Fix pages views when signed out

Already linked in the same paragraph

.env.example

@@ -1,6 +1,23 @@
 # PRIMARY_DOMAIN=kosmos.org
 # AKKOUNTS_DOMAIN=accounts.example.com
 
+# Generate this using `rails secret`
+# SECRET_KEY_BASE=
+
+# Generate these using `rails db:encryption:init`
+# (Optional, needed for LndHub integration)
+# ENCRYPTION_PRIMARY_KEY=
+# ENCRYPTION_KEY_DERIVATION_SALT=
+
+# The default backend is SQLite
+# DB_ADAPTER=postgresql
+# PG_HOST=localhost
+# PG_PORT=5432
+# PG_DATABASE=akkounts
+# PG_DATABASE_QUEUE=akkounts_queue
+# PG_USERNAME=akkounts
+# PG_PASSWORD=
+
 # SMTP_SERVER=smtp.example.com
 # SMTP_PORT=587
 # SMTP_LOGIN=accounts
@@ -20,8 +37,12 @@
 
 # LDAP_HOST=localhost
 # LDAP_PORT=389
+# LDAP_USE_TLS=false
+# LDAP_UID_ATTR=cn
+# LDAP_BASE="ou=kosmos.org,cn=users,dc=kosmos,dc=org"
+# LDAP_ADMIN_USER="cn=Directory Manager"
 # LDAP_ADMIN_PASSWORD=passthebutter
-# LDAP_SUFFIX='dc=kosmos,dc=org'
+# LDAP_SUFFIX="dc=kosmos,dc=org"
 
 # REDIS_URL='redis://localhost:6379/1'
 

.env.test

@@ -1,6 +1,9 @@
 PRIMARY_DOMAIN=kosmos.org
 AKKOUNTS_DOMAIN=accounts.kosmos.org
 
+ENCRYPTION_PRIMARY_KEY=YhNLBgCFMAzw5dV3gISxnGrhNDMQwRdn
+ENCRYPTION_KEY_DERIVATION_SALT=h28g16MRZ1sghF2jTCos1DiLZXUswinR
+
 REDIS_URL='redis://localhost:6379/0'
 
 BTCPAY_PUBLIC_URL='https://btcpay.example.com'
@@ -21,7 +24,8 @@ LNDHUB_PUBLIC_KEY='024cd3be18617f39cf645851e3ba63f51fc13f0bb09e3bb25e6fd4de55648
 NOSTR_PRIVATE_KEY='7c3ef7e448505f0615137af38569d01807d3b05b5005d5ecf8aaafcd40323cea'
 NOSTR_PUBLIC_KEY='bdd76ce2934b2f591f9fad2ebe9da18f20d2921de527494ba00eeaa0a0efadcf'
 
-RS_STORAGE_URL='https://storage.kosmos.org'
 RS_REDIS_URL='redis://localhost:6379/1'
+RS_STORAGE_URL='https://storage.kosmos.org'
+RS_AKKOUNTS_DOMAIN=localhost
 
 WEBHOOKS_ALLOWED_IPS='10.1.1.23'

.gitignore

@@ -37,6 +37,7 @@
 /yarn-error.log
 yarn-debug.log*
 .yarn-integrity
+bun.lock
 
 # Ignore local dotenv config file
 .env
@@ -47,3 +48,6 @@ dump.rdb
 
 /app/assets/builds/*
 !/app/assets/builds/.keep
+
+# Ignore generated ctags
+*.tags

Dockerfile

@@ -1,18 +1,11 @@
 # syntax=docker/dockerfile:1
-FROM debian:bullseye-slim as base
+FROM ruby:3.3.4
 
 SHELL ["/bin/bash", "-o", "pipefail", "-c"]
 
-# TODO Remove when upstream Ruby works properly on Apple silicon
+RUN apt-get update -qq && apt-get install -y --no-install-recommends curl \
-RUN apt update && apt install -y build-essential wget autoconf libpq-dev pkg-config
+      ldap-utils tini libvips
-RUN wget https://github.com/postmodern/ruby-install/releases/download/v0.9.3/ruby-install-0.9.3.tar.gz \
-  && tar -xzvf ruby-install-0.9.3.tar.gz \
-  && cd ruby-install-0.9.3/ \
-  && make install
-RUN ruby-install -p https://github.com/ruby/ruby/pull/9371.diff ruby 3.3.0
-ENV PATH="/opt/rubies/ruby-3.3.0/bin:${PATH}"
 
-RUN apt-get install -y --no-install-recommends curl ldap-utils tini libvips
 RUN curl -fsSL https://deb.nodesource.com/setup_lts.x | bash -
 RUN apt-get update && apt-get install -y nodejs
 

Gemfile

@@ -2,13 +2,13 @@ source 'https://rubygems.org'
 git_source(:github) { |repo| "https://github.com/#{repo}.git" }
 
 # Bundle edge Rails instead: gem 'rails', github: 'rails/rails'
-gem 'rails', '~> 7.1'
+gem 'rails', '~> 8.0'
 # Use Puma as the app server
-gem 'puma', '~> 4.1'
+gem 'puma', '~> 6.6'
 # View components
 gem "view_component"
-# Separate dependency since Rails 7.0
+# Asset bundler
-gem 'sprockets-rails'
+gem 'propshaft'
 # Allows custom JS build tasks to integrate with the asset pipeline
 gem 'cssbundling-rails'
 # Use JavaScript with ESM import maps [https://github.com/rails/importmap-rails]
@@ -19,17 +19,12 @@ gem "turbo-rails"
 gem "stimulus-rails"
 # Build JSON APIs with ease. Read more: https://github.com/rails/jbuilder
 gem 'jbuilder', '~> 2.7'
-# Use Redis adapter to run Action Cable in production
-# gem 'redis', '~> 4.0'
 # Use Active Model has_secure_password
 gem 'bcrypt', '~> 3.1'
 
 # Configuration
 gem 'dotenv-rails'
 
-# Security
-gem 'lockbox'
-
 # Authentication
 gem 'warden'
 gem 'devise', '~> 4.9.0'
@@ -37,6 +32,7 @@ gem 'devise_ldap_authenticatable'
 gem 'net-ldap'
 
 # Utilities
+gem 'aasm'
 gem "image_processing", "~> 1.12.2"
 gem "rqrcode", "~> 2.0"
 gem 'rails-settings-cached', '~> 2.8.3'
@@ -44,6 +40,9 @@ gem 'pagy', '~> 6.0', '>= 6.0.2'
 gem 'flipper'
 gem 'flipper-active_record'
 gem 'flipper-ui'
+gem 'gpgme', '~> 2.0.24'
+gem 'zbase32', '~> 0.1.1'
+gem 'kramdown'
 
 # HTTP requests
 gem 'faraday'
@@ -51,8 +50,8 @@ gem 'down'
 gem 'aws-sdk-s3', require: false
 
 # Background/scheduled jobs
-gem 'sidekiq', '< 7'
+gem 'solid_queue'
-gem 'sidekiq-scheduler'
+gem "mission_control-jobs"
 
 # Monitoring
 gem "sentry-ruby"
@@ -63,10 +62,11 @@ gem 'discourse_api'
 gem "lnurl"
 gem 'manifique', '~> 1.1.0'
 gem 'nostr', '~> 0.6.0'
+gem "redis", "~> 5.4"
 
 group :development, :test do
   # Use sqlite3 as the database for Active Record
-  gem 'sqlite3', '~> 1.7.2'
+  gem 'sqlite3', '>= 2.1'
   gem 'rspec-rails'
   gem 'rails-controller-testing'
 end

