chore(deps): update rust crate ctor to 0.10.0

.forgejo/actions/rust-toolchain/action.yml

@@ -33,7 +33,7 @@ runs:
         echo "version=$(rustup --version)" >> $GITHUB_OUTPUT
     - name: Cache rustup toolchains
       if: steps.rustup-version.outputs.version == ''
-      uses: actions/cache@v5
+      uses: actions/cache@6f8efc29b200d32929f49075959781ed54ec270c # v3
       with:
         path: |
           ~/.rustup

.forgejo/actions/setup-llvm-with-apt/action.yml

@@ -57,7 +57,7 @@ runs:
 
     - name: Check for LLVM cache
       id: cache
-      uses: actions/cache@v5
+      uses: actions/cache@0057852bfaa89a56745cba8c7296529d2fc39830 # v4
       with:
         path: |
           /usr/bin/clang-*

.forgejo/actions/setup-rust/action.yml

@@ -65,7 +65,7 @@ runs:
 
     - name: Cache toolchain binaries
       id: toolchain-cache
-      uses: actions/cache@v5
+      uses: actions/cache@0057852bfaa89a56745cba8c7296529d2fc39830 # v4
       with:
         path: |
           .cargo/bin
@@ -76,7 +76,7 @@ runs:
 
     - name: Cache Cargo registry and git
       id: registry-cache
-      uses: actions/cache@v5
+      uses: actions/cache@0057852bfaa89a56745cba8c7296529d2fc39830 # v4
       with:
         path: |
           .cargo/registry/index

.forgejo/actions/timelord/action.yml

@@ -31,7 +31,7 @@ runs:
 
     - name: Restore binary cache
       id: binary-cache
-      uses: actions/cache/restore@v5
+      uses: actions/cache/restore@0057852bfaa89a56745cba8c7296529d2fc39830 # v4
       with:
         path: |
           /usr/share/rust/.cargo/bin
@@ -71,13 +71,13 @@ runs:
 
     - name: Install timelord-cli and git-warp-time
       if: steps.check-binaries.outputs.need-install == 'true'
-      uses: https://github.com/taiki-e/install-action@5939f3337e40968c39aa70f5ecb1417a92fb25a0 # v2
+      uses: https://github.com/taiki-e/install-action@0abfcd587b70a713fdaa7fb502c885e2112acb15 # v2
       with:
         tool: git-warp-time,timelord-cli@3.0.1
 
     - name: Save binary cache
       if: steps.check-binaries.outputs.need-install == 'true'
-      uses: actions/cache/save@v5
+      uses: actions/cache/save@0057852bfaa89a56745cba8c7296529d2fc39830 # v4
       with:
         path: |
           /usr/share/rust/.cargo/bin
@@ -87,7 +87,7 @@ runs:
 
     - name: Restore timelord cache with fallbacks
       id: timelord-restore
-      uses: actions/cache/restore@v5
+      uses: actions/cache/restore@0057852bfaa89a56745cba8c7296529d2fc39830 # v4
       with:
         path: ${{ env.TIMELORD_CACHE_PATH }}
         key: ${{ env.TIMELORD_KEY }}
@@ -114,7 +114,7 @@ runs:
         timelord sync --source-dir ${{ env.TIMELORD_PATH }} --cache-dir ${{ env.TIMELORD_CACHE_PATH }}
 
     - name: Save updated timelord cache immediately
-      uses: actions/cache/save@v5
+      uses: actions/cache/save@0057852bfaa89a56745cba8c7296529d2fc39830 # v4
       with:
         path: ${{ env.TIMELORD_CACHE_PATH }}
         key: ${{ env.TIMELORD_KEY }}

.forgejo/workflows/build-debian.yml

@@ -60,7 +60,7 @@ jobs:
           ref: ${{ github.ref_name }}
 
       - name: Cache Cargo registry
-        uses: actions/cache@v5
+        uses: actions/cache@0057852bfaa89a56745cba8c7296529d2fc39830 # v4
         with:
           path: |
             ~/.cargo/registry

.forgejo/workflows/build-fedora.yml

@@ -37,7 +37,7 @@ jobs:
 
 
       - name: Cache DNF packages
-        uses: actions/cache@v5
+        uses: actions/cache@0057852bfaa89a56745cba8c7296529d2fc39830 # v4
         with:
           path: |
             /var/cache/dnf
@@ -47,7 +47,7 @@ jobs:
             dnf-fedora${{ steps.fedora.outputs.version }}-
 
       - name: Cache Cargo registry
-        uses: actions/cache@v5
+        uses: actions/cache@0057852bfaa89a56745cba8c7296529d2fc39830 # v4
         with:
           path: |
             ~/.cargo/registry
@@ -57,7 +57,7 @@ jobs:
             cargo-fedora${{ steps.fedora.outputs.version }}-
 
       - name: Cache Rust build dependencies
-        uses: actions/cache@v5
+        uses: actions/cache@0057852bfaa89a56745cba8c7296529d2fc39830 # v4
         with:
           path: |
             ~/rpmbuild/BUILD/*/target/release/deps

.forgejo/workflows/check-changelog.yml

@@ -4,6 +4,11 @@ on:
   pull_request_target:
     types: [opened, synchronize, reopened, ready_for_review, labeled, unlabeled]
 
+
+concurrency:
+  group: "${{ github.workflow }}-${{ github.ref }}"
+  cancel-in-progress: true
+
 permissions:
   contents: read
   pull-requests: write

.forgejo/workflows/documentation.yml

@@ -37,7 +37,7 @@ jobs:
           node-version: 22
 
       - name: Cache npm dependencies
-        uses: actions/cache@v5
+        uses: actions/cache@6f8efc29b200d32929f49075959781ed54ec270c # v3
         with:
           path: ~/.npm
           key: continuwuity-rspress-${{ steps.runner-env.outputs.slug }}-${{ steps.runner-env.outputs.arch }}-node-${{ steps.runner-env.outputs.node_version }}-${{ hashFiles('package-lock.json') }}

.forgejo/workflows/mirror-images.yml

@@ -2,11 +2,8 @@ name: Mirror Container Images
 
 on:
   schedule:
-    # Run nightly
-    - cron: "25 2 * * *"
-
-  workflow_call:
-
+    # Run every 2 hours
+    - cron: "0 */2 * * *"
   workflow_dispatch:
     inputs:
       dry_run:
@@ -55,7 +52,7 @@ jobs:
       #     repositories: continuwuity
 
       - name: Install regsync
-        uses: https://github.com/regclient/actions/regsync-installer@f3c6d87835906c175eb6ccfc18b348b69bb447e7 # main
+        uses: https://github.com/regclient/actions/regsync-installer@f07124ffba4b0cbf96b2a666d481ed9d44b5e7e4 # main
 
       - name: Check what images need mirroring
         run: |

.forgejo/workflows/release-image.yml

@@ -9,9 +9,6 @@ on:
     paths-ignore:
       - "*.md"
       - "**/*.md"
-      - "*.mdx"
-      - "**/*.mdx"
-      - "changelog.d/**"
       - ".gitlab-ci.yml"
       - ".gitignore"
       - "renovate.json"
@@ -198,22 +195,3 @@ jobs:
           images: ${{ env.IMAGE_PATH }}
           registry_user: ${{ vars.BUILTIN_REGISTRY_USER || github.actor }}
           registry_password: ${{ secrets.BUILTIN_REGISTRY_PASSWORD || secrets.GITHUB_TOKEN }}
-
-  mirror_images:
-    name: "Mirror Images"
-    runs-on: ubuntu-latest
-    needs:
-      - merge-maxperf
-      - merge-release
-    env:
-      BUILTIN_REGISTRY_USER: ${{ vars.BUILTIN_REGISTRY_USER }}
-      BUILTIN_REGISTRY_PASSWORD: ${{ secrets.BUILTIN_REGISTRY_PASSWORD }}
-      GITLAB_USERNAME: ${{ vars.GITLAB_USERNAME }}
-      GITLAB_TOKEN: ${{ secrets.GITLAB_TOKEN }}
-      N7574_GIT_USERNAME: ${{ vars.N7574_GIT_USERNAME }}
-      N7574_GIT_TOKEN: ${{ secrets.N7574_GIT_TOKEN }}
-      GH_PACKAGES_USER: ${{ vars.GH_PACKAGES_USER }}
-      GH_PACKAGES_TOKEN: ${{ secrets.GH_PACKAGES_TOKEN }}
-      DOCKER_MIRROR_USER: ${{ vars.DOCKER_MIRROR_USER }}
-      DOCKER_MIRROR_TOKEN: ${{ secrets.DOCKER_MIRROR_TOKEN }}
-    uses: ./.forgejo/workflows/mirror-images.yml

.forgejo/workflows/renovate.yml

@@ -55,7 +55,7 @@ jobs:
         run: /usr/local/renovate/node -e 'console.log(`node heap limit = ${require("v8").getHeapStatistics().heap_size_limit / (1024 * 1024)} Mb`)'
 
       - name: Restore renovate repo cache
-        uses: actions/cache/restore@v5
+        uses: actions/cache/restore@0057852bfaa89a56745cba8c7296529d2fc39830 # v4
         with:
           path: |
             /tmp/renovate/cache/renovate/repository
@@ -64,7 +64,7 @@ jobs:
             renovate-repo-cache-
 
       - name: Restore renovate package cache
-        uses: actions/cache/restore@v5
+        uses: actions/cache/restore@0057852bfaa89a56745cba8c7296529d2fc39830 # v4
         with:
           path: |
             /tmp/renovate/cache/renovate/renovate-cache-sqlite
@@ -73,7 +73,7 @@ jobs:
             renovate-package-cache-
 
       - name: Restore renovate OSV cache
-        uses: actions/cache/restore@v5
+        uses: actions/cache/restore@0057852bfaa89a56745cba8c7296529d2fc39830 # v4
         with:
           path: |
             /tmp/osv
@@ -109,7 +109,7 @@ jobs:
       - name: Save renovate repo cache
         if: always()
         uses:
-          actions/cache/save@v5
+          actions/cache/save@v4
         with:
           path: |
             /tmp/renovate/cache/renovate/repository
@@ -117,7 +117,7 @@ jobs:
 
       - name: Save renovate package cache
         if: always()
-        uses: actions/cache/save@v5
+        uses: actions/cache/save@0057852bfaa89a56745cba8c7296529d2fc39830 # v4
         with:
           path: |
             /tmp/renovate/cache/renovate/renovate-cache-sqlite
@@ -125,7 +125,7 @@ jobs:
 
       - name: Save renovate OSV cache
         if: always()
-        uses: actions/cache/save@v5
+        uses: actions/cache/save@0057852bfaa89a56745cba8c7296529d2fc39830 # v4
         with:
           path: |
             /tmp/osv

.pre-commit-config.yaml

@@ -24,7 +24,7 @@ repos:
         - id: check-added-large-files
 
   - repo: https://github.com/crate-ci/typos
-    rev: v1.45.1
+    rev: v1.45.0
     hooks:
       - id: typos
       - id: typos

Cargo.lock

@@ -1203,7 +1203,7 @@ dependencies = [
  "serde",
  "serde-saphyr",
  "serde_json",
- "sha2 0.11.0",
+ "sha2",
  "termimad",
  "tokio",
  "tracing",
@@ -1541,9 +1541,9 @@ dependencies = [
 
 [[package]]
 name = "ctor"
-version = "0.9.1"
+version = "0.10.0"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "c1c888a2a4f677017373fb6c01e13e318dd9e78758445ed5eb985e355d3f8281"
+checksum = "95d0d11eb38e7642efca359c3cf6eb7b2e528182d09110165de70192b0352775"
 dependencies = [
  "ctor-proc-macro",
  "dtor",
@@ -1774,9 +1774,9 @@ dependencies = [
 
 [[package]]
 name = "dtor"
-version = "0.6.0"
+version = "0.7.0"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "30e4690622ab6700ced40fc370a3f07b7d111f0154bb6fb08f73b4c8834f75b6"
+checksum = "17f72721db8027a4e96dd6fb50d2a1d32259c9d3da1b63dee612ccd981e14293"
 dependencies = [
  "dtor-proc-macro",
 ]
@@ -1813,7 +1813,7 @@ dependencies = [
  "ed25519",
  "rand_core 0.6.4",
  "serde",
- "sha2 0.10.9",
+ "sha2",
  "subtle",
  "zeroize",
 ]
@@ -3118,9 +3118,9 @@ dependencies = [
 
 [[package]]
 name = "link-section"
-version = "0.0.12"
+version = "0.2.0"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "f52437d47b0358721ec869cc7374b2a21f7b2237af9b439c0391341a1fbfbf1b"
+checksum = "468808413fa8bdf0edbe61c2bbc182dfc59885b94f496cf3fb42c9c96b1e0149"
 
 [[package]]
 name = "linked-hash-map"
@@ -4773,7 +4773,7 @@ dependencies = [
  "rand_core 0.6.4",
  "ruma-common",
  "serde_json",
- "sha2 0.10.9",
+ "sha2",
  "subslice",
  "thiserror 2.0.18",
 ]
@@ -5314,17 +5314,6 @@ dependencies = [
  "digest 0.10.7",
 ]
 
-[[package]]
-name = "sha2"
-version = "0.11.0"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "446ba717509524cb3f22f17ecc096f10f4822d76ab5c0b9822c5f9c284e825f4"
-dependencies = [
- "cfg-if",
- "cpufeatures 0.3.0",
- "digest 0.11.2",
-]
-
 [[package]]
 name = "sha256"
 version = "1.6.0"
@@ -5334,7 +5323,7 @@ dependencies = [
  "async-trait",
  "bytes",
  "hex",
- "sha2 0.10.9",
+ "sha2",
  "tokio",
 ]
 

Cargo.toml

@@ -39,7 +39,7 @@ features = ["ffi", "std", "union"]
 version = "0.7.0"
 
