fix: Don't break when encountering the server user, as there may be real users after

feat(sentry): Include the commit hash in the release name
chore(deps): Upgrade tracing / telemetry ecosystem
2026-05-26 20:49:55 +00:00 · 2025-11-10 23:56:02 +00:00 · 2025-11-10 16:57:24 +00:00 · 2025-11-10 16:42:28 +00:00 · 2025-11-10 15:56:09 +00:00 · 2025-11-10 05:03:16 +00:00
67 changed files with 1655 additions and 1670 deletions
@@ -40,6 +40,12 @@ creds:
  - registry: registry.gitlab.com
    user: "{{env \"GITLAB_USERNAME\"}}"
    pass: "{{env \"GITLAB_TOKEN\"}}"
  - registry: git.nexy7574.co.uk
    user: "{{env \"N7574_GIT_USERNAME\"}}"
    pass: "{{env \"N7574_GIT_TOKEN\"}}"
  - registry: ghcr.io
    user: "{{env \"GH_PACKAGES_USER\"}}"
    pass: "{{env \"GH_PACKAGES_TOKEN\"}}"
 # Global defaults
 defaults:
@@ -53,3 +59,11 @@ sync:
    target: registry.gitlab.com/continuwuity/continuwuity
    type: repository
    <<: *tags-main
  - source: *source
    target: git.nexy7574.co.uk/mirrored/continuwuity
    type: repository
    <<: *tags-releases
  - source: *source
    target: ghcr.io/continuwuity/continuwuity
    type: repository
    <<: *tags-main
@@ -55,7 +55,7 @@ jobs:
      - name: Setup Node.js
        if: steps.runner-env.outputs.node_major == '' || steps.runner-env.outputs.node_major < '20'
-        uses: https://github.com/actions/setup-node@v5
+        uses: https://github.com/actions/setup-node@v6
        with:
          node-version: 22
@@ -24,7 +24,7 @@ jobs:
    steps:
      - name: 📦 Setup Node.js
-        uses: https://github.com/actions/setup-node@v5
+        uses: https://github.com/actions/setup-node@v6
        with:
          node-version: "22"
@@ -11,7 +11,13 @@ on:
        required: false
        default: false
        type: boolean
-
+  push:
    branches:
      - main
    paths:
      # Re-run when config changes
      - '.forgejo/regsync/regsync.yml'
      - '.forgejo/workflows/mirror-images.yml'
 concurrency:
  group: "mirror-images"
  cancel-in-progress: true
@@ -24,12 +30,25 @@ jobs:
      BUILTIN_REGISTRY_PASSWORD: ${{ secrets.BUILTIN_REGISTRY_PASSWORD }}
      GITLAB_USERNAME: ${{ vars.GITLAB_USERNAME }}
      GITLAB_TOKEN: ${{ secrets.GITLAB_TOKEN }}
      N7574_GIT_USERNAME: ${{ vars.N7574_GIT_USERNAME }}
      N7574_GIT_TOKEN: ${{ secrets.N7574_GIT_TOKEN }}
      GH_PACKAGES_USER: ${{ vars.GH_PACKAGES_USER }}
      GH_PACKAGES_TOKEN: ${{ secrets.GH_PACKAGES_TOKEN }}
    steps:
      - name: Checkout repository
        uses: actions/checkout@v5
        with:
          persist-credentials: false
      # - uses: https://github.com/actions/create-github-app-token@v2
      #   id: app-token
      #   with:
      #     app-id: ${{ vars.GH_APP_ID }}
      #     private-key: ${{ secrets.GH_APP_PRIVATE_KEY }}
      #     github-api-url: https://api.github.com
      #     owner: continuwuity
      #     repositories: continuwuity
      - name: Install regctl
        uses: https://forgejo.ellis.link/continuwuation/regclient-actions/regctl-installer@main
        with:
@@ -7,6 +7,7 @@ on:
      - "Cargo.lock"
      - "Cargo.toml"
      - "rust-toolchain.toml"
      - "nix/**/*"
      - ".forgejo/workflows/update-flake-hashes.yml"
 jobs:
@@ -40,13 +41,22 @@ jobs:
          echo "Base: $base"
          echo "HEAD: $(git rev-parse HEAD)"
          git diff --name-only $base HEAD > changed_files.txt
-          echo "files=$(cat changed_files.txt)" >> $FORGEJO_OUTPUT
+          echo "detected changes in $(cat changed_files.txt)"
          # Join files with commas
          files=$(paste -sd, changed_files.txt)
          echo "files=$files" >> $FORGEJO_OUTPUT
      - name: Debug output
        run: |
          echo "State of output"
          echo "Changed files: ${{ steps.changes.outputs.files }}"
      - name: Get new toolchain hash
        if: contains(steps.changes.outputs.files, 'Cargo.toml') || contains(steps.changes.outputs.files, 'Cargo.lock') || contains(steps.changes.outputs.files, 'rust-toolchain.toml')
        run: |
          # Set the current sha256 to an empty hash to make `nix build` calculate a new one
-          awk '/fromToolchainFile *\{/{found=1; print; next} found && /sha256 =/{sub(/sha256 = .*/, "sha256 = pkgsHost.lib.fakeSha256;"); found=0} 1' flake.nix > temp.nix && mv temp.nix flake.nix
+          awk '/fromToolchainFile *\{/{found=1; print; next} found && /sha256 =/{sub(/sha256 = .*/, "sha256 = lib.fakeSha256;"); found=0} 1' nix/packages/rust.nix > temp.nix
          mv temp.nix nix/packages/rust.nix
          # Build continuwuity and filter for the new hash
          # We do `|| true` because we want this to fail without stopping the workflow
@@ -54,19 +64,21 @@ jobs:
          # Place the new hash in place of the empty hash
          new_hash=$(cat new_toolchain_hash.txt)
-          sed -i "s|pkgsHost.lib.fakeSha256|\"$new_hash\"|" flake.nix
+          sed -i "s|lib.fakeSha256|\"$new_hash\"|" nix/packages/rust.nix
          echo "New hash:"
-          awk -F'"' '/fromToolchainFile/{found=1; next} found && /sha256 =/{print $2; found=0}' flake.nix
+          awk -F'"' '/fromToolchainFile/{found=1; next} found && /sha256 =/{print $2; found=0}' nix/packages/rust.nix
          echo "Expected new hash:"
          cat new_toolchain_hash.txt
          rm new_toolchain_hash.txt
      - name: Get new rocksdb hash
        if: contains(steps.changes.outputs.files, '.nix') || contains(steps.changes.outputs.files, 'flake.lock')
        run: |
          # Set the current sha256 to an empty hash to make `nix build` calculate a new one
-          awk '/repo = "rocksdb";/{found=1; print; next} found && /sha256 =/{sub(/sha256 = .*/, "sha256 = pkgsHost.lib.fakeSha256;"); found=0} 1' flake.nix > temp.nix && mv temp.nix flake.nix
+          awk '/repo = "rocksdb";/{found=1; print; next} found && /sha256 =/{sub(/sha256 = .*/, "sha256 = lib.fakeSha256;"); found=0} 1' nix/packages/rocksdb/package.nix > temp.nix
          mv temp.nix nix/packages/rocksdb/package.nix
          # Build continuwuity and filter for the new hash
          # We do `|| true` because we want this to fail without stopping the workflow
@@ -74,17 +86,17 @@ jobs:
          # Place the new hash in place of the empty hash
          new_hash=$(cat new_rocksdb_hash.txt)
-          sed -i "s|pkgsHost.lib.fakeSha256|\"$new_hash\"|" flake.nix
+          sed -i "s|lib.fakeSha256|\"$new_hash\"|" nix/packages/rocksdb/package.nix
          echo "New hash:"
-          awk -F'"' '/repo = "rocksdb";/{found=1; next} found && /sha256 =/{print $2; found=0}' flake.nix
+          awk -F'"' '/repo = "rocksdb";/{found=1; next} found && /sha256 =/{print $2; found=0}' nix/packages/rocksdb/package.nix
          echo "Expected new hash:"
          cat new_rocksdb_hash.txt
          rm new_rocksdb_hash.txt
      - name: Show diff
-        run: git diff flake.nix
+        run: git diff flake.nix nix
      - name: Push changes
        run: |
@@ -7,7 +7,7 @@ default_stages:
 repos:
  - repo: https://github.com/pre-commit/pre-commit-hooks
-    rev: v5.0.0
+    rev: v6.0.0
    hooks:
        - id: fix-byte-order-marker
        - id: check-case-conflict
@@ -23,7 +23,7 @@ repos:
        - id: check-added-large-files
  - repo: https://github.com/crate-ci/typos
-    rev: v1.26.0
+    rev: v1.39.0
    hooks:
      - id: typos
      - id: typos
@@ -166,8 +166,8 @@ default-features = false
 features = ["raw_value"]
 # Used for appservice registration files
-[workspace.dependencies.serde_yml]
+[workspace.dependencies.serde-saphyr]
-version = "0.0.12"
+version = "0.0.7"
 # Used to load forbidden room/user regex from config
 [workspace.dependencies.serde_regex]
@@ -210,13 +210,13 @@ default-features = false
 version = "0.1.41"
 default-features = false
 [workspace.dependencies.tracing-subscriber]
-version = "0.3.19"
+version = "0.3.20"
 default-features = false
 features = ["env-filter", "std", "tracing", "tracing-log", "ansi", "fmt"]
 [workspace.dependencies.tracing-journald]
 version = "0.3.1"
 [workspace.dependencies.tracing-core]
-version = "0.1.33"
+version = "0.1.34"
 default-features = false
 # for URL previews
@@ -286,7 +286,7 @@ features = [
 ]
 [workspace.dependencies.hyper-util]
-version = "0.1.11"
+version = "=0.1.17"
 default-features = false
 features = [
 	"server-auto",
@@ -351,7 +351,7 @@ version = "0.1.2"
 # Used for matrix spec type definitions and helpers
 [workspace.dependencies.ruma]
 git = "https://forgejo.ellis.link/continuwuation/ruwuma"
-rev = "d18823471ab3c09e77ff03eea346d4c07e572654"
+rev = "50b2a91b2ab8f9830eea80b9911e11234e0eac66"
 features = [
    "compat",
    "rand",
@@ -412,28 +412,27 @@ default-features = false
 # optional opentelemetry, performance measurements, flamegraphs, etc for performance measurements and monitoring
 [workspace.dependencies.opentelemetry]
-version = "0.30.0"
+version = "0.31.0"
 [workspace.dependencies.tracing-flame]
 version = "0.2.0"
 [workspace.dependencies.tracing-opentelemetry]
-version = "0.31.0"
+version = "0.32.0"
 [workspace.dependencies.opentelemetry_sdk]
-version = "0.30.0"
+version = "0.31.0"
 features = ["rt-tokio"]
 [workspace.dependencies.opentelemetry-otlp]
-version = "0.30.0"
+version = "0.31.0"
 features = ["http", "trace", "logs", "metrics"]
-[workspace.dependencies.opentelemetry-jaeger-propagator]
+
 version = "0.30.0"
 # optional sentry metrics for crash/panic reporting
 [workspace.dependencies.sentry]
-version = "0.42.0"
+version = "0.45.0"
 default-features = false
 features = [
    "backtrace",
@@ -449,9 +448,9 @@ features = [
 ]
 [workspace.dependencies.sentry-tracing]
-version = "0.42.0"
+version = "0.45.0"
 [workspace.dependencies.sentry-tower]
-version = "0.42.0"
+version = "0.45.0"
 # jemalloc usage
 [workspace.dependencies.tikv-jemalloc-sys]
@@ -477,7 +476,7 @@ default-features = false
 features = ["use_std"]
 [workspace.dependencies.console-subscriber]
-version = "0.4"
+version = "0.5"
 [workspace.dependencies.nix]
 version = "0.30.1"
@@ -564,19 +563,7 @@ version = "0.7.5"
 # backport of [https://github.com/tokio-rs/tracing/pull/2956] to the 0.1.x branch of tracing.
 # we can switch back to upstream if #2956 is merged and backported in the upstream repo.
-# https://forgejo.ellis.link/continuwuation/tracing/commit/b348dca742af641c47bc390261f60711c2af573c
+
 [patch.crates-io.tracing-subscriber]
 git = "https://forgejo.ellis.link/continuwuation/tracing"
 rev = "1e64095a8051a1adf0d1faa307f9f030889ec2aa"
 [patch.crates-io.tracing]
 git = "https://forgejo.ellis.link/continuwuation/tracing"
 rev = "1e64095a8051a1adf0d1faa307f9f030889ec2aa"
 [patch.crates-io.tracing-core]
 git = "https://forgejo.ellis.link/continuwuation/tracing"
 rev = "1e64095a8051a1adf0d1faa307f9f030889ec2aa"
 [patch.crates-io.tracing-log]
 git = "https://forgejo.ellis.link/continuwuation/tracing"
 rev = "1e64095a8051a1adf0d1faa307f9f030889ec2aa"
 # adds a tab completion callback: https://forgejo.ellis.link/continuwuation/rustyline-async/src/branch/main/.patchy/0002-add-tab-completion-callback.patch
 # adds event for CTRL+\: https://forgejo.ellis.link/continuwuation/rustyline-async/src/branch/main/.patchy/0001-add-event-for-ctrl.patch
@@ -600,7 +587,7 @@ rev = "9c8e51510c35077df888ee72a36b4b05637147da"
 # reverts hyperium#148 conflicting with our delicate federation resolver hooks
 [patch.crates-io.hyper-util]
 git = "https://forgejo.ellis.link/continuwuation/hyper-util"
-rev = "e4ae7628fe4fcdacef9788c4c8415317a4489941"
+rev = "5886d5292bf704c246206ad72d010d674a7b77d0"
 #
 # Our crates
@@ -957,6 +957,21 @@
 #
 #rocksdb_bottommost_compression = true
 # Compression algorithm for RocksDB's Write-Ahead-Log (WAL).
 #
 # At present, only ZSTD compression is supported by RocksDB for WAL
 # compression. Enabling this can reduce WAL size at the expense of some
 # CPU usage during writes.
 #
 # The options are:
 # - "none" = No compression
 # - "zstd" = ZSTD compression
 #
 # For more information on WAL compression, see:
 # https://github.com/facebook/rocksdb/wiki/WAL-Compression
 #
 #rocksdb_wal_compression = "zstd"
 # Database recovery mode (for RocksDB WAL corruption).
 #
 # Use this option when the server reports corruption and refuses to start.
@@ -1497,6 +1512,19 @@
 #
 #block_non_admin_invites = false
 # Enable or disable making requests to MSC4284 Policy Servers.
 # It is recommended you keep this enabled unless you experience frequent
 # connectivity issues, such as in a restricted networking environment.
 #
 #enable_msc4284_policy_servers = true
 # Enable running locally generated events through configured MSC4284
 # policy servers. You may wish to disable this if your server is
 # single-user for a slight speed benefit in some rooms, but otherwise
 # should leave it enabled.
 #
 #policy_server_check_own_events = true
 # Allow admins to enter commands in rooms other than "#admins" (admin
 # room) by prefixing your message with "\!admin" or "\\!admin" followed up
 # a normal continuwuity admin command. The reply will be publicly visible
@@ -48,7 +48,7 @@ EOF
 # Developer tool versions
 # renovate: datasource=github-releases depName=cargo-bins/cargo-binstall
-ENV BINSTALL_VERSION=1.15.7
+ENV BINSTALL_VERSION=1.15.10
 # renovate: datasource=github-releases depName=psastras/sbom-rs
 ENV CARGO_SBOM_VERSION=0.9.1
 # renovate: datasource=crate depName=lddtree
@@ -18,7 +18,7 @@ RUN --mount=type=cache,target=/etc/apk/cache apk add \
 # Developer tool versions
 # renovate: datasource=github-releases depName=cargo-bins/cargo-binstall
-ENV BINSTALL_VERSION=1.15.7
+ENV BINSTALL_VERSION=1.15.10
 # renovate: datasource=github-releases depName=psastras/sbom-rs
 ENV CARGO_SBOM_VERSION=0.9.1
 # renovate: datasource=crate depName=lddtree
@@ -1078,7 +1078,10 @@ Respecting homeservers put this file here for listing administration, moderation
 * `delete` — - Deletes a single media file from our database and on the filesystem via a single MXC URL or event ID (not redacted)
 * `delete-list` — - Deletes a codeblock list of MXC URLs from our database and on the filesystem. This will always ignore errors
-* `delete-past-remote-media` — - Deletes all remote (and optionally local) media created before or after [duration] time using filesystem metadata first created at date, or fallback to last modified date. This will always ignore errors by default
+* `delete-past-remote-media` — Deletes all remote (and optionally local) media created before/after
 [duration] ago, using filesystem metadata first created at date, or
 fallback to last modified date. This will always ignore errors by
 default.
