docs(docker): Restructure deployment guide and add env var reference

Add Quick Run section with complete getting-started workflow including admin user creation via --execute flag. Consolidate Docker Compose to treat reverse proxy as essential with Traefik/Caddy/nginx examples. Move detailed image building to development guide, keeping deployment docs focused on using pre-built images. Create environment variables reference with practical examples and context. Clarify built-in TLS is for testing only; production should use reverse proxies.
2026-05-26 20:49:55 +00:00 · 2026-02-23 17:57:40 +00:00
34 changed files with 701 additions and 649 deletions
@@ -445,14 +445,13 @@ dependencies = [
 [[package]]
 name = "axum-extra"
-version = "0.12.5"
+version = "0.10.3"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "fef252edff26ddba56bbcdf2ee3307b8129acb86f5749b68990c168a6fcc9c76"
+checksum = "9963ff19f40c6102c76756ef0a46004c0d58957d87259fc9208ff8441c12ab96"
 dependencies = [
 "axum",
 "axum-core",
 "bytes",
 "futures-core",
 "futures-util",
 "headers",
 "http",
@@ -460,6 +459,8 @@ dependencies = [
 "http-body-util",
 "mime",
 "pin-project-lite",
 "rustversion",
 "serde_core",
 "tower-layer",
 "tower-service",
 "tracing",
@@ -1221,7 +1222,7 @@ dependencies = [
 [[package]]
 name = "continuwuity-admin-api"
 version = "0.1.0"
-source = "git+https://forgejo.ellis.link/continuwuation/ruwuma?rev=bb12ed288a31a23aa11b10ba0fad22b7f985eb88#bb12ed288a31a23aa11b10ba0fad22b7f985eb88"
+source = "git+https://forgejo.ellis.link/continuwuation/ruwuma?rev=e087ff15888156942ca2ffe6097d1b4c3fd27628#e087ff15888156942ca2ffe6097d1b4c3fd27628"
 dependencies = [
 "ruma-common",
 "serde",
@@ -1600,7 +1601,7 @@ dependencies = [
 [[package]]
 name = "draupnir-antispam"
 version = "0.1.0"
-source = "git+https://forgejo.ellis.link/continuwuation/ruwuma?rev=bb12ed288a31a23aa11b10ba0fad22b7f985eb88#bb12ed288a31a23aa11b10ba0fad22b7f985eb88"
+source = "git+https://forgejo.ellis.link/continuwuation/ruwuma?rev=e087ff15888156942ca2ffe6097d1b4c3fd27628#e087ff15888156942ca2ffe6097d1b4c3fd27628"
 dependencies = [
 "ruma-common",
 "serde",
@@ -3002,7 +3003,7 @@ checksum = "f8ca58f447f06ed17d5fc4043ce1b10dd205e060fb3ce5b979b8ed8e59ff3f79"
 [[package]]
 name = "meowlnir-antispam"
 version = "0.1.0"
-source = "git+https://forgejo.ellis.link/continuwuation/ruwuma?rev=bb12ed288a31a23aa11b10ba0fad22b7f985eb88#bb12ed288a31a23aa11b10ba0fad22b7f985eb88"
+source = "git+https://forgejo.ellis.link/continuwuation/ruwuma?rev=e087ff15888156942ca2ffe6097d1b4c3fd27628#e087ff15888156942ca2ffe6097d1b4c3fd27628"
 dependencies = [
 "ruma-common",
 "serde",
@@ -4094,7 +4095,7 @@ dependencies = [
 [[package]]
 name = "ruma"
 version = "0.10.1"
-source = "git+https://forgejo.ellis.link/continuwuation/ruwuma?rev=bb12ed288a31a23aa11b10ba0fad22b7f985eb88#bb12ed288a31a23aa11b10ba0fad22b7f985eb88"
+source = "git+https://forgejo.ellis.link/continuwuation/ruwuma?rev=e087ff15888156942ca2ffe6097d1b4c3fd27628#e087ff15888156942ca2ffe6097d1b4c3fd27628"
 dependencies = [
 "assign",
 "continuwuity-admin-api",
@@ -4117,7 +4118,7 @@ dependencies = [
 [[package]]
 name = "ruma-appservice-api"
 version = "0.10.0"
-source = "git+https://forgejo.ellis.link/continuwuation/ruwuma?rev=bb12ed288a31a23aa11b10ba0fad22b7f985eb88#bb12ed288a31a23aa11b10ba0fad22b7f985eb88"
+source = "git+https://forgejo.ellis.link/continuwuation/ruwuma?rev=e087ff15888156942ca2ffe6097d1b4c3fd27628#e087ff15888156942ca2ffe6097d1b4c3fd27628"
 dependencies = [
 "js_int",
 "ruma-common",
@@ -4129,7 +4130,7 @@ dependencies = [
 [[package]]
 name = "ruma-client-api"
 version = "0.18.0"
-source = "git+https://forgejo.ellis.link/continuwuation/ruwuma?rev=bb12ed288a31a23aa11b10ba0fad22b7f985eb88#bb12ed288a31a23aa11b10ba0fad22b7f985eb88"
+source = "git+https://forgejo.ellis.link/continuwuation/ruwuma?rev=e087ff15888156942ca2ffe6097d1b4c3fd27628#e087ff15888156942ca2ffe6097d1b4c3fd27628"
 dependencies = [
 "as_variant",
 "assign",
@@ -4152,7 +4153,7 @@ dependencies = [
 [[package]]
 name = "ruma-common"
 version = "0.13.0"
-source = "git+https://forgejo.ellis.link/continuwuation/ruwuma?rev=bb12ed288a31a23aa11b10ba0fad22b7f985eb88#bb12ed288a31a23aa11b10ba0fad22b7f985eb88"
+source = "git+https://forgejo.ellis.link/continuwuation/ruwuma?rev=e087ff15888156942ca2ffe6097d1b4c3fd27628#e087ff15888156942ca2ffe6097d1b4c3fd27628"
 dependencies = [
 "as_variant",
 "base64 0.22.1",
@@ -4184,7 +4185,7 @@ dependencies = [
 [[package]]
 name = "ruma-events"
 version = "0.28.1"
-source = "git+https://forgejo.ellis.link/continuwuation/ruwuma?rev=bb12ed288a31a23aa11b10ba0fad22b7f985eb88#bb12ed288a31a23aa11b10ba0fad22b7f985eb88"
+source = "git+https://forgejo.ellis.link/continuwuation/ruwuma?rev=e087ff15888156942ca2ffe6097d1b4c3fd27628#e087ff15888156942ca2ffe6097d1b4c3fd27628"
 dependencies = [
 "as_variant",
 "indexmap",
@@ -4209,7 +4210,7 @@ dependencies = [
 [[package]]
 name = "ruma-federation-api"
 version = "0.9.0"
-source = "git+https://forgejo.ellis.link/continuwuation/ruwuma?rev=bb12ed288a31a23aa11b10ba0fad22b7f985eb88#bb12ed288a31a23aa11b10ba0fad22b7f985eb88"
+source = "git+https://forgejo.ellis.link/continuwuation/ruwuma?rev=e087ff15888156942ca2ffe6097d1b4c3fd27628#e087ff15888156942ca2ffe6097d1b4c3fd27628"
 dependencies = [
 "bytes",
 "headers",
@@ -4231,7 +4232,7 @@ dependencies = [
 [[package]]
 name = "ruma-identifiers-validation"
 version = "0.9.5"
-source = "git+https://forgejo.ellis.link/continuwuation/ruwuma?rev=bb12ed288a31a23aa11b10ba0fad22b7f985eb88#bb12ed288a31a23aa11b10ba0fad22b7f985eb88"
+source = "git+https://forgejo.ellis.link/continuwuation/ruwuma?rev=e087ff15888156942ca2ffe6097d1b4c3fd27628#e087ff15888156942ca2ffe6097d1b4c3fd27628"
 dependencies = [
 "js_int",
 "thiserror 2.0.18",
@@ -4240,7 +4241,7 @@ dependencies = [
 [[package]]
 name = "ruma-identity-service-api"
 version = "0.9.0"
-source = "git+https://forgejo.ellis.link/continuwuation/ruwuma?rev=bb12ed288a31a23aa11b10ba0fad22b7f985eb88#bb12ed288a31a23aa11b10ba0fad22b7f985eb88"
+source = "git+https://forgejo.ellis.link/continuwuation/ruwuma?rev=e087ff15888156942ca2ffe6097d1b4c3fd27628#e087ff15888156942ca2ffe6097d1b4c3fd27628"
 dependencies = [
 "js_int",
 "ruma-common",
@@ -4250,7 +4251,7 @@ dependencies = [
 [[package]]
 name = "ruma-macros"
 version = "0.13.0"
-source = "git+https://forgejo.ellis.link/continuwuation/ruwuma?rev=bb12ed288a31a23aa11b10ba0fad22b7f985eb88#bb12ed288a31a23aa11b10ba0fad22b7f985eb88"
+source = "git+https://forgejo.ellis.link/continuwuation/ruwuma?rev=e087ff15888156942ca2ffe6097d1b4c3fd27628#e087ff15888156942ca2ffe6097d1b4c3fd27628"
 dependencies = [
 "cfg-if",
 "proc-macro-crate",
@@ -4265,7 +4266,7 @@ dependencies = [
 [[package]]
 name = "ruma-push-gateway-api"
 version = "0.9.0"
-source = "git+https://forgejo.ellis.link/continuwuation/ruwuma?rev=bb12ed288a31a23aa11b10ba0fad22b7f985eb88#bb12ed288a31a23aa11b10ba0fad22b7f985eb88"
+source = "git+https://forgejo.ellis.link/continuwuation/ruwuma?rev=e087ff15888156942ca2ffe6097d1b4c3fd27628#e087ff15888156942ca2ffe6097d1b4c3fd27628"
 dependencies = [
 "js_int",
 "ruma-common",
@@ -4277,7 +4278,7 @@ dependencies = [
 [[package]]
 name = "ruma-signatures"
 version = "0.15.0"
-source = "git+https://forgejo.ellis.link/continuwuation/ruwuma?rev=bb12ed288a31a23aa11b10ba0fad22b7f985eb88#bb12ed288a31a23aa11b10ba0fad22b7f985eb88"
+source = "git+https://forgejo.ellis.link/continuwuation/ruwuma?rev=e087ff15888156942ca2ffe6097d1b4c3fd27628#e087ff15888156942ca2ffe6097d1b4c3fd27628"
 dependencies = [
 "base64 0.22.1",
 "ed25519-dalek",
@@ -97,7 +97,7 @@ features = [
 ]
 [workspace.dependencies.axum-extra]
-version = "0.12.0"
+version = "0.10.1"
 default-features = false
 features = ["typed-header", "tracing"]
@@ -343,7 +343,7 @@ version = "0.1.2"
 [workspace.dependencies.ruma]
 git = "https://forgejo.ellis.link/continuwuation/ruwuma"
 #branch = "conduwuit-changes"
-rev = "bb12ed288a31a23aa11b10ba0fad22b7f985eb88"
+rev = "e087ff15888156942ca2ffe6097d1b4c3fd27628"
 features = [
    "compat",
    "rand",
@@ -363,7 +363,6 @@ features = [
    "unstable-msc2870",
    "unstable-msc3026",
    "unstable-msc3061",
    "unstable-msc3814",
    "unstable-msc3245",
    "unstable-msc3266",
    "unstable-msc3381", # polls
@@ -382,7 +381,6 @@ features = [
    "unstable-pdu",
    "unstable-msc4155",
    "unstable-msc4143", # livekit well_known response
    "unstable-msc4284"
 ]
 [workspace.dependencies.rust-rocksdb]
@@ -1 +0,0 @@
 Added MSC3814 Dehydrated Devices - you can now decrypt messages sent while all devices were logged out.
