feat: Enable debug logs in release builds

chore: Regenerate example config
chore: Remove news fragment checkbox from PR template
2026-05-13 22:43:07 +00:00 · 2026-05-04 21:27:34 +01:00 · 2026-05-04 21:14:22 +01:00 · 2026-05-04 20:06:40 +00:00 · 2026-05-04 20:05:26 +00:00 · 2026-05-04 20:05:26 +00:00
341 changed files with 8373 additions and 8916 deletions
@@ -71,7 +71,7 @@ runs:

    - name: Install timelord-cli and git-warp-time
      if: steps.check-binaries.outputs.need-install == 'true'
-      uses: https://github.com/taiki-e/install-action@a2352fc6ce487f030a3aa709482d57823eadfb37 # v2
+      uses: https://github.com/taiki-e/install-action@b5fddbb5361bce8a06fb168c9d403a6cc552b084 # v2
      with:
        tool: git-warp-time,timelord-cli@3.0.1

@@ -45,7 +45,6 @@
  - [ ] I have [tested my contribution][c1t] (or proof-read it for documentation-only changes)
        myself, if applicable. This includes ensuring code compiles.
  - [ ] My commit messages follow the [commit message format][c1cm] and are descriptive.
-  - [ ] I have written a [news fragment][n1] for this PR, if applicable<!--(can be done after hitting open!)-->.

 <!--
 Notes on these requirements:
@@ -79,4 +78,3 @@
 [c1pc]: https://forgejo.ellis.link/continuwuation/continuwuity/src/branch/main/CONTRIBUTING.md#pre-commit-checks
 [c1t]: https://forgejo.ellis.link/continuwuation/continuwuity/src/branch/main/CONTRIBUTING.md#running-tests-locally
 [c1cm]: https://forgejo.ellis.link/continuwuation/continuwuity/src/branch/main/CONTRIBUTING.md#commit-messages
-[n1]: https://towncrier.readthedocs.io/en/stable/tutorial.html#creating-news-fragments
@@ -0,0 +1,56 @@
+name: Auto Labeler
+
+on:
+  pull_request_target:
+    types: [opened, reopened]
+
+permissions:
+  contents: read
+  pull-requests: write
+  issues: write
+
+jobs:
+  auto-label:
+    name: Apply labels based on changed files
+    runs-on: ubuntu-latest
+    steps:
+      - name: Apply PR Labels
+        uses: https://github.com/actions/github-script@3a2844b7e9c422d3c10d287c895573f7108da1b3 # v9
+        with:
+          script: |
+            const allFiles = await github.paginate(github.rest.pulls.listFiles, {
+              owner: context.repo.owner,
+              repo: context.repo.repo,
+              pull_number: context.issue.number,
+            });
+
+            const fileNames = allFiles.map(f => f.filename);
+            const labelsToAdd = new Set();
+
+            for (const file of fileNames) {
+              if (file.startsWith('docs/') || file.startsWith('theme/') || file.endsWith('.md') || file == 'rspress.config.ts') {
+                labelsToAdd.add('Documentation');
+              }
+              if (file.startsWith('.forgejo/')) {
+                labelsToAdd.add('Meta/CI');
+              }
+              if (file.startsWith('pkg/') || file.startsWith('nix/') || file === 'flake.nix' || file === 'flake.lock' || file.startsWith('docker/')) {
+                labelsToAdd.add('Meta/Packaging');
+              }
+              if (file === 'Cargo.lock') {
+                labelsToAdd.add('Dependencies');
+              }
+            }
+
+            if (labelsToAdd.size > 0) {
+              const labelsArray = Array.from(labelsToAdd);
+              console.log('Adding labels:', labelsArray);
+              await github.rest.issues.addLabels({
+                owner: context.repo.owner,
+                repo: context.repo.repo,
+                issue_number: context.issue.number,
+                labels: labelsArray,
+              });
+            } else {
+              console.log('No files changed that require auto-labeling.');
+            }
@@ -92,10 +92,13 @@ jobs:
          BASE_VERSION=$(cargo metadata --no-deps --format-version 1 | jq -r ".packages[] | select(.name == \"conduwuit\").version" | sed 's/[^a-zA-Z0-9.+]/~/g')
          # VERSION is the package version, COMPONENT is used in
          # apt's repository config like a git repo branch
-          if [[ "${{ forge.ref }}" == "refs/tags/"* ]]; then
-            # Use the "stable" component for tagged releases
+          VERSION=$BASE_VERSION
+          if [[ ${{ forge.ref_name }} =~ ^v+[0-9]\.+[0-9]\.+[0-9]$ ]]; then
+            # Use the "stable" component for tagged semver releases
            COMPONENT="stable"
-            VERSION=$BASE_VERSION
+          elif [[ ${{ forge.ref_name }} =~ ^v+[0-9]\.+[0-9]\.+[0-9] ]]; then
+            # Use the "unstable" component for tagged semver pre-releases
+            COMPONENT="unstable"
          else
            # Use the "dev" component for development builds
            SHA=$(echo "${{ forge.sha }}" | cut -c1-7)
@@ -105,7 +105,7 @@ jobs:
            RELEASE_SUFFIX=""
            TAG_NAME="${{ github.ref_name }}"
            # Extract version from tag (remove v prefix if present)
-            TAG_VERSION=$(echo "$TAG_NAME" | sed 's/^v//')
+            TAG_VERSION=$(echo "$TAG_NAME" | sed 's/^v//' | tr '-' '~')

            # Create spec file with tag version
            sed -e "s/^Version:.*$/Version:        $TAG_VERSION/" \
@@ -270,9 +270,13 @@ jobs:

          # Determine the group based on ref type and branch
          if [[ "${{ github.ref }}" == "refs/tags/"* ]]; then
-            GROUP="stable"
            # For tags, extract the tag name for version info
            TAG_NAME="${{ github.ref_name }}"
+            if [[ "$TAG_NAME" == *"-"* ]]; then
+              GROUP="unstable"
+            else
+              GROUP="stable"
+            fi
          elif [ "${{ github.ref_name }}" = "main" ]; then
            GROUP="dev"
          else
@@ -32,7 +32,7 @@ jobs:

      - name: Setup Node.js
        if: steps.runner-env.outputs.node_major == '' || steps.runner-env.outputs.node_major < '20'
-        uses: https://github.com/actions/setup-node@53b83947a5a98c8d113130e565377fae1a50d02f # v6
+        uses: https://github.com/actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6
        with:
          node-version: 22

@@ -24,7 +24,7 @@ jobs:

    steps:
      - name: 📦 Setup Node.js
-        uses: https://github.com/actions/setup-node@53b83947a5a98c8d113130e565377fae1a50d02f # v6
+        uses: https://github.com/actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6
        with:
          node-version: "22"

@@ -9,6 +9,7 @@ on:

 permissions:
  contents: read
+  pull-requests: read

 jobs:
  fast-checks:
@@ -40,10 +41,32 @@ jobs:
          cargo +nightly fmt --all -- --check && \
            echo "✅ Formatting check passed" || \
            exit 1
+  check-changes:
+    name: Check changed files
+    runs-on: ubuntu-latest
+    outputs:
+      rust: ${{ steps.filter.outputs.rust }}
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
+        with:
+          persist-credentials: false
+
+      - name: Check for file changes
+        uses: https://github.com/dorny/paths-filter@fbd0ab8f3e69293af611ebaee6363fc25e6d187d # v4
+        id: filter
+        with:
+          filters: |
+            rust:
+              - '**/*.rs'
+              - '**/Cargo.toml'
+              - '**/Cargo.lock'

  clippy-and-tests:
    name: Clippy and Cargo Tests
    runs-on: ubuntu-latest
+    needs: check-changes
+    if: needs.check-changes.outputs.rust == 'true'

    steps:
      - name: Checkout repository
@@ -199,6 +199,28 @@ jobs:
          registry_user: ${{ vars.BUILTIN_REGISTRY_USER || github.actor }}
          registry_password: ${{ secrets.BUILTIN_REGISTRY_PASSWORD || secrets.GITHUB_TOKEN }}

+  release-binaries:
+    name: "Release Binaries"
+    runs-on: ubuntu-latest
+    needs:
+      - build-release
+      - build-maxperf
+    permissions:
+      contents: write
+    if: startsWith(github.ref, 'refs/tags/')
+    steps:
+      - name: Download binary artifacts
+        uses: forgejo/download-artifact@v4
+        with:
+          pattern: conduwuit*
+          path: binaries
+          merge-multiple: true
+      - name: Create Release and Upload
+        uses: https://github.com/softprops/action-gh-release@v2
+        with:
+          draft: true
+          files: binaries/*
+
  mirror_images:
    name: "Mirror Images"
    runs-on: ubuntu-latest
@@ -43,7 +43,7 @@ jobs:
    name: Renovate
    runs-on: ubuntu-latest
    container:
-      image: ghcr.io/renovatebot/renovate:43.111.0@sha256:da5fcac20c48d9792aac9c61fd234531bfa8df61263a39387cd8920263ca4768
+      image: ghcr.io/renovatebot/renovate:43.140.0@sha256:61303c28b10a491c559529fb6f41745850e4755a43a54c04c3ae6848d6eaf5cc
      options: --tmpfs /tmp:exec
    steps:
      - name: Checkout
@@ -90,12 +90,12 @@ jobs:
          RENOVATE_PLATFORM: forgejo
          RENOVATE_ENDPOINT: ${{ github.server_url }}
          RENOVATE_AUTODISCOVER: 'false'
-          RENOVATE_REPOSITORIES: '["${{ github.repository }}"]'
+          RENOVATE_REPOSITORIES: '["${{ github.repository }}", "continuwuation/resolvematrix"]'

          RENOVATE_GIT_TIMEOUT: 60000

          RENOVATE_REQUIRE_CONFIG: 'required'
-          RENOVATE_ONBOARDING: 'false'
+          # RENOVATE_ONBOARDING: 'false'
          RENOVATE_INHERIT_CONFIG: 'true'

          RENOVATE_GITHUB_TOKEN_WARN: 'false'
@@ -24,7 +24,7 @@ repos:
        - id: check-added-large-files

  - repo: https://github.com/crate-ci/typos
-    rev: v1.45.1
+    rev: v1.46.0
    hooks:
      - id: typos
      - id: typos
@@ -1,3 +1,62 @@
+# Continuwuity 0.5.8 (2026-04-24)
+
+## Features
+
+- LDAP can now optionally be connected to using StartTLS, and you may unsafely skip verification. Contributed by @getz (#1389)
+- Users will now be prevented from removing their email if the server is configured to require an email when registering an account.
+
+## Bugfixes
+
+- Fixed a situation where multiple email addresses could be associated with one user when that user changes their email address.
+
+## Improved Documentation
+
+- Updated config docs to state we support room version 12, and set it as default. Contributed by @ezera. (#1622)
+- Improve instructions for generic deployments, removing unnecessary parts and documenting the new initial registration token flow. Contributed by @stratself (#1677)
+
+
+# Continuwuity v0.5.7 (2026-04-17)
+
+## Features
+
+- Re-added support for reading registration tokens from a file. Contributed by @ginger and @benbot. (#1371)
+- Add new config option to allow or disallow search engine indexing through a `<meta ../>` tag. Defaults to blocking indexing (`content="noindex"`). Contributed by @s1lv3r and @ginger. (#1527)
+- Add new config option for [MSC4439](https://github.com/matrix-org/matrix-spec-proposals/pull/4439)
+  PGP key URIs. Contributed by LogN. (#1609)
+- Added `!admin users reset-push-rules` command to reset the notification settings of users. Contributed by @nex. (#1613)
+- Notification pushers are now automatically removed when their associated device is. Admin commands now exist for manual cleanup too. Contributed by @nex. (#1614)
+- Implemented option to deprioritize servers for room join requests. Contributed by @ezera. (#1624)
+- Added admin commands to get build information and features. Contributed by @Jade (#1629)
+- Added support for associating email addresses with accounts, requiring email addresses for registration, and resetting passwords via email. Contributed by @ginger
+- Added support for requiring users to accept terms and conditions when registering.
+- Added support for using an admin command to issue self-service password reset links.
+
+## Bugfixes
+
+- Fixed corrupted appservice registrations causing the server to enter a crash loop. Contributed by @nex. (#1265)
+- Prevent removing the admin room alias (`#admins`) to avoid accidentally breaking admin room functionality. Contributed by @0xnim (#1448)
+- Stripped `join_authorised_via_users_server` from json if user is already in room (@partha:cxy.run) (#1542)
+- Fixed internal server errors for fetching thumbnails. Contributed by @PerformativeJade (#1572)
+- Fixed error 500 when joining non-existent rooms. Contributed by @ezera. (#1579)
+- Refactored nix package. Breaking, since `all-features` package no longer exists. Continuwuity is now built with jemalloc and liburing by default. Contributed by @Henry-Hiles (QuadRadical). (#1596)
+- Fixed resolving IP of servers that only use SRV delegation. Contributed by @tulir. (#1615)
+- Fixed "Sender must be a local user" error for make_join, make_knock, and make_leave federation routes. Contributed by @nex. (#1623)
+- Fixed restricted joins not being signed when we are being used as an authorising server. Contributed by @nex, reported by [vel](matrix:u/vel:nhjkl.com?action=chat). (#1630)
+- Fixed room alias deletion so removing one local alias no longer removes other aliases from room alias listings.
+- Stopped left rooms from being unconditionally sent on initial sync, hopefully fixing spurious appearances of left rooms in some clients (and making sync faster as a bonus). Contributed by @ginger
+- Correct the response field name for MatrixRTC transports. Contributed by @spaetz
+
+## Improved Documentation
+
+- Added Testing and Troubleshooting instructions for Livekit documentation. Contributed by @stratself. (#1429)
+- Refactored docker docs to include new initial token workflow, and add Caddyfile example. Contributed by @stratself. (#1594)
+- Add DNS tuning guide for Continuwuity. Users are recommended to set up a local caching resolver following the guide's advice. Contributed by @stratself (#1601)
+
+## Misc
+
+- Fixed compiler warning in cf_opts.rs when building in release. Contributed by @ezera. (#1620)
+
+
 # Continuwuity 0.5.6 (2026-03-03)

 ## Security
@@ -12,7 +12,7 @@ license = "Apache-2.0"
 # See also `rust-toolchain.toml`
 readme = "README.md"
 repository = "https://forgejo.ellis.link/continuwuation/continuwuity"
-version = "0.5.7-alpha.2"
+version = "0.5.8"

 [workspace.metadata.crane]
 name = "conduwuit"
@@ -36,10 +36,13 @@ version = "0.3"
 features = ["ffi", "std", "union"]

 [workspace.dependencies.const-str]
-version = "0.7.0"
+version = "1.1.0"

 [workspace.dependencies.ctor]
-version = "0.10.0"
+version = "0.13.0"
+
+[workspace.dependencies.dtor]
+version = "0.13.0"

 [workspace.dependencies.cargo_toml]
 version = "0.22"
@@ -47,9 +50,9 @@ default-features = false
 features = ["features"]

 [workspace.dependencies.toml]
-version = "0.9.5"
+version = "1.1.2"
 default-features = false
-features = ["parse"]
+features = ["parse", "serde"]

 [workspace.dependencies.sanitize-filename]
 version = "0.6.0"
@@ -68,7 +71,7 @@ default-features = false
 version = "0.1.3"

 [workspace.dependencies.rand]
-version = "0.10.0"
+version = "0.10.1"

 # Used for the http request / response body type for Ruma endpoints used with reqwest
 [workspace.dependencies.bytes]
@@ -102,15 +105,18 @@ default-features = false
 features = ["typed-header", "tracing", "cookie"]

 [workspace.dependencies.axum-server]
-version = "0.7.2"
+version = "0.8.0"
 default-features = false

 # to listen on both HTTP and HTTPS if listening on TLS dierctly from conduwuit for complement or sytest
 [workspace.dependencies.axum-server-dual-protocol]
-version = "0.7"
+# version = "0.7"
+git = "https://github.com/vinchona/axum-server-dual-protocol.git"
+rev = "ca6db055254255b74238673ce4135698e347d71c" # feat!: bump axum_server to 0.8.0
+default-features = false

 [workspace.dependencies.axum-client-ip]
-version = "0.7"
+version = "1.3"

 [workspace.dependencies.tower]
 version = "0.5.2"
@@ -134,13 +140,12 @@ features = [
 [workspace.dependencies.rustls]
 version = "0.23.25"
 default-features = false
-features = ["aws_lc_rs"]

 [workspace.dependencies.reqwest]
-version = "0.12.15"
+version = "0.13.2"
 default-features = false
 features = [
-    "rustls-tls-native-roots",
+    "rustls-no-provider",
    "socks",
    "hickory-dns",
    "http2",
@@ -159,7 +164,7 @@ features = ["raw_value"]

 # Used for appservice registration files
 [workspace.dependencies.serde-saphyr]
-version = "0.0.23"
+version = "0.0.25"

 # Used to load forbidden room/user regex from config
 [workspace.dependencies.serde_regex]
@@ -167,7 +172,7 @@ version = "1.1.0"

 # Used for ruma wrapper
 [workspace.dependencies.serde_html_form]
-version = "0.2.6"
+version = "0.4.0"

 # Used for password hashing
 [workspace.dependencies.argon2]
@@ -251,7 +256,7 @@ features = [
 ]

 [workspace.dependencies.tokio-metrics]
-version = "0.4.0"
+version = "0.5.0"

 [workspace.dependencies.libloading]
 version = "0.9.0"
@@ -340,51 +345,50 @@ version = "0.1.88"
 [workspace.dependencies.lru-cache]
 version = "0.1.2"

+[workspace.dependencies.assign]
+version = "1.1.1"
+
 # Used for matrix spec type definitions and helpers
 [workspace.dependencies.ruma]
-git = "https://forgejo.ellis.link/continuwuation/ruwuma"
-#branch = "conduwuit-changes"
-rev = "d00b51a8669b21689c4eb47fb81f3a8b27c3e371"
+# version = "0.14.1"
+git = "https://github.com/ruma/ruma.git"
+rev = "5742fec0021b85fedbf5cd1f59c50a00bb5b9f7c"
 features = [
-    "compat",
-    "rand",
    "appservice-api-c",
    "client-api",
    "federation-api",
-    "markdown",
    "push-gateway-api-c",
-    "unstable-exhaustive-types",
+    "state-res",
+    "rand",
+    "markdown",
    "ring-compat",
    "compat-upload-signatures",
-    "identifiers-validation",
-    "unstable-unspecified",
+    "compat-optional-txn-pdus",
    "unstable-msc2448",
    "unstable-msc2666",
    "unstable-msc2867",
    "unstable-msc2870",
-    "unstable-msc3026",
    "unstable-msc3061",
    "unstable-msc3814",
    "unstable-msc3245",
-    "unstable-msc3266",
-    "unstable-msc3381", # polls
-    "unstable-msc3489", # beacon / live location
-    "unstable-msc3575",
-    "unstable-msc3930", # polls push rules
+    "unstable-msc3381",
+    "unstable-msc3489",
+    "unstable-msc3930",
    "unstable-msc4075",
    "unstable-msc4095",
    "unstable-msc4121",
    "unstable-msc4125",
-    "unstable-msc4155",
    "unstable-msc4186",
-    "unstable-msc4203", # sending to-device events to appservices
-    "unstable-msc4210", # remove legacy mentions
+    "unstable-msc4195",
+    "unstable-msc4203",
+    "unstable-msc4310",
+    "unstable-msc4373",
+    "unstable-msc4380",
+    "unstable-msc4143",
+    "unstable-msc4293",
+    "unstable-msc4406",
+    "unstable-msc4439",
    "unstable-extensible-events",
-    "unstable-pdu",
-    "unstable-msc4155",
-    "unstable-msc4143", # livekit well_known response
-    "unstable-msc4284",
-    "unstable-msc4439", # pgp_key in .well_known/matrix/support
 ]

 [workspace.dependencies.rust-rocksdb]
@@ -429,14 +433,13 @@ features = ["http", "grpc-tonic", "trace", "logs", "metrics"]

 # optional sentry metrics for crash/panic reporting
 [workspace.dependencies.sentry]
-version = "0.46.0"
+version = "0.48.0"
 default-features = false
 features = [
    "backtrace",
    "contexts",
    "debug-images",
    "panic",
-    "rustls",
    "tower",
    "tower-http",
    "tracing",
@@ -445,9 +448,9 @@ features = [
 ]

 [workspace.dependencies.sentry-tracing]
-version = "0.46.0"
+version = "0.48.0"
 [workspace.dependencies.sentry-tower]
-version = "0.46.0"
+version = "0.48.0"

 # jemalloc usage
 [workspace.dependencies.tikv-jemalloc-sys]
@@ -546,21 +549,16 @@ features = ["std"]
 [workspace.dependencies.maplit]
 version = "1.0.2"

-[workspace.dependencies.ldap3]
-version = "0.12.0"
-default-features = false
-features = ["sync", "tls-rustls", "rustls-provider"]
-
 [workspace.dependencies.yansi]
 version = "1.0.1"

 [workspace.dependencies.askama]
-version = "0.15.0"
+version = "0.16.0"

 [workspace.dependencies.lettre]
 version = "0.11.19"
 default-features = false
-features = ["smtp-transport", "pool", "hostname", "builder", "rustls", "rustls-native-certs", "tokio1", "ring", "tokio1-rustls", "tracing", "serde"]
+features = ["smtp-transport", "pool", "hostname", "builder", "rustls", "rustls-native-certs", "tokio1", "rustls-no-provider", "tokio1-rustls", "tracing", "serde"]

 [workspace.dependencies.governor]
 version = "0.10.4"
@@ -657,6 +655,10 @@ default-features = false
 package = "conduwuit"
 path = "src/main"

