document all the fancy admin room config options and arguments

Signed-off-by: strawberry <strawberry@puppygock.gay>

.gitlab-ci.yml

@@ -58,7 +58,7 @@ before_script:
 
 ci:
   stage: ci
-  image: nixos/nix:2.23.3
+  image: nixos/nix:2.24.4
   script:
     # Cache CI dependencies
     - ./bin/nix-build-and-cache ci
@@ -83,7 +83,7 @@ ci:
 
 artifacts:
   stage: artifacts
-  image: nixos/nix:2.23.3
+  image: nixos/nix:2.24.4
   script:
     - ./bin/nix-build-and-cache just .#static-x86_64-unknown-linux-musl
     - cp result/bin/conduit x86_64-unknown-linux-musl

Cargo.lock

@@ -130,7 +130,7 @@ checksum = "16e62a023e7c117e27523144c5d2459f4397fcc3cab0085af8e2224f643a0193"
 dependencies = [
  "proc-macro2",
  "quote",
- "syn 2.0.75",
+ "syn 2.0.76",
 ]
 
 [[package]]
@@ -141,7 +141,7 @@ checksum = "6e0c28dcc82d7c8ead5cb13beb15405b57b8546e93215673ff8ca0349a028107"
 dependencies = [
  "proc-macro2",
  "quote",
- "syn 2.0.75",
+ "syn 2.0.76",
 ]
 
 [[package]]
@@ -376,7 +376,7 @@ dependencies = [
  "regex",
  "rustc-hash 1.1.0",
  "shlex",
- "syn 2.0.75",
+ "syn 2.0.76",
  "which",
 ]
 
@@ -572,7 +572,7 @@ dependencies = [
  "heck 0.5.0",
  "proc-macro2",
  "quote",
- "syn 2.0.75",
+ "syn 2.0.76",
 ]
 
 [[package]]
@@ -746,7 +746,7 @@ dependencies = [
  "itertools 0.13.0",
  "proc-macro2",
  "quote",
- "syn 2.0.75",
+ "syn 2.0.76",
 ]
 
 [[package]]
@@ -1042,7 +1042,7 @@ source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "edb49164822f3ee45b17acd4a208cfc1251410cf0cad9a833234c9890774dd9f"
 dependencies = [
  "quote",
- "syn 2.0.75",
+ "syn 2.0.76",
 ]
 
 [[package]]
@@ -1069,7 +1069,7 @@ checksum = "f46882e17999c6cc590af592290432be3bce0428cb0d5f8b6715e4dc7b383eb3"
 dependencies = [
  "proc-macro2",
  "quote",
- "syn 2.0.75",
+ "syn 2.0.76",
 ]
 
 [[package]]
@@ -1179,7 +1179,7 @@ dependencies = [
  "heck 0.4.1",
  "proc-macro2",
  "quote",
- "syn 2.0.75",
+ "syn 2.0.76",
 ]
 
 [[package]]
@@ -1331,7 +1331,7 @@ checksum = "87750cf4b7a4c0625b1529e4c543c2182106e4dedc60a2a6455e00d212c489ac"
 dependencies = [
  "proc-macro2",
  "quote",
- "syn 2.0.75",
+ "syn 2.0.76",
 ]
 
 [[package]]
@@ -1602,7 +1602,7 @@ dependencies = [
  "markup5ever",
  "proc-macro2",
  "quote",
- "syn 2.0.75",
+ "syn 2.0.76",
 ]
 
 [[package]]
@@ -1966,7 +1966,7 @@ dependencies = [
  "proc-macro2",
  "quote",
  "regex",
- "syn 2.0.75",
+ "syn 2.0.76",
 ]
 
 [[package]]
@@ -2497,7 +2497,7 @@ dependencies = [
  "proc-macro2",
  "proc-macro2-diagnostics",
  "quote",
- "syn 2.0.75",
+ "syn 2.0.76",
 ]
 
 [[package]]
@@ -2590,7 +2590,7 @@ checksum = "2f38a4412a78282e09a2cf38d195ea5420d15ba0602cb375210efbc877243965"
 dependencies = [
  "proc-macro2",
  "quote",
- "syn 2.0.75",
+ "syn 2.0.76",
 ]
 
 [[package]]
@@ -2662,7 +2662,7 @@ source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "5f12335488a2f3b0a83b14edad48dca9879ce89b2edd10e80237e4e852dd645e"
 dependencies = [
  "proc-macro2",
- "syn 2.0.75",
+ "syn 2.0.76",
 ]
 
 [[package]]
@@ -2691,7 +2691,7 @@ checksum = "af066a9c399a26e020ada66a034357a868728e72cd426f3adcd35f80d88d88c8"
 dependencies = [
  "proc-macro2",
  "quote",
- "syn 2.0.75",
+ "syn 2.0.76",
  "version_check",
  "yansi",
 ]
@@ -2716,7 +2716,7 @@ dependencies = [
  "itertools 0.13.0",
  "proc-macro2",
  "quote",
- "syn 2.0.75",
+ "syn 2.0.76",
 ]
 
 [[package]]
@@ -3131,7 +3131,7 @@ dependencies = [
  "quote",
  "ruma-identifiers-validation",
  "serde",
- "syn 2.0.75",
+ "syn 2.0.76",
  "toml",
 ]
 
@@ -3560,22 +3560,22 @@ dependencies = [
 
 [[package]]
 name = "serde"
-version = "1.0.208"
+version = "1.0.209"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "cff085d2cb684faa248efb494c39b68e522822ac0de72ccf08109abde717cfb2"
+checksum = "99fce0ffe7310761ca6bf9faf5115afbc19688edd00171d81b1bb1b116c63e09"
 dependencies = [
  "serde_derive",
 ]
 
 [[package]]
 name = "serde_derive"
-version = "1.0.208"
+version = "1.0.209"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "24008e81ff7613ed8e5ba0cfaf24e2c2f1e5b8a0495711e44fcd4882fca62bcf"
+checksum = "a5831b979fd7b5439637af1752d535ff49f4860c0f341d1baeb6faf0f4242170"
 dependencies = [
  "proc-macro2",
  "quote",
- "syn 2.0.75",
+ "syn 2.0.76",
 ]
 
 [[package]]
@@ -3869,9 +3869,9 @@ dependencies = [
 
 [[package]]
 name = "syn"
-version = "2.0.75"
+version = "2.0.76"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "f6af063034fc1935ede7be0122941bafa9bacb949334d090b77ca98b5817c7d9"
+checksum = "578e081a14e0cefc3279b0472138c513f37b41a08d5a3cca9b6e4e8ceb6cd525"
 dependencies = [
  "proc-macro2",
  "quote",
@@ -3947,7 +3947,7 @@ checksum = "a4558b58466b9ad7ca0f102865eccc95938dca1a74a856f2b57b6629050da261"
 dependencies = [
  "proc-macro2",
  "quote",
- "syn 2.0.75",
+ "syn 2.0.76",
 ]
 
 [[package]]
@@ -4058,9 +4058,9 @@ checksum = "1f3ccbac311fea05f86f61904b462b55fb3df8837a366dfc601a0161d0532f20"
 
 [[package]]
 name = "tokio"
-version = "1.39.3"
+version = "1.40.0"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "9babc99b9923bfa4804bd74722ff02c0381021eafa4db9949217e3be8e84fff5"
+checksum = "e2b070231665d27ad9ec9b8df639893f46727666c6767db40317fbe920a5d998"
 dependencies = [
  "backtrace",
  "bytes",
@@ -4082,7 +4082,7 @@ checksum = "693d596312e88961bc67d7f1f97af8a70227d9f90c31bba5806eec004978d752"
 dependencies = [
  "proc-macro2",
  "quote",
- "syn 2.0.75",
+ "syn 2.0.76",
 ]
 
 [[package]]
@@ -4306,7 +4306,7 @@ source = "git+https://github.com/girlbossceo/tracing?rev=4d78a14a5e03f539b8c6b47
 dependencies = [
  "proc-macro2",
  "quote",
- "syn 2.0.75",
+ "syn 2.0.76",
 ]
 
 [[package]]
@@ -4577,7 +4577,7 @@ dependencies = [
  "once_cell",
  "proc-macro2",
  "quote",
- "syn 2.0.75",
+ "syn 2.0.76",
  "wasm-bindgen-shared",
 ]
 
@@ -4611,7 +4611,7 @@ checksum = "afc340c74d9005395cf9dd098506f7f44e38f2b4a21c6aaacf9a105ea5e1e836"
 dependencies = [
  "proc-macro2",
  "quote",
- "syn 2.0.75",
+ "syn 2.0.76",
  "wasm-bindgen-backend",
  "wasm-bindgen-shared",
 ]
@@ -4976,7 +4976,7 @@ checksum = "fa4f8080344d4671fb4e831a13ad1e68092748387dfc4f55e356242fae12ce3e"
 dependencies = [
  "proc-macro2",
  "quote",
- "syn 2.0.75",
+ "syn 2.0.76",
 ]
 
 [[package]]
@@ -4996,7 +4996,7 @@ checksum = "ce36e65b0d2999d2aafac989fb249189a141aee1f53c612c1f37d72631959f69"
 dependencies = [
  "proc-macro2",
  "quote",
- "syn 2.0.75",
+ "syn 2.0.76",
 ]
 
 [[package]]

Cargo.toml

@@ -142,7 +142,7 @@ features = [
 ]
 