 [workspace.dependencies.ctor]
-version = "0.9.0"
+version = "0.10.0"
 
 [workspace.dependencies.cargo_toml]
 version = "0.22"
@@ -400,7 +400,7 @@ features = [
 ]
 
 [workspace.dependencies.sha2]
-version = "0.11.0"
+version = "0.10.8"
 default-features = false
 
 [workspace.dependencies.sha1]

changelog.d/1594.doc

@@ -1 +0,0 @@
-Refactored docker docs to include new initial token workflow, and add Caddyfile example. Contributed by @stratself.

changelog.d/1601.doc

@@ -1 +0,0 @@
-Add DNS tuning guide for Continuwuity. Users are recommended to set up a local caching resolver following the guide's advice. Contributed by @stratself

changelog.d/1624.feature

@@ -1 +0,0 @@
-Implemented option to deprioritize servers for room join requests. Contributed by @ezera.

conduwuit-example.toml

@@ -1409,20 +1409,6 @@
 #
 #ignore_messages_from_server_names = []
 
-# List of server names that continuwuity will deprioritize (try last) when
-# a client requests to join a room.
-#
-# This can be used to potentially speed up room join requests, by
-# deprioritizing sending join requests through servers that are known to
-# be large or slow.
-#
-# continuwuity will still send join requests to servers in this list if
-# the room couldn't be joined via other servers it federates with.
-#
-# example: ["example.com"]
-#
-#deprioritize_joins_through_servers = []
-
 # Send messages from users that the user has ignored to the client.
 #
 # There is no way for clients to receive messages sent while a user was

docker/Dockerfile

@@ -48,7 +48,7 @@ EOF
 
 # Developer tool versions
 # renovate: datasource=github-releases depName=cargo-bins/cargo-binstall
-ENV BINSTALL_VERSION=1.18.1
+ENV BINSTALL_VERSION=1.18.0
 # renovate: datasource=github-releases depName=psastras/sbom-rs
 ENV CARGO_SBOM_VERSION=0.9.1
 # renovate: datasource=crate depName=lddtree

docker/musl.Dockerfile

@@ -18,7 +18,7 @@ RUN --mount=type=cache,target=/etc/apk/cache apk add \
 
 # Developer tool versions
 # renovate: datasource=github-releases depName=cargo-bins/cargo-binstall
-ENV BINSTALL_VERSION=1.18.1
+ENV BINSTALL_VERSION=1.18.0
 # renovate: datasource=github-releases depName=psastras/sbom-rs
 ENV CARGO_SBOM_VERSION=0.9.1
 # renovate: datasource=crate depName=lddtree

docs/_meta.json

@@ -69,6 +69,11 @@
         "label": "Configuration Reference",
         "name": "/reference/config"
     },
+    {
+        "type": "file",
+        "label": "Environment Variables",
+        "name": "/reference/environment-variables"
+    },
     {
         "type": "dir",
         "label": "Admin Command Reference",

docs/advanced/_meta.json

@@ -3,11 +3,5 @@
         "type": "file",
         "name": "delegation",
         "label": "Delegation / split-domain"
-    },
-    {
-        "type": "file",
-        "name": "dns",
-        "label": "DNS tuning (recommended)"
     }
-
 ]

docs/advanced/delegation.mdx

@@ -18,14 +18,12 @@ ## Configuration
 ```toml
 [global.well_known]
 
-# defaults to port :443 if not specified
 client = "https://matrix.example.com"
 
 # port number MUST be specified
 server = "matrix.example.com:443"
 
 # (optional) customize your support contacts
-# Defaults to members of the admin room if unset
 #support_page =
 #support_role = "m.role.admin"
 #support_email =
@@ -44,13 +42,9 @@ # Defaults to members of the admin room if unset
         client=https://matrix.example.com,
         server=matrix.example.com:443
         }
-
-      # You can also configure individual `.well-knowns` like this
-      # CONTINUWUITY_WELL_KNOWN__CLIENT: https://matrix.example.com
-      # CONTINUWUITY_WELL_KNOWN__SERVER: matrix.example.com:443
 ```
 
-## Reverse proxying well-known files to Continuwuity
+## Serving with a reverse proxy
 
 After doing the steps above, Continuwuity will serve these 3 JSON files:
 
@@ -100,7 +94,9 @@ ## Reverse proxying well-known files to Continuwuity
 <summary>`https://example.com/.well-known/matrix/server`</summary>
 
 ```json
-{ "m.server": "matrix.example.com:443" }
+{
+  "m.server": "matrix.example.com:443"
+}
 ```
 
 </details>
@@ -119,57 +115,12 @@ ## Reverse proxying well-known files to Continuwuity
 
 </details>
 
-### Serving well-known files manually
-
-Instead of configuring `[global.well_known]` options and reverse proxying well-known URIs, you can serve these files directly as static JSON that match the ones above. This is useful if your base domain points to a different physical server, and reverse proxying isn't feasible.
-
-<details>
-
-<summary>Example Caddyfile **for the base domain**</summary>
-
-```
-https://example.com {
-
-    respond /.well-known/matrix/server 200 {
-        body `{"m.server":"matrix.example.com:443"}`
-    }
-
-    handle /.well-known/matrix/client {
-    header Access-Control-Allow-Origin *
-    respond <<JSON
-    {
-        "m.homeserver": {
-            "base_url": "https://matrix.example.com/"
-        }
-    }
-    JSON
-    }
-}
-```
-
-</details>
-
-Remember to set the `Access-Control-Allow-Origin: *` header in your `/.well-known/matrix/client` path for web clients to work.
-
 ## Troubleshooting
 
-Check with the [Matrix Connectivity Tester][federation-tester] to see that it's working.
-
-[federation-tester]: https://federationtester.mtrnord.blog/
-
 ### Cannot log in with web clients
 
 Make sure there is an `Access-Control-Allow-Origin: *` header in your `/.well-known/matrix/client` path. While Continuwuity serves this header by default, it may be dropped by reverse proxies or other middlewares.
 
-### Issues with alternative setups
-
-As Matrix clients prioritize well-known URIs for their destination, this can lead to issues with alternative methods of accessing the server that doesn't use a publicly routeable IP and domain name. You will probably find yourself connecting to non-existent/undesired URLs in certain cases like:
-
-- Accessing to the server via localhost IPs (e.g. for testing purposes)
-- Accessing the server from behind a VPN, or from alternative networks (such as from an onionsite)
-
-In these scenarios, further configurations would be needed. Refer to the [Related Documentation](#related-documentation) section for resolution steps and see how they could apply to your use case.
-
 ---
 
 ## Using SRV records (not recommended)

docs/advanced/dns.mdx

@@ -1,165 +0,0 @@
-# DNS Tuning (recommended)
-
-For federation, Matrix homeservers conduct an enormous amount of DNS requests, sometimes up to thousands of queries per minute. Normal DNS resolvers are simply not designed for this load, and running Continuwuity with them will likely result in various [DNS and federation errors](../troubleshooting#dns-issues).
-
-To solve this issue, it is strongly recommended to self-host a high-quality, external caching DNS resolver for Continuwuity. This guide will use [Unbound][unbound] as the recommended example, but the general principle applies to any resolver.
-
-[unbound]: https://wiki.archlinux.org/title/Unbound
-
-## Overview
-
-For generic deployments, install your resolver of choice and configure `/etc/resolv.conf` to point to it. The resolver should ideally reside on the same host as Continuwuity.
-
-```txt title="/etc/resolv.conf"
-nameserver 127.0.0.1
-```
-
-**Avoid using `systemd-resolved`** as it does **not** perform very well under high load, and we have identified its DNS caching to not be very effective.
-
-### For Docker users
-
-Docker bridge networks uses a non-performant resolver to intercept and respond to container hostnames, and **this should also be avoided**. Instead, mount a custom `/etc/resolv.conf` file into the container, and hardcode a resolver address to bypass Docker's.
-
-It is recommended to run a dedicated resolver container for Continuwuity, as to separate from the host's resolver setup. To do this, create a custom bridge network and IP range, and explicitly define an IP address for the resolver container.
-
-<details>
-<summary>Example Docker deployment with unbound</summary>
-
-```yaml title="docker-compose.yml"
-networks:
-  matrix_net:
-    ipam:
-      driver: default
-      config:
-        - subnet: "10.10.10.0/24"
-
-services:
-    homeserver:
-        # ...
-        volume:
-            - ./continuwuity-resolv.conf:/etc/resolv.conf:ro
-
-    unbound:
-        # ...
-        networks:
-            matrix_net:
-                ipv4_address: 10.10.10.20
-```
-
-```txt title="continuwuity-resolv.conf"
-nameserver 10.10.10.20
-```
-
-</details>
-
-### For IPv4-only users
-
-If you don't have IPv6 connectivity, changing `ip_lookup_strategy` to only resolve for IPv4 will reduce unnecessary AAAA queries.
-
-```toml title="continuwuity.toml"
-[global]
-# 1 - Ipv4Only (Only query for A records, no AAAA/IPv6)
-ip_lookup_strategy = 1
-```
-
-## Unbound
-
-[Unbound][unbound] is the recommended resolver to run with Continuwuity. For Docker users, the `docker.io/madnuttah/unbound` image ([Github repo][madnuttah-unbound-repo]) can be used.
-
-After installation, you can tune `/etc/unbound/unbound.conf` values according to your needs. While Continuwuity cannot recommend a "works-for-everyone" Unbound DNS setup guide, the official [Unbound tuning guide][unbound-tuning-guide] and the [Unbound Arch Linux wiki page][unbound-arch-linux] may be of interest.
-
-Some values that are commonly tuned include:
-
-- Increase `rrset-cache-size` and `msg-cache-size` to something much higher than the default `4M`, such as `64M`.
-
-- Increase `discard-timeout` to something like `4800` to wait longer for upstream resolvers, as recursion can take a long time to respond to some domains. Continuwuity default to `dns_timeout = 10` seconds, so dropping requests early would lead to unnecessary retries and/or failures.
-
-### Using a forwarder (optional)
-
-Unbound by default employs **recursive resolution** and contacts many servers around the world. If this is not performant enough, consider forwarding your queries to public resolvers to benefit from their CDNs and get faster responses.
-
-However, most popular upstreams (such as Google DNS or Quad9) employ IP ratelimiting, so a generous cache is still needed to avoid making too many queries.
-
-DNS-over-TLS forwarders may also be used should you need on-the-wire encryption, but TLS overhead causes some speed penalties.
-
-If you want to use forwarders, configure it as follows:
-
-<details>
-
-<summary>unbound.conf</summary>
-
-```
-# Use cloudflare public resolvers as an example
-forward-zone:
-    name: "."
-    forward-addr: 1.0.0.1@53
-    forward-addr: 1.1.1.1@53
-    # Also use IPv6 ones if you're dual-stack
-    # forward-addr: 2606:4700:4700::1001@53
-    # forward-addr: 2606:4700:4700::1111@53
-
-# alternatively, use DNS-over-TLS for forwarders.
-# forward-zone:
-    # name: "."
-    # forward-tls-upstream: yes
-    # forward-addr: 1.0.0.1@853#cloudflare-dns.com
-    # forward-addr: 1.1.1.1@853#cloudflare-dns.com
-    # forward-addr: 2606:4700:4700::1001@853#cloudflare-dns.com
-    # forward-addr: 2606:4700:4700::1111@853#cloudflare-dns.com
-```
-
-</details>
-
-[madnuttah-unbound-repo]: https://github.com/madnuttah/unbound-docker/
-[unbound-tuning-guide]: https://unbound.docs.nlnetlabs.nl/en/latest/topics/core/performance.html
-[unbound-arch-linux]: https://wiki.archlinux.org/title/Unbound
-
-## Other resolvers
-
-### dnsproxy
-
-[Dnsproxy][dnsproxy] and its sister product [AdGuard Home][adguard-home] are known to work with Continuwuity and has an official Docker image. They have support for DNS-over-HTTPS as well as DNS-over-QUIC, but not recursion.
-
-To best utilise dnsproxy, you should enable proper caching with `--cache` and set `--cache-size` to something bigger, like `64000000`.
-
-[dnsproxy]: https://github.com/AdguardTeam/dnsproxy
-[adguard-home]: https://github.com/AdguardTeam/AdGuardHome
-
-### dnsmasq
-
-[dnsmasq][arch-linux-dnsmasq] can possibly work with Continuwuity, though it only supports forwarding rather than recursion. Increase the `cache-size` to something like `30000` for better caching performance.
-
-However, `dnsmasq` does not support TCP fallback which can be problematic when receiving large DNS responses such as from large SRV records. If you still want to use dnsmasq, make sure you disable `dns_tcp_fallback` in Continuwuity config.
-
-[arch-linux-dnsmasq]: https://wiki.archlinux.org/title/Dnsmasq
-
-### Technitium
-
-[Technitium][technitium] supports recursion as well as a myriad of forwarding protocols, allows saving cache to disk natively, and does work well with Continuwuity. Its default configurations however ratelimits single-IP requests by a lot, and hence must be changed. You may consult this [community guide][technitium-continuwuity] for more details on setting up a dedicated Technitium for Continuwuity.
-
-[technitium]: https://github.com/TechnitiumSoftware/DnsServer
-[technitium-continuwuity]: https://muoi.me/~stratself/articles/technitium-continuwuity/
-
-## Testing
-
-As a rough stress test, you can run `!admin query resolver flush-cache -a` or `!admin server clear-caches` to trigger a netburst of DNS queries. If your resolver can handle these loads without problem, then it should be ready for regular Continuwuity activity.
-
-To test connectivity against a specific server, use `!admin debug ping <SERVER_NAME>` and `!admin debug resolve-true-destination <SERVER_NAME>`.
-
-Note that it is expected that not all servers will be resolved, as some of them may be temporarily offline, have broken DNS and/or discovery configuration, or have been decommissioned.
-
-## Further steps
-
-- (Recommended) Set **`dns_cache_entries = 0`** inside Continuwuity and fully rely on the more performant external resolver.
-
-- Consider employing **persistent cache to disk**, so your resolver can still run without hassle after a restart. Unbound, via [Cache DB module][unbound-cachedb], can use Redis as a storage backend for this feature.
-
-- Consider [enabling **Serve Stale**][unbound-serve-stale] functionality to serve expired data beyond DNS TTLs. Since most Matrix homeservers have static IPs, this should help improve federation with them especially when upstream resolvers have timed out. For dnsproxy, this corresponds to its [optimistic caching options][dnsproxy-usage].
-
-- If you still experience DNS performance issues, another step could be to **disable DNSSEC** (which is computationally expensive) at a cost of slightly decreased security. On Unbound this is done by commenting out `trust-anchors` config options and removing the `validator` module.
-
-- Some users have reported that setting `query_over_tcp_only = true` in Continuwuity has improved DNS reliability at a slight performance cost due to TCP overhead. Generally this is not needed if your resolver and homeserver is on the same machine.
-
-[unbound-cachedb]: https://unbound.docs.nlnetlabs.nl/en/latest/manpages/unbound.conf.html#cache-db-module-options
-[unbound-serve-stale]: https://wiki.archlinux.org/title/Unbound#Serving_expired_records
-[dnsproxy-usage]: https://github.com/AdguardTeam/dnsproxy#usage

docs/configuration.mdx

@@ -2,90 +2,66 @@ # Configuration
 
 This chapter describes various ways to configure Continuwuity.
 
