Add strfry doc draft

2024-08-19 14:37:54 +02:00
169 changed files with 1498 additions and 3461 deletions
--- a/.env.example
+++ b/.env.example
@@ -1,23 +1,6 @@
 # PRIMARY_DOMAIN=kosmos.org
 # AKKOUNTS_DOMAIN=accounts.example.com
 # Generate this using `rails secret`
 # SECRET_KEY_BASE=
 # Generate these using `rails db:encryption:init`
 # (Optional, needed for LndHub integration)
 # ENCRYPTION_PRIMARY_KEY=
 # ENCRYPTION_KEY_DERIVATION_SALT=
 # The default backend is SQLite
 # DB_ADAPTER=postgresql
 # PG_HOST=localhost
 # PG_PORT=5432
 # PG_DATABASE=akkounts
 # PG_DATABASE_QUEUE=akkounts_queue
 # PG_USERNAME=akkounts
 # PG_PASSWORD=
 # SMTP_SERVER=smtp.example.com
 # SMTP_PORT=587
 # SMTP_LOGIN=accounts
@@ -37,12 +20,8 @@
 # LDAP_HOST=localhost
 # LDAP_PORT=389
 # LDAP_USE_TLS=false
 # LDAP_UID_ATTR=cn
 # LDAP_BASE="ou=kosmos.org,cn=users,dc=kosmos,dc=org"
 # LDAP_ADMIN_USER="cn=Directory Manager"
 # LDAP_ADMIN_PASSWORD=passthebutter
-# LDAP_SUFFIX="dc=kosmos,dc=org"
+# LDAP_SUFFIX='dc=kosmos,dc=org'
 # REDIS_URL='redis://localhost:6379/1'
--- a/.env.test
+++ b/.env.test
@@ -1,9 +1,6 @@
 PRIMARY_DOMAIN=kosmos.org
 AKKOUNTS_DOMAIN=accounts.kosmos.org
 ENCRYPTION_PRIMARY_KEY=YhNLBgCFMAzw5dV3gISxnGrhNDMQwRdn
 ENCRYPTION_KEY_DERIVATION_SALT=h28g16MRZ1sghF2jTCos1DiLZXUswinR
 REDIS_URL='redis://localhost:6379/0'
 BTCPAY_PUBLIC_URL='https://btcpay.example.com'
@@ -24,8 +21,7 @@ LNDHUB_PUBLIC_KEY='024cd3be18617f39cf645851e3ba63f51fc13f0bb09e3bb25e6fd4de55648
 NOSTR_PRIVATE_KEY='7c3ef7e448505f0615137af38569d01807d3b05b5005d5ecf8aaafcd40323cea'
 NOSTR_PUBLIC_KEY='bdd76ce2934b2f591f9fad2ebe9da18f20d2921de527494ba00eeaa0a0efadcf'
 RS_REDIS_URL='redis://localhost:6379/1'
 RS_STORAGE_URL='https://storage.kosmos.org'
-RS_AKKOUNTS_DOMAIN=localhost
+RS_REDIS_URL='redis://localhost:6379/1'
 WEBHOOKS_ALLOWED_IPS='10.1.1.23'
--- a/.gitignore
+++ b/.gitignore
@@ -37,7 +37,6 @@
 /yarn-error.log
 yarn-debug.log*
 .yarn-integrity
 bun.lock
 # Ignore local dotenv config file
 .env
@@ -48,6 +47,3 @@ dump.rdb
 /app/assets/builds/*
 !/app/assets/builds/.keep
 # Ignore generated ctags
 *.tags
--- a/13
+++ b/13
@@ -1,11 +1,18 @@
 # syntax=docker/dockerfile:1
-FROM ruby:3.3.4
+FROM debian:bullseye-slim as base
 SHELL ["/bin/bash", "-o", "pipefail", "-c"]
-RUN apt-get update -qq && apt-get install -y --no-install-recommends curl \
+# TODO Remove when upstream Ruby works properly on Apple silicon
-      ldap-utils tini libvips
+RUN apt update && apt install -y build-essential wget autoconf libpq-dev pkg-config
 RUN wget https://github.com/postmodern/ruby-install/releases/download/v0.9.3/ruby-install-0.9.3.tar.gz \
  && tar -xzvf ruby-install-0.9.3.tar.gz \
  && cd ruby-install-0.9.3/ \
  && make install
 RUN ruby-install -p https://github.com/ruby/ruby/pull/9371.diff ruby 3.3.0
 ENV PATH="/opt/rubies/ruby-3.3.0/bin:${PATH}"
 RUN apt-get install -y --no-install-recommends curl ldap-utils tini libvips
 RUN curl -fsSL https://deb.nodesource.com/setup_lts.x | bash -
 RUN apt-get update && apt-get install -y nodejs
--- a/22
+++ b/22
@@ -2,13 +2,13 @@ source 'https://rubygems.org'
 git_source(:github) { |repo| "https://github.com/#{repo}.git" }
 # Bundle edge Rails instead: gem 'rails', github: 'rails/rails'
-gem 'rails', '~> 8.0'
+gem 'rails', '~> 7.1'
 # Use Puma as the app server
-gem 'puma', '~> 6.6'
+gem 'puma', '~> 4.1'
 # View components
 gem "view_component"
-# Asset bundler
+# Separate dependency since Rails 7.0
-gem 'propshaft'
+gem 'sprockets-rails'
 # Allows custom JS build tasks to integrate with the asset pipeline
 gem 'cssbundling-rails'
 # Use JavaScript with ESM import maps [https://github.com/rails/importmap-rails]
@@ -19,12 +19,17 @@ gem "turbo-rails"
 gem "stimulus-rails"
 # Build JSON APIs with ease. Read more: https://github.com/rails/jbuilder
 gem 'jbuilder', '~> 2.7'
 # Use Redis adapter to run Action Cable in production
 # gem 'redis', '~> 4.0'
 # Use Active Model has_secure_password
 gem 'bcrypt', '~> 3.1'
 # Configuration
 gem 'dotenv-rails'
 # Security
 gem 'lockbox'
 # Authentication
 gem 'warden'
 gem 'devise', '~> 4.9.0'
@@ -39,8 +44,6 @@ gem 'pagy', '~> 6.0', '>= 6.0.2'
 gem 'flipper'
 gem 'flipper-active_record'
 gem 'flipper-ui'
 gem 'gpgme', '~> 2.0.24'
 gem 'zbase32', '~> 0.1.1'
 # HTTP requests
 gem 'faraday'
@@ -48,8 +51,8 @@ gem 'down'
 gem 'aws-sdk-s3', require: false
 # Background/scheduled jobs
-gem 'solid_queue'
+gem 'sidekiq', '< 7'
-gem "mission_control-jobs"
+gem 'sidekiq-scheduler'
 # Monitoring
 gem "sentry-ruby"
@@ -60,11 +63,10 @@ gem 'discourse_api'
 gem "lnurl"
 gem 'manifique', '~> 1.1.0'
 gem 'nostr', '~> 0.6.0'
 gem "redis", "~> 5.4"
 group :development, :test do
  # Use sqlite3 as the database for Active Record
-  gem 'sqlite3', '>= 2.1'
+  gem 'sqlite3', '~> 1.7.2'
  gem 'rspec-rails'
  gem 'rails-controller-testing'
 end
--- a/Gemfile.lock
+++ b/Gemfile.lock
@@ -1,109 +1,110 @@
 GEM
  remote: https://rubygems.org/
  specs:
-    actioncable (8.0.2)
+    actioncable (7.1.3)
-      actionpack (= 8.0.2)
+      actionpack (= 7.1.3)
-      activesupport (= 8.0.2)
+      activesupport (= 7.1.3)
      nio4r (~> 2.0)
      websocket-driver (>= 0.6.1)
      zeitwerk (~> 2.6)
-    actionmailbox (8.0.2)
+    actionmailbox (7.1.3)
-      actionpack (= 8.0.2)
+      actionpack (= 7.1.3)
-      activejob (= 8.0.2)
+      activejob (= 7.1.3)
-      activerecord (= 8.0.2)
+      activerecord (= 7.1.3)
-      activestorage (= 8.0.2)
+      activestorage (= 7.1.3)
-      activesupport (= 8.0.2)
+      activesupport (= 7.1.3)
-      mail (>= 2.8.0)
+      mail (>= 2.7.1)
-    actionmailer (8.0.2)
+      net-imap
-      actionpack (= 8.0.2)
+      net-pop
-      actionview (= 8.0.2)
+      net-smtp
-      activejob (= 8.0.2)
+    actionmailer (7.1.3)
-      activesupport (= 8.0.2)
+      actionpack (= 7.1.3)
-      mail (>= 2.8.0)
+      actionview (= 7.1.3)
      activejob (= 7.1.3)
      activesupport (= 7.1.3)
      mail (~> 2.5, >= 2.5.4)
      net-imap
      net-pop
      net-smtp
      rails-dom-testing (~> 2.2)
-    actionpack (8.0.2)
+    actionpack (7.1.3)
-      actionview (= 8.0.2)
+      actionview (= 7.1.3)
-      activesupport (= 8.0.2)
+      activesupport (= 7.1.3)
      nokogiri (>= 1.8.5)
      racc
      rack (>= 2.2.4)
      rack-session (>= 1.0.1)
      rack-test (>= 0.6.3)
      rails-dom-testing (~> 2.2)
      rails-html-sanitizer (~> 1.6)
-      useragent (~> 0.16)
+    actiontext (7.1.3)
-    actiontext (8.0.2)
+      actionpack (= 7.1.3)
-      actionpack (= 8.0.2)
+      activerecord (= 7.1.3)
-      activerecord (= 8.0.2)
+      activestorage (= 7.1.3)
-      activestorage (= 8.0.2)
+      activesupport (= 7.1.3)
      activesupport (= 8.0.2)
      globalid (>= 0.6.0)
      nokogiri (>= 1.8.5)
-    actionview (8.0.2)
+    actionview (7.1.3)
-      activesupport (= 8.0.2)
+      activesupport (= 7.1.3)
      builder (~> 3.1)
      erubi (~> 1.11)
      rails-dom-testing (~> 2.2)
      rails-html-sanitizer (~> 1.6)
-    activejob (8.0.2)
+    activejob (7.1.3)
-      activesupport (= 8.0.2)
+      activesupport (= 7.1.3)
      globalid (>= 0.3.6)
-    activemodel (8.0.2)
+    activemodel (7.1.3)
-      activesupport (= 8.0.2)
+      activesupport (= 7.1.3)
-    activerecord (8.0.2)
+    activerecord (7.1.3)
-      activemodel (= 8.0.2)
+      activemodel (= 7.1.3)
-      activesupport (= 8.0.2)
+      activesupport (= 7.1.3)
      timeout (>= 0.4.0)
-    activestorage (8.0.2)
+    activestorage (7.1.3)
-      actionpack (= 8.0.2)
+      actionpack (= 7.1.3)
-      activejob (= 8.0.2)
+      activejob (= 7.1.3)
-      activerecord (= 8.0.2)
+      activerecord (= 7.1.3)
-      activesupport (= 8.0.2)
+      activesupport (= 7.1.3)
      marcel (~> 1.0)
-    activesupport (8.0.2)
+    activesupport (7.1.3)
      base64
      benchmark (>= 0.3)
      bigdecimal
-      concurrent-ruby (~> 1.0, >= 1.3.1)
+      concurrent-ruby (~> 1.0, >= 1.0.2)
      connection_pool (>= 2.2.5)
      drb
      i18n (>= 1.6, < 2)
      logger (>= 1.4.2)
      minitest (>= 5.1)
-      securerandom (>= 0.3)
+      mutex_m
-      tzinfo (~> 2.0, >= 2.0.5)
+      tzinfo (~> 2.0)
-      uri (>= 0.13.1)
+    addressable (2.8.6)
-    addressable (2.8.7)
+      public_suffix (>= 2.0.2, < 6.0)
-      public_suffix (>= 2.0.2, < 7.0)
+    ast (2.4.2)
-    ast (2.4.3)
+    aws-eventstream (1.3.0)
-    aws-eventstream (1.3.2)
+    aws-partitions (1.886.0)
-    aws-partitions (1.1092.0)
+    aws-sdk-core (3.191.0)
    aws-sdk-core (3.222.2)
      aws-eventstream (~> 1, >= 1.3.0)
-      aws-partitions (~> 1, >= 1.992.0)
+      aws-partitions (~> 1, >= 1.651.0)
-      aws-sigv4 (~> 1.9)
+      aws-sigv4 (~> 1.8)
      base64
      jmespath (~> 1, >= 1.6.1)
-      logger
+    aws-sdk-kms (1.77.0)
-    aws-sdk-kms (1.99.0)
+      aws-sdk-core (~> 3, >= 3.191.0)
-      aws-sdk-core (~> 3, >= 3.216.0)
+      aws-sigv4 (~> 1.1)
-      aws-sigv4 (~> 1.5)
+    aws-sdk-s3 (1.143.0)
-    aws-sdk-s3 (1.183.0)
+      aws-sdk-core (~> 3, >= 3.191.0)
      aws-sdk-core (~> 3, >= 3.216.0)
      aws-sdk-kms (~> 1)
-      aws-sigv4 (~> 1.5)
+      aws-sigv4 (~> 1.8)
-    aws-sigv4 (1.11.0)
+    aws-sigv4 (1.8.0)
      aws-eventstream (~> 1, >= 1.0.2)
    backport (1.2.0)
    base64 (0.2.0)
    bcrypt (3.1.20)
-    bech32 (1.5.0)
+    bech32 (1.4.2)
      thor (>= 1.1.0)
-    benchmark (0.4.0)
+    benchmark (0.3.0)
-    bigdecimal (3.1.9)
+    bigdecimal (3.1.6)
    bindex (0.8.1)
    bip-schnorr (0.7.0)
      ecdsa_ext (~> 0.5.0)
-    builder (3.3.0)
+    builder (3.2.4)
    capybara (3.40.0)
      addressable
      matrix
@@ -113,25 +114,23 @@ GEM
      rack-test (>= 0.6.3)
      regexp_parser (>= 1.5, < 3.0)
      xpath (~> 3.2)
    childprocess (5.1.0)
      logger (~> 1.5)
    chunky_png (1.4.0)
-    concurrent-ruby (1.3.4)
+    concurrent-ruby (1.2.3)
-    connection_pool (2.5.2)
+    connection_pool (2.4.1)
-    crack (1.0.0)
+    crack (0.4.6)
      bigdecimal
      rexml
    crass (1.0.6)
-    cssbundling-rails (1.4.3)
+    cssbundling-rails (1.4.0)
      railties (>= 6.0.0)
-    database_cleaner (2.1.0)
+    database_cleaner (2.0.2)
      database_cleaner-active_record (>= 2, < 3)
-    database_cleaner-active_record (2.2.0)
+    database_cleaner-active_record (2.1.0)
      activerecord (>= 5.a)
      database_cleaner-core (~> 2.0.0)
    database_cleaner-core (2.0.1)
-    date (3.4.1)
+    date (3.3.4)
-    devise (4.9.4)
+    devise (4.9.3)
      bcrypt (~> 3.0)
      orm_adapter (~> 0.1)
      railties (>= 4.1.0)
@@ -140,112 +139,105 @@ GEM
    devise_ldap_authenticatable (0.8.7)
      devise (>= 3.4.1)
      net-ldap (>= 0.16.0)
-    diff-lcs (1.6.1)
+    diff-lcs (1.5.1)
    discourse_api (2.0.1)
      faraday (~> 2.7)
      faraday-follow_redirects
      faraday-multipart
      rack (>= 1.6)
-    dotenv (3.1.8)
+    dotenv (2.8.1)
-    dotenv-rails (3.1.8)
+    dotenv-rails (2.8.1)
-      dotenv (= 3.1.8)
+      dotenv (= 2.8.1)
-      railties (>= 6.1)
+      railties (>= 3.2)
-    down (5.4.2)
+    down (5.4.1)
      addressable (~> 2.8)
-    drb (2.2.1)
+    drb (2.2.0)
      ruby2_keywords
    e2mmap (0.1.0)
    ecdsa (1.2.0)
    ecdsa_ext (0.5.1)
      ecdsa (~> 1.2.0)
-    erubi (1.13.1)
+    erubi (1.12.0)
-    et-orbi (1.2.11)
+    et-orbi (1.2.7)
      tzinfo
    event_emitter (0.2.6)
    eventmachine (1.2.7)
-    factory_bot (6.5.1)
+    factory_bot (6.4.6)
-      activesupport (>= 6.1.0)
+      activesupport (>= 5.0.0)
-    factory_bot_rails (6.4.4)
+    factory_bot_rails (6.4.3)
-      factory_bot (~> 6.5)
+      factory_bot (~> 6.4)
      railties (>= 5.0.0)
-    faker (3.5.1)
+    faker (3.2.3)
      i18n (>= 1.8.11, < 2)
-    faraday (2.9.2)
+    faraday (2.9.0)
      faraday-net_http (>= 2.0, < 3.2)
    faraday-follow_redirects (0.3.0)
      faraday (>= 1, < 3)
-    faraday-multipart (1.1.0)
+    faraday-multipart (1.0.4)
-      multipart-post (~> 2.0)
+      multipart-post (~> 2)
-    faraday-net_http (3.1.1)
+    faraday-net_http (3.1.0)
      net-http
    faye-websocket (0.11.3)
      eventmachine (>= 0.12.0)
      websocket-driver (>= 0.5.1)
-    ffi (1.17.2)
+    ffi (1.16.3)
-    ffi (1.17.2-arm64-darwin)
+    flipper (1.2.2)
    ffi (1.17.2-x86_64-linux-gnu)
    flipper (1.3.4)
      concurrent-ruby (< 2)
-    flipper-active_record (1.3.4)
+    flipper-active_record (1.2.2)
-      activerecord (>= 4.2, < 9)
+      activerecord (>= 4.2, < 8)
-      flipper (~> 1.3.4)
+      flipper (~> 1.2.2)
-    flipper-ui (1.3.4)
+    flipper-ui (1.2.2)
      erubi (>= 1.0.0, < 2.0.0)
-      flipper (~> 1.3.4)
+      flipper (~> 1.2.2)
      rack (>= 1.4, < 4)
-      rack-protection (>= 1.5.3, < 5.0.0)
+      rack-protection (>= 1.5.3, <= 4.0.0)
-      rack-session (>= 1.0.2, < 3.0.0)
+      sanitize (< 7)
-      sanitize (< 8)
+    fugit (1.9.0)
-    fugit (1.11.1)
+      et-orbi (~> 1, >= 1.2.7)
      et-orbi (~> 1, >= 1.2.11)
      raabro (~> 1.4)
    globalid (1.2.1)
      activesupport (>= 6.1)
-    gpgme (2.0.24)
+    hashdiff (1.1.0)
-      mini_portile2 (~> 2.7)
+    i18n (1.14.1)
    hashdiff (1.1.2)
    i18n (1.14.7)
      concurrent-ruby (~> 1.0)
    image_processing (1.12.2)
      mini_magick (>= 4.9.5, < 5)
      ruby-vips (>= 2.0.17, < 3)
-    importmap-rails (2.1.0)
+    importmap-rails (2.0.1)
      actionpack (>= 6.0.0)
