0.8.1

Reviewed-on: #145

.drone.yml

@@ -0,0 +1,59 @@
+---
+kind: pipeline
+type: docker
+name: CI build
+
+steps:
+  - name: restore-cache
+    image: drillster/drone-volume-cache
+    volumes:
+    - name: cache
+      path: /cache
+    settings:
+      restore: true
+      mount:
+      - ./vendor/cache
+    when:
+      branch:
+        - master
+  - name: rspec
+    image: guildeducation/rails:2.7.2-14.20.0
+    environment:
+      RAILS_ENV: test
+      REDIS_URL: redis://redis:6379/0
+      RS_REDIS_URL: redis://redis:6379/1
+    commands:
+      - bundle config unset deployment
+      - bundle config set cache_all 'true'
+      - bundle config set cache_path 'vendor/cache'
+      - bundle config set with 'development test'
+      - bundle install --jobs=3 --retry=3
+      - yarn install
+      - rake css:build
+      - bundle exec rspec
+  - name: rebuild-cache
+    image: drillster/drone-volume-cache
+    volumes:
+    - name: cache
+      path: /cache
+    settings:
+      rebuild: true
+      mount:
+      - ./vendor/cache
+    when:
+      branch:
+        - master
+
+services:
+  - name: redis
+    image: redis
+
+volumes:
+  - name: cache
+    host:
+      path: /var/lib/drone/tmp
+---
+kind: signature
+hmac: f9a8cf97f6596625721365f6238f6f298aa5a7a4de10c3fb61c57202ae9d1ee1
+
+...

.env.example

@@ -1,8 +1,46 @@
-LDAP_HOST=192.168.33.10
+PRIMARY_DOMAIN=kosmos.org
+AKKOUNTS_DOMAIN=accounts.example.com
+
+SMTP_SERVER=smtp.example.com
+SMTP_PORT=587
+SMTP_LOGIN=accounts
+SMTP_PASSWORD=123abc
+SMTP_FROM_ADDRESS=accounts@example.com
+SMTP_DOMAIN=example.com
+SMTP_AUTH_METHOD=plain
+SMTP_ENABLE_STARTTLS=auto
+
+LDAP_HOST=localhost
 LDAP_PORT=389
-#
-# Production LDAP server:
-#
-# LDAP_HOST=ldap.kosmos.org
-# LDAP_PORT=636
-# LDAP_USE_TLS=true
+LDAP_ADMIN_PASSWORD=passthebutter
+LDAP_SUFFIX='dc=kosmos,dc=org'
+
+REDIS_URL='redis://localhost:6379/1'
+
+WEBHOOKS_ALLOWED_IPS='10.1.1.163'
+
+DISCOURSE_PUBLIC_URL='https://community.kosmos.org'
+DISCOURSE_CONNECT_SECRET='discourse_connect_ftw'
+
+DRONECI_PUBLIC_URL='https://drone.kosmos.org'
+
+GITEA_PUBLIC_URL='https://gitea.kosmos.org'
+MASTODON_PUBLIC_URL='https://kosmos.social'
+MEDIAWIKI_PUBLIC_URL='https://wiki.kosmos.org'
+RS_STORAGE_URL='https://storage.kosmos.org'
+RS_REDIS_URL='redis://localhost:6379/2'
+
+EJABBERD_ADMIN_URL='https://xmpp.kosmos.org/admin'
+EJABBERD_API_URL='https://xmpp.kosmos.org/api'
+
+BTCPAY_API_URL='http://localhost:23001/api/v1'
+
+LNDHUB_API_URL='http://localhost:3023'
+LNDHUB_PUBLIC_URL='https://lndhub.kosmos.org'
+LNDHUB_PUBLIC_KEY='0123d3be18617f39cf645851e3ba63f51fc13f0bb09e3bb25e6fd4de556486d946'
+LNDHUB_ADMIN_UI=true
+LNDHUB_PG_HOST=localhost
+LNDHUB_PG_PORT=5432
+LNDHUB_PG_DATABASE=lndhub
+LNDHUB_PG_USERNAME=lndhub
+LNDHUB_PG_PASSWORD=''

.env.test

@@ -0,0 +1,19 @@
+PRIMARY_DOMAIN=kosmos.org
+
+REDIS_URL='redis://localhost:6379/0'
+
+DISCOURSE_PUBLIC_URL='http://discourse.example.com'
+DISCOURSE_CONNECT_SECRET='discourse_connect_ftw'
+
+EJABBERD_API_URL='http://xmpp.example.com/api'
+
+BTCPAY_API_URL='http://btcpay.example.com/api/v1'
+
+LNDHUB_API_URL='http://localhost:3026'
+LNDHUB_PUBLIC_URL='https://lndhub.kosmos.org'
+LNDHUB_PUBLIC_KEY='024cd3be18617f39cf645851e3ba63f51fc13f0bb09e3bb25e6fd4de556486d946'
+
+RS_STORAGE_URL='https://storage.kosmos.org'
+RS_REDIS_URL='redis://localhost:6379/1'
+
+WEBHOOKS_ALLOWED_IPS='10.1.1.23'

.gitea/release-drafter.yml

@@ -0,0 +1,14 @@
+name-template: 'v$RESOLVED_VERSION'
+tag-template: 'v$RESOLVED_VERSION'
+version-resolver:
+  major:
+    labels:
+      - 'release/major'
+  minor:
+    labels:
+      - 'release/minor'
+      - 'feature'
+  patch:
+    labels:
+      - 'release/patch'
+  default: patch

.gitea/workflows/release_drafter.yml

@@ -0,0 +1,11 @@
+name: Release Drafter
+on:
+  pull_request:
+    types: [closed]
+jobs:
+  release_drafter_job:
+    name: Update release notes draft
+    runs-on: ubuntu-latest
+    steps:
+      - name: Release Drafter
+        uses: https://github.com/raucao/gitea-release-drafter@dev

.gitignore

@@ -39,3 +39,10 @@ yarn-debug.log*
 
 # Ignore local dotenv config file
 .env
+.env.development
+
+# Ignore redis dumps from sidekiq
+dump.rdb
+
+/app/assets/builds/*
+!/app/assets/builds/.keep

.ruby-version

@@ -1 +1 @@
-2.6.1
+2.7.2

Dockerfile

@@ -0,0 +1,21 @@
+# syntax=docker/dockerfile:1
+FROM ruby:2.7.6
+
+SHELL ["/bin/bash", "-o", "pipefail", "-c"]
+
+RUN apt-get update -qq && apt-get install -y --no-install-recommends curl \
+      ldap-utils tini
+RUN curl -fsSL https://deb.nodesource.com/setup_lts.x | bash -
+RUN apt-get update && apt-get install -y nodejs
+
+WORKDIR /akkounts
+
+COPY ["Gemfile", "Gemfile.lock", "package.json", "./"]
+
+RUN bundle install
+RUN gem install foreman
+RUN npm install -g yarn
+RUN yarn install
+
+ENTRYPOINT ["/usr/bin/tini", "--"]
+EXPOSE 3000

Gemfile

@@ -1,20 +1,22 @@
 source 'https://rubygems.org'
 git_source(:github) { |repo| "https://github.com/#{repo}.git" }
 
-ruby '2.6.1'
-
 # Bundle edge Rails instead: gem 'rails', github: 'rails/rails'
-gem 'rails', '~> 6.0.3', '>= 6.0.3.4'
-# Use sqlite3 as the database for Active Record
-gem 'sqlite3', '~> 1.4'
+gem 'rails', '~> 7.0.2'
 # Use Puma as the app server
 gem 'puma', '~> 4.1'
-# Use SCSS for stylesheets
-gem 'sass-rails', '>= 6'
-# Transpile app-like JavaScript. Read more: https://github.com/rails/webpacker
-gem 'webpacker', '~> 4.0'
-# Turbolinks makes navigating your web application faster. Read more: https://github.com/turbolinks/turbolinks
-gem 'turbolinks', '~> 5'
+# View components
+gem "view_component"
+# Separate dependency since Rails 7.0
+gem 'sprockets-rails'
+# Allows custom JS build tasks to integrate with the asset pipeline
+gem 'cssbundling-rails'
+# Use JavaScript with ESM import maps [https://github.com/rails/importmap-rails]
+gem "importmap-rails"
+# Hotwire's SPA-like page accelerator [https://turbo.hotwired.dev]
+gem "turbo-rails"
+# Hotwire's modest JavaScript framework [https://stimulus.hotwired.dev]
+gem "stimulus-rails"
 # Build JSON APIs with ease. Read more: https://github.com/rails/jbuilder
 gem 'jbuilder', '~> 2.7'
 # Use Redis adapter to run Action Cable in production
@@ -22,38 +24,70 @@ gem 'jbuilder', '~> 2.7'
 # Use Active Model has_secure_password
 # gem 'bcrypt', '~> 3.1.7'
 
-# Reduces boot times through caching; required in config/boot.rb
-gem 'bootsnap', '>= 1.4.2', require: false
+# Configuration
+gem 'dotenv-rails'
 
-gem 'dotenv-rails', groups: [:development, :test]
+# Security
+gem 'lockbox'
 
+# Authentication
 gem 'warden'
-gem 'devise'
+gem 'devise', '~> 4.9.0'
 gem 'devise_ldap_authenticatable'
 gem 'net-ldap'
 
+# Utilities
+gem "rqrcode", "~> 2.0"
+gem 'rails-settings-cached', '~> 2.8.3'
+gem 'pagy', '~> 6.0', '>= 6.0.2'
+gem 'flipper'
+gem 'flipper-active_record'
+gem 'flipper-ui'
+
+# HTTP requests
+gem 'faraday'
+
+# Background/scheduled jobs
+gem 'sidekiq', '< 7'
+gem 'sidekiq-scheduler'
+
+# Monitoring
+gem "sentry-ruby"
+gem "sentry-rails"
+
+# Services
+gem 'discourse_api'
+gem "lnurl"
+gem 'nostr', git: 'https://gitea.kosmos.org/kosmos/nostr-gem.git', branch: 'feature/ruby_2.7_compat'
+
 group :development, :test do
-  # Call 'byebug' anywhere in the code to stop execution and get a debugger console
-  gem 'byebug', platforms: [:mri, :mingw, :x64_mingw]
+  # Use sqlite3 as the database for Active Record
+  gem 'sqlite3', '~> 1.4'
+  gem 'rspec-rails'
+  gem 'rails-controller-testing'
+  gem "byebug", "~> 11.1"
 end
 
 group :development do
   # Access an interactive console on exception pages or by calling 'console' anywhere in the code.
   gem 'web-console', '>= 3.3.0'
   gem 'listen', '~> 3.2'
-  # Spring speeds up development by keeping your application running in the background. Read more: https://github.com/rails/spring
-  gem 'spring'
-  gem 'spring-watcher-listen', '~> 2.0.0'
   gem 'letter_opener'
   gem 'letter_opener_web'
+  gem 'faker'
+  gem 'solargraph'
 end
 
 group :test do
-  gem 'rspec-rails'
   gem 'factory_bot_rails'
   gem 'capybara'
   gem 'database_cleaner'
+  gem 'webmock'
 end
 
+group :production do
+  # Use postgresql as the database for Active Record
+  gem 'pg', '~> 1.2.3'
+end
 # Windows does not include zoneinfo files, so bundle the tzinfo-data gem
 gem 'tzinfo-data', platforms: [:mingw, :mswin, :x64_mingw, :jruby]

