ci: Compare against the merge base to avoid unneded triggers

See https://github.com/NixOS/nixpkgs/pull/501199

.forgejo/actions/sccache/action.yml

@@ -9,7 +9,7 @@ runs:
   - name: Install sccache
     uses: https://git.tomfos.tr/tom/sccache-action@v1
   - name: Configure sccache
-    uses: https://github.com/actions/github-script@v8
+    uses: https://github.com/actions/github-script@3a2844b7e9c422d3c10d287c895573f7108da1b3 # v9
     with:
       script: |
         core.exportVariable('ACTIONS_RESULTS_URL', process.env.ACTIONS_RESULTS_URL || '');

.forgejo/workflows/check-changelog.yml

@@ -1,8 +1,8 @@
-name: Check Changelog
+name: Checks / Changelog
 
 on:
   pull_request_target:
-    types: [opened, synchronize, reopened, ready_for_review]
+    types: [opened, synchronize, reopened, ready_for_review, labeled, unlabeled]
 
 
 concurrency:
@@ -16,7 +16,7 @@ permissions:
 
 jobs:
   check-changelog:
-    name: Check for changelog
+    name: Check changelog is added
     runs-on: ubuntu-latest
     steps:
       - name: Checkout repository
@@ -33,9 +33,9 @@ jobs:
           git fetch origin ${GITHUB_BASE_REF}
 
           # Check for Added (A) or Modified (M) files in changelog.d
-          CHANGELOG_CHANGES=$(git diff --name-status origin/${GITHUB_BASE_REF} HEAD -- changelog.d/)
+          CHANGELOG_CHANGES=$(git diff --name-status origin/${GITHUB_BASE_REF}...HEAD -- changelog.d/)
 
-          SRC_CHANGES=$(git diff --name-status origin/${GITHUB_BASE_REF} HEAD -- src/)
+          SRC_CHANGES=$(git diff --name-status origin/${GITHUB_BASE_REF}...HEAD -- src/)
 
           echo "Changes in changelog.d/:"
           echo "$CHANGELOG_CHANGES"
@@ -54,8 +54,8 @@ jobs:
             echo "src_changed=false" >> $GITHUB_OUTPUT
           fi
 
-      - name: Manage PR Comment
-        uses: https://github.com/actions/github-script@v8
+      - name: Manage PR Labels
+        uses: https://github.com/actions/github-script@3a2844b7e9c422d3c10d287c895573f7108da1b3 # v9
         env:
           HAS_CHANGELOG: ${{ steps.check_files.outputs.has_changelog }}
           SRC_CHANGED: ${{ steps.check_files.outputs.src_changed }}
@@ -63,41 +63,37 @@ jobs:
           script: |
             const hasChangelog = process.env.HAS_CHANGELOG === 'true';
             const srcChanged = process.env.SRC_CHANGED === 'true';
-            const commentSignature = '<!-- changelog-check-action -->';
-            const commentBody = `${commentSignature}\nPlease add a changelog fragment to \`changelog.d/\` describing your changes.`;
 
-            const { data: currentUser } = await github.rest.users.getAuthenticated();
-
-            const { data: comments } = await github.rest.issues.listComments({
+            const { data: pullRequest } = await github.rest.pulls.get({
               owner: context.repo.owner,
               repo: context.repo.repo,
-              issue_number: context.issue.number,
+              pull_number: context.issue.number,
             });
 
-            const botComment = comments.find(comment =>
-              comment.user.id === currentUser.id &&
-              comment.body.includes(commentSignature)
-            );
+            const currentLabels = pullRequest.labels.map(l => l.name);
 
