHALLENGE_ENTRYPOINT: web
+      TRAEFIK_CERTIFICATESRESOLVERS_LETSENCRYPT_ACME_STORAGE: "/etc/traefik/acme/acme.json"
+
+      # Since Traefik 3.6.3, paths with certain "encoded characters" are now blocked by default; we need a couple, or else things *will* break
+      TRAEFIK_ENTRYPOINTS_WEBSECURE_HTTP_ENCODEDCHARACTERS_ALLOWENCODEDSLASH: true
+      TRAEFIK_ENTRYPOINTS_WEBSECURE_HTTP_ENCODEDCHARACTERS_ALLOWENCODEDHASH: true
+
+      TRAEFIK_PROVIDERS_DOCKER: true
+      TRAEFIK_PROVIDERS_DOCKER_ENDPOINT: "unix:///var/run/docker.sock"
+      TRAEFIK_PROVIDERS_DOCKER_EXPOSEDBYDEFAULT: false
+
+      TRAEFIK_PROVIDERS_FILE: true
+      TRAEFIK_PROVIDERS_FILE_FILENAME: "/etc/traefik/dynamic.yml"
+
+configs:
+  dynamic.yml:
+    content: |
+      # Optionally set STS headers, like in https://hstspreload.org
+      # http:
+      #   middlewares:
+      #     secureHeaders:
+      #       headers:
+      #         forceSTSHeader: true
+      #         stsIncludeSubdomains: true
+      #         stsPreload: true
+      #         stsSeconds: 31536000
+      tls:
+        options:
+          default:
+            cipherSuites:
+              - TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
+              - TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
+              - TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
+              - TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
+              - TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305
+              - TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305
+            minVersion: VersionTLS12
+
+volumes:
+    db:
+    acme:
+
+networks:
+    proxy:
+
+# vim: ts=2:sw=2:expandtab

docs/deploying/docker-compose.yml

@@ -0,0 +1,44 @@
+# Continuwuity
+
+services:
+    homeserver:
+        ### If you already built the Continuwuity image with 'docker build' or want to use a registry image,
+        ### then you are ready to go.
+        image: forgejo.ellis.link/continuwuation/continuwuity:latest
+        restart: unless-stopped
+        ports:
+            - 8448:6167
+        volumes:
+            - db:/var/lib/continuwuity
+            #- ./continuwuity.toml:/etc/continuwuity.toml
+        environment:
+            CONTINUWUITY_SERVER_NAME: your.server.name # EDIT THIS
+            CONTINUWUITY_DATABASE_PATH: /var/lib/continuwuity
+            CONTINUWUITY_PORT: 6167
+            CONTINUWUITY_MAX_REQUEST_SIZE: 20000000 # in bytes, ~20 MB
+            CONTINUWUITY_ALLOW_REGISTRATION: 'true'
+            CONTINUWUITY_REGISTRATION_TOKEN: 'YOUR_TOKEN' # A registration token is required when registration is allowed.
+            #CONTINUWUITY_YES_I_AM_VERY_VERY_SURE_I_WANT_AN_OPEN_REGISTRATION_SERVER_PRONE_TO_ABUSE: 'true'
+            CONTINUWUITY_ALLOW_FEDERATION: 'true'
+            CONTINUWUITY_ALLOW_CHECK_FOR_UPDATES: 'true'
+            CONTINUWUITY_TRUSTED_SERVERS: '["matrix.org"]'
+            #CONTINUWUITY_LOG: warn,state_res=warn
+            CONTINUWUITY_ADDRESS: 0.0.0.0
+            #CONTINUWUITY_CONFIG: '/etc/continuwuity.toml' # Uncomment if you mapped config toml above
+    #
+    ### Uncomment if you want to use your own Element-Web App.
+    ### Note: You need to provide a config.json for Element and you also need a second
+    ###       Domain or Subdomain for the communication between Element and Continuwuity
+    ### Config-Docs: https://github.com/vector-im/element-web/blob/develop/docs/config.md
+    # element-web:
+    #     image: vectorim/element-web:latest
+    #     restart: unless-stopped
+    #     ports:
+    #         - 8009:80
+    #     volumes:
+    #         - ./element_config.json:/app/config.json
+    #     depends_on:
+    #         - homeserver
+
+volumes:
+    db:

docs/deploying/docker.mdx

@@ -1,251 +1,220 @@
 # Continuwuity for Docker
 
-## Preparation
+## Docker
 
-### Choose an image
+To run Continuwuity with Docker, you can either build the image yourself or pull it
+from a registry.
 
-The following OCI images are available for Continuwuity:
+### Use a registry
 
-| Image                                                                                        | Notes                                                                                                     |
-| ------------------------------------------------------------------------------------------- | --------------------------------------------------------------------------------------------------------- |
-| [https://forgejo.ellis.link/continuwuation/continuwuity:**latest**][latest]                 | Latest tagged release. (recommended)                                                                      |
-| [https://forgejo.ellis.link/continuwuation/continuwuity:**main**][main]                     | Latest `main` branch commit.                                                                              |
-| [https://forgejo.ellis.link/continuwuation/continuwuity:**latest-maxperf**][latest-maxperf] | Latest tagged release, [performance optimised version](./generic.mdx#performance-optimised-builds).       |
-| [https://forgejo.ellis.link/continuwuation/continuwuity:**main-maxperf**][main-maxperf]     | Latest `main` branch commit, [performance optimised version](./generic.mdx#performance-optimised-builds). |
+OCI images for Continuwuity are available in the registries listed below.
 
-[latest]: https://forgejo.ellis.link/continuwuation/-/packages/container/continuwuity/latest
-[main]: https://forgejo.ellis.link/continuwuation/-/packages/container/continuwuity/main
-[latest-maxperf]: https://forgejo.ellis.link/continuwuation/-/packages/container/continuwuity/latest-maxperf
-[main-maxperf]: https://forgejo.ellis.link/continuwuation/-/packages/container/continuwuity/main-maxperf
+| Registry        | Image                                                           | Notes                  |
+| --------------- | --------------------------------------------------------------- | -----------------------|
+| Forgejo Registry| [forgejo.ellis.link/continuwuation/continuwuity:latest](https://forgejo.ellis.link/continuwuation/-/packages/container/continuwuity/latest)     | Latest tagged image.   |
+| Forgejo Registry| [forgejo.ellis.link/continuwuation/continuwuity:main](https://forgejo.ellis.link/continuwuation/-/packages/container/continuwuity/main)       | Main branch image.     |
+| Forgejo Registry| [forgejo.ellis.link/continuwuation/continuwuity:latest-maxperf](https://forgejo.ellis.link/continuwuation/-/packages/container/continuwuity/latest-maxperf) | [Performance optimised version.](./generic.mdx#performance-optimised-builds) |
+| Forgejo Registry| [forgejo.ellis.link/continuwuation/continuwuity:main-maxperf](https://forgejo.ellis.link/continuwuation/-/packages/container/continuwuity/main-maxperf)   | [Performance optimised version.](./generic.mdx#performance-optimised-builds) |
 
-If you want a specific version or commit hash, you can browse for them [here][oci-all-versions].
+Use
 
