Merge pull request #4401 from Virkkunen/continuwuity-review

Update Continuwuity files
2025-07-07 16:44:30 +02:00 · 2025-07-05 13:36:22 +03:00
parent 25498851a0 f08bc17273
commit 5142b2ee90
4 changed files with 297 additions and 121 deletions
--- a/docs/configuring-playbook-continuwuity.md
+++ b/docs/configuring-playbook-continuwuity.md
@ -50,8 +50,8 @@ If a specific setting you'd like to change does not have a dedicated Ansible var
 ```yaml
 matrix_continuwuity_environment_variables_extension: |
-  continuwuity_MAX_REQUEST_SIZE=50000000
+  CONTINUWUITY_MAX_REQUEST_SIZE=50000000
-  continuwuity_REQUEST_TIMEOUT=60
+  CONTINUWUITY_REQUEST_TIMEOUT=60
 ```
 ## Creating the first user account
--- a/roles/custom/matrix-continuwuity/defaults/main.yml
+++ b/roles/custom/matrix-continuwuity/defaults/main.yml
@ -143,6 +143,9 @@ matrix_continuwuity_config_max_request_size: 20_000_000
 # Enables registration. If set to false, no users can register on this server.
 matrix_continuwuity_config_allow_registration: false
 # Controls if newly registered users are automatically suspended, requiring admin approval.
 matrix_continuwuity_config_suspend_on_register: false
 # Controls the `yes_i_am_very_very_sure_i_want_an_open_registration_server_prone_to_abuse` setting.
 # This is only used when `matrix_continuwuity_config_allow_registration` is set to true and no registration token is configured.
 matrix_continuwuity_config_yes_i_am_very_very_sure_i_want_an_open_registration_server_prone_to_abuse: false
@ -166,12 +169,11 @@ matrix_continuwuity_config_allow_check_for_updates: false
 # Controls the `emergency_password` setting.
 matrix_continuwuity_config_emergency_password: ''
-# Controls the `allow_federation` setting.
+# Controls the `matrix_continuwuity_trusted_servers`` setting.
-matrix_continuwuity_config_allow_federation: true
+matrix_continuwuity_config_trusted_servers:
 matrix_continuwuity_trusted_servers:
 - "matrix.org"
 # Controls the `matrix_continuwuity_config_log` setting.
 matrix_continuwuity_config_log: "info,state_res=warn,rocket=off,_=off,sled=off"
 # TURN integration.
@ -184,18 +186,23 @@ matrix_continuwuity_config_turn_password: ''
 # Controls whether the self-check feature should validate SSL certificates.
 matrix_continuwuity_self_check_validate_certificates: true
 # Controls server (de)federation settings.
 matrix_continuwuity_config_allow_federation: true
 matrix_continuwuity_config_allowed_remote_server_names: []
 matrix_continuwuity_config_forbidden_remote_server_names: []
 matrix_continuwuity_config_forbidden_remote_room_directory_server_names: []
 matrix_continuwuity_config_prevent_media_downloads_from: []
 matrix_continuwuity_config_ignore_messages_from_server_names: []
 # Controls the `url_preview_domain_contains_allowlist` setting.
 matrix_continuwuity_config_url_preview_domain_contains_allowlist: []
 # Additional environment variables to pass to the container.
 #
 # Environment variables take priority over settings in the configuration file.
 #
 # Example:
 # matrix_continuwuity_environment_variables_extension: |
-#   continuwuity_MAX_REQUEST_SIZE=50000000
+#   CONTINUWUITY_MAX_REQUEST_SIZE=50000000
-#   continuwuity_REQUEST_TIMEOUT=60
+#   CONTINUWUITY_REQUEST_TIMEOUT=60
 matrix_continuwuity_environment_variables_extension: ''
 matrix_continuwuity_forbidden_remote_server_names: []
 matrix_continuwuity_forbidden_remote_room_directory_server_names: []
 # Controls the `url_preview_domain_contains_allowlist` setting.
 matrix_continuwuity_url_preview_domain_contains_allowlist: []
--- a/roles/custom/matrix-continuwuity/tasks/validate_config.yml
+++ b/roles/custom/matrix-continuwuity/tasks/validate_config.yml
@ -13,3 +13,18 @@
    - {'name': 'matrix_continuwuity_hostname', when: true}
    - {'name': 'matrix_continuwuity_container_network', when: true}
    - {'name': 'matrix_continuwuity_container_labels_internal_client_api_traefik_entrypoints', when: "{{ matrix_continuwuity_container_labels_internal_client_api_enabled }}"}
 - name: (Deprecation) Catch and report renamed Continuwuity settings
  ansible.builtin.fail:
    msg: >-
      Your configuration contains a variable, which now has a different name.
