chore: Admin announcement

Yeah that didn't work sadly.

CHANGELOG.md

@@ -1,3 +1,20 @@
+# Continuwuity 0.5.8 (2026-04-24)
+
+## Features
+
+- LDAP can now optionally be connected to using StartTLS, and you may unsafely skip verification. Contributed by @getz (#1389)
+- Users will now be prevented from removing their email if the server is configured to require an email when registering an account.
+
+## Bugfixes
+
+- Fixed a situation where multiple email addresses could be associated with one user when that user changes their email address.
+
+## Improved Documentation
+
+- Updated config docs to state we support room version 12, and set it as default. Contributed by @ezera. (#1622)
+- Improve instructions for generic deployments, removing unnecessary parts and documenting the new initial registration token flow. Contributed by @stratself (#1677)
+
+
 # Continuwuity v0.5.7 (2026-04-17)
 
 ## Features

Cargo.lock

@@ -490,28 +490,6 @@ dependencies = [
  "tracing",
 ]
 
-[[package]]
-name = "axum-server"
-version = "0.7.3"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "c1ab4a3ec9ea8a657c72d99a03a824af695bd0fb5ec639ccbd9cd3543b41a5f9"
-dependencies = [
- "arc-swap",
- "bytes",
- "fs-err",
- "http",
- "http-body",
- "hyper",
- "hyper-util",
- "pin-project-lite",
- "rustls",
- "rustls-pemfile",
- "rustls-pki-types",
- "tokio",
- "tokio-rustls",
- "tower-service",
-]
-
 [[package]]
 name = "axum-server"
 version = "0.8.0"
@@ -536,11 +514,10 @@ dependencies = [
 
 [[package]]
 name = "axum-server-dual-protocol"
-version = "0.7.0"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "2164551db024e87f20316d164eab9f5ad342d8188b08051ceb15ca92a60ea7b7"
+version = "0.8.0"
+source = "git+https://github.com/vinchona/axum-server-dual-protocol.git?rev=ca6db055254255b74238673ce4135698e347d71c#ca6db055254255b74238673ce4135698e347d71c"
 dependencies = [
- "axum-server 0.7.3",
+ "axum-server",
  "bytes",
  "http",
  "http-body-util",
@@ -983,8 +960,9 @@ dependencies = [
 
 [[package]]
 name = "conduwuit"
-version = "0.5.7"
+version = "0.5.8"
 dependencies = [
+ "aws-lc-rs",
  "clap",
  "conduwuit_admin",
  "conduwuit_api",
@@ -1003,6 +981,8 @@ dependencies = [
  "opentelemetry-otlp",
  "opentelemetry_sdk",
  "parking_lot",
+ "reqwest 0.13.2",
+ "rustls",
  "sentry",
  "sentry-tower",
  "sentry-tracing",
@@ -1017,7 +997,7 @@ dependencies = [
 
 [[package]]
 name = "conduwuit_admin"
-version = "0.5.7"
+version = "0.5.8"
 dependencies = [
  "clap",
  "conduwuit_api",
@@ -1040,7 +1020,7 @@ dependencies = [
 
 [[package]]
 name = "conduwuit_api"
-version = "0.5.7"
+version = "0.5.8"
 dependencies = [
  "async-trait",
  "axum",
@@ -1075,7 +1055,7 @@ dependencies = [
 
 [[package]]
 name = "conduwuit_build_metadata"
-version = "0.5.7"
+version = "0.5.8"
 dependencies = [
  "built",
  "cargo_metadata",
@@ -1083,7 +1063,7 @@ dependencies = [
 
 [[package]]
 name = "conduwuit_core"
-version = "0.5.7"
+version = "0.5.8"
 dependencies = [
  "argon2",
  "arrayvec",
@@ -1123,13 +1103,13 @@ dependencies = [
  "rand_core 0.6.4",
  "regex",
  "reqwest 0.13.2",
- "ring",
  "ruma",
  "sanitize-filename",
  "serde",
  "serde-saphyr",
  "serde_json",
  "serde_regex",
+ "sha2 0.11.0",
  "smallstr",
  "smallvec",
  "thiserror 2.0.18",
@@ -1147,7 +1127,7 @@ dependencies = [
 
 [[package]]
 name = "conduwuit_database"
-version = "0.5.7"
+version = "0.5.8"
 dependencies = [
  "async-channel",
  "conduwuit_core",
@@ -1167,7 +1147,7 @@ dependencies = [
 
 [[package]]
 name = "conduwuit_macros"
-version = "0.5.7"
+version = "0.5.8"
 dependencies = [
  "cargo_toml",
  "itertools 0.14.0",
@@ -1178,11 +1158,11 @@ dependencies = [
 
 [[package]]
 name = "conduwuit_router"
-version = "0.5.7"
+version = "0.5.8"
 dependencies = [
  "axum",
  "axum-client-ip",
- "axum-server 0.8.0",
+ "axum-server",
  "axum-server-dual-protocol",
  "bytes",
  "conduwuit_admin",
@@ -1214,7 +1194,7 @@ dependencies = [
 
 [[package]]
 name = "conduwuit_service"
-version = "0.5.7"
+version = "0.5.8"
 dependencies = [
  "askama",
  "async-trait",
@@ -1261,7 +1241,7 @@ dependencies = [
 
 [[package]]
 name = "conduwuit_web"
-version = "0.5.7"
+version = "0.5.8"
 dependencies = [
  "askama",
  "async-trait",
@@ -3140,9 +3120,9 @@ dependencies = [
 
 [[package]]
 name = "libc"
-version = "0.2.185"
+version = "0.2.186"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "52ff2c0fe9bc6cb6b14a0592c2ff4fa9ceb83eea9db979b0487cd054946a2b8f"
+checksum = "68ab91017fe16c622486840e4c83c9a37afeff978bd239b5293d61ece587de66"
 
 [[package]]
 name = "libfuzzer-sys"
@@ -4364,7 +4344,7 @@ dependencies = [
  "once_cell",
  "socket2",
  "tracing",
- "windows-sys 0.60.2",
+ "windows-sys 0.52.0",
 ]
 
 [[package]]
@@ -4981,15 +4961,6 @@ dependencies = [
  "security-framework",
 ]
 
-[[package]]
-name = "rustls-pemfile"
-version = "2.2.0"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "dce314e5fee3f39953d46bb63bb8a46d40c2f8fb7cc5a3b6cab2bde9721d6e50"
-dependencies = [
- "rustls-pki-types",
-]
-
 [[package]]
 name = "rustls-pki-types"
 version = "1.14.0"
@@ -5160,7 +5131,6 @@ dependencies = [
  "cfg_aliases",
  "httpdate",
  "reqwest 0.13.2",
- "rustls",
  "sentry-backtrace",
  "sentry-contexts",
  "sentry-core",
@@ -5170,7 +5140,6 @@ dependencies = [
  "sentry-tower",
  "sentry-tracing",
  "tokio",
- "ureq",
 ]
 
 [[package]]
@@ -6373,34 +6342,6 @@ version = "0.9.0"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "8ecb6da28b8a351d773b68d5825ac39017e680750f980f3a1a85cd8dd28a47c1"
 
-[[package]]
-name = "ureq"
-version = "3.3.0"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "dea7109cdcd5864d4eeb1b58a1648dc9bf520360d7af16ec26d0a9354bafcfc0"
-dependencies = [
- "base64 0.22.1",
- "log",
- "percent-encoding",
- "rustls",
- "rustls-pki-types",
- "ureq-proto",
- "utf8-zero",
- "webpki-roots",
-]
-
-[[package]]
-name = "ureq-proto"
-version = "0.6.0"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "e994ba84b0bd1b1b0cf92878b7ef898a5c1760108fe7b6010327e274917a808c"
-dependencies = [
- "base64 0.22.1",
- "http",
- "httparse",
- "log",
-]
-
 [[package]]
 name = "url"
 version = "2.5.8"
@@ -6426,12 +6367,6 @@ version = "0.7.6"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "09cc8ee72d2a9becf2f2febe0205bbed8fc6615b7cb429ad062dc7b7ddd036a9"
 
-[[package]]
-name = "utf8-zero"
-version = "0.8.1"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "b8c0a043c9540bae7c578c88f91dda8bd82e59ae27c21baca69c8b191aaf5a6e"
-
 [[package]]
 name = "utf8_iter"
 version = "1.0.4"
@@ -6695,15 +6630,6 @@ dependencies = [
  "rustls-pki-types",
 ]
 
-[[package]]
-name = "webpki-roots"
-version = "1.0.7"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "52f5ee44c96cf55f1b349600768e3ece3a8f26010c05265ab73f945bb1a2eb9d"
-dependencies = [
- "rustls-pki-types",
-]
-
 [[package]]
 name = "weezl"
 version = "0.1.12"
@@ -6806,15 +6732,6 @@ dependencies = [
  "windows-targets 0.52.6",
 ]
 
-[[package]]
-name = "windows-sys"
-version = "0.60.2"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "f2f500e4d28234f72040990ec9d39e3a6b950f9f22d3dba18416c35882612bcb"
-dependencies = [
- "windows-targets 0.53.5",
-]
-
 [[package]]
 name = "windows-sys"
 version = "0.61.2"
@@ -6848,30 +6765,13 @@ dependencies = [
  "windows_aarch64_gnullvm 0.52.6",
  "windows_aarch64_msvc 0.52.6",
  "windows_i686_gnu 0.52.6",
- "windows_i686_gnullvm 0.52.6",
+ "windows_i686_gnullvm",
  "windows_i686_msvc 0.52.6",
  "windows_x86_64_gnu 0.52.6",
  "windows_x86_64_gnullvm 0.52.6",
  "windows_x86_64_msvc 0.52.6",
 ]
 
