WIP contribution nav

Reviewed-on: #133

.drone.yml

@@ -28,7 +28,7 @@ steps:
       - bundle install --jobs=3 --retry=3
       - yarn install
       - rake css:build
-      - rake spec
+      - bundle exec rspec
   - name: rebuild-cache
     image: drillster/drone-volume-cache
     volumes:

.env.example

@@ -1,11 +1,42 @@
+AKKOUNTS_DOMAIN=accounts.example.com
+
+SMTP_SERVER=smtp.example.com
+SMTP_PORT=587
+SMTP_LOGIN=accounts
+SMTP_PASSWORD=123abc
+SMTP_FROM_ADDRESS=accounts@example.com
+SMTP_DOMAIN=example.com
+SMTP_AUTH_METHOD=plain
+SMTP_ENABLE_STARTTLS=auto
+
+REDIS_URL='redis://localhost:6379/1'
+
 LDAP_HOST=localhost
 LDAP_PORT=389
 LDAP_ADMIN_PASSWORD=passthebutter
-LDAP_SUFFIX="dc=kosmos,dc=org"
+LDAP_SUFFIX='dc=kosmos,dc=org'
 
+WEBHOOKS_ALLOWED_IPS='10.1.1.163'
+
+DISCOURSE_PUBLIC_URL='https://community.kosmos.org'
+DISCOURSE_CONNECT_SECRET='discourse_connect_ftw'
+
+GITEA_PUBLIC_URL='https://gitea.kosmos.org'
+MASTODON_PUBLIC_URL='https://kosmos.social'
+MEDIAWIKI_PUBLIC_URL='https://wiki.kosmos.org'
+RS_STORAGE_URL='https://storage.kosmos.org'
+
+EJABBERD_ADMIN_URL='https://xmpp.kosmos.org/admin'
 EJABBERD_API_URL='https://xmpp.kosmos.org/api'
 
 BTCPAY_API_URL='http://localhost:23001/api/v1'
 
 LNDHUB_API_URL='http://localhost:3023'
 LNDHUB_PUBLIC_URL='https://lndhub.kosmos.org'
+LNDHUB_PUBLIC_KEY='0123d3be18617f39cf645851e3ba63f51fc13f0bb09e3bb25e6fd4de556486d946'
+LNDHUB_ADMIN_UI=true
+LNDHUB_PG_HOST=localhost
+LNDHUB_PG_PORT=5432
+LNDHUB_PG_DATABASE=lndhub
+LNDHUB_PG_USERNAME=lndhub
+LNDHUB_PG_PASSWORD=''

.env.production

@@ -1,4 +0,0 @@
-EJABBERD_API_URL='https://xmpp.kosmos.org:5443/api'
-BTCPAY_API_URL='http://10.1.1.163:23001/api/v1'
-LNDHUB_API_URL='http://10.1.1.163:3023'
-LNDHUB_PUBLIC_URL='https://lndhub.kosmos.org'

.env.test

@@ -1,4 +1,14 @@
+DISCOURSE_PUBLIC_URL='http://discourse.example.com'
+DISCOURSE_CONNECT_SECRET='discourse_connect_ftw'
+
 EJABBERD_API_URL='http://xmpp.example.com/api'
+
 BTCPAY_API_URL='http://btcpay.example.com/api/v1'
-LNDHUB_API_URL='http://localhost:3023'
+
+LNDHUB_API_URL='http://localhost:3026'
 LNDHUB_PUBLIC_URL='https://lndhub.kosmos.org'
+LNDHUB_PUBLIC_KEY='024cd3be18617f39cf645851e3ba63f51fc13f0bb09e3bb25e6fd4de556486d946'
+
+RS_STORAGE_URL='https://storage.kosmos.org'
+
+WEBHOOKS_ALLOWED_IPS='10.1.1.23'

.gitea/release-drafter.yml

@@ -0,0 +1,13 @@
+name-template: 'v$RESOLVED_VERSION'
+tag-template: 'v$RESOLVED_VERSION'
+version-resolver:
+  major:
+    labels:
+      - 'release/major'
+  minor:
+    labels:
+      - 'release/minor'
+  patch:
+    labels:
+      - 'release/patch'
+  default: patch

.gitea/workflows/release_drafter.yml

@@ -0,0 +1,11 @@
+name: Release Drafter
+on:
+  pull_request:
+    types: [closed]
+jobs:
+  release_drafter_job:
+    name: Update release notes draft
+    runs-on: ubuntu-latest
+    steps:
+      - name: Release Drafter
+        uses: https://github.com/raucao/gitea-release-drafter@dev

Dockerfile

@@ -1,21 +1,21 @@
 # syntax=docker/dockerfile:1
-FROM ruby:2.7
+FROM ruby:2.7.6
-RUN apt-get update -qq && apt-get install -y curl ldap-utils
+
+SHELL ["/bin/bash", "-o", "pipefail", "-c"]
+
+RUN apt-get update -qq && apt-get install -y --no-install-recommends curl \
+      ldap-utils tini
 RUN curl -fsSL https://deb.nodesource.com/setup_lts.x | bash -
 RUN apt-get update && apt-get install -y nodejs
+
 WORKDIR /akkounts
 COPY Gemfile /akkounts/Gemfile
 COPY Gemfile.lock /akkounts/Gemfile.lock
 COPY package.json /akkounts/package.json
 RUN bundle install
+RUN gem install foreman
 RUN npm install -g yarn
 RUN yarn install
 
-# Add a script to be executed every time the container starts.
+ENTRYPOINT ["/usr/bin/tini", "--"]
-COPY docker/entrypoint.sh /usr/bin/
-RUN chmod +x /usr/bin/entrypoint.sh
-ENTRYPOINT ["entrypoint.sh"]
 EXPOSE 3000
-
-# Configure the main process to run when running the image
-CMD ["bin", "dev"]

Gemfile

@@ -32,12 +32,17 @@ gem 'lockbox'
 
 # Authentication
 gem 'warden'
-gem 'devise'
+gem 'devise', '~> 4.9.0'
 gem 'devise_ldap_authenticatable'
 gem 'net-ldap'
 
 # Utilities
 gem "rqrcode", "~> 2.0"
+gem 'rails-settings-cached', '~> 2.8.3'
+gem 'pagy', '~> 6.0', '>= 6.0.2'
+gem 'flipper'
+gem 'flipper-active_record'
+gem 'flipper-ui'
 
 # HTTP requests
 gem 'faraday'
@@ -46,6 +51,13 @@ gem 'faraday'
 gem 'sidekiq', '< 7'
 gem 'sidekiq-scheduler'
 
+# Service integrations
+gem 'discourse_api'
+
+# Monitoring
+gem "sentry-ruby"
+gem "sentry-rails"
+
 group :development, :test do
   # Use sqlite3 as the database for Active Record
   gem 'sqlite3', '~> 1.4'
@@ -59,6 +71,8 @@ group :development do
   gem 'listen', '~> 3.2'
   gem 'letter_opener'
   gem 'letter_opener_web'
+  gem 'faker'
+  gem 'solargraph'
 end
 
 group :test do

Gemfile.lock

@@ -68,7 +68,10 @@ GEM
       tzinfo (~> 2.0)
     addressable (2.8.1)
       public_suffix (>= 2.0.2, < 6.0)
+    ast (2.4.2)
+    backport (1.2.0)
     bcrypt (3.1.18)
+    benchmark (0.2.1)
     bindex (0.8.1)
     builder (3.2.4)
     byebug (11.1.3)
@@ -95,7 +98,7 @@ GEM
       activerecord (>= 5.a)
       database_cleaner-core (~> 2.0.0)
     database_cleaner-core (2.0.1)
-    devise (4.8.1)
+    devise (4.9.0)
       bcrypt (~> 3.0)
       orm_adapter (~> 0.1)
       railties (>= 4.1.0)
@@ -105,10 +108,16 @@ GEM
       devise (>= 3.4.1)
       net-ldap (>= 0.16.0)
     diff-lcs (1.5.0)
+    discourse_api (2.0.0)
+      faraday (~> 2.7)
+      faraday-follow_redirects
+      faraday-multipart
+      rack (>= 1.6)
     dotenv (2.8.1)
     dotenv-rails (2.8.1)
       dotenv (= 2.8.1)
       railties (>= 3.2)
+    e2mmap (0.1.0)
     erubi (1.11.0)
     et-orbi (1.2.7)
       tzinfo
@@ -117,11 +126,28 @@ GEM
     factory_bot_rails (6.2.0)
       factory_bot (~> 6.2.0)
       railties (>= 5.0.0)
+    faker (3.0.0)
+      i18n (>= 1.8.11, < 2)
     faraday (2.7.1)
       faraday-net_http (>= 2.0, < 3.1)
       ruby2_keywords (>= 0.0.4)
+    faraday-follow_redirects (0.3.0)
+      faraday (>= 1, < 3)
+    faraday-multipart (1.0.4)
+      multipart-post (~> 2)
     faraday-net_http (3.0.2)
     ffi (1.15.5)
+    flipper (0.28.0)
+      concurrent-ruby (< 2)
+    flipper-active_record (0.28.0)
+      activerecord (>= 4.2, < 8)
+      flipper (~> 0.28.0)
+    flipper-ui (0.28.0)
+      erubi (>= 1.0.0, < 2.0.0)
+      flipper (~> 0.28.0)
+      rack (>= 1.4, < 3)
+      rack-protection (>= 1.5.3, <= 4.0.0)
+      sanitize (< 7)
     fugit (1.7.2)
       et-orbi (~> 1, >= 1.2.7)
       raabro (~> 1.4)
@@ -133,9 +159,15 @@ GEM
     importmap-rails (1.1.5)
       actionpack (>= 6.0.0)
       railties (>= 6.0.0)
+    jaro_winkler (1.5.4)
     jbuilder (2.11.5)
       actionview (>= 5.0.0)
       activesupport (>= 5.0.0)
+    json (2.6.3)
+    kramdown (2.4.0)
+      rexml
+    kramdown-parser-gfm (1.1.0)
+      kramdown (~> 2.0)
     launchy (2.5.0)
       addressable (~> 2.7)
     letter_opener (1.8.1)
@@ -160,6 +192,7 @@ GEM
     mini_mime (1.1.2)
     mini_portile2 (2.8.0)
     minitest (5.16.3)
+    multipart-post (2.3.0)
     net-imap (0.3.1)
       net-protocol
     net-ldap (0.17.1)
@@ -176,6 +209,10 @@ GEM
     nokogiri (1.13.9-x86_64-linux)
       racc (~> 1.4)
     orm_adapter (0.5.0)
+    pagy (6.0.2)
+    parallel (1.22.1)
+    parser (3.2.1.1)
+      ast (~> 2.4.1)
     pg (1.2.3)
     public_suffix (5.0.0)
     puma (4.3.12)
@@ -183,6 +220,8 @@ GEM
     raabro (1.4.0)
     racc (1.6.0)
     rack (2.2.4)
+    rack-protection (3.0.6)
+      rack
     rack-test (2.0.2)
       rack (>= 1.3)
     rails (7.0.4)
@@ -204,6 +243,9 @@ GEM
       nokogiri (>= 1.6)
     rails-html-sanitizer (1.4.3)
       loofah (~> 2.3)
+    rails-settings-cached (2.8.3)
+      activerecord (>= 5.0.0)
+      railties (>= 5.0.0)
     railties (7.0.4)
       actionpack (= 7.0.4)
       activesupport (= 7.0.4)
@@ -211,6 +253,7 @@ GEM
       rake (>= 12.2)
       thor (~> 1.0)
       zeitwerk (~> 2.5)
+    rainbow (3.1.1)
     rake (13.0.6)
     rb-fsevent (0.11.2)
     rb-inotify (0.10.1)
@@ -220,9 +263,11 @@ GEM
     redis-client (0.11.2)
       connection_pool
     regexp_parser (2.6.1)
-    responders (3.0.1)
+    responders (3.1.0)
-      actionpack (>= 5.0)
+      actionpack (>= 5.2)
-      railties (>= 5.0)
+      railties (>= 5.2)
+    reverse_markdown (2.1.1)
+      nokogiri
     rexml (3.2.5)
     rqrcode (2.1.2)
       chunky_png (~> 1.0)
@@ -245,9 +290,30 @@ GEM
       rspec-mocks (~> 3.11)
       rspec-support (~> 3.11)
     rspec-support (3.12.0)
+    rubocop (1.48.1)
+      json (~> 2.3)
+      parallel (~> 1.10)
+      parser (>= 3.2.0.0)
+      rainbow (>= 2.2.2, < 4.0)
+      regexp_parser (>= 1.8, < 3.0)
+      rexml (>= 3.2.5, < 4.0)
+      rubocop-ast (>= 1.26.0, < 2.0)
+      ruby-progressbar (~> 1.7)
+      unicode-display_width (>= 2.4.0, < 3.0)
+    rubocop-ast (1.28.0)
+      parser (>= 3.2.1.0)
+    ruby-progressbar (1.13.0)
     ruby2_keywords (0.0.5)
     rufus-scheduler (3.8.2)
       fugit (~> 1.1, >= 1.1.6)
+    sanitize (6.0.1)
+      crass (~> 1.0.2)
+      nokogiri (>= 1.12.0)
+    sentry-rails (5.8.0)
+      railties (>= 5.0)
+      sentry-ruby (~> 5.8.0)
+    sentry-ruby (5.8.0)
+      concurrent-ruby (~> 1.0, >= 1.0.2)
     sidekiq (6.5.5)
       connection_pool (>= 2.2.2)
       rack (~> 2.0)
@@ -257,6 +323,21 @@ GEM
       rufus-scheduler (~> 3.2)
       sidekiq (>= 4, < 7)
       tilt (>= 1.4.0)
+    solargraph (0.48.0)
+      backport (~> 1.2)
+      benchmark
+      bundler (>= 1.17.2)
+      diff-lcs (~> 1.4)
+      e2mmap
+      jaro_winkler (~> 1.5)
+      kramdown (~> 2.3)
+      kramdown-parser-gfm (~> 1.1)
+      parser (~> 3.0)
+      reverse_markdown (>= 1.0.5, < 3)
+      rubocop (>= 0.52)
+      thor (~> 1.0)
+      tilt (~> 2.0)
+      yard (~> 0.9, >= 0.9.24)
     sprockets (4.1.1)
       concurrent-ruby (~> 1.0)
       rack (> 1, < 3)
@@ -278,6 +359,7 @@ GEM
       railties (>= 6.0.0)
     tzinfo (2.0.5)
       concurrent-ruby (~> 1.0)
+    unicode-display_width (2.4.2)
     view_component (2.78.0)
       activesupport (>= 5.0.0, < 8.0)
       concurrent-ruby (~> 1.0)
@@ -293,11 +375,14 @@ GEM
       addressable (>= 2.8.0)
       crack (>= 0.3.2)
       hashdiff (>= 0.4.0, < 2.0.0)
+    webrick (1.7.0)
     websocket-driver (0.7.5)
       websocket-extensions (>= 0.1.0)
     websocket-extensions (0.1.5)
     xpath (3.2.0)
       nokogiri (~> 1.8)
+    yard (0.9.28)
+      webrick (~> 1.7.0)
     zeitwerk (2.6.6)
 