      Please rename the variable (`{{ item.old }}` -> `{{ item.new }}`) on your configuration file (vars.yml).
  when: "item.old in vars"
  with_items:
    - {'old': 'matrix_continuwuity_allowed_remote_server_names', 'new': 'matrix_continuwuity_config_allowed_remote_server_names'}
    - {'old': 'matrix_continuwuity_forbidden_remote_room_directory_server_names', 'new': 'matrix_continuwuity_config_forbidden_remote_room_directory_server_names'}
    - {'old': 'matrix_continuwuity_forbidden_remote_server_names', 'new': 'matrix_continuwuity_config_forbidden_remote_server_names'}
    - {'old': 'matrix_continuwuity_ignore_messages_from_server_names', 'new': 'matrix_continuwuity_config_ignore_messages_from_server_names'}
    - {'old': 'matrix_continuwuity_prevent_media_downloads_from', 'new': 'matrix_continuwuity_config_prevent_media_downloads_from'}
    - {'old': 'matrix_continuwuity_trusted_servers', 'new': 'matrix_continuwuity_config_trusted_servers'}
    - {'old': 'matrix_continuwuity_url_preview_domain_contains_allowlist', 'new': 'matrix_continuwuity_config_url_preview_domain_contains_allowlist'}
--- a/roles/custom/matrix-continuwuity/templates/continuwuity.toml.j2
+++ b/roles/custom/matrix-continuwuity/templates/continuwuity.toml.j2
@ -7,8 +7,8 @@ SPDX-License-Identifier: AGPL-3.0-or-later
 #}
 ### continuwuity Configuration
-### See:
+### For more information, see:
-### https://continuwuity.org/configuration
+### https://continuwuity.org/configuration.html
 [global]
@ -16,7 +16,7 @@ SPDX-License-Identifier: AGPL-3.0-or-later
 # suffix for user and room IDs/aliases.
 #
 # See the docs for reverse proxying and delegation:
-# https://continuwuity.org/deploying/generic#setting-up-the-reverse-proxy
+# https://continuwuity.org/deploying/generic.html#setting-up-the-reverse-proxy
 #
 # Also see the `[global.well_known]` config section at the very bottom.
 #
@ -27,7 +27,7 @@ SPDX-License-Identifier: AGPL-3.0-or-later
 # YOU NEED TO EDIT THIS. THIS CANNOT BE CHANGED AFTER WITHOUT A DATABASE
 # WIPE.
 #
-# example: "continuwuity.woof"
+# example: "continuwuity.org"
 #
 server_name = {{ matrix_continuwuity_config_server_name | to_json }}
@ -44,7 +44,7 @@ address = "0.0.0.0"
 # The port(s) continuwuity will listen on.
 #
 # For reverse proxying, see:
-# https://continuwuity.org/deploying/generic#setting-up-the-reverse-proxy
+# https://continuwuity.org/deploying/generic.html#setting-up-the-reverse-proxy
 #
 # If you are using Docker, don't change this, you'll need to map an
 # external port to this.
@ -59,8 +59,9 @@ port = {{ matrix_continuwuity_config_port_number }}
 # listening on a UNIX socket, you MUST remove/comment the `address` key.
 #
 # Remember to make sure that your reverse proxy has access to this socket
-# file, either by adding your reverse proxy to the 'continuwuity' group or
+# file, either by adding your reverse proxy to the appropriate user group
-# granting world R/W permissions with `unix_socket_perms` (666 minimum).
+# or granting world R/W permissions with `unix_socket_perms` (666
 # minimum).
 #
 # example: "/run/continuwuity/continuwuity.sock"
 #
@ -70,8 +71,8 @@ port = {{ matrix_continuwuity_config_port_number }}
 #
 #unix_socket_perms = 660
-# This is the only directory where continuwuity will save its data, including
+# This is the only directory where continuwuity will save its data,
-# media. Note: this was previously "/var/lib/matrix-conduit".
+# including media. Note: this was previously "/var/lib/matrix-conduit".
 #
 # YOU NEED TO EDIT THIS.
 #
@ -79,9 +80,9 @@ port = {{ matrix_continuwuity_config_port_number }}
 #
 database_path = "/var/lib/continuwuity"
-# continuwuity supports online database backups using RocksDB's Backup engine
+# continuwuity supports online database backups using RocksDB's Backup
-# API. To use this, set a database backup path that continuwuity can write
+# engine API. To use this, set a database backup path that continuwuity
-# to.