-[[package]]
-name = "windows-targets"
-version = "0.53.5"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "4945f9f551b88e0d65f3db0bc25c33b8acea4d9e41163edf90dcd0b19f9069f3"
-dependencies = [
- "windows-link",
- "windows_aarch64_gnullvm 0.53.1",
- "windows_aarch64_msvc 0.53.1",
- "windows_i686_gnu 0.53.1",
- "windows_i686_gnullvm 0.53.1",
- "windows_i686_msvc 0.53.1",
- "windows_x86_64_gnu 0.53.1",
- "windows_x86_64_gnullvm 0.53.1",
- "windows_x86_64_msvc 0.53.1",
-]
-
 [[package]]
 name = "windows_aarch64_gnullvm"
 version = "0.42.2"
@@ -6884,12 +6784,6 @@ version = "0.52.6"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "32a4622180e7a0ec044bb555404c800bc9fd9ec262ec147edd5989ccd0c02cd3"
 
-[[package]]
-name = "windows_aarch64_gnullvm"
-version = "0.53.1"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "a9d8416fa8b42f5c947f8482c43e7d89e73a173cead56d044f6a56104a6d1b53"
-
 [[package]]
 name = "windows_aarch64_msvc"
 version = "0.42.2"
@@ -6902,12 +6796,6 @@ version = "0.52.6"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "09ec2a7bb152e2252b53fa7803150007879548bc709c039df7627cabbd05d469"
 
-[[package]]
-name = "windows_aarch64_msvc"
-version = "0.53.1"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "b9d782e804c2f632e395708e99a94275910eb9100b2114651e04744e9b125006"
-
 [[package]]
 name = "windows_i686_gnu"
 version = "0.42.2"
@@ -6920,24 +6808,12 @@ version = "0.52.6"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "8e9b5ad5ab802e97eb8e295ac6720e509ee4c243f69d781394014ebfe8bbfa0b"
 
-[[package]]
-name = "windows_i686_gnu"
-version = "0.53.1"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "960e6da069d81e09becb0ca57a65220ddff016ff2d6af6a223cf372a506593a3"
-
 [[package]]
 name = "windows_i686_gnullvm"
 version = "0.52.6"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "0eee52d38c090b3caa76c563b86c3a4bd71ef1a819287c19d586d7334ae8ed66"
 
-[[package]]
-name = "windows_i686_gnullvm"
-version = "0.53.1"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "fa7359d10048f68ab8b09fa71c3daccfb0e9b559aed648a8f95469c27057180c"
-
 [[package]]
 name = "windows_i686_msvc"
 version = "0.42.2"
@@ -6950,12 +6826,6 @@ version = "0.52.6"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "240948bc05c5e7c6dabba28bf89d89ffce3e303022809e73deaefe4f6ec56c66"
 
-[[package]]
-name = "windows_i686_msvc"
-version = "0.53.1"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "1e7ac75179f18232fe9c285163565a57ef8d3c89254a30685b57d83a38d326c2"
-
 [[package]]
 name = "windows_x86_64_gnu"
 version = "0.42.2"
@@ -6968,12 +6838,6 @@ version = "0.52.6"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "147a5c80aabfbf0c7d901cb5895d1de30ef2907eb21fbbab29ca94c5b08b1a78"
 
-[[package]]
-name = "windows_x86_64_gnu"
-version = "0.53.1"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "9c3842cdd74a865a8066ab39c8a7a473c0778a3f29370b5fd6b4b9aa7df4a499"
-
 [[package]]
 name = "windows_x86_64_gnullvm"
 version = "0.42.2"
@@ -6986,12 +6850,6 @@ version = "0.52.6"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "24d5b23dc417412679681396f2b49f3de8c1473deb516bd34410872eff51ed0d"
 
-[[package]]
-name = "windows_x86_64_gnullvm"
-version = "0.53.1"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "0ffa179e2d07eee8ad8f57493436566c7cc30ac536a3379fdf008f47f6bb7ae1"
-
 [[package]]
 name = "windows_x86_64_msvc"
 version = "0.42.2"
@@ -7004,12 +6862,6 @@ version = "0.52.6"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "589f6da84c646204747d1270a2a5661ea66ed1cced2631d546fdfb155959f9ec"
 
-[[package]]
-name = "windows_x86_64_msvc"
-version = "0.53.1"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "d6bbff5f0aada427a1e5a6da5f1f98158182f26556f345ac9e04d36d0ebed650"
-
 [[package]]
 name = "winnow"
 version = "0.7.15"
@@ -7158,7 +7010,7 @@ dependencies = [
 
 [[package]]
 name = "xtask"
-version = "0.5.7"
+version = "0.5.8"
 dependencies = [
  "askama",
  "cargo_metadata",

Cargo.toml

@@ -12,7 +12,7 @@ license = "Apache-2.0"
 # See also `rust-toolchain.toml`
 readme = "README.md"
 repository = "https://forgejo.ellis.link/continuwuation/continuwuity"
-version = "0.5.7"
+version = "0.5.8"
 
 [workspace.metadata.crane]
 name = "conduwuit"
@@ -107,7 +107,10 @@ default-features = false
 
 # to listen on both HTTP and HTTPS if listening on TLS dierctly from conduwuit for complement or sytest
 [workspace.dependencies.axum-server-dual-protocol]
-version = "0.7"
+# version = "0.7"
+git = "https://github.com/vinchona/axum-server-dual-protocol.git"
+rev = "ca6db055254255b74238673ce4135698e347d71c" # feat!: bump axum_server to 0.8.0
+default-features = false
 
 [workspace.dependencies.axum-client-ip]
 version = "1.3"
@@ -134,13 +137,12 @@ features = [
 [workspace.dependencies.rustls]
 version = "0.23.25"
 default-features = false
-features = ["aws_lc_rs"]
 
 [workspace.dependencies.reqwest]
 version = "0.13.2"
 default-features = false
 features = [
-    "rustls",
+    "rustls-no-provider",
     "socks",
     "hickory-dns",
     "http2",
@@ -436,7 +438,6 @@ features = [
     "contexts",
     "debug-images",
     "panic",
-    "rustls",
     "tower",
     "tower-http",
     "tracing",
@@ -560,7 +561,7 @@ version = "0.15.0"
 [workspace.dependencies.lettre]
 version = "0.11.19"
 default-features = false
-features = ["smtp-transport", "pool", "hostname", "builder", "rustls", "rustls-native-certs", "tokio1", "ring", "tokio1-rustls", "tracing", "serde"]
+features = ["smtp-transport", "pool", "hostname", "builder", "rustls", "rustls-native-certs", "tokio1", "rustls-no-provider", "tokio1-rustls", "tracing", "serde"]
 
 [workspace.dependencies.governor]
 version = "0.10.4"

changelog.d/+1608cdcb.feature.md

@@ -1 +0,0 @@
-Users will now be prevented from removing their email if the server is configured to require an email when registering an account.

changelog.d/+e82957a7.bugfix.md

@@ -1 +0,0 @@
-Fixed a situation where multiple email addresses could be associated with one user when that user changes their email address.

changelog.d/1389.feature.md

@@ -1 +0,0 @@
-LDAP can now optionally be connected to using StartTLS, and you may unsafely skip verification. Contributed by @getz

changelog.d/1622.doc

@@ -1 +0,0 @@
-Updated config docs to state we support room version 12, and set it as default. Contributed by @ezera.

changelog.d/1671.docs

@@ -0,0 +1 @@
+Explain accessing Continuwuity's server console when deployed via Docker.

docker/Dockerfile

@@ -17,12 +17,14 @@ ARG LLVM_VERSION=21
 # Line one: compiler tools
 # Line two: curl, for downloading binaries and wget because llvm.sh is broken with curl
 # Line three: for xx-verify
+# golang, cmake: For aws-lc-rs bindgen
 RUN --mount=type=cache,target=/var/cache/apt,sharing=locked \
     --mount=type=cache,target=/var/lib/apt,sharing=locked \
     apt-get update && apt-get install -y \
     pkg-config make jq \
     wget curl git software-properties-common \
     file
+    # golang cmake
 
 # LLVM packages
 RUN --mount=type=cache,target=/var/cache/apt,sharing=locked \
@@ -162,7 +164,7 @@ ENV CONDUWUIT_VERSION_EXTRA=$CONDUWUIT_VERSION_EXTRA
 ENV CONTINUWUITY_VERSION_EXTRA=$CONTINUWUITY_VERSION_EXTRA
 
 ARG RUST_PROFILE=release
-ARG CARGO_FEATURES="default,http3"
+ARG CARGO_FEATURES="default"
 
 # Build the binary
 RUN --mount=type=cache,target=/usr/local/cargo/registry \

docs/advanced/delegation.mdx

@@ -50,8 +50,6 @@ # Defaults to members of the admin room if unset
       # CONTINUWUITY_WELL_KNOWN__SERVER: matrix.example.com:443
 ```
 
-## Reverse proxying well-known files to Continuwuity
-
 After doing the steps above, Continuwuity will serve these 3 JSON files:
 
 - `/.well-known/matrix/client`: for Client-Server discovery
@@ -60,9 +58,11 @@ ## Reverse proxying well-known files to Continuwuity
 
 To enable full discovery, you will need to reverse proxy these paths from the base domain back to Continuwuity.
 
+## Reverse proxying well-known files to Continuwuity
+
 <details>
 
-<summary>For Caddy</summary>
+<summary>For **Caddy**</summary>
 
 ```
 matrix.example.com:443 {
@@ -78,7 +78,7 @@ ## Reverse proxying well-known files to Continuwuity
 