@@ -1 +0,0 @@
 Removed the `allow_public_room_directory_without_auth` config option. Contributed by @0xnim.
@@ -1 +0,0 @@
 Implement MSC4143 MatrixRTC transport discovery endpoint. Move RTC foci configuration from `[global.well_known]` to a new `[global.matrix_rtc]` section with a `foci` field. Contributed by @0xnim
@@ -1 +0,0 @@
 Fixed sliding sync v5 list ranges always starting from 0, causing extra rooms to be unnecessarily processed and returned. Contributed by @0xnim
@@ -1 +0,0 @@
 BREAKING: Added an entrypoint to the Docker image. This means you no longer need to specify the binary when running a command using the image. Contributed by @Jade
@@ -9,6 +9,7 @@ address = "0.0.0.0"
 allow_device_name_federation = true
 allow_guest_registration = true
 allow_public_room_directory_over_federation = true
 allow_public_room_directory_without_auth = true
 allow_registration = true
 database_path = "/database"
 log = "trace,h2=debug,hyper=debug"
@@ -546,6 +546,12 @@
 #
 #allow_public_room_directory_over_federation = false
 # Set this to true to allow your server's public room directory to be
 # queried without client authentication (access token) through the Client
 # APIs. Set this to false to protect against /publicRooms spiders.
 #
 #allow_public_room_directory_without_auth = false
 # Allow guests/unauthenticated users to access TURN credentials.
 #
 # This is the equivalent of Synapse's `turn_allow_guests` config option.
@@ -1844,13 +1850,14 @@
 #
 #support_mxid =
 # **DEPRECATED**: Use `[global.matrix_rtc].foci` instead.
 #
 # A list of MatrixRTC foci URLs which will be served as part of the
-# MSC4143 client endpoint at /.well-known/matrix/client.
+# MSC4143 client endpoint at /.well-known/matrix/client.  If you're
 # setting up livekit, you'd want something like:
 # rtc_focus_server_urls = [
 #     { type = "livekit", livekit_service_url = "https://livekit.example.com" },
 # ]
 #
-# This option is deprecated and will be removed in a future release.
+# To disable, set this to be an empty vector (`[]`).
 # Please migrate to the new `[global.matrix_rtc]` config section.
 #
 #rtc_focus_server_urls = []
@@ -1872,23 +1879,6 @@
 #
 #blurhash_max_raw_size = 33554432
 [global.matrix_rtc]
 # A list of MatrixRTC foci (transports) which will be served via the
 # MSC4143 RTC transports endpoint at
 # `/_matrix/client/v1/rtc/transports`. If you're setting up livekit,
 # you'd want something like:
 # ```toml
 # [global.matrix_rtc]
 # foci = [
 #     { type = "livekit", livekit_service_url = "https://livekit.example.com" },
 # ]
 # ```
 #
 # To disable, set this to an empty list (`[]`).
 #
 #foci = []
 [global.ldap]
 # Whether to enable LDAP login.
@@ -180,11 +180,6 @@ RUN --mount=type=cache,target=/usr/local/cargo/registry \
        export RUSTFLAGS="${RUSTFLAGS}"
    fi
    RUST_PROFILE_DIR="${RUST_PROFILE}"
    if [[ "${RUST_PROFILE}" == "dev" ]]; then
        RUST_PROFILE_DIR="debug"
    fi
    TARGET_DIR=($(cargo metadata --no-deps --format-version 1 | \
            jq -r ".target_directory"))
    mkdir /out/sbin
@@ -196,8 +191,8 @@ RUN --mount=type=cache,target=/usr/local/cargo/registry \
        jq -r ".packages[] | select(.name == \"$PACKAGE\") | .targets[] | select( .kind | map(. == \"bin\") | any ) | .name"))
    for BINARY in "${BINARIES[@]}"; do
        echo $BINARY
-        xx-verify $TARGET_DIR/$(xx-cargo --print-target-triple)/${RUST_PROFILE_DIR}/$BINARY
+        xx-verify $TARGET_DIR/$(xx-cargo --print-target-triple)/${RUST_PROFILE}/$BINARY
-        cp $TARGET_DIR/$(xx-cargo --print-target-triple)/${RUST_PROFILE_DIR}/$BINARY /out/sbin/$BINARY
+        cp $TARGET_DIR/$(xx-cargo --print-target-triple)/${RUST_PROFILE}/$BINARY /out/sbin/$BINARY
    done
 EOF
@@ -281,5 +276,4 @@ ENV LD_LIBRARY_PATH=/usr/lib
 # Continuwuity default port
 EXPOSE 8008
 ENTRYPOINT [ "/sbin/conduwuit" ]
 CMD ["/sbin/conduwuit"]
@@ -64,6 +64,11 @@
        "label": "Configuration Reference",
        "name": "/reference/config"
    },
    {
        "type": "file",
        "label": "Environment Variables",
        "name": "/reference/environment-variables"
    },
    {
        "type": "dir",
        "label": "Admin Command Reference",
@@ -78,19 +78,47 @@ You will need to allow ports `7881/tcp` and `50100:50200/udp` through your firew
 ### 3. Telling clients where to find LiveKit
-To tell clients where to find LiveKit, you need to add the address of your `lk-jwt-service` to the `[global.matrix_rtc]` config section using the `foci` option.
+To tell clients where to find LiveKit, you need to add the address of your `lk-jwt-service` to your client .well-known file. To do so, in the config section `global.well-known`, add (or modify) the option `rtc_focus_server_urls`.
-The variable should be a list of servers serving as MatrixRTC endpoints. Clients discover these via the `/_matrix/client/v1/rtc/transports` endpoint (MSC4143).
+The variable should be a list of servers serving as MatrixRTC endpoints to serve in the well-known file to the client.
 ```toml
-[global.matrix_rtc]
+rtc_focus_server_urls = [
 foci = [
    { type = "livekit", livekit_service_url = "https://livekit.example.com" },
 ]
 ```
 Remember to replace the URL with the address you are deploying your instance of lk-jwt-service to.
 #### Serving .well-known manually
 If you don't let Continuwuity serve your `.well-known` files, you need to add the following lines to your `.well-known/matrix/client` file, remembering to replace the URL with your own `lk-jwt-service` deployment:
 ```json
  "org.matrix.msc4143.rtc_foci": [
    {
      "type": "livekit",
      "livekit_service_url": "https://livekit.example.com"
    }
  ]
 ```
 The final file should look something like this:
 ```json
 {
  "m.homeserver": {
    "base_url":"https://matrix.example.com"
  },
  "org.matrix.msc4143.rtc_foci": [
    {
      "type": "livekit",
      "livekit_service_url": "https://livekit.example.com"
    }
  ]
 }
 ```
 ### 4. Configure your Reverse Proxy
 Reverse proxies can be configured in many different ways - so we can't provide a step by step for this.
@@ -8,7 +8,6 @@ services:
    restart: unless-stopped
    volumes:
      - db:/var/lib/continuwuity
      - /etc/resolv.conf:/etc/resolv.conf:ro # Use the host's DNS resolver rather than Docker's.
      #- ./continuwuity.toml:/etc/continuwuity.toml
    networks:
      - proxy
@@ -2,28 +2,26 @@
 ## Docker
-To run Continuwuity with Docker, you can either build the image yourself or pull it
+To run Continuwuity with Docker, you can either build the image yourself or pull
-from a registry.
+it from a registry.
 ### Use a registry
-OCI images for Continuwuity are available in the registries listed below.
+Available OCI images:
-| Registry        | Image                                                           | Notes                  |
+| Registry         | Image                                                                                                                                                       | Notes                                                                        |
-| --------------- | --------------------------------------------------------------- | -----------------------|
+| ---------------- | ----------------------------------------------------------------------------------------------------------------------------------------------------------- | ---------------------------------------------------------------------------- |
-| Forgejo Registry| [forgejo.ellis.link/continuwuation/continuwuity:latest](https://forgejo.ellis.link/continuwuation/-/packages/container/continuwuity/latest)     | Latest tagged image.   |
+| Forgejo Registry | [forgejo.ellis.link/continuwuation/continuwuity:latest](https://forgejo.ellis.link/continuwuation/-/packages/container/continuwuity/latest)                 | Latest tagged image.                                                         |
-| Forgejo Registry| [forgejo.ellis.link/continuwuation/continuwuity:main](https://forgejo.ellis.link/continuwuation/-/packages/container/continuwuity/main)       | Main branch image.     |
+| Forgejo Registry | [forgejo.ellis.link/continuwuation/continuwuity:main](https://forgejo.ellis.link/continuwuation/-/packages/container/continuwuity/main)                     | Main branch image.                                                           |
-| Forgejo Registry| [forgejo.ellis.link/continuwuation/continuwuity:latest-maxperf](https://forgejo.ellis.link/continuwuation/-/packages/container/continuwuity/latest-maxperf) | [Performance optimised version.](./generic.mdx#performance-optimised-builds) |
+| Forgejo Registry | [forgejo.ellis.link/continuwuation/continuwuity:latest-maxperf](https://forgejo.ellis.link/continuwuation/-/packages/container/continuwuity/latest-maxperf) | [Performance optimised version.](./generic.mdx#performance-optimised-builds) |
-| Forgejo Registry| [forgejo.ellis.link/continuwuation/continuwuity:main-maxperf](https://forgejo.ellis.link/continuwuation/-/packages/container/continuwuity/main-maxperf)   | [Performance optimised version.](./generic.mdx#performance-optimised-builds) |
+| Forgejo Registry | [forgejo.ellis.link/continuwuation/continuwuity:main-maxperf](https://forgejo.ellis.link/continuwuation/-/packages/container/continuwuity/main-maxperf)     | [Performance optimised version.](./generic.mdx#performance-optimised-builds) |
-Use
+**Example:**
 ```bash
-docker image pull $LINK
+docker image pull forgejo.ellis.link/continuwuation/continuwuity:main-maxperf
 ```
 to pull it to your machine.
 #### Mirrors
 Images are mirrored to multiple locations automatically, on a schedule:
@@ -33,39 +31,146 @@ Images are mirrored to multiple locations automatically, on a schedule:
 - `registry.gitlab.com/continuwuity/continuwuity`
 - `git.nexy7574.co.uk/mirrored/continuwuity` (releases only, no `main`)
-### Run
+### Quick Run
-When you have the image, you can simply run it with
+Get a working Continuwuity server with an admin user in four steps:
 #### Prerequisites
 Continuwuity requires HTTPS for Matrix federation. You'll need:
 - A domain name pointing to your server
 - A reverse proxy with SSL/TLS certificates (Traefik, Caddy, nginx, etc.)