+# can write to.
 #
 # For more information, see:
 # https://continuwuity.org/maintenance.html#backups
@ -108,17 +109,13 @@ database_path = "/var/lib/continuwuity"
 new_user_displayname_suffix = {{ matrix_continuwuity_config_new_user_displayname_suffix | to_json }}
 # If enabled, continuwuity will send a simple GET request periodically to
-# `https://pupbrain.dev/check-for-updates/stable` for any new
+# `https://continuwuity.org/.well-known/continuwuity/announcements` for any new
-# announcements made. Despite the name, this is not an update check
+# announcements or major updates. This is not an update check endpoint.
 # endpoint, it is simply an announcement check endpoint.
 #
 # This is disabled by default as this is rarely used except for security
 # updates or major updates.
 #
 allow_check_for_updates = {{ matrix_continuwuity_config_allow_check_for_updates | to_json }}
-# Set this to any float value to multiply continuwuity's in-memory LRU caches
+# Set this to any float value to multiply continuwuity's in-memory LRU
-# with such as "auth_chain_cache_capacity".
+# caches with such as "auth_chain_cache_capacity".
 #
 # May be useful if you have significant memory to spare to increase
 # performance.
@ -190,14 +187,6 @@ allow_check_for_updates = {{ matrix_continuwuity_config_allow_check_for_updates
 #
 #servernameevent_data_cache_capacity = varies by system
 # This item is undocumented. Please contribute documentation for it.
 #
 #server_visibility_cache_capacity = varies by system
 # This item is undocumented. Please contribute documentation for it.
 #
 #user_visibility_cache_capacity = varies by system
 # This item is undocumented. Please contribute documentation for it.
 #
 #stateinfo_cache_capacity = varies by system
@ -259,7 +248,7 @@ allow_check_for_updates = {{ matrix_continuwuity_config_allow_check_for_updates
 #
 # If you are running continuwuity in a container environment, this config
 # option may need to be enabled. For more details, see:
-# https://continuwuity.org/troubleshooting#potential-dns-issues-when-using-docker
+# https://continuwuity.org/troubleshooting.html#potential-dns-issues-when-using-docker
 #
 #query_over_tcp_only = false
@ -372,6 +361,26 @@ max_request_size = {{ matrix_continuwuity_config_max_request_size }}
 #
 #pusher_idle_timeout = 15
 # Maximum time to receive a request from a client (seconds).
 #
 #client_receive_timeout = 75
 # Maximum time to process a request received from a client (seconds).
 #
 #client_request_timeout = 180
 # Maximum time to transmit a response to a client (seconds)
 #
 #client_response_timeout = 120
 # Grace period for clean shutdown of client requests (seconds).
 #
 #client_shutdown_timeout = 10
 # Grace period for clean shutdown of federation requests (seconds).
 #
 #sender_shutdown_timeout = 5
 # Enables registration. If set to false, no users can register on this
 # server.
 #
@ -384,17 +393,27 @@ max_request_size = {{ matrix_continuwuity_config_max_request_size }}
 #
 allow_registration = {{ matrix_continuwuity_config_allow_registration | to_json }}
-yes_i_am_very_very_sure_i_want_an_open_registration_server_prone_to_abuse = {{ matrix_continuwuity_config_yes_i_am_very_very_sure_i_want_an_open_registration_server_prone_to_abuse | to_json }}
+# If registration is enabled, and this setting is true, new users
-
+# registered after the first admin user will be automatically suspended
-allow_federation = {{ matrix_continuwuity_config_allow_federation | to_json }}
+# and will require an admin to run `!admin users unsuspend <user_id>`.
 # This item is undocumented. Please contribute documentation for it.
 #
-#yes_i_am_very_very_sure_i_want_an_open_registration_server_prone_to_abuse = false
+# Suspended users are still able to read messages, make profile updates,
 # leave rooms, and deactivate their account, however cannot send messages,
 # invites, or create/join or otherwise modify rooms.
 # They are effectively read-only.
 #
 suspend_on_register = {{ matrix_continuwuity_config_suspend_on_register | to_json }}
 # Enabling this setting opens registration to anyone without restrictions.
 # This makes your server vulnerable to abuse
 #
 yes_i_am_very_very_sure_i_want_an_open_registration_server_prone_to_abuse = {{ matrix_continuwuity_config_yes_i_am_very_very_sure_i_want_an_open_registration_server_prone_to_abuse | to_json }}
 # A static registration token that new users will have to provide when
 # creating an account. If unset and `allow_registration` is true,
-# registration is open without any condition.
