fix: Include query parameters in link back to login on register page

fix: CSS tweaks
feat: Improve registration UI in first-run mode
2026-05-13 15:44:57 +00:00 · 2026-05-08 13:50:59 -04:00 · 2026-05-08 12:51:40 -04:00 · 2026-05-08 12:51:40 -04:00 · 2026-05-08 12:51:40 -04:00 · 2026-05-08 12:51:40 -04:00
425 changed files with 15454 additions and 11063 deletions
@@ -71,7 +71,7 @@ runs:

    - name: Install timelord-cli and git-warp-time
      if: steps.check-binaries.outputs.need-install == 'true'
-      uses: https://github.com/taiki-e/install-action@a2352fc6ce487f030a3aa709482d57823eadfb37 # v2
+      uses: https://github.com/taiki-e/install-action@b5fddbb5361bce8a06fb168c9d403a6cc552b084 # v2
      with:
        tool: git-warp-time,timelord-cli@3.0.1

@@ -45,7 +45,6 @@
  - [ ] I have [tested my contribution][c1t] (or proof-read it for documentation-only changes)
        myself, if applicable. This includes ensuring code compiles.
  - [ ] My commit messages follow the [commit message format][c1cm] and are descriptive.
-  - [ ] I have written a [news fragment][n1] for this PR, if applicable<!--(can be done after hitting open!)-->.

 <!--
 Notes on these requirements:
@@ -79,4 +78,3 @@
 [c1pc]: https://forgejo.ellis.link/continuwuation/continuwuity/src/branch/main/CONTRIBUTING.md#pre-commit-checks
 [c1t]: https://forgejo.ellis.link/continuwuation/continuwuity/src/branch/main/CONTRIBUTING.md#running-tests-locally
 [c1cm]: https://forgejo.ellis.link/continuwuation/continuwuity/src/branch/main/CONTRIBUTING.md#commit-messages
-[n1]: https://towncrier.readthedocs.io/en/stable/tutorial.html#creating-news-fragments
@@ -0,0 +1,56 @@
+name: Auto Labeler
+
+on:
+  pull_request_target:
+    types: [opened, reopened]
+
+permissions:
+  contents: read
+  pull-requests: write
+  issues: write
+
+jobs:
+  auto-label:
+    name: Apply labels based on changed files
+    runs-on: ubuntu-latest
+    steps:
+      - name: Apply PR Labels
+        uses: https://github.com/actions/github-script@3a2844b7e9c422d3c10d287c895573f7108da1b3 # v9
+        with:
+          script: |
+            const allFiles = await github.paginate(github.rest.pulls.listFiles, {
+              owner: context.repo.owner,
+              repo: context.repo.repo,
+              pull_number: context.issue.number,
+            });
+
+            const fileNames = allFiles.map(f => f.filename);
+            const labelsToAdd = new Set();
+
+            for (const file of fileNames) {
+              if (file.startsWith('docs/') || file.startsWith('theme/') || file.endsWith('.md') || file == 'rspress.config.ts') {
+                labelsToAdd.add('Documentation');
+              }
+              if (file.startsWith('.forgejo/')) {
+                labelsToAdd.add('Meta/CI');
+              }
+              if (file.startsWith('pkg/') || file.startsWith('nix/') || file === 'flake.nix' || file === 'flake.lock' || file.startsWith('docker/')) {
+                labelsToAdd.add('Meta/Packaging');
+              }
+              if (file === 'Cargo.lock') {
+                labelsToAdd.add('Dependencies');
+              }
+            }
+
+            if (labelsToAdd.size > 0) {
+              const labelsArray = Array.from(labelsToAdd);
+              console.log('Adding labels:', labelsArray);
+              await github.rest.issues.addLabels({
+                owner: context.repo.owner,
+                repo: context.repo.repo,
+                issue_number: context.issue.number,
+                labels: labelsArray,
+              });
+            } else {
+              console.log('No files changed that require auto-labeling.');
+            }
@@ -92,10 +92,13 @@ jobs:
          BASE_VERSION=$(cargo metadata --no-deps --format-version 1 | jq -r ".packages[] | select(.name == \"conduwuit\").version" | sed 's/[^a-zA-Z0-9.+]/~/g')
          # VERSION is the package version, COMPONENT is used in
          # apt's repository config like a git repo branch
-          if [[ "${{ forge.ref }}" == "refs/tags/"* ]]; then
-            # Use the "stable" component for tagged releases
+          VERSION=$BASE_VERSION
+          if [[ ${{ forge.ref_name }} =~ ^v+[0-9]\.+[0-9]\.+[0-9]$ ]]; then
+            # Use the "stable" component for tagged semver releases
            COMPONENT="stable"
-            VERSION=$BASE_VERSION
+          elif [[ ${{ forge.ref_name }} =~ ^v+[0-9]\.+[0-9]\.+[0-9] ]]; then
+            # Use the "unstable" component for tagged semver pre-releases
+            COMPONENT="unstable"
          else
            # Use the "dev" component for development builds
            SHA=$(echo "${{ forge.sha }}" | cut -c1-7)
@@ -105,7 +105,7 @@ jobs:
            RELEASE_SUFFIX=""
            TAG_NAME="${{ github.ref_name }}"
            # Extract version from tag (remove v prefix if present)
-            TAG_VERSION=$(echo "$TAG_NAME" | sed 's/^v//')
+            TAG_VERSION=$(echo "$TAG_NAME" | sed 's/^v//' | tr '-' '~')

            # Create spec file with tag version
            sed -e "s/^Version:.*$/Version:        $TAG_VERSION/" \
@@ -270,9 +270,13 @@ jobs:

          # Determine the group based on ref type and branch
          if [[ "${{ github.ref }}" == "refs/tags/"* ]]; then
-            GROUP="stable"
            # For tags, extract the tag name for version info
            TAG_NAME="${{ github.ref_name }}"
+            if [[ "$TAG_NAME" == *"-"* ]]; then
+              GROUP="unstable"
+            else
+              GROUP="stable"
+            fi
          elif [ "${{ github.ref_name }}" = "main" ]; then
            GROUP="dev"
          else
@@ -32,7 +32,7 @@ jobs:

      - name: Setup Node.js
        if: steps.runner-env.outputs.node_major == '' || steps.runner-env.outputs.node_major < '20'
-        uses: https://github.com/actions/setup-node@53b83947a5a98c8d113130e565377fae1a50d02f # v6
+        uses: https://github.com/actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6
        with:
          node-version: 22

@@ -24,7 +24,7 @@ jobs:

    steps:
      - name: 📦 Setup Node.js
-        uses: https://github.com/actions/setup-node@53b83947a5a98c8d113130e565377fae1a50d02f # v6
+        uses: https://github.com/actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6
        with:
          node-version: "22"

@@ -9,6 +9,7 @@ on:

 permissions:
  contents: read
+  pull-requests: read

 jobs:
  fast-checks:
@@ -40,10 +41,32 @@ jobs:
          cargo +nightly fmt --all -- --check && \
            echo "✅ Formatting check passed" || \
            exit 1
+  check-changes:
+    name: Check changed files
+    runs-on: ubuntu-latest
+    outputs:
+      rust: ${{ steps.filter.outputs.rust }}
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
+        with:
+          persist-credentials: false
+
+      - name: Check for file changes
+        uses: https://github.com/dorny/paths-filter@fbd0ab8f3e69293af611ebaee6363fc25e6d187d # v4
+        id: filter
+        with:
+          filters: |
+            rust:
+              - '**/*.rs'
+              - '**/Cargo.toml'
+              - '**/Cargo.lock'

  clippy-and-tests:
    name: Clippy and Cargo Tests
    runs-on: ubuntu-latest
+    needs: check-changes
+    if: needs.check-changes.outputs.rust == 'true'

    steps:
      - name: Checkout repository
@@ -199,6 +199,28 @@ jobs:
          registry_user: ${{ vars.BUILTIN_REGISTRY_USER || github.actor }}
          registry_password: ${{ secrets.BUILTIN_REGISTRY_PASSWORD || secrets.GITHUB_TOKEN }}

+  release-binaries:
+    name: "Release Binaries"
+    runs-on: ubuntu-latest
+    needs:
+      - build-release
+      - build-maxperf
+    permissions:
+      contents: write
+    if: startsWith(github.ref, 'refs/tags/')
+    steps:
+      - name: Download binary artifacts
+        uses: forgejo/download-artifact@v4
+        with:
+          pattern: conduwuit*
+          path: binaries
+          merge-multiple: true
+      - name: Create Release and Upload
+        uses: https://github.com/softprops/action-gh-release@v2
+        with:
+          draft: true
+          files: binaries/*
+
  mirror_images:
    name: "Mirror Images"
    runs-on: ubuntu-latest
@@ -43,7 +43,7 @@ jobs:
    name: Renovate
    runs-on: ubuntu-latest
    container:
-      image: ghcr.io/renovatebot/renovate:43.111.0@sha256:da5fcac20c48d9792aac9c61fd234531bfa8df61263a39387cd8920263ca4768
+      image: ghcr.io/renovatebot/renovate:43.140.0@sha256:61303c28b10a491c559529fb6f41745850e4755a43a54c04c3ae6848d6eaf5cc
      options: --tmpfs /tmp:exec
    steps:
      - name: Checkout
@@ -90,12 +90,12 @@ jobs:
          RENOVATE_PLATFORM: forgejo
          RENOVATE_ENDPOINT: ${{ github.server_url }}
          RENOVATE_AUTODISCOVER: 'false'
-          RENOVATE_REPOSITORIES: '["${{ github.repository }}"]'
+          RENOVATE_REPOSITORIES: '["${{ github.repository }}", "continuwuation/resolvematrix"]'

          RENOVATE_GIT_TIMEOUT: 60000

          RENOVATE_REQUIRE_CONFIG: 'required'
-          RENOVATE_ONBOARDING: 'false'
+          # RENOVATE_ONBOARDING: 'false'
          RENOVATE_INHERIT_CONFIG: 'true'

          RENOVATE_GITHUB_TOKEN_WARN: 'false'
@@ -24,7 +24,7 @@ repos:
        - id: check-added-large-files

  - repo: https://github.com/crate-ci/typos
-    rev: v1.45.1
+    rev: v1.46.0
    hooks:
      - id: typos
      - id: typos
@@ -1,3 +1,62 @@
+# Continuwuity 0.5.8 (2026-04-24)
+
+## Features
+
+- LDAP can now optionally be connected to using StartTLS, and you may unsafely skip verification. Contributed by @getz (#1389)
+- Users will now be prevented from removing their email if the server is configured to require an email when registering an account.
+
+## Bugfixes
+
+- Fixed a situation where multiple email addresses could be associated with one user when that user changes their email address.
+
+## Improved Documentation
+
+- Updated config docs to state we support room version 12, and set it as default. Contributed by @ezera. (#1622)
+- Improve instructions for generic deployments, removing unnecessary parts and documenting the new initial registration token flow. Contributed by @stratself (#1677)
+
+
+# Continuwuity v0.5.7 (2026-04-17)
+
+## Features
+
+- Re-added support for reading registration tokens from a file. Contributed by @ginger and @benbot. (#1371)
+- Add new config option to allow or disallow search engine indexing through a `<meta ../>` tag. Defaults to blocking indexing (`content="noindex"`). Contributed by @s1lv3r and @ginger. (#1527)
+- Add new config option for [MSC4439](https://github.com/matrix-org/matrix-spec-proposals/pull/4439)
+  PGP key URIs. Contributed by LogN. (#1609)
+- Added `!admin users reset-push-rules` command to reset the notification settings of users. Contributed by @nex. (#1613)
+- Notification pushers are now automatically removed when their associated device is. Admin commands now exist for manual cleanup too. Contributed by @nex. (#1614)
+- Implemented option to deprioritize servers for room join requests. Contributed by @ezera. (#1624)
+- Added admin commands to get build information and features. Contributed by @Jade (#1629)
+- Added support for associating email addresses with accounts, requiring email addresses for registration, and resetting passwords via email. Contributed by @ginger
+- Added support for requiring users to accept terms and conditions when registering.
+- Added support for using an admin command to issue self-service password reset links.
+
+## Bugfixes
+
+- Fixed corrupted appservice registrations causing the server to enter a crash loop. Contributed by @nex. (#1265)
+- Prevent removing the admin room alias (`#admins`) to avoid accidentally breaking admin room functionality. Contributed by @0xnim (#1448)
+- Stripped `join_authorised_via_users_server` from json if user is already in room (@partha:cxy.run) (#1542)
+- Fixed internal server errors for fetching thumbnails. Contributed by @PerformativeJade (#1572)
+- Fixed error 500 when joining non-existent rooms. Contributed by @ezera. (#1579)
+- Refactored nix package. Breaking, since `all-features` package no longer exists. Continuwuity is now built with jemalloc and liburing by default. Contributed by @Henry-Hiles (QuadRadical). (#1596)
+- Fixed resolving IP of servers that only use SRV delegation. Contributed by @tulir. (#1615)
+- Fixed "Sender must be a local user" error for make_join, make_knock, and make_leave federation routes. Contributed by @nex. (#1623)
+- Fixed restricted joins not being signed when we are being used as an authorising server. Contributed by @nex, reported by [vel](matrix:u/vel:nhjkl.com?action=chat). (#1630)
+- Fixed room alias deletion so removing one local alias no longer removes other aliases from room alias listings.
+- Stopped left rooms from being unconditionally sent on initial sync, hopefully fixing spurious appearances of left rooms in some clients (and making sync faster as a bonus). Contributed by @ginger
+- Correct the response field name for MatrixRTC transports. Contributed by @spaetz
+
+## Improved Documentation
+
+- Added Testing and Troubleshooting instructions for Livekit documentation. Contributed by @stratself. (#1429)
+- Refactored docker docs to include new initial token workflow, and add Caddyfile example. Contributed by @stratself. (#1594)
+- Add DNS tuning guide for Continuwuity. Users are recommended to set up a local caching resolver following the guide's advice. Contributed by @stratself (#1601)
+
+## Misc
+
+- Fixed compiler warning in cf_opts.rs when building in release. Contributed by @ezera. (#1620)
+
+
 # Continuwuity 0.5.6 (2026-03-03)

 ## Security
@@ -12,7 +12,7 @@ license = "Apache-2.0"
 # See also `rust-toolchain.toml`
 readme = "README.md"
 repository = "https://forgejo.ellis.link/continuwuation/continuwuity"
-version = "0.5.7-alpha.2"
+version = "0.5.9"

 [workspace.metadata.crane]
 name = "conduwuit"
@@ -36,10 +36,13 @@ version = "0.3"
 features = ["ffi", "std", "union"]

 [workspace.dependencies.const-str]
-version = "0.7.0"
+version = "1.1.0"

 [workspace.dependencies.ctor]
-version = "0.10.0"
+version = "0.13.0"
+
+[workspace.dependencies.dtor]
+version = "0.13.0"

 [workspace.dependencies.cargo_toml]
 version = "0.22"
@@ -47,9 +50,9 @@ default-features = false
 features = ["features"]

 [workspace.dependencies.toml]
-version = "0.9.5"
+version = "1.1.2"
 default-features = false
-features = ["parse"]
+features = ["parse", "serde"]

 [workspace.dependencies.sanitize-filename]
 version = "0.6.0"
@@ -68,7 +71,7 @@ default-features = false
 version = "0.1.3"

 [workspace.dependencies.rand]
-version = "0.10.0"
+version = "0.10.1"

 # Used for the http request / response body type for Ruma endpoints used with reqwest
 [workspace.dependencies.bytes]
@@ -102,15 +105,18 @@ default-features = false
 features = ["typed-header", "tracing", "cookie"]

 [workspace.dependencies.axum-server]
-version = "0.7.2"
+version = "0.8.0"
 default-features = false

 # to listen on both HTTP and HTTPS if listening on TLS dierctly from conduwuit for complement or sytest
 [workspace.dependencies.axum-server-dual-protocol]
-version = "0.7"
+# version = "0.7"
+git = "https://github.com/vinchona/axum-server-dual-protocol.git"
+rev = "ca6db055254255b74238673ce4135698e347d71c" # feat!: bump axum_server to 0.8.0
+default-features = false

 [workspace.dependencies.axum-client-ip]
-version = "0.7"
+version = "1.3"

 [workspace.dependencies.tower]
 version = "0.5.2"
@@ -134,13 +140,12 @@ features = [
 [workspace.dependencies.rustls]
 version = "0.23.25"
 default-features = false
-features = ["aws_lc_rs"]

 [workspace.dependencies.reqwest]
-version = "0.12.15"
+version = "0.13.2"
 default-features = false
 features = [
-    "rustls-tls-native-roots",
+    "rustls-no-provider",
    "socks",
    "hickory-dns",
    "http2",
@@ -159,7 +164,7 @@ features = ["raw_value"]

 # Used for appservice registration files
 [workspace.dependencies.serde-saphyr]
-version = "0.0.23"
+version = "0.0.25"

 # Used to load forbidden room/user regex from config
 [workspace.dependencies.serde_regex]
@@ -167,7 +172,7 @@ version = "1.1.0"

 # Used for ruma wrapper
 [workspace.dependencies.serde_html_form]
-version = "0.2.6"
+version = "0.4.0"

 # Used for password hashing
 [workspace.dependencies.argon2]
@@ -251,7 +256,7 @@ features = [
 ]

 [workspace.dependencies.tokio-metrics]
-version = "0.4.0"
+version = "0.5.0"

 [workspace.dependencies.libloading]
 version = "0.9.0"
@@ -340,51 +345,50 @@ version = "0.1.88"
 [workspace.dependencies.lru-cache]
 version = "0.1.2"

+[workspace.dependencies.assign]
+version = "1.1.1"
+
 # Used for matrix spec type definitions and helpers
 [workspace.dependencies.ruma]
-git = "https://forgejo.ellis.link/continuwuation/ruwuma"
-#branch = "conduwuit-changes"
-rev = "d00b51a8669b21689c4eb47fb81f3a8b27c3e371"
+# version = "0.14.1"
+git = "https://github.com/ruma/ruma.git"
+rev = "5742fec0021b85fedbf5cd1f59c50a00bb5b9f7c"
 features = [
-    "compat",
-    "rand",
    "appservice-api-c",
    "client-api",
    "federation-api",
-    "markdown",
    "push-gateway-api-c",
-    "unstable-exhaustive-types",
+    "state-res",
+    "rand",
+    "markdown",
    "ring-compat",
    "compat-upload-signatures",
-    "identifiers-validation",
-    "unstable-unspecified",
+    "compat-optional-txn-pdus",
    "unstable-msc2448",
    "unstable-msc2666",
    "unstable-msc2867",
    "unstable-msc2870",
-    "unstable-msc3026",
    "unstable-msc3061",
    "unstable-msc3814",
    "unstable-msc3245",
-    "unstable-msc3266",
-    "unstable-msc3381", # polls
-    "unstable-msc3489", # beacon / live location
-    "unstable-msc3575",
-    "unstable-msc3930", # polls push rules
+    "unstable-msc3381",
+    "unstable-msc3489",
+    "unstable-msc3930",
    "unstable-msc4075",
    "unstable-msc4095",
    "unstable-msc4121",
    "unstable-msc4125",
-    "unstable-msc4155",
    "unstable-msc4186",
-    "unstable-msc4203", # sending to-device events to appservices
-    "unstable-msc4210", # remove legacy mentions
+    "unstable-msc4195",
+    "unstable-msc4203",
+    "unstable-msc4310",
+    "unstable-msc4373",
+    "unstable-msc4380",
+    "unstable-msc4143",
+    "unstable-msc4293",
+    "unstable-msc4406",
+    "unstable-msc4439",
    "unstable-extensible-events",
-    "unstable-pdu",
-    "unstable-msc4155",
-    "unstable-msc4143", # livekit well_known response
-    "unstable-msc4284",
-    "unstable-msc4439", # pgp_key in .well_known/matrix/support
 ]

 [workspace.dependencies.rust-rocksdb]
@@ -429,14 +433,13 @@ features = ["http", "grpc-tonic", "trace", "logs", "metrics"]

 # optional sentry metrics for crash/panic reporting
 [workspace.dependencies.sentry]
-version = "0.46.0"
+version = "0.48.0"
 default-features = false
 features = [
    "backtrace",
    "contexts",
    "debug-images",
    "panic",
-    "rustls",
    "tower",
    "tower-http",
    "tracing",
@@ -445,9 +448,9 @@ features = [
 ]

 [workspace.dependencies.sentry-tracing]
-version = "0.46.0"
+version = "0.48.0"
 [workspace.dependencies.sentry-tower]
-version = "0.46.0"
+version = "0.48.0"

 # jemalloc usage
 [workspace.dependencies.tikv-jemalloc-sys]
@@ -546,21 +549,16 @@ features = ["std"]
 [workspace.dependencies.maplit]
 version = "1.0.2"

-[workspace.dependencies.ldap3]
-version = "0.12.0"
-default-features = false
-features = ["sync", "tls-rustls", "rustls-provider"]
-
 [workspace.dependencies.yansi]
 version = "1.0.1"

 [workspace.dependencies.askama]
-version = "0.15.0"
+version = "0.16.0"

 [workspace.dependencies.lettre]
 version = "0.11.19"
 default-features = false
-features = ["smtp-transport", "pool", "hostname", "builder", "rustls", "rustls-native-certs", "tokio1", "ring", "tokio1-rustls", "tracing", "serde"]
+features = ["smtp-transport", "pool", "hostname", "builder", "rustls", "rustls-native-certs", "tokio1", "rustls-no-provider", "tokio1-rustls", "tracing", "serde"]

 [workspace.dependencies.governor]
 version = "0.10.4"
@@ -570,6 +568,9 @@ features = ["std"]
 [workspace.dependencies.nonzero_ext]
 version = "0.3.0"

+[workspace.dependencies.serde_urlencoded]
+version = "0.7.1"
+
 #
 # Patches
 #
@@ -657,6 +658,10 @@ default-features = false
 package = "conduwuit"
 path = "src/main"