-## Configuration file
+## Basics
 
-Continuwuity uses a TOML config file for all of its settings. This is the recommended way to configure Continuwuity. Please refer to the [example config file](./reference/config.mdx) for all of these settings.
+Continuwuity uses a config file for the majority of the settings, but also supports
+setting individual config options via commandline.
 
-You can specify the config file to be used by Continuwuity with the command-line flag `-c` or `--config`:
+Please refer to the [example config
+file](./reference/config.mdx) for all of those
+settings.
 
-```bash
-./conduwuit -c /path/to/continuwuity.toml
-```
+The config file to use can be specified on the commandline when running
+Continuwuity by specifying the `-c`, `--config` flag. Alternatively, you can use
+the environment variable `CONTINUWUITY_CONFIG` to specify the config file to be
+used; see [the section on environment variables](#environment-variables) for
+more information.
 
-Alternatively, you can use the environment variable `CONTINUWUITY_CONFIG` to specify the config file to be used; see [the section on environment variables](#environment-variables) for more information.
+## Option commandline flag
 
-## Environment variables
-
-All of the options in the config file can also be specified by using environment variables. This is ideal for containerised deployments and infrastructure-as-code scenarios.
-
-The environment variable names are represented in all caps and prefixed with `CONTINUWUITY_`. They are mapped to config options in the ways demonstrated below:
-
-```bash
-# Top-level options (those inside the [global] section) are simply capitalised
-CONTINUWUITY_SERVER_NAME="matrix.example.com"
-CONTINUWUITY_PORT="8008"
-CONTINUWUITY_DATABASE_PATH="/var/lib/continuwuity"
-
-# Nested config sections use double underscores `__`
-
-# This maps to the `server` field of the [global.well_known] section in TOML
-CONTINUWUITY_WELL_KNOWN__SERVER="example.com:443"
-
-# This maps to the `base_url` field of the `[global.antispam.draupnir]` section in TOML
-CONTINUWUITY_ANTISPAM__DRAUPNIR__BASE_URL="https://draupnir.example.com"
-
-# Alternatively, you can pass a (quoted) struct to define an entire section
-# This maps to the [global.well_known] section
-CONTINUWUITY_WELL_KNOWN="{ client=https://example.com,server=example.com:443 }"
-```
-
-### Alternative prefixes
-
-For backwards compatibility, Continuwuity also supports the following environment variable prefixes, in order of descending priority:
-
-- `CONDUWUIT_*` (compatibility)
-- `CONDUIT_*` (legacy)
-
-As an example, the environment variable `CONTINUWUITY_CONFIG` can also be expressed as `CONDUWUIT_CONFIG` or `CONDUIT_CONFIG`.
-
-## Option command-line flag
-
-Continuwuity also supports setting individual config options in TOML format from the `-O` / `--option` flag. For example, you can set your server name via `-O server_name=\"example.com\"`.
-
-Note that the config is parsed as TOML, and shells like `bash` will remove quotes. Therefore, if the config option is a string, quote escapes must be properly handled. If the config option is a number or a boolean, this does not apply.
+Continuwuity supports setting individual config options in TOML format from the
+`-O` / `--option` flag. For example, you can set your server name via `-O
+server_name=\"example.com\"`.
 
+Note that the config is parsed as TOML, and shells like bash will remove quotes.
+So unfortunately it is required to escape quotes if the config option takes a
+string. This does not apply to options that take booleans or numbers:
 - `--option allow_registration=true` works ✅
 - `-O max_request_size=99999999` works ✅
 - `-O server_name=example.com` does not work ❌
 - `--option log=\"debug\"` works ✅
 - `--option server_name='"example.com'"` works ✅
 
-## Order of priority
+## Execute commandline flag
 
-The above configuration methods are prioritised, in descending order, as below:
+Continuwuity supports running admin commands on startup using the commandline
+argument `--execute`. The most notable use for this is to create an admin user
+on first startup.
 
-- Command-line `-o`/`--option` flags
-- Environment variables
-    - `CONTINUWUITY_*` variables
-    - `CONDUWUIT_*` variables
-    - `CONDUIT_*` variables
-- Config file
+The syntax of this is a standard admin command without the prefix such as
+`./conduwuit --execute "users create_user june"`
 