+# you must set
 # `yes_i_am_very_very_sure_i_want_an_open_registration_server_prone_to_abuse`
 # to true to allow open registration without any conditions.
 #
 # YOU NEED TO EDIT THIS OR USE registration_token_file.
 #
@ -402,8 +421,9 @@ allow_federation = {{ matrix_continuwuity_config_allow_federation | to_json }}
 #
 registration_token = {{ matrix_continuwuity_config_registration_token | to_json }}
-# Path to a file on the system that gets read for the registration token.
+# Path to a file on the system that gets read for additional registration
-# this config option takes precedence/priority over "registration_token".
+# tokens. Multiple tokens can be added if you separate them with
 # whitespace
 #
 # continuwuity must be able to access the file, and it must not be empty
 #
@ -418,12 +438,21 @@ registration_token = {{ matrix_continuwuity_config_registration_token | to_json
 # Controls whether federation is allowed or not. It is not recommended to
 # disable this after the fact due to potential federation breakage.
 #
-#allow_federation = true
+allow_federation = {{ matrix_continuwuity_config_allow_federation | to_json }}
-# This item is undocumented. Please contribute documentation for it.
+# Allows federation requests to be made to itself
 #
 # This isn't intended and is very likely a bug if federation requests are
 # being sent to yourself. This currently mainly exists for development
 # purposes.
 #
 #federation_loopback = false
 # Always calls /forget on behalf of the user if leaving a room. This is a
 # part of MSC4267 "Automatically forgetting rooms on leave"
 #
 #forget_forced_upon_leave = false
 # Set this to true to require authentication on the normally
 # unauthenticated profile retrieval endpoints (GET)
 # "/_matrix/client/v3/profile/{userId}".
@ -501,9 +530,9 @@ registration_token = {{ matrix_continuwuity_config_registration_token | to_json
 # Default room version continuwuity will create rooms with.
 #
-# Per spec, room version 10 is the default.
+# Per spec, room version 11 is the default.
 #
-#default_room_version = 10
+#default_room_version = 11
 # This item is undocumented. Please contribute documentation for it.
 #
@ -568,9 +597,9 @@ registration_token = {{ matrix_continuwuity_config_registration_token | to_json
 # Currently, continuwuity doesn't support inbound batched key requests, so
 # this list should only contain other Synapse servers.
 #
-# example: ["matrix.org", "envs.net", "constellatory.net", "tchncs.de"]
+# example: ["matrix.org", "tchncs.de"]
 #
-trusted_servers = {{ matrix_continuwuity_trusted_servers | to_json }}
+trusted_servers = {{ matrix_continuwuity_config_trusted_servers | to_json }}
 # Whether to query the servers listed in trusted_servers first or query
 # the origin server first. For best security, querying the origin server
@ -627,8 +656,9 @@ log = {{ matrix_continuwuity_config_log | to_json }}
 #
 #log_span_events = "none"
-# Configures whether continuwuity_LOG EnvFilter matches values using regular
+# Configures whether CONTINUWUITY_LOG EnvFilter matches values using
-# expressions. See the tracing_subscriber documentation on Directives.
+# regular expressions. See the tracing_subscriber documentation on
 # Directives.
 #
 #log_filter_regex = true
@ -664,13 +694,17 @@ log = {{ matrix_continuwuity_config_log | to_json }}
 # ("turn_secret"), It is recommended to use a shared secret over static
 # credentials.
 #
-#turn_username = false
+{% if matrix_continuwuity_config_turn_username != ''  %}
 turn_username = {{ matrix_continuwuity_config_turn_username | to_json }}
 {% endif %}
 # Static TURN password to provide the client if not using a shared secret
 # ("turn_secret"). It is recommended to use a shared secret over static
 # credentials.
 #
-#turn_password = false
+{% if matrix_continuwuity_config_turn_password != '' %}
 turn_password = {{ matrix_continuwuity_config_turn_password | to_json }}
 {% endif %}
 # Vector list of TURN URIs/servers to use.
 #
@ -689,18 +723,10 @@ turn_uris = {{ matrix_continuwuity_config_turn_uris | to_json }}