-            const shouldWarn = srcChanged && !hasChangelog;
-
-            if (!shouldWarn) {
-              if (botComment) {
-                console.log('Changelog found or not required. Deleting existing warning comment.');
-                await github.rest.issues.deleteComment({
-                  owner: context.repo.owner,
-                  repo: context.repo.repo,
-                  comment_id: botComment.id,
-                });
-              }
+            if (hasChangelog) {
+              console.log('PR has changelog');
+              await github.rest.issues.addLabels({
+                owner: context.repo.owner,
+                repo: context.repo.repo,
+                issue_number: context.issue.number,
+                labels: ['Changelog/Added'],
+              });
+            } else if (currentLabels.includes('Changelog/None')) {
+              console.log('PR has Changelog/None label, skipping.');
+            } else if (srcChanged) {
+              console.log('PR is missing changelog');
+              await github.rest.issues.addLabels({
+                owner: context.repo.owner,
+                repo: context.repo.repo,
+                issue_number: context.issue.number,
+                labels: ['Changelog/Missing'],
+              });
+              core.setFailed("Missing changelog entry (detected)");
+            } else if (currentLabels.includes('Changelog/Missing')) {
+              core.setFailed("Missing changelog entry (label)");
             } else {
-              if (!botComment) {
-                console.log('Changelog missing and required. Creating warning comment.');
-                await github.rest.issues.createComment({
-                  owner: context.repo.owner,
-                  repo: context.repo.repo,
-                  issue_number: context.issue.number,
-                  body: commentBody,
-                });
-              }
+              console.log('Changelog not needed');
+              // Changelog is probably not needed
             }

.forgejo/workflows/mirror-images.yml

@@ -51,10 +51,8 @@ jobs:
       #     owner: continuwuity
       #     repositories: continuwuity
 
-      - name: Install regctl
-        uses: https://forgejo.ellis.link/continuwuation/regclient-actions/regctl-installer@main
-        with:
-          binary: regsync
+      - name: Install regsync
+        uses: https://github.com/regclient/actions/regsync-installer@main
 
       - name: Check what images need mirroring
         run: |

Cargo.toml

@@ -39,7 +39,7 @@ features = ["ffi", "std", "union"]
 version = "0.7.0"
 
 [workspace.dependencies.ctor]
-version = "0.6.0"
+version = "0.9.0"
 
 [workspace.dependencies.cargo_toml]
 version = "0.22"
@@ -60,7 +60,7 @@ default-features = false
 
 # used for TURN server authentication
 [workspace.dependencies.hmac]
-version = "0.12.1"
+version = "0.13.0"
 default-features = false
 
 # used for checking if an IP is in specific subnets / CIDR ranges easier
@@ -159,7 +159,7 @@ features = ["raw_value"]
 
 # Used for appservice registration files
 [workspace.dependencies.serde-saphyr]
-version = "0.0.21"
+version = "0.0.23"
 
 # Used to load forbidden room/user regex from config
 [workspace.dependencies.serde_regex]
@@ -404,7 +404,7 @@ version = "0.10.8"
 default-features = false
 
 [workspace.dependencies.sha1]
-version = "0.10.6"
+version = "0.11.0"
 default-features = false
 
 # optional opentelemetry, performance measurements, flamegraphs, etc for performance measurements and monitoring
@@ -481,7 +481,7 @@ default-features = false
 features = ["resource"]
 
 [workspace.dependencies.sd-notify]
-version = "0.4.5"
+version = "0.5.0"
 default-features = false
 
 [workspace.dependencies.hardened_malloc-rs]

docker/Dockerfile

@@ -48,7 +48,7 @@ EOF
 
 # Developer tool versions
 # renovate: datasource=github-releases depName=cargo-bins/cargo-binstall
-ENV BINSTALL_VERSION=1.17.8
+ENV BINSTALL_VERSION=1.17.9
 # renovate: datasource=github-releases depName=psastras/sbom-rs
 ENV CARGO_SBOM_VERSION=0.9.1
 # renovate: datasource=crate depName=lddtree

docker/musl.Dockerfile

@@ -18,7 +18,7 @@ RUN --mount=type=cache,target=/etc/apk/cache apk add \
 
 # Developer tool versions
 # renovate: datasource=github-releases depName=cargo-bins/cargo-binstall
-ENV BINSTALL_VERSION=1.17.8
+ENV BINSTALL_VERSION=1.17.9
 # renovate: datasource=github-releases depName=psastras/sbom-rs
 ENV CARGO_SBOM_VERSION=0.9.1
 # renovate: datasource=crate depName=lddtree

docs/deploying/generic.mdx

@@ -14,6 +14,7 @@ Download the binary for your architecture (x86_64 or aarch64) -
 run the `uname -m` to check which you need.
 