-Therefore, you can use environment variables or the options flags to override values in the config file.
-
----
-
-## Executing startup commands
-
-Continuwuity supports running admin commands on startup using the command-line flag `--execute`. This is treated as a standard admin command, without the need for the `!admin` prefix. For example, to create a new user:
-
-```bash
-# Equivalent to `!admin users create_user june`
-./conduwuit --execute "users create_user june"
+An example output of a success is:
+```
 INFO conduwuit_service::admin::startup: Startup command #0 completed:
 Created user with user_id: @june:girlboss.ceo and password: `<redacted>`
 ```
 
-Alternatively, you can configure `CONTINUWUITY_ADMIN_EXECUTE` or the config file value `admin_execute` with a list of commands.
+This commandline argument can be paired with the `--option` flag.
 
-This command-line argument can be paired with the `--option` flag.
+## Environment variables
+
+All of the settings that are found in the config file can be specified by using
+environment variables. The environment variable names should be all caps and
+prefixed with `CONTINUWUITY_`.
+
+For example, if the setting you are changing is `max_request_size`, then the
+environment variable to set is `CONTINUWUITY_MAX_REQUEST_SIZE`.
+
+To modify config options not in the `[global]` context such as
+`[global.well_known]`, use the `__` suffix split:
+`CONTINUWUITY_WELL_KNOWN__SERVER`
+
+Conduit and conduwuit's environment variables are also supported for backwards
+compatibility, via the `CONDUIT_` and `CONDUWUIT_` prefixes respectively (e.g.
+`CONDUIT_SERVER_NAME`).

docs/deploying/docker-compose.for-traefik.yml

@@ -0,0 +1,76 @@
+# Continuwuity - Behind Traefik Reverse Proxy
+
+services:
+  homeserver:
+    ### If you already built the continuwuity image with 'docker build' or want to use the Docker Hub image,
+    ### then you are ready to go.
+    image: forgejo.ellis.link/continuwuation/continuwuity:latest
+    restart: unless-stopped
+    command: /sbin/conduwuit
+    volumes:
+      - db:/var/lib/continuwuity
+      #- ./continuwuity.toml:/etc/continuwuity.toml
+    networks:
+      - proxy
+    labels:
+      - "traefik.enable=true"
+      - "traefik.http.routers.continuwuity.rule=(Host(`matrix.example.com`) || (Host(`example.com`) && PathPrefix(`/.well-known/matrix`)))"
+      - "traefik.http.routers.continuwuity.entrypoints=websecure" # your HTTPS entry point
+      - "traefik.http.routers.continuwuity.tls=true"
+      - "traefik.http.routers.continuwuity.service=continuwuity"
+      - "traefik.http.services.continuwuity.loadbalancer.server.port=6167"
+      # possibly, depending on your config:
+      # - "traefik.http.routers.continuwuity.tls.certresolver=letsencrypt"
+    environment:
+      CONTINUWUITY_SERVER_NAME: your.server.name.example # EDIT THIS
+      CONTINUWUITY_DATABASE_PATH: /var/lib/continuwuity
+      CONTINUWUITY_PORT: 6167 # should match the loadbalancer traefik label
+      CONTINUWUITY_MAX_REQUEST_SIZE: 20000000 # in bytes, ~20 MB
+      CONTINUWUITY_ALLOW_REGISTRATION: 'true'
+      CONTINUWUITY_REGISTRATION_TOKEN: 'YOUR_TOKEN' # A registration token is required when registration is allowed.
+      #CONTINUWUITY_YES_I_AM_VERY_VERY_SURE_I_WANT_AN_OPEN_REGISTRATION_SERVER_PRONE_TO_ABUSE: 'true'
+      CONTINUWUITY_ALLOW_FEDERATION: 'true'
+      CONTINUWUITY_ALLOW_CHECK_FOR_UPDATES: 'true'
+      CONTINUWUITY_TRUSTED_SERVERS: '["matrix.org"]'
+      #CONTINUWUITY_LOG: warn,state_res=warn
+      CONTINUWUITY_ADDRESS: 0.0.0.0
+      #CONTINUWUITY_CONFIG: '/etc/continuwuity.toml' # Uncomment if you mapped config toml above
+
+      # We need some way to serve the client and server .well-known json. The simplest way is via the CONTINUWUITY_WELL_KNOWN
+      # variable / config option, there are multiple ways to do this, e.g. in the continuwuity.toml file, and in a separate
+      # see the override file for more information about delegation
+      CONTINUWUITY_WELL_KNOWN: |
+        {
+        client=https://your.server.name.example,
+        server=your.server.name.example:443
+        }
+    #cpuset: "0-4" # Uncomment to limit to specific CPU cores
+    ulimits: # Continuwuity uses quite a few file descriptors, and on some systems it defaults to 1024, so you can tell docker to increase it
+      nofile:
+        soft: 1048567
+        hard: 1048567
+
+    ### Uncomment if you want to use your own Element-Web App.
+    ### Note: You need to provide a config.json for Element and you also need a second
+    ###       Domain or Subdomain for the communication between Element and Continuwuity
+    ### Config-Docs: https://github.com/vector-im/element-web/blob/develop/docs/config.md
+    # element-web:
+    #     image: vectorim/element-web:latest
+    #     restart: unless-stopped
+    #     volumes:
+    #         - ./element_config.json:/app/config.json
+    #     networks:
+    #         - proxy
+    #     depends_on:
+    #         - homeserver
+
+volumes:
+  db:
+
+networks:
+  # This is the network Traefik listens to, if your network has a different
+  # name, don't forget to change it here and in the docker-compose.override.yml
+  proxy:
+    external: true
+
+# vim: ts=2:sw=2:expandtab

docs/deploying/docker-compose.override.yml

@@ -6,13 +6,11 @@ services:
       - "traefik.enable=true"
       - "traefik.docker.network=proxy"  # Change this to the name of your Traefik docker proxy network
 
-      - "traefik.http.routers.to-continuwuity.rule=Host(`example.com`)"  # Change to the address on which Continuwuity is hosted
+      - "traefik.http.routers.to-continuwuity.rule=Host(`<SUBDOMAIN>.<DOMAIN>`)"  # Change to the address on which Continuwuity is hosted
       - "traefik.http.routers.to-continuwuity.tls=true"
       - "traefik.http.routers.to-continuwuity.tls.certresolver=letsencrypt"
       - "traefik.http.routers.to-continuwuity.middlewares=cors-headers@docker"
-
-      # This must match with CONTINUWUITY_PORT (default: 8008)
-      - "traefik.http.services.to_continuwuity.loadbalancer.server.port=8008"
+      - "traefik.http.services.to_continuwuity.loadbalancer.server.port=6167"
 
       - "traefik.http.middlewares.cors-headers.headers.accessControlAllowOriginList=*"
       - "traefik.http.middlewares.cors-headers.headers.accessControlAllowHeaders=Origin, X-Requested-With, Content-Type, Accept, Authorization"
@@ -20,7 +18,19 @@ services:
 
       # If you want to have your account on <DOMAIN>, but host Continuwuity on a subdomain,
       # you can let it only handle the well known file on that domain instead
-      #- "traefik.http.routers.to-matrix-wellknown.rule=Host(`example.com`) && PathPrefix(`/.well-known/matrix`)"
+      #- "traefik.http.routers.to-matrix-wellknown.rule=Host(`<DOMAIN>`) && PathPrefix(`/.well-known/matrix`)"
       #- "traefik.http.routers.to-matrix-wellknown.tls=true"
       #- "traefik.http.routers.to-matrix-wellknown.tls.certresolver=letsencrypt"
       #- "traefik.http.routers.to-matrix-wellknown.middlewares=cors-headers@docker"
+
+  ### Uncomment this if you uncommented Element-Web App in the docker-compose.yml
+  # element-web:
+  #     labels:
+  #         - "traefik.enable=true"
+  #         - "traefik.docker.network=proxy"  # Change this to the name of your Traefik docker proxy network
+
+  #         - "traefik.http.routers.to-element-web.rule=Host(`<SUBDOMAIN>.<DOMAIN>`)"  # Change to the address on which Element-Web is hosted
+  #         - "traefik.http.routers.to-element-web.tls=true"
+  #         - "traefik.http.routers.to-element-web.tls.certresolver=letsencrypt"
+
+# vim: ts=2:sw=2:expandtab

docs/deploying/docker-compose.with-caddy.yml

@@ -0,0 +1,60 @@
+services:
+    caddy:
+    # This compose file uses caddy-docker-proxy as the reverse proxy for Continuwuity!
+    # For more info, visit https://github.com/lucaslorentz/caddy-docker-proxy
+        image: lucaslorentz/caddy-docker-proxy:ci-alpine
+        ports:
+            - 80:80
+            - 443:443
+        environment:
+            - CADDY_INGRESS_NETWORKS=caddy
+        networks:
+            - caddy
+        volumes:
+            - /var/run/docker.sock:/var/run/docker.sock
+            - ./data:/data
+        restart: unless-stopped
+        labels:
+            caddy: example.com
+            caddy.reverse_proxy: /.well-known/matrix/* homeserver:6167
+
+    homeserver:
+        ### If you already built the Continuwuity image with 'docker build' or want to use a registry image,
+        ### then you are ready to go.
+        image: forgejo.ellis.link/continuwuation/continuwuity:latest
+        restart: unless-stopped
+        command: /sbin/conduwuit
+        volumes:
+            - db:/var/lib/continuwuity
+            - /etc/resolv.conf:/etc/resolv.conf:ro # Use the host's DNS resolver rather than Docker's.
+            #- ./continuwuity.toml:/etc/continuwuity.toml
+        environment:
+            CONTINUWUITY_SERVER_NAME: example.com # EDIT THIS
+            CONTINUWUITY_DATABASE_PATH: /var/lib/continuwuity
+            CONTINUWUITY_PORT: 6167
+            CONTINUWUITY_MAX_REQUEST_SIZE: 20000000 # in bytes, ~20 MB
+            CONTINUWUITY_ALLOW_REGISTRATION: 'true'
+            CONTINUWUITY_REGISTRATION_TOKEN: 'YOUR_TOKEN' # A registration token is required when registration is allowed.
+            #CONTINUWUITY_YES_I_AM_VERY_VERY_SURE_I_WANT_AN_OPEN_REGISTRATION_SERVER_PRONE_TO_ABUSE: 'true'
+            CONTINUWUITY_ALLOW_FEDERATION: 'true'
+            CONTINUWUITY_ALLOW_CHECK_FOR_UPDATES: 'true'
+            CONTINUWUITY_TRUSTED_SERVERS: '["matrix.org"]'
+            #CONTINUWUITY_LOG: warn,state_res=warn
+            CONTINUWUITY_ADDRESS: 0.0.0.0
+            #CONTINUWUITY_CONFIG: '/etc/continuwuity.toml' # Uncomment if you mapped config toml above
+
+            # Required for .well-known delegation - edit these according to your chosen domain
+            CONTINUWUITY_WELL_KNOWN__CLIENT: https://matrix.example.com
+            CONTINUWUITY_WELL_KNOWN__SERVER: matrix.example.com:443
+        networks:
+            - caddy
+        labels:
+            caddy: matrix.example.com
+            caddy.reverse_proxy: "{{upstreams 6167}}"
+
+volumes:
+    db:
+
+networks:
+    caddy:
+        external: true

docs/deploying/docker-compose.with-traefik.yml

@@ -0,0 +1,160 @@
+# Continuwuity - Behind Traefik Reverse Proxy
+
+services:
+  homeserver:
+    ### If you already built the Continuwuity image with 'docker build' or want to use the Docker Hub image,
+    ### then you are ready to go.
+    image: forgejo.ellis.link/continuwuation/continuwuity:latest
+    restart: unless-stopped
+    command: /sbin/conduwuit
+    volumes:
+      - db:/var/lib/continuwuity
+      - /etc/resolv.conf:/etc/resolv.conf:ro # Use the host's DNS resolver rather than Docker's.
+      #- ./continuwuity.toml:/etc/continuwuity.toml
+    networks:
+      - proxy
+    labels:
+      - "traefik.enable=true"
+      - "traefik.http.routers.continuwuity.rule=(Host(`matrix.example.com`) || (Host(`example.com`) && PathPrefix(`/.well-known/matrix`)))"
+      - "traefik.http.routers.continuwuity.entrypoints=websecure"
+      - "traefik.http.routers.continuwuity.tls.certresolver=letsencrypt"
+      - "traefik.http.services.continuwuity.loadbalancer.server.port=6167"
+      # Uncomment and adjust the following if you want to use middleware
+      # - "traefik.http.routers.continuwuity.middlewares=secureHeaders@file"
+    environment:
+      CONTINUWUITY_SERVER_NAME: your.server.name.example # EDIT THIS
+      CONTINUWUITY_TRUSTED_SERVERS: '["matrix.org"]'
+      CONTINUWUITY_ALLOW_REGISTRATION: 'false' # After setting a secure registration token, you can enable this
+      CONTINUWUITY_REGISTRATION_TOKEN: "" # This is a token you can use to register on the server
+      #CONTINUWUITY_REGISTRATION_TOKEN_FILE: "" # Alternatively you can configure a path to a token file to read
+      CONTINUWUITY_ADDRESS: 0.0.0.0
+      CONTINUWUITY_PORT: 6167 # you need to match this with the traefik load balancer label if you're want to change it
+      CONTINUWUITY_DATABASE_PATH: /var/lib/continuwuity
+      #CONTINUWUITY_CONFIG: '/etc/continuwuity.toml' # Uncomment if you mapped config toml above
+      ### Uncomment and change values as desired, note that Continuwuity has plenty of config options, so you should check out the example example config too
+      # Available levels are: error, warn, info, debug, trace - more info at: https://docs.rs/env_logger/*/env_logger/#enabling-logging
+      # CONTINUWUITY_LOG: info  # default is: "warn,state_res=warn"
+      # CONTINUWUITY_ALLOW_ENCRYPTION: 'true'
+      # CONTINUWUITY_ALLOW_FEDERATION: 'true'
+      # CONTINUWUITY_ALLOW_CHECK_FOR_UPDATES: 'true'
+      # CONTINUWUITY_ALLOW_INCOMING_PRESENCE: true
+      # CONTINUWUITY_ALLOW_OUTGOING_PRESENCE: true
+      # CONTINUWUITY_ALLOW_LOCAL_PRESENCE: true
+      # CONTINUWUITY_WORKERS: 10
+      # CONTINUWUITY_MAX_REQUEST_SIZE: 20000000  # in bytes, ~20 MB
+      # CONTINUWUITY_NEW_USER_DISPLAYNAME_SUFFIX = "🏳<200d>⚧"
+
+      # We need some way to serve the client and server .well-known json. The simplest way is via the CONTINUWUITY_WELL_KNOWN
+      # variable / config option, there are multiple ways to do this, e.g. in the continuwuity.toml file, and in a separate
+      # reverse proxy, but since you do not have a reverse proxy and following this guide, this example is included
+      CONTINUWUITY_WELL_KNOWN: |
+        {
+          client=https://your.server.name.example,
+          server=your.server.name.example:443
+        }
+    #cpuset: "0-4" # Uncomment to limit to specific CPU cores
+    ulimits: # Continuwuity uses quite a few file descriptors, and on some systems it defaults to 1024, so you can tell docker to increase it
+      nofile:
+        soft: 1048567
+        hard: 1048567
+
+    ### Uncomment if you want to use your own Element-Web App.
+    ### Note: You need to provide a config.json for Element and you also need a second
+    ###       Domain or Subdomain for the communication between Element and Continuwuity
+    ### Config-Docs: https://github.com/vector-im/element-web/blob/develop/docs/config.md
+    # element-web:
+    #     image: vectorim/element-web:latest
+    #     restart: unless-stopped
+    #     volumes:
+    #         - ./element_config.json:/app/config.json
+    #     networks:
+    #         - proxy
+    #     depends_on:
+    #         - homeserver
+
+  traefik:
+    image: "traefik:latest"
+    container_name: "traefik"
+    restart: "unless-stopped"
+    ports:
+      - "80:80"
+      - "443:443"
+    volumes:
+      - "/var/run/docker.sock:/var/run/docker.sock:z"
+      - "acme:/etc/traefik/acme"
+      #- "./traefik_config:/etc/traefik:z"
+    labels:
+      - "traefik.enable=true"
+
+      # middleware redirect
+      - "traefik.http.middlewares.redirect-to-https.redirectscheme.scheme=https"
+      # global redirect to https
+      - "traefik.http.routers.redirs.rule=hostregexp(`{host:.+}`)"
+      - "traefik.http.routers.redirs.entrypoints=web"
+      - "traefik.http.routers.redirs.middlewares=redirect-to-https"
+
+    configs:
+      - source: dynamic.yml
+        target: /etc/traefik/dynamic.yml
+
+    environment:
+      TRAEFIK_LOG_LEVEL: DEBUG
+      TRAEFIK_ENTRYPOINTS_WEB: true
+      TRAEFIK_ENTRYPOINTS_WEB_ADDRESS: ":80"
+      TRAEFIK_ENTRYPOINTS_WEB_HTTP_REDIRECTIONS_ENTRYPOINT_TO: websecure
+
+      TRAEFIK_ENTRYPOINTS_WEBSECURE: true
+      TRAEFIK_ENTRYPOINTS_WEBSECURE_ADDRESS: ":443"
+      TRAEFIK_ENTRYPOINTS_WEBSECURE_HTTP_TLS_CERTRESOLVER: letsencrypt
+      #TRAEFIK_ENTRYPOINTS_WEBSECURE_HTTP_MIDDLEWARES: secureHeaders@file # if you want to enabled STS
+
+      TRAEFIK_CERTIFICATESRESOLVERS_LETSENCRYPT: true
+      TRAEFIK_CERTIFICATESRESOLVERS_LETSENCRYPT_ACME_EMAIL: # Set this to the email you want to receive certificate expiration emails for
+      TRAEFIK_CERTIFICATESRESOLVERS_LETSENCRYPT_ACME_KEYTYPE: EC384
+      TRAEFIK_CERTIFICATESRESOLVERS_LETSENCRYPT_ACME_HTTPCHALLENGE: true
+      TRAEFIK_CERTIFICATESRESOLVERS_LETSENCRYPT_ACME_HTTPCHALLENGE_ENTRYPOINT: web
+      TRAEFIK_CERTIFICATESRESOLVERS_LETSENCRYPT_ACME_STORAGE: "/etc/traefik/acme/acme.json"
+
+      # Since Traefik 3.6.3, paths with certain "encoded characters" are now blocked by default; we need a couple, or else things *will* break
+      TRAEFIK_ENTRYPOINTS_WEBSECURE_HTTP_ENCODEDCHARACTERS_ALLOWENCODEDSLASH: true
+      TRAEFIK_ENTRYPOINTS_WEBSECURE_HTTP_ENCODEDCHARACTERS_ALLOWENCODEDHASH: true
+
+      TRAEFIK_PROVIDERS_DOCKER: true
+      TRAEFIK_PROVIDERS_DOCKER_ENDPOINT: "unix:///var/run/docker.sock"
+      TRAEFIK_PROVIDERS_DOCKER_EXPOSEDBYDEFAULT: false
+
+      TRAEFIK_PROVIDERS_FILE: true
+      TRAEFIK_PROVIDERS_FILE_FILENAME: "/etc/traefik/dynamic.yml"
+
+configs:
+  dynamic.yml:
+    content: |
+      # Optionally set STS headers, like in https://hstspreload.org
+      # http:
+      #   middlewares:
+      #     secureHeaders:
+      #       headers:
+      #         forceSTSHeader: true
+      #         stsIncludeSubdomains: true
+      #         stsPreload: true
+      #         stsSeconds: 31536000
+      tls:
+        options:
+          default:
+            cipherSuites:
+              - TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
+              - TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
+              - TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
+              - TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
+              - TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305
+              - TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305
+            minVersion: VersionTLS12
+
+volumes:
+    db:
+    acme:
+
+networks:
+    proxy:
+
+# vim: ts=2:sw=2:expandtab

docs/deploying/docker-compose.yml

@@ -0,0 +1,45 @@
+# Continuwuity
+
+services:
+    homeserver:
+        ### If you already built the Continuwuity image with 'docker build' or want to use a registry image,
+        ### then you are ready to go.
+        image: forgejo.ellis.link/continuwuation/continuwuity:latest
+        restart: unless-stopped
+        command: /sbin/conduwuit
+        ports:
+            - 8448:6167
+        volumes:
+            - db:/var/lib/continuwuity
+            #- ./continuwuity.toml:/etc/continuwuity.toml
+        environment:
+            CONTINUWUITY_SERVER_NAME: your.server.name # EDIT THIS
+            CONTINUWUITY_DATABASE_PATH: /var/lib/continuwuity
+            CONTINUWUITY_PORT: 6167
+            CONTINUWUITY_MAX_REQUEST_SIZE: 20000000 # in bytes, ~20 MB
+            CONTINUWUITY_ALLOW_REGISTRATION: 'true'
+            CONTINUWUITY_REGISTRATION_TOKEN: 'YOUR_TOKEN' # A registration token is required when registration is allowed.
+            #CONTINUWUITY_YES_I_AM_VERY_VERY_SURE_I_WANT_AN_OPEN_REGISTRATION_SERVER_PRONE_TO_ABUSE: 'true'
+            CONTINUWUITY_ALLOW_FEDERATION: 'true'
+            CONTINUWUITY_ALLOW_CHECK_FOR_UPDATES: 'true'
+            CONTINUWUITY_TRUSTED_SERVERS: '["matrix.org"]'
+            #CONTINUWUITY_LOG: warn,state_res=warn
+            CONTINUWUITY_ADDRESS: 0.0.0.0
+            #CONTINUWUITY_CONFIG: '/etc/continuwuity.toml' # Uncomment if you mapped config toml above
+    #
+    ### Uncomment if you want to use your own Element-Web App.
+    ### Note: You need to provide a config.json for Element and you also need a second
+    ###       Domain or Subdomain for the communication between Element and Continuwuity
+    ### Config-Docs: https://github.com/vector-im/element-web/blob/develop/docs/config.md
+    # element-web:
+    #     image: vectorim/element-web:latest
+    #     restart: unless-stopped
+    #     ports:
+    #         - 8009:80
+    #     volumes:
+    #         - ./element_config.json:/app/config.json
+    #     depends_on:
+    #         - homeserver
+
+volumes:
+    db:

docs/deploying/docker.mdx

@@ -1,251 +1,257 @@
 # Continuwuity for Docker
 
-## Preparation
+## Docker
 
-### Choose an image
+To run Continuwuity with Docker, you can either build the image yourself or pull
+it from a registry.
 
-The following OCI images are available for Continuwuity:
+### Use a registry
 
-| Image                                                                                        | Notes                                                                                                     |
-| ------------------------------------------------------------------------------------------- | --------------------------------------------------------------------------------------------------------- |
-| [https://forgejo.ellis.link/continuwuation/continuwuity:**latest**][latest]                 | Latest tagged release. (recommended)                                                                      |
-| [https://forgejo.ellis.link/continuwuation/continuwuity:**main**][main]                     | Latest `main` branch commit.                                                                              |
-| [https://forgejo.ellis.link/continuwuation/continuwuity:**latest-maxperf**][latest-maxperf] | Latest tagged release, [performance optimised version](./generic.mdx#performance-optimised-builds).       |
-| [https://forgejo.ellis.link/continuwuation/continuwuity:**main-maxperf**][main-maxperf]     | Latest `main` branch commit, [performance optimised version](./generic.mdx#performance-optimised-builds). |
+Available OCI images:
 
-[latest]: https://forgejo.ellis.link/continuwuation/-/packages/container/continuwuity/latest
-[main]: https://forgejo.ellis.link/continuwuation/-/packages/container/continuwuity/main
-[latest-maxperf]: https://forgejo.ellis.link/continuwuation/-/packages/container/continuwuity/latest-maxperf
-[main-maxperf]: https://forgejo.ellis.link/continuwuation/-/packages/container/continuwuity/main-maxperf
+| Registry         | Image                                                                                                                                                       | Notes                                                                        |
+| ---------------- | ----------------------------------------------------------------------------------------------------------------------------------------------------------- | ---------------------------------------------------------------------------- |
+| Forgejo Registry | [forgejo.ellis.link/continuwuation/continuwuity:latest](https://forgejo.ellis.link/continuwuation/-/packages/container/continuwuity/latest)                 | Latest tagged image.                                                         |
+| Forgejo Registry | [forgejo.ellis.link/continuwuation/continuwuity:main](https://forgejo.ellis.link/continuwuation/-/packages/container/continuwuity/main)                     | Main branch image.                                                           |
+| Forgejo Registry | [forgejo.ellis.link/continuwuation/continuwuity:latest-maxperf](https://forgejo.ellis.link/continuwuation/-/packages/container/continuwuity/latest-maxperf) | [Performance optimised version.](./generic.mdx#performance-optimised-builds) |
+| Forgejo Registry | [forgejo.ellis.link/continuwuation/continuwuity:main-maxperf](https://forgejo.ellis.link/continuwuation/-/packages/container/continuwuity/main-maxperf)     | [Performance optimised version.](./generic.mdx#performance-optimised-builds) |
 
-If you want a specific version or commit hash, you can browse for them [here][oci-all-versions].
+**Example:**
 
-Images are also mirrored to these locations automatically, on a schedule:
-
-- `ghcr.io/continuwuity/continuwuity` ([Github Registry][ghcr-io])
-- `docker.io/jadedblueeyes/continuwuity` ([Docker Hub][docker-hub])
-- `registry.gitlab.com/continuwuity/continuwuity` ([Gitlab Registry][gitlab-registry])
-- `git.nexy7574.co.uk/mirrored/continuwuity` ([Nexy's forge][nexy-forge]. Releases only, no `main` tags)
-
-[oci-all-versions]: https://forgejo.ellis.link/continuwuation/-/packages/container/continuwuity/versions
-[ghcr-io]: https://github.com/continuwuity/continuwuity/pkgs/container/continuwuity/versions?filters%5Bversion_type%5D=tagged
-[docker-hub]: https://hub.docker.com/r/jadedblueeyes/continuwuity/
-[gitlab-registry]: https://gitlab.com/continuwuity/continuwuity/container_registry/8871720
-[nexy-forge]: https://git.nexy7574.co.uk/mirrored/-/packages/container/continuwuity/versions
-
-### Prerequisites
-
-Continuwuity requires HTTPS for Matrix federation. You'll need:
-
-- A domain name pointing to your server's IP address - we will be using `example.com` in this guide.
-- A reverse proxy with SSL/TLS certificates (Traefik, Caddy, nginx, etc.) - see [Docker Compose](#docker-compose) for complete examples.
-- Port `:443` (for Client-Server traffic) and `:8448` (for federation traffic) opened on your server's firewall.
-
-    - Alternatively, if you want both client and federation traffic on `:443`, you can configure `CONTINUWUITY_WELL_KNOWN` following some of the [examples](#choose-your-reverse-proxy) below.
-
-:::tip Split-domain setups
-For more setups with `.well-known` delegation and split-domain deployments, consult the [Delegation/Split-domain](../advanced/delegation) page.
-:::
-
-## Docker Compose
-
-Docker Compose is the recommended deployment method for Continuwuity containers. The following environment variables will be set:
-
-- `CONTINUWUITY_SERVER_NAME` - Your Matrix server's domain name. **This CANNOT be changed later without a data wipe.**
-- `CONTINUWUITY_DATABASE_PATH` - Where to store your database. This must match the docker volume mount.
-- `CONTINUWUITY_ADDRESS` - Bind address (for Docker, use `0.0.0.0` to listen on all interfaces).
-
-Alternatively, you can specify a path to mount the configuration file using the `CONTINUWUITY_CONFIG` environment variable.
-
-See the [reference configuration](../reference/config) page for all config options, and the [Configuration page](../configuration#environment-variables) on how to convert them into Environment Variables.
-
-### Choose Your Reverse Proxy
-
-These examples include reverse proxy configurations for Matrix federation, which will route your Matrix domain (and optionally .well-known paths) to Continuwuity.
-
-:::note Docker DNS Performance
-Docker's default DNS resolver are known to [cause timeout issues](../troubleshooting#dns-issues) for Matrix federation. To bypass it and use a more performant resolver, mount a custom `/etc/resolv.conf` config file into the Continuwuity container.
-
-```yaml title='docker-compose.yml'
-services:
-  homeserver:
-    # ...
-    volumes:
-      - ./continuwuity-resolv.conf:/etc/resolv.conf
+```bash
+docker image pull forgejo.ellis.link/continuwuation/continuwuity:main-maxperf
 ```
 