+[workspace.dependencies.ruminuwuity]
+package = "ruminuwuity"
+path = "src/ruminuwuity"
+
 ###############################################################################
 #
 # Release profiles
@@ -1 +0,0 @@
-Added support for associating email addresses with accounts, requiring email addresses for registration, and resetting passwords via email. Contributed by @ginger
@@ -0,0 +1 @@
+The invite recipient's membership event is now included in invite stripped state, which should fix flaky invite display in some clients. Contributed by @ginger
@@ -1 +0,0 @@
-Added support for using an admin command to issue self-service password reset links.
@@ -1 +0,0 @@
-Stopped left rooms from being unconditionally sent on initial sync, hopefully fixing spurious appearances of left rooms in some clients (and making sync faster as a bonus). Contributed by @ginger
@@ -1 +0,0 @@
-Added support for requiring users to accept terms and conditions when registering.
@@ -0,0 +1 @@
+Switched from Continuwuity's fork of Ruma back to upstream Ruma. Contributed by @ginger.
@@ -1 +0,0 @@
-Fixed room alias deletion so removing one local alias no longer removes other aliases from room alias listings.
@@ -1 +0,0 @@
-Fixed corrupted appservice registrations causing the server to enter a crash loop. Contributed by @nex.
@@ -1 +0,0 @@
-Re-added support for reading registration tokens from a file. Contributed by @ginger and @benbot.
@@ -1 +0,0 @@
-Added Testing and Troubleshooting instructions for Livekit documentation. Contributed by @stratself.
@@ -1 +0,0 @@
-Prevent removing the admin room alias (`#admins`) to avoid accidentally breaking admin room functionality. Contributed by @0xnim
@@ -1 +0,0 @@
-Add new config option to allow or disallow search engine indexing through a `<meta ../>` tag. Defaults to blocking indexing (`content="noindex"`). Contributed by @s1lv3r and @ginger.
@@ -1 +0,0 @@
-Stripped `join_authorised_via_users_server` from json if user is already in room (@partha:cxy.run)
@@ -1 +0,0 @@
-Fixed internal server errors for fetching thumbnails. Contributed by @PerformativeJade
@@ -1 +0,0 @@
-Fixed error 500 when joining non-existent rooms. Contributed by @ezera.
@@ -1 +0,0 @@
-Refactored docker docs to include new initial token workflow, and add Caddyfile example. Contributed by @stratself.
@@ -1 +0,0 @@
-Refactored nix package. Breaking, since `all-features` package no longer exists. Continuwuity is now built with jemalloc and liburing by default. Contributed by @Henry-Hiles (QuadRadical).
@@ -1 +0,0 @@
-Add DNS tuning guide for Continuwuity. Users are recommended to set up a local caching resolver following the guide's advice. Contributed by @stratself
@@ -1,2 +0,0 @@
-Add new config option for [MSC4439](https://github.com/matrix-org/matrix-spec-proposals/pull/4439)
-PGP key URIs. Contributed by LogN.
@@ -1 +0,0 @@
-Added `!admin users reset-push-rules` command to reset the notification settings of users. Contributed by @nex.
@@ -1 +0,0 @@
-Notification pushers are now automatically removed when their associated device is. Admin commands now exist for manual cleanup too. Contributed by @nex.
@@ -1 +0,0 @@
-Fixed resolving IP of servers that only use SRV delegation. Contributed by @tulir.
@@ -1 +0,0 @@
-Fixed compiler warning in cf_opts.rs when building in release. Contributed by @ezera.
@@ -1 +0,0 @@
-Fixed "Sender must be a local user" error for make_join, make_knock, and make_leave federation routes. Contributed by @nex.
@@ -1 +0,0 @@
-Implemented option to deprioritize servers for room join requests. Contributed by @ezera.
@@ -1 +0,0 @@
-Added admin commands to get build information and features. Contributed by @Jade
@@ -1 +0,0 @@
-Fixed restricted joins not being signed when we are being used as an authorising server. Contributed by @nex, reported by [vel](matrix:u/vel:nhjkl.com?action=chat).
@@ -0,0 +1 @@
+Explain accessing Continuwuity's server console when deployed via Docker.
@@ -0,0 +1 @@
+Removed support for LDAP.
@@ -0,0 +1 @@
+Clarified in the config that `max_request_size` affects federated media as well.
@@ -0,0 +1 @@
+Added support for fallback encryption keys.
@@ -0,0 +1 @@
+Fixed a bug that caused the server to drop events during processing if several events for the same room were sent in a singular transaction. Contributed by @nex.
@@ -291,6 +291,7 @@
 #ip_lookup_strategy = 5

 # Max request size for file uploads in bytes. Defaults to 20MB.
+# Also limits incoming federated media.
 #
 #max_request_size = 20971520

@@ -573,18 +574,6 @@
 #
 #allow_public_room_directory_over_federation = false

-# Allow guests/unauthenticated users to access TURN credentials.
-#
-# This is the equivalent of Synapse's `turn_allow_guests` config option.
-# This allows any unauthenticated user to call the endpoint
-# `/_matrix/client/v3/voip/turnServer`.
-#
-# It is unlikely you need to enable this as all major clients support
-# authentication for this endpoint and prevents misuse of your TURN server
-# from potential bots.
-#
-#turn_allow_guests = false
-
 # Set this to true to lock down your server's public room directory and
 # only allow admins to publish rooms to the room directory. Unpublishing
 # is still allowed by all users with this enabled.
@@ -619,7 +608,7 @@
 # Set to false to disable users from joining or creating room versions
 # that aren't officially supported by continuwuity.
 #
-# continuwuity officially supports room versions 6 - 11.
+# continuwuity officially supports room versions 6 - 12.
 #
 # continuwuity has slightly experimental (though works fine in practice)
 # support for versions 3 - 5.
@@ -631,9 +620,9 @@
 # rather than an integer. Forgetting the quotes will make the server fail
 # to start!
 #
-# Per spec, room version "11" is the default.
+# Per spec, room version "12" is the default.
 #
-#default_room_version = "11"
+#default_room_version = "12"

 # Enable OpenTelemetry OTLP tracing export. This replaces the deprecated
 # Jaeger exporter. Traces will be sent via OTLP to a collector (such as
@@ -1945,94 +1934,6 @@
 #
 #foci = []

-[global.ldap]
-
-# Whether to enable LDAP login.
-#
-# example: "true"
-#
-#enable = false
-
-# Whether to force LDAP authentication or authorize classical password
-# login.
-#
-# example: "true"
-#
-#ldap_only = false
-
-# URI of the LDAP server.
-#
-# example: "ldap://ldap.example.com:389"
-#
-#uri = ""
-
-# Root of the searches.
-#
-# example: "ou=users,dc=example,dc=org"
-#
-#base_dn = ""
-
-# Bind DN if anonymous search is not enabled.
-#
-# You can use the variable `{username}` that will be replaced by the
-# entered username. In such case, the password used to bind will be the
-# one provided for the login and not the one given by
-# `bind_password_file`. Beware: automatically granting admin rights will
-# not work if you use this direct bind instead of a LDAP search.
-#
-# example: "cn=ldap-reader,dc=example,dc=org" or
-# "cn={username},ou=users,dc=example,dc=org"
-#
-#bind_dn = ""
-
-# Path to a file on the system that contains the password for the
-# `bind_dn`.
-#
-# The server must be able to access the file, and it must not be empty.
-#
-#bind_password_file = ""
-
-# Search filter to limit user searches.
-#
-# You can use the variable `{username}` that will be replaced by the
-# entered username for more complex filters.
-#
-# example: "(&(objectClass=person)(memberOf=matrix))"
-#
-#filter = "(objectClass=*)"
-
-# Attribute to use to uniquely identify the user.
-#
-# example: "uid" or "cn"
-#
-#uid_attribute = "uid"
-
-# Attribute containing the display name of the user.
-#
-# example: "givenName" or "sn"
-#
-#name_attribute = "givenName"
-
-# Root of the searches for admin users.
-#
-# Defaults to `base_dn` if empty.
-#
-# example: "ou=admins,dc=example,dc=org"
-#
-#admin_base_dn = ""
-
-# The LDAP search filter to find administrative users for continuwuity.
-#
-# If left blank, administrative state must be configured manually for each
-# user.
-#
-# You can use the variable `{username}` that will be replaced by the
-# entered username for more complex filters.
-#
-# example: "(objectClass=conduwuitAdmin)" or "(uid={username})"
-#
-#admin_filter = ""
-
 #[global.antispam]

 #[global.antispam.meowlnir]
@@ -2104,6 +2005,9 @@
 # Whether to require that users provide an email address when they
 # register.
 #
+# If either this option or `require_email_for_token_registration` are set,
+# users will not be allowed to remove their email address.
+#
 #require_email_for_registration = false

 # Whether to require that users who register with a registration token
@@ -17,12 +17,14 @@ ARG LLVM_VERSION=21
 # Line one: compiler tools
 # Line two: curl, for downloading binaries and wget because llvm.sh is broken with curl
 # Line three: for xx-verify
+# golang, cmake: For aws-lc-rs bindgen
 RUN --mount=type=cache,target=/var/cache/apt,sharing=locked \
    --mount=type=cache,target=/var/lib/apt,sharing=locked \
    apt-get update && apt-get install -y \
    pkg-config make jq \
    wget curl git software-properties-common \
    file
+    # golang cmake

 # LLVM packages
 RUN --mount=type=cache,target=/var/cache/apt,sharing=locked \
@@ -48,7 +50,7 @@ EOF

 # Developer tool versions
 # renovate: datasource=github-releases depName=cargo-bins/cargo-binstall
-ENV BINSTALL_VERSION=1.18.1
+ENV BINSTALL_VERSION=1.19.0
 # renovate: datasource=github-releases depName=psastras/sbom-rs
 ENV CARGO_SBOM_VERSION=0.9.1
 # renovate: datasource=crate depName=lddtree
@@ -162,7 +164,7 @@ ENV CONDUWUIT_VERSION_EXTRA=$CONDUWUIT_VERSION_EXTRA
 ENV CONTINUWUITY_VERSION_EXTRA=$CONTINUWUITY_VERSION_EXTRA

 ARG RUST_PROFILE=release
-ARG CARGO_FEATURES="default,http3"
+ARG CARGO_FEATURES="default"

 # Build the binary
 RUN --mount=type=cache,target=/usr/local/cargo/registry \
@@ -18,7 +18,7 @@ RUN --mount=type=cache,target=/etc/apk/cache apk add \

 # Developer tool versions
 # renovate: datasource=github-releases depName=cargo-bins/cargo-binstall
-ENV BINSTALL_VERSION=1.18.1
+ENV BINSTALL_VERSION=1.19.0
 # renovate: datasource=github-releases depName=psastras/sbom-rs
 ENV CARGO_SBOM_VERSION=0.9.1
 # renovate: datasource=crate depName=lddtree
@@ -50,8 +50,6 @@ # Defaults to members of the admin room if unset
      # CONTINUWUITY_WELL_KNOWN__SERVER: matrix.example.com:443
 ```

-## Reverse proxying well-known files to Continuwuity
-
 After doing the steps above, Continuwuity will serve these 3 JSON files:

 - `/.well-known/matrix/client`: for Client-Server discovery
@@ -60,9 +58,11 @@ ## Reverse proxying well-known files to Continuwuity

 To enable full discovery, you will need to reverse proxy these paths from the base domain back to Continuwuity.

+## Reverse proxying well-known files to Continuwuity
+
 <details>

-<summary>For Caddy</summary>
+<summary>For **Caddy**</summary>

 ```
 matrix.example.com:443 {
@@ -78,7 +78,7 @@ ## Reverse proxying well-known files to Continuwuity

 <details>

-<summary>For Traefik (via Docker labels)</summary>
+<summary>For **Traefik** (via Docker labels)</summary>

 ```
 services:
@@ -93,7 +93,10 @@ ## Reverse proxying well-known files to Continuwuity

 </details>

-Restart Continuwuity and your reverse proxy. Once that's done, visit these routes and check that the responses match the examples below:
+
+For **Docker** users, consult the compose files in the [Appendix section](#docker-compose-examples).
+
+After applying these changes, restart Continuwuity and your reverse proxy.Visit these routes and check that the responses match the examples below:

 <details open>

@@ -253,3 +256,45 @@ ## Related Documentation
 - [Server-to-Server resolution](https://spec.matrix.org/v1.17/server-server-api/#resolving-server-names) (see this for more information on SRV records)
 - [Client-to-Server resolution](https://spec.matrix.org/v1.17/client-server-api/#server-discovery)
 - [MSC1929: Homeserver Admin Contact and Support page](https://github.com/matrix-org/matrix-spec-proposals/pull/1929)
+
+## Appendix
+
+### Docker Compose examples
+
+The following Compose files are taken from [Docker instructions](../deploying/docker.mdx) and reconfigured to support split-domain delegation. Note the updated `CONTINUWUITY_WELL_KNOWN` variable and relevant changes in reverse proxy rules.
+
+<details>
+<summary>Caddy (using Caddyfile) - delegated.docker-compose.with-caddy.yml ([view raw](/advanced/delegated.docker-compose.with-caddy.yml))</summary>
+
+```yaml file="../public/advanced/delegated.docker-compose.with-caddy.yml"
+
+```
+
+</details>
+
+<details>
+<summary>Caddy (using labels) - delegated.docker-compose.with-caddy-labels.yml ([view raw](/advanced/delegated.docker-compose.with-caddy-labels.yml))</summary>
+
+```yaml file="../public/advanced/delegated.docker-compose.with-caddy-labels.yml"
+
+```
+
+</details>
+
+<details>
+<summary>Traefik (for existing setup) - delegated.docker-compose.for-traefik.yml ([view raw](/advanced/delegated.docker-compose.for-traefik.yml))</summary>
+
+```yaml file="../public/advanced/delegated.docker-compose.for-traefik.yml"
+
+```
+
+</details>
+
+<details>
+<summary>Traefik included - delegated.docker-compose.with-traefik.yml ([view raw](/advanced/delegated.docker-compose.with-traefik.yml))</summary>
+
+```yaml file="../public/advanced/delegated.docker-compose.with-traefik.yml"
+
+```
+
+</details>
@@ -91,7 +91,7 @@ ### 3. Telling clients where to find LiveKit

 To tell clients where to find LiveKit, you need to add the address of your `lk-jwt-service` to the `[global.matrix_rtc]` config section using the `foci` option.

-The variable should be a list of servers serving as MatrixRTC endpoints. Clients discover these via the `/_matrix/client/v1/rtc/transports` endpoint (MSC4143).
+The variable should be a list of servers serving as MatrixRTC endpoints. Replace the URL with the address you are deploying your instance of lk-jwt-service to:

 ```toml
 [global.matrix_rtc]
@@ -100,7 +100,10 @@ ### 3. Telling clients where to find LiveKit
 ]
 ```

-Remember to replace the URL with the address you are deploying your instance of lk-jwt-service to.
+This will expose LiveKit information on the following endpoints for clients to discover:
+
+- `/_matrix/client/unstable/org.matrix.msc4143/rtc/transports` (MSC4143 unstable, behind auth)
+- `/.well-known/matrix/client` (fallback, not behind auth. Only enabled if `[global.well_known].client` is set)

 ### 4. Configure your Reverse Proxy

@@ -114,6 +117,7 @@ ### 4. Configure your Reverse Proxy

 <details>
    <summary>Example caddy config</summary>
+
    ```
    livekit.example.com {

@@ -127,10 +131,12 @@ ### 4. Configure your Reverse Proxy
        reverse_proxy 127.0.0.1:7880
    }
    ```
+
 </details>

 <details>
    <summary>Example nginx config</summary>
+
    ```
    server {
        server_name livekit.example.com;
@@ -167,16 +173,19 @@ ### 4. Configure your Reverse Proxy
        ''      close;
    }
    ```
+
 </details>

 <details>
    <summary>Example traefik router</summary>
+
    ```
    # on LiveKit itself
    traefik.http.routers.livekit.rule=Host(`livekit.example.com`)
    # on the JWT service
    traefik.http.routers.livekit-jwt.rule=Host(`livekit.example.com`) && (PathPrefix(`/sfu/get`) || PathPrefix(`/healthz`) || PathPrefix(`/get_token`))
    ```
+
 </details>


@@ -210,7 +219,7 @@ ### add these to livekit's docker-compose ###
 ### if you're using `network_mode: host`, you can skip this part
 ```

-Recreate the LiveKit container (with `docker-compose up -d livekit`) to apply these changes. Remember to allow the new `3478/udp` and `50100:50200/udp` ports through your firewall.
+Recreate the LiveKit container (with `docker-compose up -d livekit`) to apply these changes. Remember to allow the new `3478/udp` and `50300:50400/udp` ports through your firewall.

 ### Integration with an external TURN server

@@ -257,11 +266,25 @@ ## Testing

 First, you will need an access token for your current login session. These can be found in your client's settings or obtained via [this website](https://timedout.uk/mxtoken.html).

-Then, using that token, request another OpenID token for use with the lk-jwt-service:
+Then, using that token, fetch the discovery endpoints for MatrixRTC services

 ```bash
-~$ curl -X POST -H "Authorization: Bearer <session-access-token>" \
+curl -X POST -H "Authorization: Bearer <session-access-token>" \
+  https://matrix.example.com/_matrix/client/unstable/org.matrix.msc4143/rtc/transports
+```
+
+In the output, you should see the LiveKit URL matching the one [configured above](#3-telling-clients-where-to-find-livekit).
+
+With the same token, request another OpenID token for use with the lk-jwt-service:
+
+```bash
+curl -X POST -H "Authorization: Bearer <session-access-token>" \
  https://matrix.example.com/_matrix/client/v3/user/@user:example.com/openid/request_token
+```
+
+You will see a response as below:
+
+```json
 {"access_token":"<openid_access_token>","token_type":"Bearer","matrix_server_name":"example.com","expires_in":3600}
 ```

@@ -296,10 +319,15 @@ ## Testing

 ```bash
 ~$ curl -X POST -d @payload.json https://livekit.example.com/get_token
+```
+
+The lk-jwt-service will, after checking against Continuwuity, answer with a `jwt` token to create a LiveKit media room:
+
+```json
 {"url":"wss://livekit.example.com","jwt":"a_really_really_long_string"}
 ```

-The lk-jwt-service will, after checking against Continuwuity, answer with a `jwt` token to create a LiveKit media room. Use this token to test at the [LiveKit Connection Tester](https://livekit.io/connection-test). If everything works there, then you have set up LiveKit successfully!
+Use this token to test at the [LiveKit Connection Tester](https://livekit.io/connection-test). If everything works there, then you have set up LiveKit successfully!

 ## Troubleshooting

@@ -363,8 +391,8 @@ ## Related Documentation

 Specifications:

- [MatrixRTC proposal](https://github.com/matrix-org/matrix-spec-proposals/pull/4143)
- [LiveKit proposal](https://github.com/matrix-org/matrix-spec-proposals/pull/4195)
+- [MSC4143 - MatrixRTC proposal](https://github.com/matrix-org/matrix-spec-proposals/pull/4143)
+- [MSC4195 - LiveKit proposal](https://github.com/matrix-org/matrix-spec-proposals/pull/4195)

 Source code:

@@ -34,6 +34,11 @@
        "name": "kubernetes",
        "label": "Kubernetes"
    },
+    {
+        "type": "file",
+        "name": "nomad",
+        "label": "Nomad"
+    },
    {
        "type": "file",
        "name": "freebsd",
@@ -148,7 +148,7 @@ #### For other reverse proxies

 </details>

-You will then need to point your reverse proxy towards Continuwuity at `127.0.0.1:8008`. See the [Other reverse proxies](generic.mdx#setting-up-the-reverse-proxy) section of the Generic page for further routing details.
+See the [Other reverse proxies](generic.mdx#setting-up-the-reverse-proxy) section of the Generic page for further routing details.

 ### Starting Your Server

@@ -243,9 +243,30 @@ ### (Optional) Building Custom Images
 [Building Docker Images](../development/index.mdx#building-docker-images)
 section in the development documentation.

+### Accessing the Server's Console
+
+Before you can access the server's console and [send admin commands](../reference/admin/index.md) from the CLI, you will need to make the container interactive and allocate a pseudo-tty. Make sure you set `admin_console_automatic` to `true` in [the config](../reference/config.mdx) as well for Continuwuity to activate the CLI on startup.
+
+For Docker Compose deployments this means adding `stdin_open: true` and `tty: true` to the container's declaration:
+
+```yaml
+services:
+    homeserver:
+        stdin_open: true
+        tty: true
+        # ...
+```
+
+If you choose to deploy via `docker run`, add the flags `-i`/`--interactive` and `-t`/`--tty` to the command.
+
+From there you can access the server's console by running `docker attach <container-name>`, which will show the server's prompt `uwu> `. To exit `docker attach`, press `CTRL+p` then `CTRL+q`.
+
+Note that using `CTRL+c` within `docker attach`'s context will forward the signal to the server, stopping it. See [Docker's reference][docker-attach-reference] for more information.
+
+[docker-attach-reference]: https://docs.docker.com/reference/cli/docker/container/attach/
+
 ## Next steps

 - For smooth federation, set up a caching resolver according to the [**DNS tuning guide**](../advanced/dns.mdx) (recommended)
 - To set up Audio/Video communication, see the [**Calls**](../calls.mdx) page.
- If you want to set up an appservice, take a look at the [**Appservice
-Guide**](../appservices.mdx).
+- If you want to set up an appservice, take a look at the [**Appservice Guide**](../appservices.mdx).
@@ -1,10 +1,12 @@
 # Generic deployment documentation

-> ### Getting help
->
-> If you run into any problems while setting up Continuwuity, ask us in
-> `#continuwuity:continuwuity.org` or [open an issue on
-> Forgejo](https://forgejo.ellis.link/continuwuation/continuwuity/issues/new).
+:::tip Getting help
+If you run into any problems while setting up Continuwuity, ask us in
+`#continuwuity:continuwuity.org` or [open an issue on
+Forgejo][forgejo-new-issue].
+:::
+
+[forgejo-new-issue]: https://forgejo.ellis.link/continuwuation/continuwuity/issues/new

 ## Installing Continuwuity

@@ -15,17 +17,16 @@ ### Prebuilt binary

 Prebuilt binaries are available from:

- **Tagged releases**: [Latest release page](https://forgejo.ellis.link/continuwuation/continuwuity/releases/latest)
- **Development builds**: CI artifacts from the `main` branch
-  (includes Debian/Ubuntu packages)
-
-When browsing CI artifacts, `ci-bins` contains binaries organised
-by commit hash, while `releases` contains tagged versions. Sort
-by last modified date to find the most recent builds.
+- **Tagged releases**: [see Release page][release-page]
+- **Development builds**: CI artifacts from the `main` branch,
+  [see `release-image.yml` for details][release-image]

 The binaries require jemalloc and io_uring on the host system. Currently
 we can't cross-build static binaries - contributions are welcome here.

+[release-page]: https://forgejo.ellis.link/continuwuation/continuwuity/releases/
+[release-image]: https://forgejo.ellis.link/continuwuation/continuwuity/actions/?workflow=release-image.yml
+
 #### Performance-optimised builds

 For x86_64 systems with CPUs from the last ~15 years, use the
@@ -38,11 +39,12 @@ #### Performance-optimised builds
 If you're using Docker instead, equivalent performance-optimised
 images are available with the `-maxperf` suffix (e.g.
 `forgejo.ellis.link/continuwuation/continuwuity:latest-maxperf`).
-These images use the `release-max-perf`
-build profile with
-[link-time optimisation (LTO)](https://doc.rust-lang.org/cargo/reference/profiles.html#lto)
+These images use the `release-max-perf` build profile with
+[link-time optimisation (LTO)][lto-rust-docs]
 and, for amd64, target the haswell CPU architecture.

+[lto-rust-docs]: https://doc.rust-lang.org/cargo/reference/profiles.html#lto
+
 ### Nix

 Theres a Nix package defined in our flake, available for Linux and MacOS. Add continuwuity as an input to your flake, and use `inputs.continuwuity.packages.${system}.default` to get a working Continuwuity package.
@@ -55,7 +57,8 @@ ### Compiling

 #### Using Docker

-If you would like to build using docker, you can run the command `docker build -f ./docker/Dockerfile -t forgejo.ellis.link/continuwuation/continuwuity:main .` to compile continuwuity.
+See the [Building Docker Images](../development/index.mdx#building-docker-images)
+section in the development documentation.

 #### Manual

@@ -69,7 +72,7 @@ ##### Dependencies

 ##### Build

-You can build Continuwuity using `cargo build --release`.
+You can now build Continuwuity using `cargo build --release`.

 Continuwuity supports various optional features that can be enabled during compilation. Please see the Cargo.toml file for a comprehensive list, or ask in our rooms.

@@ -91,27 +94,6 @@ ## Adding a Continuwuity user
 sudo useradd -r --shell /usr/bin/nologin --no-create-home continuwuity
 ```

-## Forwarding ports in the firewall or the router
-
-Matrix's default federation port is 8448, and clients must use port 443.
-If you would like to use only port 443 or a different port, you will need to set up
-delegation. Continuwuity has configuration options for delegation, or you can configure
-your reverse proxy to manually serve the necessary JSON files for delegation
-(see the `[global.well_known]` config section).
-
-If Continuwuity runs behind a router or in a container and has a different public
-IP address than the host system, you need to forward these public ports directly
-or indirectly to the port mentioned in the configuration.
-
-Note for NAT users: if you have trouble connecting to your server from inside
-your network, check if your router supports "NAT
-hairpinning" or "NAT loopback".
-
-If your router does not support this feature, you need to research doing local
-DNS overrides and force your Matrix DNS records to use your local IP internally.
-This can be done at the host level using `/etc/hosts`. If you need this to be
-on the network level, consider something like NextDNS or Pi-Hole.
-
 ## Setting up a systemd service

 You can find an example unit for continuwuity below.
@@ -123,7 +105,7 @@ ## Setting up a systemd service
 `/etc/rsyslog.conf` to allow color in logs.

