style: Fix clippy

fix: Use to_str methods on room IDs
chore: cleanup
2026-05-26 20:49:55 +00:00 · 2026-04-09 15:37:39 +01:00 · 2026-04-09 15:32:32 +01:00 · 2026-04-09 15:32:32 +01:00 · 2026-04-09 15:32:32 +01:00 · 2026-04-09 15:32:31 +01:00
415 changed files with 14185 additions and 13389 deletions
@@ -44,7 +44,7 @@ runs:

    - name: Login to builtin registry
      if: ${{ env.BUILTIN_REGISTRY_ENABLED == 'true' }}
-      uses: docker/login-action@650006c6eb7dba73a995cc03b0b2d7f5ca915bee # v4
+      uses: docker/login-action@v4
      with:
        registry: ${{ env.BUILTIN_REGISTRY }}
        username: ${{ inputs.registry_user }}
@@ -52,7 +52,7 @@ runs:

    - name: Set up Docker Buildx
      if: ${{ env.BUILTIN_REGISTRY_ENABLED == 'true' }}
-      uses: docker/setup-buildx-action@d7f5e7f509e45cec5c76c4d5afdd7de93d0b3df5 # v4
+      uses: docker/setup-buildx-action@v4
      with:
        # Use persistent BuildKit if BUILDKIT_ENDPOINT is set (e.g. tcp://buildkit:8125)
        driver: ${{ env.BUILDKIT_ENDPOINT != '' && 'remote' || 'docker-container' }}
@@ -61,7 +61,7 @@ runs:
    - name: Extract metadata (tags) for Docker
      if: ${{ env.BUILTIN_REGISTRY_ENABLED == 'true' }}
      id: meta
-      uses: docker/metadata-action@80c7e94dd9b9319bd5eb7a0e0fe9291e23a2a2e9 # v6
+      uses: docker/metadata-action@v6
      with:
        flavor: |
          latest=auto
@@ -67,7 +67,7 @@ runs:
      uses: ./.forgejo/actions/rust-toolchain

    - name: Set up Docker Buildx
-      uses: docker/setup-buildx-action@d7f5e7f509e45cec5c76c4d5afdd7de93d0b3df5 # v4
+      uses: docker/setup-buildx-action@v4
      with:
        # Use persistent BuildKit if BUILDKIT_ENDPOINT is set (e.g. tcp://buildkit:8125)
        driver: ${{ env.BUILDKIT_ENDPOINT != '' && 'remote' || 'docker-container' }}
@@ -75,11 +75,11 @@ runs:

    - name: Set up QEMU
      if: ${{ env.BUILDKIT_ENDPOINT == '' }}
-      uses: docker/setup-qemu-action@ce360397dd3f832beb865e1373c09c0e9f86d70a # v4
+      uses: docker/setup-qemu-action@v4

    - name: Login to builtin registry
      if: ${{ env.BUILTIN_REGISTRY_ENABLED == 'true' }}
-      uses: docker/login-action@650006c6eb7dba73a995cc03b0b2d7f5ca915bee # v4
+      uses: docker/login-action@v4
      with:
        registry: ${{ env.BUILTIN_REGISTRY }}
        username: ${{ inputs.registry_user }}
@@ -87,7 +87,7 @@ runs:

    - name: Extract metadata (labels, annotations) for Docker
      id: meta
-      uses: docker/metadata-action@80c7e94dd9b9319bd5eb7a0e0fe9291e23a2a2e9 # v6
+      uses: docker/metadata-action@v6
      with:
        images: ${{ inputs.images }}
        # default labels & annotations: https://github.com/docker/metadata-action/blob/master/src/meta.ts#L509
@@ -111,3 +111,59 @@ runs:

    - uses: ./.forgejo/actions/timelord
      id: timelord
+
+    - name: Cache Rust registry
+      if: ${{ env.BUILDKIT_ENDPOINT == '' }}
+      uses: actions/cache@v3
+      with:
+        path: |
+          .cargo/git
+          .cargo/git/checkouts
+          .cargo/registry
+          .cargo/registry/src
+        key: continuwuity-rust-registry-image-${{hashFiles('**/Cargo.lock') }}
+
+    - name: Cache cargo target
+      if: ${{ env.BUILDKIT_ENDPOINT == '' }}
+      id: cache-cargo-target
+      uses: actions/cache@v3
+      with:
+        path: |
+          cargo-target${{ env.CPU_SUFFIX }}-${{ inputs.slug }}-${{ inputs.profile }}
+        key: continuwuity-cargo-target${{ env.CPU_SUFFIX }}-${{ inputs.slug }}-${{ inputs.profile }}-${{hashFiles('**/Cargo.lock') }}-${{steps.rust-toolchain.outputs.rustc_version}}
+
+    - name: Cache apt cache
+      if: ${{ env.BUILDKIT_ENDPOINT == '' }}
+      id: cache-apt
+      uses: actions/cache@v3
+      with:
+        path: |
+          var-cache-apt-${{ inputs.slug }}
+        key: continuwuity-var-cache-apt-${{ inputs.slug }}
+
+    - name: Cache apt lib
+      if: ${{ env.BUILDKIT_ENDPOINT == '' }}
+      id: cache-apt-lib
+      uses: actions/cache@v3
+      with:
+        path: |
+          var-lib-apt-${{ inputs.slug }}
+        key: continuwuity-var-lib-apt-${{ inputs.slug }}
+
+    - name: inject cache into docker
+      if: ${{ env.BUILDKIT_ENDPOINT == '' }}
+      uses: https://github.com/reproducible-containers/buildkit-cache-dance@v3.3.2
+      with:
+        cache-map: |
+          {
+            ".cargo/registry": "/usr/local/cargo/registry",
+            ".cargo/git/db": "/usr/local/cargo/git/db",
+            "cargo-target${{ env.CPU_SUFFIX }}-${{ inputs.slug }}-${{ inputs.profile }}": {
+              "target": "/app/target",
+              "id": "cargo-target${{ env.CPU_SUFFIX }}-${{ inputs.slug }}-${{ inputs.profile }}"
+            },
+            "var-cache-apt-${{ inputs.slug }}": "/var/cache/apt",
+            "var-lib-apt-${{ inputs.slug }}": "/var/lib/apt",
+            "${{ steps.timelord.outputs.database-path }}":"/timelord"
+          }
+        skip-extraction: ${{ steps.cache.outputs.cache-hit }}
@@ -33,7 +33,7 @@ runs:
        echo "version=$(rustup --version)" >> $GITHUB_OUTPUT
    - name: Cache rustup toolchains
      if: steps.rustup-version.outputs.version == ''
-      uses: actions/cache@27d5ce7f107fe9357f9df03efb73ab90386fccae # v5
+      uses: actions/cache@v3
      with:
        path: |
          ~/.rustup
@@ -9,7 +9,7 @@ runs:
  - name: Install sccache
    uses: https://git.tomfos.tr/tom/sccache-action@v1
  - name: Configure sccache
-    uses: https://github.com/actions/github-script@3a2844b7e9c422d3c10d287c895573f7108da1b3 # v9
+    uses: https://github.com/actions/github-script@v8
    with:
      script: |
        core.exportVariable('ACTIONS_RESULTS_URL', process.env.ACTIONS_RESULTS_URL || '');
@@ -17,7 +17,7 @@ inputs:
  llvm-version:
    description: 'LLVM version to install'
    required: false
-    default: '21'
+    default: '20'

 outputs:
  llvm-version:
@@ -57,7 +57,7 @@ runs:

    - name: Check for LLVM cache
      id: cache
-      uses: actions/cache@27d5ce7f107fe9357f9df03efb73ab90386fccae # v5
+      uses: actions/cache@v4
      with:
        path: |
          /usr/bin/clang-*
@@ -120,7 +120,7 @@ runs:

    - name: Install additional packages
      if: inputs.extra-packages != ''
-      uses: https://github.com/awalsh128/cache-apt-pkgs-action@2c09a5e66da6c8016428a2172bd76e5e4f14bb17 # latest
+      uses: https://github.com/awalsh128/cache-apt-pkgs-action@latest
      with:
        packages: ${{ inputs.extra-packages }}
        version: 1.0
@@ -65,7 +65,7 @@ runs:

    - name: Cache toolchain binaries
      id: toolchain-cache
-      uses: actions/cache@27d5ce7f107fe9357f9df03efb73ab90386fccae # v5
+      uses: actions/cache@v4
      with:
        path: |
          .cargo/bin
@@ -76,7 +76,7 @@ runs:

    - name: Cache Cargo registry and git
      id: registry-cache
-      uses: actions/cache@27d5ce7f107fe9357f9df03efb73ab90386fccae # v5
+      uses: actions/cache@v4
      with:
        path: |
          .cargo/registry/index
@@ -149,6 +149,37 @@ runs:
    - name: Setup sccache
      uses: https://git.tomfos.tr/tom/sccache-action@v1

+    - name: Cache dependencies
+      id: deps-cache
+      uses: actions/cache@v4
+      with:
+        path: |
+          target/**/.fingerprint
+          target/**/deps
+          target/**/*.d
+          target/**/.cargo-lock
+          target/**/CACHEDIR.TAG
+          target/**/.rustc_info.json
+          /timelord/
+        # Dependencies cache - based on Cargo.lock, survives source code changes
+        key: >-
+          continuwuity-deps-${{ steps.runner-os.outputs.slug }}-${{ steps.runner-os.outputs.arch }}-${{ steps.rust-setup.outputs.version }}${{ inputs.cache-key-suffix && format('-{0}', inputs.cache-key-suffix) || '' }}-${{ hashFiles('rust-toolchain.toml', '**/Cargo.lock') }}
+        restore-keys: |
+          continuwuity-deps-${{ steps.runner-os.outputs.slug }}-${{ steps.runner-os.outputs.arch }}-${{ steps.rust-setup.outputs.version }}${{ inputs.cache-key-suffix && format('-{0}', inputs.cache-key-suffix) || '' }}-
+
+    - name: Cache incremental compilation
+      id: incremental-cache
+      uses: actions/cache@v4
+      with:
+        path: |
+          target/**/incremental
+        # Incremental cache - based on source code changes
+        key: >-
+          continuwuity-incremental-${{ steps.runner-os.outputs.slug }}-${{ steps.runner-os.outputs.arch }}-${{ steps.rust-setup.outputs.version }}${{ inputs.cache-key-suffix && format('-{0}', inputs.cache-key-suffix) || '' }}-${{ hashFiles('rust-toolchain.toml', '**/Cargo.lock') }}-${{ hashFiles('**/*.rs', '**/Cargo.toml') }}
+        restore-keys: |
+          continuwuity-incremental-${{ steps.runner-os.outputs.slug }}-${{ steps.runner-os.outputs.arch }}-${{ steps.rust-setup.outputs.version }}${{ inputs.cache-key-suffix && format('-{0}', inputs.cache-key-suffix) || '' }}-${{ hashFiles('rust-toolchain.toml', '**/Cargo.lock') }}-
+          continuwuity-incremental-${{ steps.runner-os.outputs.slug }}-${{ steps.runner-os.outputs.arch }}-${{ steps.rust-setup.outputs.version }}${{ inputs.cache-key-suffix && format('-{0}', inputs.cache-key-suffix) || '' }}-
+
    - name: End build cache restore group
      shell: bash
      run: echo "::endgroup::"
@@ -31,7 +31,7 @@ runs:

    - name: Restore binary cache
      id: binary-cache
-      uses: actions/cache/restore@27d5ce7f107fe9357f9df03efb73ab90386fccae # v5
+      uses: actions/cache/restore@v4
      with:
        path: |
          /usr/share/rust/.cargo/bin
@@ -71,13 +71,13 @@ runs:

    - name: Install timelord-cli and git-warp-time
      if: steps.check-binaries.outputs.need-install == 'true'
-      uses: https://github.com/taiki-e/install-action@920ab1831fbf4fb3ef75c8ead83556c918bb7290 # v2
+      uses: https://github.com/taiki-e/install-action@v2
      with:
        tool: git-warp-time,timelord-cli@3.0.1

    - name: Save binary cache
      if: steps.check-binaries.outputs.need-install == 'true'
-      uses: actions/cache/save@27d5ce7f107fe9357f9df03efb73ab90386fccae # v5
+      uses: actions/cache/save@v4
      with:
        path: |
          /usr/share/rust/.cargo/bin
@@ -87,7 +87,7 @@ runs:

    - name: Restore timelord cache with fallbacks
      id: timelord-restore
-      uses: actions/cache/restore@27d5ce7f107fe9357f9df03efb73ab90386fccae # v5
+      uses: actions/cache/restore@v4
      with:
        path: ${{ env.TIMELORD_CACHE_PATH }}
        key: ${{ env.TIMELORD_KEY }}
@@ -114,7 +114,7 @@ runs:
        timelord sync --source-dir ${{ env.TIMELORD_PATH }} --cache-dir ${{ env.TIMELORD_CACHE_PATH }}

    - name: Save updated timelord cache immediately
-      uses: actions/cache/save@27d5ce7f107fe9357f9df03efb73ab90386fccae # v5
+      uses: actions/cache/save@v4
      with:
        path: ${{ env.TIMELORD_CACHE_PATH }}
        key: ${{ env.TIMELORD_KEY }}
@@ -45,6 +45,7 @@ If you aren't sure about some, feel free to ask for clarification in #dev:contin
  - [ ] I have [tested my contribution][c1t] (or proof-read it for documentation-only changes)
        myself, if applicable. This includes ensuring code compiles.
  - [ ] My commit messages follow the [commit message format][c1cm] and are descriptive.
+  - [ ] I have written a [news fragment][n1] for this PR, if applicable<!--(can be done after hitting open!)-->.

 <!--
 Notes on these requirements:
@@ -78,3 +79,4 @@ Notes on these requirements:
 [c1pc]: https://forgejo.ellis.link/continuwuation/continuwuity/src/branch/main/CONTRIBUTING.md#pre-commit-checks
 [c1t]: https://forgejo.ellis.link/continuwuation/continuwuity/src/branch/main/CONTRIBUTING.md#running-tests-locally
 [c1cm]: https://forgejo.ellis.link/continuwuation/continuwuity/src/branch/main/CONTRIBUTING.md#commit-messages
+[n1]: https://towncrier.readthedocs.io/en/stable/tutorial.html#creating-news-fragments
@@ -1,56 +0,0 @@
-name: Auto Labeler
-
-on:
-  pull_request_target:
-    types: [opened, reopened]
-
-permissions:
-  contents: read
-  pull-requests: write
-  issues: write
-
-jobs:
-  auto-label:
-    name: Apply labels based on changed files
-    runs-on: ubuntu-latest
-    steps:
-      - name: Apply PR Labels
-        uses: https://github.com/actions/github-script@3a2844b7e9c422d3c10d287c895573f7108da1b3 # v9
-        with:
-          script: |
-            const allFiles = await github.paginate(github.rest.pulls.listFiles, {
-              owner: context.repo.owner,
-              repo: context.repo.repo,
-              pull_number: context.issue.number,
-            });
-
-            const fileNames = allFiles.map(f => f.filename);
-            const labelsToAdd = new Set();
-
-            for (const file of fileNames) {
-              if (file.startsWith('docs/') || file.startsWith('theme/') || (file.endsWith('.md') && !file.startsWith('changelog.d/')) || file == 'rspress.config.ts') {
-                labelsToAdd.add('Documentation');
-              }
-              if (file.startsWith('.forgejo/')) {
-                labelsToAdd.add('Meta/CI');
-              }
-              if (file.startsWith('pkg/') || file.startsWith('nix/') || file === 'flake.nix' || file === 'flake.lock' || file.startsWith('docker/')) {
-                labelsToAdd.add('Meta/Packaging');
-              }
-              if (file === 'Cargo.lock') {
-                labelsToAdd.add('Dependencies');
-              }
-            }
-
-            if (labelsToAdd.size > 0) {
-              const labelsArray = Array.from(labelsToAdd);
-              console.log('Adding labels:', labelsArray);
-              await github.rest.issues.addLabels({
-                owner: context.repo.owner,
-                repo: context.repo.repo,
-                issue_number: context.issue.number,
-                labels: labelsArray,
-              });
-            } else {
-              console.log('No files changed that require auto-labeling.');
-            }
@@ -54,13 +54,13 @@ jobs:
          fi

      - name: Checkout repository with full history
-        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
+        uses: actions/checkout@v6
        with:
          fetch-depth: 0
          ref: ${{ github.ref_name }}

      - name: Cache Cargo registry
-        uses: actions/cache@27d5ce7f107fe9357f9df03efb73ab90386fccae # v5
+        uses: actions/cache@v4
        with:
          path: |
            ~/.cargo/registry
@@ -92,13 +92,10 @@ jobs:
          BASE_VERSION=$(cargo metadata --no-deps --format-version 1 | jq -r ".packages[] | select(.name == \"conduwuit\").version" | sed 's/[^a-zA-Z0-9.+]/~/g')
          # VERSION is the package version, COMPONENT is used in
          # apt's repository config like a git repo branch
-          VERSION=$BASE_VERSION
-          if [[ ${{ forge.ref_name }} =~ ^v+[0-9]\.+[0-9]\.+[0-9]$ ]]; then
-            # Use the "stable" component for tagged semver releases
+          if [[ "${{ forge.ref }}" == "refs/tags/"* ]]; then
+            # Use the "stable" component for tagged releases
            COMPONENT="stable"
-          elif [[ ${{ forge.ref_name }} =~ ^v+[0-9]\.+[0-9]\.+[0-9] ]]; then
-            # Use the "unstable" component for tagged semver pre-releases
-            COMPONENT="unstable"
+            VERSION=$BASE_VERSION
          else
            # Use the "dev" component for development builds
            SHA=$(echo "${{ forge.sha }}" | cut -c1-7)
@@ -30,14 +30,14 @@ jobs:
          echo "Fedora version: $VERSION"

      - name: Checkout repository with full history
-        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
+        uses: actions/checkout@v6
        with:
          fetch-depth: 0
          ref: ${{ github.ref_name }}


      - name: Cache DNF packages
-        uses: actions/cache@27d5ce7f107fe9357f9df03efb73ab90386fccae # v5
+        uses: actions/cache@v4
        with:
          path: |
            /var/cache/dnf
@@ -47,7 +47,7 @@ jobs:
            dnf-fedora${{ steps.fedora.outputs.version }}-

      - name: Cache Cargo registry
-        uses: actions/cache@27d5ce7f107fe9357f9df03efb73ab90386fccae # v5
+        uses: actions/cache@v4
        with:
          path: |
            ~/.cargo/registry
@@ -57,7 +57,7 @@ jobs:
            cargo-fedora${{ steps.fedora.outputs.version }}-

      - name: Cache Rust build dependencies
-        uses: actions/cache@27d5ce7f107fe9357f9df03efb73ab90386fccae # v5
+        uses: actions/cache@v4
        with:
          path: |
            ~/rpmbuild/BUILD/*/target/release/deps
@@ -105,7 +105,7 @@ jobs:
            RELEASE_SUFFIX=""
            TAG_NAME="${{ github.ref_name }}"
            # Extract version from tag (remove v prefix if present)
-            TAG_VERSION=$(echo "$TAG_NAME" | sed 's/^v//' | tr '-' '~')
+            TAG_VERSION=$(echo "$TAG_NAME" | sed 's/^v//')

            # Create spec file with tag version
            sed -e "s/^Version:.*$/Version:        $TAG_VERSION/" \
@@ -270,13 +270,9 @@ jobs:

          # Determine the group based on ref type and branch
          if [[ "${{ github.ref }}" == "refs/tags/"* ]]; then
+            GROUP="stable"
            # For tags, extract the tag name for version info
            TAG_NAME="${{ github.ref_name }}"
-            if [[ "$TAG_NAME" == *"-"* ]]; then
-              GROUP="unstable"
-            else
-              GROUP="stable"
-            fi
          elif [ "${{ github.ref_name }}" = "main" ]; then
            GROUP="dev"
          else
@@ -1,8 +1,13 @@
-name: Checks / Changelog
+name: Check Changelog

 on:
  pull_request_target:
-    types: [opened, synchronize, reopened, ready_for_review, labeled, unlabeled]
+    types: [opened, synchronize, reopened, ready_for_review]
+
+
+concurrency:
+  group: "${{ github.workflow }}-${{ github.ref }}"
+  cancel-in-progress: true

 permissions:
  contents: read
@@ -11,11 +16,11 @@ permissions:

 jobs:
  check-changelog:
-    name: Check changelog is added
+    name: Check for changelog
    runs-on: ubuntu-latest
    steps:
      - name: Checkout repository
-        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
+        uses: actions/checkout@v6
        with:
          ref: ${{ github.event.pull_request.head.sha }}
          fetch-depth: 0
@@ -28,9 +33,9 @@ jobs:
          git fetch origin ${GITHUB_BASE_REF}

          # Check for Added (A) or Modified (M) files in changelog.d
-          CHANGELOG_CHANGES=$(git diff --name-status origin/${GITHUB_BASE_REF}...HEAD -- changelog.d/)
+          CHANGELOG_CHANGES=$(git diff --name-status origin/${GITHUB_BASE_REF} HEAD -- changelog.d/)

-          SRC_CHANGES=$(git diff --name-status origin/${GITHUB_BASE_REF}...HEAD -- src/)
+          SRC_CHANGES=$(git diff --name-status origin/${GITHUB_BASE_REF} HEAD -- src/)

          echo "Changes in changelog.d/:"
          echo "$CHANGELOG_CHANGES"
@@ -49,8 +54,8 @@ jobs:
            echo "src_changed=false" >> $GITHUB_OUTPUT
          fi

-      - name: Manage PR Labels
-        uses: https://github.com/actions/github-script@3a2844b7e9c422d3c10d287c895573f7108da1b3 # v9
+      - name: Manage PR Comment
+        uses: https://github.com/actions/github-script@v8
        env:
          HAS_CHANGELOG: ${{ steps.check_files.outputs.has_changelog }}
          SRC_CHANGED: ${{ steps.check_files.outputs.src_changed }}
@@ -58,37 +63,41 @@ jobs:
          script: |
            const hasChangelog = process.env.HAS_CHANGELOG === 'true';
            const srcChanged = process.env.SRC_CHANGED === 'true';
+            const commentSignature = '<!-- changelog-check-action -->';
+            const commentBody = `${commentSignature}\nPlease add a changelog fragment to \`changelog.d/\` describing your changes.`;

-            const { data: pullRequest } = await github.rest.pulls.get({
+            const { data: currentUser } = await github.rest.users.getAuthenticated();
+
+            const { data: comments } = await github.rest.issues.listComments({
              owner: context.repo.owner,
              repo: context.repo.repo,
-              pull_number: context.issue.number,
+              issue_number: context.issue.number,
            });

-            const currentLabels = pullRequest.labels.map(l => l.name);
+            const botComment = comments.find(comment =>
+              comment.user.id === currentUser.id &&
+              comment.body.includes(commentSignature)
+            );

-            if (hasChangelog) {
-              console.log('PR has changelog');
-              await github.rest.issues.addLabels({
-                owner: context.repo.owner,
-                repo: context.repo.repo,
-                issue_number: context.issue.number,
-                labels: ['Changelog/Added'],
-              });
-            } else if (currentLabels.includes('Changelog/None')) {
-              console.log('PR has Changelog/None label, skipping.');
-            } else if (srcChanged) {
-              console.log('PR is missing changelog');
-              await github.rest.issues.addLabels({
-                owner: context.repo.owner,
-                repo: context.repo.repo,
-                issue_number: context.issue.number,
-                labels: ['Changelog/Missing'],
-              });
-              core.setFailed("Missing changelog entry (detected)");
-            } else if (currentLabels.includes('Changelog/Missing')) {
-              core.setFailed("Missing changelog entry (label)");
+            const shouldWarn = srcChanged && !hasChangelog;
+
+            if (!shouldWarn) {
+              if (botComment) {
+                console.log('Changelog found or not required. Deleting existing warning comment.');
+                await github.rest.issues.deleteComment({
+                  owner: context.repo.owner,
+                  repo: context.repo.repo,
+                  comment_id: botComment.id,
+                });
+              }
            } else {
-              console.log('Changelog not needed');
-              // Changelog is probably not needed
+              if (!botComment) {
+                console.log('Changelog missing and required. Creating warning comment.');
+                await github.rest.issues.createComment({
+                  owner: context.repo.owner,
+                  repo: context.repo.repo,
+                  issue_number: context.issue.number,
+                  body: commentBody,
+                });
+              }
            }
@@ -21,7 +21,7 @@ jobs:

    steps:
      - name: Sync repository
-        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
+        uses: actions/checkout@v6
        with:
          persist-credentials: false
          fetch-depth: 0
@@ -32,12 +32,12 @@ jobs:

      - name: Setup Node.js
        if: steps.runner-env.outputs.node_major == '' || steps.runner-env.outputs.node_major < '20'
-        uses: https://github.com/actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6
+        uses: https://github.com/actions/setup-node@v6
        with:
          node-version: 22

      - name: Cache npm dependencies
-        uses: actions/cache@27d5ce7f107fe9357f9df03efb73ab90386fccae # v5
+        uses: actions/cache@v3
        with:
          path: ~/.npm
          key: continuwuity-rspress-${{ steps.runner-env.outputs.slug }}-${{ steps.runner-env.outputs.arch }}-node-${{ steps.runner-env.outputs.node_version }}-${{ hashFiles('package-lock.json') }}
@@ -56,7 +56,7 @@ jobs:

      - name: Deploy to Cloudflare Pages (Production)
        if: github.ref == 'refs/heads/main' && vars.CLOUDFLARE_PROJECT_NAME != ''
-        uses: https://github.com/cloudflare/wrangler-action@ebbaa1584979971c8614a24965b4405ff95890e0 # v4
+        uses: https://github.com/cloudflare/wrangler-action@v3
        with:
          accountId: ${{ secrets.CLOUDFLARE_ACCOUNT_ID }}
          apiToken: ${{ secrets.CLOUDFLARE_API_TOKEN }}
@@ -64,7 +64,7 @@ jobs:

      - name: Deploy to Cloudflare Pages (Preview)
        if: github.ref != 'refs/heads/main' && vars.CLOUDFLARE_PROJECT_NAME != ''
-        uses: https://github.com/cloudflare/wrangler-action@ebbaa1584979971c8614a24965b4405ff95890e0 # v4
+        uses: https://github.com/cloudflare/wrangler-action@v3
        with:
          accountId: ${{ secrets.CLOUDFLARE_ACCOUNT_ID }}
          apiToken: ${{ secrets.CLOUDFLARE_API_TOKEN }}
@@ -24,7 +24,7 @@ jobs:

    steps:
      - name: 📦 Setup Node.js
-        uses: https://github.com/actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6
+        uses: https://github.com/actions/setup-node@v6
        with:
          node-version: "22"

@@ -121,7 +121,7 @@ jobs:
      - name: 🚀 Deploy to Cloudflare Pages
        if: vars.CLOUDFLARE_PROJECT_NAME != ''
        id: deploy
-        uses: https://github.com/cloudflare/wrangler-action@ebbaa1584979971c8614a24965b4405ff95890e0 # v4
+        uses: https://github.com/cloudflare/wrangler-action@v3
        with:
          accountId: ${{ secrets.CLOUDFLARE_ACCOUNT_ID }}
          apiToken: ${{ secrets.CLOUDFLARE_API_TOKEN }}
@@ -2,11 +2,8 @@ name: Mirror Container Images

 on:
  schedule:
-    # Run nightly
-    - cron: "25 2 * * *"
-
-  workflow_call:
-
+    # Run every 2 hours
+    - cron: "0 */2 * * *"
  workflow_dispatch:
    inputs:
      dry_run:
@@ -41,7 +38,7 @@ jobs:
      DOCKER_MIRROR_TOKEN: ${{ secrets.DOCKER_MIRROR_TOKEN }}
    steps:
      - name: Checkout repository
-        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
+        uses: actions/checkout@v6
        with:
          persist-credentials: false

@@ -54,8 +51,10 @@ jobs:
      #     owner: continuwuity
      #     repositories: continuwuity

-      - name: Install regsync
-        uses: https://github.com/regclient/actions/regsync-installer@c70ad64367908075211b10dcd2ab9fad4bfa1816 # main
+      - name: Install regctl
+        uses: https://forgejo.ellis.link/continuwuation/regclient-actions/regctl-installer@main
+        with:
+          binary: regsync

      - name: Check what images need mirroring
        run: |
@@ -9,7 +9,6 @@ on:

 permissions:
  contents: read
-  pull-requests: read

 jobs:
  fast-checks:
@@ -17,7 +16,7 @@ jobs:
    runs-on: ubuntu-latest
    steps:
      - name: Checkout repository
-        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
+        uses: actions/checkout@v6
        with:
          persist-credentials: false

@@ -41,36 +40,14 @@ jobs:
          cargo +nightly fmt --all -- --check && \
            echo "✅ Formatting check passed" || \
            exit 1
-  check-changes:
-    name: Check changed files
-    runs-on: ubuntu-latest
-    outputs:
-      rust: ${{ steps.filter.outputs.rust }}
-    steps:
-      - name: Checkout repository
-        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
-        with:
-          persist-credentials: false
-
-      - name: Check for file changes
-        uses: https://github.com/dorny/paths-filter@fbd0ab8f3e69293af611ebaee6363fc25e6d187d # v4
-        id: filter
-        with:
-          filters: |
-            rust:
-              - '**/*.rs'
-              - '**/Cargo.toml'
-              - '**/Cargo.lock'

  clippy-and-tests:
    name: Clippy and Cargo Tests
    runs-on: ubuntu-latest
-    needs: check-changes
-    if: needs.check-changes.outputs.rust == 'true'

    steps:
      - name: Checkout repository
-        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
+        uses: actions/checkout@v6
        with:
          persist-credentials: false

@@ -9,9 +9,6 @@ on:
    paths-ignore:
      - "*.md"
      - "**/*.md"
-      - "*.mdx"
-      - "**/*.mdx"
-      - "changelog.d/**"
      - ".gitlab-ci.yml"
      - ".gitignore"
      - "renovate.json"
@@ -46,7 +43,7 @@ jobs:

    steps:
      - name: Checkout repository
-        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
+        uses: actions/checkout@v6
        with:
          persist-credentials: false
      - name: Prepare Docker build environment
@@ -62,7 +59,7 @@ jobs:
          registry_password: ${{ secrets.BUILTIN_REGISTRY_PASSWORD || secrets.GITHUB_TOKEN }}
      - name: Build and push Docker image by digest
        id: build
-        uses: docker/build-push-action@f9f3042f7e2789586610d6e8b85c8f03e5195baf # v7
+        uses: docker/build-push-action@v7
        with:
          context: .
          file: "docker/Dockerfile"
@@ -100,7 +97,7 @@ jobs:
    needs: build-release
    steps:
      - name: Checkout repository
-        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
+        uses: actions/checkout@v6
        with:
          persist-credentials: false
      - name: Create multi-platform manifest
@@ -133,7 +130,7 @@ jobs:

    steps:
      - name: Checkout repository
-        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
+        uses: actions/checkout@v6
        with:
          persist-credentials: false
      - name: Prepare max-perf Docker build environment
@@ -149,7 +146,7 @@ jobs:
          registry_password: ${{ secrets.BUILTIN_REGISTRY_PASSWORD || secrets.GITHUB_TOKEN }}
      - name: Build and push max-perf Docker image by digest
        id: build
-        uses: docker/build-push-action@f9f3042f7e2789586610d6e8b85c8f03e5195baf # v7
+        uses: docker/build-push-action@v7
        with:
          context: .
          file: "docker/Dockerfile"
@@ -187,7 +184,7 @@ jobs:
    needs: build-maxperf
    steps:
      - name: Checkout repository
-        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
+        uses: actions/checkout@v6
        with:
          persist-credentials: false
      - name: Create max-perf manifest
@@ -198,34 +195,3 @@ jobs:
          images: ${{ env.IMAGE_PATH }}
          registry_user: ${{ vars.BUILTIN_REGISTRY_USER || github.actor }}
          registry_password: ${{ secrets.BUILTIN_REGISTRY_PASSWORD || secrets.GITHUB_TOKEN }}
-
-  release-binaries:
-    name: "Release Binaries"
-    runs-on: ubuntu-latest
-    needs:
-      - build-release
-      - build-maxperf
-    permissions:
-      contents: write
-    if: startsWith(github.ref, 'refs/tags/')
-    steps:
-      - name: Download binary artifacts
-        uses: forgejo/download-artifact@v4
-        with:
-          pattern: conduwuit*
-          path: binaries
-          merge-multiple: true
-      - name: Create Release and Upload
-        uses: https://github.com/softprops/action-gh-release@b4309332981a82ec1c5618f44dd2e27cc8bfbfda # v3
-        with:
-          draft: true
-          files: binaries/*
-
-  mirror_images:
-    name: "Mirror Images"
-    runs-on: ubuntu-latest
-    needs:
-      - merge-maxperf
-      - merge-release
-    secrets: inherit
-    uses: ./.forgejo/workflows/mirror-images.yml
@@ -43,11 +43,11 @@ jobs:
    name: Renovate
    runs-on: ubuntu-latest
    container:
-      image: ghcr.io/renovatebot/renovate:43.195.3@sha256:868dffc3d6a46f42dfefe48b6978cc063d8df9c1d58a93a694c8989afa503e34
+      image: ghcr.io/renovatebot/renovate:43.59.4@sha256:f951508dea1e7d71cbe6deca298ab0a05488e7631229304813f630cc06010892
      options: --tmpfs /tmp:exec
    steps:
      - name: Checkout
-        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
+        uses: actions/checkout@v6
        with:
          show-progress: false

@@ -55,7 +55,7 @@ jobs:
        run: /usr/local/renovate/node -e 'console.log(`node heap limit = ${require("v8").getHeapStatistics().heap_size_limit / (1024 * 1024)} Mb`)'

      - name: Restore renovate repo cache
-        uses: actions/cache/restore@27d5ce7f107fe9357f9df03efb73ab90386fccae # v5
+        uses: actions/cache/restore@v4
        with:
          path: |
            /tmp/renovate/cache/renovate/repository
@@ -64,7 +64,7 @@ jobs:
            renovate-repo-cache-

      - name: Restore renovate package cache
-        uses: actions/cache/restore@27d5ce7f107fe9357f9df03efb73ab90386fccae # v5
+        uses: actions/cache/restore@v4
        with:
          path: |
            /tmp/renovate/cache/renovate/renovate-cache-sqlite
@@ -73,7 +73,7 @@ jobs:
            renovate-package-cache-

      - name: Restore renovate OSV cache
-        uses: actions/cache/restore@27d5ce7f107fe9357f9df03efb73ab90386fccae # v5
+        uses: actions/cache/restore@v4
        with:
          path: |
            /tmp/osv
@@ -90,12 +90,12 @@ jobs:
          RENOVATE_PLATFORM: forgejo
          RENOVATE_ENDPOINT: ${{ github.server_url }}
          RENOVATE_AUTODISCOVER: 'false'
-          RENOVATE_REPOSITORIES: '["${{ github.repository }}", "continuwuation/resolvematrix"]'
+          RENOVATE_REPOSITORIES: '["${{ github.repository }}"]'

          RENOVATE_GIT_TIMEOUT: 60000

          RENOVATE_REQUIRE_CONFIG: 'required'
-          # RENOVATE_ONBOARDING: 'false'
+          RENOVATE_ONBOARDING: 'false'
          RENOVATE_INHERIT_CONFIG: 'true'

          RENOVATE_GITHUB_TOKEN_WARN: 'false'
@@ -109,7 +109,7 @@ jobs:
      - name: Save renovate repo cache
        if: always()
        uses:
-          actions/cache/save@v5
+          actions/cache/save@v4
        with:
          path: |
            /tmp/renovate/cache/renovate/repository
@@ -117,7 +117,7 @@ jobs:

      - name: Save renovate package cache
        if: always()
-        uses: actions/cache/save@27d5ce7f107fe9357f9df03efb73ab90386fccae # v5
+        uses: actions/cache/save@v4
        with:
          path: |
            /tmp/renovate/cache/renovate/renovate-cache-sqlite
@@ -125,7 +125,7 @@ jobs:

      - name: Save renovate OSV cache
        if: always()
-        uses: actions/cache/save@27d5ce7f107fe9357f9df03efb73ab90386fccae # v5
+        uses: actions/cache/save@v4
        with:
          path: |
            /tmp/osv
@@ -14,7 +14,7 @@ jobs:
  update-flake-hashes:
    runs-on: ubuntu-latest
    steps:
-      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
+      - uses: actions/checkout@v6
        with:
          persist-credentials: true
          token: ${{ secrets.FORGEJO_TOKEN }}
@@ -24,7 +24,7 @@ repos:
        - id: check-added-large-files

  - repo: https://github.com/crate-ci/typos
-    rev: v1.46.2
+    rev: v1.45.0
    hooks:
      - id: typos
      - id: typos
@@ -1,62 +1,3 @@
-# Continuwuity 0.5.8 (2026-04-24)
-
-## Features
-
- LDAP can now optionally be connected to using StartTLS, and you may unsafely skip verification. Contributed by @getz (#1389)
- Users will now be prevented from removing their email if the server is configured to require an email when registering an account.
-
-## Bugfixes
-
- Fixed a situation where multiple email addresses could be associated with one user when that user changes their email address.
-
-## Improved Documentation
-
- Updated config docs to state we support room version 12, and set it as default. Contributed by @ezera. (#1622)
- Improve instructions for generic deployments, removing unnecessary parts and documenting the new initial registration token flow. Contributed by @stratself (#1677)
-
-
-# Continuwuity v0.5.7 (2026-04-17)
-
-## Features
-
- Re-added support for reading registration tokens from a file. Contributed by @ginger and @benbot. (#1371)
- Add new config option to allow or disallow search engine indexing through a `<meta ../>` tag. Defaults to blocking indexing (`content="noindex"`). Contributed by @s1lv3r and @ginger. (#1527)
- Add new config option for [MSC4439](https://github.com/matrix-org/matrix-spec-proposals/pull/4439)
-  PGP key URIs. Contributed by LogN. (#1609)
- Added `!admin users reset-push-rules` command to reset the notification settings of users. Contributed by @nex. (#1613)
- Notification pushers are now automatically removed when their associated device is. Admin commands now exist for manual cleanup too. Contributed by @nex. (#1614)
- Implemented option to deprioritize servers for room join requests. Contributed by @ezera. (#1624)
- Added admin commands to get build information and features. Contributed by @Jade (#1629)
- Added support for associating email addresses with accounts, requiring email addresses for registration, and resetting passwords via email. Contributed by @ginger
- Added support for requiring users to accept terms and conditions when registering.
- Added support for using an admin command to issue self-service password reset links.
-
-## Bugfixes
-
- Fixed corrupted appservice registrations causing the server to enter a crash loop. Contributed by @nex. (#1265)
- Prevent removing the admin room alias (`#admins`) to avoid accidentally breaking admin room functionality. Contributed by @0xnim (#1448)
- Stripped `join_authorised_via_users_server` from json if user is already in room (@partha:cxy.run) (#1542)
- Fixed internal server errors for fetching thumbnails. Contributed by @PerformativeJade (#1572)
- Fixed error 500 when joining non-existent rooms. Contributed by @ezera. (#1579)
- Refactored nix package. Breaking, since `all-features` package no longer exists. Continuwuity is now built with jemalloc and liburing by default. Contributed by @Henry-Hiles (QuadRadical). (#1596)
- Fixed resolving IP of servers that only use SRV delegation. Contributed by @tulir. (#1615)
- Fixed "Sender must be a local user" error for make_join, make_knock, and make_leave federation routes. Contributed by @nex. (#1623)
- Fixed restricted joins not being signed when we are being used as an authorising server. Contributed by @nex, reported by [vel](matrix:u/vel:nhjkl.com?action=chat). (#1630)
- Fixed room alias deletion so removing one local alias no longer removes other aliases from room alias listings.
- Stopped left rooms from being unconditionally sent on initial sync, hopefully fixing spurious appearances of left rooms in some clients (and making sync faster as a bonus). Contributed by @ginger
- Correct the response field name for MatrixRTC transports. Contributed by @spaetz
-
-## Improved Documentation
-
- Added Testing and Troubleshooting instructions for Livekit documentation. Contributed by @stratself. (#1429)
- Refactored docker docs to include new initial token workflow, and add Caddyfile example. Contributed by @stratself. (#1594)
- Add DNS tuning guide for Continuwuity. Users are recommended to set up a local caching resolver following the guide's advice. Contributed by @stratself (#1601)
-
-## Misc
-
- Fixed compiler warning in cf_opts.rs when building in release. Contributed by @ezera. (#1620)
-
-
 # Continuwuity 0.5.6 (2026-03-03)

 ## Security
@@ -1 +1 @@
-Contributors are expected to follow the [Continuwuity Community Guidelines](https://continuwuity.org/community/guidelines).
+Contributors are expected to follow the [Continuwuity Community Guidelines](continuwuity.org/community/guidelines).
@@ -137,9 +137,9 @@ The allowed types for commits are:

 Examples:
 ```
-feat: Add user authentication
-fix(database): Resolve connection pooling issue
-docs: Update installation instructions
+feat: add user authentication
+fix(database): resolve connection pooling issue
+docs: update installation instructions
 ```

 The project uses the `committed` hook to validate commit messages in pre-commit. This ensures all commits follow the conventional format.
@@ -12,7 +12,7 @@ license = "Apache-2.0"
 # See also `rust-toolchain.toml`
 readme = "README.md"
 repository = "https://forgejo.ellis.link/continuwuation/continuwuity"
-version = "0.5.9"
+version = "0.5.7-alpha.1"

 [workspace.metadata.crane]
 name = "conduwuit"
@@ -36,13 +36,10 @@ version = "0.3"
 features = ["ffi", "std", "union"]

 [workspace.dependencies.const-str]
-version = "1.1.0"
+version = "0.7.0"

 [workspace.dependencies.ctor]
-version = "1.0.6"
-
-[workspace.dependencies.dtor]
-version = "1.0.0"
+version = "0.6.0"

 [workspace.dependencies.cargo_toml]
 version = "0.22"
@@ -50,9 +47,9 @@ default-features = false
 features = ["features"]

 [workspace.dependencies.toml]
-version = "1.1.2"
+version = "0.9.5"
 default-features = false
-features = ["parse", "serde"]
+features = ["parse"]

 [workspace.dependencies.sanitize-filename]
 version = "0.6.0"
@@ -63,7 +60,7 @@ default-features = false

 # used for TURN server authentication
 [workspace.dependencies.hmac]
-version = "0.13.0"
+version = "0.12.1"
 default-features = false

 # used for checking if an IP is in specific subnets / CIDR ranges easier
@@ -71,7 +68,7 @@ default-features = false
 version = "0.1.3"

 [workspace.dependencies.rand]
-version = "0.10.1"
+version = "0.10.0"

 # Used for the http request / response body type for Ruma endpoints used with reqwest
 [workspace.dependencies.bytes]
@@ -105,18 +102,15 @@ default-features = false
 features = ["typed-header", "tracing", "cookie"]

 [workspace.dependencies.axum-server]
-version = "0.8.0"
+version = "0.7.2"
 default-features = false

 # to listen on both HTTP and HTTPS if listening on TLS dierctly from conduwuit for complement or sytest
 [workspace.dependencies.axum-server-dual-protocol]
-# version = "0.7"
-git = "https://github.com/vinchona/axum-server-dual-protocol.git"
-rev = "ca6db055254255b74238673ce4135698e347d71c" # feat!: bump axum_server to 0.8.0
-default-features = false
+version = "0.7"

 [workspace.dependencies.axum-client-ip]
-version = "1.3"
+version = "0.7"

 [workspace.dependencies.tower]
 version = "0.5.2"
@@ -140,12 +134,13 @@ features = [
 [workspace.dependencies.rustls]
 version = "0.23.25"
 default-features = false
+features = ["aws_lc_rs"]

 [workspace.dependencies.reqwest]
-version = "0.13.2"
+version = "0.12.15"
 default-features = false
 features = [
-    "rustls-no-provider",
+    "rustls-tls-native-roots",
    "socks",
    "hickory-dns",
    "http2",
@@ -164,7 +159,7 @@ features = ["raw_value"]

 # Used for appservice registration files
 [workspace.dependencies.serde-saphyr]
-version = "0.0.26"
+version = "0.0.21"

 # Used to load forbidden room/user regex from config
 [workspace.dependencies.serde_regex]
@@ -172,7 +167,7 @@ version = "1.1.0"

 # Used for ruma wrapper
 [workspace.dependencies.serde_html_form]
-version = "0.4.0"
+version = "0.2.6"

 # Used for password hashing
 [workspace.dependencies.argon2]
@@ -180,7 +175,7 @@ version = "0.5.3"
 features = ["alloc", "rand"]
 default-features = false

-# Used to generate thumbnails for images
+# Used to generate thumbnails for images & blurhashes
 [workspace.dependencies.image]
 version = "0.25.5"
 default-features = false
@@ -191,6 +186,14 @@ features = [
    "webp",
 ]

+[workspace.dependencies.blurhash]
+version = "0.2.3"
+default-features = false
+features = [
+    "fast-linear-to-srgb",
+    "image",
+]
+
 # logging
 [workspace.dependencies.log]
 version = "0.4.27"
@@ -248,7 +251,7 @@ features = [
 ]

 [workspace.dependencies.tokio-metrics]
-version = "0.5.0"
+version = "0.4.0"

 [workspace.dependencies.libloading]
 version = "0.9.0"
@@ -337,54 +340,56 @@ version = "0.1.88"
 [workspace.dependencies.lru-cache]
 version = "0.1.2"

-[workspace.dependencies.assign]
-version = "1.1.1"
-
 # Used for matrix spec type definitions and helpers
 [workspace.dependencies.ruma]
-# version = "0.14.1"
-git = "https://github.com/ruma/ruma.git"
-rev = "9c9dccc93f054bbd28f23f630223fffa6289ecbc"
+git = "https://forgejo.ellis.link/continuwuation/ruwuma"
+#branch = "conduwuit-changes"
+rev = "1415caf8a32af4d943580c5ea4e12be1974593c2"
 features = [
+    "compat",
+    "rand",
    "appservice-api-c",
    "client-api",
    "federation-api",
-    "push-gateway-api-c",
-    "state-res",
-    "rand",
    "markdown",
+    "push-gateway-api-c",
+    "unstable-exhaustive-types",
    "ring-compat",
    "compat-upload-signatures",
-    "compat-optional-txn-pdus",
+    "identifiers-validation",
+    "unstable-unspecified",
+    "unstable-msc2448",
    "unstable-msc2666",
    "unstable-msc2867",
    "unstable-msc2870",
+    "unstable-msc3026",
    "unstable-msc3061",
    "unstable-msc3814",
    "unstable-msc3245",
-    "unstable-msc3381",
-    "unstable-msc3489",
-    "unstable-msc3930",
+    "unstable-msc3266",
+    "unstable-msc3381", # polls
+    "unstable-msc3489", # beacon / live location
+    "unstable-msc3575",
+    "unstable-msc3930", # polls push rules
    "unstable-msc4075",
    "unstable-msc4095",
    "unstable-msc4121",
    "unstable-msc4125",
+    "unstable-msc4155",
    "unstable-msc4186",
-    "unstable-msc4195",
-    "unstable-msc4203",
-    "unstable-msc4310",
-    "unstable-msc4373",
-    "unstable-msc4380",
-    "unstable-msc4143",
-    "unstable-msc4293",
-    "unstable-msc4406",
-    "unstable-msc4439",
+    "unstable-msc4203", # sending to-device events to appservices
+    "unstable-msc4210", # remove legacy mentions
    "unstable-extensible-events",
+    "unstable-pdu",
+    "unstable-msc4155",
+    "unstable-msc4143", # livekit well_known response
+    "unstable-msc4284",
+    "unstable-msc4439", # pgp_key in .well_known/matrix/support
 ]

 [workspace.dependencies.rust-rocksdb]
 git = "https://forgejo.ellis.link/continuwuation/rust-rocksdb-zaidoon1"
-rev = "0a25ff92f7c09b55eec496b9c192c7d5136ab2b8"
+rev = "31fb8f772c7afcdc0061ab6a40cfa3a1be2fccd9"
 default-features = false
 features = [
    "multi-threaded-cf",
@@ -395,42 +400,43 @@ features = [
 ]

 [workspace.dependencies.sha2]
-version = "0.11.0"
+version = "0.10.8"
 default-features = false

 [workspace.dependencies.sha1]
-version = "0.11.0"
+version = "0.10.6"
 default-features = false

 # optional opentelemetry, performance measurements, flamegraphs, etc for performance measurements and monitoring
 [workspace.dependencies.opentelemetry]
-version = "0.32.0"
+version = "0.31.0"

 [workspace.dependencies.tracing-flame]
 version = "0.2.0"

 [workspace.dependencies.tracing-opentelemetry]
-version = "0.33.0"
+version = "0.32.0"

 [workspace.dependencies.opentelemetry_sdk]
-version = "0.32.0"
+version = "0.31.0"
 features = ["rt-tokio"]

 [workspace.dependencies.opentelemetry-otlp]
-version = "0.32.0"
+version = "0.31.0"
 features = ["http", "grpc-tonic", "trace", "logs", "metrics"]



 # optional sentry metrics for crash/panic reporting
 [workspace.dependencies.sentry]
-version = "0.48.0"
+version = "0.46.0"
 default-features = false
 features = [
    "backtrace",
    "contexts",
    "debug-images",
    "panic",
+    "rustls",
    "tower",
    "tower-http",
    "tracing",
@@ -439,9 +445,9 @@ features = [
 ]

 [workspace.dependencies.sentry-tracing]
-version = "0.48.0"
+version = "0.46.0"
 [workspace.dependencies.sentry-tower]
-version = "0.48.0"
+version = "0.46.0"

 # jemalloc usage
 [workspace.dependencies.tikv-jemalloc-sys]
@@ -475,7 +481,7 @@ default-features = false
 features = ["resource"]

 [workspace.dependencies.sd-notify]
-version = "0.5.0"
+version = "0.4.5"
 default-features = false

 [workspace.dependencies.hardened_malloc-rs]
@@ -534,22 +540,27 @@ version = "2.1.1"
 features = ["std"]

 [workspace.dependencies.minicbor-serde]
-version = "0.7.0"
+version = "0.6.0"
 features = ["std"]

 [workspace.dependencies.maplit]
 version = "1.0.2"