 See [Docker Compose](#docker-compose) for complete examples.
 #### Environment Variables
 - `CONTINUWUITY_SERVER_NAME` - Your Matrix server's domain name
 - `CONTINUWUITY_DATABASE_PATH` - Where to store your database (must match the
  volume mount)
 - `CONTINUWUITY_ADDRESS` - Bind address (use `0.0.0.0` to listen on all
  interfaces)
 - `CONTINUWUITY_ALLOW_REGISTRATION` - Set to `false` to disable registration, or
  use with `CONTINUWUITY_REGISTRATION_TOKEN` to require a token (see
  [reference](../reference/environment-variables.mdx#registration--user-configuration)
  for details)
 See the
 [Environment Variables Reference](../reference/environment-variables.mdx) for
 more configuration options.
 #### 1. Pull the image
 ```bash
-docker run -d -p 8448:6167 \
+docker pull forgejo.ellis.link/continuwuation/continuwuity:latest
    -v db:/var/lib/continuwuity/ \
    -e CONTINUWUITY_SERVER_NAME="your.server.name" \
    -e CONTINUWUITY_ALLOW_REGISTRATION=false \
    --name continuwuity $LINK
 ```
-or you can use [Docker Compose](#docker-compose).
+#### 2. Start the server with initial admin user
-The `-d` flag lets the container run in detached mode. You may supply an
+```bash
-optional `continuwuity.toml` config file, the example config can be found
+docker run -d \
-[here](../reference/config.mdx). You can pass in different env vars to
+  -p 6167:6167 \
-change config values on the fly. You can even configure Continuwuity completely by
+  -v continuwuity_db:/var/lib/continuwuity \
-using env vars. For an overview of possible values, please take a look at the
+  -e CONTINUWUITY_SERVER_NAME="matrix.example.com" \
-<a href="/examples/docker-compose.yml" target="_blank">`docker-compose.yml`</a> file.
+  -e CONTINUWUITY_DATABASE_PATH="/var/lib/continuwuity" \
  -e CONTINUWUITY_ADDRESS="0.0.0.0" \
  -e CONTINUWUITY_ALLOW_REGISTRATION="false" \
  --name continuwuity \
  forgejo.ellis.link/continuwuation/continuwuity:latest \
  --execute "users create-user admin"
 ```
-If you just want to test Continuwuity for a short time, you can use the `--rm`
+Replace `matrix.example.com` with your actual server name and `admin` with
-flag, which cleans up everything related to your container after you stop
+your preferred username.
-it.
+
 #### 3. Get your admin password
 ```bash
 docker logs continuwuity 2>&1 | grep "Created user"
 ```
 You'll see output like:
 ```
 Created user with user_id: @admin:matrix.example.com and password: `[auto-generated-password]`
 ```
 #### 4. Configure your reverse proxy
 Configure your reverse proxy to forward HTTPS traffic to Continuwuity. See
 [Docker Compose](#docker-compose) for examples.
 Once configured, log in with any Matrix client using `@admin:matrix.example.com`
 and the generated password. You'll automatically be invited to the admin room
 where you can manage your server.
 ### Docker Compose
-If the `docker run` command is not suitable for you or your setup, you can also use one
+Docker Compose is the recommended deployment method. These examples include
-of the provided `docker-compose` files.
+reverse proxy configurations for Matrix federation.
-Depending on your proxy setup, you can use one of the following files:
+#### Matrix Federation Requirements
-### For existing Traefik setup
+For Matrix federation to work, you need to serve `.well-known/matrix/client` and
 `.well-known/matrix/server` endpoints. You can achieve this either by:
 1. **Using a well-known service** - The compose files below include an nginx
   container to serve these files
 2. **Using Continuwuity's built-in delegation** (easier for Traefik) - Configure
   delegation files in your config, then proxy `/.well-known/matrix/*` to
   Continuwuity
 **Traefik example using built-in delegation:**
 ```yaml
 labels:
  traefik.http.routers.continuwuity.rule: >-
    (Host(`matrix.example.com`) ||
     (Host(`example.com`) && PathPrefix(`/.well-known/matrix`)))
 ```
 This routes your Matrix domain and well-known paths to Continuwuity.
 #### Creating Your First Admin User
 Add the `--execute` command to create an admin user on first startup. In your
 compose file, add under the `continuwuity` service:
 ```yaml
 services:
    continuwuity:
        image: forgejo.ellis.link/continuwuation/continuwuity:latest
        command: --execute "users create-user admin"
        # ... rest of configuration
 ```
 Then retrieve the auto-generated password:
 ```bash
 docker compose logs continuwuity | grep "Created user"
 ```
 #### Choose Your Reverse Proxy
 Select the compose file that matches your setup:
 :::note DNS Performance
 Docker's default DNS resolver can cause performance issues with Matrix
 federation. If you experience slow federation or DNS timeouts, you may need to
 use your host's DNS resolver instead. Add this volume mount to the
 `continuwuity` service:
 ```yaml
 volumes:
  - /etc/resolv.conf:/etc/resolv.conf:ro
 ```
 See [Troubleshooting - DNS Issues](../troubleshooting.mdx#potential-dns-issues-when-using-docker)
 for more details and alternative solutions.
 :::
 ##### For existing Traefik setup
 <details>
 <summary>docker-compose.for-traefik.yml</summary>
@@ -76,7 +181,7 @@ Depending on your proxy setup, you can use one of the following files:
 </details>
-### With Traefik included
+##### With Traefik included
 <details>
 <summary>docker-compose.with-traefik.yml</summary>
@@ -87,7 +192,7 @@ Depending on your proxy setup, you can use one of the following files:
 </details>
-### With Caddy Docker Proxy
+##### With Caddy Docker Proxy
 <details>
 <summary>docker-compose.with-caddy.yml</summary>
@@ -98,9 +203,15 @@ Replace all `example.com` placeholders with your own domain.
 ```
 If you don't already have a network for Caddy to monitor, create one first:
 ```bash
 docker network create caddy
 ```
 </details>
-### For other reverse proxies
+##### For other reverse proxies
 <details>
 <summary>docker-compose.yml</summary>
@@ -111,7 +222,7 @@ Replace all `example.com` placeholders with your own domain.
 </details>
-### Override file
+##### Override file for customisation
 <details>
 <summary>docker-compose.override.yml</summary>
@@ -122,98 +233,24 @@ Replace all `example.com` placeholders with your own domain.
 </details>
-When picking the Traefik-related compose file, rename it to
+#### Starting Your Server
 `docker-compose.yml`, and rename the override file to
 `docker-compose.override.yml`. Edit the latter with the values you want for your
 server.
-When picking the `caddy-docker-proxy` compose file, it's important to first
+1. Choose your compose file and rename it to `docker-compose.yml`
-create the `caddy` network before spinning up the containers:
+2. If using the override file, rename it to `docker-compose.override.yml` and
-
+   edit your values
-```bash
+3. Start the server:
 docker network create caddy
 ```
 After that, you can rename it to `docker-compose.yml` and spin up the
 containers!
 Additional info about deploying Continuwuity can be found [here](generic.mdx).
 ### Build
 Official Continuwuity images are built using **Docker Buildx** and the Dockerfile found at [`docker/Dockerfile`][dockerfile-path]. This approach uses common Docker tooling and enables efficient multi-platform builds.
 The resulting images are widely compatible with Docker and other container runtimes like Podman or containerd.
 The images *do not contain a shell*. They contain only the Continuwuity binary, required libraries, TLS certificates, and metadata.
 <details>
 <summary>Click to view the Dockerfile</summary>
 You can also <a href="https://forgejo.ellis.link/continuwuation/continuwuation/src/branch/main/docker/Dockerfile" target="_blank">view the Dockerfile on Forgejo</a>.
 ```dockerfile file="../../docker/Dockerfile"
 ```
 </details>
 To build an image locally using Docker Buildx, you can typically run a command like:
 ```bash
 # Build for the current platform and load into the local Docker daemon
 docker buildx build --load --tag continuwuity:latest -f docker/Dockerfile .
 # Example: Build for specific platforms and push to a registry.
 # docker buildx build --platform linux/amd64,linux/arm64 --tag registry.io/org/continuwuity:latest -f docker/Dockerfile . --push
 # Example: Build binary optimised for the current CPU (standard release profile)
 # docker buildx build --load \
 #   --tag continuwuity:latest \
 #   --build-arg TARGET_CPU=native \
 #   -f docker/Dockerfile .
 # Example: Build maxperf variant (release-max-perf profile with LTO)
 # Optimised for runtime performance and smaller binary size, but requires longer build time
 # docker buildx build --load \
 #   --tag continuwuity:latest-maxperf \
 #   --build-arg TARGET_CPU=native \
 #   --build-arg RUST_PROFILE=release-max-perf \
 #   -f docker/Dockerfile .
 ```
 Refer to the Docker Buildx documentation for more advanced build options.
 [dockerfile-path]: https://forgejo.ellis.link/continuwuation/continuwuation/src/branch/main/docker/Dockerfile
 ### Run
 If you have already built the image or want to use one from the registries, you
 can start the container and everything else in the compose file in detached
 mode with:
 ```bash
 docker compose up -d
 ```
-> **Note:** Don't forget to modify and adjust the compose file to your needs.
+See the [generic deployment guide](generic.mdx) for more deployment options.
-### Use Traefik as Proxy
+### Building Custom Images
-As a container user, you probably know about Traefik. It is an easy-to-use
+For information on building your own Continuwuity Docker images, see the
-reverse proxy for making containerized apps and services available through the
+[Building Docker Images](../development/index.mdx#building-docker-images)
-web. With the Traefik-related docker-compose files provided above, it is equally easy
+section in the development documentation.
 to deploy and use Continuwuity, with a small caveat. If you have already looked at
 the files, you should have seen the `well-known` service, which is the
 small caveat. Traefik is simply a proxy and load balancer and cannot
 serve any kind of content. For Continuwuity to federate, we need to either
 expose ports `443` and `8448` or serve two endpoints: `.well-known/matrix/client`
 and `.well-known/matrix/server`.
 With the service `well-known`, we use a single `nginx` container that serves
 those two files.
 Alternatively, you can use Continuwuity's built-in delegation file capability. Set up the delegation files in the configuration file, and then proxy paths under `/.well-known/matrix` to continuwuity. For example, the label ``traefik.http.routers.continuwuity.rule=(Host(`matrix.ellis.link`) || (Host(`ellis.link`) && PathPrefix(`/.well-known/matrix`)))`` does this for the domain `ellis.link`.
 ## Voice communication
@@ -2,7 +2,8 @@
 Information about developing the project. If you are only interested in using
 it, you can safely ignore this page. If you plan on contributing, see the
-[contributor's guide](./contributing.mdx) and [code style guide](./code_style.mdx).
+[contributor's guide](./contributing.mdx) and
 [code style guide](./code_style.mdx).
 ## Continuwuity project layout
@@ -12,86 +13,98 @@ members are under `src/`. The workspace definition is at the top level / root
 `Cargo.toml`.