Gemfile.lock

@@ -1,110 +1,111 @@
 GEM
   remote: https://rubygems.org/
   specs:
-    actioncable (7.1.3)
+    aasm (5.5.0)
-      actionpack (= 7.1.3)
+      concurrent-ruby (~> 1.0)
-      activesupport (= 7.1.3)
+    actioncable (8.0.2)
+      actionpack (= 8.0.2)
+      activesupport (= 8.0.2)
       nio4r (~> 2.0)
       websocket-driver (>= 0.6.1)
       zeitwerk (~> 2.6)
-    actionmailbox (7.1.3)
+    actionmailbox (8.0.2)
-      actionpack (= 7.1.3)
+      actionpack (= 8.0.2)
-      activejob (= 7.1.3)
+      activejob (= 8.0.2)
-      activerecord (= 7.1.3)
+      activerecord (= 8.0.2)
-      activestorage (= 7.1.3)
+      activestorage (= 8.0.2)
-      activesupport (= 7.1.3)
+      activesupport (= 8.0.2)
-      mail (>= 2.7.1)
+      mail (>= 2.8.0)
-      net-imap
+    actionmailer (8.0.2)
-      net-pop
+      actionpack (= 8.0.2)
-      net-smtp
+      actionview (= 8.0.2)
-    actionmailer (7.1.3)
+      activejob (= 8.0.2)
-      actionpack (= 7.1.3)
+      activesupport (= 8.0.2)
-      actionview (= 7.1.3)
+      mail (>= 2.8.0)
-      activejob (= 7.1.3)
-      activesupport (= 7.1.3)
-      mail (~> 2.5, >= 2.5.4)
-      net-imap
-      net-pop
-      net-smtp
       rails-dom-testing (~> 2.2)
-    actionpack (7.1.3)
+    actionpack (8.0.2)
-      actionview (= 7.1.3)
+      actionview (= 8.0.2)
-      activesupport (= 7.1.3)
+      activesupport (= 8.0.2)
       nokogiri (>= 1.8.5)
-      racc
       rack (>= 2.2.4)
       rack-session (>= 1.0.1)
       rack-test (>= 0.6.3)
       rails-dom-testing (~> 2.2)
       rails-html-sanitizer (~> 1.6)
-    actiontext (7.1.3)
+      useragent (~> 0.16)
-      actionpack (= 7.1.3)
+    actiontext (8.0.2)
-      activerecord (= 7.1.3)
+      actionpack (= 8.0.2)
-      activestorage (= 7.1.3)
+      activerecord (= 8.0.2)
-      activesupport (= 7.1.3)
+      activestorage (= 8.0.2)
+      activesupport (= 8.0.2)
       globalid (>= 0.6.0)
       nokogiri (>= 1.8.5)
-    actionview (7.1.3)
+    actionview (8.0.2)
-      activesupport (= 7.1.3)
+      activesupport (= 8.0.2)
       builder (~> 3.1)
       erubi (~> 1.11)
       rails-dom-testing (~> 2.2)
       rails-html-sanitizer (~> 1.6)
-    activejob (7.1.3)
+    activejob (8.0.2)
-      activesupport (= 7.1.3)
+      activesupport (= 8.0.2)
       globalid (>= 0.3.6)
-    activemodel (7.1.3)
+    activemodel (8.0.2)
-      activesupport (= 7.1.3)
+      activesupport (= 8.0.2)
-    activerecord (7.1.3)
+    activerecord (8.0.2)
-      activemodel (= 7.1.3)
+      activemodel (= 8.0.2)
-      activesupport (= 7.1.3)
+      activesupport (= 8.0.2)
       timeout (>= 0.4.0)
-    activestorage (7.1.3)
+    activestorage (8.0.2)
-      actionpack (= 7.1.3)
+      actionpack (= 8.0.2)
-      activejob (= 7.1.3)
+      activejob (= 8.0.2)
-      activerecord (= 7.1.3)
+      activerecord (= 8.0.2)
-      activesupport (= 7.1.3)
+      activesupport (= 8.0.2)
       marcel (~> 1.0)
-    activesupport (7.1.3)
+    activesupport (8.0.2)
       base64
+      benchmark (>= 0.3)
       bigdecimal
-      concurrent-ruby (~> 1.0, >= 1.0.2)
+      concurrent-ruby (~> 1.0, >= 1.3.1)
       connection_pool (>= 2.2.5)
       drb
       i18n (>= 1.6, < 2)
+      logger (>= 1.4.2)
       minitest (>= 5.1)
-      mutex_m
+      securerandom (>= 0.3)
-      tzinfo (~> 2.0)
+      tzinfo (~> 2.0, >= 2.0.5)
-    addressable (2.8.6)
+      uri (>= 0.13.1)
-      public_suffix (>= 2.0.2, < 6.0)
+    addressable (2.8.7)
-    ast (2.4.2)
+      public_suffix (>= 2.0.2, < 7.0)
-    aws-eventstream (1.3.0)
+    ast (2.4.3)
-    aws-partitions (1.886.0)
+    aws-eventstream (1.3.2)
-    aws-sdk-core (3.191.0)
+    aws-partitions (1.1092.0)
+    aws-sdk-core (3.222.2)
       aws-eventstream (~> 1, >= 1.3.0)
-      aws-partitions (~> 1, >= 1.651.0)
+      aws-partitions (~> 1, >= 1.992.0)
-      aws-sigv4 (~> 1.8)
+      aws-sigv4 (~> 1.9)
+      base64
       jmespath (~> 1, >= 1.6.1)
-    aws-sdk-kms (1.77.0)
+      logger
-      aws-sdk-core (~> 3, >= 3.191.0)
+    aws-sdk-kms (1.99.0)
-      aws-sigv4 (~> 1.1)
+      aws-sdk-core (~> 3, >= 3.216.0)
-    aws-sdk-s3 (1.143.0)
+      aws-sigv4 (~> 1.5)
-      aws-sdk-core (~> 3, >= 3.191.0)
+    aws-sdk-s3 (1.183.0)
+      aws-sdk-core (~> 3, >= 3.216.0)
       aws-sdk-kms (~> 1)
-      aws-sigv4 (~> 1.8)
+      aws-sigv4 (~> 1.5)
-    aws-sigv4 (1.8.0)
+    aws-sigv4 (1.11.0)
       aws-eventstream (~> 1, >= 1.0.2)
     backport (1.2.0)
     base64 (0.2.0)
     bcrypt (3.1.20)
-    bech32 (1.4.2)
+    bech32 (1.5.0)
       thor (>= 1.1.0)
-    benchmark (0.3.0)
+    benchmark (0.4.0)
-    bigdecimal (3.1.6)
+    bigdecimal (3.1.9)
     bindex (0.8.1)
     bip-schnorr (0.7.0)
       ecdsa_ext (~> 0.5.0)
-    builder (3.2.4)
+    builder (3.3.0)
     capybara (3.40.0)
       addressable
       matrix
@@ -114,23 +115,25 @@ GEM
       rack-test (>= 0.6.3)
       regexp_parser (>= 1.5, < 3.0)
       xpath (~> 3.2)
+    childprocess (5.1.0)
+      logger (~> 1.5)
     chunky_png (1.4.0)
-    concurrent-ruby (1.2.3)
+    concurrent-ruby (1.3.4)
-    connection_pool (2.4.1)
+    connection_pool (2.5.2)
-    crack (0.4.6)
+    crack (1.0.0)
       bigdecimal
       rexml
     crass (1.0.6)
-    cssbundling-rails (1.4.0)
+    cssbundling-rails (1.4.3)
       railties (>= 6.0.0)
-    database_cleaner (2.0.2)
+    database_cleaner (2.1.0)
       database_cleaner-active_record (>= 2, < 3)
-    database_cleaner-active_record (2.1.0)
+    database_cleaner-active_record (2.2.0)
       activerecord (>= 5.a)
       database_cleaner-core (~> 2.0.0)
     database_cleaner-core (2.0.1)
-    date (3.3.4)
+    date (3.4.1)
-    devise (4.9.3)
+    devise (4.9.4)
       bcrypt (~> 3.0)
       orm_adapter (~> 0.1)
       railties (>= 4.1.0)
@@ -139,105 +142,112 @@ GEM
     devise_ldap_authenticatable (0.8.7)
       devise (>= 3.4.1)
       net-ldap (>= 0.16.0)
-    diff-lcs (1.5.1)
+    diff-lcs (1.6.1)
     discourse_api (2.0.1)
       faraday (~> 2.7)
       faraday-follow_redirects
       faraday-multipart
       rack (>= 1.6)
-    dotenv (2.8.1)
+    dotenv (3.1.8)
-    dotenv-rails (2.8.1)
+    dotenv-rails (3.1.8)
-      dotenv (= 2.8.1)
+      dotenv (= 3.1.8)
-      railties (>= 3.2)
+      railties (>= 6.1)
-    down (5.4.1)
+    down (5.4.2)
       addressable (~> 2.8)
-    drb (2.2.0)
+    drb (2.2.1)
-      ruby2_keywords
-    e2mmap (0.1.0)
     ecdsa (1.2.0)
     ecdsa_ext (0.5.1)
       ecdsa (~> 1.2.0)
-    erubi (1.12.0)
+    erubi (1.13.1)
-    et-orbi (1.2.7)
+    et-orbi (1.2.11)
       tzinfo
     event_emitter (0.2.6)
     eventmachine (1.2.7)
-    factory_bot (6.4.6)
+    factory_bot (6.5.1)
-      activesupport (>= 5.0.0)
+      activesupport (>= 6.1.0)
-    factory_bot_rails (6.4.3)
+    factory_bot_rails (6.4.4)