 <details>
 
-<summary>For Traefik (via Docker labels)</summary>
+<summary>For **Traefik** (via Docker labels)</summary>
 
 ```
 services:
@@ -93,7 +93,10 @@ ## Reverse proxying well-known files to Continuwuity
 
 </details>
 
-Restart Continuwuity and your reverse proxy. Once that's done, visit these routes and check that the responses match the examples below:
+
+For **Docker** users, consult the compose files in the [Appendix section](#docker-compose-examples).
+
+After applying these changes, restart Continuwuity and your reverse proxy.Visit these routes and check that the responses match the examples below:
 
 <details open>
 
@@ -253,3 +256,45 @@ ## Related Documentation
 - [Server-to-Server resolution](https://spec.matrix.org/v1.17/server-server-api/#resolving-server-names) (see this for more information on SRV records)
 - [Client-to-Server resolution](https://spec.matrix.org/v1.17/client-server-api/#server-discovery)
 - [MSC1929: Homeserver Admin Contact and Support page](https://github.com/matrix-org/matrix-spec-proposals/pull/1929)
+
+## Appendix
+
+### Docker Compose examples
+
+The following Compose files are taken from [Docker instructions](../deploying/docker.mdx) and reconfigured to support split-domain delegation. Note the updated `CONTINUWUITY_WELL_KNOWN` variable and relevant changes in reverse proxy rules.
+
+<details>
+<summary>Caddy (using Caddyfile) - delegated.docker-compose.with-caddy.yml ([view raw](/advanced/delegated.docker-compose.with-caddy.yml))</summary>
+
+```yaml file="../public/advanced/delegated.docker-compose.with-caddy.yml"
+
+```
+
+</details>
+
+<details>
+<summary>Caddy (using labels) - delegated.docker-compose.with-caddy-labels.yml ([view raw](/advanced/delegated.docker-compose.with-caddy-labels.yml))</summary>
+
+```yaml file="../public/advanced/delegated.docker-compose.with-caddy-labels.yml"
+
+```
+
+</details>
+
+<details>
+<summary>Traefik (for existing setup) - delegated.docker-compose.for-traefik.yml ([view raw](/advanced/delegated.docker-compose.for-traefik.yml))</summary>
+
+```yaml file="../public/advanced/delegated.docker-compose.for-traefik.yml"
+
+```
+
+</details>
+
+<details>
+<summary>Traefik included - delegated.docker-compose.with-traefik.yml ([view raw](/advanced/delegated.docker-compose.with-traefik.yml))</summary>
+
+```yaml file="../public/advanced/delegated.docker-compose.with-traefik.yml"
+
+```
+
+</details>

docs/deploying/_meta.json

@@ -34,6 +34,11 @@
         "name": "kubernetes",
         "label": "Kubernetes"
     },
+    {
+        "type": "file",
+        "name": "nomad",
+        "label": "Nomad"
+    },
     {
         "type": "file",
         "name": "freebsd",

docs/deploying/docker.mdx

@@ -148,7 +148,7 @@ #### For other reverse proxies
 
 </details>
 
-You will then need to point your reverse proxy towards Continuwuity at `127.0.0.1:8008`. See the [Other reverse proxies](generic.mdx#setting-up-the-reverse-proxy) section of the Generic page for further routing details.
+See the [Other reverse proxies](generic.mdx#setting-up-the-reverse-proxy) section of the Generic page for further routing details.
 
 ### Starting Your Server
 
@@ -243,9 +243,30 @@ ### (Optional) Building Custom Images
 [Building Docker Images](../development/index.mdx#building-docker-images)
 section in the development documentation.
 
+### Accessing the Server's Console
+
+Before you can access the server's console and [send admin commands](../reference/admin/index.md) from the CLI, you will need to make the container interactive and allocate a pseudo-tty. Make sure you set `admin_console_automatic` to `true` in [the config](../reference/config.mdx) as well for Continuwuity to activate the CLI on startup.
+
+For Docker Compose deployments this means adding `stdin_open: true` and `tty: true` to the container's declaration:
+
+```yaml
+services:
+    homeserver:
+        stdin_open: true
+        tty: true
+        # ...
+```
+
+If you choose to deploy via `docker run`, add the flags `-i`/`--interactive` and `-t`/`--tty` to the command.
+
+From there you can access the server's console by running `docker attach <container-name>`, which will show the server's prompt `uwu> `. To exit `docker attach`, press `CTRL+p` then `CTRL+q`.
+
+Note that using `CTRL+c` within `docker attach`'s context will forward the signal to the server, stopping it. See [Docker's reference][docker-attach-reference] for more information.
+
+[docker-attach-reference]: https://docs.docker.com/reference/cli/docker/container/attach/
+
 ## Next steps
 
 - For smooth federation, set up a caching resolver according to the [**DNS tuning guide**](../advanced/dns.mdx) (recommended)
 - To set up Audio/Video communication, see the [**Calls**](../calls.mdx) page.
-- If you want to set up an appservice, take a look at the [**Appservice
-Guide**](../appservices.mdx).
+- If you want to set up an appservice, take a look at the [**Appservice Guide**](../appservices.mdx).

docs/deploying/generic.mdx

@@ -1,10 +1,12 @@
 # Generic deployment documentation
 
-> ### Getting help
->
-> If you run into any problems while setting up Continuwuity, ask us in
-> `#continuwuity:continuwuity.org` or [open an issue on
-> Forgejo](https://forgejo.ellis.link/continuwuation/continuwuity/issues/new).
+:::tip Getting help
+If you run into any problems while setting up Continuwuity, ask us in
+`#continuwuity:continuwuity.org` or [open an issue on
+Forgejo][forgejo-new-issue].
+:::
+
+[forgejo-new-issue]: https://forgejo.ellis.link/continuwuation/continuwuity/issues/new
 
 ## Installing Continuwuity
 
@@ -15,17 +17,16 @@ ### Prebuilt binary
 
 Prebuilt binaries are available from:
 
-- **Tagged releases**: [Latest release page](https://forgejo.ellis.link/continuwuation/continuwuity/releases/latest)
-- **Development builds**: CI artifacts from the `main` branch
-  (includes Debian/Ubuntu packages)
-
-When browsing CI artifacts, `ci-bins` contains binaries organised
-by commit hash, while `releases` contains tagged versions. Sort
-by last modified date to find the most recent builds.
+- **Tagged releases**: [see Release page][release-page]
+- **Development builds**: CI artifacts from the `main` branch,
+  [see `release-image.yml` for details][release-image]
 
 The binaries require jemalloc and io_uring on the host system. Currently
 we can't cross-build static binaries - contributions are welcome here.
 
+[release-page]: https://forgejo.ellis.link/continuwuation/continuwuity/releases/
+[release-image]: https://forgejo.ellis.link/continuwuation/continuwuity/actions/?workflow=release-image.yml
+
 #### Performance-optimised builds
 
 For x86_64 systems with CPUs from the last ~15 years, use the
@@ -38,11 +39,12 @@ #### Performance-optimised builds
 If you're using Docker instead, equivalent performance-optimised
 images are available with the `-maxperf` suffix (e.g.
 `forgejo.ellis.link/continuwuation/continuwuity:latest-maxperf`).
-These images use the `release-max-perf`
-build profile with
-[link-time optimisation (LTO)](https://doc.rust-lang.org/cargo/reference/profiles.html#lto)
+These images use the `release-max-perf` build profile with
+[link-time optimisation (LTO)][lto-rust-docs]
 and, for amd64, target the haswell CPU architecture.
 
+[lto-rust-docs]: https://doc.rust-lang.org/cargo/reference/profiles.html#lto
+
 ### Nix
 
 Theres a Nix package defined in our flake, available for Linux and MacOS. Add continuwuity as an input to your flake, and use `inputs.continuwuity.packages.${system}.default` to get a working Continuwuity package.
@@ -55,7 +57,8 @@ ### Compiling
 
 #### Using Docker
 
-If you would like to build using docker, you can run the command `docker build -f ./docker/Dockerfile -t forgejo.ellis.link/continuwuation/continuwuity:main .` to compile continuwuity.
+See the [Building Docker Images](../development/index.mdx#building-docker-images)
+section in the development documentation.
 
 #### Manual
 
@@ -69,7 +72,7 @@ ##### Dependencies
 
 ##### Build
 
-You can build Continuwuity using `cargo build --release`.
+You can now build Continuwuity using `cargo build --release`.
 
 Continuwuity supports various optional features that can be enabled during compilation. Please see the Cargo.toml file for a comprehensive list, or ask in our rooms.
 
@@ -91,27 +94,6 @@ ## Adding a Continuwuity user
 sudo useradd -r --shell /usr/bin/nologin --no-create-home continuwuity
 ```
 
-## Forwarding ports in the firewall or the router
-
-Matrix's default federation port is 8448, and clients must use port 443.
-If you would like to use only port 443 or a different port, you will need to set up
-delegation. Continuwuity has configuration options for delegation, or you can configure
-your reverse proxy to manually serve the necessary JSON files for delegation
-(see the `[global.well_known]` config section).
-
-If Continuwuity runs behind a router or in a container and has a different public
-IP address than the host system, you need to forward these public ports directly
-or indirectly to the port mentioned in the configuration.
-
-Note for NAT users: if you have trouble connecting to your server from inside
-your network, check if your router supports "NAT
-hairpinning" or "NAT loopback".
-
-If your router does not support this feature, you need to research doing local
-DNS overrides and force your Matrix DNS records to use your local IP internally.
-This can be done at the host level using `/etc/hosts`. If you need this to be
-on the network level, consider something like NextDNS or Pi-Hole.
-
 ## Setting up a systemd service
 
 You can find an example unit for continuwuity below.
@@ -123,7 +105,7 @@ ## Setting up a systemd service
 `/etc/rsyslog.conf` to allow color in logs.
 