+[workspace.dependencies.ldap3]
+version = "0.12.0"
+default-features = false
+features = ["sync", "tls-rustls", "rustls-provider"]
+
 [workspace.dependencies.yansi]
 version = "1.0.1"

 [workspace.dependencies.askama]
-version = "0.16.0"
+version = "0.15.0"

 [workspace.dependencies.lettre]
 version = "0.11.19"
 default-features = false
-features = ["smtp-transport", "pool", "hostname", "builder", "rustls", "rustls-native-certs", "tokio1", "rustls-no-provider", "tokio1-rustls", "tracing", "serde"]
+features = ["smtp-transport", "pool", "hostname", "builder", "rustls", "rustls-native-certs", "tokio1", "ring", "tokio1-rustls", "tracing", "serde"]

 [workspace.dependencies.governor]
 version = "0.10.4"
@@ -646,10 +657,6 @@ default-features = false
 package = "conduwuit"
 path = "src/main"

-[workspace.dependencies.ruminuwuity]
-package = "ruminuwuity"
-path = "src/ruminuwuity"
-
 ###############################################################################
 #
 # Release profiles
@@ -0,0 +1 @@
+Added support for associating email addresses with accounts, requiring email addresses for registration, and resetting passwords via email. Contributed by @ginger
@@ -1 +0,0 @@
-The invite recipient's membership event is now included in invite stripped state, which should fix flaky invite display in some clients. Contributed by @ginger
@@ -0,0 +1 @@
+Added support for using an admin command to issue self-service password reset links.
@@ -0,0 +1 @@
+Stopped left rooms from being unconditionally sent on initial sync, hopefully fixing spurious appearances of left rooms in some clients (and making sync faster as a bonus). Contributed by @ginger
@@ -0,0 +1 @@
+Added support for requiring users to accept terms and conditions when registering.
@@ -1 +0,0 @@
-Switched from Continuwuity's fork of Ruma back to upstream Ruma. Contributed by @ginger.
@@ -0,0 +1 @@
+Fixed room alias deletion so removing one local alias no longer removes other aliases from room alias listings.
@@ -1 +0,0 @@
-Removed support for guest user registration, a little-used and deprecated approach to room previews.
@@ -1 +0,0 @@
-The deprecated `well_known.rtc_focus_server_urls` config option has been removed. MatrixRTC foci should be configured using the `matrix_rtc.foci` config option.
@@ -1 +0,0 @@
-The version of Debian that the Docker-based build process uses has been upgraded from Bookworm to Trixie, meaning that standalone binaries now have a minimum glibc of 2.41, and can no longer be used on distro versions from before 2025-01-30
@@ -1 +0,0 @@
-Support for server-side blurhashing (part of MSC2448) has been removed.
@@ -0,0 +1 @@
+Fixed corrupted appservice registrations causing the server to enter a crash loop. Contributed by @nex.
@@ -0,0 +1 @@
+Re-added support for reading registration tokens from a file. Contributed by @ginger and @benbot.
@@ -0,0 +1 @@
+Added Testing and Troubleshooting instructions for Livekit documentation. Contributed by @stratself.
@@ -0,0 +1 @@
+Prevent removing the admin room alias (`#admins`) to avoid accidentally breaking admin room functionality. Contributed by @0xnim
@@ -1 +0,0 @@
-Updated [MSC4284: Policy Servers](https://github.com/matrix-org/matrix-spec-proposals/pull/4284) implementation to support the newly stabilised proposal. Contributed by @nex.
@@ -1 +0,0 @@
-Add performance tuning documentation. Contributed by @stratself.
@@ -0,0 +1 @@
+Add new config option to allow or disallow search engine indexing through a `<meta ../>` tag. Defaults to blocking indexing (`content="noindex"`). Contributed by @s1lv3r and @ginger.
@@ -0,0 +1 @@
+Stripped `join_authorised_via_users_server` from json if user is already in room (@partha:cxy.run)
@@ -0,0 +1 @@
+Fixed internal server errors for fetching thumbnails. Contributed by @PerformativeJade
@@ -0,0 +1 @@
+Fixed error 500 when joining non-existent rooms. Contributed by @ezera.
@@ -0,0 +1 @@
+Refactored nix package. Breaking, since `all-features` package no longer exists. Continuwuity is now built with jemalloc and liburing by default. Contributed by @Henry-Hiles (QuadRadical).
@@ -0,0 +1,2 @@
+Add new config option for [MSC4439](https://github.com/matrix-org/matrix-spec-proposals/pull/4439)
+PGP key URIs. Contributed by LogN.
@@ -0,0 +1 @@
+Added `!admin users reset-push-rules` command to reset the notification settings of users. Contributed by @nex.
@@ -0,0 +1 @@
+Notification pushers are now automatically removed when their associated device is. Admin commands now exist for manual cleanup too. Contributed by @nex.
@@ -0,0 +1 @@
+Fixed resolving IP of servers that only use SRV delegation. Contributed by @tulir.
@@ -0,0 +1 @@
+Fixed compiler warning in cf_opts.rs when building in release. Contributed by @ezera.
@@ -0,0 +1 @@
+Fixed "Sender must be a local user" error for make_join, make_knock, and make_leave federation routes. Contributed by @nex.
@@ -0,0 +1 @@
+Fixed restricted joins not being signed when we are being used as an authorising server. Contributed by @nex, reported by [vel](matrix:u/vel:nhjkl.com?action=chat).
@@ -1 +0,0 @@
-Explain accessing Continuwuity's server console when deployed via Docker.
@@ -1 +0,0 @@
-Added config option for default room ACLs. Contributed by @eve.
@@ -1 +0,0 @@
-Removed support for LDAP.
@@ -1 +0,0 @@
-Clarified in the config that `max_request_size` affects federated media as well.
@@ -1 +0,0 @@
-Added support for fallback encryption keys.
@@ -1 +0,0 @@
-Fixed a bug that caused the server to drop events during processing if several events for the same room were sent in a singular transaction. Contributed by @nex.
@@ -1 +0,0 @@
-Add `!admin users reject-all-invites` to clean invite spam
@@ -1 +0,0 @@
-fix `!admin query account-data account-data-get` not returning the content
@@ -1,9 +0,0 @@
-Implemented event rejection, which should resolve and prevent future netsplits of the kinds observed
-within some Continuwuity rooms.
-Also resolved several bugs related to both soft-failing events, and event backfilling, which should
-improve state resolution stability.
-The `!admin debug get-pdu` command was updated to disambiguate event acceptance status, and
-`!admin debug show-auth-chain` was added to visually display event auth chains, which may assist
-developers in debugging strangely complex events.
-
-Contributed by @nex.
@@ -1 +0,0 @@
-Fixed an issue where Continuwuity would only advertise support for the unstable endpoint for Mutual Rooms (MSC2666), despite only supporting the stable endpoint. Contributed by @Henry-Hiles (QuadRadical)
@@ -1 +0,0 @@
-Fixed several bugs in the `POST /_matrix/client/v3/rooms/{roomId}/upgrade` endpoint. Contributed by @nex.
@@ -1 +0,0 @@
-Added full support for [MSC4168: Update `m.space.*` state on room upgrade](https://github.com/matrix-org/matrix-spec-proposals/pull/4168). Contributed by @nex.
@@ -7,6 +7,7 @@
 [global]
 address = "0.0.0.0"
 allow_device_name_federation = true
+allow_guest_registration = true
 allow_public_room_directory_over_federation = true
 allow_registration = true
 database_path = "/database"
@@ -31,6 +32,7 @@ rocksdb_log_level = "info"
 rocksdb_max_log_files = 1
 rocksdb_recovery_mode = 0
 rocksdb_paranoid_file_checks = true
+log_guest_registrations = false
 allow_legacy_media = true
 startup_netburst = true
 startup_netburst_keep = -1
@@ -291,7 +291,6 @@
 #ip_lookup_strategy = 5

 # Max request size for file uploads in bytes. Defaults to 20MB.
-# Also limits incoming federated media.
 #
 #max_request_size = 20971520

@@ -372,18 +371,21 @@
 #
 #federation_timeout = 60

-# Policy server request timeout (seconds). Generally policy
+# MSC4284 Policy server request timeout (seconds). Generally policy
 # servers should respond near instantly, however may slow down under
 # load. If a policy server doesn't respond in a short amount of time, the
 # room it is configured in may become unusable if this limit is set too
-# high. 30 seconds is a good default, however lower values may be
-# acceptable if temporary send failures are an okay trade-off.
+# high. 10 seconds is a good default, however dropping this to 3-5 seconds
+# can be acceptable.
 #
+# Please be aware that policy requests are *NOT* currently re-tried, so if
+# a spam check request fails, the event will be assumed to be not spam,
+# which in some cases may result in spam being sent to or received from
+# the room that would typically be prevented.
 #
 # About policy servers: https://matrix.org/blog/2025/04/introducing-policy-servers/
-# (Stabilized in Matrix v1.18)
 #
-#policy_server_request_timeout = 30
+#policy_server_request_timeout = 10

 # Federation client idle connection pool timeout (seconds).
 #
@@ -525,13 +527,13 @@
 # which users must agree to when registering an account.
 #
 # Example:
-# ```ignore
+# ```
 # [global.registration_terms.privacy_policy]
 # en = { name = "Privacy Policy", url = "https://homeserver.example/en/privacy_policy.html" }
 # es = { name = "Política de Privacidad", url = "https://homeserver.example/es/privacy_policy.html" }
 # ```
 #
-#registration_terms = {}
+#registration_terms = false

 # Controls whether encrypted rooms and events are allowed.
 #
@@ -571,6 +573,18 @@
 #
 #allow_public_room_directory_over_federation = false

+# Allow guests/unauthenticated users to access TURN credentials.
+#
+# This is the equivalent of Synapse's `turn_allow_guests` config option.
+# This allows any unauthenticated user to call the endpoint
+# `/_matrix/client/v3/voip/turnServer`.
+#
+# It is unlikely you need to enable this as all major clients support
+# authentication for this endpoint and prevents misuse of your TURN server
+# from potential bots.
+#
+#turn_allow_guests = false
+
 # Set this to true to lock down your server's public room directory and
 # only allow admins to publish rooms to the room directory. Unpublishing
 # is still allowed by all users with this enabled.
@@ -605,7 +619,7 @@
 # Set to false to disable users from joining or creating room versions
 # that aren't officially supported by continuwuity.
 #
-# continuwuity officially supports room versions 6 - 12.
+# continuwuity officially supports room versions 6 - 11.
 #
 # continuwuity has slightly experimental (though works fine in practice)
 # support for versions 3 - 5.
@@ -617,33 +631,9 @@
 # rather than an integer. Forgetting the quotes will make the server fail
 # to start!
 #
-# Per spec, room version "12" is the default.
+# Per spec, room version "11" is the default.
 #
-#default_room_version = "12"
-
-# A default allow value for the Access Control List when creating a room.
-#
-# If a list is provided, new rooms will be created with
-# a m.room.server_acl event. Only servers which match one of the patterns
-# in the list will be permitted to participate in the room.
-#
-# ACLs in existing rooms will not be updated automatically. This is not
-# a substitute for moderation bots.
-#
-#default_room_acl_allow =
-
-# A default deny value for the Access Control List when creating a room.
-#
-# If a list is provided, new rooms will be created with
-# a m.room.server_acl event. Servers which match one of the patterns
-# in the list will be NOT permitted to participate in the room.
-#
-# This config cannot be used if the default_room_acl_allow config is used.
-#
-# ACLs in existing rooms will not be updated automatically. This is not
-# a substitute for moderation bots.
-#
-#default_room_acl_deny =
+#default_room_version = "11"

 # Enable OpenTelemetry OTLP tracing export. This replaces the deprecated
 # Jaeger exporter. Traces will be sent via OTLP to a collector (such as
@@ -1292,6 +1282,21 @@
 #
 #brotli_compression = false

+# Set to true to allow user type "guest" registrations. Some clients like
+# Element attempt to register guest users automatically.
+#
+#allow_guest_registration = false
+
+# Set to true to log guest registrations in the admin room. Note that
+# these may be noisy or unnecessary if you're a public homeserver.
+#
+#log_guest_registrations = false
+
+# Set to true to allow guest registrations/users to auto join any rooms
+# specified in `auto_join_rooms`.
+#
+#allow_guests_auto_join_rooms = false
+
 # Enable the legacy unauthenticated Matrix media repository endpoints.
 # These endpoints consist of:
 # - /_matrix/media/*/config
@@ -1404,20 +1409,6 @@
 #
 #ignore_messages_from_server_names = []

-# List of server names that continuwuity will deprioritize (try last) when
-# a client requests to join a room.
-#
-# This can be used to potentially speed up room join requests, by
-# deprioritizing sending join requests through servers that are known to
-# be large or slow.
-#
-# continuwuity will still send join requests to servers in this list if
-# the room couldn't be joined via other servers it federates with.
-#
-# example: ["example.com"]
-#
-#deprioritize_joins_through_servers = []
-
 # Send messages from users that the user has ignored to the client.
 #
 # There is no way for clients to receive messages sent while a user was
@@ -1591,6 +1582,19 @@
 #
 #block_non_admin_invites = false

+# Enable or disable making requests to MSC4284 Policy Servers.
+# It is recommended you keep this enabled unless you experience frequent
+# connectivity issues, such as in a restricted networking environment.
+#
+#enable_msc4284_policy_servers = true
+
+# Enable running locally generated events through configured MSC4284
+# policy servers. You may wish to disable this if your server is
+# single-user for a slight speed benefit in some rooms, but otherwise
+# should leave it enabled.
+#
+#policy_server_check_own_events = true
+
 # Allow admins to enter commands in rooms other than "#admins" (admin
 # room) by prefixing your message with "\!admin" or "\\!admin" followed up
 # a normal continuwuity admin command. The reply will be publicly visible
@@ -1857,11 +1861,6 @@
 #
 #support_page =

-# The ed25519 public key for the policy server available at this server's
-# name. Must be unpadded base64.
-#
-#policy_server_public_key =
-
 # Role string for server support contacts, to be served as part of the
 # MSC1929 server support endpoint at /.well-known/matrix/support.
 #
@@ -1887,6 +1886,34 @@
 #
 #support_pgp_key =

+# **DEPRECATED**: Use `[global.matrix_rtc].foci` instead.
+#
+# A list of MatrixRTC foci URLs which will be served as part of the
+# MSC4143 client endpoint at /.well-known/matrix/client.
+#
+# This option is deprecated and will be removed in a future release.
+# Please migrate to the new `[global.matrix_rtc]` config section.
+#
+#rtc_focus_server_urls = []
+
+[global.blurhashing]
+
+# blurhashing x component, 4 is recommended by https://blurha.sh/
+#
+#components_x = 4
+
+# blurhashing y component, 3 is recommended by https://blurha.sh/
+#
+#components_y = 3
+
+# Max raw size that the server will blurhash, this is the size of the
+# image after converting it to raw data, it should be higher than the
+# upload limit but not too high. The higher it is the higher the
+# potential load will be for clients requesting blurhashes. The default
+# is 33.55MB. Setting it to 0 disables blurhashing.
+#
+#blurhash_max_raw_size = 33554432
+
 [global.matrix_rtc]

 # A list of MatrixRTC foci (transports) which will be served via the
@@ -1904,6 +1931,94 @@
 #
 #foci = []

+[global.ldap]
+
+# Whether to enable LDAP login.
+#
+# example: "true"
+#
+#enable = false
+
+# Whether to force LDAP authentication or authorize classical password
+# login.
+#
+# example: "true"
+#
+#ldap_only = false
+
+# URI of the LDAP server.
+#
+# example: "ldap://ldap.example.com:389"
+#
+#uri = ""
+
+# Root of the searches.
+#
+# example: "ou=users,dc=example,dc=org"
+#
+#base_dn = ""
+
+# Bind DN if anonymous search is not enabled.
+#
+# You can use the variable `{username}` that will be replaced by the
+# entered username. In such case, the password used to bind will be the
+# one provided for the login and not the one given by
+# `bind_password_file`. Beware: automatically granting admin rights will
+# not work if you use this direct bind instead of a LDAP search.
+#
+# example: "cn=ldap-reader,dc=example,dc=org" or
+# "cn={username},ou=users,dc=example,dc=org"
+#
+#bind_dn = ""
+
+# Path to a file on the system that contains the password for the
+# `bind_dn`.
+#
+# The server must be able to access the file, and it must not be empty.
+#
+#bind_password_file = ""
+
+# Search filter to limit user searches.
+#
+# You can use the variable `{username}` that will be replaced by the
+# entered username for more complex filters.
+#
+# example: "(&(objectClass=person)(memberOf=matrix))"
+#
+#filter = "(objectClass=*)"
+
+# Attribute to use to uniquely identify the user.
+#
+# example: "uid" or "cn"
+#
+#uid_attribute = "uid"
+
+# Attribute containing the display name of the user.
+#
+# example: "givenName" or "sn"
+#
+#name_attribute = "givenName"
+
+# Root of the searches for admin users.
+#
+# Defaults to `base_dn` if empty.
+#
+# example: "ou=admins,dc=example,dc=org"
+#
+#admin_base_dn = ""
+
+# The LDAP search filter to find administrative users for continuwuity.
+#
+# If left blank, administrative state must be configured manually for each
+# user.
+#
+# You can use the variable `{username}` that will be replaced by the
+# entered username for more complex filters.
+#
+# example: "(objectClass=conduwuitAdmin)" or "(uid={username})"
+#
+#admin_filter = ""
+
 #[global.antispam]

 #[global.antispam.meowlnir]
@@ -1972,18 +2087,12 @@
 #
 #sender =

-# Whether to allow public registration with an email address.
-#
-# Note that, if this option is enabled, anyone will be able to register an
-# account with just an email address.
-#
-# If either this option or `require_email_for_token_registration` are set,
-# users will not be allowed to remove their email address.
+# Whether to require that users provide an email address when they
+# register.
 #
 #require_email_for_registration = false

 # Whether to require that users who register with a registration token
-# provide an email address. This option is independent of
-# `require_email_for_registration`.
+# provide an email address.
 #
 #require_email_for_token_registration = false
@@ -1,5 +1,5 @@
 ARG RUST_VERSION=1
-ARG DEBIAN_VERSION=trixie
+ARG DEBIAN_VERSION=bookworm

 FROM --platform=$BUILDPLATFORM docker.io/tonistiigi/xx AS xx
 FROM --platform=$BUILDPLATFORM rust:${RUST_VERSION}-slim-${DEBIAN_VERSION} AS base
@@ -10,21 +10,19 @@ RUN rm -f /etc/apt/apt.conf.d/docker-clean

 # Match Rustc version as close as possible
 # rustc -vV
-ARG LLVM_VERSION=22
+ARG LLVM_VERSION=21
 # ENV RUSTUP_TOOLCHAIN=${RUST_VERSION}

 # Install repo tools
 # Line one: compiler tools
 # Line two: curl, for downloading binaries and wget because llvm.sh is broken with curl
 # Line three: for xx-verify
-# golang, cmake: For aws-lc-rs bindgen
 RUN --mount=type=cache,target=/var/cache/apt,sharing=locked \
    --mount=type=cache,target=/var/lib/apt,sharing=locked \
    apt-get update && apt-get install -y \
    pkg-config make jq \
-    wget curl git lsb-release gpg \
+    wget curl git software-properties-common \
    file
-    # golang cmake

 # LLVM packages
 RUN --mount=type=cache,target=/var/cache/apt,sharing=locked \
@@ -50,7 +48,7 @@ EOF

 # Developer tool versions
 # renovate: datasource=github-releases depName=cargo-bins/cargo-binstall
-ENV BINSTALL_VERSION=1.19.1
+ENV BINSTALL_VERSION=1.17.8
 # renovate: datasource=github-releases depName=psastras/sbom-rs
 ENV CARGO_SBOM_VERSION=0.9.1
 # renovate: datasource=crate depName=lddtree
@@ -164,7 +162,7 @@ ENV CONDUWUIT_VERSION_EXTRA=$CONDUWUIT_VERSION_EXTRA
 ENV CONTINUWUITY_VERSION_EXTRA=$CONTINUWUITY_VERSION_EXTRA

 ARG RUST_PROFILE=release
-ARG CARGO_FEATURES="default"
+ARG CARGO_FEATURES="default,http3"

 # Build the binary
 RUN --mount=type=cache,target=/usr/local/cargo/registry \
@@ -18,7 +18,7 @@ RUN --mount=type=cache,target=/etc/apk/cache apk add \

 # Developer tool versions
 # renovate: datasource=github-releases depName=cargo-bins/cargo-binstall
-ENV BINSTALL_VERSION=1.19.1
+ENV BINSTALL_VERSION=1.17.8
 # renovate: datasource=github-releases depName=psastras/sbom-rs
 ENV CARGO_SBOM_VERSION=0.9.1
 # renovate: datasource=crate depName=lddtree
@@ -69,6 +69,11 @@
        "label": "Configuration Reference",
        "name": "/reference/config"
    },
+    {
+        "type": "file",
+        "label": "Environment Variables",
+        "name": "/reference/environment-variables"
+    },
    {
        "type": "dir",
        "label": "Admin Command Reference",
@@ -3,16 +3,5 @@
        "type": "file",
        "name": "delegation",
        "label": "Delegation / split-domain"
-    },
-    {
-        "type": "file",
-        "name": "dns",
-        "label": "DNS tuning (recommended)"
-    },
-    {
-        "type": "file",
-        "name": "performance",
-        "label": "Performance tuning"
    }
-
 ]
@@ -18,14 +18,12 @@ Then, in the `[global.well_known]` section of your config file, add the followin
 ```toml
 [global.well_known]

-# defaults to port :443 if not specified
 client = "https://matrix.example.com"

 # port number MUST be specified
 server = "matrix.example.com:443"

 # (optional) customize your support contacts
-# Defaults to members of the admin room if unset
 #support_page =
 #support_role = "m.role.admin"
 #support_email =
@@ -44,12 +42,10 @@ services:
        client=https://matrix.example.com,
        server=matrix.example.com:443
        }
-
-      # You can also configure individual `.well-knowns` like this
-      # CONTINUWUITY_WELL_KNOWN__CLIENT: https://matrix.example.com
-      # CONTINUWUITY_WELL_KNOWN__SERVER: matrix.example.com:443
 ```

+## Serving with a reverse proxy
+
 After doing the steps above, Continuwuity will serve these 3 JSON files:

 - `/.well-known/matrix/client`: for Client-Server discovery
@@ -58,11 +54,9 @@ After doing the steps above, Continuwuity will serve these 3 JSON files:

 To enable full discovery, you will need to reverse proxy these paths from the base domain back to Continuwuity.

-## Reverse proxying well-known files to Continuwuity
-
 <details>

-<summary>For **Caddy**</summary>
+<summary>For Caddy</summary>

 ```
 matrix.example.com:443 {
@@ -78,7 +72,7 @@ example.com:443 {

 <details>

-<summary>For **Traefik** (via Docker labels)</summary>
+<summary>For Traefik (via Docker labels)</summary>

 ```
 services:
@@ -93,17 +87,16 @@ services:

 </details>

-
-For **Docker** users, consult the compose files in the [Appendix section](#docker-compose-examples).
-
-After applying these changes, restart Continuwuity and your reverse proxy.Visit these routes and check that the responses match the examples below:
+Restart Continuwuity and your reverse proxy. Once that's done, visit these routes and check that the responses match the examples below:

 <details open>

 <summary>`https://example.com/.well-known/matrix/server`</summary>

 ```json
-{ "m.server": "matrix.example.com:443" }
+{
+  "m.server": "matrix.example.com:443"
+}
 ```

 </details>
@@ -122,59 +115,12 @@ After applying these changes, restart Continuwuity and your reverse proxy.Visit

 </details>

-### Serving well-known files manually
-
-Instead of configuring `[global.well_known]` options and reverse proxying well-known URIs, you can serve these files directly as static JSON that match the ones above. This is useful if your base domain points to a different physical server, and reverse proxying isn't feasible.
-
-<details>
-
-<summary>Example Caddyfile **for the base domain**</summary>
-
-```
-https://example.com {
-
-    respond /.well-known/matrix/server 200 {
-        body `{"m.server":"matrix.example.com:443"}`
-    }
-
-    handle /.well-known/matrix/client {
-    header Access-Control-Allow-Origin *
-    respond <<JSON
-    {
-        "m.homeserver": {
-            "base_url": "https://matrix.example.com/"
-        }
-    }
-    JSON
-    }
-}
-```
-
-</details>
-
-Remember to set the `Access-Control-Allow-Origin: *` header in your `/.well-known/matrix/client` path for web clients to work.
-
 ## Troubleshooting

-Check that other servers can connect to you.
-Here are some tools that can help identify federation issues:
-
- [Matrix Connectivity Tester](https://federationtester.mtrnord.blog/)
- [Matrix Federation Tester](https://federationtester.matrix.org/)
-
 ### Cannot log in with web clients

 Make sure there is an `Access-Control-Allow-Origin: *` header in your `/.well-known/matrix/client` path. While Continuwuity serves this header by default, it may be dropped by reverse proxies or other middlewares.