-      factory_bot (~> 6.4)
+      factory_bot (~> 6.5)
       railties (>= 5.0.0)
-    faker (3.2.3)
+    faker (3.5.1)
       i18n (>= 1.8.11, < 2)
-    faraday (2.9.0)
+    faraday (2.9.2)
       faraday-net_http (>= 2.0, < 3.2)
     faraday-follow_redirects (0.3.0)
       faraday (>= 1, < 3)
-    faraday-multipart (1.0.4)
+    faraday-multipart (1.1.0)
-      multipart-post (~> 2)
+      multipart-post (~> 2.0)
-    faraday-net_http (3.1.0)
+    faraday-net_http (3.1.1)
       net-http
     faye-websocket (0.11.3)
       eventmachine (>= 0.12.0)
       websocket-driver (>= 0.5.1)
-    ffi (1.16.3)
+    ffi (1.17.2)
-    flipper (1.2.2)
+    ffi (1.17.2-arm64-darwin)
+    ffi (1.17.2-x86_64-linux-gnu)
+    flipper (1.3.4)
       concurrent-ruby (< 2)
-    flipper-active_record (1.2.2)
+    flipper-active_record (1.3.4)
-      activerecord (>= 4.2, < 8)
+      activerecord (>= 4.2, < 9)
-      flipper (~> 1.2.2)
+      flipper (~> 1.3.4)
-    flipper-ui (1.2.2)
+    flipper-ui (1.3.4)
       erubi (>= 1.0.0, < 2.0.0)
-      flipper (~> 1.2.2)
+      flipper (~> 1.3.4)
       rack (>= 1.4, < 4)
-      rack-protection (>= 1.5.3, <= 4.0.0)
+      rack-protection (>= 1.5.3, < 5.0.0)
-      sanitize (< 7)
+      rack-session (>= 1.0.2, < 3.0.0)
-    fugit (1.9.0)
+      sanitize (< 8)
-      et-orbi (~> 1, >= 1.2.7)
+    fugit (1.11.1)
+      et-orbi (~> 1, >= 1.2.11)
       raabro (~> 1.4)
     globalid (1.2.1)
       activesupport (>= 6.1)
-    hashdiff (1.1.0)
+    gpgme (2.0.24)
-    i18n (1.14.1)
+      mini_portile2 (~> 2.7)
+    hashdiff (1.1.2)
+    i18n (1.14.7)
       concurrent-ruby (~> 1.0)
     image_processing (1.12.2)
       mini_magick (>= 4.9.5, < 5)
       ruby-vips (>= 2.0.17, < 3)
-    importmap-rails (2.0.1)
+    importmap-rails (2.1.0)
       actionpack (>= 6.0.0)
       activesupport (>= 6.0.0)
       railties (>= 6.0.0)
-    io-console (0.7.2)
+    io-console (0.8.0)
-    irb (1.11.1)
+    irb (1.15.2)
-      rdoc
+      pp (>= 0.6.0)
+      rdoc (>= 4.0.0)
       reline (>= 0.4.2)
-    jaro_winkler (1.5.6)
+    jaro_winkler (1.6.0)
-    jbuilder (2.11.5)
+    jbuilder (2.13.0)
       actionview (>= 5.0.0)
       activesupport (>= 5.0.0)
     jmespath (1.6.2)
-    json (2.7.1)
+    json (2.11.3)
-    kramdown (2.4.0)
+    kramdown (2.5.1)
-      rexml
+      rexml (>= 3.3.9)
     kramdown-parser-gfm (1.1.0)
       kramdown (~> 2.0)
-    language_server-protocol (3.17.0.3)
+    language_server-protocol (3.17.0.4)
-    launchy (2.5.2)
+    launchy (3.1.1)
       addressable (~> 2.8)
-    letter_opener (1.8.1)
+      childprocess (~> 5.0)
-      launchy (>= 2.2, < 3)
+      logger (~> 1.6)
-    letter_opener_web (2.0.0)
+    letter_opener (1.10.0)
-      actionmailer (>= 5.2)
+      launchy (>= 2.2, < 4)
-      letter_opener (~> 1.7)
+    letter_opener_web (3.0.0)
-      railties (>= 5.2)
+      actionmailer (>= 6.1)
+      letter_opener (~> 1.9)
+      railties (>= 6.1)
       rexml
-    listen (3.8.0)
+    lint_roller (1.1.0)
+    listen (3.9.0)
       rb-fsevent (~> 0.10, >= 0.10.3)
       rb-inotify (~> 0.9, >= 0.9.10)
-    lnurl (1.1.0)
+    lnurl (1.1.1)
       bech32 (~> 1.1)
-    lockbox (1.3.2)
+    logger (1.7.0)
-    loofah (2.22.0)
+    loofah (2.24.0)
       crass (~> 1.0.2)
       nokogiri (>= 1.12.0)
     mail (2.8.1)
@@ -249,18 +259,27 @@ GEM
       faraday (~> 2.9.0)
       faraday-follow_redirects (= 0.3.0)
       nokogiri (~> 1.16.0)
-    marcel (1.0.2)
+    marcel (1.0.4)
     matrix (0.4.2)
-    method_source (1.0.0)
+    method_source (1.1.0)
-    mini_magick (4.12.0)
+    mini_magick (4.13.2)
     mini_mime (1.1.5)
-    mini_portile2 (2.8.5)
+    mini_portile2 (2.8.8)
-    minitest (5.21.2)
+    minitest (5.25.5)
-    multipart-post (2.3.0)
+    mission_control-jobs (1.0.2)
-    mutex_m (0.2.0)
+      actioncable (>= 7.1)
-    net-http (0.4.1)
+      actionpack (>= 7.1)
+      activejob (>= 7.1)
+      activerecord (>= 7.1)
+      importmap-rails (>= 1.2.1)
+      irb (~> 1.13)
+      railties (>= 7.1)
+      stimulus-rails
+      turbo-rails
+    multipart-post (2.4.1)
+    net-http (0.6.0)
       uri
-    net-imap (0.4.9.1)
+    net-imap (0.5.7)
       date
       net-protocol
     net-ldap (0.19.0)
@@ -268,15 +287,15 @@ GEM
       net-protocol
     net-protocol (0.2.2)
       timeout
-    net-smtp (0.4.0.1)
+    net-smtp (0.5.1)
       net-protocol
-    nio4r (2.7.0)
+    nio4r (2.7.4)
-    nokogiri (1.16.0)
+    nokogiri (1.16.8)
       mini_portile2 (~> 2.8.2)
       racc (~> 1.4)
-    nokogiri (1.16.0-arm64-darwin)
+    nokogiri (1.16.8-arm64-darwin)
       racc (~> 1.4)
-    nokogiri (1.16.0-x86_64-linux)
+    nokogiri (1.16.8-x86_64-linux)
       racc (~> 1.4)
     nostr (0.6.0)
       bech32 (~> 1.4)
@@ -285,45 +304,57 @@ GEM
       event_emitter (~> 0.2)
       faye-websocket (~> 0.11)
       json (~> 2.6)
+    observer (0.1.2)
     orm_adapter (0.5.0)
-    pagy (6.4.3)
+    ostruct (0.6.1)
-    parallel (1.24.0)
+    pagy (6.5.0)
-    parser (3.3.0.5)
+    parallel (1.27.0)
+    parser (3.3.8.0)
       ast (~> 2.4.1)
       racc
-    pg (1.5.4)
+    pg (1.5.9)
-    psych (5.1.2)
+    pp (0.6.2)
+      prettyprint
+    prettyprint (0.2.0)
+    prism (1.4.0)
+    propshaft (1.1.0)
+      actionpack (>= 7.0.0)
+      activesupport (>= 7.0.0)
+      rack
+      railties (>= 7.0.0)
+    psych (5.2.3)
+      date
       stringio
-    public_suffix (5.0.4)
+    public_suffix (6.0.1)
-    puma (4.3.12)
+    puma (6.6.0)
       nio4r (~> 2.0)
     raabro (1.4.0)
-    racc (1.7.3)
+    racc (1.8.1)
-    rack (2.2.8)
+    rack (2.2.13)
     rack-protection (3.2.0)
       base64 (>= 0.1.0)
       rack (~> 2.2, >= 2.2.4)
     rack-session (1.0.2)
       rack (< 3)
-    rack-test (2.1.0)
+    rack-test (2.2.0)
       rack (>= 1.3)
-    rackup (1.0.0)
+    rackup (1.0.1)
       rack (< 3)
       webrick
-    rails (7.1.3)
+    rails (8.0.2)
-      actioncable (= 7.1.3)
+      actioncable (= 8.0.2)
-      actionmailbox (= 7.1.3)
+      actionmailbox (= 8.0.2)
-      actionmailer (= 7.1.3)
+      actionmailer (= 8.0.2)
-      actionpack (= 7.1.3)
+      actionpack (= 8.0.2)
-      actiontext (= 7.1.3)
+      actiontext (= 8.0.2)
-      actionview (= 7.1.3)
+      actionview (= 8.0.2)
-      activejob (= 7.1.3)
+      activejob (= 8.0.2)
-      activemodel (= 7.1.3)
+      activemodel (= 8.0.2)
-      activerecord (= 7.1.3)
+      activerecord (= 8.0.2)
-      activestorage (= 7.1.3)
+      activestorage (= 8.0.2)
-      activesupport (= 7.1.3)
+      activesupport (= 8.0.2)
       bundler (>= 1.15.0)
-      railties (= 7.1.3)
+      railties (= 8.0.2)
     rails-controller-testing (1.0.5)
       actionpack (>= 5.0.1.rc1)
       actionview (>= 5.0.1.rc1)
@@ -332,138 +363,140 @@ GEM
       activesupport (>= 5.0.0)