 PLATFORMS
@@ -309,11 +394,16 @@ DEPENDENCIES
   capybara
   cssbundling-rails
   database_cleaner
-  devise
+  devise (~> 4.9.0)
   devise_ldap_authenticatable
+  discourse_api
   dotenv-rails
   factory_bot_rails
+  faker
   faraday
+  flipper
+  flipper-active_record
+  flipper-ui
   importmap-rails
   jbuilder (~> 2.7)
   letter_opener
@@ -321,13 +411,18 @@ DEPENDENCIES
   listen (~> 3.2)
   lockbox
   net-ldap
+  pagy (~> 6.0, >= 6.0.2)
   pg (~> 1.2.3)
   puma (~> 4.1)
   rails (~> 7.0.2)
+  rails-settings-cached (~> 2.8.3)
   rqrcode (~> 2.0)
   rspec-rails
+  sentry-rails
+  sentry-ruby
   sidekiq (< 7)
   sidekiq-scheduler
+  solargraph
   sprockets-rails
   sqlite3 (~> 1.4)
   stimulus-rails

README.md

@@ -7,6 +7,26 @@ credentials, invites, donations, etc..
 
 ## Development
 
+### Quick Start
+
+The easiest way to get a working development setup is using Docker Compose like
+so:
+
+1. Make sure [Docker Compose is installed][1] and Docker is running (included in
+   Docker Desktop)
+2. Uncomment the `redis`, `web`, and `sidekiq` sections in `docker-compose.yml`
+3. Run `docker compose up` and wait until 389ds announces its successful start
+   in the log output
+4. `docker-compose exec ldap dsconf localhost backend create --suffix="dc=kosmos,dc=org" --be-name="dev"`
+5. `docker compose run web rails ldap:setup`
+6. `docker compose run web rails db:setup`
+
+After these steps, you should have a working Rails app with a handful of test
+users running on [http://localhost:3000](http://localhost:3000).
+Log in with username "admin" and password "admin is admin". All users listed on
+[http://localhost:3000/admin/users](http://localhost:3000/admin/users)
+have the password "user is user".
+
 ### Rails app
 
 Installing dependencies:
@@ -33,16 +53,14 @@ Running all specs:
 
 ### Docker (Compose)
 
-There is a working Dockr Compose config file, which allows you to spin up both
+There is a working Docker Compose config file, which allows you to spin up both
 an app server for Rails as well as a local 389ds (LDAP) server.
 
 By default, `docker-compose up` will only start the LDAP server, listening on
-port 389 on your machine. Uncomment other services in `docker-compose.yml`.
+port 389 on your machine. Uncomment other services in `docker-compose.yml` if
+you want to use them.
 
-### LDAP server
+#### LDAP server
-
-See the previous section for quickly spinning up an LDAP server with Docker (or
-edit your environment configuration to use an existing one).
 
 After creating the Docker container for the first time (or after deleting it),
 you need to run the following command once, in order to create the dirsrv
@@ -52,19 +70,34 @@ back-end:
 
 Now you can seed the back-end with data using this Rails task:
 
-    bundle exec rails ldap:seed
+    bundle exec rails ldap:setup
 
-The seeds task will first delete any existing entries in the directory tree
+The setup task will first delete any existing entries in the directory tree
-("dc=kosmos,dc=org"), and then create our example/development entries.
+("dc=kosmos,dc=org"), and then create our development entries.
+
+Note that all 389ds data is stored in `tmp/389ds`. So if you want to start over
+with a fresh installation, delete both that directory as well as the container.
+
+### Solargraph
+
+[Solargraph](https://solargraph.org/) is a Ruby language server, which you may
+use with your editor to add features like auto-completion and syntax
+validation. You can add inline documentation for bundled gems with this
+command:
+
+    bundle exec yard gems
 
 ## Documentation
 
+### Rails
+
 * [Ruby on Rails](https://guides.rubyonrails.org/)
-* [Sass](https://sass-lang.com/documentation)
+* [Pagination](https://ddnexus.github.io/pagy/)
 
 ### Front-end
 
 * [Tailwind CSS](https://tailwindcss.com/)
+* [Sass](https://sass-lang.com/documentation)
 
 ### Testing
 
@@ -81,6 +114,12 @@ The seeds task will first delete any existing entries in the directory tree
 * [Sidekiq](https://github.com/mperham/sidekiq/wiki/)
 * [ActiveJob](https://github.com/mperham/sidekiq/wiki/Active-Job)
 
+### Feature Flags
+
+* [Flipper](https://www.flippercloud.io/docs/get-started/self-hosted)
+
 ## License
 
 [GNU Affero General Public License v3.0](https://choosealicense.com/licenses/agpl-3.0/)
+
+[1]: https://docs.docker.com/compose/install/

app/assets/stylesheets/application.tailwind.css

@@ -4,7 +4,9 @@
 
 @import "components/base";
 @import "components/buttons";
+@import "components/dashboard_services";
 @import "components/forms";
 @import "components/links";
 @import "components/notifications";
+@import "components/pagination";
 @import "components/tables";

app/assets/stylesheets/components/base.css

@@ -36,10 +36,18 @@
     @apply mb-4 leading-6;
   }
 
+  main p:last-child {
+    @apply mb-0;
+  }
+
   main ul {
     @apply mb-6;
   }
 
+  main ul:last-child {
+    @apply mb-0;
+  }
+
   main ul li {
     @apply leading-6;
   }

app/assets/stylesheets/components/buttons.css

@@ -1,17 +1,21 @@
 @layer components {
   .btn {
-    @apply font-semibold rounded-md leading-none cursor-pointer text-center
+    @apply inline-block font-semibold rounded-md leading-none cursor-pointer text-center
            transition-colors duration-75 focus:outline-none focus:ring-4;
   }
 
   .btn-md {
     @apply btn;
-    @apply py-2.5 px-5 shadow-md;
+    @apply py-3 px-6;
   }
 
   .btn-sm {
     @apply btn;
-    @apply py-1 px-2 text-sm shadow-sm;
+    @apply py-1 px-2 text-sm;
+  }
+
+  .btn-icon {
+    @apply px-3;
   }
 
   .btn-gray {

app/assets/stylesheets/components/dashboard_services.css

@@ -0,0 +1,5 @@
+@layer components {
+  .services > div > a {
+    background-image: linear-gradient(110deg, rgba(255,255,255,0.99) 0, rgba(255,255,255,0.88) 100%);
+  }
+}

app/assets/stylesheets/components/forms.css

@@ -1,13 +1,18 @@
 @layer components {
   input[type=text], input[type=email], input[type=password],
-  input[type=number], select {
+  input[type=number], select, textarea {
-    @apply mt-1 rounded-md bg-gray-100 focus:bg-white
+    @apply rounded-md bg-gray-100 focus:bg-white
            border-transparent focus:border-transparent focus:ring-2
            focus:ring-blue-600 focus:ring-opacity-75;
   }
 
-  .field_with_errors {
+  input[type=text]:disabled,
-    @apply inline-block;
+  input[type=email]:disabled {
+    @apply text-gray-700;
+  }
+
+  input.field_with_errors {
+    @apply border-b-red-600;
   }
 
   .error-msg {

app/assets/stylesheets/components/links.css

@@ -5,10 +5,4 @@
     &:visited { @apply text-indigo-600; }
     &:active  { @apply text-red-600; }
   }
-
-  .devise-links {
-    a {
-      @apply ks-text-link;
-    }
-  }
 }

app/assets/stylesheets/components/pagination.css

@@ -0,0 +1,45 @@
+@layer components {
+  .pagy-nav.pagination {
+    @apply isolate inline-flex -space-x-px rounded-md shadow-sm;
+  }
+
+  .pagy-nav .page:not(.prev):not(.next) {
+    @apply hidden sm:inline-block;
+  }
+
+  .pagy-nav .page.next a {
+    @apply relative inline-flex items-center rounded-r-md border
+           border-gray-300 bg-white px-3 py-2 text-sm font-medium
+           text-gray-500 hover:bg-gray-100 focus:z-20;
+  }
+
+  .pagy-nav .page.prev a {
+    @apply relative inline-flex items-center rounded-l-md border
+           border-gray-300 bg-white px-3 py-2 text-sm font-medium
+           text-gray-500 hover:bg-gray-100 focus:z-20;
+  }
+
+  .pagy-nav .page.next.disabled {
+    @apply relative inline-flex items-center rounded-r-md border
+           border-gray-300 bg-gray-100 px-3 py-2 text-sm font-medium
+           text-gray-400 focus:z-20;
+  }
+
+  .pagy-nav .page.prev.disabled {
+    @apply relative inline-flex items-center rounded-l-md border
+           border-gray-300 bg-gray-100 px-3 py-2 text-sm font-medium
+           text-gray-400 focus:z-20;
+  }
+
+  .pagy-nav .page a, .page.gap {
+    @apply bg-white border-gray-300 text-gray-500 hover:bg-gray-100 relative
+           inline-flex items-center border px-4 py-2 text-sm font-medium
+           focus:z-20;
+  }
+
+  .pagy-nav .page.active {
+    @apply z-10 border-indigo-500 bg-indigo-50 text-indigo-600 relative
+           inline-flex items-center border px-4 py-2 text-sm font-medium
+           focus:z-20;
+  }
+}

app/assets/stylesheets/components/tables.css

@@ -7,16 +7,30 @@
     @apply text-left;
   }
 
-  table th {
+  table thead th {
     @apply pb-3.5 text-sm font-normal uppercase text-gray-500;
   }
 
