feat: Ask remote servers for individual unknown events

Also change some links to the new ones, removing reliance on June's github repos in some places

.cargo/config.toml

@@ -0,0 +1,2 @@
+[alias]
+xtask = "run --package xtask --"

.editorconfig

@@ -23,6 +23,6 @@ indent_size = 2
 indent_style = tab
 max_line_length = 98
 
-[{.forgejo/**/*.yml,.github/**/*.yml}]
+[*.yml]
 indent_size = 2
 indent_style = space

.forgejo/actions/prefligit/action.yml

@@ -0,0 +1,27 @@
+name: prefligit
+description: |
+  Runs prefligit, pre-commit reimplemented in Rust.
+inputs:
+  extra_args:
+    description: options to pass to pre-commit run
+    required: false
+    default: '--all-files'
+
+runs:
+  using: composite
+  steps:
+  - name: Install uv
+    uses: https://github.com/astral-sh/setup-uv@v6
+    with:
+      enable-cache: true
+      ignore-nothing-to-cache: true
+  - name: Install Prefligit
+    shell: bash
+    run: |
+      curl --proto '=https' --tlsv1.2 -LsSf https://github.com/j178/prefligit/releases/download/v0.0.10/prefligit-installer.sh | sh
+  - uses: actions/cache@v3
+    with:
+      path: ~/.cache/prefligit
+      key: prefligit-0|${{ hashFiles('.pre-commit-config.yaml') }}
+  - run: prefligit run --show-diff-on-failure --color=always -v ${{ inputs.extra_args }}
+    shell: bash

.forgejo/actions/rust-toolchain/action.yml

@@ -19,11 +19,20 @@ outputs:
   rustc_version:
     description: The rustc version installed
     value: ${{ steps.rustc-version.outputs.version }}
+  rustup_version:
+    description: The rustup version installed
+    value: ${{ steps.rustup-version.outputs.version }}
 
 runs:
   using: composite
   steps:
+    - name: Check if rustup is already installed
+      shell: bash
+      id: rustup-version
+      run: |
+        echo "version=$(rustup --version)" >> $GITHUB_OUTPUT
     - name: Cache rustup toolchains
+      if: steps.rustup-version.outputs.version == ''
       uses: actions/cache@v3
       with:
         path: |
@@ -33,6 +42,7 @@ runs:
         # Requires repo to be cloned if toolchain is not specified
         key: ${{ runner.os }}-rustup-${{ inputs.toolchain || hashFiles('**/rust-toolchain.toml') }}
     - name: Install Rust toolchain
+      if: steps.rustup-version.outputs.version == ''
       shell: bash
       run: |
         if ! command -v rustup &> /dev/null ; then

.forgejo/regsync/regsync.yml

@@ -0,0 +1,55 @@
+version: 1
+
+x-source: &source forgejo.ellis.link/continuwuation/continuwuity
+
+x-tags:
+  releases: &tags-releases
+    tags:
+      allow:
+      - "latest"
+      - "v[0-9]+\\.[0-9]+\\.[0-9]+(-[a-z0-9\\.]+)?"
+      - "v[0-9]+\\.[0-9]+"
+      - "v[0-9]+"
+  main: &tags-main
+    tags:
+      allow:
+      - "latest"
+      - "v[0-9]+\\.[0-9]+\\.[0-9]+(-[a-z0-9\\.]+)?"
+      - "v[0-9]+\\.[0-9]+"
+      - "v[0-9]+"
+      - "main"
+  commits: &tags-commits
+    tags:
+      allow:
+      - "latest"
+      - "v[0-9]+\\.[0-9]+\\.[0-9]+(-[a-z0-9\\.]+)?"
+      - "v[0-9]+\\.[0-9]+"
+      - "v[0-9]+"
+      - "main"
+      - "sha-[a-f0-9]+"
+  all: &tags-all
+    tags:
+      allow:
+      - ".*"
+
+# Registry credentials
+creds:
+  - registry: forgejo.ellis.link
+    user: "{{env \"BUILTIN_REGISTRY_USER\"}}"
+    pass: "{{env \"BUILTIN_REGISTRY_PASSWORD\"}}"
+  - registry: registry.gitlab.com
+    user: "{{env \"GITLAB_USERNAME\"}}"
+    pass: "{{env \"GITLAB_TOKEN\"}}"
+
+# Global defaults
+defaults:
+  parallel: 3
+  interval: 2h
+  digestTags: true
+
+# Sync configuration - each registry gets different image sets
+sync:
+  - source: *source
+    target: registry.gitlab.com/continuwuity/continuwuity
+    type: repository
+    <<: *tags-main

.forgejo/workflows/documentation.yml

@@ -17,6 +17,7 @@ jobs:
   docs:
     name: Build and Deploy Documentation
     runs-on: ubuntu-latest
+    if: secrets.CLOUDFLARE_API_TOKEN != ''
 
     steps:
       - name: Sync repository

.forgejo/workflows/element.yml

@@ -11,16 +11,16 @@ concurrency:
 
 jobs:
   build-and-deploy:
-    name: Build and Deploy Element Web
+    name: 🏗️ Build and Deploy
     runs-on: ubuntu-latest
 
     steps:
-      - name: Setup Node.js
-        uses: https://code.forgejo.org/actions/setup-node@v4
+      - name: 📦 Setup Node.js
+        uses: https://github.com/actions/setup-node@v4
         with:
-          node-version: "20"
+          node-version: "22"
 
-      - name: Clone, setup, and build Element Web
+      - name: 🔨 Clone, setup, and build Element Web
         run: |
           echo "Cloning Element Web..."
           git clone https://github.com/maunium/element-web
@@ -64,7 +64,7 @@ jobs:
           echo "Checking for build output..."
           ls -la webapp/
 
-      - name: Create config.json
+      - name: ⚙️ Create config.json
         run: |
           cat <<EOF > ./element-web/webapp/config.json
           {
@@ -100,28 +100,25 @@ jobs:
           echo "Created ./element-web/webapp/config.json"
           cat ./element-web/webapp/config.json
 
-      - name: Upload Artifact
+      - name: 📤 Upload Artifact
         uses: https://code.forgejo.org/actions/upload-artifact@v3
         with:
           name: element-web
           path: ./element-web/webapp/
           retention-days: 14
 
-      - name: Install Wrangler
+      - name: 🛠️ Install Wrangler
         run: npm install --save-dev wrangler@latest
 
-      - name: Deploy to Cloudflare Pages (Production)
-        if: github.ref == 'refs/heads/main' && vars.CLOUDFLARE_PROJECT_NAME != ''
+      - name: 🚀 Deploy to Cloudflare Pages
+        if: vars.CLOUDFLARE_PROJECT_NAME != ''
+        id: deploy
         uses: https://github.com/cloudflare/wrangler-action@v3
         with:
           accountId: ${{ secrets.CLOUDFLARE_ACCOUNT_ID }}
           apiToken: ${{ secrets.CLOUDFLARE_API_TOKEN }}
-          command: pages deploy ./element-web/webapp --branch="main" --commit-dirty=true --project-name="${{ vars.CLOUDFLARE_PROJECT_NAME }}-element"
-
-      - name: Deploy to Cloudflare Pages (Preview)
-        if: github.ref != 'refs/heads/main' && vars.CLOUDFLARE_PROJECT_NAME != ''
-        uses: https://github.com/cloudflare/wrangler-action@v3
-        with:
-          accountId: ${{ secrets.CLOUDFLARE_ACCOUNT_ID }}
-          apiToken: ${{ secrets.CLOUDFLARE_API_TOKEN }}
-          command: pages deploy ./element-web/webapp --branch="${{ github.head_ref || github.ref_name }}" --commit-dirty=true --project-name="${{ vars.CLOUDFLARE_PROJECT_NAME }}-element"
+          command: >-
+            pages deploy ./element-web/webapp
+            --branch="${{ github.ref == 'refs/heads/main' && 'main' || github.head_ref || github.ref_name }}"
+            --commit-dirty=true
+            --project-name="${{ vars.CLOUDFLARE_PROJECT_NAME }}-element"

.forgejo/workflows/mirror-images.yml

@@ -0,0 +1,47 @@
+name: Mirror Container Images
+
+on:
+  schedule:
+    # Run every 2 hours
+    - cron: "0 */2 * * *"
+  workflow_dispatch:
+    inputs:
+      dry_run:
+        description: 'Dry run (check only, no actual mirroring)'
+        required: false
+        default: false
+        type: boolean
+
+concurrency:
+  group: "mirror-images"
+  cancel-in-progress: true
+
+jobs:
+  mirror-images:
+    runs-on: ubuntu-latest
+    env:
+      BUILTIN_REGISTRY_USER: ${{ vars.BUILTIN_REGISTRY_USER }}
+      BUILTIN_REGISTRY_PASSWORD: ${{ secrets.BUILTIN_REGISTRY_PASSWORD }}
+      GITLAB_USERNAME: ${{ vars.GITLAB_USERNAME }}
+      GITLAB_TOKEN: ${{ secrets.GITLAB_TOKEN }}
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@v4
+        with:
+          persist-credentials: false
+
+      - name: Install regctl
+        uses: https://forgejo.ellis.link/continuwuation/regclient-actions/regctl-installer@main
+        with:
+          binary: regsync
+
+      - name: Check what images need mirroring
+        run: |
+          echo "Checking images that need mirroring..."
+          regsync check -c .forgejo/regsync/regsync.yml -v info
+
+      - name: Mirror images
+        if: ${{ !inputs.dry_run }}
+        run: |
+          echo "Starting image mirroring..."
+          regsync once -c .forgejo/regsync/regsync.yml -v info

.forgejo/workflows/prefligit-checks.yml

@@ -0,0 +1,22 @@
+name: Checks / Prefligit
+
+on:
+  push:
+  pull_request:
+permissions:
+  contents: read
+
+jobs:
+  prefligit:
+    runs-on: ubuntu-latest
+    env:
+      FROM_REF: ${{ github.event.pull_request.base.sha || (!github.event.forced && ( github.event.before != '0000000000000000000000000000000000000000'  && github.event.before || github.sha )) || format('{0}~', github.sha) }}
+      TO_REF: ${{ github.sha }}
+    steps:
+    - name: Checkout repository
+      uses: actions/checkout@v4
+      with:
+        persist-credentials: false
+    - uses: ./.forgejo/actions/prefligit
+      with:
+        extra_args: --all-files --hook-stage manual

.forgejo/workflows/release-image.yml

@@ -49,6 +49,7 @@ jobs:
             const platforms = ['linux/amd64', 'linux/arm64']
             core.setOutput('build_matrix', JSON.stringify({
               platform: platforms,
+              target_cpu: ['base'],
               include: platforms.map(platform => { return {
                 platform,
                 slug: platform.replace('/', '-')
@@ -57,7 +58,6 @@ jobs:
 
   build-image:
     runs-on: dind
-    container: ghcr.io/catthehacker/ubuntu:act-latest
     needs: define-variables
     permissions:
       contents: read
@@ -67,6 +67,8 @@ jobs:
     strategy:
       matrix:
         {
+          "target_cpu": ["base"],
+          "profile": ["release"],
           "include":
             [
               { "platform": "linux/amd64", "slug": "linux-amd64" },
@@ -74,6 +76,7 @@ jobs:
             ],
           "platform": ["linux/amd64", "linux/arm64"],
         }
+
     steps:
       - name: Echo strategy
         run: echo '${{ toJSON(fromJSON(needs.define-variables.outputs.build_matrix)) }}'
@@ -141,8 +144,8 @@ jobs:
         uses: actions/cache@v3
         with:
           path: |
-            cargo-target-${{ matrix.slug }}
-          key: cargo-target-${{ matrix.slug }}-${{hashFiles('**/Cargo.lock') }}-${{steps.rust-toolchain.outputs.rustc_version}}
+            cargo-target-${{ matrix.target_cpu }}-${{ matrix.slug }}-${{ matrix.profile }}
+          key: cargo-target-${{ matrix.target_cpu }}-${{ matrix.slug }}-${{ matrix.profile }}-${{hashFiles('**/Cargo.lock') }}-${{steps.rust-toolchain.outputs.rustc_version}}
       - name: Cache apt cache
         id: cache-apt
         uses: actions/cache@v3
@@ -164,9 +167,9 @@ jobs:
             {
               ".cargo/registry": "/usr/local/cargo/registry",
               ".cargo/git/db": "/usr/local/cargo/git/db",
-              "cargo-target-${{ matrix.slug }}": {
+              "cargo-target-${{ matrix.target_cpu }}-${{ matrix.slug }}-${{ matrix.profile }}": {
                 "target": "/app/target",
-                "id": "cargo-target-${{ matrix.platform }}"
+                "id": "cargo-target-${{ matrix.target_cpu }}-${{ matrix.slug }}-${{ matrix.profile }}"
               },
               "var-cache-apt-${{ matrix.slug }}": "/var/cache/apt",
               "var-lib-apt-${{ matrix.slug }}": "/var/lib/apt"
@@ -181,14 +184,14 @@ jobs:
           file: "docker/Dockerfile"
           build-args: |
             GIT_COMMIT_HASH=${{ github.sha }})
-            GIT_COMMIT_HASH_SHORT=${{ env.COMMIT_SHORT_SHA }})
+            GIT_COMMIT_HASH_SHORT=${{ env.COMMIT_SHORT_SHA }}
             GIT_REMOTE_URL=${{github.event.repository.html_url }}
             GIT_REMOTE_COMMIT_URL=${{github.event.head_commit.url }}
           platforms: ${{ matrix.platform }}
           labels: ${{ steps.meta.outputs.labels }}
           annotations: ${{ steps.meta.outputs.annotations }}
           cache-from: type=gha
-          cache-to: type=gha,mode=max
+          # cache-to: type=gha,mode=max
           sbom: true
           outputs: type=image,"name=${{ needs.define-variables.outputs.images_list }}",push-by-digest=true,name-canonical=true,push=true
         env:
@@ -201,17 +204,34 @@ jobs:
           digest="${{ steps.build.outputs.digest }}"
           touch "/tmp/digests/${digest#sha256:}"
 
+      - name: Extract binary from container (image)
+        id: extract-binary-image
+        run: |
+          mkdir -p /tmp/binaries
+          digest="${{ steps.build.outputs.digest }}"
+          echo "container_id=$(docker create --platform ${{ matrix.platform }} ${{ needs.define-variables.outputs.images_list }}@$digest)" >> $GITHUB_OUTPUT
+      - name: Extract binary from container (copy)
+        run: docker cp ${{ steps.extract-binary-image.outputs.container_id }}:/sbin/conduwuit /tmp/binaries/conduwuit-${{ matrix.target_cpu }}-${{ matrix.slug }}-${{ matrix.profile }}
+      - name: Extract binary from container (cleanup)
+        run: docker rm ${{ steps.extract-binary-image.outputs.container_id }}
+
+      - name: Upload binary artifact
+        uses: forgejo/upload-artifact@v4
+        with:
+          name: conduwuit-${{ matrix.target_cpu }}-${{ matrix.slug }}-${{ matrix.profile }}
+          path: /tmp/binaries/conduwuit-${{ matrix.target_cpu }}-${{ matrix.slug }}-${{ matrix.profile }}
+          if-no-files-found: error
+
       - name: Upload digest
         uses: forgejo/upload-artifact@v4
         with:
           name: digests-${{ matrix.slug }}
           path: /tmp/digests/*
           if-no-files-found: error
-          retention-days: 1
+          retention-days: 5
 
   merge:
     runs-on: dind
-    container: ghcr.io/catthehacker/ubuntu:act-latest
     needs: [define-variables, build-image]
     steps:
       - name: Download digests
@@ -236,12 +256,13 @@ jobs:
         uses: docker/metadata-action@v5
         with:
           tags: |
-            type=semver,pattern=v{{version}}
-            type=semver,pattern=v{{major}}.{{minor}},enable=${{ !startsWith(github.ref, 'refs/tags/v0.0.') }}
-            type=semver,pattern=v{{major}},enable=${{ !startsWith(github.ref, 'refs/tags/v0.') }}
+            type=semver,pattern={{version}},prefix=v
+            type=semver,pattern={{major}}.{{minor}},enable=${{ !startsWith(github.ref, 'refs/tags/v0.0.') }},prefix=v
+            type=semver,pattern={{major}},enable=${{ !startsWith(github.ref, 'refs/tags/v0.') }},prefix=v
             type=ref,event=branch,prefix=${{ format('refs/heads/{0}', github.event.repository.default_branch) != github.ref && 'branch-' || '' }}
             type=ref,event=pr
             type=sha,format=long
+            type=raw,value=latest,enable=${{ !startsWith(github.ref, 'refs/tags/v') }}
           images: ${{needs.define-variables.outputs.images}}
           # default labels & annotations: https://github.com/docker/metadata-action/blob/master/src/meta.ts#L509
         env:

.forgejo/workflows/rust-checks.yml

@@ -1,4 +1,4 @@
-name: Rust Checks
+name: Checks / Rust
 
 on:
   push:
@@ -80,6 +80,7 @@ jobs:
             -D warnings
 
       - name: Show sccache stats
+        if: always()
         run: sccache --show-stats
 
   cargo-test:
@@ -137,4 +138,5 @@ jobs:
             --no-fail-fast
 
       - name: Show sccache stats
+        if: always()
         run: sccache --show-stats

.git-blame-ignore-revs

@@ -5,3 +5,5 @@ f419c64aca300a338096b4e0db4c73ace54f23d0
 # use chain_width 60
 162948313c212193965dece50b816ef0903172ba
 5998a0d883d31b866f7c8c46433a8857eae51a89
+# trailing whitespace and newlines
+46c193e74b2ce86c48ce802333a0aabce37fd6e9

.gitattributes

@@ -84,4 +84,4 @@ Cargo.lock text
 *.zst      binary
 
 # Text files where line endings should be preserved
-*.patch    -text
+*.patch    -text

.github/FUNDING.yml

@@ -0,0 +1,5 @@
+github: [JadedBlueEyes]
+# Doesn't support an array, so we can only list nex
+ko_fi: nexy7574
+custom:
+  - https://ko-fi.com/JadedBlueEyes

.pre-commit-config.yaml

@@ -0,0 +1,47 @@
+default_install_hook_types:
+  - pre-commit
+  - commit-msg
+default_stages:
+  - pre-commit
+  - manual
+
+repos:
+  - repo: https://github.com/pre-commit/pre-commit-hooks
+    rev: v5.0.0
+    hooks:
+        - id: check-byte-order-marker
+        - id: check-case-conflict
+        - id: check-symlinks
+        - id: destroyed-symlinks
+        - id: check-yaml
+        - id: check-json
+        - id: check-toml
+        - id: end-of-file-fixer
+        - id: trailing-whitespace
+        - id: mixed-line-ending
+        - id: check-merge-conflict
+        - id: check-added-large-files
+
+  - repo: https://github.com/crate-ci/typos
+    rev: v1.26.0
+    hooks:
+      - id: typos
+      - id: typos
+        name: commit-msg-typos
+        stages: [commit-msg]
+
+  - repo: https://github.com/crate-ci/committed
+    rev: v1.1.7
+    hooks:
+    - id: committed
+
+  - repo: local
+    hooks:
+      - id: cargo-fmt
+        name: cargo fmt
+        entry: cargo +nightly fmt --
+        language: system
+        types: [rust]
+        pass_filenames: false
+        stages:
+            - pre-commit

CONTRIBUTING.md

@@ -1,6 +1,6 @@
 # Contributing guide
 
-This page is for about contributing to Continuwuity. The
+This page is about contributing to Continuwuity. The
 [development](./development.md) page may be of interest for you as well.
 
 If you would like to work on an [issue][issues] that is not assigned, preferably
@@ -10,7 +10,7 @@ and comment on it.
 ### Linting and Formatting
 
 It is mandatory all your changes satisfy the lints (clippy, rustc, rustdoc, etc)
-and your code is formatted via the **nightly** `cargo fmt`. A lot of the
+and your code is formatted via the **nightly** rustfmt (`cargo +nightly fmt`). A lot of the
 `rustfmt.toml` features depend on nightly toolchain. It would be ideal if they
 weren't nightly-exclusive features, but they currently still are. CI's rustfmt
 uses nightly.
@@ -21,67 +21,91 @@ comment saying why. Do not write inefficient code for the sake of satisfying
 lints. If a lint is wrong and provides a more inefficient solution or
 suggestion, allow the lint and mention that in a comment.
 
-### Running CI tests locally
+### Pre-commit Checks
 
-continuwuity's CI for tests, linting, formatting, audit, etc use
-[`engage`][engage]. engage can be installed from nixpkgs or `cargo install
-engage`. continuwuity's Nix flake devshell has the nixpkgs engage with `direnv`.
-Use `engage --help` for more usage details.
+Continuwuity uses pre-commit hooks to enforce various coding standards and catch common issues before they're committed. These checks include:
 
-To test, format, lint, etc that CI would do, install engage, allow the `.envrc`
-file using `direnv allow`, and run `engage`.
+- Code formatting and linting
+- Typo detection (both in code and commit messages)
+- Checking for large files
+- Ensuring proper line endings and no trailing whitespace
+- Validating YAML, JSON, and TOML files
+- Checking for merge conflicts
 
-All of the tasks are defined at the [engage.toml][engage.toml] file. You can
-view all of them neatly by running `engage list`
+You can run these checks locally by installing [prefligit](https://github.com/j178/prefligit):
 
-If you would like to run only a specific engage task group, use `just`:
 
-- `engage just <group>`
-- Example: `engage just lints`
+```bash
+# Install prefligit using cargo-binstall
+cargo binstall prefligit
 
-If you would like to run a specific engage task in a specific group, use `just
-<GROUP> [TASK]`: `engage just lints cargo-fmt`
+# Install git hooks to run checks automatically
+prefligit install
 
-The following binaries are used in [`engage.toml`][engage.toml]:
+# Run all checks
+prefligit --all-files
+```
 
-- [`engage`][engage]
-- `nix`
-- [`direnv`][direnv]
-- `rustc`
-- `cargo`
-- `cargo-fmt`
-- `rustdoc`
-- `cargo-clippy`
-- [`cargo-audit`][cargo-audit]
-- [`cargo-deb`][cargo-deb]
-- [`lychee`][lychee]
-- [`markdownlint-cli`][markdownlint-cli]
-- `dpkg`
+Alternatively, you can use [pre-commit](https://pre-commit.com/):
+```bash
+# Install pre-commit
+pip install pre-commit
+
+# Install the hooks
+pre-commit install
+
+# Run all checks manually
+pre-commit run --all-files
+```
+
+These same checks are run in CI via the prefligit-checks workflow to ensure consistency.
+
+### Running tests locally
+
+Tests, compilation, and linting can be run with standard Cargo commands:
+
+```bash
+# Run tests
+cargo test
+
+# Check compilation
+cargo check --workspace
+
+# Run lints
+cargo clippy --workspace
+# Auto-fix: cargo clippy --workspace --fix --allow-staged;
+
+# Format code (must use nightly)
+cargo +nightly fmt
+```
 
 ### Matrix tests
 
-CI runs [Complement][complement], but currently does not fail if results from
-the checked-in results differ with the new results. If your changes are done to
-fix Matrix tests, note that in your pull request. If more Complement tests start
-failing from your changes, please review the logs (they are uploaded as
-artifacts) and determine if they're intended or not.
+Continuwuity uses [Complement][complement] for Matrix protocol compliance testing. Complement tests are run manually by developers, and documentation on how to run these tests locally is currently being developed.
 
-If you'd like to run Complement locally using Nix, see the
-[testing](development/testing.md) page.
+If your changes are done to fix Matrix tests, please note that in your pull request. If more Complement tests start failing from your changes, please review the logs and determine if they're intended or not.
 
-[Sytest][sytest] support will come soon.
+[Sytest][sytest] is currently unsupported.
 
 ### Writing documentation
 
-Continuwuity's website uses [`mdbook`][mdbook] and deployed via CI using GitHub
-Pages in the [`documentation.yml`][documentation.yml] workflow file with Nix's
-mdbook in the devshell. All documentation is in the `docs/` directory at the top
-level. The compiled mdbook website is also uploaded as an artifact.
+Continuwuity's website uses [`mdbook`][mdbook] and is deployed via CI using Cloudflare Pages
+in the [`documentation.yml`][documentation.yml] workflow file. All documentation is in the `docs/`
+directory at the top level.
 
-To build the documentation using Nix, run: `bin/nix-build-and-cache just .#book`
+To build the documentation locally:
 
-The output of the mdbook generation is in `result/`. mdbooks can be opened in
-your browser from the individual HTML files without any web server needed.
+1. Install mdbook if you don't have it already:
+   ```bash
+   cargo install mdbook # or cargo binstall, or another method
+   ```
+
+2. Build the documentation:
+   ```bash
+   mdbook build
+   ```
+
+The output of the mdbook generation is in `public/`. You can open the HTML files directly in your browser without needing a web server.
 
 ### Inclusivity and Diversity
 
@@ -109,6 +133,40 @@ Rust's default style and standards with regards to [function names, variable
 names, comments](https://rust-lang.github.io/api-guidelines/naming.html), etc
 applies here.
 
+### Commit Messages
+
+Continuwuity follows the [Conventional Commits](https://www.conventionalcommits.org/) specification for commit messages. This provides a standardized format that makes the commit history more readable and enables automated tools to generate changelogs.
+
+The basic structure is:
+```
+<type>[(optional scope)]: <description>
+
+[optional body]
+
+[optional footer(s)]
+```
+
+The allowed types for commits are:
+- `fix`: Bug fixes
+- `feat`: New features
+- `docs`: Documentation changes
+- `style`: Changes that don't affect the meaning of the code (formatting, etc.)
+- `refactor`: Code changes that neither fix bugs nor add features
+- `perf`: Performance improvements
+- `test`: Adding or fixing tests
+- `build`: Changes to the build system or dependencies
+- `ci`: Changes to CI configuration
+- `chore`: Other changes that don't modify source or test files
+
+Examples:
+```
+feat: add user authentication
+fix(database): resolve connection pooling issue
+docs: update installation instructions
+```
+
+The project uses the `committed` hook to validate commit messages in pre-commit. This ensures all commits follow the conventional format.
+
 ### Creating pull requests
 
 Please try to keep contributions to the Forgejo Instance. While the mirrors of continuwuity
@@ -118,6 +176,13 @@ This prevents us from having to ping once in a while to double check the status
 of it, especially when the CI completed successfully and everything so it
 *looks* done.
 