Gemfile.lock

@@ -1,81 +1,122 @@
+GIT
+  remote: https://gitea.kosmos.org/kosmos/nostr-gem.git
+  revision: 596529d9eb50d13b3f385245636698fccf37b442
+  branch: feature/ruby_2.7_compat
+  specs:
+    nostr (0.4.0)
+      bech32 (~> 1.3)
+      bip-schnorr (~> 0.4)
+      ecdsa (~> 1.2)
+      event_emitter (~> 0.2)
+      faye-websocket (~> 0.11)
+      json (~> 2.6)
+
 GEM
   remote: https://rubygems.org/
   specs:
-    actioncable (6.0.3.4)
-      actionpack (= 6.0.3.4)
+    actioncable (7.0.5)
+      actionpack (= 7.0.5)
+      activesupport (= 7.0.5)
       nio4r (~> 2.0)
       websocket-driver (>= 0.6.1)
-    actionmailbox (6.0.3.4)
-      actionpack (= 6.0.3.4)
-      activejob (= 6.0.3.4)
-      activerecord (= 6.0.3.4)
-      activestorage (= 6.0.3.4)
-      activesupport (= 6.0.3.4)
+    actionmailbox (7.0.5)
+      actionpack (= 7.0.5)
+      activejob (= 7.0.5)
+      activerecord (= 7.0.5)
+      activestorage (= 7.0.5)
+      activesupport (= 7.0.5)
       mail (>= 2.7.1)
-    actionmailer (6.0.3.4)
-      actionpack (= 6.0.3.4)
-      actionview (= 6.0.3.4)
-      activejob (= 6.0.3.4)
+      net-imap
+      net-pop
+      net-smtp
+    actionmailer (7.0.5)
+      actionpack (= 7.0.5)
+      actionview (= 7.0.5)
+      activejob (= 7.0.5)
+      activesupport (= 7.0.5)
       mail (~> 2.5, >= 2.5.4)
+      net-imap
+      net-pop
+      net-smtp
       rails-dom-testing (~> 2.0)
-    actionpack (6.0.3.4)
-      actionview (= 6.0.3.4)
-      activesupport (= 6.0.3.4)
-      rack (~> 2.0, >= 2.0.8)
+    actionpack (7.0.5)
+      actionview (= 7.0.5)
+      activesupport (= 7.0.5)
+      rack (~> 2.0, >= 2.2.4)
       rack-test (>= 0.6.3)
       rails-dom-testing (~> 2.0)
       rails-html-sanitizer (~> 1.0, >= 1.2.0)
-    actiontext (6.0.3.4)
-      actionpack (= 6.0.3.4)
-      activerecord (= 6.0.3.4)
-      activestorage (= 6.0.3.4)
-      activesupport (= 6.0.3.4)
+    actiontext (7.0.5)
+      actionpack (= 7.0.5)
+      activerecord (= 7.0.5)
+      activestorage (= 7.0.5)
+      activesupport (= 7.0.5)
+      globalid (>= 0.6.0)
       nokogiri (>= 1.8.5)
-    actionview (6.0.3.4)
-      activesupport (= 6.0.3.4)
+    actionview (7.0.5)
+      activesupport (= 7.0.5)
       builder (~> 3.1)
       erubi (~> 1.4)
       rails-dom-testing (~> 2.0)
       rails-html-sanitizer (~> 1.1, >= 1.2.0)
-    activejob (6.0.3.4)
-      activesupport (= 6.0.3.4)
+    activejob (7.0.5)
+      activesupport (= 7.0.5)
       globalid (>= 0.3.6)
-    activemodel (6.0.3.4)
-      activesupport (= 6.0.3.4)
-    activerecord (6.0.3.4)
-      activemodel (= 6.0.3.4)
-      activesupport (= 6.0.3.4)
-    activestorage (6.0.3.4)
-      actionpack (= 6.0.3.4)
-      activejob (= 6.0.3.4)
-      activerecord (= 6.0.3.4)
-      marcel (~> 0.3.1)
-    activesupport (6.0.3.4)
+    activemodel (7.0.5)
+      activesupport (= 7.0.5)
+    activerecord (7.0.5)
+      activemodel (= 7.0.5)
+      activesupport (= 7.0.5)
+    activestorage (7.0.5)
+      actionpack (= 7.0.5)
+      activejob (= 7.0.5)
+      activerecord (= 7.0.5)
+      activesupport (= 7.0.5)
+      marcel (~> 1.0)
+      mini_mime (>= 1.1.0)
+    activesupport (7.0.5)
       concurrent-ruby (~> 1.0, >= 1.0.2)
-      i18n (>= 0.7, < 2)
-      minitest (~> 5.1)
-      tzinfo (~> 1.1)
-      zeitwerk (~> 2.2, >= 2.2.2)
-    addressable (2.7.0)
-      public_suffix (>= 2.0.2, < 5.0)
-    bcrypt (3.1.16)
+      i18n (>= 1.6, < 2)
+      minitest (>= 5.1)
+      tzinfo (~> 2.0)
+    addressable (2.8.4)
+      public_suffix (>= 2.0.2, < 6.0)
+    ast (2.4.2)
+    backport (1.2.0)
+    bcrypt (3.1.18)
+    bech32 (1.3.0)
+      thor (>= 1.1.0)
+    benchmark (0.2.1)
     bindex (0.8.1)
-    bootsnap (1.5.0)
-      msgpack (~> 1.0)
+    bip-schnorr (0.6.0)
+      ecdsa_ext (~> 0.5.0)
     builder (3.2.4)
     byebug (11.1.3)
-    capybara (3.33.0)
+    capybara (3.39.2)
       addressable
+      matrix
       mini_mime (>= 0.1.3)
       nokogiri (~> 1.8)
       rack (>= 1.6.0)
       rack-test (>= 0.6.3)
-      regexp_parser (~> 1.5)
+      regexp_parser (>= 1.5, < 3.0)
       xpath (~> 3.2)
-    concurrent-ruby (1.1.7)
+    chunky_png (1.4.0)
+    concurrent-ruby (1.2.2)
+    connection_pool (2.4.1)
+    crack (0.4.5)
+      rexml
     crass (1.0.6)
-    database_cleaner (1.8.5)
-    devise (4.7.3)
+    cssbundling-rails (1.1.2)
+      railties (>= 6.0.0)
+    database_cleaner (2.0.2)
+      database_cleaner-active_record (>= 2, < 3)
+    database_cleaner-active_record (2.1.0)
+      activerecord (>= 5.a)
+      database_cleaner-core (~> 2.0.0)
+    database_cleaner-core (2.0.1)
+    date (3.3.3)
+    devise (4.9.2)
       bcrypt (~> 3.0)
       orm_adapter (~> 0.1)
       railties (>= 4.1.0)
@@ -84,192 +125,347 @@ GEM
     devise_ldap_authenticatable (0.8.7)
       devise (>= 3.4.1)
       net-ldap (>= 0.16.0)
-    diff-lcs (1.4.4)
-    dotenv (2.7.2)
-    dotenv-rails (2.7.2)
-      dotenv (= 2.7.2)
-      railties (>= 3.2, < 6.1)
-    erubi (1.9.0)
-    factory_bot (6.1.0)
-      activesupport (>= 5.0.0)
-    factory_bot_rails (6.1.0)
-      factory_bot (~> 6.1.0)
-      railties (>= 5.0.0)
-    ffi (1.13.1)
-    globalid (0.4.2)
-      activesupport (>= 4.2.0)
-    i18n (1.8.5)
-      concurrent-ruby (~> 1.0)
-    jbuilder (2.10.1)
-      activesupport (>= 5.0.0)
-    launchy (2.4.3)
-      addressable (~> 2.3)
-    letter_opener (1.7.0)
-      launchy (~> 2.2)
-    letter_opener_web (1.3.4)
-      actionmailer (>= 3.2)
-      letter_opener (~> 1.0)
+    diff-lcs (1.5.0)
+    discourse_api (2.0.1)
+      faraday (~> 2.7)
+      faraday-follow_redirects
+      faraday-multipart
+      rack (>= 1.6)
+    dotenv (2.8.1)
+    dotenv-rails (2.8.1)
+      dotenv (= 2.8.1)
       railties (>= 3.2)
-    listen (3.2.1)
+    e2mmap (0.1.0)
+    ecdsa (1.2.0)
+    ecdsa_ext (0.5.0)
+      ecdsa (~> 1.2.0)
+    erubi (1.12.0)
+    et-orbi (1.2.7)
+      tzinfo
+    event_emitter (0.2.6)
+    eventmachine (1.2.7)
+    factory_bot (6.2.1)
+      activesupport (>= 5.0.0)
+    factory_bot_rails (6.2.0)
+      factory_bot (~> 6.2.0)
+      railties (>= 5.0.0)
+    faker (3.2.0)
+      i18n (>= 1.8.11, < 2)
+    faraday (2.7.6)
+      faraday-net_http (>= 2.0, < 3.1)
+      ruby2_keywords (>= 0.0.4)
+    faraday-follow_redirects (0.3.0)
+      faraday (>= 1, < 3)
+    faraday-multipart (1.0.4)
+      multipart-post (~> 2)
+    faraday-net_http (3.0.2)
+    faye-websocket (0.11.2)
+      eventmachine (>= 0.12.0)
+      websocket-driver (>= 0.5.1)
+    ffi (1.15.5)
+    flipper (0.28.0)
+      concurrent-ruby (< 2)
+    flipper-active_record (0.28.0)
+      activerecord (>= 4.2, < 8)
+      flipper (~> 0.28.0)
+    flipper-ui (0.28.0)
+      erubi (>= 1.0.0, < 2.0.0)
+      flipper (~> 0.28.0)
+      rack (>= 1.4, < 3)
+      rack-protection (>= 1.5.3, <= 4.0.0)
+      sanitize (< 7)
+    fugit (1.8.1)
+      et-orbi (~> 1, >= 1.2.7)
+      raabro (~> 1.4)
+    globalid (1.1.0)
+      activesupport (>= 5.0)
+    hashdiff (1.0.1)
+    i18n (1.14.1)
+      concurrent-ruby (~> 1.0)
+    importmap-rails (1.1.6)
+      actionpack (>= 6.0.0)
+      railties (>= 6.0.0)
+    jaro_winkler (1.5.6)
+    jbuilder (2.11.5)
+      actionview (>= 5.0.0)
+      activesupport (>= 5.0.0)
+    json (2.6.3)
+    kramdown (2.4.0)
+      rexml
+    kramdown-parser-gfm (1.1.0)
+      kramdown (~> 2.0)
+    launchy (2.5.2)
+      addressable (~> 2.8)
+    letter_opener (1.8.1)
+      launchy (>= 2.2, < 3)
+    letter_opener_web (2.0.0)
+      actionmailer (>= 5.2)
+      letter_opener (~> 1.7)
+      railties (>= 5.2)
+      rexml
+    listen (3.8.0)
       rb-fsevent (~> 0.10, >= 0.10.3)
       rb-inotify (~> 0.9, >= 0.9.10)
-    loofah (2.7.0)
+    lnurl (1.0.1)
+      bech32 (~> 1.1)
+    lockbox (1.2.0)
+    loofah (2.21.3)
       crass (~> 1.0.2)
-      nokogiri (>= 1.5.9)
-    mail (2.7.1)
+      nokogiri (>= 1.12.0)
+    mail (2.8.1)
       mini_mime (>= 0.1.1)
-    marcel (0.3.3)
-      mimemagic (~> 0.3.2)
+      net-imap
+      net-pop
+      net-smtp
+    marcel (1.0.2)
+    matrix (0.4.2)
     method_source (1.0.0)
-    mimemagic (0.3.5)
-    mini_mime (1.0.2)
-    mini_portile2 (2.4.0)
-    minitest (5.14.2)
-    msgpack (1.3.3)
-    net-ldap (0.16.3)
-    nio4r (2.5.4)
-    nokogiri (1.10.10)
-      mini_portile2 (~> 2.4.0)
+    mini_mime (1.1.2)
+    minitest (5.18.0)
+    multipart-post (2.3.0)
+    net-imap (0.3.6)
+      date
+      net-protocol
+    net-ldap (0.18.0)
+    net-pop (0.1.2)
+      net-protocol
+    net-protocol (0.2.1)
+      timeout
+    net-smtp (0.3.3)
+      net-protocol
+    nio4r (2.5.9)
+    nokogiri (1.15.2-arm64-darwin)
+      racc (~> 1.4)
+    nokogiri (1.15.2-x86_64-linux)
+      racc (~> 1.4)
     orm_adapter (0.5.0)
-    public_suffix (4.0.6)
-    puma (4.3.6)
+    pagy (6.0.4)
+    parallel (1.23.0)
+    parser (3.2.2.3)
+      ast (~> 2.4.1)
+      racc
+    pg (1.2.3)
+    public_suffix (5.0.1)
+    puma (4.3.12)
       nio4r (~> 2.0)
-    rack (2.2.3)
-    rack-proxy (0.6.5)
+    raabro (1.4.0)
+    racc (1.7.1)
+    rack (2.2.7)
+    rack-protection (3.0.6)
       rack
-    rack-test (1.1.0)
-      rack (>= 1.0, < 3)
-    rails (6.0.3.4)
-      actioncable (= 6.0.3.4)
-      actionmailbox (= 6.0.3.4)
-      actionmailer (= 6.0.3.4)
-      actionpack (= 6.0.3.4)
-      actiontext (= 6.0.3.4)
-      actionview (= 6.0.3.4)
-      activejob (= 6.0.3.4)
-      activemodel (= 6.0.3.4)
-      activerecord (= 6.0.3.4)
-      activestorage (= 6.0.3.4)
-      activesupport (= 6.0.3.4)
-      bundler (>= 1.3.0)
-      railties (= 6.0.3.4)
-      sprockets-rails (>= 2.0.0)
+    rack-test (2.1.0)
+      rack (>= 1.3)
+    rails (7.0.5)
+      actioncable (= 7.0.5)
+      actionmailbox (= 7.0.5)
+      actionmailer (= 7.0.5)
+      actionpack (= 7.0.5)
+      actiontext (= 7.0.5)
+      actionview (= 7.0.5)
+      activejob (= 7.0.5)
+      activemodel (= 7.0.5)
+      activerecord (= 7.0.5)
+      activestorage (= 7.0.5)
+      activesupport (= 7.0.5)
+      bundler (>= 1.15.0)
+      railties (= 7.0.5)
+    rails-controller-testing (1.0.5)
+      actionpack (>= 5.0.1.rc1)
+      actionview (>= 5.0.1.rc1)
+      activesupport (>= 5.0.1.rc1)
     rails-dom-testing (2.0.3)
       activesupport (>= 4.2.0)
       nokogiri (>= 1.6)
-    rails-html-sanitizer (1.3.0)
-      loofah (~> 2.3)
-    railties (6.0.3.4)
-      actionpack (= 6.0.3.4)
-      activesupport (= 6.0.3.4)
+    rails-html-sanitizer (1.6.0)
+      loofah (~> 2.21)
+      nokogiri (~> 1.14)
+    rails-settings-cached (2.8.3)
+      activerecord (>= 5.0.0)
+      railties (>= 5.0.0)
+    railties (7.0.5)
+      actionpack (= 7.0.5)
+      activesupport (= 7.0.5)
       method_source
-      rake (>= 0.8.7)
-      thor (>= 0.20.3, < 2.0)
-    rake (13.0.1)
-    rb-fsevent (0.10.4)
+      rake (>= 12.2)
+      thor (~> 1.0)
+      zeitwerk (~> 2.5)
+    rainbow (3.1.1)
+    rake (13.0.6)
+    rb-fsevent (0.11.2)
     rb-inotify (0.10.1)
       ffi (~> 1.0)
-    regexp_parser (1.8.2)
-    responders (3.0.1)
-      actionpack (>= 5.0)
+    rbs (2.8.4)
+    redis (4.8.1)
+    regexp_parser (2.8.1)
+    responders (3.1.0)
+      actionpack (>= 5.2)
+      railties (>= 5.2)
+    reverse_markdown (2.1.1)
+      nokogiri
+    rexml (3.2.5)
+    rqrcode (2.2.0)
+      chunky_png (~> 1.0)
+      rqrcode_core (~> 1.0)
+    rqrcode_core (1.2.0)
+    rspec-core (3.12.2)
+      rspec-support (~> 3.12.0)
+    rspec-expectations (3.12.3)
+      diff-lcs (>= 1.2.0, < 2.0)
+      rspec-support (~> 3.12.0)
+    rspec-mocks (3.12.5)
+      diff-lcs (>= 1.2.0, < 2.0)
+      rspec-support (~> 3.12.0)
+    rspec-rails (6.0.3)
+      actionpack (>= 6.1)
+      activesupport (>= 6.1)
+      railties (>= 6.1)
+      rspec-core (~> 3.12)
+      rspec-expectations (~> 3.12)
+      rspec-mocks (~> 3.12)
+      rspec-support (~> 3.12)
+    rspec-support (3.12.0)
+    rubocop (1.52.1)
+      json (~> 2.3)
+      parallel (~> 1.10)
+      parser (>= 3.2.2.3)
+      rainbow (>= 2.2.2, < 4.0)
+      regexp_parser (>= 1.8, < 3.0)
+      rexml (>= 3.2.5, < 4.0)
+      rubocop-ast (>= 1.28.0, < 2.0)
+      ruby-progressbar (~> 1.7)
+      unicode-display_width (>= 2.4.0, < 3.0)
+    rubocop-ast (1.29.0)
+      parser (>= 3.2.1.0)
+    ruby-progressbar (1.13.0)
+    ruby2_keywords (0.0.5)
+    rufus-scheduler (3.9.1)
+      fugit (~> 1.1, >= 1.1.6)
+    sanitize (6.0.1)
+      crass (~> 1.0.2)
+      nokogiri (>= 1.12.0)
+    sentry-rails (5.9.0)
       railties (>= 5.0)
-    rspec-core (3.10.0)
-      rspec-support (~> 3.10.0)
-    rspec-expectations (3.10.0)
-      diff-lcs (>= 1.2.0, < 2.0)
-      rspec-support (~> 3.10.0)
-    rspec-mocks (3.10.0)
-      diff-lcs (>= 1.2.0, < 2.0)
-      rspec-support (~> 3.10.0)
-    rspec-rails (4.0.1)
-      actionpack (>= 4.2)
-      activesupport (>= 4.2)
-      railties (>= 4.2)
-      rspec-core (~> 3.9)
-      rspec-expectations (~> 3.9)
-      rspec-mocks (~> 3.9)
-      rspec-support (~> 3.9)
-    rspec-support (3.10.0)
-    sass-rails (6.0.0)
-      sassc-rails (~> 2.1, >= 2.1.1)
-    sassc (2.4.0)
-      ffi (~> 1.9)
-    sassc-rails (2.1.2)
-      railties (>= 4.0.0)
-      sassc (>= 2.0)
-      sprockets (> 3.0)
-      sprockets-rails
-      tilt
-    spring (2.1.1)
-    spring-watcher-listen (2.0.1)
-      listen (>= 2.7, < 4.0)
-      spring (>= 1.2, < 3.0)
-    sprockets (4.0.2)
+      sentry-ruby (~> 5.9.0)
+    sentry-ruby (5.9.0)
+      concurrent-ruby (~> 1.0, >= 1.0.2)
+    sidekiq (6.5.9)
+      connection_pool (>= 2.2.5, < 3)
+      rack (~> 2.0)
+      redis (>= 4.5.0, < 5)
+    sidekiq-scheduler (5.0.3)
+      rufus-scheduler (~> 3.2)
+      sidekiq (>= 6, < 8)
+      tilt (>= 1.4.0)
+    solargraph (0.49.0)
+      backport (~> 1.2)
+      benchmark
+      bundler (~> 2.0)
+      diff-lcs (~> 1.4)
+      e2mmap
+      jaro_winkler (~> 1.5)
+      kramdown (~> 2.3)
+      kramdown-parser-gfm (~> 1.1)
+      parser (~> 3.0)
+      rbs (~> 2.0)
+      reverse_markdown (~> 2.0)
+      rubocop (~> 1.38)
+      thor (~> 1.0)
+      tilt (~> 2.0)
+      yard (~> 0.9, >= 0.9.24)
+    sprockets (4.2.0)
       concurrent-ruby (~> 1.0)
-      rack (> 1, < 3)
-    sprockets-rails (3.2.2)
-      actionpack (>= 4.0)
-      activesupport (>= 4.0)
+      rack (>= 2.2.4, < 4)
+    sprockets-rails (3.4.2)
+      actionpack (>= 5.2)
+      activesupport (>= 5.2)
       sprockets (>= 3.0.0)
-    sqlite3 (1.4.2)
-    thor (1.0.1)
-    thread_safe (0.3.6)
-    tilt (2.0.10)
-    turbolinks (5.2.1)
-      turbolinks-source (~> 5.2)
-    turbolinks-source (5.2.0)
-    tzinfo (1.2.7)
-      thread_safe (~> 0.1)
+    sqlite3 (1.6.3-arm64-darwin)
+    sqlite3 (1.6.3-x86_64-linux)
+    stimulus-rails (1.2.1)
+      railties (>= 6.0.0)
+    thor (1.2.2)
+    tilt (2.2.0)
+    timeout (0.3.2)
+    turbo-rails (1.4.0)
+      actionpack (>= 6.0.0)
+      activejob (>= 6.0.0)
+      railties (>= 6.0.0)
+    tzinfo (2.0.6)
+      concurrent-ruby (~> 1.0)
+    unicode-display_width (2.4.2)
+    view_component (3.2.0)
+      activesupport (>= 5.2.0, < 8.0)
+      concurrent-ruby (~> 1.0)
+      method_source (~> 1.0)
     warden (1.2.9)
       rack (>= 2.0.9)
-    web-console (4.1.0)
+    web-console (4.2.0)
       actionview (>= 6.0.0)
       activemodel (>= 6.0.0)
       bindex (>= 0.4.0)
       railties (>= 6.0.0)
-    webpacker (4.3.0)
-      activesupport (>= 4.2)
-      rack-proxy (>= 0.6.1)
-      railties (>= 4.2)
-    websocket-driver (0.7.3)
+    webmock (3.18.1)
+      addressable (>= 2.8.0)
+      crack (>= 0.3.2)
+      hashdiff (>= 0.4.0, < 2.0.0)
+    websocket-driver (0.7.5)
       websocket-extensions (>= 0.1.0)
     websocket-extensions (0.1.5)
     xpath (3.2.0)
       nokogiri (~> 1.8)
-    zeitwerk (2.4.1)
+    yard (0.9.34)
+    zeitwerk (2.6.8)
 
 PLATFORMS
-  ruby
+  arm64-darwin-22
+  x86_64-linux
 
 DEPENDENCIES
-  bootsnap (>= 1.4.2)
-  byebug
+  byebug (~> 11.1)
   capybara
+  cssbundling-rails
   database_cleaner
-  devise
+  devise (~> 4.9.0)
   devise_ldap_authenticatable
+  discourse_api
   dotenv-rails
   factory_bot_rails
+  faker
+  faraday
+  flipper
+  flipper-active_record
+  flipper-ui
+  importmap-rails
   jbuilder (~> 2.7)
   letter_opener
   letter_opener_web
   listen (~> 3.2)
+  lnurl
+  lockbox
   net-ldap
+  nostr!
+  pagy (~> 6.0, >= 6.0.2)
+  pg (~> 1.2.3)
   puma (~> 4.1)
-  rails (~> 6.0.3, >= 6.0.3.4)
+  rails (~> 7.0.2)
+  rails-controller-testing
+  rails-settings-cached (~> 2.8.3)
+  rqrcode (~> 2.0)
   rspec-rails
-  sass-rails (>= 6)
-  spring
-  spring-watcher-listen (~> 2.0.0)
+  sentry-rails
+  sentry-ruby
+  sidekiq (< 7)
+  sidekiq-scheduler
+  solargraph
+  sprockets-rails
   sqlite3 (~> 1.4)
-  turbolinks (~> 5)
+  stimulus-rails
+  turbo-rails
   tzinfo-data
+  view_component
   warden
   web-console (>= 3.3.0)
-  webpacker (~> 4.0)
-
-RUBY VERSION
-   ruby 2.6.1p33
+  webmock
 