 * `delete-all-from-user` — - Deletes all the local media from a local user on our server. This will always ignore errors by default
 * `delete-all-from-server` — - Deletes all remote media from the specified remote server. This will always ignore errors by default
 * `get-file-info` —
@@ -1110,13 +1113,25 @@ Respecting homeservers put this file here for listing administration, moderation
 ## `admin media delete-past-remote-media`
- Deletes all remote (and optionally local) media created before or after [duration] time using filesystem metadata first created at date, or fallback to last modified date. This will always ignore errors by default
+Deletes all remote (and optionally local) media created before/after
 [duration] ago, using filesystem metadata first created at date, or
 fallback to last modified date. This will always ignore errors by
 default.
 * Examples:
  * Delete all remote media older than a year:
    `!admin media delete-past-remote-media -b 1y`
  * Delete all remote and local media from 3 days ago, up until now:
    `!admin media delete-past-remote-media -a 3d --yes-i-want-to-delete-local-media`
 **Usage:** `admin media delete-past-remote-media [OPTIONS] <DURATION>`
 ###### **Arguments:**
-* `<DURATION>` — - The relative time (e.g. 30s, 5m, 7d) within which to search
+* `<DURATION>` — - The relative time (e.g. 30s, 5m, 7d) from now within which to search
 ###### **Options:**
@@ -241,7 +241,7 @@ lock_b.with_lock(|data_b| {
 ### Code Comments
 - Reference related documentation or parts of the specification
- When a task has multiple ways of being acheved, explain your reasoning for your decision
+- When a task has multiple ways of being achieved, explain your reasoning for your decision
 - Update comments when code changes
 ```rs
@@ -1,94 +1,28 @@
 {
  "nodes": {
-    "attic": {
+    "advisory-db": {
-      "inputs": {
+      "flake": false,
        "crane": "crane",
        "flake-compat": "flake-compat",
        "flake-parts": "flake-parts",
        "nix-github-actions": "nix-github-actions",
        "nixpkgs": "nixpkgs",
        "nixpkgs-stable": "nixpkgs-stable"
      },
      "locked": {
-        "lastModified": 1758711588,
+        "lastModified": 1761112158,
-        "narHash": "sha256-0nZlCCDC5PfndsQJXXtcyrtrfW49I3KadGMDlutzaGU=",
+        "narHash": "sha256-RIXu/7eyKpQHjsPuAUODO81I4ni8f+WYSb7K4mTG6+0=",
-        "owner": "zhaofengli",
+        "owner": "rustsec",
-        "repo": "attic",
+        "repo": "advisory-db",
-        "rev": "12cbeca141f46e1ade76728bce8adc447f2166c6",
+        "rev": "58f3aaec0e1776f4a900737be8cd7cb00972210d",
        "type": "github"
      },
      "original": {
-        "owner": "zhaofengli",
+        "owner": "rustsec",
-        "ref": "main",
+        "repo": "advisory-db",
        "repo": "attic",
        "type": "github"
      }
    },
    "cachix": {
      "inputs": {
        "devenv": "devenv",
        "flake-compat": "flake-compat_2",
        "git-hooks": "git-hooks",
        "nixpkgs": "nixpkgs_2"
      },
      "locked": {
        "lastModified": 1756385612,
        "narHash": "sha256-+NU5MMhuPHHRyvZZWNFG7zt+leRSPsJu1MwhOUzkPUk=",
        "owner": "cachix",
        "repo": "cachix",
        "rev": "dc24688cd67518c3711d511fa369c0f5a131063a",
        "type": "github"
      },
      "original": {
        "owner": "cachix",
        "ref": "master",
        "repo": "cachix",
        "type": "github"
      }
    },
    "cachix_2": {
      "inputs": {
        "devenv": [
          "cachix",
          "devenv"
        ],
        "flake-compat": [
          "cachix",
          "devenv"
        ],
        "git-hooks": [
          "cachix",
          "devenv",
          "git-hooks"
        ],
        "nixpkgs": [
          "cachix",
          "devenv",
          "nixpkgs"
        ]
      },
      "locked": {
        "lastModified": 1748883665,
        "narHash": "sha256-R0W7uAg+BLoHjMRMQ8+oiSbTq8nkGz5RDpQ+ZfxxP3A=",
        "owner": "cachix",
        "repo": "cachix",
        "rev": "f707778d902af4d62d8dd92c269f8e70de09acbe",
        "type": "github"
      },
      "original": {
        "owner": "cachix",
        "ref": "latest",
        "repo": "cachix",
        "type": "github"
      }
    },
    "crane": {
      "locked": {
-        "lastModified": 1751562746,
+        "lastModified": 1760924934,
-        "narHash": "sha256-smpugNIkmDeicNz301Ll1bD7nFOty97T79m4GUMUczA=",
+        "narHash": "sha256-tuuqY5aU7cUkR71sO2TraVKK2boYrdW3gCSXUkF4i44=",
        "owner": "ipetkov",
        "repo": "crane",
-        "rev": "aed2020fd3dc26e1e857d4107a5a67a33ab6c1fd",
+        "rev": "c6b4d5308293d0d04fcfeee92705017537cad02f",
        "type": "github"
      },
      "original": {
@@ -97,53 +31,6 @@
        "type": "github"
      }
    },
    "crane_2": {
      "locked": {
        "lastModified": 1759893430,
        "narHash": "sha256-yAy4otLYm9iZ+NtQwTMEbqHwswSFUbhn7x826RR6djw=",
        "owner": "ipetkov",
        "repo": "crane",
        "rev": "1979a2524cb8c801520bd94c38bb3d5692419d93",
        "type": "github"
      },
      "original": {
        "owner": "ipetkov",
        "ref": "master",
        "repo": "crane",
        "type": "github"
      }
    },
    "devenv": {
      "inputs": {
        "cachix": "cachix_2",
        "flake-compat": [
          "cachix",
          "flake-compat"
        ],
        "git-hooks": [
          "cachix",
          "git-hooks"
        ],
        "nix": "nix",
        "nixpkgs": [
          "cachix",
          "nixpkgs"
        ]
      },
      "locked": {
        "lastModified": 1754404745,
        "narHash": "sha256-BdbW/iTImczgcuATgQIa9sPGuYIBxVq2xqcvICsa2AQ=",
        "owner": "cachix",
        "repo": "devenv",
        "rev": "6563b21105168f90394dfaf58284b078af2d7275",
        "type": "github"
      },
      "original": {
        "owner": "cachix",
        "repo": "devenv",
        "type": "github"
      }
    },
    "fenix": {
      "inputs": {
        "nixpkgs": [
@@ -152,53 +39,20 @@
        "rust-analyzer-src": "rust-analyzer-src"
      },
      "locked": {
-        "lastModified": 1760337631,
+        "lastModified": 1761115517,
-        "narHash": "sha256-3nvEN2lEpWtM1x7nfuiwpYHLNDgEUiWeBbyvy4vtVw8=",
+        "narHash": "sha256-Fev/ag/c3Fp3JBwHfup3lpA5FlNXfkoshnQ7dssBgJ0=",
        "owner": "nix-community",
        "repo": "fenix",
-        "rev": "fee7cf67cbd80a74460563388ac358b394014238",
+        "rev": "320433651636186ea32b387cff05d6bbfa30cea7",
        "type": "github"
      },
      "original": {
        "owner": "nix-community",
        "ref": "main",
        "repo": "fenix",
        "type": "github"
      }
    },
    "flake-compat": {
      "flake": false,
      "locked": {
        "lastModified": 1747046372,
        "narHash": "sha256-CIVLLkVgvHYbgI2UpXvIIBJ12HWgX+fjA8Xf8PUmqCY=",
        "owner": "edolstra",
        "repo": "flake-compat",
        "rev": "9100a0f413b0c601e0533d1d94ffd501ce2e7885",
        "type": "github"
      },
      "original": {
        "owner": "edolstra",
        "repo": "flake-compat",
        "type": "github"
      }
    },
    "flake-compat_2": {
      "flake": false,
      "locked": {
        "lastModified": 1747046372,
        "narHash": "sha256-CIVLLkVgvHYbgI2UpXvIIBJ12HWgX+fjA8Xf8PUmqCY=",
        "owner": "edolstra",
        "repo": "flake-compat",
        "rev": "9100a0f413b0c601e0533d1d94ffd501ce2e7885",
        "type": "github"
      },
      "original": {
        "owner": "edolstra",
        "repo": "flake-compat",
        "type": "github"
      }
    },
    "flake-compat_3": {
      "flake": false,
      "locked": {
        "lastModified": 1747046372,
@@ -217,17 +71,14 @@
    },
    "flake-parts": {
      "inputs": {
-        "nixpkgs-lib": [
+        "nixpkgs-lib": "nixpkgs-lib"
          "attic",
          "nixpkgs"
        ]
      },
      "locked": {
-        "lastModified": 1751413152,
+        "lastModified": 1760948891,
-        "narHash": "sha256-Tyw1RjYEsp5scoigs1384gIg6e0GoBVjms4aXFfRssQ=",
+        "narHash": "sha256-TmWcdiUUaWk8J4lpjzu4gCGxWY6/Ok7mOK4fIFfBuU4=",
        "owner": "hercules-ci",
        "repo": "flake-parts",
-        "rev": "77826244401ea9de6e3bac47c2db46005e1f30b5",
+        "rev": "864599284fc7c0ba6357ed89ed5e2cd5040f0c04",
        "type": "github"
      },
      "original": {
@@ -236,214 +87,13 @@
        "type": "github"
      }
    },
    "flake-parts_2": {
      "inputs": {
        "nixpkgs-lib": [
          "cachix",
          "devenv",
          "nix",
          "nixpkgs"
        ]
      },
      "locked": {
        "lastModified": 1733312601,
        "narHash": "sha256-4pDvzqnegAfRkPwO3wmwBhVi/Sye1mzps0zHWYnP88c=",
        "owner": "hercules-ci",
        "repo": "flake-parts",
        "rev": "205b12d8b7cd4802fbcb8e8ef6a0f1408781a4f9",
        "type": "github"
      },
      "original": {
        "owner": "hercules-ci",
        "repo": "flake-parts",
        "type": "github"
      }
    },
    "flake-utils": {
      "inputs": {
        "systems": "systems"
      },
      "locked": {
        "lastModified": 1731533236,
        "narHash": "sha256-l0KFg5HjrsfsO/JpG+r7fRrqm12kzFHyUHqHCVpMMbI=",
        "owner": "numtide",
        "repo": "flake-utils",
        "rev": "11707dc2f618dd54ca8739b309ec4fc024de578b",
        "type": "github"
      },
      "original": {
        "owner": "numtide",
        "ref": "main",
        "repo": "flake-utils",
        "type": "github"
      }
    },
    "git-hooks": {
      "inputs": {
        "flake-compat": [
          "cachix",
          "flake-compat"
        ],
        "gitignore": "gitignore",
        "nixpkgs": [
          "cachix",
          "nixpkgs"
        ]
      },
      "locked": {
        "lastModified": 1750779888,
        "narHash": "sha256-wibppH3g/E2lxU43ZQHC5yA/7kIKLGxVEnsnVK1BtRg=",
        "owner": "cachix",
        "repo": "git-hooks.nix",
        "rev": "16ec914f6fb6f599ce988427d9d94efddf25fe6d",
        "type": "github"
      },
      "original": {
        "owner": "cachix",
        "repo": "git-hooks.nix",
        "type": "github"
      }
    },
    "gitignore": {
      "inputs": {
        "nixpkgs": [
          "cachix",
          "git-hooks",
          "nixpkgs"
        ]
      },
      "locked": {
        "lastModified": 1709087332,
        "narHash": "sha256-HG2cCnktfHsKV0s4XW83gU3F57gaTljL9KNSuG6bnQs=",
        "owner": "hercules-ci",
        "repo": "gitignore.nix",
        "rev": "637db329424fd7e46cf4185293b9cc8c88c95394",
        "type": "github"
      },
      "original": {
        "owner": "hercules-ci",
        "repo": "gitignore.nix",
        "type": "github"
      }
    },
    "nix": {
      "inputs": {
        "flake-compat": [
          "cachix",
          "devenv",
          "flake-compat"
        ],
        "flake-parts": "flake-parts_2",
        "git-hooks-nix": [
          "cachix",
          "devenv",
          "git-hooks"
        ],
        "nixpkgs": [
          "cachix",
          "devenv",
          "nixpkgs"
        ],
        "nixpkgs-23-11": [
          "cachix",
          "devenv"
        ],
        "nixpkgs-regression": [
          "cachix",
          "devenv"
        ]
      },
      "locked": {
        "lastModified": 1752773918,
        "narHash": "sha256-dOi/M6yNeuJlj88exI+7k154z+hAhFcuB8tZktiW7rg=",
        "owner": "cachix",
        "repo": "nix",
        "rev": "031c3cf42d2e9391eee373507d8c12e0f9606779",
        "type": "github"
      },
      "original": {
        "owner": "cachix",
        "ref": "devenv-2.30",
        "repo": "nix",
        "type": "github"
      }
    },
    "nix-filter": {
      "locked": {
        "lastModified": 1757882181,
        "narHash": "sha256-+cCxYIh2UNalTz364p+QYmWHs0P+6wDhiWR4jDIKQIU=",
        "owner": "numtide",
        "repo": "nix-filter",
        "rev": "59c44d1909c72441144b93cf0f054be7fe764de5",
        "type": "github"
      },
      "original": {
        "owner": "numtide",
        "ref": "main",
        "repo": "nix-filter",
        "type": "github"
      }
    },
    "nix-github-actions": {
      "inputs": {
        "nixpkgs": [
          "attic",
          "nixpkgs"
        ]
      },
      "locked": {
        "lastModified": 1737420293,
        "narHash": "sha256-F1G5ifvqTpJq7fdkT34e/Jy9VCyzd5XfJ9TO8fHhJWE=",
        "owner": "nix-community",
        "repo": "nix-github-actions",
        "rev": "f4158fa080ef4503c8f4c820967d946c2af31ec9",
        "type": "github"
      },
      "original": {
        "owner": "nix-community",
        "repo": "nix-github-actions",
        "type": "github"
      }
    },
    "nixpkgs": {
      "locked": {
-        "lastModified": 1751949589,
+        "lastModified": 1760878510,
-        "narHash": "sha256-mgFxAPLWw0Kq+C8P3dRrZrOYEQXOtKuYVlo9xvPntt8=",
+        "narHash": "sha256-K5Osef2qexezUfs0alLvZ7nQFTGS9DL2oTVsIXsqLgs=",
        "owner": "NixOS",
        "repo": "nixpkgs",
-        "rev": "9b008d60392981ad674e04016d25619281550a9d",
+        "rev": "5e2a59a5b1a82f89f2c7e598302a9cacebb72a67",
        "type": "github"
      },
      "original": {
        "owner": "NixOS",
        "ref": "nixpkgs-unstable",
        "repo": "nixpkgs",
        "type": "github"
      }
    },
    "nixpkgs-stable": {
      "locked": {
        "lastModified": 1751741127,
        "narHash": "sha256-t75Shs76NgxjZSgvvZZ9qOmz5zuBE8buUaYD28BMTxg=",
        "owner": "NixOS",
        "repo": "nixpkgs",
        "rev": "29e290002bfff26af1db6f64d070698019460302",
        "type": "github"
      },
      "original": {
        "owner": "NixOS",
        "ref": "nixos-25.05",
        "repo": "nixpkgs",
        "type": "github"
      }
    },
    "nixpkgs_2": {
      "locked": {
        "lastModified": 1754214453,
        "narHash": "sha256-Q/I2xJn/j1wpkGhWkQnm20nShYnG7TI99foDBpXm1SY=",
        "owner": "NixOS",
        "repo": "nixpkgs",
        "rev": "5b09dc45f24cf32316283e62aec81ffee3c3e376",
        "type": "github"
      },
      "original": {
@@ -453,42 +103,40 @@
        "type": "github"
      }
    },
-    "nixpkgs_3": {
+    "nixpkgs-lib": {
      "locked": {
-        "lastModified": 1760256791,
+        "lastModified": 1754788789,
-        "narHash": "sha256-uTpzDHRASEDeFUuToWSQ46Re8beXyG9dx4W36FQa0/c=",
+        "narHash": "sha256-x2rJ+Ovzq0sCMpgfgGaaqgBSwY+LST+WbZ6TytnT9Rk=",
-        "owner": "NixOS",
+        "owner": "nix-community",
-        "repo": "nixpkgs",
+        "repo": "nixpkgs.lib",
-        "rev": "832e3b6db48508ae436c2c7bfc0cf914eac6938e",
+        "rev": "a73b9c743612e4244d865a2fdee11865283c04e6",
        "type": "github"
      },
      "original": {
-        "owner": "NixOS",
+        "owner": "nix-community",
-        "ref": "nixpkgs-unstable",
+        "repo": "nixpkgs.lib",
        "repo": "nixpkgs",
        "type": "github"
      }
    },
    "root": {
      "inputs": {
-        "attic": "attic",
+        "advisory-db": "advisory-db",
-        "cachix": "cachix",
+        "crane": "crane",
        "crane": "crane_2",
        "fenix": "fenix",
-        "flake-compat": "flake-compat_3",
+        "flake-compat": "flake-compat",
-        "flake-utils": "flake-utils",
+        "flake-parts": "flake-parts",
-        "nix-filter": "nix-filter",
+        "nixpkgs": "nixpkgs",
-        "nixpkgs": "nixpkgs_3"
+        "treefmt-nix": "treefmt-nix"
      }
    },
    "rust-analyzer-src": {
      "flake": false,
      "locked": {
-        "lastModified": 1760260966,
+        "lastModified": 1761077270,
-        "narHash": "sha256-pOVvZz/aa+laeaUKyE6PtBevdo4rywMwjhWdSZE/O1c=",
+        "narHash": "sha256-O1uTuvI/rUlubJ8AXKyzh1WSWV3qCZX0huTFUvWLN4E=",
        "owner": "rust-lang",
        "repo": "rust-analyzer",
-        "rev": "c5181dbbe33af6f21b9d83e02fdb6fda298a3b65",
+        "rev": "39990a923c8bca38f5bd29dc4c96e20ee7808d5d",
        "type": "github"
      },
      "original": {
@@ -498,18 +146,23 @@
        "type": "github"
      }
    },
-    "systems": {
+    "treefmt-nix": {
      "inputs": {
        "nixpkgs": [
          "nixpkgs"
        ]
      },
      "locked": {
-        "lastModified": 1681028828,
+        "lastModified": 1760945191,
-        "narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=",