+Before submitting a pull request, please ensure:
+1. Your code passes all CI checks (formatting, linting, typo detection, etc.)
+2. Your commit messages follow the conventional commits format
+3. Tests are added for new functionality
+4. Documentation is updated if needed
+
+
 
 Direct all PRs/MRs to the `main` branch.
 
@@ -125,20 +190,13 @@ By sending a pull request or patch, you are agreeing that your changes are
 allowed to be licenced under the Apache-2.0 licence and all of your conduct is
 in line with the Contributor's Covenant, and continuwuity's Code of Conduct.
 
-Contribution by users who violate either of these code of conducts will not have
+Contribution by users who violate either of these code of conducts may not have
 their contributions accepted. This includes users who have been banned from
-continuwuityMatrix rooms for Code of Conduct violations.
+continuwuity Matrix rooms for Code of Conduct violations.
 
 [issues]: https://forgejo.ellis.link/continuwuation/continuwuity/issues
 [continuwuity-matrix]: https://matrix.to/#/#continuwuity:continuwuity.org
 [complement]: https://github.com/matrix-org/complement/
-[engage.toml]: https://forgejo.ellis.link/continuwuation/continuwuity/src/branch/main/engage.toml
-[engage]: https://charles.page.computer.surgery/engage/
 [sytest]: https://github.com/matrix-org/sytest/
-[cargo-deb]: https://github.com/kornelski/cargo-deb
-[lychee]: https://github.com/lycheeverse/lychee
-[markdownlint-cli]: https://github.com/igorshubovych/markdownlint-cli
-[cargo-audit]: https://github.com/RustSec/rustsec/tree/main/cargo-audit
-[direnv]: https://direnv.net/
 [mdbook]: https://rust-lang.github.io/mdBook/
 [documentation.yml]: https://forgejo.ellis.link/continuwuation/continuwuity/src/branch/main/.forgejo/workflows/documentation.yml

Cargo.toml

@@ -2,7 +2,7 @@
 
 [workspace]
 resolver = "2"
-members = ["src/*"]
+members = ["src/*", "xtask/*"]
 default-members = ["src/*"]
 
 [workspace.package]
@@ -21,7 +21,7 @@ license = "Apache-2.0"
 readme = "README.md"
 repository = "https://forgejo.ellis.link/continuwuation/continuwuity"
 rust-version = "1.86.0"
-version = "0.5.0-rc.5"
+version = "0.5.0-rc.6"
 
 [workspace.metadata.crane]
 name = "conduwuit"
@@ -213,6 +213,8 @@ default-features = false
 version = "0.3.19"
 default-features = false
 features = ["env-filter", "std", "tracing", "tracing-log", "ansi", "fmt"]
+[workspace.dependencies.tracing-journald]
+version = "0.3.1"
 [workspace.dependencies.tracing-core]
 version = "0.1.33"
 default-features = false
@@ -350,7 +352,7 @@ version = "0.1.2"
 [workspace.dependencies.ruma]
 git = "https://forgejo.ellis.link/continuwuation/ruwuma"
 #branch = "conduwuit-changes"
-rev = "d6870a7fb7f6cccff63f7fd0ff6c581bad80e983"
+rev = "a4b948b40417a65ab0282ae47cc50035dd455e02"
 features = [
     "compat",
     "rand",
@@ -381,7 +383,7 @@ features = [
     "unstable-msc4121",
     "unstable-msc4125",
     "unstable-msc4186",
-    "unstable-msc4203", # sending to-device events to appservices 
+    "unstable-msc4203", # sending to-device events to appservices
     "unstable-msc4210", # remove legacy mentions
     "unstable-extensible-events",
     "unstable-pdu",
@@ -556,11 +558,11 @@ rev = "1e64095a8051a1adf0d1faa307f9f030889ec2aa"
 git = "https://forgejo.ellis.link/continuwuation/tracing"
 rev = "1e64095a8051a1adf0d1faa307f9f030889ec2aa"
 
-# adds a tab completion callback: https://forgejo.ellis.link/continuwuation/rustyline-async/commit/de26100b0db03e419a3d8e1dd26895d170d1fe50
-# adds event for CTRL+\: https://forgejo.ellis.link/continuwuation/rustyline-async/commit/67d8c49aeac03a5ef4e818f663eaa94dd7bf339b
+# adds a tab completion callback: https://forgejo.ellis.link/continuwuation/rustyline-async/src/branch/main/.patchy/0002-add-tab-completion-callback.patch
+# adds event for CTRL+\: https://forgejo.ellis.link/continuwuation/rustyline-async/src/branch/main/.patchy/0001-add-event-for-ctrl.patch
 [patch.crates-io.rustyline-async]
 git = "https://forgejo.ellis.link/continuwuation/rustyline-async"
-rev = "deaeb0694e2083f53d363b648da06e10fc13900c"
+rev = "e9f01cf8c6605483cb80b3b0309b400940493d7f"
 
 # adds LIFO queue scheduling; this should be updated with PR progress.
 [patch.crates-io.event-listener]
@@ -580,12 +582,11 @@ rev = "9c8e51510c35077df888ee72a36b4b05637147da"
 git = "https://forgejo.ellis.link/continuwuation/hyper-util"
 rev = "e4ae7628fe4fcdacef9788c4c8415317a4489941"
 
-# allows no-aaaa option in resolv.conf
-# bumps rust edition and toolchain to 1.86.0 and 2024
-# use sat_add on line number errors
+# Allows no-aaaa option in resolv.conf
+# Use 1-indexed line numbers when displaying parse error messages
 [patch.crates-io.resolv-conf]
 git = "https://forgejo.ellis.link/continuwuation/resolv-conf"
-rev = "200e958941d522a70c5877e3d846f55b5586c68d"
+rev = "56251316cc4127bcbf36e68ce5e2093f4d33e227"
 
 #
 # Our crates
@@ -637,6 +638,11 @@ package = "conduwuit_build_metadata"
 path = "src/build_metadata"
 default-features = false
 
+
+[workspace.dependencies.conduwuit]
+package = "conduwuit"
+path = "src/main"
+
 ###############################################################################
 #
 # Release profiles
@@ -762,7 +768,8 @@ inherits = "dev"
 #	'-Clink-arg=-Wl,-z,nodlopen',
 #	'-Clink-arg=-Wl,-z,nodelete',
 #]
-
+[profile.dev.package.xtask-generate-commands]
+inherits = "dev"
 [profile.dev.package.conduwuit]
 inherits = "dev"
 #rustflags = [

README.md

@@ -4,6 +4,10 @@
 
 ## A community-driven [Matrix](https://matrix.org/) homeserver in Rust
 
+[![Chat on Matrix](https://img.shields.io/matrix/continuwuity%3Acontinuwuity.org?server_fqdn=matrix.continuwuity.org&fetchMode=summary&logo=matrix)](https://matrix.to/#/#continuwuity:continuwuity.org?via=continuwuity.org&via=ellis.link&via=explodie.org&via=matrix.org) [![Join the space](https://img.shields.io/matrix/space%3Acontinuwuity.org?server_fqdn=matrix.continuwuity.org&fetchMode=summary&logo=matrix&label=space)](https://matrix.to/#/#space:continuwuity.org?via=continuwuity.org&via=ellis.link&via=explodie.org&via=matrix.org)
+
+
+
 <!-- ANCHOR_END: catchphrase -->
 
 [continuwuity] is a Matrix homeserver written in Rust.
@@ -11,11 +15,13 @@ It's a community continuation of the [conduwuit](https://github.com/girlbossceo/
 
 <!-- ANCHOR: body -->
 
-[![forgejo.ellis.link](https://img.shields.io/badge/Ellis%20Git-main+packages-green?style=flat&logo=forgejo&labelColor=fff)](https://forgejo.ellis.link/continuwuation/continuwuity) ![](https://forgejo.ellis.link/continuwuation/continuwuity/badges/stars.svg?style=flat) [![](https://forgejo.ellis.link/continuwuation/continuwuity/badges/issues/open.svg?style=flat)](https://forgejo.ellis.link/continuwuation/continuwuity/issues?state=open) [![](https://forgejo.ellis.link/continuwuation/continuwuity/badges/pulls/open.svg?style=flat)](https://forgejo.ellis.link/continuwuation/continuwuity/pulls?state=open)
+[![forgejo.ellis.link](https://img.shields.io/badge/Ellis%20Git-main+packages-green?style=flat&logo=forgejo&labelColor=fff)](https://forgejo.ellis.link/continuwuation/continuwuity) [![Stars](https://forgejo.ellis.link/continuwuation/continuwuity/badges/stars.svg?style=flat)](https://forgejo.ellis.link/continuwuation/continuwuity/stars) [![Issues](https://forgejo.ellis.link/continuwuation/continuwuity/badges/issues/open.svg?style=flat)](https://forgejo.ellis.link/continuwuation/continuwuity/issues?state=open) [![Pull Requests](https://forgejo.ellis.link/continuwuation/continuwuity/badges/pulls/open.svg?style=flat)](https://forgejo.ellis.link/continuwuation/continuwuity/pulls?state=open)
 
-[![GitHub](https://img.shields.io/badge/GitHub-mirror-blue?style=flat&logo=github&labelColor=fff&logoColor=24292f)](https://github.com/continuwuity/continuwuity) ![](https://img.shields.io/github/stars/continuwuity/continuwuity?style=flat)
+[![GitHub](https://img.shields.io/badge/GitHub-mirror-blue?style=flat&logo=github&labelColor=fff&logoColor=24292f)](https://github.com/continuwuity/continuwuity) [![Stars](https://img.shields.io/github/stars/continuwuity/continuwuity?style=flat)](https://github.com/continuwuity/continuwuity/stargazers)
 
-[![Codeberg](https://img.shields.io/badge/Codeberg-mirror-2185D0?style=flat&logo=codeberg&labelColor=fff)](https://codeberg.org/nexy7574/continuwuity) ![](https://codeberg.org/nexy7574/continuwuity/badges/stars.svg?style=flat)
+[![GitLab](https://img.shields.io/badge/GitLab-mirror-blue?style=flat&logo=gitlab&labelColor=fff)](https://gitlab.com/continuwuity/continuwuity) [![Stars](https://img.shields.io/gitlab/stars/continuwuity/continuwuity?style=flat)](https://gitlab.com/continuwuity/continuwuity/-/starrers)
+
+[![Codeberg](https://img.shields.io/badge/Codeberg-mirror-2185D0?style=flat&logo=codeberg&labelColor=fff)](https://codeberg.org/continuwuity/continuwuity) [![Stars](https://codeberg.org/continuwuity/continuwuity/badges/stars.svg?style=flat)](https://codeberg.org/continuwuity/continuwuity/stars)
 
 ### Why does this exist?
 
@@ -59,8 +65,6 @@ There are currently no open registration Continuwuity instances available.
 
 We're working our way through all of the issues in the [Forgejo project](https://forgejo.ellis.link/continuwuation/continuwuity/issues).
 
-- [Replacing old conduwuit links with working continuwuity links](https://forgejo.ellis.link/continuwuation/continuwuity/issues/742)
-- [Getting CI and docs deployment working on the new Forgejo project](https://forgejo.ellis.link/continuwuation/continuwuity/issues/740)
 - [Packaging & availability in more places](https://forgejo.ellis.link/continuwuation/continuwuity/issues/747)
 - [Appservices bugs & features](https://forgejo.ellis.link/continuwuation/continuwuity/issues?q=&type=all&state=open&labels=178&milestone=0&assignee=0&poster=0)
 - [Improving compatibility and spec compliance](https://forgejo.ellis.link/continuwuation/continuwuity/issues?labels=119)

SECURITY.md

@@ -0,0 +1,63 @@
+# Security Policy for Continuwuity
+
+This document outlines the security policy for Continuwuity. Our goal is to maintain a secure platform for all users, and we take security matters seriously.
+
+## Supported Versions
+
+We provide security updates for the following versions of Continuwuity:
+
+| Version        | Supported        |
+| -------------- |:----------------:|
+| Latest release |        ✅        |
+| Main branch    |        ✅        |
+| Older releases |        ❌        |
+
+We may backport fixes to the previous release at our discretion, but we don't guarantee this.
+
+## Reporting a Vulnerability
+
+### Responsible Disclosure
+
+We appreciate the efforts of security researchers and the community in identifying and reporting vulnerabilities. To ensure that potential vulnerabilities are addressed properly, please follow these guidelines:
+
+1. **Contact members of the team directly** over E2EE private message.
+   - [@jade:ellis.link](https://matrix.to/#/@jade:ellis.link)
+   - [@nex:nexy7574.co.uk](https://matrix.to/#/@nex:nexy7574.co.uk) <!-- ? -->
+2. **Email the security team** at [security@continuwuity.org](mailto:security@continuwuity.org). This is not E2EE, so don't include sensitive details.
+3. **Do not disclose the vulnerability publicly** until it has been addressed
+4. **Provide detailed information** about the vulnerability, including:
+   - A clear description of the issue
+   - Steps to reproduce
+   - Potential impact
+   - Any possible mitigations
+   - Version(s) affected, including specific commits if possible
+
+If you have any doubts about a potential security vulnerability, contact us via private channels first! We'd prefer that you bother us, instead of having a vulnerability disclosed without a fix.
+
+### What to Expect
+
+When you report a security vulnerability:
+
+1. **Acknowledgment**: We will acknowledge receipt of your report.
+2. **Assessment**: We will assess the vulnerability and determine its impact on our users
+3. **Updates**: We will provide updates on our progress in addressing the vulnerability, and may request you help test mitigations
+4. **Resolution**: Once resolved, we will notify you and discuss coordinated disclosure
+5. **Credit**: We will recognize your contribution (unless you prefer to remain anonymous)
+
+## Security Update Process
+
+When security vulnerabilities are identified:
+
+1. We will develop and test fixes in a private fork
+2. Security updates will be released as soon as possible
+3. Release notes will include information about the vulnerabilities, avoiding details that could facilitate exploitation where possible
+4. Critical security updates may be backported to the previous stable release
+
+## Additional Resources
+
+- [Matrix Security Disclosure Policy](https://matrix.org/security-disclosure-policy/)
+- [Continuwuity Documentation](https://continuwuity.org/introduction)
+
+---
+
+This security policy was last updated on May 25, 2025.

arch/conduwuit.service

@@ -6,6 +6,7 @@ After=network-online.target
 Documentation=https://continuwuity.org/
 RequiresMountsFor=/var/lib/private/conduwuit
 Alias=matrix-conduwuit.service
+
 [Service]
 DynamicUser=yes
 Type=notify-reload
@@ -16,6 +17,10 @@ DeviceAllow=char-tty
 StandardInput=tty-force
 StandardOutput=tty
 StandardError=journal+console
+
+Environment="CONTINUWUITY_LOG_TO_JOURNALD=1"
+Environment="CONTINUWUITY_JOURNALD_IDENTIFIER=%N"
+
 TTYReset=yes
 # uncomment to allow buffer to be cleared every restart
 TTYVTDisallocate=no
@@ -59,7 +64,8 @@ StateDirectory=conduwuit
 RuntimeDirectory=conduwuit
 RuntimeDirectoryMode=0750
 
-Environment="CONTINUWUITY_CONFIG=/etc/conduwuit/conduwuit.toml"
+Environment=CONTINUWUITY_CONFIG=${CREDENTIALS_DIRECTORY}/config.toml
+LoadCredential=config.toml:/etc/conduwuit/conduwuit.toml
 BindPaths=/var/lib/private/conduwuit:/var/lib/matrix-conduit
 BindPaths=/var/lib/private/conduwuit:/var/lib/private/matrix-conduit
 

committed.toml

@@ -0,0 +1,3 @@
+style = "conventional"
+subject_length = 72
+allowed_types = ["ci", "build", "fix", "feat", "chore", "docs", "style", "refactor", "perf", "test"]

conduwuit-example.toml

@@ -398,6 +398,22 @@
 #
 #allow_registration = false
 
+# If registration is enabled, and this setting is true, new users
+# registered after the first admin user will be automatically suspended
+# and will require an admin to run `!admin users unsuspend <user_id>`.
+#
+# Suspended users are still able to read messages, make profile updates,
+# leave rooms, and deactivate their account, however cannot send messages,
+# invites, or create/join or otherwise modify rooms.
+# They are effectively read-only.
+#
+# If you want to use this to screen people who register on your server,
+# you should add a room to `auto_join_rooms` that is public, and contains
+# information that new users can read (since they won't be able to DM
+# anyone, or send a message, and may be confused).
+#
+#suspend_on_register = false
+
 # Enabling this setting opens registration to anyone without restrictions.
 # This makes your server vulnerable to abuse
 #
@@ -660,6 +676,21 @@
 #
 #log_thread_ids = false
 
+# Enable journald logging on Unix platforms
+#
+# When enabled, log output will be sent to the systemd journal
+# This is only supported on Unix platforms
+#
+#log_to_journald = false
+
+# The syslog identifier to use with journald logging
+#
+# Only used when journald logging is enabled
+#
+# Defaults to the binary name
+#
+#journald_identifier =
+
 # OpenID token expiration/TTL in seconds.
 #
 # These are the OpenID tokens that are primarily used for Matrix account
@@ -1053,6 +1084,13 @@
 #
 #presence_timeout_remote_users = true
 
+# Allow local read receipts.
+#
+# Disabling this will effectively also disable outgoing federated read
+# receipts.
+#
+#allow_local_read_receipts = true
+
 # Allow receiving incoming read receipts from remote servers.
 #
 #allow_incoming_read_receipts = true
@@ -1061,6 +1099,13 @@
 #
 #allow_outgoing_read_receipts = true
 
+# Allow local typing updates.
+#
+# Disabling this will effectively also disable outgoing federated typing
+# updates.
+#
+#allow_local_typing = true
+
 # Allow outgoing typing updates to federation.
 #
 #allow_outgoing_typing = true
@@ -1641,19 +1686,29 @@
 #
 #server =
 
-# This item is undocumented. Please contribute documentation for it.
+# URL to a support page for the server, which will be served as part of
+# the MSC1929 server support endpoint at /.well-known/matrix/support.
+# Will be included alongside any contact information
 #
 #support_page =
 
-# This item is undocumented. Please contribute documentation for it.
+# Role string for server support contacts, to be served as part of the
+# MSC1929 server support endpoint at /.well-known/matrix/support.
 #
-#support_role =
+#support_role = "m.role.admin"
 
-# This item is undocumented. Please contribute documentation for it.
+# Email address for server support contacts, to be served as part of the
+# MSC1929 server support endpoint.
+# This will be used along with support_mxid if specified.
 #
 #support_email =
 
-# This item is undocumented. Please contribute documentation for it.
+# Matrix ID for server support contacts, to be served as part of the
+# MSC1929 server support endpoint.
+# This will be used along with support_email if specified.
+#
+# If no email or mxid is specified, all of the server's admins will be
+# listed.
 #
 #support_mxid =
 

debian/conduwuit.service

@@ -14,6 +14,9 @@ Type=notify
 
 Environment="CONTINUWUITY_CONFIG=/etc/conduwuit/conduwuit.toml"
 
+Environment="CONTINUWUITY_LOG_TO_JOURNALD=1"
+Environment="CONTINUWUITY_JOURNALD_IDENTIFIER=%N"
+
 ExecStart=/usr/sbin/conduwuit
 
 ReadWritePaths=/var/lib/conduwuit /etc/conduwuit

docker/Dockerfile

@@ -1,15 +1,16 @@
 ARG RUST_VERSION=1
+ARG DEBIAN_VERSION=bookworm
 
 FROM --platform=$BUILDPLATFORM docker.io/tonistiigi/xx AS xx
-FROM --platform=$BUILDPLATFORM rust:${RUST_VERSION}-slim-bookworm AS base
-FROM --platform=$BUILDPLATFORM rust:${RUST_VERSION}-slim-bookworm AS toolchain
+FROM --platform=$BUILDPLATFORM rust:${RUST_VERSION}-slim-${DEBIAN_VERSION} AS base
+FROM --platform=$BUILDPLATFORM rust:${RUST_VERSION}-slim-${DEBIAN_VERSION} AS toolchain
 
 # Prevent deletion of apt cache
 RUN rm -f /etc/apt/apt.conf.d/docker-clean
 
 # Match Rustc version as close as possible
 # rustc -vV
-ARG LLVM_VERSION=19
+ARG LLVM_VERSION=20
 # ENV RUSTUP_TOOLCHAIN=${RUST_VERSION}
 
 # Install repo tools
@@ -19,10 +20,18 @@ ARG LLVM_VERSION=19
 RUN --mount=type=cache,target=/var/cache/apt,sharing=locked \
     --mount=type=cache,target=/var/lib/apt,sharing=locked \
     apt-get update && apt-get install -y \
-    clang-${LLVM_VERSION} lld-${LLVM_VERSION} pkg-config make jq \
-    curl git \
+    pkg-config make jq \
+    curl git software-properties-common \
     file
 
+# LLVM packages
+RUN --mount=type=cache,target=/var/cache/apt,sharing=locked \
+    --mount=type=cache,target=/var/lib/apt,sharing=locked \
+    curl https://apt.llvm.org/llvm.sh > llvm.sh && \
+    chmod +x llvm.sh && \
+    ./llvm.sh ${LLVM_VERSION} && \
+    rm llvm.sh
+
 # Create symlinks for LLVM tools
 RUN <<EOF
     set -o xtrace
@@ -39,7 +48,7 @@ EOF
 
 # Developer tool versions
 # renovate: datasource=github-releases depName=cargo-bins/cargo-binstall
-ENV BINSTALL_VERSION=1.12.3
+ENV BINSTALL_VERSION=1.13.0
 # renovate: datasource=github-releases depName=psastras/sbom-rs
 ENV CARGO_SBOM_VERSION=0.9.1
 # renovate: datasource=crate depName=lddtree
@@ -140,11 +149,12 @@ ENV GIT_REMOTE_COMMIT_URL=$GIT_REMOTE_COMMIT_URL
 ENV CONDUWUIT_VERSION_EXTRA=$CONDUWUIT_VERSION_EXTRA
 ENV CONTINUWUITY_VERSION_EXTRA=$CONTINUWUITY_VERSION_EXTRA
 
+ARG RUST_PROFILE=release
 
 # Build the binary
 RUN --mount=type=cache,target=/usr/local/cargo/registry \
     --mount=type=cache,target=/usr/local/cargo/git/db \
-    --mount=type=cache,target=/app/target,id=cargo-target-${TARGETPLATFORM} \
+    --mount=type=cache,target=/app/target,id=cargo-target-${TARGET_CPU}-${TARGETPLATFORM}-${RUST_PROFILE} \
     bash <<'EOF'
     set -o allexport
     set -o xtrace
@@ -153,7 +163,7 @@ RUN --mount=type=cache,target=/usr/local/cargo/registry \
             jq -r ".target_directory"))
     mkdir /out/sbin
     PACKAGE=conduwuit
-    xx-cargo build --locked --release \
+    xx-cargo build --locked --profile ${RUST_PROFILE} \
         -p $PACKAGE;
     BINARIES=($(cargo metadata --no-deps --format-version 1 | \
         jq -r ".packages[] | select(.name == \"$PACKAGE\") | .targets[] | select( .kind | map(. == \"bin\") | any ) | .name"))

docs/SUMMARY.md

@@ -15,8 +15,10 @@
 - [Appservices](appservices.md)
 - [Maintenance](maintenance.md)
 - [Troubleshooting](troubleshooting.md)
+- [Admin Command Reference](admin_reference.md)
 - [Development](development.md)
   - [Contributing](contributing.md)
   - [Testing](development/testing.md)
   - [Hot Reloading ("Live" Development)](development/hot_reload.md)
 - [Community (and Guidelines)](community.md)
+- [Security](security.md)

docs/deploying/arch-linux.md

@@ -1,3 +1,5 @@
 # Continuwuity for Arch Linux
 
-Continuwuity does not have any Arch Linux packages at this time.
+Continuwuity is available on the `archlinuxcn` repository and AUR, with the same package name `continuwuity`, which includes latest taggged version. The development version is available on AUR as `continuwuity-git`
+
+Simply install the `continuwuity` package. Configure the service in `/etc/conduwuit/conduwuit.toml`, then enable/start the continuwuity.service.

docs/deploying/docker-compose.override.yml

@@ -34,4 +34,3 @@ services:
   #         - "traefik.http.routers.to-element-web.tls.certresolver=letsencrypt"
 
 # vim: ts=2:sw=2:expandtab
-

docs/deploying/docker-compose.with-caddy.yml

@@ -26,7 +26,7 @@ services:
         restart: unless-stopped
         volumes:
             - db:/var/lib/continuwuity
-            - /etc/resolv.conf:/etc/resolv.conf:ro # Use the host's DNS resolver rather than Docker's. 
+            - /etc/resolv.conf:/etc/resolv.conf:ro # Use the host's DNS resolver rather than Docker's.
             #- ./continuwuity.toml:/etc/continuwuity.toml
         environment:
             CONTINUWUITY_SERVER_NAME: example.com # EDIT THIS

docs/deploying/docker-compose.with-traefik.yml

@@ -8,7 +8,7 @@ services:
     restart: unless-stopped
     volumes:
       - db:/var/lib/continuwuity
-      - /etc/resolv.conf:/etc/resolv.conf:ro # Use the host's DNS resolver rather than Docker's. 
+      - /etc/resolv.conf:/etc/resolv.conf:ro # Use the host's DNS resolver rather than Docker's.
       #- ./continuwuity.toml:/etc/continuwuity.toml
     networks:
       - proxy

docs/deploying/nixos.md

@@ -29,7 +29,7 @@ appropriately to use Continuwuity instead of Conduit.
 