-```txt title='continuwuity-resolv.conf'
-nameserver 1.0.0.1
-nameserver 1.1.1.1
-```
+#### Mirrors
 
-Consult the [**DNS tuning guide (recommended)**](../advanced/dns.mdx) for full solutions to this issue.
-:::
+Images are mirrored to multiple locations automatically, on a schedule:
 
-#### Caddy (using Caddyfile)
+- `ghcr.io/continuwuity/continuwuity`
+- `docker.io/jadedblueeyes/continuwuity`
+- `registry.gitlab.com/continuwuity/continuwuity`
+- `git.nexy7574.co.uk/mirrored/continuwuity` (releases only, no `main`)
 
-<details>
-<summary>docker-compose.with-caddy.yml ([view raw](/deploying/docker-compose.with-caddy.yml))</summary>
-
-```yaml file="../public/deploying/docker-compose.with-caddy.yml"
-
-```
-
-</details>
-
-#### Caddy (using labels)
-
-<details>
-<summary>docker-compose.with-caddy-labels.yml ([view raw](/deploying/docker-compose.with-caddy-labels.yml))</summary>
-
-```yaml file="../public/deploying/docker-compose.with-caddy-labels.yml"
-
-```
-
-</details>
-
-#### Traefik (for existing setup)
-
-<details>
-<summary>docker-compose.for-traefik.yml ([view raw](/deploying/docker-compose.for-traefik.yml))</summary>
-
-```yaml file="../public/deploying/docker-compose.for-traefik.yml"
-
-```
-
-</details>
-
-#### Traefik included
-
-<details>
-<summary>docker-compose.with-traefik.yml ([view raw](/deploying/docker-compose.with-traefik.yml))</summary>
-
-```yaml file="../public/deploying/docker-compose.with-traefik.yml"
-
-```
-
-</details>
-
-#### Traefik (as override file)
-
-<details>
-<summary>docker-compose.override.yml ([view raw](/deploying/docker-compose.override.yml))</summary>
-
-```yaml file="../public/deploying/docker-compose.override.yml"
-
-```
-
-</details>
-
-#### For other reverse proxies
-
-<details>
-<summary>docker-compose.yml ([view raw](/deploying/docker-compose.yml))</summary>
-
-```yaml file="../public/deploying/docker-compose.yml"
-
-```
-
-</details>
-
-You will then need to point your reverse proxy towards Continuwuity at `127.0.0.1:8008`. See the [Other reverse proxies](generic.mdx#setting-up-the-reverse-proxy) section of the Generic page for further routing details.
-
-### Starting Your Server
-
-1. Choose your compose file from the above, and rename it to `docker-compose.yml`. Replace `example.com` with your homeserver's domain name, and edit other values as you see fit.
-2. If using the override file, rename it to `docker-compose.override.yml` and
-   edit your values.
-3. Start the server:
-
-    ```bash
-    docker compose up -d
-    ```
-
-4. Check your server logs for a registration token:
-
-    ```bash
-    docker-compose logs continuwuity 2>&1
-    ```
-
-    You'll see output as below.
-
-    ```
-    In order to use your new homeserver, you need to create its
-    first user account.
-    Open your Matrix client of choice and register an account
-    on example.com using registration token x5keUZ811RqvLsNa .
-    Pick your own username and password!
-    ```
-
-5. Log in to your server with any Matrix client, and register for an account with the registration token from step 4. You'll automatically be invited to the admin room where you can [manage your server](../reference/admin).
-
-See the [generic deployment guide](generic.mdx) for more deployment options.
-
-## Testing
-
-Test that your setup works by following these [instructions](./generic.mdx#how-do-i-know-it-works)
-
-## Other deployment methods
-
-### Docker - Quick Run
-
-:::note For testing only
-The instructions below are only meant for a quick demo of Continuwuity.
-For production deployment, we recommend using [Docker Compose](#docker-compose)
-:::
+### Quick Run
 
 Get a working Continuwuity server with an admin user in four steps:
 
-1. Pull the image
+#### Prerequisites
 
-    ```bash
-    docker pull forgejo.ellis.link/continuwuation/continuwuity:latest
-    ```
+Continuwuity requires HTTPS for Matrix federation. You'll need:
 
-2. Start the server for the first time. Replace `example.com` with your actual server name.
+- A domain name pointing to your server
+- A reverse proxy with SSL/TLS certificates (Traefik, Caddy, nginx, etc.)
 
-    ```bash
-    docker run -d \
-      -p 8008:8008 \
-      -v continuwuity_db:/var/lib/continuwuity \
-      -e CONTINUWUITY_SERVER_NAME="example.com" \
-      -e CONTINUWUITY_DATABASE_PATH="/var/lib/continuwuity" \
-      -e CONTINUWUITY_ADDRESS="0.0.0.0" \
-      -e CONTINUWUITY_ALLOW_REGISTRATION="false" \
-      --name continuwuity \
-      forgejo.ellis.link/continuwuation/continuwuity:latest \
-      /sbin/conduwuit
-    ```
+See [Docker Compose](#docker-compose) for complete examples.
 
-3. Fetch the one-time initial registration token
+#### Environment Variables
 
-    ```bash
-    docker logs continuwuity 2>&1
-    ```
+- `CONTINUWUITY_SERVER_NAME` - Your Matrix server's domain name
+- `CONTINUWUITY_DATABASE_PATH` - Where to store your database (must match the
+  volume mount)
+- `CONTINUWUITY_ADDRESS` - Bind address (use `0.0.0.0` to listen on all
+  interfaces)
+- `CONTINUWUITY_ALLOW_REGISTRATION` - Set to `false` to disable registration, or
+  use with `CONTINUWUITY_REGISTRATION_TOKEN` to require a token (see
+  [reference](../reference/environment-variables.mdx#registration--user-configuration)
+  for details)
 
-    You'll see output as below.
+See the
+[Environment Variables Reference](../reference/environment-variables.mdx) for
+more configuration options.
 
-    ```
-    In order to use your new homeserver, you need to create its
-    first user account.
-    Open your Matrix client of choice and register an account
-    on example.com using registration token x5keUZ811RqvLsNa .
-    Pick your own username and password!
-    ```
+#### 1. Pull the image
 
-4. Configure your reverse proxy to forward HTTPS traffic to Continuwuity at port 8008. See [Docker Compose](#docker-compose) for examples.
+```bash
+docker pull forgejo.ellis.link/continuwuation/continuwuity:latest
+```
 
-Once configured, log in to your server with any Matrix client, and register for an account with the registration token from step 3. You'll automatically be invited to the admin room where you can [manage your server](../reference/admin).
+#### 2. Start the server with initial admin user
 