 [workspace.dependencies.serde]
-version = "1.0.204"
+version = "1.0.209"
 default-features = false
 features = ["rc"]
 
@@ -216,7 +216,7 @@ version = "0.3.30"
 default-features = false
 
 [workspace.dependencies.tokio]
-version = "1.39.2"
+version = "1.40.0"
 default-features = false
 features = [
 	"fs",
@@ -449,7 +449,7 @@ default-features = false
 version = "0.1"
 
 [workspace.dependencies.syn]
-version = "2.0.72"
+version = "2.0.76"
 default-features = false
 features = ["full", "extra-traits"]
 

README.md

@@ -1,15 +1,20 @@
 # conduwuit
 
-`main` / stable: [![CI and
+`main`: [![CI and
 Artifacts](https://github.com/girlbossceo/conduwuit/actions/workflows/ci.yml/badge.svg?branch=main)](https://github.com/girlbossceo/conduwuit/actions/workflows/ci.yml)
 
-<!-- ANCHOR: catchphrase --> ### a very cool, featureful fork of
-[Conduit](https://conduit.rs/) <!-- ANCHOR_END: catchphrase -->
+<!-- ANCHOR: catchphrase -->
+
+### a very cool, featureful fork of [Conduit](https://conduit.rs/)
+
+<!-- ANCHOR_END: catchphrase -->
 
 Visit the [Conduwuit documentation](https://conduwuit.puppyirl.gay/) for more
 information.
 
-<!-- ANCHOR: body --> #### What is Matrix?
+<!-- ANCHOR: body -->
+
+#### What is Matrix?
 
 [Matrix](https://matrix.org) is an open network for secure and decentralized
 communication. Users from every Matrix homeserver can chat with users from all
@@ -43,7 +48,9 @@ #### What is the current status?
 
 <!-- ANCHOR_END: body -->
 
-<!-- ANCHOR: footer --> #### Contact
+<!-- ANCHOR: footer -->
+
+#### Contact
 
 If you run into any question, feel free to
 
@@ -73,5 +80,6 @@ #### Mirrors of conduwuit
 - git.girlcock.ceo: <https://git.girlcock.ceo/strawberry/conduwuit>
 - git.gay: <https://git.gay/june/conduwuit>
 - Codeberg: <https://codeberg.org/girlbossceo/conduwuit>
-- sourcehut: <https://git.sr.ht/~girlbossceo/conduwuit> <!-- ANCHOR_END: footer
--->
+- sourcehut: <https://git.sr.ht/~girlbossceo/conduwuit>
+
+<!-- ANCHOR_END: footer -->

conduwuit-example.toml

@@ -68,6 +68,10 @@
 # only effective in release-mode; forced to false in debug-mode.
 #sentry_send_error = true
 
+# Controls the tracing log level for Sentry to send things like breadcrumbs and transactions
+# Defaults to "info"
+#sentry_filter = "info"
+
 
 ### Database configuration
 
@@ -160,6 +164,19 @@ ip_range_denylist = [
 
 ### Moderation / Privacy / Security
 
+# Config option to control whether the legacy unauthenticated Matrix media repository endpoints will be enabled.
+# These endpoints consist of:
+# - /_matrix/media/*/config
+# - /_matrix/media/*/upload
+# - /_matrix/media/*/preview_url
+# - /_matrix/media/*/download/*
+# - /_matrix/media/*/thumbnail/*
+#
+# The authenticated equivalent endpoints are always enabled.
+#
+# Defaults to true for now, but this is highly subject to change, likely in the next release.
+#allow_legacy_media = true
+
 # Set to true to allow user type "guest" registrations. Element attempts to register guest users automatically.
 # Defaults to false
 allow_guest_registration = false
@@ -207,11 +224,6 @@ registration_token = "change this token for something specific to your server"
 # defaults to false
 # block_non_admin_invites = false
 
-# Allows admins to enter commands in rooms other than #admins by prefixing with \!admin. The reply
-# will be publicly visible to the room, originating from the sender.
-# defaults to true
-#admin_escape_commands = true
-
 # List of forbidden username patterns/strings. Values in this list are matched as *contains*.
 # This is checked upon username availability check, registration, and startup as warnings if any local users in your database
 # have a forbidden username.
@@ -305,6 +317,41 @@ allow_profile_lookup_federation_requests = true
 #auto_deactivate_banned_room_attempts = false
 
 
+### Admin Room and Console
+
+# Controls whether the conduwuit admin room console / CLI will immediately activate on startup.
+# This option can also be enabled with `--console` conduwuit argument
+#
+# Defaults to false
+#admin_console_automatic = false
+
+# Controls what admin commands will be executed on startup. This is a vector list of strings of admin commands to run.
+#
+# An example of this can be: `admin_execute = ["debug ping puppygock.gay", "debug echo hi"]`
+#
+# This option can also be configured with the `--execute` conduwuit argument and can take standard shell commands and environment variables
+#
+# Such example could be: `./conduwuit --execute "server admin-notice conduwuit has started up at $(date)"`
+#
+# Defaults to nothing.
+#admin_execute = [""]
+
+# Controls whether conduwuit should error and fail to start if an admin execute command (`--execute` / `admin_execute`) fails
+#
+# Defaults to false
+#admin_execute_errors_ignore = false
+
+# Controls the max log level for admin command log captures (logs generated from running admin commands)
+#
+# Defaults to "info" on release builds, else "debug" on debug builds
+#admin_log_capture = info
+
+# Allows admins to enter commands in rooms other than #admins by prefixing with \!admin. The reply
+# will be publicly visible to the room, originating from the sender.
+# defaults to true
+#admin_escape_commands = true
+
+
 ### Misc
 
 # max log level for conduwuit. allows debug, info, warn, or error

docs/conduwuit_coc.md

@@ -9,7 +9,7 @@ # conduwuit Community Code of Conduct
 including any further community rooms that reference this CoC. Here are our
 guidelines to help maintain the welcoming atmosphere that sets conduwuit apart.
 
-For the general foundational rules, please refer to the [Contributor's 
+For the general foundational rules, please refer to the [Contributor's
 Covenant](https://github.com/girlbossceo/conduwuit/blob/main/CODE_OF_CONDUCT.md).
 Below are additional guidelines specific to the conduwuit community.
 
@@ -90,4 +90,4 @@ ## Enforcement
 
 Together, let’s build a community where everyone feels valued and respected.
 
-- The conduwuit Moderation Team
+— The conduwuit Moderation Team

docs/configuration.md

@@ -31,6 +31,22 @@ ## Option commandline flag
 - `--option log=\"debug\"` works ✅
 - `--option server_name='"example.com'"` works ✅
 
+## Execute commandline flag
+
+conduwuit supports running admin commands on startup using the commandline
+argument `--execute`. The most notable use for this is to create an admin user
+on first startup.
+
+The syntax of this is a standard admin command without the prefix such as
+`./conduwuit --execute "users create_user june"`
+
+An example output of a success is:
+```
+INFO conduit_service::admin::startup: Startup command #0 completed:
+Created user with user_id: @june:girlboss.ceo and password: `<redacted>`
+```
+
+This commandline argument can be paired with the `--option` flag.
 
 ## Environment variables
 

docs/deploying/docker-compose.for-traefik.yml

@@ -1,40 +1,44 @@
 # conduwuit - Behind Traefik Reverse Proxy
 
 services:
-    homeserver:
-        ### If you already built the conduduwit image with 'docker build' or want to use the Docker Hub image,
-        ### then you are ready to go.
-        image: girlbossceo/conduwuit:latest
-        restart: unless-stopped
-        volumes:
-            - db:/var/lib/conduwuit
-            #- ./conduwuit.toml:/etc/conduwuit.toml
-        networks:
-            - proxy
-        environment:
-            CONDUWUIT_SERVER_NAME: your.server.name # EDIT THIS
-            CONDUWUIT_DATABASE_PATH: /var/lib/conduwuit
-            CONDUWUIT_DATABASE_BACKEND: rocksdb
-            CONDUWUIT_PORT: 6167
-            CONDUWUIT_MAX_REQUEST_SIZE: 20_000_000 # in bytes, ~20 MB
-            CONDUWUIT_ALLOW_REGISTRATION: 'true'
-            CONDUWUIT_ALLOW_FEDERATION: 'true'
-            CONDUWUIT_ALLOW_CHECK_FOR_UPDATES: 'true'
-            CONDUWUIT_TRUSTED_SERVERS: '["matrix.org"]'
-            #CONDUWUIT_LOG: warn,state_res=warn
-            CONDUWUIT_ADDRESS: 0.0.0.0
-            #CONDUWUIT_CONFIG: '/etc/conduwuit.toml' # Uncomment if you mapped config toml above
-        #cpuset: "0-4" # Uncomment to limit to specific CPU cores
+  homeserver:
+    ### If you already built the conduduwit image with 'docker build' or want to use the Docker Hub image,
+    ### then you are ready to go.
+    image: girlbossceo/conduwuit:latest
+    restart: unless-stopped
+    volumes:
+      - db:/var/lib/conduwuit
+      #- ./conduwuit.toml:/etc/conduwuit.toml
+    networks:
+      - proxy
+    environment:
+      CONDUWUIT_SERVER_NAME: your.server.name.example # EDIT THIS
+      CONDUWUIT_DATABASE_PATH: /var/lib/conduwuit
+      CONDUWUIT_DATABASE_BACKEND: rocksdb
+      CONDUWUIT_PORT: 6167 # should match the loadbalancer traefik label
+      CONDUWUIT_MAX_REQUEST_SIZE: 20_000_000 # in bytes, ~20 MB
+      CONDUWUIT_ALLOW_REGISTRATION: 'true'
+      CONDUWUIT_ALLOW_FEDERATION: 'true'
+      CONDUWUIT_ALLOW_CHECK_FOR_UPDATES: 'true'
+      CONDUWUIT_TRUSTED_SERVERS: '["matrix.org"]'
+      #CONDUWUIT_LOG: warn,state_res=warn
+      CONDUWUIT_ADDRESS: 0.0.0.0
+      #CONDUWUIT_CONFIG: '/etc/conduwuit.toml' # Uncomment if you mapped config toml above
+
+      # We need some way to serve the client and server .well-known json. The simplest way is via the CONDUWUIT_WELL_KNOWN
+      # variable / config option, there are multiple ways to do this, e.g. in the conduwuit.toml file, and in a seperate
+      # see the override file for more information about delegation
+      CONDUWUIT_WELL_KNOWN: |
+        {
+        client=https://your.server.name.example,
+        server=your.server.name.example:443
+        }
+    #cpuset: "0-4" # Uncomment to limit to specific CPU cores
+    ulimits: # conduwuit uses quite a few file descriptors, and on some systems it defaults to 1024, so you can tell docker to increase it
+      nofile:
+        soft: 1048567
+        hard: 1048567
 
