chore(deps): pin actions/cache action to 27d5ce7

Update to use actions/cache@v5 in our CI

.forgejo/actions/rust-toolchain/action.yml

@@ -33,7 +33,7 @@ runs:
         echo "version=$(rustup --version)" >> $GITHUB_OUTPUT
     - name: Cache rustup toolchains
       if: steps.rustup-version.outputs.version == ''
-      uses: actions/cache@6f8efc29b200d32929f49075959781ed54ec270c # v3
+      uses: actions/cache@27d5ce7f107fe9357f9df03efb73ab90386fccae # v5
       with:
         path: |
           ~/.rustup

.forgejo/actions/setup-llvm-with-apt/action.yml

@@ -57,7 +57,7 @@ runs:
 
     - name: Check for LLVM cache
       id: cache
-      uses: actions/cache@0057852bfaa89a56745cba8c7296529d2fc39830 # v4
+      uses: actions/cache@27d5ce7f107fe9357f9df03efb73ab90386fccae # v5
       with:
         path: |
           /usr/bin/clang-*

.forgejo/actions/setup-rust/action.yml

@@ -65,7 +65,7 @@ runs:
 
     - name: Cache toolchain binaries
       id: toolchain-cache
-      uses: actions/cache@0057852bfaa89a56745cba8c7296529d2fc39830 # v4
+      uses: actions/cache@27d5ce7f107fe9357f9df03efb73ab90386fccae # v5
       with:
         path: |
           .cargo/bin
@@ -76,7 +76,7 @@ runs:
 
     - name: Cache Cargo registry and git
       id: registry-cache
-      uses: actions/cache@0057852bfaa89a56745cba8c7296529d2fc39830 # v4
+      uses: actions/cache@27d5ce7f107fe9357f9df03efb73ab90386fccae # v5
       with:
         path: |
           .cargo/registry/index

.forgejo/actions/timelord/action.yml

@@ -31,7 +31,7 @@ runs:
 
     - name: Restore binary cache
       id: binary-cache
-      uses: actions/cache/restore@0057852bfaa89a56745cba8c7296529d2fc39830 # v4
+      uses: actions/cache/restore@27d5ce7f107fe9357f9df03efb73ab90386fccae # v5
       with:
         path: |
           /usr/share/rust/.cargo/bin
@@ -77,7 +77,7 @@ runs:
 
     - name: Save binary cache
       if: steps.check-binaries.outputs.need-install == 'true'
-      uses: actions/cache/save@0057852bfaa89a56745cba8c7296529d2fc39830 # v4
+      uses: actions/cache/save@27d5ce7f107fe9357f9df03efb73ab90386fccae # v5
       with:
         path: |
           /usr/share/rust/.cargo/bin
@@ -87,7 +87,7 @@ runs:
 
     - name: Restore timelord cache with fallbacks
       id: timelord-restore
-      uses: actions/cache/restore@0057852bfaa89a56745cba8c7296529d2fc39830 # v4
+      uses: actions/cache/restore@27d5ce7f107fe9357f9df03efb73ab90386fccae # v5
       with:
         path: ${{ env.TIMELORD_CACHE_PATH }}
         key: ${{ env.TIMELORD_KEY }}
@@ -114,7 +114,7 @@ runs:
         timelord sync --source-dir ${{ env.TIMELORD_PATH }} --cache-dir ${{ env.TIMELORD_CACHE_PATH }}
 
     - name: Save updated timelord cache immediately
-      uses: actions/cache/save@0057852bfaa89a56745cba8c7296529d2fc39830 # v4
+      uses: actions/cache/save@27d5ce7f107fe9357f9df03efb73ab90386fccae # v5
       with:
         path: ${{ env.TIMELORD_CACHE_PATH }}
         key: ${{ env.TIMELORD_KEY }}

.forgejo/workflows/build-debian.yml

@@ -60,7 +60,7 @@ jobs:
           ref: ${{ github.ref_name }}
 
       - name: Cache Cargo registry
-        uses: actions/cache@0057852bfaa89a56745cba8c7296529d2fc39830 # v4
+        uses: actions/cache@27d5ce7f107fe9357f9df03efb73ab90386fccae # v5
         with:
           path: |
             ~/.cargo/registry

.forgejo/workflows/build-fedora.yml

@@ -37,7 +37,7 @@ jobs:
 
 
       - name: Cache DNF packages
-        uses: actions/cache@0057852bfaa89a56745cba8c7296529d2fc39830 # v4
+        uses: actions/cache@27d5ce7f107fe9357f9df03efb73ab90386fccae # v5
         with:
           path: |
             /var/cache/dnf
@@ -47,7 +47,7 @@ jobs:
             dnf-fedora${{ steps.fedora.outputs.version }}-
 
       - name: Cache Cargo registry
-        uses: actions/cache@0057852bfaa89a56745cba8c7296529d2fc39830 # v4
+        uses: actions/cache@27d5ce7f107fe9357f9df03efb73ab90386fccae # v5
         with:
           path: |
             ~/.cargo/registry
@@ -57,7 +57,7 @@ jobs:
             cargo-fedora${{ steps.fedora.outputs.version }}-
 
       - name: Cache Rust build dependencies
-        uses: actions/cache@0057852bfaa89a56745cba8c7296529d2fc39830 # v4
+        uses: actions/cache@27d5ce7f107fe9357f9df03efb73ab90386fccae # v5
         with:
           path: |
             ~/rpmbuild/BUILD/*/target/release/deps