+        "narHash": "sha256-ZRVs8UqikBa4Ki3X4KCnMBtBW0ux1DaT35tgsnB1jM4=",
-        "owner": "nix-systems",
+        "owner": "numtide",
-        "repo": "default",
+        "repo": "treefmt-nix",
-        "rev": "da67096a3b9bf56a91d16901293e51ba5b49a27e",
+        "rev": "f56b1934f5f8fcab8deb5d38d42fd692632b47c2",
        "type": "github"
      },
      "original": {
-        "owner": "nix-systems",
+        "owner": "numtide",
-        "repo": "default",
+        "repo": "treefmt-nix",
        "type": "github"
      }
    }
@@ -1,351 +1,46 @@
 {
  description = "A nix flake for the continuwuity project";
  inputs = {
-    attic.url = "github:zhaofengli/attic?ref=main";
+    # basics
-    cachix.url = "github:cachix/cachix?ref=master";
+    flake-parts.url = "github:hercules-ci/flake-parts";
-    crane = {
+    nixpkgs.url = "github:NixOS/nixpkgs/nixos-unstable";
-      url = "github:ipetkov/crane?ref=master";
+
-    };
+    # for rust via nix
    crane.url = "github:ipetkov/crane";
    fenix = {
-      url = "github:nix-community/fenix?ref=main";
+      url = "github:nix-community/fenix";
      inputs.nixpkgs.follows = "nixpkgs";
    };
    # for vuln checks
    advisory-db = {
      url = "github:rustsec/advisory-db";
      flake = false;
    };
    treefmt-nix = {
      url = "github:numtide/treefmt-nix";
      inputs.nixpkgs.follows = "nixpkgs";
    };
    # for default.nix
    flake-compat = {
      url = "github:edolstra/flake-compat?ref=master";
      flake = false;
    };
-    flake-utils.url = "github:numtide/flake-utils?ref=main";
+
    nix-filter.url = "github:numtide/nix-filter?ref=main";
    nixpkgs.url = "github:NixOS/nixpkgs?ref=nixpkgs-unstable";
  };
  outputs =
-    inputs:
+    inputs@{ flake-parts, ... }:
-    inputs.flake-utils.lib.eachDefaultSystem (
+    flake-parts.lib.mkFlake { inherit inputs; } {
-      system:
+      imports = [ ./nix ];
-      let
+      systems = [
-        pkgsHost = import inputs.nixpkgs {
+        # good support
-          inherit system;
+        "x86_64-linux"
-        };
+        # support untested but theoretically there
-
+        "aarch64-linux"
-        fnx = inputs.fenix.packages.${system};
+      ];
-        # The Rust toolchain to use
+    };
        toolchain = fnx.combine [
          (fnx.fromToolchainFile {
            file = ./rust-toolchain.toml;
            # See also `rust-toolchain.toml`
            sha256 = "sha256-+9FmLhAOezBZCOziO0Qct1NOrfpjNsXxc/8I0c7BdKE=";
          })
          fnx.complete.rustfmt
        ];
        mkScope =
          pkgs:
          pkgs.lib.makeScope pkgs.newScope (self: {
            inherit pkgs inputs;
            craneLib = (inputs.crane.mkLib pkgs).overrideToolchain (_: toolchain);
            main = self.callPackage ./pkg/nix/pkgs/main { };
            liburing = pkgs.liburing.overrideAttrs {
              # Tests weren't building
              outputs = [
                "out"
                "dev"
                "man"
              ];
              buildFlags = [ "library" ];
            };
            rocksdb =
              (pkgs.rocksdb_9_10.override {
                # Override the liburing input for the build with our own so
                # we have it built with the library flag
                inherit (self) liburing;
              }).overrideAttrs
                (old: {
                  src = pkgsHost.fetchFromGitea {
                    domain = "forgejo.ellis.link";
                    owner = "continuwuation";
                    repo = "rocksdb";
                    rev = "10.5.fb";
                    sha256 = "sha256-X4ApGLkHF9ceBtBg77dimEpu720I79ffLoyPa8JMHaU=";
                  };
                  version = "v10.5.fb";
                  cmakeFlags =
                    pkgs.lib.subtractLists [
                      # No real reason to have snappy or zlib, no one uses this
                      "-DWITH_SNAPPY=1"
                      "-DZLIB=1"
                      "-DWITH_ZLIB=1"
                      # We don't need to use ldb or sst_dump (core_tools)
                      "-DWITH_CORE_TOOLS=1"
                      # We don't need to build rocksdb tests
                      "-DWITH_TESTS=1"
                      # We use rust-rocksdb via C interface and don't need C++ RTTI
                      "-DUSE_RTTI=1"
                      # This doesn't exist in RocksDB, and USE_SSE is deprecated for
                      # PORTABLE=$(march)
                      "-DFORCE_SSE42=1"
                      # PORTABLE will get set in main/default.nix
                      "-DPORTABLE=1"
                    ] old.cmakeFlags
                    ++ [
                      # No real reason to have snappy, no one uses this
                      "-DWITH_SNAPPY=0"
                      "-DZLIB=0"
                      "-DWITH_ZLIB=0"
                      # We don't need to use ldb or sst_dump (core_tools)
                      "-DWITH_CORE_TOOLS=0"
                      # We don't need trace tools
                      "-DWITH_TRACE_TOOLS=0"
                      # We don't need to build rocksdb tests
                      "-DWITH_TESTS=0"
                      # We use rust-rocksdb via C interface and don't need C++ RTTI
                      "-DUSE_RTTI=0"
                    ];
                  # outputs has "tools" which we don't need or use
                  outputs = [ "out" ];
                  # preInstall hooks has stuff for messing with ldb/sst_dump which we don't need or use
                  preInstall = "";
                  # We have this already at https://forgejo.ellis.link/continuwuation/rocksdb/commit/a935c0273e1ba44eacf88ce3685a9b9831486155
                  # Unsetting this so we don't have to revert it and make this nix exclusive
                  patches = [ ];
                  postPatch = ''
                    # Fix gcc-13 build failures due to missing <cstdint> and
                    # <system_error> includes, fixed upstream since 8.x
                    sed -e '1i #include <cstdint>' -i db/compaction/compaction_iteration_stats.h
                    sed -e '1i #include <cstdint>' -i table/block_based/data_block_hash_index.h
                    sed -e '1i #include <cstdint>' -i util/string_util.h
                    sed -e '1i #include <cstdint>' -i include/rocksdb/utilities/checkpoint.h
                  '';
                });
          });
        scopeHost = mkScope pkgsHost;
        mkCrossScope =
          crossSystem:
          let
            pkgsCrossStatic =
              (import inputs.nixpkgs {
                inherit system;
                crossSystem = {
                  config = crossSystem;
                };
              }).pkgsStatic;
          in
          mkScope pkgsCrossStatic;
      in
      {
        packages =
          {
            default = scopeHost.main.override {
              disable_features = [
                # Don't include experimental features
                "experimental"
                # jemalloc profiling/stats features are expensive and shouldn't
                # be expected on non-debug builds.
                "jemalloc_prof"
                "jemalloc_stats"
                # This is non-functional on nix for some reason
                "hardened_malloc"
                # conduwuit_mods is a development-only hot reload feature
                "conduwuit_mods"
              ];
            };
            default-debug = scopeHost.main.override {
              profile = "dev";
              # Debug build users expect full logs
              disable_release_max_log_level = true;
              disable_features = [
                # Don't include experimental features
                "experimental"
                # This is non-functional on nix for some reason
                "hardened_malloc"
                # conduwuit_mods is a development-only hot reload feature
                "conduwuit_mods"
              ];
            };
            # Just a test profile used for things like CI and complement
            default-test = scopeHost.main.override {
              profile = "test";
              disable_release_max_log_level = true;
              disable_features = [
                # Don't include experimental features
                "experimental"
                # this is non-functional on nix for some reason
                "hardened_malloc"
                # conduwuit_mods is a development-only hot reload feature
                "conduwuit_mods"
              ];
            };
            all-features = scopeHost.main.override {
              all_features = true;
              disable_features = [
                # Don't include experimental features
                "experimental"
                # jemalloc profiling/stats features are expensive and shouldn't
                # be expected on non-debug builds.
                "jemalloc_prof"
                "jemalloc_stats"
                # This is non-functional on nix for some reason
                "hardened_malloc"
                # conduwuit_mods is a development-only hot reload feature
                "conduwuit_mods"
              ];
            };
            all-features-debug = scopeHost.main.override {
              profile = "dev";
              all_features = true;
              # Debug build users expect full logs
              disable_release_max_log_level = true;
              disable_features = [
                # Don't include experimental features
                "experimental"
                # This is non-functional on nix for some reason
                "hardened_malloc"
                # conduwuit_mods is a development-only hot reload feature
                "conduwuit_mods"
              ];
            };
            hmalloc = scopeHost.main.override { features = [ "hardened_malloc" ]; };
          }
          // builtins.listToAttrs (
            builtins.concatLists (
              builtins.map
                (
                  crossSystem:
                  let
                    binaryName = "static-${crossSystem}";
                    scopeCrossStatic = mkCrossScope crossSystem;
                  in
                  [
                    # An output for a statically-linked binary
                    {
                      name = binaryName;
                      value = scopeCrossStatic.main;
                    }
                    # An output for a statically-linked binary with x86_64 haswell
                    # target optimisations
                    {
                      name = "${binaryName}-x86_64-haswell-optimised";
                      value = scopeCrossStatic.main.override {
                        x86_64_haswell_target_optimised =
                          if (crossSystem == "x86_64-linux-gnu" || crossSystem == "x86_64-linux-musl") then true else false;
                      };
                    }
                    # An output for a statically-linked unstripped debug ("dev") binary
                    {
                      name = "${binaryName}-debug";
                      value = scopeCrossStatic.main.override {
                        profile = "dev";
                        # debug build users expect full logs
                        disable_release_max_log_level = true;
                      };
                    }
                    # An output for a statically-linked unstripped debug binary with the
                    # "test" profile (for CI usage only)
                    {
                      name = "${binaryName}-test";
                      value = scopeCrossStatic.main.override {
                        profile = "test";
                        disable_release_max_log_level = true;
                        disable_features = [
                          # dont include experimental features
                          "experimental"
                          # this is non-functional on nix for some reason
                          "hardened_malloc"
                          # conduwuit_mods is a development-only hot reload feature
                          "conduwuit_mods"
                        ];
                      };
                    }
                    # An output for a statically-linked binary with `--all-features`
                    {
                      name = "${binaryName}-all-features";
                      value = scopeCrossStatic.main.override {
                        all_features = true;
                        disable_features = [
                          # dont include experimental features
                          "experimental"
                          # jemalloc profiling/stats features are expensive and shouldn't
                          # be expected on non-debug builds.
                          "jemalloc_prof"
                          "jemalloc_stats"
                          # this is non-functional on nix for some reason
                          "hardened_malloc"
                          # conduwuit_mods is a development-only hot reload feature
                          "conduwuit_mods"
                        ];
                      };
                    }
                    # An output for a statically-linked binary with `--all-features` and with x86_64 haswell
                    # target optimisations
                    {
                      name = "${binaryName}-all-features-x86_64-haswell-optimised";
                      value = scopeCrossStatic.main.override {
                        all_features = true;
                        disable_features = [
                          # dont include experimental features
                          "experimental"
                          # jemalloc profiling/stats features are expensive and shouldn't
                          # be expected on non-debug builds.
                          "jemalloc_prof"
                          "jemalloc_stats"
                          # this is non-functional on nix for some reason
                          "hardened_malloc"
                          # conduwuit_mods is a development-only hot reload feature
                          "conduwuit_mods"
                        ];
                        x86_64_haswell_target_optimised =
                          if (crossSystem == "x86_64-linux-gnu" || crossSystem == "x86_64-linux-musl") then true else false;
                      };
                    }
                    # An output for a statically-linked unstripped debug ("dev") binary with `--all-features`
                    {
                      name = "${binaryName}-all-features-debug";
                      value = scopeCrossStatic.main.override {
                        profile = "dev";
                        all_features = true;
                        # debug build users expect full logs
                        disable_release_max_log_level = true;
                        disable_features = [
                          # dont include experimental features
                          "experimental"
                          # this is non-functional on nix for some reason
                          "hardened_malloc"
                          # conduwuit_mods is a development-only hot reload feature
                          "conduwuit_mods"
                        ];
                      };
                    }
                    # An output for a statically-linked binary with hardened_malloc
                    {
                      name = "${binaryName}-hmalloc";
                      value = scopeCrossStatic.main.override {
                        features = [ "hardened_malloc" ];
                      };
                    }
                  ]
                )
                [
                  #"x86_64-apple-darwin"
                  #"aarch64-apple-darwin"
                  "x86_64-linux-gnu"
                  "x86_64-linux-musl"
                  "aarch64-linux-musl"
                ]
            )
          );
      }
    );
 }
@@ -0,0 +1,108 @@
 { inputs, ... }:
 {
  perSystem =
    {
      self',
      lib,
      pkgs,
      ...