-### Issues with alternative setups
-
-As Matrix clients prioritize well-known URIs for their destination, this can lead to issues with alternative methods of accessing the server that doesn't use a publicly routeable IP and domain name. You will probably find yourself connecting to non-existent/undesired URLs in certain cases like:
-
- Accessing to the server via localhost IPs (e.g. for testing purposes)
- Accessing the server from behind a VPN, or from alternative networks (such as from an onionsite)
-
-In these scenarios, further configurations would be needed. Refer to the [Related Documentation](#related-documentation) section for resolution steps and see how they could apply to your use case.
-
 ---

 ## Using SRV records (not recommended)
@@ -258,45 +204,3 @@ See the following Matrix Specs for full details on client/server resolution mech
 - [Server-to-Server resolution](https://spec.matrix.org/v1.17/server-server-api/#resolving-server-names) (see this for more information on SRV records)
 - [Client-to-Server resolution](https://spec.matrix.org/v1.17/client-server-api/#server-discovery)
 - [MSC1929: Homeserver Admin Contact and Support page](https://github.com/matrix-org/matrix-spec-proposals/pull/1929)
-
-## Appendix
-
-### Docker Compose examples
-
-The following Compose files are taken from [Docker instructions](../deploying/docker.mdx) and reconfigured to support split-domain delegation. Note the updated `CONTINUWUITY_WELL_KNOWN` variable and relevant changes in reverse proxy rules.
-
-<details>
-<summary>Caddy (using Caddyfile) - delegated.docker-compose.with-caddy.yml ([view raw](/advanced/delegated.docker-compose.with-caddy.yml))</summary>
-
-```yaml file="../public/advanced/delegated.docker-compose.with-caddy.yml"
-
-```
-
-</details>
-
-<details>
-<summary>Caddy (using labels) - delegated.docker-compose.with-caddy-labels.yml ([view raw](/advanced/delegated.docker-compose.with-caddy-labels.yml))</summary>
-
-```yaml file="../public/advanced/delegated.docker-compose.with-caddy-labels.yml"
-
-```
-
-</details>
-
-<details>
-<summary>Traefik (for existing setup) - delegated.docker-compose.for-traefik.yml ([view raw](/advanced/delegated.docker-compose.for-traefik.yml))</summary>
-
-```yaml file="../public/advanced/delegated.docker-compose.for-traefik.yml"
-
-```
-
-</details>
-
-<details>
-<summary>Traefik included - delegated.docker-compose.with-traefik.yml ([view raw](/advanced/delegated.docker-compose.with-traefik.yml))</summary>
-
-```yaml file="../public/advanced/delegated.docker-compose.with-traefik.yml"
-
-```
-
-</details>
@@ -1,169 +0,0 @@
-# DNS Tuning (recommended)
-
-For federation, Matrix homeservers conduct an enormous amount of DNS requests, sometimes up to thousands of queries per minute. Normal DNS resolvers are simply not designed for this load, and running Continuwuity with them will likely result in various [DNS and federation errors](../troubleshooting#dns-issues).
-
-To solve this issue, it is strongly recommended to self-host a high-quality, external caching DNS resolver for Continuwuity. This guide will use [Unbound][unbound] as the recommended example, but the general principle applies to any resolver.
-
-[unbound]: https://wiki.archlinux.org/title/Unbound
-
-## Overview
-
-For generic deployments, install your resolver of choice and configure `/etc/resolv.conf` to point to it. The resolver should ideally reside on the same host as Continuwuity.
-
-```txt title="/etc/resolv.conf"
-nameserver 127.0.0.1
-```
-
-**Avoid using `systemd-resolved`** as it does **not** perform very well under high load, and we have identified its DNS caching to not be very effective.
-
-### For Docker users
-
-Docker bridge networks uses a non-performant resolver to intercept and respond to container hostnames, and **this should also be avoided**. Instead, mount a custom `/etc/resolv.conf` file into the container, and hardcode a resolver address to bypass Docker's.
-
-It is recommended to run a dedicated resolver container for Continuwuity, as to separate from the host's resolver setup. To do this, create a custom bridge network and IP range, and explicitly define an IP address for the resolver container.
-
-<details>
-<summary>Example Docker deployment with unbound</summary>
-
-```yaml title="docker-compose.yml"
-networks:
-  matrix_net:
-    ipam:
-      driver: default
-      config:
-        - subnet: "10.10.10.0/24"
-
-services:
-    homeserver:
-        # ...
-        volume:
-            - ./continuwuity-resolv.conf:/etc/resolv.conf:ro
-
-    unbound:
-        # ...
-        networks:
-            matrix_net:
-                ipv4_address: 10.10.10.20
-```
-
-```txt title="continuwuity-resolv.conf"
-nameserver 10.10.10.20
-```
-
-</details>
-
-### For IPv4-only users
-
-If you don't have IPv6 connectivity, changing `ip_lookup_strategy` to only resolve for IPv4 will reduce unnecessary AAAA queries.
-
-```toml title="continuwuity.toml"
-[global]
-# 1 - Ipv4Only (Only query for A records, no AAAA/IPv6)
-ip_lookup_strategy = 1
-```
-
-## Unbound
-
-[Unbound][unbound] is the recommended resolver to run with Continuwuity. For Docker users, the `docker.io/madnuttah/unbound` image ([Github repo][madnuttah-unbound-repo]) can be used.
-
-After installation, you can tune `/etc/unbound/unbound.conf` values according to your needs. While Continuwuity cannot recommend a "works-for-everyone" Unbound DNS setup guide, the official [Unbound tuning guide][unbound-tuning-guide] and the [Unbound Arch Linux wiki page][unbound-arch-linux] may be of interest.
-
-Some values that are commonly tuned include:
-
- Increase `rrset-cache-size` and `msg-cache-size` to something much higher than the default `4M`, such as `64M`.
-
- Increase `discard-timeout` to something like `4800` to wait longer for upstream resolvers, as recursion can take a long time to respond to some domains. Continuwuity default to `dns_timeout = 10` seconds, so dropping requests early would lead to unnecessary retries and/or failures.
-
-### Recursion versus forwarding
-
-Unbound by default employs **recursive resolution** and contacts many servers around the world. While this allows updated and authoritative answers and are generally viable for most users, sometimes these recursive queries can be too slow to fully resolve. As an alternative, you can consider **forwarding** your queries to public resolvers, and benefit from faster responses from their CDNs.
-
-Do note that most popular upstreams (such as Google DNS or Quad9) employ IP ratelimiting, so a generous cache is still needed to avoid making too many queries.
-
-If you want to use forwarders, configure it as follows:
-
-<details>
-
-<summary>unbound.conf</summary>
-
-```
-# Use cloudflare public resolvers as an example
-forward-zone:
-    name: "."
-    forward-addr: 1.0.0.1@53
-    forward-addr: 1.1.1.1@53
-    # Also use IPv6 ones if you're dual-stack
-    # forward-addr: 2606:4700:4700::1001@53
-    # forward-addr: 2606:4700:4700::1111@53
-
-# alternatively, use DNS-over-TLS for forwarders.
-# this will encrypt traffic between you and the forwarder,
-# but takes more time due to TLS overhead.
-# forward-zone:
-    # name: "."
-    # forward-tls-upstream: yes
-    # forward-addr: 1.0.0.1@853#cloudflare-dns.com
-    # forward-addr: 1.1.1.1@853#cloudflare-dns.com
-    # forward-addr: 2606:4700:4700::1001@853#cloudflare-dns.com
-    # forward-addr: 2606:4700:4700::1111@853#cloudflare-dns.com
-```
-
-</details>
-
-[madnuttah-unbound-repo]: https://github.com/madnuttah/unbound-docker/
-[unbound-tuning-guide]: https://unbound.docs.nlnetlabs.nl/en/latest/topics/core/performance.html
-[unbound-arch-linux]: https://wiki.archlinux.org/title/Unbound
-
-## Other resolvers
-
-### dnsproxy
-
-[Dnsproxy][dnsproxy] and its sister product [AdGuard Home][adguard-home] are known to work with Continuwuity and has an official Docker image. They have support for DNS-over-HTTPS as well as DNS-over-QUIC, but not recursion.
-
-To best utilise dnsproxy, you should enable proper caching with `--cache` and set `--cache-size` to something bigger, like `64000000`.
-
-[dnsproxy]: https://github.com/AdguardTeam/dnsproxy
-[adguard-home]: https://github.com/AdguardTeam/AdGuardHome
-
-### dnsmasq
-
-[dnsmasq][arch-linux-dnsmasq] can possibly work with Continuwuity, though it only supports forwarding rather than recursion. Increase the `cache-size` to something like `30000` for better caching performance.
-
-However, `dnsmasq` does not support TCP fallback which can be problematic when receiving large DNS responses such as from large SRV records. If you still want to use dnsmasq, make sure you disable `dns_tcp_fallback` in Continuwuity config.
-
-[arch-linux-dnsmasq]: https://wiki.archlinux.org/title/Dnsmasq
-
-### Technitium DNS
-
-[Technitium DNS Server][technitium] supports recursion as well as a myriad of forwarding protocols, allows saving cache to disk natively, and does work well with Continuwuity. Its out-of-the-box configs however ratelimits single-IP requests by a lot, and hence must be changed.
-
-You may consult this [community guide][technitium-continuwuity] for more details on setting up and fine-tuning a dedicated Technitium instance for Continuwuity.
-
-[technitium]: https://github.com/TechnitiumSoftware/DnsServer
-[technitium-continuwuity]: https://muoi.me/~stratself/articles/technitium-continuwuity/
-
-## Testing
-
-As a rough stress test, you can run `!admin query resolver flush-cache -a` or `!admin server clear-caches` to trigger a netburst of DNS queries. If your resolver can handle these loads without problem, then it should be ready for regular Continuwuity activity.
-
-To test connectivity against a specific server, use `!admin debug ping <SERVER_NAME>` and `!admin debug resolve-true-destination <SERVER_NAME>`.
-
-Note that it is expected that not all servers will be resolved, as some of them may be temporarily offline, have broken DNS and/or discovery configuration, or have been decommissioned.
-
-## Further steps
-
-It is recommended to set **`dns_cache_entries = 0`** inside Continuwuity to fully rely on the external resolver. While Continuwuity does have an internal cache, it can run into reliability issues if you're federating with many domains.
-
-Additionally, you can also make the following improvements:
-
- Consider employing **persistent cache to disk**, so your resolver can still run without hassle after a restart. Unbound, via [Cache DB module][unbound-cachedb], can use Redis as a storage backend for this feature.
-
- Consider [enabling **Serve Stale**][unbound-serve-stale] functionality to serve expired data beyond DNS TTLs. Since most Matrix homeservers have static IPs, this should still allow federating with them when upstream resolvers have timed out. For dnsproxy, this corresponds to its [optimistic caching options][dnsproxy-usage].
-
- If you still experience DNS performance issues, another step could be to **disable DNSSEC** (which is computationally expensive) at a cost of slightly decreased security. On Unbound this is done by commenting out `trust-anchors` config options and removing the `validator` module.
-
- Some users have reported that setting `query_over_tcp_only = true` in Continuwuity has improved DNS reliability at a slight performance cost due to TCP overhead. Generally this is not needed if your resolver and homeserver is on the same machine.
-
-[unbound-cachedb]: https://unbound.docs.nlnetlabs.nl/en/latest/manpages/unbound.conf.html#cache-db-module-options
-[unbound-serve-stale]: https://wiki.archlinux.org/title/Unbound#Serving_expired_records
-[dnsproxy-usage]: https://github.com/AdguardTeam/dnsproxy#usage
@@ -1,135 +0,0 @@
-# Performance tuning
-
-Continuwuity's default configs are suited for many typical setups and scales appropriately with the size of your hardware. However, there are many scenarios where additional modifications can be made to better utilize your server resources.
-
-This page aims to outline various performance tweaks for Continuwuity and their effects. These adjustments are especially helpful for homeservers that join many large federated rooms or have many users, and it will become increasingly necessary as the Matrix network expands. As always, your mileage may vary according to your setup's specifics. If you have further discussions or recommendations, please share them in the community rooms.
-
-## DNS tuning (recommended)
-
-Please see the dedicated [DNS tuning guide](./dns.mdx).
-
-## Cache capacities
-
-If you have memory to spare, consider increasing the `cache_capacity_modifier` value to a larger number to allow more data to be stored in hot memory. This *significantly* speeds up many intensive operations (such as state resolutions) and decreases CPU usage and disk I/O. Start with a baseline of `cache_capacity_modifier = 2.0` and tune up until you are satisfied with RAM usage.
-
-On the other hand, if your system doesn't have a lot of RAM, consider decreasing the cache capacity modifier to something smaller than `1.0` to avoid low-memory issues (at the cost of higher load on disk/CPU). This recommendation also works if your system has abnormally little RAM compared to the number of CPU cores (for example, 2GB RAM for 12 cores), as cache capacities scale according to number of available cores.
-
-## Disabling some features
-
-You can disable outgoing **typing notifications** and **read markers** to reduce strain on the CPU and network when actively participating in rooms.
-
-```toml
-# disables sending read receipts
-allow_outgoing_read_receipts = false
-# disables sending typing notifications
-allow_outgoing_typing = false
-```
-
-Outgoing presence updates are also considered very expensive and have been disabled by default (`allow_outgoing_presence = false`). For more savings, you may wish to disable _all_ processing of presence entirely.
-
-```toml title=continuwuity.toml
-# disabling presence updates entirely
-allow_local_presence = false
-allow_incoming_presence = false
-allow_outgoing_presence = false
-```
-
-## Tuning database compression
-
-:::warning
-These steps SHOULD be done **before** starting Continuwuity for the first time. While switching database compression midway through is theoretically possible, this has not been tested extensively in the wild.
-:::
-
-### Changing the compression algorithm
-
-For reduced CPU usage at a tradeoff of increased storage space, consider deploying Continuwuity with the faster and less intensive `lz4` algorithm instead of `zstd` for rocksdb, and disable WAL compression entirely:
-
-```toml
-### in continuwuity.toml ###
-rocksdb_compression_algo = "lz4"
-rocksdb_wal_compression = "none"
-```
-
-This tweak can especially be helpful if you have an older or less performant CPU (e.g. a Raspberry Pi) and disk space to spare.
-
-### Increasing bottommost layer compression (`zstd` only)
-
-The bottommost layer of the database usually contains old and read-only data, so it is a suitable place for further compression. In Continuwuity, this is possible by setting `rocksdb_bottommost_compression = true` and tuning `rocksdb_bottommost_compression_level` to a more compact level than the default one used in `rocksdb_compression_level`. This tweak comes at a cost of increased CPU usage, but may prevent your database from growing too large in the long run.
-
-For those using `zstd` compression, the compression level ranges from 1 to 22. An example like this could apply:
-
-```toml
-### in continuwuity.toml ###
-rocksdb_compression_algo = "zstd"
-rocksdb_compression_level = 32767 # magic number, translates to level 3 on zstd
-rocksdb_bottommost_compression = true
-rocksdb_bottommost_compression_level = 9 # level 9 on zstd
-```
-
-For `lz4` users, the default level (`-1`) is already the most compact. You can only further decrease it to favor compression speed over ratio.
-
-Consult these documents for more information on compression tuning and levels:
-
- [Rocksdb compression documentation][rocksdb-compression]
- [Rocksdb default compression levels][rocksdb-compression-defaults]
- [Zstd manual][zstd-manual]
- [Lz4 manual][lz4-manual]
-
-[rocksdb-compression]: https://github.com/facebook/rocksdb/wiki/Compression
-[rocksdb-compression-defaults]: https://github.com/facebook/rocksdb/blob/main/include/rocksdb/options.h#L208-L217
-[zstd-manual]: https://facebook.github.io/zstd/zstd_manual.html
-[lz4-manual]: https://github.com/lz4/lz4/blob/release/doc/lz4_manual.html
-
-## Other tweaks
-
-### Using UNIX sockets
-
-If your homeserver and reverse proxy live on the same machine, you may wish to expose Continuwuity on a UNIX socket instead of a port. This removes TCP overhead between the two programs.
-
-<details>
-
-<summary>Example config with Caddy</summary>
-
-```toml
-### in continuwuity.toml ###
-
-# `address` and `port` has to be commented out first
-#address = ["127.0.0.1", "::1"]
-#port = 8008
-unix_socket_path = "/run/continuwuity/continuwuity.sock"
-```
-
-```
-### in your Caddyfile ###
-https://matrix.example.com {
-    reverse_proxy unix//run/continuwuity/continuwuity.sock
-
-    # alternatively, use the http2-plaintext protocol
-    # reverse_proxy unix+h2c//run/continuwuity/continuwuity.sock
-}
-```
-
-</details>
-
-### Tuning your trusted servers
-
-:::info Vet your trusted servers!
-Trusted servers are your first point of contact when obtaining public keys from other servers, and they could theoretically impersonate other servers and cause significant harm to your deployment. Please thoroughly verify your trusted servers' credibility before adding them to your configuration.
-:::
-
-Trusted servers are queried sequentially in the order they are listed. If you have multiple trusted servers configured, put the faster ones first:
-
-```toml
-# Example config, using maintainers' recommended homeservers
-trusted_servers = ["codestorm.net","starstruck.systems","unredacted.org","matrix.org"]
-```
-
-Avoid prioritising `matrix.org` as your primary trusted server, as it tends to be quite slow.
-
-Some users have also reported that increasing `trusted_server_batch_size` has helped with faster joins for huge rooms. Start with doubling the default to `2048` until you find a suitable value.
-
-### Enable HTTP/3 on your reverse proxy
-
-Consider enabling the newer **HTTP/3** protocol for inbound connections to Continuwuity. In Caddy HTTP/3 is allowed by default, but you must expose port :443/**udp** on your firewall.
-
-HTTP/3 can vastly improve Client-Server connections especially on unstable networks, as it reduces packet losses and latency from TCP head-of-line blocking, includes workarounds for network switching, and reduces connection establishment handshakes. Continuwuity also includes experimental _outbound_ HTTP/3 support in its Docker images, so connections between Continuwuity servers can benefit from this too.
@@ -25,9 +25,9 @@ You must generate a key and secret to allow the Matrix service to authenticate w
 :::tip Generating the secrets
 LiveKit provides a utility to generate secure random keys
 ```bash
-docker run --rm livekit/livekit-server:latest generate-keys
-# API Key:  APIUxUnMnSkuFWV
-# API Secret:  t93ZVjPeoEdyx7Wbet3kG4L3NGZIZVEFvqe0UuiVc22A
+~$ docker run --rm livekit/livekit-server:latest generate-keys
+API Key:  APIUxUnMnSkuFWV
+API Secret:  t93ZVjPeoEdyx7Wbet3kG4L3NGZIZVEFvqe0UuiVc22A
 ```
 :::

@@ -91,7 +91,7 @@ You will need to allow ports `7881/tcp` and `50100:50200/udp` through your firew

 To tell clients where to find LiveKit, you need to add the address of your `lk-jwt-service` to the `[global.matrix_rtc]` config section using the `foci` option.

-The variable should be a list of servers serving as MatrixRTC endpoints. Replace the URL with the address you are deploying your instance of lk-jwt-service to:
+The variable should be a list of servers serving as MatrixRTC endpoints. Clients discover these via the `/_matrix/client/v1/rtc/transports` endpoint (MSC4143).

 ```toml
 [global.matrix_rtc]
@@ -100,10 +100,7 @@ foci = [
 ]
 ```

-This will expose LiveKit information on the following endpoints for clients to discover:
-
- `/_matrix/client/unstable/org.matrix.msc4143/rtc/transports` (MSC4143 unstable, behind auth)
- `/.well-known/matrix/client` (fallback, not behind auth. Only enabled if `[global.well_known].client` is set)
+Remember to replace the URL with the address you are deploying your instance of lk-jwt-service to.

 ### 4. Configure your Reverse Proxy

@@ -117,7 +114,6 @@ All paths should be forwarded to LiveKit by default, with the exception of the f

 <details>
    <summary>Example caddy config</summary>
-
    ```
    livekit.example.com {

@@ -131,12 +127,10 @@ All paths should be forwarded to LiveKit by default, with the exception of the f
        reverse_proxy 127.0.0.1:7880
    }
    ```
-
 </details>

 <details>
    <summary>Example nginx config</summary>
-
    ```
    server {
        server_name livekit.example.com;
@@ -173,19 +167,16 @@ All paths should be forwarded to LiveKit by default, with the exception of the f
        ''      close;
    }
    ```
-
 </details>

 <details>
    <summary>Example traefik router</summary>
-
    ```
    # on LiveKit itself
    traefik.http.routers.livekit.rule=Host(`livekit.example.com`)
    # on the JWT service
    traefik.http.routers.livekit-jwt.rule=Host(`livekit.example.com`) && (PathPrefix(`/sfu/get`) || PathPrefix(`/healthz`) || PathPrefix(`/get_token`))
    ```
-
 </details>


@@ -219,7 +210,7 @@ ports:
 ### if you're using `network_mode: host`, you can skip this part
 ```

-Recreate the LiveKit container (with `docker-compose up -d livekit`) to apply these changes. Remember to allow the new `3478/udp` and `50300:50400/udp` ports through your firewall.
+Recreate the LiveKit container (with `docker-compose up -d livekit`) to apply these changes. Remember to allow the new `3478/udp` and `50100:50200/udp` ports through your firewall.

 ### Integration with an external TURN server

@@ -262,29 +253,15 @@ Restart LiveKit and coturn to apply these changes.

 ## Testing

-To test that LiveKit is successfully integrated with Continuwuity, you will need to replicate its [Token Exchange Flow](https://github.com/element-hq/lk-jwt-service#%EF%B8%8F-how-it-works--token-exchange-flow). Follow the steps below while checking Docker logs (`docker-compose logs --follow`), in order to help [troubleshooting](#troubleshooting) any issues.
+To test that LiveKit is successfully integrated with Continuwuity, you will need to replicate its [Token Exchange Flow](https://github.com/element-hq/lk-jwt-service#%EF%B8%8F-how-it-works--token-exchange-flow).

 First, you will need an access token for your current login session. These can be found in your client's settings or obtained via [this website](https://timedout.uk/mxtoken.html).

-Then, using that token, fetch the discovery endpoints for MatrixRTC services:
+Then, using that token, request another OpenID token for use with the lk-jwt-service:

 ```bash
-curl -H "Authorization: Bearer <session-access-token>" \
-  https://matrix.example.com/_matrix/client/unstable/org.matrix.msc4143/rtc/transports
-```
-
-In the output, you should see the LiveKit URL matching the one [configured above](#3-telling-clients-where-to-find-livekit).
-
-With the same token, request another OpenID token for use with the lk-jwt-service:
-
-```bash
-curl -X POST -H "Authorization: Bearer <session-access-token>" \
+~$ curl -X POST -H "Authorization: Bearer <session-access-token>" \
  https://matrix.example.com/_matrix/client/v3/user/@user:example.com/openid/request_token
-```
-
-You will see a response as below:
-
-```json
 {"access_token":"<openid_access_token>","token_type":"Bearer","matrix_server_name":"example.com","expires_in":3600}
 ```

@@ -318,44 +295,30 @@ Replace `matrix_server_name` and `claimed_user_id` with your information, and `<
 You can then send this payload to the lk-jwt-service:

 ```bash
-curl -X POST -d @payload.json https://livekit.example.com/get_token
-```
-
-The lk-jwt-service will, after checking against Continuwuity, answer with a `jwt` token to create a LiveKit media room:
-
-```json
+~$ curl -X POST -d @payload.json https://livekit.example.com/get_token
 {"url":"wss://livekit.example.com","jwt":"a_really_really_long_string"}
 ```

-Use this token to test at the [LiveKit Connection Tester](https://livekit.io/connection-test). If everything works there, then you have set up LiveKit successfully!
+The lk-jwt-service will, after checking against Continuwuity, answer with a `jwt` token to create a LiveKit media room. Use this token to test at the [LiveKit Connection Tester](https://livekit.io/connection-test). If everything works there, then you have set up LiveKit successfully!

 ## Troubleshooting

-To debug any issues, you can place a call or redo the Testing instructions, and check the container logs for any specific errors. Use `docker-compose logs --follow` to follow these logs in real-time.
+To debug any issues, you can place a call or redo the Testing instructions, and check the container logs for any specific errors. Use `docker-compose logs --follow` to follow them in real-time.

 ### Common errors in Element Call UI

 - `MISSING_MATRIX_RTC_FOCUS`: LiveKit is missing from Continuwuity's config file
 - "Waiting for media" popup always showing: a LiveKit URL has been configured in Continuwuity, but your client cannot connect to it for some reason

-For browser-based clients, you can also inspect connections using DevTools' Networking tab, to see which requests are erroring out.
-
 ### Docker loopback networking issues

 Some distros do not allow Docker containers to connect to its host's public IP by default. This would cause `lk-jwt-service` to fail connecting to `livekit` or `continuwuity` on the same host. As a result, you would see connection refused/connection timeouts log entries in the JWT service, even when `LIVEKIT_URL` has been configured correctly.

-You can also test that this is the case by cURLing from a sidecar container:
-
-```bash
-docker run --rm --net container:lk-jwt-service docker.io/curlimages/curl https://livekit.example.com
-# --- some errors ---
-```
-
 To alleviate this, you can try one of the following workarounds:

 - Use `network_mode: host` for the `lk-jwt-service` container (instead of the default bridge networking).