 Prebuilt binaries are available from:
+
 - **Tagged releases**: [Latest release page](https://forgejo.ellis.link/continuwuation/continuwuity/releases/latest)
 - **Development builds**: CI artifacts from the `main` branch
   (includes Debian/Ubuntu packages)
@@ -42,32 +43,36 @@ build profile with
 [link-time optimisation (LTO)](https://doc.rust-lang.org/cargo/reference/profiles.html#lto)
 and, for amd64, target the haswell CPU architecture.
 
+### Nix
+
+Theres a Nix package defined in our flake, available for Linux and MacOS. Add continuwuity as an input to your flake, and use `inputs.continuwuity.packages.${system}.default` to get a working Continuwuity package.
+
+If you simply wish to generate a binary using Nix, you can run `nix build git+https://forgejo.ellis.link/continuwuation/continuwuity` to generate a binary in `result/bin/conduwuit`.
+
 ### Compiling
 
 Alternatively, you may compile the binary yourself.
 
-### Building with the Rust toolchain
+#### Using Docker
 
-If wanting to build using standard Rust toolchains, make sure you install:
+If you would like to build using docker, you can run the command `docker build -f ./docker/Dockerfile -t forgejo.ellis.link/continuwuation/continuwuity:main .` to compile continuwuity.
 
-- (On linux) `liburing-dev` on the compiling machine, and `liburing` on the target host
-- (On linux) `pkg-config` on the compiling machine to allow finding `liburing`
-- A C++ compiler and (on linux) `libclang` for RocksDB
+#### Manual
+
+##### Dependencies
+
+- Run `nix develop` to get a devshell with everything you need
+- Or, install the following:
+    - (On linux) `liburing-dev` on the compiling machine, and `liburing` on the target host
+    - (On linux) `pkg-config` on the compiling machine to allow finding `liburing`
+    - A C++ compiler and (on linux) `libclang` for RocksDB
+
+##### Build
 
 You can build Continuwuity using `cargo build --release`.
 
 Continuwuity supports various optional features that can be enabled during compilation. Please see the Cargo.toml file for a comprehensive list, or ask in our rooms.
 
-### Building with Nix
-
-If you prefer, you can use Nix (or [Lix](https://lix.systems)) to build Continuwuity. This provides improved reproducibility and makes it easy to set up a build environment and generate output. This approach also allows for easy cross-compilation.
-
-You can run the `nix build -L .#static-x86_64-linux-musl-all-features` or
-`nix build -L .#static-aarch64-linux-musl-all-features` commands based
-on architecture to cross-compile the necessary static binary located at
-`result/bin/conduwuit`. This is reproducible with the static binaries produced
-in our CI.
-
 ## Adding a Continuwuity user
 
 While Continuwuity can run as any user, it is better to use dedicated users for
@@ -128,13 +133,11 @@ and entering the following:
 ReadWritePaths=/path/to/custom/database/path
 ```
 
-
 ### Example systemd Unit File
 
 <details>
 <summary>Click to expand systemd unit file (conduwuit.service)</summary>
 
-
 ```ini file="../../pkg/conduwuit.service"
 
 ```
@@ -202,23 +205,27 @@ sudo systemctl enable --now caddy
 As we prefer our users to use Caddy, we do not provide configuration files for other proxies.
 
 You will need to reverse proxy everything under the following routes:
+
 - `/_matrix/` - core Matrix C-S and S-S APIs
 - `/_conduwuit/` and/or `/_continuwuity/` - ad-hoc Continuwuity routes such as `/local_user_count` and
-`/server_version`
+  `/server_version`
 
 You can optionally reverse proxy the following individual routes:
+
 - `/.well-known/matrix/client` and `/.well-known/matrix/server` if using
-Continuwuity to perform delegation (see the `[global.well_known]` config section)
+  Continuwuity to perform delegation (see the `[global.well_known]` config section)
 - `/.well-known/matrix/support` if using Continuwuity to send the homeserver admin
-contact and support page (formerly known as MSC1929)
+  contact and support page (formerly known as MSC1929)
 - `/` if you would like to see `hewwo from conduwuit woof!` at the root
 
 See the following spec pages for more details on these files:
+
 - [`/.well-known/matrix/server`](https://spec.matrix.org/latest/client-server-api/#getwell-knownmatrixserver)
 - [`/.well-known/matrix/client`](https://spec.matrix.org/latest/client-server-api/#getwell-knownmatrixclient)
 - [`/.well-known/matrix/support`](https://spec.matrix.org/latest/client-server-api/#getwell-knownmatrixsupport)
 
 Examples of delegation:
+
 - https://continuwuity.org/.well-known/matrix/server
 - https://continuwuity.org/.well-known/matrix/client
 - https://ellis.link/.well-known/matrix/server
@@ -232,6 +239,7 @@ header, making federation non-functional. If you find a workaround, please share
 If using Apache, you need to use `nocanon` in your `ProxyPass` directive to prevent httpd from interfering with the `X-Matrix` header (note that Apache is not ideal as a general reverse proxy, so we discourage using it if alternatives are available).
 
 If using Nginx, you need to pass the request URI to Continuwuity using `$request_uri`, like this:
+
 - `proxy_pass http://127.0.0.1:6167$request_uri;`
 - `proxy_pass http://127.0.0.1:6167;`
 
@@ -271,17 +279,17 @@ curl https://your.server.name:8448/_matrix/federation/v1/version
 ```
 