.forgejo/workflows/check-changelog.yml

@@ -4,11 +4,6 @@ on:
   pull_request_target:
     types: [opened, synchronize, reopened, ready_for_review, labeled, unlabeled]
 
-
-concurrency:
-  group: "${{ github.workflow }}-${{ github.ref }}"
-  cancel-in-progress: true
-
 permissions:
   contents: read
   pull-requests: write

.forgejo/workflows/documentation.yml

@@ -37,7 +37,7 @@ jobs:
           node-version: 22
 
       - name: Cache npm dependencies
-        uses: actions/cache@6f8efc29b200d32929f49075959781ed54ec270c # v3
+        uses: actions/cache@27d5ce7f107fe9357f9df03efb73ab90386fccae # v5
         with:
           path: ~/.npm
           key: continuwuity-rspress-${{ steps.runner-env.outputs.slug }}-${{ steps.runner-env.outputs.arch }}-node-${{ steps.runner-env.outputs.node_version }}-${{ hashFiles('package-lock.json') }}

.forgejo/workflows/mirror-images.yml

@@ -55,7 +55,7 @@ jobs:
       #     repositories: continuwuity
 
       - name: Install regsync
-        uses: https://github.com/regclient/actions/regsync-installer@f07124ffba4b0cbf96b2a666d481ed9d44b5e7e4 # main
+        uses: https://github.com/regclient/actions/regsync-installer@f3c6d87835906c175eb6ccfc18b348b69bb447e7 # main
 
       - name: Check what images need mirroring
         run: |

.forgejo/workflows/release-image.yml

@@ -9,6 +9,9 @@ on:
     paths-ignore:
       - "*.md"
       - "**/*.md"
+      - "*.mdx"
+      - "**/*.mdx"
+      - "changelog.d/**"
       - ".gitlab-ci.yml"
       - ".gitignore"
       - "renovate.json"
@@ -197,8 +200,9 @@ jobs:
           registry_password: ${{ secrets.BUILTIN_REGISTRY_PASSWORD || secrets.GITHUB_TOKEN }}
 
   mirror_images:
+    name: "Mirror Images"
+    runs-on: ubuntu-latest
     needs:
       - merge-maxperf
       - merge-release
-    runs-on: ubuntu-latest
     uses: ./.forgejo/workflows/mirror-images.yml

.forgejo/workflows/renovate.yml

@@ -55,7 +55,7 @@ jobs:
         run: /usr/local/renovate/node -e 'console.log(`node heap limit = ${require("v8").getHeapStatistics().heap_size_limit / (1024 * 1024)} Mb`)'
 
       - name: Restore renovate repo cache
-        uses: actions/cache/restore@0057852bfaa89a56745cba8c7296529d2fc39830 # v4
+        uses: actions/cache/restore@27d5ce7f107fe9357f9df03efb73ab90386fccae # v5
         with:
           path: |
             /tmp/renovate/cache/renovate/repository
@@ -64,7 +64,7 @@ jobs:
             renovate-repo-cache-
 
       - name: Restore renovate package cache
-        uses: actions/cache/restore@0057852bfaa89a56745cba8c7296529d2fc39830 # v4
+        uses: actions/cache/restore@27d5ce7f107fe9357f9df03efb73ab90386fccae # v5
         with:
           path: |
             /tmp/renovate/cache/renovate/renovate-cache-sqlite
@@ -73,7 +73,7 @@ jobs:
             renovate-package-cache-
 
       - name: Restore renovate OSV cache
-        uses: actions/cache/restore@0057852bfaa89a56745cba8c7296529d2fc39830 # v4
+        uses: actions/cache/restore@27d5ce7f107fe9357f9df03efb73ab90386fccae # v5
         with:
           path: |
             /tmp/osv
@@ -109,7 +109,7 @@ jobs:
       - name: Save renovate repo cache
         if: always()
         uses:
-          actions/cache/save@v4
+          actions/cache/save@v5
         with:
           path: |
             /tmp/renovate/cache/renovate/repository
@@ -117,7 +117,7 @@ jobs:
 
       - name: Save renovate package cache
         if: always()
-        uses: actions/cache/save@0057852bfaa89a56745cba8c7296529d2fc39830 # v4
+        uses: actions/cache/save@27d5ce7f107fe9357f9df03efb73ab90386fccae # v5
         with:
           path: |
             /tmp/renovate/cache/renovate/renovate-cache-sqlite
@@ -125,7 +125,7 @@ jobs:
 
       - name: Save renovate OSV cache
         if: always()
-        uses: actions/cache/save@0057852bfaa89a56745cba8c7296529d2fc39830 # v4
+        uses: actions/cache/save@27d5ce7f107fe9357f9df03efb73ab90386fccae # v5
         with:
           path: |
             /tmp/osv

.pre-commit-config.yaml

@@ -24,7 +24,7 @@ repos:
         - id: check-added-large-files
 
   - repo: https://github.com/crate-ci/typos
-    rev: v1.45.0
+    rev: v1.45.1
     hooks:
       - id: typos
       - id: typos

Cargo.lock

@@ -1203,7 +1203,7 @@ dependencies = [
  "serde",
  "serde-saphyr",
  "serde_json",
- "sha2",
+ "sha2 0.11.0",
  "termimad",
  "tokio",
  "tracing",
@@ -1813,7 +1813,7 @@ dependencies = [
  "ed25519",
  "rand_core 0.6.4",
  "serde",
- "sha2",
+ "sha2 0.10.9",
  "subtle",
  "zeroize",
 ]
@@ -4773,7 +4773,7 @@ dependencies = [
  "rand_core 0.6.4",
  "ruma-common",
  "serde_json",
- "sha2",
+ "sha2 0.10.9",
  "subslice",
  "thiserror 2.0.18",
 ]
@@ -5314,6 +5314,17 @@ dependencies = [
  "digest 0.10.7",
 ]
 