+[workspace.dependencies.ruminuwuity]
+package = "ruminuwuity"
+path = "src/ruminuwuity"
+
 ###############################################################################
 #
 # Release profiles
@@ -1 +0,0 @@
-Added support for associating email addresses with accounts, requiring email addresses for registration, and resetting passwords via email. Contributed by @ginger
@@ -0,0 +1 @@
+The invite recipient's membership event is now included in invite stripped state, which should fix flaky invite display in some clients. Contributed by @ginger
@@ -1 +0,0 @@
-Added support for using an admin command to issue self-service password reset links.
@@ -1 +0,0 @@
-Stopped left rooms from being unconditionally sent on initial sync, hopefully fixing spurious appearances of left rooms in some clients (and making sync faster as a bonus). Contributed by @ginger
@@ -1 +0,0 @@
-Added support for requiring users to accept terms and conditions when registering.
@@ -0,0 +1 @@
+Switched from Continuwuity's fork of Ruma back to upstream Ruma. Contributed by @ginger.
@@ -0,0 +1 @@
+Users may now be forbidden from deactivating their own accounts with the new `allow_deactivation` config option.
@@ -0,0 +1 @@
+Added support for authenticating clients using the new OAuth 2.0 login API. Contributed by @ginger.
@@ -1 +0,0 @@
-Fixed room alias deletion so removing one local alias no longer removes other aliases from room alias listings.
@@ -0,0 +1 @@
+Removed support for guest user registration, a little-used and deprecated approach to room previews.
@@ -1 +0,0 @@
-Fixed corrupted appservice registrations causing the server to enter a crash loop. Contributed by @nex.
@@ -1 +0,0 @@
-Re-added support for reading registration tokens from a file. Contributed by @ginger and @benbot.
@@ -1 +0,0 @@
-Added Testing and Troubleshooting instructions for Livekit documentation. Contributed by @stratself.
@@ -1 +0,0 @@
-Prevent removing the admin room alias (`#admins`) to avoid accidentally breaking admin room functionality. Contributed by @0xnim
@@ -0,0 +1 @@
+Add performance tuning documentation. Contributed by @stratself.
@@ -1 +0,0 @@
-Add new config option to allow or disallow search engine indexing through a `<meta ../>` tag. Defaults to blocking indexing (`content="noindex"`). Contributed by @s1lv3r and @ginger.
@@ -1 +0,0 @@
-Stripped `join_authorised_via_users_server` from json if user is already in room (@partha:cxy.run)
@@ -1 +0,0 @@
-Fixed internal server errors for fetching thumbnails. Contributed by @PerformativeJade
@@ -1 +0,0 @@
-Fixed error 500 when joining non-existent rooms. Contributed by @ezera.
@@ -1 +0,0 @@
-Refactored docker docs to include new initial token workflow, and add Caddyfile example. Contributed by @stratself.
@@ -1 +0,0 @@
-Refactored nix package. Breaking, since `all-features` package no longer exists. Continuwuity is now built with jemalloc and liburing by default. Contributed by @Henry-Hiles (QuadRadical).
@@ -1 +0,0 @@
-Add DNS tuning guide for Continuwuity. Users are recommended to set up a local caching resolver following the guide's advice. Contributed by @stratself
@@ -1,2 +0,0 @@
-Add new config option for [MSC4439](https://github.com/matrix-org/matrix-spec-proposals/pull/4439)
-PGP key URIs. Contributed by LogN.
@@ -1 +0,0 @@
-Added `!admin users reset-push-rules` command to reset the notification settings of users. Contributed by @nex.
@@ -1 +0,0 @@
-Notification pushers are now automatically removed when their associated device is. Admin commands now exist for manual cleanup too. Contributed by @nex.
@@ -1 +0,0 @@
-Fixed resolving IP of servers that only use SRV delegation. Contributed by @tulir.
@@ -1 +0,0 @@
-Fixed compiler warning in cf_opts.rs when building in release. Contributed by @ezera.
@@ -1 +0,0 @@
-Fixed "Sender must be a local user" error for make_join, make_knock, and make_leave federation routes. Contributed by @nex.
@@ -1 +0,0 @@
-Implemented option to deprioritize servers for room join requests. Contributed by @ezera.
@@ -1 +0,0 @@
-Added admin commands to get build information and features. Contributed by @Jade
@@ -1 +0,0 @@
-Fixed restricted joins not being signed when we are being used as an authorising server. Contributed by @nex, reported by [vel](matrix:u/vel:nhjkl.com?action=chat).
@@ -0,0 +1 @@
+Explain accessing Continuwuity's server console when deployed via Docker.
@@ -0,0 +1 @@
+Removed support for LDAP.
@@ -0,0 +1 @@
+Clarified in the config that `max_request_size` affects federated media as well.
@@ -0,0 +1 @@
+Added support for fallback encryption keys.
@@ -0,0 +1 @@
+Fixed a bug that caused the server to drop events during processing if several events for the same room were sent in a singular transaction. Contributed by @nex.
@@ -0,0 +1 @@
+Add `!admin users reject-all-invites` to clean invite spam
@@ -7,7 +7,6 @@
 [global]
 address = "0.0.0.0"
 allow_device_name_federation = true
-allow_guest_registration = true
 allow_public_room_directory_over_federation = true
 allow_registration = true
 database_path = "/database"
@@ -32,7 +31,6 @@ rocksdb_log_level = "info"
 rocksdb_max_log_files = 1
 rocksdb_recovery_mode = 0
 rocksdb_paranoid_file_checks = true
-log_guest_registrations = false
 allow_legacy_media = true
 startup_netburst = true
 startup_netburst_keep = -1
@@ -291,6 +291,7 @@
 #ip_lookup_strategy = 5

 # Max request size for file uploads in bytes. Defaults to 20MB.
+# Also limits incoming federated media.
 #
 #max_request_size = 20971520

@@ -523,17 +524,15 @@
 #
 #recaptcha_private_site_key =

-# Policy documents, such as terms and conditions or a privacy policy,
-# which users must agree to when registering an account.
+# Controls whether users are allowed to deactivate their own accounts
+# through the account management panel or their Matrix clients. Server
+# admins can always deactivate users using the relevant admin commands.
 #
-# Example:
-# ```ignore
-# [global.registration_terms.privacy_policy]
-# en = { name = "Privacy Policy", url = "https://homeserver.example/en/privacy_policy.html" }
-# es = { name = "Política de Privacidad", url = "https://homeserver.example/es/privacy_policy.html" }
-# ```
+# Note that, in some jurisdictions, you may be legally required to honor
+# users who request to deactivate their accounts if you set this option
+# to `false`.
 #
-#registration_terms = {}
+#allow_deactivation = true

 # Controls whether encrypted rooms and events are allowed.
 #
@@ -573,18 +572,6 @@
 #
 #allow_public_room_directory_over_federation = false

-# Allow guests/unauthenticated users to access TURN credentials.
-#
-# This is the equivalent of Synapse's `turn_allow_guests` config option.
-# This allows any unauthenticated user to call the endpoint
-# `/_matrix/client/v3/voip/turnServer`.
-#
-# It is unlikely you need to enable this as all major clients support
-# authentication for this endpoint and prevents misuse of your TURN server
-# from potential bots.
-#
-#turn_allow_guests = false
-
 # Set this to true to lock down your server's public room directory and
 # only allow admins to publish rooms to the room directory. Unpublishing
 # is still allowed by all users with this enabled.
@@ -619,7 +606,7 @@
 # Set to false to disable users from joining or creating room versions
 # that aren't officially supported by continuwuity.
 #
-# continuwuity officially supports room versions 6 - 11.
+# continuwuity officially supports room versions 6 - 12.
 #
 # continuwuity has slightly experimental (though works fine in practice)
 # support for versions 3 - 5.
@@ -631,9 +618,9 @@
 # rather than an integer. Forgetting the quotes will make the server fail
 # to start!
 #
-# Per spec, room version "11" is the default.
+# Per spec, room version "12" is the default.
 #
-#default_room_version = "11"
+#default_room_version = "12"

 # Enable OpenTelemetry OTLP tracing export. This replaces the deprecated
 # Jaeger exporter. Traces will be sent via OTLP to a collector (such as
@@ -1282,21 +1269,6 @@
 #
 #brotli_compression = false

-# Set to true to allow user type "guest" registrations. Some clients like
-# Element attempt to register guest users automatically.
-#
-#allow_guest_registration = false
-
-# Set to true to log guest registrations in the admin room. Note that
-# these may be noisy or unnecessary if you're a public homeserver.
-#
-#log_guest_registrations = false
-
-# Set to true to allow guest registrations/users to auto join any rooms
-# specified in `auto_join_rooms`.
-#
-#allow_guests_auto_join_rooms = false
-
 # Enable the legacy unauthenticated Matrix media repository endpoints.
 # These endpoints consist of:
 # - /_matrix/media/*/config
@@ -1945,94 +1917,6 @@
 #
 #foci = []

-[global.ldap]
-
-# Whether to enable LDAP login.
-#
-# example: "true"
-#
-#enable = false
-
-# Whether to force LDAP authentication or authorize classical password
-# login.
-#
-# example: "true"
-#
-#ldap_only = false
-
-# URI of the LDAP server.
-#
-# example: "ldap://ldap.example.com:389"
-#
-#uri = ""
-
-# Root of the searches.
-#
-# example: "ou=users,dc=example,dc=org"
-#
-#base_dn = ""
-
-# Bind DN if anonymous search is not enabled.
-#
-# You can use the variable `{username}` that will be replaced by the
-# entered username. In such case, the password used to bind will be the
-# one provided for the login and not the one given by
-# `bind_password_file`. Beware: automatically granting admin rights will
-# not work if you use this direct bind instead of a LDAP search.
-#
-# example: "cn=ldap-reader,dc=example,dc=org" or
-# "cn={username},ou=users,dc=example,dc=org"
-#
-#bind_dn = ""
-
-# Path to a file on the system that contains the password for the
-# `bind_dn`.
-#
-# The server must be able to access the file, and it must not be empty.
-#
-#bind_password_file = ""
-
-# Search filter to limit user searches.
-#
-# You can use the variable `{username}` that will be replaced by the
-# entered username for more complex filters.
-#
-# example: "(&(objectClass=person)(memberOf=matrix))"
-#
-#filter = "(objectClass=*)"
-
-# Attribute to use to uniquely identify the user.
-#
-# example: "uid" or "cn"
-#
-#uid_attribute = "uid"
-
-# Attribute containing the display name of the user.
-#
-# example: "givenName" or "sn"
-#
-#name_attribute = "givenName"
-
-# Root of the searches for admin users.
-#
-# Defaults to `base_dn` if empty.
-#
-# example: "ou=admins,dc=example,dc=org"
-#
-#admin_base_dn = ""
-
-# The LDAP search filter to find administrative users for continuwuity.
-#
-# If left blank, administrative state must be configured manually for each
-# user.
-#
-# You can use the variable `{username}` that will be replaced by the
-# entered username for more complex filters.
-#
-# example: "(objectClass=conduwuitAdmin)" or "(uid={username})"
-#
-#admin_filter = ""
-
 #[global.antispam]

 #[global.antispam.meowlnir]
@@ -2104,9 +1988,42 @@
 # Whether to require that users provide an email address when they
 # register.
 #
+# If either this option or `require_email_for_token_registration` are set,
+# users will not be allowed to remove their email address.
+#
 #require_email_for_registration = false

 # Whether to require that users who register with a registration token
 # provide an email address.
 #
 #require_email_for_token_registration = false
+
+#[global.registration-terms]
+
+# The language code to provide to clients along with the policy documents.
+#
+#language = "en"
+
+# Policy documents, such as terms and conditions or a privacy policy,
+# which users must agree to when registering an account.
+#
+# Example:
+# ```ignore
+# [global.registration_terms.documents]
+# privacy_policy = { name = "Privacy Policy", url = "https://homeserver.example/en/privacy_policy.html" }
+# ```
+#
+#documents = {}
+
+#[global.oauth]
+
+# The compatibility mode to use for OAuth.
+#
+# - "disabled": OAuth will be unavailable. Users will only be able to log
+#   in using legacy authentication.
+# - "hybrid": OAuth and legacy authentication will both be available. Some
+#   clients may only use one or the other.
+# - "exclusive": Only OAuth will be available. Clients which require
+#   legacy authentication will be unable to log in.
+#
+#compatibility_mode = "hybrid"
@@ -17,12 +17,14 @@ ARG LLVM_VERSION=21
 # Line one: compiler tools
 # Line two: curl, for downloading binaries and wget because llvm.sh is broken with curl
 # Line three: for xx-verify
+# golang, cmake: For aws-lc-rs bindgen
 RUN --mount=type=cache,target=/var/cache/apt,sharing=locked \
    --mount=type=cache,target=/var/lib/apt,sharing=locked \
    apt-get update && apt-get install -y \
    pkg-config make jq \
    wget curl git software-properties-common \
    file
+    # golang cmake

 # LLVM packages
 RUN --mount=type=cache,target=/var/cache/apt,sharing=locked \
@@ -48,7 +50,7 @@ EOF

 # Developer tool versions
 # renovate: datasource=github-releases depName=cargo-bins/cargo-binstall
-ENV BINSTALL_VERSION=1.18.1
+ENV BINSTALL_VERSION=1.19.1
 # renovate: datasource=github-releases depName=psastras/sbom-rs
 ENV CARGO_SBOM_VERSION=0.9.1
 # renovate: datasource=crate depName=lddtree
@@ -162,7 +164,7 @@ ENV CONDUWUIT_VERSION_EXTRA=$CONDUWUIT_VERSION_EXTRA
 ENV CONTINUWUITY_VERSION_EXTRA=$CONTINUWUITY_VERSION_EXTRA

 ARG RUST_PROFILE=release
-ARG CARGO_FEATURES="default,http3"
+ARG CARGO_FEATURES="default"

 # Build the binary
 RUN --mount=type=cache,target=/usr/local/cargo/registry \
@@ -18,7 +18,7 @@ RUN --mount=type=cache,target=/etc/apk/cache apk add \

 # Developer tool versions
 # renovate: datasource=github-releases depName=cargo-bins/cargo-binstall
-ENV BINSTALL_VERSION=1.18.1
+ENV BINSTALL_VERSION=1.19.1
 # renovate: datasource=github-releases depName=psastras/sbom-rs
 ENV CARGO_SBOM_VERSION=0.9.1
 # renovate: datasource=crate depName=lddtree
@@ -8,6 +8,11 @@
        "type": "file",
        "name": "dns",
        "label": "DNS tuning (recommended)"
+    },
+    {
+        "type": "file",
+        "name": "performance",
+        "label": "Performance tuning"
    }

 ]
@@ -50,8 +50,6 @@ # Defaults to members of the admin room if unset
      # CONTINUWUITY_WELL_KNOWN__SERVER: matrix.example.com:443
 ```

-## Reverse proxying well-known files to Continuwuity
-
 After doing the steps above, Continuwuity will serve these 3 JSON files:

 - `/.well-known/matrix/client`: for Client-Server discovery
@@ -60,9 +58,11 @@ ## Reverse proxying well-known files to Continuwuity

 To enable full discovery, you will need to reverse proxy these paths from the base domain back to Continuwuity.

+## Reverse proxying well-known files to Continuwuity
+
 <details>

-<summary>For Caddy</summary>
+<summary>For **Caddy**</summary>

 ```
 matrix.example.com:443 {
@@ -78,7 +78,7 @@ ## Reverse proxying well-known files to Continuwuity

 <details>

-<summary>For Traefik (via Docker labels)</summary>
+<summary>For **Traefik** (via Docker labels)</summary>

 ```
 services:
@@ -93,7 +93,10 @@ ## Reverse proxying well-known files to Continuwuity

 </details>

-Restart Continuwuity and your reverse proxy. Once that's done, visit these routes and check that the responses match the examples below:
+
+For **Docker** users, consult the compose files in the [Appendix section](#docker-compose-examples).
+
+After applying these changes, restart Continuwuity and your reverse proxy.Visit these routes and check that the responses match the examples below:

 <details open>

@@ -153,9 +156,11 @@ ### Serving well-known files manually

 ## Troubleshooting

-Check with the [Matrix Connectivity Tester][federation-tester] to see that it's working.
+Check that other servers can connect to you.
+Here are some tools that can help identify federation issues:

-[federation-tester]: https://federationtester.mtrnord.blog/
+- [Matrix Connectivity Tester](https://federationtester.mtrnord.blog/)
+- [Matrix Federation Tester](https://federationtester.matrix.org/)

 ### Cannot log in with web clients

@@ -253,3 +258,45 @@ ## Related Documentation
 - [Server-to-Server resolution](https://spec.matrix.org/v1.17/server-server-api/#resolving-server-names) (see this for more information on SRV records)
 - [Client-to-Server resolution](https://spec.matrix.org/v1.17/client-server-api/#server-discovery)
 - [MSC1929: Homeserver Admin Contact and Support page](https://github.com/matrix-org/matrix-spec-proposals/pull/1929)
+
+## Appendix
+
+### Docker Compose examples
+
+The following Compose files are taken from [Docker instructions](../deploying/docker.mdx) and reconfigured to support split-domain delegation. Note the updated `CONTINUWUITY_WELL_KNOWN` variable and relevant changes in reverse proxy rules.
+
+<details>
+<summary>Caddy (using Caddyfile) - delegated.docker-compose.with-caddy.yml ([view raw](/advanced/delegated.docker-compose.with-caddy.yml))</summary>
+
+```yaml file="../public/advanced/delegated.docker-compose.with-caddy.yml"
+
+```
+
+</details>
+
+<details>
+<summary>Caddy (using labels) - delegated.docker-compose.with-caddy-labels.yml ([view raw](/advanced/delegated.docker-compose.with-caddy-labels.yml))</summary>
+
+```yaml file="../public/advanced/delegated.docker-compose.with-caddy-labels.yml"
+
+```
+
+</details>
+
+<details>
+<summary>Traefik (for existing setup) - delegated.docker-compose.for-traefik.yml ([view raw](/advanced/delegated.docker-compose.for-traefik.yml))</summary>
+
+```yaml file="../public/advanced/delegated.docker-compose.for-traefik.yml"
+
+```
+
+</details>
+
+<details>
+<summary>Traefik included - delegated.docker-compose.with-traefik.yml ([view raw](/advanced/delegated.docker-compose.with-traefik.yml))</summary>
+
+```yaml file="../public/advanced/delegated.docker-compose.with-traefik.yml"
+
+```
+
+</details>
@@ -0,0 +1,135 @@
+# Performance tuning
+
+Continuwuity's default configs are suited for many typical setups and scales appropriately with the size of your hardware. However, there are many scenarios where additional modifications can be made to better utilize your server resources.
+
+This page aims to outline various performance tweaks for Continuwuity and their effects. These adjustments are especially helpful for homeservers that join many large federated rooms or have many users, and it will become increasingly necessary as the Matrix network expands. As always, your mileage may vary according to your setup's specifics. If you have further discussions or recommendations, please share them in the community rooms.
+
+## DNS tuning (recommended)
+
+Please see the dedicated [DNS tuning guide](./dns.mdx).
+
+## Cache capacities
+
+If you have memory to spare, consider increasing the `cache_capacity_modifier` value to a larger number to allow more data to be stored in hot memory. This *significantly* speeds up many intensive operations (such as state resolutions) and decreases CPU usage and disk I/O. Start with a baseline of `cache_capacity_modifier = 2.0` and tune up until you are satisfied with RAM usage.
+
+On the other hand, if your system doesn't have a lot of RAM, consider decreasing the cache capacity modifier to something smaller than `1.0` to avoid low-memory issues (at the cost of higher load on disk/CPU). This recommendation also works if your system has abnormally little RAM compared to the number of CPU cores (for example, 2GB RAM for 12 cores), as cache capacities scale according to number of available cores.
+
+## Disabling some features
+
+You can disable outgoing **typing notifications** and **read markers** to reduce strain on the CPU and network when actively participating in rooms.
+
+```toml
+# disables sending read receipts
+allow_outgoing_read_receipts = false
+# disables sending typing notifications
+allow_outgoing_typing = false
+```
+
+Outgoing presence updates are also considered very expensive and have been disabled by default (`allow_outgoing_presence = false`). For more savings, you may wish to disable _all_ processing of presence entirely.
+
+```toml title=continuwuity.toml
+# disabling presence updates entirely
+allow_local_presence = false
+allow_incoming_presence = false
+allow_outgoing_presence = false
+```
+
+## Tuning database compression
+
+:::warning
+These steps SHOULD be done **before** starting Continuwuity for the first time. While switching database compression midway through is theoretically possible, this has not been tested extensively in the wild.
+:::
+
+### Changing the compression algorithm
+
+For reduced CPU usage at a tradeoff of increased storage space, consider deploying Continuwuity with the faster and less intensive `lz4` algorithm instead of `zstd` for rocksdb, and disable WAL compression entirely:
+
+```toml
+### in continuwuity.toml ###
+rocksdb_compression_algo = "lz4"
+rocksdb_wal_compression = "none"
+```
+
+This tweak can especially be helpful if you have an older or less performant CPU (e.g. a Raspberry Pi) and disk space to spare.
+
+### Increasing bottommost layer compression (`zstd` only)
+
+The bottommost layer of the database usually contains old and read-only data, so it is a suitable place for further compression. In Continuwuity, this is possible by setting `rocksdb_bottommost_compression = true` and tuning `rocksdb_bottommost_compression_level` to a more compact level than the default one used in `rocksdb_compression_level`. This tweak comes at a cost of increased CPU usage, but may prevent your database from growing too large in the long run.
+
+For those using `zstd` compression, the compression level ranges from 1 to 22. An example like this could apply:
+
+```toml
+### in continuwuity.toml ###
+rocksdb_compression_algo = "zstd"
+rocksdb_compression_level = 32767 # magic number, translates to level 3 on zstd
+rocksdb_bottommost_compression = true
+rocksdb_bottommost_compression_level = 9 # level 9 on zstd
+```
+
+For `lz4` users, the default level (`-1`) is already the most compact. You can only further decrease it to favor compression speed over ratio.
+
+Consult these documents for more information on compression tuning and levels:
+
+- [Rocksdb compression documentation][rocksdb-compression]
+- [Rocksdb default compression levels][rocksdb-compression-defaults]
+- [Zstd manual][zstd-manual]
+- [Lz4 manual][lz4-manual]
+
+[rocksdb-compression]: https://github.com/facebook/rocksdb/wiki/Compression
+[rocksdb-compression-defaults]: https://github.com/facebook/rocksdb/blob/main/include/rocksdb/options.h#L208-L217
+[zstd-manual]: https://facebook.github.io/zstd/zstd_manual.html
+[lz4-manual]: https://github.com/lz4/lz4/blob/release/doc/lz4_manual.html
+
+## Other tweaks
+
+### Using UNIX sockets
+
+If your homeserver and reverse proxy live on the same machine, you may wish to expose Continuwuity on a UNIX socket instead of a port. This removes TCP overhead between the two programs.
+
+<details>
+
+<summary>Example config with Caddy</summary>
+
+```toml
+### in continuwuity.toml ###
+
+# `address` and `port` has to be commented out first
+#address = ["127.0.0.1", "::1"]
+#port = 8008
+unix_socket_path = "/run/continuwuity/continuwuity.sock"
+```
+
+```
+### in your Caddyfile ###
+https://matrix.example.com {
+    reverse_proxy unix//run/continuwuity/continuwuity.sock
+
+    # alternatively, use the http2-plaintext protocol
+    # reverse_proxy unix+h2c//run/continuwuity/continuwuity.sock
+}
+```
+
+</details>
+
+### Tuning your trusted servers
+
+:::info Vet your trusted servers!
+Trusted servers are your first point of contact when obtaining public keys from other servers, and they could theoretically impersonate other servers and cause significant harm to your deployment. Please thoroughly verify your trusted servers' credibility before adding them to your configuration.
+:::
+
+Trusted servers are queried sequentially in the order they are listed. If you have multiple trusted servers configured, put the faster ones first:
+
+```toml
+# Example config, using maintainers' recommended homeservers
+trusted_servers = ["codestorm.net","starstruck.systems","unredacted.org","matrix.org"]
+```
+
+Avoid prioritising `matrix.org` as your primary trusted server, as it tends to be quite slow.
+
+Some users have also reported that increasing `trusted_server_batch_size` has helped with faster joins for huge rooms. Start with doubling the default to `2048` until you find a suitable value.
+
+### Enable HTTP/3 on your reverse proxy
+
+Consider enabling the newer **HTTP/3** protocol for inbound connections to Continuwuity. In Caddy HTTP/3 is allowed by default, but you must expose port :443/**udp** on your firewall.
+
+HTTP/3 can vastly improve Client-Server connections especially on unstable networks, as it reduces packet losses and latency from TCP head-of-line blocking, includes workarounds for network switching, and reduces connection establishment handshakes. Continuwuity also includes experimental _outbound_ HTTP/3 support in its Docker images, so connections between Continuwuity servers can benefit from this too.
@@ -91,7 +91,7 @@ ### 3. Telling clients where to find LiveKit

 To tell clients where to find LiveKit, you need to add the address of your `lk-jwt-service` to the `[global.matrix_rtc]` config section using the `foci` option.

-The variable should be a list of servers serving as MatrixRTC endpoints. Clients discover these via the `/_matrix/client/v1/rtc/transports` endpoint (MSC4143).
+The variable should be a list of servers serving as MatrixRTC endpoints. Replace the URL with the address you are deploying your instance of lk-jwt-service to:

 ```toml
 [global.matrix_rtc]
@@ -100,7 +100,10 @@ ### 3. Telling clients where to find LiveKit
 ]
 ```

-Remember to replace the URL with the address you are deploying your instance of lk-jwt-service to.
+This will expose LiveKit information on the following endpoints for clients to discover:
+
+- `/_matrix/client/unstable/org.matrix.msc4143/rtc/transports` (MSC4143 unstable, behind auth)
+- `/.well-known/matrix/client` (fallback, not behind auth. Only enabled if `[global.well_known].client` is set)

 ### 4. Configure your Reverse Proxy

@@ -114,6 +117,7 @@ ### 4. Configure your Reverse Proxy

 <details>
    <summary>Example caddy config</summary>
+
    ```
    livekit.example.com {

@@ -127,10 +131,12 @@ ### 4. Configure your Reverse Proxy
        reverse_proxy 127.0.0.1:7880
    }
    ```
+
 </details>

 <details>
    <summary>Example nginx config</summary>
+
    ```
    server {
        server_name livekit.example.com;
@@ -167,16 +173,19 @@ ### 4. Configure your Reverse Proxy
        ''      close;
    }
    ```
+
 </details>

 <details>
    <summary>Example traefik router</summary>
+
    ```
    # on LiveKit itself
    traefik.http.routers.livekit.rule=Host(`livekit.example.com`)
    # on the JWT service
    traefik.http.routers.livekit-jwt.rule=Host(`livekit.example.com`) && (PathPrefix(`/sfu/get`) || PathPrefix(`/healthz`) || PathPrefix(`/get_token`))
    ```
+
 </details>


@@ -210,7 +219,7 @@ ### add these to livekit's docker-compose ###
 ### if you're using `network_mode: host`, you can skip this part
 ```

-Recreate the LiveKit container (with `docker-compose up -d livekit`) to apply these changes. Remember to allow the new `3478/udp` and `50100:50200/udp` ports through your firewall.
+Recreate the LiveKit container (with `docker-compose up -d livekit`) to apply these changes. Remember to allow the new `3478/udp` and `50300:50400/udp` ports through your firewall.

 ### Integration with an external TURN server

@@ -257,11 +266,25 @@ ## Testing

 First, you will need an access token for your current login session. These can be found in your client's settings or obtained via [this website](https://timedout.uk/mxtoken.html).

-Then, using that token, request another OpenID token for use with the lk-jwt-service:
+Then, using that token, fetch the discovery endpoints for MatrixRTC services

 ```bash
-~$ curl -X POST -H "Authorization: Bearer <session-access-token>" \
+curl -X POST -H "Authorization: Bearer <session-access-token>" \
+  https://matrix.example.com/_matrix/client/unstable/org.matrix.msc4143/rtc/transports
+```
+
+In the output, you should see the LiveKit URL matching the one [configured above](#3-telling-clients-where-to-find-livekit).
+
+With the same token, request another OpenID token for use with the lk-jwt-service:
+
+```bash
+curl -X POST -H "Authorization: Bearer <session-access-token>" \
  https://matrix.example.com/_matrix/client/v3/user/@user:example.com/openid/request_token
+```
+
+You will see a response as below:
+
+```json
 {"access_token":"<openid_access_token>","token_type":"Bearer","matrix_server_name":"example.com","expires_in":3600}
 ```

@@ -296,10 +319,15 @@ ## Testing

 ```bash
 ~$ curl -X POST -d @payload.json https://livekit.example.com/get_token
+```
+
+The lk-jwt-service will, after checking against Continuwuity, answer with a `jwt` token to create a LiveKit media room:
+
+```json
 {"url":"wss://livekit.example.com","jwt":"a_really_really_long_string"}
 ```

-The lk-jwt-service will, after checking against Continuwuity, answer with a `jwt` token to create a LiveKit media room. Use this token to test at the [LiveKit Connection Tester](https://livekit.io/connection-test). If everything works there, then you have set up LiveKit successfully!
+Use this token to test at the [LiveKit Connection Tester](https://livekit.io/connection-test). If everything works there, then you have set up LiveKit successfully!

 ## Troubleshooting

@@ -363,8 +391,8 @@ ## Related Documentation

 Specifications:

- [MatrixRTC proposal](https://github.com/matrix-org/matrix-spec-proposals/pull/4143)
- [LiveKit proposal](https://github.com/matrix-org/matrix-spec-proposals/pull/4195)
+- [MSC4143 - MatrixRTC proposal](https://github.com/matrix-org/matrix-spec-proposals/pull/4143)
+- [MSC4195 - LiveKit proposal](https://github.com/matrix-org/matrix-spec-proposals/pull/4195)

 Source code:

@@ -34,6 +34,11 @@
        "name": "kubernetes",
        "label": "Kubernetes"
    },
+    {
+        "type": "file",
+        "name": "nomad",
+        "label": "Nomad"
+    },
    {
        "type": "file",
        "name": "freebsd",
@@ -148,7 +148,7 @@ #### For other reverse proxies

 </details>

-You will then need to point your reverse proxy towards Continuwuity at `127.0.0.1:8008`. See the [Other reverse proxies](generic.mdx#setting-up-the-reverse-proxy) section of the Generic page for further routing details.
+See the [Other reverse proxies](generic.mdx#setting-up-the-reverse-proxy) section of the Generic page for further routing details.

 ### Starting Your Server

@@ -243,9 +243,30 @@ ### (Optional) Building Custom Images
 [Building Docker Images](../development/index.mdx#building-docker-images)
 section in the development documentation.

+### Accessing the Server's Console
+
+Before you can access the server's console and [send admin commands](../reference/admin/index.md) from the CLI, you will need to make the container interactive and allocate a pseudo-tty. Make sure you set `admin_console_automatic` to `true` in [the config](../reference/config.mdx) as well for Continuwuity to activate the CLI on startup.
+
+For Docker Compose deployments this means adding `stdin_open: true` and `tty: true` to the container's declaration:
+
+```yaml
+services:
+    homeserver:
+        stdin_open: true
+        tty: true
+        # ...
+```
+
+If you choose to deploy via `docker run`, add the flags `-i`/`--interactive` and `-t`/`--tty` to the command.
+
+From there you can access the server's console by running `docker attach <container-name>`, which will show the server's prompt `uwu> `. To exit `docker attach`, press `CTRL+p` then `CTRL+q`.
+
+Note that using `CTRL+c` within `docker attach`'s context will forward the signal to the server, stopping it. See [Docker's reference][docker-attach-reference] for more information.
+
+[docker-attach-reference]: https://docs.docker.com/reference/cli/docker/container/attach/
+
 ## Next steps

 - For smooth federation, set up a caching resolver according to the [**DNS tuning guide**](../advanced/dns.mdx) (recommended)
 - To set up Audio/Video communication, see the [**Calls**](../calls.mdx) page.
- If you want to set up an appservice, take a look at the [**Appservice
-Guide**](../appservices.mdx).
+- If you want to set up an appservice, take a look at the [**Appservice Guide**](../appservices.mdx).
@@ -1,10 +1,12 @@
 # Generic deployment documentation

-> ### Getting help
->
-> If you run into any problems while setting up Continuwuity, ask us in
-> `#continuwuity:continuwuity.org` or [open an issue on
-> Forgejo](https://forgejo.ellis.link/continuwuation/continuwuity/issues/new).
+:::tip Getting help
+If you run into any problems while setting up Continuwuity, ask us in
+`#continuwuity:continuwuity.org` or [open an issue on
+Forgejo][forgejo-new-issue].
+:::
+
+[forgejo-new-issue]: https://forgejo.ellis.link/continuwuation/continuwuity/issues/new

 ## Installing Continuwuity

@@ -15,17 +17,16 @@ ### Prebuilt binary

 Prebuilt binaries are available from:

- **Tagged releases**: [Latest release page](https://forgejo.ellis.link/continuwuation/continuwuity/releases/latest)
- **Development builds**: CI artifacts from the `main` branch
-  (includes Debian/Ubuntu packages)
-
-When browsing CI artifacts, `ci-bins` contains binaries organised
-by commit hash, while `releases` contains tagged versions. Sort
-by last modified date to find the most recent builds.
+- **Tagged releases**: [see Release page][release-page]
+- **Development builds**: CI artifacts from the `main` branch,
+  [see `release-image.yml` for details][release-image]

 The binaries require jemalloc and io_uring on the host system. Currently
 we can't cross-build static binaries - contributions are welcome here.

+[release-page]: https://forgejo.ellis.link/continuwuation/continuwuity/releases/
+[release-image]: https://forgejo.ellis.link/continuwuation/continuwuity/actions/?workflow=release-image.yml
+
 #### Performance-optimised builds

 For x86_64 systems with CPUs from the last ~15 years, use the
@@ -38,11 +39,12 @@ #### Performance-optimised builds
 If you're using Docker instead, equivalent performance-optimised
 images are available with the `-maxperf` suffix (e.g.
 `forgejo.ellis.link/continuwuation/continuwuity:latest-maxperf`).
-These images use the `release-max-perf`
-build profile with
-[link-time optimisation (LTO)](https://doc.rust-lang.org/cargo/reference/profiles.html#lto)
+These images use the `release-max-perf` build profile with
+[link-time optimisation (LTO)][lto-rust-docs]
 and, for amd64, target the haswell CPU architecture.

+[lto-rust-docs]: https://doc.rust-lang.org/cargo/reference/profiles.html#lto
+
 ### Nix

 Theres a Nix package defined in our flake, available for Linux and MacOS. Add continuwuity as an input to your flake, and use `inputs.continuwuity.packages.${system}.default` to get a working Continuwuity package.
@@ -55,7 +57,8 @@ ### Compiling

 #### Using Docker

-If you would like to build using docker, you can run the command `docker build -f ./docker/Dockerfile -t forgejo.ellis.link/continuwuation/continuwuity:main .` to compile continuwuity.
+See the [Building Docker Images](../development/index.mdx#building-docker-images)
+section in the development documentation.

 #### Manual

@@ -69,7 +72,7 @@ ##### Dependencies

 ##### Build

-You can build Continuwuity using `cargo build --release`.
+You can now build Continuwuity using `cargo build --release`.

 Continuwuity supports various optional features that can be enabled during compilation. Please see the Cargo.toml file for a comprehensive list, or ask in our rooms.

@@ -91,27 +94,6 @@ ## Adding a Continuwuity user
 sudo useradd -r --shell /usr/bin/nologin --no-create-home continuwuity
 ```

-## Forwarding ports in the firewall or the router
-
-Matrix's default federation port is 8448, and clients must use port 443.
-If you would like to use only port 443 or a different port, you will need to set up
-delegation. Continuwuity has configuration options for delegation, or you can configure
-your reverse proxy to manually serve the necessary JSON files for delegation
-(see the `[global.well_known]` config section).
-
-If Continuwuity runs behind a router or in a container and has a different public
-IP address than the host system, you need to forward these public ports directly
-or indirectly to the port mentioned in the configuration.
-
-Note for NAT users: if you have trouble connecting to your server from inside
-your network, check if your router supports "NAT
-hairpinning" or "NAT loopback".
-
-If your router does not support this feature, you need to research doing local
-DNS overrides and force your Matrix DNS records to use your local IP internally.
-This can be done at the host level using `/etc/hosts`. If you need this to be
-on the network level, consider something like NextDNS or Pi-Hole.
-
 ## Setting up a systemd service

 You can find an example unit for continuwuity below.
@@ -123,7 +105,7 @@ ## Setting up a systemd service
 `/etc/rsyslog.conf` to allow color in logs.

 If you are using a different `database_path` than the systemd unit's
-configured default `/var/lib/conduwuit`, you need to add your path to the
+configured default (`/var/lib/conduwuit`), you need to add your path to the
 systemd unit's `ReadWritePaths=`. You can do this by either directly editing
 `conduwuit.service` and reloading systemd, or by running `systemctl edit conduwuit.service`
 and entering the following:
@@ -144,7 +126,9 @@ ### Example systemd Unit File

 </details>

-You can also [view the file on Foregejo](https://forgejo.ellis.link/continuwuation/continuwuity/src/branch/main/pkg/conduwuit.service).
+You can also [view the file on Foregejo][systemd-file].
+
+[systemd-file]: https://forgejo.ellis.link/continuwuation/continuwuity/src/branch/main/pkg/conduwuit.service

 ## Creating the Continuwuity configuration file

@@ -155,9 +139,7 @@ ## Creating the Continuwuity configuration file
 **Please take a moment to read the config. You need to change at least the
 server name.**

-RocksDB is the only supported database backend.
-
-## Setting the correct file permissions
+### Setting the correct file permissions

 If you are using a dedicated user for Continuwuity, you need to allow it to
 read the configuration. To do this, run:
@@ -175,22 +157,29 @@ ## Setting the correct file permissions
 sudo chmod 700 /var/lib/conduwuit/
 ```

-## Setting up the Reverse Proxy
+## Exposing ports in the firewall or the router

-We recommend Caddy as a reverse proxy because it is trivial to use and handles TLS certificates, reverse proxy headers, etc. transparently with proper defaults.
-For other software, please refer to their respective documentation or online guides.
+Matrix's default federation port is **:8448**, and clients use port **:443**. You will need to
+expose these ports on your firewall or router. If you use UFW, the commands to allow them
+are: `ufw allow 8448/tcp` and `ufw allow 443/tcp`.
+
+:::tip Alternative port/domain setups
+If you would like to use only port 443, a different port, or a subdomain for the homeserver, you will need to set up `.well-known` delegation. Consult the `[global.well_known]` section of the config file, and the [**Delegation/Split-domain**](../advanced/delegation) page to learn more about these kinds of deployments.
+:::
+
+## Setting up the Reverse Proxy

 ### Caddy

-After installing Caddy via your preferred method, create `/etc/caddy/conf.d/conduwuit_caddyfile`
-and enter the following (substitute your actual server name):
+Caddy is the recommended reverse proxy as it is easy to use, has good defaults,
+and handle TLS certificates automatically. After installing Caddy via your preferred
+method, create `/etc/caddy/conf.d/conduwuit_caddyfile` and enter the following
+(substitute `example.com` with your actual server name):

 ```
-your.server.name, your.server.name:8448 {
+example.com, example.com:8448 {
    # TCP reverse_proxy
-    reverse_proxy 127.0.0.1:6167
-    # UNIX socket
-    #reverse_proxy unix//run/conduwuit/conduwuit.sock
+    reverse_proxy 127.0.0.1:8008
 }
 ```

@@ -202,51 +191,45 @@ ### Caddy

 ### Other Reverse Proxies

-As we prefer our users to use Caddy, we do not provide configuration files for other proxies.
+Normally, your reverse proxy should route everything from port :8448 and :443 back to Continuwuity.

-You will need to reverse proxy everything under the following routes:
+For more granular controls, you will need to proxy everything under these following routes:

- `/_matrix/` - core Matrix C-S and S-S APIs
- `/_conduwuit/` and/or `/_continuwuity/` - ad-hoc Continuwuity routes such as `/local_user_count` and
-  `/server_version`
+- `/_matrix/` - core Matrix APIs, which includes:
+
+  - `/_matrix/federation` and `/_matrix/key` - core Server-Server APIs. These should be available on port :8448
+
+  - `/_matrix/client` - core Client-Server APIs. These should be available on port :443
+
+- `/_conduwuit/` and `/_continuwuity/` - ad-hoc Continuwuity routes for password resets, email verification, and server details such as `/local_user_count` and `/server_version`.

 You can optionally reverse proxy the following individual routes:

 - `/.well-known/matrix/client` and `/.well-known/matrix/server` if using
  Continuwuity to perform delegation (see the `[global.well_known]` config section)
 - `/.well-known/matrix/support` if using Continuwuity to send the homeserver admin
-  contact and support page (formerly known as MSC1929)
- `/` if you would like to see `hewwo from conduwuit woof!` at the root
+  [contact and support page][well-known-support]
+- `/` and `/_continuwuity/logo.svg` if you would like to see the Continuwuity landing page

-See the following spec pages for more details on these files:
+Refer to the respective software's documentation and online guides on how to do so.

- [`/.well-known/matrix/server`](https://spec.matrix.org/latest/client-server-api/#getwell-knownmatrixserver)
- [`/.well-known/matrix/client`](https://spec.matrix.org/latest/client-server-api/#getwell-knownmatrixclient)
- [`/.well-known/matrix/support`](https://spec.matrix.org/latest/client-server-api/#getwell-knownmatrixsupport)
+[well-known-support]: https://spec.matrix.org/v1.18/client-server-api/#getwell-knownmatrixsupport

-Examples of delegation:
+#### Caveats for specific reverse proxies

- https://continuwuity.org/.well-known/matrix/server
- https://continuwuity.org/.well-known/matrix/client
- https://ellis.link/.well-known/matrix/server
- https://ellis.link/.well-known/matrix/client
-
-For Apache and Nginx there are many examples available online.
-
-Lighttpd is not supported as it appears to interfere with the `X-Matrix` Authorization
+- Lighttpd is not supported as it appears to interfere with the `X-Matrix` Authorization
 header, making federation non-functional. If you find a workaround, please share it so we can add it to this documentation.

-If using Apache, you need to use `nocanon` in your `ProxyPass` directive to prevent httpd from interfering with the `X-Matrix` header (note that Apache is not ideal as a general reverse proxy, so we discourage using it if alternatives are available).
+- If using Apache, you need to use `nocanon` in your `ProxyPass` directive to prevent httpd from interfering with the `X-Matrix` header (note that Apache is not ideal as a general reverse proxy, so we discourage using it if alternatives are available).

-If using Nginx, you need to pass the request URI to Continuwuity using `$request_uri`, like this:
+- If using Nginx, you need to pass the request URI to Continuwuity using `$request_uri`, like this:

- `proxy_pass http://127.0.0.1:6167$request_uri;`
- `proxy_pass http://127.0.0.1:6167;`
+    - `proxy_pass http://127.0.0.1:6167$request_uri;`
+    - `proxy_pass http://127.0.0.1:6167;`

-Nginx users need to increase the `client_max_body_size` setting (default is 1M) to match the
-`max_request_size` defined in conduwuit.toml.
+    Furthermore, Nginx users need to increase the `client_max_body_size` setting (default is 1M) to match the `max_request_size` defined in conduwuit.toml.

-## You're done
+## Starting Your Server

 Now you can start Continuwuity with:

@@ -260,36 +243,57 @@ ## You're done
 sudo systemctl enable conduwuit
 ```

-## How do I know it works?
-
-You can open [a Matrix client](https://matrix.org/ecosystem/clients), enter your
-homeserver address, and try to register.
-
-You can also use these commands as a quick health check (replace
-`your.server.name`).
+Check Continuwuity logs with the following command:

 ```bash
-curl https://your.server.name/_conduwuit/server_version
-
-# If using port 8448
-curl https://your.server.name:8448/_conduwuit/server_version
-
-# If federation is enabled
-curl https://your.server.name:8448/_matrix/federation/v1/version
+sudo journalctl -u conduwuit.service
 ```

- To check if your server can communicate with other homeservers, use the
-  [Matrix Federation Tester](https://federationtester.mtrnord.blog/). If you can
-  register but cannot join federated rooms, check your configuration and verify
-  that port 8448 is open and forwarded correctly.
+If Continuwuity has successfully initialized, you'll see output as below.
+
+```
+In order to use your new homeserver, you need to create its
+first user account.
+Open your Matrix client of choice and register an account
+on example.com using registration token x5keUZ811RqvLsNa .
+Pick your own username and password!
+```
+
+You can then open [a Matrix client][matrix-clients],
+enter your homeserver address, and try to register with the provided token.
+By default, the first user is the instance's first admin. They will be added
+to the `#admin:example.com` room and be able to [issue admin commands](../reference/admin/index.md).
+
+[matrix-clients]: https://matrix.org/ecosystem/clients
+
+## How do I know it works?
+
+To check if your server can communicate with other homeservers,
+use an external testing tool:
+
+- [Matrix Connectivity Tester](https://federationtester.mtrnord.blog/)
+- [Matrix Federation Tester](https://federationtester.matrix.org/)
+
+If you can register your account but cannot join federated rooms, check your configuration
+and verify that your federation endpoints are opened and forwarded correctly.
+
+As a quick health check, you can also use these cURL commands:
+
+```bash
+curl https://example.com/_conduwuit/server_version
+
+# If using port 8448
+curl https://example.com:8448/_conduwuit/server_version
+
+# If federation is enabled
+curl https://example.com:8448/_matrix/federation/v1/version
+
+# For client-server endpoints
+curl https://example.com/_matrix/client/versions
+```