+  table tbody th {
+    @apply text-left font-normal text-gray-500;
+  }
+
   table th:not(:last-of-type),
   table td:not(:last-of-type) {
     @apply pr-2;
   }
 
-  table td {
+  table td, tbody th {
     @apply py-2;
   }
+
+  table.divided {
+    @apply divide-y divide-gray-300;
+  }
+  table.divided tbody {
+    @apply divide-y divide-gray-200;
+  }
+  table.divided td, table.divided tbody th {
+    @apply py-3;
+  }
 }

app/components/form_elements/fieldset_component.html.erb

@@ -0,0 +1,29 @@
+<%= tag.public_send(@tag, class: "mb-6 last:mb-0") do %>
+  <% if @positioning == :vertical %>
+  <label class="block">
+    <p class="font-bold <%= @descripton.present? ? "mb-1" : "mb-2" %>">
+      <%= @title %>
+    </p>
+    <% if @descripton.present? %>
+    <p class="text-gray-500">
+      <%= @descripton %>
+    </p>
+    <% end %>
+    <%= content %>
+  </label>
+  <% elsif @positioning == :horizontal %>
+  <label class="block flex items-center justify-between">
+    <div class="flex flex-col">
+      <label class="font-bold mb-1"><%= @title %></label>
+      <% if @descripton.present? %>
+      <p class="text-gray-500"><%= @descripton %></p>
+      <% end %>
+    </div>
+    <div class="relative ml-4 inline-flex flex-shrink-0">
+      <%= content %>
+    </div>
+  </label>
+  <% else %>
+  <p>Invalid <code>positioning<code> argument for <code>FieldsetComponent</code>.</p>
+  <% end %>
+<% end %>

app/components/form_elements/fieldset_component.rb

@@ -0,0 +1,12 @@
+# frozen_string_literal: true
+
+module FormElements
+  class FieldsetComponent < ViewComponent::Base
+    def initialize(tag: "li", positioning: :vertical, title:, description: nil)
+      @tag         = tag
+      @positioning = positioning
+      @title       = title
+      @descripton  = description
+    end
+  end
+end

app/components/form_elements/fieldset_toggle_component.html.erb

@@ -0,0 +1,33 @@
+<%= tag.public_send @tag, class: "flex items-center justify-between mb-6 last:mb-0",
+      data: @form_enabled ? {
+        controller: "settings--toggle",
+        :'settings--toggle-switch-enabled-value' => @enabled.to_s
+      } : nil do %>
+  <div class="flex flex-col">
+    <label class="font-bold mb-1"><%= @title %></label>
+    <p class="text-gray-500"><%= @descripton %></p>
+  </div>
+  <div class="relative ml-4 inline-flex flex-shrink-0">
+    <%= render FormElements::ToggleComponent.new(
+          enabled: @enabled,
+          input_enabled: @input_enabled,
+          class_names: @form_enabled ? "hidden" : nil,
+          data: {
+            :'settings--toggle-target' => "button",
+            action: "settings--toggle#toggleSwitch"
+          }) %>
+    <% if @form_enabled %>
+      <% if @attribute.present? %>
+        <%= @form.check_box @attribute, {
+              checked: @enabled,
+              data: { :'settings--toggle-target' => "checkbox" }
+            }, "true", "false" %>
+      <% else %>
+        <input name="<%= @field_name %>" type="hidden" value="false" autocomplete="off">
+        <%= check_box_tag @field_name, "true", @enabled, {
+              data: { :'settings--toggle-target' => "checkbox" }
+            } %>
+      <% end %>
+    <% end %>
+  </div>
+<% end %>

app/components/form_elements/fieldset_toggle_component.rb

@@ -0,0 +1,19 @@
+# frozen_string_literal: true
+
+module FormElements
+  class FieldsetToggleComponent < ViewComponent::Base
+    def initialize(tag: "li", form: nil, attribute: nil, field_name: nil,
+                   enabled: false, input_enabled: true, title:, description:)
+      @tag = tag
+      @form = form
+      @attribute = attribute
+      @field_name = field_name
+      @form_enabled = @form.present? || @field_name.present?
+      @enabled = enabled
+      @input_enabled = input_enabled
+      @title = title
+      @descripton = description
+      @button_text = @enabled ? "Switch off" : "Switch on"
+    end
+  end
+end

app/components/form_elements/toggle_component.html.erb

@@ -0,0 +1,15 @@
+<%= button_tag type: "button", name: "toggle", data: @data,
+      role: "switch", aria: { checked: @enabled.to_s },
+      tabindex: @tabindex, disabled: !@input_enabled,
+      class: "#{ @enabled ? 'bg-blue-600' : 'bg-gray-200' }
+              #{ @class_names.present? ? @class_names : '' }
+              relative inline-flex h-6 w-11 flex-shrink-0 cursor-pointer
+              rounded-full border-2 border-transparent transition-colors
+              duration-200 ease-in-out focus:outline-none focus:ring-2
+              focus:ring-blue-600 focus:ring-offset-2" do %>
+  <span class="sr-only"><%= @button_text %></span>
+  <span aria-hidden="true" data-settings--toggle-target="switch"
+        class="<%= @enabled ? 'translate-x-5' : 'translate-x-0' %>
+               pointer-events-none inline-block h-5 w-5 transform rounded-full
+               bg-white shadow ring-0 transition duration-200 ease-in-out"></span>
+<% end %>

app/components/form_elements/toggle_component.rb

@@ -0,0 +1,13 @@
+# frozen_string_literal: true
+
+module FormElements
+  class ToggleComponent < ViewComponent::Base
+    def initialize(enabled:, input_enabled: true, data: nil, class_names: nil, tabindex: nil)
+      @enabled = !!enabled
+      @input_enabled = input_enabled
+      @data = data
+      @class_names = class_names
+      @tabindex = tabindex
+    end
+  end
+end

app/components/header_tab_link_component.html.erb

@@ -0,0 +1,3 @@
+<%= link_to @path, class: @link_class do %>
+  <%= @name %>
+<% end %>

app/components/header_tab_link_component.rb

@@ -0,0 +1,20 @@
+# frozen_string_literal: true
+
+class HeaderTabLinkComponent < ViewComponent::Base
+  def initialize(name:, path:, active: false, disabled: false)
+    @name = name
+    @path = path
+    @active = active
+    @disabled = disabled
+    @link_class = class_names_link(path)
+  end
+
+  def class_names_link(path)
+    common = "block md:inline-block px-5 py-2 rounded-md font-medium text-base md:text-xl"
+    if @active
+      "#{common} bg-gray-900/50 text-white"
+    else
+      "#{common} text-gray-300 hover:bg-gray-900/30 hover:text-white active:bg-gray-900/30 active:text-white"
+    end
+  end
+end

app/components/header_with_tabs_component.html.erb

@@ -0,0 +1,12 @@
+<header class="py-10">
+  <div class="max-w-6xl md:flex md:gap-x-10 mx-auto px-4 sm:px-6 lg:px-8">
+    <% if @title.present? %>
+    <h1 class="text-3xl font-bold text-white">
+      <%= @title %>
+    </h1>
+    <% end %>
+    <nav class="md:grow flex gap-x-4 <%= @title.present? ? "justify-end" : "justify-start" %>" aria-label="Tabs">
+      <%= render partial: @tabnav_partial %>
+    </nav>
+  </div>
+</header>

app/components/header_with_tabs_component.rb

@@ -0,0 +1,8 @@
+# frozen_string_literal: true
+
+class HeaderWithTabsComponent < ViewComponent::Base
+  def initialize(title: nil, tabnav_partial:)
+    @title = title
+    @tabnav_partial = tabnav_partial
+  end
+end

app/components/main_simple_component.html.erb

@@ -1,5 +1,5 @@
 <main class="w-full max-w-6xl mx-auto pb-12 px-4 md:px-6 lg:px-8">
-  <div class="bg-white rounded-lg shadow px-6 sm:px-12 py-8 sm:py-12">
+  <div class="md:min-h-[50vh] bg-white rounded-lg shadow px-6 sm:px-12 py-8 sm:py-12">
     <%= content %>
   </div>
 </main>

app/components/main_with_sidenav_component.html.erb

@@ -1,6 +1,6 @@
 <main class="w-full max-w-6xl mx-auto pb-12 px-4 md:px-6 lg:px-8">
   <div class="bg-white rounded-lg shadow">
-    <div class="divide-y divide-gray-200 lg:grid lg:grid-cols-12 lg:divide-y-0 lg:divide-x">
+    <div class="md:min-h-[50vh] divide-y divide-gray-200 lg:grid lg:grid-cols-12 lg:divide-y-0 lg:divide-x">
       <aside class="py-6 sm:py-8 lg:col-span-3">
         <nav class="space-y-1">
           <%= render partial: @sidenav_partial %>

app/components/main_with_tabnav_component.html.erb

@@ -0,0 +1,10 @@
+<main class="w-full max-w-6xl mx-auto pb-12 px-4 md:px-6 lg:px-8">
+  <div class="bg-white rounded-lg shadow">
+    <div class="px-6 sm:px-12 pt-2 sm:pt-4">
+      <%= render partial: @tabnav_partial %>
+    </div>
+    <div class="px-6 sm:px-12 py-8 sm:py-12">
+      <%= content %>
+    </div>
+  </div>
+</main>

app/components/main_with_tabnav_component.rb

@@ -0,0 +1,7 @@
+# frozen_string_literal: true
+
+class MainWithTabnavComponent < ViewComponent::Base
+  def initialize(tabnav_partial:)
+    @tabnav_partial = tabnav_partial
+  end
+end

app/components/quickstats_container_component.html.erb

@@ -0,0 +1,3 @@
+<dl class="grid grid-cols-2 lg:grid-cols-4 gap-6 sm:gap-12">
+  <%= content %>
+</dl>

app/components/quickstats_container_component.rb

@@ -0,0 +1,4 @@
+# frozen_string_literal: true
+
+class QuickstatsContainerComponent < ViewComponent::Base
+end

app/components/quickstats_item_component.html.erb

@@ -0,0 +1,18 @@
+<div class="">
+  <dt class="mb-2 text-gray-500">
+    <%= @title %>
+  </dt>
+  <dd>
+    <% if @type == :number %>
+      <span class="text-2xl"><%= number_with_delimiter @value %></span>
+    <% else %>
+      <span class="text-2xl"><%= @value %></span>
+    <% end %>
+    <% if @unit %>
+      <span><%= @unit %></span>
+    <% end %>
+    <% if @meta %>
+      <span class="text-gray-500"><%= @meta %></span>
+    <% end %>
+  </dd>
+</div>

app/components/quickstats_item_component.rb

@@ -0,0 +1,13 @@
+# frozen_string_literal: true
+
+class QuickstatsItemComponent < ViewComponent::Base
+  def initialize(type:, title:, value:, unit: nil, meta: nil, icon_name: nil, icon_color_class: nil)
+    @type = type
+    @title = title
+    @value = value
+    @unit = unit
+    @meta = meta
+    @icon_name = icon_name
+    @icon_color_class = icon_color_class
+  end
+end