- Add an `extra_hosts` file mapping livekit's (and continuwuity's) domain name to a locally-reachable address:
+- Add an `extra_hosts` file mapping livekit's (and continuwuity's) domain name to a localhost address:

    ```diff
    # in docker-compose.yaml
@@ -369,7 +332,12 @@ To alleviate this, you can try one of the following workarounds:

 - (**untested, use at your own risk**) Implement an iptables workaround as shown [here](https://forums.docker.com/t/unable-to-connect-to-host-service-from-inside-docker-container/145749/6).

-After implementing the changes and restarting your compose, `lk-jwt-service` should now connect to your other services. The sidecar container test above should now return an `OK` from LiveKit.
+After implementing the changes and restarting your compose, you can test whether the connection works by cURLing from a sidecar container:
+
+```bash
+~$ docker run --rm --net container:lk-jwt-service docker.io/curlimages/curl https://livekit.example.com
+OK
+```

 ### Workaround for non-federating servers

@@ -395,8 +363,8 @@ Guides:

 Specifications:

- [MSC4143 - MatrixRTC proposal](https://github.com/matrix-org/matrix-spec-proposals/pull/4143)
- [MSC4195 - LiveKit proposal](https://github.com/matrix-org/matrix-spec-proposals/pull/4195)
+- [MatrixRTC proposal](https://github.com/matrix-org/matrix-spec-proposals/pull/4143)
+- [LiveKit proposal](https://github.com/matrix-org/matrix-spec-proposals/pull/4195)

 Source code:

@@ -2,90 +2,66 @@

 This chapter describes various ways to configure Continuwuity.

-## Configuration file
+## Basics

-Continuwuity uses a TOML config file for all of its settings. This is the recommended way to configure Continuwuity. Please refer to the [example config file](./reference/config.mdx) for all of these settings.
+Continuwuity uses a config file for the majority of the settings, but also supports
+setting individual config options via commandline.

-You can specify the config file to be used by Continuwuity with the command-line flag `-c` or `--config`:
+Please refer to the [example config
+file](./reference/config.mdx) for all of those
+settings.

-```bash
-./conduwuit -c /path/to/continuwuity.toml
-```
+The config file to use can be specified on the commandline when running
+Continuwuity by specifying the `-c`, `--config` flag. Alternatively, you can use
+the environment variable `CONTINUWUITY_CONFIG` to specify the config file to be
+used; see [the section on environment variables](#environment-variables) for
+more information.

-Alternatively, you can use the environment variable `CONTINUWUITY_CONFIG` to specify the config file to be used; see [the section on environment variables](#environment-variables) for more information.
+## Option commandline flag

-## Environment variables
-
-All of the options in the config file can also be specified by using environment variables. This is ideal for containerised deployments and infrastructure-as-code scenarios.
-
-The environment variable names are represented in all caps and prefixed with `CONTINUWUITY_`. They are mapped to config options in the ways demonstrated below:
-
-```bash
-# Top-level options (those inside the [global] section) are simply capitalised
-CONTINUWUITY_SERVER_NAME="matrix.example.com"
-CONTINUWUITY_PORT="8008"
-CONTINUWUITY_DATABASE_PATH="/var/lib/continuwuity"
-
-# Nested config sections use double underscores `__`
-
-# This maps to the `server` field of the [global.well_known] section in TOML
-CONTINUWUITY_WELL_KNOWN__SERVER="example.com:443"
-
-# This maps to the `base_url` field of the `[global.antispam.draupnir]` section in TOML
-CONTINUWUITY_ANTISPAM__DRAUPNIR__BASE_URL="https://draupnir.example.com"
-
-# Alternatively, you can pass a (quoted) struct to define an entire section
-# This maps to the [global.well_known] section
-CONTINUWUITY_WELL_KNOWN="{ client=https://example.com,server=example.com:443 }"
-```
-
-### Alternative prefixes
-
-For backwards compatibility, Continuwuity also supports the following environment variable prefixes, in order of descending priority:
-
- `CONDUWUIT_*` (compatibility)
- `CONDUIT_*` (legacy)
-
-As an example, the environment variable `CONTINUWUITY_CONFIG` can also be expressed as `CONDUWUIT_CONFIG` or `CONDUIT_CONFIG`.
-
-## Option command-line flag
-
-Continuwuity also supports setting individual config options in TOML format from the `-O` / `--option` flag. For example, you can set your server name via `-O server_name=\"example.com\"`.
-
-Note that the config is parsed as TOML, and shells like `bash` will remove quotes. Therefore, if the config option is a string, quote escapes must be properly handled. If the config option is a number or a boolean, this does not apply.
+Continuwuity supports setting individual config options in TOML format from the
+`-O` / `--option` flag. For example, you can set your server name via `-O
+server_name=\"example.com\"`.

+Note that the config is parsed as TOML, and shells like bash will remove quotes.
+So unfortunately it is required to escape quotes if the config option takes a
+string. This does not apply to options that take booleans or numbers:
 - `--option allow_registration=true` works ✅
 - `-O max_request_size=99999999` works ✅
 - `-O server_name=example.com` does not work ❌
 - `--option log=\"debug\"` works ✅
 - `--option server_name='"example.com'"` works ✅

-## Order of priority
+## Execute commandline flag

-The above configuration methods are prioritised, in descending order, as below:
+Continuwuity supports running admin commands on startup using the commandline
+argument `--execute`. The most notable use for this is to create an admin user
+on first startup.

- Command-line `-o`/`--option` flags
- Environment variables
-    - `CONTINUWUITY_*` variables
-    - `CONDUWUIT_*` variables
-    - `CONDUIT_*` variables
- Config file
+The syntax of this is a standard admin command without the prefix such as
+`./conduwuit --execute "users create_user june"`

-Therefore, you can use environment variables or the options flags to override values in the config file.
-
---
-
-## Executing startup commands
-
-Continuwuity supports running admin commands on startup using the command-line flag `--execute`. This is treated as a standard admin command, without the need for the `!admin` prefix. For example, to create a new user:
-
-```bash
-# Equivalent to `!admin users create_user june`
-./conduwuit --execute "users create_user june"
+An example output of a success is:
+```
 INFO conduwuit_service::admin::startup: Startup command #0 completed:
 Created user with user_id: @june:girlboss.ceo and password: `<redacted>`
 ```

-Alternatively, you can configure `CONTINUWUITY_ADMIN_EXECUTE` or the config file value `admin_execute` with a list of commands.
+This commandline argument can be paired with the `--option` flag.

-This command-line argument can be paired with the `--option` flag.
+## Environment variables
+
+All of the settings that are found in the config file can be specified by using
+environment variables. The environment variable names should be all caps and
+prefixed with `CONTINUWUITY_`.
+
+For example, if the setting you are changing is `max_request_size`, then the
+environment variable to set is `CONTINUWUITY_MAX_REQUEST_SIZE`.
+
+To modify config options not in the `[global]` context such as
+`[global.well_known]`, use the `__` suffix split:
+`CONTINUWUITY_WELL_KNOWN__SERVER`
+
+Conduit and conduwuit's environment variables are also supported for backwards
+compatibility, via the `CONDUIT_` and `CONDUWUIT_` prefixes respectively (e.g.
+`CONDUIT_SERVER_NAME`).
@@ -34,11 +34,6 @@
        "name": "kubernetes",
        "label": "Kubernetes"
    },
-    {
-        "type": "file",
-        "name": "nomad",
-        "label": "Nomad"
-    },
    {
        "type": "file",
        "name": "freebsd",
@@ -0,0 +1,76 @@
+# Continuwuity - Behind Traefik Reverse Proxy
+
+services:
+  homeserver:
+    ### If you already built the continuwuity image with 'docker build' or want to use the Docker Hub image,
+    ### then you are ready to go.
+    image: forgejo.ellis.link/continuwuation/continuwuity:latest
+    restart: unless-stopped
+    command: /sbin/conduwuit
+    volumes:
+      - db:/var/lib/continuwuity
+      #- ./continuwuity.toml:/etc/continuwuity.toml
+    networks:
+      - proxy
+    labels:
+      - "traefik.enable=true"
+      - "traefik.http.routers.continuwuity.rule=(Host(`matrix.example.com`) || (Host(`example.com`) && PathPrefix(`/.well-known/matrix`)))"
+      - "traefik.http.routers.continuwuity.entrypoints=websecure" # your HTTPS entry point
+      - "traefik.http.routers.continuwuity.tls=true"
+      - "traefik.http.routers.continuwuity.service=continuwuity"
+      - "traefik.http.services.continuwuity.loadbalancer.server.port=6167"
+      # possibly, depending on your config:
+      # - "traefik.http.routers.continuwuity.tls.certresolver=letsencrypt"
+    environment:
+      CONTINUWUITY_SERVER_NAME: your.server.name.example # EDIT THIS
+      CONTINUWUITY_DATABASE_PATH: /var/lib/continuwuity
+      CONTINUWUITY_PORT: 6167 # should match the loadbalancer traefik label
+      CONTINUWUITY_MAX_REQUEST_SIZE: 20000000 # in bytes, ~20 MB
+      CONTINUWUITY_ALLOW_REGISTRATION: 'true'
+      CONTINUWUITY_REGISTRATION_TOKEN: 'YOUR_TOKEN' # A registration token is required when registration is allowed.
+      #CONTINUWUITY_YES_I_AM_VERY_VERY_SURE_I_WANT_AN_OPEN_REGISTRATION_SERVER_PRONE_TO_ABUSE: 'true'
+      CONTINUWUITY_ALLOW_FEDERATION: 'true'
+      CONTINUWUITY_ALLOW_CHECK_FOR_UPDATES: 'true'
+      CONTINUWUITY_TRUSTED_SERVERS: '["matrix.org"]'
+      #CONTINUWUITY_LOG: warn,state_res=warn
+      CONTINUWUITY_ADDRESS: 0.0.0.0
+      #CONTINUWUITY_CONFIG: '/etc/continuwuity.toml' # Uncomment if you mapped config toml above
+
+      # We need some way to serve the client and server .well-known json. The simplest way is via the CONTINUWUITY_WELL_KNOWN
+      # variable / config option, there are multiple ways to do this, e.g. in the continuwuity.toml file, and in a separate
+      # see the override file for more information about delegation
+      CONTINUWUITY_WELL_KNOWN: |
+        {
+        client=https://your.server.name.example,
+        server=your.server.name.example:443
+        }
+    #cpuset: "0-4" # Uncomment to limit to specific CPU cores
+    ulimits: # Continuwuity uses quite a few file descriptors, and on some systems it defaults to 1024, so you can tell docker to increase it
+      nofile:
+        soft: 1048567
+        hard: 1048567
+
+    ### Uncomment if you want to use your own Element-Web App.
+    ### Note: You need to provide a config.json for Element and you also need a second
+    ###       Domain or Subdomain for the communication between Element and Continuwuity
+    ### Config-Docs: https://github.com/vector-im/element-web/blob/develop/docs/config.md
+    # element-web:
+    #     image: vectorim/element-web:latest
+    #     restart: unless-stopped
+    #     volumes:
+    #         - ./element_config.json:/app/config.json
+    #     networks:
+    #         - proxy
+    #     depends_on:
+    #         - homeserver
+
+volumes:
+  db:
+
+networks:
+  # This is the network Traefik listens to, if your network has a different
+  # name, don't forget to change it here and in the docker-compose.override.yml
+  proxy:
+    external: true
+
+# vim: ts=2:sw=2:expandtab
@@ -0,0 +1,36 @@
+# Continuwuity - Traefik Reverse Proxy Labels
+
+services:
+  homeserver:
+    labels:
+      - "traefik.enable=true"
+      - "traefik.docker.network=proxy"  # Change this to the name of your Traefik docker proxy network
+
+      - "traefik.http.routers.to-continuwuity.rule=Host(`<SUBDOMAIN>.<DOMAIN>`)"  # Change to the address on which Continuwuity is hosted
+      - "traefik.http.routers.to-continuwuity.tls=true"
+      - "traefik.http.routers.to-continuwuity.tls.certresolver=letsencrypt"
+      - "traefik.http.routers.to-continuwuity.middlewares=cors-headers@docker"
+      - "traefik.http.services.to_continuwuity.loadbalancer.server.port=6167"
+
+      - "traefik.http.middlewares.cors-headers.headers.accessControlAllowOriginList=*"
+      - "traefik.http.middlewares.cors-headers.headers.accessControlAllowHeaders=Origin, X-Requested-With, Content-Type, Accept, Authorization"
+      - "traefik.http.middlewares.cors-headers.headers.accessControlAllowMethods=GET, POST, PUT, DELETE, OPTIONS"
+
+      # If you want to have your account on <DOMAIN>, but host Continuwuity on a subdomain,
+      # you can let it only handle the well known file on that domain instead
+      #- "traefik.http.routers.to-matrix-wellknown.rule=Host(`<DOMAIN>`) && PathPrefix(`/.well-known/matrix`)"
+      #- "traefik.http.routers.to-matrix-wellknown.tls=true"
+      #- "traefik.http.routers.to-matrix-wellknown.tls.certresolver=letsencrypt"
+      #- "traefik.http.routers.to-matrix-wellknown.middlewares=cors-headers@docker"
+
+  ### Uncomment this if you uncommented Element-Web App in the docker-compose.yml
+  # element-web:
+  #     labels:
+  #         - "traefik.enable=true"
+  #         - "traefik.docker.network=proxy"  # Change this to the name of your Traefik docker proxy network
+
+  #         - "traefik.http.routers.to-element-web.rule=Host(`<SUBDOMAIN>.<DOMAIN>`)"  # Change to the address on which Element-Web is hosted
+  #         - "traefik.http.routers.to-element-web.tls=true"
+  #         - "traefik.http.routers.to-element-web.tls.certresolver=letsencrypt"
+
+# vim: ts=2:sw=2:expandtab
@@ -0,0 +1,60 @@
+services:
+    caddy:
+    # This compose file uses caddy-docker-proxy as the reverse proxy for Continuwuity!
+    # For more info, visit https://github.com/lucaslorentz/caddy-docker-proxy
+        image: lucaslorentz/caddy-docker-proxy:ci-alpine
+        ports:
+            - 80:80
+            - 443:443
+        environment:
+            - CADDY_INGRESS_NETWORKS=caddy
+        networks:
+            - caddy
+        volumes:
+            - /var/run/docker.sock:/var/run/docker.sock
+            - ./data:/data
+        restart: unless-stopped
+        labels:
+            caddy: example.com
+            caddy.reverse_proxy: /.well-known/matrix/* homeserver:6167
+
+    homeserver:
+        ### If you already built the Continuwuity image with 'docker build' or want to use a registry image,
+        ### then you are ready to go.
+        image: forgejo.ellis.link/continuwuation/continuwuity:latest
+        restart: unless-stopped
+        command: /sbin/conduwuit
+        volumes:
+            - db:/var/lib/continuwuity
+            - /etc/resolv.conf:/etc/resolv.conf:ro # Use the host's DNS resolver rather than Docker's.
+            #- ./continuwuity.toml:/etc/continuwuity.toml
+        environment:
+            CONTINUWUITY_SERVER_NAME: example.com # EDIT THIS
+            CONTINUWUITY_DATABASE_PATH: /var/lib/continuwuity
+            CONTINUWUITY_PORT: 6167
+            CONTINUWUITY_MAX_REQUEST_SIZE: 20000000 # in bytes, ~20 MB
+            CONTINUWUITY_ALLOW_REGISTRATION: 'true'
+            CONTINUWUITY_REGISTRATION_TOKEN: 'YOUR_TOKEN' # A registration token is required when registration is allowed.
+            #CONTINUWUITY_YES_I_AM_VERY_VERY_SURE_I_WANT_AN_OPEN_REGISTRATION_SERVER_PRONE_TO_ABUSE: 'true'
+            CONTINUWUITY_ALLOW_FEDERATION: 'true'
+            CONTINUWUITY_ALLOW_CHECK_FOR_UPDATES: 'true'
+            CONTINUWUITY_TRUSTED_SERVERS: '["matrix.org"]'
+            #CONTINUWUITY_LOG: warn,state_res=warn
+            CONTINUWUITY_ADDRESS: 0.0.0.0
+            #CONTINUWUITY_CONFIG: '/etc/continuwuity.toml' # Uncomment if you mapped config toml above
+
+            # Required for .well-known delegation - edit these according to your chosen domain
+            CONTINUWUITY_WELL_KNOWN__CLIENT: https://matrix.example.com
+            CONTINUWUITY_WELL_KNOWN__SERVER: matrix.example.com:443
+        networks:
+            - caddy
+        labels:
+            caddy: matrix.example.com
+            caddy.reverse_proxy: "{{upstreams 6167}}"
+
+volumes:
+    db:
+
+networks:
+    caddy:
+        external: true
@@ -0,0 +1,160 @@
+# Continuwuity - Behind Traefik Reverse Proxy
+
+services:
+  homeserver:
+    ### If you already built the Continuwuity image with 'docker build' or want to use the Docker Hub image,
+    ### then you are ready to go.
+    image: forgejo.ellis.link/continuwuation/continuwuity:latest
+    restart: unless-stopped
+    command: /sbin/conduwuit
+    volumes:
+      - db:/var/lib/continuwuity
+      - /etc/resolv.conf:/etc/resolv.conf:ro # Use the host's DNS resolver rather than Docker's.
+      #- ./continuwuity.toml:/etc/continuwuity.toml
+    networks:
+      - proxy
+    labels:
+      - "traefik.enable=true"
+      - "traefik.http.routers.continuwuity.rule=(Host(`matrix.example.com`) || (Host(`example.com`) && PathPrefix(`/.well-known/matrix`)))"
+      - "traefik.http.routers.continuwuity.entrypoints=websecure"
+      - "traefik.http.routers.continuwuity.tls.certresolver=letsencrypt"
+      - "traefik.http.services.continuwuity.loadbalancer.server.port=6167"
+      # Uncomment and adjust the following if you want to use middleware
+      # - "traefik.http.routers.continuwuity.middlewares=secureHeaders@file"
+    environment:
+      CONTINUWUITY_SERVER_NAME: your.server.name.example # EDIT THIS
+      CONTINUWUITY_TRUSTED_SERVERS: '["matrix.org"]'
+      CONTINUWUITY_ALLOW_REGISTRATION: 'false' # After setting a secure registration token, you can enable this
+      CONTINUWUITY_REGISTRATION_TOKEN: "" # This is a token you can use to register on the server
+      #CONTINUWUITY_REGISTRATION_TOKEN_FILE: "" # Alternatively you can configure a path to a token file to read
+      CONTINUWUITY_ADDRESS: 0.0.0.0
+      CONTINUWUITY_PORT: 6167 # you need to match this with the traefik load balancer label if you're want to change it
+      CONTINUWUITY_DATABASE_PATH: /var/lib/continuwuity
+      #CONTINUWUITY_CONFIG: '/etc/continuwuity.toml' # Uncomment if you mapped config toml above
+      ### Uncomment and change values as desired, note that Continuwuity has plenty of config options, so you should check out the example example config too
+      # Available levels are: error, warn, info, debug, trace - more info at: https://docs.rs/env_logger/*/env_logger/#enabling-logging
+      # CONTINUWUITY_LOG: info  # default is: "warn,state_res=warn"
+      # CONTINUWUITY_ALLOW_ENCRYPTION: 'true'
+      # CONTINUWUITY_ALLOW_FEDERATION: 'true'
+      # CONTINUWUITY_ALLOW_CHECK_FOR_UPDATES: 'true'
+      # CONTINUWUITY_ALLOW_INCOMING_PRESENCE: true
+      # CONTINUWUITY_ALLOW_OUTGOING_PRESENCE: true
+      # CONTINUWUITY_ALLOW_LOCAL_PRESENCE: true
+      # CONTINUWUITY_WORKERS: 10
+      # CONTINUWUITY_MAX_REQUEST_SIZE: 20000000  # in bytes, ~20 MB
+      # CONTINUWUITY_NEW_USER_DISPLAYNAME_SUFFIX = "🏳<200d>⚧"
+
+      # We need some way to serve the client and server .well-known json. The simplest way is via the CONTINUWUITY_WELL_KNOWN
+      # variable / config option, there are multiple ways to do this, e.g. in the continuwuity.toml file, and in a separate
+      # reverse proxy, but since you do not have a reverse proxy and following this guide, this example is included
+      CONTINUWUITY_WELL_KNOWN: |
+        {
+          client=https://your.server.name.example,
+          server=your.server.name.example:443
+        }
+    #cpuset: "0-4" # Uncomment to limit to specific CPU cores
+    ulimits: # Continuwuity uses quite a few file descriptors, and on some systems it defaults to 1024, so you can tell docker to increase it
+      nofile:
+        soft: 1048567
+        hard: 1048567
+
+    ### Uncomment if you want to use your own Element-Web App.
+    ### Note: You need to provide a config.json for Element and you also need a second
+    ###       Domain or Subdomain for the communication between Element and Continuwuity
+    ### Config-Docs: https://github.com/vector-im/element-web/blob/develop/docs/config.md
+    # element-web:
+    #     image: vectorim/element-web:latest
+    #     restart: unless-stopped
+    #     volumes:
+    #         - ./element_config.json:/app/config.json
+    #     networks:
+    #         - proxy
+    #     depends_on:
+    #         - homeserver
+
+  traefik:
+    image: "traefik:latest"
+    container_name: "traefik"
+    restart: "unless-stopped"
+    ports:
+      - "80:80"
+      - "443:443"
+    volumes:
+      - "/var/run/docker.sock:/var/run/docker.sock:z"
+      - "acme:/etc/traefik/acme"
+      #- "./traefik_config:/etc/traefik:z"
+    labels:
+      - "traefik.enable=true"
+
+      # middleware redirect
+      - "traefik.http.middlewares.redirect-to-https.redirectscheme.scheme=https"
+      # global redirect to https
+      - "traefik.http.routers.redirs.rule=hostregexp(`{host:.+}`)"
+      - "traefik.http.routers.redirs.entrypoints=web"
+      - "traefik.http.routers.redirs.middlewares=redirect-to-https"
+
+    configs:
+      - source: dynamic.yml
+        target: /etc/traefik/dynamic.yml
+
+    environment:
+      TRAEFIK_LOG_LEVEL: DEBUG
+      TRAEFIK_ENTRYPOINTS_WEB: true
+      TRAEFIK_ENTRYPOINTS_WEB_ADDRESS: ":80"
+      TRAEFIK_ENTRYPOINTS_WEB_HTTP_REDIRECTIONS_ENTRYPOINT_TO: websecure
+
+      TRAEFIK_ENTRYPOINTS_WEBSECURE: true
+      TRAEFIK_ENTRYPOINTS_WEBSECURE_ADDRESS: ":443"
+      TRAEFIK_ENTRYPOINTS_WEBSECURE_HTTP_TLS_CERTRESOLVER: letsencrypt
+      #TRAEFIK_ENTRYPOINTS_WEBSECURE_HTTP_MIDDLEWARES: secureHeaders@file # if you want to enabled STS
+
+      TRAEFIK_CERTIFICATESRESOLVERS_LETSENCRYPT: true
+      TRAEFIK_CERTIFICATESRESOLVERS_LETSENCRYPT_ACME_EMAIL: # Set this to the email you want to receive certificate expiration emails for
+      TRAEFIK_CERTIFICATESRESOLVERS_LETSENCRYPT_ACME_KEYTYPE: EC384
+      TRAEFIK_CERTIFICATESRESOLVERS_LETSENCRYPT_ACME_HTTPCHALLENGE: true
+      TRAEFIK_CERTIFICATESRESOLVERS_LETSENCRYPT_ACME_HTTPCHALLENGE_ENTRYPOINT: web
+      TRAEFIK_CERTIFICATESRESOLVERS_LETSENCRYPT_ACME_STORAGE: "/etc/traefik/acme/acme.json"
+
+      # Since Traefik 3.6.3, paths with certain "encoded characters" are now blocked by default; we need a couple, or else things *will* break
+      TRAEFIK_ENTRYPOINTS_WEBSECURE_HTTP_ENCODEDCHARACTERS_ALLOWENCODEDSLASH: true
+      TRAEFIK_ENTRYPOINTS_WEBSECURE_HTTP_ENCODEDCHARACTERS_ALLOWENCODEDHASH: true
+
+      TRAEFIK_PROVIDERS_DOCKER: true
+      TRAEFIK_PROVIDERS_DOCKER_ENDPOINT: "unix:///var/run/docker.sock"
+      TRAEFIK_PROVIDERS_DOCKER_EXPOSEDBYDEFAULT: false
+
+      TRAEFIK_PROVIDERS_FILE: true
+      TRAEFIK_PROVIDERS_FILE_FILENAME: "/etc/traefik/dynamic.yml"
+
+configs:
+  dynamic.yml:
+    content: |
+      # Optionally set STS headers, like in https://hstspreload.org
+      # http:
+      #   middlewares:
+      #     secureHeaders:
+      #       headers:
+      #         forceSTSHeader: true
+      #         stsIncludeSubdomains: true
+      #         stsPreload: true
+      #         stsSeconds: 31536000
+      tls:
+        options:
+          default:
+            cipherSuites:
+              - TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
+              - TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
+              - TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
+              - TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
+              - TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305
+              - TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305
+            minVersion: VersionTLS12
+
+volumes:
+    db:
+    acme:
+
+networks:
+    proxy:
+
+# vim: ts=2:sw=2:expandtab
@@ -0,0 +1,45 @@
+# Continuwuity
+
+services:
+    homeserver:
+        ### If you already built the Continuwuity image with 'docker build' or want to use a registry image,
+        ### then you are ready to go.
+        image: forgejo.ellis.link/continuwuation/continuwuity:latest
+        restart: unless-stopped
+        command: /sbin/conduwuit
+        ports:
+            - 8448:6167
+        volumes:
+            - db:/var/lib/continuwuity
+            #- ./continuwuity.toml:/etc/continuwuity.toml
+        environment:
+            CONTINUWUITY_SERVER_NAME: your.server.name # EDIT THIS
+            CONTINUWUITY_DATABASE_PATH: /var/lib/continuwuity
+            CONTINUWUITY_PORT: 6167
+            CONTINUWUITY_MAX_REQUEST_SIZE: 20000000 # in bytes, ~20 MB
+            CONTINUWUITY_ALLOW_REGISTRATION: 'true'
+            CONTINUWUITY_REGISTRATION_TOKEN: 'YOUR_TOKEN' # A registration token is required when registration is allowed.
+            #CONTINUWUITY_YES_I_AM_VERY_VERY_SURE_I_WANT_AN_OPEN_REGISTRATION_SERVER_PRONE_TO_ABUSE: 'true'
+            CONTINUWUITY_ALLOW_FEDERATION: 'true'
+            CONTINUWUITY_ALLOW_CHECK_FOR_UPDATES: 'true'
+            CONTINUWUITY_TRUSTED_SERVERS: '["matrix.org"]'
+            #CONTINUWUITY_LOG: warn,state_res=warn
+            CONTINUWUITY_ADDRESS: 0.0.0.0
+            #CONTINUWUITY_CONFIG: '/etc/continuwuity.toml' # Uncomment if you mapped config toml above
+    #
+    ### Uncomment if you want to use your own Element-Web App.
+    ### Note: You need to provide a config.json for Element and you also need a second
+    ###       Domain or Subdomain for the communication between Element and Continuwuity
+    ### Config-Docs: https://github.com/vector-im/element-web/blob/develop/docs/config.md
+    # element-web:
+    #     image: vectorim/element-web:latest
+    #     restart: unless-stopped
+    #     ports:
+    #         - 8009:80
+    #     volumes:
+    #         - ./element_config.json:/app/config.json
+    #     depends_on:
+    #         - homeserver
+
+volumes:
+    db:
@@ -1,275 +1,257 @@
 # Continuwuity for Docker

-## Preparation
+## Docker

-### Choose an image
+To run Continuwuity with Docker, you can either build the image yourself or pull
+it from a registry.

-The following OCI images are available for Continuwuity:
+### Use a registry

-| Image                                                                                        | Notes                                                                                                     |
-| ------------------------------------------------------------------------------------------- | --------------------------------------------------------------------------------------------------------- |
-| [https://forgejo.ellis.link/continuwuation/continuwuity:**latest**][latest]                 | Latest tagged release. (recommended)                                                                      |
-| [https://forgejo.ellis.link/continuwuation/continuwuity:**main**][main]                     | Latest `main` branch commit.                                                                              |
-| [https://forgejo.ellis.link/continuwuation/continuwuity:**latest-maxperf**][latest-maxperf] | Latest tagged release, [performance optimised version](./generic.mdx#performance-optimised-builds).       |
-| [https://forgejo.ellis.link/continuwuation/continuwuity:**main-maxperf**][main-maxperf]     | Latest `main` branch commit, [performance optimised version](./generic.mdx#performance-optimised-builds). |
+Available OCI images:

-[latest]: https://forgejo.ellis.link/continuwuation/-/packages/container/continuwuity/latest
-[main]: https://forgejo.ellis.link/continuwuation/-/packages/container/continuwuity/main
-[latest-maxperf]: https://forgejo.ellis.link/continuwuation/-/packages/container/continuwuity/latest-maxperf
-[main-maxperf]: https://forgejo.ellis.link/continuwuation/-/packages/container/continuwuity/main-maxperf
+| Registry         | Image                                                                                                                                                       | Notes                                                                        |
+| ---------------- | ----------------------------------------------------------------------------------------------------------------------------------------------------------- | ---------------------------------------------------------------------------- |
+| Forgejo Registry | [forgejo.ellis.link/continuwuation/continuwuity:latest](https://forgejo.ellis.link/continuwuation/-/packages/container/continuwuity/latest)                 | Latest tagged image.                                                         |
+| Forgejo Registry | [forgejo.ellis.link/continuwuation/continuwuity:main](https://forgejo.ellis.link/continuwuation/-/packages/container/continuwuity/main)                     | Main branch image.                                                           |
+| Forgejo Registry | [forgejo.ellis.link/continuwuation/continuwuity:latest-maxperf](https://forgejo.ellis.link/continuwuation/-/packages/container/continuwuity/latest-maxperf) | [Performance optimised version.](./generic.mdx#performance-optimised-builds) |
+| Forgejo Registry | [forgejo.ellis.link/continuwuation/continuwuity:main-maxperf](https://forgejo.ellis.link/continuwuation/-/packages/container/continuwuity/main-maxperf)     | [Performance optimised version.](./generic.mdx#performance-optimised-builds) |

-If you want a specific version or commit hash, you can browse for them [here][oci-all-versions].
+**Example:**

-Images are also mirrored to these locations automatically, on a schedule:
-
- `ghcr.io/continuwuity/continuwuity` ([Github Registry][ghcr-io])
- `docker.io/jadedblueeyes/continuwuity` ([Docker Hub][docker-hub])
- `registry.gitlab.com/continuwuity/continuwuity` ([Gitlab Registry][gitlab-registry])
- `git.nexy7574.co.uk/mirrored/continuwuity` ([Nexy's forge][nexy-forge]. Releases only, no `main` tags)
-
-[oci-all-versions]: https://forgejo.ellis.link/continuwuation/-/packages/container/continuwuity/versions
-[ghcr-io]: https://github.com/continuwuity/continuwuity/pkgs/container/continuwuity/versions?filters%5Bversion_type%5D=tagged
-[docker-hub]: https://hub.docker.com/r/jadedblueeyes/continuwuity/
-[gitlab-registry]: https://gitlab.com/continuwuity/continuwuity/container_registry/8871720
-[nexy-forge]: https://git.nexy7574.co.uk/mirrored/-/packages/container/continuwuity/versions
-
-### Prerequisites
-
-Continuwuity requires HTTPS for Matrix federation. You'll need:
-
- A domain name pointing to your server's IP address - we will be using `example.com` in this guide.
- A reverse proxy with SSL/TLS certificates (Traefik, Caddy, nginx, etc.) - see [Docker Compose](#docker-compose) for complete examples.
- Port `:443` (for Client-Server traffic) and `:8448` (for federation traffic) opened on your server's firewall.
-
-    - Alternatively, if you want both client and federation traffic on `:443`, you can configure `CONTINUWUITY_WELL_KNOWN` following some of the [examples](#choose-your-reverse-proxy) below.
-
-:::tip Split-domain setups
-For more setups with `.well-known` delegation and split-domain deployments, consult the [Delegation/Split-domain](../advanced/delegation) page.
-:::
-
-## Docker Compose
-
-Docker Compose is the recommended deployment method for Continuwuity containers. The following environment variables will be set:
-
- `CONTINUWUITY_SERVER_NAME` - Your Matrix server's domain name. **This CANNOT be changed later without a data wipe.**
- `CONTINUWUITY_DATABASE_PATH` - Where to store your database. This must match the docker volume mount.
- `CONTINUWUITY_ADDRESS` - Bind address (for Docker, use `0.0.0.0` to listen on all interfaces).
-
-Alternatively, you can specify a path to mount the configuration file using the `CONTINUWUITY_CONFIG` environment variable.
-
-See the [reference configuration](../reference/config) page for all config options, and the [Configuration page](../configuration#environment-variables) on how to convert them into Environment Variables.
-
-### Choose Your Reverse Proxy
-
-These examples include reverse proxy configurations for Matrix federation, which will route your Matrix domain (and optionally .well-known paths) to Continuwuity.
-
-:::note Docker DNS Performance
-Docker's default DNS resolver are known to [cause timeout issues](../troubleshooting#dns-issues) for Matrix federation. To bypass it and use a more performant resolver, mount a custom `/etc/resolv.conf` config file into the Continuwuity container.
-
-```yaml title='docker-compose.yml'
-services:
-  homeserver:
-    # ...
-    volumes:
-      - ./continuwuity-resolv.conf:/etc/resolv.conf
+```bash
+docker image pull forgejo.ellis.link/continuwuation/continuwuity:main-maxperf
 ```