 Due to the lack of a Continuwuity NixOS module, when using the `services.matrix-conduit` module
 a workaround like the one below is necessary to use UNIX sockets. This is because the UNIX
-socket option does not exist in Conduit, and the module forcibly sets the `address` and 
+socket option does not exist in Conduit, and the module forcibly sets the `address` and
 `port` config options.
 
 ```nix

docs/development.md

@@ -68,31 +68,22 @@ do this if Rust supported workspace-level features to begin with.
 
 ## List of forked dependencies
 
-During Continuwuity development, we have had to fork
-some dependencies to support our use-cases in some areas. This ranges from
-things said upstream project won't accept for any reason, faster-paced
-development (unresponsive or slow upstream), Continuwuity-specific usecases, or
-lack of time to upstream some things.
+During Continuwuity (and prior projects) development, we have had to fork some dependencies to support our use-cases.
+These forks exist for various reasons including features that upstream projects won't accept,
+faster-paced development, Continuwuity-specific usecases, or lack of time to upstream changes.
 
-- [ruma/ruma][1]: <https://github.com/girlbossceo/ruwuma> - various performance
-improvements, more features, faster-paced development, better client/server interop
-hacks upstream won't accept, etc
-- [facebook/rocksdb][2]: <https://github.com/girlbossceo/rocksdb> - liburing
-build fixes and GCC debug build fix
-- [tikv/jemallocator][3]: <https://github.com/girlbossceo/jemallocator> - musl
-builds seem to be broken on upstream, fixes some broken/suspicious code in
-places, additional safety measures, and support redzones for Valgrind
-- [zyansheep/rustyline-async][4]:
-<https://github.com/girlbossceo/rustyline-async> - tab completion callback and
-`CTRL+\` signal quit event for Continuwuity console CLI
-- [rust-rocksdb/rust-rocksdb][5]:
-<https://github.com/girlbossceo/rust-rocksdb-zaidoon1> - [`@zaidoon1`][8]'s fork
-has quicker updates, more up to date dependencies, etc. Our fork fixes musl build
-issues, removes unnecessary `gtest` include, and uses our RocksDB and jemallocator
-forks.
-- [tokio-rs/tracing][6]: <https://github.com/girlbossceo/tracing> - Implements
-`Clone` for `EnvFilter` to support dynamically changing tracing envfilter's
-alongside other logging/metrics things
+All forked dependencies are maintained under the [continuwuation organization on Forgejo](https://forgejo.ellis.link/continuwuation):
+
+- [ruwuma][continuwuation-ruwuma] - Fork of [ruma/ruma][ruma] with various performance improvements, more features and better client/server interop
+- [rocksdb][continuwuation-rocksdb] - Fork of [facebook/rocksdb][rocksdb] via [`@zaidoon1`][8] with liburing build fixes and GCC debug build fixes
+- [jemallocator][continuwuation-jemallocator] - Fork of [tikv/jemallocator][jemallocator] fixing musl builds, suspicious code,
+  and adding support for redzones in Valgrind
+- [rustyline-async][continuwuation-rustyline-async] - Fork of [zyansheep/rustyline-async][rustyline-async] with tab completion callback
+  and `CTRL+\` signal quit event for Continuwuity console CLI
+- [rust-rocksdb][continuwuation-rust-rocksdb] - Fork of [rust-rocksdb/rust-rocksdb][rust-rocksdb] fixing musl build issues,
+  removing unnecessary `gtest` include, and using our RocksDB and jemallocator forks
+- [tracing][continuwuation-tracing] - Fork of [tokio-rs/tracing][tracing] implementing `Clone` for `EnvFilter` to
+  support dynamically changing tracing environments
 
 ## Debugging with `tokio-console`
 
@@ -113,12 +104,30 @@ You will also need to enable the `tokio_console` config option in Continuwuity w
 starting it. This was due to tokio-console causing gradual memory leak/usage
 if left enabled.
 
-[1]: https://github.com/ruma/ruma/
-[2]: https://github.com/facebook/rocksdb/
-[3]: https://github.com/tikv/jemallocator/
-[4]: https://github.com/zyansheep/rustyline-async/
-[5]: https://github.com/rust-rocksdb/rust-rocksdb/
-[6]: https://github.com/tokio-rs/tracing/
+## Building Docker Images
+
+To build a Docker image for Continuwuity, use the standard Docker build command:
+
+```bash
+docker build -f docker/Dockerfile .
+```
+
+The image can be cross-compiled for different architectures.
+
+[continuwuation-ruwuma]: https://forgejo.ellis.link/continuwuation/ruwuma
+[continuwuation-rocksdb]: https://forgejo.ellis.link/continuwuation/rocksdb
+[continuwuation-jemallocator]: https://forgejo.ellis.link/continuwuation/jemallocator
+[continuwuation-rustyline-async]: https://forgejo.ellis.link/continuwuation/rustyline-async
+[continuwuation-rust-rocksdb]: https://forgejo.ellis.link/continuwuation/rust-rocksdb
+[continuwuation-tracing]: https://forgejo.ellis.link/continuwuation/tracing
+
+[ruma]: https://github.com/ruma/ruma/
+[rocksdb]: https://github.com/facebook/rocksdb/
+[jemallocator]: https://github.com/tikv/jemallocator/
+[rustyline-async]: https://github.com/zyansheep/rustyline-async/
+[rust-rocksdb]: https://github.com/rust-rocksdb/rust-rocksdb/
+[tracing]: https://github.com/tokio-rs/tracing/
+
 [7]: https://docs.rs/tokio-console/latest/tokio_console/
 [8]: https://github.com/zaidoon1/
 [9]: https://github.com/rust-lang/cargo/issues/12162

docs/security.md

@@ -0,0 +1 @@
+{{#include ../SECURITY.md}}

docs/server_reference.md

@@ -0,0 +1,21 @@
+# Command-Line Help for `continuwuity`
+
+This document contains the help content for the `continuwuity` command-line program.
+
+**Command Overview:**
+
+* [`continuwuity`↴](#continuwuity)
+
+## `continuwuity`
+
+a very cool Matrix chat homeserver written in Rust
+
+**Usage:** `continuwuity [OPTIONS]`
+
+###### **Options:**
+
+* `-c`, `--config <CONFIG>` — Path to the config TOML file (optional)
+* `-O`, `--option <OPTION>` — Override a configuration variable using TOML 'key=value' syntax
+* `--read-only` — Run in a stricter read-only --maintenance mode
+* `--maintenance` — Run in maintenance mode while refusing connections
+* `--execute <EXECUTE>` — Execute console command automatically after startup

docs/static/_headers

@@ -3,4 +3,4 @@
   Content-Type: application/json
 /.well-known/continuwuity/*
   Access-Control-Allow-Origin: *
-  Content-Type: application/json
+  Content-Type: application/json

docs/static/announcements.json

@@ -4,6 +4,10 @@
         {
             "id": 1,
             "message": "Welcome to Continuwuity! Important announcements about the project will appear here."
+        },
+        {
+            "id": 2,
+            "message": "🎉 Continuwuity v0.5.0-rc.6 is now available! This release includes improved knock-restricted room handling, automatic support contact configuration, and a new HTML landing page. Check [the release notes for full details](https://forgejo.ellis.link/continuwuation/continuwuity/releases/tag/v0.5.0-rc.6) and upgrade instructions."
         }
     ]
-}
+}

docs/static/announcements.schema.json

@@ -3,7 +3,7 @@
     "$id": "https://continwuity.org/schema/announcements.schema.json",
     "type": "object",
     "properties": {
-      "updates": {
+      "announcements": {
         "type": "array",
         "items": {
           "type": "object",
@@ -16,6 +16,10 @@
             },
             "date": {
               "type": "string"
+            },
+            "mention_room": {
+              "type": "boolean",
+              "description": "Whether to mention the room (@room) when posting this announcement"
             }
           },
           "required": [
@@ -26,6 +30,6 @@
       }
     },
     "required": [
-      "updates"
+      "announcements"
     ]
-  }
+  }

docs/static/support

@@ -21,4 +21,4 @@
     }
   ],
   "support_page": "https://continuwuity.org/introduction#contact"
-}
+}

flake.lock

@@ -10,11 +10,11 @@
         "nixpkgs-stable": "nixpkgs-stable"
       },
       "locked": {
-        "lastModified": 1738524606,
-        "narHash": "sha256-hPYEJ4juK3ph7kbjbvv7PlU1D9pAkkhl+pwx8fZY53U=",
+        "lastModified": 1751403276,
+        "narHash": "sha256-V0EPQNsQko1a8OqIWc2lLviLnMpR1m08Ej00z5RVTfs=",
         "owner": "zhaofengli",
         "repo": "attic",
-        "rev": "ff8a897d1f4408ebbf4d45fa9049c06b3e1e3f4e",
+        "rev": "896ad88fa57ad5dbcd267c0ac51f1b71ccfcb4dd",
         "type": "github"
       },
       "original": {
@@ -32,11 +32,11 @@
         "nixpkgs": "nixpkgs_4"
       },
       "locked": {
-        "lastModified": 1737621947,
-        "narHash": "sha256-8HFvG7fvIFbgtaYAY2628Tb89fA55nPm2jSiNs0/Cws=",
+        "lastModified": 1748883665,
+        "narHash": "sha256-R0W7uAg+BLoHjMRMQ8+oiSbTq8nkGz5RDpQ+ZfxxP3A=",
         "owner": "cachix",
         "repo": "cachix",
-        "rev": "f65a3cd5e339c223471e64c051434616e18cc4f5",
+        "rev": "f707778d902af4d62d8dd92c269f8e70de09acbe",
         "type": "github"
       },
       "original": {
@@ -63,11 +63,11 @@
         "nixpkgs": "nixpkgs_2"
       },
       "locked": {
-        "lastModified": 1728672398,
-        "narHash": "sha256-KxuGSoVUFnQLB2ZcYODW7AVPAh9JqRlD5BrfsC/Q4qs=",
+        "lastModified": 1744206633,
+        "narHash": "sha256-pb5aYkE8FOoa4n123slgHiOf1UbNSnKe5pEZC+xXD5g=",
         "owner": "cachix",
         "repo": "cachix",
-        "rev": "aac51f698309fd0f381149214b7eee213c66ef0a",
+        "rev": "8a60090640b96f9df95d1ab99e5763a586be1404",
         "type": "github"
       },
       "original": {
@@ -77,23 +77,6 @@
         "type": "github"
       }
     },
-    "complement": {
-      "flake": false,
-      "locked": {
-        "lastModified": 1741891349,
-        "narHash": "sha256-YvrzOWcX7DH1drp5SGa+E/fc7wN3hqFtPbqPjZpOu1Q=",
-        "owner": "girlbossceo",
-        "repo": "complement",
-        "rev": "e587b3df569cba411aeac7c20b6366d03c143745",
-        "type": "github"
-      },
-      "original": {
-        "owner": "girlbossceo",
-        "ref": "main",
-        "repo": "complement",
-        "type": "github"
-      }
-    },
     "crane": {
       "inputs": {
         "nixpkgs": [
@@ -117,11 +100,11 @@
     },
     "crane_2": {
       "locked": {
-        "lastModified": 1739936662,
-        "narHash": "sha256-x4syUjNUuRblR07nDPeLDP7DpphaBVbUaSoeZkFbGSk=",
+        "lastModified": 1750266157,
+        "narHash": "sha256-tL42YoNg9y30u7zAqtoGDNdTyXTi8EALDeCB13FtbQA=",
         "owner": "ipetkov",
         "repo": "crane",
-        "rev": "19de14aaeb869287647d9461cbd389187d8ecdb7",
+        "rev": "e37c943371b73ed87faf33f7583860f81f1d5a48",
         "type": "github"
       },
       "original": {
@@ -149,11 +132,11 @@
         ]
       },
       "locked": {
-        "lastModified": 1733323168,
-        "narHash": "sha256-d5DwB4MZvlaQpN6OQ4SLYxb5jA4UH5EtV5t5WOtjLPU=",
+        "lastModified": 1748273445,
+        "narHash": "sha256-5V0dzpNgQM0CHDsMzh+ludYeu1S+Y+IMjbaskSSdFh0=",
         "owner": "cachix",
         "repo": "devenv",
-        "rev": "efa9010b8b1cfd5dd3c7ed1e172a470c3b84a064",
+        "rev": "668a50d8b7bdb19a0131f53c9f6c25c9071e1ffb",
         "type": "github"
       },
       "original": {
@@ -170,11 +153,11 @@
         "rust-analyzer-src": "rust-analyzer-src"
       },
       "locked": {
-        "lastModified": 1740724364,
-        "narHash": "sha256-D1jLIueJx1dPrP09ZZwTrPf4cubV+TsFMYbpYYTVj6A=",
+        "lastModified": 1751525020,
+        "narHash": "sha256-oDO6lCYS5Bf4jUITChj9XV7k3TP38DE0Ckz5n5ORCME=",
         "owner": "nix-community",
         "repo": "fenix",
-        "rev": "edf7d9e431cda8782e729253835f178a356d3aab",
+        "rev": "a1a5f92f47787e7df9f30e5e5ac13e679215aa1e",
         "type": "github"
       },
       "original": {
@@ -203,11 +186,11 @@
     "flake-compat_2": {
       "flake": false,
       "locked": {
-        "lastModified": 1733328505,
-        "narHash": "sha256-NeCCThCEP3eCl2l/+27kNNK7QrwZB1IJCrXfrbv5oqU=",
+        "lastModified": 1747046372,
+        "narHash": "sha256-CIVLLkVgvHYbgI2UpXvIIBJ12HWgX+fjA8Xf8PUmqCY=",
         "owner": "edolstra",
         "repo": "flake-compat",
-        "rev": "ff81ac966bb2cae68946d5ed5fc4994f96d0ffec",
+        "rev": "9100a0f413b0c601e0533d1d94ffd501ce2e7885",
         "type": "github"
       },
       "original": {
@@ -219,11 +202,11 @@
     "flake-compat_3": {
       "flake": false,
       "locked": {
-        "lastModified": 1733328505,
-        "narHash": "sha256-NeCCThCEP3eCl2l/+27kNNK7QrwZB1IJCrXfrbv5oqU=",
+        "lastModified": 1747046372,
+        "narHash": "sha256-CIVLLkVgvHYbgI2UpXvIIBJ12HWgX+fjA8Xf8PUmqCY=",
         "owner": "edolstra",
         "repo": "flake-compat",
-        "rev": "ff81ac966bb2cae68946d5ed5fc4994f96d0ffec",
+        "rev": "9100a0f413b0c601e0533d1d94ffd501ce2e7885",
         "type": "github"
       },
       "original": {
@@ -306,15 +289,14 @@
         "nixpkgs": [
           "cachix",
           "nixpkgs"
-        ],
-        "nixpkgs-stable": "nixpkgs-stable_2"
+        ]
       },
       "locked": {
-        "lastModified": 1733318908,
-        "narHash": "sha256-SVQVsbafSM1dJ4fpgyBqLZ+Lft+jcQuMtEL3lQWx2Sk=",
+        "lastModified": 1747372754,
+        "narHash": "sha256-2Y53NGIX2vxfie1rOW0Qb86vjRZ7ngizoo+bnXU9D9k=",
         "owner": "cachix",
         "repo": "git-hooks.nix",
-        "rev": "6f4e2a2112050951a314d2733a994fbab94864c6",
+        "rev": "80479b6ec16fefd9c1db3ea13aeb038c60530f46",
         "type": "github"
       },
       "original": {
@@ -361,23 +343,6 @@
         "type": "github"
       }
     },
-    "liburing": {
-      "flake": false,
-      "locked": {
-        "lastModified": 1740613216,
-        "narHash": "sha256-NpPOBqNND3Qe9IwqYs0mJLGTmIx7e6FgUEBAnJ+1ZLA=",
-        "owner": "axboe",
-        "repo": "liburing",
-        "rev": "e1003e496e66f9b0ae06674869795edf772d5500",
-        "type": "github"
-      },
-      "original": {
-        "owner": "axboe",
-        "ref": "master",
-        "repo": "liburing",
-        "type": "github"
-      }
-    },
     "nix": {
       "inputs": {
         "flake-compat": [
@@ -401,11 +366,11 @@
         ]
       },
       "locked": {
-        "lastModified": 1727438425,
-        "narHash": "sha256-X8ES7I1cfNhR9oKp06F6ir4Np70WGZU5sfCOuNBEwMg=",
+        "lastModified": 1745930071,
+        "narHash": "sha256-bYyjarS3qSNqxfgc89IoVz8cAFDkF9yPE63EJr+h50s=",
         "owner": "domenkozar",
         "repo": "nix",
-        "rev": "f6c5ae4c1b2e411e6b1e6a8181cc84363d6a7546",
+        "rev": "b455edf3505f1bf0172b39a735caef94687d0d9c",
         "type": "github"
       },
       "original": {
@@ -484,29 +449,13 @@
         "type": "github"
       }
     },
-    "nixpkgs-stable_2": {
-      "locked": {
-        "lastModified": 1730741070,
-        "narHash": "sha256-edm8WG19kWozJ/GqyYx2VjW99EdhjKwbY3ZwdlPAAlo=",
-        "owner": "NixOS",
-        "repo": "nixpkgs",
-        "rev": "d063c1dd113c91ab27959ba540c0d9753409edf3",
-        "type": "github"
-      },
-      "original": {
-        "owner": "NixOS",
-        "ref": "nixos-24.05",
-        "repo": "nixpkgs",
-        "type": "github"
-      }
-    },
     "nixpkgs_2": {
       "locked": {
-        "lastModified": 1730531603,
-        "narHash": "sha256-Dqg6si5CqIzm87sp57j5nTaeBbWhHFaVyG7V6L8k3lY=",
+        "lastModified": 1733212471,
+        "narHash": "sha256-M1+uCoV5igihRfcUKrr1riygbe73/dzNnzPsmaLCmpo=",
         "owner": "NixOS",
         "repo": "nixpkgs",
-        "rev": "7ffd9ae656aec493492b44d0ddfb28e79a1ea25d",
+        "rev": "55d15ad12a74eb7d4646254e13638ad0c4128776",
         "type": "github"
       },
       "original": {
@@ -534,11 +483,11 @@
     },
     "nixpkgs_4": {
       "locked": {
-        "lastModified": 1733212471,
-        "narHash": "sha256-M1+uCoV5igihRfcUKrr1riygbe73/dzNnzPsmaLCmpo=",
+        "lastModified": 1748190013,
+        "narHash": "sha256-R5HJFflOfsP5FBtk+zE8FpL8uqE7n62jqOsADvVshhE=",
         "owner": "NixOS",
         "repo": "nixpkgs",
-        "rev": "55d15ad12a74eb7d4646254e13638ad0c4128776",
+        "rev": "62b852f6c6742134ade1abdd2a21685fd617a291",
         "type": "github"
       },
       "original": {
@@ -550,11 +499,11 @@
     },
     "nixpkgs_5": {
       "locked": {
-        "lastModified": 1740547748,
-        "narHash": "sha256-Ly2fBL1LscV+KyCqPRufUBuiw+zmWrlJzpWOWbahplg=",
+        "lastModified": 1751498133,
+        "narHash": "sha256-QWJ+NQbMU+NcU2xiyo7SNox1fAuwksGlQhpzBl76g1I=",
         "owner": "NixOS",
         "repo": "nixpkgs",
-        "rev": "3a05eebede89661660945da1f151959900903b6a",
+        "rev": "d55716bb59b91ae9d1ced4b1ccdea7a442ecbfdb",
         "type": "github"
       },
       "original": {
@@ -569,28 +518,26 @@
       "locked": {
         "lastModified": 1741308171,
         "narHash": "sha256-YdBvdQ75UJg5ffwNjxizpviCVwVDJnBkM8ZtGIduMgY=",
-        "owner": "girlbossceo",
-        "repo": "rocksdb",
+        "ref": "v9.11.1",
         "rev": "3ce04794bcfbbb0d2e6f81ae35fc4acf688b6986",
-        "type": "github"
+        "revCount": 13177,
+        "type": "git",
+        "url": "https://forgejo.ellis.link/continuwuation/rocksdb"
       },
       "original": {
-        "owner": "girlbossceo",
         "ref": "v9.11.1",
-        "repo": "rocksdb",
-        "type": "github"
+        "type": "git",
+        "url": "https://forgejo.ellis.link/continuwuation/rocksdb"
       }
     },
     "root": {
       "inputs": {
         "attic": "attic",
         "cachix": "cachix",
-        "complement": "complement",
         "crane": "crane_2",
         "fenix": "fenix",
         "flake-compat": "flake-compat_3",
         "flake-utils": "flake-utils",
-        "liburing": "liburing",
         "nix-filter": "nix-filter",
         "nixpkgs": "nixpkgs_5",
         "rocksdb": "rocksdb"
@@ -599,11 +546,11 @@
     "rust-analyzer-src": {
       "flake": false,
       "locked": {
-        "lastModified": 1740691488,
-        "narHash": "sha256-Fs6vBrByuiOf2WO77qeMDMTXcTGzrIMqLBv+lNeywwM=",
+        "lastModified": 1751433876,
+        "narHash": "sha256-IsdwOcvLLDDlkFNwhdD5BZy20okIQL01+UQ7Kxbqh8s=",
         "owner": "rust-lang",
         "repo": "rust-analyzer",
-        "rev": "fe3eda77d3a7ce212388bda7b6cec8bffcc077e5",
+        "rev": "11d45c881389dae90b0da5a94cde52c79d0fc7ef",
         "type": "github"
       },
       "original": {

flake.nix

@@ -2,577 +2,344 @@
   inputs = {
     attic.url = "github:zhaofengli/attic?ref=main";
     cachix.url = "github:cachix/cachix?ref=master";
-    complement = { url = "github:girlbossceo/complement?ref=main"; flake = false; };
-    crane = { url = "github:ipetkov/crane?ref=master"; };
-    fenix = { url = "github:nix-community/fenix?ref=main"; inputs.nixpkgs.follows = "nixpkgs"; };
-    flake-compat = { url = "github:edolstra/flake-compat?ref=master"; flake = false; };
+    crane = {
+      url = "github:ipetkov/crane?ref=master";
+    };
+    fenix = {
+      url = "github:nix-community/fenix?ref=main";
+      inputs.nixpkgs.follows = "nixpkgs";
+    };
+    flake-compat = {
+      url = "github:edolstra/flake-compat?ref=master";
+      flake = false;
+    };
     flake-utils.url = "github:numtide/flake-utils?ref=main";
     nix-filter.url = "github:numtide/nix-filter?ref=main";
     nixpkgs.url = "github:NixOS/nixpkgs?ref=nixpkgs-unstable";
-    rocksdb = { url = "github:girlbossceo/rocksdb?ref=v9.11.1"; flake = false; };
-    liburing = { url = "github:axboe/liburing?ref=master"; flake = false; };
+    rocksdb = {
+      url = "git+https://forgejo.ellis.link/continuwuation/rocksdb?ref=v9.11.1";
+      flake = false;
+    };
   };
 
-  outputs = inputs:
-    inputs.flake-utils.lib.eachDefaultSystem (system:
-    let
-      pkgsHost = import inputs.nixpkgs{
-        inherit system;
-      };
-      pkgsHostStatic = pkgsHost.pkgsStatic;
-
-      # The Rust toolchain to use
-      toolchain = inputs.fenix.packages.${system}.fromToolchainFile {
-        file = ./rust-toolchain.toml;
-
-        # See also `rust-toolchain.toml`
-        sha256 = "sha256-X/4ZBHO3iW0fOenQ3foEvscgAPJYl2abspaBThDOukI=";
-      };
-
-      mkScope = pkgs: pkgs.lib.makeScope pkgs.newScope (self: {
-        inherit pkgs;
-        book = self.callPackage ./nix/pkgs/book {};
-        complement = self.callPackage ./nix/pkgs/complement {};
-        craneLib = ((inputs.crane.mkLib pkgs).overrideToolchain (_: toolchain));
-        inherit inputs;
-        main = self.callPackage ./nix/pkgs/main {};
-        oci-image = self.callPackage ./nix/pkgs/oci-image {};
-        tini = pkgs.tini.overrideAttrs {
-            # newer clang/gcc is unhappy with tini-static: <https://3.dog/~strawberry/pb/c8y4>
-            patches = [ (pkgs.fetchpatch {
-                url = "https://patch-diff.githubusercontent.com/raw/krallin/tini/pull/224.patch";
-                hash = "sha256-4bTfAhRyIT71VALhHY13hUgbjLEUyvgkIJMt3w9ag3k=";
-              })
-            ];
-        };
-        liburing = pkgs.liburing.overrideAttrs {
-          # Tests weren't building
-          outputs = [ "out" "dev" "man" ];
-          buildFlags = [ "library" ];
-          src = inputs.liburing;
-        };
-        rocksdb = (pkgs.rocksdb.override {
-          liburing = self.liburing;
-        }).overrideAttrs (old: {
-          src = inputs.rocksdb;
-          version = pkgs.lib.removePrefix
-            "v"
-            (builtins.fromJSON (builtins.readFile ./flake.lock))
-              .nodes.rocksdb.original.ref;
-          # we have this already at https://github.com/girlbossceo/rocksdb/commit/a935c0273e1ba44eacf88ce3685a9b9831486155
-          # unsetting this so i don't have to revert it and make this nix exclusive
-          patches = [];
-          cmakeFlags = pkgs.lib.subtractLists
-            [
-              # no real reason to have snappy or zlib, no one uses this
-              "-DWITH_SNAPPY=1"
-              "-DZLIB=1"
-              "-DWITH_ZLIB=1"
-              # we dont need to use ldb or sst_dump (core_tools)
-              "-DWITH_CORE_TOOLS=1"
-              # we dont need to build rocksdb tests
-              "-DWITH_TESTS=1"
-              # we use rust-rocksdb via C interface and dont need C++ RTTI
-              "-DUSE_RTTI=1"
-              # this doesn't exist in RocksDB, and USE_SSE is deprecated for
-              # PORTABLE=$(march)
-              "-DFORCE_SSE42=1"
-              # PORTABLE will get set in main/default.nix
-              "-DPORTABLE=1"
-            ]
-            old.cmakeFlags
-            ++ [
-              # no real reason to have snappy, no one uses this
-              "-DWITH_SNAPPY=0"
-              "-DZLIB=0"
-              "-DWITH_ZLIB=0"
-              # we dont need to use ldb or sst_dump (core_tools)
-              "-DWITH_CORE_TOOLS=0"
-              # we dont need trace tools
-              "-DWITH_TRACE_TOOLS=0"
-              # we dont need to build rocksdb tests
-              "-DWITH_TESTS=0"
-              # we use rust-rocksdb via C interface and dont need C++ RTTI
-              "-DUSE_RTTI=0"
-            ];
-
-          # outputs has "tools" which we dont need or use
-          outputs = [ "out" ];
-
-          # preInstall hooks has stuff for messing with ldb/sst_dump which we dont need or use
-          preInstall = "";
-        });
-      });
-
-      scopeHost = mkScope pkgsHost;
-      scopeHostStatic = mkScope pkgsHostStatic;
-      scopeCrossLinux = mkScope pkgsHost.pkgsLinux.pkgsStatic;
-      mkCrossScope = crossSystem:
-        let pkgsCrossStatic = (import inputs.nixpkgs {
+  outputs =
+    inputs:
+    inputs.flake-utils.lib.eachDefaultSystem (
+      system:
+      let
+        pkgsHost = import inputs.nixpkgs {
           inherit system;
-          crossSystem = {
-           config = crossSystem;
-          };
-        }).pkgsStatic;
-         in
-        mkScope pkgsCrossStatic;
-
-      mkDevShell = scope: scope.pkgs.mkShell {
-        env = scope.main.env // {
-          # Rust Analyzer needs to be able to find the path to default crate
-          # sources, and it can read this environment variable to do so. The
-          # `rust-src` component is required in order for this to work.
-          RUST_SRC_PATH = "${toolchain}/lib/rustlib/src/rust/library";
-
-          # Convenient way to access a pinned version of Complement's source
-          # code.
-          COMPLEMENT_SRC = inputs.complement.outPath;
-
-          # Needed for Complement: <https://github.com/golang/go/issues/52690>