      activesupport (>= 6.0.0)
      railties (>= 6.0.0)
-    io-console (0.8.0)
+    io-console (0.7.2)
-    irb (1.15.2)
+    irb (1.11.1)
-      pp (>= 0.6.0)
+      rdoc
      rdoc (>= 4.0.0)
      reline (>= 0.4.2)
-    jaro_winkler (1.6.0)
+    jaro_winkler (1.5.6)
-    jbuilder (2.13.0)
+    jbuilder (2.11.5)
      actionview (>= 5.0.0)
      activesupport (>= 5.0.0)
    jmespath (1.6.2)
-    json (2.11.3)
+    json (2.7.1)
-    kramdown (2.5.1)
+    kramdown (2.4.0)
-      rexml (>= 3.3.9)
+      rexml
    kramdown-parser-gfm (1.1.0)
      kramdown (~> 2.0)
-    language_server-protocol (3.17.0.4)
+    language_server-protocol (3.17.0.3)
-    launchy (3.1.1)
+    launchy (2.5.2)
      addressable (~> 2.8)
-      childprocess (~> 5.0)
+    letter_opener (1.8.1)
-      logger (~> 1.6)
+      launchy (>= 2.2, < 3)
-    letter_opener (1.10.0)
+    letter_opener_web (2.0.0)
-      launchy (>= 2.2, < 4)
+      actionmailer (>= 5.2)
-    letter_opener_web (3.0.0)
+      letter_opener (~> 1.7)
-      actionmailer (>= 6.1)
+      railties (>= 5.2)
      letter_opener (~> 1.9)
      railties (>= 6.1)
      rexml
-    lint_roller (1.1.0)
+    listen (3.8.0)
    listen (3.9.0)
      rb-fsevent (~> 0.10, >= 0.10.3)
      rb-inotify (~> 0.9, >= 0.9.10)
-    lnurl (1.1.1)
+    lnurl (1.1.0)
      bech32 (~> 1.1)
-    logger (1.7.0)
+    lockbox (1.3.2)
-    loofah (2.24.0)
+    loofah (2.22.0)
      crass (~> 1.0.2)
      nokogiri (>= 1.12.0)
    mail (2.8.1)
@@ -257,27 +249,18 @@ GEM
      faraday (~> 2.9.0)
      faraday-follow_redirects (= 0.3.0)
      nokogiri (~> 1.16.0)
-    marcel (1.0.4)
+    marcel (1.0.2)
    matrix (0.4.2)
-    method_source (1.1.0)
+    method_source (1.0.0)
-    mini_magick (4.13.2)
+    mini_magick (4.12.0)
    mini_mime (1.1.5)
-    mini_portile2 (2.8.8)
+    mini_portile2 (2.8.5)
-    minitest (5.25.5)
+    minitest (5.21.2)
-    mission_control-jobs (1.0.2)
+    multipart-post (2.3.0)
-      actioncable (>= 7.1)
+    mutex_m (0.2.0)
-      actionpack (>= 7.1)
+    net-http (0.4.1)
      activejob (>= 7.1)
      activerecord (>= 7.1)
      importmap-rails (>= 1.2.1)
      irb (~> 1.13)
      railties (>= 7.1)
      stimulus-rails
      turbo-rails
    multipart-post (2.4.1)
    net-http (0.6.0)
      uri
-    net-imap (0.5.7)
+    net-imap (0.4.9.1)
      date
      net-protocol
    net-ldap (0.19.0)
@@ -285,15 +268,15 @@ GEM
      net-protocol
    net-protocol (0.2.2)
      timeout
-    net-smtp (0.5.1)
+    net-smtp (0.4.0.1)
      net-protocol
-    nio4r (2.7.4)
+    nio4r (2.7.0)
-    nokogiri (1.16.8)
+    nokogiri (1.16.0)
      mini_portile2 (~> 2.8.2)
      racc (~> 1.4)
-    nokogiri (1.16.8-arm64-darwin)
+    nokogiri (1.16.0-arm64-darwin)
      racc (~> 1.4)
-    nokogiri (1.16.8-x86_64-linux)
+    nokogiri (1.16.0-x86_64-linux)
      racc (~> 1.4)
    nostr (0.6.0)
      bech32 (~> 1.4)
@@ -302,57 +285,45 @@ GEM
      event_emitter (~> 0.2)
      faye-websocket (~> 0.11)
      json (~> 2.6)
    observer (0.1.2)
    orm_adapter (0.5.0)
-    ostruct (0.6.1)
+    pagy (6.4.3)
-    pagy (6.5.0)
+    parallel (1.24.0)
-    parallel (1.27.0)
+    parser (3.3.0.5)
    parser (3.3.8.0)
      ast (~> 2.4.1)
      racc
-    pg (1.5.9)
+    pg (1.5.4)
-    pp (0.6.2)
+    psych (5.1.2)
      prettyprint
    prettyprint (0.2.0)
    prism (1.4.0)
    propshaft (1.1.0)
      actionpack (>= 7.0.0)
      activesupport (>= 7.0.0)
      rack
      railties (>= 7.0.0)
    psych (5.2.3)
      date
      stringio
-    public_suffix (6.0.1)
+    public_suffix (5.0.4)
-    puma (6.6.0)
+    puma (4.3.12)
      nio4r (~> 2.0)
    raabro (1.4.0)
-    racc (1.8.1)
+    racc (1.7.3)
-    rack (2.2.13)
+    rack (2.2.8)
    rack-protection (3.2.0)
      base64 (>= 0.1.0)
      rack (~> 2.2, >= 2.2.4)
    rack-session (1.0.2)
      rack (< 3)
-    rack-test (2.2.0)
+    rack-test (2.1.0)
      rack (>= 1.3)
-    rackup (1.0.1)
+    rackup (1.0.0)
      rack (< 3)
      webrick
-    rails (8.0.2)
+    rails (7.1.3)
-      actioncable (= 8.0.2)
+      actioncable (= 7.1.3)
-      actionmailbox (= 8.0.2)
+      actionmailbox (= 7.1.3)
-      actionmailer (= 8.0.2)
+      actionmailer (= 7.1.3)
-      actionpack (= 8.0.2)
+      actionpack (= 7.1.3)
-      actiontext (= 8.0.2)
+      actiontext (= 7.1.3)
-      actionview (= 8.0.2)
+      actionview (= 7.1.3)
-      activejob (= 8.0.2)
+      activejob (= 7.1.3)
-      activemodel (= 8.0.2)
+      activemodel (= 7.1.3)
-      activerecord (= 8.0.2)
+      activerecord (= 7.1.3)
-      activestorage (= 8.0.2)
+      activestorage (= 7.1.3)
-      activesupport (= 8.0.2)
+      activesupport (= 7.1.3)
      bundler (>= 1.15.0)
-      railties (= 8.0.2)
+      railties (= 7.1.3)
    rails-controller-testing (1.0.5)
      actionpack (>= 5.0.1.rc1)
      actionview (>= 5.0.1.rc1)
@@ -361,140 +332,138 @@ GEM
      activesupport (>= 5.0.0)
      minitest
      nokogiri (>= 1.6)
-    rails-html-sanitizer (1.6.2)
+    rails-html-sanitizer (1.6.0)
      loofah (~> 2.21)
-      nokogiri (>= 1.15.7, != 1.16.7, != 1.16.6, != 1.16.5, != 1.16.4, != 1.16.3, != 1.16.2, != 1.16.1, != 1.16.0.rc1, != 1.16.0)
+      nokogiri (~> 1.14)
    rails-settings-cached (2.8.3)
      activerecord (>= 5.0.0)
      railties (>= 5.0.0)
-    railties (8.0.2)
+    railties (7.1.3)
-      actionpack (= 8.0.2)
+      actionpack (= 7.1.3)
-      activesupport (= 8.0.2)
+      activesupport (= 7.1.3)
-      irb (~> 1.13)
+      irb
      rackup (>= 1.0.0)
      rake (>= 12.2)
      thor (~> 1.0, >= 1.2.2)
      zeitwerk (~> 2.6)
    rainbow (3.1.1)
-    rake (13.2.1)
+    rake (13.1.0)
    rb-fsevent (0.11.2)
-    rb-inotify (0.11.1)
+    rb-inotify (0.10.1)
      ffi (~> 1.0)
-    rbs (3.9.2)
+    rbs (2.8.4)
-      logger
+    rdoc (6.6.2)
    rdoc (6.13.1)
      psych (>= 4.0.0)
-    redis (5.4.0)
+    redis (4.8.1)
-      redis-client (>= 0.22.0)
+    regexp_parser (2.9.0)
-    redis-client (0.24.0)
+    reline (0.4.2)
      connection_pool
    regexp_parser (2.10.0)
    reline (0.6.1)
      io-console (~> 0.5)
    responders (3.1.1)
      actionpack (>= 5.2)
      railties (>= 5.2)
-    reverse_markdown (3.0.0)
+    reverse_markdown (2.1.1)
      nokogiri
-    rexml (3.4.1)
+    rexml (3.2.6)
    rqrcode (2.2.0)
      chunky_png (~> 1.0)
      rqrcode_core (~> 1.0)
    rqrcode_core (1.2.0)
-    rspec-core (3.13.3)
+    rspec-core (3.12.2)
-      rspec-support (~> 3.13.0)
+      rspec-support (~> 3.12.0)
-    rspec-expectations (3.13.3)
+    rspec-expectations (3.12.3)
      diff-lcs (>= 1.2.0, < 2.0)
-      rspec-support (~> 3.13.0)
+      rspec-support (~> 3.12.0)
-    rspec-mocks (3.13.2)
+    rspec-mocks (3.12.6)
      diff-lcs (>= 1.2.0, < 2.0)
-      rspec-support (~> 3.13.0)
+      rspec-support (~> 3.12.0)
-    rspec-rails (7.1.1)
+    rspec-rails (6.1.1)
-      actionpack (>= 7.0)
+      actionpack (>= 6.1)
-      activesupport (>= 7.0)
+      activesupport (>= 6.1)
-      railties (>= 7.0)
+      railties (>= 6.1)
-      rspec-core (~> 3.13)
+      rspec-core (~> 3.12)
-      rspec-expectations (~> 3.13)
+      rspec-expectations (~> 3.12)
-      rspec-mocks (~> 3.13)
+      rspec-mocks (~> 3.12)
-      rspec-support (~> 3.13)
+      rspec-support (~> 3.12)
-    rspec-support (3.13.2)
+    rspec-support (3.12.1)
-    rubocop (1.75.3)
+    rubocop (1.60.2)
      json (~> 2.3)
-      language_server-protocol (~> 3.17.0.2)
+      language_server-protocol (>= 3.17.0)
      lint_roller (~> 1.1.0)
      parallel (~> 1.10)
      parser (>= 3.3.0.2)
      rainbow (>= 2.2.2, < 4.0)
-      regexp_parser (>= 2.9.3, < 3.0)
+      regexp_parser (>= 1.8, < 3.0)
-      rubocop-ast (>= 1.44.0, < 2.0)
+      rexml (>= 3.2.5, < 4.0)
      rubocop-ast (>= 1.30.0, < 2.0)
      ruby-progressbar (~> 1.7)
-      unicode-display_width (>= 2.4.0, < 4.0)
+      unicode-display_width (>= 2.4.0, < 3.0)
-    rubocop-ast (1.44.1)
+    rubocop-ast (1.30.0)
-      parser (>= 3.3.7.2)
+      parser (>= 3.2.1.0)
      prism (~> 1.4)
    ruby-progressbar (1.13.0)
-    ruby-vips (2.2.3)
+    ruby-vips (2.2.0)
      ffi (~> 1.12)
-      logger
+    ruby2_keywords (0.0.5)
-    sanitize (7.0.0)
+    rufus-scheduler (3.9.1)
      fugit (~> 1.1, >= 1.1.6)
    sanitize (6.1.0)
      crass (~> 1.0.2)
-      nokogiri (>= 1.16.8)
+      nokogiri (>= 1.12.0)
-    securerandom (0.4.1)
+    sentry-rails (5.16.1)
    sentry-rails (5.23.0)
      railties (>= 5.0)
-      sentry-ruby (~> 5.23.0)
+      sentry-ruby (~> 5.16.1)
-    sentry-ruby (5.23.0)
+    sentry-ruby (5.16.1)
      bigdecimal
      concurrent-ruby (~> 1.0, >= 1.0.2)
-    solargraph (0.54.2)
+    sidekiq (6.5.12)
      connection_pool (>= 2.2.5, < 3)
      rack (~> 2.0)
      redis (>= 4.5.0, < 5)
    sidekiq-scheduler (5.0.3)
      rufus-scheduler (~> 3.2)
      sidekiq (>= 6, < 8)
      tilt (>= 1.4.0)
    solargraph (0.50.0)
      backport (~> 1.2)
-      benchmark (~> 0.4)
+      benchmark
      bundler (~> 2.0)
      diff-lcs (~> 1.4)
-      jaro_winkler (~> 1.6)
+      e2mmap
      jaro_winkler (~> 1.5)
      kramdown (~> 2.3)
      kramdown-parser-gfm (~> 1.1)
      logger (~> 1.6)
      observer (~> 0.1)
      ostruct (~> 0.6)
      parser (~> 3.0)
-      rbs (~> 3.3)
+      rbs (~> 2.0)
-      reverse_markdown (~> 3.0)
+      reverse_markdown (~> 2.0)
      rubocop (~> 1.38)
      thor (~> 1.0)
      tilt (~> 2.0)
      yard (~> 0.9, >= 0.9.24)
-      yard-solargraph (~> 0.1)
+    sprockets (4.2.1)
-    solid_queue (1.1.5)
+      concurrent-ruby (~> 1.0)
-      activejob (>= 7.1)
+      rack (>= 2.2.4, < 4)
-      activerecord (>= 7.1)
+    sprockets-rails (3.4.2)
-      concurrent-ruby (>= 1.3.1)
+      actionpack (>= 5.2)
-      fugit (~> 1.11.0)
+      activesupport (>= 5.2)
-      railties (>= 7.1)
+      sprockets (>= 3.0.0)
-      thor (~> 1.3.1)
+    sqlite3 (1.7.2)
    sqlite3 (2.6.0)
      mini_portile2 (~> 2.8.0)
-    sqlite3 (2.6.0-arm64-darwin)
+    sqlite3 (1.7.2-arm64-darwin)
-    sqlite3 (2.6.0-x86_64-linux-gnu)
+    sqlite3 (1.7.2-x86_64-linux)
-    stimulus-rails (1.3.4)
+    stimulus-rails (1.3.3)
      railties (>= 6.0.0)
    stringio (3.1.0)
    thor (1.3.0)
    tilt (2.3.0)
    timeout (0.4.1)
    turbo-rails (1.5.0)
      actionpack (>= 6.0.0)
      activejob (>= 6.0.0)
      railties (>= 6.0.0)
    stringio (3.1.7)
    thor (1.3.2)
    tilt (2.6.0)
    timeout (0.4.3)
    turbo-rails (2.0.13)
      actionpack (>= 7.1.0)
      railties (>= 7.1.0)
    tzinfo (2.0.6)
      concurrent-ruby (~> 1.0)
-    unicode-display_width (3.1.4)
+    unicode-display_width (2.5.0)
-      unicode-emoji (~> 4.0, >= 4.0.4)
+    uri (0.13.0)
-    unicode-emoji (4.0.4)
+    view_component (3.10.0)
-    uri (1.0.3)
+      activesupport (>= 5.2.0, < 8.0)
-    useragent (0.16.11)
+      concurrent-ruby (~> 1.0)
    view_component (3.22.0)
      activesupport (>= 5.2.0, < 8.1)
      concurrent-ruby (= 1.3.4)
      method_source (~> 1.0)
    warden (1.2.9)
      rack (>= 2.0.9)
@@ -503,22 +472,18 @@ GEM
      activemodel (>= 6.0.0)
      bindex (>= 0.4.0)
      railties (>= 6.0.0)
-    webmock (3.25.1)
+    webmock (3.19.1)
      addressable (>= 2.8.0)
      crack (>= 0.3.2)
      hashdiff (>= 0.4.0, < 2.0.0)
-    webrick (1.9.1)
+    webrick (1.8.1)
-    websocket-driver (0.7.7)
+    websocket-driver (0.7.6)
      base64
      websocket-extensions (>= 0.1.0)
    websocket-extensions (0.1.5)
    xpath (3.2.0)
      nokogiri (~> 1.8)
-    yard (0.9.37)
+    yard (0.9.34)
-    yard-solargraph (0.1.0)
+    zeitwerk (2.6.12)
      yard (~> 0.9)
    zbase32 (0.1.1)
    zeitwerk (2.7.2)
 PLATFORMS
  arm64-darwin-22
@@ -542,7 +507,6 @@ DEPENDENCIES
  flipper
  flipper-active_record
  flipper-ui
  gpgme (~> 2.0.24)
  image_processing (~> 1.12.2)
  importmap-rails
  jbuilder (~> 2.7)
@@ -550,25 +514,25 @@ DEPENDENCIES
  letter_opener_web
  listen (~> 3.2)
  lnurl
  lockbox
  manifique (~> 1.1.0)
  mission_control-jobs
  net-ldap
  nostr (~> 0.6.0)
  pagy (~> 6.0, >= 6.0.2)
  pg (~> 1.5)
-  propshaft
+  puma (~> 4.1)
-  puma (~> 6.6)
+  rails (~> 7.1)
  rails (~> 8.0)
  rails-controller-testing
  rails-settings-cached (~> 2.8.3)
  redis (~> 5.4)
  rqrcode (~> 2.0)
  rspec-rails
  sentry-rails
  sentry-ruby
  sidekiq (< 7)
  sidekiq-scheduler
  solargraph
-  solid_queue
+  sprockets-rails
-  sqlite3 (>= 2.1)
+  sqlite3 (~> 1.7.2)
  stimulus-rails
  turbo-rails
  tzinfo-data
@@ -576,7 +540,6 @@ DEPENDENCIES
  warden
  web-console (~> 4.2)
  webmock
  zbase32 (~> 0.1.1)
 BUNDLED WITH
   2.5.5
--- a/README.md
+++ b/README.md
@@ -57,7 +57,7 @@ Running the test suite:
 Running the test suite with Docker Compose requires overriding the Rails
 environment:
-    docker-compose exec -e "RAILS_ENV=test" web rspec
+    docker-compose run -e "RAILS_ENV=test" web rspec
 ### Docker Compose
--- a/app/assets/config/manifest.js
+++ b/app/assets/config/manifest.js
@@ -0,0 +1,4 @@
 //= link_tree ../images
 //= link_tree ../../javascript .js
 //= link_tree ../builds
 //= link_tree ../../../vendor/javascript .js
--- a/app/components/app_catalog/web_app_icon_component.rb
+++ b/app/components/app_catalog/web_app_icon_component.rb
@@ -9,5 +9,13 @@ module AppCatalog
        @image_url = image_url_for(web_app.apple_touch_icon)
      end
    end
    def image_url_for(attachment)
      if Setting.s3_enabled?