       minitest
       nokogiri (>= 1.6)
-    rails-html-sanitizer (1.6.0)
+    rails-html-sanitizer (1.6.2)
       loofah (~> 2.21)
-      nokogiri (~> 1.14)
+      nokogiri (>= 1.15.7, != 1.16.7, != 1.16.6, != 1.16.5, != 1.16.4, != 1.16.3, != 1.16.2, != 1.16.1, != 1.16.0.rc1, != 1.16.0)
     rails-settings-cached (2.8.3)
       activerecord (>= 5.0.0)
       railties (>= 5.0.0)
-    railties (7.1.3)
+    railties (8.0.2)
-      actionpack (= 7.1.3)
+      actionpack (= 8.0.2)
-      activesupport (= 7.1.3)
+      activesupport (= 8.0.2)
-      irb
+      irb (~> 1.13)
       rackup (>= 1.0.0)
       rake (>= 12.2)
       thor (~> 1.0, >= 1.2.2)
       zeitwerk (~> 2.6)
     rainbow (3.1.1)
-    rake (13.1.0)
+    rake (13.2.1)
     rb-fsevent (0.11.2)
-    rb-inotify (0.10.1)
+    rb-inotify (0.11.1)
       ffi (~> 1.0)
-    rbs (2.8.4)
+    rbs (3.9.2)
-    rdoc (6.6.2)
+      logger
+    rdoc (6.13.1)
       psych (>= 4.0.0)
-    redis (4.8.1)
+    redis (5.4.0)
-    regexp_parser (2.9.0)
+      redis-client (>= 0.22.0)
-    reline (0.4.2)
+    redis-client (0.24.0)
+      connection_pool
+    regexp_parser (2.10.0)
+    reline (0.6.1)
       io-console (~> 0.5)
     responders (3.1.1)
       actionpack (>= 5.2)
       railties (>= 5.2)
-    reverse_markdown (2.1.1)
+    reverse_markdown (3.0.0)
       nokogiri
-    rexml (3.2.6)
+    rexml (3.4.1)
     rqrcode (2.2.0)
       chunky_png (~> 1.0)
       rqrcode_core (~> 1.0)
     rqrcode_core (1.2.0)
-    rspec-core (3.12.2)
+    rspec-core (3.13.3)
-      rspec-support (~> 3.12.0)
+      rspec-support (~> 3.13.0)
-    rspec-expectations (3.12.3)
+    rspec-expectations (3.13.3)
       diff-lcs (>= 1.2.0, < 2.0)
-      rspec-support (~> 3.12.0)
+      rspec-support (~> 3.13.0)
-    rspec-mocks (3.12.6)
+    rspec-mocks (3.13.2)
       diff-lcs (>= 1.2.0, < 2.0)
-      rspec-support (~> 3.12.0)
+      rspec-support (~> 3.13.0)
-    rspec-rails (6.1.1)
+    rspec-rails (7.1.1)
-      actionpack (>= 6.1)
+      actionpack (>= 7.0)
-      activesupport (>= 6.1)
+      activesupport (>= 7.0)
-      railties (>= 6.1)
+      railties (>= 7.0)
-      rspec-core (~> 3.12)
+      rspec-core (~> 3.13)
-      rspec-expectations (~> 3.12)
+      rspec-expectations (~> 3.13)
-      rspec-mocks (~> 3.12)
+      rspec-mocks (~> 3.13)
-      rspec-support (~> 3.12)
+      rspec-support (~> 3.13)
-    rspec-support (3.12.1)
+    rspec-support (3.13.2)
-    rubocop (1.60.2)
+    rubocop (1.75.3)
       json (~> 2.3)
-      language_server-protocol (>= 3.17.0)
+      language_server-protocol (~> 3.17.0.2)
+      lint_roller (~> 1.1.0)
       parallel (~> 1.10)
       parser (>= 3.3.0.2)
       rainbow (>= 2.2.2, < 4.0)
-      regexp_parser (>= 1.8, < 3.0)
+      regexp_parser (>= 2.9.3, < 3.0)
-      rexml (>= 3.2.5, < 4.0)
+      rubocop-ast (>= 1.44.0, < 2.0)
-      rubocop-ast (>= 1.30.0, < 2.0)
       ruby-progressbar (~> 1.7)
-      unicode-display_width (>= 2.4.0, < 3.0)
+      unicode-display_width (>= 2.4.0, < 4.0)
-    rubocop-ast (1.30.0)
+    rubocop-ast (1.44.1)
-      parser (>= 3.2.1.0)
+      parser (>= 3.3.7.2)
+      prism (~> 1.4)
     ruby-progressbar (1.13.0)
-    ruby-vips (2.2.0)
+    ruby-vips (2.2.3)
       ffi (~> 1.12)
-    ruby2_keywords (0.0.5)
+      logger
-    rufus-scheduler (3.9.1)
+    sanitize (7.0.0)
-      fugit (~> 1.1, >= 1.1.6)
-    sanitize (6.1.0)
       crass (~> 1.0.2)
-      nokogiri (>= 1.12.0)
+      nokogiri (>= 1.16.8)
-    sentry-rails (5.16.1)
+    securerandom (0.4.1)
+    sentry-rails (5.23.0)
       railties (>= 5.0)
-      sentry-ruby (~> 5.16.1)
+      sentry-ruby (~> 5.23.0)
-    sentry-ruby (5.16.1)
+    sentry-ruby (5.23.0)
+      bigdecimal
       concurrent-ruby (~> 1.0, >= 1.0.2)
-    sidekiq (6.5.12)
+    solargraph (0.54.2)
-      connection_pool (>= 2.2.5, < 3)
-      rack (~> 2.0)
-      redis (>= 4.5.0, < 5)
-    sidekiq-scheduler (5.0.3)
-      rufus-scheduler (~> 3.2)
-      sidekiq (>= 6, < 8)
-      tilt (>= 1.4.0)
-    solargraph (0.50.0)
       backport (~> 1.2)
-      benchmark
+      benchmark (~> 0.4)
       bundler (~> 2.0)
       diff-lcs (~> 1.4)
-      e2mmap
+      jaro_winkler (~> 1.6)
-      jaro_winkler (~> 1.5)
       kramdown (~> 2.3)
       kramdown-parser-gfm (~> 1.1)
+      logger (~> 1.6)
+      observer (~> 0.1)
+      ostruct (~> 0.6)
       parser (~> 3.0)
-      rbs (~> 2.0)
+      rbs (~> 3.3)
-      reverse_markdown (~> 2.0)
+      reverse_markdown (~> 3.0)
       rubocop (~> 1.38)
       thor (~> 1.0)
       tilt (~> 2.0)
       yard (~> 0.9, >= 0.9.24)
-    sprockets (4.2.1)
+      yard-solargraph (~> 0.1)
-      concurrent-ruby (~> 1.0)
+    solid_queue (1.1.5)
-      rack (>= 2.2.4, < 4)
+      activejob (>= 7.1)
-    sprockets-rails (3.4.2)
+      activerecord (>= 7.1)
-      actionpack (>= 5.2)
+      concurrent-ruby (>= 1.3.1)
-      activesupport (>= 5.2)
+      fugit (~> 1.11.0)
-      sprockets (>= 3.0.0)
+      railties (>= 7.1)
-    sqlite3 (1.7.2)
+      thor (~> 1.3.1)
+    sqlite3 (2.6.0)
       mini_portile2 (~> 2.8.0)
-    sqlite3 (1.7.2-arm64-darwin)
+    sqlite3 (2.6.0-arm64-darwin)
-    sqlite3 (1.7.2-x86_64-linux)
+    sqlite3 (2.6.0-x86_64-linux-gnu)
-    stimulus-rails (1.3.3)
+    stimulus-rails (1.3.4)
-      railties (>= 6.0.0)
-    stringio (3.1.0)
-    thor (1.3.0)
-    tilt (2.3.0)
-    timeout (0.4.1)
-    turbo-rails (1.5.0)
-      actionpack (>= 6.0.0)
-      activejob (>= 6.0.0)
       railties (>= 6.0.0)
+    stringio (3.1.7)
+    thor (1.3.2)
+    tilt (2.6.0)
+    timeout (0.4.3)
+    turbo-rails (2.0.13)
+      actionpack (>= 7.1.0)
+      railties (>= 7.1.0)
     tzinfo (2.0.6)
       concurrent-ruby (~> 1.0)
-    unicode-display_width (2.5.0)
+    unicode-display_width (3.1.4)
-    uri (0.13.0)
+      unicode-emoji (~> 4.0, >= 4.0.4)
-    view_component (3.10.0)
+    unicode-emoji (4.0.4)
-      activesupport (>= 5.2.0, < 8.0)
+    uri (1.0.3)
-      concurrent-ruby (~> 1.0)
+    useragent (0.16.11)
+    view_component (3.22.0)
+      activesupport (>= 5.2.0, < 8.1)
+      concurrent-ruby (= 1.3.4)
       method_source (~> 1.0)
     warden (1.2.9)
       rack (>= 2.0.9)
@@ -472,18 +505,22 @@ GEM
       activemodel (>= 6.0.0)
       bindex (>= 0.4.0)
       railties (>= 6.0.0)
-    webmock (3.19.1)
+    webmock (3.25.1)
       addressable (>= 2.8.0)
       crack (>= 0.3.2)
       hashdiff (>= 0.4.0, < 2.0.0)
-    webrick (1.8.1)
+    webrick (1.9.1)
-    websocket-driver (0.7.6)
+    websocket-driver (0.7.7)
+      base64
       websocket-extensions (>= 0.1.0)
     websocket-extensions (0.1.5)
     xpath (3.2.0)
       nokogiri (~> 1.8)
-    yard (0.9.34)
+    yard (0.9.37)
-    zeitwerk (2.6.12)
+    yard-solargraph (0.1.0)
+      yard (~> 0.9)
+    zbase32 (0.1.1)
+    zeitwerk (2.7.2)
 