-```txt title='continuwuity-resolv.conf'
-nameserver 1.0.0.1
-nameserver 1.1.1.1
-```
+#### Mirrors

-Consult the [**DNS tuning guide (recommended)**](../advanced/dns.mdx) for full solutions to this issue.
-:::
+Images are mirrored to multiple locations automatically, on a schedule:

-#### Caddy (using Caddyfile)
+- `ghcr.io/continuwuity/continuwuity`
+- `docker.io/jadedblueeyes/continuwuity`
+- `registry.gitlab.com/continuwuity/continuwuity`
+- `git.nexy7574.co.uk/mirrored/continuwuity` (releases only, no `main`)

-<details>
-<summary>docker-compose.with-caddy.yml ([view raw](/deploying/docker-compose.with-caddy.yml))</summary>
-
-```yaml file="../public/deploying/docker-compose.with-caddy.yml"
-
-```
-
-</details>
-
-#### Caddy (using labels)
-
-<details>
-<summary>docker-compose.with-caddy-labels.yml ([view raw](/deploying/docker-compose.with-caddy-labels.yml))</summary>
-
-```yaml file="../public/deploying/docker-compose.with-caddy-labels.yml"
-
-```
-
-</details>
-
-#### Traefik (for existing setup)
-
-<details>
-<summary>docker-compose.for-traefik.yml ([view raw](/deploying/docker-compose.for-traefik.yml))</summary>
-
-```yaml file="../public/deploying/docker-compose.for-traefik.yml"
-
-```
-
-</details>
-
-#### Traefik included
-
-<details>
-<summary>docker-compose.with-traefik.yml ([view raw](/deploying/docker-compose.with-traefik.yml))</summary>
-
-```yaml file="../public/deploying/docker-compose.with-traefik.yml"
-
-```
-
-</details>
-
-#### Traefik (as override file)
-
-<details>
-<summary>docker-compose.override.yml ([view raw](/deploying/docker-compose.override.yml))</summary>
-
-```yaml file="../public/deploying/docker-compose.override.yml"
-
-```
-
-</details>
-
-#### For other reverse proxies
-
-<details>
-<summary>docker-compose.yml ([view raw](/deploying/docker-compose.yml))</summary>
-
-```yaml file="../public/deploying/docker-compose.yml"
-
-```
-
-</details>
-
-See the [Other reverse proxies](generic.mdx#setting-up-the-reverse-proxy) section of the Generic page for further routing details.
-
-### Starting Your Server
-
-1. Choose your compose file from the above, and rename it to `docker-compose.yml`. Replace `example.com` with your homeserver's domain name, and edit other values as you see fit.
-2. If using the override file, rename it to `docker-compose.override.yml` and
-   edit your values.
-3. Start the server:
-
-    ```bash
-    docker compose up -d
-    ```
-
-4. Check your server logs for a registration token:
-
-    ```bash
-    docker-compose logs continuwuity 2>&1
-    ```
-
-    You'll see output as below.
-
-    ```
-    In order to use your new homeserver, you need to create its
-    first user account.
-    Open your Matrix client of choice and register an account
-    on example.com using registration token x5keUZ811RqvLsNa .
-    Pick your own username and password!
-    ```
-
-5. Log in to your server with any Matrix client, and register for an account with the registration token from step 4. You'll automatically be invited to the admin room where you can [manage your server](../reference/admin).
-
-See the [generic deployment guide](generic.mdx) for more deployment options.
-
-## Testing
-
-Test that your setup works by following these [instructions](./generic.mdx#how-do-i-know-it-works)
-
-Check your container logs using `docker-compose logs --follow` to debug any issues. See the [Troubleshooting](../troubleshooting.mdx) page for common errors and how to fix them.
-
-## Other deployment methods
-
-### Docker - Quick Run
-
-:::warning For testing only
-The instructions below are only meant for a quick demo of Continuwuity with **federation disabled**.
-For production deployment, we recommend using [Docker Compose](#docker-compose).
-:::
+### Quick Run

 Get a working Continuwuity server with an admin user in four steps:

-1. Pull the image
+#### Prerequisites

-    ```bash
-    docker pull forgejo.ellis.link/continuwuation/continuwuity:latest
-    ```
+Continuwuity requires HTTPS for Matrix federation. You'll need:

-2. Start the server for the first time. Replace `example.com` with your actual server name.
+- A domain name pointing to your server
+- A reverse proxy with SSL/TLS certificates (Traefik, Caddy, nginx, etc.)

-    ```bash
-    docker run -d \
-      -p 8008:8008 \
-      -v continuwuity_db:/var/lib/continuwuity \
-      -e CONTINUWUITY_SERVER_NAME="example.com" \
-      -e CONTINUWUITY_DATABASE_PATH="/var/lib/continuwuity" \
-      -e CONTINUWUITY_ADDRESS="0.0.0.0" \
-      -e CONTINUWUITY_ALLOW_FEDERATION="false" \
-      --name continuwuity \
-      forgejo.ellis.link/continuwuation/continuwuity:latest \
-      /sbin/conduwuit
-    ```
+See [Docker Compose](#docker-compose) for complete examples.

-3. Fetch the one-time initial registration token
+#### Environment Variables

-    ```bash
-    docker logs continuwuity 2>&1
-    ```
+- `CONTINUWUITY_SERVER_NAME` - Your Matrix server's domain name
+- `CONTINUWUITY_DATABASE_PATH` - Where to store your database (must match the
+  volume mount)
+- `CONTINUWUITY_ADDRESS` - Bind address (use `0.0.0.0` to listen on all
+  interfaces)
+- `CONTINUWUITY_ALLOW_REGISTRATION` - Set to `false` to disable registration, or
+  use with `CONTINUWUITY_REGISTRATION_TOKEN` to require a token (see
+  [reference](../reference/environment-variables.mdx#registration--user-configuration)
+  for details)

-    You'll see output as below.
+See the
+[Environment Variables Reference](../reference/environment-variables.mdx) for
+more configuration options.

-    ```
-    In order to use your new homeserver, you need to create its
-    first user account.
-    Open your Matrix client of choice and register an account
-    on example.com using registration token x5keUZ811RqvLsNa .
-    Pick your own username and password!
-    ```
+#### 1. Pull the image

-4. Configure your reverse proxy to forward HTTPS traffic to Continuwuity at port 8008. See [Docker Compose](#docker-compose) or the [Generic instructions](./generic.mdx#setting-up-the-reverse-proxy) for examples.
+```bash
+docker pull forgejo.ellis.link/continuwuation/continuwuity:latest
+```

-Once configured, log in to your server with any Matrix client, and register for an account with the registration token from step 3. If you did not configure step 4., log in via the `http://<your_server_ip>:8008` address. You will be automatically invited to the admin room where you can [manage your server](../reference/admin).
+#### 2. Start the server with initial admin user

-### (Optional) Building Custom Images
+```bash
+docker run -d \
+  -p 6167:6167 \
+  -v continuwuity_db:/var/lib/continuwuity \
+  -e CONTINUWUITY_SERVER_NAME="matrix.example.com" \
+  -e CONTINUWUITY_DATABASE_PATH="/var/lib/continuwuity" \
+  -e CONTINUWUITY_ADDRESS="0.0.0.0" \
+  -e CONTINUWUITY_ALLOW_REGISTRATION="false" \
+  --name continuwuity \
+  forgejo.ellis.link/continuwuation/continuwuity:latest \
+  /sbin/conduwuit --execute "users create-user admin"
+```
+
+Replace `matrix.example.com` with your actual server name and `admin` with
+your preferred username.
+
+#### 3. Get your admin password
+
+```bash
+docker logs continuwuity 2>&1 | grep "Created user"
+```
+
+You'll see output like:
+
+```
+Created user with user_id: @admin:matrix.example.com and password: `[auto-generated-password]`
+```
+
+#### 4. Configure your reverse proxy
+
+Configure your reverse proxy to forward HTTPS traffic to Continuwuity. See
+[Docker Compose](#docker-compose) for examples.
+
+Once configured, log in with any Matrix client using `@admin:matrix.example.com`
+and the generated password. You'll automatically be invited to the admin room
+where you can manage your server.
+
+### Docker Compose
+
+Docker Compose is the recommended deployment method. These examples include
+reverse proxy configurations for Matrix federation.
+
+#### Matrix Federation Requirements
+
+For Matrix federation to work, you need to serve `.well-known/matrix/client` and
+`.well-known/matrix/server` endpoints. You can achieve this either by:
+
+1. **Using a well-known service** - The compose files below include an nginx
+   container to serve these files
+2. **Using Continuwuity's built-in delegation** (easier for Traefik) - Configure
+   delegation files in your config, then proxy `/.well-known/matrix/*` to
+   Continuwuity
+
+**Traefik example using built-in delegation:**
+
+```yaml
+labels:
+  traefik.http.routers.continuwuity.rule: >-
+    (Host(`matrix.example.com`) ||
+     (Host(`example.com`) && PathPrefix(`/.well-known/matrix`)))
+```
+
+This routes your Matrix domain and well-known paths to Continuwuity.
+
+#### Creating Your First Admin User
+
+Add the `--execute` command to create an admin user on first startup. In your
+compose file, add under the `continuwuity` service:
+
+```yaml
+services:
+    continuwuity:
+        image: forgejo.ellis.link/continuwuation/continuwuity:latest
+        command: /sbin/conduwuit --execute "users create-user admin"
+        # ... rest of configuration
+```
+
+Then retrieve the auto-generated password:
+
+```bash
+docker compose logs continuwuity | grep "Created user"
+```
+
+#### Choose Your Reverse Proxy
+
+Select the compose file that matches your setup:
+
+:::note DNS Performance
+Docker's default DNS resolver can cause performance issues with Matrix
+federation. If you experience slow federation or DNS timeouts, you may need to
+use your host's DNS resolver instead. Add this volume mount to the
+`continuwuity` service:
+
+```yaml
+volumes:
+  - /etc/resolv.conf:/etc/resolv.conf:ro
+```
+
+See [Troubleshooting - DNS Issues](../troubleshooting.mdx#potential-dns-issues-when-using-docker)
+for more details and alternative solutions.
+:::
+
+##### For existing Traefik setup
+
+<details>
+<summary>docker-compose.for-traefik.yml</summary>
+
+```yaml file="./docker-compose.for-traefik.yml"
+
+```
+
+</details>
+
+##### With Traefik included
+
+<details>
+<summary>docker-compose.with-traefik.yml</summary>
+
+```yaml file="./docker-compose.with-traefik.yml"
+
+```
+
+</details>
+
+##### With Caddy Docker Proxy
+
+<details>
+<summary>docker-compose.with-caddy.yml</summary>
+
+Replace all `example.com` placeholders with your own domain.
+
+```yaml file="./docker-compose.with-caddy.yml"
+
+```
+
+If you don't already have a network for Caddy to monitor, create one first:
+
+```bash
+docker network create caddy
+```
+
+</details>
+
+##### For other reverse proxies
+
+<details>
+<summary>docker-compose.yml</summary>
+
+```yaml file="./docker-compose.yml"
+
+```
+
+</details>
+
+##### Override file for customisation
+
+<details>
+<summary>docker-compose.override.yml</summary>
+
+```yaml file="./docker-compose.override.yml"
+
+```
+
+</details>
+
+#### Starting Your Server
+
+1. Choose your compose file and rename it to `docker-compose.yml`
+2. If using the override file, rename it to `docker-compose.override.yml` and
+   edit your values
+3. Start the server:
+
+```bash
+docker compose up -d
+```
+
+See the [generic deployment guide](generic.mdx) for more deployment options.
+
+### Building Custom Images

 For information on building your own Continuwuity Docker images, see the
 [Building Docker Images](../development/index.mdx#building-docker-images)
 section in the development documentation.

-### Accessing the Server's Console
+## Voice communication

-Before you can access the server's console and [send admin commands](../reference/admin/index.md) from the CLI, you will need to make the container interactive and allocate a pseudo-tty. Make sure you set `admin_console_automatic` to `true` in [the config](../reference/config.mdx) as well for Continuwuity to activate the CLI on startup.
-
-For Docker Compose deployments this means adding `stdin_open: true` and `tty: true` to the container's declaration:
-
-```yaml
-services:
-    homeserver:
-        stdin_open: true
-        tty: true
-        # ...
-```
-
-If you choose to deploy via `docker run`, add the flags `-i`/`--interactive` and `-t`/`--tty` to the command.
-
-From there you can access the server's console by running `docker attach <container-name>`, which will show the server's prompt `uwu> `. To exit `docker attach`, press `CTRL+p` then `CTRL+q`.
-
-Note that using `CTRL+c` within `docker attach`'s context will forward the signal to the server, stopping it. See [Docker's reference][docker-attach-reference] for more information.
-
-[docker-attach-reference]: https://docs.docker.com/reference/cli/docker/container/attach/
-
-## Next steps
-
- For smooth federation, set up a caching resolver according to the [**DNS tuning guide**](../advanced/dns.mdx) (recommended)
- To set up Audio/Video communication, see the [**Calls**](../calls.mdx) page.
- Consult the [Maintenance](../maintenance.mdx) page for guidance on maintaining your homeserver.
- If you want to set up an appservice, take a look at the [**Appservice Guide**](../appservices.mdx).
+See the [Calls](../calls.mdx) page.
@@ -1,12 +1,10 @@
 # Generic deployment documentation

-:::tip Getting help
-If you run into any problems while setting up Continuwuity, ask us in
-`#continuwuity:continuwuity.org` or [open an issue on
-Forgejo][forgejo-new-issue].
-:::
-
-[forgejo-new-issue]: https://forgejo.ellis.link/continuwuation/continuwuity/issues/new
+> ### Getting help
+>
+> If you run into any problems while setting up Continuwuity, ask us in
+> `#continuwuity:continuwuity.org` or [open an issue on
+> Forgejo](https://forgejo.ellis.link/continuwuation/continuwuity/issues/new).

 ## Installing Continuwuity

@@ -16,17 +14,17 @@ Download the binary for your architecture (x86_64 or aarch64) -
 run the `uname -m` to check which you need.

 Prebuilt binaries are available from:
+- **Tagged releases**: [Latest release page](https://forgejo.ellis.link/continuwuation/continuwuity/releases/latest)
+- **Development builds**: CI artifacts from the `main` branch
+  (includes Debian/Ubuntu packages)

- **Tagged releases**: [see Release page][release-page]
- **Development builds**: CI artifacts from the `main` branch,
-  [see `release-image.yml` for details][release-image]
+When browsing CI artifacts, `ci-bins` contains binaries organised
+by commit hash, while `releases` contains tagged versions. Sort
+by last modified date to find the most recent builds.

 The binaries require jemalloc and io_uring on the host system. Currently
 we can't cross-build static binaries - contributions are welcome here.

-[release-page]: https://forgejo.ellis.link/continuwuation/continuwuity/releases/
-[release-image]: https://forgejo.ellis.link/continuwuation/continuwuity/actions/?workflow=release-image.yml
-
 #### Performance-optimised builds

 For x86_64 systems with CPUs from the last ~15 years, use the
@@ -39,43 +37,37 @@ compatibility and speed.
 If you're using Docker instead, equivalent performance-optimised
 images are available with the `-maxperf` suffix (e.g.
 `forgejo.ellis.link/continuwuation/continuwuity:latest-maxperf`).
-These images use the `release-max-perf` build profile with
-[link-time optimisation (LTO)][lto-rust-docs]
+These images use the `release-max-perf`
+build profile with
+[link-time optimisation (LTO)](https://doc.rust-lang.org/cargo/reference/profiles.html#lto)
 and, for amd64, target the haswell CPU architecture.

-[lto-rust-docs]: https://doc.rust-lang.org/cargo/reference/profiles.html#lto
-
-### Nix
-
-Theres a Nix package defined in our flake, available for Linux and MacOS. Add continuwuity as an input to your flake, and use `inputs.continuwuity.packages.${system}.default` to get a working Continuwuity package.
-
-If you simply wish to generate a binary using Nix, you can run `nix build git+https://forgejo.ellis.link/continuwuation/continuwuity` to generate a binary in `result/bin/conduwuit`.
-
 ### Compiling

 Alternatively, you may compile the binary yourself.

-#### Using Docker
+### Building with the Rust toolchain

-See the [Building Docker Images](../development/index.mdx#building-docker-images)
-section in the development documentation.
+If wanting to build using standard Rust toolchains, make sure you install:

-#### Manual
+- (On linux) `liburing-dev` on the compiling machine, and `liburing` on the target host
+- (On linux) `pkg-config` on the compiling machine to allow finding `liburing`
+- A C++ compiler and (on linux) `libclang` for RocksDB

-##### Dependencies
-
- Run `nix develop` to get a devshell with everything you need
- Or, install the following:
-    - (On linux) `liburing-dev` on the compiling machine, and `liburing` on the target host
-    - (On linux) `pkg-config` on the compiling machine to allow finding `liburing`
-    - A C++ compiler and (on linux) `libclang` for RocksDB
-
-##### Build
-
-You can now build Continuwuity using `cargo build --release`.
+You can build Continuwuity using `cargo build --release`.