app/components/sidenav_link_component.html.erb

@@ -1,4 +1,4 @@
-<%= link_to @path, class: @link_class do %>
+<%= link_to @path, class: @link_class, title: (@disabled ? "Coming soon" : nil) do %>
   <%= render partial: "icons/#{@icon}", locals: { custom_class: @icon_class } %>
   <span class="truncate"><%= @name %></span>
 <% end %>

app/components/sidenav_link_component.rb

@@ -1,8 +1,9 @@
 # frozen_string_literal: true
 
 class SidenavLinkComponent < ViewComponent::Base
-  def initialize(name:, path:, icon:, active: false, disabled: false)
+  def initialize(name:, level: 1, path:, icon:, active: false, disabled: false)
     @name = name
+    @level = level
     @path = path
     @icon = icon
     @active = active
@@ -12,12 +13,15 @@ class SidenavLinkComponent < ViewComponent::Base
   end
 
   def class_names_link(path)
+    px = @level == 1 ? "px-4" : "pl-8 pr-4"
+    base = "#{px} py-2 group border-l-4 flex items-center text-base font-medium"
+
     if @active
-      "bg-teal-50 border-teal-500 text-teal-700 hover:bg-teal-50 hover:text-teal-700 group border-l-4 px-4 py-2 flex items-center text-base font-medium" 
+      "#{base} bg-teal-50 border-teal-500 text-teal-700 hover:bg-teal-50 hover:text-teal-700"
     elsif @disabled
-      "border-transparent text-gray-400 hover:bg-gray-50 group border-l-4 px-4 py-2 flex items-center text-base font-medium"
+      "#{base} border-transparent text-gray-400 hover:bg-gray-50"
     else
-      "border-transparent text-gray-900 hover:bg-gray-50 hover:text-gray-900 group border-l-4 px-4 py-2 flex items-center text-base font-medium"
+      "#{base} border-transparent text-gray-900 hover:bg-gray-50 hover:text-gray-900"
     end
   end
 

app/components/tabnav_link_component.html.erb

@@ -0,0 +1,3 @@
+<%= link_to @path, class: @link_class do %>
+  <%= @name %>
+<% end %>

app/components/tabnav_link_component.rb

@@ -0,0 +1,21 @@
+# frozen_string_literal: true
+
+class TabnavLinkComponent < ViewComponent::Base
+  def initialize(name:, path:, active: false, disabled: false)
+    @name = name
+    @path = path
+    @active = active
+    @disabled = disabled
+    @link_class = class_names_link(path)
+  end
+
+  def class_names_link(path)
+    if @active
+      "border-indigo-500 text-indigo-600 w-1/2 py-4 px-1 text-center border-b-2"
+    elsif @disabled
+      "border-transparent text-gray-500 hover:text-gray-700 hover:border-gray-300 w-1/2 py-4 px-1 text-center border-b-2"
+    else
+      "border-transparent text-gray-500 hover:text-gray-700 hover:border-gray-300 w-1/2 py-4 px-1 text-center border-b-2"
+    end
+  end
+end

app/components/wallet_summary_component.html.erb

@@ -7,10 +7,14 @@
   <div class="md:col-span-4 mt-4 md:mt-0">
     <p class="font-mono md:text-right mb-0 p-4 border border-gray-300 rounded-lg overflow-hidden">
     <% if @balance %>
-      <span class="text-xl"><%= number_with_delimiter @balance %> sats</span><br>
+      <span class="text-2xl"><%= number_with_delimiter @balance %></span>
+      <span class="text-xl">sats</span>
+      <br>
       <span class="text-sm text-gray-500">Available balance</span>
     <% else %>
-      <span class="text-xl">n/a sats</span><br>
+      <span class="text-2xl">n/a</span>
+      <span class="text-xl">sats</span>
+      <br>
       <span class="text-sm text-gray-500">Balance unavailable</span>
     <% end %>
     </p>

app/controllers/account_controller.rb

@@ -0,0 +1,7 @@
+class AccountController < ApplicationController
+  before_action :authenticate_user!
+
+  def index
+    @current_section = :account
+  end
+end

app/controllers/admin/base_controller.rb

@@ -1,4 +1,5 @@
 class Admin::BaseController < ApplicationController
+  include Pagy::Backend
 
   before_action :authenticate_user!
   before_action :authorize_admin
@@ -7,5 +8,4 @@ class Admin::BaseController < ApplicationController
   def set_context
     @context = :admin
   end
-
 end

app/controllers/admin/donations_controller.rb

@@ -5,7 +5,12 @@ class Admin::DonationsController < Admin::BaseController
   # GET /donations
   # GET /donations.json
   def index
-    @donations = Donation.all
+    @pagy, @donations = pagy(Donation.all.order('created_at desc'))
+
+    @stats = {
+      overall_sats: @donations.all.sum("amount_sats"),
+      donor_count: Donation.distinct.count(:user_id)
+    }
   end
 
   # GET /donations/1
@@ -29,10 +34,14 @@ class Admin::DonationsController < Admin::BaseController
 
     respond_to do |format|
       if @donation.save
-        format.html { redirect_to admin_donation_url(@donation), notice: 'Donation was successfully created.' }
+        format.html do
+          redirect_to admin_donation_url(@donation), flash: {
+            success: 'Donation was successfully created.'
+          }
+        end
         format.json { render :show, status: :created, location: @donation }
       else
-        format.html { render :new }
+        format.html { render :new, status: :unprocessable_entity }
         format.json { render json: @donation.errors, status: :unprocessable_entity }
       end
     end
@@ -43,10 +52,14 @@ class Admin::DonationsController < Admin::BaseController
   def update
     respond_to do |format|
       if @donation.update(donation_params)
-        format.html { redirect_to admin_donation_url(@donation), notice: 'Donation was successfully updated.' }
+        format.html do
+          redirect_to admin_donation_url(@donation), flash: {
+            success: 'Donation was successfully updated.'
+          }
+        end
         format.json { render :show, status: :ok, location: @donation }
       else
-        format.html { render :edit }
+        format.html { render :edit, status: :unprocessable_entity }
         format.json { render json: @donation.errors, status: :unprocessable_entity }
       end
     end
@@ -57,7 +70,10 @@ class Admin::DonationsController < Admin::BaseController
   def destroy
     @donation.destroy
     respond_to do |format|
-      format.html { redirect_to admin_donations_url, notice: 'Donation was successfully destroyed.' }
+      format.html do redirect_to admin_donations_url, flash: {
+        success: 'Donation was successfully destroyed.'
+      }
+      end
       format.json { head :no_content }
     end
   end

app/controllers/admin/invitations_controller.rb

@@ -1,8 +1,12 @@
 class Admin::InvitationsController < Admin::BaseController
   def index
     @current_section = :invitations
-    @invitations_unused_count = Invitation.unused.count
+    @pagy, @invitations_used = pagy(Invitation.used.order('used_at desc'))
-    @users_with_referrals_count = Invitation.used.distinct.count(:user_id)
+
-    @invitations_used = Invitation.used.order('used_at desc')
+    @stats = {
+      available: Invitation.unused.count,
+      accepted: @invitations_used.length,
+      users_with_referrals: Invitation.used.distinct.count(:user_id)
+    }
   end
 end

app/controllers/admin/ldap_users_controller.rb

@@ -1,45 +0,0 @@
-class Admin::LdapUsersController < Admin::BaseController
-  before_action :set_current_section
-
-  def index
-    attributes = %w{dn cn uid mail admin}
-    filter = Net::LDAP::Filter.eq("uid", "*")
-
-    @ou = params[:ou] || "kosmos.org"
-    treebase = "ou=#{@ou},cn=users,dc=kosmos,dc=org"
-
-    entries = ldap_client.search(base: treebase, filter: filter, attributes: attributes)
-    entries.sort_by! { |e| e.cn[0] }
-
-    @entries = entries.collect do |e|
-      {
-        uid: e.uid.first,
-        mail: e.try(:mail) ? e.mail.first : nil,
-        admin: e.try(:admin) ? 'admin' : nil
-        # password: e.userpassword.first
-      }
-    end
-    # ldap_client.get_operation_result
-  end
-
-  private
-
-  def ldap_client
-    ldap_client ||= Net::LDAP.new host: ldap_config['host'],
-      port: ldap_config['port'],
-      encryption: ldap_config['ssl'],
-      auth: {
-        method: :simple,
-        username: ldap_config['admin_user'],
-        password: ldap_config['admin_password']
-      }
-  end
-
-  def ldap_config
-    ldap_config ||= YAML.load(ERB.new(File.read("#{Rails.root}/config/ldap.yml")).result)[Rails.env]
-  end
-
-  def set_current_section
-    @current_section = :ldap_users
-  end
-end

app/controllers/admin/lightning_controller.rb

@@ -0,0 +1,21 @@
+class Admin::LightningController < Admin::BaseController
+  before_action :check_feature_enabled
+
+  def index
+    @current_section = :lightning
+
+    @users = User.pluck(:cn, :ou, :ln_account)
+    @accounts = LndhubAccount.with_balances.order(balance: :desc).to_a
+
+    @ln = {}
+    @ln[:current_balance] = LndhubAccount.current.joins(:ledgers).sum("account_ledgers.amount")
+    @ln[:users_with_sats] = @accounts.length
+  end
+
+  def check_feature_enabled
+    if !Setting.lndhub_admin_enabled?
+      flash[:alert] = "Lightning Admin UI not enabled"
+      redirect_to admin_root_path and return
+    end
+  end
+end

app/controllers/admin/settings/registrations_controller.rb

@@ -0,0 +1,12 @@
+class Admin::Settings::RegistrationsController < Admin::SettingsController
+  def index
+  end
+
+  def create
+    update_settings
+
+    redirect_to admin_settings_registrations_path, flash: {
+      success: "Settings saved"
+    }
+  end
+end

app/controllers/admin/settings/services_controller.rb

@@ -0,0 +1,19 @@
+class Admin::Settings::ServicesController < Admin::SettingsController
+  def index
+    @service = params[:s]
+
+    if @service.blank?
+      redirect_to admin_settings_services_path(params: { s: "discourse" })
+    end
+  end
+
+  def create
+    service = params.require(:service)
+
+    update_settings
+
+    redirect_to admin_settings_services_path(params: { s: service }), flash: {
+      success: "Settings saved"
+    }
+  end
+end

app/controllers/admin/settings_controller.rb

@@ -0,0 +1,40 @@
+class Admin::SettingsController < Admin::BaseController
+  before_action :set_current_section
+
+  def index
+  end
+
+  def update_settings
+    @errors = ActiveModel::Errors.new(Setting.new)
+    changed_keys = []
+
+    setting_params.keys.each do |key|
+      next if setting_params[key].nil? ||
+              (Setting.send(key).to_s == setting_params[key].strip)
+      changed_keys.push(key)
+      setting = Setting.new(var: key)
+      setting.value = setting_params[key].strip
+      unless setting.valid?
+        @errors.merge!(setting.errors)
+      end
+    end
+
+    if @errors.any?
+      render :index and return
+    end
+
+    changed_keys.each do |key|
+      Setting.send("#{key}=", setting_params[key].strip)
+    end
+  end
+
+  private
+
+    def set_current_section
+      @current_section = :settings
+    end
+
+    def setting_params
+      params.require(:setting).permit(Setting.editable_keys.map(&:to_sym))
+    end
+end

app/controllers/admin/users_controller.rb

@@ -0,0 +1,35 @@
+class Admin::UsersController < Admin::BaseController
+  before_action :set_user, only: [:show]
+  before_action :set_current_section
+
+  def index
+    ldap   = LdapService.new
+    @ou    = params[:ou] || "kosmos.org"
+    @orgs  = ldap.fetch_organizations
+    @pagy, @users = pagy(User.where(ou: @ou).order(cn: :asc))
+
+    @stats = {
+      users_confirmed: User.where(ou: @ou).confirmed.count,
+      users_pending: User.where(ou: @ou).pending.count
+    }
+  end
+
+  def show
+    if Setting.lndhub_admin_enabled?
+      @lndhub_user = @user.lndhub_user
+    end
+
+    @services_enabled = @user.services_enabled
+  end
+
+  private
+
+  def set_user
+    address = params[:address].split("@")
+    @user = User.where(cn: address.first, ou: address.last).first
+  end
+
+  def set_current_section
+    @current_section = :users
+  end
+end

app/controllers/application_controller.rb

@@ -3,6 +3,18 @@ class ApplicationController < ActionController::Base
     render :text => exception, :status => 500
   end
 
+  before_action :sentry_set_user
+
+  def sentry_set_user
+    return unless Setting.sentry_enabled
+
+    if user_signed_in?
+      Sentry.set_user(id: current_user.id, username: current_user.cn)
+    else
+      Sentry.set_user({})
+    end
+  end
+
   def require_user_signed_in
     unless user_signed_in?
       redirect_to welcome_path and return

app/controllers/contributions/donations_controller.rb

@@ -1,5 +1,5 @@
-class DonationsController < ApplicationController
+class Contributions::DonationsController < ApplicationController
-  before_action :require_user_signed_in
+  before_action :authenticate_user!
 