+[[package]]
+name = "sha2"
+version = "0.11.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "446ba717509524cb3f22f17ecc096f10f4822d76ab5c0b9822c5f9c284e825f4"
+dependencies = [
+ "cfg-if",
+ "cpufeatures 0.3.0",
+ "digest 0.11.2",
+]
+
 [[package]]
 name = "sha256"
 version = "1.6.0"
@@ -5323,7 +5334,7 @@ dependencies = [
  "async-trait",
  "bytes",
  "hex",
- "sha2",
+ "sha2 0.10.9",
  "tokio",
 ]
 

Cargo.toml

@@ -400,7 +400,7 @@ features = [
 ]
 
 [workspace.dependencies.sha2]
-version = "0.10.8"
+version = "0.11.0"
 default-features = false
 
 [workspace.dependencies.sha1]

docker/Dockerfile

@@ -48,7 +48,7 @@ EOF
 
 # Developer tool versions
 # renovate: datasource=github-releases depName=cargo-bins/cargo-binstall
-ENV BINSTALL_VERSION=1.18.0
+ENV BINSTALL_VERSION=1.18.1
 # renovate: datasource=github-releases depName=psastras/sbom-rs
 ENV CARGO_SBOM_VERSION=0.9.1
 # renovate: datasource=crate depName=lddtree

docker/musl.Dockerfile

@@ -18,7 +18,7 @@ RUN --mount=type=cache,target=/etc/apk/cache apk add \
 
 # Developer tool versions
 # renovate: datasource=github-releases depName=cargo-bins/cargo-binstall
-ENV BINSTALL_VERSION=1.18.0
+ENV BINSTALL_VERSION=1.18.1
 # renovate: datasource=github-releases depName=psastras/sbom-rs
 ENV CARGO_SBOM_VERSION=0.9.1
 # renovate: datasource=crate depName=lddtree

docs/_meta.json

@@ -69,11 +69,6 @@
         "label": "Configuration Reference",
         "name": "/reference/config"
     },
-    {
-        "type": "file",
-        "label": "Environment Variables",
-        "name": "/reference/environment-variables"
-    },
     {
         "type": "dir",
         "label": "Admin Command Reference",

docs/advanced/delegation.mdx

@@ -18,12 +18,14 @@ ## Configuration
 ```toml
 [global.well_known]
 
+# defaults to port :443 if not specified
 client = "https://matrix.example.com"
 
 # port number MUST be specified
 server = "matrix.example.com:443"
 
 # (optional) customize your support contacts
+# Defaults to members of the admin room if unset
 #support_page =
 #support_role = "m.role.admin"
 #support_email =
@@ -42,9 +44,13 @@ # (optional) customize your support contacts
         client=https://matrix.example.com,
         server=matrix.example.com:443
         }
+
+      # You can also configure individual `.well-knowns` like this
+      # CONTINUWUITY_WELL_KNOWN__CLIENT: https://matrix.example.com
+      # CONTINUWUITY_WELL_KNOWN__SERVER: matrix.example.com:443
 ```
 
-## Serving with a reverse proxy
+## Reverse proxying well-known files to Continuwuity
 
 After doing the steps above, Continuwuity will serve these 3 JSON files:
 
@@ -94,9 +100,7 @@ ## Serving with a reverse proxy
 <summary>`https://example.com/.well-known/matrix/server`</summary>
 
 ```json
-{
-  "m.server": "matrix.example.com:443"
-}
+{ "m.server": "matrix.example.com:443" }
 ```
 
 </details>
@@ -115,12 +119,57 @@ ## Serving with a reverse proxy
 
 </details>
 
+### Serving well-known files manually
+
+Instead of configuring `[global.well_known]` options and reverse proxying well-known URIs, you can serve these files directly as static JSON that match the ones above. This is useful if your base domain points to a different physical server, and reverse proxying isn't feasible.
+
+<details>
+
+<summary>Example Caddyfile **for the base domain**</summary>
+
+```
+https://example.com {
+
+    respond /.well-known/matrix/server 200 {
+        body `{"m.server":"matrix.example.com:443"}`
+    }
+
+    handle /.well-known/matrix/client {
+    header Access-Control-Allow-Origin *
+    respond <<JSON
+    {
+        "m.homeserver": {
+            "base_url": "https://matrix.example.com/"
+        }
+    }
+    JSON
+    }
+}
+```
+
+</details>
+
+Remember to set the `Access-Control-Allow-Origin: *` header in your `/.well-known/matrix/client` path for web clients to work.
+
 ## Troubleshooting
 
+Check with the [Matrix Connectivity Tester][federation-tester] to see that it's working.
+
+[federation-tester]: https://federationtester.mtrnord.blog/
+
 ### Cannot log in with web clients
 
 Make sure there is an `Access-Control-Allow-Origin: *` header in your `/.well-known/matrix/client` path. While Continuwuity serves this header by default, it may be dropped by reverse proxies or other middlewares.
 