 If you are using a different `database_path` than the systemd unit's
-configured default `/var/lib/conduwuit`, you need to add your path to the
+configured default (`/var/lib/conduwuit`), you need to add your path to the
 systemd unit's `ReadWritePaths=`. You can do this by either directly editing
 `conduwuit.service` and reloading systemd, or by running `systemctl edit conduwuit.service`
 and entering the following:
@@ -144,7 +126,9 @@ ### Example systemd Unit File
 
 </details>
 
-You can also [view the file on Foregejo](https://forgejo.ellis.link/continuwuation/continuwuity/src/branch/main/pkg/conduwuit.service).
+You can also [view the file on Foregejo][systemd-file].
+
+[systemd-file]: https://forgejo.ellis.link/continuwuation/continuwuity/src/branch/main/pkg/conduwuit.service
 
 ## Creating the Continuwuity configuration file
 
@@ -155,9 +139,7 @@ ## Creating the Continuwuity configuration file
 **Please take a moment to read the config. You need to change at least the
 server name.**
 
-RocksDB is the only supported database backend.
-
-## Setting the correct file permissions
+### Setting the correct file permissions
 
 If you are using a dedicated user for Continuwuity, you need to allow it to
 read the configuration. To do this, run:
@@ -175,22 +157,29 @@ ## Setting the correct file permissions
 sudo chmod 700 /var/lib/conduwuit/
 ```
 
-## Setting up the Reverse Proxy
+## Exposing ports in the firewall or the router
 
-We recommend Caddy as a reverse proxy because it is trivial to use and handles TLS certificates, reverse proxy headers, etc. transparently with proper defaults.
-For other software, please refer to their respective documentation or online guides.
+Matrix's default federation port is **:8448**, and clients use port **:443**. You will need to
+expose these ports on your firewall or router. If you use UFW, the commands to allow them
+are: `ufw allow 8448/tcp` and `ufw allow 443/tcp`.
+
+:::tip Alternative port/domain setups
+If you would like to use only port 443, a different port, or a subdomain for the homeserver, you will need to set up `.well-known` delegation. Consult the `[global.well_known]` section of the config file, and the [**Delegation/Split-domain**](../advanced/delegation) page to learn more about these kinds of deployments.
+:::
+
+## Setting up the Reverse Proxy
 
 ### Caddy
 
-After installing Caddy via your preferred method, create `/etc/caddy/conf.d/conduwuit_caddyfile`
-and enter the following (substitute your actual server name):
+Caddy is the recommended reverse proxy as it is easy to use, has good defaults,
+and handle TLS certificates automatically. After installing Caddy via your preferred
+method, create `/etc/caddy/conf.d/conduwuit_caddyfile` and enter the following
+(substitute `example.com` with your actual server name):
 
 ```
-your.server.name, your.server.name:8448 {
+example.com, example.com:8448 {
     # TCP reverse_proxy
-    reverse_proxy 127.0.0.1:6167
-    # UNIX socket
-    #reverse_proxy unix//run/conduwuit/conduwuit.sock
+    reverse_proxy 127.0.0.1:8008
 }
 ```
 
@@ -202,51 +191,45 @@ ### Caddy
 
 ### Other Reverse Proxies
 
-As we prefer our users to use Caddy, we do not provide configuration files for other proxies.
+Normally, your reverse proxy should route everything from port :8448 and :443 back to Continuwuity.
 
-You will need to reverse proxy everything under the following routes:
+For more granular controls, you will need to proxy everything under these following routes:
 
-- `/_matrix/` - core Matrix C-S and S-S APIs
-- `/_conduwuit/` and/or `/_continuwuity/` - ad-hoc Continuwuity routes such as `/local_user_count` and
-  `/server_version`
+- `/_matrix/` - core Matrix APIs, which includes:
+
+  - `/_matrix/federation` and `/_matrix/key` - core Server-Server APIs. These should be available on port :8448
+
+  - `/_matrix/client` - core Client-Server APIs. These should be available on port :443
+
+- `/_conduwuit/` and `/_continuwuity/` - ad-hoc Continuwuity routes for password resets, email verification, and server details such as `/local_user_count` and `/server_version`.
 
 You can optionally reverse proxy the following individual routes:
 
 - `/.well-known/matrix/client` and `/.well-known/matrix/server` if using
   Continuwuity to perform delegation (see the `[global.well_known]` config section)
 - `/.well-known/matrix/support` if using Continuwuity to send the homeserver admin
-  contact and support page (formerly known as MSC1929)
-- `/` if you would like to see `hewwo from conduwuit woof!` at the root
+  [contact and support page][well-known-support]
+- `/` and `/_continuwuity/logo.svg` if you would like to see the Continuwuity landing page
 
-See the following spec pages for more details on these files:
+Refer to the respective software's documentation and online guides on how to do so.
 
-- [`/.well-known/matrix/server`](https://spec.matrix.org/latest/client-server-api/#getwell-knownmatrixserver)
-- [`/.well-known/matrix/client`](https://spec.matrix.org/latest/client-server-api/#getwell-knownmatrixclient)
-- [`/.well-known/matrix/support`](https://spec.matrix.org/latest/client-server-api/#getwell-knownmatrixsupport)
+[well-known-support]: https://spec.matrix.org/v1.18/client-server-api/#getwell-knownmatrixsupport
 
-Examples of delegation:
+#### Caveats for specific reverse proxies
 
-- https://continuwuity.org/.well-known/matrix/server
-- https://continuwuity.org/.well-known/matrix/client
-- https://ellis.link/.well-known/matrix/server
-- https://ellis.link/.well-known/matrix/client
-
-For Apache and Nginx there are many examples available online.
-
-Lighttpd is not supported as it appears to interfere with the `X-Matrix` Authorization
+- Lighttpd is not supported as it appears to interfere with the `X-Matrix` Authorization
 header, making federation non-functional. If you find a workaround, please share it so we can add it to this documentation.
 
-If using Apache, you need to use `nocanon` in your `ProxyPass` directive to prevent httpd from interfering with the `X-Matrix` header (note that Apache is not ideal as a general reverse proxy, so we discourage using it if alternatives are available).
+- If using Apache, you need to use `nocanon` in your `ProxyPass` directive to prevent httpd from interfering with the `X-Matrix` header (note that Apache is not ideal as a general reverse proxy, so we discourage using it if alternatives are available).
 
-If using Nginx, you need to pass the request URI to Continuwuity using `$request_uri`, like this:
+- If using Nginx, you need to pass the request URI to Continuwuity using `$request_uri`, like this:
 
-- `proxy_pass http://127.0.0.1:6167$request_uri;`
-- `proxy_pass http://127.0.0.1:6167;`
+    - `proxy_pass http://127.0.0.1:6167$request_uri;`
+    - `proxy_pass http://127.0.0.1:6167;`
 
-Nginx users need to increase the `client_max_body_size` setting (default is 1M) to match the
-`max_request_size` defined in conduwuit.toml.
+    Furthermore, Nginx users need to increase the `client_max_body_size` setting (default is 1M) to match the `max_request_size` defined in conduwuit.toml.
 
-## You're done
+## Starting Your Server
 
 Now you can start Continuwuity with:
 
@@ -260,36 +243,53 @@ ## You're done
 sudo systemctl enable conduwuit
 ```
 
-## How do I know it works?
-
-You can open [a Matrix client](https://matrix.org/ecosystem/clients), enter your
-homeserver address, and try to register.
-
-You can also use these commands as a quick health check (replace
-`your.server.name`).
+Check Continuwuity logs with the following command:
 
 ```bash
-curl https://your.server.name/_conduwuit/server_version
-
-# If using port 8448
-curl https://your.server.name:8448/_conduwuit/server_version
-
-# If federation is enabled
-curl https://your.server.name:8448/_matrix/federation/v1/version
+sudo journalctl -u conduwuit.service
 ```
 
-- To check if your server can communicate with other homeservers, use the
-  [Matrix Federation Tester](https://federationtester.mtrnord.blog/). If you can
-  register but cannot join federated rooms, check your configuration and verify
-  that port 8448 is open and forwarded correctly.
+If Continuwuity has successfully initialized, you'll see output as below.
+
+```
+In order to use your new homeserver, you need to create its
+first user account.
+Open your Matrix client of choice and register an account
+on example.com using registration token x5keUZ811RqvLsNa .
+Pick your own username and password!
+```
+
+You can then open [a Matrix client][matrix-clients],
+enter your homeserver address, and try to register with the provided token.
+By default, the first user is the instance's first admin. They will be added
+to the `#admin:example.com` room and be able to [issue admin commands](../reference/admin/index.md).
+
+[matrix-clients]: https://matrix.org/ecosystem/clients
+
+## How do I know it works?
+
+To check if your server can communicate with other homeservers, use the
+[Matrix Federation Tester](https://federationtester.mtrnord.blog/). If you can
+register your account but cannot join federated rooms, check your configuration
+and verify that your federation endpoints are opened and forwarded correctly.
+
+As a quick health check, you can also use these cURL commands:
+
+```bash
+curl https://example.com/_conduwuit/server_version
+
+# If using port 8448
+curl https://example.com:8448/_conduwuit/server_version
+
+# If federation is enabled
+curl https://example.com:8448/_matrix/federation/v1/version
+
+# For client-server endpoints
+curl https://example.com/_matrix/client/versions
+```
 
 ## What's next?
 
-### Audio/Video calls
-
-For Audio/Video call functionality see the [Calls](../calls.md) page.
-
-### Appservices
-
-If you want to set up an appservice, take a look at the [Appservice
-Guide](../appservices.md).
+- For smooth federation, set up a caching resolver according to the [**DNS tuning guide**](../advanced/dns.mdx) (recommended)
+- For Audio/Video call functionality see the [**Calls**](../calls.md) page.
+- If you want to set up an appservice, take a look at the [**Appservice Guide**](../appservices.md).