 PLATFORMS
   arm64-darwin-22
@@ -491,6 +528,7 @@ PLATFORMS
   x86_64-linux
 
 DEPENDENCIES
+  aasm
   aws-sdk-s3
   bcrypt (~> 3.1)
   capybara
@@ -507,32 +545,34 @@ DEPENDENCIES
   flipper
   flipper-active_record
   flipper-ui
+  gpgme (~> 2.0.24)
   image_processing (~> 1.12.2)
   importmap-rails
   jbuilder (~> 2.7)
+  kramdown
   letter_opener
   letter_opener_web
   listen (~> 3.2)
   lnurl
-  lockbox
   manifique (~> 1.1.0)
+  mission_control-jobs
   net-ldap
   nostr (~> 0.6.0)
   pagy (~> 6.0, >= 6.0.2)
   pg (~> 1.5)
-  puma (~> 4.1)
+  propshaft
-  rails (~> 7.1)
+  puma (~> 6.6)
+  rails (~> 8.0)
   rails-controller-testing
   rails-settings-cached (~> 2.8.3)
+  redis (~> 5.4)
   rqrcode (~> 2.0)
   rspec-rails
   sentry-rails
   sentry-ruby
-  sidekiq (< 7)
-  sidekiq-scheduler
   solargraph
-  sprockets-rails
+  solid_queue
-  sqlite3 (~> 1.7.2)
+  sqlite3 (>= 2.1)
   stimulus-rails
   turbo-rails
   tzinfo-data
@@ -540,6 +580,7 @@ DEPENDENCIES
   warden
   web-console (~> 4.2)
   webmock
+  zbase32 (~> 0.1.1)
 
 BUNDLED WITH
    2.5.5

README.md

@@ -57,7 +57,7 @@ Running the test suite:
 Running the test suite with Docker Compose requires overriding the Rails
 environment:
 
-    docker-compose run -e "RAILS_ENV=test" web rspec
+    docker-compose exec -e "RAILS_ENV=test" web rspec
 
 ### Docker Compose
 
@@ -128,6 +128,7 @@ command:
 