-Images are also mirrored to these locations automatically, on a schedule:
-
-- `ghcr.io/continuwuity/continuwuity` ([Github Registry][ghcr-io])
-- `docker.io/jadedblueeyes/continuwuity` ([Docker Hub][docker-hub])
-- `registry.gitlab.com/continuwuity/continuwuity` ([Gitlab Registry][gitlab-registry])
-- `git.nexy7574.co.uk/mirrored/continuwuity` ([Nexy's forge][nexy-forge]. Releases only, no `main` tags)
-
-[oci-all-versions]: https://forgejo.ellis.link/continuwuation/-/packages/container/continuwuity/versions
-[ghcr-io]: https://github.com/continuwuity/continuwuity/pkgs/container/continuwuity/versions?filters%5Bversion_type%5D=tagged
-[docker-hub]: https://hub.docker.com/r/jadedblueeyes/continuwuity/
-[gitlab-registry]: https://gitlab.com/continuwuity/continuwuity/container_registry/8871720
-[nexy-forge]: https://git.nexy7574.co.uk/mirrored/-/packages/container/continuwuity/versions
-
-### Prerequisites
-
-Continuwuity requires HTTPS for Matrix federation. You'll need:
-
-- A domain name pointing to your server's IP address - we will be using `example.com` in this guide.
-- A reverse proxy with SSL/TLS certificates (Traefik, Caddy, nginx, etc.) - see [Docker Compose](#docker-compose) for complete examples.
-- Port `:443` (for Client-Server traffic) and `:8448` (for federation traffic) opened on your server's firewall.
-
-    - Alternatively, if you want both client and federation traffic on `:443`, you can configure `CONTINUWUITY_WELL_KNOWN` following some of the [examples](#choose-your-reverse-proxy) below.
-
-:::tip Split-domain setups
-For more setups with `.well-known` delegation and split-domain deployments, consult the [Delegation/Split-domain](../advanced/delegation) page.
-:::
-
-## Docker Compose
-
-Docker Compose is the recommended deployment method for Continuwuity containers. The following environment variables will be set:
-
-- `CONTINUWUITY_SERVER_NAME` - Your Matrix server's domain name. **This CANNOT be changed later without a data wipe.**
-- `CONTINUWUITY_DATABASE_PATH` - Where to store your database. This must match the docker volume mount.
-- `CONTINUWUITY_ADDRESS` - Bind address (for Docker, use `0.0.0.0` to listen on all interfaces).
-
-Alternatively, you can specify a path to mount the configuration file using the `CONTINUWUITY_CONFIG` environment variable.
-
-See the [reference configuration](../reference/config) page for all config options, and the [Configuration page](../configuration#environment-variables) on how to convert them into Environment Variables.
-
-### Choose Your Reverse Proxy
-
-These examples include reverse proxy configurations for Matrix federation, which will route your Matrix domain (and optionally .well-known paths) to Continuwuity.
-
-:::note Docker DNS Performance
-Docker's default DNS resolver are known to [cause timeout issues](../troubleshooting#dns-issues) for Matrix federation. To bypass it and use a more performant resolver, mount a custom `/etc/resolv.conf` config file into the Continuwuity container.
-
-```yaml title='docker-compose.yml'
-services:
-  homeserver:
-    # ...
-    volumes:
-      - ./continuwuity-resolv.conf:/etc/resolv.conf
+```bash
+docker image pull $LINK
 ```
 
-```txt title='continuwuity-resolv.conf'
-nameserver 1.0.0.1
-nameserver 1.1.1.1
+to pull it to your machine.
+
+#### Mirrors
+
+Images are mirrored to multiple locations automatically, on a schedule:
+
+- `ghcr.io/continuwuity/continuwuity`
+- `docker.io/jadedblueeyes/continuwuity`
+- `registry.gitlab.com/continuwuity/continuwuity`
+- `git.nexy7574.co.uk/mirrored/continuwuity` (releases only, no `main`)
+
+### Run
+
+When you have the image, you can simply run it with
+
+```bash
+docker run -d -p 8448:6167 \
+    -v db:/var/lib/continuwuity/ \
+    -e CONTINUWUITY_SERVER_NAME="your.server.name" \
+    -e CONTINUWUITY_ALLOW_REGISTRATION=false \
+    --name continuwuity $LINK
 ```
 
-Consult the [**DNS tuning guide (recommended)**](../advanced/dns.mdx) for full solutions to this issue.
-:::
+or you can use [Docker Compose](#docker-compose).
 
-#### Caddy (using Caddyfile)
+The `-d` flag lets the container run in detached mode. You may supply an
+optional `continuwuity.toml` config file, the example config can be found
+[here](../reference/config.mdx). You can pass in different env vars to
+change config values on the fly. You can even configure Continuwuity completely by
+using env vars. For an overview of possible values, please take a look at the
+<a href="/examples/docker-compose.yml" target="_blank">`docker-compose.yml`</a> file.
+
+If you just want to test Continuwuity for a short time, you can use the `--rm`
+flag, which cleans up everything related to your container after you stop
+it.
+
+### Docker Compose
+
+If the `docker run` command is not suitable for you or your setup, you can also use one
+of the provided `docker-compose` files.
+
+Depending on your proxy setup, you can use one of the following files:
+
+### For existing Traefik setup
 
 <details>
-<summary>docker-compose.with-caddy.yml ([view raw](/deploying/docker-compose.with-caddy.yml))</summary>
+<summary>docker-compose.for-traefik.yml</summary>
 
-```yaml file="../public/deploying/docker-compose.with-caddy.yml"
+```yaml file="./docker-compose.for-traefik.yml"
 
 ```
 
 </details>
 
-#### Caddy (using labels)
+### With Traefik included
 
 <details>
-<summary>docker-compose.with-caddy-labels.yml ([view raw](/deploying/docker-compose.with-caddy-labels.yml))</summary>
+<summary>docker-compose.with-traefik.yml</summary>
 
-```yaml file="../public/deploying/docker-compose.with-caddy-labels.yml"
+```yaml file="./docker-compose.with-traefik.yml"
 
 ```
 
 </details>
 
-#### Traefik (for existing setup)
+### With Caddy Docker Proxy
 
 <details>
-<summary>docker-compose.for-traefik.yml ([view raw](/deploying/docker-compose.for-traefik.yml))</summary>
+<summary>docker-compose.with-caddy.yml</summary>
 
-```yaml file="../public/deploying/docker-compose.for-traefik.yml"
+Replace all `example.com` placeholders with your own domain.
+
+```yaml file="./docker-compose.with-caddy.yml"
 
 ```
 
 </details>
 
-#### Traefik included
+### For other reverse proxies
 
 <details>
-<summary>docker-compose.with-traefik.yml ([view raw](/deploying/docker-compose.with-traefik.yml))</summary>
+<summary>docker-compose.yml</summary>
 
-```yaml file="../public/deploying/docker-compose.with-traefik.yml"
+```yaml file="./docker-compose.yml"
 
 ```
 
 </details>
 
-#### Traefik (as override file)
+### Override file
 
 <details>
-<summary>docker-compose.override.yml ([view raw](/deploying/docker-compose.override.yml))</summary>
+<summary>docker-compose.override.yml</summary>
 
-```yaml file="../public/deploying/docker-compose.override.yml"
+```yaml file="./docker-compose.override.yml"
 
 ```
 
 </details>
 
-#### For other reverse proxies
+When picking the Traefik-related compose file, rename it to
+`docker-compose.yml`, and rename the override file to
+`docker-compose.override.yml`. Edit the latter with the values you want for your
+server.
+
+When picking the `caddy-docker-proxy` compose file, it's important to first
+create the `caddy` network before spinning up the containers:
+
+```bash
+docker network create caddy
+```
+
+After that, you can rename it to `docker-compose.yml` and spin up the
+containers!
+
+Additional info about deploying Continuwuity can be found [here](generic.mdx).
+
+### Build
+
+Official Continuwuity images are built using **Docker Buildx** and the Dockerfile found at [`docker/Dockerfile`][dockerfile-path]. This approach uses common Docker tooling and enables efficient multi-platform builds.
+
+The resulting images are widely compatible with Docker and other container runtimes like Podman or containerd.
+
+The images *do not contain a shell*. They contain only the Continuwuity binary, required libraries, TLS certificates, and metadata.
 
 <details>
-<summary>docker-compose.yml ([view raw](/deploying/docker-compose.yml))</summary>
+<summary>Click to view the Dockerfile</summary>
 
-```yaml file="../public/deploying/docker-compose.yml"
+You can also <a href="https://forgejo.ellis.link/continuwuation/continuwuation/src/branch/main/docker/Dockerfile" target="_blank">view the Dockerfile on Forgejo</a>.
+
+```dockerfile file="../../docker/Dockerfile"
 
 ```
 
 </details>
 
-You will then need to point your reverse proxy towards Continuwuity at `127.0.0.1:8008`. See the [Other reverse proxies](generic.mdx#setting-up-the-reverse-proxy) section of the Generic page for further routing details.
+To build an image locally using Docker Buildx, you can typically run a command like:
 
-### Starting Your Server
+```bash
+# Build for the current platform and load into the local Docker daemon
+docker buildx build --load --tag continuwuity:latest -f docker/Dockerfile .
 
-1. Choose your compose file from the above, and rename it to `docker-compose.yml`. Replace `example.com` with your homeserver's domain name, and edit other values as you see fit.
-2. If using the override file, rename it to `docker-compose.override.yml` and
-   edit your values.
-3. Start the server:
+# Example: Build for specific platforms and push to a registry.
+# docker buildx build --platform linux/amd64,linux/arm64 --tag registry.io/org/continuwuity:latest -f docker/Dockerfile . --push
 
-    ```bash
-    docker compose up -d
-    ```
+# Example: Build binary optimised for the current CPU (standard release profile)
+# docker buildx build --load \
+#   --tag continuwuity:latest \
+#   --build-arg TARGET_CPU=native \
+#   -f docker/Dockerfile .
 
-4. Check your server logs for a registration token:
+# Example: Build maxperf variant (release-max-perf profile with LTO)
+# Optimised for runtime performance and smaller binary size, but requires longer build time
+# docker buildx build --load \
+#   --tag continuwuity:latest-maxperf \
+#   --build-arg TARGET_CPU=native \
+#   --build-arg RUST_PROFILE=release-max-perf \
+#   -f docker/Dockerfile .
+```
 
-    ```bash
-    docker-compose logs continuwuity 2>&1
-    ```
+Refer to the Docker Buildx documentation for more advanced build options.
 
-    You'll see output as below.
+[dockerfile-path]: https://forgejo.ellis.link/continuwuation/continuwuation/src/branch/main/docker/Dockerfile
 
-    ```
-    In order to use your new homeserver, you need to create its
-    first user account.
-    Open your Matrix client of choice and register an account
-    on example.com using registration token x5keUZ811RqvLsNa .
-    Pick your own username and password!
-    ```
+### Run
 
-5. Log in to your server with any Matrix client, and register for an account with the registration token from step 4. You'll automatically be invited to the admin room where you can [manage your server](../reference/admin).
+If you have already built the image or want to use one from the registries, you
+can start the container and everything else in the compose file in detached
+mode with:
 
-See the [generic deployment guide](generic.mdx) for more deployment options.
+```bash
+docker compose up -d
+```
 
-## Testing
+> **Note:** Don't forget to modify and adjust the compose file to your needs.
 