+### Issues with alternative setups
+
+As Matrix clients prioritize well-known URIs for their destination, this can lead to issues with alternative methods of accessing the server that doesn't use a publicly routeable IP and domain name. You will probably find yourself connecting to non-existent/undesired URLs in certain cases like:
+
+- Accessing to the server via localhost IPs (e.g. for testing purposes)
+- Accessing the server from behind a VPN, or from alternative networks (such as from an onionsite)
+
+In these scenarios, further configurations would be needed. Refer to the [Related Documentation](#related-documentation) section for resolution steps and see how they could apply to your use case.
+
 ---
 
 ## Using SRV records (not recommended)

docs/configuration.mdx

@@ -2,66 +2,90 @@ # Configuration
 
 This chapter describes various ways to configure Continuwuity.
 
-## Basics
+## Configuration file
 
-Continuwuity uses a config file for the majority of the settings, but also supports
-setting individual config options via commandline.
+Continuwuity uses a TOML config file for all of its settings. This is the recommended way to configure Continuwuity. Please refer to the [example config file](./reference/config.mdx) for all of these settings.
 
-Please refer to the [example config
-file](./reference/config.mdx) for all of those
-settings.
+You can specify the config file to be used by Continuwuity with the command-line flag `-c` or `--config`:
 
-The config file to use can be specified on the commandline when running
-Continuwuity by specifying the `-c`, `--config` flag. Alternatively, you can use
-the environment variable `CONTINUWUITY_CONFIG` to specify the config file to be
-used; see [the section on environment variables](#environment-variables) for
-more information.
+```bash
+./conduwuit -c /path/to/continuwuity.toml
+```
 
-## Option commandline flag
+Alternatively, you can use the environment variable `CONTINUWUITY_CONFIG` to specify the config file to be used; see [the section on environment variables](#environment-variables) for more information.
 
-Continuwuity supports setting individual config options in TOML format from the
-`-O` / `--option` flag. For example, you can set your server name via `-O
-server_name=\"example.com\"`.
+## Environment variables
+
+All of the options in the config file can also be specified by using environment variables. This is ideal for containerised deployments and infrastructure-as-code scenarios.
+
+The environment variable names are represented in all caps and prefixed with `CONTINUWUITY_`. They are mapped to config options in the ways demonstrated below:
+
+```bash
+# Top-level options (those inside the [global] section) are simply capitalised
+CONTINUWUITY_SERVER_NAME="matrix.example.com"
+CONTINUWUITY_PORT="8008"
+CONTINUWUITY_DATABASE_PATH="/var/lib/continuwuity"
+
+# Nested config sections use double underscores `__`
+
+# This maps to the `server` field of the [global.well_known] section in TOML
+CONTINUWUITY_WELL_KNOWN__SERVER="example.com:443"
+
+# This maps to the `base_url` field of the `[global.antispam.draupnir]` section in TOML
+CONTINUWUITY_ANTISPAM__DRAUPNIR__BASE_URL="https://draupnir.example.com"
+
+# Alternatively, you can pass a (quoted) struct to define an entire section
+# This maps to the [global.well_known] section
+CONTINUWUITY_WELL_KNOWN="{ client=https://example.com,server=example.com:443 }"
+```
+
+### Alternative prefixes
+
+For backwards compatibility, Continuwuity also supports the following environment variable prefixes, in order of descending priority:
+
+- `CONDUWUIT_*` (compatibility)
+- `CONDUIT_*` (legacy)
+
+As an example, the environment variable `CONTINUWUITY_CONFIG` can also be expressed as `CONDUWUIT_CONFIG` or `CONDUIT_CONFIG`.
+
+## Option command-line flag
+
+Continuwuity also supports setting individual config options in TOML format from the `-O` / `--option` flag. For example, you can set your server name via `-O server_name=\"example.com\"`.
+
+Note that the config is parsed as TOML, and shells like `bash` will remove quotes. Therefore, if the config option is a string, quote escapes must be properly handled. If the config option is a number or a boolean, this does not apply.
 
-Note that the config is parsed as TOML, and shells like bash will remove quotes.
-So unfortunately it is required to escape quotes if the config option takes a
-string. This does not apply to options that take booleans or numbers:
 - `--option allow_registration=true` works ✅
 - `-O max_request_size=99999999` works ✅
 - `-O server_name=example.com` does not work ❌
 - `--option log=\"debug\"` works ✅
 - `--option server_name='"example.com'"` works ✅
 
-## Execute commandline flag
+## Order of priority
 
-Continuwuity supports running admin commands on startup using the commandline
-argument `--execute`. The most notable use for this is to create an admin user
-on first startup.
+The above configuration methods are prioritised, in descending order, as below:
 
-The syntax of this is a standard admin command without the prefix such as
-`./conduwuit --execute "users create_user june"`
+- Command-line `-o`/`--option` flags
+- Environment variables
+    - `CONTINUWUITY_*` variables
+    - `CONDUWUIT_*` variables
+    - `CONDUIT_*` variables
+- Config file
 