   # GET /donations
   # GET /donations.json

app/controllers/contributions/projects_controller.rb

@@ -0,0 +1,8 @@
+class Contributions::ProjectsController < ApplicationController
+  before_action :authenticate_user!
+
+  # GET /contributions
+  def index
+    @current_section = :contributions
+  end
+end

app/controllers/dashboard_controller.rb

@@ -2,6 +2,6 @@ class DashboardController < ApplicationController
   before_action :require_user_signed_in
 
   def index
-    @current_section = :dashboard
+    @current_section = :services
   end
 end

app/controllers/discourse/sso_controller.rb

@@ -0,0 +1,17 @@
+class Discourse::SsoController < ApplicationController
+  before_action :authenticate_user!
+
+  def connect
+    secret = Setting.discourse_connect_secret
+    sso = DiscourseApi::SingleSignOn.parse(request.query_string, secret)
+    sso.external_id = current_user.id
+    sso.email = current_user.email
+    sso.username = current_user.cn
+    sso.name = current_user.display_name
+    sso.admin = current_user.is_admin?
+    sso.sso_secret = secret
+
+    redirect_to sso.to_url("#{Setting.discourse_public_url}/session/sso_login"),
+                allow_other_host: true
+  end
+end

app/controllers/invitations_controller.rb

@@ -1,11 +1,11 @@
 class InvitationsController < ApplicationController
-  before_action :require_user_signed_in, except: ["show"]
+  before_action :authenticate_user!, except: ["show"]
   before_action :require_user_signed_out, only: ["show"]
 
   # GET /invitations
   def index
     @invitations_unused = current_user.invitations.unused
-    @invitations_used   = current_user.invitations.used
+    @invitations_used   = current_user.invitations.used.order('used_at desc')
     @current_section = :invitations
   end
 
@@ -27,7 +27,10 @@ class InvitationsController < ApplicationController
 
     respond_to do |format|
       if @invitation.save
-        format.html { redirect_to @invitation, notice: 'Invitation was successfully created.' }
+        format.html do redirect_to @invitation, flash: {
+          success: 'Invitation was successfully created.'
+        }
+        end
         format.json { render :show, status: :created, location: @invitation }
       else
         format.html { render :new }

app/controllers/lnurlpay_controller.rb

@@ -1,4 +1,5 @@
 class LnurlpayController < ApplicationController
+  before_action :check_feature_enabled
   before_action :find_user_by_address
 
   MIN_SATS = 10
@@ -17,6 +18,20 @@ class LnurlpayController < ApplicationController
     }
   end
 
+  def keysend
+    http_status :not_found and return unless Setting.lndhub_keysend_enabled?
+
+    render json: {
+      status: "OK",
+      tag: "keysend",
+      pubkey: Setting.lndhub_public_key,
+      customData: [{
+        customKey: "696969",
+        customValue: @user.ln_account
+      }]
+    }
+  end
+
   def invoice
     amount = params[:amount].to_i / 1000 # msats
     address = params[:address]
@@ -32,7 +47,7 @@ class LnurlpayController < ApplicationController
       return
     end
 
-    memo = "Sats for #{address}"
+    memo = "To #{address}"
     memo = "#{memo}: \"#{comment}\"" if comment.present?
 
     payment_request = @user.ln_create_invoice({
@@ -72,4 +87,9 @@ class LnurlpayController < ApplicationController
     comment.length <= MAX_COMMENT_CHARS
   end
 
+  private
+
+  def check_feature_enabled
+    http_status :not_found unless Setting.lndhub_enabled?
+  end
 end

app/controllers/security_controller.rb

@@ -1,7 +0,0 @@
-class SecurityController < ApplicationController
-  before_action :require_user_signed_in
-
-  def index
-    @current_section = :security
-  end
-end

app/controllers/services/lightning_controller.rb

@@ -1,13 +1,13 @@
 require "rqrcode"
 
-class WalletController < ApplicationController
+class Services::LightningController < ApplicationController
-  before_action :require_user_signed_in
+  before_action :authenticate_user!
   before_action :authenticate_with_lndhub
   before_action :set_current_section
   before_action :fetch_balance
 
   def index
-    @wallet_url = "lndhub://#{current_user.ln_login}:#{current_user.ln_password}@#{ENV['LNDHUB_PUBLIC_URL']}"
+    @wallet_url = "lndhub://#{current_user.ln_account}:#{current_user.ln_password}@#{ENV['LNDHUB_PUBLIC_URL']}"
 
     qrcode = RQRCode::QRCode.new(@wallet_url)
     @svg = qrcode.as_svg(
@@ -28,35 +28,44 @@ class WalletController < ApplicationController
 
   private
 
-  def authenticate_with_lndhub
+  def authenticate_with_lndhub(options={})
-    if session["ln_auth_token"].present?
+    if session[:ln_auth_token].present? && !options[:force_reauth]
-      @ln_auth_token = session["ln_auth_token"]
+      @ln_auth_token = session[:ln_auth_token]
     else
       lndhub = Lndhub.new
       auth_token = lndhub.authenticate(current_user)
-      session["ln_auth_token"] = auth_token
+      session[:ln_auth_token] = auth_token
       @ln_auth_token = auth_token
     end
-  rescue
+  rescue => e
-    # TODO add exception tracking
+    Sentry.capture_exception(e) if Setting.sentry_enabled?
   end
 
   def set_current_section
-    @current_section = :wallet
+    @current_section = :services
   end
 
   def fetch_balance
     lndhub = Lndhub.new
     data = lndhub.balance @ln_auth_token
     @balance = data["BTC"]["AvailableBalance"] rescue nil
+  rescue AuthError
+    authenticate_with_lndhub(force_reauth: true)
+    raise if @fetch_balance_retried
+    @fetch_balance_retried = true
+    fetch_balance
   end
 
   def fetch_transactions
     lndhub = Lndhub.new
     txs = lndhub.gettxs @ln_auth_token
     invoices = lndhub.getuserinvoices(@ln_auth_token).select{|i| i["ispaid"]}
-
     process_transactions(txs + invoices)
+  rescue AuthError
+    authenticate_with_lndhub(force_reauth: true)
+    raise if @fetch_transactions_retried
+    @fetch_transactions_retried = true
+    fetch_transactions
   end
 
   def process_transactions(txs)
@@ -69,6 +78,7 @@ class WalletController < ApplicationController
         tx["received"] = true
       else
         tx["amount_sats"] = tx["value"] || tx["amt"]
+        tx["fee"] = tx["type"] == "paid_invoice" ? tx["fee"] : nil
         tx["datetime"] = Time.at(tx["timestamp"].to_i)
         tx["title"] = tx["type"] == "paid_invoice" ? "Sent" : "Received"
         tx["description"] = tx["memo"] || tx["description"]
@@ -76,6 +86,10 @@ class WalletController < ApplicationController
       end
     end
 
+    # Handle an edge case where lndhub.go includes a failed payment in the
+    # list, which wasn't actually booked
+    txs.reject!{ |tx| tx["type"] == "paid_invoice" && tx["payment_preimage"].blank? }
+
     txs.sort{ |a,b| b["datetime"] <=> a["datetime"] }
   end
 end

app/controllers/services/remotestorage_controller.rb

@@ -0,0 +1,30 @@
+class Services::RemotestorageController < ApplicationController
+  before_action :require_user_signed_in
+  before_action :require_service_enabled
+  before_action :require_feature_enabled
+  before_action :set_current_section
+
+  def dashboard
+    # unless current_user.services_enabled.include?(:remotestorage)
+    #   redirect_to service_remotestorage_info_path
+    # end
+  end
+
+  private
+
+    def require_feature_enabled
+      unless Flipper.enabled?(:remotestorage, current_user)
+        http_status :forbidden
+      end
+    end
+
+    def require_service_enabled
+      unless Setting.remotestorage_enabled?
+        http_status :not_found
+      end
+    end
+
+    def set_current_section
+      @current_section = :services
+    end
+end

app/controllers/settings_controller.rb

@@ -1,7 +1,49 @@
 class SettingsController < ApplicationController
-  before_action :require_user_signed_in
+  before_action :authenticate_user!
+  before_action :set_main_nav_section
+  before_action :set_settings_section, only: [:show, :update, :update_email]
+  before_action :set_user, only: [:show, :update, :update_email]
 
   def index
+    redirect_to setting_path(:profile)
+  end
+
+  def show
+  end
+
+  def update
+    @user.preferences.merge!(user_params[:preferences] || {})
+    @user.display_name = user_params[:display_name]
+
+    if @user.save
+      if @user.display_name && (@user.display_name != @user.ldap_entry[:display_name])
+        LdapManager::UpdateDisplayName.call(@user.dn, user_params[:display_name])
+      end
+
+      redirect_to setting_path(@settings_section), flash: {
+        success: 'Settings saved.'
+      }
+    else
+      @validation_errors = @user.errors
+      render :show, status: :unprocessable_entity
+    end
+  end
+
+  def update_email
+    if @user.valid_ldap_authentication?(email_params[:current_password])
+      if @user.update email: email_params[:email]
+        redirect_to setting_path(:account), flash: {
+          notice: 'Please confirm your new address using the confirmation link we just sent you.'
+        }
+      else
+        @validation_errors = @user.errors
+        render :show, status: :unprocessable_entity
+      end
+    else
+      redirect_to setting_path(:account), flash: {
+        error: 'Password did not match your current password. Try again.'
+      }
+    end
   end
 
   def reset_password
@@ -10,4 +52,34 @@ class SettingsController < ApplicationController
     msg = "We have sent you an email with a link to reset your password."
     redirect_to check_your_email_path, notice: msg
   end
+
+  private
+
+    def set_main_nav_section
+      @current_section = :settings
+    end
+
+    def set_settings_section
+      @settings_section = params[:section]
+      allowed_sections = [:profile, :account, :lightning, :xmpp]
+
+      unless allowed_sections.include?(@settings_section.to_sym)
+        redirect_to setting_path(:profile)
+      end
+    end
+
+    def set_user
+      @user = current_user
+    end
+
+    def user_params
+      params.require(:user).permit(:display_name, preferences: [
+        :lightning_notify_sats_received,
+        :xmpp_exchange_contacts_with_invitees
+      ])
+    end
+
+    def email_params
+      params.require(:user).permit(:email, :current_password)
+    end
 end

app/controllers/turbo_controller.rb

@@ -0,0 +1,18 @@
+class TurboController < ApplicationController
+  class Responder < ActionController::Responder
+    def to_turbo_stream
+      controller.render(options.merge(formats: :html))
+    rescue ActionView::MissingTemplate => error
+      if get?
+        raise error
+      elsif has_errors? && default_action
+        render rendering_options.merge(formats: :html, status: :unprocessable_entity)
+      else
+        redirect_to navigation_location
+      end
+    end
+  end
+
+  self.responder = Responder
+  respond_to :html, :turbo_stream
+end