        s3_image_url(attachment)
      else
        Rails.application.routes.url_helpers.rails_blob_path(attachment, only_path: true)
      end
    end
  end
 end
--- a/app/controllers/admin/lightning_controller.rb
+++ b/app/controllers/admin/lightning_controller.rb
@@ -4,7 +4,7 @@ class Admin::LightningController < Admin::BaseController
  def index
    @current_section = :lightning
-    @users = User.pluck(:cn, :ou, :lndhub_username)
+    @users = User.pluck(:cn, :ou, :ln_account)
    @accounts = LndhubAccount.with_balances.order(balance: :desc).to_a
    @ln = {}
--- a/app/controllers/admin/settings/registrations_controller.rb
+++ b/app/controllers/admin/settings/registrations_controller.rb
@@ -9,12 +9,4 @@ class Admin::Settings::RegistrationsController < Admin::SettingsController
      success: "Settings saved"
    }
  end
  private
    def setting_params
      params.require(:setting).permit([
        :reserved_usernames, default_services: []
      ])
    end
 end
--- a/app/controllers/admin/settings_controller.rb
+++ b/app/controllers/admin/settings_controller.rb
@@ -9,12 +9,11 @@ class Admin::SettingsController < Admin::BaseController
    changed_keys = []
    setting_params.keys.each do |key|
-      next if clean_param(key).nil? ||
+      next if setting_params[key].nil? ||
-        (Setting.send(key).to_s == clean_param(key))
+              (Setting.send(key).to_s == setting_params[key].strip)
      changed_keys.push(key)
      setting = Setting.new(var: key)
-      setting.value = clean_param(key)
+      setting.value = setting_params[key].strip
      unless setting.valid?
        @errors.merge!(setting.errors)
      end
@@ -25,7 +24,7 @@ class Admin::SettingsController < Admin::BaseController
    end
    changed_keys.each do |key|
-      Setting.send("#{key}=", clean_param(key))
+      Setting.send("#{key}=", setting_params[key].strip)
    end
  end
@@ -38,12 +37,4 @@ class Admin::SettingsController < Admin::BaseController
    def setting_params
      params.require(:setting).permit(Setting.editable_keys.map(&:to_sym))
    end
    def clean_param(key)
      if Setting.get_field(key)[:type] == :string
        setting_params[key].strip
      else
        setting_params[key]
      end
    end
 end
--- a/app/controllers/admin/users_controller.rb
+++ b/app/controllers/admin/users_controller.rb
@@ -22,7 +22,7 @@ class Admin::UsersController < Admin::BaseController
    @services_enabled = @user.services_enabled
-    @ldap_avatar = LdapManager::FetchAvatar.call(cn: @user.cn)
+    @avatar = LdapManager::FetchAvatar.call(cn: @user.cn)
  end
  # POST /admin/users/:username/invitations
@@ -30,7 +30,7 @@ class Admin::UsersController < Admin::BaseController
    amount = params[:amount].to_i
    notify_user = ActiveRecord::Type::Boolean.new.cast(params[:notify_user])
-    UserManager::CreateInvitations.call(user: @user, amount: amount, notify: notify_user)
+    CreateInvitations.call(user: @user, amount: amount, notify: notify_user)
    redirect_to admin_user_path(@user.cn), flash: {
      success: "Added #{amount} invitations to #{@user.cn}'s account"
--- a/app/controllers/avatars_controller.rb
+++ b/app/controllers/avatars_controller.rb
@@ -1,27 +0,0 @@
 class AvatarsController < ApplicationController
  def show
    if user = User.find_by(cn: params[:username])
      http_status :not_found and return unless user.avatar.attached?
      sha256_hash = params[:hash]
      format = params[:format]&.to_sym || :png
      # size = params[:size]&.to_sym || :original
      unless user.avatar.filename.to_s == "#{sha256_hash}.#{format}"
        http_status :not_found and return
      end
      # TODO See note for avatar_variant in user model
      # blob = if size == :original
      #          user.avatar.blob
      #        else
      #          user.avatar_variant(size: size)&.blob
      #        end
      data = user.avatar.blob.download
      send_data data, type: "image/#{format}", disposition: "inline"
    else
      http_status :not_found
    end
  end
 end
--- a/app/controllers/discourse/sso_controller.rb
+++ b/app/controllers/discourse/sso_controller.rb
@@ -8,9 +8,6 @@ class Discourse::SsoController < ApplicationController
    sso.email = current_user.email
    sso.username = current_user.cn
    sso.name = current_user.display_name
    if current_user.avatar.attached?
      sso.avatar_url = helpers.image_url_for(current_user.avatar)
    end
    sso.admin = current_user.is_admin?
    sso.sso_secret = secret
--- a/app/controllers/lnurlpay_controller.rb
+++ b/app/controllers/lnurlpay_controller.rb
@@ -1,7 +1,7 @@
 class LnurlpayController < ApplicationController
  before_action :check_service_available
  before_action :find_user
-  before_action :set_cors_access_control_headers
+  before_action :set_cors_access_control_headers, only: [:invoice]
  MIN_SATS = 10
  MAX_SATS = 1_000_000
@@ -37,7 +37,7 @@ class LnurlpayController < ApplicationController
      pubkey: Setting.lndhub_public_key,
      customData: [{
        customKey: "696969",
-        customValue: @user.lndhub_username
+        customValue: @user.ln_account
      }]
    }
  end
--- a/app/controllers/services/chat_controller.rb
+++ b/app/controllers/services/chat_controller.rb
@@ -3,7 +3,7 @@ class Services::ChatController < Services::BaseController
  before_action :require_service_available
  def show
-    @service_enabled = current_user.service_enabled?(:ejabberd)
+    @service_enabled = current_user.service_enabled?(:xmpp)
  end
  private
--- a/app/controllers/services/lightning_controller.rb
+++ b/app/controllers/services/lightning_controller.rb
@@ -9,7 +9,7 @@ class Services::LightningController < ApplicationController
  before_action :lndhub_fetch_balance
  def index
-    @wallet_setup_url = "lndhub://#{current_user.lndhub_username}:#{current_user.lndhub_password}@#{ENV['LNDHUB_PUBLIC_URL']}"
+    @wallet_setup_url = "lndhub://#{current_user.ln_account}:#{current_user.ln_password}@#{ENV['LNDHUB_PUBLIC_URL']}"
  end
  def transactions
--- a/app/controllers/settings_controller.rb
+++ b/app/controllers/settings_controller.rb
@@ -21,12 +21,10 @@ class SettingsController < ApplicationController
    end
  end
  # PUT /settings/:section
  def update
    @user.preferences.merge!(user_params[:preferences] || {})
    @user.display_name = user_params[:display_name]
-    @user.avatar_new   = user_params[:avatar_new]
+    @user.avatar_new = user_params[:avatar]
    @user.pgp_pubkey   = user_params[:pgp_pubkey]
    if @user.save
      if @user.display_name && (@user.display_name != @user.ldap_entry[:display_name])
@@ -34,16 +32,7 @@ class SettingsController < ApplicationController
      end
      if @user.avatar_new.present?
-        if store_user_avatar
+        LdapManager::UpdateAvatar.call(dn: @user.dn, file: @user.avatar_new)
          LdapManager::UpdateAvatar.call(user: @user)
        else
          @validation_errors = @user.errors
          render :show, status: :unprocessable_entity and return
        end
      end
      if @user.pgp_pubkey && (@user.pgp_pubkey != @user.ldap_entry[:pgp_key])
        UserManager::UpdatePgpKey.call(user: @user)
      end
      redirect_to setting_path(@settings_section), flash: {
@@ -55,7 +44,6 @@ class SettingsController < ApplicationController
    end
  end
  # POST /settings/update_email
  def update_email
    if @user.valid_ldap_authentication?(security_params[:current_password])
      if @user.update email: email_params[:email]
@@ -73,7 +61,6 @@ class SettingsController < ApplicationController
    end
  end
  # POST /settings/reset_email_password
  def reset_email_password
    @user.current_password = security_params[:current_password]
@@ -96,7 +83,6 @@ class SettingsController < ApplicationController
    end
  end
  # POST /settings/reset_password
  def reset_password
    current_user.send_reset_password_instructions
    sign_out current_user
@@ -104,7 +90,6 @@ class SettingsController < ApplicationController
    redirect_to check_your_email_path, notice: msg
  end
  # POST /settings/set_nostr_pubkey
  def set_nostr_pubkey
    signed_event = Nostr::Event.new(**nostr_event_from_params)
@@ -167,8 +152,7 @@ class SettingsController < ApplicationController
    def user_params
      params.require(:user).permit(
-        :display_name, :avatar_new, :pgp_pubkey,
+        :display_name, :avatar, preferences: UserPreferences.pref_keys
        preferences: UserPreferences.pref_keys
      )
    end
@@ -189,40 +173,4 @@ class SettingsController < ApplicationController
      salt = BCrypt::Engine.generate_salt
      BCrypt::Engine.hash_secret(password, salt)
    end
    def store_user_avatar
      io = @user.avatar_new.tempfile
      img_data = process_avatar(io)
      tempfile = Tempfile.create
      tempfile.binmode
      tempfile.write(img_data)
      tempfile.rewind
      hash = Digest::SHA256.hexdigest(img_data)
      ext = @user.avatar_new.content_type == "image/png" ? "png" : "jpg"
      filename = "#{hash}.#{ext}"
      if filename == @user.avatar.filename.to_s
        @user.errors.add(:avatar, "must be a new file/picture")
        false
      else
        key = "users/#{@user.cn}/avatars/#{filename}"
        @user.avatar.attach io: tempfile, key: key, filename: filename
        @user.save
      end
    end
    def process_avatar(io)
      processed = ImageProcessing::Vips
        .source(io)
        .resize_to_fill(400, 400)
        .saver(strip: true)
        .call
      io.rewind
      processed.read
    rescue Vips::Error => e
      Sentry.capture_exception(e) if Setting.sentry_enabled?
      Rails.logger.error { "Image processing failed for avatar: #{e.message}" }
      nil
    end
 end
--- a/app/controllers/signup_controller.rb
+++ b/app/controllers/signup_controller.rb
@@ -96,7 +96,7 @@ class SignupController < ApplicationController
    session[:new_user] = nil
    session[:validation_error] = nil
-    UserManager::CreateAccount.call(account: {
+    CreateAccount.call(account: {
      username: @user.cn,
      domain: Setting.primary_domain,
      email: @user.email,
--- a/app/controllers/web_key_directory_controller.rb
+++ b/app/controllers/web_key_directory_controller.rb
@@ -1,35 +0,0 @@
 class WebKeyDirectoryController < WellKnownController
  before_action :allow_cross_origin_requests
  # /.well-known/openpgpkey/hu/:hashed_username(.txt)
  def show
    @user = User.find_by(cn: params[:l].downcase)
    if @user.nil? ||
       @user.pgp_pubkey.blank? ||
       !@user.pgp_pubkey_contains_user_address?
      http_status :not_found and return
    end
    if params[:hashed_username] != @user.wkd_hash
      http_status :unprocessable_entity and return
    end
    respond_to do |format|
      format.text do
        response.headers['Content-Type'] = 'text/plain'
        render plain: @user.pgp_pubkey
      end
      format.any do
        key = @user.gnupg_key.export
        send_data key, filename: "#{@user.wkd_hash}.pem",
                       type: "application/octet-stream"
      end
    end
  end
  def policy
    head :ok
  end
 end
--- a/app/controllers/webfinger_controller.rb
+++ b/app/controllers/webfinger_controller.rb
@@ -1,6 +1,8 @@
-class WebfingerController < WellKnownController
+class WebfingerController < ApplicationController
  before_action :allow_cross_origin_requests, only: [:show]
  layout false
  def show
    resource = params[:resource]
@@ -33,10 +35,6 @@ class WebfingerController < WellKnownController
      links: []
    }
    if @user.avatar.attached?
      jrd[:links] += avatar_link
    end
    if Setting.mastodon_enabled && @user.service_enabled?(:mastodon)
      # https://docs.joinmastodon.org/spec/webfinger/
      jrd[:aliases] += mastodon_aliases
@@ -51,16 +49,6 @@ class WebfingerController < WellKnownController
    jrd
  end
  def avatar_link
    [
      {
        rel: "http://webfinger.net/rel/avatar",
        type: @user.avatar.content_type,
        href: helpers.image_url_for(@user.avatar)
      }
    ]
  end
  def mastodon_aliases
    [
      "#{Setting.mastodon_public_url}/@#{@user.cn}",
@@ -88,7 +76,7 @@ class WebfingerController < WellKnownController
  end
  def remotestorage_link
-    auth_url = new_rs_oauth_url(@username, host: Setting.rs_accounts_domain)
+    auth_url = new_rs_oauth_url(@username)
    storage_url = "#{Setting.rs_storage_url}/#{@username}"
    {
@@ -103,4 +91,10 @@ class WebfingerController < WellKnownController
      }
    }
  end
  def allow_cross_origin_requests
    return unless Rails.env.development?
    headers['Access-Control-Allow-Origin'] = "*"
    headers['Access-Control-Allow-Methods'] = "GET"
  end
 end
--- a/app/controllers/webhooks_controller.rb
+++ b/app/controllers/webhooks_controller.rb
@@ -5,7 +5,7 @@ class WebhooksController < ApplicationController
  before_action :process_payload
  def lndhub
-    @user = User.find_by!(lndhub_username: @payload[:user_login])
+    @user = User.find_by!(ln_account: @payload[:user_login])
    if @zap = @user.zaps.find_by(payment_request: @payload[:payment_request])
      settled_at = Time.parse(@payload[:settled_at])
--- a/app/controllers/well_known_controller.rb
+++ b/app/controllers/well_known_controller.rb
@@ -1,8 +1,5 @@
 class WellKnownController < ApplicationController
  before_action :require_nostr_enabled, only: [ :nostr ]
  before_action :allow_cross_origin_requests, only: [ :nostr ]
  layout false
  def nostr
    http_status :unprocessable_entity and return if params[:name].blank?