 - To check if your server can communicate with other homeservers, use the
-[Matrix Federation Tester](https://federationtester.mtrnord.blog/). If you can
-register but cannot join federated rooms, check your configuration and verify
-that port 8448 is open and forwarded correctly.
+  [Matrix Federation Tester](https://federationtester.mtrnord.blog/). If you can
+  register but cannot join federated rooms, check your configuration and verify
+  that port 8448 is open and forwarded correctly.
 
-# What's next?
+## What's next?
 
-## Audio/Video calls
+### Audio/Video calls
 
 For Audio/Video call functionality see the [Calls](../calls.md) page.
 
-## Appservices
+### Appservices
 
 If you want to set up an appservice, take a look at the [Appservice
 Guide](../appservices.md).

docs/deploying/nixos.mdx

@@ -1,40 +1,40 @@
 # Continuwuity for NixOS
 
-NixOS packages Continuwuity as `matrix-continuwuity`. This package includes both the Continuwuity software and a dedicated NixOS module for configuration and deployment.
+## Nix package
 
-## Installation methods
+You can get a Nix package for Continuwuity from the following sources:
 
-You can acquire Continuwuity with Nix (or [Lix][lix]) from these sources:
+- Directly from Nixpkgs: `pkgs.matrix-continuwuity`
+- Or, using `continuwuity.packages.${system}.default` from:
+    - The `flake.nix` at the root of the Continuwuity repo, by adding Continuwuity to your flake inputs:
 
-* Directly from Nixpkgs using the official package (`pkgs.matrix-continuwuity`)
-* The `flake.nix` at the root of the Continuwuity repo
-* The `default.nix` at the root of the Continuwuity repo
+    ```nix
+    inputs.continuwuity.url = "git+https://forgejo.ellis.link/continuwuation/continuwuity";
+    ```
+
+    - The `default.nix` at the root of the Continuwuity repo
 
 ## NixOS module
 
-Continuwuity now has an official NixOS module that simplifies configuration and deployment. The module is available in Nixpkgs as `services.matrix-continuwuity` from NixOS 25.05.
+Continuwuity has an official NixOS module that simplifies configuration and deployment. The module is available in Nixpkgs as `services.matrix-continuwuity`.
 
 Here's a basic example of how to use the module:
 
 ```nix
-{ config, pkgs, ... }:
+services.matrix-continuwuity = {
+  enable = true;
+  settings = {
+    global = {
+      server_name = "example.com";
 
-{
-  services.matrix-continuwuity = {
-    enable = true;
-    settings = {
-      global = {
-        server_name = "example.com";
-        # Listening on localhost by default
-        # address and port are handled automatically
-        allow_registration = false;
-        allow_encryption = true;
-        allow_federation = true;
-        trusted_servers = [ "matrix.org" ];
-      };
+      # Continuwuity listens on localhost by default,
+      # address and port are handled automatically
+
+      # You can add any further configuration here, e.g.
+	  # trusted_servers = [ "matrix.org" ];
     };
   };
-}
+};
 ```
 