 If you are using a different `database_path` than the systemd unit's
-configured default `/var/lib/conduwuit`, you need to add your path to the
+configured default (`/var/lib/conduwuit`), you need to add your path to the
 systemd unit's `ReadWritePaths=`. You can do this by either directly editing
 `conduwuit.service` and reloading systemd, or by running `systemctl edit conduwuit.service`
 and entering the following:
@@ -144,7 +126,9 @@ ### Example systemd Unit File

 </details>

-You can also [view the file on Foregejo](https://forgejo.ellis.link/continuwuation/continuwuity/src/branch/main/pkg/conduwuit.service).
+You can also [view the file on Foregejo][systemd-file].
+
+[systemd-file]: https://forgejo.ellis.link/continuwuation/continuwuity/src/branch/main/pkg/conduwuit.service

 ## Creating the Continuwuity configuration file

@@ -155,9 +139,7 @@ ## Creating the Continuwuity configuration file
 **Please take a moment to read the config. You need to change at least the
 server name.**

-RocksDB is the only supported database backend.
-
-## Setting the correct file permissions
+### Setting the correct file permissions

 If you are using a dedicated user for Continuwuity, you need to allow it to
 read the configuration. To do this, run:
@@ -175,22 +157,29 @@ ## Setting the correct file permissions
 sudo chmod 700 /var/lib/conduwuit/
 ```

-## Setting up the Reverse Proxy
+## Exposing ports in the firewall or the router

-We recommend Caddy as a reverse proxy because it is trivial to use and handles TLS certificates, reverse proxy headers, etc. transparently with proper defaults.
-For other software, please refer to their respective documentation or online guides.
+Matrix's default federation port is **:8448**, and clients use port **:443**. You will need to
+expose these ports on your firewall or router. If you use UFW, the commands to allow them
+are: `ufw allow 8448/tcp` and `ufw allow 443/tcp`.
+
+:::tip Alternative port/domain setups
+If you would like to use only port 443, a different port, or a subdomain for the homeserver, you will need to set up `.well-known` delegation. Consult the `[global.well_known]` section of the config file, and the [**Delegation/Split-domain**](../advanced/delegation) page to learn more about these kinds of deployments.
+:::
+
+## Setting up the Reverse Proxy

 ### Caddy

-After installing Caddy via your preferred method, create `/etc/caddy/conf.d/conduwuit_caddyfile`
-and enter the following (substitute your actual server name):
+Caddy is the recommended reverse proxy as it is easy to use, has good defaults,
+and handle TLS certificates automatically. After installing Caddy via your preferred
+method, create `/etc/caddy/conf.d/conduwuit_caddyfile` and enter the following
+(substitute `example.com` with your actual server name):

 ```
-your.server.name, your.server.name:8448 {
+example.com, example.com:8448 {
    # TCP reverse_proxy
-    reverse_proxy 127.0.0.1:6167
-    # UNIX socket
-    #reverse_proxy unix//run/conduwuit/conduwuit.sock
+    reverse_proxy 127.0.0.1:8008
 }
 ```

@@ -202,51 +191,45 @@ ### Caddy

 ### Other Reverse Proxies

-As we prefer our users to use Caddy, we do not provide configuration files for other proxies.
+Normally, your reverse proxy should route everything from port :8448 and :443 back to Continuwuity.

-You will need to reverse proxy everything under the following routes:
+For more granular controls, you will need to proxy everything under these following routes:

- `/_matrix/` - core Matrix C-S and S-S APIs
- `/_conduwuit/` and/or `/_continuwuity/` - ad-hoc Continuwuity routes such as `/local_user_count` and
-  `/server_version`
+- `/_matrix/` - core Matrix APIs, which includes:
+
+  - `/_matrix/federation` and `/_matrix/key` - core Server-Server APIs. These should be available on port :8448
+
+  - `/_matrix/client` - core Client-Server APIs. These should be available on port :443
+
+- `/_conduwuit/` and `/_continuwuity/` - ad-hoc Continuwuity routes for password resets, email verification, and server details such as `/local_user_count` and `/server_version`.

 You can optionally reverse proxy the following individual routes:

 - `/.well-known/matrix/client` and `/.well-known/matrix/server` if using
  Continuwuity to perform delegation (see the `[global.well_known]` config section)
 - `/.well-known/matrix/support` if using Continuwuity to send the homeserver admin
-  contact and support page (formerly known as MSC1929)
- `/` if you would like to see `hewwo from conduwuit woof!` at the root
+  [contact and support page][well-known-support]
+- `/` and `/_continuwuity/logo.svg` if you would like to see the Continuwuity landing page

-See the following spec pages for more details on these files:
+Refer to the respective software's documentation and online guides on how to do so.

- [`/.well-known/matrix/server`](https://spec.matrix.org/latest/client-server-api/#getwell-knownmatrixserver)
- [`/.well-known/matrix/client`](https://spec.matrix.org/latest/client-server-api/#getwell-knownmatrixclient)
- [`/.well-known/matrix/support`](https://spec.matrix.org/latest/client-server-api/#getwell-knownmatrixsupport)
+[well-known-support]: https://spec.matrix.org/v1.18/client-server-api/#getwell-knownmatrixsupport

-Examples of delegation:
+#### Caveats for specific reverse proxies

- https://continuwuity.org/.well-known/matrix/server
- https://continuwuity.org/.well-known/matrix/client
- https://ellis.link/.well-known/matrix/server
- https://ellis.link/.well-known/matrix/client
-
-For Apache and Nginx there are many examples available online.
-
-Lighttpd is not supported as it appears to interfere with the `X-Matrix` Authorization
+- Lighttpd is not supported as it appears to interfere with the `X-Matrix` Authorization
 header, making federation non-functional. If you find a workaround, please share it so we can add it to this documentation.

-If using Apache, you need to use `nocanon` in your `ProxyPass` directive to prevent httpd from interfering with the `X-Matrix` header (note that Apache is not ideal as a general reverse proxy, so we discourage using it if alternatives are available).
+- If using Apache, you need to use `nocanon` in your `ProxyPass` directive to prevent httpd from interfering with the `X-Matrix` header (note that Apache is not ideal as a general reverse proxy, so we discourage using it if alternatives are available).

-If using Nginx, you need to pass the request URI to Continuwuity using `$request_uri`, like this:
+- If using Nginx, you need to pass the request URI to Continuwuity using `$request_uri`, like this:

- `proxy_pass http://127.0.0.1:6167$request_uri;`
- `proxy_pass http://127.0.0.1:6167;`
+    - `proxy_pass http://127.0.0.1:6167$request_uri;`
+    - `proxy_pass http://127.0.0.1:6167;`

-Nginx users need to increase the `client_max_body_size` setting (default is 1M) to match the
-`max_request_size` defined in conduwuit.toml.
+    Furthermore, Nginx users need to increase the `client_max_body_size` setting (default is 1M) to match the `max_request_size` defined in conduwuit.toml.

-## You're done
+## Starting Your Server

 Now you can start Continuwuity with:

@@ -260,36 +243,53 @@ ## You're done
 sudo systemctl enable conduwuit
 ```

-## How do I know it works?
-
-You can open [a Matrix client](https://matrix.org/ecosystem/clients), enter your
-homeserver address, and try to register.
-
-You can also use these commands as a quick health check (replace
-`your.server.name`).
+Check Continuwuity logs with the following command:

 ```bash
-curl https://your.server.name/_conduwuit/server_version
-
-# If using port 8448
-curl https://your.server.name:8448/_conduwuit/server_version
-
-# If federation is enabled
-curl https://your.server.name:8448/_matrix/federation/v1/version
+sudo journalctl -u conduwuit.service
 ```

- To check if your server can communicate with other homeservers, use the
-  [Matrix Federation Tester](https://federationtester.mtrnord.blog/). If you can
-  register but cannot join federated rooms, check your configuration and verify
-  that port 8448 is open and forwarded correctly.
+If Continuwuity has successfully initialized, you'll see output as below.
+
+```
+In order to use your new homeserver, you need to create its
+first user account.
+Open your Matrix client of choice and register an account
+on example.com using registration token x5keUZ811RqvLsNa .
+Pick your own username and password!
+```
+
+You can then open [a Matrix client][matrix-clients],
+enter your homeserver address, and try to register with the provided token.
+By default, the first user is the instance's first admin. They will be added
+to the `#admin:example.com` room and be able to [issue admin commands](../reference/admin/index.md).
+
+[matrix-clients]: https://matrix.org/ecosystem/clients
+
+## How do I know it works?
+
+To check if your server can communicate with other homeservers, use the
+[Matrix Federation Tester](https://federationtester.mtrnord.blog/). If you can
+register your account but cannot join federated rooms, check your configuration
+and verify that your federation endpoints are opened and forwarded correctly.
+
+As a quick health check, you can also use these cURL commands:
+
+```bash
+curl https://example.com/_conduwuit/server_version
+
+# If using port 8448
+curl https://example.com:8448/_conduwuit/server_version
+
+# If federation is enabled
+curl https://example.com:8448/_matrix/federation/v1/version
+
+# For client-server endpoints
+curl https://example.com/_matrix/client/versions
+```

 ## What's next?

-### Audio/Video calls
-
-For Audio/Video call functionality see the [Calls](../calls.md) page.
-
-### Appservices
-
-If you want to set up an appservice, take a look at the [Appservice
-Guide](../appservices.md).
+- For smooth federation, set up a caching resolver according to the [**DNS tuning guide**](../advanced/dns.mdx) (recommended)
+- For Audio/Video call functionality see the [**Calls**](../calls.md) page.
+- If you want to set up an appservice, take a look at the [**Appservice Guide**](../appservices.md).
@@ -0,0 +1,118 @@
+# Continuwuity for Nomad
+
+You can either pass the configuration as environment variables or mount a file containing the configuration from consul.
+This given configuration assumes that you have a traefik reverse proxy running.
+
+## Persistence
+The database being a RockDB file, it is recommended to use a volume to persist the data.
+The example below uses a volume, you need to configure the CSI driver on your cluster.
+
+| Volume Name | Mount Path | Purpose |
+|-------------|------------|---------|
+| continuwuity-volume | `/var/lib/continuwuity` | Store the database |
+| continuwuity-media-volume | `/var/lib/continuwuity/media` | Store uploaded media |
+
+## Configuration
+### Using environment variables
+```hcl
+job "continuwuity" {
+  datacenters = ["dc1"]
+  type      = "service"
+  node_pool = "default"
+
+  group "continuwuity" {
+    count = 1
+
+    network {
+      port "http" {
+        static = 6167
+      }
+    }
+
+    service {
+      name = "continuwuity"
+      port = "http"
+      tags = [
+        "traefik.enable=true",
+        "traefik.http.routers.continuwuity.rule=(Host(`matrix.example.com`) || (Host(`example.com`) && PathPrefix(`/.well-known/matrix`)))",
+        "traefik.http.routers.continuwuity.entrypoints=https",
+        "traefik.http.routers.continuwuity.tls=true",
+        "traefik.http.routers.continuwuity.tls.certresolver=letsencrypt",
+        "traefik.http.routers.continuwuity-http.rule=(Host(`matrix.example.com`) || (Host(`example.com`) && PathPrefix(`/.well-known/matrix`)))",
+        "traefik.http.routers.continuwuity-http.entrypoints=http",
+        "traefik.http.routers.continuwuity-http.middlewares=continuwuity-redirect",
+        "traefik.http.middlewares.continuwuity-redirect.redirectscheme.scheme=https",
+        "traefik.http.middlewares.continuwuity-redirect.redirectscheme.permanent=true",
+      ]
+    }
+
+    volume "continuwuity-volume" {
+      type            = "csi"
+      read_only       = false
+      source          = "continuwuity-volume"
+      attachment_mode = "file-system"
+      access_mode     = "single-node-writer"
+      per_alloc       = false
+    }
+
+    volume "continuwuity-media-volume" {
+      type            = "csi"
+      read_only       = false
+      source          = "continuwuity-media-volume"
+      attachment_mode = "file-system"
+      access_mode     = "single-node-writer"
+      per_alloc       = false
+
+      mount_options {
+        mount_flags = []
+      }
+    }
+
+    task "continuwuity" {
+      driver = "docker"
+
+      env {
+        CONTINUWUITY_SERVER_NAME        = "matrix.example.com"
+        CONTINUWUITY_TRUSTED_SERVERS    = "[\"matrix.org\", \"mozilla.org\"]"
+        CONTINUWUITY_ALLOW_REGISTRATION = false
+        CONTINUWUITY_ADDRESS            = "0.0.0.0"
+        CONTINUWUITY_PORT               = 6167
+        CONTINUWUITY_DATABASE_PATH      = "/var/lib/continuwuity"
+        CONTINUWUITY_WELL_KNOWN         = <<EOF
+{
+client=https://matrix.example.com,
+server=matrix.example.com:443
+}
+EOF
+      }
+
+      config {
+        image = "forgejo.ellis.link/continuwuation/continuwuity:latest"
+        ports = ["http"]
+      }
+
+      volume_mount {
+        volume      = "continuwuity-volume"
+        destination = "/var/lib/continuwuity"
+      }
+
+      volume_mount {
+        volume      = "continuwuity-media-volume"
+        destination = "/var/lib/continuwuity/media"
+      }
+    }
+  }
+}
+```
+
+### Using consul
+```hcl
+...
+      template {
+        data = <<EOF
+{{key "config/continuwuity"}}
+EOF
+        destination = "local/conduwuit.toml"
+      }
+...
+```
@@ -81,8 +81,6 @@ ## List of forked dependencies
 All forked dependencies are maintained under the
 [continuwuation organization on Forgejo](https://forgejo.ellis.link/continuwuation):