@@ -10,14 +7,8 @@ class WellKnownController < ApplicationController
    relay_url = Setting.nostr_relay_url.presence
    if params[:name] == "_"
-      if domain == Setting.primary_domain
+      # pubkey for the primary domain without a username (e.g. kosmos.org)
-        # pubkey for the primary domain without a username (e.g. kosmos.org)
+      res = { names: { "_": Setting.nostr_public_key } }
        res = { names: { "_": Setting.nostr_public_key_primary_domain.presence || Setting.nostr_public_key } }
      else
        # pubkey for the akkounts domain without a username (e.g. accounts.kosmos.org)
        res = { names: { "_": Setting.nostr_public_key } }
      end
      res[:relays] = { "_" => [ relay_url ] } if relay_url
    else
      @user = User.where(cn: params[:name], ou: domain).first
@@ -39,9 +30,4 @@ class WellKnownController < ApplicationController
    def require_nostr_enabled
      http_status :not_found unless Setting.nostr_enabled?
    end
    def allow_cross_origin_requests
      headers['Access-Control-Allow-Origin'] = "*"
      headers['Access-Control-Allow-Methods'] = "GET"
    end
 end
--- a/app/helpers/application_helper.rb
+++ b/app/helpers/application_helper.rb
@@ -14,19 +14,4 @@ module ApplicationHelper
  def badge(text, color)
    tag.span text, class: "inline-flex items-center rounded-full bg-#{color}-100 px-2.5 py-0.5 text-xs font-medium text-#{color}-800"
  end
  def image_url_for(attachment)
    return s3_image_url(attachment) if Setting.s3_enabled?
    if attachment.record.is_a?(User) && attachment.name == "avatar"
      hash, format = attachment.blob.filename.to_s.split(".", 2)
      user_avatar_url(
        username: attachment.record.cn,
        hash: hash,
        format: format
      )
    else
      Rails.application.routes.url_helpers.rails_blob_path(attachment, only_path: true)
    end
  end
 end
--- a/app/helpers/dashboard_helper.rb
+++ b/app/helpers/dashboard_helper.rb
@@ -0,0 +1,2 @@
 module DashboardHelper
 end
--- a/app/helpers/donations_helper.rb
+++ b/app/helpers/donations_helper.rb
@@ -0,0 +1,2 @@
 module DonationsHelper
 end
--- a/app/helpers/invitations_helper.rb
+++ b/app/helpers/invitations_helper.rb
@@ -0,0 +1,2 @@
 module InvitationsHelper
 end
--- a/app/helpers/lnurlpay_helper.rb
+++ b/app/helpers/lnurlpay_helper.rb
@@ -0,0 +1,2 @@
 module LnurlpayHelper
 end
--- a/app/helpers/services_helper.rb
+++ b/app/helpers/services_helper.rb
@@ -1,12 +0,0 @@
 module ServicesHelper
  def service_human_name(key, category = :external)
    SERVICES[category][key][:name] || key.to_s
  end
  def service_display_name(key, category = :external)
    SERVICES[category][key][:display_name] ||
    service_human_name(key, category)
  end
 end
--- a/app/helpers/settings_helper.rb
+++ b/app/helpers/settings_helper.rb
@@ -0,0 +1,2 @@
 module SettingsHelper
 end
--- a/app/helpers/signup_helper.rb
+++ b/app/helpers/signup_helper.rb
@@ -0,0 +1,2 @@
 module SignupHelper
 end
--- a/app/helpers/users_helper.rb
+++ b/app/helpers/users_helper.rb
@@ -0,0 +1,2 @@
 module UsersHelper
 end
--- a/app/helpers/wallet_helper.rb
+++ b/app/helpers/wallet_helper.rb
@@ -0,0 +1,2 @@
 module WalletHelper
 end
--- a/app/helpers/welcome_helper.rb
+++ b/app/helpers/welcome_helper.rb
@@ -0,0 +1,2 @@
 module WelcomeHelper
 end
--- a/app/jobs/create_ldap_user_job.rb
+++ b/app/jobs/create_ldap_user_job.rb
@@ -4,7 +4,7 @@ class CreateLdapUserJob < ApplicationJob
  def perform(username:, domain:, email:, hashed_pw:, confirmed: false)
    dn = "cn=#{username},ou=#{domain},cn=users,dc=kosmos,dc=org"
    attr = {
-      objectclass: ["top", "account", "person", "inetOrgPerson", "extensibleObject"],
+      objectclass: ["top", "account", "person", "extensibleObject"],
      cn: username,
      sn: username,
      uid: username,
--- a/app/jobs/create_lndhub_account_job.rb
+++ b/app/jobs/create_lndhub_account_job.rb
@@ -2,12 +2,12 @@ class CreateLndhubAccountJob < ApplicationJob
  queue_as :default
  def perform(user)
-    return if user.lndhub_username.present? && user.lndhub_password.present?
+    return if user.ln_account.present? && user.ln_password.present?
    lndhub = LndhubV2.new
    credentials = lndhub.create_account
-    user.update! lndhub_username: credentials["login"],
+    user.update! ln_account: credentials["login"],
-                 lndhub_password: credentials["password"]
+                 ln_password: credentials["password"]
  end
 end
--- a/app/jobs/remote_storage_expire_authorization_job.rb
+++ b/app/jobs/remote_storage_expire_authorization_job.rb
@@ -3,6 +3,8 @@ class RemoteStorageExpireAuthorizationJob < ApplicationJob
  def perform(rs_auth_id)
    rs_auth = RemoteStorageAuthorization.find rs_auth_id
    return unless rs_auth.expire_at.nil? || rs_auth.expire_at <= DateTime.now
    rs_auth.destroy!
  end
 end
--- a/app/jobs/xmpp_exchange_contacts_job.rb
+++ b/app/jobs/xmpp_exchange_contacts_job.rb
@@ -2,8 +2,8 @@ class XmppExchangeContactsJob < ApplicationJob
  queue_as :default
  def perform(inviter, invitee)
-    return unless inviter.service_enabled?(:ejabberd) &&
+    return unless inviter.service_enabled?(:xmpp) &&
-                  invitee.service_enabled?(:ejabberd) &&
+                  invitee.service_enabled?(:xmpp) &&
                  inviter.preferences[:xmpp_exchange_contacts_with_invitees]
    ejabberd = EjabberdApiClient.new
--- a/app/mailers/application_mailer.rb
+++ b/app/mailers/application_mailer.rb
@@ -1,90 +1,3 @@
 class ApplicationMailer < ActionMailer::Base
  default Rails.application.config.action_mailer.default_options
  layout 'mailer'
  private
    def send_mail
      @template ||= "#{self.class.name.underscore}/#{caller[0][/`([^']*)'/, 1]}"
      headers['Message-ID'] = message_id
      if @user.pgp_pubkey.present?
        mail(to: @user.email, subject: "...", content_type: pgp_content_type) do |format|
          format.text { render plain: pgp_content }
        end
      else
        mail(to: @user.email, subject: @subject) do |format|
          format.text { render @template }
        end
      end
    end
    def from_address
      self.class.default[:from]
    end
    def from_domain
      Mail::Address.new(from_address).domain
    end
    def message_id
      @message_id ||= "#{SecureRandom.uuid}@#{from_domain}"
    end
    def boundary
      @boundary ||= SecureRandom.hex(8)
    end
    def pgp_content_type
      "multipart/encrypted; protocol=\"application/pgp-encrypted\"; boundary=\"------------#{boundary}\""
    end
    def pgp_nested_content
      message_content = render_to_string(template: @template)
      message_content_base64 = Base64.encode64(message_content)
      nested_boundary = SecureRandom.hex(8)
      <<~NESTED_CONTENT
        Content-Type: multipart/mixed; boundary="------------#{nested_boundary}"; protected-headers="v1"
        Subject: #{@subject}
        From: <#{from_address}>
        To: #{@user.display_name || @user.cn} <#{@user.email}>
        Message-ID: <#{message_id}>
        --------------#{nested_boundary}
        Content-Type: text/plain; charset=UTF-8; format=flowed
        Content-Transfer-Encoding: base64
        #{message_content_base64}
        --------------#{nested_boundary}--
      NESTED_CONTENT
    end
    def pgp_content
      encrypted_content = UserManager::PgpEncrypt.call(user: @user, text: pgp_nested_content)
      encrypted_base64 = Base64.encode64(encrypted_content.to_s)
      <<~EMAIL_CONTENT
        This is an OpenPGP/MIME encrypted message (RFC 4880 and 3156)
        --------------#{boundary}
        Content-Type: application/pgp-encrypted
        Content-Description: PGP/MIME version identification
        Version: 1
        --------------#{boundary}
        Content-Type: application/octet-stream; name="encrypted.asc"
        Content-Description: OpenPGP encrypted message
        Content-Disposition: inline; filename="encrypted.asc"
        -----BEGIN PGP MESSAGE-----
        #{encrypted_base64}
        -----END PGP MESSAGE-----
        --------------#{boundary}--
      EMAIL_CONTENT
    end
 end
--- a/app/mailers/custom_mailer.rb
+++ b/app/mailers/custom_mailer.rb
@@ -18,6 +18,6 @@ class CustomMailer < ApplicationMailer
    @user = params[:user]
    @subject = params[:subject]
    @body = params[:body]
-    send_mail
+    mail(to: @user.email, subject: @subject)
  end
 end
--- a/app/mailers/notification_mailer.rb
+++ b/app/mailers/notification_mailer.rb
@@ -3,7 +3,7 @@ class NotificationMailer < ApplicationMailer
    @user = params[:user]
    @amount_sats = params[:amount_sats]
    @subject = "Sats received"
-    send_mail
+    mail to: @user.email, subject: @subject
  end
  def remotestorage_auth_created
@@ -15,19 +15,19 @@ class NotificationMailer < ApplicationMailer
      "#{access} #{directory}"
    end
    @subject = "New app connected to your storage"
-    send_mail
+    mail to: @user.email, subject: @subject
  end
  def new_invitations_available
    @user = params[:user]
    @subject = "New invitations added to your account"
-    send_mail
+    mail to: @user.email, subject: @subject
  end
  def bitcoin_donation_confirmed
    @user = params[:user]
    @donation = params[:donation]
    @subject = "Donation confirmed"
-    send_mail
+    mail to: @user.email, subject: @subject
  end
 end
--- a/app/models/concerns/settings/btcpay_settings.rb
+++ b/app/models/concerns/settings/btcpay_settings.rb
@@ -1,24 +0,0 @@
 module Settings
  module BtcpaySettings
    extend ActiveSupport::Concern
    included do
      field :btcpay_api_url, type: :string,
        default: ENV["BTCPAY_API_URL"].presence
      field :btcpay_enabled, type: :boolean,
        default: ENV["BTCPAY_API_URL"].present?
      field :btcpay_public_url, type: :string,
        default: ENV["BTCPAY_PUBLIC_URL"].presence
      field :btcpay_store_id, type: :string,
        default: ENV["BTCPAY_STORE_ID"].presence
      field :btcpay_auth_token, type: :string,
        default: ENV["BTCPAY_AUTH_TOKEN"].presence
      field :btcpay_publish_wallet_balances, type: :boolean, default: true
    end
  end
 end
--- a/app/models/concerns/settings/discourse_settings.rb
+++ b/app/models/concerns/settings/discourse_settings.rb
@@ -1,16 +0,0 @@
 module Settings
  module DiscourseSettings
    extend ActiveSupport::Concern
    included do
      field :discourse_public_url, type: :string,
        default: ENV["DISCOURSE_PUBLIC_URL"].presence
      field :discourse_enabled, type: :boolean,
        default: ENV["DISCOURSE_PUBLIC_URL"].present?
      field :discourse_connect_secret, type: :string,
        default: ENV["DISCOURSE_CONNECT_SECRET"].presence
    end
  end
 end
--- a/app/models/concerns/settings/drone_ci_settings.rb
+++ b/app/models/concerns/settings/drone_ci_settings.rb
@@ -1,13 +0,0 @@
 module Settings
  module DroneCiSettings
    extend ActiveSupport::Concern
    included do
      field :droneci_public_url, type: :string,
        default: ENV["DRONECI_PUBLIC_URL"].presence
      field :droneci_enabled, type: :boolean,
        default: ENV["DRONECI_PUBLIC_URL"].present?
    end
  end
 end
--- a/app/models/concerns/settings/ejabberd_settings.rb
+++ b/app/models/concerns/settings/ejabberd_settings.rb
@@ -1,19 +0,0 @@
 module Settings
  module EjabberdSettings
    extend ActiveSupport::Concern
    included do
      field :ejabberd_enabled, type: :boolean,
        default: ENV["EJABBERD_API_URL"].present?
      field :ejabberd_api_url, type: :string,
        default: ENV["EJABBERD_API_URL"].presence
      field :ejabberd_admin_url, type: :string,
        default: ENV["EJABBERD_ADMIN_URL"].presence
      field :ejabberd_buddy_roster, type: :string,
        default: "Buddies"
    end
  end
 end
--- a/app/models/concerns/settings/email_settings.rb
+++ b/app/models/concerns/settings/email_settings.rb
@@ -1,28 +0,0 @@
 module Settings
  module EmailSettings
    extend ActiveSupport::Concern
    included do
      field :email_enabled, type: :boolean,
        default: ENV["EMAIL_SMTP_HOST"].present?
      # field :email_smtp_host, type: :string,
      #   default: ENV["EMAIL_SMTP_HOST"].presence
      #
      # field :email_smtp_port, type: :string,
      #   default: ENV["EMAIL_SMTP_PORT"].presence || 587
      #
      # field :email_smtp_enable_starttls, type: :string,
      #   default: ENV["EMAIL_SMTP_PORT"].presence || true
      #
      # field :email_auth_method, type: :string,
      #   default: ENV["EMAIL_AUTH_METHOD"].presence || "plain"
      #
      # field :email_imap_host, type: :string,
      #   default: ENV["EMAIL_IMAP_HOST"].presence
      #
      # field :email_imap_port, type: :string,
      #   default: ENV["EMAIL_IMAP_PORT"].presence || 993
    end
  end
 end
--- a/app/models/concerns/settings/general_settings.rb
+++ b/app/models/concerns/settings/general_settings.rb
@@ -1,34 +0,0 @@
 module Settings
  module GeneralSettings
    extend ActiveSupport::Concern
    included do
      field :primary_domain, type: :string,
        default: ENV["PRIMARY_DOMAIN"].presence
      field :accounts_domain, type: :string,
        default: ENV["AKKOUNTS_DOMAIN"].presence
      #
      # Internal services
      #
      field :redis_url, type: :string,
        default: ENV["REDIS_URL"] || "redis://localhost:6379/0"
      field :s3_enabled, type: :boolean,
        default: ENV["S3_ENABLED"] && ENV["S3_ENABLED"].to_s != "false"
      field :sentry_enabled, type: :boolean, readonly: true,
        default: ENV["SENTRY_DSN"].present?
      #
      # Registrations
      #
      field :reserved_usernames, type: :array, default: %w[
        account accounts donations mail webmaster support
      ]
    end
  end
 end
--- a/app/models/concerns/settings/gitea_settings.rb
+++ b/app/models/concerns/settings/gitea_settings.rb
@@ -1,13 +0,0 @@
 module Settings
  module GiteaSettings
    extend ActiveSupport::Concern
    included do
      field :gitea_public_url, type: :string,
        default: ENV["GITEA_PUBLIC_URL"].presence
      field :gitea_enabled, type: :boolean,
        default: ENV["GITEA_PUBLIC_URL"].present?
    end
  end
 end
--- a/app/models/concerns/settings/lightning_network_settings.rb
+++ b/app/models/concerns/settings/lightning_network_settings.rb
@@ -1,25 +0,0 @@
 module Settings
  module LightningNetworkSettings
    extend ActiveSupport::Concern
    included do
      field :lndhub_api_url, type: :string,
        default: ENV["LNDHUB_API_URL"].presence
      field :lndhub_enabled, type: :boolean,
        default: ENV["LNDHUB_API_URL"].present?
      field :lndhub_admin_token, type: :string,
        default: ENV["LNDHUB_ADMIN_TOKEN"].presence
      field :lndhub_admin_enabled, type: :boolean,
        default: ENV["LNDHUB_ADMIN_UI"] || false
      field :lndhub_public_key, type: :string,
        default: (ENV["LNDHUB_PUBLIC_KEY"] || "")
      field :lndhub_keysend_enabled, type: :boolean,
        default: -> { self.lndhub_public_key.present? }
    end
  end
 end
--- a/app/models/concerns/settings/mastodon_settings.rb
+++ b/app/models/concerns/settings/mastodon_settings.rb
@@ -1,16 +0,0 @@
 module Settings
  module MastodonSettings
    extend ActiveSupport::Concern
    included do
      field :mastodon_public_url, type: :string,
        default: ENV["MASTODON_PUBLIC_URL"].presence
      field :mastodon_enabled, type: :boolean,
        default: ENV["MASTODON_PUBLIC_URL"].present?
      field :mastodon_address_domain, type: :string,
        default: ENV["MASTODON_ADDRESS_DOMAIN"].presence || self.primary_domain
    end
  end
 end
--- a/app/models/concerns/settings/media_wiki_settings.rb
+++ b/app/models/concerns/settings/media_wiki_settings.rb
@@ -1,13 +0,0 @@
 module Settings
  module MediaWikiSettings
    extend ActiveSupport::Concern
    included do
      field :mediawiki_public_url, type: :string,
        default: ENV["MEDIAWIKI_PUBLIC_URL"].presence
      field :mediawiki_enabled, type: :boolean,
        default: ENV["MEDIAWIKI_PUBLIC_URL"].present?
    end
  end
 end
--- a/app/models/concerns/settings/nostr_settings.rb
+++ b/app/models/concerns/settings/nostr_settings.rb
@@ -1,25 +0,0 @@
 module Settings
  module NostrSettings
    extend ActiveSupport::Concern
    included do
      field :nostr_enabled, type: :boolean,
        default: ENV["NOSTR_PRIVATE_KEY"].present?
      field :nostr_private_key, type: :string,
        default: ENV["NOSTR_PRIVATE_KEY"].presence
      field :nostr_public_key, type: :string,
        default: ENV["NOSTR_PUBLIC_KEY"].presence
      field :nostr_public_key_primary_domain, type: :string,
        default: ENV["NOSTR_PUBLIC_KEY_PRIMARY_DOMAIN"].presence
      field :nostr_relay_url, type: :string,
        default: ENV["NOSTR_RELAY_URL"].presence
      field :nostr_zaps_relay_limit, type: :integer,
        default: 12
    end
  end
 end
--- a/app/models/concerns/settings/open_collective_settings.rb
+++ b/app/models/concerns/settings/open_collective_settings.rb
@@ -1,9 +0,0 @@
 module Settings
  module OpenCollectiveSettings
    extend ActiveSupport::Concern
    included do
      field :opencollective_enabled, type: :boolean, default: true
    end
  end
 end
--- a/app/models/concerns/settings/remote_storage_settings.rb
+++ b/app/models/concerns/settings/remote_storage_settings.rb
@@ -1,19 +0,0 @@
 module Settings
  module RemoteStorageSettings
    extend ActiveSupport::Concern
    included do
      field :remotestorage_enabled, type: :boolean,
        default: ENV["RS_STORAGE_URL"].present?
      field :rs_accounts_domain, type: :string,
        default: ENV["RS_AKKOUNTS_DOMAIN"] || ENV["AKKOUNTS_DOMAIN"]
      field :rs_storage_url, type: :string,
        default: ENV["RS_STORAGE_URL"].presence
      field :rs_redis_url, type: :string,
        default: ENV["RS_REDIS_URL"] || "redis://localhost:6379/1"
    end
  end
 end
--- a/app/models/concerns/settings/xmpp_settings.rb
+++ b/app/models/concerns/settings/xmpp_settings.rb
@@ -1,11 +0,0 @@
 module Settings
  module XmppSettings
    extend ActiveSupport::Concern
    included do
      field :xmpp_default_rooms, type: :array, default: []
      field :xmpp_autojoin_default_rooms, type: :boolean, default: false
      field :xmpp_notifications_from_address, type: :string, default: primary_domain
    end
  end
 end
--- a/app/models/lndhub_user.rb
+++ b/app/models/lndhub_user.rb
@@ -6,7 +6,7 @@ class LndhubUser < LndhubBase
                      foreign_key: "user_id"
  belongs_to :user, class_name: "User",
-                    primary_key: "lndhub_username",
+                    primary_key: "ln_account",
                    foreign_key: "login"
  def balance
--- a/app/models/remote_storage_authorization.rb
+++ b/app/models/remote_storage_authorization.rb
@@ -2,7 +2,7 @@ class RemoteStorageAuthorization < ApplicationRecord
  belongs_to :user
  belongs_to :web_app, class_name: "AppCatalog::WebApp", optional: true
-  serialize :permissions, coder: YAML unless Rails.env.production?