 ## What's next?

-### Audio/Video calls
-
-For Audio/Video call functionality see the [Calls](../calls.md) page.
-
-### Appservices
-
-If you want to set up an appservice, take a look at the [Appservice
-Guide](../appservices.md).
+- For smooth federation, set up a caching resolver according to the [**DNS tuning guide**](../advanced/dns.mdx) (recommended)
+- For Audio/Video call functionality see the [**Calls**](../calls.md) page.
+- If you want to set up an appservice, take a look at the [**Appservice Guide**](../appservices.md).
@@ -0,0 +1,118 @@
+# Continuwuity for Nomad
+
+You can either pass the configuration as environment variables or mount a file containing the configuration from consul.
+This given configuration assumes that you have a traefik reverse proxy running.
+
+## Persistence
+The database being a RockDB file, it is recommended to use a volume to persist the data.
+The example below uses a volume, you need to configure the CSI driver on your cluster.
+
+| Volume Name | Mount Path | Purpose |
+|-------------|------------|---------|
+| continuwuity-volume | `/var/lib/continuwuity` | Store the database |
+| continuwuity-media-volume | `/var/lib/continuwuity/media` | Store uploaded media |
+
+## Configuration
+### Using environment variables
+```hcl
+job "continuwuity" {
+  datacenters = ["dc1"]
+  type      = "service"
+  node_pool = "default"
+
+  group "continuwuity" {
+    count = 1
+
+    network {
+      port "http" {
+        static = 6167
+      }
+    }
+
+    service {
+      name = "continuwuity"
+      port = "http"
+      tags = [
+        "traefik.enable=true",
+        "traefik.http.routers.continuwuity.rule=(Host(`matrix.example.com`) || (Host(`example.com`) && PathPrefix(`/.well-known/matrix`)))",
+        "traefik.http.routers.continuwuity.entrypoints=https",
+        "traefik.http.routers.continuwuity.tls=true",
+        "traefik.http.routers.continuwuity.tls.certresolver=letsencrypt",
+        "traefik.http.routers.continuwuity-http.rule=(Host(`matrix.example.com`) || (Host(`example.com`) && PathPrefix(`/.well-known/matrix`)))",
+        "traefik.http.routers.continuwuity-http.entrypoints=http",
+        "traefik.http.routers.continuwuity-http.middlewares=continuwuity-redirect",
+        "traefik.http.middlewares.continuwuity-redirect.redirectscheme.scheme=https",
+        "traefik.http.middlewares.continuwuity-redirect.redirectscheme.permanent=true",
+      ]
+    }
+
+    volume "continuwuity-volume" {
+      type            = "csi"
+      read_only       = false
+      source          = "continuwuity-volume"
+      attachment_mode = "file-system"
+      access_mode     = "single-node-writer"
+      per_alloc       = false
+    }
+
+    volume "continuwuity-media-volume" {
+      type            = "csi"
+      read_only       = false
+      source          = "continuwuity-media-volume"
+      attachment_mode = "file-system"
+      access_mode     = "single-node-writer"
+      per_alloc       = false
+
+      mount_options {
+        mount_flags = []
+      }
+    }
+
+    task "continuwuity" {
+      driver = "docker"
+
+      env {
+        CONTINUWUITY_SERVER_NAME        = "matrix.example.com"
+        CONTINUWUITY_TRUSTED_SERVERS    = "[\"matrix.org\", \"mozilla.org\"]"
+        CONTINUWUITY_ALLOW_REGISTRATION = false
+        CONTINUWUITY_ADDRESS            = "0.0.0.0"
+        CONTINUWUITY_PORT               = 6167
+        CONTINUWUITY_DATABASE_PATH      = "/var/lib/continuwuity"
+        CONTINUWUITY_WELL_KNOWN         = <<EOF
+{
+client=https://matrix.example.com,
+server=matrix.example.com:443
+}
+EOF
+      }
+
+      config {
+        image = "forgejo.ellis.link/continuwuation/continuwuity:latest"
+        ports = ["http"]
+      }
+
+      volume_mount {
+        volume      = "continuwuity-volume"
+        destination = "/var/lib/continuwuity"
+      }
+
+      volume_mount {
+        volume      = "continuwuity-media-volume"
+        destination = "/var/lib/continuwuity/media"
+      }
+    }
+  }
+}
+```
+
+### Using consul
+```hcl
+...
+      template {
+        data = <<EOF
+{{key "config/continuwuity"}}
+EOF
+        destination = "local/conduwuit.toml"
+      }
+...
+```
@@ -81,8 +81,6 @@ ## List of forked dependencies
 All forked dependencies are maintained under the
 [continuwuation organization on Forgejo](https://forgejo.ellis.link/continuwuation):

- [ruwuma][continuwuation-ruwuma] - Fork of [ruma/ruma][ruma] with various
-  performance improvements, more features and better client/server interop
 - [rocksdb][continuwuation-rocksdb] - Fork of [facebook/rocksdb][rocksdb] via
  [`@zaidoon1`][8] with liburing build fixes and GCC debug build fixes
 - [jemallocator][continuwuation-jemallocator] - Fork of
@@ -6,10 +6,10 @@
            "message": "Welcome to Continuwuity! Important announcements about the project will appear here."
        },
        {
-            "id": 10,
-            "mention_room": false,
-            "date": "2026-03-03",
-            "message": "We've just released [v0.5.6](https://forgejo.ellis.link/continuwuation/continuwuity/releases/tag/v0.5.6), which contains a few  security improvements - plus significant reliability and performance improvements. Please update as soon as possible. \n\nWe released [v0.5.5](https://forgejo.ellis.link/continuwuation/continuwuity/releases/tag/v0.5.5) two weeks ago, but it skipped your admin room straight to [our announcements channel](https://matrix.to/#/!jIdNjSM5X-V5JVx2h2kAhUZIIQ08GyzPL55NFZAH1vM?via=ellis.link&via=gingershaped.computer&via=matrix.org). Make sure you're there to get important information as soon as we announce it! [Our space](https://matrix.to/#/!8cR4g-i9ucof69E4JHNg9LbPVkGprHb3SzcrGBDDJgk?via=continuwuity.org&via=ellis.link&via=matrix.org) has also gained a bunch of new and interesting rooms - be there or be square."
+            "id": 13,
+            "mention_room": true,
+            "date": "2026-05-08",
+            "message": "[v0.5.9](https://forgejo.ellis.link/continuwuation/continuwuity/releases/tag/v0.5.9) has been released, fixing a few low-severity federation-related vulnerabilities. It is recommended you read the changelog and update as soon as possible. There are no new features or other changes in this release, only related bugfixes. Deployments tracking the main branch should also update to the latest commit."
        }
    ]
 }
@@ -0,0 +1,43 @@
+# Continuwuity - Behind Traefik Reverse Proxy
+
+services:
+  homeserver:
+    image: "forgejo.ellis.link/continuwuation/continuwuity:latest"
+    restart: unless-stopped
+    command: /sbin/conduwuit
+    volumes:
+      - db:/var/lib/continuwuity
+      - ./continuwuity-resolv.conf:/etc/resolv.conf # use custom resolvers rather than Docker's
+      #- ./continuwuity.toml:/etc/continuwuity.toml
+    networks:
+      - proxy
+    labels:
+      - "traefik.enable=true"
+      - "traefik.http.routers.continuwuity.rule=(Host(`matrix.example.com`) || (Host(`example.com`) && PathPrefix(`/.well-known/matrix`)))"
+      - "traefik.http.routers.continuwuity.entrypoints=websecure" # your HTTPS entry point
+      - "traefik.http.routers.continuwuity.tls=true"
+      - "traefik.http.routers.continuwuity.service=continuwuity"
+      - "traefik.http.services.continuwuity.loadbalancer.server.port=8008"
+      # possibly, depending on your config:
+      # - "traefik.http.routers.continuwuity.tls.certresolver=letsencrypt"
+    environment:
+      CONTINUWUITY_SERVER_NAME: example.com # EDIT THIS
+      CONTINUWUITY_DATABASE_PATH: /var/lib/continuwuity
+      CONTINUWUITY_ADDRESS: 0.0.0.0
+      CONTINUWUITY_PORT: 8008 # This must match with traefik's loadbalancer label
+      #CONTINUWUITY_CONFIG: '/etc/continuwuity.toml' # Uncomment if you mapped config toml above
+
+      # Serve .well-known files to tell others to reach Continuwuity on port :443
+      CONTINUWUITY_WELL_KNOWN: |
+        {
+        client=https://matrix.example.com,
+        server=matrix.example.com:443
+        }
+
+volumes:
+  db:
+
+networks:
+  # This must match the network name that Traefik listens on
+  proxy:
+    external: true
@@ -0,0 +1,54 @@
+# Continuwuity - With Caddy Labels
+
+services:
+    caddy:
+    # This compose file uses caddy-docker-proxy as the reverse proxy for Continuwuity!
+    # For more info, visit https://github.com/lucaslorentz/caddy-docker-proxy
+        image: "docker.io/lucaslorentz/caddy-docker-proxy:ci-alpine"
+        ports:
+            - 80:80
+            - 443:443
+        environment:
+            - CADDY_INGRESS_NETWORKS=caddy
+        networks:
+            - caddy
+        volumes:
+            - /var/run/docker.sock:/var/run/docker.sock
+            - ./data:/data
+        restart: unless-stopped
+        labels:
+            caddy: example.com
+            caddy.reverse_proxy: /.well-known/matrix/* homeserver:8008
+
+    homeserver:
+        image: "forgejo.ellis.link/continuwuation/continuwuity:latest"
+        restart: unless-stopped
+        command: /sbin/conduwuit
+        volumes:
+            - db:/var/lib/continuwuity
+            - ./continuwuity-resolv.conf:/etc/resolv.conf # use custom resolvers rather than Docker's
+            #- ./continuwuity.toml:/etc/continuwuity.toml
+        environment:
+            CONTINUWUITY_SERVER_NAME: example.com # EDIT THIS
+            CONTINUWUITY_DATABASE_PATH: /var/lib/continuwuity
+            CONTINUWUITY_ADDRESS: 0.0.0.0
+            CONTINUWUITY_PORT: 8008
+            #CONTINUWUITY_CONFIG: '/etc/continuwuity.toml' # Uncomment if you mapped config toml above
+
+            # Serve .well-known files to tell others to reach Continuwuity on port :443
+            CONTINUWUITY_WELL_KNOWN: |
+                {
+                client=https://matrix.example.com,
+                server=matrix.example.com:443
+                }
+
+        networks:
+            - caddy
+        labels:
+            caddy: matrix.example.com
+            caddy.reverse_proxy: "{{upstreams 8008}}"
+volumes:
+    db:
+
+networks:
+    caddy:
@@ -0,0 +1,57 @@
+# Continuwuity - Using Caddy Docker Image
+
+services:
+    caddy:
+        image: "docker.io/caddy:latest"
+        ports:
+            - 80:80
+            - 443:443
+        networks:
+            - caddy
+        volumes:
+            - ./data:/data
+        restart: unless-stopped
+        configs:
+            - source: Caddyfile
+              target: /etc/caddy/Caddyfile
+
+    homeserver:
+        image: "forgejo.ellis.link/continuwuation/continuwuity:latest"
+        restart: unless-stopped
+        command: /sbin/conduwuit
+        volumes:
+            - db:/var/lib/continuwuity
+            - ./continuwuity-resolv.conf:/etc/resolv.conf # use custom resolvers rather than Docker's
+            #- ./continuwuity.toml:/etc/continuwuity.toml
+        environment:
+            CONTINUWUITY_SERVER_NAME: example.com
+            CONTINUWUITY_DATABASE_PATH: /var/lib/continuwuity
+            CONTINUWUITY_ADDRESS: 0.0.0.0
+            CONTINUWUITY_PORT: 8008
+            #CONTINUWUITY_CONFIG: '/etc/continuwuity.toml' # Uncomment if you mapped config toml above
+
+            ## Serve .well-known files to tell others to reach Continuwuity on port :443
+            CONTINUWUITY_WELL_KNOWN: |
+                {
+                client=https://matrix.example.com,
+                server=matrix.example.com:443
+                }
+
+        networks:
+            - caddy
+
+networks:
+    caddy:
+
+volumes:
+    db:
+
+configs:
+    Caddyfile:
+        content: |
+            https://matrix.example.com:443 {
+                reverse_proxy http://homeserver:8008
+            }
+            https://example.com:443 {
+                reverse_proxy /.well-known/matrix* http://homeserver:8008
+            }
@@ -0,0 +1,85 @@
+# Continuwuity - With Traefik Reverse Proxy
+
+services:
+  homeserver:
+    image: "forgejo.ellis.link/continuwuation/continuwuity:latest"
+    restart: unless-stopped
+    command: /sbin/conduwuit
+    volumes:
+      - db:/var/lib/continuwuity
+      - ./continuwuity-resolv.conf:/etc/resolv.conf # use custom resolvers rather than Docker's
+      #- ./continuwuity.toml:/etc/continuwuity.toml
+    networks:
+      - proxy
+    labels:
+      - "traefik.enable=true"
+      - "traefik.http.routers.continuwuity.rule=(Host(`matrix.example.com`) || (Host(`example.com`) && PathPrefix(`/.well-known/matrix`)))"
+      - "traefik.http.routers.continuwuity.entrypoints=websecure"
+      - "traefik.http.routers.continuwuity.tls.certresolver=letsencrypt"
+      - "traefik.http.services.continuwuity.loadbalancer.server.port=8008"
+    environment:
+      CONTINUWUITY_SERVER_NAME: example.com # EDIT THIS
+      CONTINUWUITY_DATABASE_PATH: /var/lib/continuwuity
+      CONTINUWUITY_ADDRESS: 0.0.0.0
+      CONTINUWUITY_PORT: 8008 # This must match with traefik's loadbalancer label
+      #CONTINUWUITY_CONFIG: '/etc/continuwuity.toml' # Uncomment if you mapped config toml above
+
+      # Serve .well-known files to tell others to reach Continuwuity on port :443
+      CONTINUWUITY_WELL_KNOWN: |
+        {
+          client=https://matrix.example.com,
+          server=matrix.example.com:443
+        }
+
+  traefik:
+    image: "docker.io/traefik:latest"
+    container_name: "traefik"
+    restart: "unless-stopped"
+    ports:
+      - "80:80"
+      - "443:443"
+    volumes:
+      - "/var/run/docker.sock:/var/run/docker.sock:ro"
+      - "acme:/etc/traefik/acme"
+    labels:
+      - "traefik.enable=true"
+
+      # middleware redirect
+      - "traefik.http.middlewares.redirect-to-https.redirectscheme.scheme=https"
+      # global redirect to https
+      - "traefik.http.routers.redirs.rule=hostregexp(`{host:.+}`)"
+      - "traefik.http.routers.redirs.entrypoints=web"
+      - "traefik.http.routers.redirs.middlewares=redirect-to-https"
+
+    environment:
+
+      TRAEFIK_LOG_LEVEL: DEBUG
+      TRAEFIK_ENTRYPOINTS_WEB: true
+      TRAEFIK_ENTRYPOINTS_WEB_ADDRESS: ":80"
+      TRAEFIK_ENTRYPOINTS_WEB_HTTP_REDIRECTIONS_ENTRYPOINT_TO: websecure
+
+      TRAEFIK_ENTRYPOINTS_WEBSECURE: true
+      TRAEFIK_ENTRYPOINTS_WEBSECURE_ADDRESS: ":443"
+      TRAEFIK_ENTRYPOINTS_WEBSECURE_HTTP_TLS_CERTRESOLVER: letsencrypt
+
+      TRAEFIK_CERTIFICATESRESOLVERS_LETSENCRYPT: true
+      # CHANGE THIS to desired email for ACME
+      TRAEFIK_CERTIFICATESRESOLVERS_LETSENCRYPT_ACME_EMAIL: user@example.com
+      TRAEFIK_CERTIFICATESRESOLVERS_LETSENCRYPT_ACME_HTTPCHALLENGE: true
+      TRAEFIK_CERTIFICATESRESOLVERS_LETSENCRYPT_ACME_HTTPCHALLENGE_ENTRYPOINT: web
+      TRAEFIK_CERTIFICATESRESOLVERS_LETSENCRYPT_ACME_STORAGE: "/etc/traefik/acme/acme.json"
+
+      # Since Traefik 3.6.3, paths with certain "encoded characters" are now blocked by default; we need a couple, or else things *will* break
+      TRAEFIK_ENTRYPOINTS_WEBSECURE_HTTP_ENCODEDCHARACTERS_ALLOWENCODEDSLASH: true
+      TRAEFIK_ENTRYPOINTS_WEBSECURE_HTTP_ENCODEDCHARACTERS_ALLOWENCODEDHASH: true
+
+      TRAEFIK_PROVIDERS_DOCKER: true
+      TRAEFIK_PROVIDERS_DOCKER_ENDPOINT: "unix:///var/run/docker.sock"
+      TRAEFIK_PROVIDERS_DOCKER_EXPOSEDBYDEFAULT: false
+
+volumes:
+  db:
+  acme:
+
+networks:
+  proxy:
@@ -2,7 +2,7 @@

 services:
  homeserver:
-    image: forgejo.ellis.link/continuwuation/continuwuity:latest
+    image: "forgejo.ellis.link/continuwuation/continuwuity:latest"
    restart: unless-stopped
    command: /sbin/conduwuit
    volumes:
@@ -38,7 +38,6 @@ volumes:
  db:

 networks:
-  # This is the network Traefik listens to, if your network has a different
-  # name, don't forget to change it here and in the docker-compose.override.yml
+  # This must match the network name that Traefik listens on
  proxy:
    external: true
@@ -1,10 +1,10 @@
-# Continuwuity - Traefik Reverse Proxy Labels
+# Continuwuity - Traefik Reverse Proxy Labels (override file)

 services:
  homeserver:
    labels:
      - "traefik.enable=true"
-      - "traefik.docker.network=proxy"  # Change this to the name of your Traefik docker proxy network
+      - "traefik.docker.network=proxy" # Change this to the name of your Traefik docker proxy network

      - "traefik.http.routers.to-continuwuity.rule=Host(`example.com`)"  # Change to the address on which Continuwuity is hosted
      - "traefik.http.routers.to-continuwuity.tls=true"
@@ -14,13 +14,10 @@ services:
      # This must match with CONTINUWUITY_PORT (default: 8008)
      - "traefik.http.services.to_continuwuity.loadbalancer.server.port=8008"

-      - "traefik.http.middlewares.cors-headers.headers.accessControlAllowOriginList=*"
-      - "traefik.http.middlewares.cors-headers.headers.accessControlAllowHeaders=Origin, X-Requested-With, Content-Type, Accept, Authorization"
-      - "traefik.http.middlewares.cors-headers.headers.accessControlAllowMethods=GET, POST, PUT, DELETE, OPTIONS"
-
      # If you want to have your account on <DOMAIN>, but host Continuwuity on a subdomain,
-      # you can let it only handle the well known file on that domain instead
-      #- "traefik.http.routers.to-matrix-wellknown.rule=Host(`example.com`) && PathPrefix(`/.well-known/matrix`)"
+      # you can let it only handle the well known file on the base domain instead
+      #
+      # - "traefik.http.routers.to-matrix-wellknown.rule=Host(`example.com`) && PathPrefix(`/.well-known/matrix`)"
      #- "traefik.http.routers.to-matrix-wellknown.tls=true"
      #- "traefik.http.routers.to-matrix-wellknown.tls.certresolver=letsencrypt"
      #- "traefik.http.routers.to-matrix-wellknown.middlewares=cors-headers@docker"
@@ -1,8 +1,10 @@
+# Continuwuity - With Caddy Labels
+
 services:
    caddy:
    # This compose file uses caddy-docker-proxy as the reverse proxy for Continuwuity!
    # For more info, visit https://github.com/lucaslorentz/caddy-docker-proxy
-        image: lucaslorentz/caddy-docker-proxy:ci-alpine
+        image: "docker.io/lucaslorentz/caddy-docker-proxy:ci-alpine"
        ports:
            - 80:80
            - 443:443
@@ -16,7 +18,7 @@ services:
        restart: unless-stopped

    homeserver:
-        image: forgejo.ellis.link/continuwuation/continuwuity:latest
+        image: "forgejo.ellis.link/continuwuation/continuwuity:latest"
        restart: unless-stopped
        command: /sbin/conduwuit
        volumes:
@@ -1,6 +1,8 @@
+# Continuwuity - Using Caddy Docker Image
+
 services:
    caddy:
-        image: docker.io/caddy:latest
+        image: "docker.io/caddy:latest"
        ports:
            - 80:80
            - 443:443
@@ -15,7 +17,7 @@ services:
              target: /etc/caddy/Caddyfile

    homeserver:
-        image: forgejo.ellis.link/continuwuation/continuwuity:latest
+        image: "forgejo.ellis.link/continuwuation/continuwuity:latest"
        restart: unless-stopped
        command: /sbin/conduwuit
        volumes:
@@ -37,7 +39,6 @@ services:
            #     server=example.com:443
            #     }