 The crate names are generally self-explanatory:
 - `admin` is the admin room
 - `api` is the HTTP API, Matrix C-S and S-S endpoints, etc
- `core` is core Continuwuity functionality like config loading, error definitions,
+- `core` is core Continuwuity functionality like config loading, error
-global utilities, logging infrastructure, etc
+  definitions, global utilities, logging infrastructure, etc
- `database` is RocksDB methods, helpers, RocksDB config, and general database definitions,
+- `database` is RocksDB methods, helpers, RocksDB config, and general database
-utilities, or functions
+  definitions, utilities, or functions
- `macros` are Continuwuity Rust [macros][macros] like general helper macros, logging
+- `macros` are Continuwuity Rust [macros][macros] like general helper macros,
-and error handling macros, and [syn][syn] and [procedural macros][proc-macro]
+  logging and error handling macros, and [syn][syn] and [procedural
-used for admin room commands and others
+  macros][proc-macro] used for admin room commands and others
 - `main` is the "primary" sub-crate. This is where the `main()` function lives,
-tokio worker and async initialisation, Sentry initialisation, [clap][clap] init,
+  tokio worker and async initialisation, Sentry initialisation, [clap][clap]
-and signal handling. If you are adding new [Rust features][features], they *must*
+  init, and signal handling. If you are adding new [Rust features][features],
-go here.
+  they _must_ go here.
- `router` is the webserver and request handling bits, using axum, tower, tower-http,
+- `router` is the webserver and request handling bits, using axum, tower,
-hyper, etc, and the [global server state][state] to access `services`.
+  tower-http, hyper, etc, and the [global server state][state] to access
  `services`.
 - `service` is the high-level database definitions and functions for data,
-outbound/sending code, and other business logic such as media fetching.
+  outbound/sending code, and other business logic such as media fetching.
-It is highly unlikely you will ever need to add a new workspace member, but
+It is highly unlikely you will ever need to add a new workspace member, but if
-if you truly find yourself needing to, we recommend reaching out to us in
+you truly find yourself needing to, we recommend reaching out to us in the
-the Matrix room for discussions about it beforehand.
+Matrix room for discussions about it beforehand.
 The primary inspiration for this design was apart of hot reloadable development,
-to support "Continuwuity as a library" where specific parts can simply be swapped out.
+to support "Continuwuity as a library" where specific parts can simply be
-There is evidence Conduit wanted to go this route too as `axum` is technically an
+swapped out. There is evidence Conduit wanted to go this route too as `axum` is
-optional feature in Conduit, and can be compiled without the binary or axum library
+technically an optional feature in Conduit, and can be compiled without the
-for handling inbound web requests; but it was never completed or worked.
+binary or axum library for handling inbound web requests; but it was never
 completed or worked.
-See the Rust documentation on [Workspaces][workspaces] for general questions
+See the Rust documentation on [Workspaces][workspaces] for general questions and
-and information on Cargo workspaces.
+information on Cargo workspaces.
 ## Adding compile-time [features][features]
-If you'd like to add a compile-time feature, you must first define it in
+If you'd like to add a compile-time feature, you must first define it in the
-the `main` workspace crate located in `src/main/Cargo.toml`. The feature must
+`main` workspace crate located in `src/main/Cargo.toml`. The feature must enable
-enable a feature in the other workspace crate(s) you intend to use it in. Then
+a feature in the other workspace crate(s) you intend to use it in. Then the said
-the said workspace crate(s) must define the feature there in its `Cargo.toml`.
+workspace crate(s) must define the feature there in its `Cargo.toml`.
-So, if this is adding a feature to the API such as `woof`, you define the feature
+So, if this is adding a feature to the API such as `woof`, you define the
-in the `api` crate's `Cargo.toml` as `woof = []`. The feature definition in `main`'s
+feature in the `api` crate's `Cargo.toml` as `woof = []`. The feature definition
-`Cargo.toml` will be `woof = ["conduwuit-api/woof"]`.
+in `main`'s `Cargo.toml` will be `woof = ["conduwuit-api/woof"]`.
-The rationale for this is due to Rust / Cargo not supporting
+The rationale for this is due to Rust / Cargo not supporting ["workspace level
-["workspace level features"][9], we must make a choice of; either scattering
+features"][9], we must make a choice of; either scattering features all over the
-features all over the workspace crates, making it difficult for anyone to add
+workspace crates, making it difficult for anyone to add or remove default
-or remove default features; or define all the features in one central workspace
+features; or define all the features in one central workspace crate that
-crate that propagate down/up to the other workspace crates. It is a Cargo pitfall,
+propagate down/up to the other workspace crates. It is a Cargo pitfall, and we'd
-and we'd like to see better developer UX in Rust's Workspaces.
+like to see better developer UX in Rust's Workspaces.
-Additionally, the definition of one single place makes "feature collection" in our
+Additionally, the definition of one single place makes "feature collection" in
-Nix flake a million times easier instead of collecting and deduping them all from
+our Nix flake a million times easier instead of collecting and deduping them all
-searching in all the workspace crates' `Cargo.toml`s. Though we wouldn't need to
+from searching in all the workspace crates' `Cargo.toml`s. Though we wouldn't
-do this if Rust supported workspace-level features to begin with.
+need to do this if Rust supported workspace-level features to begin with.
 ## List of forked dependencies
-During Continuwuity (and prior projects) development, we have had to fork some dependencies to support our use-cases.
+During Continuwuity (and prior projects) development, we have had to fork some
-These forks exist for various reasons including features that upstream projects won't accept,
+dependencies to support our use-cases. These forks exist for various reasons
-faster-paced development, Continuwuity-specific usecases, or lack of time to upstream changes.
+including features that upstream projects won't accept, faster-paced
 development, Continuwuity-specific usecases, or lack of time to upstream
 changes.
-All forked dependencies are maintained under the [continuwuation organization on Forgejo](https://forgejo.ellis.link/continuwuation):
+All forked dependencies are maintained under the
 [continuwuation organization on Forgejo](https://forgejo.ellis.link/continuwuation):
- [ruwuma][continuwuation-ruwuma] - Fork of [ruma/ruma][ruma] with various performance improvements, more features and better client/server interop
+- [ruwuma][continuwuation-ruwuma] - Fork of [ruma/ruma][ruma] with various
- [rocksdb][continuwuation-rocksdb] - Fork of [facebook/rocksdb][rocksdb] via [`@zaidoon1`][8] with liburing build fixes and GCC debug build fixes
+  performance improvements, more features and better client/server interop
- [jemallocator][continuwuation-jemallocator] - Fork of [tikv/jemallocator][jemallocator] fixing musl builds, suspicious code,
+- [rocksdb][continuwuation-rocksdb] - Fork of [facebook/rocksdb][rocksdb] via
-  and adding support for redzones in Valgrind
+  [`@zaidoon1`][8] with liburing build fixes and GCC debug build fixes
- [rustyline-async][continuwuation-rustyline-async] - Fork of [zyansheep/rustyline-async][rustyline-async] with tab completion callback
+- [jemallocator][continuwuation-jemallocator] - Fork of
-  and `CTRL+\` signal quit event for Continuwuity console CLI
+  [tikv/jemallocator][jemallocator] fixing musl builds, suspicious code, and
- [rust-rocksdb][continuwuation-rust-rocksdb] - Fork of [rust-rocksdb/rust-rocksdb][rust-rocksdb] fixing musl build issues,
+  adding support for redzones in Valgrind
-  removing unnecessary `gtest` include, and using our RocksDB and jemallocator forks
+- [rustyline-async][continuwuation-rustyline-async] - Fork of
- [tracing][continuwuation-tracing] - Fork of [tokio-rs/tracing][tracing] implementing `Clone` for `EnvFilter` to
+  [zyansheep/rustyline-async][rustyline-async] with tab completion callback and
-  support dynamically changing tracing environments
+  `CTRL+\` signal quit event for Continuwuity console CLI
 - [rust-rocksdb][continuwuation-rust-rocksdb] - Fork of
  [rust-rocksdb/rust-rocksdb][rust-rocksdb] fixing musl build issues, removing
  unnecessary `gtest` include, and using our RocksDB and jemallocator forks
 - [tracing][continuwuation-tracing] - Fork of [tokio-rs/tracing][tracing]
  implementing `Clone` for `EnvFilter` to support dynamically changing tracing
  environments
 ## Debugging with `tokio-console`
 [`tokio-console`][7] can be a useful tool for debugging and profiling. To make a
-`tokio-console`-enabled build of Continuwuity, enable the `tokio_console` feature,
+`tokio-console`-enabled build of Continuwuity, enable the `tokio_console`
-disable the default `release_max_log_level` feature, and set the `--cfg
+feature, disable the default `release_max_log_level` feature, and set the
-tokio_unstable` flag to enable experimental tokio APIs. A build might look like
+`--cfg tokio_unstable` flag to enable experimental tokio APIs. A build might
-this:
+look like this:
 ```bash
 RUSTFLAGS="--cfg tokio_unstable" cargo +nightly build \
@@ -100,34 +113,84 @@ RUSTFLAGS="--cfg tokio_unstable" cargo +nightly build \
    --features=systemd,element_hacks,gzip_compression,brotli_compression,zstd_compression,tokio_console
 ```
-You will also need to enable the `tokio_console` config option in Continuwuity when
+You will also need to enable the `tokio_console` config option in Continuwuity
-starting it. This was due to tokio-console causing gradual memory leak/usage
+when starting it. This was due to tokio-console causing gradual memory
-if left enabled.
+leak/usage if left enabled.
 ## Building Docker Images
-To build a Docker image for Continuwuity, use the standard Docker build command:
+Official Continuwuity images are built using **Docker Buildx** and the
 Dockerfile found at [`docker/Dockerfile`][dockerfile-path].
 The images are compatible with Docker and other container runtimes like Podman
 or containerd.
 The images _do not contain a shell_. They contain only the Continuwuity binary,
 required libraries, TLS certificates, and metadata.
 <details>
 <summary>Click to view the Dockerfile</summary>
 You can also
 <a
    href="<https://forgejo.ellis.link/continuwuation/continuwuation/src/branch/main/docker/Dockerfile>"
    target="_blank"
 >
    view the Dockerfile on Forgejo
 </a>
 .
 ```dockerfile file="../../docker/Dockerfile"
 ```bash
 docker build -f docker/Dockerfile .
 ```
-The image can be cross-compiled for different architectures.
+</details>
 ### Building Locally
 To build an image locally using Docker Buildx:
 ```bash
 # Build for the current platform and load into the local Docker daemon
 docker buildx build --load --tag continuwuity:latest -f docker/Dockerfile .
 # Example: Build for specific platforms and push to a registry
 # docker buildx build --platform linux/amd64,linux/arm64 --tag registry.io/org/continuwuity:latest -f docker/Dockerfile . --push
 # Example: Build binary optimised for the current CPU (standard release profile)
 # docker buildx build --load \
 #   --tag continuwuity:latest \
 #   --build-arg TARGET_CPU=native \
 #   -f docker/Dockerfile .
 # Example: Build maxperf variant (release-max-perf profile with LTO)
 # docker buildx build --load \
 #   --tag continuwuity:latest-maxperf \
 #   --build-arg TARGET_CPU=native \
 #   --build-arg RUST_PROFILE=release-max-perf \
 #   -f docker/Dockerfile .
 ```
 Refer to the Docker Buildx documentation for more advanced build options.