 BUNDLED WITH
-   2.0.2
+   2.3.7

LICENSE

@@ -0,0 +1,661 @@
+                    GNU AFFERO GENERAL PUBLIC LICENSE
+                       Version 3, 19 November 2007
+
+ Copyright (C) 2020 Kosmos Contributors <https://kosmos.org/>
+ Everyone is permitted to copy and distribute verbatim copies
+ of this license document, but changing it is not allowed.
+
+                            Preamble
+
+  The GNU Affero General Public License is a free, copyleft license for
+software and other kinds of works, specifically designed to ensure
+cooperation with the community in the case of network server software.
+
+  The licenses for most software and other practical works are designed
+to take away your freedom to share and change the works.  By contrast,
+our General Public Licenses are intended to guarantee your freedom to
+share and change all versions of a program--to make sure it remains free
+software for all its users.
+
+  When we speak of free software, we are referring to freedom, not
+price.  Our General Public Licenses are designed to make sure that you
+have the freedom to distribute copies of free software (and charge for
+them if you wish), that you receive source code or can get it if you
+want it, that you can change the software or use pieces of it in new
+free programs, and that you know you can do these things.
+
+  Developers that use our General Public Licenses protect your rights
+with two steps: (1) assert copyright on the software, and (2) offer
+you this License which gives you legal permission to copy, distribute
+and/or modify the software.
+
+  A secondary benefit of defending all users' freedom is that
+improvements made in alternate versions of the program, if they
+receive widespread use, become available for other developers to
+incorporate.  Many developers of free software are heartened and
+encouraged by the resulting cooperation.  However, in the case of
+software used on network servers, this result may fail to come about.
+The GNU General Public License permits making a modified version and
+letting the public access it on a server without ever releasing its
+source code to the public.
+
+  The GNU Affero General Public License is designed specifically to
+ensure that, in such cases, the modified source code becomes available
+to the community.  It requires the operator of a network server to
+provide the source code of the modified version running there to the
+users of that server.  Therefore, public use of a modified version, on
+a publicly accessible server, gives the public access to the source
+code of the modified version.
+
+  An older license, called the Affero General Public License and
+published by Affero, was designed to accomplish similar goals.  This is
+a different license, not a version of the Affero GPL, but Affero has
+released a new version of the Affero GPL which permits relicensing under
+this license.
+
+  The precise terms and conditions for copying, distribution and
+modification follow.
+
+                       TERMS AND CONDITIONS
+
+  0. Definitions.
+
+  "This License" refers to version 3 of the GNU Affero General Public License.
+
+  "Copyright" also means copyright-like laws that apply to other kinds of
+works, such as semiconductor masks.
+
+  "The Program" refers to any copyrightable work licensed under this
+License.  Each licensee is addressed as "you".  "Licensees" and
+"recipients" may be individuals or organizations.
+
+  To "modify" a work means to copy from or adapt all or part of the work
+in a fashion requiring copyright permission, other than the making of an
+exact copy.  The resulting work is called a "modified version" of the
+earlier work or a work "based on" the earlier work.
+
+  A "covered work" means either the unmodified Program or a work based
+on the Program.
+
+  To "propagate" a work means to do anything with it that, without
+permission, would make you directly or secondarily liable for
+infringement under applicable copyright law, except executing it on a
+computer or modifying a private copy.  Propagation includes copying,
+distribution (with or without modification), making available to the
+public, and in some countries other activities as well.
+
+  To "convey" a work means any kind of propagation that enables other
+parties to make or receive copies.  Mere interaction with a user through
+a computer network, with no transfer of a copy, is not conveying.
+
+  An interactive user interface displays "Appropriate Legal Notices"
+to the extent that it includes a convenient and prominently visible
+feature that (1) displays an appropriate copyright notice, and (2)
+tells the user that there is no warranty for the work (except to the
+extent that warranties are provided), that licensees may convey the
+work under this License, and how to view a copy of this License.  If
+the interface presents a list of user commands or options, such as a
+menu, a prominent item in the list meets this criterion.
+
+  1. Source Code.
+
+  The "source code" for a work means the preferred form of the work
+for making modifications to it.  "Object code" means any non-source
+form of a work.
+
+  A "Standard Interface" means an interface that either is an official
+standard defined by a recognized standards body, or, in the case of
+interfaces specified for a particular programming language, one that
+is widely used among developers working in that language.
+
+  The "System Libraries" of an executable work include anything, other
+than the work as a whole, that (a) is included in the normal form of
+packaging a Major Component, but which is not part of that Major
+Component, and (b) serves only to enable use of the work with that
+Major Component, or to implement a Standard Interface for which an
+implementation is available to the public in source code form.  A
+"Major Component", in this context, means a major essential component
+(kernel, window system, and so on) of the specific operating system
+(if any) on which the executable work runs, or a compiler used to
+produce the work, or an object code interpreter used to run it.
+
+  The "Corresponding Source" for a work in object code form means all
+the source code needed to generate, install, and (for an executable
+work) run the object code and to modify the work, including scripts to
+control those activities.  However, it does not include the work's
+System Libraries, or general-purpose tools or generally available free
+programs which are used unmodified in performing those activities but
+which are not part of the work.  For example, Corresponding Source
+includes interface definition files associated with source files for
+the work, and the source code for shared libraries and dynamically
+linked subprograms that the work is specifically designed to require,
+such as by intimate data communication or control flow between those
+subprograms and other parts of the work.
+
+  The Corresponding Source need not include anything that users
+can regenerate automatically from other parts of the Corresponding
+Source.
+
+  The Corresponding Source for a work in source code form is that
+same work.
+
+  2. Basic Permissions.
+
+  All rights granted under this License are granted for the term of
+copyright on the Program, and are irrevocable provided the stated
+conditions are met.  This License explicitly affirms your unlimited
+permission to run the unmodified Program.  The output from running a
+covered work is covered by this License only if the output, given its
+content, constitutes a covered work.  This License acknowledges your
+rights of fair use or other equivalent, as provided by copyright law.
+
+  You may make, run and propagate covered works that you do not
+convey, without conditions so long as your license otherwise remains
+in force.  You may convey covered works to others for the sole purpose
+of having them make modifications exclusively for you, or provide you
+with facilities for running those works, provided that you comply with
+the terms of this License in conveying all material for which you do
+not control copyright.  Those thus making or running the covered works
+for you must do so exclusively on your behalf, under your direction
+and control, on terms that prohibit them from making any copies of
+your copyrighted material outside their relationship with you.
+
+  Conveying under any other circumstances is permitted solely under
+the conditions stated below.  Sublicensing is not allowed; section 10
+makes it unnecessary.
+
+  3. Protecting Users' Legal Rights From Anti-Circumvention Law.
+
+  No covered work shall be deemed part of an effective technological
+measure under any applicable law fulfilling obligations under article
+11 of the WIPO copyright treaty adopted on 20 December 1996, or
+similar laws prohibiting or restricting circumvention of such
+measures.
+
+  When you convey a covered work, you waive any legal power to forbid
+circumvention of technological measures to the extent such circumvention
+is effected by exercising rights under this License with respect to
+the covered work, and you disclaim any intention to limit operation or
+modification of the work as a means of enforcing, against the work's
+users, your or third parties' legal rights to forbid circumvention of
+technological measures.
+
+  4. Conveying Verbatim Copies.
+
+  You may convey verbatim copies of the Program's source code as you
+receive it, in any medium, provided that you conspicuously and
+appropriately publish on each copy an appropriate copyright notice;
+keep intact all notices stating that this License and any
+non-permissive terms added in accord with section 7 apply to the code;
+keep intact all notices of the absence of any warranty; and give all
+recipients a copy of this License along with the Program.
+
+  You may charge any price or no price for each copy that you convey,
+and you may offer support or warranty protection for a fee.
+
+  5. Conveying Modified Source Versions.
+
+  You may convey a work based on the Program, or the modifications to
+produce it from the Program, in the form of source code under the
+terms of section 4, provided that you also meet all of these conditions:
+
+    a) The work must carry prominent notices stating that you modified
+    it, and giving a relevant date.
+
+    b) The work must carry prominent notices stating that it is
+    released under this License and any conditions added under section
+    7.  This requirement modifies the requirement in section 4 to
+    "keep intact all notices".
+
+    c) You must license the entire work, as a whole, under this
+    License to anyone who comes into possession of a copy.  This
+    License will therefore apply, along with any applicable section 7
+    additional terms, to the whole of the work, and all its parts,
+    regardless of how they are packaged.  This License gives no
+    permission to license the work in any other way, but it does not
+    invalidate such permission if you have separately received it.
+
+    d) If the work has interactive user interfaces, each must display
+    Appropriate Legal Notices; however, if the Program has interactive
+    interfaces that do not display Appropriate Legal Notices, your
+    work need not make them do so.
+
+  A compilation of a covered work with other separate and independent
+works, which are not by their nature extensions of the covered work,
+and which are not combined with it such as to form a larger program,
+in or on a volume of a storage or distribution medium, is called an
+"aggregate" if the compilation and its resulting copyright are not
+used to limit the access or legal rights of the compilation's users
+beyond what the individual works permit.  Inclusion of a covered work
+in an aggregate does not cause this License to apply to the other
+parts of the aggregate.
+
+  6. Conveying Non-Source Forms.
+
+  You may convey a covered work in object code form under the terms
+of sections 4 and 5, provided that you also convey the
+machine-readable Corresponding Source under the terms of this License,
+in one of these ways:
+
+    a) Convey the object code in, or embodied in, a physical product
+    (including a physical distribution medium), accompanied by the
+    Corresponding Source fixed on a durable physical medium
+    customarily used for software interchange.
+
+    b) Convey the object code in, or embodied in, a physical product
+    (including a physical distribution medium), accompanied by a
+    written offer, valid for at least three years and valid for as
+    long as you offer spare parts or customer support for that product
+    model, to give anyone who possesses the object code either (1) a
+    copy of the Corresponding Source for all the software in the
+    product that is covered by this License, on a durable physical
+    medium customarily used for software interchange, for a price no
+    more than your reasonable cost of physically performing this
+    conveying of source, or (2) access to copy the
+    Corresponding Source from a network server at no charge.
+
+    c) Convey individual copies of the object code with a copy of the
+    written offer to provide the Corresponding Source.  This
+    alternative is allowed only occasionally and noncommercially, and
+    only if you received the object code with such an offer, in accord
+    with subsection 6b.
+
+    d) Convey the object code by offering access from a designated
+    place (gratis or for a charge), and offer equivalent access to the
+    Corresponding Source in the same way through the same place at no
+    further charge.  You need not require recipients to copy the
+    Corresponding Source along with the object code.  If the place to
+    copy the object code is a network server, the Corresponding Source
+    may be on a different server (operated by you or a third party)
+    that supports equivalent copying facilities, provided you maintain
+    clear directions next to the object code saying where to find the
+    Corresponding Source.  Regardless of what server hosts the
+    Corresponding Source, you remain obligated to ensure that it is
+    available for as long as needed to satisfy these requirements.
+
+    e) Convey the object code using peer-to-peer transmission, provided
+    you inform other peers where the object code and Corresponding
+    Source of the work are being offered to the general public at no
+    charge under subsection 6d.
+
+  A separable portion of the object code, whose source code is excluded
+from the Corresponding Source as a System Library, need not be
+included in conveying the object code work.
+
+  A "User Product" is either (1) a "consumer product", which means any
+tangible personal property which is normally used for personal, family,
+or household purposes, or (2) anything designed or sold for incorporation
+into a dwelling.  In determining whether a product is a consumer product,
+doubtful cases shall be resolved in favor of coverage.  For a particular
+product received by a particular user, "normally used" refers to a
+typical or common use of that class of product, regardless of the status
+of the particular user or of the way in which the particular user
+actually uses, or expects or is expected to use, the product.  A product
+is a consumer product regardless of whether the product has substantial
+commercial, industrial or non-consumer uses, unless such uses represent
+the only significant mode of use of the product.
+
+  "Installation Information" for a User Product means any methods,
+procedures, authorization keys, or other information required to install
+and execute modified versions of a covered work in that User Product from
+a modified version of its Corresponding Source.  The information must
+suffice to ensure that the continued functioning of the modified object
+code is in no case prevented or interfered with solely because
+modification has been made.
+
+  If you convey an object code work under this section in, or with, or
+specifically for use in, a User Product, and the conveying occurs as
+part of a transaction in which the right of possession and use of the
+User Product is transferred to the recipient in perpetuity or for a
+fixed term (regardless of how the transaction is characterized), the
+Corresponding Source conveyed under this section must be accompanied
+by the Installation Information.  But this requirement does not apply
+if neither you nor any third party retains the ability to install
+modified object code on the User Product (for example, the work has
+been installed in ROM).
+
+  The requirement to provide Installation Information does not include a
+requirement to continue to provide support service, warranty, or updates
+for a work that has been modified or installed by the recipient, or for
+the User Product in which it has been modified or installed.  Access to a
+network may be denied when the modification itself materially and
+adversely affects the operation of the network or violates the rules and
+protocols for communication across the network.
+
+  Corresponding Source conveyed, and Installation Information provided,
+in accord with this section must be in a format that is publicly
+documented (and with an implementation available to the public in
+source code form), and must require no special password or key for
+unpacking, reading or copying.
+
+  7. Additional Terms.
+
+  "Additional permissions" are terms that supplement the terms of this
+License by making exceptions from one or more of its conditions.
+Additional permissions that are applicable to the entire Program shall
+be treated as though they were included in this License, to the extent
+that they are valid under applicable law.  If additional permissions
+apply only to part of the Program, that part may be used separately
+under those permissions, but the entire Program remains governed by
+this License without regard to the additional permissions.
+
+  When you convey a copy of a covered work, you may at your option
+remove any additional permissions from that copy, or from any part of
+it.  (Additional permissions may be written to require their own
+removal in certain cases when you modify the work.)  You may place
+additional permissions on material, added by you to a covered work,
+for which you have or can give appropriate copyright permission.
+
+  Notwithstanding any other provision of this License, for material you
+add to a covered work, you may (if authorized by the copyright holders of
+that material) supplement the terms of this License with terms:
+
+    a) Disclaiming warranty or limiting liability differently from the
+    terms of sections 15 and 16 of this License; or
+
+    b) Requiring preservation of specified reasonable legal notices or
+    author attributions in that material or in the Appropriate Legal
+    Notices displayed by works containing it; or
+
+    c) Prohibiting misrepresentation of the origin of that material, or
+    requiring that modified versions of such material be marked in
+    reasonable ways as different from the original version; or
+
+    d) Limiting the use for publicity purposes of names of licensors or
+    authors of the material; or
+
+    e) Declining to grant rights under trademark law for use of some
+    trade names, trademarks, or service marks; or
+
+    f) Requiring indemnification of licensors and authors of that
+    material by anyone who conveys the material (or modified versions of
+    it) with contractual assumptions of liability to the recipient, for
+    any liability that these contractual assumptions directly impose on
+    those licensors and authors.
+
+  All other non-permissive additional terms are considered "further
+restrictions" within the meaning of section 10.  If the Program as you
+received it, or any part of it, contains a notice stating that it is
+governed by this License along with a term that is a further
+restriction, you may remove that term.  If a license document contains
+a further restriction but permits relicensing or conveying under this
+License, you may add to a covered work material governed by the terms
+of that license document, provided that the further restriction does
+not survive such relicensing or conveying.
+
+  If you add terms to a covered work in accord with this section, you
+must place, in the relevant source files, a statement of the
+additional terms that apply to those files, or a notice indicating
+where to find the applicable terms.
+
+  Additional terms, permissive or non-permissive, may be stated in the
+form of a separately written license, or stated as exceptions;
+the above requirements apply either way.
+
+  8. Termination.
+
+  You may not propagate or modify a covered work except as expressly
+provided under this License.  Any attempt otherwise to propagate or
+modify it is void, and will automatically terminate your rights under
+this License (including any patent licenses granted under the third
+paragraph of section 11).
+
+  However, if you cease all violation of this License, then your
+license from a particular copyright holder is reinstated (a)
+provisionally, unless and until the copyright holder explicitly and
+finally terminates your license, and (b) permanently, if the copyright
+holder fails to notify you of the violation by some reasonable means
+prior to 60 days after the cessation.
+
+  Moreover, your license from a particular copyright holder is
+reinstated permanently if the copyright holder notifies you of the
+violation by some reasonable means, this is the first time you have
+received notice of violation of this License (for any work) from that
+copyright holder, and you cure the violation prior to 30 days after
+your receipt of the notice.
+
+  Termination of your rights under this section does not terminate the
+licenses of parties who have received copies or rights from you under
+this License.  If your rights have been terminated and not permanently
+reinstated, you do not qualify to receive new licenses for the same
+material under section 10.
+
+  9. Acceptance Not Required for Having Copies.
+
+  You are not required to accept this License in order to receive or
+run a copy of the Program.  Ancillary propagation of a covered work
+occurring solely as a consequence of using peer-to-peer transmission
+to receive a copy likewise does not require acceptance.  However,
+nothing other than this License grants you permission to propagate or
+modify any covered work.  These actions infringe copyright if you do
+not accept this License.  Therefore, by modifying or propagating a
+covered work, you indicate your acceptance of this License to do so.
+
+  10. Automatic Licensing of Downstream Recipients.
+
+  Each time you convey a covered work, the recipient automatically
+receives a license from the original licensors, to run, modify and
+propagate that work, subject to this License.  You are not responsible
+for enforcing compliance by third parties with this License.
+
+  An "entity transaction" is a transaction transferring control of an
+organization, or substantially all assets of one, or subdividing an
+organization, or merging organizations.  If propagation of a covered
+work results from an entity transaction, each party to that
+transaction who receives a copy of the work also receives whatever
+licenses to the work the party's predecessor in interest had or could
+give under the previous paragraph, plus a right to possession of the
+Corresponding Source of the work from the predecessor in interest, if
+the predecessor has it or can get it with reasonable efforts.
+
+  You may not impose any further restrictions on the exercise of the
+rights granted or affirmed under this License.  For example, you may
+not impose a license fee, royalty, or other charge for exercise of
+rights granted under this License, and you may not initiate litigation
+(including a cross-claim or counterclaim in a lawsuit) alleging that
+any patent claim is infringed by making, using, selling, offering for
+sale, or importing the Program or any portion of it.
+
+  11. Patents.
+
+  A "contributor" is a copyright holder who authorizes use under this
+License of the Program or a work on which the Program is based.  The
+work thus licensed is called the contributor's "contributor version".
+
+  A contributor's "essential patent claims" are all patent claims
+owned or controlled by the contributor, whether already acquired or
+hereafter acquired, that would be infringed by some manner, permitted
+by this License, of making, using, or selling its contributor version,
+but do not include claims that would be infringed only as a
+consequence of further modification of the contributor version.  For
+purposes of this definition, "control" includes the right to grant
+patent sublicenses in a manner consistent with the requirements of
+this License.
+
+  Each contributor grants you a non-exclusive, worldwide, royalty-free
+patent license under the contributor's essential patent claims, to
+make, use, sell, offer for sale, import and otherwise run, modify and
+propagate the contents of its contributor version.
+
+  In the following three paragraphs, a "patent license" is any express
+agreement or commitment, however denominated, not to enforce a patent
+(such as an express permission to practice a patent or covenant not to
+sue for patent infringement).  To "grant" such a patent license to a
+party means to make such an agreement or commitment not to enforce a
+patent against the party.
+
+  If you convey a covered work, knowingly relying on a patent license,
+and the Corresponding Source of the work is not available for anyone
+to copy, free of charge and under the terms of this License, through a
+publicly available network server or other readily accessible means,
+then you must either (1) cause the Corresponding Source to be so
+available, or (2) arrange to deprive yourself of the benefit of the
+patent license for this particular work, or (3) arrange, in a manner
+consistent with the requirements of this License, to extend the patent
+license to downstream recipients.  "Knowingly relying" means you have
+actual knowledge that, but for the patent license, your conveying the
+covered work in a country, or your recipient's use of the covered work
+in a country, would infringe one or more identifiable patents in that
+country that you have reason to believe are valid.
+
+  If, pursuant to or in connection with a single transaction or
+arrangement, you convey, or propagate by procuring conveyance of, a
+covered work, and grant a patent license to some of the parties
+receiving the covered work authorizing them to use, propagate, modify
+or convey a specific copy of the covered work, then the patent license
+you grant is automatically extended to all recipients of the covered
+work and works based on it.
+
+  A patent license is "discriminatory" if it does not include within
+the scope of its coverage, prohibits the exercise of, or is
+conditioned on the non-exercise of one or more of the rights that are
+specifically granted under this License.  You may not convey a covered
+work if you are a party to an arrangement with a third party that is
+in the business of distributing software, under which you make payment
+to the third party based on the extent of your activity of conveying
+the work, and under which the third party grants, to any of the
+parties who would receive the covered work from you, a discriminatory
+patent license (a) in connection with copies of the covered work
+conveyed by you (or copies made from those copies), or (b) primarily
+for and in connection with specific products or compilations that
+contain the covered work, unless you entered into that arrangement,
+or that patent license was granted, prior to 28 March 2007.
+
+  Nothing in this License shall be construed as excluding or limiting
+any implied license or other defenses to infringement that may
+otherwise be available to you under applicable patent law.
+
+  12. No Surrender of Others' Freedom.
+
+  If conditions are imposed on you (whether by court order, agreement or
+otherwise) that contradict the conditions of this License, they do not
+excuse you from the conditions of this License.  If you cannot convey a
+covered work so as to satisfy simultaneously your obligations under this
+License and any other pertinent obligations, then as a consequence you may
+not convey it at all.  For example, if you agree to terms that obligate you
+to collect a royalty for further conveying from those to whom you convey
+the Program, the only way you could satisfy both those terms and this
+License would be to refrain entirely from conveying the Program.
+
+  13. Remote Network Interaction; Use with the GNU General Public License.
+
+  Notwithstanding any other provision of this License, if you modify the
+Program, your modified version must prominently offer all users
+interacting with it remotely through a computer network (if your version
+supports such interaction) an opportunity to receive the Corresponding
+Source of your version by providing access to the Corresponding Source
+from a network server at no charge, through some standard or customary
+means of facilitating copying of software.  This Corresponding Source
+shall include the Corresponding Source for any work covered by version 3
+of the GNU General Public License that is incorporated pursuant to the
+following paragraph.
+
+  Notwithstanding any other provision of this License, you have
+permission to link or combine any covered work with a work licensed
+under version 3 of the GNU General Public License into a single
+combined work, and to convey the resulting work.  The terms of this
+License will continue to apply to the part which is the covered work,
+but the work with which it is combined will remain governed by version
+3 of the GNU General Public License.
+
+  14. Revised Versions of this License.
+
+  The Free Software Foundation may publish revised and/or new versions of
+the GNU Affero General Public License from time to time.  Such new versions
+will be similar in spirit to the present version, but may differ in detail to
+address new problems or concerns.
+
+  Each version is given a distinguishing version number.  If the
+Program specifies that a certain numbered version of the GNU Affero General
+Public License "or any later version" applies to it, you have the
+option of following the terms and conditions either of that numbered
+version or of any later version published by the Free Software
+Foundation.  If the Program does not specify a version number of the
+GNU Affero General Public License, you may choose any version ever published
+by the Free Software Foundation.
+
+  If the Program specifies that a proxy can decide which future
+versions of the GNU Affero General Public License can be used, that proxy's
+public statement of acceptance of a version permanently authorizes you
+to choose that version for the Program.
+
+  Later license versions may give you additional or different
+permissions.  However, no additional obligations are imposed on any
+author or copyright holder as a result of your choosing to follow a
+later version.
+
+  15. Disclaimer of Warranty.
+
+  THERE IS NO WARRANTY FOR THE PROGRAM, TO THE EXTENT PERMITTED BY
+APPLICABLE LAW.  EXCEPT WHEN OTHERWISE STATED IN WRITING THE COPYRIGHT
+HOLDERS AND/OR OTHER PARTIES PROVIDE THE PROGRAM "AS IS" WITHOUT WARRANTY
+OF ANY KIND, EITHER EXPRESSED OR IMPLIED, INCLUDING, BUT NOT LIMITED TO,
+THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+PURPOSE.  THE ENTIRE RISK AS TO THE QUALITY AND PERFORMANCE OF THE PROGRAM
+IS WITH YOU.  SHOULD THE PROGRAM PROVE DEFECTIVE, YOU ASSUME THE COST OF
+ALL NECESSARY SERVICING, REPAIR OR CORRECTION.
+
+  16. Limitation of Liability.
+
+  IN NO EVENT UNLESS REQUIRED BY APPLICABLE LAW OR AGREED TO IN WRITING
+WILL ANY COPYRIGHT HOLDER, OR ANY OTHER PARTY WHO MODIFIES AND/OR CONVEYS
+THE PROGRAM AS PERMITTED ABOVE, BE LIABLE TO YOU FOR DAMAGES, INCLUDING ANY
+GENERAL, SPECIAL, INCIDENTAL OR CONSEQUENTIAL DAMAGES ARISING OUT OF THE
+USE OR INABILITY TO USE THE PROGRAM (INCLUDING BUT NOT LIMITED TO LOSS OF
+DATA OR DATA BEING RENDERED INACCURATE OR LOSSES SUSTAINED BY YOU OR THIRD
+PARTIES OR A FAILURE OF THE PROGRAM TO OPERATE WITH ANY OTHER PROGRAMS),
+EVEN IF SUCH HOLDER OR OTHER PARTY HAS BEEN ADVISED OF THE POSSIBILITY OF
+SUCH DAMAGES.
+
+  17. Interpretation of Sections 15 and 16.
+
+  If the disclaimer of warranty and limitation of liability provided
+above cannot be given local legal effect according to their terms,
+reviewing courts shall apply local law that most closely approximates
+an absolute waiver of all civil liability in connection with the
+Program, unless a warranty or assumption of liability accompanies a
+copy of the Program in return for a fee.
+
+                     END OF TERMS AND CONDITIONS
+
+            How to Apply These Terms to Your New Programs
+
+  If you develop a new program, and you want it to be of the greatest
+possible use to the public, the best way to achieve this is to make it
+free software which everyone can redistribute and change under these terms.
+
+  To do so, attach the following notices to the program.  It is safest
+to attach them to the start of each source file to most effectively
+state the exclusion of warranty; and each file should have at least
+the "copyright" line and a pointer to where the full notice is found.
+
+    <one line to give the program's name and a brief idea of what it does.>
+    Copyright (C) <year>  <name of author>
+
+    This program is free software: you can redistribute it and/or modify
+    it under the terms of the GNU Affero General Public License as published by
+    the Free Software Foundation, either version 3 of the License, or
+    (at your option) any later version.
+
+    This program is distributed in the hope that it will be useful,
+    but WITHOUT ANY WARRANTY; without even the implied warranty of
+    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+    GNU Affero General Public License for more details.
+
+    You should have received a copy of the GNU Affero General Public License
+    along with this program.  If not, see <https://www.gnu.org/licenses/>.
+
+Also add information on how to contact you by electronic and paper mail.
+
+  If your software can interact with users remotely through a computer
+network, you should also make sure that it provides a way for users to
+get its source.  For example, if your program is a web application, its
+interface could display a "Source" link that leads users to an archive
+of the code.  There are many ways you could offer source, and different
+solutions will be better for different programs; see section 13 for the
+specific requirements.
+
+  You should also get your employer (if you work as a programmer) or school,
+if any, to sign a "copyright disclaimer" for the program, if necessary.
+For more information on this, and how to apply and follow the GNU AGPL, see
+<https://www.gnu.org/licenses/>.