-    # We need some way to server the client and server .well-known json. The simplest way is to use a nginx container
-    # to serve those two as static files. If you want to use a different way, delete or comment the below service, here
-    # and in the docker compose override file.
-    well-known:
-        image: nginx:latest
-        restart: unless-stopped
-        volumes:
-            - ./nginx/matrix.conf:/etc/nginx/conf.d/matrix.conf # the config to serve the .well-known/matrix files
-            - ./nginx/www:/var/www/ # location of the client and server .well-known-files
     ### Uncomment if you want to use your own Element-Web App.
     ### Note: You need to provide a config.json for Element and you also need a second
     ###       Domain or Subdomain for the communication between Element and conduwuit
@@ -50,10 +54,12 @@ services:
     #         - homeserver
 
 volumes:
-    db:
+  db:
 
 networks:
-    # This is the network Traefik listens to, if your network has a different
-    # name, don't forget to change it here and in the docker-compose.override.yml
-    proxy:
-        external: true
+  # This is the network Traefik listens to, if your network has a different
+  # name, don't forget to change it here and in the docker-compose.override.yml
+  proxy:
+    external: true
+
+# vim: ts=2:sw=2:expandtab

docs/deploying/docker-compose.override.yml

@@ -1,44 +1,37 @@
 # conduwuit - Traefik Reverse Proxy Labels
 
 services:
-    homeserver:
-        labels:
-            - "traefik.enable=true"
-            - "traefik.docker.network=proxy"  # Change this to the name of your Traefik docker proxy network
+  homeserver:
+    labels:
+      - "traefik.enable=true"
+      - "traefik.docker.network=proxy"  # Change this to the name of your Traefik docker proxy network
 
-            - "traefik.http.routers.to-conduwuit.rule=Host(`<SUBDOMAIN>.<DOMAIN>`)"  # Change to the address on which conduwuit is hosted
-            - "traefik.http.routers.to-conduwuit.tls=true"
-            - "traefik.http.routers.to-conduwuit.tls.certresolver=letsencrypt"
-            - "traefik.http.routers.to-conduwuit.middlewares=cors-headers@docker"
+      - "traefik.http.routers.to-conduwuit.rule=Host(`<SUBDOMAIN>.<DOMAIN>`)"  # Change to the address on which conduwuit is hosted
+      - "traefik.http.routers.to-conduwuit.tls=true"
+      - "traefik.http.routers.to-conduwuit.tls.certresolver=letsencrypt"
+      - "traefik.http.routers.to-conduwuit.middlewares=cors-headers@docker"
+      - "traefik.http.services.to_conduwuit.loadbalancer.server.port=6167"
 
-            - "traefik.http.middlewares.cors-headers.headers.accessControlAllowOriginList=*"
-            - "traefik.http.middlewares.cors-headers.headers.accessControlAllowHeaders=Origin, X-Requested-With, Content-Type, Accept, Authorization"
-            - "traefik.http.middlewares.cors-headers.headers.accessControlAllowMethods=GET, POST, PUT, DELETE, OPTIONS"
+      - "traefik.http.middlewares.cors-headers.headers.accessControlAllowOriginList=*"
+      - "traefik.http.middlewares.cors-headers.headers.accessControlAllowHeaders=Origin, X-Requested-With, Content-Type, Accept, Authorization"
+      - "traefik.http.middlewares.cors-headers.headers.accessControlAllowMethods=GET, POST, PUT, DELETE, OPTIONS"
 
-    # We need some way to server the client and server .well-known json. The simplest way is to use a nginx container
-    # to serve those two as static files. If you want to use a different way, delete or comment the below service, here
-    # and in the docker compose file.
-    well-known:
-        labels:
-            - "traefik.enable=true"
-            - "traefik.docker.network=proxy"
+      # If you want to have your account on <DOMAIN>, but host conduwuit on a subdomain,
+      # you can let it only handle the well known file on that domain instead
+      #- "traefik.http.routers.to-matrix-wellknown.rule=Host(`<DOMAIN>`) && PathPrefix(`/.well-known/matrix`)"
+      #- "traefik.http.routers.to-matrix-wellknown.tls=true"
+      #- "traefik.http.routers.to-matrix-wellknown.tls.certresolver=letsencrypt"
+      #- "traefik.http.routers.to-matrix-wellknown.middlewares=cors-headers@docker"
 
-            - "traefik.http.routers.to-matrix-wellknown.rule=Host(`<SUBDOMAIN>.<DOMAIN>`) && PathPrefix(`/.well-known/matrix`)"
-            - "traefik.http.routers.to-matrix-wellknown.tls=true"
-            - "traefik.http.routers.to-matrix-wellknown.tls.certresolver=letsencrypt"
-            - "traefik.http.routers.to-matrix-wellknown.middlewares=cors-headers@docker"
+  ### Uncomment this if you uncommented Element-Web App in the docker-compose.yml
+  # element-web:
+  #     labels:
+  #         - "traefik.enable=true"
+  #         - "traefik.docker.network=proxy"  # Change this to the name of your Traefik docker proxy network
 
-            - "traefik.http.middlewares.cors-headers.headers.accessControlAllowOriginList=*"
-            - "traefik.http.middlewares.cors-headers.headers.accessControlAllowHeaders=Origin, X-Requested-With, Content-Type, Accept, Authorization"
-            - "traefik.http.middlewares.cors-headers.headers.accessControlAllowMethods=GET, POST, PUT, DELETE, OPTIONS"
+  #         - "traefik.http.routers.to-element-web.rule=Host(`<SUBDOMAIN>.<DOMAIN>`)"  # Change to the address on which Element-Web is hosted
+  #         - "traefik.http.routers.to-element-web.tls=true"
+  #         - "traefik.http.routers.to-element-web.tls.certresolver=letsencrypt"
 
+# vim: ts=2:sw=2:expandtab
 
-    ### Uncomment this if you uncommented Element-Web App in the docker-compose.yml
-    # element-web:
-    #     labels:
-    #         - "traefik.enable=true"
-    #         - "traefik.docker.network=proxy"  # Change this to the name of your Traefik docker proxy network
-
-    #         - "traefik.http.routers.to-element-web.rule=Host(`<SUBDOMAIN>.<DOMAIN>`)"  # Change to the address on which Element-Web is hosted
-    #         - "traefik.http.routers.to-element-web.tls=true"
-    #         - "traefik.http.routers.to-element-web.tls.certresolver=letsencrypt"