 ### Front-end
 
+* [Icons](https://feathericons.com)
 * [Tailwind CSS](https://tailwindcss.com/)
 * [Sass](https://sass-lang.com/documentation)
 * [Stimulus](https://stimulus.hotwired.dev/handbook/)

app/assets/config/manifest.js

@@ -1,4 +0,0 @@
-//= link_tree ../images
-//= link_tree ../../javascript .js
-//= link_tree ../builds
-//= link_tree ../../../vendor/javascript .js

app/assets/stylesheets/application.tailwind.css

@@ -7,7 +7,6 @@
 @import "components/buttons";
 @import "components/dashboard_services";
 @import "components/forms";
-@import "components/links";
 @import "components/notifications";
 @import "components/pagination";
 @import "components/tables";

app/assets/stylesheets/components/base.css

@@ -6,6 +6,7 @@
   body {
     @apply leading-none bg-cover bg-fixed;
     background-image: linear-gradient(35deg, rgba(255,0,255,0.2) 0, rgba(13,79,153,0.8) 100%), url('/img/bg-1.jpg');
+    color: black;
   }
 
   body#admin {
@@ -32,6 +33,10 @@
     @apply pt-8 sm:pt-12;
   }
 
+  main section h3:not(:first-child) {
+    @apply mt-8;
+  }
+
   main section:first-of-type {
     @apply pt-0;
   }
@@ -55,4 +60,11 @@
   main ul li {
     @apply leading-6;
   }
+
+  main a:not(nav > *) {
+    @apply text-blue-600;
+    &:hover   { @apply underline; }
+    &:visited { @apply text-indigo-600; }
+    &:active  { @apply text-red-600; }
+  }
 }

app/assets/stylesheets/components/buttons.css

@@ -1,5 +1,15 @@
 @layer components {
+  .btn-text-dark          { @apply text-black; }
+  .btn-text-dark:hover    { @apply text-black no-underline; }
+  .btn-text-dark:visited  { @apply text-black; }
+  .btn-text-dark:active   { @apply text-black; }
+  .btn-text-light         { @apply text-white; }
+  .btn-text-light:hover   { @apply text-white no-underline; }
+  .btn-text-light:visited { @apply text-white; }
+  .btn-text-light:active  { @apply text-white; }
+
   .btn {
+    @apply btn-text-dark;
     @apply inline-block font-semibold rounded-md leading-none cursor-pointer text-center
            transition-colors duration-75 focus:outline-none focus:ring-4;
   }
@@ -28,17 +38,20 @@
   }
 
   .btn-blue {
-    @apply bg-blue-500 hover:bg-blue-600 text-white
+    @apply btn-text-light;
+    @apply bg-blue-500 hover:bg-blue-600
            focus:ring-blue-400 focus:ring-opacity-75;
   }
 
   .btn-emerald {
-    @apply bg-emerald-500 hover:bg-emerald-600 text-white
+    @apply btn-text-light;
+    @apply bg-emerald-500 hover:bg-emerald-600
            focus:ring-emerald-400 focus:ring-opacity-75;
   }
 
   .btn-red {
-    @apply bg-red-600 hover:bg-red-700 text-white
+    @apply btn-text-light;
+    @apply bg-red-600 hover:bg-red-700
            focus:ring-red-500 focus:ring-opacity-75;
   }
 

app/assets/stylesheets/components/links.css

@@ -1,8 +0,0 @@
-@layer components {
-  .ks-text-link {
-    @apply text-blue-600;
-    &:hover   { @apply underline; }
-    &:visited { @apply text-indigo-600; }
-    &:active  { @apply text-red-600; }
-  }
-}

app/assets/stylesheets/components/pagination.css

@@ -34,7 +34,7 @@
   .pagy-nav .page a, .page.gap {
     @apply bg-white border-gray-300 text-gray-500 hover:bg-gray-100 relative
            inline-flex items-center border px-4 py-2 text-sm font-medium
-           focus:z-20;
+           no-underline focus:z-20;
   }
 
   .pagy-nav .page.active {

app/components/app_catalog/web_app_icon_component.rb

@@ -2,6 +2,8 @@
 
 module AppCatalog
   class WebAppIconComponent < ViewComponent::Base
+    include ApplicationHelper
+
     def initialize(web_app:)
       if web_app&.icon&.attached?
         @image_url = image_url_for(web_app.icon)
@@ -9,13 +11,5 @@ module AppCatalog
         @image_url = image_url_for(web_app.apple_touch_icon)
       end
     end
-
-    def image_url_for(attachment)
-      if Setting.s3_enabled?
-        s3_image_url(attachment)
-      else
-        Rails.application.routes.url_helpers.rails_blob_path(attachment, only_path: true)
-      end
-    end
   end
 end

app/components/dropdown_link_component.html.erb

@@ -1,4 +1,4 @@
-<%= link_to @href, class: @class, data: {
+<%= link_to @href, class: @class, target: @target, data: {
       'dropdown-target': "menuItem",
       'action': "keydown.up->dropdown#previousItem:prevent keydown.down->dropdown#nextItem:prevent"
     } do %>

app/components/dropdown_link_component.rb

@@ -1,8 +1,9 @@
 # frozen_string_literal: true
 
 class DropdownLinkComponent < ViewComponent::Base
-  def initialize(href:, separator: false, add_class: nil)
+  def initialize(href:, open_in_new_tab: false, separator: false, add_class: nil)
     @href = href
+    @target = open_in_new_tab ? "_blank" : nil
     @class = class_str(separator, add_class)
   end
 

app/components/edit_content_button_component.html.erb

@@ -0,0 +1,30 @@
+<div class="inline-block text-left" data-controller="modal" data-action="keydown.esc->modal#close">
+  <button class="btn-md btn-outline text-red-600" data-action="click->modal#open" title="Edit">
+    <%= content || "Edit" %>
+  </button>
+
+  <%= render ModalComponent.new(show_close_button: false) do %>
+    <%= form_with model: [:admin, @editable_content],
+                  html: { autocomplete: "off" } do |form| %>
+      <%= form.hidden_field :redirect_to, value: @redirect_to  %>
+      <p class="mb-2">
+        <%= form.label :content, @editable_content.key.capitalize, class: 'font-bold' %>
+      </p>
+      <% if @editable_content.rich_text %>
+        <p>
+          <%= form.textarea :content, class: "md:w-[56rem] md:h-[28rem]" %>
+        </p>
+        <p class="text-right">
+          <%= form.submit "Save", class: "ml-2 btn-md btn-blue" %>
+        </p>
+      <% else %>
+        <p class="">
+          <%= form.text_field :content, class: "w-80" %>
+        </p>
+        <p>
+          <%= form.submit "Save", class: "btn-md btn-blue w-full" %>
+        </p>
+      <% end %>
+    <% end %>
+  <% end %>
+</div>

app/components/edit_content_button_component.rb

@@ -0,0 +1,6 @@
+class EditContentButtonComponent < ViewComponent::Base
+  def initialize(context:, key:, rich_text: false, redirect_to: nil)
+    @editable_content = EditableContent.find_or_create_by(context:, key:, rich_text:)
+    @redirect_to = redirect_to
+  end
+end

app/components/editable_content_component.html.erb

@@ -0,0 +1,9 @@
+<% if @editable_content.has_content? %>
+  <% if @editable_content.rich_text %>
+    <%= helpers.markdown_to_html @editable_content.content %>
+  <% else %>
+    <%= @editable_content.content %>
+  <% end %>
+<% else %>
+  <%= @default %>
+<% end %>

app/components/editable_content_component.rb

@@ -0,0 +1,6 @@
+class EditableContentComponent < ViewComponent::Base
+  def initialize(context:, key:, rich_text: false, default: nil)
+    @editable_content = EditableContent.find_or_create_by(context:, key:, rich_text:)
+    @default = default
+  end
+end

app/components/main_compact_component.html.erb

@@ -1,4 +1,4 @@
-<main class="w-full max-w-xl mx-auto pb-12 px-4 sm:px-6 lg:px-8">
+<main class="w-full max-w-xl mx-auto px-4 sm:px-6 lg:px-8">
   <div class="bg-white rounded-lg shadow px-6 sm:px-12 py-8 sm:py-12">
     <%= content %>
   </div>