 Continuwuity supports various optional features that can be enabled during compilation. Please see the Cargo.toml file for a comprehensive list, or ask in our rooms.

+### Building with Nix
+
+If you prefer, you can use Nix (or [Lix](https://lix.systems)) to build Continuwuity. This provides improved reproducibility and makes it easy to set up a build environment and generate output. This approach also allows for easy cross-compilation.
+
+You can run the `nix build -L .#static-x86_64-linux-musl-all-features` or
+`nix build -L .#static-aarch64-linux-musl-all-features` commands based
+on architecture to cross-compile the necessary static binary located at
+`result/bin/conduwuit`. This is reproducible with the static binaries produced
+in our CI.
+
 ## Adding a Continuwuity user

 While Continuwuity can run as any user, it is better to use dedicated users for
@@ -94,6 +86,27 @@ For distros without `adduser` (or where it's a symlink to `useradd`):
 sudo useradd -r --shell /usr/bin/nologin --no-create-home continuwuity
 ```

+## Forwarding ports in the firewall or the router
+
+Matrix's default federation port is 8448, and clients must use port 443.
+If you would like to use only port 443 or a different port, you will need to set up
+delegation. Continuwuity has configuration options for delegation, or you can configure
+your reverse proxy to manually serve the necessary JSON files for delegation
+(see the `[global.well_known]` config section).
+
+If Continuwuity runs behind a router or in a container and has a different public
+IP address than the host system, you need to forward these public ports directly
+or indirectly to the port mentioned in the configuration.
+
+Note for NAT users: if you have trouble connecting to your server from inside
+your network, check if your router supports "NAT
+hairpinning" or "NAT loopback".
+
+If your router does not support this feature, you need to research doing local
+DNS overrides and force your Matrix DNS records to use your local IP internally.
+This can be done at the host level using `/etc/hosts`. If you need this to be
+on the network level, consider something like NextDNS or Pi-Hole.
+
 ## Setting up a systemd service

 You can find an example unit for continuwuity below.
@@ -105,7 +118,7 @@ and OpenSUSE), put `$EscapeControlCharactersOnReceive off` inside
 `/etc/rsyslog.conf` to allow color in logs.

 If you are using a different `database_path` than the systemd unit's
-configured default (`/var/lib/conduwuit`), you need to add your path to the
+configured default `/var/lib/conduwuit`, you need to add your path to the
 systemd unit's `ReadWritePaths=`. You can do this by either directly editing
 `conduwuit.service` and reloading systemd, or by running `systemctl edit conduwuit.service`
 and entering the following:
@@ -115,20 +128,20 @@ and entering the following:
 ReadWritePaths=/path/to/custom/database/path
 ```

+
 ### Example systemd Unit File

 <details>
 <summary>Click to expand systemd unit file (conduwuit.service)</summary>

+
 ```ini file="../../pkg/conduwuit.service"

 ```

 </details>

-You can also [view the file on Foregejo][systemd-file].
-
-[systemd-file]: https://forgejo.ellis.link/continuwuation/continuwuity/src/branch/main/pkg/conduwuit.service
+You can also [view the file on Foregejo](https://forgejo.ellis.link/continuwuation/continuwuity/src/branch/main/pkg/conduwuit.service).

 ## Creating the Continuwuity configuration file

@@ -139,7 +152,9 @@ Now you need to create the Continuwuity configuration file in
 **Please take a moment to read the config. You need to change at least the
 server name.**

-### Setting the correct file permissions
+RocksDB is the only supported database backend.
+
+## Setting the correct file permissions

 If you are using a dedicated user for Continuwuity, you need to allow it to
 read the configuration. To do this, run:
@@ -157,29 +172,22 @@ sudo chown -R continuwuity:continuwuity /var/lib/conduwuit/
 sudo chmod 700 /var/lib/conduwuit/
 ```

-## Exposing ports in the firewall or the router
-
-Matrix's default federation port is **:8448**, and clients use port **:443**. You will need to
-expose these ports on your firewall or router. If you use UFW, the commands to allow them
-are: `ufw allow 8448/tcp` and `ufw allow 443/tcp`.
-
-:::tip Alternative port/domain setups
-If you would like to use only port 443, a different port, or a subdomain for the homeserver, you will need to set up `.well-known` delegation. Consult the `[global.well_known]` section of the config file, and the [**Delegation/Split-domain**](../advanced/delegation) page to learn more about these kinds of deployments.
-:::
-
 ## Setting up the Reverse Proxy

+We recommend Caddy as a reverse proxy because it is trivial to use and handles TLS certificates, reverse proxy headers, etc. transparently with proper defaults.
+For other software, please refer to their respective documentation or online guides.
+
 ### Caddy

-Caddy is the recommended reverse proxy as it is easy to use, has good defaults,
-and handle TLS certificates automatically. After installing Caddy via your preferred
-method, create `/etc/caddy/conf.d/conduwuit_caddyfile` and enter the following
-(substitute `example.com` with your actual server name):
+After installing Caddy via your preferred method, create `/etc/caddy/conf.d/conduwuit_caddyfile`
+and enter the following (substitute your actual server name):

 ```
-example.com, example.com:8448 {
+your.server.name, your.server.name:8448 {
    # TCP reverse_proxy
-    reverse_proxy 127.0.0.1:8008
+    reverse_proxy 127.0.0.1:6167
+    # UNIX socket
+    #reverse_proxy unix//run/conduwuit/conduwuit.sock
 }
 ```

@@ -191,45 +199,46 @@ sudo systemctl enable --now caddy

 ### Other Reverse Proxies

-Normally, your reverse proxy should route everything from port :8448 and :443 back to Continuwuity.
+As we prefer our users to use Caddy, we do not provide configuration files for other proxies.

-For more granular controls, you will need to proxy everything under these following routes:
-
- `/_matrix/` - core Matrix APIs, which includes:
-
-  - `/_matrix/federation` and `/_matrix/key` - core Server-Server APIs. These should be available on port :8448
-
-  - `/_matrix/client` - core Client-Server APIs. These should be available on port :443
-
- `/_conduwuit/` and `/_continuwuity/` - ad-hoc Continuwuity routes for password resets, email verification, and server details such as `/local_user_count` and `/server_version`.
+You will need to reverse proxy everything under the following routes:
+- `/_matrix/` - core Matrix C-S and S-S APIs
+- `/_conduwuit/` and/or `/_continuwuity/` - ad-hoc Continuwuity routes such as `/local_user_count` and
+`/server_version`

 You can optionally reverse proxy the following individual routes:
-
 - `/.well-known/matrix/client` and `/.well-known/matrix/server` if using
-  Continuwuity to perform delegation (see the `[global.well_known]` config section)
+Continuwuity to perform delegation (see the `[global.well_known]` config section)
 - `/.well-known/matrix/support` if using Continuwuity to send the homeserver admin
-  [contact and support page][well-known-support]
- `/` and `/_continuwuity/logo.svg` if you would like to see the Continuwuity landing page
+contact and support page (formerly known as MSC1929)
+- `/` if you would like to see `hewwo from conduwuit woof!` at the root

-Refer to the respective software's documentation and online guides on how to do so.
+See the following spec pages for more details on these files:
+- [`/.well-known/matrix/server`](https://spec.matrix.org/latest/client-server-api/#getwell-knownmatrixserver)
+- [`/.well-known/matrix/client`](https://spec.matrix.org/latest/client-server-api/#getwell-knownmatrixclient)
+- [`/.well-known/matrix/support`](https://spec.matrix.org/latest/client-server-api/#getwell-knownmatrixsupport)

-[well-known-support]: https://spec.matrix.org/v1.18/client-server-api/#getwell-knownmatrixsupport
+Examples of delegation:
+- https://continuwuity.org/.well-known/matrix/server
+- https://continuwuity.org/.well-known/matrix/client
+- https://ellis.link/.well-known/matrix/server
+- https://ellis.link/.well-known/matrix/client

-#### Caveats for specific reverse proxies
+For Apache and Nginx there are many examples available online.

- Lighttpd is not supported as it appears to interfere with the `X-Matrix` Authorization
+Lighttpd is not supported as it appears to interfere with the `X-Matrix` Authorization
 header, making federation non-functional. If you find a workaround, please share it so we can add it to this documentation.

- If using Apache, you need to use `nocanon` in your `ProxyPass` directive to prevent httpd from interfering with the `X-Matrix` header (note that Apache is not ideal as a general reverse proxy, so we discourage using it if alternatives are available).
+If using Apache, you need to use `nocanon` in your `ProxyPass` directive to prevent httpd from interfering with the `X-Matrix` header (note that Apache is not ideal as a general reverse proxy, so we discourage using it if alternatives are available).

- If using Nginx, you need to pass the request URI to Continuwuity using `$request_uri`, like this:
+If using Nginx, you need to pass the request URI to Continuwuity using `$request_uri`, like this:
+- `proxy_pass http://127.0.0.1:6167$request_uri;`
+- `proxy_pass http://127.0.0.1:6167;`

-    - `proxy_pass http://127.0.0.1:6167$request_uri;`
-    - `proxy_pass http://127.0.0.1:6167;`
+Nginx users need to increase the `client_max_body_size` setting (default is 1M) to match the
+`max_request_size` defined in conduwuit.toml.

-    Furthermore, Nginx users need to increase the `client_max_body_size` setting (default is 1M) to match the `max_request_size` defined in conduwuit.toml.
-
-## Starting Your Server
+## You're done

 Now you can start Continuwuity with:

@@ -243,58 +252,36 @@ Set it to start automatically when your system boots with:
 sudo systemctl enable conduwuit
 ```

-Check Continuwuity logs with the following command:
-
-```bash
-sudo journalctl -u conduwuit.service
-```
-
-If Continuwuity has successfully initialized, you'll see output as below.
-
-```
-In order to use your new homeserver, you need to create its
-first user account.
-Open your Matrix client of choice and register an account
-on example.com using registration token x5keUZ811RqvLsNa .
-Pick your own username and password!
-```
-
-You can then open [a Matrix client][matrix-clients],
-enter your homeserver address, and register with the provided token.
-By default, the first user is the instance's first admin. They will be added
-to the `#admin:example.com` room and be able to [issue admin commands](../reference/admin/index.md).
-
-[matrix-clients]: https://matrix.org/ecosystem/clients
-
 ## How do I know it works?

-To check if your server can communicate with other homeservers,
-use an external testing tool:
+You can open [a Matrix client](https://matrix.org/ecosystem/clients), enter your
+homeserver address, and try to register.

- [Matrix Connectivity Tester](https://federationtester.mtrnord.blog/)
- [Matrix Federation Tester](https://federationtester.matrix.org/)
-
-If you can register your account but cannot join federated rooms, check your configuration
-and verify that your federation endpoints are opened and forwarded correctly.
-
-As a quick health check, you can also use these cURL commands:
+You can also use these commands as a quick health check (replace
+`your.server.name`).

 ```bash
-curl https://example.com/_conduwuit/server_version
+curl https://your.server.name/_conduwuit/server_version

 # If using port 8448
-curl https://example.com:8448/_conduwuit/server_version
+curl https://your.server.name:8448/_conduwuit/server_version

 # If federation is enabled
-curl https://example.com:8448/_matrix/federation/v1/version
-
-# For client-server endpoints
-curl https://example.com/_matrix/client/versions
+curl https://your.server.name:8448/_matrix/federation/v1/version
 ```

-## What's next?
+- To check if your server can communicate with other homeservers, use the
+[Matrix Federation Tester](https://federationtester.mtrnord.blog/). If you can
+register but cannot join federated rooms, check your configuration and verify
+that port 8448 is open and forwarded correctly.

- For smooth federation, set up a caching resolver according to the [**DNS tuning guide**](../advanced/dns.mdx) (recommended)
- For Audio/Video call functionality see the [**Calls**](../calls.md) page.
- Consult the [Maintenance](../maintenance.mdx) page for guidance on maintaining your homeserver.
- If you want to set up an appservice, take a look at the [**Appservice Guide**](../appservices.md).
+# What's next?
+
+## Audio/Video calls
+
+For Audio/Video call functionality see the [Calls](../calls.md) page.
+
+## Appservices
+
+If you want to set up an appservice, take a look at the [Appservice
+Guide](../appservices.md).
@@ -1,40 +1,40 @@
 # Continuwuity for NixOS

-## Nix package
+NixOS packages Continuwuity as `matrix-continuwuity`. This package includes both the Continuwuity software and a dedicated NixOS module for configuration and deployment.

-You can get a Nix package for Continuwuity from the following sources:
+## Installation methods

- Directly from Nixpkgs: `pkgs.matrix-continuwuity`
- Or, using `continuwuity.packages.${system}.default` from:
-    - The `flake.nix` at the root of the Continuwuity repo, by adding Continuwuity to your flake inputs:
+You can acquire Continuwuity with Nix (or [Lix][lix]) from these sources:

-    ```nix
-    inputs.continuwuity.url = "git+https://forgejo.ellis.link/continuwuation/continuwuity";
-    ```
-
-    - The `default.nix` at the root of the Continuwuity repo
+* Directly from Nixpkgs using the official package (`pkgs.matrix-continuwuity`)
+* The `flake.nix` at the root of the Continuwuity repo
+* The `default.nix` at the root of the Continuwuity repo

 ## NixOS module

-Continuwuity has an official NixOS module that simplifies configuration and deployment. The module is available in Nixpkgs as `services.matrix-continuwuity`.
+Continuwuity now has an official NixOS module that simplifies configuration and deployment. The module is available in Nixpkgs as `services.matrix-continuwuity` from NixOS 25.05.

 Here's a basic example of how to use the module:

 ```nix
-services.matrix-continuwuity = {
-  enable = true;
-  settings = {
-    global = {
-      server_name = "example.com";
+{ config, pkgs, ... }:

-      # Continuwuity listens on localhost by default,
-      # address and port are handled automatically
-
-      # You can add any further configuration here, e.g.
-	  # trusted_servers = [ "matrix.org" ];
+{
+  services.matrix-continuwuity = {
+    enable = true;
+    settings = {
+      global = {
+        server_name = "example.com";
+        # Listening on localhost by default
+        # address and port are handled automatically
+        allow_registration = false;
+        allow_encryption = true;
+        allow_federation = true;
+        trusted_servers = [ "matrix.org" ];
+      };
    };
  };
-};
+}
 ```

 ### Available options
@@ -45,30 +45,86 @@ The NixOS module provides these configuration options:
 - `user`: The user to run Continuwuity as (defaults to "continuwuity")
 - `group`: The group to run Continuwuity as (defaults to "continuwuity")
 - `extraEnvironment`: Extra environment variables to pass to the Continuwuity server
- `package`: The Continuwuity package to use, defaults to `pkgs.matrix-continuwuity`
-    - You may want to override this to be from our flake, for faster updates and unstable versions:
-    ```nix
-    package = inputs.continuwuity.packages.${pkgs.stdenv.hostPlatform.system}.default;
-    ```
- `admin.enable`: Whether to add the `conduwuit` binary to `PATH` for administration (enabled by default)
- `settings`: The Continuwuity configuration
+- `package`: The Continuwuity package to use
+- `settings`: The Continuwuity configuration (in TOML format)

 Use the `settings` option to configure Continuwuity itself. See the [example configuration file](../reference/config.mdx) for all available options.

-Settings are automatically translated from Nix to TOML. For example, the following line of Nix:
+### UNIX sockets
+
+The NixOS module natively supports UNIX sockets through the `global.unix_socket_path` option. When using UNIX sockets, set `global.address` to `null`:

 ```nix
-settings.global.well_known.client = "https://matrix.example.com";
+services.matrix-continuwuity = {
+  enable = true;
+  settings = {
+    global = {
+      server_name = "example.com";
+      address = null; # Must be null when using unix_socket_path
+      unix_socket_path = "/run/continuwuity/continuwuity.sock";
+      unix_socket_perms = 660; # Default permissions for the socket
+      # ...
+    };
+  };
+};
 ```

-Would become this equivalent TOML configuration:
+The module automatically sets the correct `RestrictAddressFamilies` in the systemd service configuration to allow access to UNIX sockets.