Procfile.dev

@@ -0,0 +1,2 @@
+web: bin/rails server -b 0.0.0.0 -p 3000
+css: yarn build:css --watch

README.md

@@ -1,28 +1,135 @@
-# README
+[![Build Status](https://drone.kosmos.org/api/badges/kosmos/akkounts/status.svg)](https://drone.kosmos.org/kosmos/akkounts)
 
-This README would normally document whatever steps are necessary to get the
-application up and running.
+# Akkounts
 
-Things you may want to cover:
+This app allows Kosmos/LDAP users to manage their accounts, including
+credentials, invites, donations, etc..
 
-* Ruby version
+## Development
 
-* System dependencies
+### Quick Start
 
-* Configuration
+The easiest way to get a working development setup is using Docker Compose like
+so:
 
-* Database creation
+1. Make sure [Docker Compose is installed][1] and Docker is running (included in
+   Docker Desktop)
+3. Run `docker compose up` and wait until 389ds announces its successful start
+   in the log output
+4. `docker-compose exec ldap dsconf localhost backend create --suffix="dc=kosmos,dc=org" --be-name="dev"`
+5. `docker compose run web rails ldap:setup`
+6. `docker compose run web rails db:setup`
 
-* Database initialization
+After these steps, you should have a working Rails app with a handful of test
+users running on [http://localhost:3000](http://localhost:3000).
+Log in with username "admin" and password "admin is admin". All users listed on
+[http://localhost:3000/admin/users](http://localhost:3000/admin/users)
+have the password "user is user".
 
-* How to run the test suite
+### Rails app
 
-* Services (job queues, cache servers, search engines, etc.)
+Installing dependencies:
 
-* Deployment instructions
+    bundle install
+    yarn install
 
-* ...
+Setting up local database (SQLite):
+
+    bundle exec rails db:create
+    bundle exec rails db:migrate
+
+Running the dev server and auto-building CSS files on change:
+
+    bin/dev
+
+Running the background workers (requires Redis):
+
+    bundle exec sidekiq -C config/sidekiq.yml
+
+Running all specs:
+
+    bundle exec rspec
+
+### Docker (Compose)
+
+There is a working Docker Compose config file, which define a number of services including
+an app server for Rails as well as a local 389ds (LDAP) server.
+
+For Rails developers, you probably just want to start the LDAP server: `docker-compose up ldap`, 
+listening on port 389 on your machine. 
+
+You can pick and choose your services adding them by name (listed in `docker-compose.yml`) at 
+the end of the docker compose command. eg. `docker compose up ldap redis`
+
+#### LDAP server
+
+After creating the Docker container for the first time (or after deleting it),
+you need to run the following command once, in order to create the dirsrv
+back-end:
+
+    docker-compose exec ldap dsconf localhost backend create --suffix="dc=kosmos,dc=org" --be-name="dev"
+
+Now you can seed the back-end with data using this Rails task:
+
+    bundle exec rails ldap:setup
+
+The setup task will first delete any existing entries in the directory tree
+("dc=kosmos,dc=org"), and then create our development entries.
+
+Note that all 389ds data is stored in `tmp/389ds`. So if you want to start over
+with a fresh installation, delete both that directory as well as the container.
+
+### Adding npm modules to use with Stimulus controllers
+
+The following command downloads the specified npm module to `vendor/javascript`
+and adds an entry for it to `config/importmap.rb`.
+
+    bin/importmap pin bech32 --download
+
+### Solargraph
+
+[Solargraph](https://solargraph.org/) is a Ruby language server, which you may
+use with your editor to add features like auto-completion and syntax
+validation. You can add inline documentation for bundled gems with this
+command:
+
+    bundle exec yard gems
 
 ## Documentation
 
+### Rails
+
+* [Ruby on Rails](https://guides.rubyonrails.org/)
+* [Pagination](https://ddnexus.github.io/pagy/)
+
+### Front-end
+
+* [Tailwind CSS](https://tailwindcss.com/)
+* [Sass](https://sass-lang.com/documentation)
+* [Stimulus](https://stimulus.hotwired.dev/handbook/)
+* [Tailwind Stimulus Components](https://github.com/excid3/tailwindcss-stimulus-components)
+
+### Testing
+
+* [RSpec](https://rspec.info/documentation/)
+* [Capybara](https://rubydoc.info/github/teamcapybara/capybara/master)
+
+### LDAP / Auth
+
+* [devise_ldap_authenticatable](https://github.com/cschiewek/devise_ldap_authenticatable)
 * [net/ldap](https://www.rubydoc.info/gems/net-ldap/Net/LDAP)
+
+### Asynchronous jobs/workers
+
+* [Sidekiq](https://github.com/mperham/sidekiq/wiki/)
+* [ActiveJob](https://github.com/mperham/sidekiq/wiki/Active-Job)
+
+### Feature Flags
+
+* [Flipper](https://www.flippercloud.io/docs/get-started/self-hosted)
+
+## License
+
+[GNU Affero General Public License v3.0](https://choosealicense.com/licenses/agpl-3.0/)
+
+[1]: https://docs.docker.com/compose/install/

app/assets/config/manifest.js

@@ -1,2 +1,4 @@
 //= link_tree ../images
-//= link_directory ../stylesheets .css
+//= link_tree ../../javascript .js
+//= link_tree ../builds
+//= link_tree ../../../vendor/javascript .js

app/assets/stylesheets/_reset.scss

@@ -1,13 +0,0 @@
-html, body, h1, h2, h3, h4, h5, h6, p, pre, a, dl, dt, dd, ol, ul, li {
-  font-size: 100%;
-  vertical-align: baseline;
-  background: transparent;
-  box-sizing: border-box;
-  overflow: visible;
-  margin: 0;
-  padding: 0;
-}
-
-body {
-  line-height: 1;
-}

app/assets/stylesheets/application.css

@@ -1,15 +0,0 @@
-/*
- * This is a manifest file that'll be compiled into application.css, which will include all the files
- * listed below.
- *
- * Any CSS and SCSS file within this directory, lib/assets/stylesheets, or any plugin's
- * vendor/assets/stylesheets directory can be referenced here using a relative path.
- *
- * You're free to add application-wide styles to this file and they'll appear at the bottom of the
- * compiled file so the styles you add here take precedence over styles defined in any other CSS/SCSS
- * files in this directory. Styles in this file should be added after the last require_* statement.
- * It is generally better to create a new file per style scope.
- *
- *= require_tree .
- *= require_self
- */

app/assets/stylesheets/application.tailwind.css

@@ -0,0 +1,13 @@
+@import "tailwindcss/base";
+@import "tailwindcss/components";
+@import "tailwindcss/utilities";
+
+@import "components/animations";
+@import "components/base";
+@import "components/buttons";
+@import "components/dashboard_services";
+@import "components/forms";
+@import "components/links";
+@import "components/notifications";
+@import "components/pagination";
+@import "components/tables";

app/assets/stylesheets/components/animations.css

@@ -0,0 +1,16 @@
+@keyframes scaleIn {
+  from {
+    transform: scale(0.5);
+    opacity: 0;
+  }
+  to {
+    transform: scale(1);
+    opacity: 1;
+  }
+}
+
+.animate-scale-in {
+  animation-name: scaleIn;
+  animation-duration: 0.15s;
+  animation-timing-function: cubic-bezier(0.2, 0, 0.13, 1);
+}

app/assets/stylesheets/components/base.css

@@ -0,0 +1,58 @@
+@layer base {
+  html {
+    font-size: 14px;
+  }
+
+  body {
+    @apply leading-none bg-cover bg-fixed;
+    background-image: linear-gradient(35deg, rgba(255,0,255,0.2) 0, rgba(13,79,153,0.8) 100%), url('/img/bg-1.jpg');
+  }
+
+  body#admin {
+    background-image: linear-gradient(35deg, rgba(255,0,255,0.2) 0, rgba(153,12,14,0.9) 100%), url('/img/bg-1.jpg');
+  }
+
+  h1 {
+    @apply text-3xl uppercase;
+  }
+
+  h2 {
+    @apply text-2xl mb-8;
+  }
+
+  h3 {
+    @apply text-xl mb-6;
+  }
+
+  h4 {
+    @apply font-bold mb-4 leading-6;
+  }
+
+  main section {
+    @apply pt-8 sm:pt-12;
+  }
+
+  main section:first-of-type {
+    @apply pt-0;
+  }
+
+  main p {
+    @apply mb-4 leading-6;
+  }
+
+  main p:last-child {
+    @apply mb-0;
+  }
+
+  main ul {
+    @apply mb-6;
+  }
+
+  main ul:last-child {
+    @apply mb-0;
+  }
+
+  main ul li {
+    @apply leading-6;
+  }
+}

app/assets/stylesheets/components/buttons.css

@@ -0,0 +1,44 @@
+@layer components {
+  .btn {
+    @apply inline-block font-semibold rounded-md leading-none cursor-pointer text-center
+           transition-colors duration-75 focus:outline-none focus:ring-4;
+  }
+
+  .btn-md {
+    @apply btn;
+    @apply py-3 px-6;
+  }
+
+  .btn-sm {
+    @apply btn;
+    @apply py-1 px-2 text-sm;
+  }
+
+  .btn-icon {
+    @apply py-2 px-3;
+  }
+
+  .btn-outline {
+    @apply py-2 border-2 border-gray-100 hover:bg-gray-100;
+  }
+
+  .btn-gray {
+    @apply bg-gray-100 hover:bg-gray-200
+           focus:ring-gray-300 focus:ring-opacity-75;
+  }
+
+  .btn-blue {
+    @apply bg-blue-500 hover:bg-blue-600 text-white
+           focus:ring-blue-400 focus:ring-opacity-75;
+  }
+
+  .btn-red {
+    @apply bg-red-600 hover:bg-red-700 text-white
+           focus:ring-red-500 focus:ring-opacity-75;
+  }
+
+  .btn:disabled {
+    @apply bg-gray-100 hover:bg-gray-200 text-gray-400
+           focus:ring-gray-300 focus:ring-opacity-75;
+  }
+}