 # This is more secure, but if needed you can use traditional static
 # username/password credentials.
 #
 #turn_secret = false
 {% if matrix_continuwuity_config_turn_secret != '' %}
 turn_secret = {{ matrix_continuwuity_config_turn_secret | to_json }}
 {% endif %}
 # If you have your TURN server configured to use a username and password
 # you can provide these information too. In this case comment out `turn_secret above`!
 {% if matrix_continuwuity_config_turn_username != '' or matrix_continuwuity_config_turn_password != '' %}
 turn_username = {{ matrix_continuwuity_config_turn_username | to_json }}
 turn_password = {{ matrix_continuwuity_config_turn_password | to_json }}
 {% endif %}
 # TURN secret to use that's read from the file path specified.
 #
 # This takes priority over "turn_secret" first, and falls back to
@ -714,12 +740,12 @@ turn_password = {{ matrix_continuwuity_config_turn_password | to_json }}
 #
 #turn_ttl = 86400
-# List/vector of room IDs or room aliases that continuwuity will make newly
+# List/vector of room IDs or room aliases that continuwuity will make
-# registered users join. The rooms specified must be rooms that you have
+# newly registered users join. The rooms specified must be rooms that you
-# joined at least once on the server, and must be public.
+# have joined at least once on the server, and must be public.
 #
-# example: ["#continuwuity:puppygock.gay",
+# example: ["#continuwuity:continuwuity.org",
-# "!eoIzvAvVwY23LPDay8:puppygock.gay"]
+# "!main-1:continuwuity.org"]
 #
 #auto_join_rooms = []
@ -742,10 +768,10 @@ turn_password = {{ matrix_continuwuity_config_turn_password | to_json }}
 #
 #auto_deactivate_banned_room_attempts = false
-# RocksDB log level. This is not the same as continuwuity's log level. This
+# RocksDB log level. This is not the same as continuwuity's log level.
-# is the log level for the RocksDB engine/library which show up in your
+# This is the log level for the RocksDB engine/library which show up in
-# database folder/path as `LOG` files. continuwuity will log RocksDB errors
+# your database folder/path as `LOG` files. continuwuity will log RocksDB
-# as normal through tracing or panics if severe for safety.
+# errors as normal through tracing or panics if severe for safety.
 #
 #rocksdb_log_level = "error"
@ -806,7 +832,7 @@ turn_password = {{ matrix_continuwuity_config_turn_password | to_json }}
 # Type of RocksDB database compression to use.
 #
-# Available options are "zstd", "zlib", "bz2", "lz4", or "none".
+# Available options are "zstd", "bz2", "lz4", or "none".
 #
 # It is best to use ZSTD as an overall good balance between
 # speed/performance, storage, IO amplification, and CPU usage. For more
@ -827,6 +853,9 @@ turn_password = {{ matrix_continuwuity_config_turn_password | to_json }}
 # magic number and translated to the library's default compression level
 # as they all differ. See their `kDefaultCompressionLevel`.
 #
 # Note when using the default value we may override it with a setting
 # tailored specifically for continuwuity.
 #
 #rocksdb_compression_level = 32767
 # Level of compression the specified compression algorithm for the
@ -840,6 +869,9 @@ turn_password = {{ matrix_continuwuity_config_turn_password | to_json }}
 # less likely for this data to be used. Research your chosen compression
 # algorithm.
 #
 # Note when using the default value we may override it with a setting
 # tailored specifically for continuwuity.
 #
 #rocksdb_bottommost_compression_level = 32767
 # Whether to enable RocksDB's "bottommost_compression".
@ -851,7 +883,7 @@ turn_password = {{ matrix_continuwuity_config_turn_password | to_json }}
 #
 # See https://github.com/facebook/rocksdb/wiki/Compression for more details.
 #
-#rocksdb_bottommost_compression = false
+#rocksdb_bottommost_compression = true
 # Database recovery mode (for RocksDB WAL corruption).
 #
@ -878,7 +910,7 @@ turn_password = {{ matrix_continuwuity_config_turn_password | to_json }}
 # 0 = AbsoluteConsistency
 # 1 = TolerateCorruptedTailRecords (default)
 # 2 = PointInTime (use me if trying to recover)
-# 3 = SkipAnyCorruptedRecord (you now voided your continuwuity warranty)
+# 3 = SkipAnyCorruptedRecord (you now voided your Continuwuity warranty)
 #
 # For more information on these modes, see:
 # https://github.com/facebook/rocksdb/wiki/WAL-Recovery-Modes
@ -897,6 +929,20 @@ turn_password = {{ matrix_continuwuity_config_turn_password | to_json }}