-```toml
-[global.well_known]
-client = "https://matrix.example.com"
+### RocksDB database
+
+Continuwuity exclusively uses RocksDB as its database backend. The system configures the database path automatically to `/var/lib/continuwuity/` and you cannot change it due to the service's reliance on systemd's StateDir.
+
+If you're migrating from Conduit with SQLite, use this [tool to migrate a Conduit SQLite database to RocksDB](https://github.com/ShadowJonathan/conduit_toolbox/).
+
+### jemalloc and hardened profile
+
+Continuwuity uses jemalloc by default. This may interfere with the [`hardened.nix` profile][hardened.nix] because it uses `scudo` by default. Either disable/hide `scudo` from Continuwuity or disable jemalloc like this:
+
+```nix
+services.matrix-continuwuity = {
+  enable = true;
+  package = pkgs.matrix-continuwuity.override {
+    enableJemalloc = false;
+  };
+  # ...
+};
 ```

+## Upgrading from Conduit
+
+If you previously used Conduit with the `services.matrix-conduit` module:
+
+1. Ensure your Conduit uses the RocksDB backend, or migrate from SQLite using the [migration tool](https://github.com/ShadowJonathan/conduit_toolbox/)
+2. Switch to the new module by changing `services.matrix-conduit` to `services.matrix-continuwuity` in your configuration
+3. Update any custom configuration to match the new module's structure
+
 ## Reverse proxy configuration

-You'll need to set up a reverse proxy (like NGINX or Caddy) to expose Continuwuity to the internet. You can configure your reverse proxy using NixOS options (e.g. `services.caddy`).
-See the [reverse proxy setup guide](./generic.mdx#setting-up-the-reverse-proxy) for information on correct reverse proxy configuration.
+You'll need to set up a reverse proxy (like nginx or caddy) to expose Continuwuity to the internet. Configure your reverse proxy to forward requests to `/_matrix` on port 443 and 8448 to your Continuwuity instance.
+
+Here's an example nginx configuration:
+
+```nginx
+server {
+    listen 443 ssl;
+    listen [::]:443 ssl;
+    listen 8448 ssl;
+    listen [::]:8448 ssl;
+
+    server_name example.com;
+
+    # SSL configuration here...
+
+    location /_matrix/ {
+        proxy_pass http://127.0.0.1:6167$request_uri;
+        proxy_set_header Host $host;
+        proxy_set_header X-Real-IP $remote_addr;
+        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+        proxy_set_header X-Forwarded-Proto $scheme;
+    }
+}
+```
+
+[lix]: https://lix.systems/
+[hardened.nix]: https://github.com/NixOS/nixpkgs/blob/master/nixos/modules/profiles/hardened.nix
@@ -1,118 +0,0 @@
-# Continuwuity for Nomad
-
-You can either pass the configuration as environment variables or mount a file containing the configuration from consul.
-This given configuration assumes that you have a traefik reverse proxy running.
-
-## Persistence
-The database being a RockDB file, it is recommended to use a volume to persist the data.
-The example below uses a volume, you need to configure the CSI driver on your cluster.
-
-| Volume Name | Mount Path | Purpose |
-|-------------|------------|---------|
-| continuwuity-volume | `/var/lib/continuwuity` | Store the database |
-| continuwuity-media-volume | `/var/lib/continuwuity/media` | Store uploaded media |
-
-## Configuration
-### Using environment variables
-```hcl
-job "continuwuity" {
-  datacenters = ["dc1"]
-  type      = "service"
-  node_pool = "default"
-
-  group "continuwuity" {
-    count = 1
-
-    network {
-      port "http" {
-        static = 6167
-      }
-    }
-
-    service {
-      name = "continuwuity"
-      port = "http"
-      tags = [
-        "traefik.enable=true",
-        "traefik.http.routers.continuwuity.rule=(Host(`matrix.example.com`) || (Host(`example.com`) && PathPrefix(`/.well-known/matrix`)))",
-        "traefik.http.routers.continuwuity.entrypoints=https",
-        "traefik.http.routers.continuwuity.tls=true",
-        "traefik.http.routers.continuwuity.tls.certresolver=letsencrypt",
-        "traefik.http.routers.continuwuity-http.rule=(Host(`matrix.example.com`) || (Host(`example.com`) && PathPrefix(`/.well-known/matrix`)))",
-        "traefik.http.routers.continuwuity-http.entrypoints=http",
-        "traefik.http.routers.continuwuity-http.middlewares=continuwuity-redirect",
-        "traefik.http.middlewares.continuwuity-redirect.redirectscheme.scheme=https",
-        "traefik.http.middlewares.continuwuity-redirect.redirectscheme.permanent=true",
-      ]
-    }
-
-    volume "continuwuity-volume" {
-      type            = "csi"
-      read_only       = false
-      source          = "continuwuity-volume"
-      attachment_mode = "file-system"
-      access_mode     = "single-node-writer"
-      per_alloc       = false
-    }
-
-    volume "continuwuity-media-volume" {
-      type            = "csi"
-      read_only       = false
-      source          = "continuwuity-media-volume"
-      attachment_mode = "file-system"
-      access_mode     = "single-node-writer"
-      per_alloc       = false
-
-      mount_options {
-        mount_flags = []
-      }
-    }
-
-    task "continuwuity" {
-      driver = "docker"
-
-      env {
-        CONTINUWUITY_SERVER_NAME        = "matrix.example.com"
-        CONTINUWUITY_TRUSTED_SERVERS    = "[\"matrix.org\", \"mozilla.org\"]"
-        CONTINUWUITY_ALLOW_REGISTRATION = false
-        CONTINUWUITY_ADDRESS            = "0.0.0.0"
-        CONTINUWUITY_PORT               = 6167
-        CONTINUWUITY_DATABASE_PATH      = "/var/lib/continuwuity"
-        CONTINUWUITY_WELL_KNOWN         = <<EOF
-{
-client=https://matrix.example.com,
-server=matrix.example.com:443
-}
-EOF
-      }
-
-      config {
-        image = "forgejo.ellis.link/continuwuation/continuwuity:latest"
-        ports = ["http"]
-      }
-
-      volume_mount {
-        volume      = "continuwuity-volume"
-        destination = "/var/lib/continuwuity"
-      }
-
-      volume_mount {
-        volume      = "continuwuity-media-volume"
-        destination = "/var/lib/continuwuity/media"
-      }
-    }
-  }
-}
-```
-
-### Using consul
-```hcl
-...
-      template {
-        data = <<EOF
-{{key "config/continuwuity"}}
-EOF
-        destination = "local/conduwuit.toml"
-      }
-...
-```
@@ -81,6 +81,8 @@ changes.
 All forked dependencies are maintained under the
 [continuwuation organization on Forgejo](https://forgejo.ellis.link/continuwuation):

+- [ruwuma][continuwuation-ruwuma] - Fork of [ruma/ruma][ruma] with various
+  performance improvements, more features and better client/server interop
 - [rocksdb][continuwuation-rocksdb] - Fork of [facebook/rocksdb][rocksdb] via
  [`@zaidoon1`][8] with liburing build fixes and GCC debug build fixes
 - [jemallocator][continuwuation-jemallocator] - Fork of
@@ -6,10 +6,10 @@
            "message": "Welcome to Continuwuity! Important announcements about the project will appear here."
        },
        {
-            "id": 13,
-            "mention_room": true,
-            "date": "2026-05-08",
-            "message": "[v0.5.9](https://forgejo.ellis.link/continuwuation/continuwuity/releases/tag/v0.5.9) has been released, fixing a few low-severity federation-related vulnerabilities. It is recommended you read the changelog and update as soon as possible. There are no new features or other changes in this release, only related bugfixes. Deployments tracking the main branch should also update to the latest commit."
+            "id": 10,
+            "mention_room": false,
+            "date": "2026-03-03",
+            "message": "We've just released [v0.5.6](https://forgejo.ellis.link/continuwuation/continuwuity/releases/tag/v0.5.6), which contains a few  security improvements - plus significant reliability and performance improvements. Please update as soon as possible. \n\nWe released [v0.5.5](https://forgejo.ellis.link/continuwuation/continuwuity/releases/tag/v0.5.5) two weeks ago, but it skipped your admin room straight to [our announcements channel](https://matrix.to/#/!jIdNjSM5X-V5JVx2h2kAhUZIIQ08GyzPL55NFZAH1vM?via=ellis.link&via=gingershaped.computer&via=matrix.org). Make sure you're there to get important information as soon as we announce it! [Our space](https://matrix.to/#/!8cR4g-i9ucof69E4JHNg9LbPVkGprHb3SzcrGBDDJgk?via=continuwuity.org&via=ellis.link&via=matrix.org) has also gained a bunch of new and interesting rooms - be there or be square."
        }
    ]
 }
@@ -1,43 +0,0 @@
-# Continuwuity - Behind Traefik Reverse Proxy
-
-services:
-  homeserver:
-    image: "forgejo.ellis.link/continuwuation/continuwuity:latest"
-    restart: unless-stopped
-    command: /sbin/conduwuit
-    volumes:
-      - db:/var/lib/continuwuity
-      - ./continuwuity-resolv.conf:/etc/resolv.conf # use custom resolvers rather than Docker's
-      #- ./continuwuity.toml:/etc/continuwuity.toml
-    networks:
-      - proxy
-    labels:
-      - "traefik.enable=true"
-      - "traefik.http.routers.continuwuity.rule=(Host(`matrix.example.com`) || (Host(`example.com`) && PathPrefix(`/.well-known/matrix`)))"
-      - "traefik.http.routers.continuwuity.entrypoints=websecure" # your HTTPS entry point
-      - "traefik.http.routers.continuwuity.tls=true"
-      - "traefik.http.routers.continuwuity.service=continuwuity"
-      - "traefik.http.services.continuwuity.loadbalancer.server.port=8008"
-      # possibly, depending on your config:
-      # - "traefik.http.routers.continuwuity.tls.certresolver=letsencrypt"
-    environment:
-      CONTINUWUITY_SERVER_NAME: example.com # EDIT THIS
-      CONTINUWUITY_DATABASE_PATH: /var/lib/continuwuity
-      CONTINUWUITY_ADDRESS: 0.0.0.0
-      CONTINUWUITY_PORT: 8008 # This must match with traefik's loadbalancer label
-      #CONTINUWUITY_CONFIG: '/etc/continuwuity.toml' # Uncomment if you mapped config toml above
-
-      # Serve .well-known files to tell others to reach Continuwuity on port :443
-      CONTINUWUITY_WELL_KNOWN: |
-        {
-        client=https://matrix.example.com,
-        server=matrix.example.com:443
-        }
-
-volumes:
-  db:
-
-networks:
-  # This must match the network name that Traefik listens on
-  proxy:
-    external: true
@@ -1,54 +0,0 @@
-# Continuwuity - With Caddy Labels
-
-services:
-    caddy:
-    # This compose file uses caddy-docker-proxy as the reverse proxy for Continuwuity!
-    # For more info, visit https://github.com/lucaslorentz/caddy-docker-proxy
-        image: "docker.io/lucaslorentz/caddy-docker-proxy:ci-alpine"
-        ports:
-            - 80:80
-            - 443:443
-        environment:
-            - CADDY_INGRESS_NETWORKS=caddy
-        networks:
-            - caddy
-        volumes:
-            - /var/run/docker.sock:/var/run/docker.sock
-            - ./data:/data
-        restart: unless-stopped
-        labels:
-            caddy: example.com
-            caddy.reverse_proxy: /.well-known/matrix/* homeserver:8008
-
-    homeserver:
-        image: "forgejo.ellis.link/continuwuation/continuwuity:latest"
-        restart: unless-stopped
-        command: /sbin/conduwuit
-        volumes:
-            - db:/var/lib/continuwuity
-            - ./continuwuity-resolv.conf:/etc/resolv.conf # use custom resolvers rather than Docker's
-            #- ./continuwuity.toml:/etc/continuwuity.toml
-        environment:
-            CONTINUWUITY_SERVER_NAME: example.com # EDIT THIS
-            CONTINUWUITY_DATABASE_PATH: /var/lib/continuwuity
-            CONTINUWUITY_ADDRESS: 0.0.0.0
-            CONTINUWUITY_PORT: 8008
-            #CONTINUWUITY_CONFIG: '/etc/continuwuity.toml' # Uncomment if you mapped config toml above
-
-            # Serve .well-known files to tell others to reach Continuwuity on port :443
-            CONTINUWUITY_WELL_KNOWN: |
-                {
-                client=https://matrix.example.com,
-                server=matrix.example.com:443
-                }
-
-        networks:
-            - caddy
-        labels:
-            caddy: matrix.example.com
-            caddy.reverse_proxy: "{{upstreams 8008}}"
-volumes:
-    db:
-
-networks:
-    caddy:
@@ -1,57 +0,0 @@
-# Continuwuity - Using Caddy Docker Image
-
-services:
-    caddy:
-        image: "docker.io/caddy:latest"
-        ports:
-            - 80:80
-            - 443:443
-        networks:
-            - caddy
-        volumes:
-            - ./data:/data
-        restart: unless-stopped
-        configs:
-            - source: Caddyfile
-              target: /etc/caddy/Caddyfile
-
-    homeserver:
-        image: "forgejo.ellis.link/continuwuation/continuwuity:latest"
-        restart: unless-stopped
-        command: /sbin/conduwuit
-        volumes:
-            - db:/var/lib/continuwuity
-            - ./continuwuity-resolv.conf:/etc/resolv.conf # use custom resolvers rather than Docker's
-            #- ./continuwuity.toml:/etc/continuwuity.toml
-        environment:
-            CONTINUWUITY_SERVER_NAME: example.com
-            CONTINUWUITY_DATABASE_PATH: /var/lib/continuwuity
-            CONTINUWUITY_ADDRESS: 0.0.0.0
-            CONTINUWUITY_PORT: 8008
-            #CONTINUWUITY_CONFIG: '/etc/continuwuity.toml' # Uncomment if you mapped config toml above
-
-            ## Serve .well-known files to tell others to reach Continuwuity on port :443
-            CONTINUWUITY_WELL_KNOWN: |
-                {
-                client=https://matrix.example.com,
-                server=matrix.example.com:443
-                }
-
-        networks:
-            - caddy
-
-networks:
-    caddy:
-
-volumes:
-    db:
-
-configs:
-    Caddyfile:
-        content: |
-            https://matrix.example.com:443 {
-                reverse_proxy http://homeserver:8008
-            }
-            https://example.com:443 {
-                reverse_proxy /.well-known/matrix* http://homeserver:8008
-            }
@@ -1,85 +0,0 @@
-# Continuwuity - With Traefik Reverse Proxy
-
-services:
-  homeserver:
-    image: "forgejo.ellis.link/continuwuation/continuwuity:latest"
-    restart: unless-stopped
-    command: /sbin/conduwuit
-    volumes:
-      - db:/var/lib/continuwuity
-      - ./continuwuity-resolv.conf:/etc/resolv.conf # use custom resolvers rather than Docker's
-      #- ./continuwuity.toml:/etc/continuwuity.toml
-    networks:
-      - proxy
-    labels:
-      - "traefik.enable=true"
-      - "traefik.http.routers.continuwuity.rule=(Host(`matrix.example.com`) || (Host(`example.com`) && PathPrefix(`/.well-known/matrix`)))"
-      - "traefik.http.routers.continuwuity.entrypoints=websecure"
-      - "traefik.http.routers.continuwuity.tls.certresolver=letsencrypt"
-      - "traefik.http.services.continuwuity.loadbalancer.server.port=8008"
-    environment:
-      CONTINUWUITY_SERVER_NAME: example.com # EDIT THIS
-      CONTINUWUITY_DATABASE_PATH: /var/lib/continuwuity
-      CONTINUWUITY_ADDRESS: 0.0.0.0
-      CONTINUWUITY_PORT: 8008 # This must match with traefik's loadbalancer label
-      #CONTINUWUITY_CONFIG: '/etc/continuwuity.toml' # Uncomment if you mapped config toml above
-
-      # Serve .well-known files to tell others to reach Continuwuity on port :443
-      CONTINUWUITY_WELL_KNOWN: |
-        {
-          client=https://matrix.example.com,
-          server=matrix.example.com:443
-        }
-
-  traefik:
-    image: "docker.io/traefik:latest"
-    container_name: "traefik"
-    restart: "unless-stopped"
-    ports:
-      - "80:80"
-      - "443:443"
-    volumes:
-      - "/var/run/docker.sock:/var/run/docker.sock:ro"
-      - "acme:/etc/traefik/acme"
-    labels:
-      - "traefik.enable=true"
-
-      # middleware redirect
-      - "traefik.http.middlewares.redirect-to-https.redirectscheme.scheme=https"
-      # global redirect to https
-      - "traefik.http.routers.redirs.rule=hostregexp(`{host:.+}`)"
-      - "traefik.http.routers.redirs.entrypoints=web"
-      - "traefik.http.routers.redirs.middlewares=redirect-to-https"
-
-    environment:
-
-      TRAEFIK_LOG_LEVEL: DEBUG
-      TRAEFIK_ENTRYPOINTS_WEB: true
-      TRAEFIK_ENTRYPOINTS_WEB_ADDRESS: ":80"
-      TRAEFIK_ENTRYPOINTS_WEB_HTTP_REDIRECTIONS_ENTRYPOINT_TO: websecure
-
-      TRAEFIK_ENTRYPOINTS_WEBSECURE: true
-      TRAEFIK_ENTRYPOINTS_WEBSECURE_ADDRESS: ":443"
-      TRAEFIK_ENTRYPOINTS_WEBSECURE_HTTP_TLS_CERTRESOLVER: letsencrypt
-
-      TRAEFIK_CERTIFICATESRESOLVERS_LETSENCRYPT: true
-      # CHANGE THIS to desired email for ACME
-      TRAEFIK_CERTIFICATESRESOLVERS_LETSENCRYPT_ACME_EMAIL: user@example.com
-      TRAEFIK_CERTIFICATESRESOLVERS_LETSENCRYPT_ACME_HTTPCHALLENGE: true
-      TRAEFIK_CERTIFICATESRESOLVERS_LETSENCRYPT_ACME_HTTPCHALLENGE_ENTRYPOINT: web
-      TRAEFIK_CERTIFICATESRESOLVERS_LETSENCRYPT_ACME_STORAGE: "/etc/traefik/acme/acme.json"
-
-      # Since Traefik 3.6.3, paths with certain "encoded characters" are now blocked by default; we need a couple, or else things *will* break
-      TRAEFIK_ENTRYPOINTS_WEBSECURE_HTTP_ENCODEDCHARACTERS_ALLOWENCODEDSLASH: true
-      TRAEFIK_ENTRYPOINTS_WEBSECURE_HTTP_ENCODEDCHARACTERS_ALLOWENCODEDHASH: true
-
-      TRAEFIK_PROVIDERS_DOCKER: true
-      TRAEFIK_PROVIDERS_DOCKER_ENDPOINT: "unix:///var/run/docker.sock"
-      TRAEFIK_PROVIDERS_DOCKER_EXPOSEDBYDEFAULT: false
-
-volumes:
-  db:
-  acme:
-
-networks:
-  proxy:
@@ -1,43 +0,0 @@
-# Continuwuity - Behind Traefik Reverse Proxy
-
-services:
-  homeserver:
-    image: "forgejo.ellis.link/continuwuation/continuwuity:latest"
-    restart: unless-stopped
-    command: /sbin/conduwuit
-    volumes:
-      - db:/var/lib/continuwuity
-      - ./continuwuity-resolv.conf:/etc/resolv.conf # use custom resolvers rather than Docker's
-      #- ./continuwuity.toml:/etc/continuwuity.toml
-    networks:
-      - proxy
-    labels:
-      - "traefik.enable=true"
-      - "traefik.http.routers.continuwuity.rule=(Host(`example.com`))"
-      - "traefik.http.routers.continuwuity.entrypoints=websecure" # your HTTPS entry point
-      - "traefik.http.routers.continuwuity.tls=true"
-      - "traefik.http.routers.continuwuity.service=continuwuity"
-      - "traefik.http.services.continuwuity.loadbalancer.server.port=8008"
-      # possibly, depending on your config:
-      # - "traefik.http.routers.continuwuity.tls.certresolver=letsencrypt"
-    environment:
-      CONTINUWUITY_SERVER_NAME: example.com
-      CONTINUWUITY_DATABASE_PATH: /var/lib/continuwuity
-      CONTINUWUITY_ADDRESS: 0.0.0.0
-      CONTINUWUITY_PORT: 8008 # This must match with traefik's loadbalancer label
-      #CONTINUWUITY_CONFIG: '/etc/continuwuity.toml' # Uncomment if you mapped config toml above
-
-      # Serve .well-known files to tell others to reach Continuwuity on port :443
-      CONTINUWUITY_WELL_KNOWN: |
-        {
-        client=https://example.com,
-        server=example.com:443
-        }
-
-volumes:
-  db:
-
-networks:
-  # This must match the network name that Traefik listens on
-  proxy:
-    external: true
@@ -1,23 +0,0 @@
-# Continuwuity - Traefik Reverse Proxy Labels (override file)
-
-services:
-  homeserver:
-    labels:
-      - "traefik.enable=true"
-      - "traefik.docker.network=proxy" # Change this to the name of your Traefik docker proxy network
-
-      - "traefik.http.routers.to-continuwuity.rule=Host(`example.com`)"  # Change to the address on which Continuwuity is hosted
-      - "traefik.http.routers.to-continuwuity.tls=true"
-      - "traefik.http.routers.to-continuwuity.tls.certresolver=letsencrypt"
-      - "traefik.http.routers.to-continuwuity.middlewares=cors-headers@docker"
-
-      # This must match with CONTINUWUITY_PORT (default: 8008)
-      - "traefik.http.services.to_continuwuity.loadbalancer.server.port=8008"
-
-      # If you want to have your account on <DOMAIN>, but host Continuwuity on a subdomain,
-      # you can let it only handle the well known file on the base domain instead
-      #
-      # - "traefik.http.routers.to-matrix-wellknown.rule=Host(`example.com`) && PathPrefix(`/.well-known/matrix`)"
-      #- "traefik.http.routers.to-matrix-wellknown.tls=true"
-      #- "traefik.http.routers.to-matrix-wellknown.tls.certresolver=letsencrypt"
-      #- "traefik.http.routers.to-matrix-wellknown.middlewares=cors-headers@docker"
@@ -1,51 +0,0 @@
-# Continuwuity - With Caddy Labels
-
-services:
-    caddy:
-    # This compose file uses caddy-docker-proxy as the reverse proxy for Continuwuity!
-    # For more info, visit https://github.com/lucaslorentz/caddy-docker-proxy
-        image: "docker.io/lucaslorentz/caddy-docker-proxy:ci-alpine"
-        ports:
-            - 80:80
-            - 443:443
-        environment:
-            - CADDY_INGRESS_NETWORKS=caddy
-        networks:
-            - caddy
-        volumes:
-            - /var/run/docker.sock:/var/run/docker.sock
-            - ./data:/data
-        restart: unless-stopped
-
-    homeserver:
-        image: "forgejo.ellis.link/continuwuation/continuwuity:latest"
-        restart: unless-stopped
-        command: /sbin/conduwuit
-        volumes:
-            - db:/var/lib/continuwuity
-            - ./continuwuity-resolv.conf:/etc/resolv.conf # use custom resolvers rather than Docker's
-            #- ./continuwuity.toml:/etc/continuwuity.toml
-        environment:
-            CONTINUWUITY_SERVER_NAME: example.com
-            CONTINUWUITY_DATABASE_PATH: /var/lib/continuwuity
-            CONTINUWUITY_ADDRESS: 0.0.0.0
-            CONTINUWUITY_PORT: 8008
-            #CONTINUWUITY_CONFIG: '/etc/continuwuity.toml' # Uncomment if you mapped config toml above
-
-            # Serve .well-known files to tell others to reach Continuwuity on port :443
-            CONTINUWUITY_WELL_KNOWN: |
-                {
-                client=https://example.com,
-                server=example.com:443
-                }
-
-        networks:
-            - caddy
-        labels:
-            caddy: example.com
-            caddy.reverse_proxy: "{{upstreams 8008}}"
-volumes:
-    db:
-
-networks:
-    caddy:
@@ -1,56 +0,0 @@
-# Continuwuity - Using Caddy Docker Image
-
-services:
-    caddy:
-        image: "docker.io/caddy:latest"
-        ports:
-            - 80:80
-            - 443:443
-            - 8448:8448
-        networks:
-            - caddy
-        volumes:
-            - ./data:/data
-        restart: unless-stopped
-        configs:
-            - source: Caddyfile
-              target: /etc/caddy/Caddyfile
-
-    homeserver:
-        image: "forgejo.ellis.link/continuwuation/continuwuity:latest"
-        restart: unless-stopped
-        command: /sbin/conduwuit
-        volumes:
-            - db:/var/lib/continuwuity
-            - ./continuwuity-resolv.conf:/etc/resolv.conf # use custom resolvers rather than Docker's
-            #- ./continuwuity.toml:/etc/continuwuity.toml
-        environment:
-            CONTINUWUITY_SERVER_NAME: example.com
-            CONTINUWUITY_DATABASE_PATH: /var/lib/continuwuity
-            CONTINUWUITY_ADDRESS: 0.0.0.0
-            CONTINUWUITY_PORT: 8008
-            #CONTINUWUITY_CONFIG: '/etc/continuwuity.toml' # Uncomment if you mapped config toml above
-
-            ## (Optional) Serve .well-known files to tell others to reach Continuwuity on port :443
-            ## If you do this, remove all routes to port :8448 from the compose and Caddyfile
-            # CONTINUWUITY_WELL_KNOWN: |
-            #     {
-            #     client=https://example.com,
-            #     server=example.com:443
-            #     }
-
-        networks:
-            - caddy
-
-networks:
-    caddy:
-
-volumes:
-    db:
-
-configs:
-    Caddyfile:
-        content: |
-            https://example.com:443, https://example.com:8448 {
-                reverse_proxy http://homeserver:8008
-            }
@@ -1,85 +0,0 @@
-# Continuwuity - With Traefik Reverse Proxy
-
-services:
-  homeserver:
-    image: "forgejo.ellis.link/continuwuation/continuwuity:latest"
-    restart: unless-stopped
-    command: /sbin/conduwuit
-    volumes:
-      - db:/var/lib/continuwuity
-      - ./continuwuity-resolv.conf:/etc/resolv.conf # use custom resolvers rather than Docker's
-      #- ./continuwuity.toml:/etc/continuwuity.toml
-    networks:
-      - proxy
-    labels:
-      - "traefik.enable=true"
-      - "traefik.http.routers.continuwuity.rule=(Host(`example.com`))"
-      - "traefik.http.routers.continuwuity.entrypoints=websecure"
-      - "traefik.http.routers.continuwuity.tls.certresolver=letsencrypt"
-      - "traefik.http.services.continuwuity.loadbalancer.server.port=8008"
-    environment:
-      CONTINUWUITY_SERVER_NAME: example.com
-      CONTINUWUITY_DATABASE_PATH: /var/lib/continuwuity
-      CONTINUWUITY_ADDRESS: 0.0.0.0
-      CONTINUWUITY_PORT: 8008 # This must match with traefik's loadbalancer label
-      #CONTINUWUITY_CONFIG: '/etc/continuwuity.toml' # Uncomment if you mapped config toml above
-
-      # Serve .well-known files to tell others to reach Continuwuity on port :443
-      CONTINUWUITY_WELL_KNOWN: |
-        {
-          client=https://example.com,
-          server=example.com:443
-        }
-
-  traefik:
-    image: "docker.io/traefik:latest"
-    container_name: "traefik"
-    restart: "unless-stopped"
-    ports:
-      - "80:80"
-      - "443:443"
-    volumes:
-      - "/var/run/docker.sock:/var/run/docker.sock:ro"
-      - "acme:/etc/traefik/acme"
-    labels:
-      - "traefik.enable=true"
-
-      # middleware redirect
-      - "traefik.http.middlewares.redirect-to-https.redirectscheme.scheme=https"
-      # global redirect to https
-      - "traefik.http.routers.redirs.rule=hostregexp(`{host:.+}`)"
-      - "traefik.http.routers.redirs.entrypoints=web"
-      - "traefik.http.routers.redirs.middlewares=redirect-to-https"
-
-    environment:
-
-      TRAEFIK_LOG_LEVEL: DEBUG
-      TRAEFIK_ENTRYPOINTS_WEB: true
-      TRAEFIK_ENTRYPOINTS_WEB_ADDRESS: ":80"
-      TRAEFIK_ENTRYPOINTS_WEB_HTTP_REDIRECTIONS_ENTRYPOINT_TO: websecure
-
-      TRAEFIK_ENTRYPOINTS_WEBSECURE: true
-      TRAEFIK_ENTRYPOINTS_WEBSECURE_ADDRESS: ":443"
-      TRAEFIK_ENTRYPOINTS_WEBSECURE_HTTP_TLS_CERTRESOLVER: letsencrypt
-
-      TRAEFIK_CERTIFICATESRESOLVERS_LETSENCRYPT: true
-      # CHANGE THIS to desired email for ACME
-      TRAEFIK_CERTIFICATESRESOLVERS_LETSENCRYPT_ACME_EMAIL: user@example.com
-      TRAEFIK_CERTIFICATESRESOLVERS_LETSENCRYPT_ACME_HTTPCHALLENGE: true
-      TRAEFIK_CERTIFICATESRESOLVERS_LETSENCRYPT_ACME_HTTPCHALLENGE_ENTRYPOINT: web
-      TRAEFIK_CERTIFICATESRESOLVERS_LETSENCRYPT_ACME_STORAGE: "/etc/traefik/acme/acme.json"
-
-      # Since Traefik 3.6.3, paths with certain "encoded characters" are now blocked by default; we need a couple, or else things *will* break
-      TRAEFIK_ENTRYPOINTS_WEBSECURE_HTTP_ENCODEDCHARACTERS_ALLOWENCODEDSLASH: true
-      TRAEFIK_ENTRYPOINTS_WEBSECURE_HTTP_ENCODEDCHARACTERS_ALLOWENCODEDHASH: true
-
-      TRAEFIK_PROVIDERS_DOCKER: true
-      TRAEFIK_PROVIDERS_DOCKER_ENDPOINT: "unix:///var/run/docker.sock"
-      TRAEFIK_PROVIDERS_DOCKER_EXPOSEDBYDEFAULT: false
-
-volumes:
-  db:
-  acme:
-
-networks:
-  proxy:
@@ -1,41 +0,0 @@
-# Continuwuity - Bare Configuration (for other reverse proxies)
-
-services:
-    homeserver:
-        image: "forgejo.ellis.link/continuwuation/continuwuity:latest"
-        restart: unless-stopped
-        command: /sbin/conduwuit
-        ports:
-
-            # If your reverse proxy is on the host, use this
-            # and configure it to connect to `127.0.0.1:8008`
-            - 127.0.0.1:8008:8008
-
-            # If your reverse proxy is on another machine, use this
-            # and configure it to connect to <this-machine-ip>:8008
-            # - 8008:8008
-
-            # If your reverse proxy is a docker container on the same network,
-            # comment out the entire `ports` section, and configure it to connect to `continuwuity:8008`
-
-        volumes:
-            - db:/var/lib/continuwuity
-            - ./continuwuity-resolv.conf:/etc/resolv.conf # use custom resolvers rather than Docker's
-            #- ./continuwuity.toml:/etc/continuwuity.toml
-        environment:
-            CONTINUWUITY_SERVER_NAME: example.com # EDIT THIS
-            CONTINUWUITY_DATABASE_PATH: /var/lib/continuwuity
-            CONTINUWUITY_ADDRESS: 0.0.0.0
-            CONTINUWUITY_PORT: 8008
-            #CONTINUWUITY_CONFIG: '/etc/continuwuity.toml' # Uncomment if you mapped config toml above
-
-            ## (Optional) Serve .well-known files to tell others to reach Continuwuity on port :443
-            ## If you do this, remove all routes to port :8448 on your reverse proxy
-            # CONTINUWUITY_WELL_KNOWN: |
-            #     {
-            #     client=https://example.com,
-            #     server=example.com:443
-            #     }
-
-volumes:
-    db:
@@ -4,6 +4,11 @@
        "name": "config",
        "label": "Configuration"
    },
+    {
+        "type": "file",
+        "name": "environment-variables",
+        "label": "Environment Variables"
+    },
    {
        "type": "file",
        "name": "admin",
--- a/Show More
+++ b/Show More
Author	SHA1	Message	Date
Jade Ellis	8e65da6723	style: Fix clippy	2026-04-09 15:37:39 +01:00
Jade Ellis	ad6f6079e7	fix: Use to_str methods on room IDs	2026-04-09 15:32:32 +01:00
Jade Ellis	24766f1b3b	chore: cleanup	2026-04-09 15:32:32 +01:00
Jade Ellis	4e6e64a238	chore: Fix more complicated clippy warnings	2026-04-09 15:32:32 +01:00
Jade Ellis	3494e528ba	feat: Add command to purge sync tokens for empty rooms	2026-04-09 15:32:31 +01:00
Jade Ellis	873496388f	feat: Add admin command to delete sync tokens from a room	2026-04-09 15:32:30 +01:00
				`@@ -0,0 +1 @@`
				`Added support for associating email addresses with accounts, requiring email addresses for registration, and resetting passwords via email. Contributed by @ginger`
				`@@ -1 +0,0 @@`
				`The invite recipient's membership event is now included in invite stripped state, which should fix flaky invite display in some clients. Contributed by @ginger`
				`@@ -0,0 +1 @@`
				`Added support for using an admin command to issue self-service password reset links.`
				`@@ -0,0 +1 @@`
				`Stopped left rooms from being unconditionally sent on initial sync, hopefully fixing spurious appearances of left rooms in some clients (and making sync faster as a bonus). Contributed by @ginger`
				`@@ -0,0 +1 @@`
				`Added support for requiring users to accept terms and conditions when registering.`
				`@@ -1 +0,0 @@`
				`Switched from Continuwuity's fork of Ruma back to upstream Ruma. Contributed by @ginger.`
				`@@ -0,0 +1 @@`
				`Fixed room alias deletion so removing one local alias no longer removes other aliases from room alias listings.`
				`@@ -1 +0,0 @@`
				`Removed support for guest user registration, a little-used and deprecated approach to room previews.`
				`@@ -1 +0,0 @@`
				The deprecated `well_known.rtc_focus_server_urls` config option has been removed. MatrixRTC foci should be configured using the `matrix_rtc.foci` config option.