docs/deploying/docker-compose.with-traefik.yml

@@ -1,42 +1,52 @@
 # conduwuit - Behind Traefik Reverse Proxy
 
 services:
-    homeserver:
-        ### If you already built the conduwuit image with 'docker build' or want to use the Docker Hub image,
-        ### then you are ready to go.
-        image: girlbossceo/conduwuit:latest
-        restart: unless-stopped
-        volumes:
-            - db:/srv/conduwuit/.local/share/conduwuit
-            #- ./conduwuit.toml:/etc/conduwuit.toml
-        networks:
-            - proxy
-        environment:
-            CONDUWUIT_SERVER_NAME: your.server.name # EDIT THIS
-            CONDUWUIT_TRUSTED_SERVERS: '["matrix.org"]'
-            CONDUWUIT_ALLOW_REGISTRATION : 'true'
-            #CONDUWUIT_CONFIG: '/etc/conduwuit.toml' # Uncomment if you mapped config toml above
-            ### Uncomment and change values as desired
-            # CONDUWUIT_ADDRESS: 0.0.0.0
-            # CONDUWUIT_PORT: 6167
-            # CONDUWUIT_LOG: info  # default is: "warn,state_res=warn"
-            # CONDUWUIT_ALLOW_JAEGER: 'false'
-            # CONDUWUIT_ALLOW_ENCRYPTION: 'true'
-            # CONDUWUIT_ALLOW_FEDERATION: 'true'
-            # CONDUWUIT_ALLOW_CHECK_FOR_UPDATES: 'true'
-            # CONDUWUIT_DATABASE_PATH: /srv/conduwuit/.local/share/conduwuit
-            # CONDUWUIT_WORKERS: 10
-            # CONDUWUIT_MAX_REQUEST_SIZE: 20000000  # in bytes, ~20 MB
+  homeserver:
+    ### If you already built the conduwuit image with 'docker build' or want to use the Docker Hub image,
+    ### then you are ready to go.
+    image: girlbossceo/conduwuit:latest
+    restart: unless-stopped
+    volumes:
+      - db:/var/lib/conduwuit
+      #- ./conduwuit.toml:/etc/conduwuit.toml
+    networks:
+      - proxy
+    environment:
+      CONDUWUIT_SERVER_NAME: your.server.name.example # EDIT THIS
+      CONDUWUIT_TRUSTED_SERVERS: '["matrix.org"]'
+      CONDUWUIT_ALLOW_REGISTRATION: 'false' # After setting a secure registration token, you can enable this
+      CONDUWUIT_REGISTRATION_TOKEN: # This is a token you can use to register on the server
+      CONDUWUIT_ADDRESS: 0.0.0.0
+      CONDUWUIT_PORT: 6167 # you need to match this with the traefik load balancer label if you're want to change it
+      CONDUWUIT_DATABASE_PATH: /var/lib/conduwuit
+      #CONDUWUIT_CONFIG: '/etc/conduit.toml' # Uncomment if you mapped config toml above
+      ### Uncomment and change values as desired, note that conduwuit has plenty of config options, so you should check out the example example config too
+      # Available levels are: error, warn, info, debug, trace - more info at: https://docs.rs/env_logger/*/env_logger/#enabling-logging
+      # CONDUWUIT_LOG: info  # default is: "warn,state_res=warn"
+      # CONDUWUIT_ALLOW_JAEGER: 'false'
+      # CONDUWUIT_ALLOW_ENCRYPTION: 'true'
+      # CONDUWUIT_ALLOW_FEDERATION: 'true'
+      # CONDUWUIT_ALLOW_CHECK_FOR_UPDATES: 'true'
+      # CONDUWUIT_ALLOW_INCOMING_PRESENCE: true
+      # CONDUWUIT_ALLOW_OUTGOING_PRESENCE: true
+      # CONDUWUIT_ALLOW_LOCAL_PRESENCE: true
+      # CONDUWUIT_WORKERS: 10
+      # CONDUWUIT_MAX_REQUEST_SIZE: 20_000_000  # in bytes, ~20 MB
+      # CONDUWUIT_NEW_USER_DISPLAYNAME_SUFFIX = "🏳<200d>⚧"
 
-    # We need some way to server the client and server .well-known json. The simplest way is to use a nginx container
-    # to serve those two as static files. If you want to use a different way, delete or comment the below service, here
-    # and in the docker compose override file.
-    well-known:
-        image: nginx:latest
-        restart: unless-stopped
-        volumes:
-            - ./nginx/matrix.conf:/etc/nginx/conf.d/matrix.conf # the config to serve the .well-known/matrix files
-            - ./nginx/www:/var/www/ # location of the client and server .well-known-files
+      # We need some way to serve the client and server .well-known json. The simplest way is via the CONDUWUIT_WELL_KNOWN
+      # variable / config option, there are multiple ways to do this, e.g. in the conduwuit.toml file, and in a seperate
+      # reverse proxy, but since you do not have a reverse proxy and following this guide, this example is included
+      CONDUWUIT_WELL_KNOWN: |
+        {
+          client=https://your.server.name.example,
+          server=your.server.name.example:443
+        }
+    #cpuset: "0-4" # Uncomment to limit to specific CPU cores
+    ulimits: # conduwuit uses quite a few file descriptors, and on some systems it defaults to 1024, so you can tell docker to increase it
+      nofile:
+        soft: 1048567
+        hard: 1048567
 
     ### Uncomment if you want to use your own Element-Web App.
     ### Note: You need to provide a config.json for Element and you also need a second
@@ -52,29 +62,79 @@ services:
     #     depends_on:
     #         - homeserver
 
-    traefik:
-        image: "traefik:latest"
-        container_name: "traefik"
-        restart: "unless-stopped"
-        ports:
-            - "80:80"
-            - "443:443"
-        volumes:
-            - "/var/run/docker.sock:/var/run/docker.sock"
-            # - "./traefik_config:/etc/traefik"
-            - "acme:/etc/traefik/acme"
-        labels:
-            - "traefik.enable=true"
+  traefik:
+    image: "traefik:latest"
+    container_name: "traefik"
+    restart: "unless-stopped"
+    ports:
+      - "80:80"
+      - "443:443"
+    volumes:
+      - "/var/run/docker.sock:/var/run/docker.sock:z"
+      - "acme:/etc/traefik/acme"
+      #- "./traefik_config:/etc/traefik:z"
+    labels:
+      - "traefik.enable=true"
 
-            # middleware redirect
-            - "traefik.http.middlewares.redirect-to-https.redirectscheme.scheme=https"
-            # global redirect to https
-            - "traefik.http.routers.redirs.rule=hostregexp(`{host:.+}`)"
-            - "traefik.http.routers.redirs.entrypoints=http"
-            - "traefik.http.routers.redirs.middlewares=redirect-to-https"
+      # middleware redirect
+      - "traefik.http.middlewares.redirect-to-https.redirectscheme.scheme=https"
+      # global redirect to https
+      - "traefik.http.routers.redirs.rule=hostregexp(`{host:.+}`)"
+      - "traefik.http.routers.redirs.entrypoints=web"
+      - "traefik.http.routers.redirs.middlewares=redirect-to-https"
 
-        networks:
-            - proxy
+    configs:
+      - source: dynamic.yml
+        target: /etc/traefik/dynamic.yml
+
+    environment:
+      TRAEFIK_LOG_LEVEL: DEBUG
+      TRAEFIK_ENTRYPOINTS_WEB: true
+      TRAEFIK_ENTRYPOINTS_WEB_ADDRESS: ":80"
+      TRAEFIK_ENTRYPOINTS_WEB_HTTP_REDIRECTIONS_ENTRYPOINT_TO: websecure
+
+      TRAEFIK_ENTRYPOINTS_WEBSECURE: true
+      TRAEFIK_ENTRYPOINTS_WEBSECURE_ADDRESS: ":443"
+      TRAEFIK_ENTRYPOINTS_WEBSECURE_HTTP_TLS_CERTRESOLVER: letsencrypt
+      #TRAEFIK_ENTRYPOINTS_WEBSECURE_HTTP_MIDDLEWARES: secureHeaders@file # if you want to enabled STS
+
+      TRAEFIK_CERTIFICATESRESOLVERS_LETSENCRYPT: true
+      TRAEFIK_CERTIFICATESRESOLVERS_LETSENCRYPT_ACME_EMAIL: # Set this to the email you want to receive certificate expiration emails for
+      TRAEFIK_CERTIFICATESRESOLVERS_LETSENCRYPT_ACME_KEYTYPE: EC384
+      TRAEFIK_CERTIFICATESRESOLVERS_LETSENCRYPT_ACME_HTTPCHALLENGE: true
+      TRAEFIK_CERTIFICATESRESOLVERS_LETSENCRYPT_ACME_HTTPCHALLENGE_ENTRYPOINT: web
+      TRAEFIK_CERTIFICATESRESOLVERS_LETSENCRYPT_ACME_STORAGE: "/etc/traefik/acme/acme.json"
+
+      TRAEFIK_PROVIDERS_DOCKER: true
+      TRAEFIK_PROVIDERS_DOCKER_ENDPOINT: "unix:///var/run/docker.sock"
+      TRAEFIK_PROVIDERS_DOCKER_EXPOSEDBYDEFAULT: false
+
+      TRAEFIK_PROVIDERS_FILE: true
+      TRAEFIK_PROVIDERS_FILE_FILENAME: "/etc/traefik/dynamic.yml"
+
+configs:
+  dynamic.yml:
+    content: |
+      # Optionally set STS headers, like in https://hstspreload.org
+      # http:
+      #   middlewares:
+      #     secureHeaders:
+      #       headers:
+      #         forceSTSHeader: true
+      #         stsIncludeSubdomains: true
+      #         stsPreload: true
+      #         stsSeconds: 31536000
+      tls:
+        options:
+          default:
+            cipherSuites:
+              - TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
+              - TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
+              - TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
+              - TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
+              - TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305
+              - TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305
+            minVersion: VersionTLS12
 
 volumes:
     db:
@@ -82,3 +142,5 @@ volumes:
 
 networks:
     proxy:
+
+# vim: ts=2:sw=2:expandtab

docs/deploying/docker.md

@@ -9,22 +9,14 @@ ### Use a registry
 
 OCI images for conduwuit are available in the registries listed below.
 