docs/deploying/nomad.mdx

@@ -0,0 +1,118 @@
+# Continuwuity for Nomad
+
+You can either pass the configuration as environment variables or mount a file containing the configuration from consul.
+This given configuration assumes that you have a traefik reverse proxy running.
+
+## Persistence
+The database being a RockDB file, it is recommended to use a volume to persist the data.
+The example below uses a volume, you need to configure the CSI driver on your cluster.
+
+| Volume Name | Mount Path | Purpose |
+|-------------|------------|---------|
+| continuwuity-volume | `/var/lib/continuwuity` | Store the database |
+| continuwuity-media-volume | `/var/lib/continuwuity/media` | Store uploaded media |
+
+## Configuration
+### Using environment variables
+```hcl
+job "continuwuity" {
+  datacenters = ["dc1"]
+  type      = "service"
+  node_pool = "default"
+
+  group "continuwuity" {
+    count = 1
+
+    network {
+      port "http" {
+        static = 6167
+      }
+    }
+
+    service {
+      name = "continuwuity"
+      port = "http"
+      tags = [
+        "traefik.enable=true",
+        "traefik.http.routers.continuwuity.rule=(Host(`matrix.example.com`) || (Host(`example.com`) && PathPrefix(`/.well-known/matrix`)))",
+        "traefik.http.routers.continuwuity.entrypoints=https",
+        "traefik.http.routers.continuwuity.tls=true",
+        "traefik.http.routers.continuwuity.tls.certresolver=letsencrypt",
+        "traefik.http.routers.continuwuity-http.rule=(Host(`matrix.example.com`) || (Host(`example.com`) && PathPrefix(`/.well-known/matrix`)))",
+        "traefik.http.routers.continuwuity-http.entrypoints=http",
+        "traefik.http.routers.continuwuity-http.middlewares=continuwuity-redirect",
+        "traefik.http.middlewares.continuwuity-redirect.redirectscheme.scheme=https",
+        "traefik.http.middlewares.continuwuity-redirect.redirectscheme.permanent=true",
+      ]
+    }
+
+    volume "continuwuity-volume" {
+      type            = "csi"
+      read_only       = false
+      source          = "continuwuity-volume"
+      attachment_mode = "file-system"
+      access_mode     = "single-node-writer"
+      per_alloc       = false
+    }
+
+    volume "continuwuity-media-volume" {
+      type            = "csi"
+      read_only       = false
+      source          = "continuwuity-media-volume"
+      attachment_mode = "file-system"
+      access_mode     = "single-node-writer"
+      per_alloc       = false
+
+      mount_options {
+        mount_flags = []
+      }
+    }
+
+    task "continuwuity" {
+      driver = "docker"
+
+      env {
+        CONTINUWUITY_SERVER_NAME        = "matrix.example.com"
+        CONTINUWUITY_TRUSTED_SERVERS    = "[\"matrix.org\", \"mozilla.org\"]"
+        CONTINUWUITY_ALLOW_REGISTRATION = false
+        CONTINUWUITY_ADDRESS            = "0.0.0.0"
+        CONTINUWUITY_PORT               = 6167
+        CONTINUWUITY_DATABASE_PATH      = "/var/lib/continuwuity"
+        CONTINUWUITY_WELL_KNOWN         = <<EOF
+{
+client=https://matrix.example.com,
+server=matrix.example.com:443
+}
+EOF
+      }
+
+      config {
+        image = "forgejo.ellis.link/continuwuation/continuwuity:latest"
+        ports = ["http"]
+      }
+
+      volume_mount {
+        volume      = "continuwuity-volume"
+        destination = "/var/lib/continuwuity"
+      }
+
+      volume_mount {
+        volume      = "continuwuity-media-volume"
+        destination = "/var/lib/continuwuity/media"
+      }
+    }
+  }
+}
+```
+
+### Using consul
+```hcl
+...
+      template {
+        data = <<EOF
+{{key "config/continuwuity"}}
+EOF
+        destination = "local/conduwuit.toml"
+      }
+...
+```

docs/public/.well-known/continuwuity/announcements

@@ -6,10 +6,10 @@
             "message": "Welcome to Continuwuity! Important announcements about the project will appear here."
         },
         {
-            "id": 11,
+            "id": 12,
             "mention_room": false,
-            "date": "2026-04-17",
-            "message": "[v0.5.7](https://forgejo.ellis.link/continuwuation/continuwuity/releases/tag/v0.5.7) is out! Email verification! Terms and Conditions! Deleting notification pushers! So much good stuff. Go grab the release and read the changelog!"
+            "date": "2026-04-24",
+            "message": "[v0.5.8](https://forgejo.ellis.link/continuwuation/continuwuity/releases/tag/v0.5.8) is out! This is a patch release which fixes a bug in 0.5.7's email support -- upgrade soon if you use that feature."
         }
     ]
 }

docs/public/advanced/delegated.docker-compose.for-traefik.yml

@@ -0,0 +1,43 @@
+# Continuwuity - Behind Traefik Reverse Proxy
+
+services:
+  homeserver:
+    image: "forgejo.ellis.link/continuwuation/continuwuity:latest"
+    restart: unless-stopped
+    command: /sbin/conduwuit
+    volumes:
+      - db:/var/lib/continuwuity
+      - ./continuwuity-resolv.conf:/etc/resolv.conf # use custom resolvers rather than Docker's
+      #- ./continuwuity.toml:/etc/continuwuity.toml
+    networks:
+      - proxy
+    labels:
+      - "traefik.enable=true"
+      - "traefik.http.routers.continuwuity.rule=(Host(`matrix.example.com`) || (Host(`example.com`) && PathPrefix(`/.well-known/matrix`)))"
+      - "traefik.http.routers.continuwuity.entrypoints=websecure" # your HTTPS entry point
+      - "traefik.http.routers.continuwuity.tls=true"
+      - "traefik.http.routers.continuwuity.service=continuwuity"
+      - "traefik.http.services.continuwuity.loadbalancer.server.port=8008"
+      # possibly, depending on your config:
+      # - "traefik.http.routers.continuwuity.tls.certresolver=letsencrypt"
+    environment:
+      CONTINUWUITY_SERVER_NAME: example.com # EDIT THIS
+      CONTINUWUITY_DATABASE_PATH: /var/lib/continuwuity
+      CONTINUWUITY_ADDRESS: 0.0.0.0
+      CONTINUWUITY_PORT: 8008 # This must match with traefik's loadbalancer label
+      #CONTINUWUITY_CONFIG: '/etc/continuwuity.toml' # Uncomment if you mapped config toml above
+
+      # Serve .well-known files to tell others to reach Continuwuity on port :443
+      CONTINUWUITY_WELL_KNOWN: |
+        {
+        client=https://matrix.example.com,
+        server=matrix.example.com:443
+        }
+
+volumes:
+  db:
+
+networks:
+  # This must match the network name that Traefik listens on
+  proxy:
+    external: true

docs/public/advanced/delegated.docker-compose.with-caddy-labels.yml

@@ -0,0 +1,54 @@
+# Continuwuity - With Caddy Labels
+
+services:
+    caddy:
+    # This compose file uses caddy-docker-proxy as the reverse proxy for Continuwuity!
+    # For more info, visit https://github.com/lucaslorentz/caddy-docker-proxy
+        image: "docker.io/lucaslorentz/caddy-docker-proxy:ci-alpine"
+        ports:
+            - 80:80
+            - 443:443
+        environment:
+            - CADDY_INGRESS_NETWORKS=caddy
+        networks:
+            - caddy
+        volumes:
+            - /var/run/docker.sock:/var/run/docker.sock
+            - ./data:/data
+        restart: unless-stopped
+        labels:
+            caddy: example.com
+            caddy.reverse_proxy: /.well-known/matrix/* homeserver:8008
+
+    homeserver:
+        image: "forgejo.ellis.link/continuwuation/continuwuity:latest"
+        restart: unless-stopped
+        command: /sbin/conduwuit
+        volumes:
+            - db:/var/lib/continuwuity
+            - ./continuwuity-resolv.conf:/etc/resolv.conf # use custom resolvers rather than Docker's
+            #- ./continuwuity.toml:/etc/continuwuity.toml
+        environment:
+            CONTINUWUITY_SERVER_NAME: example.com # EDIT THIS
+            CONTINUWUITY_DATABASE_PATH: /var/lib/continuwuity
+            CONTINUWUITY_ADDRESS: 0.0.0.0
+            CONTINUWUITY_PORT: 8008
+            #CONTINUWUITY_CONFIG: '/etc/continuwuity.toml' # Uncomment if you mapped config toml above
+
+            # Serve .well-known files to tell others to reach Continuwuity on port :443
+            CONTINUWUITY_WELL_KNOWN: |
+                {
+                client=https://matrix.example.com,
+                server=matrix.example.com:443
+                }
+
+        networks:
+            - caddy
+        labels:
+            caddy: matrix.example.com
+            caddy.reverse_proxy: "{{upstreams 8008}}"
+volumes:
+    db:
+
+networks:
+    caddy:

docs/public/advanced/delegated.docker-compose.with-caddy.yml

@@ -0,0 +1,57 @@
+# Continuwuity - Using Caddy Docker Image
+
+services:
+    caddy:
+        image: "docker.io/caddy:latest"
+        ports:
+            - 80:80
+            - 443:443
+        networks:
+            - caddy
+        volumes:
+            - ./data:/data
+        restart: unless-stopped
+        configs:
+            - source: Caddyfile
+              target: /etc/caddy/Caddyfile
+
+    homeserver:
+        image: "forgejo.ellis.link/continuwuation/continuwuity:latest"
+        restart: unless-stopped
+        command: /sbin/conduwuit
+        volumes:
+            - db:/var/lib/continuwuity
+            - ./continuwuity-resolv.conf:/etc/resolv.conf # use custom resolvers rather than Docker's
+            #- ./continuwuity.toml:/etc/continuwuity.toml
+        environment:
+            CONTINUWUITY_SERVER_NAME: example.com
+            CONTINUWUITY_DATABASE_PATH: /var/lib/continuwuity
+            CONTINUWUITY_ADDRESS: 0.0.0.0
+            CONTINUWUITY_PORT: 8008
+            #CONTINUWUITY_CONFIG: '/etc/continuwuity.toml' # Uncomment if you mapped config toml above
+
+            ## Serve .well-known files to tell others to reach Continuwuity on port :443
+            CONTINUWUITY_WELL_KNOWN: |
+                {
+                client=https://matrix.example.com,
+                server=matrix.example.com:443
+                }
+
+        networks:
+            - caddy
+
+networks:
+    caddy:
+
+volumes:
+    db:
+
+configs:
+    Caddyfile:
+        content: |
+            https://matrix.example.com:443 {
+                reverse_proxy http://homeserver:8008
+            }
+            https://example.com:443 {
+                reverse_proxy /.well-known/matrix* http://homeserver:8008
+            }