-
        networks:
            - caddy

@@ -48,8 +49,8 @@ volumes:
    db:

 configs:
-    dynamic.yml:
+    Caddyfile:
        content: |
-            https://example.com, https://example.com:8448 {
+            https://example.com:443, https://example.com:8448 {
                reverse_proxy http://homeserver:8008
            }
@@ -1,8 +1,8 @@
-# Continuwuity - Behind Traefik Reverse Proxy
+# Continuwuity - With Traefik Reverse Proxy

 services:
  homeserver:
-    image: forgejo.ellis.link/continuwuation/continuwuity:latest
+    image: "forgejo.ellis.link/continuwuation/continuwuity:latest"
    restart: unless-stopped
    command: /sbin/conduwuit
    volumes:
@@ -32,14 +32,14 @@ services:
        }

  traefik:
-    image: "traefik:latest"
+    image: "docker.io/traefik:latest"
    container_name: "traefik"
    restart: "unless-stopped"
    ports:
      - "80:80"
      - "443:443"
    volumes:
-      - "/var/run/docker.sock:/var/run/docker.sock:z"
+      - "/var/run/docker.sock:/var/run/docker.sock:ro"
      - "acme:/etc/traefik/acme"
    labels:
      - "traefik.enable=true"
@@ -52,6 +52,7 @@ services:
      - "traefik.http.routers.redirs.middlewares=redirect-to-https"

    environment:
+
      TRAEFIK_LOG_LEVEL: DEBUG
      TRAEFIK_ENTRYPOINTS_WEB: true
      TRAEFIK_ENTRYPOINTS_WEB_ADDRESS: ":80"
@@ -1,12 +1,23 @@
-# Continuwuity
+# Continuwuity - Bare Configuration (for other reverse proxies)

 services:
    homeserver:
-        image: forgejo.ellis.link/continuwuation/continuwuity:latest
+        image: "forgejo.ellis.link/continuwuation/continuwuity:latest"
        restart: unless-stopped
        command: /sbin/conduwuit
        ports:
+
+            # If your reverse proxy is on the host, use this
+            # and configure it to connect to `127.0.0.1:8008`
            - 127.0.0.1:8008:8008
+
+            # If your reverse proxy is on another machine, use this
+            # and configure it to connect to <this-machine-ip>:8008
+            # - 8008:8008
+
+            # If your reverse proxy is a docker container on the same network,
+            # comment out the entire `ports` section, and configure it to connect to `continuwuity:8008`
+
        volumes:
            - db:/var/lib/continuwuity
            - ./continuwuity-resolv.conf:/etc/resolv.conf # use custom resolvers rather than Docker's
@@ -26,6 +37,5 @@ services:
            #     server=example.com:443
            #     }

-
 volumes:
    db:
@@ -3,11 +3,11 @@
    "advisory-db": {
      "flake": false,
      "locked": {
-        "lastModified": 1775907537,
-        "narHash": "sha256-vbeLNgmsx1Z6TwnlDV0dKyeBCcon3UpkV9yLr/yc6HM=",
+        "lastModified": 1777645914,
+        "narHash": "sha256-P1T7QVQS13OvkXEuEhI91CLaQfyv6iqV9vW8IBLLDYg=",
        "owner": "rustsec",
        "repo": "advisory-db",
-        "rev": "d99f7b9eb81731bddebf80a355f8be7b2f8b1b28",
+        "rev": "d6ba1f7070ba91f45efe372d68eb648be67d0417",
        "type": "github"
      },
      "original": {
@@ -18,11 +18,11 @@
    },
    "crane": {
      "locked": {
-        "lastModified": 1775839657,
-        "narHash": "sha256-SPm9ck7jh3Un9nwPuMGbRU04UroFmOHjLP56T10MOeM=",
+        "lastModified": 1777335812,
+        "narHash": "sha256-bEg5xoAxAwsyfnGhkEX7RJViTIBIYPd8ISg4O1c0HFc=",
        "owner": "ipetkov",
        "repo": "crane",
-        "rev": "7cf72d978629469c4bd4206b95c402514c1f6000",
+        "rev": "5e0fb2f64edff2822249f21293b8304dedaaf676",
        "type": "github"
      },
      "original": {
@@ -39,11 +39,11 @@
        "rust-analyzer-src": "rust-analyzer-src"
      },
      "locked": {
-        "lastModified": 1775891769,
-        "narHash": "sha256-EOfVlTKw2n8w1uhfh46GS4hEGnQ7oWrIWQfIY6utIkI=",
+        "lastModified": 1777624102,
+        "narHash": "sha256-thSyElkje577x/kAbP72nHlfiFc1a+tCudskLPHXe9s=",
        "owner": "nix-community",
        "repo": "fenix",
-        "rev": "6fbc54dde15aee725bdc7aae5e478849685d5f56",
+        "rev": "4d81601e0b73f20d81d066754ad0e7d1e7f75a06",
        "type": "github"
      },
      "original": {
@@ -89,11 +89,11 @@
    },
    "nixpkgs": {
      "locked": {
-        "lastModified": 1775710090,
-        "narHash": "sha256-ar3rofg+awPB8QXDaFJhJ2jJhu+KqN/PRCXeyuXR76E=",
+        "lastModified": 1777268161,
+        "narHash": "sha256-bxrdOn8SCOv8tN4JbTF/TXq7kjo9ag4M+C8yzzIRYbE=",
        "owner": "NixOS",
        "repo": "nixpkgs",
-        "rev": "4c1018dae018162ec878d42fec712642d214fdfa",
+        "rev": "1c3fe55ad329cbcb28471bb30f05c9827f724c76",
        "type": "github"
      },
      "original": {
@@ -132,11 +132,11 @@
    "rust-analyzer-src": {
      "flake": false,
      "locked": {
-        "lastModified": 1775843361,
-        "narHash": "sha256-j53ZgyDvmYf3Sjh1IPvvTjqa614qUfVQSzj59+MpzkY=",
+        "lastModified": 1777583169,
+        "narHash": "sha256-dVJ4+wrRKc8oIgp3rLOFSq1obt/sCKlXy3h47qof/w0=",
        "owner": "rust-lang",
        "repo": "rust-analyzer",
-        "rev": "9eb97ea96d8400e8957ddd56702e962614296583",
+        "rev": "aa64e4828a2bbba44463c1229a81c748d3cce583",
        "type": "github"
      },
      "original": {
@@ -8,7 +8,9 @@
  callPackage,
  rustPlatform,
  cargoExtraArgs ? "",
+  rustflags ? "",
  rocksdb ? callPackage ./rocksdb.nix { },
+  profile ? "release",
 }:
 let
  # see https://crane.dev/API.html#cranelibfiltercargosources
@@ -35,6 +37,8 @@ let
    env = {
      ROCKSDB_INCLUDE_DIR = "${rocksdb}/include";
      ROCKSDB_LIB_DIR = "${rocksdb}/lib";
+      CARGO_PROFILE = profile;
+      RUSTFLAGS = rustflags;
    };
  };
 in
@@ -5,6 +5,7 @@
 {
  perSystem =
    {
+      self',
      pkgs,
      craneLib,
      ...
@@ -12,7 +13,22 @@
    {
      packages = {
        rocksdb = pkgs.callPackage ./rocksdb.nix { };
-        default = pkgs.callPackage ./continuwuity.nix { inherit self craneLib; };
+        default = pkgs.callPackage ./continuwuity.nix {
+          inherit self craneLib;
+          # extra features via `cargoExtraArgs`
+          cargoExtraArgs = "-F http3";
+          # extra RUSTFLAGS via `rustflags`
+          # the stuff below is required for http3
+          rustflags = "--cfg reqwest_unstable";
+        };
+        # users may also override this with other cargo profiles to build for other feature sets
+        #
+        # other examples include:
+        #
+        # - release-high-perf
+        max-perf = self'.packages.default.override {
+          profile = "release-max-perf";
+        };
      };
    };
 }
@@ -16,26 +16,24 @@
      }
    },
    "node_modules/@emnapi/core": {
-      "version": "1.9.2",
-      "resolved": "https://registry.npmjs.org/@emnapi/core/-/core-1.9.2.tgz",
-      "integrity": "sha512-UC+ZhH3XtczQYfOlu3lNEkdW/p4dsJ1r/bP7H8+rhao3TTTMO1ATq/4DdIi23XuGoFY+Cz0JmCbdVl0hz9jZcA==",
+      "version": "1.10.0",
+      "resolved": "https://registry.npmjs.org/@emnapi/core/-/core-1.10.0.tgz",
+      "integrity": "sha512-yq6OkJ4p82CAfPl0u9mQebQHKPJkY7WrIuk205cTYnYe+k2Z8YBh11FrbRG/H6ihirqcacOgl2BIO8oyMQLeXw==",
      "dev": true,
      "license": "MIT",
      "optional": true,
-      "peer": true,
      "dependencies": {
        "@emnapi/wasi-threads": "1.2.1",
        "tslib": "^2.4.0"
      }
    },
    "node_modules/@emnapi/runtime": {
-      "version": "1.9.2",
-      "resolved": "https://registry.npmjs.org/@emnapi/runtime/-/runtime-1.9.2.tgz",
-      "integrity": "sha512-3U4+MIWHImeyu1wnmVygh5WlgfYDtyf0k8AbLhMFxOipihf6nrWC4syIm/SwEeec0mNSafiiNnMJwbza/Is6Lw==",
+      "version": "1.10.0",
+      "resolved": "https://registry.npmjs.org/@emnapi/runtime/-/runtime-1.10.0.tgz",
+      "integrity": "sha512-ewvYlk86xUoGI0zQRNq/mC+16R1QeDlKQy21Ki3oSYXNgLb45GV1P6A0M+/s6nyCuNDqe5VpaY84BzXGwVbwFA==",
      "dev": true,
      "license": "MIT",
      "optional": true,
-      "peer": true,
      "dependencies": {
        "tslib": "^2.4.0"
      }
@@ -47,7 +45,6 @@
      "dev": true,
      "license": "MIT",
      "optional": true,
-      "peer": true,
      "dependencies": {
        "tslib": "^2.4.0"
      }
@@ -109,9 +106,9 @@
      }
    },
    "node_modules/@napi-rs/wasm-runtime": {
-      "version": "1.1.2",
-      "resolved": "https://registry.npmjs.org/@napi-rs/wasm-runtime/-/wasm-runtime-1.1.2.tgz",
-      "integrity": "sha512-sNXv5oLJ7ob93xkZ1XnxisYhGYXfaG9f65/ZgYuAu3qt7b3NadcOEhLvx28hv31PgX8SZJRYrAIPQilQmFpLVw==",
+      "version": "1.1.4",
+      "resolved": "https://registry.npmjs.org/@napi-rs/wasm-runtime/-/wasm-runtime-1.1.4.tgz",
+      "integrity": "sha512-3NQNNgA1YSlJb/kMH1ildASP9HW7/7kYnRI2szWJaofaS1hWmbGI4H+d3+22aGzXXN9IJ+n+GiFVcGipJP18ow==",
      "dev": true,
      "license": "MIT",
      "optional": true,
@@ -128,13 +125,13 @@
      }
    },
    "node_modules/@rsbuild/core": {
-      "version": "2.0.0-rc.1",
-      "resolved": "https://registry.npmjs.org/@rsbuild/core/-/core-2.0.0-rc.1.tgz",
-      "integrity": "sha512-eqxtRlQiFSm/ibCNGiPj8ozsGSNK91NY+GksmPuTCPmWQExGtPqM1V+s13UYeWZS6fYbMRs7NlQKD896e0QkKA==",
+      "version": "2.0.3",
+      "resolved": "https://registry.npmjs.org/@rsbuild/core/-/core-2.0.3.tgz",
+      "integrity": "sha512-2myp7jUgGen50saxW8OJD/eMVKp7HnuBN5MUzwRb6mDbRZZVpoorfI4LQqiGSBNjGLB6jltvx/R2yHmcmnchwg==",
      "dev": true,
      "license": "MIT",
      "dependencies": {
-        "@rspack/core": "2.0.0-rc.1",
+        "@rspack/core": "~2.0.1",
        "@swc/helpers": "^0.5.21"
      },
      "bin": {
@@ -153,17 +150,17 @@
      }
    },
    "node_modules/@rsbuild/plugin-react": {
-      "version": "1.4.6",
-      "resolved": "https://registry.npmjs.org/@rsbuild/plugin-react/-/plugin-react-1.4.6.tgz",
-      "integrity": "sha512-LAT6xHlEyZKA0VjF/ph5d50iyG+WSmBx+7g98HNZUwb94VeeTMZFB8qVptTkbIRMss3BNKOXmHOu71Lhsh9oEw==",
+      "version": "2.0.0",
+      "resolved": "https://registry.npmjs.org/@rsbuild/plugin-react/-/plugin-react-2.0.0.tgz",
+      "integrity": "sha512-/1gzt39EGUSFEqB83g46QoOwsgv172HI18i6au1b6lgIaX4sv9stuX4ijdHbHCp8PqYEq+MyQ99jIQMO6I+etg==",
      "dev": true,
      "license": "MIT",
      "dependencies": {
-        "@rspack/plugin-react-refresh": "^1.6.1",
+        "@rspack/plugin-react-refresh": "2.0.0",
        "react-refresh": "^0.18.0"
      },
      "peerDependencies": {
-        "@rsbuild/core": "^1.0.0 || ^2.0.0-0"
+        "@rsbuild/core": "^2.0.0-0"
      },
      "peerDependenciesMeta": {
        "@rsbuild/core": {
@@ -172,28 +169,28 @@
      }
    },
    "node_modules/@rspack/binding": {
-      "version": "2.0.0-rc.1",
-      "resolved": "https://registry.npmjs.org/@rspack/binding/-/binding-2.0.0-rc.1.tgz",
-      "integrity": "sha512-rhJqtbyiRPOjTAZW0xTZFbOrS5yP5yL1SF0DPE9kvFfzePz30IqjMDMxL0KuhkDZd/M1eUINJyoqd8NTbR9wHw==",
+      "version": "2.0.1",
+      "resolved": "https://registry.npmjs.org/@rspack/binding/-/binding-2.0.1.tgz",
+      "integrity": "sha512-ynV1gw4KqFtQ0P+ZZh76SUj49wBb2FuHW3zSmHverHWuxBhzvrZS6/dZ+fCFQG8bTTPtrPz0RQUTN3uEDbPVBQ==",
      "dev": true,
      "license": "MIT",
      "optionalDependencies": {
-        "@rspack/binding-darwin-arm64": "2.0.0-rc.1",
-        "@rspack/binding-darwin-x64": "2.0.0-rc.1",
-        "@rspack/binding-linux-arm64-gnu": "2.0.0-rc.1",
-        "@rspack/binding-linux-arm64-musl": "2.0.0-rc.1",
-        "@rspack/binding-linux-x64-gnu": "2.0.0-rc.1",
-        "@rspack/binding-linux-x64-musl": "2.0.0-rc.1",
-        "@rspack/binding-wasm32-wasi": "2.0.0-rc.1",
-        "@rspack/binding-win32-arm64-msvc": "2.0.0-rc.1",
-        "@rspack/binding-win32-ia32-msvc": "2.0.0-rc.1",
-        "@rspack/binding-win32-x64-msvc": "2.0.0-rc.1"
+        "@rspack/binding-darwin-arm64": "2.0.1",
+        "@rspack/binding-darwin-x64": "2.0.1",
+        "@rspack/binding-linux-arm64-gnu": "2.0.1",
+        "@rspack/binding-linux-arm64-musl": "2.0.1",
+        "@rspack/binding-linux-x64-gnu": "2.0.1",
+        "@rspack/binding-linux-x64-musl": "2.0.1",
+        "@rspack/binding-wasm32-wasi": "2.0.1",
+        "@rspack/binding-win32-arm64-msvc": "2.0.1",
+        "@rspack/binding-win32-ia32-msvc": "2.0.1",
+        "@rspack/binding-win32-x64-msvc": "2.0.1"
      }
    },
    "node_modules/@rspack/binding-darwin-arm64": {
-      "version": "2.0.0-rc.1",
-      "resolved": "https://registry.npmjs.org/@rspack/binding-darwin-arm64/-/binding-darwin-arm64-2.0.0-rc.1.tgz",
-      "integrity": "sha512-fYbeDDDg6QKZzXYt/J0/j0Qhr01wQLuISUsYnNhu5MLwdXVUSVcqz+CTqgF3d0EQVVn6FqLV63lbNRzUGfSq9g==",
+      "version": "2.0.1",
+      "resolved": "https://registry.npmjs.org/@rspack/binding-darwin-arm64/-/binding-darwin-arm64-2.0.1.tgz",
+      "integrity": "sha512-CGFO5zmajD1Itch1lxAI7+gvKiagzyqXopHv/jHG9Su2WWQ2/Nhn2/rkSpdp6ptE9ri6+6tCOOahf099/v/Xog==",
      "cpu": [
        "arm64"
      ],
@@ -205,9 +202,9 @@
      ]
    },
    "node_modules/@rspack/binding-darwin-x64": {
-      "version": "2.0.0-rc.1",
-      "resolved": "https://registry.npmjs.org/@rspack/binding-darwin-x64/-/binding-darwin-x64-2.0.0-rc.1.tgz",
-      "integrity": "sha512-MvXi9kr8xXn1y0PD1WI/4YphRNOdbykJjKdEsAG4JxEVoERmhIHOTwKvUqlejajizAwlVZcxQl/FacoPLsKN5Q==",
+      "version": "2.0.1",
+      "resolved": "https://registry.npmjs.org/@rspack/binding-darwin-x64/-/binding-darwin-x64-2.0.1.tgz",
+      "integrity": "sha512-2vvBNBoS09/PurupBwSrlTZd8283o00B8v20ncsNUdEff41uCR/hzIrYoTIVWnVST+Gt5O1+cfcfORp397lajg==",
      "cpu": [
        "x64"
      ],
@@ -219,9 +216,9 @@
      ]
    },
    "node_modules/@rspack/binding-linux-arm64-gnu": {
-      "version": "2.0.0-rc.1",
-      "resolved": "https://registry.npmjs.org/@rspack/binding-linux-arm64-gnu/-/binding-linux-arm64-gnu-2.0.0-rc.1.tgz",
-      "integrity": "sha512-j6WsHEwGSdUoiy4BsQBW0RjFl+MBzozdybSYhkiyVSoHlbm7CPt3XaaS3elH5YcwuLHORmVHPP91QhwWl9UFJg==",
+      "version": "2.0.1",
+      "resolved": "https://registry.npmjs.org/@rspack/binding-linux-arm64-gnu/-/binding-linux-arm64-gnu-2.0.1.tgz",
+      "integrity": "sha512-uvNXk6ahE3AH3h2avnd1Mgno68YQpS4cfX1OkOGWIC/roL+NrOP2XVXV4yfVAoydPALDO7AfbIfN0QdmBK3rsA==",
      "cpu": [
        "arm64"
      ],
@@ -236,9 +233,9 @@
      ]
    },
    "node_modules/@rspack/binding-linux-arm64-musl": {
-      "version": "2.0.0-rc.1",
-      "resolved": "https://registry.npmjs.org/@rspack/binding-linux-arm64-musl/-/binding-linux-arm64-musl-2.0.0-rc.1.tgz",
-      "integrity": "sha512-MPoZE0aS8oH+Wr0R5tIYch8gbUwYYf4LsiGdP6enMKMTrmpJyOVGlhPHVSwsrFgBg7fjTGOuxHuibtsvDUdLOQ==",
+      "version": "2.0.1",
+      "resolved": "https://registry.npmjs.org/@rspack/binding-linux-arm64-musl/-/binding-linux-arm64-musl-2.0.1.tgz",