-| Registry        | Image
-| Size                          | Notes                  | | --------------- |
---------------------------------------------------------------- |
------------------------------ | ---------------------- | | GitHub Registry |
-[ghcr.io/girlbossceo/conduwuit:latest][gh] | ![Image Size][shield-latest]  |
-Stable tagged image.          | | GitLab Registry |
-[registry.gitlab.com/conduwuit/conduwuit:latest][gl] | ![Image
-Size][shield-latest]  | Stable tagged image.          | | Docker Hub      |
-[docker.io/girlbossceo/conduwuit:latest][dh]             | ![Image
-Size][shield-latest]  | Stable tagged image.          | | GitHub Registry |
-[ghcr.io/girlbossceo/conduwuit:main][gh]   | ![Image Size][shield-main]    |
-Stable main branch.   | | GitLab Registry |
-[registry.gitlab.com/conduwuit/conduwuit:main][gl]   | ![Image
-Size][shield-main]    | Stable main branch.   | | Docker Hub      |
-[docker.io/girlbossceo/conduwuit:main][dh]               | ![Image
-Size][shield-main]    | Stable main branch.   |
+| Registry        | Image                                                           | Size                          | Notes                  |
+| --------------- | --------------------------------------------------------------- | ----------------------------- | ---------------------- |
+| GitHub Registry | [ghcr.io/girlbossceo/conduwuit:latest][gh] | ![Image Size][shield-latest]  | Stable tagged image.          |
+| GitLab Registry | [registry.gitlab.com/conduwuit/conduwuit:latest][gl] | ![Image Size][shield-latest]  | Stable tagged image.          |
+| Docker Hub      | [docker.io/girlbossceo/conduwuit:latest][dh]             | ![Image Size][shield-latest]  | Stable tagged image.          |
+| GitHub Registry | [ghcr.io/girlbossceo/conduwuit:main][gh]   | ![Image Size][shield-main]    | Stable main branch.   |
+| GitLab Registry | [registry.gitlab.com/conduwuit/conduwuit:main][gl]   | ![Image Size][shield-main]    | Stable main branch.   |
+| Docker Hub      | [docker.io/girlbossceo/conduwuit:main][dh]               | ![Image Size][shield-main]    | Stable main branch.   |
 
 [dh]: https://hub.docker.com/r/girlbossceo/conduwuit
 [gh]: https://github.com/girlbossceo/conduwuit/pkgs/container/conduwuit
@@ -34,7 +26,9 @@ ### Use a registry
 
 Use
 
-```bash docker image pull <link> ```
+```bash
+docker image pull $LINK
+```
 
 to pull it to your machine.
 
@@ -42,13 +36,13 @@ ### Run
 
 When you have the image you can simply run it with
 
-```bash 
-docker run -d -p 8448:6167 \ 
-    -v db:/var/lib/conduwuit/ \ 
-    -e CONDUWUIT_SERVER_NAME="your.server.name" \ 
-    -e CONDUWUIT_DATABASE_BACKEND="rocksdb" \ 
+```bash
+docker run -d -p 8448:6167 \
+    -v db:/var/lib/conduwuit/ \
+    -e CONDUWUIT_SERVER_NAME="your.server.name" \
+    -e CONDUWUIT_DATABASE_BACKEND="rocksdb" \
     -e CONDUWUIT_ALLOW_REGISTRATION=false \
-    --name conduit <link> 
+    --name conduit $LINK
 ```
 
 or you can use [docker compose](#docker-compose).
@@ -88,7 +82,9 @@ ### Docker-compose
 When picking the `caddy-docker-proxy` compose file, it's important to first
 create the `caddy` network before spinning up the containers:
 
-```bash docker network create caddy ```
+```bash
+docker network create caddy
+```
 
 After that, you can rename it so it matches `docker-compose.yml` and spin up the
 containers!
@@ -101,7 +97,7 @@ ### Build
 modify the `docker-compose.yml` file. There you need to comment the `image:`
 option and uncomment the `build:` option. Then call docker compose with:
 
-```bash 
+```bash
 docker compose up
 ```
 

docs/deploying/generic.md

@@ -34,12 +34,14 @@ ## Adding a conduwuit user
 In Debian or Fedora/RHEL, you can use this command to create a conduwuit user:
 
 ```bash
-sudo adduser --system conduwuit --group --disabled-login --no-create-home 
+sudo adduser --system conduwuit --group --disabled-login --no-create-home
 ```
 
 For distros without `adduser`:
 
-```bash sudo useradd -r --shell /usr/bin/nologin --no-create-home conduwuit ```
+```bash
+sudo useradd -r --shell /usr/bin/nologin --no-create-home conduwuit
+```
 
 ## Forwarding ports in the firewall or the router
 
@@ -60,8 +62,9 @@ ## Creating the conduwuit configuration file
 
 Now we need to create the conduwuit's config file in
 `/etc/conduwuit/conduwuit.toml`. The example config can be found at
-[conduwuit-example.toml](../configuration/examples.md).**Please take a moment to
-read it. You need to change at least the server name.**
+[conduwuit-example.toml](../configuration/examples.md).
+
+**Please take a moment to read the config. You need to change at least the server name.**
 
 RocksDB is the only supported database backend.
 
@@ -76,9 +79,9 @@ ## Setting the correct file permissions
 
 If you use the default database path you also need to run this:
 
-```bash 
-sudo mkdir -p /var/lib/conduwuit/ sudo chown -R conduwuit:conduwuit
-/var/lib/conduwuit/ sudo chmod 700 /var/lib/conduwuit/ 
+```bash
+sudo mkdir -p /var/lib/conduwuit/ sudo chown -R conduwuit:conduwuit /var/lib/conduwuit/
+sudo chmod 700 /var/lib/conduwuit/
 ```
 
 ## Setting up the Reverse Proxy
@@ -97,27 +100,34 @@ ### Caddy
 Create `/etc/caddy/conf.d/conduwuit_caddyfile` and enter this (substitute for
 your server name).
 
-```caddy
-your.server.name, your.server.name:8448 { # TCP reverse_proxy
+```caddyfile
+your.server.name, your.server.name:8448 {
+    # TCP reverse_proxy
     127.0.0.1:6167
-    # UNIX socket 
-    #reverse_proxy unix//run/conduwuit/conduwuit.sock 
+    # UNIX socket
+    #reverse_proxy unix//run/conduwuit/conduwuit.sock
 }
 ```
 
 That's it! Just start and enable the service and you're set.
 
-```bash sudo systemctl enable --now caddy ```
+```bash
+sudo systemctl enable --now caddy
+```
 
 ## You're done
 
 Now you can start conduwuit with:
 
-```bash sudo systemctl start conduwuit ```
+```bash
+sudo systemctl start conduwuit
+```
 
 Set it to start automatically when your system boots with:
 
-```bash sudo systemctl enable conduwuit ```
+```bash
+sudo systemctl enable conduwuit
+```
 
 ## How do I know it works?
 
@@ -127,10 +137,12 @@ ## How do I know it works?
 You can also use these commands as a quick health check (replace
 `your.server.name`).
 
-```bash $ curl https://your.server.name/_conduwuit/server_version
+```bash
+curl https://your.server.name/_conduwuit/server_version
 
-# If using port 8448 $ curl
-https://your.server.name:8448/_conduwuit/server_version ```
+# If using port 8448
+curl https://your.server.name:8448/_conduwuit/server_version
+```
 
 - To check if your server can talk with other homeservers, you can use the
 [Matrix Federation Tester](https://federationtester.matrix.org/). If you can

docs/deploying/nixos.md

@@ -9,18 +9,21 @@ # conduwuit for NixOS
 A binary cache for conduwuit that the CI/CD publishes to is available at the
 following places (both are the same just different names):
 
-``` https://attic.kennel.juneis.dog/conduit
+```
+https://attic.kennel.juneis.dog/conduit
 conduit:eEKoUwlQGDdYmAI/Q/0slVlegqh/QmAvQd7HBSm21Wk=
 
 https://attic.kennel.juneis.dog/conduwuit
-conduwuit:BbycGUgTISsltcmH0qNjFR9dbrQNYgdIAcmViSGoVTE= ```
+conduwuit:BbycGUgTISsltcmH0qNjFR9dbrQNYgdIAcmViSGoVTE=
+```
 
 The binary caches have been recreated recently due to attic issues. The old
 public keys were:
 
-``` conduit:Isq8FGyEC6FOXH6nD+BOeAA+bKp6X6UIbupSlGEPuOg=
-
-conduwuit:lYPVh7o1hLu1idH4Xt2QHaRa49WRGSAqzcfFd94aOTw= ```
+```
+conduit:Isq8FGyEC6FOXH6nD+BOeAA+bKp6X6UIbupSlGEPuOg=
+conduwuit:lYPVh7o1hLu1idH4Xt2QHaRa49WRGSAqzcfFd94aOTw=
+```
 
 If specifying a URL in your flake, please use the GitHub remote:
 `github:girlbossceo/conduwuit`

docs/development.md

@@ -38,9 +38,11 @@ ## Debugging with `tokio-console`
 tokio_unstable` flag to enable experimental tokio APIs. A build might look like
 this:
 