app/assets/stylesheets/components/dashboard_services.css

@@ -0,0 +1,5 @@
+@layer components {
+  .services > div > a {
+    background-image: linear-gradient(110deg, rgba(255,255,255,0.99) 0, rgba(255,255,255,0.88) 100%);
+  }
+}

app/assets/stylesheets/components/forms.css

@@ -0,0 +1,25 @@
+@layer components {
+  input[type=text], input[type=email], input[type=password],
+  input[type=number], select, textarea {
+    @apply rounded-md bg-gray-100 focus:bg-white
+           border-transparent focus:border-transparent focus:ring-2
+           focus:ring-blue-600 focus:ring-opacity-75;
+  }
+
+  input[type=text]:disabled,
+  input[type=email]:disabled {
+    @apply text-gray-700;
+  }
+
+  input.field_with_errors {
+    @apply border-b-red-600;
+  }
+
+  .field_with_errors {
+    @apply inline-block;
+  }
+
+  .error-msg {
+    @apply text-red-700;
+  }
+}

app/assets/stylesheets/components/links.css

@@ -0,0 +1,8 @@
+@layer components {
+  .ks-text-link {
+    @apply text-blue-600;
+    &:hover   { @apply underline; }
+    &:visited { @apply text-indigo-600; }
+    &:active  { @apply text-red-600; }
+  }
+}

app/assets/stylesheets/components/notifications.css

@@ -0,0 +1,39 @@
+@layer components {
+  @keyframes notification-countdown {
+    from { width: 100%; }
+    to   { width: 0; }
+  }
+
+  .notification-enter {
+    @apply transform ease-out duration-300 transition;
+  }
+
+  .notification-enter-from {
+    @apply translate-y-2 opacity-0;
+  }
+
+  .notification-enter-to {
+    @apply translate-y-0 opacity-100;
+  }
+
+  @screen sm {
+    .notification-enter-from {
+      @apply translate-y-0 translate-x-2;
+    }
+    .notification-enter-to {
+      @apply translate-x-0;
+    }
+  }
+
+  .notification-leave {
+    @apply transition ease-in duration-100;
+  }
+
+  .notification-leave-from {
+    @apply opacity-100;
+  }
+
+  .notification-leave-to {
+    @apply opacity-0;
+  }
+}

app/assets/stylesheets/components/pagination.css

@@ -0,0 +1,45 @@
+@layer components {
+  .pagy-nav.pagination {
+    @apply isolate inline-flex -space-x-px rounded-md shadow-sm;
+  }
+
+  .pagy-nav .page:not(.prev):not(.next) {
+    @apply hidden sm:inline-block;
+  }
+
+  .pagy-nav .page.next a {
+    @apply relative inline-flex items-center rounded-r-md border
+           border-gray-300 bg-white px-3 py-2 text-sm font-medium
+           text-gray-500 hover:bg-gray-100 focus:z-20;
+  }
+
+  .pagy-nav .page.prev a {
+    @apply relative inline-flex items-center rounded-l-md border
+           border-gray-300 bg-white px-3 py-2 text-sm font-medium
+           text-gray-500 hover:bg-gray-100 focus:z-20;
+  }
+
+  .pagy-nav .page.next.disabled {
+    @apply relative inline-flex items-center rounded-r-md border
+           border-gray-300 bg-gray-100 px-3 py-2 text-sm font-medium
+           text-gray-400 focus:z-20;
+  }
+
+  .pagy-nav .page.prev.disabled {
+    @apply relative inline-flex items-center rounded-l-md border
+           border-gray-300 bg-gray-100 px-3 py-2 text-sm font-medium
+           text-gray-400 focus:z-20;
+  }
+
+  .pagy-nav .page a, .page.gap {
+    @apply bg-white border-gray-300 text-gray-500 hover:bg-gray-100 relative
+           inline-flex items-center border px-4 py-2 text-sm font-medium
+           focus:z-20;
+  }
+
+  .pagy-nav .page.active {
+    @apply z-10 border-indigo-500 bg-indigo-50 text-indigo-600 relative
+           inline-flex items-center border px-4 py-2 text-sm font-medium
+           focus:z-20;
+  }
+}

app/assets/stylesheets/components/tables.css

@@ -0,0 +1,36 @@
+@layer components {
+  table {
+    @apply w-full;
+  }
+
+  table thead tr {
+    @apply text-left;
+  }
+
+  table thead th {
+    @apply pb-3.5 text-sm font-normal uppercase text-gray-500;
+  }
+
+  table tbody th {
+    @apply text-left font-normal text-gray-500;
+  }
+
+  table th:not(:last-of-type),
+  table td:not(:last-of-type) {
+    @apply pr-2;
+  }
+
+  table td, tbody th {
+    @apply py-2;
+  }
+
+  table.divided {
+    @apply divide-y divide-gray-300;
+  }
+  table.divided tbody {
+    @apply divide-y divide-gray-200;
+  }
+  table.divided td, table.divided tbody th {
+    @apply py-3;
+  }
+}

app/assets/stylesheets/fonts.scss

@@ -1,20 +0,0 @@
-@font-face {
-  font-family: 'Raleway';
-  src: url('/fonts/raleway-light.woff') format('woff2');
-  font-weight: 300;
-  font-style: normal;
-}
-
-body {
-  font-family: "Open Sans", Helvetica, Arial, sans-serif;
-  font-weight: 400;
-}
-
-h1, h2, h3 {
-  font-family: Raleway, inherit;
-  font-weight: 300;
-}
-
-h1 {
-  text-transform: uppercase;
-}

app/assets/stylesheets/layout.scss

@@ -1,146 +0,0 @@
-$content-width: 800px;
-$content-max-width: 100%;
-
-body {
-}
-
-#wrapper {
-  width: 100%;
-  text-align: center;
-
-  > header {
-    margin: 0 auto;
-    padding: 4rem 0;
-    text-align: center;
-    background: #0d4f99;
-    background: linear-gradient(35deg, #8955a0 0, #0d4f99 100%);
-
-    h1 {
-      font-size: 1.8rem;
-      color: #fff;
-
-      span.project-name {
-        display: none;
-        // font-size: .5em;
-        // text-transform: none;
-        // vertical-align: super;
-      }
-
-      span.beta {
-        font-size: .5em;
-        font-style: italic;
-        text-transform: none;
-        vertical-align: super;
-      }
-
-      span.bolt {
-        color: #ffd000;
-      }
-    }
-
-    p.current-user {
-      margin-top: 2rem;
-      color: rgba(255,255,255,0.6);
-
-      strong {
-        font-weight: 400;
-        color: #fff;
-        // color: #ffd000;
-        // color: #ccff40;
-      }
-    }
-
-    a {
-      color: rgba(255,255,255,0.6);
-      transition: color 0.1s linear;
-
-      &:hover, &:active {
-        color: #fff;
-      }
-    }
-  }
-}
-
-.flash-msg {
-  width: 100%;
-  text-align: center;
-  padding: 2rem 0;
-
-  &.notice {
-    background: #efffc4;
-  }
-
-  &.alert {
-    background: #fff4c2;
-  }
-}
-
-main {
-  width: $content-width;
-  max-width: $content-max-width;
-  margin: 4rem auto;
-  text-align: left;
-
-  h2, h3 {
-    margin-bottom: 1.5em;
-  }
-
-  h2 {
-    font-size: 1.5rem;
-  }
-
-  h3 {
-    font-size: 1.25rem;
-  }
-
-  p {
-    line-height: 1.5rem;
-    margin-bottom: 1rem;
-
-    &.notice {
-      text-align: center;
-    }
-  }
-
-  ul {
-    margin-bottom: 1.5rem;
-
-    li {
-      line-height: 1.5rem;
-    }
-  }
-
-  th, td {
-    line-height: 1.5rem;
-    padding-right: 1rem;
-  }
-
-  section {
-    border-bottom: 1px dotted #ccc;
-    padding-bottom: 4rem;
-    margin-bottom: 4rem;
-  }
-}
-
-.grid {
-  display: grid;
-
-  &.services {
-    grid-template-columns: 1fr 1fr 1fr;
-    grid-row-gap: 1rem;
-    grid-column-gap: 2rem;
-
-    margin-top: 3rem;
-
-    h3 {
-      margin-bottom: 1rem;
-    }
-
-    .grid-item {
-      p {
-        color: #888;
-        font-size: 0.85rem;
-      }
-    }
-  }
-}

app/components/app_info_component.html.erb

@@ -0,0 +1,15 @@
+<div class="flex">
+  <div class="<%= @icon_container_class %>">
+    <%= image_tag(@icon_path, class: 'h-full w-full') %>
+  </div>
+  <div class="flex-1 px-4">
+    <h4 class="sm:pt-2 mb-2 text-lg font-bold"><%= @name %></h4>
+    <p class="leading-snug"><%= @description %></p>
+    <p class="leading-snug flex flex-wrap gap-3">
+      <% @links.each do |link| %>
+        <a href="<%= link[1] %>" target="_blank"
+           class="flex-0 btn-sm btn-gray"><%= link[0] %></a>
+      <% end %>
+    </p>
+  </div>
+</div>

app/components/app_info_component.rb

@@ -0,0 +1,19 @@
+# frozen_string_literal: true
+
+class AppInfoComponent < ViewComponent::Base
+  def initialize(name:, description:, icon_path: , icon_fill_box: false, links: [])
+    @name = name
+    @description = description
+    @icon_path = icon_path
+    @icon_container_class = icon_container_class(icon_fill_box)
+    @links = links
+  end
+
+  def icon_container_class(icon_fill_box)
+    str = "flex-0 h-16 w-16 sm:h-28 sm:w-28 bg-white rounded-3xl overflow-hidden"
+    unless icon_fill_box
+      str += " p-2 border border-gray-200"
+    end
+    str
+  end
+end

app/components/form_elements/fieldset_component.html.erb

@@ -0,0 +1,45 @@
+<%= tag.public_send(@tag, class: "mb-6 last:mb-0", data: {
+      :'field-name' => @field_name
+    }) do %>
+  <% if @positioning == :vertical %>
+  <label class="block">
+    <p class="font-bold <%= @descripton.present? ? "mb-1" : "mb-2" %>">
+      <%= @title %>
+    </p>
+    <% if @descripton.present? %>
+    <p class="text-gray-500">
+      <%= @descripton %>
+    </p>
+    <% end %>
+
+    <%= tag.p class: "flex gap-x-1", data: {
+                controller: @resettable ? "settings--resettable-field" : nil,
+              } do %>
+      <%= content %>
+      <% if @resettable %>
+        <button type="button"
+                class="relative grow-0 shrink-0 btn-md btn-outline text-red-700"
+                title="Reset to default value"
+                data-settings--resettable-field-target="resetButton"
+                data-action="settings--resettable-field#resetField">
+          Reset
+        </button>
+      <% end %>
+    <% end %>
+  </label>
+  <% elsif @positioning == :horizontal %>
+  <label class="block flex items-center justify-between">
+    <div class="flex flex-col">
+      <label class="font-bold mb-1"><%= @title %></label>
+      <% if @descripton.present? %>
+      <p class="text-gray-500"><%= @descripton %></p>
+      <% end %>
+    </div>
+    <div class="relative ml-4 inline-flex flex-shrink-0">
+      <%= content %>
+    </div>
+  </label>
+  <% else %>
+  <p>Invalid <code>positioning<code> argument for <code>FieldsetComponent</code>.</p>
+  <% end %>
+<% end %>

app/components/form_elements/fieldset_component.rb

@@ -0,0 +1,16 @@
+# frozen_string_literal: true
+
+module FormElements
+  class FieldsetComponent < ViewComponent::Base
+    def initialize(tag: "li", positioning: :vertical,
+                   title:, description: nil,
+                   field_name: nil, resettable: false)
+      @tag         = tag
+      @positioning = positioning
+      @title       = title
+      @descripton  = description
+      @field_name  = field_name
+      @resettable  = resettable
+    end
+  end
+end

app/components/form_elements/fieldset_resettable_setting_component.html.erb

@@ -0,0 +1,13 @@
+<%= render FormElements::FieldsetComponent.new(
+      title: @title,
+      description: @description,
+      field_name: "setting_#{@key.to_s}",
+      resettable: @resettable
+    ) do %>
+  <%= method("#{@type}_field").call :setting, @key,
+    value: Setting.public_send(@key),
+    data: {
+      :'default-value' => Setting.get_field(@key)[:default]
+    },
+    class: "w-full" %>
+<% end %>

app/components/form_elements/fieldset_resettable_setting_component.rb

@@ -0,0 +1,20 @@
+# frozen_string_literal: true
+
+module FormElements
+  class FieldsetResettableSettingComponent < ViewComponent::Base
+    def initialize(tag: "li", key:, type: :text, title:, description: nil)
+      @tag         = tag
+      @positioning = :vertical
+      @title       = title
+      @descripton  = description
+      @key         = key.to_sym
+      @type        = type
+      @resettable  = is_resettable?(@key)
+    end
+
+    def is_resettable?(key)
+      default_value = Setting.get_field(key)[:default]
+      default_value.present? && (default_value != Setting.send(key))
+    end
+  end
+end

app/components/form_elements/fieldset_toggle_component.html.erb

@@ -0,0 +1,33 @@
+<%= tag.public_send @tag, class: "flex items-center justify-between mb-6 last:mb-0",
+      data: @form_enabled ? {
+        controller: "settings--toggle",
+        :'settings--toggle-switch-enabled-value' => @enabled.to_s
+      } : nil do %>
+  <div class="flex flex-col">
+    <label class="font-bold mb-1"><%= @title %></label>
+    <p class="text-gray-500"><%= @descripton %></p>
+  </div>
+  <div class="relative ml-4 inline-flex flex-shrink-0">
+    <%= render FormElements::ToggleComponent.new(
+          enabled: @enabled,
+          input_enabled: @input_enabled,
+          class_names: @form_enabled ? "hidden" : nil,
+          data: {
+            :'settings--toggle-target' => "button",
+            action: "settings--toggle#toggleSwitch"
+          }) %>
+    <% if @form_enabled %>
+      <% if @attribute.present? %>
+        <%= @form.check_box @attribute, {
+              checked: @enabled,
+              data: { :'settings--toggle-target' => "checkbox" }
+            }, "true", "false" %>
+      <% else %>
+        <input name="<%= @field_name %>" type="hidden" value="false" autocomplete="off">
+        <%= check_box_tag @field_name, "true", @enabled, {
+              data: { :'settings--toggle-target' => "checkbox" }
+            } %>
+      <% end %>
+    <% end %>
+  </div>
+<% end %>

app/components/form_elements/fieldset_toggle_component.rb

@@ -0,0 +1,19 @@
+# frozen_string_literal: true
+
+module FormElements
+  class FieldsetToggleComponent < ViewComponent::Base
+    def initialize(tag: "li", form: nil, attribute: nil, field_name: nil,
+                   enabled: false, input_enabled: true, title:, description:)
+      @tag = tag
+      @form = form
+      @attribute = attribute
+      @field_name = field_name
+      @form_enabled = @form.present? || @field_name.present?
+      @enabled = enabled
+      @input_enabled = input_enabled
+      @title = title
+      @descripton = description
+      @button_text = @enabled ? "Switch off" : "Switch on"
+    end
+  end
+end

app/components/form_elements/toggle_component.html.erb

@@ -0,0 +1,15 @@
+<%= button_tag type: "button", name: "toggle", data: @data,
+      role: "switch", aria: { checked: @enabled.to_s },
+      tabindex: @tabindex, disabled: !@input_enabled,
+      class: "#{ @enabled ? 'bg-blue-600' : 'bg-gray-200' }
+              #{ @class_names.present? ? @class_names : '' }
+              relative inline-flex h-6 w-11 flex-shrink-0 cursor-pointer
+              rounded-full border-2 border-transparent transition-colors
+              duration-200 ease-in-out focus:outline-none focus:ring-2
+              focus:ring-blue-600 focus:ring-offset-2" do %>
+  <span class="sr-only"><%= @button_text %></span>
+  <span aria-hidden="true" data-settings--toggle-target="switch"
+        class="<%= @enabled ? 'translate-x-5' : 'translate-x-0' %>
+               pointer-events-none inline-block h-5 w-5 transform rounded-full
+               bg-white shadow ring-0 transition duration-200 ease-in-out"></span>
+<% end %>

app/components/form_elements/toggle_component.rb

@@ -0,0 +1,13 @@
+# frozen_string_literal: true
+
+module FormElements
+  class ToggleComponent < ViewComponent::Base
+    def initialize(enabled:, input_enabled: true, data: nil, class_names: nil, tabindex: nil)
+      @enabled = !!enabled
+      @input_enabled = input_enabled
+      @data = data
+      @class_names = class_names
+      @tabindex = tabindex
+    end
+  end
+end

app/components/header_compact_component.html.erb

@@ -0,0 +1,7 @@
+<header class="py-10">
+  <div class="max-w-xl mx-auto px-4 sm:px-6 lg:px-8">
+    <h1 class="text-3xl font-bold text-white text-center">
+      <%= @title %>
+    </h1>
+  </div>
+</header>

app/components/header_compact_component.rb

@@ -0,0 +1,7 @@
+# frozen_string_literal: true
+
+class HeaderCompactComponent < ViewComponent::Base
+  def initialize(title:)
+    @title = title
+  end
+end

app/components/header_component.html.erb

@@ -0,0 +1,7 @@
+<header class="py-10">
+  <div class="max-w-6xl mx-auto px-4 sm:px-6 lg:px-8">
+    <h1 class="text-3xl font-bold text-white">
+      <%= @title %>
+    </h1>
+  </div>
+</header>

app/components/header_component.rb

@@ -0,0 +1,7 @@
+# frozen_string_literal: true
+
+class HeaderComponent < ViewComponent::Base
+  def initialize(title:)
+    @title = title
+  end
+end