+  serialize :permissions unless Rails.env.production?
  validates_presence_of :permissions
  validates_presence_of :client_id
@@ -69,19 +69,11 @@ class RemoteStorageAuthorization < ApplicationRecord
    end
    def remove_token_expiry_job
-      job_class = RemoteStorageExpireAuthorizationJob
+      queue = Sidekiq::Queue.new(RemoteStorageExpireAuthorizationJob.queue_name)
-      job_args = [id]
+      queue.each do |job|
-
+        next unless job.display_class == "RemoteStorageExpireAuthorizationJob"
-      query = SolidQueue::Job.where(class_name: job_class.to_s)
+        job.delete if job.display_args == [id]
-
+      end
      case ActiveRecord::Base.connection.adapter_name.downcase
      when /sqlite/
        query.where("json_extract(arguments, '$.arguments') = ?", job_args.to_json)
      when /postgres/
        query.where("CAST(arguments AS jsonb)->>'arguments' = ?", job_args.to_json)
      else
        raise "Unsupported database adapter"
      end.destroy_all
    end
    def find_or_create_web_app
--- a/app/models/setting.rb
+++ b/app/models/setting.rb
@@ -2,30 +2,226 @@
 class Setting < RailsSettings::Base
  cache_prefix { "v1" }
-  Dir[Rails.root.join('app', 'models', 'concerns', 'settings', '*.rb')].each do |file|
+  field :primary_domain, type: :string,
-    require file
+    default: ENV["PRIMARY_DOMAIN"].presence
  field :accounts_domain, type: :string,
    default: ENV["AKKOUNTS_DOMAIN"].presence
  #
  # Internal services
  #
  field :redis_url, type: :string,
    default: ENV["REDIS_URL"] || "redis://localhost:6379/0"
  field :s3_enabled, type: :boolean,
    default: ENV["S3_ENABLED"] && ENV["S3_ENABLED"].to_s != "false"
  #
  # Registrations
  #
  field :reserved_usernames, type: :array, default: %w[
    account accounts donations mail webmaster support
  ]
  #
  # XMPP
  #
  field :xmpp_default_rooms, type: :array, default: []
  field :xmpp_autojoin_default_rooms, type: :boolean, default: false
  field :xmpp_notifications_from_address, type: :string, default: primary_domain
  #
  # Sentry
  #
  field :sentry_enabled, type: :boolean, readonly: true,
    default: ENV["SENTRY_DSN"].present?
  #
  # BTCPay Server
  #
  field :btcpay_api_url, type: :string,
    default: ENV["BTCPAY_API_URL"].presence
  field :btcpay_enabled, type: :boolean,
    default: ENV["BTCPAY_API_URL"].present?
  field :btcpay_public_url, type: :string,
    default: ENV["BTCPAY_PUBLIC_URL"].presence
  field :btcpay_store_id, type: :string,
    default: ENV["BTCPAY_STORE_ID"].presence
  field :btcpay_auth_token, type: :string,
    default: ENV["BTCPAY_AUTH_TOKEN"].presence
  field :btcpay_publish_wallet_balances, type: :boolean, default: true
  #
  # Discourse
  #
  field :discourse_public_url, type: :string,
    default: ENV["DISCOURSE_PUBLIC_URL"].presence
  field :discourse_enabled, type: :boolean,
    default: ENV["DISCOURSE_PUBLIC_URL"].present?
  field :discourse_connect_secret, type: :string,
    default: ENV["DISCOURSE_CONNECT_SECRET"].presence
  #
  # Drone CI
  #
  field :droneci_public_url, type: :string,
    default: ENV["DRONECI_PUBLIC_URL"].presence
  field :droneci_enabled, type: :boolean,
    default: ENV["DRONECI_PUBLIC_URL"].present?
  #
  # ejabberd
  #
  field :ejabberd_enabled, type: :boolean,
    default: ENV["EJABBERD_API_URL"].present?
  field :ejabberd_api_url, type: :string,
    default: ENV["EJABBERD_API_URL"].presence
  field :ejabberd_admin_url, type: :string,
    default: ENV["EJABBERD_ADMIN_URL"].presence
  field :ejabberd_buddy_roster, type: :string,
    default: "Buddies"
  #
  # Gitea
  #
  field :gitea_public_url, type: :string,
    default: ENV["GITEA_PUBLIC_URL"].presence
  field :gitea_enabled, type: :boolean,
    default: ENV["GITEA_PUBLIC_URL"].present?
  #
  # Lightning Network
  #
  field :lndhub_api_url, type: :string,
    default: ENV["LNDHUB_API_URL"].presence
  field :lndhub_enabled, type: :boolean,
    default: ENV["LNDHUB_API_URL"].present?
  field :lndhub_admin_token, type: :string,
    default: ENV["LNDHUB_ADMIN_TOKEN"].presence
  field :lndhub_admin_enabled, type: :boolean,
    default: ENV["LNDHUB_ADMIN_UI"] || false
  field :lndhub_public_key, type: :string,
    default: (ENV["LNDHUB_PUBLIC_KEY"] || "")
  field :lndhub_keysend_enabled, type: :boolean,
    default: -> { self.lndhub_public_key.present? }
  #
  # Mastodon
  #
  field :mastodon_public_url, type: :string,
    default: ENV["MASTODON_PUBLIC_URL"].presence
  field :mastodon_enabled, type: :boolean,
    default: ENV["MASTODON_PUBLIC_URL"].present?
  field :mastodon_address_domain, type: :string,
    default: ENV["MASTODON_ADDRESS_DOMAIN"].presence || self.primary_domain
  #
  # MediaWiki
  #
  field :mediawiki_public_url, type: :string,
    default: ENV["MEDIAWIKI_PUBLIC_URL"].presence
  field :mediawiki_enabled, type: :boolean,
    default: ENV["MEDIAWIKI_PUBLIC_URL"].present?
  #
  # Nostr
  #
  field :nostr_enabled, type: :boolean,
    default: ENV["NOSTR_PRIVATE_KEY"].present?
  field :nostr_private_key, type: :string,
    default: ENV["NOSTR_PRIVATE_KEY"].presence
  field :nostr_public_key, type: :string,
    default: ENV["NOSTR_PUBLIC_KEY"].presence
  field :nostr_relay_url, type: :string,
    default: ENV["NOSTR_RELAY_URL"].presence
  field :nostr_zaps_relay_limit, type: :integer,
    default: 12
  #
  # OpenCollective
  #
  field :opencollective_enabled, type: :boolean, default: true
  #
  # RemoteStorage
  #
  field :remotestorage_enabled, type: :boolean,
    default: ENV["RS_STORAGE_URL"].present?
  field :rs_storage_url, type: :string,
    default: ENV["RS_STORAGE_URL"].presence
  field :rs_redis_url, type: :string,
    default: ENV["RS_REDIS_URL"] || "redis://localhost:6379/1"
  #
  # E-Mail Service
  #
  field :email_enabled, type: :boolean,
    default: ENV["EMAIL_SMTP_HOST"].present?
  # field :email_smtp_host, type: :string,
  #   default: ENV["EMAIL_SMTP_HOST"].presence
  #
  # field :email_smtp_port, type: :string,
  #   default: ENV["EMAIL_SMTP_PORT"].presence || 587
  #
  # field :email_smtp_enable_starttls, type: :string,
  #   default: ENV["EMAIL_SMTP_PORT"].presence || true
  #
  # field :email_auth_method, type: :string,
  #   default: ENV["EMAIL_AUTH_METHOD"].presence || "plain"
  #
  # field :email_imap_host, type: :string,
  #   default: ENV["EMAIL_IMAP_HOST"].presence
  #
  # field :email_imap_port, type: :string,
  #   default: ENV["EMAIL_IMAP_PORT"].presence || 993
  def self.default_services
    # TODO Make configurable from respective service settings page
    %w[ discourse gitea mastodon mediawiki xmpp ]
  end
  include Settings::GeneralSettings
  include Settings::BtcpaySettings
  include Settings::DiscourseSettings
  include Settings::DroneCiSettings
  include Settings::EjabberdSettings
  include Settings::EmailSettings
  include Settings::GiteaSettings
  include Settings::LightningNetworkSettings
  include Settings::MastodonSettings
  include Settings::MediaWikiSettings
  include Settings::NostrSettings
  include Settings::OpenCollectiveSettings
  include Settings::RemoteStorageSettings
  include Settings::XmppSettings
  def self.available_services
    known_services = SERVICES[:external].keys
    known_services.select {|s| Setting.send "#{s}_enabled?" }
  end
  field :default_services, type: :array,
    default: self.available_services
 end
--- a/app/models/user.rb
+++ b/app/models/user.rb
@@ -3,10 +3,9 @@ require 'nostr'
 class User < ApplicationRecord
  include EmailValidatable
  attr_accessor :current_password
  attr_accessor :display_name
  attr_accessor :avatar_new
-  attr_accessor :pgp_pubkey
+  attr_accessor :current_password
  serialize :preferences, coder: UserPreferences
@@ -23,16 +22,10 @@ class User < ApplicationRecord
  has_many :zaps
  has_one  :lndhub_user, class_name: "LndhubUser", inverse_of: "user",
-                         primary_key: "lndhub_username", foreign_key: "login"
+                         primary_key: "ln_account", foreign_key: "login"
  has_many :accounts, through: :lndhub_user
  #
  # Attachments
  #
  has_one_attached :avatar
  #
  # Validations
  #
@@ -56,11 +49,8 @@ class User < ApplicationRecord
  validates_length_of :display_name, minimum: 3, maximum: 35, allow_blank: true,
                                     if: -> { defined?(@display_name) }
  validate :acceptable_avatar
  validate :acceptable_pgp_key_format, if: -> { defined?(@pgp_pubkey) && @pgp_pubkey.present? }
  #
  # Scopes
  #
@@ -73,7 +63,7 @@ class User < ApplicationRecord
  # Encrypted database columns
  #
-  encrypts :lndhub_password
+  has_encrypted :ln_login, :ln_password
  # Include default devise modules. Others available are:
  # :confirmable, :lockable, :timeoutable, :trackable and :omniauthable
@@ -84,10 +74,6 @@ class User < ApplicationRecord
         :timeoutable,
         :rememberable
  #
  # Methods
  #
  def ldap_before_save
    self.email = Devise::LDAP::Adapter.get_ldap_param(self.cn, "mail").first
    self.ou    = dn.split(',')
@@ -170,20 +156,6 @@ class User < ApplicationRecord
    @display_name ||= ldap_entry[:display_name]
  end
  # TODO Variant keys are currently broken for some reason
  # (They use the same key as the main blob, when it should be
  # "/variants/#{key)"
  # def avatar_variant(size: :medium)
  #   dimensions = case size
  #                when :large  then [400, 400]
  #                when :medium then [256, 256]
  #                when :small  then [64, 64]
  #                else [256, 256]
  #                end
  #   format = avatar.content_type == "image/png" ? :png : :jpeg
  #   avatar.variant(resize_to_fill: dimensions, format: format)
  # end
  def nostr_pubkey
    @nostr_pubkey ||= ldap_entry[:nostr_key]
  end
@@ -193,22 +165,8 @@ class User < ApplicationRecord
    Nostr::PublicKey.new(nostr_pubkey).to_bech32
  end
-  def pgp_pubkey
+  def avatar
-    @pgp_pubkey ||= ldap_entry[:pgp_key]
+    @avatar_base64 ||= LdapManager::FetchAvatar.call(cn: cn)
  end
  def gnupg_key
    return nil unless pgp_pubkey.present?
    GPGME::Key.import(pgp_pubkey)
    GPGME::Key.get(pgp_fpr)
  end
  def pgp_pubkey_contains_user_address?
    gnupg_key.uids.map(&:email).include?(address)
  end
  def wkd_hash
    ZBase32.encode(Digest::SHA1.digest(cn))
  end
  def services_enabled
@@ -222,14 +180,14 @@ class User < ApplicationRecord
  def enable_service(service)
    current_services = services_enabled
    new_services = Array(service).map(&:to_s)
-    services = (current_services + new_services).uniq.sort
+    services = (current_services + new_services).uniq
    ldap.replace_attribute(dn, :serviceEnabled, services)
  end
  def disable_service(service)
    current_services = services_enabled
    disabled_services = Array(service).map(&:to_s)
-    services = (current_services - disabled_services).uniq.sort
+    services = (current_services - disabled_services).uniq
    ldap.replace_attribute(dn, :serviceEnabled, services)
  end
@@ -248,7 +206,7 @@ class User < ApplicationRecord
      return unless avatar_new.present?
      if avatar_new.size > 1.megabyte
-        errors.add(:avatar, "must be less than 1MB file size")
+        errors.add(:avatar, "file size is too large")
      end
      acceptable_types = ["image/jpeg", "image/png"]
@@ -256,10 +214,4 @@ class User < ApplicationRecord
        errors.add(:avatar, "must be a JPEG or PNG file")
      end
    end
    def acceptable_pgp_key_format
      unless GPGME::Key.valid?(pgp_pubkey)
        errors.add(:pgp_pubkey, 'is not a valid armored PGP public key block')
      end
    end
 end
--- a/app/services/create_account.rb
+++ b/app/services/create_account.rb
@@ -0,0 +1,54 @@
 class CreateAccount < ApplicationService
  def initialize(account:)
    @username   = account[:username]
    @domain     = account[:ou] || Setting.primary_domain
    @email      = account[:email]
    @password   = account[:password]
    @invitation = account[:invitation]
    @confirmed  = account[:confirmed]
  end
  def call
    user = create_user_in_database
    add_ldap_document
    create_lndhub_account(user) if Setting.lndhub_enabled
    if @invitation.present?
      update_invitation(user.id)
    end
  end
  private
  def create_user_in_database
    User.create!(
      cn: @username,
      ou: @domain,
      email: @email,
      password: @password,
      password_confirmation: @password,
      confirmed_at: @confirmed ? DateTime.now : nil
    )
  end
  def update_invitation(user_id)
    @invitation.update! invited_user_id: user_id, used_at: DateTime.now
  end
  def add_ldap_document
    hashed_pw = Devise.ldap_auth_password_builder.call(@password)
    CreateLdapUserJob.perform_later(
      username: @username,
      domain: @domain,
      email: @email,
      hashed_pw: hashed_pw,
      confirmed: @confirmed
    )
  end
  def create_lndhub_account(user)
    #TODO enable in development when we have a local lndhub (mock?) API
    return if Rails.env.development?
    CreateLndhubAccountJob.perform_later(user)
  end
 end
--- a/app/services/create_invitations.rb
+++ b/app/services/create_invitations.rb
@@ -0,0 +1,17 @@
 class CreateInvitations < ApplicationService
  def initialize(user:, amount:, notify: true)
    @user = user
    @amount = amount
    @notify = notify
  end
  def call
    @amount.times do
      Invitation.create(user: @user)
    end
    if @notify
      NotificationMailer.with(user: @user).new_invitations_available.deliver_later
    end
  end
 end
--- a/app/services/ejabberd_api_client.rb
+++ b/app/services/ejabberd_api_client.rb
@@ -8,46 +8,22 @@ class EjabberdApiClient
                       "Content-Type" => "application/json")
    if res.status != 200
      #TODO Send custom event to Sentry
      Rails.logger.error "[ejabberd] API request failed:"
      Rails.logger.error res.body
-      res
+      #TODO Send custom event to Sentry
    end
  end
  #
  # API endpoints
  #
  def add_rosteritem(payload)
    post "add_rosteritem", payload
  end
  def get_vcard2(user, name, subname)
    payload = {
      user: user.cn, host: user.ou,
      name: name, subname: subname
    }
    post "get_vcard2", payload
  end
  def private_get(user, element_name, namespace)
    payload = {
      user: user.cn, host: user.ou,
      element: element_name, ns: namespace
    }
    post "private_get", payload
  end
  def private_set(user, content)
    payload = {
      user: user.cn, host: user.ou,
      element: content
    }
    post "private_set", payload
  end
  def send_message(payload)
    post "send_message", payload
  end
  def private_set(user, content)
    payload = { user: user.cn, host: user.ou, element: content }
    post "private_set", payload
  end
 end
--- a/app/services/ldap_manager/fetch_avatar.rb
+++ b/app/services/ldap_manager/fetch_avatar.rb
@@ -5,12 +5,12 @@ module LdapManager
    end
    def call
-      treebase = ldap_config["base"]
+      treebase   = ldap_config["base"]
      attributes = %w{ jpegPhoto }
-      filter = Net::LDAP::Filter.eq("cn", @cn)
+      filter     = Net::LDAP::Filter.eq("cn", @cn)
      entry = client.search(base: treebase, filter: filter, attributes: attributes).first
-      entry[:jpegPhoto].present? ? entry.jpegPhoto.first : nil
+      entry.try(:jpegPhoto) ? entry.jpegPhoto.first : nil
    end
  end
 end
--- a/app/services/ldap_manager/update_avatar.rb
+++ b/app/services/ldap_manager/update_avatar.rb
@@ -2,41 +2,26 @@ require "image_processing/vips"
 module LdapManager
  class UpdateAvatar < LdapManagerService
-    def initialize(user:)
+    def initialize(dn:, file:)
-      @user = user
+      @dn = dn
-      @dn = user.dn
+      @img_data = process(file)
    end
    def call
-      unless @user.avatar.attached?