-```bash RUSTFLAGS="--cfg tokio_unstable" cargo build \ --release \
---no-default-features \
---features=systemd,element_hacks,gzip_compression,brotli_compression,zstd_compression,tokio_console
+```bash
+RUSTFLAGS="--cfg tokio_unstable" cargo build \
+    --release \
+    --no-default-features \
+    --features=systemd,element_hacks,gzip_compression,brotli_compression,zstd_compression,tokio_console
 ```
 
 [1]: https://github.com/ruma/ruma/

docs/troubleshooting.md

@@ -13,6 +13,17 @@ # Troubleshooting conduwuit
 > If there are things like Compose file issues or Dockerhub image issues, those
 > can still be mentioned as long as they're something we can fix.
 
+## conduwuit and Matrix issues
+
+#### Lost access to admin room
+
+You can reinvite yourself to the admin room through the following methods:
+- Use the `--execute "users make_user_admin <username>"` conduwuit binary
+argument once to invite yourslf to the admin room on startup
+- Use the conduwuit console/CLI to run the `users make_user_admin` command
+- Or specify the `emergency_password` config option to allow you to temporarily
+log into the server account (`@conduit`) from a web client
+
 ## General potential issues
 
 #### Potential DNS issues when using Docker
@@ -30,7 +41,7 @@ #### Potential DNS issues when using Docker
 - Don't use Docker's default DNS setup and instead allow the container to use
 and communicate with your host's DNS servers (host's `/etc/resolv.conf`)
 
-## Rocksdb / database issues
+## RocksDB / database issues
 
 #### Direct IO
 

renovate.json

@@ -12,5 +12,15 @@
   "nix": {
     "enabled": true
   },
-  "labels": ["dependencies", "github_actions"]
+  "labels": [
+    "dependencies",
+    "github_actions"
+  ],
+  "ignoreDeps": [
+    "tikv-jemllocator",
+    "tikv-jemalloc-sys",
+    "tikv-jemalloc-ctl",
+    "opentelemetry-rust",
+    "tracing-opentelemetry"
+  ]
 }

src/admin/processor.rs

@@ -15,7 +15,7 @@
 	},
 	trace,
 	utils::string::{collect_stream, common_prefix},
-	Error, Result,
+	warn, Error, Result,
 };
 use futures_util::future::FutureExt;
 use ruma::{
@@ -114,7 +114,15 @@ async fn process(context: &Command<'_>, command: AdminCommand, args: &[String])
 
 fn capture_create(context: &Command<'_>) -> (Arc<Capture>, Arc<Mutex<String>>) {
 	let env_config = &context.services.server.config.admin_log_capture;
-	let env_filter = EnvFilter::try_new(env_config).unwrap_or_else(|_| "debug".into());
+	let env_filter = EnvFilter::try_new(env_config).unwrap_or_else(|e| {
+		warn!("admin_log_capture filter invalid: {e:?}");
+		cfg!(debug_assertions)
+			.then_some("debug")
+			.or(Some("info"))
+			.map(Into::into)
+			.expect("default capture EnvFilter")
+	});
+
 	let log_level = env_filter
 		.max_level_hint()
 		.and_then(LevelFilter::into_level)

src/admin/room/commands.rs

@@ -1,13 +1,11 @@
-use std::fmt::Write;
-
 use conduit::Result;
 use ruma::events::room::message::RoomMessageEventContent;
 
-use crate::{admin_command, escape_html, get_room_info, PAGE_SIZE};
+use crate::{admin_command, get_room_info, PAGE_SIZE};
 
 #[admin_command]
 pub(super) async fn list_rooms(
-	&self, page: Option<usize>, exclude_disabled: bool, exclude_banned: bool,
+	&self, page: Option<usize>, exclude_disabled: bool, exclude_banned: bool, no_details: bool,
 ) -> Result<RoomMessageEventContent> {
 	// TODO: i know there's a way to do this with clap, but i can't seem to find it
 	let page = page.unwrap_or(1);
@@ -61,29 +59,18 @@ pub(super) async fn list_rooms(
 	};
 
 	let output_plain = format!(
-		"Rooms:\n{}",
+		"Rooms ({}):\n```\n{}\n```",
+		rooms.len(),
 		rooms
 			.iter()
-			.map(|(id, members, name)| format!("{id}\tMembers: {members}\tName: {name}"))
+			.map(|(id, members, name)| if no_details {
+				format!("{id}")
+			} else {
+				format!("{id}\tMembers: {members}\tName: {name}")
+			})
 			.collect::<Vec<_>>()
 			.join("\n")
 	);
-	let output_html = format!(
-		"<table><caption>Room list - page \
-		 {page}</caption>\n<tr><th>id</th>\t<th>members</th>\t<th>name</th></tr>\n{}</table>",
-		rooms
-			.iter()
-			.fold(String::new(), |mut output, (id, members, name)| {
-				writeln!(
-					output,
-					"<tr><td>{}</td>\t<td>{}</td>\t<td>{}</td></tr>",
-					escape_html(id.as_ref()),
-					members,
-					escape_html(name)
-				)
-				.expect("should be able to write to string buffer");
-				output
-			})
-	);
-	Ok(RoomMessageEventContent::text_html(output_plain, output_html))
+
+	Ok(RoomMessageEventContent::notice_markdown(output_plain))
 }

src/admin/room/mod.rs

@@ -27,6 +27,11 @@ pub(super) enum RoomCommand {
 		/// Excludes rooms that we have banned
 		#[arg(long)]
 		exclude_banned: bool,
+
+		#[arg(long)]
+		/// Whether to only output room IDs without supplementary room
+		/// information
+		no_details: bool,
 	},
 
 	#[command(subcommand)]

src/admin/user/commands.rs

@@ -1,6 +1,6 @@
 use std::{collections::BTreeMap, fmt::Write as _};
 
-use api::client::{join_room_by_id_helper, leave_all_rooms, update_avatar_url, update_displayname};
+use api::client::{join_room_by_id_helper, leave_all_rooms, leave_room, update_avatar_url, update_displayname};
 use conduit::{error, info, utils, warn, PduBuilder, Result};
 use ruma::{
 	events::{
@@ -13,7 +13,7 @@
 use serde_json::value::to_raw_value;
 
 use crate::{
-	admin_command, escape_html, get_room_info,
+	admin_command, get_room_info,
 	utils::{parse_active_local_user_id, parse_local_user_id},
 };
 
@@ -320,7 +320,7 @@ pub(super) async fn list_joined_rooms(&self, user_id: String) -> Result<RoomMess
 	rooms.reverse();
 
 	let output_plain = format!(
-		"Rooms {user_id} Joined ({}):\n{}",
+		"Rooms {user_id} Joined ({}):\n```\n{}\n```",
 		rooms.len(),
 		rooms
 			.iter()
@@ -329,26 +329,7 @@ pub(super) async fn list_joined_rooms(&self, user_id: String) -> Result<RoomMess
 			.join("\n")
 	);
 
-	let output_html = format!(
-		"<table><caption>Rooms {user_id} Joined \
-		 ({})</caption>\n<tr><th>id</th>\t<th>members</th>\t<th>name</th></tr>\n{}</table>",
-		rooms.len(),
-		rooms
-			.iter()
-			.fold(String::new(), |mut output, (id, members, name)| {
-				writeln!(
-					output,
-					"<tr><td>{}</td>\t<td>{}</td>\t<td>{}</td></tr>",
-					escape_html(id.as_ref()),
-					members,
-					escape_html(name)
-				)
-				.unwrap();
-				output
-			})
-	);
-
-	Ok(RoomMessageEventContent::text_html(output_plain, output_html))
+	Ok(RoomMessageEventContent::notice_markdown(output_plain))
 }
 
 #[admin_command]
@@ -369,6 +350,24 @@ pub(super) async fn force_join_room(
 	)))
 }
 
+#[admin_command]
+pub(super) async fn force_leave_room(
+	&self, user_id: String, room_id: OwnedRoomOrAliasId,
+) -> Result<RoomMessageEventContent> {
+	let user_id = parse_local_user_id(self.services, &user_id)?;
+	let room_id = self.services.rooms.alias.resolve(&room_id).await?;
+
+	assert!(
+		self.services.globals.user_is_local(&user_id),
+		"Parsed user_id must be a local user"
+	);
+	leave_room(self.services, &user_id, &room_id, None).await?;
+
+	Ok(RoomMessageEventContent::notice_markdown(format!(
+		"{user_id} has left {room_id}.",
+	)))
+}
+
 #[admin_command]
 pub(super) async fn make_user_admin(&self, user_id: String) -> Result<RoomMessageEventContent> {
 	let user_id = parse_local_user_id(self.services, &user_id)?;

src/admin/user/mod.rs

@@ -73,6 +73,12 @@ pub(super) enum UserCommand {
 		room_id: OwnedRoomOrAliasId,
 	},
 
+	/// - Manually leave a local user from a room.
+	ForceLeaveRoom {
+		user_id: String,
+		room_id: OwnedRoomOrAliasId,
+	},
+
 	/// - Grant server-admin privileges to a user.
 	MakeUserAdmin {
 		user_id: String,

src/api/client/appservice.rs

@@ -0,0 +1,47 @@
+use axum::extract::State;
+use conduit::{err, Err, Result};
+use ruma::api::{appservice::ping, client::appservice::request_ping};
+
+use crate::Ruma;
+
+/// # `POST /_matrix/client/v1/appservice/{appserviceId}/ping`
+///
+/// Ask the homeserver to ping the application service to ensure the connection
+/// works.
+pub(crate) async fn appservice_ping(
+	State(services): State<crate::State>, body: Ruma<request_ping::v1::Request>,
+) -> Result<request_ping::v1::Response> {
+	let appservice_info = body
+		.appservice_info
+		.as_ref()
+		.ok_or_else(|| err!(Request(Forbidden("This endpoint can only be called by appservices."))))?;
+