app/components/main_compact_component.html.erb

@@ -0,0 +1,5 @@
+<main class="w-full max-w-xl mx-auto pb-12 px-4 sm:px-6 lg:px-8">
+  <div class="bg-white rounded-lg shadow px-6 sm:px-12 py-8 sm:py-12">
+    <%= content %>
+  </div>
+</main>

app/components/main_compact_component.rb

@@ -0,0 +1,5 @@
+# frozen_string_literal: true
+
+class MainCompactComponent < ViewComponent::Base
+
+end

app/components/main_simple_component.html.erb

@@ -0,0 +1,5 @@
+<main class="w-full max-w-6xl mx-auto pb-12 px-4 md:px-6 lg:px-8">
+  <div class="md:min-h-[50vh] bg-white rounded-lg shadow px-6 sm:px-12 py-8 sm:py-12">
+    <%= content %>
+  </div>
+</main>

app/components/main_simple_component.rb

@@ -0,0 +1,5 @@
+# frozen_string_literal: true
+
+class MainSimpleComponent < ViewComponent::Base
+
+end

app/components/main_with_sidenav_component.html.erb

@@ -0,0 +1,15 @@
+<main class="w-full max-w-6xl mx-auto pb-12 px-4 md:px-6 lg:px-8">
+  <div class="bg-white rounded-lg shadow">
+    <div class="md:min-h-[50vh] divide-y divide-gray-200 lg:grid lg:grid-cols-12 lg:divide-y-0 lg:divide-x">
+      <aside class="py-6 sm:py-8 lg:col-span-3">
+        <nav class="space-y-1">
+          <%= render partial: @sidenav_partial %>
+        </nav>
+      </aside>
+      <div class="lg:col-span-9 px-6 sm:px-12 py-8 sm:pt-10 sm:pb-12">
+        <%= content %>
+      </div>
+    </div>
+  </div>
+</main>
+

app/components/main_with_sidenav_component.rb

@@ -0,0 +1,7 @@
+# frozen_string_literal: true
+
+class MainWithSidenavComponent < ViewComponent::Base
+  def initialize(sidenav_partial:)
+    @sidenav_partial = sidenav_partial
+  end
+end

app/components/main_with_tabnav_component.html.erb

@@ -0,0 +1,10 @@
+<main class="w-full max-w-6xl mx-auto pb-12 px-4 md:px-6 lg:px-8">
+  <div class="bg-white rounded-lg shadow">
+    <div class="px-6 sm:px-12 pt-2 sm:pt-4">
+      <%= render partial: @tabnav_partial %>
+    </div>
+    <div class="px-6 sm:px-12 py-8 sm:py-12">
+      <%= content %>
+    </div>
+  </div>
+</main>

app/components/main_with_tabnav_component.rb

@@ -0,0 +1,7 @@
+# frozen_string_literal: true
+
+class MainWithTabnavComponent < ViewComponent::Base
+  def initialize(tabnav_partial:)
+    @tabnav_partial = tabnav_partial
+  end
+end

app/components/modal_component.html.erb

@@ -0,0 +1,28 @@
+<div tabindex="-1" class="relative z-10">
+  <!-- Modal Background -->
+  <div class="hidden fixed inset-0 bg-black bg-opacity-80 overflow-y-auto flex items-center justify-center"
+        data-modal-target="background"
+        data-action="click->modal#closeBackground"
+        data-transition-enter="transition-all ease-in-out duration-100"
+        data-transition-enter-from="bg-opacity-0"
+        data-transition-enter-to="bg-opacity-80"
+        data-transition-leave="transition-all ease-in-out duration-100"
+        data-transition-leave-from="bg-opacity-80"
+        data-transition-leave-to="bg-opacity-0">
+
+    <!-- Modal Container -->
+    <div data-modal-target="container"
+         class="max-h-screen w-auto max-w-lg relative
+                hidden animate-scale-in fixed inset-0 overflow-y-auto flex items-center justify-center">
+      <!-- Modal Card -->
+      <div class="m-1 bg-white rounded shadow">
+        <div class="p-8">
+          <%= content %>
+          <div class="flex justify-end items-center flex-wrap mt-6">
+            <button class="btn-md btn-blue" data-action="click->modal#close:prevent">Close</button>
+          </div>
+        </div>
+      </div>
+    </div>
+  </div>
+</div>

app/components/modal_component.rb

@@ -0,0 +1,2 @@
+class ModalComponent < ViewComponent::Base
+end

app/components/notification_component.html.erb

@@ -0,0 +1,49 @@
+<div class="flash-msg <%= @type %> hidden max-w-sm w-full bg-white shadow-lg rounded-lg pointer-events-auto mt-4"
+     data-turbo="false"
+     data-notification-action-url="<%= @data.dig(:action, :url) %>"
+     data-notification-action-method="<%= @data.dig(:action, :method) %>"
+     data-notification-timeout="<%= @data[:timeout] %>"
+     data-controller="notification">
+  <div class="rounded-lg shadow-xs overflow-hidden">
+    <div class="p-4">
+      <div class="flex items-start">
+        <div class="flex-shrink-0">
+          <span class="inline-block h-6 w-6 <%= @icon_color_class %>">
+            <%= render "icons/#{@icon_name}" %>
+          </span>
+        </div>
+        <div class="ml-3 w-0 flex-1 pt-0.5">
+          <p class="text-sm leading-5 font-medium text-gray-900">
+            <%= @data[:title] %>
+          </p>
+          <% if @data[:body].present? %>
+            <p class="mt-1 text-sm leading-5 text-gray-500">
+              <%= @data[:body] %>
+            </p>
+          <% end %>
+          <% if @data[:action].present? %>
+            <div class="mt-2" data-notification-target="buttons">
+              <a data-turbo-frame="_top" <% if @data.dig(:action, :method) == 'get' %> href="<%= @data.dig(:action, :url) %>" <% else %> href="#" data-action="notification#run" <% end %> class="text-sm leading-5 font-medium text-indigo-600 hover:text-indigo-500 focus:outline-none focus:underline transition ease-in-out duration-150">
+                <%= @data.dig(:action, :name) %>
+              </a>
+              <button data-action="notification#close" class="ml-6 text-sm leading-5 font-medium text-gray-700 hover:text-gray-500 focus:outline-none focus:underline transition ease-in-out duration-150">
+                <%= t('.dismiss') %>
+              </button>
+            </div>
+          <% end %>
+        </div>
+        <div class="ml-4 flex-shrink-0 flex">
+          <button class="inline-flex text-gray-400 focus:outline-none focus:text-gray-500 transition ease-in-out duration-150" data-action="notification#close">
+            <!-- Heroicon name: solid/x -->
+            <svg class="h-5 w-5" xmlns="http://www.w3.org/2000/svg" viewBox="0 0 20 20" fill="currentColor" aria-hidden="true">
+              <path fill-rule="evenodd" d="M4.293 4.293a1 1 0 011.414 0L10 8.586l4.293-4.293a1 1 0 111.414 1.414L11.414 10l4.293 4.293a1 1 0 01-1.414 1.414L10 11.414l-4.293 4.293a1 1 0 01-1.414-1.414L8.586 10 4.293 5.707a1 1 0 010-1.414z" clip-rule="evenodd" />
+            </svg>
+          </button>
+        </div>
+      </div>
+    </div>
+    <% if @data[:countdown] %>
+      <div class="bg-indigo-600 rounded-lg h-1 w-0" data-notification-target="countdown"></div>
+    <% end %>
+  </div>
+</div>

app/components/notification_component.rb

@@ -0,0 +1,54 @@
+# frozen_string_literal: true
+
+# @param type [String] Classic notification type `error`, `alert` and `info` + custom `success`
+# @param data [String, Hash] `String` for backward compatibility,
+#   `Hash` for the new functionality `{title: '', body: '', timeout: 5, countdown: false, action: { url: '', method: '', name: ''}}`.
+#   The `title` attribute for `Hash` is mandatory.
+class NotificationComponent < ViewComponent::Base
+  def initialize(type:, data:)
+    @type = type
+    @data = prepare_data(data)
+    @icon_name = icon_name
+    @icon_color_class = icon_color_class
+
+    @data[:timeout] ||= 5
+    @data[:action][:method] ||= "get" if @data[:action]
+  end
+
+  private
+
+  def prepare_data(data)
+    case data
+    when Hash
+      data
+    else
+      { title: data }
+    end
+  end
+
+  def icon_name
+    case @type
+    when 'success'
+      'check-circle'
+    when 'error'
+      'alert-octagon'
+    when 'alert'
+      'alert-octagon'
+    else
+      'info'
+    end
+  end
+
+  def icon_color_class
+    case @type
+    when 'success'
+      'text-emerald-500'
+    when 'error'
+      'text-rose-600'
+    when 'alert'
+      'text-rose-600'
+    else
+      'text-gray-400'
+    end
+  end
+end

app/components/qr_code_modal_component.html.erb

@@ -0,0 +1,6 @@
+<%= render ModalComponent.new do %>
+  <% if @descripton.present? %>
+    <p class="mb-6"><%= @description %></p>
+  <% end %>
+  <p><%= raw @qr_code_svg %></p>
+<% end %>

app/components/qr_code_modal_component.rb

@@ -0,0 +1,24 @@
+require "rqrcode"
+
+class QrCodeModalComponent < ViewComponent::Base
+  def initialize(qr_content:, description: nil)
+    @description = description
+    @qr_code_svg = qr_code_svg(qr_content)
+  end
+
+  private
+
+  def qr_code_svg(content)
+    qr_code = RQRCode::QRCode.new(content)
+    qr_code.as_svg(
+      color: "000",
+      shape_rendering: "crispEdges",
+      module_size: 6,
+      standalone: true,
+      use_path: true,
+      svg_attributes: {
+        class: 'inline-block'
+      }
+    )
+  end
+end

app/components/quickstats_container_component.html.erb

@@ -0,0 +1,3 @@
+<dl class="grid grid-cols-2 lg:grid-cols-4 gap-6 sm:gap-12">
+  <%= content %>
+</dl>

app/components/quickstats_container_component.rb

@@ -0,0 +1,4 @@
+# frozen_string_literal: true
+
+class QuickstatsContainerComponent < ViewComponent::Base
+end

app/components/quickstats_item_component.html.erb

@@ -0,0 +1,18 @@
+<div class="">
+  <dt class="mb-2 text-gray-500">
+    <%= @title %>
+  </dt>
+  <dd>
+    <% if @type == :number %>
+      <span class="text-2xl"><%= number_with_delimiter @value %></span>
+    <% else %>
+      <span class="text-2xl"><%= @value %></span>
+    <% end %>
+    <% if @unit %>
+      <span><%= @unit %></span>
+    <% end %>
+    <% if @meta %>
+      <span class="text-gray-500"><%= @meta %></span>
+    <% end %>
+  </dd>
+</div>

app/components/quickstats_item_component.rb

@@ -0,0 +1,13 @@
+# frozen_string_literal: true
+
+class QuickstatsItemComponent < ViewComponent::Base
+  def initialize(type:, title:, value:, unit: nil, meta: nil, icon_name: nil, icon_color_class: nil)
+    @type = type
+    @title = title
+    @value = value
+    @unit = unit
+    @meta = meta
+    @icon_name = icon_name
+    @icon_color_class = icon_color_class
+  end
+end

app/components/sidenav_link_component.html.erb

@@ -0,0 +1,4 @@
+<%= link_to @path, class: @link_class, title: (@disabled ? "Coming soon" : nil) do %>
+  <%= render partial: "icons/#{@icon}", locals: { custom_class: @icon_class } %>
+  <span class="truncate"><%= @name %></span>
+<% end %>

app/components/sidenav_link_component.rb

@@ -0,0 +1,37 @@
+# frozen_string_literal: true
+
+class SidenavLinkComponent < ViewComponent::Base
+  def initialize(name:, level: 1, path:, icon:, active: false, disabled: false)
+    @name = name
+    @level = level
+    @path = path
+    @icon = icon
+    @active = active
+    @disabled = disabled
+    @link_class = class_names_link(path)
+    @icon_class = class_names_icon(path)
+  end
+
+  def class_names_link(path)
+    px = @level == 1 ? "px-4" : "pl-8 pr-4"
+    base = "#{px} py-2 group border-l-4 flex items-center text-base font-medium"
+
+    if @active
+      "#{base} bg-teal-50 border-teal-500 text-teal-700 hover:bg-teal-50 hover:text-teal-700"
+    elsif @disabled
+      "#{base} border-transparent text-gray-400 hover:bg-gray-50"
+    else
+      "#{base} border-transparent text-gray-900 hover:bg-gray-50 hover:text-gray-900"
+    end
+  end
+
+  def class_names_icon(path)
+    if @active
+      "text-teal-500 group-hover:text-teal-500 flex-shrink-0 -ml-1 mr-3 h-6 w-6"
+    elsif @disabled
+      "text-gray-300 group-hover:text-gray-300 flex-shrink-0 -ml-1 mr-3 h-6 w-6"
+    else
+      "text-gray-400 group-hover:text-gray-500 flex-shrink-0 -ml-1 mr-3 h-6 w-6"
+    end
+  end
+end

app/components/tabnav_link_component.html.erb

@@ -0,0 +1,3 @@
+<%= link_to @path, class: @link_class do %>
+  <%= @name %>
+<% end %>

app/components/tabnav_link_component.rb

@@ -0,0 +1,21 @@
+# frozen_string_literal: true
+
+class TabnavLinkComponent < ViewComponent::Base
+  def initialize(name:, path:, active: false, disabled: false)
+    @name = name
+    @path = path
+    @active = active
+    @disabled = disabled
+    @link_class = class_names_link(path)
+  end
+
+  def class_names_link(path)
+    if @active
+      "border-indigo-500 text-indigo-600 w-1/2 py-4 px-1 text-center border-b-2"
+    elsif @disabled
+      "border-transparent text-gray-500 hover:text-gray-700 hover:border-gray-300 w-1/2 py-4 px-1 text-center border-b-2"
+    else
+      "border-transparent text-gray-500 hover:text-gray-700 hover:border-gray-300 w-1/2 py-4 px-1 text-center border-b-2"
+    end
+  end
+end

app/components/wallet_summary_component.html.erb

@@ -0,0 +1,22 @@
+<section class="w-full grid grid-cols-1 md:grid-cols-12 md:mb-0">
+  <div class="md:col-span-8">
+    <p>
+      Send and receive sats via the Bitcoin Lightning Network.
+    </p>
+  </div>
+  <div class="md:col-span-4 mt-4 md:mt-0">
+    <p class="font-mono md:text-right mb-0 p-4 border border-gray-300 rounded-lg overflow-hidden">
+    <% if @balance %>
+      <span class="text-2xl"><%= number_with_delimiter @balance %></span>
+      <span class="text-xl">sats</span>
+      <br>
+      <span class="text-sm text-gray-500">Available balance</span>
+    <% else %>
+      <span class="text-2xl">n/a</span>
+      <span class="text-xl">sats</span>
+      <br>
+      <span class="text-sm text-gray-500">Balance unavailable</span>
+    <% end %>
+    </p>
+  </div>
+</section>

app/components/wallet_summary_component.rb

@@ -0,0 +1,8 @@
+# frozen_string_literal: true
+
+class WalletSummaryComponent < ViewComponent::Base
+  def initialize(balance:)
+    @balance = balance
+  end
+
+end

app/controllers/account_controller.rb

@@ -0,0 +1,7 @@
+class AccountController < ApplicationController
+  before_action :authenticate_user!
+
+  def index
+    @current_section = :account
+  end
+end

app/controllers/admin/base_controller.rb

@@ -1,6 +1,11 @@
 class Admin::BaseController < ApplicationController
+  include Pagy::Backend
 
   before_action :authenticate_user!
   before_action :authorize_admin
+  before_action :set_context
 