-          CGO_CFLAGS = "-Wl,--no-gc-sections";
-          CGO_LDFLAGS = "-Wl,--no-gc-sections";
         };
 
-        # Development tools
-        packages = [
-          # Always use nightly rustfmt because most of its options are unstable
-          #
-          # This needs to come before `toolchain` in this list, otherwise
-          # `$PATH` will have stable rustfmt instead.
-          inputs.fenix.packages.${system}.latest.rustfmt
+        # The Rust toolchain to use
+        toolchain = inputs.fenix.packages.${system}.fromToolchainFile {
+          file = ./rust-toolchain.toml;
 
-          toolchain
-        ]
-        ++ (with pkgsHost.pkgs; [
-          # Required by hardened-malloc.rs dep
-          binutils
+          # See also `rust-toolchain.toml`
+          sha256 = "sha256-KUm16pHj+cRedf8vxs/Hd2YWxpOrWZ7UOrwhILdSJBU=";
+        };
 
-          cargo-audit
-          cargo-auditable
+        mkScope =
+          pkgs:
+          pkgs.lib.makeScope pkgs.newScope (self: {
+            inherit pkgs inputs;
+            craneLib = (inputs.crane.mkLib pkgs).overrideToolchain (_: toolchain);
+            main = self.callPackage ./nix/pkgs/main { };
+            liburing = pkgs.liburing.overrideAttrs {
+              # Tests weren't building
+              outputs = [
+                "out"
+                "dev"
+                "man"
+              ];
+              buildFlags = [ "library" ];
+            };
+            rocksdb =
+              (pkgs.rocksdb_9_10.override {
+                # Override the liburing input for the build with our own so
+                # we have it built with the library flag
+                inherit (self) liburing;
+              }).overrideAttrs
+                (old: {
+                  src = inputs.rocksdb;
+                  version = "v9.11.1";
+                  cmakeFlags =
+                    pkgs.lib.subtractLists [
+                      # No real reason to have snappy or zlib, no one uses this
+                      "-DWITH_SNAPPY=1"
+                      "-DZLIB=1"
+                      "-DWITH_ZLIB=1"
+                      # We don't need to use ldb or sst_dump (core_tools)
+                      "-DWITH_CORE_TOOLS=1"
+                      # We don't need to build rocksdb tests
+                      "-DWITH_TESTS=1"
+                      # We use rust-rocksdb via C interface and don't need C++ RTTI
+                      "-DUSE_RTTI=1"
+                      # This doesn't exist in RocksDB, and USE_SSE is deprecated for
+                      # PORTABLE=$(march)
+                      "-DFORCE_SSE42=1"
+                      # PORTABLE will get set in main/default.nix
+                      "-DPORTABLE=1"
+                    ] old.cmakeFlags
+                    ++ [
+                      # No real reason to have snappy, no one uses this
+                      "-DWITH_SNAPPY=0"
+                      "-DZLIB=0"
+                      "-DWITH_ZLIB=0"
+                      # We don't need to use ldb or sst_dump (core_tools)
+                      "-DWITH_CORE_TOOLS=0"
+                      # We don't need trace tools
+                      "-DWITH_TRACE_TOOLS=0"
+                      # We don't need to build rocksdb tests
+                      "-DWITH_TESTS=0"
+                      # We use rust-rocksdb via C interface and don't need C++ RTTI
+                      "-DUSE_RTTI=0"
+                    ];
 
-          # Needed for producing Debian packages
-          cargo-deb
+                  # outputs has "tools" which we don't need or use
+                  outputs = [ "out" ];
 
-          # Needed for CI to check validity of produced Debian packages (dpkg-deb)
-          dpkg
+                  # preInstall hooks has stuff for messing with ldb/sst_dump which we don't need or use
+                  preInstall = "";
 
-	  engage
+                  # We have this already at https://forgejo.ellis.link/continuwuation/rocksdb/commit/a935c0273e1ba44eacf88ce3685a9b9831486155
+                  # Unsetting this so we don't have to revert it and make this nix exclusive
+                  patches = [ ];
 
-          # Needed for Complement
-          go
+                  postPatch = ''
+                    # Fix gcc-13 build failures due to missing <cstdint> and
+                    # <system_error> includes, fixed upstream since 8.x
+                    sed -e '1i #include <cstdint>' -i db/compaction/compaction_iteration_stats.h
+                    sed -e '1i #include <cstdint>' -i table/block_based/data_block_hash_index.h
+                    sed -e '1i #include <cstdint>' -i util/string_util.h
+                    sed -e '1i #include <cstdint>' -i include/rocksdb/utilities/checkpoint.h
+                  '';
+                });
+          });
 
-          # Needed for our script for Complement
-          jq
-          gotestfmt
+        scopeHost = mkScope pkgsHost;
+        mkCrossScope =
+          crossSystem:
+          let
+            pkgsCrossStatic =
+              (import inputs.nixpkgs {
+                inherit system;
+                crossSystem = {
+                  config = crossSystem;
+                };
+              }).pkgsStatic;
+          in
+          mkScope pkgsCrossStatic;
 
-          # Needed for finding broken markdown links
-          lychee
-
-          # Needed for linting markdown files
-          markdownlint-cli
-
-          # Useful for editing the book locally
-          mdbook
-
-          # used for rust caching in CI to speed it up
-          sccache
-        ]
-        # liburing is Linux-exclusive
-        ++ lib.optional stdenv.hostPlatform.isLinux liburing
-        ++ lib.optional stdenv.hostPlatform.isLinux numactl)
-        ++ scope.main.buildInputs
-        ++ scope.main.propagatedBuildInputs
-        ++ scope.main.nativeBuildInputs;
-      };
-    in
-    {
-      packages = {
-        default = scopeHost.main.override {
-            disable_features = [
-                # dont include experimental features
+      in
+      {
+        packages =
+          {
+            default = scopeHost.main.override {
+              disable_features = [
+                # Don't include experimental features
                 "experimental"
                 # jemalloc profiling/stats features are expensive and shouldn't
                 # be expected on non-debug builds.
                 "jemalloc_prof"
                 "jemalloc_stats"
-                # this is non-functional on nix for some reason
+                # This is non-functional on nix for some reason
                 "hardened_malloc"
                 # conduwuit_mods is a development-only hot reload feature
                 "conduwuit_mods"
-            ];
-        };
-        default-debug = scopeHost.main.override {
-            profile = "dev";
-            # debug build users expect full logs
-            disable_release_max_log_level = true;
-            disable_features = [
-                # dont include experimental features
+              ];
+            };
+            default-debug = scopeHost.main.override {
+              profile = "dev";
+              # Debug build users expect full logs
+              disable_release_max_log_level = true;
+              disable_features = [
+                # Don't include experimental features
+                "experimental"
+                # This is non-functional on nix for some reason
+                "hardened_malloc"
+                # conduwuit_mods is a development-only hot reload feature
+                "conduwuit_mods"
+              ];
+            };
+            # Just a test profile used for things like CI and complement
+            default-test = scopeHost.main.override {
+              profile = "test";
+              disable_release_max_log_level = true;
+              disable_features = [
+                # Don't include experimental features
                 "experimental"
                 # this is non-functional on nix for some reason
                 "hardened_malloc"
                 # conduwuit_mods is a development-only hot reload feature
                 "conduwuit_mods"
-            ];
-        };
-        # just a test profile used for things like CI and complement
-        default-test = scopeHost.main.override {
-            profile = "test";
-            disable_release_max_log_level = true;
-            disable_features = [
-                # dont include experimental features
-                "experimental"
-                # this is non-functional on nix for some reason
-                "hardened_malloc"
-                # conduwuit_mods is a development-only hot reload feature
-                "conduwuit_mods"
-            ];
-        };
-        all-features = scopeHost.main.override {
-            all_features = true;
-            disable_features = [
-                # dont include experimental features
+              ];
+            };
+            all-features = scopeHost.main.override {
+              all_features = true;
+              disable_features = [
+                # Don't include experimental features
                 "experimental"
                 # jemalloc profiling/stats features are expensive and shouldn't
                 # be expected on non-debug builds.
                 "jemalloc_prof"
                 "jemalloc_stats"
-                # this is non-functional on nix for some reason
+                # This is non-functional on nix for some reason
                 "hardened_malloc"
                 # conduwuit_mods is a development-only hot reload feature
                 "conduwuit_mods"
-            ];
-        };
-        all-features-debug = scopeHost.main.override {
-            profile = "dev";
-            all_features = true;
-            # debug build users expect full logs
-            disable_release_max_log_level = true;
-            disable_features = [
-                # dont include experimental features
+              ];
+            };
+            all-features-debug = scopeHost.main.override {
+              profile = "dev";
+              all_features = true;
+              # Debug build users expect full logs
+              disable_release_max_log_level = true;
+              disable_features = [
+                # Don't include experimental features
                 "experimental"
-                # this is non-functional on nix for some reason
+                # This is non-functional on nix for some reason
                 "hardened_malloc"
                 # conduwuit_mods is a development-only hot reload feature
                 "conduwuit_mods"
-            ];
-        };
-        hmalloc = scopeHost.main.override { features = ["hardened_malloc"]; };
+              ];
+            };
+            hmalloc = scopeHost.main.override { features = [ "hardened_malloc" ]; };
+          }
+          // builtins.listToAttrs (
+            builtins.concatLists (
+              builtins.map
+                (
+                  crossSystem:
+                  let
+                    binaryName = "static-${crossSystem}";
+                    scopeCrossStatic = mkCrossScope crossSystem;
+                  in
+                  [
+                    # An output for a statically-linked binary
+                    {
+                      name = binaryName;
+                      value = scopeCrossStatic.main;
+                    }
 
-        oci-image = scopeHost.oci-image;
-        oci-image-all-features = scopeHost.oci-image.override {
-          main = scopeHost.main.override {
-            all_features = true;
-            disable_features = [
-                # dont include experimental features
-                "experimental"
-                # jemalloc profiling/stats features are expensive and shouldn't
-                # be expected on non-debug builds.
-                "jemalloc_prof"
-                "jemalloc_stats"
-                # this is non-functional on nix for some reason
-                "hardened_malloc"
-                # conduwuit_mods is a development-only hot reload feature
-                "conduwuit_mods"
-            ];
-          };
-        };
-        oci-image-all-features-debug = scopeHost.oci-image.override {
-          main = scopeHost.main.override {
-            profile = "dev";
-            all_features = true;
-            # debug build users expect full logs
-            disable_release_max_log_level = true;
-            disable_features = [
-                # dont include experimental features
-                "experimental"
-                # this is non-functional on nix for some reason
-                "hardened_malloc"
-                # conduwuit_mods is a development-only hot reload feature
-                "conduwuit_mods"
-            ];
-          };
-        };
-        oci-image-hmalloc = scopeHost.oci-image.override {
-          main = scopeHost.main.override {
-            features = ["hardened_malloc"];
-          };
-        };
+                    # An output for a statically-linked binary with x86_64 haswell
+                    # target optimisations
+                    {
+                      name = "${binaryName}-x86_64-haswell-optimised";
+                      value = scopeCrossStatic.main.override {
+                        x86_64_haswell_target_optimised =
+                          if (crossSystem == "x86_64-linux-gnu" || crossSystem == "x86_64-linux-musl") then true else false;
+                      };
+                    }
 
-        book = scopeHost.book;
-
-        complement = scopeHost.complement;
-        static-complement = scopeHostStatic.complement;
-        # macOS containers don't exist, so the complement images must be forced to linux
-        linux-complement = (mkCrossScope "${pkgsHost.hostPlatform.qemuArch}-linux-musl").complement;
-      }
-      //
-      builtins.listToAttrs
-        (builtins.concatLists
-          (builtins.map
-            (crossSystem:
-              let
-                binaryName = "static-${crossSystem}";
-                scopeCrossStatic = mkCrossScope crossSystem;
-              in
-              [
-                # An output for a statically-linked binary
-                {
-                  name = binaryName;
-                  value = scopeCrossStatic.main;
-                }
-
-                # An output for a statically-linked binary with x86_64 haswell
-                # target optimisations
-                {
-                  name = "${binaryName}-x86_64-haswell-optimised";
-                  value = scopeCrossStatic.main.override {
-                    x86_64_haswell_target_optimised = (if (crossSystem == "x86_64-linux-gnu" || crossSystem == "x86_64-linux-musl") then true else false);
-                  };
-                }
-
-                # An output for a statically-linked unstripped debug ("dev") binary
-                {
-                  name = "${binaryName}-debug";
-                  value = scopeCrossStatic.main.override {
-                    profile = "dev";
-                    # debug build users expect full logs
-                    disable_release_max_log_level = true;
-                  };
-                }
-
-                # An output for a statically-linked unstripped debug binary with the
-                # "test" profile (for CI usage only)
-                {
-                  name = "${binaryName}-test";
-                  value = scopeCrossStatic.main.override {
-                    profile = "test";
-                    disable_release_max_log_level = true;
-                    disable_features = [
-                        # dont include experimental features
-                        "experimental"
-                        # this is non-functional on nix for some reason
-                        "hardened_malloc"
-                        # conduwuit_mods is a development-only hot reload feature
-                        "conduwuit_mods"
-                    ];
-                  };
-                }
-
-                # An output for a statically-linked binary with `--all-features`
-                {
-                  name = "${binaryName}-all-features";
-                  value = scopeCrossStatic.main.override {
-                    all_features = true;
-                    disable_features = [
-                        # dont include experimental features
-                        "experimental"
-                        # jemalloc profiling/stats features are expensive and shouldn't
-                        # be expected on non-debug builds.
-                        "jemalloc_prof"
-                        "jemalloc_stats"
-                        # this is non-functional on nix for some reason
-                        "hardened_malloc"
-                        # conduwuit_mods is a development-only hot reload feature
-                        "conduwuit_mods"
-                    ];
-                  };
-                }
-
-                # An output for a statically-linked binary with `--all-features` and with x86_64 haswell
-                # target optimisations
-                {
-                  name = "${binaryName}-all-features-x86_64-haswell-optimised";
-                  value = scopeCrossStatic.main.override {
-                    all_features = true;
-                    disable_features = [
-                        # dont include experimental features
-                        "experimental"
-                        # jemalloc profiling/stats features are expensive and shouldn't
-                        # be expected on non-debug builds.
-                        "jemalloc_prof"
-                        "jemalloc_stats"
-                        # this is non-functional on nix for some reason
-                        "hardened_malloc"
-                        # conduwuit_mods is a development-only hot reload feature
-                        "conduwuit_mods"
-                    ];
-                    x86_64_haswell_target_optimised = (if (crossSystem == "x86_64-linux-gnu" || crossSystem == "x86_64-linux-musl") then true else false);
-                  };
-                }
-
-                # An output for a statically-linked unstripped debug ("dev") binary with `--all-features`
-                {
-                  name = "${binaryName}-all-features-debug";
-                  value = scopeCrossStatic.main.override {
-                    profile = "dev";
-                    all_features = true;
-                    # debug build users expect full logs
-                    disable_release_max_log_level = true;
-                    disable_features = [
-                        # dont include experimental features
-                        "experimental"
-                        # this is non-functional on nix for some reason
-                        "hardened_malloc"
-                        # conduwuit_mods is a development-only hot reload feature
-                        "conduwuit_mods"
-                    ];
-                  };
-                }
-
-                # An output for a statically-linked binary with hardened_malloc
-                {
-                  name = "${binaryName}-hmalloc";
-                  value = scopeCrossStatic.main.override {
-                    features = ["hardened_malloc"];
-                  };
-                }
-
-                # An output for an OCI image based on that binary
-                {
-                  name = "oci-image-${crossSystem}";
-                  value = scopeCrossStatic.oci-image;
-                }
-
-                # An output for an OCI image based on that binary with x86_64 haswell
-                # target optimisations
-                {
-                  name = "oci-image-${crossSystem}-x86_64-haswell-optimised";
-                  value = scopeCrossStatic.oci-image.override {
-                    main = scopeCrossStatic.main.override {
-                      x86_64_haswell_target_optimised = (if (crossSystem == "x86_64-linux-gnu" || crossSystem == "x86_64-linux-musl") then true else false);
-                    };
-                  };
-                }
-
-                # An output for an OCI image based on that unstripped debug ("dev") binary
-                {
-                  name = "oci-image-${crossSystem}-debug";
-                  value = scopeCrossStatic.oci-image.override {
-                    main = scopeCrossStatic.main.override {
+                    # An output for a statically-linked unstripped debug ("dev") binary
+                    {
+                      name = "${binaryName}-debug";
+                      value = scopeCrossStatic.main.override {
                         profile = "dev";
                         # debug build users expect full logs
                         disable_release_max_log_level = true;
-                    };
-                  };
-                }
+                      };
+                    }
 
-                # An output for an OCI image based on that binary with `--all-features`
-                {
-                  name = "oci-image-${crossSystem}-all-features";
-                  value = scopeCrossStatic.oci-image.override {
-                    main = scopeCrossStatic.main.override {
-                      all_features = true;
-                      disable_features = [
-                        # dont include experimental features
-                        "experimental"
-                        # jemalloc profiling/stats features are expensive and shouldn't
-                        # be expected on non-debug builds.
-                        "jemalloc_prof"
-                        "jemalloc_stats"
-                        # this is non-functional on nix for some reason
-                        "hardened_malloc"
-                        # conduwuit_mods is a development-only hot reload feature
-                        "conduwuit_mods"
-                      ];
-                    };
-                  };
-                }
+                    # An output for a statically-linked unstripped debug binary with the
+                    # "test" profile (for CI usage only)
+                    {
+                      name = "${binaryName}-test";
+                      value = scopeCrossStatic.main.override {
+                        profile = "test";
+                        disable_release_max_log_level = true;
+                        disable_features = [
+                          # dont include experimental features
+                          "experimental"
+                          # this is non-functional on nix for some reason
+                          "hardened_malloc"
+                          # conduwuit_mods is a development-only hot reload feature
+                          "conduwuit_mods"
+                        ];
+                      };
+                    }
 
-                # An output for an OCI image based on that binary with `--all-features` and with x86_64 haswell
-                # target optimisations
-                {
-                  name = "oci-image-${crossSystem}-all-features-x86_64-haswell-optimised";
-                  value = scopeCrossStatic.oci-image.override {
-                    main = scopeCrossStatic.main.override {
-                      all_features = true;
-                      disable_features = [
-                        # dont include experimental features
-                        "experimental"
-                        # jemalloc profiling/stats features are expensive and shouldn't
-                        # be expected on non-debug builds.
-                        "jemalloc_prof"
-                        "jemalloc_stats"
-                        # this is non-functional on nix for some reason
-                        "hardened_malloc"
-                        # conduwuit_mods is a development-only hot reload feature
-                        "conduwuit_mods"
-                      ];
-                      x86_64_haswell_target_optimised = (if (crossSystem == "x86_64-linux-gnu" || crossSystem == "x86_64-linux-musl") then true else false);
-                    };
-                  };
-                }
+                    # An output for a statically-linked binary with `--all-features`
+                    {
+                      name = "${binaryName}-all-features";