    }:
    let
      uwulib = inputs.self.uwulib.init pkgs;
      rocksdbAllFeatures = self'.packages.rocksdb.override {
        enableJemalloc = true;
        enableLiburing = true;
      };
      commonAttrs = (uwulib.build.commonAttrs { }) // {
        buildInputs = [
          pkgs.liburing
          pkgs.rust-jemalloc-sys-unprefixed
          rocksdbAllFeatures
        ];
        nativeBuildInputs = [
          pkgs.pkg-config
          # bindgen needs the build platform's libclang. Apparently due to "splicing
          # weirdness", pkgs.rustPlatform.bindgenHook on its own doesn't quite do the
          # right thing here.
          pkgs.rustPlatform.bindgenHook
        ];
        env = {
          LIBCLANG_PATH = lib.makeLibraryPath [ pkgs.llvmPackages.libclang.lib ];
          LD_LIBRARY_PATH = lib.makeLibraryPath [
            pkgs.liburing
            pkgs.rust-jemalloc-sys-unprefixed
            rocksdbAllFeatures
          ];
        }
        // uwulib.environment.buildPackageEnv
        // {
          ROCKSDB_INCLUDE_DIR = "${rocksdbAllFeatures}/include";
          ROCKSDB_LIB_DIR = "${rocksdbAllFeatures}/lib";
        };
      };
      cargoArtifacts = self'.packages.continuwuity-all-features-deps;
    in
    {
      # taken from
      #
      # https://crane.dev/examples/quick-start.html
      checks = {
        continuwuity-all-features-build = self'.packages.continuwuity-all-features-bin;
        continuwuity-all-features-clippy = uwulib.build.craneLibForChecks.cargoClippy (
          commonAttrs
          // {
            inherit cargoArtifacts;
            cargoClippyExtraArgs = "-- --deny warnings";
          }
        );
        continuwuity-all-features-docs = uwulib.build.craneLibForChecks.cargoDoc (
          commonAttrs
          // {
            inherit cargoArtifacts;
            # This can be commented out or tweaked as necessary, e.g. set to
            # `--deny rustdoc::broken-intra-doc-links` to only enforce that lint
            env.RUSTDOCFLAGS = "--deny warnings";
          }
        );
        # Check formatting
        continuwuity-all-features-fmt = uwulib.build.craneLibForChecks.cargoFmt {
          src = uwulib.build.src;
        };
        continuwuity-all-features-toml-fmt = uwulib.build.craneLibForChecks.taploFmt {
          src = pkgs.lib.sources.sourceFilesBySuffices uwulib.build.src [ ".toml" ];
          # taplo arguments can be further customized below as needed
          taploExtraArgs = "--config ${inputs.self}/taplo.toml";
        };
        # Audit dependencies
        continuwuity-all-features-audit = uwulib.build.craneLibForChecks.cargoAudit {
          inherit (inputs) advisory-db;
          src = uwulib.build.src;
        };
        # Audit licenses
        continuwuity-all-features-deny = uwulib.build.craneLibForChecks.cargoDeny {
          src = uwulib.build.src;
        };
        # Run tests with cargo-nextest
        # Consider setting `doCheck = false` on `continuwuity-all-features` if you do not want
        # the tests to run twice
        continuwuity-all-features-nextest = uwulib.build.craneLibForChecks.cargoNextest (
          commonAttrs
          // {
            inherit cargoArtifacts;
            partitions = 1;
            partitionType = "count";
            cargoNextestPartitionsExtraArgs = "--no-tests=pass";
          }
        );
      };
    };
 }
@@ -0,0 +1,11 @@
 {
  imports = [
    ./checks
    ./packages
    ./shells
    ./tests
    ./hydra.nix
    ./fmt.nix
  ];
 }
@@ -0,0 +1,37 @@
 { inputs, ... }:
 {
  # load the flake module from upstream
  imports = [ inputs.treefmt-nix.flakeModule ];
  perSystem =
    { self', lib, ... }:
    {
      treefmt = {
        # repo root as project root
        projectRoot = inputs.self;
        # the formatters
        programs = {
          nixfmt.enable = true;
          typos = {
            enable = true;
            configFile = "${inputs.self}/.typos.toml";
          };
          taplo = {
            enable = true;
            settings = lib.importTOML "${inputs.self}/taplo.toml";
          };
        };
        settings.formatter.rustfmt = {
          command = "${lib.getExe' self'.packages.dev-toolchain "rustfmt"}";
          includes = [ "**/*.rs" ];
          options = [
            "--unstable-features"
            "--edition=2024"
            "--config-path=${inputs.self}/rustfmt.toml"
          ];
        };
      };
    };
 }
@@ -0,0 +1,9 @@
 { inputs, ... }:
 let
  lib = inputs.nixpkgs.lib;
 in
 {
  flake.hydraJobs.packages = builtins.mapAttrs (
    _name: lib.hydraJob
  ) inputs.self.packages.x86_64-linux;
 }
@@ -0,0 +1,60 @@
 { inputs, ... }:
 {
  perSystem =
    {
      self',
      lib,
      pkgs,
      ...
    }:
    let
      uwulib = inputs.self.uwulib.init pkgs;
    in
    {
      packages =
        lib.pipe
          [
            # this is the default variant
            {
              variantName = "default";
              commonAttrsArgs.profile = "release";
              rocksdb = self'.packages.rocksdb;
              features = { };
            }
            # this is the variant with all features enabled (liburing + jemalloc)
            {
              variantName = "all-features";
              commonAttrsArgs.profile = "release";
              rocksdb = self'.packages.rocksdb.override {
                enableJemalloc = true;
                enableLiburing = true;
              };
              features = {
                enabledFeatures = "all";
                disabledFeatures = uwulib.features.defaultDisabledFeatures ++ [ "bindgen-static" ];
              };
            }
          ]
          [
            (builtins.map (cfg: rec {
              deps = {
                name = "continuwuity-${cfg.variantName}-deps";
                value = uwulib.build.buildDeps {
                  features = uwulib.features.calcFeatures cfg.features;
                  inherit (cfg) commonAttrsArgs rocksdb;
                };
              };
              bin = {
                name = "continuwuity-${cfg.variantName}-bin";
                value = uwulib.build.buildPackage {
                  deps = self'.packages.${deps.name};
                  features = uwulib.features.calcFeatures cfg.features;
                  inherit (cfg) commonAttrsArgs rocksdb;
                };
              };
            }))
            (builtins.concatMap builtins.attrValues)
            builtins.listToAttrs
          ];
    };
 }
@@ -0,0 +1,14 @@
 {
  imports = [
    ./continuwuity
    ./rocksdb
    ./rust.nix
    ./uwulib
  ];
  perSystem =
    { self', ... }:
    {
      packages.default = self'.packages.continuwuity-default-bin;
    };
 }
@@ -0,0 +1,12 @@
 {
  perSystem =
    {
      pkgs,
      ...
    }:
    {
      packages = {
        rocksdb = pkgs.callPackage ./package.nix { };
      };
    };
 }
@@ -0,0 +1,88 @@
 {
  lib,
  stdenv,
  rocksdb,
  liburing,
  rust-jemalloc-sys-unprefixed,
  enableJemalloc ? false,
  enableLiburing ? false,
  fetchFromGitea,
  ...
 }:
 let
  notDarwin = !stdenv.hostPlatform.isDarwin;
 in
 (rocksdb.override {
  # Override the liburing input for the build with our own so
  # we have it built with the library flag
  inherit liburing;
  jemalloc = rust-jemalloc-sys-unprefixed;
  # rocksdb fails to build with prefixed jemalloc, which is required on
  # darwin due to [1]. In this case, fall back to building rocksdb with
  # libc malloc. This should not cause conflicts, because all of the
  # jemalloc symbols are prefixed.
  #
  # [1]: https://github.com/tikv/jemallocator/blob/ab0676d77e81268cd09b059260c75b38dbef2d51/jemalloc-sys/src/env.rs#L17
  enableJemalloc = enableJemalloc && notDarwin;
  # for some reason enableLiburing in nixpkgs rocksdb is default true
  # which breaks Darwin entirely
  enableLiburing = enableLiburing && notDarwin;
 }).overrideAttrs
  (old: {
    src = fetchFromGitea {
      domain = "forgejo.ellis.link";
      owner = "continuwuation";
      repo = "rocksdb";
      rev = "10.5.fb";
      sha256 = "sha256-X4ApGLkHF9ceBtBg77dimEpu720I79ffLoyPa8JMHaU=";
    };
    version = "10.5.fb";
    cmakeFlags =
      lib.subtractLists (builtins.map (flag: lib.cmakeBool flag true) [
        # No real reason to have snappy or zlib, no one uses this
        "WITH_SNAPPY"
        "ZLIB"
        "WITH_ZLIB"
        # We don't need to use ldb or sst_dump (core_tools)
        "WITH_CORE_TOOLS"
        # We don't need to build rocksdb tests
        "WITH_TESTS"
        # We use rust-rocksdb via C interface and don't need C++ RTTI
        "USE_RTTI"
        # This doesn't exist in RocksDB, and USE_SSE is deprecated for
        # PORTABLE=$(march)
        "FORCE_SSE42"
      ]) old.cmakeFlags
      ++ (builtins.map (flag: lib.cmakeBool flag false) [
        # No real reason to have snappy, no one uses this
        "WITH_SNAPPY"
        "ZLIB"
        "WITH_ZLIB"
        # We don't need to use ldb or sst_dump (core_tools)
        "WITH_CORE_TOOLS"
        # We don't need trace tools
        "WITH_TRACE_TOOLS"
        # We don't need to build rocksdb tests
        "WITH_TESTS"
        # We use rust-rocksdb via C interface and don't need C++ RTTI
        "USE_RTTI"
      ]);
    enableLiburing = enableLiburing && notDarwin;
    # outputs has "tools" which we don't need or use
    outputs = [ "out" ];
    # preInstall hooks has stuff for messing with ldb/sst_dump which we don't need or use
    preInstall = "";
    # We have this already at https://forgejo.ellis.link/continuwuation/rocksdb/commit/a935c0273e1ba44eacf88ce3685a9b9831486155
    # Unsetting `patches` so we don't have to revert it and make this nix exclusive
    patches = [ ];
  })
@@ -0,0 +1,32 @@
 { inputs, ... }:
 {
  perSystem =
    {
      system,
      lib,
      ...
    }:
    {
      packages =
        let
          fnx = inputs.fenix.packages.${system};
          stable = fnx.fromToolchainFile {
            file = inputs.self + "/rust-toolchain.toml";
            # See also `rust-toolchain.toml`
            sha256 = "sha256-+9FmLhAOezBZCOziO0Qct1NOrfpjNsXxc/8I0c7BdKE=";
          };
        in
        {
          # used for building nix stuff (doesn't include rustfmt overhead)
          build-toolchain = stable;
          # used for dev shells
          dev-toolchain = fnx.combine [
            stable
            # use the nightly rustfmt because we use nightly features
            fnx.complete.rustfmt
          ];
        };
    };
 }
@@ -0,0 +1,108 @@
 args@{ pkgs, inputs, ... }:
 let
  inherit (pkgs) lib;
  uwuenv = import ./environment.nix args;
  selfpkgs = inputs.self.packages.${pkgs.stdenv.system};
 in
 rec {
  # basic, very minimal instance of the crane library with a minimal rust toolchain
  craneLib = (inputs.crane.mkLib pkgs).overrideToolchain (_: selfpkgs.build-toolchain);
  # the checks require more rust toolchain components, hence we have this separate instance of the crane library
  craneLibForChecks = (inputs.crane.mkLib pkgs).overrideToolchain (_: selfpkgs.dev-toolchain);
  # meta information (name, version, etc) of the rust crate based on the Cargo.toml
  crateInfo = craneLib.crateNameFromCargoToml { cargoToml = "${inputs.self}/Cargo.toml"; };
  src =
    let
      # see https://crane.dev/API.html#cranelibfiltercargosources
      #
      # we need to keep the `web` directory which would be filtered out by the regular source filtering function
      #
      # https://crane.dev/API.html#cranelibcleancargosource
      isWebTemplate = path: _type: builtins.match ".*src/web.*" path != null;
      isRust = craneLib.filterCargoSources;
      isNix = path: _type: builtins.match ".+/nix.*" path != null;
      webOrRustNotNix = p: t: !(isNix p t) && (isWebTemplate p t || isRust p t);
    in
    lib.cleanSourceWith {
      src = inputs.self;
      filter = webOrRustNotNix;
      name = "source";
    };
  # common attrs that are shared between building continuwuity's deps and the package itself
  commonAttrs =
    {
      profile ? "dev",
      ...
    }:
    {
      inherit (crateInfo)
        pname
        version
        ;
      inherit src;
      # this prevents unnecessary rebuilds
      strictDeps = true;
      dontStrip = profile == "dev" || profile == "test";
      dontPatchELF = profile == "dev" || profile == "test";
      doCheck = true;
      nativeBuildInputs = [
        # bindgen needs the build platform's libclang. Apparently due to "splicing
        # weirdness", pkgs.rustPlatform.bindgenHook on its own doesn't quite do the
        # right thing here.
        pkgs.rustPlatform.bindgenHook
      ];
    };
  makeRocksDBEnv =
    { rocksdb }:
    {
      ROCKSDB_INCLUDE_DIR = "${rocksdb}/include";
      ROCKSDB_LIB_DIR = "${rocksdb}/lib";
    };
  # function that builds the continuwuity dependencies derivation
  buildDeps =
    {
      rocksdb,
      features,
      commonAttrsArgs,
    }:
    craneLib.buildDepsOnly (
      (commonAttrs commonAttrsArgs)
      // {
        env = uwuenv.buildDepsOnlyEnv // (makeRocksDBEnv { inherit rocksdb; });
        inherit (features) cargoExtraArgs;
      }
    );
  # function that builds the continuwuity package
  buildPackage =
    {
      deps,
      rocksdb,
      features,
      commonAttrsArgs,
    }:
    let
      rocksdbEnv = makeRocksDBEnv { inherit rocksdb; };
    in
    craneLib.buildPackage (
      (commonAttrs commonAttrsArgs)
      // {
        cargoArtifacts = deps;
        doCheck = true;
        env = uwuenv.buildPackageEnv // rocksdbEnv;
        passthru.env = uwuenv.buildPackageEnv // rocksdbEnv;
        meta.mainProgram = crateInfo.pname;
        inherit (features) cargoExtraArgs;
      }
    );
 }
@@ -0,0 +1,10 @@
 { inputs, ... }:
 {
  flake.uwulib = {
    init = pkgs: {
      features = import ./features.nix { inherit pkgs inputs; };
      environment = import ./environment.nix { inherit pkgs inputs; };
      build = import ./build.nix { inherit pkgs inputs; };
    };
  };
 }
@@ -0,0 +1,18 @@
 args@{ pkgs, inputs, ... }:
 let
  uwubuild = import ./build.nix args;
 in
 rec {
  buildDepsOnlyEnv = {
    # https://crane.dev/faq/rebuilds-bindgen.html
    NIX_OUTPATH_USED_AS_RANDOM_SEED = "aaaaaaaaaa";
    CARGO_PROFILE = "release";
  }
  // uwubuild.craneLib.mkCrossToolchainEnv (p: pkgs.clangStdenv);
  buildPackageEnv = {
    GIT_COMMIT_HASH = inputs.self.rev or inputs.self.dirtyRev or "";
    GIT_COMMIT_HASH_SHORT = inputs.self.shortRev or inputs.self.dirtyShortRev or "";
  }
  // buildDepsOnlyEnv;
 }
@@ -0,0 +1,77 @@
 { pkgs, inputs, ... }:
 let
  inherit (pkgs) lib;
 in
 rec {
  defaultDisabledFeatures = [
    # dont include experimental features
    "experimental"
    # jemalloc profiling/stats features are expensive and shouldn't
    # be expected on non-debug builds.
    "jemalloc_prof"
    "jemalloc_stats"
    # this is non-functional on nix for some reason
    "hardened_malloc"
    # conduwuit_mods is a development-only hot reload feature
    "conduwuit_mods"
    # we don't want to enable this feature set by default but be more specific about it
    "full"
  ];
  # We perform default-feature unification in nix, because some of the dependencies
  # on the nix side depend on feature values.
  calcFeatures =
    {
      tomlPath ? "${inputs.self}/src/main",
      # either a list of feature names or a string "all" which enables all non-default features
      enabledFeatures ? [ ],
      disabledFeatures ? defaultDisabledFeatures,
      default_features ? true,
      disable_release_max_log_level ? false,
    }:
    let
      # simple helper to get the contents of a Cargo.toml file in a nix format
      getToml = path: lib.importTOML "${path}/Cargo.toml";
      # get all the features except for the default features
      allFeatures = lib.pipe tomlPath [
        getToml
        (manifest: manifest.features)
        lib.attrNames
        (lib.remove "default")
      ];
      # get just the default enabled features
      allDefaultFeatures = lib.pipe tomlPath [
        getToml
        (manifest: manifest.features.default)
      ];
      # depending on the value of enabledFeatures choose just a set or all non-default features
      #
      # - [ list of features ] -> choose exactly the features listed
      # - "all" -> choose all non-default features
      additionalFeatures = if enabledFeatures == "all" then allFeatures else enabledFeatures;
      # unification with default features (if enabled)
      features = lib.unique (additionalFeatures ++ lib.optionals default_features allDefaultFeatures);
      # prepare the features that are subtracted from the set
      disabledFeatures' =
        disabledFeatures ++ lib.optionals disable_release_max_log_level [ "release_max_log_level" ];
      # construct the final feature set
      finalFeatures = lib.subtractLists disabledFeatures' features;
    in
    {
      # final feature set, useful for querying it
      features = finalFeatures;
      # crane flag with the relevant features
      cargoExtraArgs = builtins.concatStringsSep " " [
        "--no-default-features"
        "--locked"
        (lib.optionalString (finalFeatures != [ ]) "--features")
        (builtins.concatStringsSep "," finalFeatures)
      ];
    };
 }
@@ -0,0 +1,29 @@
 { inputs, ... }:
 {
  perSystem =
    {
      self',
      lib,
      pkgs,
      ...