docs/public/advanced/delegated.docker-compose.with-traefik.yml

@@ -0,0 +1,85 @@
+# Continuwuity - With Traefik Reverse Proxy
+
+services:
+  homeserver:
+    image: "forgejo.ellis.link/continuwuation/continuwuity:latest"
+    restart: unless-stopped
+    command: /sbin/conduwuit
+    volumes:
+      - db:/var/lib/continuwuity
+      - ./continuwuity-resolv.conf:/etc/resolv.conf # use custom resolvers rather than Docker's
+      #- ./continuwuity.toml:/etc/continuwuity.toml
+    networks:
+      - proxy
+    labels:
+      - "traefik.enable=true"
+      - "traefik.http.routers.continuwuity.rule=(Host(`matrix.example.com`) || (Host(`example.com`) && PathPrefix(`/.well-known/matrix`)))"
+      - "traefik.http.routers.continuwuity.entrypoints=websecure"
+      - "traefik.http.routers.continuwuity.tls.certresolver=letsencrypt"
+      - "traefik.http.services.continuwuity.loadbalancer.server.port=8008"
+    environment:
+      CONTINUWUITY_SERVER_NAME: example.com # EDIT THIS
+      CONTINUWUITY_DATABASE_PATH: /var/lib/continuwuity
+      CONTINUWUITY_ADDRESS: 0.0.0.0
+      CONTINUWUITY_PORT: 8008 # This must match with traefik's loadbalancer label
+      #CONTINUWUITY_CONFIG: '/etc/continuwuity.toml' # Uncomment if you mapped config toml above
+
+      # Serve .well-known files to tell others to reach Continuwuity on port :443
+      CONTINUWUITY_WELL_KNOWN: |
+        {
+          client=https://matrix.example.com,
+          server=matrix.example.com:443
+        }
+
+  traefik:
+    image: "docker.io/traefik:latest"
+    container_name: "traefik"
+    restart: "unless-stopped"
+    ports:
+      - "80:80"
+      - "443:443"
+    volumes:
+      - "/var/run/docker.sock:/var/run/docker.sock:ro"
+      - "acme:/etc/traefik/acme"
+    labels:
+      - "traefik.enable=true"
+
+      # middleware redirect
+      - "traefik.http.middlewares.redirect-to-https.redirectscheme.scheme=https"
+      # global redirect to https
+      - "traefik.http.routers.redirs.rule=hostregexp(`{host:.+}`)"
+      - "traefik.http.routers.redirs.entrypoints=web"
+      - "traefik.http.routers.redirs.middlewares=redirect-to-https"
+
+    environment:
+
+      TRAEFIK_LOG_LEVEL: DEBUG
+      TRAEFIK_ENTRYPOINTS_WEB: true
+      TRAEFIK_ENTRYPOINTS_WEB_ADDRESS: ":80"
+      TRAEFIK_ENTRYPOINTS_WEB_HTTP_REDIRECTIONS_ENTRYPOINT_TO: websecure
+
+      TRAEFIK_ENTRYPOINTS_WEBSECURE: true
+      TRAEFIK_ENTRYPOINTS_WEBSECURE_ADDRESS: ":443"
+      TRAEFIK_ENTRYPOINTS_WEBSECURE_HTTP_TLS_CERTRESOLVER: letsencrypt
+
+      TRAEFIK_CERTIFICATESRESOLVERS_LETSENCRYPT: true
+      # CHANGE THIS to desired email for ACME
+      TRAEFIK_CERTIFICATESRESOLVERS_LETSENCRYPT_ACME_EMAIL: user@example.com
+      TRAEFIK_CERTIFICATESRESOLVERS_LETSENCRYPT_ACME_HTTPCHALLENGE: true
+      TRAEFIK_CERTIFICATESRESOLVERS_LETSENCRYPT_ACME_HTTPCHALLENGE_ENTRYPOINT: web
+      TRAEFIK_CERTIFICATESRESOLVERS_LETSENCRYPT_ACME_STORAGE: "/etc/traefik/acme/acme.json"
+
+      # Since Traefik 3.6.3, paths with certain "encoded characters" are now blocked by default; we need a couple, or else things *will* break
+      TRAEFIK_ENTRYPOINTS_WEBSECURE_HTTP_ENCODEDCHARACTERS_ALLOWENCODEDSLASH: true
+      TRAEFIK_ENTRYPOINTS_WEBSECURE_HTTP_ENCODEDCHARACTERS_ALLOWENCODEDHASH: true
+
+      TRAEFIK_PROVIDERS_DOCKER: true
+      TRAEFIK_PROVIDERS_DOCKER_ENDPOINT: "unix:///var/run/docker.sock"
+      TRAEFIK_PROVIDERS_DOCKER_EXPOSEDBYDEFAULT: false
+
+volumes:
+  db:
+  acme:
+
+networks:
+  proxy:

docs/public/deploying/docker-compose.for-traefik.yml

@@ -2,7 +2,7 @@
 
 services:
   homeserver:
-    image: forgejo.ellis.link/continuwuation/continuwuity:latest
+    image: "forgejo.ellis.link/continuwuation/continuwuity:latest"
     restart: unless-stopped
     command: /sbin/conduwuit
     volumes:
@@ -38,7 +38,6 @@ volumes:
   db:
 
 networks:
-  # This is the network Traefik listens to, if your network has a different
-  # name, don't forget to change it here and in the docker-compose.override.yml
+  # This must match the network name that Traefik listens on
   proxy:
     external: true

docs/public/deploying/docker-compose.override.yml

@@ -1,10 +1,10 @@
-# Continuwuity - Traefik Reverse Proxy Labels
+# Continuwuity - Traefik Reverse Proxy Labels (override file)
 
 services:
   homeserver:
     labels:
       - "traefik.enable=true"
-      - "traefik.docker.network=proxy"  # Change this to the name of your Traefik docker proxy network
+      - "traefik.docker.network=proxy" # Change this to the name of your Traefik docker proxy network
 
       - "traefik.http.routers.to-continuwuity.rule=Host(`example.com`)"  # Change to the address on which Continuwuity is hosted
       - "traefik.http.routers.to-continuwuity.tls=true"
@@ -14,13 +14,10 @@ services:
       # This must match with CONTINUWUITY_PORT (default: 8008)
       - "traefik.http.services.to_continuwuity.loadbalancer.server.port=8008"
 
-      - "traefik.http.middlewares.cors-headers.headers.accessControlAllowOriginList=*"
-      - "traefik.http.middlewares.cors-headers.headers.accessControlAllowHeaders=Origin, X-Requested-With, Content-Type, Accept, Authorization"
-      - "traefik.http.middlewares.cors-headers.headers.accessControlAllowMethods=GET, POST, PUT, DELETE, OPTIONS"
-
       # If you want to have your account on <DOMAIN>, but host Continuwuity on a subdomain,
-      # you can let it only handle the well known file on that domain instead
-      #- "traefik.http.routers.to-matrix-wellknown.rule=Host(`example.com`) && PathPrefix(`/.well-known/matrix`)"
+      # you can let it only handle the well known file on the base domain instead
+      #
+      # - "traefik.http.routers.to-matrix-wellknown.rule=Host(`example.com`) && PathPrefix(`/.well-known/matrix`)"
       #- "traefik.http.routers.to-matrix-wellknown.tls=true"
       #- "traefik.http.routers.to-matrix-wellknown.tls.certresolver=letsencrypt"
       #- "traefik.http.routers.to-matrix-wellknown.middlewares=cors-headers@docker"

docs/public/deploying/docker-compose.with-caddy-labels.yml

@@ -1,8 +1,10 @@
+# Continuwuity - With Caddy Labels
+
 services:
     caddy:
     # This compose file uses caddy-docker-proxy as the reverse proxy for Continuwuity!
     # For more info, visit https://github.com/lucaslorentz/caddy-docker-proxy
-        image: lucaslorentz/caddy-docker-proxy:ci-alpine
+        image: "docker.io/lucaslorentz/caddy-docker-proxy:ci-alpine"
         ports:
             - 80:80
             - 443:443
@@ -16,7 +18,7 @@ services:
         restart: unless-stopped
 
     homeserver:
-        image: forgejo.ellis.link/continuwuation/continuwuity:latest
+        image: "forgejo.ellis.link/continuwuation/continuwuity:latest"
         restart: unless-stopped
         command: /sbin/conduwuit
         volumes:

docs/public/deploying/docker-compose.with-caddy.yml

@@ -1,6 +1,8 @@
+# Continuwuity - Using Caddy Docker Image
+
 services:
     caddy:
-        image: docker.io/caddy:latest
+        image: "docker.io/caddy:latest"
         ports:
             - 80:80
             - 443:443
@@ -15,7 +17,7 @@ services:
               target: /etc/caddy/Caddyfile
 
     homeserver:
-        image: forgejo.ellis.link/continuwuation/continuwuity:latest
+        image: "forgejo.ellis.link/continuwuation/continuwuity:latest"
         restart: unless-stopped
         command: /sbin/conduwuit
         volumes:
@@ -37,7 +39,6 @@ services:
             #     server=example.com:443
             #     }
 