+                      value = scopeCrossStatic.main.override {
+                        all_features = true;
+                        disable_features = [
+                          # dont include experimental features
+                          "experimental"
+                          # jemalloc profiling/stats features are expensive and shouldn't
+                          # be expected on non-debug builds.
+                          "jemalloc_prof"
+                          "jemalloc_stats"
+                          # this is non-functional on nix for some reason
+                          "hardened_malloc"
+                          # conduwuit_mods is a development-only hot reload feature
+                          "conduwuit_mods"
+                        ];
+                      };
+                    }
 
-                # An output for an OCI image based on that unstripped debug ("dev") binary with `--all-features`
-                {
-                  name = "oci-image-${crossSystem}-all-features-debug";
-                  value = scopeCrossStatic.oci-image.override {
-                    main = scopeCrossStatic.main.override {
-                      profile = "dev";
-                      all_features = true;
-                      # debug build users expect full logs
-                      disable_release_max_log_level = true;
-                      disable_features = [
-                        # dont include experimental features
-                        "experimental"
-                        # this is non-functional on nix for some reason
-                        "hardened_malloc"
-                        # conduwuit_mods is a development-only hot reload feature
-                        "conduwuit_mods"
-                      ];
-                    };
-                  };
-                }
+                    # An output for a statically-linked binary with `--all-features` and with x86_64 haswell
+                    # target optimisations
+                    {
+                      name = "${binaryName}-all-features-x86_64-haswell-optimised";
+                      value = scopeCrossStatic.main.override {
+                        all_features = true;
+                        disable_features = [
+                          # dont include experimental features
+                          "experimental"
+                          # jemalloc profiling/stats features are expensive and shouldn't
+                          # be expected on non-debug builds.
+                          "jemalloc_prof"
+                          "jemalloc_stats"
+                          # this is non-functional on nix for some reason
+                          "hardened_malloc"
+                          # conduwuit_mods is a development-only hot reload feature
+                          "conduwuit_mods"
+                        ];
+                        x86_64_haswell_target_optimised =
+                          if (crossSystem == "x86_64-linux-gnu" || crossSystem == "x86_64-linux-musl") then true else false;
+                      };
+                    }
 
-                # An output for an OCI image based on that binary with hardened_malloc
-                {
-                  name = "oci-image-${crossSystem}-hmalloc";
-                  value = scopeCrossStatic.oci-image.override {
-                    main = scopeCrossStatic.main.override {
-                      features = ["hardened_malloc"];
-                    };
-                  };
-                }
+                    # An output for a statically-linked unstripped debug ("dev") binary with `--all-features`
+                    {
+                      name = "${binaryName}-all-features-debug";
+                      value = scopeCrossStatic.main.override {
+                        profile = "dev";
+                        all_features = true;
+                        # debug build users expect full logs
+                        disable_release_max_log_level = true;
+                        disable_features = [
+                          # dont include experimental features
+                          "experimental"
+                          # this is non-functional on nix for some reason
+                          "hardened_malloc"
+                          # conduwuit_mods is a development-only hot reload feature
+                          "conduwuit_mods"
+                        ];
+                      };
+                    }
 
-                # An output for a complement OCI image for the specified platform
-                {
-                  name = "complement-${crossSystem}";
-                  value = scopeCrossStatic.complement;
-                }
-              ]
+                    # An output for a statically-linked binary with hardened_malloc
+                    {
+                      name = "${binaryName}-hmalloc";
+                      value = scopeCrossStatic.main.override {
+                        features = [ "hardened_malloc" ];
+                      };
+                    }
+                  ]
+                )
+                [
+                  #"x86_64-apple-darwin"
+                  #"aarch64-apple-darwin"
+                  "x86_64-linux-gnu"
+                  "x86_64-linux-musl"
+                  "aarch64-linux-musl"
+                ]
             )
-            [
-              #"x86_64-apple-darwin"
-              #"aarch64-apple-darwin"
-              "x86_64-linux-gnu"
-              "x86_64-linux-musl"
-              "aarch64-linux-musl"
-            ]
-          )
-        );
-
-      devShells.default = mkDevShell scopeHostStatic;
-      devShells.all-features = mkDevShell
-        (scopeHostStatic.overrideScope (final: prev: {
-          main = prev.main.override {
-            all_features = true;
-            disable_features = [
-                # dont include experimental features
-                "experimental"
-                # jemalloc profiling/stats features are expensive and shouldn't
-                # be expected on non-debug builds.
-                "jemalloc_prof"
-                "jemalloc_stats"
-                # this is non-functional on nix for some reason
-                "hardened_malloc"
-                # conduwuit_mods is a development-only hot reload feature
-                "conduwuit_mods"
-            ];
-        };
-        }));
-      devShells.no-features = mkDevShell
-        (scopeHostStatic.overrideScope (final: prev: {
-          main = prev.main.override { default_features = false; };
-        }));
-      devShells.dynamic = mkDevShell scopeHost;
-    });
+          );
+      }
+    );
 }

nix/pkgs/book/default.nix

@@ -1,36 +0,0 @@
-{ inputs
-
-# Dependencies
-, main
-, mdbook
-, stdenv
-}:
-
-stdenv.mkDerivation {
-  inherit (main) pname version;
-
-  src = inputs.nix-filter {
-    root = inputs.self;
-    include = [
-      "book.toml"
-      "conduwuit-example.toml"
-      "CODE_OF_CONDUCT.md"
-      "CONTRIBUTING.md"
-      "README.md"
-      "development.md"
-      "debian/conduwuit.service"
-      "debian/README.md"
-      "arch/conduwuit.service"
-      "docs"
-      "theme"
-    ];
-  };
-
-  nativeBuildInputs = [
-    mdbook
-  ];
-
-  buildPhase = ''
-    mdbook build -d $out
-  '';
-}

nix/pkgs/complement/certificate.crt

@@ -1,21 +0,0 @@
------BEGIN CERTIFICATE-----
-MIIDfzCCAmegAwIBAgIUcrZdSPmCh33Evys/U6mTPpShqdcwDQYJKoZIhvcNAQEL
-BQAwPzELMAkGA1UEBhMCNjkxCzAJBgNVBAgMAjQyMRUwEwYDVQQKDAx3b29mZXJz
-IGluYy4xDDAKBgNVBAMMA2hzMTAgFw0yNTAzMTMxMjU4NTFaGA8yMDUyMDcyODEy
-NTg1MVowPzELMAkGA1UEBhMCNjkxCzAJBgNVBAgMAjQyMRUwEwYDVQQKDAx3b29m
-ZXJzIGluYy4xDDAKBgNVBAMMA2hzMTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCC
-AQoCggEBANL+h2ZmK/FqN5uLJPtIy6Feqcyb6EX7MQBEtxuJ56bTAbjHuCLZLpYt
-/wOWJ91drHqZ7Xd5iTisGdMu8YS803HSnHkzngf4VXKhVrdzW2YDrpZRxmOhtp88
-awOHmP7mqlJyBbCOQw8aDVrT0KmEIWzA7g+nFRQ5Ff85MaP+sQrHGKZbo61q8HBp
-L0XuaqNckruUKtxnEqrm5xx5sYyYKg7rrSFE5JMFoWKB1FNWJxyWT42BhGtnJZsK
-K5c+NDSOU4TatxoN6mpNSBpCz/a11PiQHMEfqRk6JA4g3911dqPTfZBevUdBh8gl
-8maIzqeZGhvyeKTmull1Y0781yyuj98CAwEAAaNxMG8wCQYDVR0TBAIwADALBgNV
-HQ8EBAMCBPAwNgYDVR0RBC8wLYIRKi5kb2NrZXIuaW50ZXJuYWyCA2hzMYIDaHMy
-ggNoczOCA2hzNIcEfwAAATAdBgNVHQ4EFgQUr4VYrmW1d+vjBTJewvy7fJYhLDYw
-DQYJKoZIhvcNAQELBQADggEBADkYqkjNYxjWX8hUUAmFHNdCwzT1CpYe/5qzLiyJ
-irDSdMlC5g6QqMUSrpu7nZxo1lRe1dXGroFVfWpoDxyCjSQhplQZgtYqtyLfOIx+
-HQ7cPE/tUU/KsTGc0aL61cETB6u8fj+rQKUGdfbSlm0Rpu4v0gC8RnDj06X/hZ7e
-VkWU+dOBzxlqHuLlwFFtVDgCyyTatIROx5V+GpMHrVqBPO7HcHhwqZ30k2kMM8J3
-y1CWaliQM85jqtSZV+yUHKQV8EksSowCFJuguf+Ahz0i0/koaI3i8m4MRN/1j13d
-jbTaX5a11Ynm3A27jioZdtMRty6AJ88oCp18jxVzqTxNNO4=
------END CERTIFICATE-----

nix/pkgs/complement/config.toml

@@ -1,50 +0,0 @@
-[global]
-address = "0.0.0.0"
-allow_device_name_federation = true
-allow_guest_registration = true
-allow_public_room_directory_over_federation = true
-allow_public_room_directory_without_auth = true
-allow_registration = true
-database_path = "/database"
-log = "trace,h2=debug,hyper=debug"
-port = [8008, 8448]
-trusted_servers = []
-only_query_trusted_key_servers = false
-query_trusted_key_servers_first = false
-query_trusted_key_servers_first_on_join = false
-yes_i_am_very_very_sure_i_want_an_open_registration_server_prone_to_abuse = true
-ip_range_denylist = []
-url_preview_domain_contains_allowlist = ["*"]
-url_preview_domain_explicit_denylist = ["*"]
-media_compat_file_link = false
-media_startup_check = true
-prune_missing_media = true
-log_colors = true
-admin_room_notices = false
-allow_check_for_updates = false
-intentionally_unknown_config_option_for_testing = true
-rocksdb_log_level = "info"
-rocksdb_max_log_files = 1
-rocksdb_recovery_mode = 0
-rocksdb_paranoid_file_checks = true
-log_guest_registrations = false
-allow_legacy_media = true
-startup_netburst = true
-startup_netburst_keep = -1
-
-allow_invalid_tls_certificates_yes_i_know_what_the_fuck_i_am_doing_with_this_and_i_know_this_is_insecure = true
-
-# valgrind makes things so slow
-dns_timeout = 60
-dns_attempts = 20
-request_conn_timeout = 60
-request_timeout = 120
-well_known_conn_timeout = 60
-well_known_timeout = 60
-federation_idle_timeout = 300
-sender_timeout = 300
-sender_idle_timeout = 300
-sender_retry_backoff_limit = 300
-
-[global.tls]
-dual_protocol = true

nix/pkgs/complement/default.nix

@@ -1,89 +0,0 @@
-# Dependencies
-{ bashInteractive
-, buildEnv
-, coreutils
-, dockerTools
-, lib
-, main
-, stdenv
-, tini
-, writeShellScriptBin
-}:
-
-let
-  main' = main.override {
-    profile = "test";
-    all_features = true;
-    disable_release_max_log_level = true;
-    disable_features = [
-        # console/CLI stuff isn't used or relevant for complement
-        "console"
-        "tokio_console"
-        # sentry telemetry isn't useful for complement, disabled by default anyways
-        "sentry_telemetry"
-        "perf_measurements"
-        # this is non-functional on nix for some reason
-        "hardened_malloc"
-        # dont include experimental features
-        "experimental"
-        # compression isn't needed for complement
-        "brotli_compression"
-        "gzip_compression"
-        "zstd_compression"
-        # complement doesn't need hot reloading
-        "conduwuit_mods"
-        # complement doesn't have URL preview media tests
-        "url_preview"
-    ];
-  };
-
-  start = writeShellScriptBin "start" ''
-    set -euxo pipefail
-
-    ${lib.getExe' coreutils "env"} \
-      CONDUWUIT_SERVER_NAME="$SERVER_NAME" \
-      ${lib.getExe main'}
-  '';
-in
-
-dockerTools.buildImage {
-  name = "complement-conduwuit";
-  tag = "main";
-
-  copyToRoot = buildEnv {
-    name = "root";
-    pathsToLink = [
-      "/bin"
-    ];
-    paths = [
-      bashInteractive
-      coreutils
-      main'
-      start
-    ];
-  };
-
-  config = {
-    Cmd = [
-      "${lib.getExe start}"
-    ];
-
-    Entrypoint = if !stdenv.hostPlatform.isDarwin
-      # Use the `tini` init system so that signals (e.g. ctrl+c/SIGINT)
-      # are handled as expected
-      then [ "${lib.getExe' tini "tini"}" "--" ]
-      else [];
-
-    Env = [
-      "CONTINUWUITY_TLS__KEY=${./private_key.key}"
-      "CONTINUWUITY_TLS__CERTS=${./certificate.crt}"
-      "CONTINUWUITY_CONFIG=${./config.toml}"
-      "RUST_BACKTRACE=full"
-    ];
-
-    ExposedPorts = {
-      "8008/tcp" = {};
-      "8448/tcp" = {};
-    };
-  };
-}

nix/pkgs/complement/private_key.key

@@ -1,28 +0,0 @@
------BEGIN PRIVATE KEY-----
-MIIEvQIBADANBgkqhkiG9w0BAQEFAASCBKcwggSjAgEAAoIBAQDS/odmZivxajeb
-iyT7SMuhXqnMm+hF+zEARLcbieem0wG4x7gi2S6WLf8DlifdXax6me13eYk4rBnT
-LvGEvNNx0px5M54H+FVyoVa3c1tmA66WUcZjobafPGsDh5j+5qpScgWwjkMPGg1a
-09CphCFswO4PpxUUORX/OTGj/rEKxximW6OtavBwaS9F7mqjXJK7lCrcZxKq5ucc
-ebGMmCoO660hROSTBaFigdRTVicclk+NgYRrZyWbCiuXPjQ0jlOE2rcaDepqTUga
-Qs/2tdT4kBzBH6kZOiQOIN/ddXaj032QXr1HQYfIJfJmiM6nmRob8nik5rpZdWNO
-/Ncsro/fAgMBAAECggEAITCCkfv+a5I+vwvrPE/eIDso0JOxvNhfg+BLQVy3AMnu
-WmeoMmshZeREWgcTrEGg8QQnk4Sdrjl8MnkO6sddJ2luza3t7OkGX+q7Hk5aETkB
-DIo+f8ufU3sIhlydF3OnVSK0fGpUaBq8AQ6Soyeyrk3G5NVufmjgae5QPbDBnqUb
-piOGyfcwagL4JtCbZsMk8AT7vQSynLm6zaWsVzWNd71jummLqtVV063K95J9PqVN
-D8meEcP3WR5kQrvf+mgy9RVgWLRtVWN8OLZfJ9yrnl4Efj62elrldUj4jaCFezGQ
-8f0W+d8jjt038qhmEdymw2MWQ+X/b0R79lJar1Up8QKBgQD1DtHxauhl+JUoI3y+
-3eboqXl7YPJt1/GTnChb4b6D1Z1hvLsOKUa7hjGEfruYGbsWXBCRMICdfzp+iWcq
-/lEOp7/YU9OaW4lQMoG4sXMoBWd9uLgg0E+aH6VDJOBvxsfafqM4ufmtspzwEm90
-FU1cq6oImomFnPChSq4X+3+YpwKBgQDcalaK9llCcscWA8HAP8WVVNTjCOqiDp9q
-td61E9IO/FIB/gW5y+JkaFRrA2CN1zY3s3K92uveLTNYTArecWlDcPNNFDuaYu2M
-Roz4bC104HGh+zztJ0iPVzELL81Lgg6wHhLONN+eVi4gTftJxzJFXybyb+xVT25A
-91ynKXB+CQKBgQC+Ub43MoI+/6pHvBfb3FbDByvz6D0flgBmVXb6tP3TQYmzKHJV
-8zSd2wCGGC71V7Z3DRVIzVR1/SOetnPLbivhp+JUzfWfAcxI3pDksdvvjxLrDxTh
-VycbWcxtsywjY0w/ou581eLVRcygnpC0pP6qJCAwAmUfwd0YRvmiYo6cLQKBgHIW
-UIlJDdaJFmdctnLOD3VGHZMOUHRlYTqYvJe5lKbRD5mcZFZRI/OY1Ok3LEj+tj+K
-kL+YizHK76KqaY3N4hBYbHbfHCLDRfWvptQHGlg+vFJ9eoG+LZ6UIPyLV5XX0cZz
-KoS1dXG9Zc6uznzXsDucDsq6B/f4TzctUjXsCyARAoGAOKb4HtuNyYAW0jUlujR7
-IMHwUesOGlhSXqFtP9aTvk6qJgvV0+3CKcWEb4y02g+uYftP8BLNbJbIt9qOqLYh
-tOVyzCoamAi8araAhjA0w4dXvqDCDK7k/gZFkojmKQtRijoxTHnWcDc3vAjYCgaM
-9MVtdgSkuh2gwkD/mMoAJXM=
------END PRIVATE KEY-----

nix/pkgs/complement/signing_request.csr

@@ -1,16 +0,0 @@
------BEGIN CERTIFICATE REQUEST-----
-MIIChDCCAWwCAQAwPzELMAkGA1UEBhMCNjkxCzAJBgNVBAgMAjQyMRUwEwYDVQQK
-DAx3b29mZXJzIGluYy4xDDAKBgNVBAMMA2hzMTCCASIwDQYJKoZIhvcNAQEBBQAD
-ggEPADCCAQoCggEBANL+h2ZmK/FqN5uLJPtIy6Feqcyb6EX7MQBEtxuJ56bTAbjH
-uCLZLpYt/wOWJ91drHqZ7Xd5iTisGdMu8YS803HSnHkzngf4VXKhVrdzW2YDrpZR
-xmOhtp88awOHmP7mqlJyBbCOQw8aDVrT0KmEIWzA7g+nFRQ5Ff85MaP+sQrHGKZb
-o61q8HBpL0XuaqNckruUKtxnEqrm5xx5sYyYKg7rrSFE5JMFoWKB1FNWJxyWT42B
-hGtnJZsKK5c+NDSOU4TatxoN6mpNSBpCz/a11PiQHMEfqRk6JA4g3911dqPTfZBe
-vUdBh8gl8maIzqeZGhvyeKTmull1Y0781yyuj98CAwEAAaAAMA0GCSqGSIb3DQEB
-CwUAA4IBAQDR/gjfxN0IID1MidyhZB4qpdWn3m6qZnEQqoTyHHdWalbfNXcALC79
-ffS+Smx40N5hEPvqy6euR89N5YuYvt8Hs+j7aWNBn7Wus5Favixcm2JcfCTJn2R3
-r8FefuSs2xGkoyGsPFFcXE13SP/9zrZiwvOgSIuTdz/Pbh6GtEx7aV4DqHJsrXnb
-XuPxpQleoBqKvQgSlmaEBsJg13TQB+Fl2foBVUtqAFDQiv+RIuircf0yesMCKJaK
-MPH4Oo+r3pR8lI8ewfJPreRhCoV+XrGYMubaakz003TJ1xlOW8M+N9a6eFyMVh76
-U1nY/KP8Ua6Lgaj9PRz7JCRzNoshZID/
------END CERTIFICATE REQUEST-----

nix/pkgs/complement/v3.ext

@@ -1,12 +0,0 @@
-authorityKeyIdentifier=keyid,issuer
-basicConstraints=CA:FALSE
-keyUsage = digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment
-subjectAltName = @alt_names
-
-[alt_names]
-DNS.1 = *.docker.internal
-DNS.2 = hs1
-DNS.3 = hs2
-DNS.4 = hs3
-DNS.5 = hs4
-IP.1 = 127.0.0.1

nix/pkgs/main/cross-compilation-env.nix

@@ -4,51 +4,47 @@
 , stdenv
 }:
 
-lib.optionalAttrs stdenv.hostPlatform.isStatic {
-  ROCKSDB_STATIC = "";
-}
+lib.optionalAttrs stdenv.hostPlatform.isStatic
+  {
+    ROCKSDB_STATIC = "";
+  }
 //
 {
   CARGO_BUILD_RUSTFLAGS =
     lib.concatStringsSep
       " "
-      ([]
-        # This disables PIE for static builds, which isn't great in terms
-        # of security. Unfortunately, my hand is forced because nixpkgs'
-        # `libstdc++.a` is built without `-fPIE`, which precludes us from
-        # leaving PIE enabled.
-        ++ lib.optionals
-          stdenv.hostPlatform.isStatic
-          [ "-C" "relocation-model=static" ]
-        ++ lib.optionals
-          (stdenv.buildPlatform.config != stdenv.hostPlatform.config)
-          [
-            "-l"
-            "c"
+      (lib.optionals
+        stdenv.hostPlatform.isStatic
+        [ "-C" "relocation-model=static" ]
+      ++ lib.optionals
+        (stdenv.buildPlatform.config != stdenv.hostPlatform.config)
+        [
+          "-l"
+          "c"
 
-            "-l"
-            "stdc++"
+          "-l"
+          "stdc++"
 
-            "-L"
-            "${stdenv.cc.cc.lib}/${stdenv.hostPlatform.config}/lib"
-          ]
+          "-L"
+          "${stdenv.cc.cc.lib}/${stdenv.hostPlatform.config}/lib"
+        ]
       );
 }
 
-# What follows is stolen from [here][0]. Its purpose is to properly
-# configure compilers and linkers for various stages of the build, and
-# even covers the case of build scripts that need native code compiled and
-# run on the build platform (I think).
-#
-# [0]: https://github.com/NixOS/nixpkgs/blob/nixpkgs-unstable/pkgs/build-support/rust/lib/default.nix#L48-L68
-//
+  # What follows is stolen from [here][0]. Its purpose is to properly
+  # configure compilers and linkers for various stages of the build, and
+  # even covers the case of build scripts that need native code compiled and
+  # run on the build platform (I think).
+  #
+  # [0]: https://github.com/NixOS/nixpkgs/blob/nixpkgs-unstable/pkgs/build-support/rust/lib/default.nix#L48-L68
+  //
 (
   let
     inherit (rust.lib) envVars;
   in
   lib.optionalAttrs
     (stdenv.targetPlatform.rust.rustcTarget
-      != stdenv.hostPlatform.rust.rustcTarget)
+    != stdenv.hostPlatform.rust.rustcTarget)
     (
       let
         inherit (stdenv.targetPlatform.rust) cargoEnvVarTarget;

nix/pkgs/main/default.nix

@@ -12,144 +12,146 @@
 , rust-jemalloc-sys
 , stdenv
 
-# Options (keep sorted)
+  # Options (keep sorted)
 , all_features ? false
 , default_features ? true
-# default list of disabled features
+  # default list of disabled features
 , disable_features ? [
-  # dont include experimental features
-  "experimental"
-  # jemalloc profiling/stats features are expensive and shouldn't
-  # be expected on non-debug builds.
-  "jemalloc_prof"
-  "jemalloc_stats"
-  # this is non-functional on nix for some reason
-  "hardened_malloc"
-  # conduwuit_mods is a development-only hot reload feature
-  "conduwuit_mods"
-]
+    # dont include experimental features
+    "experimental"
+    # jemalloc profiling/stats features are expensive and shouldn't
+    # be expected on non-debug builds.
+    "jemalloc_prof"
+    "jemalloc_stats"
+    # this is non-functional on nix for some reason
+    "hardened_malloc"
+    # conduwuit_mods is a development-only hot reload feature
+    "conduwuit_mods"
+  ]
 , disable_release_max_log_level ? false
-, features ? []
+, features ? [ ]
 , profile ? "release"
-# rocksdb compiled with -march=haswell and target-cpu=haswell rustflag
-# haswell is pretty much any x86 cpu made in the last 12 years, and
-# supports modern CPU extensions that rocksdb can make use of.
-# disable if trying to make a portable x86_64 build for very old hardware
+  # rocksdb compiled with -march=haswell and target-cpu=haswell rustflag
+  # haswell is pretty much any x86 cpu made in the last 12 years, and
+  # supports modern CPU extensions that rocksdb can make use of.
+  # disable if trying to make a portable x86_64 build for very old hardware
 , x86_64_haswell_target_optimised ? false
 }:
 
 let
-# We perform default-feature unification in nix, because some of the dependencies
-# on the nix side depend on feature values.
-crateFeatures = path:
-  let manifest = lib.importTOML "${path}/Cargo.toml"; in
-  lib.remove "default" (lib.attrNames manifest.features);
-crateDefaultFeatures = path:
-  (lib.importTOML "${path}/Cargo.toml").features.default;
-allDefaultFeatures = crateDefaultFeatures "${inputs.self}/src/main";
-allFeatures = crateFeatures "${inputs.self}/src/main";
-features' = lib.unique
-  (features ++
-    lib.optionals default_features allDefaultFeatures ++
-    lib.optionals all_features allFeatures);
-disable_features' = disable_features ++ lib.optionals disable_release_max_log_level ["release_max_log_level"];
-features'' = lib.subtractLists disable_features' features';
+  # We perform default-feature unification in nix, because some of the dependencies
+  # on the nix side depend on feature values.
+  crateFeatures = path:
+    let manifest = lib.importTOML "${path}/Cargo.toml"; in
+    lib.remove "default" (lib.attrNames manifest.features);
+  crateDefaultFeatures = path:
+    (lib.importTOML "${path}/Cargo.toml").features.default;
+  allDefaultFeatures = crateDefaultFeatures "${inputs.self}/src/main";
+  allFeatures = crateFeatures "${inputs.self}/src/main";
+  features' = lib.unique
+    (features ++
+      lib.optionals default_features allDefaultFeatures ++
+      lib.optionals all_features allFeatures);
+  disable_features' = disable_features ++ lib.optionals disable_release_max_log_level [ "release_max_log_level" ];
+  features'' = lib.subtractLists disable_features' features';
 
-featureEnabled = feature : builtins.elem feature features'';
+  featureEnabled = feature: builtins.elem feature features'';
 
-enableLiburing = featureEnabled "io_uring" && !stdenv.hostPlatform.isDarwin;
+  enableLiburing = featureEnabled "io_uring" && !stdenv.hostPlatform.isDarwin;
 
-# This derivation will set the JEMALLOC_OVERRIDE variable, causing the
-# tikv-jemalloc-sys crate to use the nixpkgs jemalloc instead of building it's
-# own. In order for this to work, we need to set flags on the build that match
-# whatever flags tikv-jemalloc-sys was going to use. These are dependent on
-# which features we enable in tikv-jemalloc-sys.
-rust-jemalloc-sys' = (rust-jemalloc-sys.override {
-  # tikv-jemalloc-sys/unprefixed_malloc_on_supported_platforms feature
-  unprefixed = true;
-}).overrideAttrs (old: {
-  configureFlags = old.configureFlags ++
-    # we dont need docs
-    [ "--disable-doc" ] ++
-    # we dont need cxx/C++ integration
-    [ "--disable-cxx" ] ++
-    # tikv-jemalloc-sys/profiling feature
-    lib.optional (featureEnabled "jemalloc_prof") "--enable-prof" ++
-    # tikv-jemalloc-sys/stats feature
-    (if (featureEnabled "jemalloc_stats") then [ "--enable-stats" ] else [ "--disable-stats" ]);
-});
-
-buildDepsOnlyEnv =
-  let
-    rocksdb' = (rocksdb.override {
-      jemalloc = lib.optional (featureEnabled "jemalloc") rust-jemalloc-sys';
-      # rocksdb fails to build with prefixed jemalloc, which is required on
-      # darwin due to [1]. In this case, fall back to building rocksdb with
-      # libc malloc. This should not cause conflicts, because all of the
-      # jemalloc symbols are prefixed.
-      #
-      # [1]: https://github.com/tikv/jemallocator/blob/ab0676d77e81268cd09b059260c75b38dbef2d51/jemalloc-sys/src/env.rs#L17
-      enableJemalloc = featureEnabled "jemalloc" && !stdenv.hostPlatform.isDarwin;
-
-      # for some reason enableLiburing in nixpkgs rocksdb is default true
-      # which breaks Darwin entirely
-      enableLiburing = enableLiburing;
-    }).overrideAttrs (old: {
-      enableLiburing = enableLiburing;
-      cmakeFlags = (if x86_64_haswell_target_optimised then (lib.subtractLists [
-        # dont make a portable build if x86_64_haswell_target_optimised is enabled
-        "-DPORTABLE=1"
-      ] old.cmakeFlags
-      ++ [ "-DPORTABLE=haswell" ]) else ([ "-DPORTABLE=1" ])
-      )
-      ++ old.cmakeFlags;
-
-      # outputs has "tools" which we dont need or use
-      outputs = [ "out" ];
-
-      # preInstall hooks has stuff for messing with ldb/sst_dump which we dont need or use
-      preInstall = "";
-    });
-  in
-  {
-    # https://crane.dev/faq/rebuilds-bindgen.html
-    NIX_OUTPATH_USED_AS_RANDOM_SEED = "aaaaaaaaaa";
-
-    CARGO_PROFILE = profile;
-    ROCKSDB_INCLUDE_DIR = "${rocksdb'}/include";
-    ROCKSDB_LIB_DIR = "${rocksdb'}/lib";
-  }
-  //
-  (import ./cross-compilation-env.nix {
-    # Keep sorted
-    inherit
-      lib
-      pkgsBuildHost
-      rust
-      stdenv;