    }:
    let
      uwulib = inputs.self.uwulib.init pkgs;
      rocksdbAllFeatures = self'.packages.rocksdb.override {
        enableJemalloc = true;
        enableLiburing = true;
      };
    in
    {
      # basic nix shell containing all things necessary to build continuwuity in all flavors manually (on x86_64-linux)
      devShells.default = uwulib.build.craneLib.devShell {
        packages = [
          pkgs.pkg-config
          pkgs.liburing
          pkgs.rust-jemalloc-sys-unprefixed
          rocksdbAllFeatures
        ];
        env.LIBCLANG_PATH = lib.makeLibraryPath [ pkgs.llvmPackages.libclang.lib ];
      };
    };
 }
@@ -0,0 +1,124 @@
 {
  perSystem =
    {
      self',
      lib,
      pkgs,
      ...
    }:
    {
      # run some nixos tests as checks
      checks = lib.pipe self'.packages [
        # we take all packages (names)
        builtins.attrNames
        # we filter out all packages that end with `-bin` (which we are interested in for testing)
        (builtins.filter (lib.hasSuffix "-bin"))
        # for each of these binaries we built the basic nixos test
        #
        # this test was initially yoinked from
        #
        # https://github.com/NixOS/nixpkgs/blob/960ce26339661b1b69c6f12b9063ca51b688615f/nixos/tests/matrix/continuwuity.nix
        (builtins.map (name: {
          name = "test-${name}";
          value = pkgs.testers.runNixOSTest {
            inherit name;
            nodes = {
              continuwuity = {
                services.matrix-continuwuity = {
                  enable = true;
                  package = self'.packages.${name};
                  settings.global = {
                    server_name = name;
                    address = [ "0.0.0.0" ];
                    allow_registration = true;
                    yes_i_am_very_very_sure_i_want_an_open_registration_server_prone_to_abuse = true;
                  };
                  extraEnvironment.RUST_BACKTRACE = "yes";
                };
                networking.firewall.allowedTCPPorts = [ 6167 ];
              };
              client =
                { pkgs, ... }:
                {
                  environment.systemPackages = [
                    (pkgs.writers.writePython3Bin "do_test" { libraries = [ pkgs.python3Packages.matrix-nio ]; } ''
                      import asyncio
                      import nio
                      async def main() -> None:
                          # Connect to continuwuity
                          client = nio.AsyncClient("http://continuwuity:6167", "alice")
                          # Register as user alice
                          response = await client.register("alice", "my-secret-password")
                          # Log in as user alice
                          response = await client.login("my-secret-password")
                          # Create a new room
                          response = await client.room_create(federate=False)
                          print("Matrix room create response:", response)
                          assert isinstance(response, nio.RoomCreateResponse)
                          room_id = response.room_id
                          # Join the room
                          response = await client.join(room_id)
                          print("Matrix join response:", response)
                          assert isinstance(response, nio.JoinResponse)
                          # Send a message to the room
                          response = await client.room_send(
                              room_id=room_id,
                              message_type="m.room.message",
                              content={
                                  "msgtype": "m.text",
                                  "body": "Hello continuwuity!"
                              }
                          )
                          print("Matrix room send response:", response)
                          assert isinstance(response, nio.RoomSendResponse)
                          # Sync responses
                          response = await client.sync(timeout=30000)
                          print("Matrix sync response:", response)
                          assert isinstance(response, nio.SyncResponse)
                          # Check the message was received by continuwuity
                          last_message = response.rooms.join[room_id].timeline.events[-1].body
                          assert last_message == "Hello continuwuity!"
                          # Leave the room
                          response = await client.room_leave(room_id)
                          print("Matrix room leave response:", response)
                          assert isinstance(response, nio.RoomLeaveResponse)
                          # Close the client
                          await client.close()
                      if __name__ == "__main__":
                          asyncio.run(main())
                    '')
                  ];
                };
            };
            testScript = ''
              start_all()
              with subtest("start continuwuity"):
                    continuwuity.wait_for_unit("continuwuity.service")
                    continuwuity.wait_for_open_port(6167)
              with subtest("ensure messages can be exchanged"):
                    client.succeed("do_test >&2")
            '';
          };
        }))
        builtins.listToAttrs
      ];
    };
 }
@@ -12,13 +12,14 @@ Group=conduwuit
 Type=notify-reload
 ReloadSignal=SIGUSR1
 Environment="CONTINUWUITY_CONFIG=/etc/conduwuit/conduwuit.toml"
 Environment="CONTINUWUITY_LOG_TO_JOURNALD=true"
 Environment="CONTINUWUITY_JOURNALD_IDENTIFIER=%N"
-Environment="CONTINUWUITY_DATABASE_PATH=/var/lib/conduwuit"
+Environment="CONTINUWUITY_DATABASE_PATH=%S/conduwuit"
 Environment="CONTINUWUITY_CONFIG_RELOAD_SIGNAL=true"
-ExecStart=/usr/bin/conduwuit
+LoadCredential=conduwuit.toml:/etc/conduwuit/conduwuit.toml
 ExecStart=/usr/bin/conduwuit --config ${CREDENTIALS_DIRECTORY}/conduwuit.toml
 AmbientCapabilities=
 CapabilityBoundingSet=
@@ -52,8 +53,9 @@ SystemCallFilter=@system-service @resources
 SystemCallFilter=~@clock @debug @module @mount @reboot @swap @cpu-emulation @obsolete @timer @chown @setuid @privileged @keyring @ipc
 SystemCallErrorNumber=EPERM
 # ConfigurationDirectory isn't specified here because it's created by
 # the distro's package manager.
 StateDirectory=conduwuit
 ConfigurationDirectory=conduwuit
 RuntimeDirectory=conduwuit
 RuntimeDirectoryMode=0750
@@ -51,7 +51,7 @@ find .cargo/registry/ -executable -name "*.rs" -exec chmod -x {} +
 %install
 install -Dpm0755 target/rpm/conduwuit -t %{buildroot}%{_bindir}
 install -Dpm0644 pkg/conduwuit.service -t %{buildroot}%{_unitdir}
-install -Dpm0644 conduwuit-example.toml %{buildroot}%{_sysconfdir}/conduwuit/conduwuit.toml
+install -Dpm0600 conduwuit-example.toml %{buildroot}%{_sysconfdir}/conduwuit/conduwuit.toml
 %files
 %license LICENSE
@@ -60,7 +60,7 @@ install -Dpm0644 conduwuit-example.toml %{buildroot}%{_sysconfdir}/conduwuit/con
 %doc CONTRIBUTING.md
 %doc README.md
 %doc SECURITY.md
-%config %{_sysconfdir}/conduwuit/conduwuit.toml
+%config(noreplace) %{_sysconfdir}/conduwuit/conduwuit.toml
 %{_bindir}/conduwuit
 %{_unitdir}/conduwuit.service
@@ -1,83 +0,0 @@
 { lib
 , pkgsBuildHost
 , rust
 , stdenv
 }:
 lib.optionalAttrs stdenv.hostPlatform.isStatic
  {
    ROCKSDB_STATIC = "";
  }
 //
 {
  CARGO_BUILD_RUSTFLAGS =
    lib.concatStringsSep
      " "
      (lib.optionals
        stdenv.hostPlatform.isStatic
        [ "-C" "relocation-model=static" ]
      ++ lib.optionals
        (stdenv.buildPlatform.config != stdenv.hostPlatform.config)
        [
          "-l"
          "c"
          "-l"
          "stdc++"
          "-L"
          "${stdenv.cc.cc.lib}/${stdenv.hostPlatform.config}/lib"
        ]
      );
 }
  # What follows is stolen from [here][0]. Its purpose is to properly
  # configure compilers and linkers for various stages of the build, and
  # even covers the case of build scripts that need native code compiled and
  # run on the build platform (I think).
  #
  # [0]: https://github.com/NixOS/nixpkgs/blob/nixpkgs-unstable/pkgs/build-support/rust/lib/default.nix#L48-L68
  //
 (
  let
    inherit (rust.lib) envVars;
  in
  lib.optionalAttrs
    (stdenv.targetPlatform.rust.rustcTarget
    != stdenv.hostPlatform.rust.rustcTarget)
    (
      let
        inherit (stdenv.targetPlatform.rust) cargoEnvVarTarget;
      in
      {
        "CC_${cargoEnvVarTarget}" = envVars.ccForTarget;
        "CXX_${cargoEnvVarTarget}" = envVars.cxxForTarget;
        "CARGO_TARGET_${cargoEnvVarTarget}_LINKER" = envVars.ccForTarget;
      }
    )
  //
  (
    let
      inherit (stdenv.hostPlatform.rust) cargoEnvVarTarget rustcTarget;
    in
    {
      "CC_${cargoEnvVarTarget}" = envVars.ccForHost;
      "CXX_${cargoEnvVarTarget}" = envVars.cxxForHost;
      "CARGO_TARGET_${cargoEnvVarTarget}_LINKER" = envVars.ccForHost;
      CARGO_BUILD_TARGET = rustcTarget;
    }
  )
  //
  (
    let
      inherit (stdenv.buildPlatform.rust) cargoEnvVarTarget;
    in
    {
      "CC_${cargoEnvVarTarget}" = envVars.ccForBuild;
      "CXX_${cargoEnvVarTarget}" = envVars.cxxForBuild;
      "CARGO_TARGET_${cargoEnvVarTarget}_LINKER" = envVars.ccForBuild;
      HOST_CC = "${pkgsBuildHost.stdenv.cc}/bin/cc";
      HOST_CXX = "${pkgsBuildHost.stdenv.cc}/bin/c++";
    }
  )
 )
@@ -1,224 +0,0 @@
 # Dependencies (keep sorted)
 { craneLib
 , inputs
 , jq
 , lib
 , libiconv
 , liburing
 , pkgsBuildHost
 , rocksdb
 , removeReferencesTo
 , rust
 , rust-jemalloc-sys
 , stdenv
  # Options (keep sorted)
 , all_features ? false
 , default_features ? true
  # default list of disabled features
 , disable_features ? [
    # dont include experimental features
    "experimental"
    # jemalloc profiling/stats features are expensive and shouldn't
    # be expected on non-debug builds.
    "jemalloc_prof"
    "jemalloc_stats"
    # this is non-functional on nix for some reason
    "hardened_malloc"
    # conduwuit_mods is a development-only hot reload feature
    "conduwuit_mods"
  ]
 , disable_release_max_log_level ? false
 , features ? [ ]
 , profile ? "release"
  # rocksdb compiled with -march=haswell and target-cpu=haswell rustflag
  # haswell is pretty much any x86 cpu made in the last 12 years, and
  # supports modern CPU extensions that rocksdb can make use of.
  # disable if trying to make a portable x86_64 build for very old hardware
 , x86_64_haswell_target_optimised ? false
 }:
 let
  # We perform default-feature unification in nix, because some of the dependencies
  # on the nix side depend on feature values.
  crateFeatures = path:
    let manifest = lib.importTOML "${path}/Cargo.toml"; in
    lib.remove "default" (lib.attrNames manifest.features);
  crateDefaultFeatures = path:
    (lib.importTOML "${path}/Cargo.toml").features.default;
  allDefaultFeatures = crateDefaultFeatures "${inputs.self}/src/main";
  allFeatures = crateFeatures "${inputs.self}/src/main";
  features' = lib.unique
    (features ++
      lib.optionals default_features allDefaultFeatures ++
      lib.optionals all_features allFeatures);
  disable_features' = disable_features ++ lib.optionals disable_release_max_log_level [ "release_max_log_level" ];
  features'' = lib.subtractLists disable_features' features';
  featureEnabled = feature: builtins.elem feature features'';
  enableLiburing = featureEnabled "io_uring" && !stdenv.hostPlatform.isDarwin;
  # This derivation will set the JEMALLOC_OVERRIDE variable, causing the
  # tikv-jemalloc-sys crate to use the nixpkgs jemalloc instead of building it's
  # own. In order for this to work, we need to set flags on the build that match
  # whatever flags tikv-jemalloc-sys was going to use. These are dependent on
  # which features we enable in tikv-jemalloc-sys.
  rust-jemalloc-sys' = (rust-jemalloc-sys.override {
    # tikv-jemalloc-sys/unprefixed_malloc_on_supported_platforms feature
    unprefixed = true;
  }).overrideAttrs (old: {
    configureFlags = old.configureFlags ++
      # we dont need docs
      [ "--disable-doc" ] ++
      # we dont need cxx/C++ integration
      [ "--disable-cxx" ] ++
      # tikv-jemalloc-sys/profiling feature
      lib.optional (featureEnabled "jemalloc_prof") "--enable-prof" ++
      # tikv-jemalloc-sys/stats feature
      (if (featureEnabled "jemalloc_stats") then [ "--enable-stats" ] else [ "--disable-stats" ]);
  });
  buildDepsOnlyEnv =
    let
      rocksdb' = (rocksdb.override {
        jemalloc = lib.optional (featureEnabled "jemalloc") rust-jemalloc-sys';