- [ruwuma][continuwuation-ruwuma] - Fork of [ruma/ruma][ruma] with various
-  performance improvements, more features and better client/server interop
 - [rocksdb][continuwuation-rocksdb] - Fork of [facebook/rocksdb][rocksdb] via
  [`@zaidoon1`][8] with liburing build fixes and GCC debug build fixes
 - [jemallocator][continuwuation-jemallocator] - Fork of
@@ -6,10 +6,10 @@
            "message": "Welcome to Continuwuity! Important announcements about the project will appear here."
        },
        {
-            "id": 10,
+            "id": 12,
            "mention_room": false,
-            "date": "2026-03-03",
-            "message": "We've just released [v0.5.6](https://forgejo.ellis.link/continuwuation/continuwuity/releases/tag/v0.5.6), which contains a few  security improvements - plus significant reliability and performance improvements. Please update as soon as possible. \n\nWe released [v0.5.5](https://forgejo.ellis.link/continuwuation/continuwuity/releases/tag/v0.5.5) two weeks ago, but it skipped your admin room straight to [our announcements channel](https://matrix.to/#/!jIdNjSM5X-V5JVx2h2kAhUZIIQ08GyzPL55NFZAH1vM?via=ellis.link&via=gingershaped.computer&via=matrix.org). Make sure you're there to get important information as soon as we announce it! [Our space](https://matrix.to/#/!8cR4g-i9ucof69E4JHNg9LbPVkGprHb3SzcrGBDDJgk?via=continuwuity.org&via=ellis.link&via=matrix.org) has also gained a bunch of new and interesting rooms - be there or be square."
+            "date": "2026-04-24",
+            "message": "[v0.5.8](https://forgejo.ellis.link/continuwuation/continuwuity/releases/tag/v0.5.8) is out! This is a patch release which fixes a bug in 0.5.7's email support -- upgrade soon if you use that feature."
        }
    ]
 }
@@ -0,0 +1,43 @@
+# Continuwuity - Behind Traefik Reverse Proxy
+
+services:
+  homeserver:
+    image: "forgejo.ellis.link/continuwuation/continuwuity:latest"
+    restart: unless-stopped
+    command: /sbin/conduwuit
+    volumes:
+      - db:/var/lib/continuwuity
+      - ./continuwuity-resolv.conf:/etc/resolv.conf # use custom resolvers rather than Docker's
+      #- ./continuwuity.toml:/etc/continuwuity.toml
+    networks:
+      - proxy
+    labels:
+      - "traefik.enable=true"
+      - "traefik.http.routers.continuwuity.rule=(Host(`matrix.example.com`) || (Host(`example.com`) && PathPrefix(`/.well-known/matrix`)))"
+      - "traefik.http.routers.continuwuity.entrypoints=websecure" # your HTTPS entry point
+      - "traefik.http.routers.continuwuity.tls=true"
+      - "traefik.http.routers.continuwuity.service=continuwuity"
+      - "traefik.http.services.continuwuity.loadbalancer.server.port=8008"
+      # possibly, depending on your config:
+      # - "traefik.http.routers.continuwuity.tls.certresolver=letsencrypt"
+    environment:
+      CONTINUWUITY_SERVER_NAME: example.com # EDIT THIS
+      CONTINUWUITY_DATABASE_PATH: /var/lib/continuwuity
+      CONTINUWUITY_ADDRESS: 0.0.0.0
+      CONTINUWUITY_PORT: 8008 # This must match with traefik's loadbalancer label
+      #CONTINUWUITY_CONFIG: '/etc/continuwuity.toml' # Uncomment if you mapped config toml above
+
+      # Serve .well-known files to tell others to reach Continuwuity on port :443
+      CONTINUWUITY_WELL_KNOWN: |
+        {
+        client=https://matrix.example.com,
+        server=matrix.example.com:443
+        }
+
+volumes:
+  db:
+
+networks:
+  # This must match the network name that Traefik listens on
+  proxy:
+    external: true
@@ -0,0 +1,54 @@
+# Continuwuity - With Caddy Labels
+
+services:
+    caddy:
+    # This compose file uses caddy-docker-proxy as the reverse proxy for Continuwuity!
+    # For more info, visit https://github.com/lucaslorentz/caddy-docker-proxy
+        image: "docker.io/lucaslorentz/caddy-docker-proxy:ci-alpine"
+        ports:
+            - 80:80
+            - 443:443
+        environment:
+            - CADDY_INGRESS_NETWORKS=caddy
+        networks:
+            - caddy
+        volumes:
+            - /var/run/docker.sock:/var/run/docker.sock
+            - ./data:/data
+        restart: unless-stopped
+        labels:
+            caddy: example.com
+            caddy.reverse_proxy: /.well-known/matrix/* homeserver:8008
+
+    homeserver:
+        image: "forgejo.ellis.link/continuwuation/continuwuity:latest"
+        restart: unless-stopped
+        command: /sbin/conduwuit
+        volumes:
+            - db:/var/lib/continuwuity
+            - ./continuwuity-resolv.conf:/etc/resolv.conf # use custom resolvers rather than Docker's
+            #- ./continuwuity.toml:/etc/continuwuity.toml
+        environment:
+            CONTINUWUITY_SERVER_NAME: example.com # EDIT THIS
+            CONTINUWUITY_DATABASE_PATH: /var/lib/continuwuity
+            CONTINUWUITY_ADDRESS: 0.0.0.0
+            CONTINUWUITY_PORT: 8008
+            #CONTINUWUITY_CONFIG: '/etc/continuwuity.toml' # Uncomment if you mapped config toml above
+
+            # Serve .well-known files to tell others to reach Continuwuity on port :443
+            CONTINUWUITY_WELL_KNOWN: |
+                {
+                client=https://matrix.example.com,
+                server=matrix.example.com:443
+                }
+
+        networks:
+            - caddy
+        labels:
+            caddy: matrix.example.com
+            caddy.reverse_proxy: "{{upstreams 8008}}"
+volumes:
+    db:
+
+networks:
+    caddy:
@@ -0,0 +1,57 @@
+# Continuwuity - Using Caddy Docker Image
+
+services:
+    caddy:
+        image: "docker.io/caddy:latest"
+        ports:
+            - 80:80
+            - 443:443
+        networks:
+            - caddy
+        volumes:
+            - ./data:/data
+        restart: unless-stopped
+        configs:
+            - source: Caddyfile
+              target: /etc/caddy/Caddyfile
+
+    homeserver:
+        image: "forgejo.ellis.link/continuwuation/continuwuity:latest"
+        restart: unless-stopped
+        command: /sbin/conduwuit
+        volumes:
+            - db:/var/lib/continuwuity
+            - ./continuwuity-resolv.conf:/etc/resolv.conf # use custom resolvers rather than Docker's
+            #- ./continuwuity.toml:/etc/continuwuity.toml
+        environment:
+            CONTINUWUITY_SERVER_NAME: example.com
+            CONTINUWUITY_DATABASE_PATH: /var/lib/continuwuity
+            CONTINUWUITY_ADDRESS: 0.0.0.0
+            CONTINUWUITY_PORT: 8008
+            #CONTINUWUITY_CONFIG: '/etc/continuwuity.toml' # Uncomment if you mapped config toml above
+
+            ## Serve .well-known files to tell others to reach Continuwuity on port :443
+            CONTINUWUITY_WELL_KNOWN: |
+                {
+                client=https://matrix.example.com,
+                server=matrix.example.com:443
+                }
+
+        networks:
+            - caddy
+
+networks:
+    caddy:
+
+volumes:
+    db:
+
+configs:
+    Caddyfile:
+        content: |
+            https://matrix.example.com:443 {
+                reverse_proxy http://homeserver:8008
+            }
+            https://example.com:443 {
+                reverse_proxy /.well-known/matrix* http://homeserver:8008
+            }
@@ -0,0 +1,85 @@
+# Continuwuity - With Traefik Reverse Proxy
+
+services:
+  homeserver:
+    image: "forgejo.ellis.link/continuwuation/continuwuity:latest"
+    restart: unless-stopped
+    command: /sbin/conduwuit
+    volumes:
+      - db:/var/lib/continuwuity
+      - ./continuwuity-resolv.conf:/etc/resolv.conf # use custom resolvers rather than Docker's
+      #- ./continuwuity.toml:/etc/continuwuity.toml
+    networks:
+      - proxy
+    labels:
+      - "traefik.enable=true"
+      - "traefik.http.routers.continuwuity.rule=(Host(`matrix.example.com`) || (Host(`example.com`) && PathPrefix(`/.well-known/matrix`)))"
+      - "traefik.http.routers.continuwuity.entrypoints=websecure"
+      - "traefik.http.routers.continuwuity.tls.certresolver=letsencrypt"
+      - "traefik.http.services.continuwuity.loadbalancer.server.port=8008"
+    environment:
+      CONTINUWUITY_SERVER_NAME: example.com # EDIT THIS
+      CONTINUWUITY_DATABASE_PATH: /var/lib/continuwuity
+      CONTINUWUITY_ADDRESS: 0.0.0.0
+      CONTINUWUITY_PORT: 8008 # This must match with traefik's loadbalancer label
+      #CONTINUWUITY_CONFIG: '/etc/continuwuity.toml' # Uncomment if you mapped config toml above
+
+      # Serve .well-known files to tell others to reach Continuwuity on port :443
+      CONTINUWUITY_WELL_KNOWN: |
+        {
+          client=https://matrix.example.com,
+          server=matrix.example.com:443
+        }
+
+  traefik:
+    image: "docker.io/traefik:latest"
+    container_name: "traefik"
+    restart: "unless-stopped"
+    ports:
+      - "80:80"
+      - "443:443"
+    volumes:
+      - "/var/run/docker.sock:/var/run/docker.sock:ro"
+      - "acme:/etc/traefik/acme"
+    labels:
+      - "traefik.enable=true"
+
+      # middleware redirect
+      - "traefik.http.middlewares.redirect-to-https.redirectscheme.scheme=https"
+      # global redirect to https
+      - "traefik.http.routers.redirs.rule=hostregexp(`{host:.+}`)"
+      - "traefik.http.routers.redirs.entrypoints=web"
+      - "traefik.http.routers.redirs.middlewares=redirect-to-https"
+
+    environment:
+
+      TRAEFIK_LOG_LEVEL: DEBUG
+      TRAEFIK_ENTRYPOINTS_WEB: true
+      TRAEFIK_ENTRYPOINTS_WEB_ADDRESS: ":80"
+      TRAEFIK_ENTRYPOINTS_WEB_HTTP_REDIRECTIONS_ENTRYPOINT_TO: websecure
+
+      TRAEFIK_ENTRYPOINTS_WEBSECURE: true
+      TRAEFIK_ENTRYPOINTS_WEBSECURE_ADDRESS: ":443"
+      TRAEFIK_ENTRYPOINTS_WEBSECURE_HTTP_TLS_CERTRESOLVER: letsencrypt
+
+      TRAEFIK_CERTIFICATESRESOLVERS_LETSENCRYPT: true
+      # CHANGE THIS to desired email for ACME
+      TRAEFIK_CERTIFICATESRESOLVERS_LETSENCRYPT_ACME_EMAIL: user@example.com
+      TRAEFIK_CERTIFICATESRESOLVERS_LETSENCRYPT_ACME_HTTPCHALLENGE: true
+      TRAEFIK_CERTIFICATESRESOLVERS_LETSENCRYPT_ACME_HTTPCHALLENGE_ENTRYPOINT: web
+      TRAEFIK_CERTIFICATESRESOLVERS_LETSENCRYPT_ACME_STORAGE: "/etc/traefik/acme/acme.json"
+
+      # Since Traefik 3.6.3, paths with certain "encoded characters" are now blocked by default; we need a couple, or else things *will* break
+      TRAEFIK_ENTRYPOINTS_WEBSECURE_HTTP_ENCODEDCHARACTERS_ALLOWENCODEDSLASH: true
+      TRAEFIK_ENTRYPOINTS_WEBSECURE_HTTP_ENCODEDCHARACTERS_ALLOWENCODEDHASH: true
+
+      TRAEFIK_PROVIDERS_DOCKER: true
+      TRAEFIK_PROVIDERS_DOCKER_ENDPOINT: "unix:///var/run/docker.sock"
+      TRAEFIK_PROVIDERS_DOCKER_EXPOSEDBYDEFAULT: false
+
+volumes:
+  db:
+  acme:
+
+networks:
+  proxy:
@@ -2,7 +2,7 @@

 services:
  homeserver:
-    image: forgejo.ellis.link/continuwuation/continuwuity:latest
+    image: "forgejo.ellis.link/continuwuation/continuwuity:latest"
    restart: unless-stopped
    command: /sbin/conduwuit
    volumes:
@@ -38,7 +38,6 @@ volumes:
  db:

 networks:
-  # This is the network Traefik listens to, if your network has a different
-  # name, don't forget to change it here and in the docker-compose.override.yml
+  # This must match the network name that Traefik listens on
  proxy:
    external: true
@@ -1,10 +1,10 @@
-# Continuwuity - Traefik Reverse Proxy Labels
+# Continuwuity - Traefik Reverse Proxy Labels (override file)

 services:
  homeserver:
    labels:
      - "traefik.enable=true"
-      - "traefik.docker.network=proxy"  # Change this to the name of your Traefik docker proxy network
+      - "traefik.docker.network=proxy" # Change this to the name of your Traefik docker proxy network

      - "traefik.http.routers.to-continuwuity.rule=Host(`example.com`)"  # Change to the address on which Continuwuity is hosted
      - "traefik.http.routers.to-continuwuity.tls=true"
@@ -14,13 +14,10 @@ services:
      # This must match with CONTINUWUITY_PORT (default: 8008)
      - "traefik.http.services.to_continuwuity.loadbalancer.server.port=8008"

-      - "traefik.http.middlewares.cors-headers.headers.accessControlAllowOriginList=*"
-      - "traefik.http.middlewares.cors-headers.headers.accessControlAllowHeaders=Origin, X-Requested-With, Content-Type, Accept, Authorization"
-      - "traefik.http.middlewares.cors-headers.headers.accessControlAllowMethods=GET, POST, PUT, DELETE, OPTIONS"
-
      # If you want to have your account on <DOMAIN>, but host Continuwuity on a subdomain,
-      # you can let it only handle the well known file on that domain instead
-      #- "traefik.http.routers.to-matrix-wellknown.rule=Host(`example.com`) && PathPrefix(`/.well-known/matrix`)"
+      # you can let it only handle the well known file on the base domain instead
+      #
+      # - "traefik.http.routers.to-matrix-wellknown.rule=Host(`example.com`) && PathPrefix(`/.well-known/matrix`)"
      #- "traefik.http.routers.to-matrix-wellknown.tls=true"
      #- "traefik.http.routers.to-matrix-wellknown.tls.certresolver=letsencrypt"
      #- "traefik.http.routers.to-matrix-wellknown.middlewares=cors-headers@docker"
@@ -1,8 +1,10 @@
+# Continuwuity - With Caddy Labels
+
 services:
    caddy:
    # This compose file uses caddy-docker-proxy as the reverse proxy for Continuwuity!
    # For more info, visit https://github.com/lucaslorentz/caddy-docker-proxy
-        image: lucaslorentz/caddy-docker-proxy:ci-alpine
+        image: "docker.io/lucaslorentz/caddy-docker-proxy:ci-alpine"
        ports:
            - 80:80
            - 443:443
@@ -16,7 +18,7 @@ services:
        restart: unless-stopped

    homeserver:
-        image: forgejo.ellis.link/continuwuation/continuwuity:latest
+        image: "forgejo.ellis.link/continuwuation/continuwuity:latest"
        restart: unless-stopped
        command: /sbin/conduwuit
        volumes:
@@ -1,6 +1,8 @@
+# Continuwuity - Using Caddy Docker Image
+
 services:
    caddy:
-        image: docker.io/caddy:latest
+        image: "docker.io/caddy:latest"
        ports:
            - 80:80
            - 443:443
@@ -15,7 +17,7 @@ services:
              target: /etc/caddy/Caddyfile

    homeserver:
-        image: forgejo.ellis.link/continuwuation/continuwuity:latest
+        image: "forgejo.ellis.link/continuwuation/continuwuity:latest"
        restart: unless-stopped
        command: /sbin/conduwuit
        volumes:
@@ -37,7 +39,6 @@ services:
            #     server=example.com:443
            #     }

-
        networks:
            - caddy

@@ -48,8 +49,8 @@ volumes:
    db:

 configs:
-    dynamic.yml:
+    Caddyfile:
        content: |
-            https://example.com, https://example.com:8448 {
+            https://example.com:443, https://example.com:8448 {
                reverse_proxy http://homeserver:8008
            }
@@ -1,8 +1,8 @@
-# Continuwuity - Behind Traefik Reverse Proxy
+# Continuwuity - With Traefik Reverse Proxy

 services:
  homeserver:
-    image: forgejo.ellis.link/continuwuation/continuwuity:latest
+    image: "forgejo.ellis.link/continuwuation/continuwuity:latest"
    restart: unless-stopped
    command: /sbin/conduwuit
    volumes:
@@ -32,14 +32,14 @@ services:
        }

  traefik:
-    image: "traefik:latest"
+    image: "docker.io/traefik:latest"
    container_name: "traefik"
    restart: "unless-stopped"
    ports:
      - "80:80"
      - "443:443"
    volumes:
-      - "/var/run/docker.sock:/var/run/docker.sock:z"
+      - "/var/run/docker.sock:/var/run/docker.sock:ro"
      - "acme:/etc/traefik/acme"
    labels:
      - "traefik.enable=true"
@@ -52,6 +52,7 @@ services:
      - "traefik.http.routers.redirs.middlewares=redirect-to-https"

    environment:
+
      TRAEFIK_LOG_LEVEL: DEBUG
      TRAEFIK_ENTRYPOINTS_WEB: true
      TRAEFIK_ENTRYPOINTS_WEB_ADDRESS: ":80"
@@ -1,12 +1,23 @@
-# Continuwuity
+# Continuwuity - Bare Configuration (for other reverse proxies)

 services:
    homeserver:
-        image: forgejo.ellis.link/continuwuation/continuwuity:latest
+        image: "forgejo.ellis.link/continuwuation/continuwuity:latest"
        restart: unless-stopped
        command: /sbin/conduwuit
        ports:
+
+            # If your reverse proxy is on the host, use this
+            # and configure it to connect to `127.0.0.1:8008`
            - 127.0.0.1:8008:8008
+
+            # If your reverse proxy is on another machine, use this
+            # and configure it to connect to <this-machine-ip>:8008
+            # - 8008:8008
+
+            # If your reverse proxy is a docker container on the same network,
+            # comment out the entire `ports` section, and configure it to connect to `continuwuity:8008`
+
        volumes:
            - db:/var/lib/continuwuity
            - ./continuwuity-resolv.conf:/etc/resolv.conf # use custom resolvers rather than Docker's
@@ -26,6 +37,5 @@ services:
            #     server=example.com:443
            #     }

-
 volumes:
    db:
@@ -7,7 +7,7 @@ ## Running commands

 * All commands listed here may be used by server administrators in the admin room by sending them as messages.
 * If the `admin_escape_commands` configuration option is enabled, server administrators may run certain commands in public rooms by prefixing them with a single backslash. These commands will only run on _their_ homeserver, even if they are a member of another homeserver's admin room. Some sensitive commands cannot be used outside the admin room and will return an error.
-* All commands listed here may be used in the server's console, if it is enabled. Commands entered in the console do not require the `!admin` prefix.
+* All commands listed here may be used in the server's console, if it is enabled. Commands entered in the console do not require the `!admin` prefix. If Continuwuity is deployed via Docker, be sure to set the appropriate options detailed in [the Docker deployment guide](../../deploying/docker.mdx#accessing-the-servers-console) to enable access to the server's console.