+  # This derivation will set the JEMALLOC_OVERRIDE variable, causing the
+  # tikv-jemalloc-sys crate to use the nixpkgs jemalloc instead of building it's
+  # own. In order for this to work, we need to set flags on the build that match
+  # whatever flags tikv-jemalloc-sys was going to use. These are dependent on
+  # which features we enable in tikv-jemalloc-sys.
+  rust-jemalloc-sys' = (rust-jemalloc-sys.override {
+    # tikv-jemalloc-sys/unprefixed_malloc_on_supported_platforms feature
+    unprefixed = true;
+  }).overrideAttrs (old: {
+    configureFlags = old.configureFlags ++
+      # we dont need docs
+      [ "--disable-doc" ] ++
+      # we dont need cxx/C++ integration
+      [ "--disable-cxx" ] ++
+      # tikv-jemalloc-sys/profiling feature
+      lib.optional (featureEnabled "jemalloc_prof") "--enable-prof" ++
+      # tikv-jemalloc-sys/stats feature
+      (if (featureEnabled "jemalloc_stats") then [ "--enable-stats" ] else [ "--disable-stats" ]);
   });
 
-buildPackageEnv = {
-  GIT_COMMIT_HASH = inputs.self.rev or inputs.self.dirtyRev or "";
-  GIT_COMMIT_HASH_SHORT = inputs.self.shortRev or inputs.self.dirtyShortRev or "";
-} // buildDepsOnlyEnv // {
-  # Only needed in static stdenv because these are transitive dependencies of rocksdb
-  CARGO_BUILD_RUSTFLAGS = buildDepsOnlyEnv.CARGO_BUILD_RUSTFLAGS
-    + lib.optionalString (enableLiburing && stdenv.hostPlatform.isStatic)
+  buildDepsOnlyEnv =
+    let
+      rocksdb' = (rocksdb.override {
+        jemalloc = lib.optional (featureEnabled "jemalloc") rust-jemalloc-sys';
+        # rocksdb fails to build with prefixed jemalloc, which is required on
+        # darwin due to [1]. In this case, fall back to building rocksdb with
+        # libc malloc. This should not cause conflicts, because all of the
+        # jemalloc symbols are prefixed.
+        #
+        # [1]: https://github.com/tikv/jemallocator/blob/ab0676d77e81268cd09b059260c75b38dbef2d51/jemalloc-sys/src/env.rs#L17
+        enableJemalloc = featureEnabled "jemalloc" && !stdenv.hostPlatform.isDarwin;
+
+        # for some reason enableLiburing in nixpkgs rocksdb is default true
+        # which breaks Darwin entirely
+        inherit enableLiburing;
+      }).overrideAttrs (old: {
+        inherit enableLiburing;
+        cmakeFlags = (if x86_64_haswell_target_optimised then
+          (lib.subtractLists [
+            # dont make a portable build if x86_64_haswell_target_optimised is enabled
+            "-DPORTABLE=1"
+          ]
+            old.cmakeFlags
+          ++ [ "-DPORTABLE=haswell" ]) else [ "-DPORTABLE=1" ]
+        )
+        ++ old.cmakeFlags;
+
+        # outputs has "tools" which we dont need or use
+        outputs = [ "out" ];
+
+        # preInstall hooks has stuff for messing with ldb/sst_dump which we dont need or use
+        preInstall = "";
+      });
+    in
+    {
+      # https://crane.dev/faq/rebuilds-bindgen.html
+      NIX_OUTPATH_USED_AS_RANDOM_SEED = "aaaaaaaaaa";
+
+      CARGO_PROFILE = profile;
+      ROCKSDB_INCLUDE_DIR = "${rocksdb'}/include";
+      ROCKSDB_LIB_DIR = "${rocksdb'}/lib";
+    }
+    //
+    (import ./cross-compilation-env.nix {
+      # Keep sorted
+      inherit
+        lib
+        pkgsBuildHost
+        rust
+        stdenv;
+    });
+
+  buildPackageEnv = {
+    GIT_COMMIT_HASH = inputs.self.rev or inputs.self.dirtyRev or "";
+    GIT_COMMIT_HASH_SHORT = inputs.self.shortRev or inputs.self.dirtyShortRev or "";
+  } // buildDepsOnlyEnv // {
+    # Only needed in static stdenv because these are transitive dependencies of rocksdb
+    CARGO_BUILD_RUSTFLAGS = buildDepsOnlyEnv.CARGO_BUILD_RUSTFLAGS
+      + lib.optionalString (enableLiburing && stdenv.hostPlatform.isStatic)
       " -L${lib.getLib liburing}/lib -luring"
-    + lib.optionalString x86_64_haswell_target_optimised
+      + lib.optionalString x86_64_haswell_target_optimised
       " -Ctarget-cpu=haswell";
-};
+  };
 
 
 
-commonAttrs = {
-  inherit
-    (craneLib.crateNameFromCargoToml {
-      cargoToml = "${inputs.self}/Cargo.toml";
-    })
-    pname
-    version;
+  commonAttrs = {
+    inherit
+      (craneLib.crateNameFromCargoToml {
+        cargoToml = "${inputs.self}/Cargo.toml";
+      })
+      pname
+      version;
 
     src = let filter = inputs.nix-filter.lib; in filter {
       root = inputs.self;
@@ -160,6 +162,7 @@ commonAttrs = {
         "Cargo.lock"
         "Cargo.toml"
         "src"
+        "xtask"
       ];
     };
 
@@ -167,22 +170,22 @@ commonAttrs = {
 
     cargoExtraArgs = "--no-default-features --locked "
       + lib.optionalString
-        (features'' != [])
-        "--features " + (builtins.concatStringsSep "," features'');
+      (features'' != [ ])
+      "--features " + (builtins.concatStringsSep "," features'');
 
     dontStrip = profile == "dev" || profile == "test";
     dontPatchELF = profile == "dev" || profile == "test";
 
     buildInputs = lib.optional (featureEnabled "jemalloc") rust-jemalloc-sys'
-    # needed to build Rust applications on macOS
-    ++ lib.optionals stdenv.hostPlatform.isDarwin [
-        # https://github.com/NixOS/nixpkgs/issues/206242
-        # ld: library not found for -liconv
-        libiconv
-        # https://stackoverflow.com/questions/69869574/properly-adding-darwin-apple-sdk-to-a-nix-shell
-        # https://discourse.nixos.org/t/compile-a-rust-binary-on-macos-dbcrossbar/8612
-        pkgsBuildHost.darwin.apple_sdk.frameworks.Security
-      ];
+      # needed to build Rust applications on macOS
+      ++ lib.optionals stdenv.hostPlatform.isDarwin [
+      # https://github.com/NixOS/nixpkgs/issues/206242
+      # ld: library not found for -liconv
+      libiconv
+      # https://stackoverflow.com/questions/69869574/properly-adding-darwin-apple-sdk-to-a-nix-shell
+      # https://discourse.nixos.org/t/compile-a-rust-binary-on-macos-dbcrossbar/8612
+      pkgsBuildHost.darwin.apple_sdk.frameworks.Security
+    ];
 
     nativeBuildInputs = [
       # bindgen needs the build platform's libclang. Apparently due to "splicing
@@ -195,11 +198,11 @@ commonAttrs = {
       # differing values for `NIX_CFLAGS_COMPILE`, which contributes to spurious
       # rebuilds of bindgen and its depedents.
       jq
-  ];
- };
+    ];
+  };
 in
 
-craneLib.buildPackage ( commonAttrs // {
+craneLib.buildPackage (commonAttrs // {
   cargoArtifacts = craneLib.buildDepsOnly (commonAttrs // {
     env = buildDepsOnlyEnv;
   });
@@ -208,8 +211,8 @@ craneLib.buildPackage ( commonAttrs // {
 
   cargoExtraArgs = "--no-default-features --locked "
     + lib.optionalString
-      (features'' != [])
-      "--features " + (builtins.concatStringsSep "," features'');
+    (features'' != [ ])
+    "--features " + (builtins.concatStringsSep "," features'');
 
   env = buildPackageEnv;
 

nix/pkgs/oci-image/default.nix

@@ -1,46 +0,0 @@
-{ inputs
-
-# Dependencies
-, dockerTools
-, lib
-, main
-, stdenv
-, tini
-}:
-
-dockerTools.buildLayeredImage {
-  name = main.pname;
-  tag = "main";
-  created = "@${toString inputs.self.lastModified}";
-  contents = [
-    dockerTools.caCertificates
-    main
-  ];
-  config = {
-    Entrypoint = if !stdenv.hostPlatform.isDarwin
-      # Use the `tini` init system so that signals (e.g. ctrl+c/SIGINT)
-      # are handled as expected
-      then [ "${lib.getExe' tini "tini"}" "--" ]
-      else [];
-    Cmd = [
-      "${lib.getExe main}"
-    ];
-    Env = [
-      "RUST_BACKTRACE=full"
-    ];
-    Labels = {
-      "org.opencontainers.image.authors" = "June Clementine Strawberry <june@girlboss.ceo> and Jason Volk
-      <jason@zemos.net>";
-      "org.opencontainers.image.created" ="@${toString inputs.self.lastModified}";
-      "org.opencontainers.image.description" = "a very cool Matrix chat homeserver written in Rust";
-      "org.opencontainers.image.documentation" = "https://continuwuity.org/";
-      "org.opencontainers.image.licenses" = "Apache-2.0";
-      "org.opencontainers.image.revision" = inputs.self.rev or inputs.self.dirtyRev or "";
-      "org.opencontainers.image.source" = "https://forgejo.ellis.link/continuwuation/continuwuity";
-      "org.opencontainers.image.title" = main.pname;
-      "org.opencontainers.image.url" = "https://continuwuity.org/";
-      "org.opencontainers.image.vendor" = "continuwuation";
-      "org.opencontainers.image.version" = main.version;
-    };
-  };
-}

rust-toolchain.toml

@@ -9,7 +9,7 @@
 # If you're having trouble making the relevant changes, bug a maintainer.
 
 [toolchain]
-channel = "1.86.0"
+channel = "1.87.0"
 profile = "minimal"
 components = [
     # For rust-analyzer
@@ -19,11 +19,3 @@ components = [
     "rustfmt",
     "clippy",
 ]
-targets = [
-    #"x86_64-apple-darwin",
-    "x86_64-unknown-linux-gnu",
-    "x86_64-unknown-linux-musl",
-    "aarch64-unknown-linux-musl",
-    "aarch64-unknown-linux-gnu",
-    #"aarch64-apple-darwin",
-]

src/admin/admin.rs

@@ -9,8 +9,8 @@ use crate::{
 };
 
 #[derive(Debug, Parser)]
-#[command(name = "conduwuit", version = conduwuit::version())]
-pub(super) enum AdminCommand {
+#[command(name = conduwuit_core::name(), version = conduwuit_core::version())]
+pub enum AdminCommand {
 	#[command(subcommand)]
 	/// - Commands for managing appservices
 	Appservices(AppserviceCommand),

src/admin/appservice/mod.rs

@@ -7,7 +7,7 @@ use crate::admin_command_dispatch;
 
 #[derive(Debug, Subcommand)]
 #[admin_command_dispatch]
-pub(super) enum AppserviceCommand {
+pub enum AppserviceCommand {
 	/// - Register an appservice using its registration YAML
 	///
 	/// This command needs a YAML generated by an appservice (such as a bridge),

src/admin/check/mod.rs

@@ -7,6 +7,6 @@ use crate::admin_command_dispatch;
 
 #[admin_command_dispatch]
 #[derive(Debug, Subcommand)]
-pub(super) enum CheckCommand {
+pub enum CheckCommand {
 	CheckAllUsers,
 }

src/admin/context.rs

@@ -7,13 +7,14 @@ use futures::{
 	io::{AsyncWriteExt, BufWriter},
 	lock::Mutex,
 };
-use ruma::EventId;
+use ruma::{EventId, UserId};
 
 pub(crate) struct Context<'a> {
 	pub(crate) services: &'a Services,
 	pub(crate) body: &'a [&'a str],
 	pub(crate) timer: SystemTime,
 	pub(crate) reply_id: Option<&'a EventId>,
+	pub(crate) sender: Option<&'a UserId>,
 	pub(crate) output: Mutex<BufWriter<Vec<u8>>>,
 }
 
@@ -36,4 +37,10 @@ impl Context<'_> {
 			output.write_all(s.as_bytes()).map_err(Into::into).await
 		})
 	}
+
+	/// Get the sender as a string, or service user ID if not available
+	pub(crate) fn sender_or_service_user(&self) -> &UserId {
+		self.sender
+			.unwrap_or_else(|| self.services.globals.server_user.as_ref())
+	}
 }

src/admin/debug/commands.rs

@@ -7,7 +7,10 @@ use std::{
 
 use conduwuit::{
 	Err, Result, debug_error, err, info,
-	matrix::pdu::{PduEvent, PduId, RawPduId},
+	matrix::{
+		Event,
+		pdu::{PduEvent, PduId, RawPduId},
+	},
 	trace, utils,
 	utils::{
 		stream::{IterStream, ReadyExt},
@@ -19,7 +22,7 @@ use futures::{FutureExt, StreamExt, TryStreamExt};
 use ruma::{
 	CanonicalJsonObject, CanonicalJsonValue, EventId, OwnedEventId, OwnedRoomId,
 	OwnedRoomOrAliasId, OwnedServerName, RoomId, RoomVersionId,
-	api::federation::event::get_room_state,
+	api::federation::event::get_room_state, events::AnyStateEvent, serde::Raw,
 };
 use service::rooms::{
 	short::{ShortEventId, ShortRoomId},
@@ -239,10 +242,11 @@ pub(super) async fn get_remote_pdu(
 		})
 		.await
 	{
-		| Err(e) =>
+		| Err(e) => {
 			return Err!(
 				"Remote server did not have PDU or failed sending request to remote server: {e}"
-			),
+			);
+		},
 		| Ok(response) => {
 			let json: CanonicalJsonObject =
 				serde_json::from_str(response.pdu.get()).map_err(|e| {
@@ -295,12 +299,12 @@ pub(super) async fn get_remote_pdu(
 #[admin_command]
 pub(super) async fn get_room_state(&self, room: OwnedRoomOrAliasId) -> Result {
 	let room_id = self.services.rooms.alias.resolve(&room).await?;
-	let room_state: Vec<_> = self
+	let room_state: Vec<Raw<AnyStateEvent>> = self
 		.services
 		.rooms
 		.state_accessor
 		.room_state_full_pdus(&room_id)
-		.map_ok(PduEvent::into_state_event)
+		.map_ok(Event::into_format)
 		.try_collect()
 		.await?;
 
@@ -384,8 +388,9 @@ pub(super) async fn change_log_level(&self, filter: Option<String>, reset: bool)
 			.reload
 			.reload(&old_filter_layer, Some(handles))
 		{
-			| Err(e) =>
-				return Err!("Failed to modify and reload the global tracing log level: {e}"),
+			| Err(e) => {
+				return Err!("Failed to modify and reload the global tracing log level: {e}");
+			},
 			| Ok(()) => {
 				let value = &self.services.server.config.log;
 				let out = format!("Successfully changed log level back to config value {value}");
@@ -407,9 +412,12 @@ pub(super) async fn change_log_level(&self, filter: Option<String>, reset: bool)
 			.reload
 			.reload(&new_filter_layer, Some(handles))
 		{
-			| Ok(()) => return self.write_str("Successfully changed log level").await,
-			| Err(e) =>
-				return Err!("Failed to modify and reload the global tracing log level: {e}"),
+			| Ok(()) => {
+				return self.write_str("Successfully changed log level").await;
+			},
+			| Err(e) => {
+				return Err!("Failed to modify and reload the global tracing log level: {e}");
+			},
 		}
 	}
 
@@ -529,6 +537,7 @@ pub(super) async fn force_set_room_state_from_server(
 	&self,
 	room_id: OwnedRoomId,
 	server_name: OwnedServerName,
+	at_event: Option<OwnedEventId>,
 ) -> Result {
 	if !self
 		.services
@@ -540,13 +549,18 @@ pub(super) async fn force_set_room_state_from_server(
 		return Err!("We are not participating in the room / we don't know about the room ID.");
 	}
 
-	let first_pdu = self
-		.services
-		.rooms
-		.timeline
-		.latest_pdu_in_room(&room_id)
-		.await
-		.map_err(|_| err!(Database("Failed to find the latest PDU in database")))?;
+	let at_event_id = match at_event {
+		| Some(event_id) => event_id,
+		| None => self
+			.services
+			.rooms
+			.timeline
+			.latest_pdu_in_room(&room_id)
+			.await
+			.map_err(|_| err!(Database("Failed to find the latest PDU in database")))?
+			.event_id()
+			.to_owned(),
+	};
 
 	let room_version = self.services.rooms.state.get_room_version(&room_id).await?;
 
@@ -557,7 +571,7 @@ pub(super) async fn force_set_room_state_from_server(
 		.sending
 		.send_federation_request(&server_name, get_room_state::v1::Request {
 			room_id: room_id.clone(),
-			event_id: first_pdu.event_id.clone(),
+			event_id: at_event_id,
 		})
 		.await?;
 

src/admin/debug/mod.rs

@@ -11,7 +11,7 @@ use crate::admin_command_dispatch;
 
 #[admin_command_dispatch]
 #[derive(Debug, Subcommand)]
-pub(super) enum DebugCommand {
+pub enum DebugCommand {
 	/// - Echo input of admin command
 	Echo {
 		message: Vec<String>,
@@ -32,13 +32,13 @@ pub(super) enum DebugCommand {
 	/// the command.
 	ParsePdu,
 
-	/// - Retrieve and print a PDU by EventID from the conduwuit database
+	/// - Retrieve and print a PDU by EventID from the Continuwuity database
 	GetPdu {
 		/// An event ID (a $ followed by the base64 reference hash)
 		event_id: OwnedEventId,
 	},
 
-	/// - Retrieve and print a PDU by PduId from the conduwuit database
+	/// - Retrieve and print a PDU by PduId from the Continuwuity database
 	GetShortPdu {
 		/// Shortroomid integer
 		shortroomid: ShortRoomId,
@@ -125,13 +125,13 @@ pub(super) enum DebugCommand {
 		reset: bool,
 	},
 
-	/// - Verify json signatures
+	/// - Sign JSON blob
 	///
 	/// This command needs a JSON blob provided in a Markdown code block below
 	/// the command.
 	SignJson,
 
-	/// - Verify json signatures
+	/// - Verify JSON signatures
 	///
 	/// This command needs a JSON blob provided in a Markdown code block below
 	/// the command.
@@ -177,9 +177,12 @@ pub(super) enum DebugCommand {
 		room_id: OwnedRoomId,
 		/// The server we will use to query the room state for
 		server_name: OwnedServerName,
+		/// The event ID of the latest known PDU in the room. Will be found
+		/// automatically if not provided.
+		event_id: Option<OwnedEventId>,
 	},
 
-	/// - Runs a server name through conduwuit's true destination resolution
+	/// - Runs a server name through Continuwuity's true destination resolution
 	///   process
 	///
 	/// Useful for debugging well-known issues

src/admin/debug/tester.rs

@@ -4,7 +4,7 @@ use crate::{admin_command, admin_command_dispatch};
 
 #[admin_command_dispatch]
 #[derive(Debug, clap::Subcommand)]
-pub(crate) enum TesterCommand {
+pub enum TesterCommand {
 	Panic,
 	Failure,
 	Tester,

src/admin/federation/mod.rs

@@ -8,7 +8,7 @@ use crate::admin_command_dispatch;
 
 #[admin_command_dispatch]
 #[derive(Debug, Subcommand)]
-pub(super) enum FederationCommand {
+pub enum FederationCommand {
 	/// - List all rooms we are currently handling an incoming pdu from
 	IncomingFederation,
 

src/admin/media/mod.rs

@@ -9,7 +9,7 @@ use crate::admin_command_dispatch;
 
 #[admin_command_dispatch]
 #[derive(Debug, Subcommand)]
-pub(super) enum MediaCommand {
+pub enum MediaCommand {
 	/// - Deletes a single media file from our database and on the filesystem
 	///   via a single MXC URL or event ID (not redacted)
 	Delete {
@@ -90,10 +90,10 @@ pub(super) enum MediaCommand {
 		#[arg(short, long, default_value("10000"))]
 		timeout: u32,
 
-		#[arg(short, long, default_value("800"))]
+		#[arg(long, default_value("800"))]
 		width: u32,
 
-		#[arg(short, long, default_value("800"))]
+		#[arg(long, default_value("800"))]
 		height: u32,
 	},
 }

src/admin/mod.rs

@@ -33,6 +33,8 @@ conduwuit::mod_ctor! {}
 conduwuit::mod_dtor! {}
 conduwuit::rustc_flags_capture! {}
 
+pub use crate::admin::AdminCommand;
+
 /// Install the admin command processor
 pub async fn init(admin_service: &service::admin::Service) {
 	_ = admin_service

src/admin/processor.rs

@@ -63,6 +63,7 @@ async fn process_command(services: Arc<Services>, input: &CommandInput) -> Proce
 		body: &body,
 		timer: SystemTime::now(),
 		reply_id: input.reply_id.as_deref(),
+		sender: input.sender.as_deref(),
 		output: BufWriter::new(Vec::new()).into(),
 	};
 
@@ -93,8 +94,7 @@ async fn process_command(services: Arc<Services>, input: &CommandInput) -> Proce
 
 #[allow(clippy::result_large_err)]
 fn handle_panic(error: &Error, command: &CommandInput) -> ProcessorResult {
-	let link =
-		"Please submit a [bug report](https://forgejo.ellis.link/continuwuation/continuwuity/issues/new). 🥺";
+	let link = "Please submit a [bug report](https://forgejo.ellis.link/continuwuation/continuwuity/issues/new). 🥺";
 	let msg = format!("Panic occurred while processing command:\n```\n{error:#?}\n```\n{link}");
 	let content = RoomMessageEventContent::notice_markdown(msg);
 	error!("Panic while processing command: {error:?}");

src/admin/query/account_data.rs

@@ -8,7 +8,7 @@ use crate::{admin_command, admin_command_dispatch};
 #[admin_command_dispatch]
 #[derive(Debug, Subcommand)]
 /// All the getters and iterators from src/database/key_value/account_data.rs
-pub(crate) enum AccountDataCommand {
+pub enum AccountDataCommand {
 	/// - Returns all changes to the account data that happened after `since`.
 	ChangesSince {
 		/// Full user ID

src/admin/query/appservice.rs

@@ -6,7 +6,7 @@ use crate::Context;
 
 #[derive(Debug, Subcommand)]
 /// All the getters and iterators from src/database/key_value/appservice.rs
-pub(crate) enum AppserviceCommand {
+pub enum AppserviceCommand {
 	/// - Gets the appservice registration info/details from the ID as a string
 	GetRegistration {
 		/// Appservice registration ID

src/admin/query/globals.rs

@@ -6,7 +6,7 @@ use crate::Context;
 
 #[derive(Debug, Subcommand)]
 /// All the getters and iterators from src/database/key_value/globals.rs
-pub(crate) enum GlobalsCommand {
+pub enum GlobalsCommand {
 	DatabaseVersion,
 
 	CurrentCount,

src/admin/query/mod.rs

@@ -27,7 +27,7 @@ use crate::admin_command_dispatch;
 #[admin_command_dispatch]
 #[derive(Debug, Subcommand)]
 /// Query tables from database
-pub(super) enum QueryCommand {
+pub enum QueryCommand {
 	/// - account_data.rs iterators and getters
 	#[command(subcommand)]
 	AccountData(AccountDataCommand),

src/admin/query/presence.rs

@@ -7,7 +7,7 @@ use crate::Context;
 
 #[derive(Debug, Subcommand)]
 /// All the getters and iterators from src/database/key_value/presence.rs
-pub(crate) enum PresenceCommand {
+pub enum PresenceCommand {
 	/// - Returns the latest presence event for the given user.
 	GetPresence {
 		/// Full user ID

src/admin/query/pusher.rs

@@ -5,7 +5,7 @@ use ruma::OwnedUserId;
 use crate::Context;
 
 #[derive(Debug, Subcommand)]
-pub(crate) enum PusherCommand {
+pub enum PusherCommand {
 	/// - Returns all the pushers for the user.
 	GetPushers {
 		/// Full user ID

src/admin/query/raw.rs

@@ -19,7 +19,7 @@ use crate::{admin_command, admin_command_dispatch};
 #[derive(Debug, Subcommand)]
 #[allow(clippy::enum_variant_names)]
 /// Query tables from database
-pub(crate) enum RawCommand {
+pub enum RawCommand {
 	/// - List database maps
 	RawMaps,
 

src/admin/query/resolver.rs

@@ -8,7 +8,7 @@ use crate::{admin_command, admin_command_dispatch};
 #[admin_command_dispatch]
 #[derive(Debug, Subcommand)]
 /// Resolver service and caches
-pub(crate) enum ResolverCommand {
+pub enum ResolverCommand {
 	/// Query the destinations cache
 	DestinationsCache {
 		server_name: Option<OwnedServerName>,

src/admin/query/room_alias.rs

@@ -7,7 +7,7 @@ use crate::Context;
 
 #[derive(Debug, Subcommand)]
 /// All the getters and iterators from src/database/key_value/rooms/alias.rs
-pub(crate) enum RoomAliasCommand {
+pub enum RoomAliasCommand {
 	ResolveLocalAlias {
 		/// Full room alias
 		alias: OwnedRoomAliasId,

src/admin/query/room_state_cache.rs

@@ -6,7 +6,7 @@ use ruma::{OwnedRoomId, OwnedServerName, OwnedUserId};
 use crate::Context;
 
 #[derive(Debug, Subcommand)]
-pub(crate) enum RoomStateCacheCommand {
+pub enum RoomStateCacheCommand {
 	ServerInRoom {
 		server: OwnedServerName,
 		room_id: OwnedRoomId,

src/admin/query/room_timeline.rs

@@ -8,7 +8,7 @@ use crate::{admin_command, admin_command_dispatch};
 #[admin_command_dispatch]
 #[derive(Debug, Subcommand)]
 /// Query tables from database
-pub(crate) enum RoomTimelineCommand {
+pub enum RoomTimelineCommand {
 	Pdus {
 		room_id: OwnedRoomOrAliasId,
 

src/admin/query/sending.rs

@@ -8,7 +8,7 @@ use crate::Context;
 
 #[derive(Debug, Subcommand)]
 /// All the getters and iterators from src/database/key_value/sending.rs
-pub(crate) enum SendingCommand {
+pub enum SendingCommand {
 	/// - Queries database for all `servercurrentevent_data`
 	ActiveRequests,
 

src/admin/query/short.rs

@@ -7,7 +7,7 @@ use crate::{admin_command, admin_command_dispatch};
 #[admin_command_dispatch]
 #[derive(Debug, Subcommand)]
 /// Query tables from database
-pub(crate) enum ShortCommand {
+pub enum ShortCommand {
 	ShortEventId {
 		event_id: OwnedEventId,
 	},

src/admin/query/users.rs

@@ -8,7 +8,7 @@ use crate::{admin_command, admin_command_dispatch};
 #[admin_command_dispatch]
 #[derive(Debug, Subcommand)]
 /// All the getters and iterators from src/database/key_value/users.rs
-pub(crate) enum UsersCommand {
+pub enum UsersCommand {
 	CountUsers,
 
 	IterUsers,

src/admin/room/alias.rs

@@ -8,7 +8,7 @@ use ruma::{OwnedRoomAliasId, OwnedRoomId};
 use crate::Context;
 
 #[derive(Debug, Subcommand)]
-pub(crate) enum RoomAliasCommand {
+pub enum RoomAliasCommand {
 	/// - Make an alias point to a room.
 	Set {
 		#[arg(short, long)]

src/admin/room/directory.rs

@@ -6,7 +6,7 @@ use ruma::OwnedRoomId;
 use crate::{Context, PAGE_SIZE, get_room_info};
 
 #[derive(Debug, Subcommand)]
-pub(crate) enum RoomDirectoryCommand {
+pub enum RoomDirectoryCommand {
 	/// - Publish a room to the room directory
 	Publish {
 		/// The room id of the room to publish

src/admin/room/info.rs

@@ -7,7 +7,7 @@ use crate::{admin_command, admin_command_dispatch};
 
 #[admin_command_dispatch]
 #[derive(Debug, Subcommand)]
-pub(crate) enum RoomInfoCommand {
+pub enum RoomInfoCommand {
 	/// - List joined members in a room
 	ListJoinedMembers {
 		room_id: OwnedRoomId,

src/admin/room/mod.rs

@@ -16,7 +16,7 @@ use crate::admin_command_dispatch;
 
 #[admin_command_dispatch]
 #[derive(Debug, Subcommand)]
-pub(super) enum RoomCommand {
+pub enum RoomCommand {
 	/// - List all rooms the server knows about
 	#[clap(alias = "list")]
 	ListRooms {

src/admin/room/moderation.rs

@@ -1,18 +1,18 @@
 use api::client::leave_room;