        # rocksdb fails to build with prefixed jemalloc, which is required on
        # darwin due to [1]. In this case, fall back to building rocksdb with
        # libc malloc. This should not cause conflicts, because all of the
        # jemalloc symbols are prefixed.
        #
        # [1]: https://github.com/tikv/jemallocator/blob/ab0676d77e81268cd09b059260c75b38dbef2d51/jemalloc-sys/src/env.rs#L17
        enableJemalloc = featureEnabled "jemalloc" && !stdenv.hostPlatform.isDarwin;
        # for some reason enableLiburing in nixpkgs rocksdb is default true
        # which breaks Darwin entirely
        inherit enableLiburing;
      }).overrideAttrs (old: {
        inherit enableLiburing;
        cmakeFlags = (if x86_64_haswell_target_optimised then
          (lib.subtractLists [
            # dont make a portable build if x86_64_haswell_target_optimised is enabled
            "-DPORTABLE=1"
          ]
            old.cmakeFlags
          ++ [ "-DPORTABLE=haswell" ]) else [ "-DPORTABLE=1" ]
        )
        ++ old.cmakeFlags;
        # outputs has "tools" which we dont need or use
        outputs = [ "out" ];
        # preInstall hooks has stuff for messing with ldb/sst_dump which we dont need or use
        preInstall = "";
      });
    in
    {
      # https://crane.dev/faq/rebuilds-bindgen.html
      NIX_OUTPATH_USED_AS_RANDOM_SEED = "aaaaaaaaaa";
      CARGO_PROFILE = profile;
      ROCKSDB_INCLUDE_DIR = "${rocksdb'}/include";
      ROCKSDB_LIB_DIR = "${rocksdb'}/lib";
    }
    //
    (import ./cross-compilation-env.nix {
      # Keep sorted
      inherit
        lib
        pkgsBuildHost
        rust
        stdenv;
    });
  buildPackageEnv = {
    GIT_COMMIT_HASH = inputs.self.rev or inputs.self.dirtyRev or "";
    GIT_COMMIT_HASH_SHORT = inputs.self.shortRev or inputs.self.dirtyShortRev or "";
  } // buildDepsOnlyEnv // {
    # Only needed in static stdenv because these are transitive dependencies of rocksdb
    CARGO_BUILD_RUSTFLAGS = buildDepsOnlyEnv.CARGO_BUILD_RUSTFLAGS
      + lib.optionalString (enableLiburing && stdenv.hostPlatform.isStatic)
      " -L${lib.getLib liburing}/lib -luring"
      + lib.optionalString x86_64_haswell_target_optimised
      " -Ctarget-cpu=haswell";
  };
  commonAttrs = {
    inherit
      (craneLib.crateNameFromCargoToml {
        cargoToml = "${inputs.self}/Cargo.toml";
      })
      pname
      version;
    src = let filter = inputs.nix-filter.lib; in filter {
      root = inputs.self;
      # Keep sorted
      include = [
        ".cargo"
        "Cargo.lock"
        "Cargo.toml"
        "src"
        "xtask"
      ];
    };
    doCheck = true;
    cargoExtraArgs = "--no-default-features --locked "
      + lib.optionalString
      (features'' != [ ])
      "--features " + (builtins.concatStringsSep "," features'');
    dontStrip = profile == "dev" || profile == "test";
    dontPatchELF = profile == "dev" || profile == "test";
    buildInputs = lib.optional (featureEnabled "jemalloc") rust-jemalloc-sys'
      # needed to build Rust applications on macOS
      ++ lib.optionals stdenv.hostPlatform.isDarwin [
      # https://github.com/NixOS/nixpkgs/issues/206242
      # ld: library not found for -liconv
      libiconv
      # https://stackoverflow.com/questions/69869574/properly-adding-darwin-apple-sdk-to-a-nix-shell
      # https://discourse.nixos.org/t/compile-a-rust-binary-on-macos-dbcrossbar/8612
      pkgsBuildHost.darwin.apple_sdk.frameworks.Security
    ];
    nativeBuildInputs = [
      # bindgen needs the build platform's libclang. Apparently due to "splicing
      # weirdness", pkgs.rustPlatform.bindgenHook on its own doesn't quite do the
      # right thing here.
      pkgsBuildHost.rustPlatform.bindgenHook
      # We don't actually depend on `jq`, but crane's `buildPackage` does, but
      # its `buildDepsOnly` doesn't. This causes those two derivations to have
      # differing values for `NIX_CFLAGS_COMPILE`, which contributes to spurious
      # rebuilds of bindgen and its depedents.
      jq
    ];
  };
 in
 craneLib.buildPackage (commonAttrs // {
  cargoArtifacts = craneLib.buildDepsOnly (commonAttrs // {
    env = buildDepsOnlyEnv;
  });
  doCheck = true;
  cargoExtraArgs = "--no-default-features --locked "
    + lib.optionalString
    (features'' != [ ])
    "--features " + (builtins.concatStringsSep "," features'');
  env = buildPackageEnv;
  passthru = {
    env = buildPackageEnv;
  };
  meta.mainProgram = commonAttrs.pname;
 })
@@ -10,15 +10,19 @@
    "nix": {
        "enabled": true
    },
    "pre-commit": {
        "enabled": true
    },
    "labels": ["Dependencies", "Dependencies/Renovate"],
    "ignoreDeps": [
        "tikv-jemallocator",
        "tikv-jemalloc-sys",
        "tikv-jemalloc-ctl",
-        "opentelemetry",
+        "rustyline-async",
-        "opentelemetry_sdk",
+        "event-listener",
-        "opentelemetry-jaeger",
+        "async-channel",
-        "tracing-opentelemetry"
+        "core_affinity",
        "hyper-util"
    ],
    "github-actions": {
        "enabled": true,
@@ -85,7 +85,7 @@ futures.workspace = true
 log.workspace = true
 ruma.workspace = true
 serde_json.workspace = true
-serde_yml.workspace = true
+serde-saphyr.workspace = true
 tokio.workspace = true
 tracing-subscriber.workspace = true
 tracing.workspace = true
@@ -16,7 +16,7 @@ pub(super) async fn register(&self) -> Result {
 	let range = 1..checked!(body_len - 1)?;
 	let appservice_config_body = body[range].join("\n");
-	let parsed_config = serde_yml::from_str(&appservice_config_body);
+	let parsed_config = serde_saphyr::from_str(&appservice_config_body);
 	match parsed_config {
 		| Err(e) => return Err!("Could not parse appservice config as YAML: {e}"),
 		| Ok(registration) => match self
@@ -57,7 +57,7 @@ pub(super) async fn show_appservice_config(&self, appservice_identifier: String)
 	{
 		| None => return Err!("Appservice does not exist."),
 		| Some(config) => {
-			let config_str = serde_yml::to_string(&config)?;
+			let config_str = serde_saphyr::to_string(&config)?;
 			write!(self, "Config for {appservice_identifier}:\n\n```yaml\n{config_str}\n```")
 		},
 	}
@@ -2,7 +2,8 @@ use std::time::Duration;
 use conduwuit::{
 	Err, Result, debug, debug_info, debug_warn, error, info, trace,
-	utils::time::parse_timepoint_ago, warn,
+	utils::time::{TimeDirection, parse_timepoint_ago},
 	warn,
 };
 use conduwuit_service::media::Dim;
 use ruma::{Mxc, OwnedEventId, OwnedMxcUri, OwnedServerName};
@@ -235,14 +236,19 @@ pub(super) async fn delete_past_remote_media(
 	}
 	assert!(!(before && after), "--before and --after should not be specified together");
-	let duration = parse_timepoint_ago(&duration)?;
+	let direction = if after {
 		TimeDirection::After
 	} else {
 		TimeDirection::Before
 	};
 	let time_boundary = parse_timepoint_ago(&duration)?;
 	let deleted_count = self
 		.services
 		.media
-		.delete_all_remote_media_at_after_time(
+		.delete_all_media_within_timeframe(
-			duration,
+			time_boundary,
-			before,
+			direction,
 			after,
 			yes_i_want_to_delete_local_media,
 		)
 		.await?;
@@ -27,12 +27,24 @@ pub enum MediaCommand {
 	///   filesystem. This will always ignore errors.
 	DeleteList,
-	/// - Deletes all remote (and optionally local) media created before or
+	/// Deletes all remote (and optionally local) media created before/after
-	///   after [duration] time using filesystem metadata first created at date,
+	/// [duration] ago, using filesystem metadata first created at date, or
-	///   or fallback to last modified date. This will always ignore errors by
+	/// fallback to last modified date. This will always ignore errors by
-	///   default.
+	/// default.
 	///
 	/// * Examples:
 	///   * Delete all remote media older than a year:
 	///
 	///     `!admin media delete-past-remote-media -b 1y`
 	///
 	///   * Delete all remote and local media from 3 days ago, up until now:
 	///
 	///     `!admin media delete-past-remote-media -a 3d
 	/// --yes-i-want-to-delete-local-media`
 	#[command(verbatim_doc_comment)]
 	DeletePastRemoteMedia {
-		/// - The relative time (e.g. 30s, 5m, 7d) within which to search
+		/// - The relative time (e.g. 30s, 5m, 7d) from now within which to
 		///   search
 		duration: String,
 		/// - Only delete media created before [duration] ago
@@ -44,7 +44,7 @@ pub(crate) async fn get_hierarchy_route(
 		.as_ref()
 		.and_then(|s| PaginationToken::from_str(s).ok());
-	// Should prevent unexpeded behaviour in (bad) clients
+	// Should prevent unexpected behaviour in (bad) clients
 	if let Some(ref token) = key {
 		if token.suggested_only != body.suggested_only || token.max_depth != max_depth {
 			return Err!(Request(InvalidParam(
@@ -78,7 +78,7 @@ pub(crate) async fn well_known_support(
 			while let Some(user_id) = stream.next().await {
 				// Skip server user
 				if *user_id == services.globals.server_user {
-					break;
+					continue;
 				}
 				contacts.push(Contact {
 					role: role_value.clone(),
@@ -226,6 +226,7 @@ pub fn build(router: Router<State>, server: &Server) -> Router<State> {
 			.ruma_route(&server::well_known_server)
 			.ruma_route(&server::get_content_route)
 			.ruma_route(&server::get_content_thumbnail_route)
 			.ruma_route(&server::get_edutypes_route)
 			.route("/_conduwuit/local_user_count", get(client::conduwuit_local_user_count))
 			.route("/_continuwuity/local_user_count", get(client::conduwuit_local_user_count));
 	} else {
@@ -0,0 +1,19 @@
 use axum::extract::State;
 use conduwuit::Result;
 use ruma::api::federation::edutypes::get_edutypes;
 use crate::Ruma;
 /// # `GET /_matrix/federation/v1/edutypes`
 ///
 /// Lists EDU types we wish to receive
 pub(crate) async fn get_edutypes_route(
 	State(services): State<crate::State>,
 	_body: Ruma<get_edutypes::unstable::Request>,
 ) -> Result<get_edutypes::unstable::Response> {
 	Ok(get_edutypes::unstable::Response {
 		typing: services.config.allow_incoming_typing,
 		presence: services.config.allow_incoming_presence,
 		receipt: services.config.allow_incoming_read_receipts,
 	})
 }
@@ -1,6 +1,6 @@
 use axum::extract::State;
 use conduwuit::{
-	Err, Error, Result, debug_info, matrix::pdu::PduBuilder, utils::IterStream, warn,
+	Err, Error, Result, debug_info, info, matrix::pdu::PduBuilder, utils::IterStream, warn,
 };
 use conduwuit_service::Services;
 use futures::StreamExt;
@@ -22,6 +22,7 @@ use crate::Ruma;
 /// # `GET /_matrix/federation/v1/make_join/{roomId}/{userId}`
 ///
 /// Creates a join template.
 #[tracing::instrument(skip_all, fields(room_id = %body.room_id, user_id = %body.user_id, origin = %body.origin()))]
 pub(crate) async fn create_join_event_template_route(
 	State(services): State<crate::State>,
 	body: Ruma<prepare_join_event::v1::Request>,
@@ -72,11 +73,16 @@ pub(crate) async fn create_join_event_template_route(
 	}
 	let state_lock = services.rooms.state.mutex.lock(&body.room_id).await;
-
+	let is_invited = services
 		.rooms
 		.state_cache
 		.is_invited(&body.user_id, &body.room_id)
 		.await;
 	let join_authorized_via_users_server: Option<OwnedUserId> = {
 		use RoomVersionId::*;
-		if matches!(room_version_id, V1 | V2 | V3 | V4 | V5 | V6 | V7) {
+		if matches!(room_version_id, V1 | V2 | V3 | V4 | V5 | V6 | V7) || is_invited {
-			// room version does not support restricted join rules
+			// room version does not support restricted join rules, or the user is currently
 			// already invited
 			None
 		} else if user_can_perform_restricted_join(
 			&services,
@@ -103,6 +109,10 @@ pub(crate) async fn create_join_event_template_route(
 				.await
 				.map(ToOwned::to_owned)
 			else {
 				info!(
 					"No local user is able to authorize the join of {} into {}",
 					&body.user_id, &body.room_id
 				);
 				return Err!(Request(UnableToGrantJoin(
 					"No user on this server is able to assist in joining."
 				)));
@@ -167,6 +177,7 @@ pub(crate) async fn user_can_perform_restricted_join(
 		)
 		.await
 	else {
 		// No join rules means there's nothing to authorise (defaults to invite)
 		return Ok(false);
 	};
@@ -1,4 +1,5 @@
 pub(super) mod backfill;
 pub(super) mod edutypes;
 pub(super) mod event;
 pub(super) mod event_auth;
 pub(super) mod get_missing_events;
@@ -23,6 +24,7 @@ pub(super) mod version;
 pub(super) mod well_known;
 pub(super) use backfill::*;
 pub(super) use edutypes::*;
 pub(super) use event::*;
 pub(super) use event_auth::*;
 pub(super) use get_missing_events::*;
@@ -92,7 +92,7 @@ ruma.workspace = true
 sanitize-filename.workspace = true
 serde_json.workspace = true
 serde_regex.workspace = true
-serde_yml.workspace = true
+serde-saphyr.workspace = true
 serde.workspace = true
 smallvec.workspace = true
 smallstr.workspace = true
@@ -1128,6 +1128,23 @@ pub struct Config {
 	#[serde(default = "true_fn")]
 	pub rocksdb_bottommost_compression: bool,
 	/// Compression algorithm for RocksDB's Write-Ahead-Log (WAL).
 	///
 	/// At present, only ZSTD compression is supported by RocksDB for WAL
 	/// compression. Enabling this can reduce WAL size at the expense of some
 	/// CPU usage during writes.
 	///
 	/// The options are:
 	/// - "none" = No compression
 	/// - "zstd" = ZSTD compression
 	///
 	/// For more information on WAL compression, see:
 	/// https://github.com/facebook/rocksdb/wiki/WAL-Compression
 	///
 	/// default: "zstd"
 	#[serde(default = "default_rocksdb_wal_compression")]
 	pub rocksdb_wal_compression: String,
 	/// Database recovery mode (for RocksDB WAL corruption).
 	///
 	/// Use this option when the server reports corruption and refuses to start.
@@ -1710,6 +1727,19 @@ pub struct Config {
 	#[serde(default)]
 	pub block_non_admin_invites: bool,
 	/// Enable or disable making requests to MSC4284 Policy Servers.
 	/// It is recommended you keep this enabled unless you experience frequent
 	/// connectivity issues, such as in a restricted networking environment.
 	#[serde(default = "true_fn")]
 	pub enable_msc4284_policy_servers: bool,
 	/// Enable running locally generated events through configured MSC4284
 	/// policy servers. You may wish to disable this if your server is
 	/// single-user for a slight speed benefit in some rooms, but otherwise
 	/// should leave it enabled.
 	#[serde(default = "true_fn")]
 	pub policy_server_check_own_events: bool,
 	/// Allow admins to enter commands in rooms other than "#admins" (admin
 	/// room) by prefixing your message with "\!admin" or "\\!admin" followed up
 	/// a normal continuwuity admin command. The reply will be publicly visible
@@ -2441,6 +2471,8 @@ fn default_rocksdb_compression_algo() -> String {
 		.to_owned()
 }
 fn default_rocksdb_wal_compression() -> String { "zstd".to_owned() }
 /// Default RocksDB compression level is 32767, which is internally read by
 /// RocksDB as the default magic number and translated to the library's default
 /// compression level as they all differ. See their `kDefaultCompressionLevel`.
@@ -83,7 +83,9 @@ pub enum Error {
 	#[error(transparent)]
 	TypedHeader(#[from] axum_extra::typed_header::TypedHeaderRejection),
 	#[error(transparent)]
-	Yaml(#[from] serde_yml::Error),
+	YamlDe(#[from] serde_saphyr::Error),
 	#[error(transparent)]
 	YamlSer(#[from] serde_saphyr::ser_error::Error),
 	// ruma/conduwuit
 	#[error("Arithmetic operation failed: {0}")]
@@ -5,13 +5,17 @@
 use std::{collections::BTreeMap, sync::OnceLock};
-use crate::{SyncMutex, utils::exchange};
+use crate::utils::exchange;
 /// Raw capture of rustc flags used to build each crate in the project. Informed
 /// by rustc_flags_capture macro (one in each crate's mod.rs). This is
 /// done during static initialization which is why it's mutex-protected and pub.
 /// Should not be written to by anything other than our macro.
-pub static FLAGS: SyncMutex<BTreeMap<&str, &[&str]>> = SyncMutex::new(BTreeMap::new());
+///
 /// We specifically use a std mutex here because parking_lot cannot be used
 /// after thread local storage is destroyed on MacOS.
 pub static FLAGS: std::sync::Mutex<BTreeMap<&str, &[&str]>> =
 	std::sync::Mutex::new(BTreeMap::new());
 /// Processed list of enabled features across all project crates. This is
 /// generated from the data in FLAGS.