 ## Categories

@@ -3,11 +3,11 @@
    "advisory-db": {
      "flake": false,
      "locked": {
-        "lastModified": 1775907537,
-        "narHash": "sha256-vbeLNgmsx1Z6TwnlDV0dKyeBCcon3UpkV9yLr/yc6HM=",
+        "lastModified": 1777645914,
+        "narHash": "sha256-P1T7QVQS13OvkXEuEhI91CLaQfyv6iqV9vW8IBLLDYg=",
        "owner": "rustsec",
        "repo": "advisory-db",
-        "rev": "d99f7b9eb81731bddebf80a355f8be7b2f8b1b28",
+        "rev": "d6ba1f7070ba91f45efe372d68eb648be67d0417",
        "type": "github"
      },
      "original": {
@@ -18,11 +18,11 @@
    },
    "crane": {
      "locked": {
-        "lastModified": 1775839657,
-        "narHash": "sha256-SPm9ck7jh3Un9nwPuMGbRU04UroFmOHjLP56T10MOeM=",
+        "lastModified": 1777335812,
+        "narHash": "sha256-bEg5xoAxAwsyfnGhkEX7RJViTIBIYPd8ISg4O1c0HFc=",
        "owner": "ipetkov",
        "repo": "crane",
-        "rev": "7cf72d978629469c4bd4206b95c402514c1f6000",
+        "rev": "5e0fb2f64edff2822249f21293b8304dedaaf676",
        "type": "github"
      },
      "original": {
@@ -39,11 +39,11 @@
        "rust-analyzer-src": "rust-analyzer-src"
      },
      "locked": {
-        "lastModified": 1775891769,
-        "narHash": "sha256-EOfVlTKw2n8w1uhfh46GS4hEGnQ7oWrIWQfIY6utIkI=",
+        "lastModified": 1777624102,
+        "narHash": "sha256-thSyElkje577x/kAbP72nHlfiFc1a+tCudskLPHXe9s=",
        "owner": "nix-community",
        "repo": "fenix",
-        "rev": "6fbc54dde15aee725bdc7aae5e478849685d5f56",
+        "rev": "4d81601e0b73f20d81d066754ad0e7d1e7f75a06",
        "type": "github"
      },
      "original": {
@@ -89,11 +89,11 @@
    },
    "nixpkgs": {
      "locked": {
-        "lastModified": 1775710090,
-        "narHash": "sha256-ar3rofg+awPB8QXDaFJhJ2jJhu+KqN/PRCXeyuXR76E=",
+        "lastModified": 1777268161,
+        "narHash": "sha256-bxrdOn8SCOv8tN4JbTF/TXq7kjo9ag4M+C8yzzIRYbE=",
        "owner": "NixOS",
        "repo": "nixpkgs",
-        "rev": "4c1018dae018162ec878d42fec712642d214fdfa",
+        "rev": "1c3fe55ad329cbcb28471bb30f05c9827f724c76",
        "type": "github"
      },
      "original": {
@@ -132,11 +132,11 @@
    "rust-analyzer-src": {
      "flake": false,
      "locked": {
-        "lastModified": 1775843361,
-        "narHash": "sha256-j53ZgyDvmYf3Sjh1IPvvTjqa614qUfVQSzj59+MpzkY=",
+        "lastModified": 1777583169,
+        "narHash": "sha256-dVJ4+wrRKc8oIgp3rLOFSq1obt/sCKlXy3h47qof/w0=",
        "owner": "rust-lang",
        "repo": "rust-analyzer",
-        "rev": "9eb97ea96d8400e8957ddd56702e962614296583",
+        "rev": "aa64e4828a2bbba44463c1229a81c748d3cce583",
        "type": "github"
      },
      "original": {
@@ -8,7 +8,9 @@
  callPackage,
  rustPlatform,
  cargoExtraArgs ? "",
+  rustflags ? "",
  rocksdb ? callPackage ./rocksdb.nix { },
+  profile ? "release",
 }:
 let
  # see https://crane.dev/API.html#cranelibfiltercargosources
@@ -35,6 +37,8 @@ let
    env = {
      ROCKSDB_INCLUDE_DIR = "${rocksdb}/include";
      ROCKSDB_LIB_DIR = "${rocksdb}/lib";
+      CARGO_PROFILE = profile;
+      RUSTFLAGS = rustflags;
    };
  };
 in
@@ -5,6 +5,7 @@
 {
  perSystem =
    {
+      self',
      pkgs,
      craneLib,
      ...
@@ -12,7 +13,22 @@
    {
      packages = {
        rocksdb = pkgs.callPackage ./rocksdb.nix { };
-        default = pkgs.callPackage ./continuwuity.nix { inherit self craneLib; };
+        default = pkgs.callPackage ./continuwuity.nix {
+          inherit self craneLib;
+          # extra features via `cargoExtraArgs`
+          cargoExtraArgs = "-F http3";
+          # extra RUSTFLAGS via `rustflags`
+          # the stuff below is required for http3
+          rustflags = "--cfg reqwest_unstable";
+        };
+        # users may also override this with other cargo profiles to build for other feature sets
+        #
+        # other examples include:
+        #
+        # - release-high-perf
+        max-perf = self'.packages.default.override {
+          profile = "release-max-perf";
+        };
      };
    };
 }
@@ -16,26 +16,24 @@
      }
    },
    "node_modules/@emnapi/core": {
-      "version": "1.9.2",
-      "resolved": "https://registry.npmjs.org/@emnapi/core/-/core-1.9.2.tgz",
-      "integrity": "sha512-UC+ZhH3XtczQYfOlu3lNEkdW/p4dsJ1r/bP7H8+rhao3TTTMO1ATq/4DdIi23XuGoFY+Cz0JmCbdVl0hz9jZcA==",
+      "version": "1.10.0",
+      "resolved": "https://registry.npmjs.org/@emnapi/core/-/core-1.10.0.tgz",
+      "integrity": "sha512-yq6OkJ4p82CAfPl0u9mQebQHKPJkY7WrIuk205cTYnYe+k2Z8YBh11FrbRG/H6ihirqcacOgl2BIO8oyMQLeXw==",
      "dev": true,
      "license": "MIT",
      "optional": true,
-      "peer": true,
      "dependencies": {
        "@emnapi/wasi-threads": "1.2.1",
        "tslib": "^2.4.0"
      }
    },
    "node_modules/@emnapi/runtime": {
-      "version": "1.9.2",
-      "resolved": "https://registry.npmjs.org/@emnapi/runtime/-/runtime-1.9.2.tgz",
-      "integrity": "sha512-3U4+MIWHImeyu1wnmVygh5WlgfYDtyf0k8AbLhMFxOipihf6nrWC4syIm/SwEeec0mNSafiiNnMJwbza/Is6Lw==",
+      "version": "1.10.0",
+      "resolved": "https://registry.npmjs.org/@emnapi/runtime/-/runtime-1.10.0.tgz",
+      "integrity": "sha512-ewvYlk86xUoGI0zQRNq/mC+16R1QeDlKQy21Ki3oSYXNgLb45GV1P6A0M+/s6nyCuNDqe5VpaY84BzXGwVbwFA==",
      "dev": true,
      "license": "MIT",
      "optional": true,
-      "peer": true,
      "dependencies": {
        "tslib": "^2.4.0"
      }
@@ -47,7 +45,6 @@
      "dev": true,
      "license": "MIT",
      "optional": true,
-      "peer": true,
      "dependencies": {
        "tslib": "^2.4.0"
      }
@@ -109,9 +106,9 @@
      }
    },
    "node_modules/@napi-rs/wasm-runtime": {
-      "version": "1.1.2",
-      "resolved": "https://registry.npmjs.org/@napi-rs/wasm-runtime/-/wasm-runtime-1.1.2.tgz",
-      "integrity": "sha512-sNXv5oLJ7ob93xkZ1XnxisYhGYXfaG9f65/ZgYuAu3qt7b3NadcOEhLvx28hv31PgX8SZJRYrAIPQilQmFpLVw==",
+      "version": "1.1.4",
+      "resolved": "https://registry.npmjs.org/@napi-rs/wasm-runtime/-/wasm-runtime-1.1.4.tgz",
+      "integrity": "sha512-3NQNNgA1YSlJb/kMH1ildASP9HW7/7kYnRI2szWJaofaS1hWmbGI4H+d3+22aGzXXN9IJ+n+GiFVcGipJP18ow==",
      "dev": true,
      "license": "MIT",
      "optional": true,
@@ -128,13 +125,13 @@
      }
    },
    "node_modules/@rsbuild/core": {
-      "version": "2.0.0-rc.1",
-      "resolved": "https://registry.npmjs.org/@rsbuild/core/-/core-2.0.0-rc.1.tgz",
-      "integrity": "sha512-eqxtRlQiFSm/ibCNGiPj8ozsGSNK91NY+GksmPuTCPmWQExGtPqM1V+s13UYeWZS6fYbMRs7NlQKD896e0QkKA==",
+      "version": "2.0.3",
+      "resolved": "https://registry.npmjs.org/@rsbuild/core/-/core-2.0.3.tgz",
+      "integrity": "sha512-2myp7jUgGen50saxW8OJD/eMVKp7HnuBN5MUzwRb6mDbRZZVpoorfI4LQqiGSBNjGLB6jltvx/R2yHmcmnchwg==",
      "dev": true,
      "license": "MIT",
      "dependencies": {
-        "@rspack/core": "2.0.0-rc.1",
+        "@rspack/core": "~2.0.1",
        "@swc/helpers": "^0.5.21"
      },
      "bin": {
@@ -153,17 +150,17 @@
      }
    },
    "node_modules/@rsbuild/plugin-react": {
-      "version": "1.4.6",
-      "resolved": "https://registry.npmjs.org/@rsbuild/plugin-react/-/plugin-react-1.4.6.tgz",
-      "integrity": "sha512-LAT6xHlEyZKA0VjF/ph5d50iyG+WSmBx+7g98HNZUwb94VeeTMZFB8qVptTkbIRMss3BNKOXmHOu71Lhsh9oEw==",
+      "version": "2.0.0",
+      "resolved": "https://registry.npmjs.org/@rsbuild/plugin-react/-/plugin-react-2.0.0.tgz",
+      "integrity": "sha512-/1gzt39EGUSFEqB83g46QoOwsgv172HI18i6au1b6lgIaX4sv9stuX4ijdHbHCp8PqYEq+MyQ99jIQMO6I+etg==",
      "dev": true,
      "license": "MIT",
      "dependencies": {
-        "@rspack/plugin-react-refresh": "^1.6.1",
+        "@rspack/plugin-react-refresh": "2.0.0",
        "react-refresh": "^0.18.0"
      },
      "peerDependencies": {
-        "@rsbuild/core": "^1.0.0 || ^2.0.0-0"
+        "@rsbuild/core": "^2.0.0-0"
      },
      "peerDependenciesMeta": {
        "@rsbuild/core": {
@@ -172,28 +169,28 @@
      }
    },
    "node_modules/@rspack/binding": {
-      "version": "2.0.0-rc.1",
-      "resolved": "https://registry.npmjs.org/@rspack/binding/-/binding-2.0.0-rc.1.tgz",
-      "integrity": "sha512-rhJqtbyiRPOjTAZW0xTZFbOrS5yP5yL1SF0DPE9kvFfzePz30IqjMDMxL0KuhkDZd/M1eUINJyoqd8NTbR9wHw==",
+      "version": "2.0.1",
+      "resolved": "https://registry.npmjs.org/@rspack/binding/-/binding-2.0.1.tgz",
+      "integrity": "sha512-ynV1gw4KqFtQ0P+ZZh76SUj49wBb2FuHW3zSmHverHWuxBhzvrZS6/dZ+fCFQG8bTTPtrPz0RQUTN3uEDbPVBQ==",
      "dev": true,
      "license": "MIT",
      "optionalDependencies": {
-        "@rspack/binding-darwin-arm64": "2.0.0-rc.1",
-        "@rspack/binding-darwin-x64": "2.0.0-rc.1",
-        "@rspack/binding-linux-arm64-gnu": "2.0.0-rc.1",
-        "@rspack/binding-linux-arm64-musl": "2.0.0-rc.1",
-        "@rspack/binding-linux-x64-gnu": "2.0.0-rc.1",
-        "@rspack/binding-linux-x64-musl": "2.0.0-rc.1",
-        "@rspack/binding-wasm32-wasi": "2.0.0-rc.1",
-        "@rspack/binding-win32-arm64-msvc": "2.0.0-rc.1",
-        "@rspack/binding-win32-ia32-msvc": "2.0.0-rc.1",
-        "@rspack/binding-win32-x64-msvc": "2.0.0-rc.1"
+        "@rspack/binding-darwin-arm64": "2.0.1",
+        "@rspack/binding-darwin-x64": "2.0.1",
+        "@rspack/binding-linux-arm64-gnu": "2.0.1",
+        "@rspack/binding-linux-arm64-musl": "2.0.1",
+        "@rspack/binding-linux-x64-gnu": "2.0.1",
+        "@rspack/binding-linux-x64-musl": "2.0.1",
+        "@rspack/binding-wasm32-wasi": "2.0.1",
+        "@rspack/binding-win32-arm64-msvc": "2.0.1",
+        "@rspack/binding-win32-ia32-msvc": "2.0.1",
+        "@rspack/binding-win32-x64-msvc": "2.0.1"
      }
    },
    "node_modules/@rspack/binding-darwin-arm64": {
-      "version": "2.0.0-rc.1",
-      "resolved": "https://registry.npmjs.org/@rspack/binding-darwin-arm64/-/binding-darwin-arm64-2.0.0-rc.1.tgz",
-      "integrity": "sha512-fYbeDDDg6QKZzXYt/J0/j0Qhr01wQLuISUsYnNhu5MLwdXVUSVcqz+CTqgF3d0EQVVn6FqLV63lbNRzUGfSq9g==",
+      "version": "2.0.1",
+      "resolved": "https://registry.npmjs.org/@rspack/binding-darwin-arm64/-/binding-darwin-arm64-2.0.1.tgz",
+      "integrity": "sha512-CGFO5zmajD1Itch1lxAI7+gvKiagzyqXopHv/jHG9Su2WWQ2/Nhn2/rkSpdp6ptE9ri6+6tCOOahf099/v/Xog==",
      "cpu": [
        "arm64"
      ],
@@ -205,9 +202,9 @@
      ]
    },
    "node_modules/@rspack/binding-darwin-x64": {
-      "version": "2.0.0-rc.1",
-      "resolved": "https://registry.npmjs.org/@rspack/binding-darwin-x64/-/binding-darwin-x64-2.0.0-rc.1.tgz",
-      "integrity": "sha512-MvXi9kr8xXn1y0PD1WI/4YphRNOdbykJjKdEsAG4JxEVoERmhIHOTwKvUqlejajizAwlVZcxQl/FacoPLsKN5Q==",
+      "version": "2.0.1",
+      "resolved": "https://registry.npmjs.org/@rspack/binding-darwin-x64/-/binding-darwin-x64-2.0.1.tgz",
+      "integrity": "sha512-2vvBNBoS09/PurupBwSrlTZd8283o00B8v20ncsNUdEff41uCR/hzIrYoTIVWnVST+Gt5O1+cfcfORp397lajg==",
      "cpu": [
        "x64"
      ],
@@ -219,9 +216,9 @@
      ]
    },
    "node_modules/@rspack/binding-linux-arm64-gnu": {
-      "version": "2.0.0-rc.1",
-      "resolved": "https://registry.npmjs.org/@rspack/binding-linux-arm64-gnu/-/binding-linux-arm64-gnu-2.0.0-rc.1.tgz",
-      "integrity": "sha512-j6WsHEwGSdUoiy4BsQBW0RjFl+MBzozdybSYhkiyVSoHlbm7CPt3XaaS3elH5YcwuLHORmVHPP91QhwWl9UFJg==",
+      "version": "2.0.1",
+      "resolved": "https://registry.npmjs.org/@rspack/binding-linux-arm64-gnu/-/binding-linux-arm64-gnu-2.0.1.tgz",
+      "integrity": "sha512-uvNXk6ahE3AH3h2avnd1Mgno68YQpS4cfX1OkOGWIC/roL+NrOP2XVXV4yfVAoydPALDO7AfbIfN0QdmBK3rsA==",
      "cpu": [
        "arm64"
      ],
@@ -236,9 +233,9 @@
      ]
    },
    "node_modules/@rspack/binding-linux-arm64-musl": {
-      "version": "2.0.0-rc.1",
-      "resolved": "https://registry.npmjs.org/@rspack/binding-linux-arm64-musl/-/binding-linux-arm64-musl-2.0.0-rc.1.tgz",
-      "integrity": "sha512-MPoZE0aS8oH+Wr0R5tIYch8gbUwYYf4LsiGdP6enMKMTrmpJyOVGlhPHVSwsrFgBg7fjTGOuxHuibtsvDUdLOQ==",
+      "version": "2.0.1",
+      "resolved": "https://registry.npmjs.org/@rspack/binding-linux-arm64-musl/-/binding-linux-arm64-musl-2.0.1.tgz",
+      "integrity": "sha512-S/a6uN9PiZ5O/PjSqyIXhuRC1lVzeJkJV69NeLk5sIEUiDQ/aQGZG97uN+tluwpbo1tPbLJkdHYETfjspOX4Pg==",
      "cpu": [
        "arm64"
      ],
@@ -253,9 +250,9 @@
      ]
    },
    "node_modules/@rspack/binding-linux-x64-gnu": {
-      "version": "2.0.0-rc.1",
-      "resolved": "https://registry.npmjs.org/@rspack/binding-linux-x64-gnu/-/binding-linux-x64-gnu-2.0.0-rc.1.tgz",
-      "integrity": "sha512-gOlPCwtIg9GsFG/8ZdUyV5SyXDaGq2kmtXmyyFU7RO33MaalltNEBMf2hevRPj9z39eSzxwgJDonMOdx5Fo0Og==",
+      "version": "2.0.1",
+      "resolved": "https://registry.npmjs.org/@rspack/binding-linux-x64-gnu/-/binding-linux-x64-gnu-2.0.1.tgz",
+      "integrity": "sha512-C13Kk0OkZiocZVj187Sf753UH6pDXnuEu6vzUvi3qv9ltibG1ki0H2Y8isXBYL2cHQOV+hk0g1S6/4z3TTB97A==",
      "cpu": [
        "x64"
      ],
@@ -270,9 +267,9 @@
      ]
    },
    "node_modules/@rspack/binding-linux-x64-musl": {
-      "version": "2.0.0-rc.1",
-      "resolved": "https://registry.npmjs.org/@rspack/binding-linux-x64-musl/-/binding-linux-x64-musl-2.0.0-rc.1.tgz",
-      "integrity": "sha512-K6Swk1rfP4z4b6bp84NlikGlUWMOPpIWCtlPr/W0TWgc2C/cd844oHdoIu7WtmOH7y9AwB5UG2bWpgFAVwykCw==",
+      "version": "2.0.1",