 #
 #rocksdb_paranoid_file_checks = false
 # Enables or disables checksum verification in rocksdb at runtime.
 # Checksums are usually hardware accelerated with low overhead; they are
 # enabled in rocksdb by default. Older or slower platforms may see gains
 # from disabling.
 #
 #rocksdb_checksums = true
 # Enables the "atomic flush" mode in rocksdb. This option is not intended
 # for users. It may be removed or ignored in future versions. Atomic flush
 # may be enabled by the paranoid to possibly improve database integrity at
 # the cost of performance.
 #
 #rocksdb_atomic_flush = false
 # Database repair mode (for RocksDB SST corruption).
 #
 # Use this option when the server reports corruption while running or
@ -934,10 +980,10 @@ turn_password = {{ matrix_continuwuity_config_turn_password | to_json }}
 #
 #rocksdb_compaction_ioprio_idle = true
-# Disables RocksDB compaction. You should never ever have to set this
+# Enables RocksDB compaction. You should never ever have to set this
-# option to true. If you for some reason find yourself needing to use this
+# option to false. If you for some reason find yourself needing to use
-# option as part of troubleshooting or a bug, please reach out to us in
+# this option as part of troubleshooting or a bug, please reach out to us
-# the continuwuity Matrix room with information and details.
+# in the continuwuity Matrix room with information and details.
 #
 # Disabling compaction will lead to a significantly bloated and
 # explosively large database, gradually poor performance, unnecessarily
@ -970,7 +1016,9 @@ turn_password = {{ matrix_continuwuity_config_turn_password | to_json }}
 #
 # example: "F670$2CP@Hw8mG7RY1$%!#Ic7YA"
 #
 {% if matrix_continuwuity_config_emergency_password != '' %}
 emergency_password = {{ matrix_continuwuity_config_emergency_password | to_json }}
 {% endif %}
 # This item is undocumented. Please contribute documentation for it.
 #
@ -978,8 +1026,8 @@ emergency_password = {{ matrix_continuwuity_config_emergency_password | to_json
 # Allow local (your server only) presence updates/requests.
 #
-# Note that presence on continuwuity is very fast unlike Synapse's. If using
+# Note that presence on continuwuity is very fast unlike Synapse's. If
-# outgoing presence, this MUST be enabled.
+# using outgoing presence, this MUST be enabled.
 #
 #allow_local_presence = true
@ -995,8 +1043,8 @@ emergency_password = {{ matrix_continuwuity_config_emergency_password | to_json
 #
 # This option sends presence updates to other servers, but does not
 # receive any unless `allow_incoming_presence` is true. Note that presence
-# on continuwuity is very fast unlike Synapse's. If using outgoing presence,
+# on continuwuity is very fast unlike Synapse's. If using outgoing
-# you MUST enable `allow_local_presence` as well.
+# presence, you MUST enable `allow_local_presence` as well.
 #
 #allow_outgoing_presence = true
@ -1115,7 +1163,7 @@ emergency_password = {{ matrix_continuwuity_config_emergency_password | to_json
 # Check consistency of the media directory at startup:
 # 1. When `media_compat_file_link` is enabled, this check will upgrade
-#    media when switching back and forth between Conduit and continuwuity.
+#    media when switching back and forth between Conduit and conduwuit.
 #    Both options must be enabled to handle this.
 # 2. When media is deleted from the directory, this check will also delete
 #    its database entry.
@ -1150,27 +1198,71 @@ emergency_password = {{ matrix_continuwuity_config_emergency_password | to_json
 #
 #prune_missing_media = false
-# Vector list of servers that continuwuity will refuse to download remote
+# List of forbidden server names via regex patterns that we will block
-# media from.
+# incoming AND outgoing federation with, and block client room joins /
 # remote user invites.
 #
-#prevent_media_downloads_from = []
+# Note that your messages can still make it to forbidden servers through
-
+# backfilling. Events we receive from forbidden servers via backfill
-# List of forbidden server names that we will block incoming AND outgoing
+# from servers we *do* federate with will be stored in the database.
 # federation with, and block client room joins / remote user invites.
 #
 # This check is applied on the room ID, room alias, sender server name,
 # sender user's server name, inbound federation X-Matrix origin, and
 # outbound federation handler.
 #
-# Basically "global" ACLs.
+# You can set this to ["*"] to block all servers by default, and then
 # use `allowed_remote_server_names` to allow only specific servers.
 #
-forbidden_remote_server_names = {{ matrix_continuwuity_forbidden_remote_server_names | to_json }}
+# example: ["badserver\\.tld$", "badphrase", "19dollarfortnitecards"]
 #
 forbidden_remote_server_names = {{ matrix_continuwuity_config_forbidden_remote_server_names | to_json }}
-# List of forbidden server names that we will block all outgoing federated
+# List of allowed server names via regex patterns that we will allow,
-# room directory requests for. Useful for preventing our users from
+# regardless of if they match `forbidden_remote_server_names`.