-### (Optional) Building Custom Images
+```bash
+docker run -d \
+  -p 6167:6167 \
+  -v continuwuity_db:/var/lib/continuwuity \
+  -e CONTINUWUITY_SERVER_NAME="matrix.example.com" \
+  -e CONTINUWUITY_DATABASE_PATH="/var/lib/continuwuity" \
+  -e CONTINUWUITY_ADDRESS="0.0.0.0" \
+  -e CONTINUWUITY_ALLOW_REGISTRATION="false" \
+  --name continuwuity \
+  forgejo.ellis.link/continuwuation/continuwuity:latest \
+  /sbin/conduwuit --execute "users create-user admin"
+```
+
+Replace `matrix.example.com` with your actual server name and `admin` with
+your preferred username.
+
+#### 3. Get your admin password
+
+```bash
+docker logs continuwuity 2>&1 | grep "Created user"
+```
+
+You'll see output like:
+
+```
+Created user with user_id: @admin:matrix.example.com and password: `[auto-generated-password]`
+```
+
+#### 4. Configure your reverse proxy
+
+Configure your reverse proxy to forward HTTPS traffic to Continuwuity. See
+[Docker Compose](#docker-compose) for examples.
+
+Once configured, log in with any Matrix client using `@admin:matrix.example.com`
+and the generated password. You'll automatically be invited to the admin room
+where you can manage your server.
+
+### Docker Compose
+
+Docker Compose is the recommended deployment method. These examples include
+reverse proxy configurations for Matrix federation.
+
+#### Matrix Federation Requirements
+
+For Matrix federation to work, you need to serve `.well-known/matrix/client` and
+`.well-known/matrix/server` endpoints. You can achieve this either by:
+
+1. **Using a well-known service** - The compose files below include an nginx
+   container to serve these files
+2. **Using Continuwuity's built-in delegation** (easier for Traefik) - Configure
+   delegation files in your config, then proxy `/.well-known/matrix/*` to
+   Continuwuity
+
+**Traefik example using built-in delegation:**
+
+```yaml
+labels:
+  traefik.http.routers.continuwuity.rule: >-
+    (Host(`matrix.example.com`) ||
+     (Host(`example.com`) && PathPrefix(`/.well-known/matrix`)))
+```
+
+This routes your Matrix domain and well-known paths to Continuwuity.
+
+#### Creating Your First Admin User
+
+Add the `--execute` command to create an admin user on first startup. In your
+compose file, add under the `continuwuity` service:
+
+```yaml
+services:
+    continuwuity:
+        image: forgejo.ellis.link/continuwuation/continuwuity:latest
+        command: /sbin/conduwuit --execute "users create-user admin"
+        # ... rest of configuration
+```
+
+Then retrieve the auto-generated password:
+
+```bash
+docker compose logs continuwuity | grep "Created user"
+```
+
+#### Choose Your Reverse Proxy
+
+Select the compose file that matches your setup:
+
+:::note DNS Performance
+Docker's default DNS resolver can cause performance issues with Matrix
+federation. If you experience slow federation or DNS timeouts, you may need to
+use your host's DNS resolver instead. Add this volume mount to the
+`continuwuity` service:
+
+```yaml
+volumes:
+  - /etc/resolv.conf:/etc/resolv.conf:ro
+```
+
+See [Troubleshooting - DNS Issues](../troubleshooting.mdx#potential-dns-issues-when-using-docker)
+for more details and alternative solutions.
+:::
+
+##### For existing Traefik setup
+
+<details>
+<summary>docker-compose.for-traefik.yml</summary>
+
+```yaml file="./docker-compose.for-traefik.yml"
+
+```
+
+</details>
+
+##### With Traefik included
+
+<details>
+<summary>docker-compose.with-traefik.yml</summary>
+
+```yaml file="./docker-compose.with-traefik.yml"
+
+```
+
+</details>
+
+##### With Caddy Docker Proxy
+
+<details>
+<summary>docker-compose.with-caddy.yml</summary>
+
+Replace all `example.com` placeholders with your own domain.
+
+```yaml file="./docker-compose.with-caddy.yml"
+
+```
+
+If you don't already have a network for Caddy to monitor, create one first:
+
+```bash
+docker network create caddy
+```
+
+</details>
+
+##### For other reverse proxies
+
+<details>
+<summary>docker-compose.yml</summary>
+
+```yaml file="./docker-compose.yml"
+
+```
+
+</details>
+
+##### Override file for customisation
+
+<details>
+<summary>docker-compose.override.yml</summary>
+
+```yaml file="./docker-compose.override.yml"
+
+```
+
+</details>
+
+#### Starting Your Server
+
+1. Choose your compose file and rename it to `docker-compose.yml`
+2. If using the override file, rename it to `docker-compose.override.yml` and
+   edit your values
+3. Start the server:
+
+```bash
+docker compose up -d
+```
+
+See the [generic deployment guide](generic.mdx) for more deployment options.
+
+### Building Custom Images
 
 For information on building your own Continuwuity Docker images, see the
 [Building Docker Images](../development/index.mdx#building-docker-images)
 section in the development documentation.
 
-## Next steps
+## Voice communication
 
-- For smooth federation, set up a caching resolver according to the [**DNS tuning guide**](../advanced/dns.mdx) (recommended)
-- To set up Audio/Video communication, see the [**Calls**](../calls.mdx) page.
-- If you want to set up an appservice, take a look at the [**Appservice
-Guide**](../appservices.mdx).
+See the [Calls](../calls.mdx) page.

docs/public/deploying/docker-compose.for-traefik.yml

@@ -1,44 +0,0 @@
-# Continuwuity - Behind Traefik Reverse Proxy
-
-services:
-  homeserver:
-    image: forgejo.ellis.link/continuwuation/continuwuity:latest
-    restart: unless-stopped
-    command: /sbin/conduwuit
-    volumes:
-      - db:/var/lib/continuwuity
-      - ./continuwuity-resolv.conf:/etc/resolv.conf # use custom resolvers rather than Docker's
-      #- ./continuwuity.toml:/etc/continuwuity.toml
-    networks:
-      - proxy
-    labels:
-      - "traefik.enable=true"
-      - "traefik.http.routers.continuwuity.rule=(Host(`example.com`))"
-      - "traefik.http.routers.continuwuity.entrypoints=websecure" # your HTTPS entry point
-      - "traefik.http.routers.continuwuity.tls=true"
-      - "traefik.http.routers.continuwuity.service=continuwuity"
-      - "traefik.http.services.continuwuity.loadbalancer.server.port=8008"
-      # possibly, depending on your config:
-      # - "traefik.http.routers.continuwuity.tls.certresolver=letsencrypt"
-    environment:
-      CONTINUWUITY_SERVER_NAME: example.com
-      CONTINUWUITY_DATABASE_PATH: /var/lib/continuwuity
-      CONTINUWUITY_ADDRESS: 0.0.0.0
-      CONTINUWUITY_PORT: 8008 # This must match with traefik's loadbalancer label
-      #CONTINUWUITY_CONFIG: '/etc/continuwuity.toml' # Uncomment if you mapped config toml above
-
-      # Serve .well-known files to tell others to reach Continuwuity on port :443
-      CONTINUWUITY_WELL_KNOWN: |
-        {
-        client=https://example.com,
-        server=example.com:443
-        }
-
-volumes:
-  db:
-
-networks:
-  # This is the network Traefik listens to, if your network has a different
-  # name, don't forget to change it here and in the docker-compose.override.yml
-  proxy:
-    external: true

docs/public/deploying/docker-compose.with-caddy-labels.yml

@@ -1,49 +0,0 @@
-services:
-    caddy:
-    # This compose file uses caddy-docker-proxy as the reverse proxy for Continuwuity!
-    # For more info, visit https://github.com/lucaslorentz/caddy-docker-proxy
-        image: lucaslorentz/caddy-docker-proxy:ci-alpine
-        ports:
-            - 80:80
-            - 443:443
-        environment:
-            - CADDY_INGRESS_NETWORKS=caddy
-        networks:
-            - caddy
-        volumes:
-            - /var/run/docker.sock:/var/run/docker.sock
-            - ./data:/data
-        restart: unless-stopped
-
-    homeserver:
-        image: forgejo.ellis.link/continuwuation/continuwuity:latest
-        restart: unless-stopped
-        command: /sbin/conduwuit
-        volumes:
-            - db:/var/lib/continuwuity
-            - ./continuwuity-resolv.conf:/etc/resolv.conf # use custom resolvers rather than Docker's
-            #- ./continuwuity.toml:/etc/continuwuity.toml
-        environment:
-            CONTINUWUITY_SERVER_NAME: example.com
-            CONTINUWUITY_DATABASE_PATH: /var/lib/continuwuity
-            CONTINUWUITY_ADDRESS: 0.0.0.0
-            CONTINUWUITY_PORT: 8008
-            #CONTINUWUITY_CONFIG: '/etc/continuwuity.toml' # Uncomment if you mapped config toml above
-
-            # Serve .well-known files to tell others to reach Continuwuity on port :443
-            CONTINUWUITY_WELL_KNOWN: |
-                {
-                client=https://example.com,
-                server=example.com:443
-                }
-
-        networks:
-            - caddy
-        labels:
-            caddy: example.com
-            caddy.reverse_proxy: "{{upstreams 8008}}"
-volumes:
-    db:
-
-networks:
-    caddy:

docs/public/deploying/docker-compose.with-caddy.yml

@@ -1,55 +0,0 @@
-services:
-    caddy:
-        image: docker.io/caddy:latest
-        ports:
-            - 80:80
-            - 443:443
-            - 8448:8448
-        networks:
-            - caddy
-        volumes:
-            - ./data:/data
-        restart: unless-stopped
-        configs:
-            - source: Caddyfile
-              target: /etc/caddy/Caddyfile
-
-    homeserver:
-        image: forgejo.ellis.link/continuwuation/continuwuity:latest
-        restart: unless-stopped
-        command: /sbin/conduwuit
-        volumes:
-            - db:/var/lib/continuwuity
-            - ./continuwuity-resolv.conf:/etc/resolv.conf # use custom resolvers rather than Docker's
-            #- ./continuwuity.toml:/etc/continuwuity.toml
-        environment:
-            CONTINUWUITY_SERVER_NAME: example.com
-            CONTINUWUITY_DATABASE_PATH: /var/lib/continuwuity
-            CONTINUWUITY_ADDRESS: 0.0.0.0
-            CONTINUWUITY_PORT: 8008
-            #CONTINUWUITY_CONFIG: '/etc/continuwuity.toml' # Uncomment if you mapped config toml above
-
-            ## (Optional) Serve .well-known files to tell others to reach Continuwuity on port :443
-            ## If you do this, remove all routes to port :8448 from the compose and Caddyfile
-            # CONTINUWUITY_WELL_KNOWN: |
-            #     {
-            #     client=https://example.com,
-            #     server=example.com:443
-            #     }
-
-
-        networks:
-            - caddy
-
-networks:
-    caddy:
-
-volumes:
-    db:
-
-configs:
-    dynamic.yml:
-        content: |
-            https://example.com, https://example.com:8448 {
-                reverse_proxy http://homeserver:8008
-            }

docs/public/deploying/docker-compose.with-traefik.yml

@@ -1,84 +0,0 @@
-# Continuwuity - Behind Traefik Reverse Proxy
-
-services:
-  homeserver:
-    image: forgejo.ellis.link/continuwuation/continuwuity:latest
-    restart: unless-stopped
-    command: /sbin/conduwuit
-    volumes:
-      - db:/var/lib/continuwuity
-      - ./continuwuity-resolv.conf:/etc/resolv.conf # use custom resolvers rather than Docker's
-      #- ./continuwuity.toml:/etc/continuwuity.toml
-    networks:
-      - proxy
-    labels:
-      - "traefik.enable=true"
-      - "traefik.http.routers.continuwuity.rule=(Host(`example.com`))"
-      - "traefik.http.routers.continuwuity.entrypoints=websecure"
-      - "traefik.http.routers.continuwuity.tls.certresolver=letsencrypt"
-      - "traefik.http.services.continuwuity.loadbalancer.server.port=8008"
-    environment:
-      CONTINUWUITY_SERVER_NAME: example.com
-      CONTINUWUITY_DATABASE_PATH: /var/lib/continuwuity
-      CONTINUWUITY_ADDRESS: 0.0.0.0
-      CONTINUWUITY_PORT: 8008 # This must match with traefik's loadbalancer label
-      #CONTINUWUITY_CONFIG: '/etc/continuwuity.toml' # Uncomment if you mapped config toml above
-
-      # Serve .well-known files to tell others to reach Continuwuity on port :443
-      CONTINUWUITY_WELL_KNOWN: |
-        {
-          client=https://example.com,
-          server=example.com:443
-        }
-
-  traefik:
-    image: "traefik:latest"
-    container_name: "traefik"
-    restart: "unless-stopped"
-    ports:
-      - "80:80"
-      - "443:443"
-    volumes:
-      - "/var/run/docker.sock:/var/run/docker.sock:z"
-      - "acme:/etc/traefik/acme"
-    labels:
-      - "traefik.enable=true"
-
-      # middleware redirect
-      - "traefik.http.middlewares.redirect-to-https.redirectscheme.scheme=https"
-      # global redirect to https
-      - "traefik.http.routers.redirs.rule=hostregexp(`{host:.+}`)"
-      - "traefik.http.routers.redirs.entrypoints=web"
-      - "traefik.http.routers.redirs.middlewares=redirect-to-https"
-
-    environment:
-      TRAEFIK_LOG_LEVEL: DEBUG
-      TRAEFIK_ENTRYPOINTS_WEB: true
-      TRAEFIK_ENTRYPOINTS_WEB_ADDRESS: ":80"
-      TRAEFIK_ENTRYPOINTS_WEB_HTTP_REDIRECTIONS_ENTRYPOINT_TO: websecure
-
-      TRAEFIK_ENTRYPOINTS_WEBSECURE: true
-      TRAEFIK_ENTRYPOINTS_WEBSECURE_ADDRESS: ":443"
-      TRAEFIK_ENTRYPOINTS_WEBSECURE_HTTP_TLS_CERTRESOLVER: letsencrypt
-
-      TRAEFIK_CERTIFICATESRESOLVERS_LETSENCRYPT: true
-      # CHANGE THIS to desired email for ACME
-      TRAEFIK_CERTIFICATESRESOLVERS_LETSENCRYPT_ACME_EMAIL: user@example.com
-      TRAEFIK_CERTIFICATESRESOLVERS_LETSENCRYPT_ACME_HTTPCHALLENGE: true
-      TRAEFIK_CERTIFICATESRESOLVERS_LETSENCRYPT_ACME_HTTPCHALLENGE_ENTRYPOINT: web
-      TRAEFIK_CERTIFICATESRESOLVERS_LETSENCRYPT_ACME_STORAGE: "/etc/traefik/acme/acme.json"
-
-      # Since Traefik 3.6.3, paths with certain "encoded characters" are now blocked by default; we need a couple, or else things *will* break
-      TRAEFIK_ENTRYPOINTS_WEBSECURE_HTTP_ENCODEDCHARACTERS_ALLOWENCODEDSLASH: true
-      TRAEFIK_ENTRYPOINTS_WEBSECURE_HTTP_ENCODEDCHARACTERS_ALLOWENCODEDHASH: true
-
-      TRAEFIK_PROVIDERS_DOCKER: true
-      TRAEFIK_PROVIDERS_DOCKER_ENDPOINT: "unix:///var/run/docker.sock"
-      TRAEFIK_PROVIDERS_DOCKER_EXPOSEDBYDEFAULT: false
-
-volumes:
-  db:
-  acme:
-
-networks:
-  proxy:

docs/public/deploying/docker-compose.yml

@@ -1,31 +0,0 @@
-# Continuwuity
-
-services:
-    homeserver:
-        image: forgejo.ellis.link/continuwuation/continuwuity:latest
-        restart: unless-stopped
-        command: /sbin/conduwuit
-        ports:
-            - 127.0.0.1:8008:8008
-        volumes:
-            - db:/var/lib/continuwuity
-            - ./continuwuity-resolv.conf:/etc/resolv.conf # use custom resolvers rather than Docker's
-            #- ./continuwuity.toml:/etc/continuwuity.toml
-        environment:
-            CONTINUWUITY_SERVER_NAME: example.com # EDIT THIS
-            CONTINUWUITY_DATABASE_PATH: /var/lib/continuwuity
-            CONTINUWUITY_ADDRESS: 0.0.0.0
-            CONTINUWUITY_PORT: 8008
-            #CONTINUWUITY_CONFIG: '/etc/continuwuity.toml' # Uncomment if you mapped config toml above
-
-            ## (Optional) Serve .well-known files to tell others to reach Continuwuity on port :443
-            ## If you do this, remove all routes to port :8448 on your reverse proxy
-            # CONTINUWUITY_WELL_KNOWN: |
-            #     {
-            #     client=https://example.com,
-            #     server=example.com:443
-            #     }
-
-
-volumes:
-    db:

docs/reference/_meta.json

@@ -4,6 +4,11 @@
         "name": "config",
         "label": "Configuration"
     },
+    {
+        "type": "file",
+        "name": "environment-variables",
+        "label": "Environment Variables"
+    },
     {
         "type": "file",
         "name": "admin",

docs/reference/environment-variables.mdx

@@ -0,0 +1,281 @@
+# Environment Variables
+
+Continuwuity can be configured entirely through environment variables, making it
+ideal for containerised deployments and infrastructure-as-code scenarios.
+
+This is a convenience reference and may not be exhaustive. The
+[Configuration Reference](./config.mdx) is the primary source for all
+configuration options.
+
+## Prefix System
+
+Continuwuity supports three environment variable prefixes for backwards
+compatibility:
+
+- `CONTINUWUITY_*` (current, recommended)
+- `CONDUWUIT_*` (compatibility)
+- `CONDUIT_*` (legacy)
+
+All three prefixes work identically. Use double underscores (`__`) to represent
+nested configuration sections from the TOML config.
+
+**Examples:**
+
+```bash
+# Simple top-level config
+CONTINUWUITY_SERVER_NAME="matrix.example.com"
+CONTINUWUITY_PORT="8008"
+
+# Nested config sections use double underscores
+# This maps to [database] section in TOML
+CONTINUWUITY_DATABASE__PATH="/var/lib/continuwuity"
+
+# This maps to [tls] section in TOML
+CONTINUWUITY_TLS__CERTS="/path/to/cert.pem"
+```
+
+## Configuration File Override
+
+You can specify a custom configuration file path:
+
+- `CONTINUWUITY_CONFIG` - Path to continuwuity.toml (current)
+- `CONDUWUIT_CONFIG` - Path to config file (compatibility)
+- `CONDUIT_CONFIG` - Path to config file (legacy)
+
+## Essential Variables
+
+These are the minimum variables needed for a working deployment:
+
+| Variable                     | Description                        | Default                |
+| ---------------------------- | ---------------------------------- | ---------------------- |
+| `CONTINUWUITY_SERVER_NAME`   | Your Matrix server's domain name   | Required               |
+| `CONTINUWUITY_DATABASE_PATH` | Path to RocksDB database directory | `/var/lib/conduwuit`   |
+| `CONTINUWUITY_ADDRESS`       | IP address to bind to              | `["127.0.0.1", "::1"]` |
+| `CONTINUWUITY_PORT`          | Port to listen on                  | `8008`                 |
+
+## Network Configuration
+
+| Variable                         | Description                                     | Default                |
+| -------------------------------- | ----------------------------------------------- | ---------------------- |
+| `CONTINUWUITY_ADDRESS`           | Bind address (use `0.0.0.0` for all interfaces) | `["127.0.0.1", "::1"]` |
+| `CONTINUWUITY_PORT`              | HTTP port                                       | `8008`                 |
+| `CONTINUWUITY_UNIX_SOCKET_PATH`  | UNIX socket path (alternative to TCP)           | -                      |
+| `CONTINUWUITY_UNIX_SOCKET_PERMS` | Socket permissions (octal)                      | `660`                  |
+
+## Database Configuration
+
+| Variable                                   | Description                 | Default              |
+| ------------------------------------------ | --------------------------- | -------------------- |
+| `CONTINUWUITY_DATABASE_PATH`               | RocksDB data directory      | `/var/lib/conduwuit` |
+| `CONTINUWUITY_DATABASE_BACKUP_PATH`        | Backup directory            | -                    |
+| `CONTINUWUITY_DATABASE_BACKUPS_TO_KEEP`    | Number of backups to retain | `1`                  |
+| `CONTINUWUITY_DB_CACHE_CAPACITY_MB`        | Database read cache (MB)    | -                    |
+| `CONTINUWUITY_DB_WRITE_BUFFER_CAPACITY_MB` | Write cache (MB)            | -                    |
+
+## Cache Configuration
+
+| Variable                                 | Description              |
+| ---------------------------------------- | ------------------------ |
+| `CONTINUWUITY_CACHE_CAPACITY_MODIFIER`   | LRU cache multiplier     |
+| `CONTINUWUITY_PDU_CACHE_CAPACITY`        | PDU cache entries        |
+| `CONTINUWUITY_AUTH_CHAIN_CACHE_CAPACITY` | Auth chain cache entries |
+
+## DNS Configuration
+
+Configure DNS resolution behaviour for federation and external requests.
+
+| Variable                             | Description                  | Default  |
+| ------------------------------------ | ---------------------------- | -------- |
+| `CONTINUWUITY_DNS_CACHE_ENTRIES`     | Max DNS cache entries        | `32768`  |
+| `CONTINUWUITY_DNS_MIN_TTL`           | Minimum cache TTL (seconds)  | `10800`  |
+| `CONTINUWUITY_DNS_MIN_TTL_NXDOMAIN`  | NXDOMAIN cache TTL (seconds) | `259200` |
+| `CONTINUWUITY_DNS_ATTEMPTS`          | Retry attempts               | -        |
+| `CONTINUWUITY_DNS_TIMEOUT`           | Query timeout (seconds)      | -        |
+| `CONTINUWUITY_DNS_TCP_FALLBACK`      | Allow TCP fallback           | -        |
+| `CONTINUWUITY_QUERY_ALL_NAMESERVERS` | Query all nameservers        | -        |
+| `CONTINUWUITY_QUERY_OVER_TCP_ONLY`   | TCP-only queries             | -        |
+
+## Request Configuration
+
+| Variable                             | Description                   |
+| ------------------------------------ | ----------------------------- |
+| `CONTINUWUITY_MAX_REQUEST_SIZE`      | Max HTTP request size (bytes) |
+| `CONTINUWUITY_REQUEST_CONN_TIMEOUT`  | Connection timeout (seconds)  |
+| `CONTINUWUITY_REQUEST_TIMEOUT`       | Overall request timeout       |
+| `CONTINUWUITY_REQUEST_TOTAL_TIMEOUT` | Total timeout                 |
+| `CONTINUWUITY_REQUEST_IDLE_TIMEOUT`  | Idle timeout                  |
+| `CONTINUWUITY_REQUEST_IDLE_PER_HOST` | Idle connections per host     |
+
+## Federation Configuration
+
+Control how your server federates with other Matrix servers.
+
+| Variable                                       | Description                   | Default |
+| ---------------------------------------------- | ----------------------------- | ------- |
+| `CONTINUWUITY_ALLOW_FEDERATION`                | Enable federation             | `true`  |
+| `CONTINUWUITY_FEDERATION_LOOPBACK`             | Allow loopback federation     | -       |
+| `CONTINUWUITY_FEDERATION_CONN_TIMEOUT`         | Connection timeout            | -       |
+| `CONTINUWUITY_FEDERATION_TIMEOUT`              | Request timeout               | -       |
+| `CONTINUWUITY_FEDERATION_IDLE_TIMEOUT`         | Idle timeout                  | -       |
+| `CONTINUWUITY_FEDERATION_IDLE_PER_HOST`        | Idle connections per host     | -       |
+| `CONTINUWUITY_TRUSTED_SERVERS`                 | JSON array of trusted servers | -       |
+| `CONTINUWUITY_QUERY_TRUSTED_KEY_SERVERS_FIRST` | Query trusted first           | -       |
+| `CONTINUWUITY_ONLY_QUERY_TRUSTED_KEY_SERVERS`  | Only query trusted            | -       |
+
+**Example:**
+
+```bash
+# Trust matrix.org for key verification
+CONTINUWUITY_TRUSTED_SERVERS='["matrix.org"]'
+```
+
+## Registration & User Configuration
+
+Control user registration and account creation behaviour.
+
+| Variable                                   | Description           | Default |
+| ------------------------------------------ | --------------------- | ------- |
+| `CONTINUWUITY_ALLOW_REGISTRATION`          | Enable registration   | `true`  |
+| `CONTINUWUITY_REGISTRATION_TOKEN`          | Token requirement     | -       |
+| `CONTINUWUITY_SUSPEND_ON_REGISTER`         | Suspend new accounts  | -       |
+| `CONTINUWUITY_NEW_USER_DISPLAYNAME_SUFFIX` | Display name suffix   | 🏳️‍⚧️      |
+| `CONTINUWUITY_RECAPTCHA_SITE_KEY`          | reCAPTCHA site key    | -       |
+| `CONTINUWUITY_RECAPTCHA_PRIVATE_SITE_KEY`  | reCAPTCHA private key | -       |
+
+**Example:**
+
+```bash
+# Disable open registration
+CONTINUWUITY_ALLOW_REGISTRATION="false"
+
+# Require a registration token
+CONTINUWUITY_REGISTRATION_TOKEN="your_secret_token_here"
+```
+
+## Feature Configuration
+
+| Variable                                                   | Description                | Default |
+| ---------------------------------------------------------- | -------------------------- | ------- |
+| `CONTINUWUITY_ALLOW_ENCRYPTION`                            | Enable E2EE                | `true`  |
+| `CONTINUWUITY_ALLOW_ROOM_CREATION`                         | Enable room creation       | -       |
+| `CONTINUWUITY_ALLOW_UNSTABLE_ROOM_VERSIONS`                | Allow unstable versions    | -       |
+| `CONTINUWUITY_DEFAULT_ROOM_VERSION`                        | Default room version       | `v11`   |
+| `CONTINUWUITY_REQUIRE_AUTH_FOR_PROFILE_REQUESTS`           | Auth for profiles          | -       |
+| `CONTINUWUITY_ALLOW_PUBLIC_ROOM_DIRECTORY_OVER_FEDERATION` | Federate directory         | -       |
+| `CONTINUWUITY_ALLOW_PUBLIC_ROOM_DIRECTORY_WITHOUT_AUTH`    | Unauth directory           | -       |
+| `CONTINUWUITY_ALLOW_DEVICE_NAME_FEDERATION`                | Device names in federation | -       |
+
+## TLS Configuration
+
+Built-in TLS support is primarily for testing. **For production deployments,
+especially when federating on the internet, use a reverse proxy** (Traefik,
+Caddy, nginx) to handle TLS termination.
+
+| Variable                          | Description               |
+| --------------------------------- | ------------------------- |
+| `CONTINUWUITY_TLS__CERTS`         | TLS certificate file path |
+| `CONTINUWUITY_TLS__KEY`           | TLS private key path      |
+| `CONTINUWUITY_TLS__DUAL_PROTOCOL` | Support TLS 1.2 + 1.3     |
+
+**Example (testing only):**
+
+```bash
+CONTINUWUITY_TLS__CERTS="/etc/letsencrypt/live/matrix.example.com/fullchain.pem"
+CONTINUWUITY_TLS__KEY="/etc/letsencrypt/live/matrix.example.com/privkey.pem"
+```
+
+## Logging Configuration
+
+Control log output format and verbosity.
+
+| Variable                       | Description        | Default |
+| ------------------------------ | ------------------ | ------- |
+| `CONTINUWUITY_LOG`             | Log filter level   | -       |
+| `CONTINUWUITY_LOG_COLORS`      | ANSI colours       | `true`  |
+| `CONTINUWUITY_LOG_SPAN_EVENTS` | Log span events    | `none`  |
+| `CONTINUWUITY_LOG_THREAD_IDS`  | Include thread IDs | -       |
+
+**Examples:**
+
+```bash
+# Set log level to info
+CONTINUWUITY_LOG="info"
+
+# Enable debug logging for specific modules
+CONTINUWUITY_LOG="warn,continuwuity::api=debug"
+
+# Disable colours for log aggregation
+CONTINUWUITY_LOG_COLORS="false"
+```
+
+## Observability Configuration
+
+| Variable                                 | Description           |
+| ---------------------------------------- | --------------------- |
+| `CONTINUWUITY_ALLOW_OTLP`                | Enable OpenTelemetry  |
+| `CONTINUWUITY_OTLP_FILTER`               | OTLP filter level     |
+| `CONTINUWUITY_OTLP_PROTOCOL`             | Protocol (http/grpc)  |
+| `CONTINUWUITY_TRACING_FLAME`             | Enable flame graphs   |
+| `CONTINUWUITY_TRACING_FLAME_FILTER`      | Flame graph filter    |
+| `CONTINUWUITY_TRACING_FLAME_OUTPUT_PATH` | Output directory      |
+| `CONTINUWUITY_SENTRY`                    | Enable Sentry         |
+| `CONTINUWUITY_SENTRY_ENDPOINT`           | Sentry DSN            |
+| `CONTINUWUITY_SENTRY_SEND_SERVER_NAME`   | Include server name   |
+| `CONTINUWUITY_SENTRY_TRACES_SAMPLE_RATE` | Sample rate (0.0-1.0) |
+
+## Admin Configuration
+
+Configure admin users and automated command execution.
+
+| Variable                                   | Description                      | Default           |
+| ------------------------------------------ | -------------------------------- | ----------------- |
+| `CONTINUWUITY_ADMINS_LIST`                 | JSON array of admin user IDs     | -                 |
+| `CONTINUWUITY_ADMINS_FROM_ROOM`            | Derive admins from room          | -                 |
+| `CONTINUWUITY_ADMIN_ESCAPE_COMMANDS`       | Allow `\` prefix in public rooms | -                 |
+| `CONTINUWUITY_ADMIN_CONSOLE_AUTOMATIC`     | Auto-activate console            | -                 |
+| `CONTINUWUITY_ADMIN_EXECUTE`               | JSON array of startup commands   | -                 |
+| `CONTINUWUITY_ADMIN_EXECUTE_ERRORS_IGNORE` | Ignore command errors            | -                 |
+| `CONTINUWUITY_ADMIN_SIGNAL_EXECUTE`        | Commands on SIGUSR2              | -                 |
+| `CONTINUWUITY_ADMIN_ROOM_TAG`              | Admin room tag                   | `m.server_notice` |
+
+**Examples:**
+
+```bash
+# Create admin user on startup
+CONTINUWUITY_ADMIN_EXECUTE='["users create-user admin", "users make-user-admin admin"]'
+
+# Specify admin users directly
+CONTINUWUITY_ADMINS_LIST='["@alice:example.com", "@bob:example.com"]'
+```
+
+## Media & URL Preview Configuration
+
+| Variable                                             | Description        |
+| ---------------------------------------------------- | ------------------ |
+| `CONTINUWUITY_URL_PREVIEW_BOUND_INTERFACE`           | Bind interface     |
+| `CONTINUWUITY_URL_PREVIEW_DOMAIN_CONTAINS_ALLOWLIST` | Domain allowlist   |
+| `CONTINUWUITY_URL_PREVIEW_DOMAIN_EXPLICIT_ALLOWLIST` | Explicit allowlist |
+| `CONTINUWUITY_URL_PREVIEW_DOMAIN_EXPLICIT_DENYLIST`  | Explicit denylist  |
+| `CONTINUWUITY_URL_PREVIEW_MAX_SPIDER_SIZE`           | Max fetch size     |
+| `CONTINUWUITY_URL_PREVIEW_TIMEOUT`                   | Fetch timeout      |
+| `CONTINUWUITY_IP_RANGE_DENYLIST`                     | IP range denylist  |
+
+## Tokio Runtime Configuration
+
+These can be set as environment variables or CLI arguments:
+
+| Variable                                  | Description                |
+| ----------------------------------------- | -------------------------- |
+| `TOKIO_WORKER_THREADS`                    | Worker thread count        |
+| `TOKIO_GLOBAL_QUEUE_INTERVAL`             | Global queue interval      |
+| `TOKIO_EVENT_INTERVAL`                    | Event interval             |
+| `TOKIO_MAX_IO_EVENTS_PER_TICK`            | Max I/O events per tick    |
+| `CONTINUWUITY_RUNTIME_HISTOGRAM_INTERVAL` | Histogram bucket size (μs) |
+| `CONTINUWUITY_RUNTIME_HISTOGRAM_BUCKETS`  | Bucket count               |
+| `CONTINUWUITY_RUNTIME_WORKER_AFFINITY`    | Enable worker affinity     |
+
+## See Also
+
+- [Configuration Reference](./config.mdx) - Complete TOML configuration
+  documentation
+- [Admin Commands](./admin/) - Admin command reference