 ### Available options
@@ -45,86 +45,30 @@ The NixOS module provides these configuration options:
 - `user`: The user to run Continuwuity as (defaults to "continuwuity")
 - `group`: The group to run Continuwuity as (defaults to "continuwuity")
 - `extraEnvironment`: Extra environment variables to pass to the Continuwuity server
-- `package`: The Continuwuity package to use
-- `settings`: The Continuwuity configuration (in TOML format)
+- `package`: The Continuwuity package to use, defaults to `pkgs.matrix-continuwuity`
+    - You may want to override this to be from our flake, for faster updates and unstable versions:
+    ```nix
+    package = inputs.continuwuity.packages.${pkgs.stdenv.hostPlatform.system}.default;
+    ```
+- `admin.enable`: Whether to add the `conduwuit` binary to `PATH` for administration (enabled by default)
+- `settings`: The Continuwuity configuration
 
 Use the `settings` option to configure Continuwuity itself. See the [example configuration file](../reference/config.mdx) for all available options.
 
-### UNIX sockets
-
-The NixOS module natively supports UNIX sockets through the `global.unix_socket_path` option. When using UNIX sockets, set `global.address` to `null`:
+Settings are automatically translated from Nix to TOML. For example, the following line of Nix:
 
 ```nix
-services.matrix-continuwuity = {
-  enable = true;
-  settings = {
-    global = {
-      server_name = "example.com";
-      address = null; # Must be null when using unix_socket_path
-      unix_socket_path = "/run/continuwuity/continuwuity.sock";
-      unix_socket_perms = 660; # Default permissions for the socket
-      # ...
-    };
-  };
-};
+settings.global.well_known.client = "https://matrix.example.com";
 ```
 
-The module automatically sets the correct `RestrictAddressFamilies` in the systemd service configuration to allow access to UNIX sockets.
+Would become this equivalent TOML configuration:
 