+      replace_attribute @dn, :jpegPhoto, @img_data
        Rails.logger.error { "Cannot store empty jpegPhoto for user #{@user.cn}" }
        return false
      end
      img_data = @user.avatar.blob.download
      jpg_data = process_avatar
      Rails.logger.debug { "Storing new jpegPhoto for user #{@user.cn} in LDAP" }
      result = replace_attribute(@dn, :jpegPhoto, jpg_data)
      result == 0
    end
    private
-    def process_avatar
+    def process(file)
-      @user.avatar.blob.open do |file|
+      processed = ImageProcessing::Vips
-        processed = ImageProcessing::Vips
+        .resize_to_fill(512, 512)
-          .source(file)
+        .source(file)
-          .resize_to_fill(256, 256)
+        .convert("jpeg")
-          .convert("jpeg")
+        .saver(strip: true)
-          .saver(strip: true)
+        .call
-          .call
+
-        processed.read
+      Base64.strict_encode64 processed.read
      end
    rescue Vips::Error => e
      Sentry.capture_exception(e) if Setting.sentry_enabled?
      Rails.logger.error { "Image processing failed for LDAP avatar: #{e.message}" }
      nil
    end
  end
 end
--- a/app/services/ldap_manager/update_pgp_key.rb
+++ b/app/services/ldap_manager/update_pgp_key.rb
@@ -1,16 +0,0 @@
 module LdapManager
  class UpdatePgpKey < LdapManagerService
    def initialize(dn:, pubkey:)
      @dn = dn
      @pubkey = pubkey
    end
    def call
      if @pubkey.present?
        replace_attribute @dn, :pgpKey, @pubkey
      else
        delete_attribute @dn, :pgpKey
      end
    end
  end
 end
--- a/app/services/ldap_service.rb
+++ b/app/services/ldap_service.rb
@@ -58,7 +58,7 @@ class LdapService < ApplicationService
    attributes = %w[
      dn cn uid mail displayName admin serviceEnabled
-      mailRoutingAddress mailpassword nostrKey pgpKey
+      mailRoutingAddress mailpassword nostrKey
    ]
    filter = Net::LDAP::Filter.eq("uid", args[:uid] || "*")
@@ -73,8 +73,7 @@ class LdapService < ApplicationService
        services_enabled: e.try(:serviceEnabled),
        email_maildrop: e.try(:mailRoutingAddress),
        email_password: e.try(:mailpassword),
-        nostr_key: e.try(:nostrKey) ? e.nostrKey.first : nil,
+        nostr_key: e.try(:nostrKey) ? e.nostrKey.first : nil
        pgp_key: e.try(:pgpKey) ? e.pgpKey.first : nil
      }
    end
  end
@@ -102,7 +101,7 @@ class LdapService < ApplicationService
    dn = "ou=#{ou},cn=users,#{ldap_suffix}"
    aci = <<-EOS
-(target="ldap:///cn=*,ou=#{ou},cn=users,#{ldap_suffix}")(targetattr="cn || sn || uid || userPassword || mail || mailRoutingAddress || serviceEnabled || nostrKey || pgpKey || nsRole || objectClass") (version 3.0; acl "service-#{ou.gsub(".", "-")}-read-search"; allow (read,search) userdn="ldap:///uid=service,ou=#{ou},cn=applications,#{ldap_suffix}";)
+(target="ldap:///cn=*,ou=#{ou},cn=users,#{ldap_suffix}")(targetattr="cn || sn || uid || userPassword || mail || mailRoutingAddress || serviceEnabled || nostrKey || nsRole || objectClass") (version 3.0; acl "service-#{ou.gsub(".", "-")}-read-search"; allow (read,search) userdn="ldap:///uid=service,ou=#{ou},cn=applications,#{ldap_suffix}";)
    EOS
    attrs = {
--- a/app/services/lndhub.rb
+++ b/app/services/lndhub.rb
@@ -33,10 +33,7 @@ class Lndhub < ApplicationService
  end
  def authenticate(user)
-    credentials = post "auth?type=auth", {
+    credentials = post "auth?type=auth", { login: user.ln_account, password: user.ln_password }
      login: user.lndhub_username,
      password: user.lndhub_password
    }
    self.auth_token = credentials["access_token"]
    self.auth_token
  end
--- a/app/services/user_manager/create_account.rb
+++ b/app/services/user_manager/create_account.rb
@@ -1,56 +0,0 @@
 module UserManager
  class CreateAccount < UserManagerService
    def initialize(account:)
      @username   = account[:username]
      @domain     = account[:ou] || Setting.primary_domain
      @email      = account[:email]
      @password   = account[:password]
      @invitation = account[:invitation]
      @confirmed  = account[:confirmed]
    end
    def call
      user = create_user_in_database
      add_ldap_document
      create_lndhub_account(user) if Setting.lndhub_enabled
      if @invitation.present?
        update_invitation(user.id)
      end
    end
    private
    def create_user_in_database
      User.create!(
        cn: @username,
        ou: @domain,
        email: @email,
        password: @password,
        password_confirmation: @password,
        confirmed_at: @confirmed ? DateTime.now : nil
      )
    end
    def update_invitation(user_id)
      @invitation.update! invited_user_id: user_id, used_at: DateTime.now
    end
    def add_ldap_document
      hashed_pw = Devise.ldap_auth_password_builder.call(@password)
      CreateLdapUserJob.perform_later(
        username: @username,
        domain: @domain,
        email: @email,
        hashed_pw: hashed_pw,
        confirmed: @confirmed
      )
    end
    def create_lndhub_account(user)
      #TODO enable in development when we have a local lndhub (mock?) API
      return if Rails.env.development?
      CreateLndhubAccountJob.perform_later(user)
    end
  end
 end
--- a/app/services/user_manager/create_invitations.rb
+++ b/app/services/user_manager/create_invitations.rb
@@ -1,19 +0,0 @@
 module UserManager
  class CreateInvitations < UserManagerService
    def initialize(user:, amount:, notify: true)
      @user = user
      @amount = amount
      @notify = notify
    end
    def call
      @amount.times do
        Invitation.create(user: @user)
      end
      if @notify
        NotificationMailer.with(user: @user).new_invitations_available.deliver_later
      end
    end
  end
 end
--- a/app/services/user_manager/pgp_encrypt.rb
+++ b/app/services/user_manager/pgp_encrypt.rb
@@ -1,19 +0,0 @@
 require 'gpgme'
 module UserManager
  class PgpEncrypt < UserManagerService
    def initialize(user:, text:)
      @user = user
      @text = text
    end
    def call
      crypto = GPGME::Crypto.new
      crypto.encrypt(
        @text,
        recipients: @user.gnupg_key,
        always_trust: true
      )
    end
  end
 end
--- a/app/services/user_manager/update_pgp_key.rb
+++ b/app/services/user_manager/update_pgp_key.rb
@@ -1,24 +0,0 @@
 module UserManager
  class UpdatePgpKey < UserManagerService
    def initialize(user:)
      @user = user
    end
    def call
      if @user.pgp_pubkey.blank?
        @user.update! pgp_fpr: nil
      else
        result = GPGME::Key.import(@user.pgp_pubkey)
        if result.imports.present?
          @user.update! pgp_fpr: result.imports.first.fpr
        else
          # TODO notify Sentry, user
          raise "Failed to import OpenPGP pubkey"
        end
      end
      LdapManager::UpdatePgpKey.call(dn: @user.dn, pubkey: @user.pgp_pubkey)
    end
  end
 end
--- a/app/services/user_manager_service.rb
+++ b/app/services/user_manager_service.rb
@@ -1,2 +0,0 @@
 class UserManagerService < ApplicationService
 end
--- a/app/views/admin/settings/registrations/show.html.erb
+++ b/app/views/admin/settings/registrations/show.html.erb
@@ -9,36 +9,18 @@
        <%= render partial: "admin/settings/errors", locals: { errors: @errors } %>
      <% end %>
-      <ul role="list">
+      <label class="block">
-        <%= render FormElements::FieldsetComponent.new(
+        <p class="font-bold mb-1">Reserved usernames</p>
-              title: "Reserved usernames",
+        <p class="text-gray-500">
-              description: "These usernames cannot be registered as accounts."
+          These usernames cannot be registered as accounts:
-            ) do %>
+        </p>
-          <%= f.text_area :reserved_usernames,
+        <%= f.text_area :reserved_usernames,
-            value: Setting.reserved_usernames.join("\n"),
+          value: Setting.reserved_usernames.join("\n"),
-            class: "h-44 w-60" %>
+          class: "h-44 mb-2" %>
-          <p class="text-sm text-gray-500">
+        <p class="text-sm text-gray-500">
-            One username per line
+          One username per line
-          </p>
+        </p>
-        <% end %>
+      </label>
        <li>
          <p class="font-bold mb-1">Default services</p>
          <p class="text-gray-500">
            These services are enabled for new users by default after signup.
          </p>
          <div class="flex flex-wrap gap-x-6 gap-y-2">
            <% Setting.available_services.each do |option| %>
              <div class="md:inline-block">
                <%= f.check_box :default_services,
                  { multiple: true, checked: Setting.default_services.include?(option),
                    class: "h-4 w-4 rounded border-gray-300 text-blue-600 focus:ring-blue-600 mr-0.5" },
                  option, nil %>
                <%= f.label "default_services_#{option.parameterize}", service_human_name(option) %>
              </div>
            <% end %>
          </div>
        </li>
      </ul>
    </section>
    <section>
--- a/app/views/admin/settings/services/_nostr.html.erb
+++ b/app/views/admin/settings/services/_nostr.html.erb
@@ -19,11 +19,6 @@
        title: "Public key",
        description: "The corresponding public key of the accounts service"
      ) %>
  <%= render FormElements::FieldsetResettableSettingComponent.new(
        key: :nostr_public_key_primary_domain,
        title: "Public key for primary domain (NIP-05)",
        description: "(optional) A different pubkey to announce for the _@#{Setting.primary_domain} Nostr address"
      ) %>
  <%= render FormElements::FieldsetResettableSettingComponent.new(
        key: :nostr_relay_url,
        title: "Relay URL",
--- a/app/views/admin/settings/services/_remotestorage.html.erb
+++ b/app/views/admin/settings/services/_remotestorage.html.erb
@@ -1,4 +1,5 @@
 <h3>RemoteStorage</h3>
 <p class="text-red-600 mb-8">Feature currently in development.</p>
 <ul role="list">
  <%= render FormElements::FieldsetToggleComponent.new(
    form: f,
--- a/app/views/admin/users/show.html.erb
+++ b/app/views/admin/users/show.html.erb
@@ -89,47 +89,13 @@
    </section>
    <section class="sm:flex-1 sm:pt-0">
-      <h3>LDAP</h3>
+      <% if @avatar.present? %>
-      <table class="divided">
+      <h3>LDAP<h3>
-        <tbody>
+      <p>
-          <tr>
+        <img src="data:image/jpeg;base64,<%= @avatar %>" class="h-48 w-48" />
-            <th>Avatar</th>
+      </p>
-            <td>
+      <% end %>
-              <% if @ldap_avatar.present? %>
+      <!-- <h3>Actions</h3> -->
                JPEG size: <%= @ldap_avatar.size %>
              <% else %>
                &mdash;
              <% end %>
            </td>
          </tr>
          <tr>
            <th>Display name</th>
            <td><%= @user.display_name || "—" %></td>
          </tr>
          <tr>
            <th class="align-top">PGP key</th>
            <td class="align-top leading-5">
              <% if @user.pgp_pubkey.present? %>
                <span class="font-mono" title="<%= @user.pgp_fpr %>">
                  <% if @user.pgp_pubkey_contains_user_address? %>
                    <%= link_to wkd_key_url(hashed_username: @user.wkd_hash, l: @user.cn, format: :txt),
                      class: "ks-text-link", target: "_blank" do %>
                      <%= "#{@user.pgp_fpr[0, 8]}…#{@user.pgp_fpr[-8..-1]}" %>
                    <% end %>
                  <% else %>
                    <%= "#{@user.pgp_fpr[0, 8]}…#{@user.pgp_fpr[-8..-1]}" %>
                  <% end %>
                </span><br />
                <% @user.gnupg_key.uids.each do |uid| %>
                  <%= uid.uid %><br />
                <% end %>
              <% else %>
                &mdash;
              <% end %>
            </td>
          </tr>
        </tbody>
      </table>
    </section>
  </div>
@@ -218,7 +184,7 @@
          <td>XMPP (ejabberd)</td>
          <td>
            <%= render FormElements::ToggleComponent.new(
-              enabled: @services_enabled.include?("ejabberd"),
+              enabled: @services_enabled.include?("xmpp"),
              input_enabled: false
            ) %>
          </td>
@@ -239,9 +205,7 @@
            ) %>
          </td>
          <td class="text-right">
            <% if @user.nostr_pubkey.present? %>
            <%= link_to "Open profile", "https://njump.me/#{@user.nostr_pubkey_bech32}", class: "btn-sm btn-gray" %>
            <% end %>
          </td>
        </tr>
        <% end %>
@@ -278,7 +242,7 @@
      </thead>
      <tbody>
        <tr>
-          <td><%= @user.lndhub_username %></td>
+          <td><%= @user.ln_account %></td>
          <td><%= number_with_delimiter @lndhub_user.balance %> sats</td>
          <td><%= number_with_delimiter @lndhub_user.sum_incoming %> sats</td>
          <td><%= number_with_delimiter @lndhub_user.sum_outgoing %> sats</td>
@@ -287,7 +251,7 @@
      </tbody>
    </table>
    <% else %>
-      <p>No LndHub user found for account <strong class="font-mono"><%= @user.lndhub_username %></strong>.
+      <p>No LndHub user found for account <strong class="font-mono"><%= @user.ln_account %></strong>.
    <% end %>
  </section>
  <% end %>
--- a/app/views/services/remotestorage/show.html.erb
+++ b/app/views/services/remotestorage/show.html.erb
@@ -15,8 +15,6 @@
      In order to connect an app to your storage account, give it your address:
    </p>
    <p data-controller="clipboard" class="flex gap-1 sm:w-2/5">
      <img src="/img/logos/icon_remotestorage.svg"
           class="inline-block h-6 w-6 mr-1 self-center">
      <input type="text" id="user_address" class="grow"
             value=<%= current_user.address %> disabled="disabled"
             data-clipboard-target="source" />
@@ -33,24 +31,6 @@
    </p>
  </section>
  <section>
    <h3>Compatible Apps</h3>
    <p>
      Your Storage account is based on a new open standard called
      <a href="https://remotestorage.io" target="_blank">
        <img src="/img/logos/icon_remotestorage.svg" class="h-4 w-4 inline">
        <strong>remoteStorage</strong>
      </a>, which is not yet widely supported.  Look
      for the remoteStorage icon, or check the Sync settings in apps.
    </p>
    <p>
      If you want your favorite apps to support syncing data with your own
      Storage account, let the developers know! All relevant information is
      available on the <a href="https://remotestorage.io"
        target="_blank" class="ks-text-link">remoteStorage website</a>.
    </p>
  </section>
  <section>
    <h3>Recommended Apps</h3>
    <div data-controller="tabs"
--- a/app/views/settings/_account.html.erb
+++ b/app/views/settings/_account.html.erb
@@ -1,6 +1,6 @@
 <%= tag.section data: {
      controller: "settings--account--email",
-      "settings--account--email-validation-failed-value": @validation_errors&.[](:email)&.present?
+      "settings--account--email-validation-failed-value": @validation_errors.present?
    } do %>
  <h3>E-Mail</h3>
  <%= form_for(@user, url: update_email_settings_path, method: "post") do |f| %>
@@ -23,7 +23,7 @@
        </span>
      </button>
    </p>
-    <% if @validation_errors&.[](:email)&.present? %>
+    <% if @validation_errors.present? && @validation_errors[:email].present? %>
      <p class="error-msg"><%= @validation_errors[:email].first %></p>
    <% end %>
    <div class="initial-hidden">
@@ -41,33 +41,10 @@
 <% end %>
 <section>
  <h3>Password</h3>
-  <p class="mb-6">Use the following button to request an email with a password reset link:</p>
+  <p class="mb-8">Use the following button to request an email with a password reset link:</p>
  <%= form_with(url: reset_password_settings_path, method: :post) do %>
    <p>
      <%= submit_tag("Send me a password reset link", class: 'btn-md btn-gray w-full sm:w-auto') %>
    </p>
  <% end %>
 </section>
 <%= form_for(@user, url: setting_path(:account), html: { :method => :put }) do |f| %>
  <section class="!pt-8 sm:!pt-12">
    <h3>OpenPGP</h3>
    <ul role="list">
      <%= render FormElements::FieldsetComponent.new(
            title: "Public key",
            description: "Your OpenPGP public key in ASCII Armor format"
          ) do %>
        <%= f.text_area :pgp_pubkey,
          value: @user.pgp_pubkey,
          class: "h-24 w-full" %>
        <% if @validation_errors&.[](:pgp_pubkey)&.present? %>
          <p class="error-msg">This <%= @validation_errors[:pgp_pubkey].first %></p>
        <% end %>
      <% end %>
    </ul>
  </section>
  <section>
    <p class="pt-6 border-t border-gray-200 text-right">
      <%= f.submit 'Save', class: "btn-md btn-blue w-full md:w-auto" %>
    </p>
  </section>
 <% end %>
--- a/app/views/settings/_email.html.erb
+++ b/app/views/settings/_email.html.erb
@@ -5,7 +5,7 @@
  <h3>E-Mail Password</h3>
  <%= form_for(@user, url: reset_email_password_settings_path, method: "post") do |f| %>
    <%= hidden_field_tag :section, "email" %>
-    <p class="mb-6">
+    <p class="mb-8">
      Use the following button to generate a new email password:
    </p>
    <p class="hidden initial-visible">
--- a/app/views/settings/_profile.html.erb
+++ b/app/views/settings/_profile.html.erb
@@ -20,7 +20,7 @@
      </button>
    </p>
    <p class="text-sm text-gray-500">
-      Your account's address on the Internet
+      Your user address for Chat and Lightning Network.