+  def set_context
+    @context = :admin
+  end
 end

app/controllers/admin/dashboard_controller.rb

@@ -1,4 +1,5 @@
 class Admin::DashboardController < Admin::BaseController
   def index
+    @current_section = :dashboard
   end
 end

app/controllers/admin/donations_controller.rb

@@ -0,0 +1,95 @@
+class Admin::DonationsController < Admin::BaseController
+  before_action :set_donation, only: [:show, :edit, :update, :destroy]
+  before_action :set_current_section, only: [:index, :show, :new, :edit]
+
+  # GET /donations
+  # GET /donations.json
+  def index
+    @pagy, @donations = pagy(Donation.all.order('created_at desc'))
+
+    @stats = {
+      overall_sats: @donations.all.sum("amount_sats"),
+      donor_count: Donation.distinct.count(:user_id)
+    }
+  end
+
+  # GET /donations/1
+  # GET /donations/1.json
+  def show
+  end
+
+  # GET /donations/new
+  def new
+    @donation = Donation.new
+  end
+
+  # GET /donations/1/edit
+  def edit
+  end
+
+  # POST /donations
+  # POST /donations.json
+  def create
+    @donation = Donation.new(donation_params)
+
+    respond_to do |format|
+      if @donation.save
+        format.html do
+          redirect_to admin_donation_url(@donation), flash: {
+            success: 'Donation was successfully created.'
+          }
+        end
+        format.json { render :show, status: :created, location: @donation }
+      else
+        format.html { render :new, status: :unprocessable_entity }
+        format.json { render json: @donation.errors, status: :unprocessable_entity }
+      end
+    end
+  end
+
+  # PATCH/PUT /donations/1
+  # PATCH/PUT /donations/1.json
+  def update
+    respond_to do |format|
+      if @donation.update(donation_params)
+        format.html do
+          redirect_to admin_donation_url(@donation), flash: {
+            success: 'Donation was successfully updated.'
+          }
+        end
+        format.json { render :show, status: :ok, location: @donation }
+      else
+        format.html { render :edit, status: :unprocessable_entity }
+        format.json { render json: @donation.errors, status: :unprocessable_entity }
+      end
+    end
+  end
+
+  # DELETE /donations/1
+  # DELETE /donations/1.json
+  def destroy
+    @donation.destroy
+    respond_to do |format|
+      format.html do redirect_to admin_donations_url, flash: {
+        success: 'Donation was successfully destroyed.'
+      }
+      end
+      format.json { head :no_content }
+    end
+  end
+
+  private
+    # Use callbacks to share common setup or constraints between actions.
+    def set_donation
+      @donation = Donation.find(params[:id])
+    end
+
+    # Only allow a list of trusted parameters through.
+    def donation_params
+      params.require(:donation).permit(:user_id, :amount_sats, :amount_eur, :amount_usd, :public_name, :paid_at)
+    end
+
+    def set_current_section
+      @current_section = :donations
+    end
+end

app/controllers/admin/invitations_controller.rb

@@ -0,0 +1,12 @@
+class Admin::InvitationsController < Admin::BaseController
+  def index
+    @current_section = :invitations
+    @pagy, @invitations_used = pagy(Invitation.used.order('used_at desc'))
+
+    @stats = {
+      available: Invitation.unused.count,
+      accepted: @invitations_used.length,
+      users_with_referrals: Invitation.used.distinct.count(:user_id)
+    }
+  end
+end

app/controllers/admin/ldap_users_controller.rb

@@ -1,41 +0,0 @@
-class Admin::LdapUsersController < Admin::BaseController
-  def index
-    attributes = %w{dn cn uid mail admin}
-    filter = Net::LDAP::Filter.eq("uid", "*")
-    if params[:ou]
-      treebase = "ou=#{params[:ou]},cn=users,dc=kosmos,dc=org"
-    else
-      treebase = "ou=kosmos.org,cn=users,dc=kosmos,dc=org"
-    end
-
-    entries = ldap_client.search(base: treebase, filter: filter, attributes: attributes)
-    entries.sort_by! { |e| e.cn[0] }
-
-    @entries = entries.collect do |e|
-      {
-        uid: e.uid.first,
-        mail: e.try(:mail) ? e.mail.first : nil,
-        admin: e.try(:admin) ? 'admin' : nil
-        # password: e.userpassword.first
-      }
-    end
-    # ldap_client.get_operation_result
-  end
-
-  private
-
-  def ldap_client
-    ldap_client ||= Net::LDAP.new host: ENV['LDAP_HOST'],
-      port: ldap_config['port'],
-      encryption: ldap_config['ssl'],
-      auth: {
-        method: :simple,
-        username: ldap_config['admin_user'],
-        password: ldap_config['admin_password']
-      }
-  end
-
-  def ldap_config
-    ldap_config ||= YAML.load(ERB.new(File.read("#{Rails.root}/config/ldap.yml")).result)[Rails.env]
-  end
-end

app/controllers/admin/lightning_controller.rb

@@ -0,0 +1,21 @@
+class Admin::LightningController < Admin::BaseController
+  before_action :check_feature_enabled
+
+  def index
+    @current_section = :lightning
+
+    @users = User.pluck(:cn, :ou, :ln_account)
+    @accounts = LndhubAccount.with_balances.order(balance: :desc).to_a
+
+    @ln = {}
+    @ln[:current_balance] = LndhubAccount.current.joins(:ledgers).sum("account_ledgers.amount")
+    @ln[:users_with_sats] = @accounts.length
+  end
+
+  def check_feature_enabled
+    if !Setting.lndhub_admin_enabled?
+      flash[:alert] = "Lightning Admin UI not enabled"
+      redirect_to admin_root_path and return
+    end
+  end
+end

app/controllers/admin/settings/registrations_controller.rb

@@ -0,0 +1,12 @@
+class Admin::Settings::RegistrationsController < Admin::SettingsController
+  def index
+  end
+
+  def create
+    update_settings
+
+    redirect_to admin_settings_registrations_path, flash: {
+      success: "Settings saved"
+    }
+  end
+end

app/controllers/admin/settings/services_controller.rb

@@ -0,0 +1,19 @@
+class Admin::Settings::ServicesController < Admin::SettingsController
+  def index
+    @service = params[:s]
+
+    if @service.blank?
+      redirect_to admin_settings_services_path(params: { s: "discourse" })
+    end
+  end
+
+  def create
+    service = params.require(:service)
+
+    update_settings
+
+    redirect_to admin_settings_services_path(params: { s: service }), flash: {
+      success: "Settings saved"
+    }
+  end
+end

app/controllers/admin/settings_controller.rb

@@ -0,0 +1,40 @@
+class Admin::SettingsController < Admin::BaseController
+  before_action :set_current_section
+
+  def index
+  end
+
+  def update_settings
+    @errors = ActiveModel::Errors.new(Setting.new)
+    changed_keys = []
+
+    setting_params.keys.each do |key|
+      next if setting_params[key].nil? ||
+              (Setting.send(key).to_s == setting_params[key].strip)
+      changed_keys.push(key)
+      setting = Setting.new(var: key)
+      setting.value = setting_params[key].strip
+      unless setting.valid?
+        @errors.merge!(setting.errors)
+      end
+    end
+
+    if @errors.any?
+      render :index and return
+    end
+
+    changed_keys.each do |key|
+      Setting.send("#{key}=", setting_params[key].strip)
+    end
+  end
+
+  private
+
+    def set_current_section
+      @current_section = :settings
+    end
+
+    def setting_params
+      params.require(:setting).permit(Setting.editable_keys.map(&:to_sym))
+    end
+end

app/controllers/admin/users_controller.rb

@@ -0,0 +1,35 @@
+class Admin::UsersController < Admin::BaseController
+  before_action :set_user, only: [:show]
+  before_action :set_current_section
+
+  def index
+    ldap   = LdapService.new
+    @ou    = params[:ou] || Setting.primary_domain
+    @orgs  = ldap.fetch_organizations
+    @pagy, @users = pagy(User.where(ou: @ou).order(cn: :asc))
+
+    @stats = {
+      users_confirmed: User.where(ou: @ou).confirmed.count,
+      users_pending: User.where(ou: @ou).pending.count
+    }
+  end
+
+  def show
+    if Setting.lndhub_admin_enabled?
+      @lndhub_user = @user.lndhub_user
+    end
+
+    @services_enabled = @user.services_enabled
+  end
+
+  private
+
+  def set_user
+    address = params[:address].split("@")
+    @user = User.where(cn: address.first, ou: address.last).first
+  end
+
+  def set_current_section
+    @current_section = :users
+  end
+end

app/controllers/api/base_controller.rb

@@ -0,0 +1,5 @@
+class Api::BaseController < ApplicationController
+
+  layout false
+
+end

app/controllers/api/kredits_controller.rb

@@ -0,0 +1,13 @@
+class Api::KreditsController < Api::BaseController
+
+  def onchain_btc_balance
+    btcpay = BtcPay.new
+    balance = btcpay.onchain_wallet_balance
+    render json: balance
+  rescue => error
+    Rails.logger.warn "Failed to fetch kredits BTC wallet balance: #{error.message}"
+    render json: { error: 'Failed to fetch wallet balance' },
+           status: 500
+  end
+
+end

app/controllers/application_controller.rb

@@ -3,12 +3,30 @@ class ApplicationController < ActionController::Base
     render :text => exception, :status => 500
   end
 
+  before_action :sentry_set_user
+
+  def sentry_set_user
+    return unless Setting.sentry_enabled
+
+    if user_signed_in?
+      Sentry.set_user(id: current_user.id, username: current_user.cn)
+    else
+      Sentry.set_user({})
+    end
+  end
+
   def require_user_signed_in
     unless user_signed_in?
       redirect_to welcome_path and return
     end
   end
 
+  def require_user_signed_out
+    if user_signed_in?
+      redirect_to root_path and return
+    end
+  end
+
   def authorize_admin
     http_status :forbidden unless current_user.is_admin?
   end

app/controllers/contributions/donations_controller.rb

@@ -0,0 +1,10 @@
+class Contributions::DonationsController < ApplicationController
+  before_action :authenticate_user!
+
+  # GET /donations
+  # GET /donations.json
+  def index
+    @donations = current_user.donations.completed
+    @current_section = :contributions
+  end
+end

app/controllers/contributions/projects_controller.rb

@@ -0,0 +1,8 @@
+class Contributions::ProjectsController < ApplicationController
+  before_action :authenticate_user!
+
+  # GET /contributions
+  def index
+    @current_section = :contributions
+  end
+end

app/controllers/dashboard_controller.rb

@@ -2,5 +2,6 @@ class DashboardController < ApplicationController
   before_action :require_user_signed_in
 
   def index
+    @current_section = :services
   end
 end

app/controllers/discourse/sso_controller.rb

@@ -0,0 +1,17 @@
+class Discourse::SsoController < ApplicationController
+  before_action :authenticate_user!
+
+  def connect
+    secret = Setting.discourse_connect_secret
+    sso = DiscourseApi::SingleSignOn.parse(request.query_string, secret)
+    sso.external_id = current_user.id
+    sso.email = current_user.email
+    sso.username = current_user.cn
+    sso.name = current_user.display_name
+    sso.admin = current_user.is_admin?
+    sso.sso_secret = secret
+
+    redirect_to sso.to_url("#{Setting.discourse_public_url}/session/sso_login"),
+                allow_other_host: true
+  end
+end

app/controllers/invitations_controller.rb

@@ -0,0 +1,51 @@
+class InvitationsController < ApplicationController
+  before_action :authenticate_user!, except: ["show"]
+  before_action :require_user_signed_out, only: ["show"]
+
+  # GET /invitations
+  def index
+    @invitations_unused = current_user.invitations.unused
+    @invitations_used   = current_user.invitations.used.order('used_at desc')
+    @current_section = :invitations
+  end
+
+  # GET /invitations/a-random-invitation-token
+  def show
+    token = session[:invitation_token] = params[:id]
+
+    if Invitation.where(token: token, used_at: nil).exists?
+      redirect_to signup_path and return
+    else
+      flash.now[:alert] = "This invitation either doesn't exist or has already been used."
+      http_status :unauthorized
+    end
+  end
+
+  # POST /invitations
+  def create
+    @invitation = Invitation.new(user: current_user)
+
+    respond_to do |format|
+      if @invitation.save
+        format.html do redirect_to @invitation, flash: {
+          success: 'Invitation was successfully created.'
+        }
+        end
+        format.json { render :show, status: :created, location: @invitation }
+      else
+        format.html { render :new }
+        format.json { render json: @invitation.errors, status: :unprocessable_entity }
+      end
+    end
+  end
+
+  # DELETE /invitations/1
+  def destroy
+    @invitation = current_user.invitations.find(params[:id])
+    @invitation.destroy
+    respond_to do |format|
+      format.html { redirect_to invitations_url }
+      format.json { head :no_content }
+    end
+  end
+end

app/controllers/lnurlpay_controller.rb

@@ -0,0 +1,95 @@
+class LnurlpayController < ApplicationController
+  before_action :check_feature_enabled
+  before_action :find_user_by_address
+
+  MIN_SATS = 10
+  MAX_SATS = 1_000_000
+  MAX_COMMENT_CHARS = 100
+
+  def index
+    render json: {
+      status: "OK",
+      callback: "https://accounts.kosmos.org/lnurlpay/#{@user.address}/invoice",
+      tag: "payRequest",
+      maxSendable: MAX_SATS * 1000, # msat
+      minSendable: MIN_SATS * 1000, # msat
+      metadata: metadata(@user.address),
+      commentAllowed: MAX_COMMENT_CHARS
+    }
+  end
+
+  def keysend
+    http_status :not_found and return unless Setting.lndhub_keysend_enabled?
+
+    render json: {
+      status: "OK",
+      tag: "keysend",
+      pubkey: Setting.lndhub_public_key,
+      customData: [{
+        customKey: "696969",
+        customValue: @user.ln_account
+      }]
+    }
+  end
+
+  def invoice
+    amount = params[:amount].to_i / 1000 # msats
+    address = params[:address]
+    comment = params[:comment] || ""
+
+    if !valid_amount?(amount)
+      render json: { status: "ERROR", reason: "Invalid amount" }
+      return
+    end
+
+    if !valid_comment?(comment)
+      render json: { status: "ERROR", reason: "Comment too long" }
+      return
+    end
+
+    memo = "To #{address}"
+    memo = "#{memo}: \"#{comment}\"" if comment.present?
+
+    payment_request = @user.ln_create_invoice({
+      amount: amount, # we create invoices in sats
+      memo: memo,
+      description_hash: Digest::SHA2.hexdigest(metadata(address)),
+    })
+
+    render json: {
+      status: "OK",
+      successAction: {
+        tag: "message",
+        message: "Sats received. Thank you!"
+      },
+      routes: [],
+      pr: payment_request
+    }
+  end
+
+  private
+
+  def find_user_by_address
+    address = params[:address].split("@")
+    @user = User.where(cn: address.first, ou: address.last).first
+    http_status :not_found if @user.nil?
+  end
+
+  def metadata(address)
+    "[[\"text/identifier\", \"#{address}\"], [\"text/plain\", \"Send sats, receive thanks.\"]]"
+  end
+
+  def valid_amount?(amount_in_sats)
+    amount_in_sats <= MAX_SATS && amount_in_sats >= MIN_SATS
+  end
+
+  def valid_comment?(comment)
+    comment.length <= MAX_COMMENT_CHARS
+  end
+
+  private
+
+  def check_feature_enabled
+    http_status :not_found unless Setting.lndhub_enabled?
+  end
+end

app/controllers/rs/oauth_controller.rb

@@ -0,0 +1,145 @@
+class Rs::OauthController < ApplicationController
+  before_action :require_signed_in_with_username, only: :new
+  before_action :authenticate_user!, only: :create
+
+  def new
+    username, org  = params[:useraddress].split("@")
+    @user          = User.where(cn: username.downcase, ou: org).first
+    @scopes        = parse_scopes params[:scope]
+    @redirect_uri  = params[:redirect_uri]
+    @client_id     = params[:client_id]
+    @state         = params[:state]
+    @root_access_requested = (@scopes & [":r",":rw"]).any?
+
+    @denial_url = url_with_state("#{@redirect_uri}#error=access_denied", @state)
+
+    @expire_at_dates = [["Never", nil],
+                        ["In 1 month", 1.month.from_now],
+                        ["In 1 day", 1.day.from_now]]
+
+    http_status :bad_request and return unless @redirect_uri.present?
+
+    unless current_user == @user
+      sign_out :user
+
+      redirect_to new_rs_oauth_url(@user.address,
+                                   scope: params[:scope],
+                                   redirect_uri: params[:redirect_uri],
+                                   client_id: params[:client_id],
+                                   state: params[:state])
+      return
+    end
+
+    unless @client_id.present?
+      redirect_to(url_with_state("#{@redirect_uri}#error=invalid_request", @state),
+                  allow_other_host: true) and return
+    end
+
+    if @scopes.empty?
+      redirect_to(url_with_state("#{@redirect_uri}#error=invalid_scope", @state),
+                  allow_other_host: true) and return
+    end
+
+    unless hostname_of(@client_id) == hostname_of(@redirect_uri)
+      redirect_to(url_with_state("#{@redirect_uri}#error=invalid_client", @state),
+                  allow_other_host: true) and return
+    end
+
+    @client_id.gsub!(/http(s)?:\/\//, "")
+
+    if auth = current_user.remote_storage_authorizations.valid.where(permissions: @scopes, client_id: @client_id).first
+      redirect_to(url_with_state("#{@redirect_uri}#access_token=#{auth.token}", @state),
+                  allow_other_host: true) and return
+    end
+  end
+
+  def create
+    unless current_user.id.to_s == params[:user_id]
+      Rails.logger.info("NO MATCH: #{params[:user_id]}, #{current_user.id}")
+      http_status :forbidden and return
+    end
+
+    permissions  = parse_scopes params[:scope]
+    redirect_uri = params[:redirect_uri].presence
+    client_id    = params[:client_id].presence
+    state        = params[:state].presence
+    expire_at    = params[:expire_at].presence
+
+    http_status :bad_request and return unless redirect_uri.present?
+
+    if permissions.empty?
+      redirect_to(url_with_state("#{redirect_uri}#error=invalid_scope", state),
+                  allow_other_host: true) and return
+    end
+
+    unless client_id.present?
+      redirect_to(url_with_state("#{redirect_uri}#error=invalid_request", state),
+                  allow_other_host: true) and return
+    end
+
+    unless hostname_of(client_id) == hostname_of(redirect_uri)
+      redirect_to(url_with_state("#{redirect_uri}#error=invalid_client", state),
+                  allow_other_host: true) and return
+    end
+
+    client_id.gsub!(/http(s)?:\/\//, "")
+
+    auth = current_user.remote_storage_authorizations.create!(
+      permissions: permissions,
+      client_id: client_id,
+      redirect_uri: redirect_uri,
+      app_name: client_id, #TODO use user-defined name
+      expire_at: expire_at
+    )
+
+    redirect_to url_with_state("#{redirect_uri}#access_token=#{auth.token}", state),
+                allow_other_host: true
+  end
+
+  # GET /rs/oauth/token/:id/launch_app
+  def launch_app
+    auth = current_user.remote_storage_authorizations.find(params[:id])
+
+    redirect_to app_auth_url(auth), allow_other_host: true
+  end
+
+  private
+
+  def require_signed_in_with_username
+    unless user_signed_in?
+      username, org = params[:useraddress].split("@")
+      redirect_to new_user_session_path(cn: username, ou: org)
+    end
+  end
+
+  def app_auth_url(auth)
+    url = "#{auth.url}#remotestorage=#{current_user.address}"
+    url += "&access_token=#{auth.token}"
+    url
+  end
+
+  def hostname_of(uri)
+    uri.gsub(/http(s)?:\/\//, "").split(":")[0].split("/")[0]
+  end
+
+  def parse_scopes(scope_string)
+    return [] if scope_string.blank?
+
+    scopes = scope_string.
+      gsub(/\[|\]/, "").
+      gsub(/\,/, " ").
+      gsub(/\/:/, ":").
+      split(/\s/).map(&:strip).
+      reject(&:empty?)
+
+    scopes = [":r"] if scopes.include?("*:r")
+    scopes = [":rw"] if scopes.include?("*:rw")
+
+    scopes
+  end
+
+  def url_with_state(url, state)
+    state ? "#{url}&state=#{CGI.escape(state)}" : url
+  end
+
+end

app/controllers/services/base_controller.rb

@@ -0,0 +1,9 @@
+class Services::BaseController < ApplicationController
+  before_action :set_current_section
+
+  private
+
+    def set_current_section
+      @current_section = :services
+    end
+end