-Test that your setup works by following these [instructions](./generic.mdx#how-do-i-know-it-works)
+### Use Traefik as Proxy
 
-## Other deployment methods
+As a container user, you probably know about Traefik. It is an easy-to-use
+reverse proxy for making containerized apps and services available through the
+web. With the Traefik-related docker-compose files provided above, it is equally easy
+to deploy and use Continuwuity, with a small caveat. If you have already looked at
+the files, you should have seen the `well-known` service, which is the
+small caveat. Traefik is simply a proxy and load balancer and cannot
+serve any kind of content. For Continuwuity to federate, we need to either
+expose ports `443` and `8448` or serve two endpoints: `.well-known/matrix/client`
+and `.well-known/matrix/server`.
 
-### Docker - Quick Run
+With the service `well-known`, we use a single `nginx` container that serves
+those two files.
 
-:::note For testing only
-The instructions below are only meant for a quick demo of Continuwuity.
-For production deployment, we recommend using [Docker Compose](#docker-compose)
-:::
+Alternatively, you can use Continuwuity's built-in delegation file capability. Set up the delegation files in the configuration file, and then proxy paths under `/.well-known/matrix` to continuwuity. For example, the label ``traefik.http.routers.continuwuity.rule=(Host(`matrix.ellis.link`) || (Host(`ellis.link`) && PathPrefix(`/.well-known/matrix`)))`` does this for the domain `ellis.link`.
 
-Get a working Continuwuity server with an admin user in four steps:
+## Voice communication
 
-1. Pull the image
-
-    ```bash
-    docker pull forgejo.ellis.link/continuwuation/continuwuity:latest
-    ```
-
-2. Start the server for the first time. Replace `example.com` with your actual server name.
-
-    ```bash
-    docker run -d \
-      -p 8008:8008 \
-      -v continuwuity_db:/var/lib/continuwuity \
-      -e CONTINUWUITY_SERVER_NAME="example.com" \
-      -e CONTINUWUITY_DATABASE_PATH="/var/lib/continuwuity" \
-      -e CONTINUWUITY_ADDRESS="0.0.0.0" \
-      -e CONTINUWUITY_ALLOW_REGISTRATION="false" \
-      --name continuwuity \
-      forgejo.ellis.link/continuwuation/continuwuity:latest \
-      /sbin/conduwuit
-    ```
-
-3. Fetch the one-time initial registration token
-
-    ```bash
-    docker logs continuwuity 2>&1
-    ```
-
-    You'll see output as below.
-
-    ```
-    In order to use your new homeserver, you need to create its
-    first user account.
-    Open your Matrix client of choice and register an account
-    on example.com using registration token x5keUZ811RqvLsNa .
-    Pick your own username and password!
-    ```
-
-4. Configure your reverse proxy to forward HTTPS traffic to Continuwuity at port 8008. See [Docker Compose](#docker-compose) for examples.
-
-Once configured, log in to your server with any Matrix client, and register for an account with the registration token from step 3. You'll automatically be invited to the admin room where you can [manage your server](../reference/admin).
-
-### (Optional) Building Custom Images
-
-For information on building your own Continuwuity Docker images, see the
-[Building Docker Images](../development/index.mdx#building-docker-images)
-section in the development documentation.
-
-## Next steps
-
-- For smooth federation, set up a caching resolver according to the [**DNS tuning guide**](../advanced/dns.mdx) (recommended)
-- To set up Audio/Video communication, see the [**Calls**](../calls.mdx) page.
-- If you want to set up an appservice, take a look at the [**Appservice
-Guide**](../appservices.mdx).
+See the [Calls](../calls.mdx) page.

docs/deploying/freebsd.mdx

@@ -1,7 +1,7 @@
 # Continuwuity for FreeBSD
 
-Continuwuity doesn't provide official FreeBSD packages; however, a community-maintained set of packages is available on [Forgejo](https://forgejo.ellis.link/katie/continuwuity-bsd). Note that these are provided as standalone packages and are not part of a FreeBSD package repository (yet), so updates need to be downloaded and installed manually.
+Continuwuity currently does not provide FreeBSD builds or FreeBSD packaging. However, Continuwuity does build and work on FreeBSD using the system-provided RocksDB.
 
-Please see the installation instructions in that repository. Direct any questions to its issue tracker or to [@katie:kat5.dev](https://matrix.to/#/@katie:kat5.dev).
+Contributions to get Continuwuity packaged for FreeBSD are welcome.
 
-For general BSD support, please join our [Continuwuity BSD](https://matrix.to/#/%23bsd:continuwuity.org) community room.
+Please join our [Continuwuity BSD](https://matrix.to/#/%23bsd:continuwuity.org) community room.

docs/deploying/generic.mdx

@@ -14,7 +14,6 @@ ### Prebuilt binary
 run the `uname -m` to check which you need.
 
 Prebuilt binaries are available from:
-
 - **Tagged releases**: [Latest release page](https://forgejo.ellis.link/continuwuation/continuwuity/releases/latest)
 - **Development builds**: CI artifacts from the `main` branch
   (includes Debian/Ubuntu packages)
@@ -43,36 +42,32 @@ #### Performance-optimised builds
 [link-time optimisation (LTO)](https://doc.rust-lang.org/cargo/reference/profiles.html#lto)
 and, for amd64, target the haswell CPU architecture.
 
-### Nix
-
-Theres a Nix package defined in our flake, available for Linux and MacOS. Add continuwuity as an input to your flake, and use `inputs.continuwuity.packages.${system}.default` to get a working Continuwuity package.
-
-If you simply wish to generate a binary using Nix, you can run `nix build git+https://forgejo.ellis.link/continuwuation/continuwuity` to generate a binary in `result/bin/conduwuit`.
-
 ### Compiling
 
 Alternatively, you may compile the binary yourself.
 
-#### Using Docker
+### Building with the Rust toolchain
 
-If you would like to build using docker, you can run the command `docker build -f ./docker/Dockerfile -t forgejo.ellis.link/continuwuation/continuwuity:main .` to compile continuwuity.
+If wanting to build using standard Rust toolchains, make sure you install:
 
-#### Manual
-
-##### Dependencies
-
-- Run `nix develop` to get a devshell with everything you need
-- Or, install the following:
-    - (On linux) `liburing-dev` on the compiling machine, and `liburing` on the target host
-    - (On linux) `pkg-config` on the compiling machine to allow finding `liburing`
-    - A C++ compiler and (on linux) `libclang` for RocksDB
-
-##### Build
+- (On linux) `liburing-dev` on the compiling machine, and `liburing` on the target host
+- (On linux) `pkg-config` on the compiling machine to allow finding `liburing`
+- A C++ compiler and (on linux) `libclang` for RocksDB
 
 You can build Continuwuity using `cargo build --release`.
 
 Continuwuity supports various optional features that can be enabled during compilation. Please see the Cargo.toml file for a comprehensive list, or ask in our rooms.
 
+### Building with Nix
+
+If you prefer, you can use Nix (or [Lix](https://lix.systems)) to build Continuwuity. This provides improved reproducibility and makes it easy to set up a build environment and generate output. This approach also allows for easy cross-compilation.
+
+You can run the `nix build -L .#static-x86_64-linux-musl-all-features` or
+`nix build -L .#static-aarch64-linux-musl-all-features` commands based
+on architecture to cross-compile the necessary static binary located at
+`result/bin/conduwuit`. This is reproducible with the static binaries produced
+in our CI.
+
 ## Adding a Continuwuity user
 
 While Continuwuity can run as any user, it is better to use dedicated users for
@@ -133,11 +128,13 @@ ## Setting up a systemd service
 ReadWritePaths=/path/to/custom/database/path
 ```
 
+
 ### Example systemd Unit File
 
 <details>
 <summary>Click to expand systemd unit file (conduwuit.service)</summary>
 