    </p>
  </div>
  <%= form_for(@user, url: setting_path(:profile), html: { :method => :put }) do |f| %>
@@ -31,19 +31,23 @@
      <% end %>
    <% end %>
    <% if Flipper.enabled?(:avatar_upload, current_user) %>
    <label class="block">
-      <p class="font-bold mb-1">Avatar</p>
+      <p class="font-bold mb-1">
-      <p class="text-gray-500">Default profile picture</p>
+        Avatar
      </p>
      <p class="text-gray-500">
        Default profile picture
      </p>
      <div class="flex items-center gap-6">
-        <% if @user.avatar.attached? %>
+        <% if current_user.avatar.present? %>
-          <p class="flex-none">
+        <p class="flex-none">
-            <%= image_tag image_url_for(@user.avatar), class: "h-24 w-24 rounded-lg" %>
+          <%= image_tag "data:image/jpeg;base64,#{current_user.avatar}", class: "h-24 w-24 rounded-lg" %>
-          </p>
+        </p>
        <% end %>
        <div class="grow">
          <p class="mb-2">
-            <%= f.file_field :avatar_new, accept: "image/jpeg,image/png" %>
+          <%= f.file_field :avatar, class: "" %>
          </p>
          <p class="text-sm text-gray-500">
            JPEG or PNG image, not larger than 1 megabyte
          </p>
@@ -53,6 +57,7 @@
        </div>
      </div>
    </label>
    <% end %>
    <p class="mt-8 pt-6 border-t border-gray-200 text-right">
      <%= f.submit 'Save', class: "btn-md btn-blue w-full md:w-auto" %>
--- a/bin/jobs
+++ b/bin/jobs
@@ -1,6 +0,0 @@
 #!/usr/bin/env ruby
 require_relative "../config/environment"
 require "solid_queue/cli"
 SolidQueue::Cli.start(ARGV)
--- a/bin/rails
+++ b/bin/rails
@@ -1,4 +1,9 @@
 #!/usr/bin/env ruby
-APP_PATH = File.expand_path("../config/application", __dir__)
+begin
-require_relative "../config/boot"
+  load File.expand_path('../spring', __FILE__)
-require "rails/commands"
+rescue LoadError => e
  raise unless e.message.include?('spring')
 end
 APP_PATH = File.expand_path('../config/application', __dir__)
 require_relative '../config/boot'
 require 'rails/commands'
--- a/bin/rake
+++ b/bin/rake
@@ -1,4 +1,9 @@
 #!/usr/bin/env ruby
-require_relative "../config/boot"
+begin
-require "rake"
+  load File.expand_path('../spring', __FILE__)
 rescue LoadError => e
  raise unless e.message.include?('spring')
 end
 require_relative '../config/boot'
 require 'rake'
 Rake.application.run
--- a/bin/rubocop
+++ b/bin/rubocop
@@ -1,8 +0,0 @@
 #!/usr/bin/env ruby
 require "rubygems"
 require "bundler/setup"
 # explicit rubocop config increases performance slightly while avoiding config confusion.
 ARGV.unshift("--config", File.expand_path("../.rubocop.yml", __dir__))
 load Gem.bin_path("rubocop", "rubocop")
--- a/bin/setup
+++ b/bin/setup
@@ -1,34 +1,36 @@
 #!/usr/bin/env ruby
-require "fileutils"
+require 'fileutils'
-APP_ROOT = File.expand_path("..", __dir__)
+# path to your application root.
 APP_ROOT = File.expand_path('..', __dir__)
 def system!(*args)
-  system(*args, exception: true)
+  system(*args) || abort("\n== Command #{args} failed ==")
 end
 FileUtils.chdir APP_ROOT do
-  # This script is a way to set up or update your development environment automatically.
+  # This script is a way to setup or update your development environment automatically.
-  # This script is idempotent, so that you can run it at any time and get an expectable outcome.
+  # This script is idempotent, so that you can run it at anytime and get an expectable outcome.
  # Add necessary setup steps to this file.
-  puts "== Installing dependencies =="
+  puts '== Installing dependencies =='
-  system("bundle check") || system!("bundle install")
+  system! 'gem install bundler --conservative'
  system('bundle check') || system!('bundle install')
  # Install JavaScript dependencies
  # system('bin/yarn')
  # puts "\n== Copying sample files =="
-  # unless File.exist?("config/database.yml")
+  # unless File.exist?('config/database.yml')
-  #   FileUtils.cp "config/database.yml.sample", "config/database.yml"
+  #   FileUtils.cp 'config/database.yml.sample', 'config/database.yml'
  # end
  puts "\n== Preparing database =="
-  system! "bin/rails db:prepare"
+  system! 'bin/rails db:prepare'
  puts "\n== Removing old logs and tempfiles =="
-  system! "bin/rails log:clear tmp:clear"
+  system! 'bin/rails log:clear tmp:clear'
-  unless ARGV.include?("--skip-server")
+  puts "\n== Restarting application server =="
-    puts "\n== Starting development server =="
+  system! 'bin/rails restart'
    STDOUT.flush # flush the output before exec(2) so that it displays
    exec "bin/dev"
  end
 end
--- a/config/application.rb
+++ b/config/application.rb
@@ -1,4 +1,4 @@
-require_relative "boot"
+require_relative 'boot'
 require "rails"
 # Pick the frameworks you want:
@@ -12,6 +12,7 @@ require "action_mailbox/engine"
 # require "action_text/engine"
 require "action_view/railtie"
 require "action_cable/engine"
 require "sprockets/railtie"
 # require "rails/test_unit/railtie"
 # Require the gems listed in Gemfile, including any gems
@@ -21,20 +22,12 @@ Bundler.require(*Rails.groups)
 module Akkounts
  class Application < Rails::Application
    # Initialize configuration defaults for originally generated Rails version.
-    config.load_defaults 8.0
+    config.load_defaults 7.0
-    # Please, add to the `ignore` list any other `lib` subdirectories that do
+    # Settings in config/environments/* take precedence over those specified here.
-    # not contain `.rb` files, or that should not be reloaded or eager loaded.
+    # Application configuration can go into files in config/initializers
-    # Common ones are `templates`, `generators`, or `middleware`, for example.
+    # -- all .rb files in that directory are automatically loaded after loading
-    config.autoload_lib(ignore: %w[assets tasks])
+    # the framework and any gems in your application.
    # Configuration for the application, engines, and railties goes here.
    #
    # These settings can be overridden in specific environments using the files
    # in config/environments, which are processed later.
    #
    # config.time_zone = "Central Time (US & Canada)"
    # config.eager_load_paths << Rails.root.join("extras")
    # Don't generate system test files.
    config.generators.system_tests = nil
@@ -47,15 +40,7 @@ module Akkounts
      g.stylesheets         false
    end
-    config.active_job.queue_adapter = :solid_queue
+    config.active_job.queue_adapter = :sidekiq
    config.mission_control.jobs.http_basic_auth_enabled = false
    config.action_mailer.deliver_later_queue_name = nil # use "default" queue
    # The default includes webp, which requires webp support everywhere
    config.active_storage.web_image_content_types = %w[image/png image/jpeg image/gif]
    config.active_record.encryption.primary_key = ENV["ENCRYPTION_PRIMARY_KEY"]
    config.active_record.encryption.key_derivation_salt = ENV["ENCRYPTION_KEY_DERIVATION_SALT"]
  end
 end
--- a/config/credentials.yml.enc
+++ b/config/credentials.yml.enc
@@ -0,0 +1 @@
 tmI5vm7qZhaigr52jEBVWkRdj+EE+9OmPh3vWXC7kA/OHuuucpr7SodychuMkQDPLM0BLk88LFsqvRIR+mqnLWpRC+P9aeUFE6ohxSWzcAd7Y4sgxUD8zpCRPndrwTw0hxXXj1WZSYeWn4BoAB34aV+gYen2MajZF3a95hJGtS5yjgWxvLVkQQKqRDfykkfX6fCS0BPo5X7sT7m4xwCATD/D4219wajm5W3TIdkriHtwt28ZLspaRWA5e0UkzKf8+/Gaj2CrW7UWcvew8R93zQ5RA2/Sp3sDTVN+kLz9I9Q095lQC0ywCAEFYHeKmc2tjrzqRaAAWu06xmWLqGIg21G+A/UU9lUJOkIpxQACWoOfS2IoXR1nXhgXMopkz3aCBXDxKw554v4H2QyOceOsuRf2C685ibMqzQkKMmJ4tcbiOJL77DUc08JTjB8Dq4Ohr8sMzXbV/hATevjYoRP0XarLekqhLv90ZLuIVY16DwB0CzACeNBKeKbeLqJF51upRRWgi+gTbYpV04yUwnXdyssF8mydWocgihrTryBi8F6PsuhBGcaYdP+0yibnGxDCC4x2rupbBfMj2OIX7pYzgtIHB3Eo954Y+bCoggqbE/Qrb9VVXNMgtKgLt8EGWU2tg6wl9QicitIq87uLDAade93zTn6rmcKPywjMDo6jbVIs653ZdUhiKdHGdpnJccbgQ/iLSPB1umNnCeaEX5jM+K9zBvl7ZMCdSk1YIQ==--ekKumqLiSlVJNwMe--K/ecXmmMT1x+WnIXMbHBDw==
--- a/config/credentials/test.key
+++ b/config/credentials/test.key
@@ -0,0 +1 @@
 6b101c9addbfa5f959b5859f756bc9d7
--- a/config/credentials/test.yml.enc
+++ b/config/credentials/test.yml.enc
@@ -0,0 +1 @@
 vqH5By5qFLImVjdlWj+7FwGg8APKnr/AEd7WqekG7L0vNA32WGBpwS1uGzs02LIcATRwGj8DyJxiBOB/w9z8cwoO+t6Woi5hAnOSCQwFWKLT0dZq7jgtT8pxK0Yu/Nf91PEFN1rc/8ZFy2KKVpbtMbMPyivT38e/ctBZD/lHrWkndvLXYvFVhqWjUnDOGbhwl/U0RZgqBBjvlm3B0JkQfiN8VXPlCJL2Cd8kd0+MpRCRTgtcxA==--OdVXnDP7OhzJxCsP--+8SI6IFIeXyDxXb+WpqhIQ==
--- a/config/database.yml
+++ b/config/database.yml
@@ -1,37 +1,21 @@
 default: &default
-  adapter: <%= ENV["DB_ADAPTER"] || "sqlite3" %>
+  adapter: sqlite3
  pool: <%= ENV["DB_POOL"] || ENV['MAX_THREADS'] || 5 %>
  timeout: 5000
 <% if ENV["DB_ADAPTER"] == "postgresql" %>
  host: <%= ENV["PG_HOST"] || 'localhost' %>
  port: <%= ENV["PG_PORT"] || 5432 %>
  username: <%= ENV["PG_USERNAME"] || 'akkounts' %>
  password: <%= ENV["PG_PASSWORD"] %>
 <% end %>
 <% if ENV["LNDHUB_PG_HOST"].present? %>
 lndhub: &lndhub
  adapter: postgresql
  database_tasks: false
  host: <%= ENV["LNDHUB_PG_HOST"] %>
  port: <%= ENV["LNDHUB_PG_PORT"] || 5432 %>
  database: <%= ENV["LNDHUB_PG_DATABASE"] || 'lndhub' %>
  username: <%= ENV["LNDHUB_PG_USERNAME"] || 'lndhub' %>
  password: <%= ENV["LNDHUB_PG_PASSWORD"] %>
 <% end %>
 development:
  primary:
    <<: *default
-    database: <%= ENV["DB_ADAPTER"] == "postgresql" ? ENV["PG_DATABASE"] : "db/development.sqlite3" %>
+    database: db/development.sqlite3
  queue:
    <<: *default
    database: <%= ENV["DB_ADAPTER"] == "postgresql" ? ENV["PG_DATABASE_QUEUE"] : "db/development_queue.sqlite3" %>
    migrations_paths: db/queue_migrate
 <% if ENV["LNDHUB_PG_HOST"].present? %>
  lndhub:
-    <<: *lndhub
+    <<: *default
-<% end %>
+    adapter: postgresql
    database_tasks: false
    host: <%= ENV["LNDHUB_PG_HOST"] || 'localhost' %>
    port: <%= ENV["LNDHUB_PG_PORT"] || 5432 %>
    database: <%= ENV["LNDHUB_PG_DATABASE"] || 'lndhub' %>
    username: <%= ENV["LNDHUB_PG_USERNAME"] || 'lndhub' %>
    password: <%= ENV["LNDHUB_PG_PASSWORD"] %>
 # Warning: The database defined as "test" will be erased and
 # re-generated from your development database when you run "rake".
@@ -48,12 +32,18 @@ test:
 production:
  primary:
    <<: *default
-    database: <%= ENV["DB_ADAPTER"] == "postgresql" ? ENV["PG_DATABASE"] : "db/production.sqlite3" %>
+    adapter: postgresql
-  queue:
+    database: akkounts
-    <<: *default
+    port: 5432
-    database: <%= ENV["DB_ADAPTER"] == "postgresql" ? ENV["PG_DATABASE_QUEUE"] : "db/production_queue.sqlite3" %>
+    host: <%= Rails.application.credentials.postgres[:host] rescue nil %>
-    migrations_paths: db/queue_migrate
+    username: <%= Rails.application.credentials.postgres[:username] rescue nil %>
-<% if ENV["LNDHUB_PG_HOST"].present? %>
+    password: <%= Rails.application.credentials.postgres[:password] rescue nil %>
  lndhub:
-    <<: *lndhub
+    <<: *default
-<% end %>
+    adapter: postgresql
    database_tasks: false
    host: <%= ENV["LNDHUB_PG_HOST"] || 'localhost' %>
    port: <%= ENV["LNDHUB_PG_PORT"] || 5432 %>
    database: <%= ENV["LNDHUB_PG_DATABASE"] || 'lndhub' %>
    username: <%= ENV["LNDHUB_PG_USERNAME"] || 'lndhub' %>
    password: <%= ENV["LNDHUB_PG_PASSWORD"] %>
--- a/config/environment.rb
+++ b/config/environment.rb
@@ -1,5 +1,5 @@
 # Load the Rails application.
-require_relative "application"
+require_relative 'application'
 # Initialize the Rails application.
 Rails.application.initialize!
--- a/config/environments/development.rb
+++ b/config/environments/development.rb
@@ -1,10 +1,10 @@
 require "active_support/core_ext/integer/time"
 Rails.application.configure do
  # Settings specified here will take precedence over those in config/application.rb.
-  # Make code changes take effect immediately without server restart.
+  # In the development environment your application's code is reloaded on
-  config.enable_reloading = true
+  # every request. This slows down response time but is perfect for development
  # since you don't have to restart the web server when you make code changes.
  config.cache_classes = false
  # Do not eager load code on boot.
  config.eager_load = false
@@ -12,15 +12,16 @@ Rails.application.configure do
  # Show full error reports.
  config.consider_all_requests_local = true
-  # Enable server timing.
+  # Enable/disable caching. By default caching is disabled.
-  config.server_timing = true
+  # Run rails dev:cache to toggle caching.
-
+  if Rails.root.join('tmp', 'caching-dev.txt').exist?
  # Enable/disable Action Controller caching. By default Action Controller caching is disabled.
  # Run rails dev:cache to toggle Action Controller caching.
  if Rails.root.join("tmp/caching-dev.txt").exist?
    config.action_controller.perform_caching = true
    config.action_controller.enable_fragment_cache_logging = true
-    config.public_file_server.headers = { "cache-control" => "public, max-age=#{2.days.to_i}" }
+
    config.cache_store = :memory_store
    config.public_file_server.headers = {
      'Cache-Control' => "public, max-age=#{2.days.to_i}"
    }
  else
    config.action_controller.perform_caching = false
@@ -30,63 +31,42 @@ Rails.application.configure do
  # Don't care if the mailer can't send.
  config.action_mailer.raise_delivery_errors = false
  # Make template changes take effect immediately.
  config.action_mailer.perform_caching = false
  # Print deprecation notices to the Rails logger.
  config.active_support.deprecation = :log
  # Raise exceptions for disallowed deprecations.
  config.active_support.disallowed_deprecation = :raise
  # Tell Active Support which deprecation messages to disallow.
  config.active_support.disallowed_deprecation_warnings = []
  # Raise an error on page load if there are pending migrations.
  config.active_record.migration_error = :page_load
  # Highlight code that triggered database queries in logs.
  config.active_record.verbose_query_logs = true
-  # Append comments with runtime information tags to SQL queries in logs.
+  # Debug mode disables concatenation and preprocessing of assets.
-  config.active_record.query_log_tags_enabled = true
+  # This option may cause significant delays in view rendering with a large
-
+  # number of complex assets.
-  # Highlight code that enqueued background job in logs.
+  config.assets.debug = true
  config.active_job.verbose_enqueue_logs = true
  # Solid Queue database
  config.solid_queue.connects_to = { database: { writing: :queue } }
  # Suppress logger output for asset requests.
-  # config.assets.quiet = true
+  config.assets.quiet = true
  # Raises error for missing translations.
-  # config.i18n.raise_on_missing_translations = true
+  # config.action_view.raise_on_missing_translations = true
-  # Annotate rendered view with file names.
+  # Use an evented file watcher to asynchronously detect changes in source code,
-  config.action_view.annotate_rendered_view_with_filenames = true
+  # routes, locales, etc. This feature depends on the listen gem.
  config.file_watcher = ActiveSupport::EventedFileUpdateChecker
  config.action_mailer.default_options = {
    from: "accounts@localhost"
  }
  # Don't actually send emails, cache them for viewing via letter opener
  config.action_mailer.delivery_method = :letter_opener
-  # Uncomment if you wish to allow Action Cable access from any origin.