-An example output of a success is:
-```
+Therefore, you can use environment variables or the options flags to override values in the config file.
+
+---
+
+## Executing startup commands
+
+Continuwuity supports running admin commands on startup using the command-line flag `--execute`. This is treated as a standard admin command, without the need for the `!admin` prefix. For example, to create a new user:
+
+```bash
+# Equivalent to `!admin users create_user june`
+./conduwuit --execute "users create_user june"
 INFO conduwuit_service::admin::startup: Startup command #0 completed:
 Created user with user_id: @june:girlboss.ceo and password: `<redacted>`
 ```
 
-This commandline argument can be paired with the `--option` flag.
+Alternatively, you can configure `CONTINUWUITY_ADMIN_EXECUTE` or the config file value `admin_execute` with a list of commands.
 
-## Environment variables
-
-All of the settings that are found in the config file can be specified by using
-environment variables. The environment variable names should be all caps and
-prefixed with `CONTINUWUITY_`.
-
-For example, if the setting you are changing is `max_request_size`, then the
-environment variable to set is `CONTINUWUITY_MAX_REQUEST_SIZE`.
-
-To modify config options not in the `[global]` context such as
-`[global.well_known]`, use the `__` suffix split:
-`CONTINUWUITY_WELL_KNOWN__SERVER`
-
-Conduit and conduwuit's environment variables are also supported for backwards
-compatibility, via the `CONDUIT_` and `CONDUWUIT_` prefixes respectively (e.g.
-`CONDUIT_SERVER_NAME`).
+This command-line argument can be paired with the `--option` flag.

docs/deploying/docker.mdx

@@ -152,7 +152,7 @@ #### For other reverse proxies
 
 ### Starting Your Server
 
-1. Choose your compose file from the above, and rename it to `docker-compose.yml`. Edit values as you see fit.
+1. Choose your compose file from the above, and rename it to `docker-compose.yml`. Replace `example.com` with your homeserver's domain name, and edit other values as you see fit.
 2. If using the override file, rename it to `docker-compose.override.yml` and
    edit your values.
 3. Start the server:

docs/public/deploying/docker-compose.for-traefik.yml

@@ -13,7 +13,7 @@ services:
       - proxy
     labels:
       - "traefik.enable=true"
-      - "traefik.http.routers.continuwuity.rule=(Host(`matrix.example.com`) || (Host(`example.com`) && PathPrefix(`/.well-known/matrix`)))"
+      - "traefik.http.routers.continuwuity.rule=(Host(`example.com`))"
       - "traefik.http.routers.continuwuity.entrypoints=websecure" # your HTTPS entry point
       - "traefik.http.routers.continuwuity.tls=true"
       - "traefik.http.routers.continuwuity.service=continuwuity"
@@ -21,7 +21,7 @@ services:
       # possibly, depending on your config:
       # - "traefik.http.routers.continuwuity.tls.certresolver=letsencrypt"
     environment:
-      CONTINUWUITY_SERVER_NAME: example.com # EDIT THIS
+      CONTINUWUITY_SERVER_NAME: example.com
       CONTINUWUITY_DATABASE_PATH: /var/lib/continuwuity
       CONTINUWUITY_ADDRESS: 0.0.0.0
       CONTINUWUITY_PORT: 8008 # This must match with traefik's loadbalancer label

docs/public/deploying/docker-compose.override.yml

@@ -6,7 +6,7 @@ services:
       - "traefik.enable=true"
       - "traefik.docker.network=proxy"  # Change this to the name of your Traefik docker proxy network
 
-      - "traefik.http.routers.to-continuwuity.rule=Host(`matrix.example.com`)"  # Change to the address on which Continuwuity is hosted
+      - "traefik.http.routers.to-continuwuity.rule=Host(`example.com`)"  # Change to the address on which Continuwuity is hosted
       - "traefik.http.routers.to-continuwuity.tls=true"
       - "traefik.http.routers.to-continuwuity.tls.certresolver=letsencrypt"
       - "traefik.http.routers.to-continuwuity.middlewares=cors-headers@docker"

docs/public/deploying/docker-compose.with-caddy-labels.yml

@@ -14,9 +14,6 @@ services:
             - /var/run/docker.sock:/var/run/docker.sock
             - ./data:/data
         restart: unless-stopped
-        labels:
-            caddy: example.com
-            caddy.reverse_proxy: /.well-known/matrix/* homeserver:8008
 
     homeserver:
         image: forgejo.ellis.link/continuwuation/continuwuity:latest
@@ -27,7 +24,7 @@ services:
             - ./continuwuity-resolv.conf:/etc/resolv.conf # use custom resolvers rather than Docker's
             #- ./continuwuity.toml:/etc/continuwuity.toml
         environment:
-            CONTINUWUITY_SERVER_NAME: example.com # EDIT THIS
+            CONTINUWUITY_SERVER_NAME: example.com
             CONTINUWUITY_DATABASE_PATH: /var/lib/continuwuity
             CONTINUWUITY_ADDRESS: 0.0.0.0
             CONTINUWUITY_PORT: 8008

docs/public/deploying/docker-compose.with-traefik.yml

@@ -13,12 +13,12 @@ services:
       - proxy
     labels:
       - "traefik.enable=true"
-      - "traefik.http.routers.continuwuity.rule=(Host(`matrix.example.com`) || (Host(`example.com`) && PathPrefix(`/.well-known/matrix`)))"