+      "resolved": "https://registry.npmjs.org/@rspack/binding-linux-x64-musl/-/binding-linux-x64-musl-2.0.1.tgz",
+      "integrity": "sha512-TQsiBFpEDGkuvK9tNdGj/Uc+AIytzqhxXH/1jKU6M24cWB1DTw/Cx7DdrkCBDyq3129K3POLdujvbWCGqBzQUw==",
      "cpu": [
        "x64"
      ],
@@ -287,9 +284,9 @@
      ]
    },
    "node_modules/@rspack/binding-wasm32-wasi": {
-      "version": "2.0.0-rc.1",
-      "resolved": "https://registry.npmjs.org/@rspack/binding-wasm32-wasi/-/binding-wasm32-wasi-2.0.0-rc.1.tgz",
-      "integrity": "sha512-aa9oUTqOb1QjwsHVlMr5sV+7mcBI4MLQ/xhFO2CIEcfVnJIPl8XpKUbDEgqMwcFlzcgzKmHg5cVmIvd82BLgow==",
+      "version": "2.0.1",
+      "resolved": "https://registry.npmjs.org/@rspack/binding-wasm32-wasi/-/binding-wasm32-wasi-2.0.1.tgz",
+      "integrity": "sha512-wk3gyUgBW/ayP49bI54bkY8+EQnfBHxdoe9dz3oobSTZQc8AOWwmUUDEPltW8rUvPOM6dfHECTOUMnfaf2f5yA==",
      "cpu": [
        "wasm32"
      ],
@@ -297,13 +294,15 @@
      "license": "MIT",
      "optional": true,
      "dependencies": {
-        "@napi-rs/wasm-runtime": "1.1.2"
+        "@emnapi/core": "1.10.0",
+        "@emnapi/runtime": "1.10.0",
+        "@napi-rs/wasm-runtime": "1.1.4"
      }
    },
    "node_modules/@rspack/binding-win32-arm64-msvc": {
-      "version": "2.0.0-rc.1",
-      "resolved": "https://registry.npmjs.org/@rspack/binding-win32-arm64-msvc/-/binding-win32-arm64-msvc-2.0.0-rc.1.tgz",
-      "integrity": "sha512-+UxF0c7E9bE3siFbMHi+mmoeQJzcTKl1j3x+Y6MY/PJ3V70cU23wOaxMvmSsCyq2JNJBT2RCNZ9HaL+o3kReug==",
+      "version": "2.0.1",
+      "resolved": "https://registry.npmjs.org/@rspack/binding-win32-arm64-msvc/-/binding-win32-arm64-msvc-2.0.1.tgz",
+      "integrity": "sha512-rHjLcy3VcAC3+x+PxH+gwhwv6tPe0JdXTNT5eAOs9wgZIM6T9p4wre49+K4Qy98+Fb7TTbLX0ObUitlOkGwTSA==",
      "cpu": [
        "arm64"
      ],
@@ -315,9 +314,9 @@
      ]
    },
    "node_modules/@rspack/binding-win32-ia32-msvc": {
-      "version": "2.0.0-rc.1",
-      "resolved": "https://registry.npmjs.org/@rspack/binding-win32-ia32-msvc/-/binding-win32-ia32-msvc-2.0.0-rc.1.tgz",
-      "integrity": "sha512-gc0JdkdxSWo+o/b1qTCT6mZ3DrlGe32eW+Ps3xInxcG4UHjUG7hTDgFtOgVQ6VhQ8WMUXG+TQOz0CySVpYjsoQ==",
+      "version": "2.0.1",
+      "resolved": "https://registry.npmjs.org/@rspack/binding-win32-ia32-msvc/-/binding-win32-ia32-msvc-2.0.1.tgz",
+      "integrity": "sha512-Ad1vVqMBBnd4T8rsORngu9sl2kyRTlS4kMlvFudjzl1X2UFArEDBe0YVGNN7ZvahM12CErUx2WiN8Sd8pb+qXQ==",
      "cpu": [
        "ia32"
      ],
@@ -329,9 +328,9 @@
      ]
    },
    "node_modules/@rspack/binding-win32-x64-msvc": {
-      "version": "2.0.0-rc.1",
-      "resolved": "https://registry.npmjs.org/@rspack/binding-win32-x64-msvc/-/binding-win32-x64-msvc-2.0.0-rc.1.tgz",
-      "integrity": "sha512-Dnj0jthyVUikf65MGEyZy3akshtSmR1xsp/Xr0h/NWTo5JFWHKAFNYFE+jFfY0uzC8e4IDcLQLYoFomqV1DsEg==",
+      "version": "2.0.1",
+      "resolved": "https://registry.npmjs.org/@rspack/binding-win32-x64-msvc/-/binding-win32-x64-msvc-2.0.1.tgz",
+      "integrity": "sha512-oPM2Jtm7HOlmxl/aBfleAVlL6t9VeHx6WvEets7BBJMInemFXAQd4CErRqybf7rXutACzLeUWBOue4Jpd1/ykw==",
      "cpu": [
        "x64"
      ],
@@ -343,13 +342,13 @@
      ]
    },
    "node_modules/@rspack/core": {
-      "version": "2.0.0-rc.1",
-      "resolved": "https://registry.npmjs.org/@rspack/core/-/core-2.0.0-rc.1.tgz",
-      "integrity": "sha512-OIfkYn05/IWtVIdZ8Y/a0y/k4ipzqfApxIZqnJM59G/bGwQKMBrLHpOMGgV2Wmq1j9UMXzF7ZtsFMUbYBhFb9A==",
+      "version": "2.0.1",
+      "resolved": "https://registry.npmjs.org/@rspack/core/-/core-2.0.1.tgz",
+      "integrity": "sha512-lgfZiExh8kDR/3obgi3RQKwKG5av1Xf5qDN1aVde777W9pbmx0Pqvrww1qtNvJ+gobEjbrrn5HEZWYGe0VLmcA==",
      "dev": true,
      "license": "MIT",
      "dependencies": {
-        "@rspack/binding": "2.0.0-rc.1"
+        "@rspack/binding": "2.0.1"
      },
      "engines": {
        "node": "^20.19.0 || >=22.12.0"
@@ -368,36 +367,33 @@
      }
    },
    "node_modules/@rspack/plugin-react-refresh": {
-      "version": "1.6.2",
-      "resolved": "https://registry.npmjs.org/@rspack/plugin-react-refresh/-/plugin-react-refresh-1.6.2.tgz",
-      "integrity": "sha512-k+/VrfTNgo+KirjI6V+8CWRj6y+DH9jOUWv8JorYY4vKf/9xfnZ8xHzuB4iqCwTtoZl9YnxOaOuoyjJipc2tiQ==",
+      "version": "2.0.0",
+      "resolved": "https://registry.npmjs.org/@rspack/plugin-react-refresh/-/plugin-react-refresh-2.0.0.tgz",
+      "integrity": "sha512-Cf6CxBStNDJbiXMc/GmsvG1G8PRlUpa0MSfWsMTI+e8npzuTN/p8nwLs3shriBZOLciqgkSZpBtPTd10BLpj1g==",
      "dev": true,
      "license": "MIT",
-      "dependencies": {
-        "error-stack-parser": "^2.1.4"
-      },
      "peerDependencies": {
-        "react-refresh": ">=0.10.0 <1.0.0",
-        "webpack-hot-middleware": "2.x"
+        "@rspack/core": "^2.0.0-0",
+        "react-refresh": ">=0.10.0 <1.0.0"
      },
      "peerDependenciesMeta": {
-        "webpack-hot-middleware": {
+        "@rspack/core": {
          "optional": true
        }
      }
    },
    "node_modules/@rspress/core": {
-      "version": "2.0.9",
-      "resolved": "https://registry.npmjs.org/@rspress/core/-/core-2.0.9.tgz",
-      "integrity": "sha512-cfbqqbWtdimrWIsfeyPnQOTKwJpdNLr8VnwLIL4JYC2ZcRq+xcInpszLXVpV86nONL6qI19usr2Or7uzZJ+ynA==",
+      "version": "2.0.10",
+      "resolved": "https://registry.npmjs.org/@rspress/core/-/core-2.0.10.tgz",
+      "integrity": "sha512-DvoV7YUW538x0CVAGyYPKfjUHgEuq7Z8LZq1cpfUgBpA1DynFUK3Ls6spvdoAHAl3l0AN+xxOHpu/sRVhzqi/A==",
      "dev": true,
      "license": "MIT",
      "dependencies": {
        "@mdx-js/mdx": "^3.1.1",
        "@mdx-js/react": "^3.1.1",
-        "@rsbuild/core": "2.0.0-rc.1",
-        "@rsbuild/plugin-react": "~1.4.6",
-        "@rspress/shared": "2.0.9",
+        "@rsbuild/core": "^2.0.2",
+        "@rsbuild/plugin-react": "~2.0.0",
+        "@rspress/shared": "2.0.10",
        "@shikijs/rehype": "^4.0.2",
        "@types/unist": "^3.0.3",
        "@unhead/react": "^2.1.13",
@@ -411,8 +407,8 @@
        "mdast-util-mdxjs-esm": "^2.0.1",
        "medium-zoom": "1.1.0",
        "nprogress": "^0.2.0",
-        "react": "^19.2.4",
-        "react-dom": "^19.2.4",
+        "react": "^19.2.5",
+        "react-dom": "^19.2.5",
        "react-lazy-with-preload": "^2.2.1",
        "react-reconciler": "0.33.0",
        "react-render-to-markdown": "19.0.1",
@@ -440,39 +436,39 @@
      }
    },
    "node_modules/@rspress/plugin-client-redirects": {
-      "version": "2.0.9",
-      "resolved": "https://registry.npmjs.org/@rspress/plugin-client-redirects/-/plugin-client-redirects-2.0.9.tgz",
-      "integrity": "sha512-r2GyHzOSt8CeS4UIsy/cPM5Zotekt1JVQFmgOYGapvll5ktUlVcd77HLtXDbZjtpgtj0XlaMLrXueOpV2gsBoQ==",
+      "version": "2.0.10",
+      "resolved": "https://registry.npmjs.org/@rspress/plugin-client-redirects/-/plugin-client-redirects-2.0.10.tgz",
+      "integrity": "sha512-ImOm3h/cbXiJXIvpwv3Wn9rM91xgdhKbD2WX+WlMlWO4AtQfKR4XFrVhIZZAkrt09eeotRIklA7nu8Nuzzzbsw==",
      "dev": true,
      "license": "MIT",
      "engines": {
        "node": "^20.19.0 || >=22.12.0"
      },
      "peerDependencies": {
-        "@rspress/core": "^2.0.9"
+        "@rspress/core": "^2.0.10"
      }
    },
    "node_modules/@rspress/plugin-sitemap": {
-      "version": "2.0.9",
-      "resolved": "https://registry.npmjs.org/@rspress/plugin-sitemap/-/plugin-sitemap-2.0.9.tgz",
-      "integrity": "sha512-GTuXuySaeaazUZoUxdk2vZ8p0ehIgulPjCP9C7gDg6lIh5JGpUbcjG4def4tWHsxUoKp2rIwu/93bHwKb8T0Mw==",
+      "version": "2.0.10",
+      "resolved": "https://registry.npmjs.org/@rspress/plugin-sitemap/-/plugin-sitemap-2.0.10.tgz",
+      "integrity": "sha512-PZLig9+OlnyLcy6x9BlEqWSRef6TzDWB6Dlh2/hY41FtKlhyb7d7U56RGlLselWaQV54SHVa6H/y611A56ZI2g==",
      "dev": true,
      "license": "MIT",
      "engines": {
        "node": "^20.19.0 || >=22.12.0"
      },
      "peerDependencies": {
-        "@rspress/core": "^2.0.9"
+        "@rspress/core": "^2.0.10"
      }
    },
    "node_modules/@rspress/shared": {
-      "version": "2.0.9",
-      "resolved": "https://registry.npmjs.org/@rspress/shared/-/shared-2.0.9.tgz",
-      "integrity": "sha512-G48n3pC7AVAR58pLqwClUCYj5Nt7ZgYEStR8VTBGFuPgXtzb3+KPfo/gz0hb6wxdKJ1cL5ohPsZ6EXqllu6lew==",
+      "version": "2.0.10",
+      "resolved": "https://registry.npmjs.org/@rspress/shared/-/shared-2.0.10.tgz",
+      "integrity": "sha512-Kx10OAHWqi2jvW7ScmBUbkGjnwv4E6rEoelUchcL8It8nQ4nAVk0xvvES7m64knEon55zDbs8JQumCjbHu801Q==",
      "dev": true,
      "license": "MIT",
      "dependencies": {
-        "@rsbuild/core": "2.0.0-rc.1",
+        "@rsbuild/core": "^2.0.2",
        "@shikijs/rehype": "^4.0.2",
        "unified": "^11.0.5"
      }
@@ -972,16 +968,6 @@
        "url": "https://github.com/fb55/entities?sponsor=1"
      }
    },
-    "node_modules/error-stack-parser": {
-      "version": "2.1.4",
-      "resolved": "https://registry.npmjs.org/error-stack-parser/-/error-stack-parser-2.1.4.tgz",
-      "integrity": "sha512-Sk5V6wVazPhq5MhpO+AUxJn5x7XSXGl1R93Vn7i+zS15KDVxQijejNCrz8340/2bgLBjR9GtEG8ZVKONDjcqGQ==",
-      "dev": true,
-      "license": "MIT",
-      "dependencies": {
-        "stackframe": "^1.3.4"
-      }
-    },
    "node_modules/esast-util-from-estree": {
      "version": "2.0.0",
      "resolved": "https://registry.npmjs.org/esast-util-from-estree/-/esast-util-from-estree-2.0.0.tgz",
@@ -1413,9 +1399,9 @@
      }
    },
    "node_modules/hookable": {
-      "version": "6.1.0",
-      "resolved": "https://registry.npmjs.org/hookable/-/hookable-6.1.0.tgz",
-      "integrity": "sha512-ZoKZSJgu8voGK2geJS+6YtYjvIzu9AOM/KZXsBxr83uhLL++e9pEv/dlgwgy3dvHg06kTz6JOh1hk3C8Ceiymw==",
+      "version": "6.1.1",
+      "resolved": "https://registry.npmjs.org/hookable/-/hookable-6.1.1.tgz",
+      "integrity": "sha512-U9LYDy1CwhMCnprUfeAZWZGByVbhd54hwepegYTK7Pi5NvqEj63ifz5z+xukznehT7i6NIZRu89Ay1AZmRsLEQ==",
      "dev": true,
      "license": "MIT"
    },
@@ -2697,20 +2683,20 @@
      "license": "MIT"
    },
    "node_modules/oniguruma-parser": {
-      "version": "0.12.1",
-      "resolved": "https://registry.npmjs.org/oniguruma-parser/-/oniguruma-parser-0.12.1.tgz",
-      "integrity": "sha512-8Unqkvk1RYc6yq2WBYRj4hdnsAxVze8i7iPfQr8e4uSP3tRv0rpZcbGUDvxfQQcdwHt/e9PrMvGCsa8OqG9X3w==",
+      "version": "0.12.2",
+      "resolved": "https://registry.npmjs.org/oniguruma-parser/-/oniguruma-parser-0.12.2.tgz",
+      "integrity": "sha512-6HVa5oIrgMC6aA6WF6XyyqbhRPJrKR02L20+2+zpDtO5QAzGHAUGw5TKQvwi5vctNnRHkJYmjAhRVQF2EKdTQw==",
      "dev": true,
      "license": "MIT"
    },
    "node_modules/oniguruma-to-es": {
-      "version": "4.3.5",
-      "resolved": "https://registry.npmjs.org/oniguruma-to-es/-/oniguruma-to-es-4.3.5.tgz",
-      "integrity": "sha512-Zjygswjpsewa0NLTsiizVuMQZbp0MDyM6lIt66OxsF21npUDlzpHi1Mgb/qhQdkb+dWFTzJmFbEWdvZgRho8eQ==",
+      "version": "4.3.6",
+      "resolved": "https://registry.npmjs.org/oniguruma-to-es/-/oniguruma-to-es-4.3.6.tgz",
+      "integrity": "sha512-csuQ9x3Yr0cEIs/Zgx/OEt9iBw9vqIunAPQkx19R/fiMq2oGVTgcMqO/V3Ybqefr1TBvosI6jU539ksaBULJyA==",
      "dev": true,
      "license": "MIT",
      "dependencies": {
-        "oniguruma-parser": "^0.12.1",
+        "oniguruma-parser": "^0.12.2",
        "regex": "^6.1.0",
        "regex-recursion": "^6.0.2"
      }
@@ -2836,9 +2822,9 @@
      }
    },
    "node_modules/react-router": {
-      "version": "7.14.0",
-      "resolved": "https://registry.npmjs.org/react-router/-/react-router-7.14.0.tgz",
-      "integrity": "sha512-m/xR9N4LQLmAS0ZhkY2nkPA1N7gQ5TUVa5n8TgANuDTARbn1gt+zLPXEm7W0XDTbrQ2AJSJKhoa6yx1D8BcpxQ==",
+      "version": "7.14.2",
+      "resolved": "https://registry.npmjs.org/react-router/-/react-router-7.14.2.tgz",
+      "integrity": "sha512-yCqNne6I8IB6rVCH7XUvlBK7/QKyqypBFGv+8dj4QBFJiiRX+FG7/nkdAvGElyvVZ/HQP5N19wzteuTARXi5Gw==",
      "dev": true,
      "license": "MIT",
      "dependencies": {
@@ -2859,13 +2845,13 @@
      }
    },
    "node_modules/react-router-dom": {
-      "version": "7.14.0",
-      "resolved": "https://registry.npmjs.org/react-router-dom/-/react-router-dom-7.14.0.tgz",
-      "integrity": "sha512-2G3ajSVSZMEtmTjIklRWlNvo8wICEpLihfD/0YMDxbWK2UyP5EGfnoIn9AIQGnF3G/FX0MRbHXdFcD+rL1ZreQ==",
+      "version": "7.14.2",
+      "resolved": "https://registry.npmjs.org/react-router-dom/-/react-router-dom-7.14.2.tgz",
+      "integrity": "sha512-YZcM5ES8jJSM+KrJ9BdvHHqlnGTg5tH3sC5ChFRj4inosKctdyzBDhOyyHdGk597q2OT6NTrCA1OvB/YDwfekQ==",
      "dev": true,
      "license": "MIT",
      "dependencies": {
-        "react-router": "7.14.0"
+        "react-router": "7.14.2"
      },
      "engines": {
        "node": ">=20.0.0"
@@ -3218,13 +3204,6 @@
        "url": "https://github.com/sponsors/wooorm"
      }
    },
-    "node_modules/stackframe": {
-      "version": "1.3.4",
-      "resolved": "https://registry.npmjs.org/stackframe/-/stackframe-1.3.4.tgz",
-      "integrity": "sha512-oeVtt7eWQS+Na6F//S4kJ2K2VbRlS9D43mAlMyVpVWovy9o+jfgH8O9agzANzaiLjclA0oYzUXEM4PurhSUChw==",
-      "dev": true,
-      "license": "MIT"
-    },
    "node_modules/stringify-entities": {
      "version": "4.0.4",
      "resolved": "https://registry.npmjs.org/stringify-entities/-/stringify-entities-4.0.4.tgz",
@@ -6,7 +6,9 @@ ### Installation