app/components/main_simple_component.html.erb

@@ -1,4 +1,4 @@
-<main class="w-full max-w-6xl mx-auto pb-12 px-4 md:px-6 lg:px-8">
+<main class="w-full max-w-6xl mx-auto px-4 md:px-6 lg:px-8">
   <div class="md:min-h-[50vh] bg-white rounded-lg shadow px-6 sm:px-12 py-8 sm:py-12">
     <%= content %>
   </div>

app/components/main_with_sidenav_component.html.erb

@@ -1,4 +1,4 @@
-<main class="w-full max-w-6xl mx-auto pb-12 px-4 md:px-6 lg:px-8">
+<main class="w-full max-w-6xl mx-auto px-4 md:px-6 lg:px-8">
   <div class="bg-white rounded-lg shadow">
     <div class="md:min-h-[50vh] divide-y divide-gray-200 lg:grid lg:grid-cols-12 lg:divide-y-0 lg:divide-x">
       <aside class="py-6 sm:py-8 lg:col-span-3">

app/components/main_with_tabnav_component.html.erb

@@ -1,4 +1,4 @@
-<main class="w-full max-w-6xl mx-auto pb-12 px-4 md:px-6 lg:px-8">
+<main class="w-full max-w-6xl mx-auto px-4 md:px-6 lg:px-8">
   <div class="md:min-h-[50vh] bg-white rounded-lg shadow">
     <div class="px-6 sm:px-12 pt-2 sm:pt-4">
       <%= render partial: @tabnav_partial %>

app/components/rs_auth_component.html.erb

@@ -12,7 +12,8 @@
   </div>
   <%= render DropdownComponent.new do %>
     <%= render DropdownLinkComponent.new(
-          href: launch_app_services_storage_rs_auth_url(@auth)
+          href: launch_app_services_storage_rs_auth_url(@auth),
+          open_in_new_tab: true
         ) do %>
       Launch app
     <% end %>

app/components/sidenav_link_component.rb

@@ -29,7 +29,7 @@ class SidenavLinkComponent < ViewComponent::Base
 
   def class_names_icon(path)
     if @active
-      "text-teal-500 group-hover:text-teal-500 flex-shrink-0 -ml-1 mr-3 h-6 w-6"
+      "text-teal-600 group-hover:text-teal-600 flex-shrink-0 -ml-1 mr-3 h-6 w-6"
     elsif @disabled
       "text-gray-300 group-hover:text-gray-300 flex-shrink-0 -ml-1 mr-3 h-6 w-6"
     else

app/controllers/admin/donations_controller.rb

@@ -4,11 +4,22 @@ class Admin::DonationsController < Admin::BaseController
 
   # GET /donations
   def index
-    @pagy, @donations = pagy(Donation.completed.order('paid_at desc'))
+    @username = params[:username].presence
+
+    pending_scope   = Donation.incomplete.joins(:user).order('paid_at desc')
+    completed_scope = Donation.completed.joins(:user).order('paid_at desc')
+
+    if @username
+      pending_scope   = pending_scope.where(users: { cn: @username })
+      completed_scope = completed_scope.where(users: { cn: @username })
+    end
+
+    @pending_donations = pending_scope
+    @pagy, @donations  = pagy(completed_scope)
 
     @stats = {
-      overall_sats: @donations.sum("amount_sats"),
+      overall_sats: completed_scope.sum("amount_sats"),
-      donor_count: Donation.completed.count(:user_id)
+      donor_count: completed_scope.distinct.count(:user_id)
     }
   end
 

app/controllers/admin/editable_contents_controller.rb

@@ -0,0 +1,45 @@
+class Admin::EditableContentsController < Admin::BaseController
+  before_action :set_content, only: [:show, :edit, :update]
+  before_action :set_current_section, only: [:index, :show, :edit]
+
+  def index
+    @path = params[:path].presence
+    scope = EditableContent.order(path: :asc)
+    scope = scope.where(path: @path) if @path
+    @pagy, @contents = pagy(scope)
+  end
+
+  def show
+  end
+
+  def edit
+  end
+
+  def update
+    return_to = params[:editable_content][:redirect_to].presence
+
+    if @editable_content.update(content_params)
+      if return_to
+        redirect_to return_to
+      else
+        render status: :ok
+      end
+    else
+      render :edit, status: :unprocessable_entity
+    end
+  end
+
+  private
+
+  def set_content
+    @editable_content = EditableContent.find(params[:id])
+  end
+
+  def content_params
+    params.require(:editable_content).permit(:path, :key, :lang, :content, :rich_text)
+  end
+
+  def set_current_section
+    @current_section = :content
+  end
+end

app/controllers/admin/invitations_controller.rb

@@ -1,12 +1,28 @@
 class Admin::InvitationsController < Admin::BaseController
+  before_action :set_current_section
+
   def index
-    @current_section = :invitations
+    @username = params[:username].presence
-    @pagy, @invitations_used = pagy(Invitation.used.order('used_at desc'))
+    accepted_scope = Invitation.used.order('used_at desc')
+    unused_scope = Invitation.unused
+
+    if @username
+      accepted_scope = accepted_scope.joins(:user).where(users: { cn: @username })
+      unused_scope = unused_scope.joins(:user).where(users: { cn: @username })
+    end
+
+    @pagy, @invitations_used = pagy(accepted_scope)
 
     @stats = {
-      available: Invitation.unused.count,
+      available: unused_scope.count,
-      accepted: @invitations_used.length,
+      accepted: accepted_scope.count,
-      users_with_referrals: Invitation.used.distinct.count(:user_id)
+      users_with_referrals: accepted_scope.distinct.count(:user_id)
     }
   end
+
+  private
+
+    def set_current_section
+      @current_section = :invitations
+    end
 end

app/controllers/admin/lightning_controller.rb

@@ -4,7 +4,7 @@ class Admin::LightningController < Admin::BaseController
   def index
     @current_section = :lightning
 
-    @users = User.pluck(:cn, :ou, :ln_account)
+    @users = User.pluck(:cn, :ou, :lndhub_username)
     @accounts = LndhubAccount.with_balances.order(balance: :desc).to_a
 
     @ln = {}

app/controllers/admin/settings/membership_controller.rb

@@ -0,0 +1,23 @@
+class Admin::Settings::MembershipController < Admin::SettingsController
+  def show
+  end
+
+  def update
+    update_settings
+
+    redirect_to admin_settings_membership_path, flash: {
+      success: "Settings saved"
+    }
+  end
+
+  private
+
+    def setting_params
+      params.require(:setting).permit([
+        :member_status_contributor,
+        :member_status_sustainer,
+        :user_index_show_contributors,
+        :user_index_show_sustainers
+      ])
+    end
+end

app/controllers/admin/settings/registrations_controller.rb

@@ -9,4 +9,12 @@ class Admin::Settings::RegistrationsController < Admin::SettingsController
       success: "Settings saved"
     }
   end
+
+  private
+
+    def setting_params
+      params.require(:setting).permit([
+        :reserved_usernames, default_services: []
+      ])
+    end
 end

app/controllers/admin/settings_controller.rb

@@ -9,11 +9,12 @@ class Admin::SettingsController < Admin::BaseController
     changed_keys = []
 
     setting_params.keys.each do |key|
-      next if setting_params[key].nil? ||
+      next if clean_param(key).nil? ||
-              (Setting.send(key).to_s == setting_params[key].strip)
+        (Setting.send(key).to_s == clean_param(key))
+
       changed_keys.push(key)
       setting = Setting.new(var: key)
-      setting.value = setting_params[key].strip
+      setting.value = clean_param(key)
       unless setting.valid?
         @errors.merge!(setting.errors)
       end
@@ -24,7 +25,7 @@ class Admin::SettingsController < Admin::BaseController
     end
 
     changed_keys.each do |key|
-      Setting.send("#{key}=", setting_params[key].strip)
+      Setting.send("#{key}=", clean_param(key))
     end
   end
 