+      - "traefik.http.routers.continuwuity.rule=(Host(`example.com`))"
       - "traefik.http.routers.continuwuity.entrypoints=websecure"
       - "traefik.http.routers.continuwuity.tls.certresolver=letsencrypt"
       - "traefik.http.services.continuwuity.loadbalancer.server.port=8008"
     environment:
-      CONTINUWUITY_SERVER_NAME: example.com # EDIT THIS
+      CONTINUWUITY_SERVER_NAME: example.com
       CONTINUWUITY_DATABASE_PATH: /var/lib/continuwuity
       CONTINUWUITY_ADDRESS: 0.0.0.0
       CONTINUWUITY_PORT: 8008 # This must match with traefik's loadbalancer label

docs/reference/_meta.json

@@ -4,11 +4,6 @@
         "name": "config",
         "label": "Configuration"
     },
-    {
-        "type": "file",
-        "name": "environment-variables",
-        "label": "Environment Variables"
-    },
     {
         "type": "file",
         "name": "admin",

docs/reference/environment-variables.mdx

@@ -1,281 +0,0 @@
-# Environment Variables
-
-Continuwuity can be configured entirely through environment variables, making it
-ideal for containerised deployments and infrastructure-as-code scenarios.
-
-This is a convenience reference and may not be exhaustive. The
-[Configuration Reference](./config.mdx) is the primary source for all
-configuration options.
-
-## Prefix System
-
-Continuwuity supports three environment variable prefixes for backwards
-compatibility:
-
-- `CONTINUWUITY_*` (current, recommended)
-- `CONDUWUIT_*` (compatibility)
-- `CONDUIT_*` (legacy)
-
-All three prefixes work identically. Use double underscores (`__`) to represent
-nested configuration sections from the TOML config.
-
-**Examples:**
-
-```bash
-# Simple top-level config
-CONTINUWUITY_SERVER_NAME="matrix.example.com"
-CONTINUWUITY_PORT="8008"
-
-# Nested config sections use double underscores
-# This maps to [database] section in TOML
-CONTINUWUITY_DATABASE__PATH="/var/lib/continuwuity"
-
-# This maps to [tls] section in TOML
-CONTINUWUITY_TLS__CERTS="/path/to/cert.pem"
-```
-
-## Configuration File Override
-
-You can specify a custom configuration file path:
-
-- `CONTINUWUITY_CONFIG` - Path to continuwuity.toml (current)
-- `CONDUWUIT_CONFIG` - Path to config file (compatibility)
-- `CONDUIT_CONFIG` - Path to config file (legacy)
-
-## Essential Variables
-
-These are the minimum variables needed for a working deployment:
-
-| Variable                     | Description                        | Default                |
-| ---------------------------- | ---------------------------------- | ---------------------- |
-| `CONTINUWUITY_SERVER_NAME`   | Your Matrix server's domain name   | Required               |
-| `CONTINUWUITY_DATABASE_PATH` | Path to RocksDB database directory | `/var/lib/conduwuit`   |
-| `CONTINUWUITY_ADDRESS`       | IP address to bind to              | `["127.0.0.1", "::1"]` |
-| `CONTINUWUITY_PORT`          | Port to listen on                  | `8008`                 |
-
-## Network Configuration
-
-| Variable                         | Description                                     | Default                |
-| -------------------------------- | ----------------------------------------------- | ---------------------- |
-| `CONTINUWUITY_ADDRESS`           | Bind address (use `0.0.0.0` for all interfaces) | `["127.0.0.1", "::1"]` |
-| `CONTINUWUITY_PORT`              | HTTP port                                       | `8008`                 |
-| `CONTINUWUITY_UNIX_SOCKET_PATH`  | UNIX socket path (alternative to TCP)           | -                      |
-| `CONTINUWUITY_UNIX_SOCKET_PERMS` | Socket permissions (octal)                      | `660`                  |
-
-## Database Configuration
-
-| Variable                                   | Description                 | Default              |
-| ------------------------------------------ | --------------------------- | -------------------- |
-| `CONTINUWUITY_DATABASE_PATH`               | RocksDB data directory      | `/var/lib/conduwuit` |
-| `CONTINUWUITY_DATABASE_BACKUP_PATH`        | Backup directory            | -                    |
-| `CONTINUWUITY_DATABASE_BACKUPS_TO_KEEP`    | Number of backups to retain | `1`                  |
-| `CONTINUWUITY_DB_CACHE_CAPACITY_MB`        | Database read cache (MB)    | -                    |
-| `CONTINUWUITY_DB_WRITE_BUFFER_CAPACITY_MB` | Write cache (MB)            | -                    |
-
-## Cache Configuration
-
-| Variable                                 | Description              |
-| ---------------------------------------- | ------------------------ |
-| `CONTINUWUITY_CACHE_CAPACITY_MODIFIER`   | LRU cache multiplier     |
-| `CONTINUWUITY_PDU_CACHE_CAPACITY`        | PDU cache entries        |
-| `CONTINUWUITY_AUTH_CHAIN_CACHE_CAPACITY` | Auth chain cache entries |
-
-## DNS Configuration
-
-Configure DNS resolution behaviour for federation and external requests.
-
-| Variable                             | Description                  | Default  |
-| ------------------------------------ | ---------------------------- | -------- |