@@ -24,6 +28,7 @@ fn init_features() -> Vec<&'static str> {
 	let mut features = Vec::new();
 	FLAGS
 		.lock()
 		.expect("locked")
 		.iter()
 		.for_each(|(_, flags)| append_features(&mut features, flags));
@@ -615,15 +615,21 @@ where
 	Ok(true)
 }
-fn is_creator<EV>(v: &RoomVersion, c: &BTreeSet<OwnedUserId>, ce: &EV, user_id: &UserId) -> bool
+fn is_creator<EV>(
 	v: &RoomVersion,
 	c: &BTreeSet<OwnedUserId>,
 	ce: &EV,
 	user_id: &UserId,
 	have_pls: bool,
 ) -> bool
 where
 	EV: Event + Send + Sync,
 {
 	if v.explicitly_privilege_room_creators {
 		c.contains(user_id)
-	} else if v.use_room_create_sender {
+	} else if v.use_room_create_sender && !have_pls {
 		ce.sender() == user_id
-	} else {
+	} else if !have_pls {
 		#[allow(deprecated)]
 		let creator = from_json_str::<RoomCreateEventContent>(ce.content().get())
 			.unwrap()
@@ -632,6 +638,8 @@ where
 			.unwrap();
 		creator == user_id
 	} else {
 		false
 	}
 }
@@ -724,10 +732,11 @@ where
 	}
 	trace!(?creators, "creators for room");
-	let mut join_rules = JoinRule::Invite;
+	let join_rules = if let Some(jr) = &join_rules_event {
-	if let Some(jr) = &join_rules_event {
+		from_json_str::<RoomJoinRulesEventContent>(jr.content().get())?.join_rule
-		join_rules = from_json_str::<RoomJoinRulesEventContent>(jr.content().get())?.join_rule;
+	} else {
-	}
+		JoinRule::Invite
 	};
 	let power_levels_event_id = power_levels_event.as_ref().map(Event::event_id);
 	let sender_membership_event_id = sender_membership_event.as_ref().map(Event::event_id);
@@ -753,8 +762,13 @@ where
 			(int!(0), int!(0))
 		};
 		let user_joined = user_for_join_auth_membership == &MembershipState::Join;
-		let okay_power = is_creator(room_version, &creators, create_room, user_for_join_auth)
+		let okay_power = is_creator(
-			|| auth_user_pl >= invite_level;
+			room_version,
 			&creators,
 			create_room,
 			user_for_join_auth,
 			power_levels_event.as_ref().is_some(),
 		) || auth_user_pl >= invite_level;
 		trace!(
 			auth_user_pl=?auth_user_pl,
 			invite_level=?invite_level,
@@ -769,8 +783,20 @@ where
 		trace!("No auth user given for join auth");
 		false
 	};
-	let sender_creator = is_creator(room_version, &creators, create_room, sender);
+	let sender_creator = is_creator(
-	let target_creator = is_creator(room_version, &creators, create_room, target_user);
+		room_version,
 		&creators,
 		create_room,
 		sender,
 		power_levels_event.as_ref().is_some(),
 	);
 	let target_creator = is_creator(
 		room_version,
 		&creators,
 		create_room,
 		target_user,
 		power_levels_event.as_ref().is_some(),
 	);
 	Ok(match target_membership {
 		| MembershipState::Join => {
@@ -985,7 +1011,7 @@ where
 		},
 		| MembershipState::Leave => {
 			let can_unban = if target_user_current_membership == MembershipState::Ban {
-				sender_creator || sender_power.filter(|&p| p < &power_levels.ban).is_some()
+				sender_creator || sender_power.filter(|&p| p >= &power_levels.ban).is_some()
 			} else {
 				true
 			};
@@ -993,7 +1019,24 @@ where
 				target_user_current_membership,
 				MembershipState::Ban | MembershipState::Leave
 			) {
-				sender_creator || sender_power.filter(|&p| p < &power_levels.kick).is_some()
+				if sender_creator {
 					// sender is a creator
 					true
 				} else if sender_power.filter(|&p| p >= &power_levels.kick).is_none() {
 					// sender lacks kick power level
 					false
 				} else if let Some(sp) = sender_power {
 					if let Some(tp) = target_power {
 						// sender must have more power than target
 						sp > tp
 					} else {
 						// target has default power level
 						true
 					}
 				} else {
 					// sender has default power level
 					false
 				}
 			} else {
 				true
 			};
@@ -1023,7 +1066,7 @@ where
 					"sender cannot kick another user as they are not joined to the room",
 				);
 				false
-			} else if !can_unban {
+			} else if !(can_unban && can_kick) {
 				// If the target is banned, only a room creator or someone with ban power
 				// level can unban them
 				warn!(
@@ -217,14 +217,8 @@ where
 	)
 	.await?;
-	// Add unconflicted state to the resolved state
+	// Ensure unconflicting state is in the final state
 	// We priorities the unconflicting state
 	resolved_state.extend(clean);
 	if stateres_version == StateResolutionVersion::V2_1 {
 		resolved_state.extend(resolved_control);
 		// TODO(hydra): this feels disgusting and wrong but it allows
 		// the state to resolve properly?
 	}
 	debug!("state resolution finished");
 	trace!( map = ?resolved_state, "final resolved state" );
@@ -276,3 +276,22 @@ async fn set_intersection_sorted_stream2() {
 		.await;
 	assert!(r.eq(&["ccc", "ggg", "iii"]));
 }
 #[test]
 fn is_within_bounds() {
 	use std::time::{Duration, SystemTime};
 	use utils::time::{TimeDirection, is_within_bounds};
 	let now = SystemTime::now();
 	let yesterday = now - Duration::from_secs(86400);
 	assert!(is_within_bounds(yesterday, now, TimeDirection::Before));
 	assert!(!is_within_bounds(yesterday, now, TimeDirection::After));
 	let tomorrow = now + Duration::from_secs(86400);
 	assert!(is_within_bounds(tomorrow, now, TimeDirection::After));
 	assert!(!is_within_bounds(tomorrow, now, TimeDirection::Before));
 	assert!(is_within_bounds(now, now, TimeDirection::Before));
 	assert!(is_within_bounds(now, now, TimeDirection::After));
 }
@@ -126,3 +126,24 @@ pub enum Unit {
 	Micros(u128),
 	Nanos(u128),
 }
 #[derive(Eq, PartialEq, Clone, Copy, Debug)]
 pub enum TimeDirection {
 	Before,
 	After,
 }
 /// Checks if `item_time` is before or after `time_boundary`.
 /// If both times are the same, it will return true for both directions, as the
 /// matching is inclusive.
 #[must_use]
 pub fn is_within_bounds(
 	item_time: SystemTime,
 	time_boundary: SystemTime,
 	direction: TimeDirection,
 ) -> bool {
 	match direction {
 		| TimeDirection::Before => item_time <= time_boundary,
 		| TimeDirection::After => item_time >= time_boundary,
 	}
 }
@@ -1,7 +1,9 @@
 use std::{cmp, convert::TryFrom};
-use conduwuit::{Config, Result, utils};
+use conduwuit::{Config, Result, utils, warn};
-use rocksdb::{Cache, DBRecoveryMode, Env, LogLevel, Options, statistics::StatsLevel};
+use rocksdb::{
 	Cache, DBCompressionType, DBRecoveryMode, Env, LogLevel, Options, statistics::StatsLevel,
 };
 use super::{cf_opts::cache_size_f64, logger::handle as handle_log};
@@ -58,6 +60,20 @@ pub(crate) fn db_options(config: &Config, env: &Env, row_cache: &Cache) -> Resul
 	opts.set_max_total_wal_size(1024 * 1024 * 512);
 	opts.set_writable_file_max_buffer_size(1024 * 1024 * 2);
 	// WAL compression
 	let wal_compression = match config.rocksdb_wal_compression.as_ref() {
 		| "zstd" => DBCompressionType::Zstd,
 		| "none" => DBCompressionType::None,
 		| value => {
 			warn!(
 				"Invalid rocksdb_wal_compression value '{value}'. Supported values are 'none' \
 				 or 'zstd'. Defaulting to 'none'."
 			);
 			DBCompressionType::None
 		},
 	};
 	opts.set_wal_compression_type(wal_compression);
 	// Misc
 	opts.set_disable_auto_compactions(!config.rocksdb_compaction);
 	opts.create_missing_column_families(true);
@@ -15,13 +15,13 @@ pub(super) fn flags_capture(args: TokenStream) -> TokenStream {
 		#[ctor]
 		fn _set_rustc_flags() {
-			conduwuit_core::info::rustc::FLAGS.lock().insert(#crate_name, &RUSTC_FLAGS);
+			conduwuit_core::info::rustc::FLAGS.lock().expect("locked").insert(#crate_name, &RUSTC_FLAGS);
 		}
 		// static strings have to be yanked on module unload
 		#[dtor]
 		fn _unset_rustc_flags() {
-			conduwuit_core::info::rustc::FLAGS.lock().remove(#crate_name);
+			conduwuit_core::info::rustc::FLAGS.lock().expect("locked").remove(#crate_name);
 		}
 	};
@@ -62,7 +62,8 @@ standard = [
 	"media_thumbnail",
 	"systemd",
 	"url_preview",
-	"zstd_compression"
+	"zstd_compression",
    "sentry_telemetry"
 ]
 full = [
    "standard",
@@ -129,7 +130,6 @@ perf_measurements = [
 	"dep:tracing-opentelemetry",
 	"dep:opentelemetry_sdk",
 	"dep:opentelemetry-otlp",
 	"dep:opentelemetry-jaeger-propagator",
 	"conduwuit-core/perf_measurements",
 	"conduwuit-core/sentry_telemetry",
 ]
@@ -201,6 +201,7 @@ conduwuit-core.workspace = true
 conduwuit-database.workspace = true
 conduwuit-router.workspace = true
 conduwuit-service.workspace = true
 conduwuit-build-metadata.workspace = true
 clap.workspace = true
 console-subscriber.optional = true
@@ -212,8 +213,6 @@ opentelemetry.optional = true
 opentelemetry.workspace = true
 opentelemetry-otlp.optional = true
 opentelemetry-otlp.workspace = true
 opentelemetry-jaeger-propagator.optional = true
 opentelemetry-jaeger-propagator.workspace = true
 opentelemetry_sdk.optional = true
 opentelemetry_sdk.workspace = true
 sentry-tower.optional = true
@@ -94,7 +94,7 @@ pub(crate) fn init(
 		let otlp_layer = config.allow_otlp.then(|| {
 			opentelemetry::global::set_text_map_propagator(
-				opentelemetry_jaeger_propagator::Propagator::new(),
+				opentelemetry_sdk::propagation::TraceContextPropagator::new(),
 			);
 			let exporter = opentelemetry_otlp::SpanExporter::builder()
@@ -1,10 +1,12 @@
 #![cfg(feature = "sentry_telemetry")]
 use std::{
 	borrow::Cow,
 	str::FromStr,
 	sync::{Arc, OnceLock},
 };
 use conduwuit_build_metadata as build;
 use conduwuit_core::{config::Config, debug, trace};
 use sentry::{
 	Breadcrumb, ClientOptions, Level,
@@ -44,7 +46,7 @@ fn options(config: &Config) -> ClientOptions {
 		server_name,
 		traces_sample_rate: config.sentry_traces_sample_rate,
 		debug: cfg!(debug_assertions),
-		release: sentry::release_name!(),
+		release: release_name(),
 		user_agent: conduwuit_core::version::user_agent().into(),
 		attach_stacktrace: config.sentry_attach_stacktrace,
 		before_send: Some(Arc::new(before_send)),
@@ -91,3 +93,21 @@ fn before_breadcrumb(crumb: Breadcrumb) -> Option<Breadcrumb> {
 	trace!("Sentry breadcrumb: {crumb:?}");
 	Some(crumb)
 }
 fn release_name() -> Option<Cow<'static, str>> {
 	static RELEASE: OnceLock<Option<String>> = OnceLock::new();
 	RELEASE
 		.get_or_init(|| {
 			let pkg_name = env!("CARGO_PKG_NAME");
 			let pkg_version = env!("CARGO_PKG_VERSION");
 			if let Some(commit_short) = build::GIT_COMMIT_HASH_SHORT {
 				Some(format!("{pkg_name}@{pkg_version}+{commit_short}"))
 			} else {
 				Some(format!("{pkg_name}@{pkg_version}"))
 			}
 		})
 		.as_ref()
 		.map(|s| Cow::Borrowed(s.as_str()))
 }
@@ -108,7 +108,7 @@ rustyline-async.workspace = true
 rustyline-async.optional = true
 serde_json.workspace = true
 serde.workspace = true
-serde_yml.workspace = true
+serde-saphyr.workspace = true
 sha2.workspace = true
 termimad.workspace = true
 termimad.optional = true
@@ -271,7 +271,7 @@ impl Service {
 			.id_appserviceregistrations
 			.get(id)
 			.await
-			.and_then(|ref bytes| serde_yml::from_slice(bytes).map_err(Into::into))
+			.and_then(|ref bytes| serde_saphyr::from_slice(bytes).map_err(Into::into))
 			.map_err(|e| err!(Database("Invalid appservice {id:?} registration: {e:?}")))
 	}
@@ -11,7 +11,10 @@ use async_trait::async_trait;
 use base64::{Engine as _, engine::general_purpose};
 use conduwuit::{
 	Err, Result, Server, debug, debug_error, debug_info, debug_warn, err, error, trace,
-	utils::{self, MutexMap},
+	utils::{
 		self, MutexMap,
 		time::{self, TimeDirection},
 	},
 	warn,
 };
 use ruma::{Mxc, OwnedMxcUri, UserId, http_headers::ContentDisposition};
@@ -226,13 +229,12 @@ impl Service {
 		Ok(mxcs)
 	}
-	/// Deletes all remote only media files in the given at or after
+	/// Deletes all media files in the given time frame.
-	/// time/duration. Returns a usize with the amount of media files deleted.
+	/// Returns a usize with the amount of media files deleted.
-	pub async fn delete_all_remote_media_at_after_time(
+	pub async fn delete_all_media_within_timeframe(
 		&self,
-		time: SystemTime,
+		time_boundary: SystemTime,
-		before: bool,
+		direction: TimeDirection,
 		after: bool,
 		yes_i_want_to_delete_local_media: bool,
 	) -> Result<usize> {
 		let all_keys = self.db.get_all_media_keys().await;
@@ -299,18 +301,14 @@ impl Service {
 			debug!("File created at: {file_created_at:?}");
-			if file_created_at >= time && before {
+			if time::is_within_bounds(file_created_at, time_boundary, direction) {
 				debug!(
-					"File is within (before) user duration, pushing to list of file paths and \
+					"File is within bounds ({direction:?} {time_boundary:?}), pushing to list \
-					 keys to delete."
+					 of file paths and keys to delete.",
 				);
 				remote_mxcs.push(mxc.to_string());
 			} else if file_created_at <= time && after {
 				debug!(
 					"File is not within (after) user duration, pushing to list of file paths \
 					 and keys to delete."
 				);
 				remote_mxcs.push(mxc.to_string());
 			} else {
 				debug!("File is outside bounds ({direction:?} {time_boundary:?}), ignoring.");
 			}
 		}
@@ -318,7 +316,7 @@ impl Service {
 			return Err!(Database("Did not found any eligible MXCs to delete."));
 		}
-		debug_info!("Deleting media now in the past {time:?}");
+		debug_info!("Deleting media now {direction:?} {time_boundary:?}");
 		let mut deletion_count: usize = 0;
@@ -5,9 +5,9 @@
 use std::time::Duration;
-use conduwuit::{Err, Event, PduEvent, Result, debug, implement, warn};
+use conduwuit::{Err, Event, PduEvent, Result, debug, debug_info, implement, trace, warn};
 use ruma::{
-	RoomId, ServerName,
+	CanonicalJsonObject, RoomId, ServerName,
 	api::federation::room::policy::v1::Request as PolicyRequest,
 	events::{StateEventType, room::policy::RoomPolicyEventContent},
 };
@@ -25,7 +25,25 @@ use ruma::{
 /// fail-open operation.