+	if body.appservice_id != appservice_info.registration.id {
+		return Err!(Request(Forbidden(
+			"Appservices can only ping themselves (wrong appservice ID)."
+		)));
+	}
+
+	if appservice_info.registration.url.is_none() {
+		return Err!(Request(UrlNotSet(
+			"Appservice does not have a URL set, there is nothing to ping."
+		)));
+	}
+
+	let timer = tokio::time::Instant::now();
+
+	let _response = services
+		.sending
+		.send_appservice_request(
+			appservice_info.registration.clone(),
+			ping::send_ping::v1::Request {
+				transaction_id: body.transaction_id.clone(),
+			},
+		)
+		.await?
+		.expect("We already validated if an appservice URL exists above");
+
+	Ok(request_ping::v1::Response {
+		duration: timer.elapsed(),
+	})
+}

src/api/client/capabilities.rs

@@ -1,8 +1,11 @@
 use std::collections::BTreeMap;
 
 use axum::extract::State;
-use ruma::api::client::discovery::get_capabilities::{
-	self, Capabilities, RoomVersionStability, RoomVersionsCapability, ThirdPartyIdChangesCapability,
+use ruma::{
+	api::client::discovery::get_capabilities::{
+		self, Capabilities, RoomVersionStability, RoomVersionsCapability, ThirdPartyIdChangesCapability,
+	},
+	RoomVersionId,
 };
 
 use crate::{Result, Ruma};
@@ -14,13 +17,19 @@
 pub(crate) async fn get_capabilities_route(
 	State(services): State<crate::State>, _body: Ruma<get_capabilities::v3::Request>,
 ) -> Result<get_capabilities::v3::Response> {
-	let mut available = BTreeMap::new();
-	for room_version in &services.globals.unstable_room_versions {
-		available.insert(room_version.clone(), RoomVersionStability::Unstable);
-	}
-	for room_version in &services.globals.stable_room_versions {
-		available.insert(room_version.clone(), RoomVersionStability::Stable);
-	}
+	let available: BTreeMap<RoomVersionId, RoomVersionStability> = services
+		.globals
+		.unstable_room_versions
+		.iter()
+		.map(|unstable_room_version| (unstable_room_version.clone(), RoomVersionStability::Unstable))
+		.chain(
+			services
+				.globals
+				.stable_room_versions
+				.iter()
+				.map(|stable_room_version| (stable_room_version.clone(), RoomVersionStability::Stable)),
+		)
+		.collect();
 
 	let mut capabilities = Capabilities::default();
 	capabilities.room_versions = RoomVersionsCapability {
@@ -28,7 +37,7 @@ pub(crate) async fn get_capabilities_route(
 		available,
 	};
 
-	// conduit does not implement 3PID stuff
+	// we do not implement 3PID stuff
 	capabilities.thirdparty_id_changes = ThirdPartyIdChangesCapability {
 		enabled: false,
 	};

src/api/client/directory.rs

@@ -139,6 +139,14 @@ pub(crate) async fn set_room_visibility_route(
 					 \"lockdown_public_room_directory\" is enabled",
 					body.room_id
 				);
+				services
+					.admin
+					.send_text(&format!(
+						"Non-admin user {sender_user} tried to publish {0} to the room directory while \
+						 \"lockdown_public_room_directory\" is enabled",
+						body.room_id
+					))
+					.await;
 
 				return Err(Error::BadRequest(
 					ErrorKind::forbidden(),
@@ -147,7 +155,11 @@ pub(crate) async fn set_room_visibility_route(
 			}
 
 			services.rooms.directory.set_public(&body.room_id)?;
-			info!("{sender_user} made {0} public", body.room_id);
+			services
+				.admin
+				.send_text(&format!("{sender_user} made {} public to the room directory", body.room_id))
+				.await;
+			info!("{sender_user} made {0} public to the room directory", body.room_id);
 		},
 		room::Visibility::Private => services.rooms.directory.set_not_public(&body.room_id)?,
 		_ => {

src/api/client/membership.rs

@@ -20,7 +20,8 @@
 			error::ErrorKind,
 			membership::{
 				ban_user, forget_room, get_member_events, invite_user, join_room_by_id, join_room_by_id_or_alias,
-				joined_members, joined_rooms, kick_user, leave_room, unban_user, ThirdPartySigned,
+				joined_members::{self, v3::RoomMember},
+				joined_rooms, kick_user, leave_room, unban_user, ThirdPartySigned,
 			},
 		},
 		federation::{self, membership::create_invite},
@@ -635,24 +636,22 @@ pub(crate) async fn joined_members_route(
 		));
 	}
 
-	let mut joined = BTreeMap::new();
-	for user_id in services
+	let joined: BTreeMap<OwnedUserId, RoomMember> = services
 		.rooms
 		.state_cache
 		.room_members(&body.room_id)
-		.filter_map(Result::ok)
-	{
-		let display_name = services.users.displayname(&user_id)?;
-		let avatar_url = services.users.avatar_url(&user_id)?;
+		.filter_map(|user| {
+			let user = user.ok()?;
 
-		joined.insert(
-			user_id,
-			joined_members::v3::RoomMember {
-				display_name,
-				avatar_url,
-			},
-		);
-	}
+			Some((
+				user.clone(),
+				RoomMember {
+					display_name: services.users.displayname(&user).unwrap_or_default(),
+					avatar_url: services.users.avatar_url(&user).unwrap_or_default(),
+				},
+			))
+		})
+		.collect();
 
 	Ok(joined_members::v3::Response {
 		joined,

src/api/client/mod.rs

@@ -1,5 +1,6 @@
 pub(super) mod account;
 pub(super) mod alias;
+pub(super) mod appservice;
 pub(super) mod backup;
 pub(super) mod capabilities;
 pub(super) mod config;
@@ -38,6 +39,7 @@
 
 pub(super) use account::*;
 pub(super) use alias::*;
+pub(super) use appservice::*;
 pub(super) use backup::*;
 pub(super) use capabilities::*;
 pub(super) use config::*;

src/api/client/report.rs

@@ -31,6 +31,8 @@ pub(crate) async fn report_event_route(
 		body.room_id, body.event_id
 	);
 
+	delay_response().await;
+
 	// check if we know about the reported event ID or if it's invalid
 	let Some(pdu) = services.rooms.timeline.get_pdu(&body.event_id)? else {
 		return Err(Error::BadRequest(
@@ -81,21 +83,19 @@ pub(crate) async fn report_event_route(
 		))
 		.await;
 
-	delay_response().await?;
-
 	Ok(report_content::v3::Response {})
 }
 
 /// in the following order:
 ///
 /// check if the room ID from the URI matches the PDU's room ID
-/// check if reporting user is in the reporting room
 /// check if score is in valid range
 /// check if report reasoning is less than or equal to 750 characters
+/// check if reporting user is in the reporting room
 fn is_report_valid(
 	services: &Services, event_id: &EventId, room_id: &RoomId, sender_user: &UserId, reason: &Option<String>,
 	score: Option<ruma::Int>, pdu: &std::sync::Arc<PduEvent>,
-) -> Result<bool> {
+) -> Result<()> {
 	debug_info!("Checking if report from user {sender_user} for event {event_id} in room {room_id} is valid");
 
 	if room_id != pdu.room_id {
@@ -105,10 +105,24 @@ fn is_report_valid(
 		));
 	}
 
+	if score.is_some_and(|s| s > int!(0) || s < int!(-100)) {
+		return Err(Error::BadRequest(
+			ErrorKind::InvalidParam,
+			"Invalid score, must be within 0 to -100",
+		));
+	};
+
+	if reason.as_ref().is_some_and(|s| s.len() > 750) {
+		return Err(Error::BadRequest(
+			ErrorKind::InvalidParam,
+			"Reason too long, should be 750 characters or fewer",
+		));
+	};
+
 	if !services
 		.rooms
 		.state_cache
-		.room_members(&pdu.room_id)
+		.room_members(room_id)
 		.filter_map(Result::ok)
 		.any(|user_id| user_id == *sender_user)
 	{
@@ -118,30 +132,14 @@ fn is_report_valid(
 		));
 	}
 
-	if score.map(|s| s > int!(0) || s < int!(-100)) == Some(true) {
-		return Err(Error::BadRequest(
-			ErrorKind::InvalidParam,
-			"Invalid score, must be within 0 to -100",
-		));
-	};
-
-	if reason.clone().map(|s| s.len() >= 750) == Some(true) {
-		return Err(Error::BadRequest(
-			ErrorKind::InvalidParam,
-			"Reason too long, should be 750 characters or fewer",
-		));
-	};
-
-	Ok(true)
+	Ok(())
 }
 
 /// even though this is kinda security by obscurity, let's still make a small
-/// random delay sending a successful response per spec suggestion regarding
+/// random delay sending a response per spec suggestion regarding
 /// enumerating for potential events existing in our server.
-async fn delay_response() -> Result<()> {
-	let time_to_wait = rand::thread_rng().gen_range(8..21);
+async fn delay_response() {
+	let time_to_wait = rand::thread_rng().gen_range(3..10);
 	debug_info!("Got successful /report request, waiting {time_to_wait} seconds before sending successful response.");
 	sleep(Duration::from_secs(time_to_wait)).await;
-
-	Ok(())
 }

src/api/client/sync.rs

@@ -1,6 +1,5 @@
 use std::{
-	cmp,
-	cmp::Ordering,
+	cmp::{self, Ordering},
 	collections::{hash_map::Entry, BTreeMap, BTreeSet, HashMap, HashSet},
 	time::Duration,
 };