app/controllers/services/chat_controller.rb

@@ -0,0 +1,14 @@
+class Services::ChatController < Services::BaseController
+  before_action :authenticate_user!
+  before_action :require_service_available
+
+  def show
+    @service_enabled = current_user.services_enabled.include?(:xmpp)
+  end
+
+  private
+
+    def require_service_available
+      http_status :not_found unless Setting.ejabberd_enabled?
+    end
+end

app/controllers/services/lightning_controller.rb

@@ -0,0 +1,122 @@
+require "rqrcode"
+require "lnurl"
+
+class Services::LightningController < ApplicationController
+  before_action :authenticate_user!
+  before_action :authenticate_with_lndhub
+  before_action :set_current_section
+  before_action :fetch_balance
+
+  def index
+    @wallet_setup_url = "lndhub://#{current_user.ln_account}:#{current_user.ln_password}@#{ENV['LNDHUB_PUBLIC_URL']}"
+  end
+
+  def transactions
+    @transactions = fetch_transactions
+  end
+
+  def qr_lnurlp
+    lnurlp_url = "https://kosmos.org/.well-known/lnurlp/#{current_user.cn}"
+    lnurlp_bech32 = Lnurl.new(lnurlp_url).to_bech32
+    qr_code = RQRCode::QRCode.new("lightning:" + lnurlp_bech32)
+
+    respond_to do |format|
+      format.svg do
+        qr_svg = qr_code.as_svg(
+          color: "000",
+          shape_rendering: "crispEdges",
+          module_size: 6,
+          standalone: true,
+          use_path: true,
+          svg_attributes: {
+            class: 'inline-block'
+          }
+        )
+        send_data(
+          qr_svg,
+          filename: "bitcoin-lightning-#{current_user.address}.svg",
+          type: "image/svg+xml"
+        )
+      end
+      format.png do
+        qr_png = qr_code.as_png(
+          fill: "white",
+          color: "black",
+          size: 1024,
+        )
+        send_data(
+          qr_png,
+          filename: "bitcoin-lightning-#{current_user.address}.png",
+          type: "image/png"
+        )
+      end
+    end
+  end
+
+  private
+
+  def authenticate_with_lndhub(options={})
+    if session[:ln_auth_token].present? && !options[:force_reauth]
+      @ln_auth_token = session[:ln_auth_token]
+    else
+      lndhub = Lndhub.new
+      auth_token = lndhub.authenticate(current_user)
+      session[:ln_auth_token] = auth_token
+      @ln_auth_token = auth_token
+    end
+  rescue => e
+    Sentry.capture_exception(e) if Setting.sentry_enabled?
+  end
+
+  def set_current_section
+    @current_section = :services
+  end
+
+  def fetch_balance
+    lndhub = Lndhub.new
+    data = lndhub.balance @ln_auth_token
+    @balance = data["BTC"]["AvailableBalance"] rescue nil
+  rescue AuthError
+    authenticate_with_lndhub(force_reauth: true)
+    raise if @fetch_balance_retried
+    @fetch_balance_retried = true
+    fetch_balance
+  end
+
+  def fetch_transactions
+    lndhub = Lndhub.new
+    txs = lndhub.gettxs @ln_auth_token
+    invoices = lndhub.getuserinvoices(@ln_auth_token).select{|i| i["ispaid"]}
+    process_transactions(txs + invoices)
+  rescue AuthError
+    authenticate_with_lndhub(force_reauth: true)
+    raise if @fetch_transactions_retried
+    @fetch_transactions_retried = true
+    fetch_transactions
+  end
+
+  def process_transactions(txs)
+    txs.collect do |tx|
+      if tx["type"] == "bitcoind_tx"
+        tx["amount_sats"] = (tx["amount"] * 100000000).to_i
+        tx["datetime"] = Time.at(tx["time"].to_i)
+        tx["title"] = "Received"
+        tx["description"] = "On-chain topup"
+        tx["received"] = true
+      else
+        tx["amount_sats"] = tx["value"] || tx["amt"]
+        tx["fee"] = tx["type"] == "paid_invoice" ? tx["fee"] : nil
+        tx["datetime"] = Time.at(tx["timestamp"].to_i)
+        tx["title"] = tx["type"] == "paid_invoice" ? "Sent" : "Received"
+        tx["description"] = tx["memo"] || tx["description"]
+        tx["received"] = tx["type"] == "user_invoice"
+      end
+    end
+
+    # Handle an edge case where lndhub.go includes a failed payment in the
+    # list, which wasn't actually booked
+    txs.reject!{ |tx| tx["type"] == "paid_invoice" && tx["payment_preimage"].blank? }
+
+    txs.sort{ |a,b| b["datetime"] <=> a["datetime"] }
+  end
+end

app/controllers/services/mastodon_controller.rb

@@ -0,0 +1,14 @@
+class Services::MastodonController < Services::BaseController
+  before_action :authenticate_user!
+  before_action :require_service_available
+
+  def show
+    @service_enabled = current_user.services_enabled.include?(:mastodon)
+  end
+
+  private
+
+    def require_service_available
+      http_status :not_found unless Setting.mastodon_enabled?
+    end
+end

app/controllers/services/remotestorage_controller.rb

@@ -0,0 +1,23 @@
+class Services::RemotestorageController < Services::BaseController
+  before_action :authenticate_user!
+  before_action :require_feature_enabled
+  before_action :require_service_available
+
+  def dashboard
+    # unless current_user.services_enabled.include?(:remotestorage)
+    #   redirect_to service_remotestorage_info_path
+    # end
+  end
+
+  private
+
+    def require_feature_enabled
+      unless Flipper.enabled?(:remotestorage, current_user)
+        http_status :forbidden
+      end
+    end
+
+    def require_service_available
+      http_status :not_found unless Setting.remotestorage_enabled?
+    end
+end

app/controllers/settings_controller.rb

@@ -1,7 +1,54 @@
+require 'securerandom'
+
 class SettingsController < ApplicationController
-  before_action :require_user_signed_in
+  before_action :authenticate_user!
+  before_action :set_main_nav_section
+  before_action :set_settings_section, only: [:show, :update, :update_email]
+  before_action :set_user, only: [:show, :update, :update_email]
 
   def index
+    redirect_to setting_path(:profile)
+  end
+
+  def show
+    if @settings_section == "experiments"
+      session[:shared_secret] ||= SecureRandom.base64(12)
+    end
+  end
+
+  def update
+    @user.preferences.merge!(user_params[:preferences] || {})
+    @user.display_name = user_params[:display_name]
+
+    if @user.save
+      if @user.display_name && (@user.display_name != @user.ldap_entry[:display_name])
+        LdapManager::UpdateDisplayName.call(@user.dn, user_params[:display_name])
+      end
+
+      redirect_to setting_path(@settings_section), flash: {
+        success: 'Settings saved.'
+      }
+    else
+      @validation_errors = @user.errors
+      render :show, status: :unprocessable_entity
+    end
+  end
+
+  def update_email
+    if @user.valid_ldap_authentication?(email_params[:current_password])
+      if @user.update email: email_params[:email]
+        redirect_to setting_path(:account), flash: {
+          notice: 'Please confirm your new address using the confirmation link we just sent you.'
+        }
+      else
+        @validation_errors = @user.errors
+        render :show, status: :unprocessable_entity
+      end
+    else
+      redirect_to setting_path(:account), flash: {
+        error: 'Password did not match your current password. Try again.'
+      }
+    end
   end
 
   def reset_password
@@ -10,4 +57,79 @@ class SettingsController < ApplicationController
     msg = "We have sent you an email with a link to reset your password."
     redirect_to check_your_email_path, notice: msg
   end
+
+  def set_nostr_pubkey
+    signed_event = nostr_event_params[:signed_event].to_h.symbolize_keys
+    is_valid_id  = NostrManager::ValidateId.call(signed_event)
+    is_valid_sig = NostrManager::VerifySignature.call(signed_event)
+    is_correct_content = signed_event[:content] == "Connect my public key to #{current_user.address} (confirmation #{session[:shared_secret]})"
+
+    unless is_valid_id && is_valid_sig && is_correct_content
+      flash[:alert] = "Public key could not be verified"
+      http_status :unprocessable_entity and return
+    end
+
+    pubkey_taken = User.all_except(current_user).where(
+      ou: current_user.ou, nostr_pubkey: signed_event[:pubkey]
+    ).any?
+
+    if pubkey_taken
+      flash[:alert] = "Public key already in use for a different account"
+      http_status :unprocessable_entity and return
+    end
+
+    current_user.update! nostr_pubkey: signed_event[:pubkey]
+    session[:shared_secret] = nil
+
+    flash[:success] = "Public key verification successful"
+    http_status :ok
+  rescue
+    flash[:alert] = "Public key could not be verified"
+    http_status :unprocessable_entity and return
+  end
+
+  # DELETE /settings/nostr_pubkey
+  def remove_nostr_pubkey
+    current_user.update! nostr_pubkey: nil
+
+    redirect_to setting_path(:experiments), flash: {
+      success: 'Public key removed from account'
+    }
+  end
+
+  private
+
+    def set_main_nav_section
+      @current_section = :settings
+    end
+
+    def set_settings_section
+      @settings_section = params[:section]
+      allowed_sections = [:profile, :account, :lightning, :xmpp, :experiments]
+
+      unless allowed_sections.include?(@settings_section.to_sym)
+        redirect_to setting_path(:profile)
+      end
+    end
+
+    def set_user
+      @user = current_user
+    end
+
+    def user_params
+      params.require(:user).permit(:display_name, preferences: [
+        :lightning_notify_sats_received,
+        :xmpp_exchange_contacts_with_invitees
+      ])
+    end
+
+    def email_params
+      params.require(:user).permit(:email, :current_password)
+    end
+
+    def nostr_event_params
+      params.permit(signed_event: [
+        :id, :pubkey, :created_at, :kind, :tags, :content, :sig
+      ])
+    end
 end

app/controllers/signup_controller.rb

@@ -0,0 +1,111 @@
+class SignupController < ApplicationController
+  before_action :require_user_signed_out
+  before_action :require_invitation
+  before_action :set_invitation
+  before_action :set_new_user, only: ["steps", "validate"]
+  before_action :set_context
+
+  def index
+    @invited_by_name = @invitation.user.address
+  end
+
+  def steps
+    @step = params[:step].to_i
+    http_status :not_found unless [1,2,3].include?(@step)
+    @validation_error = session[:validation_error]
+  end
+
+  def validate
+    session[:validation_error] = nil
+
+    case user_params.keys.first
+    when "cn"
+      @user.cn = user_params[:cn]
+      @user.valid?
+      session[:new_user] = @user
+
+      if @user.errors[:cn].present?
+        session[:validation_error] = @user.errors[:cn].first # Store user including validation errors
+        redirect_to signup_steps_path(1) and return
+      else
+        redirect_to signup_steps_path(2) and return
+      end
+    when "email"
+      @user.email = user_params[:email]
+      @user.valid?
+      session[:new_user] = @user
+
+      if @user.errors[:email].present?
+        session[:validation_error] = @user.errors[:email].first # Store user including validation errors
+        redirect_to signup_steps_path(2) and return
+      else
+        redirect_to signup_steps_path(3) and return
+      end
+    when "password"
+      @user.password = user_params[:password]
+      @user.password_confirmation = user_params[:password]
+      @user.valid?
+      session[:new_user] = @user
+
+      if @user.errors[:password].present?
+        session[:validation_error] = @user.errors[:password].first # Store user including validation errors
+        redirect_to signup_steps_path(3) and return
+      else
+        complete_signup
+        msg = "Almost done! We have sent you an email to confirm your address."
+        redirect_to(check_your_email_path, notice: msg) and return
+      end
+    end
+  end
+
+  private
+
+  def user_params
+    params.require(:user).permit(:cn, :email, :password)
+  end
+
+  def require_invitation
+    if session[:invitation_token].blank?
+      flash.now[:alert] = "You need an invitation to sign up for an account."
+      http_status :unauthorized
+    elsif !valid_invitation?(session[:invitation_token])
+      flash.now[:alert] = "This invitation either doesn't exist or has already been used."
+      http_status :unauthorized
+    end
+
+    @invitation = Invitation.find_by(token: session[:invitation_token])
+  end
+
+  def valid_invitation?(token)
+    Invitation.where(token: session[:invitation_token], used_at: nil).exists?
+  end
+
+  def set_invitation
+    @invitation = Invitation.find_by(token: session[:invitation_token])
+  end
+
+  def set_new_user
+    if session[:new_user].present?
+      @user = User.new(session[:new_user])
+    else
+      @user = User.new(ou: Setting.primary_domain)
+    end
+  end
+
+  def complete_signup
+    session[:new_user] = nil
+    session[:validation_error] = nil
+
+    CreateAccount.call(
+      username: @user.cn,
+      domain: Setting.primary_domain,
+      email: @user.email,
+      password: @user.password,
+      invitation: @invitation
+    )
+  end
+
+  def set_context
+    @context = :signup
+  end
+end

app/controllers/turbo_controller.rb

@@ -0,0 +1,18 @@
+class TurboController < ApplicationController
+  class Responder < ActionController::Responder
+    def to_turbo_stream
+      controller.render(options.merge(formats: :html))
+    rescue ActionView::MissingTemplate => error
+      if get?
+        raise error
+      elsif has_errors? && default_action
+        render rendering_options.merge(formats: :html, status: :unprocessable_entity)
+      else
+        redirect_to navigation_location
+      end
+    end
+  end
+
+  self.responder = Responder
+  respond_to :html, :turbo_stream
+end

app/controllers/users/confirmations_controller.rb

@@ -0,0 +1,17 @@
+# frozen_string_literal: true
+
+class Users::ConfirmationsController < Devise::ConfirmationsController
+  # GET /resource/confirmation?confirmation_token=abcdef
+  def show
+    self.resource = resource_class.confirm_by_token(params[:confirmation_token])
+    yield resource if block_given?
+
+    if resource.errors.empty?
+      set_flash_message!(:success, :confirmed)
+      resource.devise_after_confirmation
+      respond_with_navigational(resource){ redirect_to after_confirmation_path_for(resource_name, resource) }
+    else
+      respond_with_navigational(resource.errors, status: :unprocessable_entity){ render :new }
+    end
+  end
+end

app/controllers/users/devise_controller.rb

@@ -0,0 +1,18 @@
+class Users::DeviseController < ApplicationController
+  class Responder < ActionController::Responder
+    def to_turbo_stream
+      controller.render(options.merge(formats: :html))
+    rescue ActionView::MissingTemplate => error
+      if get?
+        raise error
+      elsif has_errors? && default_action
+        render rendering_options.merge(formats: :html, status: :unprocessable_entity)
+      else
+        redirect_to navigation_location
+      end
+    end
+  end
+
+  self.responder = Responder
+  respond_to :html, :turbo_stream
+end

app/controllers/webfinger_controller.rb

@@ -0,0 +1,57 @@
+class WebfingerController < ApplicationController
+  before_action :allow_cross_origin_requests, only: [:show]
+
+  layout false
+
+  def show
+    resource = params[:resource]
+
+    if resource && resource.match(/acct:\w+/)
+      useraddress = resource.split(":").last
+      username, org = useraddress.split("@")
+      username.downcase!
+      unless User.where(cn: username, ou: org).any?
+        head 404 and return
+      end
+
+      render json: webfinger(useraddress).to_json,
+             content_type: "application/jrd+json"
+    else
+      head 422 and return
+    end
+  end
+
+  private
+
+  def webfinger(useraddress)
+    links = [];
+
+    links << remotestorage_link(useraddress) if Setting.remotestorage_enabled
+
+    { "links" => links }
+  end
+
+  def remotestorage_link(useraddress)
+    # TODO use when OAuth routes are available
+    # auth_url = new_rs_oauth_url(useraddress)
+    auth_url = "https://example.com/rs/oauth"
+    storage_url = "#{Setting.rs_storage_url}/#{useraddress}"
+
+    {
+      "rel" => "http://tools.ietf.org/id/draft-dejong-remotestorage",
+      "href" => storage_url,
+      "properties" => {
+        "http://remotestorage.io/spec/version" => "draft-dejong-remotestorage-13",
+        "http://tools.ietf.org/html/rfc6749#section-4.2" => auth_url,
+        "http://tools.ietf.org/html/rfc6750#section-2.3" => nil, # access token via a HTTP query parameter
+        "http://tools.ietf.org/html/rfc7233": "GET", # content range requests
+        "http://remotestorage.io/spec/web-authoring": nil
+      }
+    }
+  end
+
+  def allow_cross_origin_requests
+    headers['Access-Control-Allow-Origin'] = '*'
+    headers['Access-Control-Allow-Methods'] = 'GET, POST, PUT, OPTIONS'
+  end
+end

app/controllers/webhooks_controller.rb

@@ -0,0 +1,46 @@
+class WebhooksController < ApplicationController
+  skip_forgery_protection
+
+  before_action :authorize_request
+
+  def lndhub
+    begin
+      payload = JSON.parse(request.body.read, symbolize_names: true)
+      head :no_content and return unless payload[:type] == "incoming"
+    rescue
+      head :unprocessable_entity and return
+    end
+
+    user = User.find_by!(ln_account: payload[:user_login])
+    notify = user.preferences[:lightning_notify_sats_received]
+    case notify
+    when "xmpp"
+      notify_xmpp(user.address, payload[:amount], payload[:memo])
+    when "email"
+      NotificationMailer.with(user: user, amount_sats: payload[:amount])
+                        .lightning_sats_received.deliver_later
+    end
+
+    head :ok
+  end
+
+  private
+
+  # TODO refactor into mailer-like generic class/service
+  def notify_xmpp(address, amt_sats, memo)
+    payload = {
+      type: "normal",
+      from: Setting.primary_domain,
+      to: address,
+      subject: "Sats received!",
+      body: "#{helpers.number_with_delimiter amt_sats} sats received in your Lightning wallet:\n> #{memo}"
+    }
+    XmppSendMessageJob.perform_later(payload)
+  end
+
+  def authorize_request
+    if !ENV['WEBHOOKS_ALLOWED_IPS'].split(',').include?(request.remote_ip)
+      head :forbidden and return
+    end
+  end
+end