+
 ```ini file="../../pkg/conduwuit.service"
 
 ```
@@ -205,27 +202,23 @@ ### Other Reverse Proxies
 As we prefer our users to use Caddy, we do not provide configuration files for other proxies.
 
 You will need to reverse proxy everything under the following routes:
-
 - `/_matrix/` - core Matrix C-S and S-S APIs
 - `/_conduwuit/` and/or `/_continuwuity/` - ad-hoc Continuwuity routes such as `/local_user_count` and
-  `/server_version`
+`/server_version`
 
 You can optionally reverse proxy the following individual routes:
-
 - `/.well-known/matrix/client` and `/.well-known/matrix/server` if using
-  Continuwuity to perform delegation (see the `[global.well_known]` config section)
+Continuwuity to perform delegation (see the `[global.well_known]` config section)
 - `/.well-known/matrix/support` if using Continuwuity to send the homeserver admin
-  contact and support page (formerly known as MSC1929)
+contact and support page (formerly known as MSC1929)
 - `/` if you would like to see `hewwo from conduwuit woof!` at the root
 
 See the following spec pages for more details on these files:
-
 - [`/.well-known/matrix/server`](https://spec.matrix.org/latest/client-server-api/#getwell-knownmatrixserver)
 - [`/.well-known/matrix/client`](https://spec.matrix.org/latest/client-server-api/#getwell-knownmatrixclient)
 - [`/.well-known/matrix/support`](https://spec.matrix.org/latest/client-server-api/#getwell-knownmatrixsupport)
 
 Examples of delegation:
-
 - https://continuwuity.org/.well-known/matrix/server
 - https://continuwuity.org/.well-known/matrix/client
 - https://ellis.link/.well-known/matrix/server
@@ -239,7 +232,6 @@ ### Other Reverse Proxies
 If using Apache, you need to use `nocanon` in your `ProxyPass` directive to prevent httpd from interfering with the `X-Matrix` header (note that Apache is not ideal as a general reverse proxy, so we discourage using it if alternatives are available).
 
 If using Nginx, you need to pass the request URI to Continuwuity using `$request_uri`, like this:
-
 - `proxy_pass http://127.0.0.1:6167$request_uri;`
 - `proxy_pass http://127.0.0.1:6167;`
 
@@ -279,17 +271,17 @@ # If federation is enabled
 ```
 
 - To check if your server can communicate with other homeservers, use the
-  [Matrix Federation Tester](https://federationtester.mtrnord.blog/). If you can
-  register but cannot join federated rooms, check your configuration and verify
-  that port 8448 is open and forwarded correctly.
+[Matrix Federation Tester](https://federationtester.mtrnord.blog/). If you can
+register but cannot join federated rooms, check your configuration and verify
+that port 8448 is open and forwarded correctly.
 
-## What's next?
+# What's next?
 
-### Audio/Video calls
+## Audio/Video calls
 
 For Audio/Video call functionality see the [Calls](../calls.md) page.
 
-### Appservices
+## Appservices
 
 If you want to set up an appservice, take a look at the [Appservice
 Guide](../appservices.md).

docs/deploying/kubernetes.mdx

@@ -39,7 +39,6 @@ # Continuwuity for Kubernetes
         - name: continuwuity
           # use a sha hash <3
           image: forgejo.ellis.link/continuwuation/continuwuity:latest
-          command: ["/sbin/conduwuit"]
           imagePullPolicy: IfNotPresent
           ports:
             - name: http

docs/deploying/nixos.mdx

@@ -1,40 +1,40 @@
 # Continuwuity for NixOS
 
-## Nix package
+NixOS packages Continuwuity as `matrix-continuwuity`. This package includes both the Continuwuity software and a dedicated NixOS module for configuration and deployment.
 
-You can get a Nix package for Continuwuity from the following sources:
+## Installation methods
 
-- Directly from Nixpkgs: `pkgs.matrix-continuwuity`
-- Or, using `continuwuity.packages.${system}.default` from:
-    - The `flake.nix` at the root of the Continuwuity repo, by adding Continuwuity to your flake inputs:
+You can acquire Continuwuity with Nix (or [Lix][lix]) from these sources:
 
-    ```nix
-    inputs.continuwuity.url = "git+https://forgejo.ellis.link/continuwuation/continuwuity";
-    ```
-
-    - The `default.nix` at the root of the Continuwuity repo
+* Directly from Nixpkgs using the official package (`pkgs.matrix-continuwuity`)
+* The `flake.nix` at the root of the Continuwuity repo
+* The `default.nix` at the root of the Continuwuity repo
 
 ## NixOS module
 
-Continuwuity has an official NixOS module that simplifies configuration and deployment. The module is available in Nixpkgs as `services.matrix-continuwuity`.
+Continuwuity now has an official NixOS module that simplifies configuration and deployment. The module is available in Nixpkgs as `services.matrix-continuwuity` from NixOS 25.05.
 
 Here's a basic example of how to use the module:
 
 ```nix
-services.matrix-continuwuity = {
-  enable = true;
-  settings = {
-    global = {
-      server_name = "example.com";
+{ config, pkgs, ... }:
 
-      # Continuwuity listens on localhost by default,
-      # address and port are handled automatically
-
-      # You can add any further configuration here, e.g.
-	  # trusted_servers = [ "matrix.org" ];
+{
+  services.matrix-continuwuity = {
+    enable = true;
+    settings = {
+      global = {
+        server_name = "example.com";
+        # Listening on localhost by default
+        # address and port are handled automatically
+        allow_registration = false;
+        allow_encryption = true;
+        allow_federation = true;
+        trusted_servers = [ "matrix.org" ];
+      };
     };
   };
-};
+}
 ```
 
 ### Available options
@@ -45,30 +45,86 @@ ### Available options
 - `user`: The user to run Continuwuity as (defaults to "continuwuity")
 - `group`: The group to run Continuwuity as (defaults to "continuwuity")
 - `extraEnvironment`: Extra environment variables to pass to the Continuwuity server
-- `package`: The Continuwuity package to use, defaults to `pkgs.matrix-continuwuity`
-    - You may want to override this to be from our flake, for faster updates and unstable versions:
-    ```nix
-    package = inputs.continuwuity.packages.${pkgs.stdenv.hostPlatform.system}.default;
-    ```
-- `admin.enable`: Whether to add the `conduwuit` binary to `PATH` for administration (enabled by default)
-- `settings`: The Continuwuity configuration
+- `package`: The Continuwuity package to use
+- `settings`: The Continuwuity configuration (in TOML format)
 
 Use the `settings` option to configure Continuwuity itself. See the [example configuration file](../reference/config.mdx) for all available options.
 
-Settings are automatically translated from Nix to TOML. For example, the following line of Nix:
+### UNIX sockets
+
+The NixOS module natively supports UNIX sockets through the `global.unix_socket_path` option. When using UNIX sockets, set `global.address` to `null`:
 
 ```nix
-settings.global.well_known.client = "https://matrix.example.com";
+services.matrix-continuwuity = {
+  enable = true;
+  settings = {
+    global = {
+      server_name = "example.com";
+      address = null; # Must be null when using unix_socket_path
+      unix_socket_path = "/run/continuwuity/continuwuity.sock";
+      unix_socket_perms = 660; # Default permissions for the socket
+      # ...
+    };
+  };
+};
 ```
 
-Would become this equivalent TOML configuration:
+The module automatically sets the correct `RestrictAddressFamilies` in the systemd service configuration to allow access to UNIX sockets.
 