 use clap::Subcommand;
 use conduwuit::{
-	Err, Result, debug,
+	Err, Result, debug, info,
 	utils::{IterStream, ReadyExt},
 	warn,
 };
-use futures::StreamExt;
+use futures::{FutureExt, StreamExt};
 use ruma::{OwnedRoomId, OwnedRoomOrAliasId, RoomAliasId, RoomId, RoomOrAliasId};
 
 use crate::{admin_command, admin_command_dispatch, get_room_info};
 
 #[admin_command_dispatch]
 #[derive(Debug, Subcommand)]
-pub(crate) enum RoomModerationCommand {
+pub enum RoomModerationCommand {
 	/// - Bans a room from local users joining and evicts all our local users
 	///   (including server
 	/// admins)
@@ -70,7 +70,6 @@ async fn ban_room(&self, room: OwnedRoomOrAliasId) -> Result {
 		};
 
 		debug!("Room specified is a room ID, banning room ID");
-		self.services.rooms.metadata.ban_room(room_id, true);
 
 		room_id.to_owned()
 	} else if room.is_room_alias_id() {
@@ -90,47 +89,25 @@ async fn ban_room(&self, room: OwnedRoomOrAliasId) -> Result {
 			 locally, if not using get_alias_helper to fetch room ID remotely"
 		);
 
-		let room_id = match self
+		match self
 			.services
 			.rooms
 			.alias
-			.resolve_local_alias(room_alias)
+			.resolve_alias(room_alias, None)
 			.await
 		{
-			| Ok(room_id) => room_id,
-			| _ => {
+			| Ok((room_id, servers)) => {
 				debug!(
-					"We don't have this room alias to a room ID locally, attempting to fetch \
-					 room ID over federation"
+					?room_id,
+					?servers,
+					"Got federation response fetching room ID for room {room}"
 				);
-
-				match self
-					.services
-					.rooms
-					.alias
-					.resolve_alias(room_alias, None)
-					.await
-				{
-					| Ok((room_id, servers)) => {
-						debug!(
-							?room_id,
-							?servers,
-							"Got federation response fetching room ID for {room_id}"
-						);
-						room_id
-					},
-					| Err(e) => {
-						return Err!(
-							"Failed to resolve room alias {room_alias} to a room ID: {e}"
-						);
-					},
-				}
+				room_id
 			},
-		};
-
-		self.services.rooms.metadata.ban_room(&room_id, true);
-
-		room_id
+			| Err(e) => {
+				return Err!("Failed to resolve room alias {room} to a room ID: {e}");
+			},
+		}
 	} else {
 		return Err!(
 			"Room specified is not a room ID or room alias. Please note that this requires a \
@@ -139,7 +116,7 @@ async fn ban_room(&self, room: OwnedRoomOrAliasId) -> Result {
 		);
 	};
 
-	debug!("Making all users leave the room {room_id} and forgetting it");
+	info!("Making all users leave the room {room_id} and forgetting it");
 	let mut users = self
 		.services
 		.rooms
@@ -150,12 +127,15 @@ async fn ban_room(&self, room: OwnedRoomOrAliasId) -> Result {
 		.boxed();
 
 	while let Some(ref user_id) = users.next().await {
-		debug!(
+		info!(
 			"Attempting leave for user {user_id} in room {room_id} (ignoring all errors, \
 			 evicting admins too)",
 		);
 
-		if let Err(e) = leave_room(self.services, user_id, &room_id, None).await {
+		if let Err(e) = leave_room(self.services, user_id, &room_id, None)
+			.boxed()
+			.await
+		{
 			warn!("Failed to leave room: {e}");
 		}
 
@@ -177,10 +157,9 @@ async fn ban_room(&self, room: OwnedRoomOrAliasId) -> Result {
 		})
 		.await;
 
-	// unpublish from room directory
-	self.services.rooms.directory.set_not_public(&room_id);
-
-	self.services.rooms.metadata.disable_room(&room_id, true);
+	self.services.rooms.directory.set_not_public(&room_id); // remove from the room directory
+	self.services.rooms.metadata.ban_room(&room_id, true); // prevent further joins
+	self.services.rooms.metadata.disable_room(&room_id, true); // disable federation
 
 	self.write_str(
 		"Room banned, removed all our local users, and disabled incoming federation with room.",
@@ -302,8 +281,6 @@ async fn ban_list_of_rooms(&self) -> Result {
 	}
 
 	for room_id in room_ids {
-		self.services.rooms.metadata.ban_room(&room_id, true);
-
 		debug!("Banned {room_id} successfully");
 		room_ban_count = room_ban_count.saturating_add(1);
 
@@ -323,7 +300,10 @@ async fn ban_list_of_rooms(&self) -> Result {
 				 evicting admins too)",
 			);
 
-			if let Err(e) = leave_room(self.services, user_id, &room_id, None).await {
+			if let Err(e) = leave_room(self.services, user_id, &room_id, None)
+				.boxed()
+				.await
+			{
 				warn!("Failed to leave room: {e}");
 			}
 
@@ -346,9 +326,9 @@ async fn ban_list_of_rooms(&self) -> Result {
 			})
 			.await;
 
+		self.services.rooms.metadata.ban_room(&room_id, true);
 		// unpublish from room directory, ignore errors
 		self.services.rooms.directory.set_not_public(&room_id);
-
 		self.services.rooms.metadata.disable_room(&room_id, true);
 	}
 

src/admin/server/mod.rs

@@ -9,7 +9,7 @@ use crate::admin_command_dispatch;
 
 #[admin_command_dispatch]
 #[derive(Debug, Subcommand)]
-pub(super) enum ServerCommand {
+pub enum ServerCommand {
 	/// - Time elapsed since startup
 	Uptime,
 

src/admin/user/commands.rs

@@ -1,14 +1,16 @@
 use std::{collections::BTreeMap, fmt::Write as _};
 
-use api::client::{full_user_deactivate, join_room_by_id_helper, leave_room};
+use api::client::{
+	full_user_deactivate, join_room_by_id_helper, leave_all_rooms, leave_room, update_avatar_url,
+	update_displayname,
+};
 use conduwuit::{
 	Err, Result, debug, debug_warn, error, info, is_equal_to,
-	matrix::pdu::PduBuilder,
+	matrix::{Event, pdu::PduBuilder},
 	utils::{self, ReadyExt},
 	warn,
 };
-use conduwuit_api::client::{leave_all_rooms, update_avatar_url, update_displayname};
-use futures::StreamExt;
+use futures::{FutureExt, StreamExt};
 use ruma::{
 	OwnedEventId, OwnedRoomId, OwnedRoomOrAliasId, OwnedUserId, UserId,
 	events::{
@@ -224,6 +226,47 @@ pub(super) async fn deactivate(&self, no_leave_rooms: bool, user_id: String) ->
 		.await
 }
 
+#[admin_command]
+pub(super) async fn suspend(&self, user_id: String) -> Result {
+	let user_id = parse_local_user_id(self.services, &user_id)?;
+
+	if user_id == self.services.globals.server_user {
+		return Err!("Not allowed to suspend the server service account.",);
+	}
+
+	if !self.services.users.exists(&user_id).await {
+		return Err!("User {user_id} does not exist.");
+	}
+	if self.services.users.is_admin(&user_id).await {
+		return Err!("Admin users cannot be suspended.");
+	}
+	// TODO: Record the actual user that sent the suspension where possible
+	self.services
+		.users
+		.suspend_account(&user_id, self.sender_or_service_user())
+		.await;
+
+	self.write_str(&format!("User {user_id} has been suspended."))
+		.await
+}
+
+#[admin_command]
+pub(super) async fn unsuspend(&self, user_id: String) -> Result {
+	let user_id = parse_local_user_id(self.services, &user_id)?;
+
+	if user_id == self.services.globals.server_user {
+		return Err!("Not allowed to unsuspend the server service account.",);
+	}
+
+	if !self.services.users.exists(&user_id).await {
+		return Err!("User {user_id} does not exist.");
+	}
+	self.services.users.unsuspend_account(&user_id).await;
+
+	self.write_str(&format!("User {user_id} has been unsuspended."))
+		.await
+}
+
 #[admin_command]
 pub(super) async fn reset_password(&self, username: String, password: Option<String>) -> Result {
 	let user_id = parse_local_user_id(self.services, &username)?;
@@ -243,8 +286,9 @@ pub(super) async fn reset_password(&self, username: String, password: Option<Str
 		.set_password(&user_id, Some(new_password.as_str()))
 	{
 		| Err(e) => return Err!("Couldn't reset the password for user {user_id}: {e}"),
-		| Ok(()) =>
-			write!(self, "Successfully reset the password for user {user_id}: `{new_password}`"),
+		| Ok(()) => {
+			write!(self, "Successfully reset the password for user {user_id}: `{new_password}`")
+		},
 	}
 	.await
 }
@@ -655,7 +699,9 @@ pub(super) async fn force_leave_room(
 		return Err!("{user_id} is not joined in the room");
 	}
 
-	leave_room(self.services, &user_id, &room_id, None).await?;
+	leave_room(self.services, &user_id, &room_id, None)
+		.boxed()
+		.await?;
 
 	self.write_str(&format!("{user_id} has left {room_id}.",))
 		.await
@@ -692,7 +738,7 @@ pub(super) async fn force_demote(&self, user_id: String, room_id: OwnedRoomOrAli
 		.state_accessor
 		.room_state_get(&room_id, &StateEventType::RoomCreate, "")
 		.await
-		.is_ok_and(|event| event.sender == user_id);
+		.is_ok_and(|event| event.sender() == user_id);
 
 	if !user_can_demote_self {
 		return Err!("User is not allowed to modify their own power levels in the room.",);
@@ -843,10 +889,7 @@ pub(super) async fn redact_event(&self, event_id: OwnedEventId) -> Result {
 		return Err!("Event is already redacted.");
 	}
 
-	let room_id = event.room_id;
-	let sender_user = event.sender;
-
-	if !self.services.globals.user_is_local(&sender_user) {
+	if !self.services.globals.user_is_local(event.sender()) {
 		return Err!("This command only works on local users.");
 	}
 
@@ -856,21 +899,21 @@ pub(super) async fn redact_event(&self, event_id: OwnedEventId) -> Result {
 	);
 
 	let redaction_event_id = {
-		let state_lock = self.services.rooms.state.mutex.lock(&room_id).await;
+		let state_lock = self.services.rooms.state.mutex.lock(event.room_id()).await;
 
 		self.services
 			.rooms
 			.timeline
 			.build_and_append_pdu(
 				PduBuilder {
-					redacts: Some(event.event_id.clone()),
+					redacts: Some(event.event_id().to_owned()),
 					..PduBuilder::timeline(&RoomRedactionEventContent {
-						redacts: Some(event.event_id.clone()),
+						redacts: Some(event.event_id().to_owned()),
 						reason: Some(reason),
 					})
 				},
-				&sender_user,
-				&room_id,
+				event.sender(),
+				event.room_id(),
 				&state_lock,
 			)
 			.await?

src/admin/user/mod.rs

@@ -8,7 +8,7 @@ use crate::admin_command_dispatch;
 
 #[admin_command_dispatch]
 #[derive(Debug, Subcommand)]
-pub(super) enum UserCommand {
+pub enum UserCommand {
 	/// - Create a new user
 	#[clap(alias = "create")]
 	CreateUser {
@@ -59,6 +59,28 @@ pub(super) enum UserCommand {
 		force: bool,
 	},
 
+	/// - Suspend a user
+	///
+	/// Suspended users are able to log in, sync, and read messages, but are not
+	/// able to send events nor redact them, cannot change their profile, and
+	/// are unable to join, invite to, or knock on rooms.
+	///
+	/// Suspended users can still leave rooms and deactivate their account.
+	/// Suspending them effectively makes them read-only.
+	Suspend {
+		/// Username of the user to suspend
+		user_id: String,
+	},
+
+	/// - Unsuspend a user
+	///
+	/// Reverses the effects of the `suspend` command, allowing the user to send
+	/// messages, change their profile, create room invites, etc.
+	Unsuspend {
+		/// Username of the user to unsuspend
+		user_id: String,
+	},
+
 	/// - List local users in the database
 	#[clap(alias = "list")]
 	ListUsers,

src/api/client/account.rs

@@ -3,10 +3,9 @@ use std::fmt::Write;
 use axum::extract::State;
 use axum_client_ip::InsecureClientIp;
 use conduwuit::{
-	Err, Error, Result, debug_info, err, error, info, is_equal_to,
+	Err, Error, Event, Result, debug_info, err, error, info, is_equal_to,
 	matrix::pdu::PduBuilder,
-	utils,
-	utils::{ReadyExt, stream::BroadbandExt},
+	utils::{self, ReadyExt, stream::BroadbandExt},
 	warn,
 };
 use conduwuit_service::Services;
@@ -151,16 +150,32 @@ pub(crate) async fn register_route(
 	if !services.config.allow_registration && body.appservice_info.is_none() {
 		match (body.username.as_ref(), body.initial_device_display_name.as_ref()) {
 			| (Some(username), Some(device_display_name)) => {
-				info!(%is_guest, user = %username, device_name = %device_display_name, "Rejecting registration attempt as registration is disabled");
+				info!(
+					%is_guest,
+					user = %username,
+					device_name = %device_display_name,
+					"Rejecting registration attempt as registration is disabled"
+				);
 			},
 			| (Some(username), _) => {
-				info!(%is_guest, user = %username, "Rejecting registration attempt as registration is disabled");
+				info!(
+					%is_guest,
+					user = %username,
+					"Rejecting registration attempt as registration is disabled"
+				);
 			},
 			| (_, Some(device_display_name)) => {
-				info!(%is_guest, device_name = %device_display_name, "Rejecting registration attempt as registration is disabled");
+				info!(
+					%is_guest,
+					device_name = %device_display_name,
+					"Rejecting registration attempt as registration is disabled"
+				);
 			},
 			| (None, _) => {
-				info!(%is_guest, "Rejecting registration attempt as registration is disabled");
+				info!(
+					%is_guest,
+					"Rejecting registration attempt as registration is disabled"
+				);
 			},
 		}
 
@@ -351,8 +366,7 @@ pub(crate) async fn register_route(
 	if !services.globals.new_user_displayname_suffix().is_empty()
 		&& body.appservice_info.is_none()
 	{
-		write!(displayname, " {}", services.server.config.new_user_displayname_suffix)
-			.expect("should be able to write to string buffer");
+		write!(displayname, " {}", services.server.config.new_user_displayname_suffix)?;
 	}
 
 	services
@@ -370,8 +384,7 @@ pub(crate) async fn register_route(
 				content: ruma::events::push_rules::PushRulesEventContent {
 					global: push::Ruleset::server_default(&user_id),
 				},
-			})
-			.expect("to json always works"),
+			})?,
 		)
 		.await?;
 
@@ -416,32 +429,21 @@ pub(crate) async fn register_route(
 	// log in conduit admin channel if a non-guest user registered
 	if body.appservice_info.is_none() && !is_guest {
 		if !device_display_name.is_empty() {
-			info!(
-				"New user \"{user_id}\" registered on this server with device display name: \
-				 \"{device_display_name}\""
+			let notice = format!(
+				"New user \"{user_id}\" registered on this server from IP {client} and device \
+				 display name \"{device_display_name}\""
 			);
 
+			info!("{notice}");
 			if services.server.config.admin_room_notices {
-				services
-					.admin
-					.send_message(RoomMessageEventContent::notice_plain(format!(
-						"New user \"{user_id}\" registered on this server from IP {client} and \
-						 device display name \"{device_display_name}\""
-					)))
-					.await
-					.ok();
+				services.admin.notice(&notice).await;
 			}
 		} else {
-			info!("New user \"{user_id}\" registered on this server.");
+			let notice = format!("New user \"{user_id}\" registered on this server.");
 
+			info!("{notice}");
 			if services.server.config.admin_room_notices {
-				services
-					.admin
-					.send_message(RoomMessageEventContent::notice_plain(format!(
-						"New user \"{user_id}\" registered on this server from IP {client}"
-					)))
-					.await
-					.ok();
+				services.admin.notice(&notice).await;
 			}
 		}
 	}
@@ -454,24 +456,22 @@ pub(crate) async fn register_route(
 			if services.server.config.admin_room_notices {
 				services
 					.admin
-					.send_message(RoomMessageEventContent::notice_plain(format!(
+					.notice(&format!(
 						"Guest user \"{user_id}\" with device display name \
 						 \"{device_display_name}\" registered on this server from IP {client}"
-					)))
-					.await
-					.ok();
+					))
+					.await;
 			}
 		} else {
 			#[allow(clippy::collapsible_else_if)]
 			if services.server.config.admin_room_notices {
 				services
 					.admin
-					.send_message(RoomMessageEventContent::notice_plain(format!(
+					.notice(&format!(
 						"Guest user \"{user_id}\" with no device display name registered on \
 						 this server from IP {client}",
-					)))
-					.await
-					.ok();
+					))
+					.await;
 			}
 		}
 	}
@@ -490,6 +490,25 @@ pub(crate) async fn register_route(
 			{
 				services.admin.make_user_admin(&user_id).await?;
 				warn!("Granting {user_id} admin privileges as the first user");
+			} else if services.config.suspend_on_register {
+				// This is not an admin, suspend them.
+				// Note that we can still do auto joins for suspended users
+				services
+					.users
+					.suspend_account(&user_id, &services.globals.server_user)
+					.await;
+				// And send an @room notice to the admin room, to prompt admins to review the
+				// new user and ideally unsuspend them if deemed appropriate.
+				if services.server.config.admin_room_notices {
+					services
+						.admin
+						.send_loud_message(RoomMessageEventContent::text_plain(format!(
+							"User {user_id} has been suspended as they are not the first user \
+							 on this server. Please review and unsuspend them if appropriate."
+						)))
+						.await
+						.ok();
+				}
 			}
 		}
 	}
@@ -584,7 +603,6 @@ pub(crate) async fn change_password_route(
 		.sender_user
 		.as_ref()
 		.ok_or_else(|| err!(Request(MissingToken("Missing access token."))))?;
-	let sender_device = body.sender_device();
 
 	let mut uiaainfo = UiaaInfo {
 		flows: vec![AuthFlow { stages: vec![AuthType::Password] }],
@@ -598,7 +616,7 @@ pub(crate) async fn change_password_route(
 		| Some(auth) => {
 			let (worked, uiaainfo) = services
 				.uiaa
-				.try_auth(sender_user, sender_device, auth, &uiaainfo)
+				.try_auth(sender_user, body.sender_device(), auth, &uiaainfo)
 				.await?;
 
 			if !worked {
@@ -612,7 +630,7 @@ pub(crate) async fn change_password_route(
 				uiaainfo.session = Some(utils::random_string(SESSION_ID_LENGTH));
 				services
 					.uiaa
-					.create(sender_user, sender_device, &uiaainfo, json);
+					.create(sender_user, body.sender_device(), &uiaainfo, json);
 
 				return Err(Error::Uiaa(uiaainfo));
 			},
@@ -631,7 +649,7 @@ pub(crate) async fn change_password_route(
 		services
 			.users
 			.all_device_ids(sender_user)
-			.ready_filter(|id| *id != sender_device)
+			.ready_filter(|id| *id != body.sender_device())
 			.for_each(|id| services.users.remove_device(sender_user, id))
 			.await;
 
@@ -640,17 +658,17 @@ pub(crate) async fn change_password_route(
 			.pusher
 			.get_pushkeys(sender_user)
 			.map(ToOwned::to_owned)
-			.broad_filter_map(|pushkey| async move {
+			.broad_filter_map(async |pushkey| {
 				services
 					.pusher
 					.get_pusher_device(&pushkey)
 					.await
 					.ok()
-					.filter(|pusher_device| pusher_device != sender_device)
+					.filter(|pusher_device| pusher_device != body.sender_device())
 					.is_some()
 					.then_some(pushkey)
 			})
-			.for_each(|pushkey| async move {
+			.for_each(async |pushkey| {
 				services.pusher.delete_pusher(sender_user, &pushkey).await;
 			})
 			.await;
@@ -661,11 +679,8 @@ pub(crate) async fn change_password_route(
 	if services.server.config.admin_room_notices {
 		services
 			.admin
-			.send_message(RoomMessageEventContent::notice_plain(format!(
-				"User {sender_user} changed their password."
-			)))
-			.await
-			.ok();
+			.notice(&format!("User {sender_user} changed their password."))
+			.await;
 	}
 
 	Ok(change_password::v3::Response {})
@@ -680,13 +695,10 @@ pub(crate) async fn whoami_route(
 	State(services): State<crate::State>,
 	body: Ruma<whoami::v3::Request>,
 ) -> Result<whoami::v3::Response> {
-	let sender_user = body.sender_user.as_ref().expect("user is authenticated");
-	let device_id = body.sender_device.clone();
-
 	Ok(whoami::v3::Response {
-		user_id: sender_user.clone(),
-		device_id,
-		is_guest: services.users.is_deactivated(sender_user).await?
+		user_id: body.sender_user().to_owned(),
+		device_id: body.sender_device.clone(),
+		is_guest: services.users.is_deactivated(body.sender_user()).await?
 			&& body.appservice_info.is_none(),
 	})
 }
@@ -714,7 +726,6 @@ pub(crate) async fn deactivate_route(
 		.sender_user
 		.as_ref()
 		.ok_or_else(|| err!(Request(MissingToken("Missing access token."))))?;
-	let sender_device = body.sender_device();
 
 	let mut uiaainfo = UiaaInfo {
 		flows: vec![AuthFlow { stages: vec![AuthType::Password] }],
@@ -728,7 +739,7 @@ pub(crate) async fn deactivate_route(
 		| Some(auth) => {
 			let (worked, uiaainfo) = services
 				.uiaa
-				.try_auth(sender_user, sender_device, auth, &uiaainfo)
+				.try_auth(sender_user, body.sender_device(), auth, &uiaainfo)
 				.await?;
 
 			if !worked {
@@ -741,7 +752,7 @@ pub(crate) async fn deactivate_route(
 				uiaainfo.session = Some(utils::random_string(SESSION_ID_LENGTH));
 				services
 					.uiaa
-					.create(sender_user, sender_device, &uiaainfo, json);
+					.create(sender_user, body.sender_device(), &uiaainfo, json);
 
 				return Err(Error::Uiaa(uiaainfo));
 			},
@@ -763,18 +774,17 @@ pub(crate) async fn deactivate_route(
 	super::update_displayname(&services, sender_user, None, &all_joined_rooms).await;
 	super::update_avatar_url(&services, sender_user, None, None, &all_joined_rooms).await;
 
-	full_user_deactivate(&services, sender_user, &all_joined_rooms).await?;
+	full_user_deactivate(&services, sender_user, &all_joined_rooms)
+		.boxed()
+		.await?;
 
 	info!("User {sender_user} deactivated their account.");
 
 	if services.server.config.admin_room_notices {
 		services
 			.admin
-			.send_message(RoomMessageEventContent::notice_plain(format!(
-				"User {sender_user} deactivated their account."
-			)))
-			.await
-			.ok();
+			.notice(&format!("User {sender_user} deactivated their account."))
+			.await;
 	}
 
 	Ok(deactivate::v3::Response {
@@ -851,6 +861,7 @@ pub async fn full_user_deactivate(
 	all_joined_rooms: &[OwnedRoomId],
 ) -> Result<()> {
 	services.users.deactivate_account(user_id).await.ok();
+
 	super::update_displayname(services, user_id, None, all_joined_rooms).await;
 	super::update_avatar_url(services, user_id, None, None, all_joined_rooms).await;
 
@@ -887,7 +898,7 @@ pub async fn full_user_deactivate(
 				.state_accessor
 				.room_state_get(room_id, &StateEventType::RoomCreate, "")
 				.await
-				.is_ok_and(|event| event.sender == user_id);
+				.is_ok_and(|event| event.sender() == user_id);
 
 		if user_can_demote_self {
 			let mut power_levels_content = room_power_levels.unwrap_or_default();
@@ -915,7 +926,7 @@ pub async fn full_user_deactivate(
 		}
 	}
 
-	super::leave_all_rooms(services, user_id).await;
+	super::leave_all_rooms(services, user_id).boxed().await;
 
 	Ok(())
 }

src/api/client/alias.rs

@@ -17,7 +17,10 @@ pub(crate) async fn create_alias_route(
 	State(services): State<crate::State>,
 	body: Ruma<create_alias::v3::Request>,
 ) -> Result<create_alias::v3::Response> {
-	let sender_user = body.sender_user.as_ref().expect("user is authenticated");
+	let sender_user = body.sender_user();
+	if services.users.is_suspended(sender_user).await? {
+		return Err!(Request(UserSuspended("You cannot perform this action while suspended.")));
+	}
 
 	services
 		.rooms
@@ -62,7 +65,10 @@ pub(crate) async fn delete_alias_route(
 	State(services): State<crate::State>,
 	body: Ruma<delete_alias::v3::Request>,
 ) -> Result<delete_alias::v3::Response> {
-	let sender_user = body.sender_user.as_ref().expect("user is authenticated");
+	let sender_user = body.sender_user();
+	if services.users.is_suspended(sender_user).await? {
+		return Err!(Request(UserSuspended("You cannot perform this action while suspended.")));
+	}
 
 	services
 		.rooms

src/api/client/backup.rs

@@ -2,8 +2,10 @@ use std::cmp::Ordering;
 
 use axum::extract::State;
 use conduwuit::{Err, Result, err};
+use conduwuit_service::Services;
+use futures::{FutureExt, future::try_join};
 use ruma::{
-	UInt,
+	UInt, UserId,
 	api::client::backup::{
 		add_backup_keys, add_backup_keys_for_room, add_backup_keys_for_session,
 		create_backup_version, delete_backup_keys, delete_backup_keys_for_room,
@@ -58,21 +60,9 @@ pub(crate) async fn get_latest_backup_info_route(
 		.await
 		.map_err(|_| err!(Request(NotFound("Key backup does not exist."))))?;
 
-	Ok(get_latest_backup_info::v3::Response {
-		algorithm,
-		count: (UInt::try_from(
-			services
-				.key_backups
-				.count_keys(body.sender_user(), &version)
-				.await,
-		)
-		.expect("user backup keys count should not be that high")),
-		etag: services
-			.key_backups
-			.get_etag(body.sender_user(), &version)
-			.await,
-		version,
-	})
+	let (count, etag) = get_count_etag(&services, body.sender_user(), &version).await?;
+
+	Ok(get_latest_backup_info::v3::Response { algorithm, count, etag, version })
 }
 
 /// # `GET /_matrix/client/v3/room_keys/version/{version}`
@@ -90,17 +80,12 @@ pub(crate) async fn get_backup_info_route(
 			err!(Request(NotFound("Key backup does not exist at version {:?}", body.version)))
 		})?;
 
+	let (count, etag) = get_count_etag(&services, body.sender_user(), &body.version).await?;
+
 	Ok(get_backup_info::v3::Response {
 		algorithm,