 To add the Continuwuation apt repository:
 ```bash
-# Replace with `"dev"` for bleeding-edge builds at your own risk
+# Component `"stable"` contains all tagged releases. Use `"stable unstable"` to additionally include all pre-releases (alpha, beta, rc,...)
+# Replace with `"dev"` for bleeding-edge builds at your own risk, these contain
+# automatic nightly builds and might or might not work.
 export COMPONENT="stable"
 # Import the Continuwuation signing key
 sudo curl https://forgejo.ellis.link/api/packages/continuwuation/debian/repository.key -o /etc/apt/keyrings/forgejo-continuwuation.asc
@@ -20,7 +20,11 @@ export default defineConfig({
                    '/deploying/docker-compose.for-traefik.yml',
                    '/deploying/docker-compose.with-traefik.yml',
                    `/deploying/docker-compose.override.yml`,
-                    `/deploying/docker-compose.yml`
+                    `/deploying/docker-compose.yml`,
+                    '/advanced/delegated.docker-compose.with-caddy.yml',
+                    '/advanced/delegated.docker-compose.with-caddy-labels.yml',
+                    '/advanced/delegated.docker-compose.for-traefik.yml',
+                    '/advanced/delegated.docker-compose.with-traefik.yml',
                ]
            },
        },
@@ -81,9 +81,11 @@ conduwuit-macros.workspace = true
 conduwuit-service.workspace = true
 const-str.workspace = true
 ctor.workspace = true
+dtor.workspace = true
 futures.workspace = true
 lettre.workspace = true
 log.workspace = true
+assign.workspace = true
 ruma.workspace = true
 serde_json.workspace = true
 serde-saphyr.workspace = true
@@ -7,7 +7,7 @@
 #[implement(Context, params = "<'_>")]
 pub(super) async fn check_all_users(&self) -> Result {
 	let timer = tokio::time::Instant::now();
-	let users = self.services.users.iter().collect::<Vec<_>>().await;
+	let users = self.services.users.stream().collect::<Vec<_>>().await;
 	let query_time = timer.elapsed();

 	let total = users.len();
@@ -79,12 +79,14 @@ pub(super) async fn parse_pdu(&self) -> Result {
 	}

 	let string = self.body[1..self.body.len().saturating_sub(1)].join("\n");
+	let room_version_rules = RoomVersionId::V12.rules().unwrap();
+
 	match serde_json::from_str(&string) {
 		| Err(e) => return Err!("Invalid json in command body: {e}"),
-		| Ok(value) => match ruma::signatures::reference_hash(&value, &RoomVersionId::V6) {
+		| Ok(value) => match ruma::signatures::reference_hash(&value, &room_version_rules) {
 			| Err(e) => return Err!("Could not parse PDU JSON: {e:?}"),
 			| Ok(hash) => {
-				let event_id = OwnedEventId::parse(format!("${hash}"));
+				let event_id = EventId::parse(format!("${hash}"));
 				match serde_json::from_value::<PduEvent>(serde_json::to_value(value)?) {
 					| Err(e) => return Err!("EventId: {event_id:?}\nCould not parse event: {e}"),
 					| Ok(pdu) => write!(self, "EventId: {event_id:?}\n{pdu:#?}"),
@@ -119,7 +121,7 @@ pub(super) async fn get_pdu(&self, event_id: OwnedEventId) -> Result {
 			} else {
 				"PDU found in our database"
 			};
-			write!(self, "{msg}\n```json\n{text}\n```",)
+			write!(self, "{msg}\n```json\n{text}\n```")
 		},
 	}
 	.await
@@ -187,10 +189,7 @@ pub(super) async fn get_remote_pdu_list(&self, server: OwnedServerName, force: b

 	for event_id in list {
 		if force {
-			match self
-				.get_remote_pdu(event_id.to_owned(), server.clone())
-				.await
-			{
+			match self.get_remote_pdu(event_id.clone(), server.clone()).await {
 				| Err(e) => {
 					failed_count = failed_count.saturating_add(1);
 					self.services
@@ -205,7 +204,7 @@ pub(super) async fn get_remote_pdu_list(&self, server: OwnedServerName, force: b
 				},
 			}
 		} else {
-			self.get_remote_pdu(event_id.to_owned(), server.clone())
+			self.get_remote_pdu(event_id.clone(), server.clone())
 				.await?;
 			success_count = success_count.saturating_add(1);
 		}
@@ -237,10 +236,10 @@ pub(super) async fn get_remote_pdu(
 	match self
 		.services
 		.sending
-		.send_federation_request(&server, ruma::api::federation::event::get_event::v1::Request {
-			event_id: event_id.clone(),
-			include_unredacted_content: None,
-		})
+		.send_federation_request(
+			&server,
+			ruma::api::federation::event::get_event::v1::Request::new(event_id.clone()),
+		)
 		.await
 	{
 		| Err(e) => {
@@ -330,9 +329,9 @@ pub(super) async fn ping(&self, server: OwnedServerName) -> Result {
 	match self
 		.services
 		.sending
-		.send_federation_request(
+		.send_unauthenticated_request(
 			&server,
-			ruma::api::federation::discovery::get_server_version::v1::Request {},
+			ruma::api::federation::discovery::get_server_version::v1::Request::new(),
 		)
 		.await
 	{
@@ -361,7 +360,7 @@ pub(super) async fn force_device_list_updates(&self) -> Result {
 	self.services
 		.users
 		.stream()
-		.for_each(|user_id| self.services.users.mark_device_key_update(user_id))
+		.for_each(async |user_id| self.services.users.mark_device_key_update(&user_id).await)
 		.await;

 	write!(self, "Marked all devices for all users as having new keys to update").await
@@ -430,9 +429,16 @@ pub(super) async fn verify_json(&self) -> Result {
 	}

 	let string = self.body[1..self.body.len().checked_sub(1).unwrap()].join("\n");
+	let room_version_rules = RoomVersionId::V12.rules().unwrap();
+
 	match serde_json::from_str::<CanonicalJsonObject>(&string) {
 		| Err(e) => return Err!("Invalid json: {e}"),
-		| Ok(value) => match self.services.server_keys.verify_json(&value, None).await {
+		| Ok(value) => match self
+			.services
+			.server_keys
+			.verify_json(&value, &room_version_rules)
+			.await
+		{
 			| Err(e) => return Err!("Signature verification failed: {e}"),
 			| Ok(()) => write!(self, "Signature correct"),
 		},
@@ -445,9 +451,15 @@ pub(super) async fn verify_pdu(&self, event_id: OwnedEventId) -> Result {
 	use ruma::signatures::Verified;

 	let mut event = self.services.rooms.timeline.get_pdu_json(&event_id).await?;
+	let room_version_rules = RoomVersionId::V12.rules().unwrap();

 	event.remove("event_id");
-	let msg = match self.services.server_keys.verify_event(&event, None).await {
+	let msg = match self
+		.services
+		.server_keys
+		.verify_event(&event, &room_version_rules)
+		.await
+	{
 		| Err(e) => return Err(e),
 		| Ok(Verified::Signatures) => "signatures OK, but content hash failed (redaction).",
 		| Ok(Verified::All) => "signatures and hashes OK.",
@@ -544,16 +556,17 @@ pub(super) async fn force_set_room_state_from_server(
 	};

 	let room_version = self.services.rooms.state.get_room_version(&room_id).await?;
+	let room_version_rules = room_version.rules().unwrap();

 	let mut state: HashMap<u64, OwnedEventId> = HashMap::new();

 	let remote_state_response = self
 		.services
 		.sending
-		.send_federation_request(&server_name, get_room_state::v1::Request {
-			room_id: room_id.clone(),
-			event_id: at_event_id,
-		})
+		.send_federation_request(
+			&server_name,
+			get_room_state::v1::Request::new(at_event_id, room_id.clone()),
+		)
 		.await?;

 	for pdu in remote_state_response.pdus.clone() {
@@ -576,7 +589,7 @@ pub(super) async fn force_set_room_state_from_server(
 	for result in remote_state_response.pdus.iter().map(|pdu| {
 		self.services
 			.server_keys
-			.validate_and_add_event_id(pdu, &room_version)
+			.validate_and_add_event_id(pdu, &room_version_rules)
 	}) {
 		let Ok((event_id, value)) = result.await else {
 			continue;
@@ -608,7 +621,7 @@ pub(super) async fn force_set_room_state_from_server(
 	for result in remote_state_response.auth_chain.iter().map(|pdu| {
 		self.services
 			.server_keys
-			.validate_and_add_event_id(pdu, &room_version)
+			.validate_and_add_event_id(pdu, &room_version_rules)
 	}) {
 		let Ok((event_id, value)) = result.await else {
 			continue;
@@ -625,7 +638,7 @@ pub(super) async fn force_set_room_state_from_server(
 		.services
 		.rooms
 		.event_handler
-		.resolve_state(&room_id, &room_version, state)
+		.resolve_state(&room_id, &room_version_rules, state)
 		.await?;

 	info!("Compressing new room state");
@@ -111,7 +111,7 @@ pub(super) async fn remote_user_in_rooms(&self, user_id: OwnedUserId) -> Result
 		.rooms
 		.state_cache
 		.rooms_joined(&user_id)
-		.then(|room_id| get_room_info(self.services, room_id))
+		.then(async |room_id| get_room_info(self.services, &room_id).await)
 		.collect()
 		.await;

@@ -129,6 +129,6 @@ pub(super) async fn remote_user_in_rooms(&self, user_id: OwnedUserId) -> Result
 		.collect::<Vec<_>>()
 		.join("\n");

-	self.write_str(&format!("Rooms {user_id} shares with us ({num}):\n```\n{body}\n```",))
+	self.write_str(&format!("Rooms {user_id} shares with us ({num}):\n```\n{body}\n```"))
 		.await
 }
@@ -6,7 +6,8 @@
 	warn,
 };
 use conduwuit_service::media::Dim;
-use ruma::{Mxc, OwnedEventId, OwnedMxcUri, OwnedServerName};
+use ruma::{OwnedEventId, OwnedMxcUri, OwnedServerName};
+use service::media::mxc::Mxc;

 use crate::{admin_command, utils::parse_local_user_id};

@@ -261,7 +262,7 @@ pub(super) async fn delete_past_remote_media(
 		)
 		.await?;

-	self.write_str(&format!("Deleted {deleted_count} total files.",))
+	self.write_str(&format!("Deleted {deleted_count} total files."))
 		.await
 }

@@ -271,7 +272,7 @@ pub(super) async fn delete_all_from_user(&self, username: String) -> Result {

 	let deleted_count = self.services.media.delete_from_user(&user_id).await?;

-	self.write_str(&format!("Deleted {deleted_count} total files.",))
+	self.write_str(&format!("Deleted {deleted_count} total files."))
 		.await
 }

@@ -330,7 +331,7 @@ pub(super) async fn delete_all_from_server(
 		}
 	}

-	self.write_str(&format!("Deleted {deleted_count} total files.",))
+	self.write_str(&format!("Deleted {deleted_count} total files."))
 		.await
 }

@@ -16,8 +16,8 @@
 use ruma::{
 	EventId,
 	events::{
-		relation::InReplyTo,
-		room::message::{Relation::Reply, RoomMessageEventContent},
+		relation::{InReplyTo, Reply},
+		room::message::{Relation, RoomMessageEventContent},
 	},
 };
 use service::{
@@ -38,6 +38,7 @@ pub(super) fn dispatch(services: Arc<Services>, command: CommandInput) -> Proces
 }

 #[tracing::instrument(skip_all, name = "admin", level = "info")]
+#[allow(clippy::result_large_err)]
 async fn handle_command(services: Arc<Services>, command: CommandInput) -> ProcessorResult {
 	AssertUnwindSafe(Box::pin(process_command(services, &command)))
 		.catch_unwind()
@@ -277,9 +278,8 @@ fn reply(
 	mut content: RoomMessageEventContent,
 	reply_id: Option<&EventId>,
 ) -> RoomMessageEventContent {
-	content.relates_to = reply_id.map(|event_id| Reply {
-		in_reply_to: InReplyTo { event_id: event_id.to_owned() },
-	});
+	content.relates_to =
+		reply_id.map(|event_id| Relation::Reply(Reply::new(InReplyTo::new(event_id.to_owned()))));

 	content
 }
@@ -50,7 +50,7 @@ async fn destinations_cache(&self, server_name: Option<OwnedServerName>) -> Resu

 	while let Some((name, CachedDest { dest, host, expire })) = destinations.next().await {
 		if let Some(server_name) = server_name.as_ref() {
-			if name != server_name {
+			if name != *server_name {
 				continue;
 			}
 		}
@@ -76,7 +76,7 @@ async fn overrides_cache(&self, server_name: Option<String>) -> Result {
 		overrides.next().await
 	{
 		if let Some(server_name) = server_name.as_ref() {
-			if name != server_name {
+			if name != *server_name {
 				continue;
 			}
 		}
@@ -41,7 +41,6 @@ pub(super) async fn process(subcommand: RoomAliasCommand, context: &Context<'_>)
 				.rooms
 				.alias
 				.local_aliases_for_room(&room_id)
-				.map(ToOwned::to_owned)
 				.collect()
 				.await;
 			let query_time = timer.elapsed();
@@ -54,7 +53,7 @@ pub(super) async fn process(subcommand: RoomAliasCommand, context: &Context<'_>)
 				.rooms
 				.alias
 				.all_local_aliases()
-				.map(|(room_id, alias)| (room_id.to_owned(), alias.to_owned()))
+				.map(|(room_id, alias)| (room_id, alias.to_owned()))
 				.collect::<Vec<_>>()
 				.await;
 			let query_time = timer.elapsed();
@@ -101,7 +101,6 @@ pub(super) async fn process(subcommand: RoomStateCacheCommand, context: &Context
 				.rooms
 				.state_cache
 				.room_servers(&room_id)
-				.map(ToOwned::to_owned)
 				.collect()
 				.await;
 			let query_time = timer.elapsed();
@@ -118,7 +117,6 @@ pub(super) async fn process(subcommand: RoomStateCacheCommand, context: &Context
 				.rooms
 				.state_cache
 				.server_rooms(&server)
-				.map(ToOwned::to_owned)
 				.collect()
 				.await;
 			let query_time = timer.elapsed();
@@ -135,7 +133,6 @@ pub(super) async fn process(subcommand: RoomStateCacheCommand, context: &Context
 				.rooms
 				.state_cache
 				.room_members(&room_id)
-				.map(ToOwned::to_owned)
 				.collect()
 				.await;
 			let query_time = timer.elapsed();
@@ -152,7 +149,6 @@ pub(super) async fn process(subcommand: RoomStateCacheCommand, context: &Context
 				.rooms
 				.state_cache
 				.local_users_in_room(&room_id)
-				.map(ToOwned::to_owned)
 				.collect()
 				.await;
 			let query_time = timer.elapsed();
@@ -169,7 +165,6 @@ pub(super) async fn process(subcommand: RoomStateCacheCommand, context: &Context
 				.rooms
 				.state_cache
 				.active_local_users_in_room(&room_id)
-				.map(ToOwned::to_owned)
 				.collect()
 				.await;
 			let query_time = timer.elapsed();
@@ -212,7 +207,6 @@ pub(super) async fn process(subcommand: RoomStateCacheCommand, context: &Context
 				.rooms
 				.state_cache
 				.room_useroncejoined(&room_id)
-				.map(ToOwned::to_owned)
 				.collect()
 				.await;
 			let query_time = timer.elapsed();
@@ -229,7 +223,6 @@ pub(super) async fn process(subcommand: RoomStateCacheCommand, context: &Context
 				.rooms
 				.state_cache
 				.room_members_invited(&room_id)
-				.map(ToOwned::to_owned)
 				.collect()
 				.await;
 			let query_time = timer.elapsed();
@@ -276,7 +269,6 @@ pub(super) async fn process(subcommand: RoomStateCacheCommand, context: &Context
 				.rooms
 				.state_cache
 				.rooms_joined(&user_id)
-				.map(ToOwned::to_owned)
 				.collect()
 				.await;
 			let query_time = timer.elapsed();
@@ -104,7 +104,6 @@ async fn get_shared_rooms(&self, user_a: OwnedUserId, user_b: OwnedUserId) -> Re
 		.rooms
 		.state_cache
 		.get_shared_rooms(&user_a, &user_b)
-		.map(ToOwned::to_owned)
 		.collect()
 		.await;
 	let query_time = timer.elapsed();
@@ -217,8 +216,7 @@ async fn iter_users2(&self) -> Result {
 	let result: Vec<_> = self.services.users.stream().collect().await;
 	let result: Vec<_> = result
 		.into_iter()
-		.map(ruma::UserId::as_bytes)
-		.map(String::from_utf8_lossy)
+		.map(|user_id| String::from_utf8_lossy(user_id.as_bytes()).into_owned())
 		.collect();

 	let query_time = timer.elapsed();
@@ -254,7 +252,6 @@ async fn list_devices(&self, user_id: OwnedUserId) -> Result {
 		.services
 		.users
 		.all_device_ids(&user_id)
-		.map(ToOwned::to_owned)
 		.collect::<Vec<_>>()
 		.await;

@@ -3,7 +3,7 @@
 use clap::Subcommand;
 use conduwuit::{Err, Result};
 use futures::StreamExt;
-use ruma::{OwnedRoomAliasId, OwnedRoomId};
+use ruma::{OwnedRoomAliasId, OwnedRoomId, RoomAliasId};

 use crate::Context;

@@ -52,7 +52,7 @@ pub(super) async fn process(command: RoomAliasCommand, context: &Context<'_>) ->
 		| RoomAliasCommand::Which { ref room_alias_localpart } => {
 			let room_alias_str =
 				format!("#{}:{}", room_alias_localpart, services.globals.server_name());
-			let room_alias = match OwnedRoomAliasId::parse(room_alias_str) {
+			let room_alias = match RoomAliasId::parse(room_alias_str) {
 				| Ok(alias) => alias,
 				| Err(err) => {
 					return Err!("Failed to parse alias: {err}");
@@ -139,7 +139,7 @@ pub(super) async fn process(command: RoomAliasCommand, context: &Context<'_>) ->
 					.rooms
 					.alias
 					.all_local_aliases()
-					.map(|(room_id, localpart)| (room_id.into(), localpart.into()))
+					.map(|(room_id, localpart)| (room_id, localpart.into()))
 					.collect::<Vec<(OwnedRoomId, String)>>()
 					.await;

@@ -22,14 +22,14 @@ pub(super) async fn list_rooms(
 		.metadata
 		.iter_ids()
 		.filter_map(|room_id| async move {
-			(!exclude_disabled || !self.services.rooms.metadata.is_disabled(room_id).await)
+			(!exclude_disabled || !self.services.rooms.metadata.is_disabled(&room_id).await)
 				.then_some(room_id)
 		})
 		.filter_map(|room_id| async move {
-			(!exclude_banned || !self.services.rooms.metadata.is_banned(room_id).await)
+			(!exclude_banned || !self.services.rooms.metadata.is_banned(&room_id).await)
 				.then_some(room_id)
 		})
-		.then(|room_id| get_room_info(self.services, room_id))
+		.then(async |room_id| get_room_info(self.services, &room_id).await)
 		.then(|(room_id, total_members, name)| async move {
 			let local_members: Vec<_> = self
 				.services
@@ -72,7 +72,7 @@ pub(super) async fn list_rooms(
 		.collect::<Vec<_>>()
 		.join("\n");

-	self.write_str(&format!("Rooms ({}):\n```\n{body}\n```", rooms.len(),))
+	self.write_str(&format!("Rooms ({}):\n```\n{body}\n```", rooms.len()))
 		.await
 }

@@ -43,7 +43,7 @@ pub(super) async fn process(command: RoomDirectoryCommand, context: &Context<'_>
 				.rooms
 				.directory
 				.public_rooms()
-				.then(|room_id| get_room_info(services, room_id))
+				.then(async |room_id| get_room_info(services, &room_id).await)
 				.collect()
 				.await;

@@ -67,7 +67,7 @@ pub(super) async fn process(command: RoomDirectoryCommand, context: &Context<'_>
 				.join("\n");

 			context
-				.write_str(&format!("Rooms (page {page}):\n```\n{body}\n```",))
+				.write_str(&format!("Rooms (page {page}):\n```\n{body}\n```"))
 				.await
 		},
 	}
@@ -46,7 +46,6 @@ async fn list_joined_members(&self, room_id: OwnedRoomId, local_only: bool) -> R
 				.then(|| self.services.globals.user_is_local(user_id))
 				.unwrap_or(true)
 		})
-		.map(ToOwned::to_owned)
 		.filter_map(|user_id| async move {
 			Some((
 				self.services
@@ -67,7 +66,7 @@ async fn list_joined_members(&self, room_id: OwnedRoomId, local_only: bool) -> R
 		.collect::<Vec<_>>()
 		.join("\n");

-	self.write_str(&format!("{num} Members in Room \"{room_name}\":\n```\n{body}\n```",))
+	self.write_str(&format!("{num} Members in Room \"{room_name}\":\n```\n{body}\n```"))
 		.await
 }

@@ -71,7 +71,7 @@ async fn ban_room(&self, room: OwnedRoomOrAliasId) -> Result {

 		debug!("Room specified is a room ID, banning room ID");

-		room_id.to_owned()
+		room_id.clone()
 	} else if room.is_room_alias_id() {
 		let room_alias = match RoomAliasId::parse(&room) {
 			| Ok(room_alias) => room_alias,
@@ -89,7 +89,7 @@ async fn ban_room(&self, room: OwnedRoomOrAliasId) -> Result {
 			 locally, if not using get_alias_helper to fetch room ID remotely"
 		);

-		match self.services.rooms.alias.resolve_alias(room_alias).await {
+		match self.services.rooms.alias.resolve_alias(&room_alias).await {
 			| Ok((room_id, servers)) => {
 				debug!(
 					%room_id,
@@ -116,7 +116,6 @@ async fn ban_room(&self, room: OwnedRoomOrAliasId) -> Result {
 		.rooms
 		.state_cache
 		.room_members(&room_id)
-		.map(ToOwned::to_owned)
 		.ready_filter(|user| self.services.globals.user_is_local(user))
 		.boxed();

@@ -140,7 +139,6 @@ async fn ban_room(&self, room: OwnedRoomOrAliasId) -> Result {
 		.rooms
 		.alias
 		.local_aliases_for_room(&room_id)
-		.map(ToOwned::to_owned)
 		.for_each(|local_alias| async move {
 			self.services
 				.rooms
@@ -205,7 +203,7 @@ async fn ban_list_of_rooms(&self) -> Result {
 						},
 					};

-					room_ids.push(room_id.to_owned());
+					room_ids.push(room_id.clone());
 				}

 				if room_alias_or_id.is_room_alias_id() {
@@ -215,7 +213,7 @@ async fn ban_list_of_rooms(&self) -> Result {
 								.services
 								.rooms
 								.alias
-								.resolve_local_alias(room_alias)
+								.resolve_local_alias(&room_alias)
 								.await
 							{
 								| Ok(room_id) => room_id,
@@ -229,7 +227,7 @@ async fn ban_list_of_rooms(&self) -> Result {
 										.services
 										.rooms
 										.alias
-										.resolve_alias(room_alias)
+										.resolve_alias(&room_alias)
 										.await
 									{
 										| Ok((room_id, servers)) => {
@@ -284,7 +282,6 @@ async fn ban_list_of_rooms(&self) -> Result {
 			.rooms
 			.state_cache
 			.room_members(&room_id)
-			.map(ToOwned::to_owned)
 			.ready_filter(|user| self.services.globals.user_is_local(user))
 			.boxed();

@@ -309,7 +306,6 @@ async fn ban_list_of_rooms(&self) -> Result {
 			.rooms
 			.alias
 			.local_aliases_for_room(&room_id)
-			.map(ToOwned::to_owned)
 			.for_each(|local_alias| async move {
 				self.services
 					.rooms
@@ -348,9 +344,9 @@ async fn unban_room(&self, room: OwnedRoomOrAliasId) -> Result {
 		};

 		debug!("Room specified is a room ID, unbanning room ID");
-		self.services.rooms.metadata.ban_room(room_id, false);
+		self.services.rooms.metadata.ban_room(&room_id, false);

-		room_id.to_owned()
+		room_id.clone()
 	} else if room.is_room_alias_id() {
 		let room_alias = match RoomAliasId::parse(&room) {
 			| Ok(room_alias) => room_alias,
@@ -372,7 +368,7 @@ async fn unban_room(&self, room: OwnedRoomOrAliasId) -> Result {
 			.services
 			.rooms
 			.alias
-			.resolve_local_alias(room_alias)
+			.resolve_local_alias(&room_alias)
 			.await
 		{
 			| Ok(room_id) => room_id,
@@ -382,7 +378,7 @@ async fn unban_room(&self, room: OwnedRoomOrAliasId) -> Result {
 					 room ID over federation"
 				);

-				match self.services.rooms.alias.resolve_alias(room_alias).await {
+				match self.services.rooms.alias.resolve_alias(&room_alias).await {
 					| Ok((room_id, servers)) => {
 						debug!(
 							%room_id,
@@ -453,6 +449,6 @@ async fn list_banned_rooms(&self, no_details: bool) -> Result {
 		.collect::<Vec<_>>()
 		.join("\n");

-	self.write_str(&format!("Rooms Banned ({num}):\n```\n{body}\n```",))
+	self.write_str(&format!("Rooms Banned ({num}):\n```\n{body}\n```"))
 		.await
 }
@@ -159,8 +159,8 @@ pub(super) async fn list_features(&self) -> Result {
 	let mut enabled_features = conduwuit::info::introspection::ENABLED_FEATURES
 		.lock()
 		.expect("locked")
-		.iter()
-		.flat_map(|(_, f)| f.iter())
+		.values()
+		.flat_map(|f| f.iter())
 		.collect::<Vec<_>>();

 	enabled_features.sort_unstable();
@@ -9,20 +9,18 @@
 };
 use conduwuit::{
 	Err, Result, debug_warn, error, info,
-	matrix::{Event, pdu::PduBuilder},
+	matrix::{Event, pdu::PartialPdu},
 	utils::{self, ReadyExt},
 	warn,
 };
 use futures::{FutureExt, StreamExt};
 use lettre::Address;
 use ruma::{
-	OwnedEventId, OwnedRoomId, OwnedRoomOrAliasId, OwnedServerName, OwnedUserId, UserId,
+	OwnedEventId, OwnedRoomId, OwnedRoomOrAliasId, OwnedServerName, OwnedUserId, ServerName,
+	UserId, assign,
 	events::{
-		RoomAccountDataEventType, StateEventType,
-		room::{
-			power_levels::{RoomPowerLevels, RoomPowerLevelsEventContent},
-			redaction::RoomRedactionEventContent,
-		},
+		RoomAccountDataEventType,
+		room::{power_levels::RoomPowerLevelsEventContent, redaction::RoomRedactionEventContent},
 		tag::{TagEvent, TagEventContent, TagInfo},
 	},
 };
@@ -41,7 +39,7 @@ pub(super) async fn list_users(&self) -> Result {
 		.services
 		.users
 		.list_local_users()
-		.map(ToString::to_string)
+		.map(|id| id.as_str().to_owned())
 		.collect()
 		.await;

@@ -72,7 +70,7 @@ pub(super) async fn create_user(&self, username: String, password: Option<String
 	// Create user
 	self.services
 		.users
-		.create(&user_id, Some(password.as_str()), None)
+		.create(&user_id, Some(password.as_str()))
 		.await?;

 	// Default to pretty displayname
@@ -103,11 +101,12 @@ pub(super) async fn create_user(&self, username: String, password: Option<String
 			ruma::events::GlobalAccountDataEventType::PushRules
 				.to_string()
 				.into(),
-			&serde_json::to_value(ruma::events::push_rules::PushRulesEvent {
-				content: ruma::events::push_rules::PushRulesEventContent {
-					global: ruma::push::Ruleset::server_default(&user_id),
-				},
-			})?,
+			&serde_json::to_value(ruma::events::push_rules::PushRulesEvent::new(
+				ruma::events::push_rules::PushRulesEventContent::new(
+					ruma::push::Ruleset::server_default(&user_id),
+				),
+			))
+			.unwrap(),
 		)
 		.await?;

@@ -292,7 +291,12 @@ pub(super) async fn reset_password(
 		self.services
 			.users
 			.all_device_ids(&user_id)
-			.for_each(|device_id| self.services.users.remove_device(&user_id, device_id))
+			.for_each(async |device_id| {
+				self.services
+					.users
+					.remove_device(&user_id, &device_id)
+					.await;
+			})
 			.await;
 		write!(self, "\nAll existing sessions have been logged out.").await?;
 	}
@@ -437,7 +441,7 @@ pub(super) async fn list_joined_rooms(&self, user_id: String) -> Result {
 		.rooms
 		.state_cache
 		.rooms_joined(&user_id)
-		.then(|room_id| get_room_info(self.services, room_id))
+		.then(async |room_id| get_room_info(self.services, &room_id).await)
 		.collect()
 		.await;

@@ -454,7 +458,7 @@ pub(super) async fn list_joined_rooms(&self, user_id: String) -> Result {
 		.collect::<Vec<_>>()
 		.join("\n");

-	self.write_str(&format!("Rooms {user_id} Joined ({}):\n```\n{body}\n```", rooms.len(),))
+	self.write_str(&format!("Rooms {user_id} Joined ({}):\n```\n{body}\n```", rooms.len()))
 		.await
 }

@@ -506,7 +510,7 @@ pub(super) async fn force_join_list_of_local_users(
 		.rooms
 		.state_cache
 		.room_members(&room_id)
-		.ready_any(|user_id| server_admins.contains(&user_id.to_owned()))
+		.ready_any(|user_id| server_admins.contains(&user_id))
 		.await
 	{
 		return Err!("There is not a single server admin in the room.",);
@@ -620,7 +624,7 @@ pub(super) async fn force_join_all_local_users(
 		.rooms
 		.state_cache
 		.room_members(&room_id)
-		.ready_any(|user_id| server_admins.contains(&user_id.to_owned()))
+		.ready_any(|user_id| server_admins.contains(&user_id))
 		.await
 	{
 		return Err!("There is not a single server admin in the room.",);
@@ -633,7 +637,6 @@ pub(super) async fn force_join_all_local_users(
 		.services
 		.users
 		.list_local_users()
-		.map(UserId::to_owned)