-```toml
-[global.well_known]
-client = "https://matrix.example.com"
+### RocksDB database
+
+Continuwuity exclusively uses RocksDB as its database backend. The system configures the database path automatically to `/var/lib/continuwuity/` and you cannot change it due to the service's reliance on systemd's StateDir.
+
+If you're migrating from Conduit with SQLite, use this [tool to migrate a Conduit SQLite database to RocksDB](https://github.com/ShadowJonathan/conduit_toolbox/).
+
+### jemalloc and hardened profile
+
+Continuwuity uses jemalloc by default. This may interfere with the [`hardened.nix` profile][hardened.nix] because it uses `scudo` by default. Either disable/hide `scudo` from Continuwuity or disable jemalloc like this:
+
+```nix
+services.matrix-continuwuity = {
+  enable = true;
+  package = pkgs.matrix-continuwuity.override {
+    enableJemalloc = false;
+  };
+  # ...
+};
 ```
 
+## Upgrading from Conduit
+
+If you previously used Conduit with the `services.matrix-conduit` module:
+
+1. Ensure your Conduit uses the RocksDB backend, or migrate from SQLite using the [migration tool](https://github.com/ShadowJonathan/conduit_toolbox/)
+2. Switch to the new module by changing `services.matrix-conduit` to `services.matrix-continuwuity` in your configuration
+3. Update any custom configuration to match the new module's structure
+
 ## Reverse proxy configuration
 
-You'll need to set up a reverse proxy (like NGINX or Caddy) to expose Continuwuity to the internet. You can configure your reverse proxy using NixOS options (e.g. `services.caddy`).
-See the [reverse proxy setup guide](./generic.mdx#setting-up-the-reverse-proxy) for information on correct reverse proxy configuration.
+You'll need to set up a reverse proxy (like nginx or caddy) to expose Continuwuity to the internet. Configure your reverse proxy to forward requests to `/_matrix` on port 443 and 8448 to your Continuwuity instance.
+
+Here's an example nginx configuration:
+
+```nginx
+server {
+    listen 443 ssl;
+    listen [::]:443 ssl;
+    listen 8448 ssl;
+    listen [::]:8448 ssl;
+
+    server_name example.com;
+
+    # SSL configuration here...
+
+    location /_matrix/ {
+        proxy_pass http://127.0.0.1:6167$request_uri;
+        proxy_set_header Host $host;
+        proxy_set_header X-Real-IP $remote_addr;
+        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+        proxy_set_header X-Forwarded-Proto $scheme;
+    }
+}
+```
+
+[lix]: https://lix.systems/
+[hardened.nix]: https://github.com/NixOS/nixpkgs/blob/master/nixos/modules/profiles/hardened.nix

docs/development/contributing.mdx

@@ -1 +0,0 @@
-../../CONTRIBUTING.md

docs/development/contributing.mdx

@@ -0,0 +1,203 @@
+# Contributing guide
+
+This page is about contributing to Continuwuity. The
+[development](./index.mdx) and [code style guide](./code_style.mdx) pages may be of interest for you as well.
+
+If you would like to work on an [issue][issues] that is not assigned, preferably
+ask in the Matrix room first at [#continuwuity:continuwuity.org][continuwuity-matrix],
+and comment on it.
+
+### Code Style
+
+Please review and follow the [code style guide](./code_style) for formatting, linting, naming conventions, and other code standards.
+
+### Pre-commit Checks
+
+Continuwuity uses pre-commit hooks to enforce various coding standards and catch common issues before they're committed. These checks include:
+
+- Code formatting and linting
+- Typo detection (both in code and commit messages)
+- Checking for large files
+- Ensuring proper line endings and no trailing whitespace
+- Validating YAML, JSON, and TOML files
+- Checking for merge conflicts
+
+You can run these checks locally by installing [prefligit](https://github.com/j178/prefligit):
+
+
+```bash
+# Requires UV: https://docs.astral.sh/uv/getting-started/installation/
+# Mac/linux: curl -LsSf https://astral.sh/uv/install.sh | sh
+# Windows: powershell -ExecutionPolicy ByPass -c "irm https://astral.sh/uv/install.ps1 | iex"
+
+# Install prefligit using cargo-binstall
+cargo binstall prefligit
+
+# Install git hooks to run checks automatically
+prefligit install
+
+# Run all checks
+prefligit --all-files
+```
+
+Alternatively, you can use [pre-commit](https://pre-commit.com/):
+```bash
+# Requires python
+
+# Install pre-commit
+pip install pre-commit
+
+# Install the hooks
+pre-commit install
+
+# Run all checks manually
+pre-commit run --all-files
+```
+
+These same checks are run in CI via the prefligit-checks workflow to ensure consistency. These must pass before the PR is merged.
+
+### Running tests locally
+
+Tests, compilation, and linting can be run with standard Cargo commands:
+
+```bash
+# Run tests
+cargo test
+
+# Check compilation
+cargo check --workspace --features full
+
+# Run lints
+cargo clippy --workspace --features full
+# Auto-fix: cargo clippy --workspace --features full --fix --allow-staged;
+
+# Format code (must use nightly)
+cargo +nightly fmt
+```
+
+### Matrix tests
+
+Continuwuity uses [Complement][complement] for Matrix protocol compliance testing. Complement tests are run manually by developers, and documentation on how to run these tests locally is currently being developed.
+
+If your changes are done to fix Matrix tests, please note that in your pull request. If more Complement tests start failing from your changes, please review the logs and determine if they're intended or not.
+
+[Sytest][sytest] is currently unsupported.
+
+### Writing documentation
+
+Continuwuity's website uses [`mdbook`][mdbook] and is deployed via CI using Cloudflare Pages
+in the [`documentation.yml`][documentation.yml] workflow file. All documentation is in the `docs/`
+directory at the top level.
+
+To build the documentation locally:
+
+1. Install mdbook if you don't have it already:
+   ```bash
+   cargo install mdbook # or cargo binstall, or another method
+   ```
+
+2. Build the documentation:
+   ```bash
+   mdbook build
+   ```
+
+The output of the mdbook generation is in `public/`. You can open the HTML files directly in your browser without needing a web server.
+
+
+### Commit Messages
+
+Continuwuity follows the [Conventional Commits](https://www.conventionalcommits.org/) specification for commit messages. This provides a standardized format that makes the commit history more readable and enables automated tools to generate changelogs.
+
+The basic structure is:
+
+```
+<type>[(optional scope)]: <description>
+
+[optional body]
+
+[optional footer(s)]
+```
+
+The allowed types for commits are:
+- `fix`: Bug fixes
+- `feat`: New features
+- `docs`: Documentation changes
+- `style`: Changes that don't affect the meaning of the code (formatting, etc.)
+- `refactor`: Code changes that neither fix bugs nor add features
+- `perf`: Performance improvements
+- `test`: Adding or fixing tests
+- `build`: Changes to the build system or dependencies
+- `ci`: Changes to CI configuration
+- `chore`: Other changes that don't modify source or test files
+
+Examples:
+```
+feat: add user authentication
+fix(database): resolve connection pooling issue
+docs: update installation instructions
+```
+
+The project uses the `committed` hook to validate commit messages in pre-commit. This ensures all commits follow the conventional format.
+
+### Creating pull requests
+
+Please try to keep contributions to the Forgejo Instance. While the mirrors of continuwuity
+allow for pull/merge requests, there is no guarantee the maintainers will see them in a timely
+manner. Additionally, please mark WIP or unfinished or incomplete PRs as drafts.
+This prevents us from having to ping once in a while to double check the status
+of it, especially when the CI completed successfully and everything so it
+*looks* done.
+
+Before submitting a pull request, please ensure:
+1. Your code passes all CI checks (formatting, linting, typo detection, etc.). Run pre-commit for this.
+2. Your code follows the [code style guide](./code_style)
+3. Your commit messages follow the conventional commits format
+4. Tests are added for new functionality
+5. Documentation is updated if needed
+6. You have written a [news fragment](#writing-news-fragments) for your changes
+
+Direct all PRs/MRs to the `main` branch.
+
+By sending a pull request or patch, you are agreeing that your changes are
+allowed to be licenced under the Apache-2.0 licence and all of your conduct is
+in line with the Contributor's Covenant, and continuwuity's Code of Conduct.
+
+Contribution by users who violate either of these code of conducts may not have
+their contributions accepted. This includes users who have been banned from
+continuwuity Matrix rooms for Code of Conduct violations.
+
+[issues]: https://forgejo.ellis.link/continuwuation/continuwuity/issues
+[continuwuity-matrix]: https://matrix.to/#/#continuwuity:continuwuity.org?via=continuwuity.org&via=ellis.link&via=explodie.org&via=matrix.org
+[complement]: https://github.com/matrix-org/complement/
+[sytest]: https://github.com/matrix-org/sytest/
+[mdbook]: https://rust-lang.github.io/mdBook/
+[documentation.yml]: https://forgejo.ellis.link/continuwuation/continuwuity/src/branch/main/.forgejo/workflows/documentation.yml
+
+#### Writing news fragments
+
+In order to make writing our changelogs easier, we make use of [Towncrier]. Towncrier builds changelogs based on
+"news fragments", which are little markdown files in the `changelog.d/` directory that describe individual changes.
+
+When you make a pull request that changes functionality, fixes a bug, or adds documentation, please add a news fragment
+describing your change. The file name *MUST* be in the format of `{pull_request_number}.{type}`, where `{type}` is one
+of the following:
+
+- `feature` - for new features
+- `bugfix` - for bug fixes
+- `doc` - for documentation changes
+- `misc` - for other changes that don't fit the above categories
+
+For example:
+
+```bash
+$ echo "Fixed the quantum flux stabiliser. Contributed by @alice." > changelog.d/42.bugfix
+```
+
+(Note: If you want to credit yourself, you should reference your forgejo handle, however links to other platforms are also acceptable.)
+
+When the next release is made, Towncrier will automatically include your news fragment in the changelog.
+
+You can read more about writing news fragments in the [Towncrier tutorial][tt].
+