-
         networks:
             - caddy
 
@@ -48,8 +49,8 @@ volumes:
     db:
 
 configs:
-    dynamic.yml:
+    Caddyfile:
         content: |
-            https://example.com, https://example.com:8448 {
+            https://example.com:443, https://example.com:8448 {
                 reverse_proxy http://homeserver:8008
             }

docs/public/deploying/docker-compose.with-traefik.yml

@@ -1,8 +1,8 @@
-# Continuwuity - Behind Traefik Reverse Proxy
+# Continuwuity - With Traefik Reverse Proxy
 
 services:
   homeserver:
-    image: forgejo.ellis.link/continuwuation/continuwuity:latest
+    image: "forgejo.ellis.link/continuwuation/continuwuity:latest"
     restart: unless-stopped
     command: /sbin/conduwuit
     volumes:
@@ -32,14 +32,14 @@ services:
         }
 
   traefik:
-    image: "traefik:latest"
+    image: "docker.io/traefik:latest"
     container_name: "traefik"
     restart: "unless-stopped"
     ports:
       - "80:80"
       - "443:443"
     volumes:
-      - "/var/run/docker.sock:/var/run/docker.sock:z"
+      - "/var/run/docker.sock:/var/run/docker.sock:ro"
       - "acme:/etc/traefik/acme"
     labels:
       - "traefik.enable=true"
@@ -52,6 +52,7 @@ services:
       - "traefik.http.routers.redirs.middlewares=redirect-to-https"
 
     environment:
+
       TRAEFIK_LOG_LEVEL: DEBUG
       TRAEFIK_ENTRYPOINTS_WEB: true
       TRAEFIK_ENTRYPOINTS_WEB_ADDRESS: ":80"

docs/public/deploying/docker-compose.yml

@@ -1,12 +1,23 @@
-# Continuwuity
+# Continuwuity - Bare Configuration (for other reverse proxies)
 
 services:
     homeserver:
-        image: forgejo.ellis.link/continuwuation/continuwuity:latest
+        image: "forgejo.ellis.link/continuwuation/continuwuity:latest"
         restart: unless-stopped
         command: /sbin/conduwuit
         ports:
+
+            # If your reverse proxy is on the host, use this
+            # and configure it to connect to `127.0.0.1:8008`
             - 127.0.0.1:8008:8008
+
+            # If your reverse proxy is on another machine, use this
+            # and configure it to connect to <this-machine-ip>:8008
+            # - 8008:8008
+
+            # If your reverse proxy is a docker container on the same network,
+            # comment out the entire `ports` section, and configure it to connect to `continuwuity:8008`
+
         volumes:
             - db:/var/lib/continuwuity
             - ./continuwuity-resolv.conf:/etc/resolv.conf # use custom resolvers rather than Docker's
@@ -26,6 +37,5 @@ services:
             #     server=example.com:443
             #     }
 
-
 volumes:
     db:

docs/reference/admin/index.md

@@ -7,7 +7,7 @@ ## Running commands
 
 * All commands listed here may be used by server administrators in the admin room by sending them as messages.
 * If the `admin_escape_commands` configuration option is enabled, server administrators may run certain commands in public rooms by prefixing them with a single backslash. These commands will only run on _their_ homeserver, even if they are a member of another homeserver's admin room. Some sensitive commands cannot be used outside the admin room and will return an error.
-* All commands listed here may be used in the server's console, if it is enabled. Commands entered in the console do not require the `!admin` prefix.
+* All commands listed here may be used in the server's console, if it is enabled. Commands entered in the console do not require the `!admin` prefix. If Continuwuity is deployed via Docker, be sure to set the appropriate options detailed in [the Docker deployment guide](../../deploying/docker.mdx#accessing-the-servers-console) to enable access to the server's console.
 
 ## Categories
 

rspress.config.ts

@@ -20,7 +20,11 @@ export default defineConfig({
                     '/deploying/docker-compose.for-traefik.yml',
                     '/deploying/docker-compose.with-traefik.yml',
                     `/deploying/docker-compose.override.yml`,
-                    `/deploying/docker-compose.yml`
+                    `/deploying/docker-compose.yml`,
+                    '/advanced/delegated.docker-compose.with-caddy.yml',
+                    '/advanced/delegated.docker-compose.with-caddy-labels.yml',
+                    '/advanced/delegated.docker-compose.for-traefik.yml',
+                    '/advanced/delegated.docker-compose.with-traefik.yml',
                 ]
             },
         },

src/api/Cargo.toml

@@ -29,10 +29,6 @@ gzip_compression = [
 	"conduwuit-service/gzip_compression",
 	"reqwest/gzip",
 ]
-http3 = [
-	"conduwuit-core/http3",
-	"conduwuit-service/http3",
-]
 io_uring = [
 	"conduwuit-service/io_uring",
 ]

src/api/server/send.rs

@@ -15,6 +15,7 @@
 		IterStream, ReadyExt, millis_since_unix_epoch,
 		stream::{BroadbandExt, TryBroadbandExt, automatic_width},
 	},
+	warn,
 };
 use conduwuit_service::{
 	Services,
@@ -152,7 +153,7 @@ async fn process_inbound_transaction(
 		.iter()
 		.stream()
 		.broad_then(|pdu| services.rooms.event_handler.parse_incoming_pdu(pdu))
-		.inspect_err(|e| debug_warn!("Could not parse PDU: {e}"))
+		.inspect_err(|e| warn!("Could not parse incoming PDU: {e}"))
 		.ready_filter_map(Result::ok);
 
 	let edus = body
@@ -283,17 +284,16 @@ async fn build_local_dag(
 	let mut dag: HashMap<OwnedEventId, HashSet<OwnedEventId>> = HashMap::new();
 
 	for (event_id, value) in pdu_map {
+		// We already checked that these properties are correct in parse_incoming_pdu,
+		// so it's safe to unwrap here.
 		let prev_events = value
 			.get("prev_events")
-			.expect("pdu must have prev_events")
+			.unwrap()
 			.as_array()
-			.expect("prev_events must be an array")
+			.unwrap()
 			.iter()
-			.map(|v| {
-				OwnedEventId::parse(v.as_str().expect("prev_events values must be strings"))
-					.expect("prev_events must be valid event IDs")
-			})
-			.collect::<HashSet<OwnedEventId>>();
+			.map(|v| OwnedEventId::parse(v.as_str().unwrap()).unwrap())
+			.collect();
 
 		dag.insert(event_id.clone(), prev_events);
 	}

src/core/Cargo.toml

@@ -25,9 +25,6 @@ conduwuit_mods = [
 gzip_compression = [
 	"reqwest/gzip",
 ]
-http3 = [
-	"reqwest/http3",
-]
 hardened_malloc = [
 	"dep:hardened_malloc-rs"
 ]
@@ -92,7 +89,7 @@ rand.workspace = true
 rand_core = { version = "0.6.4", features = ["getrandom"] }
 regex.workspace = true
 reqwest.workspace = true
-ring.workspace = true
+sha2.workspace = true
 ruma.workspace = true
 sanitize-filename.workspace = true
 serde_json.workspace = true

src/core/utils/hash/sha256.rs

@@ -1,19 +1,16 @@
-use ring::{
-	digest,
-	digest::{Context, SHA256, SHA256_OUTPUT_LEN},
-};
+use sha2::{Digest, Sha256};
 
-pub type Digest = [u8; SHA256_OUTPUT_LEN];
+pub type DigestOut = [u8; 256 / 8];
 
 /// Sha256 hash (input gather joined by 0xFF bytes)
 #[must_use]
 #[tracing::instrument(skip(inputs), level = "trace")]
-pub fn delimited<'a, T, I>(mut inputs: I) -> Digest
+pub fn delimited<'a, T, I>(mut inputs: I) -> DigestOut
 where
 	I: Iterator<Item = T> + 'a,
 	T: AsRef<[u8]> + 'a,
 {
-	let mut ctx = Context::new(&SHA256);
+	let mut ctx = Sha256::new();
 	if let Some(input) = inputs.next() {
 		ctx.update(input.as_ref());
 		for input in inputs {
@@ -22,8 +19,7 @@ pub fn delimited<'a, T, I>(mut inputs: I) -> Digest
 		}
 	}
 
-	ctx.finish()
-		.as_ref()
+	ctx.finalize()
 		.try_into()
 		.expect("failed to return Digest buffer")
 }
@@ -31,18 +27,17 @@ pub fn delimited<'a, T, I>(mut inputs: I) -> Digest
 /// Sha256 hash (input gather)
 #[must_use]
 #[tracing::instrument(skip(inputs), level = "trace")]
-pub fn concat<'a, T, I>(inputs: I) -> Digest
+pub fn concat<'a, T, I>(inputs: I) -> DigestOut
 where
 	I: Iterator<Item = T> + 'a,
 	T: AsRef<[u8]> + 'a,
 {
 	inputs
-		.fold(Context::new(&SHA256), |mut ctx, input| {
+		.fold(Sha256::new(), |mut ctx, input| {
 			ctx.update(input.as_ref());
 			ctx
 		})
-		.finish()
-		.as_ref()
+		.finalize()
 		.try_into()
 		.expect("failed to return Digest buffer")
 }
@@ -51,12 +46,11 @@ pub fn concat<'a, T, I>(inputs: I) -> Digest
 #[inline]
 #[must_use]
 #[tracing::instrument(skip(input), level = "trace")]
-pub fn hash<T>(input: T) -> Digest
+pub fn hash<T>(input: T) -> DigestOut
 where
 	T: AsRef<[u8]>,
 {
-	digest::digest(&SHA256, input.as_ref())
-		.as_ref()
+	Sha256::digest(input)
 		.try_into()
 		.expect("failed to return Digest buffer")
 }

src/main/Cargo.toml

@@ -43,6 +43,7 @@ assets = [
 default = [
     "standard",
     "release_max_log_level",
+    "ring",
 	"bindgen-runtime", # replace with bindgen-static on alpine
 ]
 standard = [
@@ -100,9 +101,14 @@ hardened_malloc = [
 	"conduwuit-core/hardened_malloc",
 ]
 http3 = [
-	"conduwuit-api/http3",
-	"conduwuit-core/http3",
-	"conduwuit-service/http3",
+    "reqwest/http3"
+]
+ring = [
+    "rustls/ring"
+]
+aws_lc_rs = [
+    "rustls/aws_lc_rs",
+    "dep:aws-lc-rs"
 ]
 io_uring = [
 	"conduwuit-database/io_uring",
@@ -238,6 +244,9 @@ tracing-subscriber.workspace = true
 tracing.workspace = true
 tracing-journald = { workspace = true, optional = true }
 parking_lot.workspace = true
+reqwest = { workspace = true, default-features = false }
+rustls = { workspace = true, default-features = false }
+aws-lc-rs = { version = "1.16.3", default-features = false, optional = true }
 