 [dockerfile-path]:
    https://forgejo.ellis.link/continuwuation/continuwuation/src/branch/main/docker/Dockerfile
 [continuwuation-ruwuma]: https://forgejo.ellis.link/continuwuation/ruwuma
 [continuwuation-rocksdb]: https://forgejo.ellis.link/continuwuation/rocksdb
-[continuwuation-jemallocator]: https://forgejo.ellis.link/continuwuation/jemallocator
+[continuwuation-jemallocator]:
-[continuwuation-rustyline-async]: https://forgejo.ellis.link/continuwuation/rustyline-async
+    https://forgejo.ellis.link/continuwuation/jemallocator
-[continuwuation-rust-rocksdb]: https://forgejo.ellis.link/continuwuation/rust-rocksdb
+[continuwuation-rustyline-async]:
    https://forgejo.ellis.link/continuwuation/rustyline-async
 [continuwuation-rust-rocksdb]:
    https://forgejo.ellis.link/continuwuation/rust-rocksdb
 [continuwuation-tracing]: https://forgejo.ellis.link/continuwuation/tracing
 [ruma]: https://github.com/ruma/ruma/
 [rocksdb]: https://github.com/facebook/rocksdb/
 [jemallocator]: https://github.com/tikv/jemallocator/
 [rustyline-async]: https://github.com/zyansheep/rustyline-async/
 [rust-rocksdb]: https://github.com/rust-rocksdb/rust-rocksdb/
 [tracing]: https://github.com/tokio-rs/tracing/
 [7]: https://docs.rs/tokio-console/latest/tokio_console/
 [8]: https://github.com/zaidoon1/
 [9]: https://github.com/rust-lang/cargo/issues/12162
@@ -4,6 +4,11 @@
        "name": "config",
        "label": "Configuration"
    },
    {
        "type": "file",
        "name": "environment-variables",
        "label": "Environment Variables"
    },
    {
        "type": "file",
        "name": "admin",
@@ -0,0 +1,281 @@
 # Environment Variables
 Continuwuity can be configured entirely through environment variables, making it
 ideal for containerised deployments and infrastructure-as-code scenarios.
 This is a convenience reference and may not be exhaustive. The
 [Configuration Reference](./config.mdx) is the primary source for all
 configuration options.
 ## Prefix System
 Continuwuity supports three environment variable prefixes for backwards
 compatibility:
 - `CONTINUWUITY_*` (current, recommended)
 - `CONDUWUIT_*` (compatibility)
 - `CONDUIT_*` (legacy)
 All three prefixes work identically. Use double underscores (`__`) to represent
 nested configuration sections from the TOML config.
 **Examples:**
 ```bash
 # Simple top-level config
 CONTINUWUITY_SERVER_NAME="matrix.example.com"
 CONTINUWUITY_PORT="8008"
 # Nested config sections use double underscores
 # This maps to [database] section in TOML
 CONTINUWUITY_DATABASE__PATH="/var/lib/continuwuity"
 # This maps to [tls] section in TOML
 CONTINUWUITY_TLS__CERTS="/path/to/cert.pem"
 ```
 ## Configuration File Override
 You can specify a custom configuration file path:
 - `CONTINUWUITY_CONFIG` - Path to continuwuity.toml (current)
 - `CONDUWUIT_CONFIG` - Path to config file (compatibility)
 - `CONDUIT_CONFIG` - Path to config file (legacy)
 ## Essential Variables
 These are the minimum variables needed for a working deployment:
 | Variable                     | Description                        | Default                |
 | ---------------------------- | ---------------------------------- | ---------------------- |
 | `CONTINUWUITY_SERVER_NAME`   | Your Matrix server's domain name   | Required               |
 | `CONTINUWUITY_DATABASE_PATH` | Path to RocksDB database directory | `/var/lib/conduwuit`   |
 | `CONTINUWUITY_ADDRESS`       | IP address to bind to              | `["127.0.0.1", "::1"]` |
 | `CONTINUWUITY_PORT`          | Port to listen on                  | `8008`                 |
 ## Network Configuration
 | Variable                         | Description                                     | Default                |
 | -------------------------------- | ----------------------------------------------- | ---------------------- |
 | `CONTINUWUITY_ADDRESS`           | Bind address (use `0.0.0.0` for all interfaces) | `["127.0.0.1", "::1"]` |
 | `CONTINUWUITY_PORT`              | HTTP port                                       | `8008`                 |
 | `CONTINUWUITY_UNIX_SOCKET_PATH`  | UNIX socket path (alternative to TCP)           | -                      |
 | `CONTINUWUITY_UNIX_SOCKET_PERMS` | Socket permissions (octal)                      | `660`                  |
 ## Database Configuration
 | Variable                                   | Description                 | Default              |
 | ------------------------------------------ | --------------------------- | -------------------- |
 | `CONTINUWUITY_DATABASE_PATH`               | RocksDB data directory      | `/var/lib/conduwuit` |
 | `CONTINUWUITY_DATABASE_BACKUP_PATH`        | Backup directory            | -                    |
 | `CONTINUWUITY_DATABASE_BACKUPS_TO_KEEP`    | Number of backups to retain | `1`                  |
 | `CONTINUWUITY_DB_CACHE_CAPACITY_MB`        | Database read cache (MB)    | -                    |
 | `CONTINUWUITY_DB_WRITE_BUFFER_CAPACITY_MB` | Write cache (MB)            | -                    |
 ## Cache Configuration
 | Variable                                 | Description              |
 | ---------------------------------------- | ------------------------ |
 | `CONTINUWUITY_CACHE_CAPACITY_MODIFIER`   | LRU cache multiplier     |
 | `CONTINUWUITY_PDU_CACHE_CAPACITY`        | PDU cache entries        |
 | `CONTINUWUITY_AUTH_CHAIN_CACHE_CAPACITY` | Auth chain cache entries |
 ## DNS Configuration
 Configure DNS resolution behaviour for federation and external requests.
 | Variable                             | Description                  | Default  |
 | ------------------------------------ | ---------------------------- | -------- |
 | `CONTINUWUITY_DNS_CACHE_ENTRIES`     | Max DNS cache entries        | `32768`  |
 | `CONTINUWUITY_DNS_MIN_TTL`           | Minimum cache TTL (seconds)  | `10800`  |
 | `CONTINUWUITY_DNS_MIN_TTL_NXDOMAIN`  | NXDOMAIN cache TTL (seconds) | `259200` |
 | `CONTINUWUITY_DNS_ATTEMPTS`          | Retry attempts               | -        |
 | `CONTINUWUITY_DNS_TIMEOUT`           | Query timeout (seconds)      | -        |
 | `CONTINUWUITY_DNS_TCP_FALLBACK`      | Allow TCP fallback           | -        |
 | `CONTINUWUITY_QUERY_ALL_NAMESERVERS` | Query all nameservers        | -        |
 | `CONTINUWUITY_QUERY_OVER_TCP_ONLY`   | TCP-only queries             | -        |
 ## Request Configuration
 | Variable                             | Description                   |
 | ------------------------------------ | ----------------------------- |
 | `CONTINUWUITY_MAX_REQUEST_SIZE`      | Max HTTP request size (bytes) |
 | `CONTINUWUITY_REQUEST_CONN_TIMEOUT`  | Connection timeout (seconds)  |
 | `CONTINUWUITY_REQUEST_TIMEOUT`       | Overall request timeout       |
 | `CONTINUWUITY_REQUEST_TOTAL_TIMEOUT` | Total timeout                 |
 | `CONTINUWUITY_REQUEST_IDLE_TIMEOUT`  | Idle timeout                  |
 | `CONTINUWUITY_REQUEST_IDLE_PER_HOST` | Idle connections per host     |
 ## Federation Configuration
 Control how your server federates with other Matrix servers.
 | Variable                                       | Description                   | Default |
 | ---------------------------------------------- | ----------------------------- | ------- |
 | `CONTINUWUITY_ALLOW_FEDERATION`                | Enable federation             | `true`  |
 | `CONTINUWUITY_FEDERATION_LOOPBACK`             | Allow loopback federation     | -       |
 | `CONTINUWUITY_FEDERATION_CONN_TIMEOUT`         | Connection timeout            | -       |
 | `CONTINUWUITY_FEDERATION_TIMEOUT`              | Request timeout               | -       |
 | `CONTINUWUITY_FEDERATION_IDLE_TIMEOUT`         | Idle timeout                  | -       |
 | `CONTINUWUITY_FEDERATION_IDLE_PER_HOST`        | Idle connections per host     | -       |
 | `CONTINUWUITY_TRUSTED_SERVERS`                 | JSON array of trusted servers | -       |
 | `CONTINUWUITY_QUERY_TRUSTED_KEY_SERVERS_FIRST` | Query trusted first           | -       |
 | `CONTINUWUITY_ONLY_QUERY_TRUSTED_KEY_SERVERS`  | Only query trusted            | -       |
 **Example:**
 ```bash
 # Trust matrix.org for key verification
 CONTINUWUITY_TRUSTED_SERVERS='["matrix.org"]'
 ```
 ## Registration & User Configuration
 Control user registration and account creation behaviour.
 | Variable                                   | Description           | Default |
 | ------------------------------------------ | --------------------- | ------- |
 | `CONTINUWUITY_ALLOW_REGISTRATION`          | Enable registration   | `true`  |
 | `CONTINUWUITY_REGISTRATION_TOKEN`          | Token requirement     | -       |
 | `CONTINUWUITY_SUSPEND_ON_REGISTER`         | Suspend new accounts  | -       |
 | `CONTINUWUITY_NEW_USER_DISPLAYNAME_SUFFIX` | Display name suffix   | 🏳️‍⚧️      |
 | `CONTINUWUITY_RECAPTCHA_SITE_KEY`          | reCAPTCHA site key    | -       |
 | `CONTINUWUITY_RECAPTCHA_PRIVATE_SITE_KEY`  | reCAPTCHA private key | -       |
 **Example:**
 ```bash
 # Disable open registration
 CONTINUWUITY_ALLOW_REGISTRATION="false"
 # Require a registration token
 CONTINUWUITY_REGISTRATION_TOKEN="your_secret_token_here"
 ```
 ## Feature Configuration
 | Variable                                                   | Description                | Default |
 | ---------------------------------------------------------- | -------------------------- | ------- |
 | `CONTINUWUITY_ALLOW_ENCRYPTION`                            | Enable E2EE                | `true`  |
 | `CONTINUWUITY_ALLOW_ROOM_CREATION`                         | Enable room creation       | -       |
 | `CONTINUWUITY_ALLOW_UNSTABLE_ROOM_VERSIONS`                | Allow unstable versions    | -       |
 | `CONTINUWUITY_DEFAULT_ROOM_VERSION`                        | Default room version       | `v11`   |
 | `CONTINUWUITY_REQUIRE_AUTH_FOR_PROFILE_REQUESTS`           | Auth for profiles          | -       |
 | `CONTINUWUITY_ALLOW_PUBLIC_ROOM_DIRECTORY_OVER_FEDERATION` | Federate directory         | -       |
 | `CONTINUWUITY_ALLOW_PUBLIC_ROOM_DIRECTORY_WITHOUT_AUTH`    | Unauth directory           | -       |
 | `CONTINUWUITY_ALLOW_DEVICE_NAME_FEDERATION`                | Device names in federation | -       |
 ## TLS Configuration
 Built-in TLS support is primarily for testing. **For production deployments,
 especially when federating on the internet, use a reverse proxy** (Traefik,
 Caddy, nginx) to handle TLS termination.