app/controllers/users/confirmations_controller.rb

@@ -0,0 +1,17 @@
+# frozen_string_literal: true
+
+class Users::ConfirmationsController < Devise::ConfirmationsController
+  # GET /resource/confirmation?confirmation_token=abcdef
+  def show
+    self.resource = resource_class.confirm_by_token(params[:confirmation_token])
+    yield resource if block_given?
+
+    if resource.errors.empty?
+      set_flash_message!(:success, :confirmed)
+      resource.devise_after_confirmation
+      respond_with_navigational(resource){ redirect_to after_confirmation_path_for(resource_name, resource) }
+    else
+      respond_with_navigational(resource.errors, status: :unprocessable_entity){ render :new }
+    end
+  end
+end

app/controllers/users/devise_controller.rb

@@ -0,0 +1,18 @@
+class Users::DeviseController < ApplicationController
+  class Responder < ActionController::Responder
+    def to_turbo_stream
+      controller.render(options.merge(formats: :html))
+    rescue ActionView::MissingTemplate => error
+      if get?
+        raise error
+      elsif has_errors? && default_action
+        render rendering_options.merge(formats: :html, status: :unprocessable_entity)
+      else
+        redirect_to navigation_location
+      end
+    end
+  end
+
+  self.responder = Responder
+  respond_to :html, :turbo_stream
+end

app/controllers/webfinger_controller.rb

@@ -0,0 +1,57 @@
+class WebfingerController < ApplicationController
+  before_action :allow_cross_origin_requests, only: [:show]
+
+  layout false
+
+  def show
+    resource = params[:resource]
+
+    if resource && resource.match(/acct:\w+/)
+      useraddress = resource.split(":").last
+      username, org = useraddress.split("@")
+      username.downcase!
+      unless User.where(cn: username, ou: org).any?
+        head 404 and return
+      end
+
+      render json: webfinger(useraddress).to_json,
+             content_type: "application/jrd+json"
+    else
+      head 422 and return
+    end
+  end
+
+  private
+
+  def webfinger(useraddress)
+    links = [];
+
+    links << remotestorage_link(useraddress) if Setting.remotestorage_enabled
+
+    { "links" => links }
+  end
+
+  def remotestorage_link(useraddress)
+    # TODO use when OAuth routes are available
+    # auth_url = new_rs_oauth_url(useraddress)
+    auth_url = "https://example.com/rs/oauth"
+    storage_url = "#{Setting.rs_storage_url}/#{useraddress}"
+
+    {
+      "rel" => "http://tools.ietf.org/id/draft-dejong-remotestorage",
+      "href" => storage_url,
+      "properties" => {
+        "http://remotestorage.io/spec/version" => "draft-dejong-remotestorage-13",
+        "http://tools.ietf.org/html/rfc6749#section-4.2" => auth_url,
+        "http://tools.ietf.org/html/rfc6750#section-2.3" => nil, # access token via a HTTP query parameter
+        "http://tools.ietf.org/html/rfc7233": "GET", # content range requests
+        "http://remotestorage.io/spec/web-authoring": nil
+      }
+    }
+  end
+
+  def allow_cross_origin_requests
+    headers['Access-Control-Allow-Origin'] = '*'
+    headers['Access-Control-Allow-Methods'] = 'GET, POST, PUT, OPTIONS'
+  end
+end

app/controllers/webhooks_controller.rb

@@ -0,0 +1,46 @@
+class WebhooksController < ApplicationController
+  skip_forgery_protection
+
+  before_action :authorize_request
+
+  def lndhub
+    begin
+      payload = JSON.parse(request.body.read, symbolize_names: true)
+      head :no_content and return unless payload[:type] == "incoming"
+    rescue
+      head :unprocessable_entity and return
+    end
+
+    user = User.find_by!(ln_account: payload[:user_login])
+    notify = user.preferences[:lightning_notify_sats_received]
+    case notify
+    when "xmpp"
+      notify_xmpp(user.address, payload[:amount], payload[:memo])
+    when "email"
+      NotificationMailer.with(user: user, amount_sats: payload[:amount])
+                        .lightning_sats_received.deliver_later
+    end
+
+    head :ok
+  end
+
+  private
+
+  # TODO refactor into mailer-like generic class/service
+  def notify_xmpp(address, amt_sats, memo)
+    payload = {
+      type: "normal",
+      from: "kosmos.org", # TODO domain config
+      to: address,
+      subject: "Sats received!",
+      body: "#{helpers.number_with_delimiter amt_sats} sats received in your Lightning wallet:\n> #{memo}"
+    }
+    XmppSendMessageJob.perform_later(payload)
+  end
+
+  def authorize_request
+    if !ENV['WEBHOOKS_ALLOWED_IPS'].split(',').include?(request.remote_ip)
+      head :forbidden and return
+    end
+  end
+end

app/errors/auth_error.rb

@@ -0,0 +1 @@
+class AuthError < StandardError; end

app/helpers/application_helper.rb

@@ -1,4 +1,6 @@
 module ApplicationHelper
+  include Pagy::Frontend
+
   def sats_to_btc(sats)
     sats.to_f / 100000000
   end
@@ -10,5 +12,10 @@ module ApplicationHelper
       "text-gray-300 hover:bg-gray-900/30 hover:text-white active:bg-gray-900/30 active:text-white px-3 py-2 rounded-md font-medium text-base md:text-sm block md:inline-block"
     end
   end
-end
 
+  # Colors available: gray, red, yellow, green, blue, purple, pink
+  # (Add more colors by adding classes to the safelist in tailwind.config.js)
+  def badge(text, color)
+    tag.span text, class: "inline-flex items-center rounded-full bg-#{color}-100 px-2.5 py-0.5 text-xs font-medium text-#{color}-800"
+  end
+end

app/helpers/ldap_users_helper.rb

@@ -1,2 +0,0 @@
-module LdapUsersHelper
-end

app/helpers/users_helper.rb

@@ -0,0 +1,2 @@
+module UsersHelper
+end

app/javascript/controllers/clipboard_controller.js

@@ -0,0 +1,16 @@
+import { Controller } from "@hotwired/stimulus"
+
+export default class extends Controller {
+  static targets = ["source", "trigger"]
+
+  copy (event) {
+    event.preventDefault();
+    navigator.clipboard.writeText(this.sourceTarget.value);
+    this.triggerTarget.querySelector('.content-initial').classList.add('hidden');
+    this.triggerTarget.querySelector('.content-active').classList.remove('hidden');
+    setTimeout(() => {
+      this.triggerTarget.querySelector('.content-initial').classList.remove('hidden');
+      this.triggerTarget.querySelector('.content-active').classList.add('hidden');
+    }, 2000)
+  }
+}

app/javascript/controllers/notification_controller.js

@@ -4,6 +4,10 @@ export default class extends Controller {
   static targets = ["buttons", "countdown"]
 
   connect() {
+    // Devise timeoutable ends up adding a second flash message without content
+    // TODO investigate bug
+    if (this.element.textContent.trim() == "true") return;
+
     const timeoutSeconds = parseInt(this.data.get("timeout"));
 
     setTimeout(() => {

app/javascript/controllers/settings/account/email_controller.js

@@ -0,0 +1,27 @@
+import { Controller } from "@hotwired/stimulus"
+
+export default class extends Controller {
+  static targets = [ "emailField", "editEmailButton" ]
+  static values = { validationFailed: Boolean }
+
+  connect () {
+    if (this.validationFailedValue) return;
+
+    this.emailFieldTarget.disabled = true;
+    this.element.querySelectorAll(".initial-hidden").forEach(el => {
+      el.classList.add("hidden");
+    })
+    this.element.querySelectorAll(".initial-visible").forEach(el => {
+      el.classList.remove("hidden");
+    })
+  }
+
+  editEmail () {
+    this.emailFieldTarget.disabled = false;
+    this.emailFieldTarget.select();
+    this.editEmailButtonTarget.classList.add("hidden");
+    this.element.querySelectorAll(".initial-hidden").forEach(el => {
+      el.classList.remove("hidden");
+    })
+  }
+}

app/javascript/controllers/settings/toggle_controller.js

@@ -0,0 +1,30 @@
+import { Controller } from "@hotwired/stimulus"
+
+export default class extends Controller {
+  static targets = [ "button", "switch", "checkbox" ]
+  static values = { switchEnabled: Boolean }
+
+  connect () {
+    this.buttonTarget.classList.remove("hidden")
+    this.checkboxTarget.classList.add("hidden")
+  }
+
+  toggleSwitch () {
+    this.switchEnabledValue = !this.switchEnabledValue
+    this.checkboxTarget.checked = this.switchEnabledValue
+
+    if (this.switchEnabledValue) {
+      this.buttonTarget.setAttribute("aria-checked", "true");
+      this.buttonTarget.classList.remove("bg-gray-200")
+      this.buttonTarget.classList.add("bg-blue-600")
+      this.switchTarget.classList.remove("translate-x-0")
+      this.switchTarget.classList.add("translate-x-5")
+    } else {
+      this.buttonTarget.setAttribute("aria-checked", "false");
+      this.buttonTarget.classList.remove("bg-blue-600")
+      this.buttonTarget.classList.add("bg-gray-200")
+      this.switchTarget.classList.remove("translate-x-5")
+      this.switchTarget.classList.add("translate-x-0")
+    }
+  }
+}

app/jobs/create_lndhub_account_job.rb

@@ -0,0 +1,13 @@
+class CreateLndhubAccountJob < ApplicationJob
+  queue_as :default
+
+  def perform(user)
+    return if user.ln_account.present? && user.ln_password.present?
+
+    lndhub = LndhubV2.new
+    credentials = lndhub.create_account
+
+    user.update! ln_account: credentials["login"],
+                 ln_password: credentials["password"]
+  end
+end

app/jobs/create_lndhub_wallet_job.rb

@@ -1,13 +0,0 @@
-class CreateLndhubWalletJob < ApplicationJob
-  queue_as :default
-
-  def perform(user)
-    return if user.ln_login.present? && user.ln_password.present?
-
-    lndhub = Lndhub.new
-    credentials = lndhub.create({ partnerid: user.ou, accounttype: "user" })
-
-    user.update! ln_login: credentials["login"],
-                 ln_password: credentials["password"]
-  end
-end

app/jobs/exchange_xmpp_contacts_job.rb

@@ -1,18 +0,0 @@
-class ExchangeXmppContactsJob < ApplicationJob
-  queue_as :default
-
-  def perform(inviter, username, domain)
-    ejabberd = EjabberdApiClient.new
-
-    ejabberd.add_rosteritem({
-      "localuser": username, "localhost": domain,
-      "user": inviter.cn, "host": inviter.ou,
-      "nick": inviter.cn, "group": "Friends", "subs": "both"
-    })
-    ejabberd.add_rosteritem({
-      "localuser": inviter.cn, "localhost": inviter.ou,
-      "user": username, "host": domain,
-      "nick": username, "group": "Friends", "subs": "both"
-    })
-  end
-end

app/jobs/xmpp_exchange_contacts_job.rb

@@ -0,0 +1,22 @@
+class XmppExchangeContactsJob < ApplicationJob
+  queue_as :default
+
+  def perform(inviter, invitee)
+    return unless inviter.services_enabled.include?("xmpp") &&
+                  invitee.services_enabled.include?("xmpp") &&
+                  inviter.preferences[:xmpp_exchange_contacts_with_invitees]
+
+    ejabberd = EjabberdApiClient.new
+
+    ejabberd.add_rosteritem({
+      "localuser": invitee.cn, "localhost": invitee.ou,
+      "user": inviter.cn, "host": inviter.ou,
+      "nick": inviter.cn, "group": Setting.ejabberd_buddy_roster, "subs": "both"
+    })
+    ejabberd.add_rosteritem({
+      "localuser": inviter.cn, "localhost": inviter.ou,
+      "user": invitee.cn, "host": invitee.ou,
+      "nick": invitee.cn, "group": Setting.ejabberd_buddy_roster, "subs": "both"
+    })
+  end
+end