+      "integrity": "sha512-S/a6uN9PiZ5O/PjSqyIXhuRC1lVzeJkJV69NeLk5sIEUiDQ/aQGZG97uN+tluwpbo1tPbLJkdHYETfjspOX4Pg==",
      "cpu": [
        "arm64"
      ],
@@ -253,9 +250,9 @@
      ]
    },
    "node_modules/@rspack/binding-linux-x64-gnu": {
-      "version": "2.0.0-rc.1",
-      "resolved": "https://registry.npmjs.org/@rspack/binding-linux-x64-gnu/-/binding-linux-x64-gnu-2.0.0-rc.1.tgz",
-      "integrity": "sha512-gOlPCwtIg9GsFG/8ZdUyV5SyXDaGq2kmtXmyyFU7RO33MaalltNEBMf2hevRPj9z39eSzxwgJDonMOdx5Fo0Og==",
+      "version": "2.0.1",
+      "resolved": "https://registry.npmjs.org/@rspack/binding-linux-x64-gnu/-/binding-linux-x64-gnu-2.0.1.tgz",
+      "integrity": "sha512-C13Kk0OkZiocZVj187Sf753UH6pDXnuEu6vzUvi3qv9ltibG1ki0H2Y8isXBYL2cHQOV+hk0g1S6/4z3TTB97A==",
      "cpu": [
        "x64"
      ],
@@ -270,9 +267,9 @@
      ]
    },
    "node_modules/@rspack/binding-linux-x64-musl": {
-      "version": "2.0.0-rc.1",
-      "resolved": "https://registry.npmjs.org/@rspack/binding-linux-x64-musl/-/binding-linux-x64-musl-2.0.0-rc.1.tgz",
-      "integrity": "sha512-K6Swk1rfP4z4b6bp84NlikGlUWMOPpIWCtlPr/W0TWgc2C/cd844oHdoIu7WtmOH7y9AwB5UG2bWpgFAVwykCw==",
+      "version": "2.0.1",
+      "resolved": "https://registry.npmjs.org/@rspack/binding-linux-x64-musl/-/binding-linux-x64-musl-2.0.1.tgz",
+      "integrity": "sha512-TQsiBFpEDGkuvK9tNdGj/Uc+AIytzqhxXH/1jKU6M24cWB1DTw/Cx7DdrkCBDyq3129K3POLdujvbWCGqBzQUw==",
      "cpu": [
        "x64"
      ],
@@ -287,9 +284,9 @@
      ]
    },
    "node_modules/@rspack/binding-wasm32-wasi": {
-      "version": "2.0.0-rc.1",
-      "resolved": "https://registry.npmjs.org/@rspack/binding-wasm32-wasi/-/binding-wasm32-wasi-2.0.0-rc.1.tgz",
-      "integrity": "sha512-aa9oUTqOb1QjwsHVlMr5sV+7mcBI4MLQ/xhFO2CIEcfVnJIPl8XpKUbDEgqMwcFlzcgzKmHg5cVmIvd82BLgow==",
+      "version": "2.0.1",
+      "resolved": "https://registry.npmjs.org/@rspack/binding-wasm32-wasi/-/binding-wasm32-wasi-2.0.1.tgz",
+      "integrity": "sha512-wk3gyUgBW/ayP49bI54bkY8+EQnfBHxdoe9dz3oobSTZQc8AOWwmUUDEPltW8rUvPOM6dfHECTOUMnfaf2f5yA==",
      "cpu": [
        "wasm32"
      ],
@@ -297,13 +294,15 @@
      "license": "MIT",
      "optional": true,
      "dependencies": {
-        "@napi-rs/wasm-runtime": "1.1.2"
+        "@emnapi/core": "1.10.0",
+        "@emnapi/runtime": "1.10.0",
+        "@napi-rs/wasm-runtime": "1.1.4"
      }
    },
    "node_modules/@rspack/binding-win32-arm64-msvc": {
-      "version": "2.0.0-rc.1",
-      "resolved": "https://registry.npmjs.org/@rspack/binding-win32-arm64-msvc/-/binding-win32-arm64-msvc-2.0.0-rc.1.tgz",
-      "integrity": "sha512-+UxF0c7E9bE3siFbMHi+mmoeQJzcTKl1j3x+Y6MY/PJ3V70cU23wOaxMvmSsCyq2JNJBT2RCNZ9HaL+o3kReug==",
+      "version": "2.0.1",
+      "resolved": "https://registry.npmjs.org/@rspack/binding-win32-arm64-msvc/-/binding-win32-arm64-msvc-2.0.1.tgz",
+      "integrity": "sha512-rHjLcy3VcAC3+x+PxH+gwhwv6tPe0JdXTNT5eAOs9wgZIM6T9p4wre49+K4Qy98+Fb7TTbLX0ObUitlOkGwTSA==",
      "cpu": [
        "arm64"
      ],
@@ -315,9 +314,9 @@
      ]
    },
    "node_modules/@rspack/binding-win32-ia32-msvc": {
-      "version": "2.0.0-rc.1",
-      "resolved": "https://registry.npmjs.org/@rspack/binding-win32-ia32-msvc/-/binding-win32-ia32-msvc-2.0.0-rc.1.tgz",
-      "integrity": "sha512-gc0JdkdxSWo+o/b1qTCT6mZ3DrlGe32eW+Ps3xInxcG4UHjUG7hTDgFtOgVQ6VhQ8WMUXG+TQOz0CySVpYjsoQ==",
+      "version": "2.0.1",
+      "resolved": "https://registry.npmjs.org/@rspack/binding-win32-ia32-msvc/-/binding-win32-ia32-msvc-2.0.1.tgz",
+      "integrity": "sha512-Ad1vVqMBBnd4T8rsORngu9sl2kyRTlS4kMlvFudjzl1X2UFArEDBe0YVGNN7ZvahM12CErUx2WiN8Sd8pb+qXQ==",
      "cpu": [
        "ia32"
      ],
@@ -329,9 +328,9 @@
      ]
    },
    "node_modules/@rspack/binding-win32-x64-msvc": {
-      "version": "2.0.0-rc.1",
-      "resolved": "https://registry.npmjs.org/@rspack/binding-win32-x64-msvc/-/binding-win32-x64-msvc-2.0.0-rc.1.tgz",
-      "integrity": "sha512-Dnj0jthyVUikf65MGEyZy3akshtSmR1xsp/Xr0h/NWTo5JFWHKAFNYFE+jFfY0uzC8e4IDcLQLYoFomqV1DsEg==",
+      "version": "2.0.1",
+      "resolved": "https://registry.npmjs.org/@rspack/binding-win32-x64-msvc/-/binding-win32-x64-msvc-2.0.1.tgz",
+      "integrity": "sha512-oPM2Jtm7HOlmxl/aBfleAVlL6t9VeHx6WvEets7BBJMInemFXAQd4CErRqybf7rXutACzLeUWBOue4Jpd1/ykw==",
      "cpu": [
        "x64"
      ],
@@ -343,13 +342,13 @@
      ]
    },
    "node_modules/@rspack/core": {
-      "version": "2.0.0-rc.1",
-      "resolved": "https://registry.npmjs.org/@rspack/core/-/core-2.0.0-rc.1.tgz",
-      "integrity": "sha512-OIfkYn05/IWtVIdZ8Y/a0y/k4ipzqfApxIZqnJM59G/bGwQKMBrLHpOMGgV2Wmq1j9UMXzF7ZtsFMUbYBhFb9A==",
+      "version": "2.0.1",
+      "resolved": "https://registry.npmjs.org/@rspack/core/-/core-2.0.1.tgz",
+      "integrity": "sha512-lgfZiExh8kDR/3obgi3RQKwKG5av1Xf5qDN1aVde777W9pbmx0Pqvrww1qtNvJ+gobEjbrrn5HEZWYGe0VLmcA==",
      "dev": true,
      "license": "MIT",
      "dependencies": {
-        "@rspack/binding": "2.0.0-rc.1"
+        "@rspack/binding": "2.0.1"
      },
      "engines": {
        "node": "^20.19.0 || >=22.12.0"
@@ -368,36 +367,33 @@
      }
    },
    "node_modules/@rspack/plugin-react-refresh": {
-      "version": "1.6.2",
-      "resolved": "https://registry.npmjs.org/@rspack/plugin-react-refresh/-/plugin-react-refresh-1.6.2.tgz",
-      "integrity": "sha512-k+/VrfTNgo+KirjI6V+8CWRj6y+DH9jOUWv8JorYY4vKf/9xfnZ8xHzuB4iqCwTtoZl9YnxOaOuoyjJipc2tiQ==",
+      "version": "2.0.0",
+      "resolved": "https://registry.npmjs.org/@rspack/plugin-react-refresh/-/plugin-react-refresh-2.0.0.tgz",
+      "integrity": "sha512-Cf6CxBStNDJbiXMc/GmsvG1G8PRlUpa0MSfWsMTI+e8npzuTN/p8nwLs3shriBZOLciqgkSZpBtPTd10BLpj1g==",
      "dev": true,
      "license": "MIT",
-      "dependencies": {
-        "error-stack-parser": "^2.1.4"
-      },
      "peerDependencies": {
-        "react-refresh": ">=0.10.0 <1.0.0",
-        "webpack-hot-middleware": "2.x"
+        "@rspack/core": "^2.0.0-0",
+        "react-refresh": ">=0.10.0 <1.0.0"
      },
      "peerDependenciesMeta": {
-        "webpack-hot-middleware": {
+        "@rspack/core": {
          "optional": true
        }
      }
    },
    "node_modules/@rspress/core": {
-      "version": "2.0.9",
-      "resolved": "https://registry.npmjs.org/@rspress/core/-/core-2.0.9.tgz",
-      "integrity": "sha512-cfbqqbWtdimrWIsfeyPnQOTKwJpdNLr8VnwLIL4JYC2ZcRq+xcInpszLXVpV86nONL6qI19usr2Or7uzZJ+ynA==",
+      "version": "2.0.10",
+      "resolved": "https://registry.npmjs.org/@rspress/core/-/core-2.0.10.tgz",
+      "integrity": "sha512-DvoV7YUW538x0CVAGyYPKfjUHgEuq7Z8LZq1cpfUgBpA1DynFUK3Ls6spvdoAHAl3l0AN+xxOHpu/sRVhzqi/A==",
      "dev": true,
      "license": "MIT",
      "dependencies": {
        "@mdx-js/mdx": "^3.1.1",
        "@mdx-js/react": "^3.1.1",
-        "@rsbuild/core": "2.0.0-rc.1",
-        "@rsbuild/plugin-react": "~1.4.6",
-        "@rspress/shared": "2.0.9",
+        "@rsbuild/core": "^2.0.2",
+        "@rsbuild/plugin-react": "~2.0.0",
+        "@rspress/shared": "2.0.10",
        "@shikijs/rehype": "^4.0.2",
        "@types/unist": "^3.0.3",
        "@unhead/react": "^2.1.13",
@@ -411,8 +407,8 @@
        "mdast-util-mdxjs-esm": "^2.0.1",
        "medium-zoom": "1.1.0",
        "nprogress": "^0.2.0",
-        "react": "^19.2.4",
-        "react-dom": "^19.2.4",
+        "react": "^19.2.5",
+        "react-dom": "^19.2.5",
        "react-lazy-with-preload": "^2.2.1",
        "react-reconciler": "0.33.0",
        "react-render-to-markdown": "19.0.1",
@@ -440,39 +436,39 @@
      }
    },
    "node_modules/@rspress/plugin-client-redirects": {
-      "version": "2.0.9",
-      "resolved": "https://registry.npmjs.org/@rspress/plugin-client-redirects/-/plugin-client-redirects-2.0.9.tgz",
-      "integrity": "sha512-r2GyHzOSt8CeS4UIsy/cPM5Zotekt1JVQFmgOYGapvll5ktUlVcd77HLtXDbZjtpgtj0XlaMLrXueOpV2gsBoQ==",
+      "version": "2.0.10",
+      "resolved": "https://registry.npmjs.org/@rspress/plugin-client-redirects/-/plugin-client-redirects-2.0.10.tgz",
+      "integrity": "sha512-ImOm3h/cbXiJXIvpwv3Wn9rM91xgdhKbD2WX+WlMlWO4AtQfKR4XFrVhIZZAkrt09eeotRIklA7nu8Nuzzzbsw==",
      "dev": true,
      "license": "MIT",
      "engines": {
        "node": "^20.19.0 || >=22.12.0"
      },
      "peerDependencies": {
-        "@rspress/core": "^2.0.9"
+        "@rspress/core": "^2.0.10"
      }
    },
    "node_modules/@rspress/plugin-sitemap": {
-      "version": "2.0.9",
-      "resolved": "https://registry.npmjs.org/@rspress/plugin-sitemap/-/plugin-sitemap-2.0.9.tgz",
-      "integrity": "sha512-GTuXuySaeaazUZoUxdk2vZ8p0ehIgulPjCP9C7gDg6lIh5JGpUbcjG4def4tWHsxUoKp2rIwu/93bHwKb8T0Mw==",
+      "version": "2.0.10",
+      "resolved": "https://registry.npmjs.org/@rspress/plugin-sitemap/-/plugin-sitemap-2.0.10.tgz",
+      "integrity": "sha512-PZLig9+OlnyLcy6x9BlEqWSRef6TzDWB6Dlh2/hY41FtKlhyb7d7U56RGlLselWaQV54SHVa6H/y611A56ZI2g==",
      "dev": true,
      "license": "MIT",
      "engines": {
        "node": "^20.19.0 || >=22.12.0"
      },
      "peerDependencies": {
-        "@rspress/core": "^2.0.9"
+        "@rspress/core": "^2.0.10"
      }
    },
    "node_modules/@rspress/shared": {
-      "version": "2.0.9",
-      "resolved": "https://registry.npmjs.org/@rspress/shared/-/shared-2.0.9.tgz",
-      "integrity": "sha512-G48n3pC7AVAR58pLqwClUCYj5Nt7ZgYEStR8VTBGFuPgXtzb3+KPfo/gz0hb6wxdKJ1cL5ohPsZ6EXqllu6lew==",
+      "version": "2.0.10",
+      "resolved": "https://registry.npmjs.org/@rspress/shared/-/shared-2.0.10.tgz",
+      "integrity": "sha512-Kx10OAHWqi2jvW7ScmBUbkGjnwv4E6rEoelUchcL8It8nQ4nAVk0xvvES7m64knEon55zDbs8JQumCjbHu801Q==",
      "dev": true,
      "license": "MIT",
      "dependencies": {
-        "@rsbuild/core": "2.0.0-rc.1",
+        "@rsbuild/core": "^2.0.2",
        "@shikijs/rehype": "^4.0.2",
        "unified": "^11.0.5"
      }
@@ -972,16 +968,6 @@
        "url": "https://github.com/fb55/entities?sponsor=1"
      }
    },
-    "node_modules/error-stack-parser": {
-      "version": "2.1.4",
-      "resolved": "https://registry.npmjs.org/error-stack-parser/-/error-stack-parser-2.1.4.tgz",
-      "integrity": "sha512-Sk5V6wVazPhq5MhpO+AUxJn5x7XSXGl1R93Vn7i+zS15KDVxQijejNCrz8340/2bgLBjR9GtEG8ZVKONDjcqGQ==",
-      "dev": true,
-      "license": "MIT",
-      "dependencies": {
-        "stackframe": "^1.3.4"
-      }
-    },
    "node_modules/esast-util-from-estree": {
      "version": "2.0.0",
      "resolved": "https://registry.npmjs.org/esast-util-from-estree/-/esast-util-from-estree-2.0.0.tgz",
@@ -1413,9 +1399,9 @@
      }
    },
    "node_modules/hookable": {
-      "version": "6.1.0",
-      "resolved": "https://registry.npmjs.org/hookable/-/hookable-6.1.0.tgz",
-      "integrity": "sha512-ZoKZSJgu8voGK2geJS+6YtYjvIzu9AOM/KZXsBxr83uhLL++e9pEv/dlgwgy3dvHg06kTz6JOh1hk3C8Ceiymw==",
+      "version": "6.1.1",
+      "resolved": "https://registry.npmjs.org/hookable/-/hookable-6.1.1.tgz",
+      "integrity": "sha512-U9LYDy1CwhMCnprUfeAZWZGByVbhd54hwepegYTK7Pi5NvqEj63ifz5z+xukznehT7i6NIZRu89Ay1AZmRsLEQ==",
      "dev": true,
      "license": "MIT"
    },
@@ -2697,20 +2683,20 @@
      "license": "MIT"
    },
    "node_modules/oniguruma-parser": {
-      "version": "0.12.1",
-      "resolved": "https://registry.npmjs.org/oniguruma-parser/-/oniguruma-parser-0.12.1.tgz",
-      "integrity": "sha512-8Unqkvk1RYc6yq2WBYRj4hdnsAxVze8i7iPfQr8e4uSP3tRv0rpZcbGUDvxfQQcdwHt/e9PrMvGCsa8OqG9X3w==",
+      "version": "0.12.2",
+      "resolved": "https://registry.npmjs.org/oniguruma-parser/-/oniguruma-parser-0.12.2.tgz",
+      "integrity": "sha512-6HVa5oIrgMC6aA6WF6XyyqbhRPJrKR02L20+2+zpDtO5QAzGHAUGw5TKQvwi5vctNnRHkJYmjAhRVQF2EKdTQw==",
      "dev": true,
      "license": "MIT"
    },
    "node_modules/oniguruma-to-es": {
-      "version": "4.3.5",
-      "resolved": "https://registry.npmjs.org/oniguruma-to-es/-/oniguruma-to-es-4.3.5.tgz",
-      "integrity": "sha512-Zjygswjpsewa0NLTsiizVuMQZbp0MDyM6lIt66OxsF21npUDlzpHi1Mgb/qhQdkb+dWFTzJmFbEWdvZgRho8eQ==",
+      "version": "4.3.6",
+      "resolved": "https://registry.npmjs.org/oniguruma-to-es/-/oniguruma-to-es-4.3.6.tgz",
+      "integrity": "sha512-csuQ9x3Yr0cEIs/Zgx/OEt9iBw9vqIunAPQkx19R/fiMq2oGVTgcMqO/V3Ybqefr1TBvosI6jU539ksaBULJyA==",
      "dev": true,
      "license": "MIT",
      "dependencies": {
-        "oniguruma-parser": "^0.12.1",
+        "oniguruma-parser": "^0.12.2",
        "regex": "^6.1.0",
        "regex-recursion": "^6.0.2"
      }
@@ -2836,9 +2822,9 @@
      }
    },
    "node_modules/react-router": {
-      "version": "7.14.0",
-      "resolved": "https://registry.npmjs.org/react-router/-/react-router-7.14.0.tgz",
-      "integrity": "sha512-m/xR9N4LQLmAS0ZhkY2nkPA1N7gQ5TUVa5n8TgANuDTARbn1gt+zLPXEm7W0XDTbrQ2AJSJKhoa6yx1D8BcpxQ==",
+      "version": "7.14.2",
+      "resolved": "https://registry.npmjs.org/react-router/-/react-router-7.14.2.tgz",
+      "integrity": "sha512-yCqNne6I8IB6rVCH7XUvlBK7/QKyqypBFGv+8dj4QBFJiiRX+FG7/nkdAvGElyvVZ/HQP5N19wzteuTARXi5Gw==",
      "dev": true,
      "license": "MIT",
      "dependencies": {
@@ -2859,13 +2845,13 @@
      }
    },
    "node_modules/react-router-dom": {
-      "version": "7.14.0",
-      "resolved": "https://registry.npmjs.org/react-router-dom/-/react-router-dom-7.14.0.tgz",
-      "integrity": "sha512-2G3ajSVSZMEtmTjIklRWlNvo8wICEpLihfD/0YMDxbWK2UyP5EGfnoIn9AIQGnF3G/FX0MRbHXdFcD+rL1ZreQ==",
+      "version": "7.14.2",
+      "resolved": "https://registry.npmjs.org/react-router-dom/-/react-router-dom-7.14.2.tgz",
+      "integrity": "sha512-YZcM5ES8jJSM+KrJ9BdvHHqlnGTg5tH3sC5ChFRj4inosKctdyzBDhOyyHdGk597q2OT6NTrCA1OvB/YDwfekQ==",
      "dev": true,
      "license": "MIT",
      "dependencies": {
-        "react-router": "7.14.0"
+        "react-router": "7.14.2"
      },
      "engines": {
        "node": ">=20.0.0"
@@ -3218,13 +3204,6 @@
        "url": "https://github.com/sponsors/wooorm"
      }
    },
-    "node_modules/stackframe": {
-      "version": "1.3.4",
-      "resolved": "https://registry.npmjs.org/stackframe/-/stackframe-1.3.4.tgz",
-      "integrity": "sha512-oeVtt7eWQS+Na6F//S4kJ2K2VbRlS9D43mAlMyVpVWovy9o+jfgH8O9agzANzaiLjclA0oYzUXEM4PurhSUChw==",
-      "dev": true,
-      "license": "MIT"
-    },
    "node_modules/stringify-entities": {
      "version": "4.0.4",
      "resolved": "https://registry.npmjs.org/stringify-entities/-/stringify-entities-4.0.4.tgz",
@@ -6,7 +6,9 @@ ### Installation