 | Variable                          | Description               |
 | --------------------------------- | ------------------------- |
 | `CONTINUWUITY_TLS__CERTS`         | TLS certificate file path |
 | `CONTINUWUITY_TLS__KEY`           | TLS private key path      |
 | `CONTINUWUITY_TLS__DUAL_PROTOCOL` | Support TLS 1.2 + 1.3     |
 **Example (testing only):**
 ```bash
 CONTINUWUITY_TLS__CERTS="/etc/letsencrypt/live/matrix.example.com/fullchain.pem"
 CONTINUWUITY_TLS__KEY="/etc/letsencrypt/live/matrix.example.com/privkey.pem"
 ```
 ## Logging Configuration
 Control log output format and verbosity.
 | Variable                       | Description        | Default |
 | ------------------------------ | ------------------ | ------- |
 | `CONTINUWUITY_LOG`             | Log filter level   | -       |
 | `CONTINUWUITY_LOG_COLORS`      | ANSI colours       | `true`  |
 | `CONTINUWUITY_LOG_SPAN_EVENTS` | Log span events    | `none`  |
 | `CONTINUWUITY_LOG_THREAD_IDS`  | Include thread IDs | -       |
 **Examples:**
 ```bash
 # Set log level to info
 CONTINUWUITY_LOG="info"
 # Enable debug logging for specific modules
 CONTINUWUITY_LOG="warn,continuwuity::api=debug"
 # Disable colours for log aggregation
 CONTINUWUITY_LOG_COLORS="false"
 ```
 ## Observability Configuration
 | Variable                                 | Description           |
 | ---------------------------------------- | --------------------- |
 | `CONTINUWUITY_ALLOW_OTLP`                | Enable OpenTelemetry  |
 | `CONTINUWUITY_OTLP_FILTER`               | OTLP filter level     |
 | `CONTINUWUITY_OTLP_PROTOCOL`             | Protocol (http/grpc)  |
 | `CONTINUWUITY_TRACING_FLAME`             | Enable flame graphs   |
 | `CONTINUWUITY_TRACING_FLAME_FILTER`      | Flame graph filter    |
 | `CONTINUWUITY_TRACING_FLAME_OUTPUT_PATH` | Output directory      |
 | `CONTINUWUITY_SENTRY`                    | Enable Sentry         |
 | `CONTINUWUITY_SENTRY_ENDPOINT`           | Sentry DSN            |
 | `CONTINUWUITY_SENTRY_SEND_SERVER_NAME`   | Include server name   |
 | `CONTINUWUITY_SENTRY_TRACES_SAMPLE_RATE` | Sample rate (0.0-1.0) |
 ## Admin Configuration
 Configure admin users and automated command execution.
 | Variable                                   | Description                      | Default           |
 | ------------------------------------------ | -------------------------------- | ----------------- |
 | `CONTINUWUITY_ADMINS_LIST`                 | JSON array of admin user IDs     | -                 |
 | `CONTINUWUITY_ADMINS_FROM_ROOM`            | Derive admins from room          | -                 |
 | `CONTINUWUITY_ADMIN_ESCAPE_COMMANDS`       | Allow `\` prefix in public rooms | -                 |
 | `CONTINUWUITY_ADMIN_CONSOLE_AUTOMATIC`     | Auto-activate console            | -                 |
 | `CONTINUWUITY_ADMIN_EXECUTE`               | JSON array of startup commands   | -                 |
 | `CONTINUWUITY_ADMIN_EXECUTE_ERRORS_IGNORE` | Ignore command errors            | -                 |
 | `CONTINUWUITY_ADMIN_SIGNAL_EXECUTE`        | Commands on SIGUSR2              | -                 |
 | `CONTINUWUITY_ADMIN_ROOM_TAG`              | Admin room tag                   | `m.server_notice` |
 **Examples:**
 ```bash
 # Create admin user on startup
 CONTINUWUITY_ADMIN_EXECUTE='["users create-user admin", "users make-user-admin admin"]'
 # Specify admin users directly
 CONTINUWUITY_ADMINS_LIST='["@alice:example.com", "@bob:example.com"]'
 ```
 ## Media & URL Preview Configuration
 | Variable                                             | Description        |
 | ---------------------------------------------------- | ------------------ |
 | `CONTINUWUITY_URL_PREVIEW_BOUND_INTERFACE`           | Bind interface     |
 | `CONTINUWUITY_URL_PREVIEW_DOMAIN_CONTAINS_ALLOWLIST` | Domain allowlist   |
 | `CONTINUWUITY_URL_PREVIEW_DOMAIN_EXPLICIT_ALLOWLIST` | Explicit allowlist |
 | `CONTINUWUITY_URL_PREVIEW_DOMAIN_EXPLICIT_DENYLIST`  | Explicit denylist  |
 | `CONTINUWUITY_URL_PREVIEW_MAX_SPIDER_SIZE`           | Max fetch size     |
 | `CONTINUWUITY_URL_PREVIEW_TIMEOUT`                   | Fetch timeout      |
 | `CONTINUWUITY_IP_RANGE_DENYLIST`                     | IP range denylist  |
 ## Tokio Runtime Configuration
 These can be set as environment variables or CLI arguments:
 | Variable                                  | Description                |
 | ----------------------------------------- | -------------------------- |
 | `TOKIO_WORKER_THREADS`                    | Worker thread count        |
 | `TOKIO_GLOBAL_QUEUE_INTERVAL`             | Global queue interval      |
 | `TOKIO_EVENT_INTERVAL`                    | Event interval             |
 | `TOKIO_MAX_IO_EVENTS_PER_TICK`            | Max I/O events per tick    |
 | `CONTINUWUITY_RUNTIME_HISTOGRAM_INTERVAL` | Histogram bucket size (μs) |
 | `CONTINUWUITY_RUNTIME_HISTOGRAM_BUCKETS`  | Bucket count               |
 | `CONTINUWUITY_RUNTIME_WORKER_AFFINITY`    | Enable worker affinity     |
 ## See Also
 - [Configuration Reference](./config.mdx) - Complete TOML configuration
  documentation
 - [Admin Commands](./admin/) - Admin command reference
@@ -29,9 +29,7 @@ pub(super) async fn delete(
 			.delete(&mxc.as_str().try_into()?)
 			.await?;
-		return self
+		return Err!("Deleted the MXC from our database and on our filesystem.",);
 			.write_str("Deleted the MXC from our database and on our filesystem.")
 			.await;
 	}
 	if let Some(event_id) = event_id {
@@ -9,7 +9,7 @@ use ruma::{
 	},
 	events::{
 		AnyGlobalAccountDataEventContent, AnyRoomAccountDataEventContent,
-		RoomAccountDataEventType,
+		GlobalAccountDataEventType, RoomAccountDataEventType,
 	},
 	serde::Raw,
 };
@@ -126,6 +126,12 @@ async fn set_account_data(
 		)));
 	}
 	if event_type_s == GlobalAccountDataEventType::PushRules.to_cow_str() {
 		return Err!(Request(BadJson(
 			"This endpoint cannot be used for setting/configuring push rules."
 		)));
 	}
 	let data: serde_json::Value = serde_json::from_str(data.get())
 		.map_err(|e| err!(Request(BadJson(warn!("Invalid JSON provided: {e}")))))?;
@@ -1,121 +0,0 @@
 use axum::extract::State;
 use axum_client_ip::InsecureClientIp;
 use conduwuit::{Err, Result, at};
 use futures::StreamExt;
 use ruma::api::client::dehydrated_device::{
 	delete_dehydrated_device::unstable as delete_dehydrated_device,
 	get_dehydrated_device::unstable as get_dehydrated_device, get_events::unstable as get_events,
 	put_dehydrated_device::unstable as put_dehydrated_device,
 };
 use crate::Ruma;
 const MAX_BATCH_EVENTS: usize = 50;
 /// # `PUT /_matrix/client/../dehydrated_device`
 ///
 /// Creates or overwrites the user's dehydrated device.
 #[tracing::instrument(skip_all, fields(%client))]
 pub(crate) async fn put_dehydrated_device_route(
 	State(services): State<crate::State>,
 	InsecureClientIp(client): InsecureClientIp,
 	body: Ruma<put_dehydrated_device::Request>,
 ) -> Result<put_dehydrated_device::Response> {
 	let sender_user = body
 		.sender_user
 		.as_deref()
 		.expect("AccessToken authentication required");
 	let device_id = body.body.device_id.clone();
 	services
 		.users
 		.set_dehydrated_device(sender_user, body.body)
 		.await?;
 	Ok(put_dehydrated_device::Response { device_id })
 }
 /// # `DELETE /_matrix/client/../dehydrated_device`
 ///
 /// Deletes the user's dehydrated device without replacement.
 #[tracing::instrument(skip_all, fields(%client))]
 pub(crate) async fn delete_dehydrated_device_route(
 	State(services): State<crate::State>,
 	InsecureClientIp(client): InsecureClientIp,
 	body: Ruma<delete_dehydrated_device::Request>,
 ) -> Result<delete_dehydrated_device::Response> {
 	let sender_user = body.sender_user();
 	let device_id = services.users.get_dehydrated_device_id(sender_user).await?;
 	services.users.remove_device(sender_user, &device_id).await;
 	Ok(delete_dehydrated_device::Response { device_id })
 }
 /// # `GET /_matrix/client/../dehydrated_device`
 ///
 /// Gets the user's dehydrated device
 #[tracing::instrument(skip_all, fields(%client))]
 pub(crate) async fn get_dehydrated_device_route(
 	State(services): State<crate::State>,
 	InsecureClientIp(client): InsecureClientIp,
 	body: Ruma<get_dehydrated_device::Request>,
 ) -> Result<get_dehydrated_device::Response> {
 	let sender_user = body.sender_user();
 	let device = services.users.get_dehydrated_device(sender_user).await?;
 	Ok(get_dehydrated_device::Response {
 		device_id: device.device_id,
 		device_data: device.device_data,
 	})
 }
 /// # `GET /_matrix/client/../dehydrated_device/{device_id}/events`
 ///
 /// Paginates the events of the dehydrated device.