+[Towncrier]: https://towncrier.readthedocs.io/
+[tt]: https://towncrier.readthedocs.io/en/stable/tutorial.html#creating-news-fragments

docs/development/index.mdx

@@ -2,8 +2,7 @@ # Development
 
 Information about developing the project. If you are only interested in using
 it, you can safely ignore this page. If you plan on contributing, see the
-[contributor's guide](./contributing.mdx) and
-[code style guide](./code_style.mdx).
+[contributor's guide](./contributing.mdx) and [code style guide](./code_style.mdx).
 
 ## Continuwuity project layout
 
@@ -13,98 +12,86 @@ ## Continuwuity project layout
 `Cargo.toml`.
 
 The crate names are generally self-explanatory:
-
 - `admin` is the admin room
 - `api` is the HTTP API, Matrix C-S and S-S endpoints, etc
-- `core` is core Continuwuity functionality like config loading, error
-  definitions, global utilities, logging infrastructure, etc
-- `database` is RocksDB methods, helpers, RocksDB config, and general database
-  definitions, utilities, or functions
-- `macros` are Continuwuity Rust [macros][macros] like general helper macros,
-  logging and error handling macros, and [syn][syn] and [procedural
-  macros][proc-macro] used for admin room commands and others
+- `core` is core Continuwuity functionality like config loading, error definitions,
+global utilities, logging infrastructure, etc
+- `database` is RocksDB methods, helpers, RocksDB config, and general database definitions,
+utilities, or functions
+- `macros` are Continuwuity Rust [macros][macros] like general helper macros, logging
+and error handling macros, and [syn][syn] and [procedural macros][proc-macro]
+used for admin room commands and others
 - `main` is the "primary" sub-crate. This is where the `main()` function lives,
-  tokio worker and async initialisation, Sentry initialisation, [clap][clap]
-  init, and signal handling. If you are adding new [Rust features][features],
-  they _must_ go here.
-- `router` is the webserver and request handling bits, using axum, tower,
-  tower-http, hyper, etc, and the [global server state][state] to access
-  `services`.
+tokio worker and async initialisation, Sentry initialisation, [clap][clap] init,
+and signal handling. If you are adding new [Rust features][features], they *must*
+go here.
+- `router` is the webserver and request handling bits, using axum, tower, tower-http,
+hyper, etc, and the [global server state][state] to access `services`.
 - `service` is the high-level database definitions and functions for data,
-  outbound/sending code, and other business logic such as media fetching.
+outbound/sending code, and other business logic such as media fetching.
 
-It is highly unlikely you will ever need to add a new workspace member, but if
-you truly find yourself needing to, we recommend reaching out to us in the
-Matrix room for discussions about it beforehand.
+It is highly unlikely you will ever need to add a new workspace member, but
+if you truly find yourself needing to, we recommend reaching out to us in
+the Matrix room for discussions about it beforehand.
 
 The primary inspiration for this design was apart of hot reloadable development,
-to support "Continuwuity as a library" where specific parts can simply be
-swapped out. There is evidence Conduit wanted to go this route too as `axum` is
-technically an optional feature in Conduit, and can be compiled without the
-binary or axum library for handling inbound web requests; but it was never
-completed or worked.
+to support "Continuwuity as a library" where specific parts can simply be swapped out.
+There is evidence Conduit wanted to go this route too as `axum` is technically an
+optional feature in Conduit, and can be compiled without the binary or axum library
+for handling inbound web requests; but it was never completed or worked.
 
-See the Rust documentation on [Workspaces][workspaces] for general questions and
-information on Cargo workspaces.
+See the Rust documentation on [Workspaces][workspaces] for general questions
+and information on Cargo workspaces.
 
 ## Adding compile-time [features][features]
 
-If you'd like to add a compile-time feature, you must first define it in the
-`main` workspace crate located in `src/main/Cargo.toml`. The feature must enable
-a feature in the other workspace crate(s) you intend to use it in. Then the said
-workspace crate(s) must define the feature there in its `Cargo.toml`.
+If you'd like to add a compile-time feature, you must first define it in
+the `main` workspace crate located in `src/main/Cargo.toml`. The feature must
+enable a feature in the other workspace crate(s) you intend to use it in. Then
+the said workspace crate(s) must define the feature there in its `Cargo.toml`.
 
-So, if this is adding a feature to the API such as `woof`, you define the
-feature in the `api` crate's `Cargo.toml` as `woof = []`. The feature definition
-in `main`'s `Cargo.toml` will be `woof = ["conduwuit-api/woof"]`.
+So, if this is adding a feature to the API such as `woof`, you define the feature
+in the `api` crate's `Cargo.toml` as `woof = []`. The feature definition in `main`'s
+`Cargo.toml` will be `woof = ["conduwuit-api/woof"]`.
 
-The rationale for this is due to Rust / Cargo not supporting ["workspace level
-features"][9], we must make a choice of; either scattering features all over the
-workspace crates, making it difficult for anyone to add or remove default
-features; or define all the features in one central workspace crate that
-propagate down/up to the other workspace crates. It is a Cargo pitfall, and we'd
-like to see better developer UX in Rust's Workspaces.
+The rationale for this is due to Rust / Cargo not supporting
+["workspace level features"][9], we must make a choice of; either scattering
+features all over the workspace crates, making it difficult for anyone to add
+or remove default features; or define all the features in one central workspace
+crate that propagate down/up to the other workspace crates. It is a Cargo pitfall,
+and we'd like to see better developer UX in Rust's Workspaces.
 
-Additionally, the definition of one single place makes "feature collection" in
-our Nix flake a million times easier instead of collecting and deduping them all
-from searching in all the workspace crates' `Cargo.toml`s. Though we wouldn't
-need to do this if Rust supported workspace-level features to begin with.
+Additionally, the definition of one single place makes "feature collection" in our
+Nix flake a million times easier instead of collecting and deduping them all from
+searching in all the workspace crates' `Cargo.toml`s. Though we wouldn't need to
+do this if Rust supported workspace-level features to begin with.
 
 ## List of forked dependencies
 
-During Continuwuity (and prior projects) development, we have had to fork some
-dependencies to support our use-cases. These forks exist for various reasons
-including features that upstream projects won't accept, faster-paced
-development, Continuwuity-specific usecases, or lack of time to upstream
-changes.
+During Continuwuity (and prior projects) development, we have had to fork some dependencies to support our use-cases.
+These forks exist for various reasons including features that upstream projects won't accept,
+faster-paced development, Continuwuity-specific usecases, or lack of time to upstream changes.
 
-All forked dependencies are maintained under the
-[continuwuation organization on Forgejo](https://forgejo.ellis.link/continuwuation):
+All forked dependencies are maintained under the [continuwuation organization on Forgejo](https://forgejo.ellis.link/continuwuation):
 
-- [ruwuma][continuwuation-ruwuma] - Fork of [ruma/ruma][ruma] with various
-  performance improvements, more features and better client/server interop
-- [rocksdb][continuwuation-rocksdb] - Fork of [facebook/rocksdb][rocksdb] via
-  [`@zaidoon1`][8] with liburing build fixes and GCC debug build fixes
-- [jemallocator][continuwuation-jemallocator] - Fork of
-  [tikv/jemallocator][jemallocator] fixing musl builds, suspicious code, and
-  adding support for redzones in Valgrind
-- [rustyline-async][continuwuation-rustyline-async] - Fork of
-  [zyansheep/rustyline-async][rustyline-async] with tab completion callback and
-  `CTRL+\` signal quit event for Continuwuity console CLI
-- [rust-rocksdb][continuwuation-rust-rocksdb] - Fork of
-  [rust-rocksdb/rust-rocksdb][rust-rocksdb] fixing musl build issues, removing
-  unnecessary `gtest` include, and using our RocksDB and jemallocator forks
-- [tracing][continuwuation-tracing] - Fork of [tokio-rs/tracing][tracing]
-  implementing `Clone` for `EnvFilter` to support dynamically changing tracing
-  environments
+- [ruwuma][continuwuation-ruwuma] - Fork of [ruma/ruma][ruma] with various performance improvements, more features and better client/server interop
+- [rocksdb][continuwuation-rocksdb] - Fork of [facebook/rocksdb][rocksdb] via [`@zaidoon1`][8] with liburing build fixes and GCC debug build fixes
+- [jemallocator][continuwuation-jemallocator] - Fork of [tikv/jemallocator][jemallocator] fixing musl builds, suspicious code,
+  and adding support for redzones in Valgrind
+- [rustyline-async][continuwuation-rustyline-async] - Fork of [zyansheep/rustyline-async][rustyline-async] with tab completion callback
+  and `CTRL+\` signal quit event for Continuwuity console CLI
+- [rust-rocksdb][continuwuation-rust-rocksdb] - Fork of [rust-rocksdb/rust-rocksdb][rust-rocksdb] fixing musl build issues,
+  removing unnecessary `gtest` include, and using our RocksDB and jemallocator forks
+- [tracing][continuwuation-tracing] - Fork of [tokio-rs/tracing][tracing] implementing `Clone` for `EnvFilter` to
+  support dynamically changing tracing environments
 
 ## Debugging with `tokio-console`
 
 [`tokio-console`][7] can be a useful tool for debugging and profiling. To make a
-`tokio-console`-enabled build of Continuwuity, enable the `tokio_console`
-feature, disable the default `release_max_log_level` feature, and set the
-`--cfg tokio_unstable` flag to enable experimental tokio APIs. A build might
-look like this:
+`tokio-console`-enabled build of Continuwuity, enable the `tokio_console` feature,
+disable the default `release_max_log_level` feature, and set the `--cfg
+tokio_unstable` flag to enable experimental tokio APIs. A build might look like
+this:
 