 # wandering into bad servers or spaces.
 #
-forbidden_remote_room_directory_server_names = {{ matrix_continuwuity_forbidden_remote_room_directory_server_names | to_json }}
+# This option has no effect if `forbidden_remote_server_names` is empty.
 #
 # example: ["goodserver\\.tld$", "goodphrase"]
 #
 allowed_remote_server_names = {{ matrix_continuwuity_config_allowed_remote_server_names | to_json }}
 # Vector list of regex patterns of server names that continuwuity will
 # refuse to download remote media from.
 #
 # example: ["badserver\.tld$", "badphrase", "19dollarfortnitecards"]
 #
 prevent_media_downloads_from = {{ matrix_continuwuity_config_prevent_media_downloads_from | to_json }}
 # List of forbidden server names via regex patterns that we will block all
 # outgoing federated room directory requests for. Useful for preventing
 # our users from wandering into bad servers or spaces.
 #
 # example: ["badserver\.tld$", "badphrase", "19dollarfortnitecards"]
 #
 forbidden_remote_room_directory_server_names = {{ matrix_continuwuity_config_forbidden_remote_room_directory_server_names | to_json }}
 # Vector list of regex patterns of server names that continuwuity will not
 # send messages to the client from.
 #
 # Note that there is no way for clients to receive messages once a server
 # has become unignored without doing a full sync. This is a protocol
 # limitation with the current sync protocols. This means this is somewhat
 # of a nuclear option.
 #
 # example: ["reallybadserver\.tld$", "reallybadphrase",
 # "69dollarfortnitecards"]
 #
 ignore_messages_from_server_names = {{ matrix_continuwuity_config_ignore_messages_from_server_names | to_json }}
 # Send messages from users that the user has ignored to the client.
 #
 # There is no way for clients to receive messages sent while a user was
 # ignored without doing a full sync. This is a protocol limitation with
 # the current sync protocols. Disabling this option will move
 # responsibility of ignoring messages to the client, which can avoid this
 # limitation.
 #
 #send_messages_from_ignored_users_to_client = false
 # Vector list of IPv4 and IPv6 CIDR ranges / subnets *in quotes* that you
 # do not want continuwuity to send outbound requests to. Defaults to
@ -1215,7 +1307,7 @@ forbidden_remote_room_directory_server_names = {{ matrix_continuwuity_forbidden_
 # attack surface to your server, you are expected to be aware of the risks
 # by doing so.
 #
-url_preview_domain_contains_allowlist = {{ matrix_continuwuity_url_preview_domain_contains_allowlist | to_json }}
+url_preview_domain_contains_allowlist = {{ matrix_continuwuity_config_url_preview_domain_contains_allowlist | to_json }}
 # Vector list of explicit domains allowed to send requests to for URL
 # previews.
@ -1279,7 +1371,7 @@ url_preview_domain_contains_allowlist = {{ matrix_continuwuity_url_preview_domai
 # used, and startup as warnings if any room aliases in your database have
 # a forbidden room alias/ID.
 #
-# example: ["19dollarfortnitecards", "b[4a]droom"]
+# example: ["19dollarfortnitecards", "b[4a]droom", "badphrase"]
 #
 #forbidden_alias_names = []
@ -1292,7 +1384,7 @@ url_preview_domain_contains_allowlist = {{ matrix_continuwuity_url_preview_domai
 # startup as warnings if any local users in your database have a forbidden
 # username.
 #
-# example: ["administrator", "b[a4]dusernam[3e]"]
+# example: ["administrator", "b[a4]dusernam[3e]", "badphrase"]
 #
 #forbidden_usernames = []
@ -1323,8 +1415,8 @@ url_preview_domain_contains_allowlist = {{ matrix_continuwuity_url_preview_domai
 # Allow admins to enter commands in rooms other than "#admins" (admin
 # room) by prefixing your message with "\!admin" or "\\!admin" followed up
-# a normal continuwuity admin command. The reply will be publicly visible to
+# a normal continuwuity admin command. The reply will be publicly visible
-# the room, originating from the sender.
+# to the room, originating from the sender.