 #[tracing::instrument(skip_all, fields(%client))]
 pub(crate) async fn get_dehydrated_events_route(
 	State(services): State<crate::State>,
 	InsecureClientIp(client): InsecureClientIp,
 	body: Ruma<get_events::Request>,
 ) -> Result<get_events::Response> {
 	let sender_user = body.sender_user();
 	let device_id = &body.body.device_id;
 	let existing_id = services.users.get_dehydrated_device_id(sender_user).await;
 	if existing_id.as_ref().is_err()
 		|| existing_id
 			.as_ref()
 			.is_ok_and(|existing_id| existing_id != device_id)
 	{
 		return Err!(Request(Forbidden("Not the dehydrated device_id.")));
 	}
 	let since: Option<u64> = body
 		.body
 		.next_batch
 		.as_deref()
 		.map(str::parse)
 		.transpose()?;
 	let mut next_batch: Option<u64> = None;
 	let events = services
 		.users
 		.get_to_device_events(sender_user, device_id, since, None)
 		.take(MAX_BATCH_EVENTS)
 		.inspect(|&(count, _)| {
 			next_batch.replace(count);
 		})
 		.map(at!(1))
 		.collect()
 		.await;
 	Ok(get_events::Response {
 		events,
 		next_batch: next_batch.as_ref().map(ToString::to_string),
 	})
 }
@@ -6,7 +6,6 @@ pub(super) mod appservice;
 pub(super) mod backup;
 pub(super) mod capabilities;
 pub(super) mod context;
 pub(super) mod dehydrated_device;
 pub(super) mod device;
 pub(super) mod directory;
 pub(super) mod filter;
@@ -50,7 +49,6 @@ pub(super) use appservice::*;
 pub(super) use backup::*;
 pub(super) use capabilities::*;
 pub(super) use context::*;
 pub(super) use dehydrated_device::*;
 pub(super) use device::*;
 pub(super) use directory::*;
 pub(super) use filter::*;
@@ -11,7 +11,7 @@ use std::{
 use axum::extract::State;
 use axum_client_ip::InsecureClientIp;
 use conduwuit::{
-	Result, at, extract_variant,
+	Result, extract_variant,
 	utils::{
 		ReadyExt, TryFutureExtExt,
 		stream::{BroadbandExt, Tools, WidebandExt},
@@ -385,7 +385,6 @@ pub(crate) async fn build_sync_events(
 			last_sync_end_count,
 			Some(current_count),
 		)
 		.map(at!(1))
 		.collect::<Vec<_>>();
 	let device_one_time_keys_count = services
@@ -336,9 +336,7 @@ where
 		let ranges = list.ranges.clone();
 		for mut range in ranges {
-			range.0 = range
+			range.0 = uint!(0);
 				.0
 				.min(UInt::try_from(active_rooms.len()).unwrap_or(UInt::MAX));
 			range.1 = range.1.checked_add(uint!(1)).unwrap_or(range.1);
 			range.1 = range
 				.1
@@ -1029,7 +1027,6 @@ async fn collect_to_device(
 		events: services
 			.users
 			.get_to_device_events(sender_user, sender_device, None, Some(next_batch))
 			.map(at!(1))
 			.collect()
 			.await,
 	})
@@ -50,7 +50,6 @@ pub(crate) async fn get_supported_versions_route(
 			("org.matrix.msc2836".to_owned(), true), /* threading/threads (https://github.com/matrix-org/matrix-spec-proposals/pull/2836) */
 			("org.matrix.msc2946".to_owned(), true), /* spaces/hierarchy summaries (https://github.com/matrix-org/matrix-spec-proposals/pull/2946) */
 			("org.matrix.msc3026.busy_presence".to_owned(), true), /* busy presence status (https://github.com/matrix-org/matrix-spec-proposals/pull/3026) */
 			("org.matrix.msc3814".to_owned(), true),               /* dehydrated devices */
 			("org.matrix.msc3827".to_owned(), true), /* filtering of /publicRooms by room type (https://github.com/matrix-org/matrix-spec-proposals/pull/3827) */
 			("org.matrix.msc3952_intentional_mentions".to_owned(), true), /* intentional mentions (https://github.com/matrix-org/matrix-spec-proposals/pull/3952) */
 			("org.matrix.msc3916.stable".to_owned(), true), /* authenticated media (https://github.com/matrix-org/matrix-spec-proposals/pull/3916) */
@@ -27,32 +27,10 @@ pub(crate) async fn well_known_client(
 		identity_server: None,
 		sliding_sync_proxy: Some(SlidingSyncProxyInfo { url: client_url }),
 		tile_server: None,
-		rtc_foci: services
+		rtc_foci: services.config.well_known.rtc_focus_server_urls.clone(),
 			.config
 			.matrix_rtc
 			.effective_foci(&services.config.well_known.rtc_focus_server_urls)
 			.to_vec(),
 	})
 }
 /// # `GET /_matrix/client/v1/rtc/transports`
 /// # `GET /_matrix/client/unstable/org.matrix.msc4143/rtc/transports`
 ///
 /// Returns the list of MatrixRTC foci (transports) configured for this
 /// homeserver, implementing MSC4143.
 pub(crate) async fn get_rtc_transports(
 	State(services): State<crate::State>,
 	_body: Ruma<ruma::api::client::discovery::get_rtc_transports::Request>,
 ) -> Result<ruma::api::client::discovery::get_rtc_transports::Response> {
 	Ok(ruma::api::client::discovery::get_rtc_transports::Response::new(
 		services
 			.config
 			.matrix_rtc
 			.effective_foci(&services.config.well_known.rtc_focus_server_urls)
 			.to_vec(),
 	))
 }
 /// # `GET /.well-known/matrix/support`
 ///
 /// Server support contact and support page of a homeserver's domain.
@@ -160,10 +160,6 @@ pub fn build(router: Router<State>, server: &Server) -> Router<State> {
 		.ruma_route(&client::update_device_route)
 		.ruma_route(&client::delete_device_route)
 		.ruma_route(&client::delete_devices_route)
 		.ruma_route(&client::put_dehydrated_device_route)
 		.ruma_route(&client::delete_dehydrated_device_route)
 		.ruma_route(&client::get_dehydrated_device_route)
 		.ruma_route(&client::get_dehydrated_events_route)
 		.ruma_route(&client::get_tags_route)
 		.ruma_route(&client::update_tag_route)
 		.ruma_route(&client::delete_tag_route)
@@ -188,7 +184,6 @@ pub fn build(router: Router<State>, server: &Server) -> Router<State> {
 		.ruma_route(&client::put_suspended_status)
 		.ruma_route(&client::well_known_support)
 		.ruma_route(&client::well_known_client)
 		.ruma_route(&client::get_rtc_transports)
 		.route("/_conduwuit/server_version", get(client::conduwuit_server_version))
 		.route("/_continuwuity/server_version", get(client::conduwuit_server_version))
 		.ruma_route(&client::room_initial_sync_route)
@@ -67,17 +67,23 @@ pub(super) async fn auth(
 	if metadata.authentication == AuthScheme::None {
 		match metadata {
 			| &get_public_rooms::v3::Request::METADATA => {
-				match token {
+				if !services
-					| Token::Appservice(_) | Token::User(_) => {
+					.server
-						// we should have validated the token above
+					.config
-						// already
+					.allow_public_room_directory_without_auth
-					},
+				{
-					| Token::None | Token::Invalid => {
+					match token {
-						return Err(Error::BadRequest(
+						| Token::Appservice(_) | Token::User(_) => {
-							ErrorKind::MissingToken,
+							// we should have validated the token above
-							"Missing or invalid access token.",
+							// already
-						));
+						},
-					},
+						| Token::None | Token::Invalid => {
 							return Err(Error::BadRequest(
 								ErrorKind::MissingToken,
 								"Missing or invalid access token.",
 							));
 						},
 					}
 				}
 			},
 			| &get_profile::v3::Request::METADATA
@@ -678,6 +678,12 @@ pub struct Config {
 	#[serde(default)]
 	pub allow_public_room_directory_over_federation: bool,
 	/// Set this to true to allow your server's public room directory to be
 	/// queried without client authentication (access token) through the Client
 	/// APIs. Set this to false to protect against /publicRooms spiders.
 	#[serde(default)]
 	pub allow_public_room_directory_without_auth: bool,
 	/// Allow guests/unauthenticated users to access TURN credentials.
 	///
 	/// This is the equivalent of Synapse's `turn_allow_guests` config option.
@@ -2080,12 +2086,6 @@ pub struct Config {
 	/// display: nested
 	#[serde(default)]
 	pub blurhashing: BlurhashConfig,
 	/// Configuration for MatrixRTC (MSC4143) transport discovery.
 	/// display: nested
 	#[serde(default)]
 	pub matrix_rtc: MatrixRtcConfig,
 	#[serde(flatten)]
 	#[allow(clippy::zero_sized_map_values)]
 	// this is a catchall, the map shouldn't be zero at runtime
@@ -2151,16 +2151,17 @@ pub struct WellKnownConfig {
 	/// listed.
 	pub support_mxid: Option<OwnedUserId>,
 	/// **DEPRECATED**: Use `[global.matrix_rtc].foci` instead.
 	///
 	/// A list of MatrixRTC foci URLs which will be served as part of the
-	/// MSC4143 client endpoint at /.well-known/matrix/client.
+	/// MSC4143 client endpoint at /.well-known/matrix/client.  If you're
 	/// setting up livekit, you'd want something like:
 	/// rtc_focus_server_urls = [
 	///     { type = "livekit", livekit_service_url = "https://livekit.example.com" },
 	/// ]
 	///
-	/// This option is deprecated and will be removed in a future release.
+	/// To disable, set this to be an empty vector (`[]`).
 	/// Please migrate to the new `[global.matrix_rtc]` config section.
 	///
 	/// default: []
-	#[serde(default)]
+	#[serde(default = "default_rtc_focus_urls")]
 	pub rtc_focus_server_urls: Vec<RtcFocusInfo>,
 }
@@ -2189,43 +2190,6 @@ pub struct BlurhashConfig {
 	pub blurhash_max_raw_size: u64,
 }
 #[derive(Clone, Debug, Deserialize, Default)]
 #[config_example_generator(filename = "conduwuit-example.toml", section = "global.matrix_rtc")]
 pub struct MatrixRtcConfig {
 	/// A list of MatrixRTC foci (transports) which will be served via the
 	/// MSC4143 RTC transports endpoint at
 	/// `/_matrix/client/v1/rtc/transports`. If you're setting up livekit,
 	/// you'd want something like:
 	/// ```toml
 	/// [global.matrix_rtc]
 	/// foci = [
 	///     { type = "livekit", livekit_service_url = "https://livekit.example.com" },
 	/// ]
 	/// ```
 	///
 	/// To disable, set this to an empty list (`[]`).
 	///
 	/// default: []
 	#[serde(default)]
 	pub foci: Vec<RtcFocusInfo>,
 }
 impl MatrixRtcConfig {
 	/// Returns the effective foci, falling back to the deprecated
 	/// `rtc_focus_server_urls` if the new config is empty.