 ```bash
 RUSTFLAGS="--cfg tokio_unstable" cargo +nightly build \
@@ -113,84 +100,34 @@ ## Debugging with `tokio-console`
     --features=systemd,element_hacks,gzip_compression,brotli_compression,zstd_compression,tokio_console
 ```
 
-You will also need to enable the `tokio_console` config option in Continuwuity
-when starting it. This was due to tokio-console causing gradual memory
-leak/usage if left enabled.
+You will also need to enable the `tokio_console` config option in Continuwuity when
+starting it. This was due to tokio-console causing gradual memory leak/usage
+if left enabled.
 
 ## Building Docker Images
 
-Official Continuwuity images are built using **Docker Buildx** and the
-Dockerfile found at [`docker/Dockerfile`][dockerfile-path].
-
-The images are compatible with Docker and other container runtimes like Podman
-or containerd.
-
-The images _do not contain a shell_. They contain only the Continuwuity binary,
-required libraries, TLS certificates, and metadata.
-
-<details>
-<summary>Click to view the Dockerfile</summary>
-
-You can also
-
-<a
-    href="<https://forgejo.ellis.link/continuwuation/continuwuation/src/branch/main/docker/Dockerfile>"
-    target="_blank"
->
-    view the Dockerfile on Forgejo
-</a>
-.
-
-```dockerfile file="../../docker/Dockerfile"
-
-```
-
-</details>
-
-### Building Locally
-
-To build an image locally using Docker Buildx:
+To build a Docker image for Continuwuity, use the standard Docker build command:
 