 		.collect::<Vec<_>>()
 		.await
 	{
@@ -684,7 +687,7 @@ pub(super) async fn force_join_room(
 	);
 	join_room_by_id_helper(self.services, &user_id, &room_id, None, &servers, &None).await?;

-	self.write_str(&format!("{user_id} has been joined to {room_id}.",))
+	self.write_str(&format!("{user_id} has been joined to {room_id}."))
 		.await
 }

@@ -716,7 +719,7 @@ pub(super) async fn force_leave_room(
 		.boxed()
 		.await?;

-	self.write_str(&format!("{user_id} has left {room_id}.",))
+	self.write_str(&format!("{user_id} has left {room_id}."))
 		.await
 }

@@ -730,42 +733,34 @@ pub(super) async fn force_demote(&self, user_id: String, room_id: OwnedRoomOrAli
 		"Parsed user_id must be a local user"
 	);

-	let state_lock = self.services.rooms.state.mutex.lock(&room_id).await;
+	let state_lock = self.services.rooms.state.mutex.lock(room_id.as_str()).await;

-	let room_power_levels: Option<RoomPowerLevelsEventContent> = self
+	let mut room_power_levels = self
 		.services
 		.rooms
 		.state_accessor
-		.room_state_get_content(&room_id, &StateEventType::RoomPowerLevels, "")
-		.await
-		.ok();
+		.get_room_power_levels(&room_id)
+		.await;

-	let user_can_demote_self = room_power_levels
-		.as_ref()
-		.is_some_and(|power_levels_content| {
-			RoomPowerLevels::from(power_levels_content.clone())
-				.user_can_change_user_power_level(&user_id, &user_id)
-		}) || self
-		.services
-		.rooms
-		.state_accessor
-		.room_state_get(&room_id, &StateEventType::RoomCreate, "")
-		.await
-		.is_ok_and(|event| event.sender() == user_id);
+	let user_can_demote_self =
+		room_power_levels.user_can_change_user_power_level(&user_id, &user_id);

 	if !user_can_demote_self {
 		return Err!("User is not allowed to modify their own power levels in the room.",);
 	}

-	let mut power_levels_content = room_power_levels.unwrap_or_default();
-	power_levels_content.users.remove(&user_id);
+	room_power_levels.users.remove(&user_id);

 	let event_id = self
 		.services
 		.rooms
 		.timeline
 		.build_and_append_pdu(
-			PduBuilder::state(String::new(), &power_levels_content),
+			PartialPdu::state(
+				String::new(),
+				&RoomPowerLevelsEventContent::try_from(room_power_levels)
+					.expect("PLs should be valid for room version"),
+			),
 			&user_id,
 			Some(&room_id),
 			&state_lock,
@@ -793,7 +788,7 @@ pub(super) async fn make_user_admin(&self, user_id: String) -> Result {
 		.boxed()
 		.await?;

-	self.write_str(&format!("{user_id} has been granted admin privileges.",))
+	self.write_str(&format!("{user_id} has been granted admin privileges."))
 		.await
 }

@@ -811,9 +806,7 @@ pub(super) async fn put_room_tag(
 		.account_data
 		.get_room(&room_id, &user_id, RoomAccountDataEventType::Tag)
 		.await
-		.unwrap_or(TagEvent {
-			content: TagEventContent { tags: BTreeMap::new() },
-		});
+		.unwrap_or_else(|_| TagEvent::new(TagEventContent::new(BTreeMap::new())));

 	tags_event
 		.content
@@ -850,9 +843,7 @@ pub(super) async fn delete_room_tag(
 		.account_data
 		.get_room(&room_id, &user_id, RoomAccountDataEventType::Tag)
 		.await
-		.unwrap_or(TagEvent {
-			content: TagEventContent { tags: BTreeMap::new() },
-		});
+		.unwrap_or_else(|_| TagEvent::new(TagEventContent::new(BTreeMap::new())));

 	tags_event.content.tags.remove(&tag.clone().into());

@@ -882,9 +873,7 @@ pub(super) async fn get_room_tags(&self, user_id: String, room_id: OwnedRoomId)
 		.account_data
 		.get_room(&room_id, &user_id, RoomAccountDataEventType::Tag)
 		.await
-		.unwrap_or(TagEvent {
-			content: TagEventContent { tags: BTreeMap::new() },
-		});
+		.unwrap_or_else(|_| TagEvent::new(TagEventContent::new(BTreeMap::new())));

 	self.write_str(&format!("```\n{:#?}\n```", tags_event.content.tags))
 		.await
@@ -921,19 +910,19 @@ pub(super) async fn redact_event(&self, event_id: OwnedEventId) -> Result {
 			.rooms
 			.state
 			.mutex
-			.lock(&event.room_id_or_hash())
+			.lock(event.room_id_or_hash().as_str())
 			.await;

 		self.services
 			.rooms
 			.timeline
 			.build_and_append_pdu(
-				PduBuilder {
+				PartialPdu {
 					redacts: Some(event.event_id().to_owned()),
-					..PduBuilder::timeline(&RoomRedactionEventContent {
+					..PartialPdu::timeline(&assign!(RoomRedactionEventContent::new_v1(), {
 						redacts: Some(event.event_id().to_owned()),
 						reason: Some(reason),
-					})
+					}))
 				},
 				event.sender(),
 				Some(&event.room_id_or_hash()),
@@ -963,7 +952,7 @@ pub(super) async fn force_leave_remote_room(
 		.resolve_with_servers(
 			&room_id,
 			if let Some(v) = via.clone() {
-				Some(vec![OwnedServerName::parse(v)?])
+				Some(vec![ServerName::parse(v)?])
 			} else {
 				None
 			},
@@ -976,7 +965,7 @@ pub(super) async fn force_leave_remote_room(
 	);
 	let mut vias: HashSet<OwnedServerName> = HashSet::new();
 	if let Some(via) = via {
-		vias.insert(OwnedServerName::parse(via)?);
+		vias.insert(ServerName::parse(via)?);
 	}
 	for server in vias_raw {
 		vias.insert(server);
@@ -1051,7 +1040,12 @@ pub(super) async fn logout(&self, user_id: String) -> Result {
 	self.services
 		.users
 		.all_device_ids(&user_id)
-		.for_each(|device_id| self.services.users.remove_device(&user_id, device_id))
+		.for_each(async |device_id| {
+			self.services
+				.users
+				.remove_device(&user_id, &device_id)
+				.await;
+		})
 		.await;
 	self.write_str(&format!("User {user_id} has been logged out from all devices."))
 		.await
@@ -1129,11 +1123,9 @@ pub(super) async fn get_user_by_email(&self, email: String) -> Result {

 	match self.services.threepid.get_localpart_for_email(&email).await {
 		| Some(localpart) => {
-			let user_id = OwnedUserId::parse(format!(
-				"@{localpart}:{}",
-				self.services.globals.server_name()
-			))
-			.unwrap();
+			let user_id =
+				UserId::parse(format!("@{localpart}:{}", self.services.globals.server_name()))
+					.unwrap();

 			self.write_str(&format!("{email} belongs to {user_id}."))
 				.await
@@ -29,10 +29,6 @@ gzip_compression = [
 	"conduwuit-service/gzip_compression",
 	"reqwest/gzip",
 ]
-http3 = [
-	"conduwuit-core/http3",
-	"conduwuit-service/http3",
-]
 io_uring = [
 	"conduwuit-service/io_uring",
 ]
@@ -52,9 +48,6 @@ jemalloc_stats = [
 	"conduwuit-core/jemalloc_stats",
 	"conduwuit-service/jemalloc_stats",
 ]
-ldap = [
-    "conduwuit-service/ldap"
-]
 release_max_log_level = [
 	"conduwuit-core/release_max_log_level",
 	"conduwuit-service/release_max_log_level",
@@ -81,6 +74,7 @@ conduwuit-macros.workspace = true
 conduwuit-service.workspace = true
 const-str.workspace = true
 ctor.workspace = true
+dtor.workspace = true
 futures.workspace = true
 hmac.workspace = true
 http.workspace = true
@@ -92,7 +86,9 @@ lettre.workspace = true
 log.workspace = true
 rand.workspace = true
 reqwest.workspace = true
+assign.workspace = true
 ruma.workspace = true
+ruminuwuity.workspace = true
 serde_html_form.workspace = true
 serde_json.workspace = true
 serde.workspace = true
@@ -1,10 +1,8 @@
 use axum::extract::State;
 use conduwuit::{Err, Result, info, utils::ReadyExt, warn};
 use futures::{FutureExt, StreamExt};
-use ruma::{
-	OwnedRoomAliasId, continuwuity_admin_api::rooms,
-	events::room::message::RoomMessageEventContent,
-};
+use ruma::{OwnedRoomAliasId, events::room::message::RoomMessageEventContent};
+use ruminuwuity::admin::continuwuity::rooms;

 use crate::{Ruma, client::leave_room};

@@ -36,7 +34,6 @@ pub(crate) async fn ban_room(
 			.rooms
 			.state_cache
 			.room_members(&body.room_id)
-			.map(ToOwned::to_owned)
 			.ready_filter(|user| services.globals.user_is_local(user))
 			.boxed();
 		let mut evicted = Vec::new();
@@ -63,9 +60,9 @@ pub(crate) async fn ban_room(
 			.rooms
 			.alias
 			.local_aliases_for_room(&body.room_id)
-			.map(ToOwned::to_owned)
-			.collect::<Vec<_>>()
+			.collect()
 			.await;
+
 		for alias in &aliases {
 			info!("Removing alias {} for banned room {}", alias, body.room_id);
 			services
@@ -1,7 +1,8 @@
 use axum::extract::State;
 use conduwuit::{Err, Result};
 use futures::StreamExt;
-use ruma::{OwnedRoomId, continuwuity_admin_api::rooms};
+use ruma::OwnedRoomId;
+use ruminuwuity::admin::continuwuity::rooms;

 use crate::Ruma;

@@ -22,8 +23,8 @@ pub(crate) async fn list_rooms(
 		.metadata
 		.iter_ids()
 		.filter_map(|room_id| async move {
-			if !services.rooms.metadata.is_banned(room_id).await {
-				Some(room_id.to_owned())
+			if !services.rooms.metadata.is_banned(&room_id).await {
+				Some(room_id.clone())
 			} else {
 				None
 			}
@@ -1,15 +1,15 @@
 use axum::extract::State;
-use axum_client_ip::InsecureClientIp;
+use axum_client_ip::ClientIp;
 use conduwuit::{
-	Err, Event, Result, err, info,
-	pdu::PduBuilder,
+	Err, Result, err, info,
+	pdu::PartialPdu,
 	utils::{ReadyExt, stream::BroadbandExt},
 };
 use conduwuit_service::Services;
 use futures::{FutureExt, StreamExt};
 use lettre::{Address, message::Mailbox};
 use ruma::{
-	OwnedRoomId, OwnedUserId, UserId,
+	OwnedRoomId, UserId,
 	api::client::{
 		account::{
 			ThirdPartyIdRemovalStatus, change_password, check_registration_token_validity,
@@ -18,12 +18,10 @@
 		},
 		uiaa::{AuthFlow, AuthType},
 	},
-	events::{
-		StateEventType,
-		room::{
-			member::{MembershipState, RoomMemberEventContent},
-			power_levels::{RoomPowerLevels, RoomPowerLevelsEventContent},
-		},
+	assign,
+	events::room::{
+		member::{MembershipState, RoomMemberEventContent},
+		power_levels::RoomPowerLevelsEventContent,
 	},
 };
 use service::{mailer::messages, uiaa::Identity};
@@ -48,7 +46,7 @@
 #[tracing::instrument(skip_all, fields(%client), name = "register_available", level = "info")]
 pub(crate) async fn get_register_available_route(
 	State(services): State<crate::State>,
-	InsecureClientIp(client): InsecureClientIp,
+	ClientIp(client): ClientIp,
 	body: Ruma<get_username_availability::v3::Request>,
 ) -> Result<get_username_availability::v3::Response> {
 	// Validate user id
@@ -87,7 +85,7 @@ pub(crate) async fn get_register_available_route(
 		return Err!(Request(Exclusive("Username is reserved by an appservice.")));
 	}

-	Ok(get_username_availability::v3::Response { available: true })
+	Ok(get_username_availability::v3::Response::new(true))
 }

 /// # `POST /_matrix/client/r0/account/password`
@@ -110,7 +108,7 @@ pub(crate) async fn get_register_available_route(
 #[tracing::instrument(skip_all, fields(%client), name = "change_password", level = "info")]
 pub(crate) async fn change_password_route(
 	State(services): State<crate::State>,
-	InsecureClientIp(client): InsecureClientIp,
+	ClientIp(client): ClientIp,
 	body: Ruma<change_password::v3::Request>,
 ) -> Result<change_password::v3::Response> {
 	let identity = if let Some(ref user_id) = body.sender_user {
@@ -143,7 +141,7 @@ pub(crate) async fn change_password_route(
 			.await?
 	};

-	let sender_user = OwnedUserId::parse(format!(
+	let sender_user = UserId::parse(format!(
 		"@{}:{}",
 		identity.localpart.expect("localpart should be known"),
 		services.globals.server_name()
@@ -161,7 +159,7 @@ pub(crate) async fn change_password_route(
 			.users
 			.all_device_ids(&sender_user)
 			.ready_filter(|id| *id != body.sender_device())
-			.for_each(|id| services.users.remove_device(&sender_user, id))
+			.for_each(async |id| services.users.remove_device(&sender_user, &id).await)
 			.await;

 		// Remove all pushers except the ones associated with this session
@@ -175,8 +173,8 @@ pub(crate) async fn change_password_route(
 					.get_pusher_device(&pushkey)
 					.await
 					.ok()
-					.filter(|pusher_device| pusher_device != body.sender_device())
-					.is_some()
+					.as_ref()
+					.is_some_and(|pusher_device| pusher_device != body.sender_device())
 					.then_some(pushkey)
 			})
 			.for_each(async |pushkey| {
@@ -194,7 +192,7 @@ pub(crate) async fn change_password_route(
 			.await;
 	}

-	Ok(change_password::v3::Response {})
+	Ok(change_password::v3::Response::new())
 }

 /// # `POST /_matrix/client/v3/account/password/email/requestToken`
@@ -215,7 +213,7 @@ pub(crate) async fn request_password_change_token_via_email_route(
 	};

 	let user_id =
-		OwnedUserId::parse(format!("@{localpart}:{}", services.globals.server_name())).unwrap();
+		UserId::parse(format!("@{localpart}:{}", services.globals.server_name())).unwrap();
 	let display_name = services.users.displayname(&user_id).await.ok();

 	let session = services
@@ -251,11 +249,10 @@ pub(crate) async fn whoami_route(
 		.map_err(|_| {
 			err!(Request(Forbidden("Application service has not registered this user.")))
 		})? && body.appservice_info.is_none();
-	Ok(whoami::v3::Response {
-		user_id: body.sender_user().to_owned(),
+
+	Ok(assign!(whoami::v3::Response::new(body.sender_user().to_owned(), is_guest), {
 		device_id: body.sender_device.clone(),
-		is_guest,
-	})
+	}))
 }

 /// # `POST /_matrix/client/r0/account/deactivate`
@@ -272,7 +269,7 @@ pub(crate) async fn whoami_route(
 #[tracing::instrument(skip_all, fields(%client), name = "deactivate", level = "info")]
 pub(crate) async fn deactivate_route(
 	State(services): State<crate::State>,
-	InsecureClientIp(client): InsecureClientIp,
+	ClientIp(client): ClientIp,
 	body: Ruma<deactivate::v3::Request>,
 ) -> Result<deactivate::v3::Response> {
 	// Authentication for this endpoint is technically optional,
@@ -310,9 +307,7 @@ pub(crate) async fn deactivate_route(
 			.await;
 	}

-	Ok(deactivate::v3::Response {
-		id_server_unbind_result: ThirdPartyIdRemovalStatus::Success,
-	})
+	Ok(deactivate::v3::Response::new(ThirdPartyIdRemovalStatus::Success))
 }

 /// # `GET /_matrix/client/v1/register/m.login.registration_token/validity`
@@ -330,7 +325,7 @@ pub(crate) async fn check_registration_token_validity(
 		.await
 		.is_some();

-	Ok(check_registration_token_validity::v1::Response { valid })
+	Ok(check_registration_token_validity::v1::Response::new(valid))
 }

 /// Runs through all the deactivation steps:
@@ -354,13 +349,7 @@ pub async fn full_user_deactivate(
 			.await;
 	}

-	services
-		.users
-		.all_profile_keys(user_id)
-		.ready_for_each(|(profile_key, _)| {
-			services.users.set_profile_key(user_id, &profile_key, None);
-		})
-		.await;
+	services.users.clear_profile(user_id).await;

 	services
 		.pusher
@@ -372,62 +361,49 @@ pub async fn full_user_deactivate(

 	// TODO: Rescind all user invites

-	let mut pdu_queue: Vec<(PduBuilder, &OwnedRoomId)> = Vec::new();
+	let mut pdu_queue: Vec<(PartialPdu, &OwnedRoomId)> = Vec::new();

 	for room_id in all_joined_rooms {
 		let room_power_levels = services
 			.rooms
 			.state_accessor
-			.room_state_get_content::<RoomPowerLevelsEventContent>(
-				room_id,
-				&StateEventType::RoomPowerLevels,
-				"",
-			)
-			.await
-			.ok();
+			.get_room_power_levels(room_id)
+			.await;

 		let user_can_demote_self =
-			room_power_levels
-				.as_ref()
-				.is_some_and(|power_levels_content| {
-					RoomPowerLevels::from(power_levels_content.clone())
-						.user_can_change_user_power_level(user_id, user_id)
-				}) || services
-				.rooms
-				.state_accessor
-				.room_state_get(room_id, &StateEventType::RoomCreate, "")
-				.await
-				.is_ok_and(|event| event.sender() == user_id);
+			room_power_levels.user_can_change_user_power_level(user_id, user_id);

-		if user_can_demote_self {
-			let mut power_levels_content = room_power_levels.unwrap_or_default();
+		if user_can_demote_self
+			&& let Ok(mut power_levels_content) =
+				RoomPowerLevelsEventContent::try_from(room_power_levels)
+		{
 			power_levels_content.users.remove(user_id);
-			let pl_evt = PduBuilder::state(String::new(), &power_levels_content);
+			let pl_evt = PartialPdu::state(String::new(), &power_levels_content);
 			pdu_queue.push((pl_evt, room_id));
 		}

 		// Leave the room
 		pdu_queue.push((
-			PduBuilder::state(user_id.to_string(), &RoomMemberEventContent {
-				avatar_url: None,
-				blurhash: None,
-				membership: MembershipState::Leave,
-				displayname: None,
-				join_authorized_via_users_server: None,
-				reason: None,
-				is_direct: None,
-				third_party_invite: None,
-				redact_events: None,
-			}),
+			PartialPdu::state(
+				user_id.to_string(),
+				&RoomMemberEventContent::new(MembershipState::Leave),
+			),
 			room_id,
 		));

 		// TODO: Redact all messages sent by the user in the room
 	}

-	super::update_all_rooms(services, pdu_queue, user_id)
-		.boxed()
-		.await;
+	for (pdu, room_id) in pdu_queue {
+		let state_lock = services.rooms.state.mutex.lock(room_id.as_str()).await;
+
+		let _ = services
+			.rooms
+			.timeline
+			.build_and_append_pdu(pdu, user_id, Some(room_id.as_ref()), &state_lock)
+			.await;
+	}
+
 	for room_id in all_joined_rooms {
 		services.rooms.state_cache.forget(room_id, user_id);
 	}
@@ -1,7 +1,7 @@
 use std::{collections::HashMap, fmt::Write};

 use axum::extract::State;
-use axum_client_ip::InsecureClientIp;
+use axum_client_ip::ClientIp;
 use conduwuit::{
 	Err, Result, debug_info, error, info,
 	utils::{self},
@@ -20,7 +20,11 @@
 		},
 		uiaa::{AuthFlow, AuthType},
 	},
-	events::{GlobalAccountDataEventType, room::message::RoomMessageEventContent},
+	assign,
+	events::{
+		GlobalAccountDataEventType, push_rules::PushRulesEvent,
+		room::message::RoomMessageEventContent,
+	},
 	push,
 };
 use serde_json::value::RawValue;
@@ -52,7 +56,7 @@
 #[tracing::instrument(skip_all, fields(%client), name = "register", level = "info")]
 pub(crate) async fn register_route(
 	State(services): State<crate::State>,
-	InsecureClientIp(client): InsecureClientIp,
+	ClientIp(client): ClientIp,
 	body: Ruma<register::v3::Request>,
 ) -> Result<register::v3::Response> {
 	let is_guest = body.kind == RegistrationKind::Guest;
@@ -186,7 +190,7 @@ pub(crate) async fn register_route(
 	let password = if is_guest { None } else { body.password.as_deref() };

 	// Create user
-	services.users.create(&user_id, password, None).await?;
+	services.users.create(&user_id, password).await?;

 	// Set an initial display name
 	let mut displayname = user_id.localpart().to_owned();
@@ -209,23 +213,15 @@ pub(crate) async fn register_route(
 			None,
 			&user_id,
 			GlobalAccountDataEventType::PushRules.to_string().into(),
-			&serde_json::to_value(ruma::events::push_rules::PushRulesEvent {
-				content: ruma::events::push_rules::PushRulesEventContent {
-					global: push::Ruleset::server_default(&user_id),
-				},
-			})?,
+			&serde_json::to_value(PushRulesEvent::new(
+				push::Ruleset::server_default(&user_id).into(),
+			))
+			.expect("should be able to serialize push rules"),
 		)
 		.await?;

 	// Generate new device id if the user didn't specify one
-	let no_device = body.inhibit_login
-		|| body
-			.appservice_info
-			.as_ref()
-			.is_some_and(|aps| aps.registration.device_management);
-
-	let (token, device) = if !no_device {
-		// Don't create a device for inhibited logins
+	let (token, device) = if !body.inhibit_login {
 		let device_id = if is_guest { None } else { body.device_id.clone() }
 			.unwrap_or_else(|| utils::random_string(DEVICE_ID_LENGTH).into());

@@ -243,12 +239,14 @@ pub(crate) async fn register_route(
 				Some(client.to_string()),
 			)
 			.await?;
-		debug_info!(%user_id, %device_id, "User account was created");
 		(Some(new_token), Some(device_id))
 	} else {
+		// Don't create a device for inhibited logins
 		(None, None)
 	};

+	debug_info!(%user_id, ?device, "User account was created");
+
 	// If the user registered with an email, associate it with their account.
 	if let Some(identity) = identity
 		&& let Some(email) = identity.email
@@ -393,13 +391,12 @@ pub(crate) async fn register_route(
 		}
 	}

-	Ok(register::v3::Response {
+	Ok(assign!(register::v3::Response::new(user_id), {
 		access_token: token,
-		user_id,
 		device_id: device,
 		refresh_token: None,
 		expires_in: None,
-	})
+	}))
 }

 /// Determine which flows and parameters should be presented when
@@ -53,6 +53,10 @@ pub(crate) async fn request_3pid_management_token_via_email_route(
 	State(services): State<crate::State>,
 	body: Ruma<request_3pid_management_token_via_email::v3::Request>,
 ) -> Result<request_3pid_management_token_via_email::v3::Response> {
+	if !services.threepid.email_requirement().may_change() {
+		return Err!(Request(Forbidden("You may not change your email address.")));
+	}
+
 	let Ok(email) = Address::try_from(body.email.clone()) else {
 		return Err!(Request(InvalidParam("Invalid email address.")));
 	};
@@ -105,6 +109,10 @@ pub(crate) async fn add_3pid_route(
 ) -> Result<add_3pid::v3::Response> {
 	let sender_user = body.sender_user();

+	if !services.threepid.email_requirement().may_change() {
+		return Err!(Request(Forbidden("You may not change your email address.")));
+	}
+
 	// Require password auth to add an email
 	let _ = services
 		.uiaa
@@ -133,9 +141,11 @@ pub(crate) async fn delete_3pid_route(
 	let sender_user = body.sender_user();

 	if body.medium != Medium::Email {
-		return Ok(delete_3pid::v3::Response {
-			id_server_unbind_result: ThirdPartyIdRemovalStatus::NoSupport,
-		});
+		return Ok(delete_3pid::v3::Response::new(ThirdPartyIdRemovalStatus::NoSupport));
+	}
+
+	if !services.threepid.email_requirement().may_remove() {
+		return Err!(Request(Forbidden("You may not remove your email address.")));
 	}

 	if services
@@ -147,7 +157,5 @@ pub(crate) async fn delete_3pid_route(
 		return Err!(Request(ThreepidNotFound("Your account has no associated email.")));
 	}

-	Ok(delete_3pid::v3::Response {
-		id_server_unbind_result: ThirdPartyIdRemovalStatus::Success,
-	})
+	Ok(delete_3pid::v3::Response::new(ThirdPartyIdRemovalStatus::Success))
 }
@@ -7,10 +7,7 @@
 		get_global_account_data, get_room_account_data, set_global_account_data,
 		set_room_account_data,
 	},
-	events::{
-		AnyGlobalAccountDataEventContent, AnyRoomAccountDataEventContent,
-		RoomAccountDataEventType,
-	},
+	events::{AnyGlobalAccountDataEventContent, AnyRoomAccountDataEventContent},
 	serde::Raw,
 };
 use serde::Deserialize;
@@ -40,7 +37,7 @@ pub(crate) async fn set_global_account_data_route(
 	)
 	.await?;

-	Ok(set_global_account_data::v3::Response {})
+	Ok(set_global_account_data::v3::Response::new())
 }

 /// # `PUT /_matrix/client/r0/user/{userId}/rooms/{roomId}/account_data/{type}`
@@ -65,7 +62,7 @@ pub(crate) async fn set_room_account_data_route(
 	)
 	.await?;

-	Ok(set_room_account_data::v3::Response {})
+	Ok(set_room_account_data::v3::Response::new())
 }

 /// # `GET /_matrix/client/r0/user/{userId}/account_data/{type}`
@@ -87,7 +84,7 @@ pub(crate) async fn get_global_account_data_route(
 		.await
 		.map_err(|_| err!(Request(NotFound("Data not found."))))?;

-	Ok(get_global_account_data::v3::Response { account_data: account_data.content })
+	Ok(get_global_account_data::v3::Response::new(account_data.content))
 }

 /// # `GET /_matrix/client/r0/user/{userId}/rooms/{roomId}/account_data/{type}`
@@ -109,7 +106,7 @@ pub(crate) async fn get_room_account_data_route(
 		.await
 		.map_err(|_| err!(Request(NotFound("Data not found."))))?;

-	Ok(get_room_account_data::v3::Response { account_data: account_data.content })
+	Ok(get_room_account_data::v3::Response::new(account_data.content))
 }

 async fn set_account_data(
@@ -119,7 +116,7 @@ async fn set_account_data(
 	event_type_s: &str,
 	data: &RawJsonValue,
 ) -> Result {
-	if event_type_s == RoomAccountDataEventType::FullyRead.to_cow_str() {
+	if event_type_s == "m.fully_read" {
 		return Err!(Request(BadJson(
 			"This endpoint cannot be used for marking a room as fully read (setting \
 			 m.fully_read)"
@@ -1,7 +1,7 @@
 use axum::extract::State;
 use conduwuit::{Err, Result};
 use futures::future::{join, join3};
-use ruma::api::client::admin::{get_suspended, set_suspended};
+use ruminuwuity::admin::{get_suspended, set_suspended};

 use crate::Ruma;

@@ -1,6 +1,9 @@
 use axum::extract::State;
 use conduwuit::{Err, Result, err};
-use ruma::api::{appservice::ping, client::appservice::request_ping};
+use ruma::{
+	api::{appservice::ping, client::appservice::request_ping},
+	assign,
+};

 use crate::Ruma;

@@ -40,12 +43,12 @@ pub(crate) async fn appservice_ping(
 		.sending
 		.send_appservice_request(
 			appservice_info.registration.clone(),
-			ping::send_ping::v1::Request {
+			assign!(ping::send_ping::v1::Request::new(), {
 				transaction_id: body.transaction_id.clone(),
-			},
+			}),
 		)
 		.await?
 		.expect("We already validated if an appservice URL exists above");

-	Ok(request_ping::v1::Response { duration: timer.elapsed() })
+	Ok(request_ping::v1::Response::new(timer.elapsed()))
 }
--- a/Show More
+++ b/Show More
				`@@ -1 +0,0 @@`
				`Added support for associating email addresses with accounts, requiring email addresses for registration, and resetting passwords via email. Contributed by @ginger`
				`@@ -0,0 +1 @@`
				`The invite recipient's membership event is now included in invite stripped state, which should fix flaky invite display in some clients. Contributed by @ginger`
				`@@ -1 +0,0 @@`
				`Added support for using an admin command to issue self-service password reset links.`
				`@@ -1 +0,0 @@`
				`Stopped left rooms from being unconditionally sent on initial sync, hopefully fixing spurious appearances of left rooms in some clients (and making sync faster as a bonus). Contributed by @ginger`
				`@@ -1 +0,0 @@`
				`Added support for requiring users to accept terms and conditions when registering.`
				`@@ -0,0 +1 @@`
				`Switched from Continuwuity's fork of Ruma back to upstream Ruma. Contributed by @ginger.`
				`@@ -1 +0,0 @@`
				`Fixed room alias deletion so removing one local alias no longer removes other aliases from room alias listings.`
				`@@ -1 +0,0 @@`
				`Fixed corrupted appservice registrations causing the server to enter a crash loop. Contributed by @nex.`
				`@@ -1 +0,0 @@`
				`Re-added support for reading registration tokens from a file. Contributed by @ginger and @benbot.`
				`@@ -1 +0,0 @@`
				`Added Testing and Troubleshooting instructions for Livekit documentation. Contributed by @stratself.`