 To add the Continuwuation apt repository:
 ```bash
-# Replace with `"dev"` for bleeding-edge builds at your own risk
+# Component `"stable"` contains all tagged releases. Use `"stable unstable"` to additionally include all pre-releases (alpha, beta, rc,...)
+# Replace with `"dev"` for bleeding-edge builds at your own risk, these contain
+# automatic nightly builds and might or might not work.
 export COMPONENT="stable"
 # Import the Continuwuation signing key
 sudo curl https://forgejo.ellis.link/api/packages/continuwuation/debian/repository.key -o /etc/apt/keyrings/forgejo-continuwuation.asc
@@ -20,7 +20,11 @@ export default defineConfig({
                    '/deploying/docker-compose.for-traefik.yml',
                    '/deploying/docker-compose.with-traefik.yml',
                    `/deploying/docker-compose.override.yml`,
-                    `/deploying/docker-compose.yml`
+                    `/deploying/docker-compose.yml`,
+                    '/advanced/delegated.docker-compose.with-caddy.yml',
+                    '/advanced/delegated.docker-compose.with-caddy-labels.yml',
+                    '/advanced/delegated.docker-compose.for-traefik.yml',
+                    '/advanced/delegated.docker-compose.with-traefik.yml',
                ]
            },
        },
@@ -81,9 +81,11 @@ conduwuit-macros.workspace = true
 conduwuit-service.workspace = true
 const-str.workspace = true
 ctor.workspace = true
+dtor.workspace = true
 futures.workspace = true
 lettre.workspace = true
 log.workspace = true
+assign.workspace = true
 ruma.workspace = true
 serde_json.workspace = true
 serde-saphyr.workspace = true
@@ -16,7 +16,7 @@
 };

 #[derive(Debug, Parser)]
-#[command(name = conduwuit_core::name(), version = conduwuit_core::version())]
+#[command(name = conduwuit_core::BRANDING, version = conduwuit_core::version())]
 pub enum AdminCommand {
 	#[command(subcommand)]
 	/// Commands for managing appservices
@@ -7,7 +7,7 @@
 #[implement(Context, params = "<'_>")]
 pub(super) async fn check_all_users(&self) -> Result {
 	let timer = tokio::time::Instant::now();
-	let users = self.services.users.iter().collect::<Vec<_>>().await;
+	let users = self.services.users.stream().collect::<Vec<_>>().await;
 	let query_time = timer.elapsed();

 	let total = users.len();
@@ -79,12 +79,14 @@ pub(super) async fn parse_pdu(&self) -> Result {
 	}

 	let string = self.body[1..self.body.len().saturating_sub(1)].join("\n");
+	let room_version_rules = RoomVersionId::V12.rules().unwrap();
+
 	match serde_json::from_str(&string) {
 		| Err(e) => return Err!("Invalid json in command body: {e}"),
-		| Ok(value) => match ruma::signatures::reference_hash(&value, &RoomVersionId::V6) {
+		| Ok(value) => match ruma::signatures::reference_hash(&value, &room_version_rules) {
 			| Err(e) => return Err!("Could not parse PDU JSON: {e:?}"),
 			| Ok(hash) => {
-				let event_id = OwnedEventId::parse(format!("${hash}"));
+				let event_id = EventId::parse(format!("${hash}"));
 				match serde_json::from_value::<PduEvent>(serde_json::to_value(value)?) {
 					| Err(e) => return Err!("EventId: {event_id:?}\nCould not parse event: {e}"),
 					| Ok(pdu) => write!(self, "EventId: {event_id:?}\n{pdu:#?}"),
@@ -119,7 +121,7 @@ pub(super) async fn get_pdu(&self, event_id: OwnedEventId) -> Result {
 			} else {
 				"PDU found in our database"
 			};
-			write!(self, "{msg}\n```json\n{text}\n```",)
+			write!(self, "{msg}\n```json\n{text}\n```")
 		},
 	}
 	.await
@@ -187,10 +189,7 @@ pub(super) async fn get_remote_pdu_list(&self, server: OwnedServerName, force: b

 	for event_id in list {
 		if force {
-			match self
-				.get_remote_pdu(event_id.to_owned(), server.clone())
-				.await
-			{
+			match self.get_remote_pdu(event_id.clone(), server.clone()).await {
 				| Err(e) => {
 					failed_count = failed_count.saturating_add(1);
 					self.services
@@ -205,7 +204,7 @@ pub(super) async fn get_remote_pdu_list(&self, server: OwnedServerName, force: b
 				},
 			}
 		} else {
-			self.get_remote_pdu(event_id.to_owned(), server.clone())
+			self.get_remote_pdu(event_id.clone(), server.clone())
 				.await?;
 			success_count = success_count.saturating_add(1);
 		}
@@ -237,10 +236,10 @@ pub(super) async fn get_remote_pdu(
 	match self
 		.services
 		.sending
-		.send_federation_request(&server, ruma::api::federation::event::get_event::v1::Request {
-			event_id: event_id.clone(),
-			include_unredacted_content: None,
-		})
+		.send_federation_request(
+			&server,
+			ruma::api::federation::event::get_event::v1::Request::new(event_id.clone()),
+		)
 		.await
 	{
 		| Err(e) => {
@@ -330,9 +329,9 @@ pub(super) async fn ping(&self, server: OwnedServerName) -> Result {
 	match self
 		.services
 		.sending
-		.send_federation_request(
+		.send_unauthenticated_request(
 			&server,
-			ruma::api::federation::discovery::get_server_version::v1::Request {},
+			ruma::api::federation::discovery::get_server_version::v1::Request::new(),
 		)
 		.await
 	{
@@ -361,7 +360,7 @@ pub(super) async fn force_device_list_updates(&self) -> Result {
 	self.services
 		.users
 		.stream()
-		.for_each(|user_id| self.services.users.mark_device_key_update(user_id))
+		.for_each(async |user_id| self.services.users.mark_device_key_update(&user_id).await)
 		.await;

 	write!(self, "Marked all devices for all users as having new keys to update").await
@@ -430,9 +429,16 @@ pub(super) async fn verify_json(&self) -> Result {
 	}

 	let string = self.body[1..self.body.len().checked_sub(1).unwrap()].join("\n");
+	let room_version_rules = RoomVersionId::V12.rules().unwrap();
+
 	match serde_json::from_str::<CanonicalJsonObject>(&string) {
 		| Err(e) => return Err!("Invalid json: {e}"),
-		| Ok(value) => match self.services.server_keys.verify_json(&value, None).await {
+		| Ok(value) => match self
+			.services
+			.server_keys
+			.verify_json(&value, &room_version_rules)
+			.await
+		{
 			| Err(e) => return Err!("Signature verification failed: {e}"),
 			| Ok(()) => write!(self, "Signature correct"),
 		},
@@ -445,9 +451,15 @@ pub(super) async fn verify_pdu(&self, event_id: OwnedEventId) -> Result {
 	use ruma::signatures::Verified;

 	let mut event = self.services.rooms.timeline.get_pdu_json(&event_id).await?;
+	let room_version_rules = RoomVersionId::V12.rules().unwrap();

 	event.remove("event_id");
-	let msg = match self.services.server_keys.verify_event(&event, None).await {
+	let msg = match self
+		.services
+		.server_keys
+		.verify_event(&event, &room_version_rules)
+		.await
+	{
 		| Err(e) => return Err(e),
 		| Ok(Verified::Signatures) => "signatures OK, but content hash failed (redaction).",
 		| Ok(Verified::All) => "signatures and hashes OK.",
@@ -544,16 +556,17 @@ pub(super) async fn force_set_room_state_from_server(
 	};

 	let room_version = self.services.rooms.state.get_room_version(&room_id).await?;
+	let room_version_rules = room_version.rules().unwrap();

 	let mut state: HashMap<u64, OwnedEventId> = HashMap::new();

 	let remote_state_response = self
 		.services
 		.sending
-		.send_federation_request(&server_name, get_room_state::v1::Request {
-			room_id: room_id.clone(),
-			event_id: at_event_id,
-		})
+		.send_federation_request(
+			&server_name,
+			get_room_state::v1::Request::new(at_event_id, room_id.clone()),
+		)
 		.await?;

 	for pdu in remote_state_response.pdus.clone() {
@@ -576,7 +589,7 @@ pub(super) async fn force_set_room_state_from_server(
 	for result in remote_state_response.pdus.iter().map(|pdu| {
 		self.services
 			.server_keys
-			.validate_and_add_event_id(pdu, &room_version)
+			.validate_and_add_event_id(pdu, &room_version_rules)
 	}) {
 		let Ok((event_id, value)) = result.await else {
 			continue;
@@ -608,7 +621,7 @@ pub(super) async fn force_set_room_state_from_server(
 	for result in remote_state_response.auth_chain.iter().map(|pdu| {
 		self.services
 			.server_keys
-			.validate_and_add_event_id(pdu, &room_version)
+			.validate_and_add_event_id(pdu, &room_version_rules)
 	}) {
 		let Ok((event_id, value)) = result.await else {
 			continue;
@@ -625,7 +638,7 @@ pub(super) async fn force_set_room_state_from_server(
 		.services
 		.rooms
 		.event_handler
-		.resolve_state(&room_id, &room_version, state)
+		.resolve_state(&room_id, &room_version_rules, state)
 		.await?;

 	info!("Compressing new room state");
@@ -102,16 +102,12 @@ pub(super) async fn remote_user_in_rooms(&self, user_id: OwnedUserId) -> Result
 		);
 	}

-	if !self.services.users.exists(&user_id).await {
-		return Err!("Remote user does not exist in our database.",);
-	}
-
 	let mut rooms: Vec<(OwnedRoomId, u64, String)> = self
 		.services
 		.rooms
 		.state_cache
 		.rooms_joined(&user_id)
-		.then(|room_id| get_room_info(self.services, room_id))
+		.then(async |room_id| get_room_info(self.services, &room_id).await)
 		.collect()
 		.await;

@@ -129,6 +125,6 @@ pub(super) async fn remote_user_in_rooms(&self, user_id: OwnedUserId) -> Result
 		.collect::<Vec<_>>()
 		.join("\n");

-	self.write_str(&format!("Rooms {user_id} shares with us ({num}):\n```\n{body}\n```",))
+	self.write_str(&format!("Rooms {user_id} shares with us ({num}):\n```\n{body}\n```"))
 		.await
 }
@@ -6,7 +6,8 @@
 	warn,
 };
 use conduwuit_service::media::Dim;
-use ruma::{Mxc, OwnedEventId, OwnedMxcUri, OwnedServerName};
+use ruma::{OwnedEventId, OwnedMxcUri, OwnedServerName};
+use service::media::mxc::Mxc;

 use crate::{admin_command, utils::parse_local_user_id};

@@ -261,7 +262,7 @@ pub(super) async fn delete_past_remote_media(
 		)
 		.await?;

-	self.write_str(&format!("Deleted {deleted_count} total files.",))
+	self.write_str(&format!("Deleted {deleted_count} total files."))
 		.await
 }

@@ -271,7 +272,7 @@ pub(super) async fn delete_all_from_user(&self, username: String) -> Result {

 	let deleted_count = self.services.media.delete_from_user(&user_id).await?;

-	self.write_str(&format!("Deleted {deleted_count} total files.",))
+	self.write_str(&format!("Deleted {deleted_count} total files."))
 		.await
 }

@@ -330,7 +331,7 @@ pub(super) async fn delete_all_from_server(
 		}
 	}

-	self.write_str(&format!("Deleted {deleted_count} total files.",))
+	self.write_str(&format!("Deleted {deleted_count} total files."))
 		.await
 }

@@ -16,8 +16,8 @@
 use ruma::{
 	EventId,
 	events::{
-		relation::InReplyTo,
-		room::message::{Relation::Reply, RoomMessageEventContent},
+		relation::{InReplyTo, Reply},
+		room::message::{Relation, RoomMessageEventContent},
 	},
 };
 use service::{
@@ -38,6 +38,7 @@ pub(super) fn dispatch(services: Arc<Services>, command: CommandInput) -> Proces
 }

 #[tracing::instrument(skip_all, name = "admin", level = "info")]
+#[allow(clippy::result_large_err)]
 async fn handle_command(services: Arc<Services>, command: CommandInput) -> ProcessorResult {
 	AssertUnwindSafe(Box::pin(process_command(services, &command)))
 		.catch_unwind()
@@ -277,9 +278,8 @@ fn reply(
 	mut content: RoomMessageEventContent,
 	reply_id: Option<&EventId>,
 ) -> RoomMessageEventContent {
-	content.relates_to = reply_id.map(|event_id| Reply {
-		in_reply_to: InReplyTo { event_id: event_id.to_owned() },
-	});
+	content.relates_to =
+		reply_id.map(|event_id| Relation::Reply(Reply::new(InReplyTo::new(event_id.to_owned()))));

 	content
 }
@@ -50,7 +50,7 @@ async fn destinations_cache(&self, server_name: Option<OwnedServerName>) -> Resu

 	while let Some((name, CachedDest { dest, host, expire })) = destinations.next().await {
 		if let Some(server_name) = server_name.as_ref() {
-			if name != server_name {
+			if name != *server_name {
 				continue;
 			}
 		}
@@ -76,7 +76,7 @@ async fn overrides_cache(&self, server_name: Option<String>) -> Result {
 		overrides.next().await
 	{
 		if let Some(server_name) = server_name.as_ref() {
-			if name != server_name {
+			if name != *server_name {
 				continue;
 			}
 		}
@@ -41,7 +41,6 @@ pub(super) async fn process(subcommand: RoomAliasCommand, context: &Context<'_>)
 				.rooms
 				.alias
 				.local_aliases_for_room(&room_id)
-				.map(ToOwned::to_owned)
 				.collect()
 				.await;
 			let query_time = timer.elapsed();
@@ -54,7 +53,7 @@ pub(super) async fn process(subcommand: RoomAliasCommand, context: &Context<'_>)
 				.rooms
 				.alias
 				.all_local_aliases()
-				.map(|(room_id, alias)| (room_id.to_owned(), alias.to_owned()))
+				.map(|(room_id, alias)| (room_id, alias.to_owned()))
 				.collect::<Vec<_>>()
 				.await;
 			let query_time = timer.elapsed();
@@ -101,7 +101,6 @@ pub(super) async fn process(subcommand: RoomStateCacheCommand, context: &Context
 				.rooms
 				.state_cache
 				.room_servers(&room_id)
-				.map(ToOwned::to_owned)
 				.collect()
 				.await;
 			let query_time = timer.elapsed();
@@ -118,7 +117,6 @@ pub(super) async fn process(subcommand: RoomStateCacheCommand, context: &Context
 				.rooms
 				.state_cache
 				.server_rooms(&server)
-				.map(ToOwned::to_owned)
 				.collect()
 				.await;
 			let query_time = timer.elapsed();
@@ -135,7 +133,6 @@ pub(super) async fn process(subcommand: RoomStateCacheCommand, context: &Context
 				.rooms
 				.state_cache
 				.room_members(&room_id)
-				.map(ToOwned::to_owned)
 				.collect()
 				.await;
 			let query_time = timer.elapsed();
@@ -152,7 +149,6 @@ pub(super) async fn process(subcommand: RoomStateCacheCommand, context: &Context
 				.rooms
 				.state_cache
 				.local_users_in_room(&room_id)
-				.map(ToOwned::to_owned)
 				.collect()
 				.await;
 			let query_time = timer.elapsed();
@@ -169,7 +165,6 @@ pub(super) async fn process(subcommand: RoomStateCacheCommand, context: &Context
 				.rooms
 				.state_cache
 				.active_local_users_in_room(&room_id)
-				.map(ToOwned::to_owned)
 				.collect()
 				.await;
 			let query_time = timer.elapsed();
@@ -212,7 +207,6 @@ pub(super) async fn process(subcommand: RoomStateCacheCommand, context: &Context
 				.rooms
 				.state_cache
 				.room_useroncejoined(&room_id)
-				.map(ToOwned::to_owned)
 				.collect()
 				.await;
 			let query_time = timer.elapsed();
@@ -229,7 +223,6 @@ pub(super) async fn process(subcommand: RoomStateCacheCommand, context: &Context
 				.rooms
 				.state_cache
 				.room_members_invited(&room_id)
-				.map(ToOwned::to_owned)
 				.collect()
 				.await;
 			let query_time = timer.elapsed();
@@ -276,7 +269,6 @@ pub(super) async fn process(subcommand: RoomStateCacheCommand, context: &Context
 				.rooms
 				.state_cache
 				.rooms_joined(&user_id)
-				.map(ToOwned::to_owned)
 				.collect()
 				.await;
 			let query_time = timer.elapsed();
@@ -15,10 +15,6 @@ pub enum UsersCommand {

 	IterUsers2,

-	PasswordHash {
-		user_id: OwnedUserId,
-	},
-
 	ListDevices {
 		user_id: OwnedUserId,
 	},
@@ -104,7 +100,6 @@ async fn get_shared_rooms(&self, user_a: OwnedUserId, user_b: OwnedUserId) -> Re
 		.rooms
 		.state_cache
 		.get_shared_rooms(&user_a, &user_b)
-		.map(ToOwned::to_owned)
 		.collect()
 		.await;
 	let query_time = timer.elapsed();
@@ -217,8 +212,7 @@ async fn iter_users2(&self) -> Result {
 	let result: Vec<_> = self.services.users.stream().collect().await;
 	let result: Vec<_> = result
 		.into_iter()
-		.map(ruma::UserId::as_bytes)
-		.map(String::from_utf8_lossy)
+		.map(|user_id| String::from_utf8_lossy(user_id.as_bytes()).into_owned())
 		.collect();

 	let query_time = timer.elapsed();
@@ -237,16 +231,6 @@ async fn count_users(&self) -> Result {
 		.await
 }

-#[admin_command]
-async fn password_hash(&self, user_id: OwnedUserId) -> Result {
-	let timer = tokio::time::Instant::now();
-	let result = self.services.users.password_hash(&user_id).await;
-	let query_time = timer.elapsed();
-
-	self.write_str(&format!("Query completed in {query_time:?}:\n\n```rs\n{result:#?}\n```"))
-		.await
-}
-
 #[admin_command]
 async fn list_devices(&self, user_id: OwnedUserId) -> Result {
 	let timer = tokio::time::Instant::now();
@@ -254,7 +238,6 @@ async fn list_devices(&self, user_id: OwnedUserId) -> Result {
 		.services
 		.users
 		.all_device_ids(&user_id)
-		.map(ToOwned::to_owned)
 		.collect::<Vec<_>>()
 		.await;

@@ -3,7 +3,7 @@
 use clap::Subcommand;
 use conduwuit::{Err, Result};
 use futures::StreamExt;
-use ruma::{OwnedRoomAliasId, OwnedRoomId};
+use ruma::{OwnedRoomAliasId, OwnedRoomId, RoomAliasId};

 use crate::Context;

@@ -52,7 +52,7 @@ pub(super) async fn process(command: RoomAliasCommand, context: &Context<'_>) ->
 		| RoomAliasCommand::Which { ref room_alias_localpart } => {
 			let room_alias_str =
 				format!("#{}:{}", room_alias_localpart, services.globals.server_name());
-			let room_alias = match OwnedRoomAliasId::parse(room_alias_str) {
+			let room_alias = match RoomAliasId::parse(room_alias_str) {
 				| Ok(alias) => alias,
 				| Err(err) => {
 					return Err!("Failed to parse alias: {err}");
@@ -139,7 +139,7 @@ pub(super) async fn process(command: RoomAliasCommand, context: &Context<'_>) ->
 					.rooms
 					.alias
 					.all_local_aliases()
-					.map(|(room_id, localpart)| (room_id.into(), localpart.into()))
+					.map(|(room_id, localpart)| (room_id, localpart.into()))
 					.collect::<Vec<(OwnedRoomId, String)>>()
 					.await;

@@ -22,14 +22,14 @@ pub(super) async fn list_rooms(
 		.metadata
 		.iter_ids()
 		.filter_map(|room_id| async move {
-			(!exclude_disabled || !self.services.rooms.metadata.is_disabled(room_id).await)
+			(!exclude_disabled || !self.services.rooms.metadata.is_disabled(&room_id).await)
 				.then_some(room_id)
 		})
 		.filter_map(|room_id| async move {
-			(!exclude_banned || !self.services.rooms.metadata.is_banned(room_id).await)
+			(!exclude_banned || !self.services.rooms.metadata.is_banned(&room_id).await)
 				.then_some(room_id)
 		})
-		.then(|room_id| get_room_info(self.services, room_id))
+		.then(async |room_id| get_room_info(self.services, &room_id).await)
 		.then(|(room_id, total_members, name)| async move {
 			let local_members: Vec<_> = self
 				.services
@@ -72,7 +72,7 @@ pub(super) async fn list_rooms(
 		.collect::<Vec<_>>()
 		.join("\n");

-	self.write_str(&format!("Rooms ({}):\n```\n{body}\n```", rooms.len(),))
+	self.write_str(&format!("Rooms ({}):\n```\n{body}\n```", rooms.len()))
 		.await
 }

@@ -43,7 +43,7 @@ pub(super) async fn process(command: RoomDirectoryCommand, context: &Context<'_>
 				.rooms
 				.directory
 				.public_rooms()
-				.then(|room_id| get_room_info(services, room_id))
+				.then(async |room_id| get_room_info(services, &room_id).await)
 				.collect()
 				.await;

@@ -67,7 +67,7 @@ pub(super) async fn process(command: RoomDirectoryCommand, context: &Context<'_>
 				.join("\n");

 			context
-				.write_str(&format!("Rooms (page {page}):\n```\n{body}\n```",))
+				.write_str(&format!("Rooms (page {page}):\n```\n{body}\n```"))
 				.await
 		},
 	}
@@ -46,7 +46,6 @@ async fn list_joined_members(&self, room_id: OwnedRoomId, local_only: bool) -> R
 				.then(|| self.services.globals.user_is_local(user_id))
 				.unwrap_or(true)
 		})
-		.map(ToOwned::to_owned)
 		.filter_map(|user_id| async move {
 			Some((
 				self.services
@@ -67,7 +66,7 @@ async fn list_joined_members(&self, room_id: OwnedRoomId, local_only: bool) -> R
 		.collect::<Vec<_>>()
 		.join("\n");

-	self.write_str(&format!("{num} Members in Room \"{room_name}\":\n```\n{body}\n```",))
+	self.write_str(&format!("{num} Members in Room \"{room_name}\":\n```\n{body}\n```"))
 		.await
 }

@@ -71,7 +71,7 @@ async fn ban_room(&self, room: OwnedRoomOrAliasId) -> Result {

 		debug!("Room specified is a room ID, banning room ID");

-		room_id.to_owned()
+		room_id.clone()
 	} else if room.is_room_alias_id() {
 		let room_alias = match RoomAliasId::parse(&room) {
 			| Ok(room_alias) => room_alias,
@@ -89,7 +89,7 @@ async fn ban_room(&self, room: OwnedRoomOrAliasId) -> Result {
 			 locally, if not using get_alias_helper to fetch room ID remotely"
 		);

-		match self.services.rooms.alias.resolve_alias(room_alias).await {
+		match self.services.rooms.alias.resolve_alias(&room_alias).await {
 			| Ok((room_id, servers)) => {
 				debug!(
 					%room_id,
@@ -116,7 +116,6 @@ async fn ban_room(&self, room: OwnedRoomOrAliasId) -> Result {
 		.rooms
 		.state_cache
 		.room_members(&room_id)
-		.map(ToOwned::to_owned)
 		.ready_filter(|user| self.services.globals.user_is_local(user))
 		.boxed();

@@ -140,7 +139,6 @@ async fn ban_room(&self, room: OwnedRoomOrAliasId) -> Result {
 		.rooms
 		.alias
 		.local_aliases_for_room(&room_id)
-		.map(ToOwned::to_owned)
 		.for_each(|local_alias| async move {
 			self.services
 				.rooms
@@ -205,7 +203,7 @@ async fn ban_list_of_rooms(&self) -> Result {
 						},
 					};

-					room_ids.push(room_id.to_owned());
+					room_ids.push(room_id.clone());
 				}

 				if room_alias_or_id.is_room_alias_id() {
@@ -215,7 +213,7 @@ async fn ban_list_of_rooms(&self) -> Result {
 								.services
 								.rooms
 								.alias
-								.resolve_local_alias(room_alias)
+								.resolve_local_alias(&room_alias)
 								.await
 							{
 								| Ok(room_id) => room_id,
@@ -229,7 +227,7 @@ async fn ban_list_of_rooms(&self) -> Result {
 										.services
 										.rooms
 										.alias
-										.resolve_alias(room_alias)
+										.resolve_alias(&room_alias)
 										.await
 									{
 										| Ok((room_id, servers)) => {
@@ -284,7 +282,6 @@ async fn ban_list_of_rooms(&self) -> Result {
 			.rooms
 			.state_cache
 			.room_members(&room_id)
-			.map(ToOwned::to_owned)
 			.ready_filter(|user| self.services.globals.user_is_local(user))
 			.boxed();

@@ -309,7 +306,6 @@ async fn ban_list_of_rooms(&self) -> Result {
 			.rooms
 			.alias
 			.local_aliases_for_room(&room_id)
-			.map(ToOwned::to_owned)
 			.for_each(|local_alias| async move {
 				self.services
 					.rooms
@@ -348,9 +344,9 @@ async fn unban_room(&self, room: OwnedRoomOrAliasId) -> Result {