 ```bash
-# Build for the current platform and load into the local Docker daemon
-docker buildx build --load --tag continuwuity:latest -f docker/Dockerfile .
-
-# Example: Build for specific platforms and push to a registry
-# docker buildx build --platform linux/amd64,linux/arm64 --tag registry.io/org/continuwuity:latest -f docker/Dockerfile . --push
-
-# Example: Build binary optimised for the current CPU (standard release profile)
-# docker buildx build --load \
-#   --tag continuwuity:latest \
-#   --build-arg TARGET_CPU=native \
-#   -f docker/Dockerfile .
-
-# Example: Build maxperf variant (release-max-perf profile with LTO)
-# docker buildx build --load \
-#   --tag continuwuity:latest-maxperf \
-#   --build-arg TARGET_CPU=native \
-#   --build-arg RUST_PROFILE=release-max-perf \
-#   -f docker/Dockerfile .
+docker build -f docker/Dockerfile .
 ```
 
-Refer to the Docker Buildx documentation for more advanced build options.
+The image can be cross-compiled for different architectures.
 
-[dockerfile-path]:
-    https://forgejo.ellis.link/continuwuation/continuwuation/src/branch/main/docker/Dockerfile
 [continuwuation-ruwuma]: https://forgejo.ellis.link/continuwuation/ruwuma
 [continuwuation-rocksdb]: https://forgejo.ellis.link/continuwuation/rocksdb
-[continuwuation-jemallocator]:
-    https://forgejo.ellis.link/continuwuation/jemallocator
-[continuwuation-rustyline-async]:
-    https://forgejo.ellis.link/continuwuation/rustyline-async
-[continuwuation-rust-rocksdb]:
-    https://forgejo.ellis.link/continuwuation/rust-rocksdb
+[continuwuation-jemallocator]: https://forgejo.ellis.link/continuwuation/jemallocator
+[continuwuation-rustyline-async]: https://forgejo.ellis.link/continuwuation/rustyline-async
+[continuwuation-rust-rocksdb]: https://forgejo.ellis.link/continuwuation/rust-rocksdb
 [continuwuation-tracing]: https://forgejo.ellis.link/continuwuation/tracing
+
 [ruma]: https://github.com/ruma/ruma/
 [rocksdb]: https://github.com/facebook/rocksdb/
 [jemallocator]: https://github.com/tikv/jemallocator/
 [rustyline-async]: https://github.com/zyansheep/rustyline-async/
 [rust-rocksdb]: https://github.com/rust-rocksdb/rust-rocksdb/
 [tracing]: https://github.com/tokio-rs/tracing/
+
 [7]: https://docs.rs/tokio-console/latest/tokio_console/
 [8]: https://github.com/zaidoon1/
 [9]: https://github.com/rust-lang/cargo/issues/12162

docs/public/.well-known/continuwuity/announcements

@@ -6,10 +6,10 @@
             "message": "Welcome to Continuwuity! Important announcements about the project will appear here."
         },
         {
-            "id": 10,
+            "id": 9,
             "mention_room": false,
-            "date": "2026-03-03",
-            "message": "We've just released [v0.5.6](https://forgejo.ellis.link/continuwuation/continuwuity/releases/tag/v0.5.6), which contains a few  security improvements - plus significant reliability and performance improvements. Please update as soon as possible. \n\nWe released [v0.5.5](https://forgejo.ellis.link/continuwuation/continuwuity/releases/tag/v0.5.5) two weeks ago, but it skipped your admin room straight to [our announcements channel](https://matrix.to/#/!jIdNjSM5X-V5JVx2h2kAhUZIIQ08GyzPL55NFZAH1vM?via=ellis.link&via=gingershaped.computer&via=matrix.org). Make sure you're there to get important information as soon as we announce it! [Our space](https://matrix.to/#/!8cR4g-i9ucof69E4JHNg9LbPVkGprHb3SzcrGBDDJgk?via=continuwuity.org&via=ellis.link&via=matrix.org) has also gained a bunch of new and interesting rooms - be there or be square."
+            "date": "2026-02-09",
+            "message": "Yesterday we released [v0.5.4](https://forgejo.ellis.link/continuwuation/continuwuity/releases/tag/v0.5.4). Bugfixes, performance improvements and more moderation features! There's also a security fix, so please update as soon as possible. Don't forget to join [our announcements channel](https://matrix.to/#/!jIdNjSM5X-V5JVx2h2kAhUZIIQ08GyzPL55NFZAH1vM/%2489TY9CqRg4-ff1MGo3Ulc5r5X4pakfdzT-99RD8Docc?via=ellis.link&via=explodie.org&via=matrix.org) to get important information sooner <3 "
         }
     ]
 }

docs/public/.well-known/matrix/client

@@ -1 +1 @@
-{"m.homeserver":{"base_url": "https://matrix.continuwuity.org"},"org.matrix.msc4143.rtc_foci":[{"type":"livekit","livekit_service_url":"https://livekit.ellis.link"}]}
+{"m.homeserver":{"base_url": "https://matrix.continuwuity.org"},"org.matrix.msc3575.proxy":{"url": "https://matrix.continuwuity.org"},"org.matrix.msc4143.rtc_foci":[{"type":"livekit","livekit_service_url":"https://livekit.ellis.link"}]}

docs/public/deploying/docker-compose.for-traefik.yml

@@ -1,44 +0,0 @@
-# Continuwuity - Behind Traefik Reverse Proxy
-
-services:
-  homeserver:
-    image: forgejo.ellis.link/continuwuation/continuwuity:latest
-    restart: unless-stopped
-    command: /sbin/conduwuit
-    volumes:
-      - db:/var/lib/continuwuity
-      - ./continuwuity-resolv.conf:/etc/resolv.conf # use custom resolvers rather than Docker's
-      #- ./continuwuity.toml:/etc/continuwuity.toml
-    networks:
-      - proxy
-    labels:
-      - "traefik.enable=true"
-      - "traefik.http.routers.continuwuity.rule=(Host(`example.com`))"
-      - "traefik.http.routers.continuwuity.entrypoints=websecure" # your HTTPS entry point
-      - "traefik.http.routers.continuwuity.tls=true"
-      - "traefik.http.routers.continuwuity.service=continuwuity"
-      - "traefik.http.services.continuwuity.loadbalancer.server.port=8008"
-      # possibly, depending on your config:
-      # - "traefik.http.routers.continuwuity.tls.certresolver=letsencrypt"
-    environment:
-      CONTINUWUITY_SERVER_NAME: example.com
-      CONTINUWUITY_DATABASE_PATH: /var/lib/continuwuity
-      CONTINUWUITY_ADDRESS: 0.0.0.0
-      CONTINUWUITY_PORT: 8008 # This must match with traefik's loadbalancer label
-      #CONTINUWUITY_CONFIG: '/etc/continuwuity.toml' # Uncomment if you mapped config toml above
-
-      # Serve .well-known files to tell others to reach Continuwuity on port :443
-      CONTINUWUITY_WELL_KNOWN: |
-        {
-        client=https://example.com,
-        server=example.com:443
-        }
-
-volumes:
-  db:
-
-networks:
-  # This is the network Traefik listens to, if your network has a different
-  # name, don't forget to change it here and in the docker-compose.override.yml
-  proxy:
-    external: true

docs/public/deploying/docker-compose.with-caddy-labels.yml

@@ -1,49 +0,0 @@
-services:
-    caddy:
-    # This compose file uses caddy-docker-proxy as the reverse proxy for Continuwuity!
-    # For more info, visit https://github.com/lucaslorentz/caddy-docker-proxy
-        image: lucaslorentz/caddy-docker-proxy:ci-alpine
-        ports:
-            - 80:80
-            - 443:443
-        environment:
-            - CADDY_INGRESS_NETWORKS=caddy
-        networks:
-            - caddy
-        volumes:
-            - /var/run/docker.sock:/var/run/docker.sock
-            - ./data:/data
-        restart: unless-stopped
-
-    homeserver:
-        image: forgejo.ellis.link/continuwuation/continuwuity:latest
-        restart: unless-stopped
-        command: /sbin/conduwuit
-        volumes:
-            - db:/var/lib/continuwuity
-            - ./continuwuity-resolv.conf:/etc/resolv.conf # use custom resolvers rather than Docker's
-            #- ./continuwuity.toml:/etc/continuwuity.toml
-        environment:
-            CONTINUWUITY_SERVER_NAME: example.com
-            CONTINUWUITY_DATABASE_PATH: /var/lib/continuwuity
-            CONTINUWUITY_ADDRESS: 0.0.0.0
-            CONTINUWUITY_PORT: 8008
-            #CONTINUWUITY_CONFIG: '/etc/continuwuity.toml' # Uncomment if you mapped config toml above
-
-            # Serve .well-known files to tell others to reach Continuwuity on port :443
-            CONTINUWUITY_WELL_KNOWN: |
-                {
-                client=https://example.com,
-                server=example.com:443
-                }
-
-        networks:
-            - caddy
-        labels:
-            caddy: example.com
-            caddy.reverse_proxy: "{{upstreams 8008}}"
-volumes:
-    db:
-
-networks:
-    caddy:

docs/public/deploying/docker-compose.with-caddy.yml

@@ -1,55 +0,0 @@
-services:
-    caddy:
-        image: docker.io/caddy:latest
-        ports:
-            - 80:80
-            - 443:443
-            - 8448:8448
-        networks:
-            - caddy
-        volumes:
-            - ./data:/data
-        restart: unless-stopped
-        configs:
-            - source: Caddyfile
-              target: /etc/caddy/Caddyfile
-
-    homeserver:
-        image: forgejo.ellis.link/continuwuation/continuwuity:latest
-        restart: unless-stopped
-        command: /sbin/conduwuit
-        volumes:
-            - db:/var/lib/continuwuity
-            - ./continuwuity-resolv.conf:/etc/resolv.conf # use custom resolvers rather than Docker's
-            #- ./continuwuity.toml:/etc/continuwuity.toml
-        environment:
-            CONTINUWUITY_SERVER_NAME: example.com
-            CONTINUWUITY_DATABASE_PATH: /var/lib/continuwuity
-            CONTINUWUITY_ADDRESS: 0.0.0.0
-            CONTINUWUITY_PORT: 8008
-            #CONTINUWUITY_CONFIG: '/etc/continuwuity.toml' # Uncomment if you mapped config toml above
-
-            ## (Optional) Serve .well-known files to tell others to reach Continuwuity on port :443
-            ## If you do this, remove all routes to port :8448 from the compose and Caddyfile
-            # CONTINUWUITY_WELL_KNOWN: |
-            #     {
-            #     client=https://example.com,
-            #     server=example.com:443
-            #     }
-
-
-        networks:
-            - caddy
-
-networks:
-    caddy:
-
-volumes:
-    db:
-
-configs:
-    dynamic.yml:
-        content: |
-            https://example.com, https://example.com:8448 {
-                reverse_proxy http://homeserver:8008
-            }

docs/public/deploying/docker-compose.with-traefik.yml

@@ -1,84 +0,0 @@
-# Continuwuity - Behind Traefik Reverse Proxy
-
-services:
-  homeserver:
-    image: forgejo.ellis.link/continuwuation/continuwuity:latest
-    restart: unless-stopped
-    command: /sbin/conduwuit
-    volumes:
-      - db:/var/lib/continuwuity
-      - ./continuwuity-resolv.conf:/etc/resolv.conf # use custom resolvers rather than Docker's
-      #- ./continuwuity.toml:/etc/continuwuity.toml
-    networks:
-      - proxy
-    labels:
-      - "traefik.enable=true"
-      - "traefik.http.routers.continuwuity.rule=(Host(`example.com`))"
-      - "traefik.http.routers.continuwuity.entrypoints=websecure"
-      - "traefik.http.routers.continuwuity.tls.certresolver=letsencrypt"
-      - "traefik.http.services.continuwuity.loadbalancer.server.port=8008"
-    environment:
-      CONTINUWUITY_SERVER_NAME: example.com
-      CONTINUWUITY_DATABASE_PATH: /var/lib/continuwuity
-      CONTINUWUITY_ADDRESS: 0.0.0.0
-      CONTINUWUITY_PORT: 8008 # This must match with traefik's loadbalancer label
-      #CONTINUWUITY_CONFIG: '/etc/continuwuity.toml' # Uncomment if you mapped config toml above
-
-      # Serve .well-known files to tell others to reach Continuwuity on port :443
-      CONTINUWUITY_WELL_KNOWN: |
-        {
-          client=https://example.com,
-          server=example.com:443
-        }
-
-  traefik:
-    image: "traefik:latest"
-    container_name: "traefik"
-    restart: "unless-stopped"
-    ports:
-      - "80:80"
-      - "443:443"
-    volumes:
-      - "/var/run/docker.sock:/var/run/docker.sock:z"
-      - "acme:/etc/traefik/acme"
-    labels:
-      - "traefik.enable=true"
-
-      # middleware redirect
-      - "traefik.http.middlewares.redirect-to-https.redirectscheme.scheme=https"
-      # global redirect to https
-      - "traefik.http.routers.redirs.rule=hostregexp(`{host:.+}`)"
-      - "traefik.http.routers.redirs.entrypoints=web"
-      - "traefik.http.routers.redirs.middlewares=redirect-to-https"
-
-    environment:
-      TRAEFIK_LOG_LEVEL: DEBUG
-      TRAEFIK_ENTRYPOINTS_WEB: true
-      TRAEFIK_ENTRYPOINTS_WEB_ADDRESS: ":80"
-      TRAEFIK_ENTRYPOINTS_WEB_HTTP_REDIRECTIONS_ENTRYPOINT_TO: websecure
-
-      TRAEFIK_ENTRYPOINTS_WEBSECURE: true
-      TRAEFIK_ENTRYPOINTS_WEBSECURE_ADDRESS: ":443"
-      TRAEFIK_ENTRYPOINTS_WEBSECURE_HTTP_TLS_CERTRESOLVER: letsencrypt
-
-      TRAEFIK_CERTIFICATESRESOLVERS_LETSENCRYPT: true
-      # CHANGE THIS to desired email for ACME
-      TRAEFIK_CERTIFICATESRESOLVERS_LETSENCRYPT_ACME_EMAIL: user@example.com
-      TRAEFIK_CERTIFICATESRESOLVERS_LETSENCRYPT_ACME_HTTPCHALLENGE: true
-      TRAEFIK_CERTIFICATESRESOLVERS_LETSENCRYPT_ACME_HTTPCHALLENGE_ENTRYPOINT: web
-      TRAEFIK_CERTIFICATESRESOLVERS_LETSENCRYPT_ACME_STORAGE: "/etc/traefik/acme/acme.json"
-
-      # Since Traefik 3.6.3, paths with certain "encoded characters" are now blocked by default; we need a couple, or else things *will* break
-      TRAEFIK_ENTRYPOINTS_WEBSECURE_HTTP_ENCODEDCHARACTERS_ALLOWENCODEDSLASH: true
-      TRAEFIK_ENTRYPOINTS_WEBSECURE_HTTP_ENCODEDCHARACTERS_ALLOWENCODEDHASH: true
-
-      TRAEFIK_PROVIDERS_DOCKER: true
-      TRAEFIK_PROVIDERS_DOCKER_ENDPOINT: "unix:///var/run/docker.sock"
-      TRAEFIK_PROVIDERS_DOCKER_EXPOSEDBYDEFAULT: false
-
-volumes:
-  db:
-  acme:
-
-networks:
-  proxy:

docs/public/deploying/docker-compose.yml

@@ -1,31 +0,0 @@
-# Continuwuity
-
-services:
-    homeserver:
-        image: forgejo.ellis.link/continuwuation/continuwuity:latest
-        restart: unless-stopped
-        command: /sbin/conduwuit
-        ports:
-            - 127.0.0.1:8008:8008
-        volumes:
-            - db:/var/lib/continuwuity
-            - ./continuwuity-resolv.conf:/etc/resolv.conf # use custom resolvers rather than Docker's
-            #- ./continuwuity.toml:/etc/continuwuity.toml
-        environment:
-            CONTINUWUITY_SERVER_NAME: example.com # EDIT THIS
-            CONTINUWUITY_DATABASE_PATH: /var/lib/continuwuity
-            CONTINUWUITY_ADDRESS: 0.0.0.0
-            CONTINUWUITY_PORT: 8008
-            #CONTINUWUITY_CONFIG: '/etc/continuwuity.toml' # Uncomment if you mapped config toml above
-
-            ## (Optional) Serve .well-known files to tell others to reach Continuwuity on port :443
-            ## If you do this, remove all routes to port :8448 on your reverse proxy
-            # CONTINUWUITY_WELL_KNOWN: |
-            #     {
-            #     client=https://example.com,
-            #     server=example.com:443
-            #     }
-
-
-volumes:
-    db:

docs/public/schema/announcements.schema.json

@@ -1,6 +1,6 @@
 {
     "$schema": "http://json-schema.org/draft-04/schema#",
-    "$id": "https://continuwuity.org/schema/announcements.schema.json",
+    "$id": "https://continwuity.org/schema/announcements.schema.json",
     "type": "object",
     "properties": {
       "announcements": {

docs/reference/admin/debug.md

@@ -130,10 +130,6 @@ ## `!admin debug database-files`
 
 List database files
 
-## `!admin debug send-test-email`
-
-Send a test email to the invoking admin's email address
-
 ## `!admin debug tester`
 
 Developer test stubs