-### RocksDB database
-
-Continuwuity exclusively uses RocksDB as its database backend. The system configures the database path automatically to `/var/lib/continuwuity/` and you cannot change it due to the service's reliance on systemd's StateDir.
-
-If you're migrating from Conduit with SQLite, use this [tool to migrate a Conduit SQLite database to RocksDB](https://github.com/ShadowJonathan/conduit_toolbox/).
-
-### jemalloc and hardened profile
-
-Continuwuity uses jemalloc by default. This may interfere with the [`hardened.nix` profile][hardened.nix] because it uses `scudo` by default. Either disable/hide `scudo` from Continuwuity or disable jemalloc like this:
-
-```nix
-services.matrix-continuwuity = {
-  enable = true;
-  package = pkgs.matrix-continuwuity.override {
-    enableJemalloc = false;
-  };
-  # ...
-};
+```toml
+[global.well_known]
+client = "https://matrix.example.com"
 ```
 
-## Upgrading from Conduit
-
-If you previously used Conduit with the `services.matrix-conduit` module:
-
-1. Ensure your Conduit uses the RocksDB backend, or migrate from SQLite using the [migration tool](https://github.com/ShadowJonathan/conduit_toolbox/)
-2. Switch to the new module by changing `services.matrix-conduit` to `services.matrix-continuwuity` in your configuration
-3. Update any custom configuration to match the new module's structure
-
 ## Reverse proxy configuration
 
-You'll need to set up a reverse proxy (like nginx or caddy) to expose Continuwuity to the internet. Configure your reverse proxy to forward requests to `/_matrix` on port 443 and 8448 to your Continuwuity instance.
-
-Here's an example nginx configuration:
-
-```nginx
-server {
-    listen 443 ssl;
-    listen [::]:443 ssl;
-    listen 8448 ssl;
-    listen [::]:8448 ssl;
-
-    server_name example.com;
-
-    # SSL configuration here...
-
-    location /_matrix/ {
-        proxy_pass http://127.0.0.1:6167$request_uri;
-        proxy_set_header Host $host;
-        proxy_set_header X-Real-IP $remote_addr;
-        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
-        proxy_set_header X-Forwarded-Proto $scheme;
-    }
-}
-```
-
-[lix]: https://lix.systems/
-[hardened.nix]: https://github.com/NixOS/nixpkgs/blob/master/nixos/modules/profiles/hardened.nix
+You'll need to set up a reverse proxy (like NGINX or Caddy) to expose Continuwuity to the internet. You can configure your reverse proxy using NixOS options (e.g. `services.caddy`).
+See the [reverse proxy setup guide](./generic.mdx#setting-up-the-reverse-proxy) for information on correct reverse proxy configuration.

flake.lock

@@ -3,11 +3,11 @@
     "advisory-db": {
       "flake": false,
       "locked": {
-        "lastModified": 1773786698,
-        "narHash": "sha256-o/J7ZculgwSs1L4H4UFlFZENOXTJzq1X0n71x6oNNvY=",
+        "lastModified": 1775907537,
+        "narHash": "sha256-vbeLNgmsx1Z6TwnlDV0dKyeBCcon3UpkV9yLr/yc6HM=",
         "owner": "rustsec",
         "repo": "advisory-db",
-        "rev": "99e9de91bb8b61f06ef234ff84e11f758ecd5384",
+        "rev": "d99f7b9eb81731bddebf80a355f8be7b2f8b1b28",
         "type": "github"
       },
       "original": {
@@ -18,11 +18,11 @@
     },
     "crane": {
       "locked": {
-        "lastModified": 1773189535,
-        "narHash": "sha256-E1G/Or6MWeP+L6mpQ0iTFLpzSzlpGrITfU2220Gq47g=",
+        "lastModified": 1775839657,
+        "narHash": "sha256-SPm9ck7jh3Un9nwPuMGbRU04UroFmOHjLP56T10MOeM=",
         "owner": "ipetkov",
         "repo": "crane",
-        "rev": "6fa2fb4cf4a89ba49fc9dd5a3eb6cde99d388269",
+        "rev": "7cf72d978629469c4bd4206b95c402514c1f6000",
         "type": "github"
       },
       "original": {
@@ -39,11 +39,11 @@
         "rust-analyzer-src": "rust-analyzer-src"
       },
       "locked": {
-        "lastModified": 1773732206,
-        "narHash": "sha256-HKibxaUXyWd4Hs+ZUnwo6XslvaFqFqJh66uL9tphU4Q=",
+        "lastModified": 1775891769,
+        "narHash": "sha256-EOfVlTKw2n8w1uhfh46GS4hEGnQ7oWrIWQfIY6utIkI=",
         "owner": "nix-community",
         "repo": "fenix",
-        "rev": "0aa13c1b54063a8d8679b28a5cd357ba98f4a56b",