 	#[must_use]
 	pub fn effective_foci<'a>(
 		&'a self,
 		deprecated_foci: &'a [RtcFocusInfo],
 	) -> &'a [RtcFocusInfo] {
 		if !self.foci.is_empty() {
 			&self.foci
 		} else {
 			deprecated_foci
 		}
 	}
 }
 #[derive(Clone, Debug, Default, Deserialize)]
 #[config_example_generator(filename = "conduwuit-example.toml", section = "global.ldap")]
 pub struct LdapConfig {
@@ -2419,7 +2383,6 @@ const DEPRECATED_KEYS: &[&str] = &[
 	"well_known_support_email",
 	"well_known_support_mxid",
 	"registration_token_file",
 	"well_known.rtc_focus_server_urls",
 ];
 impl Config {
@@ -2703,6 +2666,9 @@ fn default_rocksdb_stats_level() -> u8 { 1 }
 #[inline]
 pub fn default_default_room_version() -> RoomVersionId { RoomVersionId::V11 }
 #[must_use]
 pub fn default_rtc_focus_urls() -> Vec<RtcFocusInfo> { vec![] }
 fn default_ip_range_denylist() -> Vec<String> {
 	vec![
 		"127.0.0.0/8".to_owned(),
@@ -362,10 +362,6 @@ pub(super) static MAPS: &[Descriptor] = &[
 		name: "userid_blurhash",
 		..descriptor::RANDOM_SMALL
 	},
 	Descriptor {
 		name: "userid_dehydrateddevice",
 		..descriptor::RANDOM_SMALL
 	},
 	Descriptor {
 		name: "userid_devicelistversion",
 		..descriptor::RANDOM_SMALL
@@ -63,9 +63,7 @@ where
 			},
 			| hash_map::Entry::Occupied(_) => {
 				return Err!(Database(
-					"State event's type and state_key combination exists multiple times: {}, {}",
+					"State event's type and state_key combination exists multiple times.",
 					pdu.kind(),
 					state_key
 				));
 			},
 		}
@@ -162,9 +162,7 @@ where
 			},
 			| hash_map::Entry::Occupied(_) => {
 				return Err!(Request(InvalidParam(
-					"Auth event's type and state_key combination exists multiple times: {}, {}",
+					"Auth event's type and state_key combination exists multiple times.",
 					auth_event.kind,
 					auth_event.state_key().unwrap_or("")
 				)));
 			},
 		}
@@ -10,7 +10,7 @@ use std::{
 use base64::{Engine as _, engine::general_purpose::URL_SAFE_NO_PAD};
 use conduwuit_core::{
-	Error, Event, Result, at, debug, err, error,
+	Error, Event, Result, debug, err, error,
 	result::LogErr,
 	trace,
 	utils::{
@@ -175,7 +175,7 @@ impl Service {
 		if !new_events.is_empty() {
 			self.db.mark_as_active(new_events.iter());
-			let new_events_vec = new_events.into_iter().map(at!(1)).collect();
+			let new_events_vec = new_events.into_iter().map(|(_, event)| event).collect();
 			futures.push(self.send_events(dest.clone(), new_events_vec));
 		} else {
 			statuses.remove(dest);
@@ -1,149 +0,0 @@
 use conduwuit::{Err, Result, implement, trace};
 use conduwuit_database::{Deserialized, Json};
 use ruma::{
 	DeviceId, OwnedDeviceId, UserId,
 	api::client::dehydrated_device::{
 		DehydratedDeviceData, put_dehydrated_device::unstable::Request,
 	},
 	serde::Raw,
 };
 use serde::{Deserialize, Serialize};
 #[derive(Clone, Debug, Serialize, Deserialize)]
 pub struct DehydratedDevice {
 	/// Unique ID of the device.
 	pub device_id: OwnedDeviceId,
 	/// Contains serialized and encrypted private data.
 	pub device_data: Raw<DehydratedDeviceData>,
 }
 /// Creates or recreates the user's dehydrated device.
 #[implement(super::Service)]
 #[tracing::instrument(
 	level = "info",
 	skip_all,
 	fields(
 		%user_id,
 		device_id = %request.device_id,
 		display_name = ?request.initial_device_display_name,
 	)
 )]
 pub async fn set_dehydrated_device(&self, user_id: &UserId, request: Request) -> Result {
 	assert!(
 		self.exists(user_id).await,
 		"Tried to create dehydrated device for non-existent user"
 	);
 	let existing_id = self.get_dehydrated_device_id(user_id).await;
 	if existing_id.is_err()
 		&& self
 			.get_device_metadata(user_id, &request.device_id)
 			.await
 			.is_ok()
 	{
 		return Err!("A hydrated device already exists with that ID.");
 	}
 	if let Ok(existing_id) = existing_id {
 		self.remove_device(user_id, &existing_id).await;
 	}
 	self.create_device(
 		user_id,
 		&request.device_id,
 		"",
 		request.initial_device_display_name.clone(),
 		None,
 	)
 	.await?;
 	trace!(device_data = ?request.device_data);
 	self.db.userid_dehydrateddevice.raw_put(
 		user_id,
 		Json(&DehydratedDevice {
 			device_id: request.device_id.clone(),
 			device_data: request.device_data,
 		}),
 	);
 	trace!(device_keys = ?request.device_keys);
 	self.add_device_keys(user_id, &request.device_id, &request.device_keys)
 		.await;
 	trace!(one_time_keys = ?request.one_time_keys);
 	for (one_time_key_key, one_time_key_value) in &request.one_time_keys {
 		self.add_one_time_key(user_id, &request.device_id, one_time_key_key, one_time_key_value)
 			.await?;
 	}
 	Ok(())
 }
 /// Removes a user's dehydrated device.
 ///
 /// Calling this directly will remove the dehydrated data but leak the frontage
 /// device. Thus this is called by the regular device interface such that the
 /// dehydrated data will not leak instead.
 ///
 /// If device_id is given, the user's dehydrated device must match or this is a
 /// no-op, but an Err is still returned to indicate that. Otherwise returns the
 /// removed dehydrated device_id.
 #[implement(super::Service)]
 #[tracing::instrument(
 	level = "debug",
 	skip_all,
 	fields(
 		%user_id,
 		device_id = ?maybe_device_id,
 	)
 )]
 pub(super) async fn remove_dehydrated_device(
 	&self,
 	user_id: &UserId,
 	maybe_device_id: Option<&DeviceId>,
 ) -> Result<OwnedDeviceId> {
 	let Ok(device_id) = self.get_dehydrated_device_id(user_id).await else {
 		return Err!(Request(NotFound("No dehydrated device for this user.")));
 	};
 	if let Some(maybe_device_id) = maybe_device_id {
 		if maybe_device_id != device_id {
 			return Err!(Request(NotFound("Not the user's dehydrated device.")));
 		}
 	}
 	self.db.userid_dehydrateddevice.remove(user_id);
 	Ok(device_id)
 }
 /// Get the device_id of the user's dehydrated device.
 #[implement(super::Service)]
 #[tracing::instrument(
 	level = "debug",
 	skip_all,
 	fields(%user_id)
 )]
 pub async fn get_dehydrated_device_id(&self, user_id: &UserId) -> Result<OwnedDeviceId> {
 	self.get_dehydrated_device(user_id)
 		.await
 		.map(|device| device.device_id)
 }
 /// Get the dehydrated device private data
 #[implement(super::Service)]
 #[tracing::instrument(
 	level = "debug",
 	skip_all,
 	fields(%user_id),
 	ret,
 )]
 pub async fn get_dehydrated_device(&self, user_id: &UserId) -> Result<DehydratedDevice> {
 	self.db
 		.userid_dehydrateddevice
 		.get(user_id)
 		.await
 		.deserialized()
 }
@@ -1,5 +1,3 @@
 pub(super) mod dehydrated_device;
 #[cfg(feature = "ldap")]
 use std::collections::HashMap;
 use std::{collections::BTreeMap, mem, net::IpAddr, sync::Arc};
@@ -7,7 +5,7 @@ use std::{collections::BTreeMap, mem, net::IpAddr, sync::Arc};
 #[cfg(feature = "ldap")]
 use conduwuit::result::LogErr;
 use conduwuit::{
-	Err, Error, Result, Server, debug_warn, err, is_equal_to, trace,
+	Err, Error, Result, Server, at, debug_warn, err, is_equal_to, trace,
 	utils::{self, ReadyExt, stream::TryIgnore, string::Unquoted},
 };
 #[cfg(feature = "ldap")]
@@ -72,7 +70,6 @@ struct Data {
 	userfilterid_filter: Arc<Map>,
 	userid_avatarurl: Arc<Map>,
 	userid_blurhash: Arc<Map>,
 	userid_dehydrateddevice: Arc<Map>,
 	userid_devicelistversion: Arc<Map>,
 	userid_displayname: Arc<Map>,
 	userid_lastonetimekeyupdate: Arc<Map>,
@@ -113,7 +110,6 @@ impl crate::Service for Service {
 				userfilterid_filter: args.db["userfilterid_filter"].clone(),
 				userid_avatarurl: args.db["userid_avatarurl"].clone(),
 				userid_blurhash: args.db["userid_blurhash"].clone(),
 				userid_dehydrateddevice: args.db["userid_dehydrateddevice"].clone(),
 				userid_devicelistversion: args.db["userid_devicelistversion"].clone(),
 				userid_displayname: args.db["userid_displayname"].clone(),
 				userid_lastonetimekeyupdate: args.db["userid_lastonetimekeyupdate"].clone(),
@@ -484,11 +480,6 @@ impl Service {
 	/// Removes a device from a user.
 	pub async fn remove_device(&self, user_id: &UserId, device_id: &DeviceId) {
 		// Remove dehydrated device if this is the dehydrated device
 		let _: Result<_> = self
 			.remove_dehydrated_device(user_id, Some(device_id))
 			.await;
 		let userdeviceid = (user_id, device_id);
 		// Remove tokens
@@ -1012,7 +1003,7 @@ impl Service {
 		device_id: &'a DeviceId,
 		since: Option<u64>,
 		to: Option<u64>,
-	) -> impl Stream<Item = (u64, Raw<AnyToDeviceEvent>)> + Send + 'a {
+	) -> impl Stream<Item = Raw<AnyToDeviceEvent>> + Send + 'a {
 		type Key<'a> = (&'a UserId, &'a DeviceId, u64);
 		let from = (user_id, device_id, since.map_or(0, |since| since.saturating_add(1)));
@@ -1026,7 +1017,7 @@ impl Service {
 					&& device_id == *device_id_
 					&& to.is_none_or(|to| *count <= to)
 			})
-			.map(|((_, _, count), event)| (count, event))
+			.map(at!(1))
 	}
 	pub async fn remove_to_device_events<Until>(
		`@@ -1 +0,0 @@`
			`Added MSC3814 Dehydrated Devices - you can now decrypt messages sent while all devices were logged out.`
		`@@ -1 +0,0 @@`
			Removed the `allow_public_room_directory_without_auth` config option. Contributed by @0xnim.
		`@@ -1 +0,0 @@`
			Implement MSC4143 MatrixRTC transport discovery endpoint. Move RTC foci configuration from `[global.well_known]` to a new `[global.matrix_rtc]` section with a `foci` field. Contributed by @0xnim
		`@@ -1 +0,0 @@`
			`Fixed sliding sync v5 list ranges always starting from 0, causing extra rooms to be unnecessarily processed and returned. Contributed by @0xnim`
		`@@ -1 +0,0 @@`
			`BREAKING: Added an entrypoint to the Docker image. This means you no longer need to specify the binary when running a command using the image. Contributed by @Jade`