 		};

 		debug!("Room specified is a room ID, unbanning room ID");
-		self.services.rooms.metadata.ban_room(room_id, false);
+		self.services.rooms.metadata.ban_room(&room_id, false);

-		room_id.to_owned()
+		room_id.clone()
 	} else if room.is_room_alias_id() {
 		let room_alias = match RoomAliasId::parse(&room) {
 			| Ok(room_alias) => room_alias,
@@ -372,7 +368,7 @@ async fn unban_room(&self, room: OwnedRoomOrAliasId) -> Result {
 			.services
 			.rooms
 			.alias
-			.resolve_local_alias(room_alias)
+			.resolve_local_alias(&room_alias)
 			.await
 		{
 			| Ok(room_id) => room_id,
@@ -382,7 +378,7 @@ async fn unban_room(&self, room: OwnedRoomOrAliasId) -> Result {
 					 room ID over federation"
 				);

-				match self.services.rooms.alias.resolve_alias(room_alias).await {
+				match self.services.rooms.alias.resolve_alias(&room_alias).await {
 					| Ok((room_id, servers)) => {
 						debug!(
 							%room_id,
@@ -453,6 +449,6 @@ async fn list_banned_rooms(&self, no_details: bool) -> Result {
 		.collect::<Vec<_>>()
 		.join("\n");

-	self.write_str(&format!("Rooms Banned ({num}):\n```\n{body}\n```",))
+	self.write_str(&format!("Rooms Banned ({num}):\n```\n{body}\n```"))
 		.await
 }
@@ -159,8 +159,8 @@ pub(super) async fn list_features(&self) -> Result {
 	let mut enabled_features = conduwuit::info::introspection::ENABLED_FEATURES
 		.lock()
 		.expect("locked")
-		.iter()
-		.flat_map(|(_, f)| f.iter())
+		.values()
+		.flat_map(|f| f.iter())
 		.collect::<Vec<_>>();

 	enabled_features.sort_unstable();
@@ -30,14 +30,37 @@ pub(super) async fn issue_token(&self, expires: super::TokenExpires) -> Result {
 		.issue_token(self.sender_or_service_user().into(), expires);

 	self.write_str(&format!(
-		"New registration token issued: `{token}`. {}.",
+		"New registration token issued: `{token}` . {}.",
 		if let Some(expires) = info.expires {
 			format!("{expires}")
 		} else {
 			"Never expires".to_owned()
 		}
 	))
-	.await
+	.await?;
+
+	if self
+		.services
+		.config
+		.oauth
+		.compatibility_mode
+		.oauth_available()
+	{
+		self.write_str(&format!(
+			"\nInvite link using this token: {}",
+			self.services
+				.config
+				.get_client_domain()
+				.join(&format!(
+					"{}/account/register/?flow=trusted&token={token}",
+					conduwuit::ROUTE_PREFIX
+				))
+				.unwrap()
+		))
+		.await?;
+	}
+
+	Ok(())
 }

 #[admin_command]
@@ -1,31 +1,26 @@
-use std::{
-	collections::{BTreeMap, HashSet},
-	fmt::Write as _,
-};
+use std::collections::{BTreeMap, HashSet};

 use api::client::{
-	full_user_deactivate, join_room_by_id_helper, leave_room, recreate_push_rules_and_return,
-	remote_leave_room,
+	full_user_deactivate, leave_room, recreate_push_rules_and_return, remote_leave_room,
 };
 use conduwuit::{
-	Err, Result, debug_warn, error, info,
-	matrix::{Event, pdu::PduBuilder},
+	Err, Result, debug_warn, info,
+	matrix::{Event, pdu::PartialPdu},
 	utils::{self, ReadyExt},
 	warn,
 };
 use futures::{FutureExt, StreamExt};
 use lettre::Address;
 use ruma::{
-	OwnedEventId, OwnedRoomId, OwnedRoomOrAliasId, OwnedServerName, OwnedUserId, UserId,
+	OwnedEventId, OwnedRoomId, OwnedRoomOrAliasId, OwnedServerName, OwnedUserId, ServerName,
+	UserId, assign,
 	events::{
-		RoomAccountDataEventType, StateEventType,
-		room::{
-			power_levels::{RoomPowerLevels, RoomPowerLevelsEventContent},
-			redaction::RoomRedactionEventContent,
-		},
+		RoomAccountDataEventType,
+		room::{power_levels::RoomPowerLevelsEventContent, redaction::RoomRedactionEventContent},
 		tag::{TagEvent, TagEventContent, TagInfo},
 	},
 };
+use service::users::HashedPassword;

 use crate::{
 	admin_command, get_room_info,
@@ -41,7 +36,7 @@ pub(super) async fn list_users(&self) -> Result {
 		.services
 		.users
 		.list_local_users()
-		.map(ToString::to_string)
+		.map(|id| id.as_str().to_owned())
 		.collect()
 		.await;

@@ -55,127 +50,22 @@ pub(super) async fn list_users(&self) -> Result {
 #[admin_command]
 pub(super) async fn create_user(&self, username: String, password: Option<String>) -> Result {
 	// Validate user id
-	let user_id = parse_local_user_id(self.services, &username)?;
-
-	if let Err(e) = user_id.validate_strict() {
-		if self.services.config.emergency_password.is_none() {
-			return Err!("Username {user_id} contains disallowed characters or spaces: {e}");
-		}
-	}
-
-	if self.services.users.exists(&user_id).await {
-		return Err!("User {user_id} already exists");
-	}
-
-	let password = password.unwrap_or_else(|| utils::random_string(AUTO_GEN_PASSWORD_LENGTH));
-
-	// Create user
-	self.services
-		.users
-		.create(&user_id, Some(password.as_str()), None)
-		.await?;
-
-	// Default to pretty displayname
-	let mut displayname = user_id.localpart().to_owned();
-
-	// If `new_user_displayname_suffix` is set, registration will push whatever
-	// content is set to the user's display name with a space before it
-	if !self
+	let user_id = self
 		.services
-		.server
-		.config
-		.new_user_displayname_suffix
-		.is_empty()
-	{
-		write!(displayname, " {}", self.services.server.config.new_user_displayname_suffix)?;
-	}
+		.users
+		.determine_registration_user_id(Some(username), None, None)
+		.await?;
+
+	let password = HashedPassword::new(
+		&password.unwrap_or_else(|| utils::random_string(AUTO_GEN_PASSWORD_LENGTH)),
+	)?;

 	self.services
 		.users
-		.set_displayname(&user_id, Some(displayname));
+		.create_local_account(&user_id, password, None)
+		.await;

-	// Initial account data
-	self.services
-		.account_data
-		.update(
-			None,
-			&user_id,
-			ruma::events::GlobalAccountDataEventType::PushRules
-				.to_string()
-				.into(),
-			&serde_json::to_value(ruma::events::push_rules::PushRulesEvent {
-				content: ruma::events::push_rules::PushRulesEventContent {
-					global: ruma::push::Ruleset::server_default(&user_id),
-				},
-			})?,
-		)
-		.await?;
-
-	if !self.services.server.config.auto_join_rooms.is_empty() {
-		for room in &self.services.server.config.auto_join_rooms {
-			let Ok(room_id) = self.services.rooms.alias.resolve(room).await else {
-				error!(
-					%user_id,
-					"Failed to resolve room alias to room ID when attempting to auto join {room}, skipping"
-				);
-				continue;
-			};
-
-			if !self
-				.services
-				.rooms
-				.state_cache
-				.server_in_room(self.services.globals.server_name(), &room_id)
-				.await
-			{
-				warn!(
-					"Skipping room {room} to automatically join as we have never joined before."
-				);
-				continue;
-			}
-
-			if let Some(room_server_name) = room.server_name() {
-				match join_room_by_id_helper(
-					self.services,
-					&user_id,
-					&room_id,
-					Some("Automatically joining this room upon registration".to_owned()),
-					&[
-						self.services.globals.server_name().to_owned(),
-						room_server_name.to_owned(),
-					],
-					&None,
-				)
-				.await
-				{
-					| Ok(_response) => {
-						info!("Automatically joined room {room} for user {user_id}");
-					},
-					| Err(e) => {
-						// don't return this error so we don't fail registrations
-						error!(
-							"Failed to automatically join room {room} for user {user_id}: {e}"
-						);
-						self.services
-							.admin
-							.send_text(&format!(
-								"Failed to automatically join room {room} for user {user_id}: \
-								 {e}"
-							))
-							.await;
-					},
-				}
-			}
-		}
-	}
-
-	// we dont add a device since we're not the user, just the creator
-
-	// Make the first user to register an administrator and disable first-run mode.
-	self.services.firstrun.empower_first_user(&user_id).await?;
-
-	self.write_str(&format!("Created user with user_id: {user_id} and password: `{password}`"))
-		.await
+	self.write_str(&format!("Created user {user_id}")).await
 }

 #[admin_command]
@@ -275,24 +165,25 @@ pub(super) async fn reset_password(

 	let new_password = password.unwrap_or_else(|| utils::random_string(AUTO_GEN_PASSWORD_LENGTH));

-	match self
-		.services
+	self.services
 		.users
-		.set_password(&user_id, Some(new_password.as_str()))
-		.await
-	{
-		| Err(e) => return Err!("Couldn't reset the password for user {user_id}: {e}"),
-		| Ok(()) => {
-			write!(self, "Successfully reset the password for user {user_id}: `{new_password}`")
-		},
-	}
+		.set_password(&user_id, Some(HashedPassword::new(&new_password)?));
+
+	self.write_str(&format!(
+		"Successfully reset the password for user {user_id}: `{new_password}`"
+	))
 	.await?;

 	if logout {
 		self.services
 			.users
 			.all_device_ids(&user_id)
-			.for_each(|device_id| self.services.users.remove_device(&user_id, device_id))
+			.for_each(async |device_id| {
+				self.services
+					.users
+					.remove_device(&user_id, &device_id)
+					.await;
+			})
 			.await;
 		write!(self, "\nAll existing sessions have been logged out.").await?;
 	}
@@ -300,31 +191,6 @@ pub(super) async fn reset_password(
 	Ok(())
 }

-#[admin_command]
-pub(super) async fn issue_password_reset_link(&self, username: String) -> Result {
-	use conduwuit_service::password_reset::{PASSWORD_RESET_PATH, RESET_TOKEN_QUERY_PARAM};
-
-	self.bail_restricted()?;
-
-	let mut reset_url = self
-		.services
-		.config
-		.get_client_domain()
-		.join(PASSWORD_RESET_PATH)
-		.unwrap();
-
-	let user_id = parse_local_user_id(self.services, &username)?;
-	let token = self.services.password_reset.issue_token(user_id).await?;
-	reset_url
-		.query_pairs_mut()
-		.append_pair(RESET_TOKEN_QUERY_PARAM, &token.token);
-
-	self.write_str(&format!("Password reset link issued for {username}: {reset_url}"))
-		.await?;
-
-	Ok(())
-}
-
 #[admin_command]
 pub(super) async fn deactivate_all(&self, no_leave_rooms: bool, force: bool) -> Result {
 	if self.body.len() < 2
@@ -427,6 +293,82 @@ pub(super) async fn deactivate_all(&self, no_leave_rooms: bool, force: bool) ->
 	.await
 }

+#[admin_command]
+pub(super) async fn list_invited_rooms(&self, user_id: String) -> Result {
+	// Validate user id
+	let user_id = parse_local_user_id(self.services, &user_id)?;
+
+	let mut rooms: Vec<((OwnedRoomId, u64, String), Result<OwnedUserId>)> = self
+		.services
+		.rooms
+		.state_cache
+		.rooms_invited(&user_id)
+		.then(async |(room_id, _)| {
+			let sender = self
+				.services
+				.rooms
+				.state_cache
+				.invite_sender(&user_id, &room_id)
+				.await;
+			(get_room_info(self.services, &room_id).await, sender)
+		})
+		.collect()
+		.await;
+
+	if rooms.is_empty() {
+		return Err!("User is not invited to any rooms.");
+	}
+
+	rooms.sort_by_key(|r| r.0.1);
+	rooms.reverse();
+
+	let body = rooms
+		.iter()
+		.map(|((id, members, name), sender)| match sender {
+			| Ok(user_id) =>
+				format!("{id}\tInviter: {user_id}\tMembers: {members}\tName: {name}"),
+			| Err(_) => format!("{id}\tMembers: {members}\tName: {name}"),
+		})
+		.collect::<Vec<_>>()
+		.join("\n");
+
+	self.write_str(&format!("Rooms {user_id} is Invited to ({}):\n```\n{body}\n```", rooms.len()))
+		.await
+}
+
+#[admin_command]
+pub(super) async fn reject_all_invites(&self, user_id: String) -> Result {
+	let user_id = parse_local_user_id(self.services, &user_id)?;
+
+	assert!(
+		self.services.globals.user_is_local(&user_id),
+		"Parsed user_id must be a local user"
+	);
+
+	let fails = self
+		.services
+		.rooms
+		.state_cache
+		.rooms_invited(&user_id)
+		.filter_map(async |(room_id, _)| {
+			match leave_room(self.services, &user_id, &room_id, None).await {
+				| Err(ref e) => {
+					warn!(%user_id, "Failed to leave {room_id}: {e}");
+					Some(())
+				},
+				| Ok(()) => None,
+			}
+		})
+		.count()
+		.await;
+
+	if fails > 0 {
+		return Err!("{fails} invites could not be rejected");
+	}
+
+	self.write_str("Successfully rejected all invites.").await
+}
+
 #[admin_command]
 pub(super) async fn list_joined_rooms(&self, user_id: String) -> Result {
 	// Validate user id
@@ -437,7 +379,7 @@ pub(super) async fn list_joined_rooms(&self, user_id: String) -> Result {
 		.rooms
 		.state_cache
 		.rooms_joined(&user_id)
-		.then(|room_id| get_room_info(self.services, room_id))
+		.then(async |room_id| get_room_info(self.services, &room_id).await)
 		.collect()
 		.await;

@@ -454,7 +396,7 @@ pub(super) async fn list_joined_rooms(&self, user_id: String) -> Result {
 		.collect::<Vec<_>>()
 		.join("\n");

-	self.write_str(&format!("Rooms {user_id} Joined ({}):\n```\n{body}\n```", rooms.len(),))
+	self.write_str(&format!("Rooms {user_id} Joined ({}):\n```\n{body}\n```", rooms.len()))
 		.await
 }

@@ -506,7 +448,7 @@ pub(super) async fn force_join_list_of_local_users(
 		.rooms
 		.state_cache
 		.room_members(&room_id)
-		.ready_any(|user_id| server_admins.contains(&user_id.to_owned()))
+		.ready_any(|user_id| server_admins.contains(&user_id))
 		.await
 	{
 		return Err!("There is not a single server admin in the room.",);
@@ -552,15 +494,12 @@ pub(super) async fn force_join_list_of_local_users(
 	let mut successful_joins: usize = 0;

 	for user_id in user_ids {
-		match join_room_by_id_helper(
-			self.services,
-			&user_id,
-			&room_id,
-			Some(String::from(BULK_JOIN_REASON)),
-			&servers,
-			&None,
-		)
-		.await
+		match self
+			.services
+			.rooms
+			.membership
+			.join_room(&user_id, &room_id, Some(String::from(BULK_JOIN_REASON)), &servers)
+			.await
 		{
 			| Ok(_res) => {
 				successful_joins = successful_joins.saturating_add(1);
@@ -620,7 +559,7 @@ pub(super) async fn force_join_all_local_users(
 		.rooms
 		.state_cache
 		.room_members(&room_id)
-		.ready_any(|user_id| server_admins.contains(&user_id.to_owned()))
+		.ready_any(|user_id| server_admins.contains(&user_id))
 		.await
 	{
 		return Err!("There is not a single server admin in the room.",);
@@ -633,19 +572,15 @@ pub(super) async fn force_join_all_local_users(
 		.services
 		.users
 		.list_local_users()
-		.map(UserId::to_owned)
 		.collect::<Vec<_>>()
 		.await
 	{
-		match join_room_by_id_helper(
-			self.services,
-			user_id,
-			&room_id,
-			Some(String::from(BULK_JOIN_REASON)),
-			&servers,
-			&None,
-		)
-		.await
+		match self
+			.services
+			.rooms
+			.membership
+			.join_room(user_id, &room_id, Some(String::from(BULK_JOIN_REASON)), &servers)
+			.await
 		{
 			| Ok(_res) => {
 				successful_joins = successful_joins.saturating_add(1);
@@ -682,9 +617,13 @@ pub(super) async fn force_join_room(
 		self.services.globals.user_is_local(&user_id),
 		"Parsed user_id must be a local user"
 	);
-	join_room_by_id_helper(self.services, &user_id, &room_id, None, &servers, &None).await?;
+	self.services
+		.rooms
+		.membership
+		.join_room(&user_id, &room_id, None, &servers)
+		.await?;

-	self.write_str(&format!("{user_id} has been joined to {room_id}.",))
+	self.write_str(&format!("{user_id} has been joined to {room_id}."))
 		.await
 }

@@ -716,7 +655,7 @@ pub(super) async fn force_leave_room(
 		.boxed()
 		.await?;

-	self.write_str(&format!("{user_id} has left {room_id}.",))
+	self.write_str(&format!("{user_id} has left {room_id}."))
 		.await
 }

@@ -730,42 +669,34 @@ pub(super) async fn force_demote(&self, user_id: String, room_id: OwnedRoomOrAli
 		"Parsed user_id must be a local user"
 	);

-	let state_lock = self.services.rooms.state.mutex.lock(&room_id).await;
+	let state_lock = self.services.rooms.state.mutex.lock(room_id.as_str()).await;

-	let room_power_levels: Option<RoomPowerLevelsEventContent> = self
+	let mut room_power_levels = self
 		.services
 		.rooms
 		.state_accessor
-		.room_state_get_content(&room_id, &StateEventType::RoomPowerLevels, "")
-		.await
-		.ok();
+		.get_room_power_levels(&room_id)
+		.await;

-	let user_can_demote_self = room_power_levels
-		.as_ref()
-		.is_some_and(|power_levels_content| {
-			RoomPowerLevels::from(power_levels_content.clone())
-				.user_can_change_user_power_level(&user_id, &user_id)
-		}) || self
-		.services
-		.rooms
-		.state_accessor
-		.room_state_get(&room_id, &StateEventType::RoomCreate, "")
-		.await
-		.is_ok_and(|event| event.sender() == user_id);
+	let user_can_demote_self =
+		room_power_levels.user_can_change_user_power_level(&user_id, &user_id);

 	if !user_can_demote_self {
 		return Err!("User is not allowed to modify their own power levels in the room.",);
 	}

-	let mut power_levels_content = room_power_levels.unwrap_or_default();
-	power_levels_content.users.remove(&user_id);
+	room_power_levels.users.remove(&user_id);

 	let event_id = self
 		.services
 		.rooms
 		.timeline
 		.build_and_append_pdu(
-			PduBuilder::state(String::new(), &power_levels_content),
+			PartialPdu::state(
+				String::new(),
+				&RoomPowerLevelsEventContent::try_from(room_power_levels)
+					.expect("PLs should be valid for room version"),
+			),
 			&user_id,
 			Some(&room_id),
 			&state_lock,
@@ -793,7 +724,7 @@ pub(super) async fn make_user_admin(&self, user_id: String) -> Result {
 		.boxed()
 		.await?;

-	self.write_str(&format!("{user_id} has been granted admin privileges.",))
+	self.write_str(&format!("{user_id} has been granted admin privileges."))
 		.await
 }

@@ -811,9 +742,7 @@ pub(super) async fn put_room_tag(
 		.account_data
 		.get_room(&room_id, &user_id, RoomAccountDataEventType::Tag)
 		.await
-		.unwrap_or(TagEvent {
-			content: TagEventContent { tags: BTreeMap::new() },
-		});
+		.unwrap_or_else(|_| TagEvent::new(TagEventContent::new(BTreeMap::new())));

 	tags_event
 		.content
@@ -850,9 +779,7 @@ pub(super) async fn delete_room_tag(
 		.account_data
 		.get_room(&room_id, &user_id, RoomAccountDataEventType::Tag)
 		.await
-		.unwrap_or(TagEvent {
-			content: TagEventContent { tags: BTreeMap::new() },
-		});
+		.unwrap_or_else(|_| TagEvent::new(TagEventContent::new(BTreeMap::new())));

 	tags_event.content.tags.remove(&tag.clone().into());

@@ -882,9 +809,7 @@ pub(super) async fn get_room_tags(&self, user_id: String, room_id: OwnedRoomId)
 		.account_data
 		.get_room(&room_id, &user_id, RoomAccountDataEventType::Tag)
 		.await
-		.unwrap_or(TagEvent {
-			content: TagEventContent { tags: BTreeMap::new() },
-		});
+		.unwrap_or_else(|_| TagEvent::new(TagEventContent::new(BTreeMap::new())));

 	self.write_str(&format!("```\n{:#?}\n```", tags_event.content.tags))
 		.await
@@ -921,19 +846,19 @@ pub(super) async fn redact_event(&self, event_id: OwnedEventId) -> Result {
 			.rooms
 			.state
 			.mutex
-			.lock(&event.room_id_or_hash())
+			.lock(event.room_id_or_hash().as_str())
 			.await;

 		self.services
 			.rooms
 			.timeline
 			.build_and_append_pdu(
-				PduBuilder {
+				PartialPdu {
 					redacts: Some(event.event_id().to_owned()),
-					..PduBuilder::timeline(&RoomRedactionEventContent {
+					..PartialPdu::timeline(&assign!(RoomRedactionEventContent::new_v1(), {
 						redacts: Some(event.event_id().to_owned()),
 						reason: Some(reason),
-					})
+					}))
 				},
 				event.sender(),
 				Some(&event.room_id_or_hash()),
@@ -963,7 +888,7 @@ pub(super) async fn force_leave_remote_room(
 		.resolve_with_servers(
 			&room_id,
 			if let Some(v) = via.clone() {
-				Some(vec![OwnedServerName::parse(v)?])
+				Some(vec![ServerName::parse(v)?])
 			} else {
 				None
 			},
@@ -976,7 +901,7 @@ pub(super) async fn force_leave_remote_room(
 	);
 	let mut vias: HashSet<OwnedServerName> = HashSet::new();
 	if let Some(via) = via {
-		vias.insert(OwnedServerName::parse(via)?);
+		vias.insert(ServerName::parse(via)?);
 	}
 	for server in vias_raw {
 		vias.insert(server);
@@ -1051,7 +976,12 @@ pub(super) async fn logout(&self, user_id: String) -> Result {
 	self.services
 		.users
 		.all_device_ids(&user_id)
-		.for_each(|device_id| self.services.users.remove_device(&user_id, device_id))
+		.for_each(async |device_id| {
+			self.services
+				.users
+				.remove_device(&user_id, &device_id)
+				.await;
+		})
 		.await;
 	self.write_str(&format!("User {user_id} has been logged out from all devices."))
 		.await
@@ -1129,11 +1059,9 @@ pub(super) async fn get_user_by_email(&self, email: String) -> Result {

 	match self.services.threepid.get_localpart_for_email(&email).await {
 		| Some(localpart) => {
-			let user_id = OwnedUserId::parse(format!(
-				"@{localpart}:{}",
-				self.services.globals.server_name()
-			))
-			.unwrap();
+			let user_id =
+				UserId::parse(format!("@{localpart}:{}", self.services.globals.server_name()))
+					.unwrap();

 			self.write_str(&format!("{email} belongs to {user_id}."))
 				.await
--- a/Show More
+++ b/Show More
				`@@ -1 +0,0 @@`
				`Added support for associating email addresses with accounts, requiring email addresses for registration, and resetting passwords via email. Contributed by @ginger`
				`@@ -0,0 +1 @@`
				`The invite recipient's membership event is now included in invite stripped state, which should fix flaky invite display in some clients. Contributed by @ginger`
				`@@ -1 +0,0 @@`
				`Added support for using an admin command to issue self-service password reset links.`
				`@@ -1 +0,0 @@`
				`Stopped left rooms from being unconditionally sent on initial sync, hopefully fixing spurious appearances of left rooms in some clients (and making sync faster as a bonus). Contributed by @ginger`
				`@@ -1 +0,0 @@`
				`Added support for requiring users to accept terms and conditions when registering.`
				`@@ -0,0 +1 @@`
				`Switched from Continuwuity's fork of Ruma back to upstream Ruma. Contributed by @ginger.`
				`@@ -0,0 +1 @@`
				Users may now be forbidden from deactivating their own accounts with the new `allow_deactivation` config option.
				`@@ -0,0 +1 @@`
				`Added support for authenticating clients using the new OAuth 2.0 login API. Contributed by @ginger.`
				`@@ -1 +0,0 @@`
				`Fixed room alias deletion so removing one local alias no longer removes other aliases from room alias listings.`
				`@@ -0,0 +1 @@`
				`Removed support for guest user registration, a little-used and deprecated approach to room previews.`