+  # Don't care if the mailer can't send
  # config.action_cable.disable_request_forgery_protection = true
  # Raise error when a before_action's only/except options reference missing actions.
  config.action_controller.raise_on_missing_callback_actions = true
  # Notice if the mailer can't send
  config.action_mailer.raise_delivery_errors = true
  # Base URL to be used by email template link helpers
-  config.action_mailer.default_url_options = {
+  config.action_mailer.default_url_options = { host: "localhost:3000", protocol: "http" }
    host: "localhost:3000", # TODO port: 3000
    protocol: "http"
  }
  config.action_mailer.default_options = {
    from: "accounts@localhost",
    message_id: -> { "<#{Mail.random_tag}@localhost>" },
  }
  # Allow requests from any IP
  config.web_console.permissions = '0.0.0.0/0'
--- a/config/environments/production.rb
+++ b/config/environments/production.rb
@@ -1,61 +1,61 @@
 require "active_support/core_ext/integer/time"
 Rails.application.configure do
  # Settings specified here will take precedence over those in config/application.rb.
  # Code is not reloaded between requests.
-  config.enable_reloading = false
+  config.cache_classes = true
-  # Eager load code on boot for better performance and memory savings (ignored by Rake tasks).
+  # Eager load code on boot. This eager loads most of Rails and
  # your application in memory, allowing both threaded web servers
  # and those relying on copy on write to perform better.
  # Rake tasks automatically ignore this option for performance.
  config.eager_load = true
-  # Full error reports are disabled.
+  # Full error reports are disabled and caching is turned on.
-  config.consider_all_requests_local = false
+  config.consider_all_requests_local       = false
  config.action_controller.perform_caching = true
  # Ensures that a master key has been made available in either ENV["RAILS_MASTER_KEY"]
  # or in config/master.key. This key is used to decrypt credentials (and other encrypted files).
  # config.require_master_key = true
  # Disable serving static files from the `/public` folder by default since
  # Apache or NGINX already handles this.
  config.public_file_server.enabled = ENV['RAILS_SERVE_STATIC_FILES'].present?
-  # Turn on fragment caching in view templates.
+  # Compress CSS using a preprocessor.
-  config.action_controller.perform_caching = true
+  # config.assets.css_compressor = :sass
  # Do not fallback to assets pipeline if a precompiled asset is missed.
  config.assets.compile = false
  # Cache assets for far-future expiry since they are all digest stamped.
  config.public_file_server.headers = { "cache-control" => "public, max-age=#{1.year.to_i}" }
  # Enable serving of images, stylesheets, and JavaScripts from an asset server.
-  # config.asset_host = "http://assets.example.com"
+  # config.action_controller.asset_host = 'http://assets.example.com'
  # Specifies the header that your server uses for sending files.
  # config.action_dispatch.x_sendfile_header = 'X-Sendfile' # for Apache
  # config.action_dispatch.x_sendfile_header = 'X-Accel-Redirect' # for NGINX
-  # Assume all access to the app is happening through a SSL-terminating reverse proxy.
+  # Mount Action Cable outside main process or domain.
-  # config.assume_ssl = true
+  # config.action_cable.mount_path = nil
  # config.action_cable.url = 'wss://example.com/cable'
  # config.action_cable.allowed_request_origins = [ 'http://example.com', /http:\/\/example.*/ ]
  # Force all access to the app over SSL, use Strict-Transport-Security, and use secure cookies.
  # config.force_ssl = true
-  # Skip http-to-https redirect for the default health check endpoint.
+  # Use the lowest log level to ensure availability of diagnostic information
-  # config.ssl_options = { redirect: { exclude: ->(request) { request.path == "/up" } } }
+  # when problems arise.
  config.log_level = :debug
-  # Log to STDOUT with the current request id as a default log tag.
+  # Prepend all log lines with the following tags.
  config.log_tags = [ :request_id ]
  config.logger   = ActiveSupport::TaggedLogging.logger(STDOUT)
-  # Change to "debug" to log everything (including potentially personally-identifiable information!)
+  # Use a different cache store in production.
  config.log_level = ENV.fetch("RAILS_LOG_LEVEL", "info")
  # Prevent health checks from clogging up the logs.
  config.silence_healthcheck_path = "/up"
  # Don't log any deprecations.
  config.active_support.report_deprecations = false
  # Replace the default in-process memory cache store with a durable alternative.
  # config.cache_store = :mem_cache_store
-  # Solid Queue database
+  # Use a real queuing backend for Active Job (and separate queues per environment).
-  config.solid_queue.connects_to = { database: { writing: :queue } }
+  # config.active_job.queue_adapter     = :resque
  # config.active_job.queue_name_prefix = "akkounts_production"
  # E-mail settings, adapted from https://github.com/mastodon/mastodon
@@ -63,7 +63,7 @@ Rails.application.configure do
  outgoing_email_domain  = Mail::Address.new(outgoing_email_address).domain
  config.action_mailer.default_url_options = {
-    host: ENV.fetch('AKKOUNTS_DOMAIN'),
+    host: ENV['AKKOUNTS_DOMAIN'],
    protocol: "https",
  }
@@ -106,10 +106,6 @@ Rails.application.configure do
  config.action_mailer.delivery_method = ENV.fetch('SMTP_DELIVERY_METHOD', 'smtp').to_sym
  # Disable caching for Action Mailer templates even if Action Controller
  # caching is enabled.
  config.action_mailer.perform_caching = false
  # Ignore bad email addresses and do not raise email delivery errors.
  # Set this to true and configure the email server for immediate delivery to raise delivery errors.
  config.action_mailer.raise_delivery_errors = true
@@ -124,18 +120,43 @@ Rails.application.configure do
  # the I18n.default_locale when a translation cannot be found).
  config.i18n.fallbacks = true
  # Send deprecation notices to registered listeners.
  config.active_support.deprecation = :notify
  # Use default logging formatter so that PID and timestamp are not suppressed.
  config.log_formatter = ::Logger::Formatter.new
  # Use a different logger for distributed setups.
  # require 'syslog/logger'
  # config.logger = ActiveSupport::TaggedLogging.new(Syslog::Logger.new 'app-name')
  if ENV["RAILS_LOG_TO_STDOUT"].present?
    logger           = ActiveSupport::Logger.new(STDOUT)
    logger.formatter = config.log_formatter
    config.logger    = ActiveSupport::TaggedLogging.new(logger)
  end
  # Do not dump schema after migrations.
  config.active_record.dump_schema_after_migration = false
-  # Only use :id for inspections in production.
+  # Inserts middleware to perform automatic connection switching.
-  config.active_record.attributes_for_inspect = [ :id ]
+  # The `database_selector` hash is used to pass options to the DatabaseSelector
-
+  # middleware. The `delay` is used to determine how long to wait after a write
-  # Enable DNS rebinding protection and other `Host` header attacks.
+  # to send a subsequent read to the primary.
  # config.hosts = [
  #   "example.com",     # Allow requests from example.com
  #   /.*\.example\.com/ # Allow requests from subdomains like `www.example.com`
  # ]
  #
-  # Skip DNS rebinding protection for the default health check endpoint.
+  # The `database_resolver` class is used by the middleware to determine which
-  # config.host_authorization = { exclude: ->(request) { request.path == "/up" } }
+  # database is appropriate to use based on the time delay.
  #
  # The `database_resolver_context` class is used by the middleware to set
  # timestamps for the last write to the primary. The resolver uses the context
  # class timestamps to determine how long to wait before reading from the
  # replica.
  #
  # By default Rails will store a last write timestamp in the session. The
  # DatabaseSelector middleware is designed as such you can define your own
  # strategy for connection switching and pass that into the middleware through
  # these configuration options.
  # config.active_record.database_selector = { delay: 2.seconds }
  # config.active_record.database_resolver = ActiveRecord::Middleware::DatabaseSelector::Resolver
  # config.active_record.database_resolver_context = ActiveRecord::Middleware::DatabaseSelector::Resolver::Session
 end
--- a/config/environments/test.rb
+++ b/config/environments/test.rb
@@ -6,33 +6,31 @@
 Rails.application.configure do
  # Settings specified here will take precedence over those in config/application.rb.
-  # While tests run files are not watched, reloading is not necessary.
+  config.cache_classes = false
-  config.enable_reloading = false
+  config.action_view.cache_template_loading = true
-  # Eager loading loads your entire application. When running a single test locally,
+  # Do not eager load code on boot. This avoids loading your whole application
-  # this is usually not necessary, and can slow down your test suite. However, it's
+  # just for the purpose of running a single test. If you are using a tool that
-  # recommended that you enable it in continuous integration systems to ensure eager
+  # preloads Rails for running tests, you may have to set it to true.
-  # loading is working properly before deploying your code.
+  config.eager_load = false
  config.eager_load = ENV["CI"].present?
-  # Configure public file server for tests with cache-control for performance.
+  # Configure public file server for tests with Cache-Control for performance.
-  config.public_file_server.headers = { "cache-control" => "public, max-age=3600" }
+  config.public_file_server.enabled = true
  config.public_file_server.headers = {
    'Cache-Control' => "public, max-age=#{1.hour.to_i}"
  }
-  # Show full error reports.
+  # Show full error reports and disable caching.
-  config.consider_all_requests_local = true
+  config.consider_all_requests_local       = true
  config.action_controller.perform_caching = false
  config.cache_store = :null_store
-  # Render exception templates for rescuable exceptions and raise for other exceptions.
+  # Raise exceptions instead of rendering exception templates.
-  config.action_dispatch.show_exceptions = :rescuable
+  config.action_dispatch.show_exceptions = :none
  # Disable request forgery protection in test environment.
  config.action_controller.allow_forgery_protection = false
  config.active_job.queue_adapter = :test
  # Disable caching for Action Mailer templates even if Action Controller
  # caching is enabled.
  config.action_mailer.perform_caching = false
  # Tell Action Mailer not to deliver emails to the real world.
@@ -40,28 +38,23 @@ Rails.application.configure do
  # ActionMailer::Base.deliveries array.
  config.action_mailer.delivery_method = :test
-  config.action_mailer.default_options = {
+  # Print deprecation notices to the stderr.
-    from: "accounts@kosmos.org",
+  config.active_support.deprecation = :stderr
-    message_id: -> { "<#{Mail.random_tag}@kosmos.org>" },
+
-  }
+  # Raises error for missing translations.
  # config.action_view.raise_on_missing_translations = true
  config.action_mailer.default_url_options = {
    host: "accounts.kosmos.org",
-    protocol: "https"
+    protocol: "https",
    from: "accounts@kosmos.org"
  }
-  # Raises error for missing translations.
+  config.active_job.queue_adapter = :test
  # config.i18n.raise_on_missing_translations = true
  # Annotate rendered view with file names.
  # config.action_view.annotate_rendered_view_with_filenames = true
  if ENV["S3_ENABLED"] && ENV["S3_ENABLED"].to_s != "false"
    config.active_storage.service = :s3
  else
    config.active_storage.service = :local
  end
  # Raise error when a before_action's only/except options reference missing actions.
  config.action_controller.raise_on_missing_callback_actions = true
 end
--- a/config/initializers/assets.rb
+++ b/config/initializers/assets.rb
@@ -1,9 +1,14 @@
 # Be sure to restart your server when you modify this file.
 # Version of your assets, change this if you want to expire all your assets.
-Rails.application.config.assets.version = "1.0"
+Rails.application.config.assets.version = '1.0'
 # Add additional assets to the asset load path.
 # Rails.application.config.assets.paths << Emoji.images_path
 # Add Yarn node_modules folder to the asset load path.
 Rails.application.config.assets.paths << Rails.root.join('node_modules')
 # Precompile additional assets.
 # application.js, application.css, and all non-JS/CSS in the app/assets
 # folder are already added.
 # Rails.application.config.assets.precompile += %w( admin.js admin.css )
--- a/config/initializers/content_security_policy.rb
+++ b/config/initializers/content_security_policy.rb
@@ -1,25 +1,30 @@
 # Be sure to restart your server when you modify this file.
-# Define an application-wide content security policy.
+# Define an application-wide content security policy
-# See the Securing Rails Applications Guide for more information:
+# For further information see the following documentation
-# https://guides.rubyonrails.org/security.html#content-security-policy-header
+# https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy
-# Rails.application.configure do
+# Rails.application.config.content_security_policy do |policy|
-#   config.content_security_policy do |policy|
+#   policy.default_src :self, :https
-#     policy.default_src :self, :https
+#   policy.font_src    :self, :https, :data
-#     policy.font_src    :self, :https, :data
+#   policy.img_src     :self, :https, :data
-#     policy.img_src     :self, :https, :data
+#   policy.object_src  :none
-#     policy.object_src  :none
+#   policy.script_src  :self, :https
-#     policy.script_src  :self, :https
+#   policy.style_src   :self, :https
-#     policy.style_src   :self, :https
+#   # If you are using webpack-dev-server then specify webpack-dev-server host
-#     # Specify URI for violation reports
+#   policy.connect_src :self, :https, "http://localhost:3035", "ws://localhost:3035" if Rails.env.development?
-#     # policy.report_uri "/csp-violation-report-endpoint"
+
-#   end
+#   # Specify URI for violation reports
-#
+#   # policy.report_uri "/csp-violation-report-endpoint"
 #   # Generate session nonces for permitted importmap, inline scripts, and inline styles.
 #   config.content_security_policy_nonce_generator = ->(request) { request.session.id.to_s }
 #   config.content_security_policy_nonce_directives = %w(script-src style-src)
 #
 #   # Report violations without enforcing the policy.
 #   # config.content_security_policy_report_only = true
 # end
 # If you are using UJS then enable automatic nonce generation
 # Rails.application.config.content_security_policy_nonce_generator = -> request { SecureRandom.base64(16) }
 # Set the nonce only to specific directives
 # Rails.application.config.content_security_policy_nonce_directives = %w(script-src)
 # Report CSP violations to a specified URI
 # For further information see the following documentation:
 # https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy-Report-Only
 # Rails.application.config.content_security_policy_report_only = true
--- a/config/initializers/devise.rb
+++ b/config/initializers/devise.rb
@@ -45,7 +45,7 @@ Devise.setup do |config|
  # Configure the e-mail address which will be shown in Devise::Mailer,
  # note that it will be overwritten if you use your own mailer class
  # with default "from" parameter.
-  config.mailer_sender = ENV["SMTP_FROM_ADDRESS"] || 'accounts@localhost'
+  config.mailer_sender = 'accounts@kosmos.org'
  # Configure the class responsible to send e-mails.
  # config.mailer = 'Devise::Mailer'
--- a/config/initializers/devise_rails8_patch.rb
+++ b/config/initializers/devise_rails8_patch.rb
@@ -1,11 +0,0 @@
 # See https://alvincrespo.hashnode.dev/rails-8s-lazy-route-loading-devise
 # TODO remove when Devise is fixed
 require 'devise'
 Devise # make sure it's already loaded
 module Devise
  def self.mappings
    Rails.application.try(:reload_routes_unless_loaded)
    @@mappings
  end
 end
--- a/config/initializers/filter_parameter_logging.rb
+++ b/config/initializers/filter_parameter_logging.rb
@@ -1,8 +1,4 @@
 # Be sure to restart your server when you modify this file.
-# Configure parameters to be partially matched (e.g. passw matches password) and filtered from the log file.
+# Configure sensitive parameters which will be filtered from the log file.
-# Use this to limit dissemination of sensitive information.
+Rails.application.config.filter_parameters += [:password]
 # See the ActiveSupport::ParameterFilter documentation for supported notations and behaviors.
 Rails.application.config.filter_parameters += [
  :password, :email, :secret, :token, :_key, :crypt, :salt, :certificate, :otp, :ssn
 ]
--- a/Show More
+++ b/Show More
		`@@ -1,2 +0,0 @@`
			`class UserManagerService < ApplicationService`
			`end`
		`@@ -0,0 +1 @@`
							tmI5vm7qZhaigr52jEBVWkRdj+EE+9OmPh3vWXC7kA/OHuuucpr7SodychuMkQDPLM0BLk88LFsqvRIR+mqnLWpRC+P9aeUFE6ohxSWzcAd7Y4sgxUD8zpCRPndrwTw0hxXXj1WZSYeWn4BoAB34aV+gYen2MajZF3a95hJGtS5yjgWxvLVkQQKqRDfykkfX6fCS0BPo5X7sT7m4xwCATD/D4219wajm5W3TIdkriHtwt28ZLspaRWA5e0UkzKf8+/Gaj2CrW7UWcvew8R93zQ5RA2/Sp3sDTVN+kLz9I9Q095lQC0ywCAEFYHeKmc2tjrzqRaAAWu06xmWLqGIg21G+A/UU9lUJOkIpxQACWoOfS2IoXR1nXhgXMopkz3aCBXDxKw554v4H2QyOceOsuRf2C685ibMqzQkKMmJ4tcbiOJL77DUc08JTjB8Dq4Ohr8sMzXbV/hATevjYoRP0XarLekqhLv90ZLuIVY16DwB0CzACeNBKeKbeLqJF51upRRWgi+gTbYpV04yUwnXdyssF8mydWocgihrTryBi8F6PsuhBGcaYdP+0yibnGxDCC4x2rupbBfMj2OIX7pYzgtIHB3Eo954Y+bCoggqbE/Qrb9VVXNMgtKgLt8EGWU2tg6wl9QicitIq87uLDAade93zTn6rmcKPywjMDo6jbVIs653ZdUhiKdHGdpnJccbgQ/iLSPB1umNnCeaEX5jM+K9zBvl7ZMCdSk1YIQ==--ekKumqLiSlVJNwMe--K/ecXmmMT1x+WnIXMbHBDw==
		`@@ -0,0 +1 @@`
							`vqH5By5qFLImVjdlWj+7FwGg8APKnr/AEd7WqekG7L0vNA32WGBpwS1uGzs02LIcATRwGj8DyJxiBOB/w9z8cwoO+t6Woi5hAnOSCQwFWKLT0dZq7jgtT8pxK0Yu/Nf91PEFN1rc/8ZFy2KKVpbtMbMPyivT38e/ctBZD/lHrWkndvLXYvFVhqWjUnDOGbhwl/U0RZgqBBjvlm3B0JkQfiN8VXPlCJL2Cd8kd0+MpRCRTgtcxA==--OdVXnDP7OhzJxCsP--+8SI6IFIeXyDxXb+WpqhIQ==`