app/jobs/xmpp_send_message_job.rb

@@ -0,0 +1,8 @@
+class XmppSendMessageJob < ApplicationJob
+  queue_as :default
+
+  def perform(payload)
+    ejabberd = EjabberdApiClient.new
+    ejabberd.send_message payload
+  end
+end

app/jobs/xmpp_set_default_bookmarks_job.rb

@@ -0,0 +1,26 @@
+class XmppSetDefaultBookmarksJob < ApplicationJob
+  queue_as :default
+
+  def perform(user)
+    return unless Setting.xmpp_default_rooms.any?
+    @user = user
+    ejabberd = EjabberdApiClient.new
+    ejabberd.private_set user, storage_content
+  end
+
+  def storage_content
+    bookmarks = ""
+    Setting.xmpp_default_rooms.each do |r|
+      bookmarks << conference_element(
+        jid: r[/<(.+)>/, 1], name: r[/^(.+)\s/, 1], nick: @user.cn,
+        autojoin: Setting.xmpp_autojoin_default_rooms
+      )
+    end
+
+    "<storage xmlns='storage:bookmarks'>#{bookmarks}</storage>"
+  end
+
+  def conference_element(jid:, name:, autojoin: false, nick:)
+    "<conference jid='#{jid}' name='#{name}' autojoin='#{autojoin.to_s}'><nick>#{nick}</nick></conference>"
+  end
+end

app/mailers/application_mailer.rb

@@ -1,4 +1,3 @@
 class ApplicationMailer < ActionMailer::Base
-  default from: 'from@example.com'
   layout 'mailer'
 end

app/mailers/custom_mailer.rb

@@ -0,0 +1,23 @@
+# A custom mailer that can be used from the Rails console for one-off emails
+# today, and later connected from an admin panel mailing page.
+#
+# Assign any template variables you want to use:
+#
+#     user = User.first
+#
+# Create the email body from a custom email template file:
+#
+#     body = ERB.new(File.read('./tmp/mailer-1.txt.erb')).result binding
+#
+# Send email via Sidekiq:
+#
+#     CustomMailer.with(user: user, subject: "Important announcement", body: body).custom_message.deliver_later
+#
+class CustomMailer < ApplicationMailer
+  def custom_message
+    @user = params[:user]
+    @subject = params[:subject]
+    @body = params[:body]
+    mail(to: @user.email, subject: @subject)
+  end
+end

app/mailers/devise/mailer.rb

@@ -0,0 +1,34 @@
+# frozen_string_literal: true
+
+if defined?(ActionMailer)
+  class Devise::Mailer < Devise.parent_mailer.constantize
+    include Devise::Mailers::Helpers
+
+    def confirmation_instructions(record, token, opts = {})
+      @token = token
+      if record.pending_reconfirmation?
+        devise_mail(record, :reconfirmation_instructions, opts)
+      else
+        devise_mail(record, :confirmation_instructions, opts)
+      end
+    end
+
+    def reset_password_instructions(record, token, opts = {})
+      @token = token
+      devise_mail(record, :reset_password_instructions, opts)
+    end
+
+    def unlock_instructions(record, token, opts = {})
+      @token = token
+      devise_mail(record, :unlock_instructions, opts)
+    end
+
+    def email_changed(record, opts = {})
+      devise_mail(record, :email_changed, opts)
+    end
+
+    def password_change(record, opts = {})
+      devise_mail(record, :password_change, opts)
+    end
+  end
+end

app/mailers/notification_mailer.rb

@@ -0,0 +1,8 @@
+class NotificationMailer < ApplicationMailer
+  def lightning_sats_received
+    @user = params[:user]
+    @amount_sats = params[:amount_sats]
+    @subject = "Sats received"
+    mail to: @user.email, subject: @subject
+  end
+end

app/models/donation.rb

@@ -3,7 +3,9 @@ class Donation < ApplicationRecord
   belongs_to :user
 
   # Validations
+  validates_presence_of :user
   validates_presence_of :amount_sats
+  validates_presence_of :paid_at
 
   # Hooks
   # TODO before_create :store_fiat_value

app/models/invitation.rb

@@ -1,6 +1,7 @@
 class Invitation < ApplicationRecord
   # Relations
   belongs_to :user
+  belongs_to :invitee, class_name: "User", foreign_key: 'invited_user_id', optional: true
 
   # Validations
   validates_presence_of :user

app/models/lndhub_account.rb

@@ -0,0 +1,21 @@
+class LndhubAccount < LndhubBase
+  self.table_name = "accounts"
+  self.inheritance_column = :_type_disabled
+
+  has_many :ledgers, class_name: "LndhubAccountLedger",
+                     foreign_key: "account_id"
+
+  belongs_to :user, class_name: "LndhubUser",
+                    foreign_key: "user_id"
+
+  scope :current,  -> { where(type: "current") }
+  scope :outgoing, -> { where(type: "outgoing") }
+  scope :incoming, -> { where(type: "incoming") }
+  scope :fees,     -> { where(type: "fees") }
+
+  scope :with_balances, -> {
+    current.joins(:user).joins(:ledgers)
+      .group("accounts.id", "users.login")
+      .select("accounts.id, users.login, SUM(account_ledgers.amount) AS balance")
+  }
+end

app/models/lndhub_account_ledger.rb

@@ -0,0 +1,3 @@
+class LndhubAccountLedger < LndhubBase
+  self.table_name = "account_ledgers"
+end

app/models/lndhub_base.rb

@@ -0,0 +1,4 @@
+class LndhubBase < ActiveRecord::Base
+  self.abstract_class = true
+  establish_connection :lndhub
+end

app/models/lndhub_user.rb

@@ -0,0 +1,27 @@
+class LndhubUser < LndhubBase
+  self.table_name = "users"
+  self.inheritance_column = :_type_disabled
+
+  has_many :accounts, class_name: "LndhubAccount",
+                      foreign_key: "user_id"
+
+  belongs_to :user, class_name: "User",
+                    primary_key: "ln_account",
+                    foreign_key: "login"
+
+  def balance
+    accounts.current.first.ledgers.sum("account_ledgers.amount").to_i.abs
+  end
+
+  def sum_outgoing
+    accounts.outgoing.first.ledgers.sum("account_ledgers.amount").to_i.abs
+  end
+
+  def sum_incoming
+    accounts.incoming.first.ledgers.sum("account_ledgers.amount").to_i.abs
+  end
+
+  def sum_fees
+    accounts.fees.first.ledgers.sum("account_ledgers.amount").to_i.abs
+  end
+end

app/models/setting.rb

@@ -0,0 +1,130 @@
+# RailsSettings Model
+class Setting < RailsSettings::Base
+  cache_prefix { "v1" }
+
+  field :accounts_domain, type: :string,
+    default: ENV["AKKOUNTS_DOMAIN"].presence
+
+  #
+  # Internal services
+  #
+
+  field :redis_url, type: :string, readonly: true,
+    default: ENV["REDIS_URL"] || "redis://localhost:6379/0"
+
+  #
+  # Registrations
+  #
+
+  field :reserved_usernames, type: :array, default: %w[
+    account accounts donations mail webmaster support
+  ]
+
+  #
+  # XMPP
+  #
+
+  field :xmpp_default_rooms, type: :array, default: []
+  field :xmpp_autojoin_default_rooms, type: :boolean, default: false
+
+  #
+  # Sentry
+  #
+
+  field :sentry_enabled, type: :boolean, readonly: true,
+    default: (ENV["SENTRY_DSN"].present?.to_s || false)
+
+  #
+  # Discourse
+  #
+
+  field :discourse_public_url, type: :string, readonly: true,
+    default: ENV["DISCOURSE_PUBLIC_URL"].presence
+
+  field :discourse_enabled, type: :boolean,
+    default: (ENV["DISCOURSE_PUBLIC_URL"].present?.to_s || false)
+
+  field :discourse_connect_secret, type: :string, readonly: true,
+    default: ENV["DISCOURSE_CONNECT_SECRET"].presence
+
+  #
+  # ejabberd
+  #
+
+  field :ejabberd_enabled, type: :boolean,
+    default: (ENV["EJABBERD_API_URL"].present?.to_s || false)
+
+  field :ejabberd_api_url, type: :string, readonly: true,
+    default: ENV["EJABBERD_API_URL"].presence
+
+  field :ejabberd_admin_url, type: :string, readonly: true,
+    default: ENV["EJABBERD_ADMIN_URL"].presence
+
+  field :ejabberd_buddy_roster, type: :string,
+    default: "Buddies"
+
+  #
+  # Gitea
+  #
+
+  field :gitea_public_url, type: :string, readonly: true,
+    default: ENV["GITEA_PUBLIC_URL"].presence
+
+  field :gitea_enabled, type: :boolean,
+    default: (ENV["GITEA_PUBLIC_URL"].present?.to_s || false)
+
+  #
+  # Lightning Network
+  #
+
+  field :lndhub_api_url, type: :string, readonly: true,
+    default: ENV["LNDHUB_API_URL"].presence
+
+  field :lndhub_enabled, type: :boolean,
+    default: (ENV["LNDHUB_API_URL"].present?.to_s || false)
+
+  field :lndhub_admin_enabled, type: :boolean,
+    default: (ENV["LNDHUB_ADMIN_UI"] || false)
+
+  field :lndhub_public_key, type: :string, readonly: true,
+    default: (ENV["LNDHUB_PUBLIC_KEY"] || "")
+
+  field :lndhub_keysend_enabled, type: :boolean,
+    default: -> { self.lndhub_public_key.present?.to_s || false }
+
+  #
+  # Mastodon
+  #
+
+  field :mastodon_public_url, type: :string, readonly: true,
+    default: ENV["MASTODON_PUBLIC_URL"].presence
+
+  field :mastodon_enabled, type: :boolean,
+    default: (ENV["MASTODON_PUBLIC_URL"].present?.to_s || false)
+
+  #
+  # MediaWiki
+  #
+
+  field :mediawiki_public_url, type: :string, readonly: true,
+    default: ENV["MEDIAWIKI_PUBLIC_URL"].presence
+
+  field :mediawiki_enabled, type: :boolean,
+    default: (ENV["MEDIAWIKI_PUBLIC_URL"].present?.to_s || false)
+
+  #
+  # Nostr
+  #
+
+  field :nostr_enabled, type: :boolean, default: true
+
+  #
+  # RemoteStorage
+  #
+
+  field :remotestorage_enabled, type: :boolean,
+    default: (ENV["RS_STORAGE_URL"].present?.to_s || false)
+
+  field :rs_storage_url, type: :string,
+    default: ENV["RS_STORAGE_URL"].presence
+end

app/models/user.rb

@@ -1,30 +1,60 @@
 class User < ApplicationRecord
   include EmailValidatable
 
+  attr_accessor :display_name
+
+  serialize :preferences, UserPreferences
+
   # Relations
   has_many :invitations, dependent: :destroy
+  has_one  :invitation, inverse_of: :invitee, foreign_key: 'invited_user_id'
+  has_one  :inviter, through: :invitation, source: :user
+  has_many :invitees, through: :invitations
+
   has_many :donations, dependent: :nullify
 
+  has_one  :lndhub_user, class_name: "LndhubUser", inverse_of: "user",
+                         primary_key: "ln_account", foreign_key: "login"
+
+  has_many :accounts, through: :lndhub_user
+
   validates_uniqueness_of :cn
-  validates_length_of :cn, :minimum => 3
+  validates_length_of :cn, minimum: 3
+  validates_format_of :cn, with: /\A([a-z0-9\-])*\z/,
+                           if: Proc.new{ |u| u.cn.present? },
+                           message: "is invalid. Please use only letters, numbers and -"
+  validates_format_of :cn, without: /\A-/,
+                           if: Proc.new{ |u| u.cn.present? },
+                           message: "is invalid. Usernames need to start with a letter."
+  # FIXME This needs a server restart to apply values
+  validates_format_of :cn, without: /\A(#{Setting.reserved_usernames.join('|')})\z/i,
+                           message: "has already been taken"
+
   validates_uniqueness_of :email
   validates :email, email: true
 