docs/troubleshooting.mdx

@@ -45,30 +45,75 @@ ### Lost access to admin room
 
 ## DNS issues
 
-### DNS server overload
+### Potential DNS issues when using Docker
 
-If your server experience any of the following symptoms:
+Docker's DNS setup for containers in a non-default network intercepts queries to
+enable resolving of container hostnames to IP addresses. However, due to
+performance issues with Docker's built-in resolver, this can cause DNS queries
+to take a long time to resolve, resulting in federation issues.
 
-- Spurious server log entries with "DNS No connections available", "mismatching responding nameservers", or "error sending request"
-- Excessively long room joins (30+ minutes) as seen from server logs
-- Partial or non-functional outbound federation
+This is particularly common with Docker Compose, as custom networks are easily
+created and configured.
 
-This is likely due to your DNS server being overloaded. Most likely, these problems are encountered in the following scenarios:
+Symptoms of this include excessively long room joins (30+ minutes) from very
+long DNS timeouts, log entries of "mismatching responding nameservers",
+and/or partial or non-functional inbound/outbound federation.
 
-- Homeservers hosted on a machine that uses `systemd-resolved`.
-- Docker deployments which use the bridge network's forwarding resolver.
+This is not a bug in continuwuity. Docker's default DNS resolver is not suitable
+for heavy DNS activity, which is normal for federated protocols like Matrix.
 
-Matrix federation is extremely heavy and sends wild amounts of DNS requests. This makes normal resolvers like the ones above unsuitable for its activity. Ultimately, the best solution/fix for this is to selfhost a high quality caching DNS resolver such as Unbound, and configure Continuwuity to use it.
+Workarounds:
 
-Follow the [**DNS tuning guide**](./advanced/dns) for details on setting it up.
+- Use DNS over TCP via the config option `query_over_tcp_only = true`
+- Bypass Docker's default DNS setup and instead allow the container to use and communicate with your host's DNS servers. Typically, this can be done by mounting the host's `/etc/resolv.conf`.
 
-### Intermittent federation failures to a specific server
+### DNS No connections available error message
 
-There may be circumstances where servers fail to connect to each other, probably due to a bad DNS cache. In such cases, issuing `!admin debug ping <SERVER_NAME>` would return some errors.
+If you receive spurious amounts of error logs saying "DNS No connections
+available", this is due to your DNS server (servers from `/etc/resolv.conf`)
+being overloaded and unable to handle typical Matrix federation volume. Some
+users have reported that the upstream servers are rate-limiting them as well
+when they get this error (e.g. popular upstreams like Google DNS).
 
-To fix this, you can run `!admin query resolver flush-cache <SERVER_NAME>` to clear the bad cache for that domain, and outbound requests should work again.
+Matrix federation is extremely heavy and sends wild amounts of DNS requests.
+Unfortunately this is by design and has only gotten worse with more
+server/destination resolution steps. Synapse also expects a very perfect DNS
+setup.
 
-You may also use `!admin server clear-caches` or `!admin query resolver flush-cache -a` to clear all server/resolver caches, in case of failures with many domains. However, note that this significantly increases your server load for a short period.
+There are some ways you can reduce the amount of DNS queries, but ultimately
+the best solution/fix is selfhosting a high quality caching DNS server like
+[Unbound][unbound-arch] without any upstream resolvers, and without DNSSEC
+validation enabled.
+
+DNSSEC validation is highly recommended to be **disabled** due to DNSSEC being
+very computationally expensive, and is extremely susceptible to denial of
+service, especially on Matrix. Many servers also strangely have broken DNSSEC
+setups and will result in non-functional federation.
+
+Continuwuity cannot provide a "works-for-everyone" Unbound DNS setup guide, but
+the [official Unbound tuning guide][unbound-tuning] and the [Unbound Arch Linux wiki page][unbound-arch]
+may be of interest. Disabling DNSSEC on Unbound is commenting out trust-anchors
+config options and removing the `validator` module.
+
+**Avoid** using `systemd-resolved` as it does **not** perform very well under
+high load, and we have identified its DNS caching to not be very effective.
+
+dnsmasq can possibly work, but it does **not** support TCP fallback which can be
+problematic when receiving large DNS responses such as from large SRV records.
+If you still want to use dnsmasq, make sure you **disable** `dns_tcp_fallback`
+in Continuwuity config.
+
+Raising `dns_cache_entries` in Continuwuity config from the default can also assist
+in DNS caching, but a full-fledged external caching resolver is better and more
+reliable.
+
+If you don't have IPv6 connectivity, changing `ip_lookup_strategy` to match
+your setup can help reduce unnecessary AAAA queries
+(`1 - Ipv4Only (Only query for A records, no AAAA/IPv6)`).
+
+If your DNS server supports it, some users have reported enabling
+`query_over_tcp_only` to force only TCP querying by default has improved DNS
+reliability at a slight performance cost due to TCP overhead.
 
 ## RocksDB / database issues
 

rspress.config.ts

@@ -11,20 +11,6 @@ export default defineConfig({
         light: '/assets/logo.svg',
         dark: '/assets/logo.svg',
     },
-    markdown: {
-        link: {
-            checkDeadLinks: {
-                excludes: [
-                    '/deploying/docker-compose.with-caddy.yml',
-                    '/deploying/docker-compose.with-caddy-labels.yml',
-                    '/deploying/docker-compose.for-traefik.yml',
-                    '/deploying/docker-compose.with-traefik.yml',
-                    `/deploying/docker-compose.override.yml`,
-                    `/deploying/docker-compose.yml`
-                ]
-            },
-        },
-    },
     themeConfig: {
         socialLinks: [
             {

src/api/client/membership/join.rs

@@ -113,7 +113,6 @@ pub(crate) async fn join_room_by_id_route(
 	servers.sort_unstable();
 	servers.dedup();
 	shuffle(&mut servers);
-	let servers = deprioritize(servers, &services.config.deprioritize_joins_through_servers);
 
 	join_room_by_id_helper(
 		&services,
@@ -242,7 +241,6 @@ pub(crate) async fn join_room_by_id_or_alias_route(
 		},
 	};
 
-	let servers = deprioritize(servers, &services.config.deprioritize_joins_through_servers);
 	let join_room_response = join_room_by_id_helper(
 		&services,
 		sender_user,
@@ -892,59 +890,3 @@ async fn make_join_request(
 	info!("All {} servers were unable to assist in joining {room_id} :(", servers.len());
 	Err!(BadServerResponse("No server available to assist in joining."))
 }
-
-/// Moves deprioritized servers (if any) to the back of the list.
-///
-/// No-op if we aren't given any servers to deprioritize.
-fn deprioritize(
-	servers: Vec<OwnedServerName>,
-	deprioritized: &[OwnedServerName],
-) -> Vec<OwnedServerName> {
-	if deprioritized.is_empty() {
-		return servers;
-	}
-
-	let (mut depr, mut servers): (Vec<_>, Vec<_>) =
-		servers.into_iter().partition(|s| deprioritized.contains(s));
-	servers.append(&mut depr);
-	servers
-}
-
-#[cfg(test)]
-mod tests {
-	use ruma::OwnedServerName;
-
-	use super::*;
-
-	#[test]
-	fn deprioritizing_servers_works() -> Result<(), Box<dyn std::error::Error>> {
-		let servers = vec![
-			"example.com".try_into()?,
-			"slow.invalid".try_into()?,
-			"example.org".try_into()?,
-		];
-		let depr = vec!["slow.invalid".try_into()?];
-		let expected: Vec<OwnedServerName> = vec![
-			"example.com".try_into()?,
-			"example.org".try_into()?,
-			"slow.invalid".try_into()?,
-		];
-
-		let servers = deprioritize(servers, &depr);
-		assert_eq!(servers, expected);
-		Ok(())
-	}
-
-	#[test]
-	fn empty_deprioritized_is_noop() -> Result<(), Box<dyn std::error::Error>> {
-		let servers = vec![
-			"example.com".try_into()?,
-			"slow.invalid".try_into()?,
-			"example.org".try_into()?,
-		];
-
-		let depr_servers = deprioritize(servers.clone(), &[]);
-		assert_eq!(depr_servers, servers);
-		Ok(())
-	}
-}

src/core/config/mod.rs

@@ -1630,22 +1630,6 @@ pub struct Config {
 	#[serde(default, with = "serde_regex")]
 	pub ignore_messages_from_server_names: RegexSet,
 
-	/// List of server names that continuwuity will deprioritize (try last) when
-	/// a client requests to join a room.
-	///
-	/// This can be used to potentially speed up room join requests, by
-	/// deprioritizing sending join requests through servers that are known to
-	/// be large or slow.
-	///
-	/// continuwuity will still send join requests to servers in this list if
-	/// the room couldn't be joined via other servers it federates with.
-	///
-	/// example: ["example.com"]
-	///
-	/// default: []
-	#[serde(default = "Vec::new")]
-	pub deprioritize_joins_through_servers: Vec<OwnedServerName>,
-
 	/// Send messages from users that the user has ignored to the client.
 	///
 	/// There is no way for clients to receive messages sent while a user was