 
 [target.'cfg(all(not(target_env = "msvc"), target_os = "linux"))'.dependencies]

src/main/mod.rs

@@ -33,6 +33,18 @@ pub fn run_with_args(args: &Args) -> Result<()> {
 	// Spawn deadlock detection thread
 	deadlock::spawn();
 
+	// Because we're not using rustls default-tls, we have to initialise a TLS
+	// provider
+	#[cfg(feature = "aws_lc_rs")]
+	rustls::crypto::aws_lc_rs::default_provider()
+		.install_default()
+		.expect("failed to initialise ring rustls crypto provider");
+
+	#[cfg(all(feature = "ring", not(feature = "aws_lc_rs")))]
+	rustls::crypto::ring::default_provider()
+		.install_default()
+		.expect("failed to initialise ring rustls crypto provider");
+
 	let runtime = runtime::new(args)?;
 	let server = Server::new(args, Some(runtime.handle()))?;
 

src/router/Cargo.toml

@@ -24,7 +24,7 @@ brotli_compression = [
 	"tower-http/compression-br",
 ]
 direct_tls = [
-	"axum-server/tls-rustls",
+	"axum-server/tls-rustls-no-provider",
 	"dep:rustls",
 	"dep:axum-server-dual-protocol",
 ]

src/router/serve/tls.rs

@@ -13,7 +13,7 @@
 pub(super) async fn serve(
 	server: &Arc<Server>,
 	app: Router,
-	handle: ServerHandle,
+	handle: ServerHandle<SocketAddr>,
 	addrs: Vec<SocketAddr>,
 ) -> Result {
 	let tls = &server.config.tls;
@@ -24,13 +24,6 @@ pub(super) async fn serve(
 		.key
 		.as_ref()
 		.ok_or_else(|| err!(Config("tls.key", "Missing required value in tls config section")))?;
-
-	// we use ring for ruma and hashing state, but aws-lc-rs is the new default.
-	// without this, TLS mode will panic.
-	rustls::crypto::aws_lc_rs::default_provider()
-		.install_default()
-		.expect("failed to initialise aws-lc-rs rustls crypto provider");
-
 	info!(
 		"Note: It is strongly recommended that you use a reverse proxy instead of running \
 		 conduwuit directly with TLS."

src/service/Cargo.toml

@@ -33,9 +33,6 @@ gzip_compression = [
 	"conduwuit-core/gzip_compression",
 	"reqwest/gzip",
 ]
-http3 = [
-	"conduwuit-core/http3",
-]
 io_uring = [
 	"conduwuit-database/io_uring",
 ]

src/service/rooms/event_handler/parse_incoming_pdu.rs

@@ -1,12 +1,95 @@
+use std::str::FromStr;
+
 use conduwuit::{
-	Result, RoomVersion, err, implement, matrix::event::gen_event_id_canonical_json,
-	result::FlatOk,
+	Err, Result, err, implement,
+	matrix::event::{gen_event_id, gen_event_id_canonical_json},
 };
+use itertools::Itertools;
 use ruma::{CanonicalJsonObject, CanonicalJsonValue, OwnedEventId, OwnedRoomId, RoomVersionId};
 use serde_json::value::RawValue as RawJsonValue;
 
 type Parsed = (OwnedRoomId, OwnedEventId, CanonicalJsonObject);
 
+/// Extracts the expected room ID from the PDU. If the PDU claims its own room
+/// ID, that is returned. Since `m.room.create` in v12 and onward lacks this
+/// field over federation, it will be calculated if not provided, otherwise a
+/// validation error will be returned.
+fn extract_room_id(event_type: &str, pdu: &CanonicalJsonObject) -> Result<OwnedRoomId> {
+	use RoomVersionId::*;
+	if let Some(room_id) = pdu.get("room_id").and_then(CanonicalJsonValue::as_str) {
+		return OwnedRoomId::parse(room_id)
+			.map_err(|e| err!(Request(BadJson("Invalid room_id {room_id:?} in pdu: {e}"))));
+	}
+	// If there's no room ID, and this is not a create event, it is illegal.
+	if event_type != "m.room.create" || pdu.get("state_key").is_none() {
+		return Err!(Request(BadJson("Missing room_id in pdu")));
+	}
+
+	// Room versions 11 and below require the room ID is present.
+	let room_version_id = RoomVersionId::from_str(
+		pdu.get("content")
+			.and_then(CanonicalJsonValue::as_object)
+			.ok_or_else(|| err!(Request(InvalidParam("Missing or invalid content in pdu"))))?
+			.get("room_version")
+			.and_then(CanonicalJsonValue::as_str)
+			.unwrap_or("1"), // Omitted room versions default to v1
+	)
+	.map_err(|e| err!(Request(BadJson("Invalid room_version in pdu: {e}"))))?;
+
+	if matches!(room_version_id, V1 | V2 | V3 | V4 | V5 | V6 | V7 | V8 | V9 | V10 | V11) {
+		return Err!(Request(BadJson("Missing room_id in pdu")));
+	}
+	let event_id = gen_event_id(pdu, &room_version_id)?;
+	Ok(OwnedRoomId::parse(event_id.as_str().replace('$', "!"))
+		.expect("constructed room ID has to be valid"))
+}
+
+/// Parses every entry in an array as an event ID, returning an error if any
+/// step fails.
+fn expect_event_id_array(value: &CanonicalJsonObject, field: &str) -> Result<Vec<OwnedEventId>> {
+	value
+		.get(field)
+		.ok_or_else(|| err!(Request(BadJson("missing field `{field}` on PDU"))))?
+		.as_array()
+		.ok_or_else(|| err!(Request(BadJson("expected an array PDU field `{field}`"))))?
+		.iter()
+		.map(|v| {
+			v.as_str()
+				.ok_or_else(|| {
+					err!(Request(BadJson("expected an array of event IDs for `{field}`")))
+				})
+				.and_then(|s| {
+					OwnedEventId::parse(s)
+						.map_err(|e| err!(Request(BadJson("invalid event ID in `{field}`: {e}"))))
+				})
+		})
+		.try_collect()
+}
+
+/// Performs some basic validation on the PDU to make sure it's not obviously
+/// malformed. This is not a full validation, but guards against extreme errors.
+///
+/// Currently, this just validates that prev/auth events are within acceptable
+/// ranges. Other servers do some additional things like checking depth range,
+/// but serde will do that later when converting the object to a PduEvent.
+#[implement(super::Service)]
+pub fn validate_pdu(&self, pdu: &CanonicalJsonObject) -> Result {
+	// Since v3:
+	// `event_id` should not be present on the PDU.
+	// NOTE: The above is ignored since technically it's still allowed to be
+	// included, but should be ignored instead.
+	// `auth_events` and `prev_events` must be an array of event IDs
+	let auth_events = expect_event_id_array(pdu, "auth_events")?;
+	if auth_events.len() > 10 {
+		return Err!(Request(BadJson("PDU has too many auth events")));
+	}
+	let prev_events = expect_event_id_array(pdu, "prev_events")?;
+	if prev_events.len() > 20 {
+		return Err!(Request(BadJson("PDU has too many prev events")));
+	}
+	Ok(())
+}
+
 #[implement(super::Service)]
 pub async fn parse_incoming_pdu(&self, pdu: &RawJsonValue) -> Result<Parsed> {
 	let value = serde_json::from_str::<CanonicalJsonObject>(pdu.get()).map_err(|e| {
@@ -17,39 +100,7 @@ pub async fn parse_incoming_pdu(&self, pdu: &RawJsonValue) -> Result<Parsed> {
 		.and_then(CanonicalJsonValue::as_str)
 		.ok_or_else(|| err!(Request(InvalidParam("Missing or invalid type in pdu"))))?;
 
-	let room_id: OwnedRoomId = if event_type != "m.room.create" {
-		value
-			.get("room_id")
-			.and_then(CanonicalJsonValue::as_str)
-			.map(OwnedRoomId::parse)
-			.flat_ok_or(err!(Request(InvalidParam("Invalid room_id in pdu"))))?
-	} else {
-		// v12 rooms might have no room_id in the create event. We'll need to check the
-		// content.room_version
-		let content = value
-			.get("content")
-			.and_then(CanonicalJsonValue::as_object)
-			.ok_or_else(|| err!(Request(InvalidParam("Missing or invalid content in pdu"))))?;
-		let room_version = content
-			.get("room_version")
-			.and_then(CanonicalJsonValue::as_str)
-			.unwrap_or("1");
-		let vi = RoomVersionId::try_from(room_version).unwrap_or(RoomVersionId::V1);
-		let vf = RoomVersion::new(&vi).expect("supported room version");
-		if vf.room_ids_as_hashes {
-			let (event_id, _) = gen_event_id_canonical_json(pdu, &vi).map_err(|e| {
-				err!(Request(InvalidParam("Could not convert event to canonical json: {e}")))
-			})?;
-			OwnedRoomId::parse(event_id.as_str().replace('$', "!")).expect("valid room ID")
-		} else {
-			// V11 or below room, room_id must be present
-			value
-				.get("room_id")
-				.and_then(CanonicalJsonValue::as_str)
-				.map(OwnedRoomId::parse)
-				.flat_ok_or(err!(Request(InvalidParam("Invalid or missing room_id in pdu"))))?
-		}
-	};
+	let room_id = extract_room_id(event_type, &value)?;
 
 	let room_version_id = self
 		.services
@@ -60,5 +111,6 @@ pub async fn parse_incoming_pdu(&self, pdu: &RawJsonValue) -> Result<Parsed> {
 	let (event_id, value) = gen_event_id_canonical_json(pdu, &room_version_id).map_err(|e| {
 		err!(Request(InvalidParam("Could not convert event to canonical json: {e}")))
 	})?;
+	self.validate_pdu(&value)?;
 	Ok((room_id, event_id, value))
 }