-  lockbox_encrypts :ln_login
+  validates_length_of :display_name, minimum: 3, maximum: 35, allow_blank: true,
-  lockbox_encrypts :ln_password
+                                     if: -> { defined?(@display_name) }
+
+  scope :confirmed, -> { where.not(confirmed_at: nil) }
+  scope :pending,   -> { where(confirmed_at: nil) }
+
+  has_encrypted :ln_login, :ln_password
 
   # Include default devise modules. Others available are:
   # :confirmable, :lockable, :timeoutable, :trackable and :omniauthable
   devise :ldap_authenticatable,
          :confirmable,
          :recoverable,
-         :validatable
+         :validatable,
+         :timeoutable,
+         :rememberable
 
   def ldap_before_save
     self.email = Devise::LDAP::Adapter.get_ldap_param(self.cn, "mail").first
-
+    self.ou    = dn.split(',')
-    dn = Devise::LDAP::Adapter.get_ldap_param(self.cn, "dn")
+                   .select{|e| e[0..1] == "ou"}.first
-    self.ou = dn.split(',').select{|e| e[0..1] == "ou"}.first.delete_prefix("ou=")
+                   .delete_prefix("ou=")
 
     if self.confirmed_at.blank? && self.confirmation_token.blank?
       # User had an account with a trusted email address before akkounts was a thing
@@ -32,11 +62,33 @@ class User < ApplicationRecord
     end
   end
 
-  def reset_password(new_password, new_password_confirmation)
+  def devise_after_confirmation
-    if new_password == new_password_confirmation && ::Devise.ldap_update_password
+    if ldap_entry[:mail] != self.email
-      Devise::LDAP::Adapter.update_password(login_with, new_password)
+      # E-Mail update confirmed
+      LdapManager::UpdateEmail.call(self.dn, self.email)
+    else
+      # E-Mail from signup confirmed (i.e. account activation)
+      enable_service %w[ discourse gitea mediawiki xmpp ]
+
+      #TODO enable in development when we have easy setup of ejabberd etc.
+      return if Rails.env.development? || !Setting.ejabberd_enabled?
+
+      XmppExchangeContactsJob.perform_later(inviter, self) if inviter.present?
+      XmppSetDefaultBookmarksJob.perform_later(self)
     end
-    clear_reset_password_token if valid?
+  end
+
+  def send_devise_notification(notification, *args)
+    devise_mailer.send(notification, self, *args).deliver_later
+  end
+
+  def reset_password(new_password, new_password_confirmation)
+    self.password = new_password
+    self.password_confirmation = new_password_confirmation
+    return false unless valid?
+
+    Devise::LDAP::Adapter.update_password(login_with, new_password)
+    clear_reset_password_token
     save
   end
 
@@ -62,4 +114,47 @@ class User < ApplicationRecord
     lndhub.authenticate self
     lndhub.addinvoice payload
   end
+
+  def dn
+    return @dn if defined?(@dn)
+    @dn = Devise::LDAP::Adapter.get_dn(self.cn)
+  end
+
+  def ldap_entry(reload: false)
+    return @ldap_entry if defined?(@ldap_entry) && !reload
+    @ldap_entry = ldap.fetch_users(uid: self.cn, ou: self.ou).first
+  end
+
+  def display_name
+    @display_name ||= ldap_entry[:display_name]
+  end
+
+  def services_enabled
+    ldap_entry[:service] || []
+  end
+
+  def enable_service(service)
+    current_services = services_enabled
+    new_services = Array(service).map(&:to_s)
+    services = (current_services + new_services).uniq
+    ldap.replace_attribute(dn, :service, services)
+  end
+
+  def disable_service(service)
+    current_services = services_enabled
+    disabled_services = Array(service).map(&:to_s)
+    services = (current_services - disabled_services).uniq
+    ldap.replace_attribute(dn, :service, services)
+  end
+
+  def disable_all_services
+    ldap.delete_attribute(dn,:service)
+  end
+
+  private
+
+    def ldap
+      return @ldap_service if defined?(@ldap_service)
+      @ldap_service = LdapService.new
+    end
 end

app/models/user_preferences.rb

@@ -0,0 +1,29 @@
+DEFAULT_PREFS = YAML.load_file("#{Rails.root}/config/default_preferences.yml")
+
+class UserPreferences
+  def self.dump(value)
+    process(value).to_yaml
+  end
+
+  def self.load(string)
+    stored_prefs = YAML.load(string || "{}")
+    DEFAULT_PREFS.merge(stored_prefs).with_indifferent_access
+  end
+
+  def self.is_integer?(value)
+    value.to_i.to_s == value
+  end
+
+  def self.process(hash)
+    hash.each do |key, value|
+      if value == "true"
+        hash[key] = true
+      elsif value == "false"
+        hash[key] = false
+      elsif value.is_a?(String) && is_integer?(value)
+        hash[key] = value.to_i
+      end
+    end
+    hash.stringify_keys!.to_h
+  end
+end

app/services/create_account.rb

@@ -5,16 +5,16 @@ class CreateAccount < ApplicationService
     @email      = args[:email]
     @password   = args[:password]
     @invitation = args[:invitation]
+    @confirmed  = args[:confirmed]
   end
 
   def call
     user = create_user_in_database
     add_ldap_document
-    create_lndhub_wallet(user)
+    create_lndhub_account(user) if Setting.lndhub_enabled
 
     if @invitation.present?
       update_invitation(user.id)
-      exchange_xmpp_contacts
     end
   end
 
@@ -26,7 +26,8 @@ class CreateAccount < ApplicationService
       ou: @domain,
       email: @email,
       password: @password,
-      password_confirmation: @password
+      password_confirmation: @password,
+      confirmed_at: @confirmed ? DateTime.now : nil
     )
   end
 
@@ -35,32 +36,15 @@ class CreateAccount < ApplicationService
   end
 
   # TODO move to confirmation
+  # (and/or add email_confirmed to entry and use in login filter)
   def add_ldap_document
     hashed_pw = Devise.ldap_auth_password_builder.call(@password)
     CreateLdapUserJob.perform_later(@username, @domain, @email, hashed_pw)
   end
 
-  def exchange_xmpp_contacts
+  def create_lndhub_account(user)
-    #TODO enable in development when we have easy setup of ejabberd etc.
+    #TODO enable in development when we have a local lndhub (mock?) API
     return if Rails.env.development?
-    ExchangeXmppContactsJob.perform_later(@invitation.user, @username, @domain)
+    CreateLndhubAccountJob.perform_later(user)
-  end
-
-  def create_lndhub_wallet(user)
-    CreateLndhubWalletJob.perform_later(user)
-  end
-
-  def exchange_xmpp_contacts_between_inviter_and_invitee
-    ejabberd = EjabberdApiClient.new
-
-    EjabberdApiClient.add_roster_item({
-      "localuser": @username,
-      "localhost": @domain,
-      "user": @inviter.cn,
-      "host": @inviter.ou,
-      "nick": @username,
-      "group": "Friends",
-      "subs": "both"
-    })
   end
 end

app/services/ejabberd_api_client.rb

@@ -1,6 +1,6 @@
 class EjabberdApiClient
   def initialize
-    @base_url = ENV["EJABBERD_API_URL"]
+    @base_url = Setting.ejabberd_api_url
   end
 
   def post(endpoint, payload)
@@ -10,11 +10,20 @@ class EjabberdApiClient
     if res.status != 200
       Rails.logger.error "[ejabberd] API request failed:"
       Rails.logger.error res.body
-      #TODO add some kind of exception tracking/notifications
+      #TODO Send custom event to Sentry
     end
   end
 
   def add_rosteritem(payload)
     post "add_rosteritem", payload
   end
+
+  def send_message(payload)
+    post "send_message", payload
+  end
+
+  def private_set(user, content)
+    payload = { user: user.cn, host: user.ou, element: content }
+    post "private_set", payload
+  end
 end

app/services/ldap_manager/update_display_name.rb

@@ -0,0 +1,12 @@
+module LdapManager
+  class UpdateDisplayName < LdapManagerService
+    def initialize(dn, display_name)
+      @dn = dn
+      @display_name = display_name
+    end
+
+    def call
+      replace_attribute @dn, :displayName, @display_name
+    end
+  end
+end

app/services/ldap_manager/update_email.rb

@@ -0,0 +1,12 @@
+module LdapManager
+  class UpdateEmail < LdapManagerService
+    def initialize(dn, address)
+      @dn = dn
+      @address = address
+    end
+
+    def call
+      replace_attribute @dn, :mail, @address
+    end
+  end
+end

app/services/ldap_manager_service.rb

@@ -0,0 +1,2 @@
+class LdapManagerService < LdapService
+end

app/services/ldap_service.rb

@@ -3,6 +3,18 @@ class LdapService < ApplicationService
     @suffix = ENV["LDAP_SUFFIX"] || "dc=kosmos,dc=org"
   end
 
+  def add_attribute(dn, attr, values)
+    ldap_client.add_attribute dn, attr, values
+  end
+
+  def replace_attribute(dn, attr, values)
+    ldap_client.replace_attribute dn, attr, values
+  end
+
+  def delete_attribute(dn, attr)
+    ldap_client.delete_attribute dn, attr
+  end
+
   def add_entry(dn, attrs, interactive=false)
     puts "Adding entry: #{dn}" if interactive
     res = ldap_client.add dn: dn, attributes: attrs
@@ -17,7 +29,7 @@ class LdapService < ApplicationService
     res
   end
 
-  def delete_all_entries
+  def delete_all_entries!
     if Rails.env.production?
       raise "Mass deletion of entries not allowed in production"
     end
@@ -38,18 +50,18 @@ class LdapService < ApplicationService
       treebase = ldap_config["base"]
     end
 
-    attributes = %w{dn cn uid mail admin}
+    attributes = %w{dn cn uid mail displayName admin service}
-    filter     = Net::LDAP::Filter.eq("uid", "*")
+    filter     = Net::LDAP::Filter.eq("uid", args[:uid] || "*")
 
     entries = ldap_client.search(base: treebase, filter: filter, attributes: attributes)
     entries.sort_by! { |e| e.cn[0] }
-
     entries = entries.collect do |e|
       {
         uid: e.uid.first,
         mail: e.try(:mail) ? e.mail.first : nil,
-        admin: e.try(:admin) ? 'admin' : nil
+        display_name: e.try(:displayName) ? e.displayName.first : nil,
-        # password: e.userpassword.first
+        admin: e.try(:admin) ? 'admin' : nil,
+        service: e.try(:service)
       }
     end
   end
@@ -90,6 +102,26 @@ class LdapService < ApplicationService
     add_entry dn, attrs, interactive
   end
 
+  def reset_directory!
+    if Rails.env.production?
+      raise "Resetting the directory not allowed in production"
+    end
+
+    delete_all_entries!
+
+    user_read_aci = <<-EOS
+(target="ldap:///#{@suffix}")(targetattr="*") (version 3.0; acl "user-read-search-own-attributes"; allow (read,search) userdn="ldap:///self";)
+    EOS
+
+    add_entry @suffix, {
+      dc: "kosmos", objectClass: ["top", "domain"], aci: user_read_aci
+    }, true
+
+    add_entry "cn=users,#{@suffix}", {
+       cn: "users", objectClass: ["top", "organizationalRole"]
+    }, true
+  end
+
   private
 
   def ldap_client
@@ -107,5 +139,4 @@ class LdapService < ApplicationService
   def ldap_config
     ldap_config ||= YAML.load(ERB.new(File.read("#{Rails.root}/config/ldap.yml")).result)[Rails.env]
   end
-
 end