@@ -1501,8 +1500,28 @@ pub(crate) async fn sync_events_v4_route(
 	for (room_id, (required_state_request, timeline_limit, roomsince)) in &todo_rooms {
 		let roomsincecount = PduCount::Normal(*roomsince);
 
-		let (timeline_pdus, limited) =
-			load_timeline(&services, &sender_user, room_id, roomsincecount, *timeline_limit)?;
+		let mut timestamp: Option<_> = None;
+		let mut invite_state = None;
+		let (timeline_pdus, limited);
+		if all_invited_rooms.contains(room_id) {
+			// TODO: figure out a timestamp we can use for remote invites
+			invite_state = services
+				.rooms
+				.state_cache
+				.invite_state(&sender_user, room_id)
+				.unwrap_or(None);
+
+			(timeline_pdus, limited) = (Vec::new(), true);
+		} else {
+			(timeline_pdus, limited) =
+				match load_timeline(&services, &sender_user, room_id, roomsincecount, *timeline_limit) {
+					Ok(value) => value,
+					Err(err) => {
+						warn!("Encountered missing timeline in {}, error {}", room_id, err);
+						continue;
+					},
+				};
+		}
 
 		account_data.rooms.insert(
 			room_id.clone(),
@@ -1556,17 +1575,6 @@ pub(crate) async fn sync_events_v4_route(
 			.map(|(_, pdu)| pdu.to_sync_room_event())
 			.collect();
 
-		let invite_state = if all_invited_rooms.contains(room_id) {
-			services
-				.rooms
-				.state_cache
-				.invite_state(&sender_user, room_id)
-				.unwrap_or(None)
-		} else {
-			None
-		};
-
-		let mut timestamp: Option<_> = None;
 		for (_, pdu) in timeline_pdus {
 			let ts = MilliSecondsSinceUnixEpoch(pdu.origin_server_ts);
 			if DEFAULT_BUMP_TYPES.contains(pdu.event_type()) && !timestamp.is_some_and(|time| time > ts) {

src/api/router.rs

@@ -22,6 +22,7 @@
 pub fn build(router: Router<State>, server: &Server) -> Router<State> {
 	let config = &server.config;
 	let mut router = router
+        .ruma_route(client::appservice_ping)
 		.ruma_route(client::get_supported_versions_route)
 		.ruma_route(client::get_register_available_route)
 		.ruma_route(client::register_route)
@@ -249,7 +250,11 @@ pub fn build(router: Router<State>, server: &Server) -> Router<State> {
 			.route("/_matrix/media/v3/config", any(legacy_media_disabled))
 			.route("/_matrix/media/v3/download/*path", any(legacy_media_disabled))
 			.route("/_matrix/media/v3/thumbnail/*path", any(legacy_media_disabled))
-			.route("/_matrix/media/v3/preview_url", any(redirect_legacy_preview));
+			.route("/_matrix/media/v3/preview_url", any(redirect_legacy_preview))
+			.route("/_matrix/media/r0/config", any(legacy_media_disabled))
+			.route("/_matrix/media/r0/download/*path", any(legacy_media_disabled))
+			.route("/_matrix/media/r0/thumbnail/*path", any(legacy_media_disabled))
+			.route("/_matrix/media/r0/preview_url", any(redirect_legacy_preview));
 	}
 
 	router

src/core/config/mod.rs

@@ -1079,6 +1079,11 @@ fn default_sentry_filter() -> String { "info".to_owned() }
 
 fn default_startup_netburst_keep() -> i64 { 50 }
 
-fn default_admin_log_capture() -> String { "debug".to_owned() }
+fn default_admin_log_capture() -> String {
+	cfg!(debug_assertions)
+		.then_some("debug")
+		.unwrap_or("info")
+		.to_owned()
+}
 
 fn default_admin_room_tag() -> String { "m.server_notice".to_owned() }

src/service/admin/grant.rs

@@ -123,9 +123,8 @@ pub async fn make_user_admin(&self, user_id: &UserId, displayname: String) -> Re
 		self.services.timeline.build_and_append_pdu(
   			PduBuilder {
                 event_type: TimelineEventType::RoomMessage,
-                content: to_raw_value(&RoomMessageEventContent::text_html(
-                        format!("## Thank you for trying out conduwuit!\n\nconduwuit is a fork of upstream Conduit which is in Beta. This means you can join and participate in most Matrix rooms, but not all features are supported and you might run into bugs from time to time.\n\nHelpful links:\n> Git and Documentation: https://github.com/girlbossceo/conduwuit\n> Report issues: https://github.com/girlbossceo/conduwuit/issues\n\nFor a list of available commands, send the following message in this room: `@conduit:{}: --help`\n\nHere are some rooms you can join (by typing the command):\n\nconduwuit room (Ask questions and get notified on updates):\n`/join #conduwuit:puppygock.gay`", self.services.globals.server_name()),
-                        format!("<h2>Thank you for trying out conduwuit!</h2>\n<p>conduwuit is a fork of upstream Conduit which is in Beta. This means you can join and participate in most Matrix rooms, but not all features are supported and you might run into bugs from time to time.</p>\n<p>Helpful links:</p>\n<blockquote>\n<p>Git and Documentation: https://github.com/girlbossceo/conduwuit<br>Report issues: https://github.com/girlbossceo/conduwuit/issues</p>\n</blockquote>\n<p>For a list of available commands, send the following message in this room: <code>@conduit:{}: --help</code></p>\n<p>Here are some rooms you can join (by typing the command):</p>\n<p>conduwuit room (Ask questions and get notified on updates):<br><code>/join #conduwuit:puppygock.gay</code></p>\n", self.services.globals.server_name()),
+                content: to_raw_value(&RoomMessageEventContent::text_markdown(
+                        String::from("## Thank you for trying out conduwuit!\n\nconduwuit is a fork of upstream Conduit which is in Beta. This means you can join and participate in most Matrix rooms, but not all features are supported and you might run into bugs from time to time.\n\nHelpful links:\n> Git and Documentation: https://github.com/girlbossceo/conduwuit\n> Report issues: https://github.com/girlbossceo/conduwuit/issues\n\nFor a list of available commands, send the following message in this room: `!admin --help`\n\nHere are some rooms you can join (by typing the command):\n\nconduwuit room (Ask questions and get notified on updates):\n`/join #conduwuit:puppygock.gay`"),
                 ))
                 .expect("event is valid, we just created it"),
                 unsigned: None,

src/service/admin/startup.rs

@@ -92,12 +92,12 @@ fn startup_command_error(i: usize, content: &RoomMessageEventContent) -> Result<
 #[cfg(not(feature = "console"))]
 #[implement(super::Service)]
 fn startup_command_output(i: usize, content: &RoomMessageEventContent) -> Result<()> {
-	info!("Startup command #{i} completed:\n{:#?}", content.body());
+	info!("Startup command #{i} completed:\n{:#}", content.body());
 	Ok(())
 }
 
 #[cfg(not(feature = "console"))]
 #[implement(super::Service)]
 fn startup_command_error(i: usize, content: &RoomMessageEventContent) -> Result<()> {
-	Err!(error!("Startup command #{i} failed:\n{:#?}", content.body()))
+	Err!(error!("Startup command #{i} failed:\n{:#}", content.body()))
 }

src/service/client/mod.rs

@@ -120,7 +120,7 @@ fn base(config: &Config) -> Result<reqwest::ClientBuilder> {
 		builder = if config.zstd_compression {
 			builder.zstd(true)
 		} else {
-			builder.zstd(false).no_brotli()
+			builder.zstd(false).no_zstd()
 		};
 	};
 

src/service/globals/mod.rs

@@ -8,7 +8,7 @@
 	time::Instant,
 };
 
-use conduit::{error, trace, Config, Result};
+use conduit::{err, error, trace, Config, Result};
 use data::Data;
 use ipaddress::IPAddress;
 use regex::RegexSet;
@@ -76,12 +76,13 @@ fn build(args: crate::Args<'_>) -> Result<Arc<Self>> {
 		// Experimental, partially supported room versions
 		let unstable_room_versions = vec![RoomVersionId::V2, RoomVersionId::V3, RoomVersionId::V4, RoomVersionId::V5];
 
-		let mut cidr_range_denylist = Vec::new();
-		for cidr in config.ip_range_denylist.clone() {
-			let cidr = IPAddress::parse(cidr).expect("valid cidr range");
-			trace!("Denied CIDR range: {:?}", cidr);
-			cidr_range_denylist.push(cidr);
-		}
+		let cidr_range_denylist: Vec<_> = config
+			.ip_range_denylist
+			.iter()
+			.map(IPAddress::parse)
+			.inspect(|cidr| trace!("Denied CIDR range: {cidr:?}"))
+			.collect::<Result<_, String>>()
+			.map_err(|e| err!(Config("ip_range_denylist", e)))?;
 
 		let mut s = Self {
 			db,

src/service/sending/appservice.rs

@@ -15,7 +15,7 @@ pub(crate) async fn send_request<T>(
 where
 	T: OutgoingRequest + Debug + Send,
 {
-	const VERSIONS: [MatrixVersion; 1] = [MatrixVersion::V1_0];
+	const VERSIONS: [MatrixVersion; 1] = [MatrixVersion::V1_7];
 
 	let Some(dest) = registration.url else {
 		return Ok(None);