 #
 # example: \\!admin debug ping puppygock.gay
 #
@ -1341,8 +1433,8 @@ url_preview_domain_contains_allowlist = {{ matrix_continuwuity_url_preview_domai
 # This option can also be configured with the `--execute` continuwuity
 # argument and can take standard shell commands and environment variables
 #
-# For example: `./continuwuity --execute "server admin-notice continuwuity has
+# For example: `./continuwuity --execute "server admin-notice continuwuity
-# started up at $(date)"`
+# has started up at $(date)"`
 #
 # example: admin_execute = ["debug ping puppygock.gay", "debug echo hi"]`
 #
@ -1355,6 +1447,13 @@ url_preview_domain_contains_allowlist = {{ matrix_continuwuity_url_preview_domai
 #
 #admin_execute_errors_ignore = false
 # List of admin commands to execute on SIGUSR2.
 #
 # Similar to admin_execute, but these commands are executed when the
 # server receives SIGUSR2 on supporting platforms.
 #
 #admin_signal_execute = []
 # Controls the max log level for admin command log captures (logs
 # generated from running admin commands). Defaults to "info" on release
 # builds, else "debug" on debug builds.
@ -1364,21 +1463,20 @@ url_preview_domain_contains_allowlist = {{ matrix_continuwuity_url_preview_domai
 # The default room tag to apply on the admin room.
 #
 # On some clients like Element, the room tag "m.server_notice" is a
-# special pinned room at the very bottom of your room list. The continuwuity
+# special pinned room at the very bottom of your room list. The
-# admin room can be pinned here so you always have an easy-to-access
+# continuwuity admin room can be pinned here so you always have an
-# shortcut dedicated to your admin room.
+# easy-to-access shortcut dedicated to your admin room.
 #
 #admin_room_tag = "m.server_notice"
 # Sentry.io crash/panic reporting, performance monitoring/metrics, etc.
-# This is NOT enabled by default. continuwuity's default Sentry reporting
+# This is NOT enabled by default.
 # endpoint domain is `o4506996327251968.ingest.us.sentry.io`.
 #
 #sentry = false
 # Sentry reporting URL, if a custom one is desired.
 #
-#sentry_endpoint = "https://fe2eb4536aa04949e28eff3128d64757@o4506996327251968.ingest.us.sentry.io/4506996334657536"
+#sentry_endpoint = ""
 # Report your continuwuity server_name in Sentry.io crash reports and
 # metrics.
@ -1512,6 +1610,34 @@ url_preview_domain_contains_allowlist = {{ matrix_continuwuity_url_preview_domai
 #
 #sender_workers = 0
 # Enables listener sockets; can be set to false to disable listening. This
 # option is intended for developer/diagnostic purposes only.
 #
 #listening = true
 # Enables configuration reload when the server receives SIGUSR1 on
 # supporting platforms.
 #
 #config_reload_signal = true
 [global.tls]
 # Path to a valid TLS certificate file.
 #
 # example: "/path/to/my/certificate.crt"
 #
 #certs =
 # Path to a valid TLS certificate private key.
 #
 # example: "/path/to/my/certificate.key"
 #
 #key =
 # Whether to listen and allow for HTTP and HTTPS connections (insecure!)
 #
 #dual_protocol = false
 [global.well_known]
 # The server URL that the client well-known file will serve. This should
@ -1529,18 +1655,46 @@ url_preview_domain_contains_allowlist = {{ matrix_continuwuity_url_preview_domai
 #
 #server =
-# This item is undocumented. Please contribute documentation for it.
+# URL to a support page for the server, which will be served as part of
 # the MSC1929 server support endpoint at /.well-known/matrix/support.
 # Will be included alongside any contact information
 #
 #support_page =
-# This item is undocumented. Please contribute documentation for it.
+# Role string for server support contacts, to be served as part of the
 # MSC1929 server support endpoint at /.well-known/matrix/support.
 #
-#support_role =
+#support_role = "m.role.admin"
-# This item is undocumented. Please contribute documentation for it.
+# Email address for server support contacts, to be served as part of the
 # MSC1929 server support endpoint.
 # This will be used along with support_mxid if specified.
 #
 #support_email =
-# This item is undocumented. Please contribute documentation for it.
+# Matrix ID for server support contacts, to be served as part of the
 # MSC1929 server support endpoint.
 # This will be used along with support_email if specified.
 #
 # If no email or mxid is specified, all of the server's admins will be
 # listed.
 #
 #support_mxid =
 [global.blurhashing]
 # blurhashing x component, 4 is recommended by https://blurha.sh/
 #
 #components_x = 4
 # blurhashing y component, 3 is recommended by https://blurha.sh/
 #
 #components_y = 3
 # Max raw size that the server will blurhash, this is the size of the
 # image after converting it to raw data, it should be higher than the
 # upload limit but not too high. The higher it is the higher the
 # potential load will be for clients requesting blurhashes. The default
 # is 33.55MB. Setting it to 0 disables blurhashing.
 #
 #blurhash_max_raw_size = 33554432