+        "rev": "6fbc54dde15aee725bdc7aae5e478849685d5f56",
         "type": "github"
       },
       "original": {
@@ -74,11 +74,11 @@
         "nixpkgs-lib": "nixpkgs-lib"
       },
       "locked": {
-        "lastModified": 1772408722,
-        "narHash": "sha256-rHuJtdcOjK7rAHpHphUb1iCvgkU3GpfvicLMwwnfMT0=",
+        "lastModified": 1775087534,
+        "narHash": "sha256-91qqW8lhL7TLwgQWijoGBbiD4t7/q75KTi8NxjVmSmA=",
         "owner": "hercules-ci",
         "repo": "flake-parts",
-        "rev": "f20dc5d9b8027381c474144ecabc9034d6a839a3",
+        "rev": "3107b77cd68437b9a76194f0f7f9c55f2329ca5b",
         "type": "github"
       },
       "original": {
@@ -89,11 +89,11 @@
     },
     "nixpkgs": {
       "locked": {
-        "lastModified": 1773734432,
-        "narHash": "sha256-IF5ppUWh6gHGHYDbtVUyhwy/i7D261P7fWD1bPefOsw=",
+        "lastModified": 1775710090,
+        "narHash": "sha256-ar3rofg+awPB8QXDaFJhJ2jJhu+KqN/PRCXeyuXR76E=",
         "owner": "NixOS",
         "repo": "nixpkgs",
-        "rev": "cda48547b432e8d3b18b4180ba07473762ec8558",
+        "rev": "4c1018dae018162ec878d42fec712642d214fdfa",
         "type": "github"
       },
       "original": {
@@ -105,11 +105,11 @@
     },
     "nixpkgs-lib": {
       "locked": {
-        "lastModified": 1772328832,
-        "narHash": "sha256-e+/T/pmEkLP6BHhYjx6GmwP5ivonQQn0bJdH9YrRB+Q=",
+        "lastModified": 1774748309,
+        "narHash": "sha256-+U7gF3qxzwD5TZuANzZPeJTZRHS29OFQgkQ2kiTJBIQ=",
         "owner": "nix-community",
         "repo": "nixpkgs.lib",
-        "rev": "c185c7a5e5dd8f9add5b2f8ebeff00888b070742",
+        "rev": "333c4e0545a6da976206c74db8773a1645b5870a",
         "type": "github"
       },
       "original": {
@@ -132,11 +132,11 @@
     "rust-analyzer-src": {
       "flake": false,
       "locked": {
-        "lastModified": 1773697963,
-        "narHash": "sha256-xdKI77It9PM6eNrCcDZsnP4SKulZwk8VkDgBRVMnCb8=",
+        "lastModified": 1775843361,
+        "narHash": "sha256-j53ZgyDvmYf3Sjh1IPvvTjqa614qUfVQSzj59+MpzkY=",
         "owner": "rust-lang",
         "repo": "rust-analyzer",
-        "rev": "2993637174252ff60a582fd1f55b9ab52c39db6d",
+        "rev": "9eb97ea96d8400e8957ddd56702e962614296583",
         "type": "github"
       },
       "original": {
@@ -153,11 +153,11 @@
         ]
       },
       "locked": {
-        "lastModified": 1773297127,
-        "narHash": "sha256-6E/yhXP7Oy/NbXtf1ktzmU8SdVqJQ09HC/48ebEGBpk=",
+        "lastModified": 1775636079,
+        "narHash": "sha256-pc20NRoMdiar8oPQceQT47UUZMBTiMdUuWrYu2obUP0=",
         "owner": "numtide",
         "repo": "treefmt-nix",
-        "rev": "71b125cd05fbfd78cab3e070b73544abe24c5016",
+        "rev": "790751ff7fd3801feeaf96d7dc416a8d581265ba",
         "type": "github"
       },
       "original": {

src/api/client/directory.rs

@@ -1,7 +1,9 @@
+use std::iter::once;
+
 use axum::extract::State;
 use axum_client_ip::InsecureClientIp;
 use conduwuit::{
-	Err, Event, Result, err, info,
+	Err, Event, Result, RoomVersion, err, info,
 	utils::{
 		TryFutureExtExt,
 		math::Expected,
@@ -30,12 +32,14 @@ use ruma::{
 	events::{
 		StateEventType,
 		room::{
+			create::RoomCreateEventContent,
 			join_rules::{JoinRule, RoomJoinRulesEventContent},
 			power_levels::{RoomPowerLevels, RoomPowerLevelsEventContent},
 		},
 	},
 	uint,
 };
+use tokio::join;
 
 use crate::Ruma;
 
@@ -339,36 +343,63 @@ pub(crate) async fn get_public_rooms_filtered_helper(
 	})
 }
 
-/// Check whether the user can publish to the room directory via power levels of
-/// room history visibility event or room creator
+/// Checks whether the given user ID is allowed to publish the target room to
+/// the server's public room directory. Users are allowed to publish rooms if
+/// they are server admins, room creators (in v12), or have the power level to
+/// send `m.room.canonical_alias`.
 async fn user_can_publish_room(
 	services: &Services,
 	user_id: &UserId,
 	room_id: &RoomId,
 ) -> Result<bool> {
-	match services
-		.rooms
-		.state_accessor
-		.room_state_get(room_id, &StateEventType::RoomPowerLevels, "")
-		.await
+	if services.users.is_admin(user_id).await {