-| `CONTINUWUITY_DNS_CACHE_ENTRIES`     | Max DNS cache entries        | `32768`  |
-| `CONTINUWUITY_DNS_MIN_TTL`           | Minimum cache TTL (seconds)  | `10800`  |
-| `CONTINUWUITY_DNS_MIN_TTL_NXDOMAIN`  | NXDOMAIN cache TTL (seconds) | `259200` |
-| `CONTINUWUITY_DNS_ATTEMPTS`          | Retry attempts               | -        |
-| `CONTINUWUITY_DNS_TIMEOUT`           | Query timeout (seconds)      | -        |
-| `CONTINUWUITY_DNS_TCP_FALLBACK`      | Allow TCP fallback           | -        |
-| `CONTINUWUITY_QUERY_ALL_NAMESERVERS` | Query all nameservers        | -        |
-| `CONTINUWUITY_QUERY_OVER_TCP_ONLY`   | TCP-only queries             | -        |
-
-## Request Configuration
-
-| Variable                             | Description                   |
-| ------------------------------------ | ----------------------------- |
-| `CONTINUWUITY_MAX_REQUEST_SIZE`      | Max HTTP request size (bytes) |
-| `CONTINUWUITY_REQUEST_CONN_TIMEOUT`  | Connection timeout (seconds)  |
-| `CONTINUWUITY_REQUEST_TIMEOUT`       | Overall request timeout       |
-| `CONTINUWUITY_REQUEST_TOTAL_TIMEOUT` | Total timeout                 |
-| `CONTINUWUITY_REQUEST_IDLE_TIMEOUT`  | Idle timeout                  |
-| `CONTINUWUITY_REQUEST_IDLE_PER_HOST` | Idle connections per host     |
-
-## Federation Configuration
-
-Control how your server federates with other Matrix servers.
-
-| Variable                                       | Description                   | Default |
-| ---------------------------------------------- | ----------------------------- | ------- |
-| `CONTINUWUITY_ALLOW_FEDERATION`                | Enable federation             | `true`  |
-| `CONTINUWUITY_FEDERATION_LOOPBACK`             | Allow loopback federation     | -       |
-| `CONTINUWUITY_FEDERATION_CONN_TIMEOUT`         | Connection timeout            | -       |
-| `CONTINUWUITY_FEDERATION_TIMEOUT`              | Request timeout               | -       |
-| `CONTINUWUITY_FEDERATION_IDLE_TIMEOUT`         | Idle timeout                  | -       |
-| `CONTINUWUITY_FEDERATION_IDLE_PER_HOST`        | Idle connections per host     | -       |
-| `CONTINUWUITY_TRUSTED_SERVERS`                 | JSON array of trusted servers | -       |
-| `CONTINUWUITY_QUERY_TRUSTED_KEY_SERVERS_FIRST` | Query trusted first           | -       |
-| `CONTINUWUITY_ONLY_QUERY_TRUSTED_KEY_SERVERS`  | Only query trusted            | -       |
-
-**Example:**
-
-```bash
-# Trust matrix.org for key verification
-CONTINUWUITY_TRUSTED_SERVERS='["matrix.org"]'
-```
-
-## Registration & User Configuration
-
-Control user registration and account creation behaviour.
-
-| Variable                                   | Description           | Default |
-| ------------------------------------------ | --------------------- | ------- |
-| `CONTINUWUITY_ALLOW_REGISTRATION`          | Enable registration   | `true`  |
-| `CONTINUWUITY_REGISTRATION_TOKEN`          | Token requirement     | -       |
-| `CONTINUWUITY_SUSPEND_ON_REGISTER`         | Suspend new accounts  | -       |
-| `CONTINUWUITY_NEW_USER_DISPLAYNAME_SUFFIX` | Display name suffix   | 🏳️‍⚧️      |
-| `CONTINUWUITY_RECAPTCHA_SITE_KEY`          | reCAPTCHA site key    | -       |
-| `CONTINUWUITY_RECAPTCHA_PRIVATE_SITE_KEY`  | reCAPTCHA private key | -       |
-
-**Example:**
-
-```bash
-# Disable open registration
-CONTINUWUITY_ALLOW_REGISTRATION="false"
-
-# Require a registration token
-CONTINUWUITY_REGISTRATION_TOKEN="your_secret_token_here"
-```
-
-## Feature Configuration
-
-| Variable                                                   | Description                | Default |
-| ---------------------------------------------------------- | -------------------------- | ------- |
-| `CONTINUWUITY_ALLOW_ENCRYPTION`                            | Enable E2EE                | `true`  |
-| `CONTINUWUITY_ALLOW_ROOM_CREATION`                         | Enable room creation       | -       |
-| `CONTINUWUITY_ALLOW_UNSTABLE_ROOM_VERSIONS`                | Allow unstable versions    | -       |
-| `CONTINUWUITY_DEFAULT_ROOM_VERSION`                        | Default room version       | `v11`   |
-| `CONTINUWUITY_REQUIRE_AUTH_FOR_PROFILE_REQUESTS`           | Auth for profiles          | -       |
-| `CONTINUWUITY_ALLOW_PUBLIC_ROOM_DIRECTORY_OVER_FEDERATION` | Federate directory         | -       |
-| `CONTINUWUITY_ALLOW_PUBLIC_ROOM_DIRECTORY_WITHOUT_AUTH`    | Unauth directory           | -       |
-| `CONTINUWUITY_ALLOW_DEVICE_NAME_FEDERATION`                | Device names in federation | -       |
-
-## TLS Configuration
-
-Built-in TLS support is primarily for testing. **For production deployments,
-especially when federating on the internet, use a reverse proxy** (Traefik,
-Caddy, nginx) to handle TLS termination.
-
-| Variable                          | Description               |
-| --------------------------------- | ------------------------- |
-| `CONTINUWUITY_TLS__CERTS`         | TLS certificate file path |