-		count: services
-			.key_backups
-			.count_keys(body.sender_user(), &body.version)
-			.await
-			.try_into()?,
-		etag: services
-			.key_backups
-			.get_etag(body.sender_user(), &body.version)
-			.await,
+		count,
+		etag,
 		version: body.version.clone(),
 	})
 }
@@ -155,17 +140,9 @@ pub(crate) async fn add_backup_keys_route(
 		}
 	}
 
-	Ok(add_backup_keys::v3::Response {
-		count: services
-			.key_backups
-			.count_keys(body.sender_user(), &body.version)
-			.await
-			.try_into()?,
-		etag: services
-			.key_backups
-			.get_etag(body.sender_user(), &body.version)
-			.await,
-	})
+	let (count, etag) = get_count_etag(&services, body.sender_user(), &body.version).await?;
+
+	Ok(add_backup_keys::v3::Response { count, etag })
 }
 
 /// # `PUT /_matrix/client/r0/room_keys/keys/{roomId}`
@@ -198,17 +175,9 @@ pub(crate) async fn add_backup_keys_for_room_route(
 			.await?;
 	}
 
-	Ok(add_backup_keys_for_room::v3::Response {
-		count: services
-			.key_backups
-			.count_keys(body.sender_user(), &body.version)
-			.await
-			.try_into()?,
-		etag: services
-			.key_backups
-			.get_etag(body.sender_user(), &body.version)
-			.await,
-	})
+	let (count, etag) = get_count_etag(&services, body.sender_user(), &body.version).await?;
+
+	Ok(add_backup_keys_for_room::v3::Response { count, etag })
 }
 
 /// # `PUT /_matrix/client/r0/room_keys/keys/{roomId}/{sessionId}`
@@ -306,17 +275,9 @@ pub(crate) async fn add_backup_keys_for_session_route(
 			.await?;
 	}
 
-	Ok(add_backup_keys_for_session::v3::Response {
-		count: services
-			.key_backups
-			.count_keys(body.sender_user(), &body.version)
-			.await
-			.try_into()?,
-		etag: services
-			.key_backups
-			.get_etag(body.sender_user(), &body.version)
-			.await,
-	})
+	let (count, etag) = get_count_etag(&services, body.sender_user(), &body.version).await?;
+
+	Ok(add_backup_keys_for_session::v3::Response { count, etag })
 }
 
 /// # `GET /_matrix/client/r0/room_keys/keys`
@@ -379,17 +340,9 @@ pub(crate) async fn delete_backup_keys_route(
 		.delete_all_keys(body.sender_user(), &body.version)
 		.await;
 
-	Ok(delete_backup_keys::v3::Response {
-		count: services
-			.key_backups
-			.count_keys(body.sender_user(), &body.version)
-			.await
-			.try_into()?,
-		etag: services
-			.key_backups
-			.get_etag(body.sender_user(), &body.version)
-			.await,
-	})
+	let (count, etag) = get_count_etag(&services, body.sender_user(), &body.version).await?;
+
+	Ok(delete_backup_keys::v3::Response { count, etag })
 }
 
 /// # `DELETE /_matrix/client/r0/room_keys/keys/{roomId}`
@@ -404,17 +357,9 @@ pub(crate) async fn delete_backup_keys_for_room_route(
 		.delete_room_keys(body.sender_user(), &body.version, &body.room_id)
 		.await;
 
-	Ok(delete_backup_keys_for_room::v3::Response {
-		count: services
-			.key_backups
-			.count_keys(body.sender_user(), &body.version)
-			.await
-			.try_into()?,
-		etag: services
-			.key_backups
-			.get_etag(body.sender_user(), &body.version)
-			.await,
-	})
+	let (count, etag) = get_count_etag(&services, body.sender_user(), &body.version).await?;
+
+	Ok(delete_backup_keys_for_room::v3::Response { count, etag })
 }
 
 /// # `DELETE /_matrix/client/r0/room_keys/keys/{roomId}/{sessionId}`
@@ -429,15 +374,22 @@ pub(crate) async fn delete_backup_keys_for_session_route(
 		.delete_room_key(body.sender_user(), &body.version, &body.room_id, &body.session_id)
 		.await;
 
-	Ok(delete_backup_keys_for_session::v3::Response {
-		count: services
-			.key_backups
-			.count_keys(body.sender_user(), &body.version)
-			.await
-			.try_into()?,
-		etag: services
-			.key_backups
-			.get_etag(body.sender_user(), &body.version)
-			.await,
-	})
+	let (count, etag) = get_count_etag(&services, body.sender_user(), &body.version).await?;
+
+	Ok(delete_backup_keys_for_session::v3::Response { count, etag })
+}
+
+async fn get_count_etag(
+	services: &Services,
+	sender_user: &UserId,
+	version: &str,
+) -> Result<(UInt, String)> {
+	let count = services
+		.key_backups
+		.count_keys(sender_user, version)
+		.map(TryInto::try_into);
+
+	let etag = services.key_backups.get_etag(sender_user, version).map(Ok);
+
+	Ok(try_join(count, etag).await?)
 }

src/api/client/capabilities.rs

@@ -26,8 +26,8 @@ pub(crate) async fn get_capabilities_route(
 
 	let mut capabilities = Capabilities::default();
 	capabilities.room_versions = RoomVersionsCapability {
-		default: services.server.config.default_room_version.clone(),
 		available,
+		default: services.server.config.default_room_version.clone(),
 	};
 
 	// we do not implement 3PID stuff
@@ -38,16 +38,12 @@ pub(crate) async fn get_capabilities_route(
 	};
 
 	// MSC4133 capability
-	capabilities
-		.set("uk.tcpip.msc4133.profile_fields", json!({"enabled": true}))
-		.expect("this is valid JSON we created");
+	capabilities.set("uk.tcpip.msc4133.profile_fields", json!({"enabled": true}))?;
 
-	capabilities
-		.set(
-			"org.matrix.msc4267.forget_forced_upon_leave",
-			json!({"enabled": services.config.forget_forced_upon_leave}),
-		)
-		.expect("valid JSON we created");
+	capabilities.set(
+		"org.matrix.msc4267.forget_forced_upon_leave",
+		json!({"enabled": services.config.forget_forced_upon_leave}),
+	)?;
 
 	Ok(get_capabilities::v3::Response { capabilities })
 }

src/api/client/context.rs

@@ -1,8 +1,6 @@
 use axum::extract::State;
 use conduwuit::{
-	Err, Result, at, debug_warn, err,
-	matrix::pdu::PduEvent,
-	ref_at,
+	Err, Event, Result, at, debug_warn, err, ref_at,
 	utils::{
 		IterStream,
 		future::TryExtExt,
@@ -111,7 +109,7 @@ pub(crate) async fn get_context_route(
 
 	let lazy_loading_context = lazy_loading::Context {
 		user_id: sender_user,
-		device_id: sender_device,
+		device_id: Some(sender_device),
 		room_id,
 		token: Some(base_count.into_unsigned()),
 		options: Some(&filter.lazy_load_options),
@@ -179,12 +177,12 @@ pub(crate) async fn get_context_route(
 		.broad_filter_map(|event_id: &OwnedEventId| {
 			services.rooms.timeline.get_pdu(event_id.as_ref()).ok()
 		})
-		.map(PduEvent::into_state_event)
+		.map(Event::into_format)
 		.collect()
 		.await;
 
 	Ok(get_context::v3::Response {
-		event: base_event.map(at!(1)).map(PduEvent::into_room_event),
+		event: base_event.map(at!(1)).map(Event::into_format),
 
 		start: events_before
 			.last()
@@ -203,13 +201,13 @@ pub(crate) async fn get_context_route(
 		events_before: events_before
 			.into_iter()
 			.map(at!(1))
-			.map(PduEvent::into_room_event)
+			.map(Event::into_format)
 			.collect(),
 
 		events_after: events_after
 			.into_iter()
 			.map(at!(1))
-			.map(PduEvent::into_room_event)
+			.map(Event::into_format)
 			.collect(),
 
 		state,

src/api/client/device.rs

@@ -21,11 +21,9 @@ pub(crate) async fn get_devices_route(
 	State(services): State<crate::State>,
 	body: Ruma<get_devices::v3::Request>,
 ) -> Result<get_devices::v3::Response> {
-	let sender_user = body.sender_user.as_ref().expect("user is authenticated");
-
 	let devices: Vec<device::Device> = services
 		.users
-		.all_devices_metadata(sender_user)
+		.all_devices_metadata(body.sender_user())
 		.collect()
 		.await;
 
@@ -39,11 +37,9 @@ pub(crate) async fn get_device_route(
 	State(services): State<crate::State>,
 	body: Ruma<get_device::v3::Request>,
 ) -> Result<get_device::v3::Response> {
-	let sender_user = body.sender_user.as_ref().expect("user is authenticated");
-
 	let device = services
 		.users
-		.get_device_metadata(sender_user, &body.body.device_id)
+		.get_device_metadata(body.sender_user(), &body.body.device_id)
 		.await
 		.map_err(|_| err!(Request(NotFound("Device not found."))))?;
 

src/api/client/directory.rs

@@ -1,7 +1,7 @@
 use axum::extract::State;
 use axum_client_ip::InsecureClientIp;
 use conduwuit::{
-	Err, Result, err, info,
+	Err, Event, Result, err, info,
 	utils::{
 		TryFutureExtExt,
 		math::Expected,
@@ -128,6 +128,9 @@ pub(crate) async fn set_room_visibility_route(
 		// Return 404 if the room doesn't exist
 		return Err!(Request(NotFound("Room not found")));
 	}
+	if services.users.is_suspended(sender_user).await? {
+		return Err!(Request(UserSuspended("You cannot perform this action while suspended.")));
+	}
 
 	if services
 		.users
@@ -349,7 +352,7 @@ async fn user_can_publish_room(
 		.room_state_get(room_id, &StateEventType::RoomPowerLevels, "")
 		.await
 	{
-		| Ok(event) => serde_json::from_str(event.content.get())
+		| Ok(event) => serde_json::from_str(event.content().get())
 			.map_err(|_| err!(Database("Invalid event content for m.room.power_levels")))
 			.map(|content: RoomPowerLevelsEventContent| {
 				RoomPowerLevels::from(content)
@@ -362,7 +365,7 @@ async fn user_can_publish_room(
 				.room_state_get(room_id, &StateEventType::RoomCreate, "")
 				.await
 			{
-				| Ok(event) => Ok(event.sender == user_id),
+				| Ok(event) => Ok(event.sender() == user_id),
 				| _ => Err!(Request(Forbidden("User is not allowed to publish this room"))),
 			}
 		},

src/api/client/filter.rs

@@ -13,11 +13,9 @@ pub(crate) async fn get_filter_route(
 	State(services): State<crate::State>,
 	body: Ruma<get_filter::v3::Request>,
 ) -> Result<get_filter::v3::Response> {
-	let sender_user = body.sender_user.as_ref().expect("user is authenticated");
-
 	services
 		.users
-		.get_filter(sender_user, &body.filter_id)
+		.get_filter(body.sender_user(), &body.filter_id)
 		.await
 		.map(get_filter::v3::Response::new)
 		.map_err(|_| err!(Request(NotFound("Filter not found."))))
@@ -30,9 +28,9 @@ pub(crate) async fn create_filter_route(
 	State(services): State<crate::State>,
 	body: Ruma<create_filter::v3::Request>,
 ) -> Result<create_filter::v3::Response> {
-	let sender_user = body.sender_user.as_ref().expect("user is authenticated");
-
-	let filter_id = services.users.create_filter(sender_user, &body.filter);
+	let filter_id = services
+		.users
+		.create_filter(body.sender_user(), &body.filter);
 
 	Ok(create_filter::v3::Response::new(filter_id))
 }

src/api/client/keys.rs

@@ -126,7 +126,7 @@ pub(crate) async fn get_keys_route(
 	State(services): State<crate::State>,
 	body: Ruma<get_keys::v3::Request>,
 ) -> Result<get_keys::v3::Response> {
-	let sender_user = body.sender_user.as_ref().expect("user is authenticated");
+	let sender_user = body.sender_user();
 
 	get_keys_helper(
 		&services,
@@ -157,8 +157,7 @@ pub(crate) async fn upload_signing_keys_route(
 	State(services): State<crate::State>,
 	body: Ruma<upload_signing_keys::v3::Request>,
 ) -> Result<upload_signing_keys::v3::Response> {
-	let sender_user = body.sender_user.as_ref().expect("user is authenticated");
-	let sender_device = body.sender_device.as_ref().expect("user is authenticated");
+	let (sender_user, sender_device) = body.sender();
 
 	// UIAA
 	let mut uiaainfo = UiaaInfo {
@@ -203,12 +202,12 @@ pub(crate) async fn upload_signing_keys_route(
 					}
 					// Success!
 				},
-				| _ => match body.json_body {
+				| _ => match body.json_body.as_ref() {
 					| Some(json) => {
 						uiaainfo.session = Some(utils::random_string(SESSION_ID_LENGTH));
 						services
 							.uiaa
-							.create(sender_user, sender_device, &uiaainfo, &json);
+							.create(sender_user, sender_device, &uiaainfo, json);
 
 						return Err(Error::Uiaa(uiaainfo));
 					},
@@ -373,7 +372,7 @@ pub(crate) async fn get_key_changes_route(
 	State(services): State<crate::State>,
 	body: Ruma<get_key_changes::v3::Request>,
 ) -> Result<get_key_changes::v3::Response> {
-	let sender_user = body.sender_user.as_ref().expect("user is authenticated");
+	let sender_user = body.sender_user();
 
 	let mut device_list_updates = HashSet::new();
 

src/api/client/media.rs

@@ -51,7 +51,10 @@ pub(crate) async fn create_content_route(
 	InsecureClientIp(client): InsecureClientIp,
 	body: Ruma<create_content::v3::Request>,
 ) -> Result<create_content::v3::Response> {
-	let user = body.sender_user.as_ref().expect("user is authenticated");
+	let user = body.sender_user();
+	if services.users.is_suspended(user).await? {
+		return Err!(Request(UserSuspended("You cannot perform this action while suspended.")));
+	}
 
 	let filename = body.filename.as_deref();
 	let content_type = body.content_type.as_deref();
@@ -94,7 +97,7 @@ pub(crate) async fn get_content_thumbnail_route(
 	InsecureClientIp(client): InsecureClientIp,
 	body: Ruma<get_content_thumbnail::v1::Request>,
 ) -> Result<get_content_thumbnail::v1::Response> {
-	let user = body.sender_user.as_ref().expect("user is authenticated");
+	let user = body.sender_user();
 
 	let dim = Dim::from_ruma(body.width, body.height, body.method.clone())?;
 	let mxc = Mxc {
@@ -131,7 +134,7 @@ pub(crate) async fn get_content_route(
 	InsecureClientIp(client): InsecureClientIp,
 	body: Ruma<get_content::v1::Request>,
 ) -> Result<get_content::v1::Response> {
-	let user = body.sender_user.as_ref().expect("user is authenticated");
+	let user = body.sender_user();
 
 	let mxc = Mxc {
 		server_name: &body.server_name,
@@ -167,7 +170,7 @@ pub(crate) async fn get_content_as_filename_route(
 	InsecureClientIp(client): InsecureClientIp,
 	body: Ruma<get_content_as_filename::v1::Request>,
 ) -> Result<get_content_as_filename::v1::Response> {
-	let user = body.sender_user.as_ref().expect("user is authenticated");
+	let user = body.sender_user();
 
 	let mxc = Mxc {
 		server_name: &body.server_name,
@@ -203,7 +206,7 @@ pub(crate) async fn get_media_preview_route(
 	InsecureClientIp(client): InsecureClientIp,
 	body: Ruma<get_media_preview::v1::Request>,
 ) -> Result<get_media_preview::v1::Response> {
-	let sender_user = body.sender_user.as_ref().expect("user is authenticated");
+	let sender_user = body.sender_user();
 
 	let url = &body.url;
 	let url = Url::parse(&body.url).map_err(|e| {

src/api/client/media_legacy.rs

@@ -55,7 +55,7 @@ pub(crate) async fn get_media_preview_legacy_route(
 	InsecureClientIp(client): InsecureClientIp,
 	body: Ruma<get_media_preview::v3::Request>,
 ) -> Result<get_media_preview::v3::Response> {
-	let sender_user = body.sender_user.as_ref().expect("user is authenticated");
+	let sender_user = body.sender_user();
 
 	let url = &body.url;
 	let url = Url::parse(&body.url).map_err(|e| {

src/api/client/membership/ban.rs

@@ -0,0 +1,60 @@
+use axum::extract::State;
+use conduwuit::{Err, Result, matrix::pdu::PduBuilder};
+use ruma::{
+	api::client::membership::ban_user,
+	events::room::member::{MembershipState, RoomMemberEventContent},
+};
+
+use crate::Ruma;
+
+/// # `POST /_matrix/client/r0/rooms/{roomId}/ban`
+///
+/// Tries to send a ban event into the room.
+pub(crate) async fn ban_user_route(
+	State(services): State<crate::State>,
+	body: Ruma<ban_user::v3::Request>,
+) -> Result<ban_user::v3::Response> {
+	let sender_user = body.sender_user();
+
+	if sender_user == body.user_id {
+		return Err!(Request(Forbidden("You cannot ban yourself.")));
+	}
+
+	if services.users.is_suspended(sender_user).await? {
+		return Err!(Request(UserSuspended("You cannot perform this action while suspended.")));
+	}
+
+	let state_lock = services.rooms.state.mutex.lock(&body.room_id).await;
+
+	let current_member_content = services
+		.rooms
+		.state_accessor
+		.get_member(&body.room_id, &body.user_id)
+		.await
+		.unwrap_or_else(|_| RoomMemberEventContent::new(MembershipState::Ban));
+
+	services
+		.rooms
+		.timeline
+		.build_and_append_pdu(
+			PduBuilder::state(body.user_id.to_string(), &RoomMemberEventContent {
+				membership: MembershipState::Ban,
+				reason: body.reason.clone(),
+				displayname: None, // display name may be offensive
+				avatar_url: None,  // avatar may be offensive
+				is_direct: None,
+				join_authorized_via_users_server: None,
+				third_party_invite: None,
+				redact_events: body.redact_events,
+				..current_member_content
+			}),
+			sender_user,
+			&body.room_id,
+			&state_lock,
+		)
+		.await?;
+
+	drop(state_lock);
+
+	Ok(ban_user::v3::Response::new())
+}

src/api/client/membership/forget.rs

@@ -0,0 +1,52 @@
+use axum::extract::State;
+use conduwuit::{Err, Result, is_matching, result::NotFound, utils::FutureBoolExt};
+use futures::pin_mut;
+use ruma::{api::client::membership::forget_room, events::room::member::MembershipState};
+
+use crate::Ruma;
+
+/// # `POST /_matrix/client/v3/rooms/{roomId}/forget`
+///
+/// Forgets about a room.
+///
+/// - If the sender user currently left the room: Stops sender user from
+///   receiving information about the room
+///
+/// Note: Other devices of the user have no way of knowing the room was
+/// forgotten, so this has to be called from every device
+pub(crate) async fn forget_room_route(
+	State(services): State<crate::State>,
+	body: Ruma<forget_room::v3::Request>,
+) -> Result<forget_room::v3::Response> {
+	let user_id = body.sender_user();
+	let room_id = &body.room_id;
+
+	let joined = services.rooms.state_cache.is_joined(user_id, room_id);
+	let knocked = services.rooms.state_cache.is_knocked(user_id, room_id);
+	let invited = services.rooms.state_cache.is_invited(user_id, room_id);
+
+	pin_mut!(joined, knocked, invited);
+	if joined.or(knocked).or(invited).await {
+		return Err!(Request(Unknown("You must leave the room before forgetting it")));
+	}
+
+	let membership = services
+		.rooms
+		.state_accessor
+		.get_member(room_id, user_id)
+		.await;
+
+	if membership.is_not_found() {
+		return Err!(Request(Unknown("No membership event was found, room was never joined")));
+	}
+
+	let non_membership = membership
+		.map(|member| member.membership)
+		.is_ok_and(is_matching!(MembershipState::Leave | MembershipState::Ban));
+
+	if non_membership || services.rooms.state_cache.is_left(user_id, room_id).await {
+		services.rooms.state_cache.forget(room_id, user_id);
+	}
+
+	Ok(forget_room::v3::Response::new())
+}

src/api/client/membership/invite.rs

@@ -0,0 +1,238 @@
+use axum::extract::State;
+use axum_client_ip::InsecureClientIp;
+use conduwuit::{
+	Err, Result, debug_error, err, info,
+	matrix::{event::gen_event_id_canonical_json, pdu::PduBuilder},
+};
+use futures::{FutureExt, join};
+use ruma::{
+	OwnedServerName, RoomId, UserId,
+	api::{client::membership::invite_user, federation::membership::create_invite},
+	events::room::member::{MembershipState, RoomMemberEventContent},
+};
+use service::Services;
+
+use super::banned_room_check;
+use crate::Ruma;
+
+/// # `POST /_matrix/client/r0/rooms/{roomId}/invite`
+///
+/// Tries to send an invite event into the room.
+#[tracing::instrument(skip_all, fields(%client), name = "invite")]
+pub(crate) async fn invite_user_route(
+	State(services): State<crate::State>,
+	InsecureClientIp(client): InsecureClientIp,
+	body: Ruma<invite_user::v3::Request>,
+) -> Result<invite_user::v3::Response> {
+	let sender_user = body.sender_user();
+	if services.users.is_suspended(sender_user).await? {
+		return Err!(Request(UserSuspended("You cannot perform this action while suspended.")));
+	}
+
+	if !services.users.is_admin(sender_user).await && services.config.block_non_admin_invites {
+		debug_error!(
+			"User {sender_user} is not an admin and attempted to send an invite to room {}",
+			&body.room_id
+		);
+		return Err!(Request(Forbidden("Invites are not allowed on this server.")));
+	}
+
+	banned_room_check(
+		&services,
+		sender_user,
+		Some(&body.room_id),
+		body.room_id.server_name(),
+		client,
+	)
+	.await?;
+
+	match &body.recipient {
+		| invite_user::v3::InvitationRecipient::UserId { user_id } => {
+			let sender_ignored_recipient = services.users.user_is_ignored(sender_user, user_id);
+			let recipient_ignored_by_sender =
+				services.users.user_is_ignored(user_id, sender_user);
+
+			let (sender_ignored_recipient, recipient_ignored_by_sender) =
+				join!(sender_ignored_recipient, recipient_ignored_by_sender);
+
+			if sender_ignored_recipient {
+				return Ok(invite_user::v3::Response {});
+			}
+
+			if let Ok(target_user_membership) = services
+				.rooms
+				.state_accessor
+				.get_member(&body.room_id, user_id)
+				.await
+			{
+				if target_user_membership.membership == MembershipState::Ban {
+					return Err!(Request(Forbidden("User is banned from this room.")));
+				}
+			}
+
+			if recipient_ignored_by_sender {
+				// silently drop the invite to the recipient if they've been ignored by the
+				// sender, pretend it worked
+				return Ok(invite_user::v3::Response {});
+			}
+
+			invite_helper(
+				&services,
+				sender_user,
+				user_id,
+				&body.room_id,
+				body.reason.clone(),
+				false,
+			)
+			.boxed()
+			.await?;
+
+			Ok(invite_user::v3::Response {})
+		},
+		| _ => {
+			Err!(Request(NotFound("User not found.")))
+		},
+	}
+}
+
+pub(crate) async fn invite_helper(
+	services: &Services,
+	sender_user: &UserId,
+	user_id: &UserId,
+	room_id: &RoomId,
+	reason: Option<String>,
+	is_direct: bool,
+) -> Result {
+	if !services.users.is_admin(sender_user).await && services.config.block_non_admin_invites {
+		info!(
+			"User {sender_user} is not an admin and attempted to send an invite to room \
+			 {room_id}"
+		);
+		return Err!(Request(Forbidden("Invites are not allowed on this server.")));
+	}
+
+	if !services.globals.user_is_local(user_id) {
+		let (pdu, pdu_json, invite_room_state) = {
+			let state_lock = services.rooms.state.mutex.lock(room_id).await;
+
+			let content = RoomMemberEventContent {
+				avatar_url: services.users.avatar_url(user_id).await.ok(),
+				is_direct: Some(is_direct),
+				reason,
+				..RoomMemberEventContent::new(MembershipState::Invite)
+			};
+
+			let (pdu, pdu_json) = services
+				.rooms
+				.timeline
+				.create_hash_and_sign_event(
+					PduBuilder::state(user_id.to_string(), &content),
+					sender_user,
+					room_id,
+					&state_lock,
+				)
+				.await?;
+
+			let invite_room_state = services.rooms.state.summary_stripped(&pdu).await;
+
+			drop(state_lock);
+
+			(pdu, pdu_json, invite_room_state)
+		};
+
+		let room_version_id = services.rooms.state.get_room_version(room_id).await?;
+
+		let response = services
+			.sending
+			.send_federation_request(user_id.server_name(), create_invite::v2::Request {
+				room_id: room_id.to_owned(),
+				event_id: (*pdu.event_id).to_owned(),
+				room_version: room_version_id.clone(),
+				event: services
+					.sending
+					.convert_to_outgoing_federation_event(pdu_json.clone())
+					.await,
+				invite_room_state,
+				via: services
+					.rooms
+					.state_cache
+					.servers_route_via(room_id)
+					.await
+					.ok(),
+			})
+			.await?;
+
+		// We do not add the event_id field to the pdu here because of signature and
+		// hashes checks
+		let (event_id, value) = gen_event_id_canonical_json(&response.event, &room_version_id)
+			.map_err(|e| {
+				err!(Request(BadJson(warn!("Could not convert event to canonical JSON: {e}"))))
+			})?;
+
+		if pdu.event_id != event_id {
+			return Err!(Request(BadJson(warn!(
+				%pdu.event_id, %event_id,
+				"Server {} sent event with wrong event ID",
+				user_id.server_name()
+			))));
+		}
+
+		let origin: OwnedServerName = serde_json::from_value(serde_json::to_value(
+			value
+				.get("origin")
+				.ok_or_else(|| err!(Request(BadJson("Event missing origin field."))))?,
+		)?)
+		.map_err(|e| {
+			err!(Request(BadJson(warn!("Origin field in event is not a valid server name: {e}"))))
+		})?;
+
+		let pdu_id = services
+			.rooms
+			.event_handler
+			.handle_incoming_pdu(&origin, room_id, &event_id, value, true)
+			.boxed()
+			.await?
+			.ok_or_else(|| {
+				err!(Request(InvalidParam("Could not accept incoming PDU as timeline event.")))
+			})?;
+
+		return services.sending.send_pdu_room(room_id, &pdu_id).await;
+	}
+
+	if !services
+		.rooms
+		.state_cache
+		.is_joined(sender_user, room_id)
+		.await
+	{
+		return Err!(Request(Forbidden(
+			"You must be joined in the room you are trying to invite from."
+		)));
+	}
+
+	let state_lock = services.rooms.state.mutex.lock(room_id).await;
+
+	let content = RoomMemberEventContent {
+		displayname: services.users.displayname(user_id).await.ok(),
+		avatar_url: services.users.avatar_url(user_id).await.ok(),
+		blurhash: services.users.blurhash(user_id).await.ok(),
+		is_direct: Some(is_direct),
+		reason,
+		..RoomMemberEventContent::new(MembershipState::Invite)
+	};
+
+	services
+		.rooms
+		.timeline
+		.build_and_append_pdu(
+			PduBuilder::state(user_id.to_string(), &content),
+			sender_user,
+			room_id,
+			&state_lock,
+		)
+		.await?;
+
+	drop(state_lock);
+
+	Ok(())
+}