+		// Server admins can always publish to their own room directory.
+		return Ok(true);
+	}
+	let (create_event, room_version, power_levels_content) = join!(
+		services
+			.rooms
+			.state_accessor
+			.room_state_get(room_id, &StateEventType::RoomCreate, ""),
+		services.rooms.state.get_room_version(room_id),
+		services
+			.rooms
+			.state_accessor
+			.room_state_get_content::<RoomPowerLevelsEventContent>(
+				room_id,
+				&StateEventType::RoomPowerLevels,
+				""
+			)
+	);
+	let room_version = room_version
+		.as_ref()
+		.map_err(|_| err!(Request(NotFound("Unknown room"))))?;
+	let create_event = create_event.map_err(|_| err!(Request(NotFound("Unknown room"))))?;
+	if RoomVersion::new(room_version)
+		.expect("room version must be supported")
+		.explicitly_privilege_room_creators
 	{
-		| Ok(event) => serde_json::from_str(event.content().get())
-			.map_err(|_| err!(Database("Invalid event content for m.room.power_levels")))
-			.map(|content: RoomPowerLevelsEventContent| {
-				RoomPowerLevels::from(content)
-					.user_can_send_state(user_id, StateEventType::RoomHistoryVisibility)
-			}),
-		| _ => {
-			match services
-				.rooms
-				.state_accessor
-				.room_state_get(room_id, &StateEventType::RoomCreate, "")
-				.await
-			{
-				| Ok(event) => Ok(event.sender() == user_id),
-				| _ => Err!(Request(Forbidden("User is not allowed to publish this room"))),
-			}
-		},
+		let create_content: RoomCreateEventContent =
+			serde_json::from_str(create_event.content().get())
+				.map_err(|_| err!(Database("Invalid event content for m.room.create")))?;
+		let is_creator = create_content
+			.additional_creators
+			.unwrap_or_default()
+			.into_iter()
+			.chain(once(create_event.sender().to_owned()))
+			.any(|sender| sender == user_id);
+		if is_creator {
+			return Ok(true);
+		}
+	}
+	match power_levels_content.map(RoomPowerLevels::from) {
+		| Ok(pl) => Ok(pl.user_can_send_state(user_id, StateEventType::RoomCanonicalAlias)),
+		| Err(e) =>
+			if e.is_not_found() {
+				Ok(create_event.sender() == user_id)
+			} else {
+				Err!(Database("Invalid event content for m.room.power_levels: {e}"))
+			},
 	}
 }
 

src/api/client/voip.rs

@@ -3,7 +3,7 @@ use std::time::{Duration, SystemTime};
 use axum::extract::State;
 use base64::{Engine as _, engine::general_purpose};
 use conduwuit::{Err, Result, utils};
-use hmac::{Hmac, Mac};
+use hmac::{Hmac, KeyInit, Mac};
 use ruma::{SecondsSinceUnixEpoch, UserId, api::client::voip::get_turn_server_info};
 use sha1::Sha1;
 

src/router/run.rs

@@ -73,7 +73,7 @@ pub(crate) async fn start(server: Arc<Server>) -> Result<Arc<Services>> {
 	let services = Services::build(server).await?.start().await?;
 
 	#[cfg(all(feature = "systemd", target_os = "linux"))]
-	sd_notify::notify(false, &[sd_notify::NotifyState::Ready])
+	sd_notify::notify(&[sd_notify::NotifyState::Ready])
 		.expect("failed to notify systemd of ready state");
 
 	debug!("Started");
@@ -86,7 +86,7 @@ pub(crate) async fn stop(services: Arc<Services>) -> Result<()> {
 	debug!("Shutting down...");
 
 	#[cfg(all(feature = "systemd", target_os = "linux"))]
-	sd_notify::notify(false, &[sd_notify::NotifyState::Stopping])
+	sd_notify::notify(&[sd_notify::NotifyState::Stopping])
 		.expect("failed to notify systemd of stopping state");
 
 	// Wait for all completions before dropping or we'll lose them to the module

src/service/config/mod.rs

@@ -70,7 +70,7 @@ impl Deref for Service {
 fn handle_reload(&self) -> Result {
 	if self.server.config.config_reload_signal {
 		#[cfg(all(feature = "systemd", target_os = "linux"))]
-		sd_notify::notify(false, &[
+		sd_notify::notify(&[
 			sd_notify::NotifyState::Reloading,
 			sd_notify::NotifyState::monotonic_usec_now().expect("Failed to read monotonic time"),
 		])
@@ -80,7 +80,7 @@ fn handle_reload(&self) -> Result {
 		self.reload(&config_paths)?;
 
 		#[cfg(all(feature = "systemd", target_os = "linux"))]
-		sd_notify::notify(false, &[sd_notify::NotifyState::Ready])
+		sd_notify::notify(&[sd_notify::NotifyState::Ready])
 			.expect("failed to notify systemd of ready state");
 	}