-| `CONTINUWUITY_TLS__KEY`           | TLS private key path      |
-| `CONTINUWUITY_TLS__DUAL_PROTOCOL` | Support TLS 1.2 + 1.3     |
-
-**Example (testing only):**
-
-```bash
-CONTINUWUITY_TLS__CERTS="/etc/letsencrypt/live/matrix.example.com/fullchain.pem"
-CONTINUWUITY_TLS__KEY="/etc/letsencrypt/live/matrix.example.com/privkey.pem"
-```
-
-## Logging Configuration
-
-Control log output format and verbosity.
-
-| Variable                       | Description        | Default |
-| ------------------------------ | ------------------ | ------- |
-| `CONTINUWUITY_LOG`             | Log filter level   | -       |
-| `CONTINUWUITY_LOG_COLORS`      | ANSI colours       | `true`  |
-| `CONTINUWUITY_LOG_SPAN_EVENTS` | Log span events    | `none`  |
-| `CONTINUWUITY_LOG_THREAD_IDS`  | Include thread IDs | -       |
-
-**Examples:**
-
-```bash
-# Set log level to info
-CONTINUWUITY_LOG="info"
-
-# Enable debug logging for specific modules
-CONTINUWUITY_LOG="warn,continuwuity::api=debug"
-
-# Disable colours for log aggregation
-CONTINUWUITY_LOG_COLORS="false"
-```
-
-## Observability Configuration
-
-| Variable                                 | Description           |
-| ---------------------------------------- | --------------------- |
-| `CONTINUWUITY_ALLOW_OTLP`                | Enable OpenTelemetry  |
-| `CONTINUWUITY_OTLP_FILTER`               | OTLP filter level     |
-| `CONTINUWUITY_OTLP_PROTOCOL`             | Protocol (http/grpc)  |
-| `CONTINUWUITY_TRACING_FLAME`             | Enable flame graphs   |
-| `CONTINUWUITY_TRACING_FLAME_FILTER`      | Flame graph filter    |
-| `CONTINUWUITY_TRACING_FLAME_OUTPUT_PATH` | Output directory      |
-| `CONTINUWUITY_SENTRY`                    | Enable Sentry         |
-| `CONTINUWUITY_SENTRY_ENDPOINT`           | Sentry DSN            |
-| `CONTINUWUITY_SENTRY_SEND_SERVER_NAME`   | Include server name   |
-| `CONTINUWUITY_SENTRY_TRACES_SAMPLE_RATE` | Sample rate (0.0-1.0) |
-
-## Admin Configuration
-
-Configure admin users and automated command execution.
-
-| Variable                                   | Description                      | Default           |
-| ------------------------------------------ | -------------------------------- | ----------------- |
-| `CONTINUWUITY_ADMINS_LIST`                 | JSON array of admin user IDs     | -                 |
-| `CONTINUWUITY_ADMINS_FROM_ROOM`            | Derive admins from room          | -                 |
-| `CONTINUWUITY_ADMIN_ESCAPE_COMMANDS`       | Allow `\` prefix in public rooms | -                 |
-| `CONTINUWUITY_ADMIN_CONSOLE_AUTOMATIC`     | Auto-activate console            | -                 |
-| `CONTINUWUITY_ADMIN_EXECUTE`               | JSON array of startup commands   | -                 |
-| `CONTINUWUITY_ADMIN_EXECUTE_ERRORS_IGNORE` | Ignore command errors            | -                 |
-| `CONTINUWUITY_ADMIN_SIGNAL_EXECUTE`        | Commands on SIGUSR2              | -                 |
-| `CONTINUWUITY_ADMIN_ROOM_TAG`              | Admin room tag                   | `m.server_notice` |
-
-**Examples:**
-
-```bash
-# Create admin user on startup
-CONTINUWUITY_ADMIN_EXECUTE='["users create-user admin", "users make-user-admin admin"]'
-
-# Specify admin users directly
-CONTINUWUITY_ADMINS_LIST='["@alice:example.com", "@bob:example.com"]'
-```
-
-## Media & URL Preview Configuration
-
-| Variable                                             | Description        |
-| ---------------------------------------------------- | ------------------ |
-| `CONTINUWUITY_URL_PREVIEW_BOUND_INTERFACE`           | Bind interface     |
-| `CONTINUWUITY_URL_PREVIEW_DOMAIN_CONTAINS_ALLOWLIST` | Domain allowlist   |
-| `CONTINUWUITY_URL_PREVIEW_DOMAIN_EXPLICIT_ALLOWLIST` | Explicit allowlist |
-| `CONTINUWUITY_URL_PREVIEW_DOMAIN_EXPLICIT_DENYLIST`  | Explicit denylist  |
-| `CONTINUWUITY_URL_PREVIEW_MAX_SPIDER_SIZE`           | Max fetch size     |
-| `CONTINUWUITY_URL_PREVIEW_TIMEOUT`                   | Fetch timeout      |
-| `CONTINUWUITY_IP_RANGE_DENYLIST`                     | IP range denylist  |
-
-## Tokio Runtime Configuration
-
-These can be set as environment variables or CLI arguments:
-
-| Variable                                  | Description                |
-| ----------------------------------------- | -------------------------- |
-| `TOKIO_WORKER_THREADS`                    | Worker thread count        |
-| `TOKIO_GLOBAL_QUEUE_INTERVAL`             | Global queue interval      |
-| `TOKIO_EVENT_INTERVAL`                    | Event interval             |
-| `TOKIO_MAX_IO_EVENTS_PER_TICK`            | Max I/O events per tick    |
-| `CONTINUWUITY_RUNTIME_HISTOGRAM_INTERVAL` | Histogram bucket size (μs) |
-| `CONTINUWUITY_RUNTIME_HISTOGRAM_BUCKETS`  | Bucket count               |
-| `CONTINUWUITY_RUNTIME_WORKER_AFFINITY`    | Enable worker affinity     |
-
-## See Also
-
-- [Configuration Reference](./config.mdx) - Complete TOML configuration
-  documentation
-- [Admin Commands](./admin/) - Admin command reference