 #[implement(super::Service)]
 #[tracing::instrument(skip_all, level = "debug")]
-pub async fn ask_policy_server(&self, pdu: &PduEvent, room_id: &RoomId) -> Result<bool> {
+pub async fn ask_policy_server(
 	&self,
 	pdu: &PduEvent,
 	pdu_json: &CanonicalJsonObject,
 	room_id: &RoomId,
 ) -> Result<bool> {
 	if !self.services.server.config.enable_msc4284_policy_servers {
 		return Ok(true); // don't ever contact policy servers
 	}
 	if self.services.server.config.policy_server_check_own_events
 		&& pdu.origin.is_some()
 		&& self
 			.services
 			.server
 			.is_ours(pdu.origin.as_ref().unwrap().as_str())
 	{
 		return Ok(true); // don't contact policy servers for locally generated events
 	}
 	if *pdu.event_type() == StateEventType::RoomPolicy.into() {
 		debug!(
 			room_id = %room_id,
@@ -47,12 +65,12 @@ pub async fn ask_policy_server(&self, pdu: &PduEvent, room_id: &RoomId) -> Resul
 	let via = match policyserver.via {
 		| Some(ref via) => ServerName::parse(via)?,
 		| None => {
-			debug!("No policy server configured for room {room_id}");
+			trace!("No policy server configured for room {room_id}");
 			return Ok(true);
 		},
 	};
 	if via.is_empty() {
-		debug!("Policy server is empty for room {room_id}, skipping spam check");
+		trace!("Policy server is empty for room {room_id}, skipping spam check");
 		return Ok(true);
 	}
 	if !self.services.state_cache.server_in_room(via, room_id).await {
@@ -66,12 +84,12 @@ pub async fn ask_policy_server(&self, pdu: &PduEvent, room_id: &RoomId) -> Resul
 	let outgoing = self
 		.services
 		.sending
-		.convert_to_outgoing_federation_event(pdu.to_canonical_object())
+		.convert_to_outgoing_federation_event(pdu_json.clone())
 		.await;
-	debug!(
+	debug_info!(
 		room_id = %room_id,
 		via = %via,
-		outgoing = ?outgoing,
+		outgoing = ?pdu_json,
 		"Checking event for spam with policy server"
 	);
 	let response = tokio::time::timeout(
@@ -85,7 +103,10 @@ pub async fn ask_policy_server(&self, pdu: &PduEvent, room_id: &RoomId) -> Resul
 	)
 	.await;
 	let response = match response {
-		| Ok(Ok(response)) => response,
+		| Ok(Ok(response)) => {
 			debug!("Response from policy server: {:?}", response);
 			response
 		},
 		| Ok(Err(e)) => {
 			warn!(
 				via = %via,
@@ -97,16 +118,18 @@ pub async fn ask_policy_server(&self, pdu: &PduEvent, room_id: &RoomId) -> Resul
 			// default.
 			return Err(e);
 		},
-		| Err(_) => {
+		| Err(elapsed) => {
 			warn!(
-				via = %via,
+				%via,
 				event_id = %pdu.event_id(),
-				room_id = %room_id,
+				%room_id,
 				%elapsed,
 				"Policy server request timed out after 10 seconds"
 			);
 			return Err!("Request to policy server timed out");
 		},
 	};
 	trace!("Recommendation from policy server was {}", response.recommendation);
 	if response.recommendation == "spam" {
 		warn!(
 			via = %via,
@@ -255,7 +255,10 @@ where
 		// 14-pre. If the event is not a state event, ask the policy server about it
 		if incoming_pdu.state_key.is_none() {
 			debug!(event_id = %incoming_pdu.event_id, "Checking policy server for event");
-			match self.ask_policy_server(&incoming_pdu, room_id).await {
+			match self
 				.ask_policy_server(&incoming_pdu, &incoming_pdu.to_canonical_object(), room_id)
 				.await
 			{
 				| Ok(false) => {
 					warn!(
 						event_id = %incoming_pdu.event_id,
@@ -1,9 +1,10 @@
-use conduwuit::{Err, Result, implement, matrix::Event, pdu::PduBuilder};
+use conduwuit::{Err, Result, RoomVersion, implement, matrix::Event, pdu::PduBuilder};
 use ruma::{
 	EventId, RoomId, UserId,
 	events::{
 		StateEventType, TimelineEventType,
 		room::{
 			create::RoomCreateEventContent,
 			history_visibility::{HistoryVisibility, RoomHistoryVisibilityEventContent},
 			member::{MembershipState, RoomMemberEventContent},
 			power_levels::{RoomPowerLevels, RoomPowerLevelsEventContent},
@@ -44,6 +45,23 @@ pub async fn user_can_redact(
 		)));
 	}
 	let room_create = self
 		.room_state_get(room_id, &StateEventType::RoomCreate, "")
 		.await?;
 	let create_content: RoomCreateEventContent =
 		serde_json::from_str(room_create.content().get())?;
 	let room_features = RoomVersion::new(&create_content.room_version)?;
 	if room_features.explicitly_privilege_room_creators {
 		let sender_owned = sender.to_owned();
 		if sender == room_create.sender()
 			|| create_content
 				.additional_creators
 				.is_some_and(|cs| cs.contains(&sender_owned))
 		{
 			return Ok(true);
 		}
 	}
 	match self
 		.room_state_get_content::<RoomPowerLevelsEventContent>(
 			room_id,
@@ -68,18 +86,10 @@ pub async fn user_can_redact(
 		},
 		| _ => {
 			// Falling back on m.room.create to judge power level
-			match self
+			Ok(room_create.sender() == sender
-				.room_state_get(room_id, &StateEventType::RoomCreate, "")
+				|| redacting_event
-				.await
+					.as_ref()
-			{
+					.is_ok_and(|redacting_event| redacting_event.sender() == sender))
 				| Ok(room_create) => Ok(room_create.sender() == sender
 					|| redacting_event
 						.as_ref()
 						.is_ok_and(|redacting_event| redacting_event.sender() == sender)),
 				| _ => Err!(Database(
 					"No m.room.power_levels or m.room.create events in database for room"
 				)),
 			}
 		},
 	}
 }
@@ -9,6 +9,7 @@ use conduwuit_core::{
 		state_res::{self, RoomVersion},
 	},
 	utils::{self, IterStream, ReadyExt, stream::TryIgnore},
 	warn,
 };
 use futures::{StreamExt, TryStreamExt, future, future::ready};
 use ruma::{
@@ -19,7 +20,6 @@ use ruma::{
 	uint,
 };
 use serde_json::value::{RawValue, to_raw_value};
 use tracing::warn;
 use super::RoomMutexGuard;
@@ -267,23 +267,19 @@ pub async fn create_hash_and_sign_event(
 			| _ => Err!(Request(Unknown(warn!("Signing event failed: {e}")))),
 		};
 	}
 	// Generate event id
 	pdu.event_id = gen_event_id(&pdu_json, &room_version_id)?;
 	pdu_json.insert("event_id".into(), CanonicalJsonValue::String(pdu.event_id.clone().into()));
 	// Check with the policy server
 	pdu_json.insert("event_id".into(), CanonicalJsonValue::String(pdu.event_id.clone().into()));
 	if room_id.is_some() {
 		trace!(
-			"Checking event {} in room {} with policy server",
+			"Checking event in room {} with policy server",
 			pdu.event_id,
 			pdu.room_id.as_ref().map_or("None", |id| id.as_str())
 		);
 		match self
 			.services
 			.event_handler
-			.ask_policy_server(&pdu, &pdu.room_id_or_hash())
+			.ask_policy_server(&pdu, &pdu_json, pdu.room_id().expect("has room ID"))
 			.await
 		{
 			| Ok(true) => {},
@@ -345,7 +345,7 @@ impl Service {
 	}
 	/// Sets a new displayname or removes it if displayname is None. You still
-	/// need to nofify all rooms of this change.
+	/// need to notify all rooms of this change.
 	pub fn set_displayname(&self, user_id: &UserId, displayname: Option<String>) {
 		if let Some(displayname) = displayname {
 			self.db.userid_displayname.insert(user_id, displayname);
@@ -0,0 +1,6 @@
 [formatting]
 align_entries = true # Align entries vertically. Entries that have table headers, comments, or blank lines between them are not aligned.
 reorder_arrays        = true # Alphabetically reorder array values that are not separated by blank lines.
 reorder_inline_tables = true # Alphabetically reorder inline tables.
 reorder_keys          = true # Alphabetically reorder keys that are not separated by blank lines.
Author	SHA1	Message	Date
Jade	45e4053883	fix: Don't break when encountering the server user, as there may be real users after	2025-11-10 23:56:02 +00:00
Jade Ellis	c0b617f4f1	feat(sentry): Include the commit hash in the release name	2025-11-10 16:57:24 +00:00
Jade Ellis	a28cfd284b	chore(deps): Upgrade tracing / telemetry ecosystem We no longer need the tracing patches, so I've removed those and unpinned them in renovate. otel's jaeger propagator is deprecated too, so it's replaced with the builtin W3C TraceContext propagator	2025-11-10 16:42:28 +00:00
Jade Ellis	a5b9cb69bd	fix(deps): Pin hyper-util back to the patched version	2025-11-10 15:56:09 +00:00
Renovate Bot	3c8f252a14	chore(deps): update opentelemetry-rust monorepo to 0.31.0	2025-11-10 05:03:16 +00:00
Jade	8a63818f31	feat: Enable sentry compilation feature	2025-11-10 01:33:50 +00:00
Renovate Bot	5b5e26e529	chore(deps): update dependency cargo-bins/cargo-binstall to v1.15.10	2025-11-09 19:05:26 +00:00
aviac	866769c054	chore: replace serde-yml with serde-saphyr - serde-yml has an un-addressed [security issue][sec-issue] - [saphyr][saphyr] is a pretty recent and active crate that deals with YAML parsing - based on that, someone recently created [serde-saphyr][serde-saphyr] --- The change was pretty straightforward and mostly "just a search and replace". The new crate has it's `Error` type split into serialization and derserialization errors. Hence I created one Continuwuity-Error variant for each instead of just having a single `Yaml` variant. This was already done previously with the `Toml` errors so I thought this would be rather acceptable. [sec-issue]: https://github.com/advisories/GHSA-gfxp-f68g-8x78 [saphyr]: https://github.com/saphyr-rs/saphyr [serde-saphyr]: https://github.com/saphyr-rs/saphyr/issues/66#issuecomment-3353212289	2025-11-09 11:23:32 +01:00
Renovate Bot	2e3b71f5f1	chore(deps): update rust-patch-updates	2025-11-08 23:57:36 +00:00
Jade	1312d61141	revert `f7867cf6ca` revert ci: Clean up old images	2025-11-08 23:56:02 +00:00
Jade Ellis	f7867cf6ca	ci: Clean up old images	2025-11-08 23:29:25 +00:00
Jade Ellis	2ca6887a5d	chore(ci): Fix merge error	2025-11-08 23:08:10 +00:00
Jade Ellis	368685f8cd	ci: Re-run mirror script when files change	2025-11-08 23:00:37 +00:00
Jade Ellis	ad2d192b94	ci: Use PATs for github registry https://stackoverflow.com/questions/76821352/how-can-you-authenticate-to-the-github-container-registry-using-a-github-app thx github	2025-11-08 23:00:31 +00:00
Jade Ellis	3214e94cdb	ci: Mirror to ghcr	2025-11-08 22:59:27 +00:00
timedout	37c537379d	chore(ci): Add git.nexy7574.co.uk image mirror (#1149 ) secrets were added to the org Reviewed-on: https://forgejo.ellis.link/continuwuation/continuwuity/pulls/1149 Co-authored-by: timedout <git@nexy7574.co.uk> Co-committed-by: timedout <git@nexy7574.co.uk>	2025-11-08 22:56:16 +00:00
Jade Ellis	3c01c5f085	chore: Don't try to update patched deps automatically	2025-11-08 21:17:04 +00:00
Renovate Bot	4c552bb8ca	chore(deps): update pre-commit hook pre-commit/pre-commit-hooks to v6	2025-11-08 20:56:00 +00:00
Jade Ellis	ce73d29855	chore: Fix typos	2025-11-08 20:54:49 +00:00
Renovate Bot	d6e314744b	chore(deps): update pre-commit hook crate-ci/typos to v1.39.0	2025-11-08 14:34:13 +00:00
Jade	ec603188de	ci: Enable pre-commit in renovate	2025-11-08 14:31:35 +00:00
timedout	fbf48addc7	fix(user_can): Fix room creators being unable to redact events in v12 rooms	2025-10-27 14:34:50 +00:00
nexy7574	cbf726580f	fix: Kicks in !v12 are impossible	2025-10-27 14:34:50 +00:00
nexy7574	28f258fc8c	fix: Incorrect interpretation of 5.5.4	2025-10-27 14:34:50 +00:00
nexy7574	8b3acfd770	fix: Inverted creatorship check	2025-10-27 14:34:50 +00:00
nexy7574	a581e8de01	fix: Don't check restricted join rules for invite joins	2025-10-27 14:34:50 +00:00
nexy7574	7c74db5e74	fix: Weird re-application of partially resolved state	2025-10-27 14:34:50 +00:00
nexy7574	b17b4235f3	fix: Unbans and kicks incorrectly checked creatorship in !v12	2025-10-27 14:34:50 +00:00
aviac	ec3564e8aa	chore: use upstream rust-jemalloc-sys-unprefixed after flake.lock update	2025-10-27 12:55:21 +00:00
aviac	9a887ac04b	chore: fix CI to make all checks green - define a nix default package - try to fix CI - fix/improve (?) CI even more (??)	2025-10-27 12:55:21 +00:00
aviac	fed808a3c6	feat: add taplo.toml to check now that we have it	2025-10-27 12:55:21 +00:00
aviac	37983b33a2	feat: add treefmt	2025-10-27 12:55:21 +00:00
aviac	1b2224fac6	feat: add hydra jobs to build all packages	2025-10-27 12:55:21 +00:00
aviac	c1c165ab48	fix: apply rocksdb changes in checks and shll	2025-10-27 12:55:20 +00:00
aviac	68bea1816f	feat(nix): flake-parts, first draft	2025-10-27 12:55:20 +00:00
Odd E. Ebbesen	cb7875e479	fix(#1134 ): Update docs and implementation of `admin media delete-past-remote-media` (#1136 ) Reviewed-on: https://forgejo.ellis.link/continuwuation/continuwuity/pulls/1136 Co-authored-by: Odd E. Ebbesen <git@oddware.net> Co-committed-by: Odd E. Ebbesen <git@oddware.net>	2025-10-27 12:31:25 +00:00
Jade Ellis	910a3182f7	fix: Prevent crash on process exit on MacOS	2025-10-26 17:42:08 +00:00
Jade Ellis	05886f8dcb	feat: Add option to control WAL compression Also enables zstd compression by default	2025-10-26 17:30:42 +00:00
timedout	cff3c27729	fix: Bump ruwuma, export new route, config loading	2025-10-24 16:37:22 -04:00
Kierre	80be2ca22c	Repair	2025-10-24 16:07:06 -04:00
Kierre	d133b6c0c3	feat: set MSC4373 values	2025-10-24 15:33:16 -04:00
Ginger	a3592bd3b7	feat: Make a few improvements to the systemd unit - Use systemd's credential system to supply our config file - Remove `ConfigurationDirectory` to prevent conflicts with package managers - Set `config_reload_signal` to true using an envvar	2025-10-17 13:37:42 +00:00
Ginger	70e8e96302	fix: Use mode 600 for config files on Fedora because they contain secret info	2025-10-17 13:37:42 +00:00
timedout	6002edccd3	perf: Remove extraneous policy server check	2025-10-16 23:57:07 +01:00
timedout	d189004d65	feat: Add more granular controls for policy server calling (#1127 ) Adds two new toggles to the configuration, the first of which allows disabling the policy server checks entirely, and the second of which allows disabling checking events created locally. They're both enabled by default for maximum PS efficacy but allowing them to be disabled allows people who frequently cannot contact policy servers, for example those in censored countries, to be able to still use rooms with pace, allows single-user/trusted-only homeservers to disable the preliminary check on their own events, and also gives an escape hatch in case an issue like #1060 happens again, especially with MSCs not in FCP being moving targets. In future, I think we should gate all MSC implementations behind config flags, even if they default to on. Reviewed-on: https://forgejo.ellis.link/continuwuation/continuwuity/pulls/1127 Reviewed-by: Jade Ellis <jade@ellis.link> Co-authored-by: timedout <git@nexy7574.co.uk> Co-committed-by: timedout <git@nexy7574.co.uk>	2025-10-16 22:45:23 +00:00
timedout	26b700bf51	fix: Policy server calls use the correct JSON object (#1126 ) Fixes #1060 Reviewed-on: https://forgejo.ellis.link/continuwuation/continuwuity/pulls/1126 Reviewed-by: Jacob Taylor <aranjedeath@noreply.forgejo.ellis.link> Co-authored-by: timedout <git@nexy7574.co.uk> Co-committed-by: timedout <git@nexy7574.co.uk>	2025-10-16 21:06:54 +00:00
Renovate Bot	09f24745c3	chore(deps): lock file maintenance	2025-10-15 19:05:50 +00:00
Renovate Bot	7ffbbe6890	chore(deps): update https://github.com/actions/setup-node action to v6	2025-10-15 18:55:02 +00:00
Renovate Bot	ad94c112fe	chore(deps): update rust-patch-updates	2025-10-15 17:55:58 +00:00