@@ -37,4 +38,12 @@ class Admin::SettingsController < Admin::BaseController
     def setting_params
       params.require(:setting).permit(Setting.editable_keys.map(&:to_sym))
     end
+
+    def clean_param(key)
+      if Setting.get_field(key)[:type] == :string
+        setting_params[key].strip
+      else
+        setting_params[key]
+      end
+    end
 end

app/controllers/admin/users_controller.rb

@@ -4,25 +4,37 @@ class Admin::UsersController < Admin::BaseController
 
   # GET /admin/users
   def index
-    ldap   = LdapService.new
+    ldap = LdapService.new
-    @ou    = Setting.primary_domain
+    ou   = Setting.primary_domain
-    @pagy, @users = pagy(User.where(ou: @ou).order(cn: :asc))
+    @show_contributors = Setting.user_index_show_contributors
+    @show_sustainers = Setting.user_index_show_sustainers
+
+    @contributors = ldap.search_users(:memberStatus, :contributor, :cn) if @show_contributors
+    @sustainers   = ldap.search_users(:memberStatus, :sustainer, :cn) if @show_sustainers
+    @admins       = ldap.search_users(:admin, true, :cn)
+    @pagy, @users = pagy(User.where(ou: ou).order(cn: :asc))
 
     @stats = {
-      users_confirmed: User.where(ou: @ou).confirmed.count,
+      users_confirmed: User.where(ou: ou).confirmed.count,
-      users_pending: User.where(ou: @ou).pending.count
+      users_pending: User.where(ou: ou).pending.count
     }
+    @stats[:users_contributing] = @contributors.size if @show_contributors
+    @stats[:users_paying] = @sustainers.size if @show_sustainers
   end
 
   # GET /admin/users/:username
   def show
+    @invitees = @user.invitees
+    @recent_invitees = @user.invitees.order(created_at: :desc).limit(5)
+    @more_invitees = (@invitees - @recent_invitees).count
+
     if Setting.lndhub_admin_enabled?
       @lndhub_user = @user.lndhub_user
     end
 
     @services_enabled = @user.services_enabled
 
-    @avatar = LdapManager::FetchAvatar.call(cn: @user.cn)
+    @ldap_avatar = LdapManager::FetchAvatar.call(cn: @user.cn)
   end
 
   # POST /admin/users/:username/invitations
@@ -30,7 +42,7 @@ class Admin::UsersController < Admin::BaseController
     amount = params[:amount].to_i
     notify_user = ActiveRecord::Type::Boolean.new.cast(params[:notify_user])
 
-    CreateInvitations.call(user: @user, amount: amount, notify: notify_user)
+    UserManager::CreateInvitations.call(user: @user, amount: amount, notify: notify_user)
 
     redirect_to admin_user_path(@user.cn), flash: {
       success: "Added #{amount} invitations to #{@user.cn}'s account"

app/controllers/avatars_controller.rb

@@ -0,0 +1,27 @@
+class AvatarsController < ApplicationController
+  def show
+    if user = User.find_by(cn: params[:username])
+      http_status :not_found and return unless user.avatar.attached?
+
+      sha256_hash = params[:hash]
+      format = params[:format]&.to_sym || :png
+      # size = params[:size]&.to_sym || :original
+
+      unless user.avatar.filename.to_s == "#{sha256_hash}.#{format}"
+        http_status :not_found and return
+      end
+
+      # TODO See note for avatar_variant in user model
+      # blob = if size == :original
+      #          user.avatar.blob
+      #        else
+      #          user.avatar_variant(size: size)&.blob
+      #        end
+
+      data = user.avatar.blob.download
+      send_data data, type: "image/#{format}", disposition: "inline"
+    else
+      http_status :not_found
+    end
+  end
+end

app/controllers/contributions/donations_controller.rb

@@ -11,7 +11,7 @@ class Contributions::DonationsController < ApplicationController
   def index
     @current_section = :contributions
     @donations_completed = current_user.donations.completed.order('paid_at desc')
-    @donations_pending = current_user.donations.processing.order('created_at desc')
+    @donations_processing = current_user.donations.processing.order('created_at desc')
 
     if Setting.lndhub_enabled?
       begin
@@ -81,14 +81,11 @@ class Contributions::DonationsController < ApplicationController
 
     case invoice["status"]
     when "Settled"
-      @donation.paid_at = DateTime.now
+      @donation.complete!
-      @donation.payment_status = "settled"
-      @donation.save!
       flash_message = { success: "Thank you!" }
     when "Processing"
       unless @donation.processing?
-        @donation.payment_status = "processing"
+        @donation.start_processing!
-        @donation.save!
         flash_message = { success: "Thank you! We will send you an email when the payment is confirmed." }
         BtcpayCheckDonationJob.set(wait: 20.seconds).perform_later(@donation)
       end

app/controllers/contributions/other_controller.rb

@@ -0,0 +1,16 @@
+class Contributions::OtherController < ApplicationController
+  before_action :authenticate_user!
+  before_action :set_content_editing
+
+  # GET /contributions/other
+  def index
+    @current_section = :contributions
+  end
+
+  private
+
+    def set_content_editing
+      return unless params[:edit] && current_user.is_admin?
+      @edit_content = true
+    end
+end

app/controllers/contributions/projects_controller.rb

@@ -1,8 +0,0 @@
-class Contributions::ProjectsController < ApplicationController
-  before_action :authenticate_user!
-
-  # GET /contributions
-  def index
-    @current_section = :contributions
-  end
-end

app/controllers/discourse/sso_controller.rb

@@ -8,6 +8,9 @@ class Discourse::SsoController < ApplicationController
     sso.email = current_user.email
     sso.username = current_user.cn
     sso.name = current_user.display_name
+    if current_user.avatar.attached?
+      sso.avatar_url = helpers.image_url_for(current_user.avatar)
+    end
     sso.admin = current_user.is_admin?
     sso.sso_secret = secret
 

app/controllers/lnurlpay_controller.rb

@@ -1,7 +1,7 @@
 class LnurlpayController < ApplicationController
   before_action :check_service_available
   before_action :find_user
-  before_action :set_cors_access_control_headers, only: [:invoice]
+  before_action :set_cors_access_control_headers
 
   MIN_SATS = 10
   MAX_SATS = 1_000_000
@@ -37,7 +37,7 @@ class LnurlpayController < ApplicationController
       pubkey: Setting.lndhub_public_key,
       customData: [{
         customKey: "696969",
-        customValue: @user.ln_account
+        customValue: @user.lndhub_username
       }]
     }
   end

app/controllers/pages_controller.rb

@@ -0,0 +1,9 @@
+class PagesController < ApplicationController
+  def privacy
+    @current_section = :privacy
+  end
+
+  def tos
+    @current_section = :tos
+  end
+end

app/controllers/services/chat_controller.rb

@@ -3,7 +3,7 @@ class Services::ChatController < Services::BaseController
   before_action :require_service_available
 
   def show
-    @service_enabled = current_user.service_enabled?(:xmpp)
+    @service_enabled = current_user.service_enabled?(:ejabberd)
   end
 
   private

app/controllers/services/lightning_controller.rb

@@ -9,7 +9,7 @@ class Services::LightningController < ApplicationController
   before_action :lndhub_fetch_balance
 
   def index
-    @wallet_setup_url = "lndhub://#{current_user.ln_account}:#{current_user.ln_password}@#{ENV['LNDHUB_PUBLIC_URL']}"
+    @wallet_setup_url = "lndhub://#{current_user.lndhub_username}:#{current_user.lndhub_password}@#{ENV['LNDHUB_PUBLIC_URL']}"
   end
 
   def transactions

app/controllers/services/rs_auths_controller.rb

@@ -23,7 +23,11 @@ class Services::RsAuthsController < Services::BaseController
   end
 
   def launch_app
-    launch_url = "#{@auth.launch_url}#remotestorage=#{current_user.address}&access_token=#{@auth.token}"
+    user_address = Rails.env.development? ?
+      "#{current_user.cn}@localhost:3000" :
+      current_user.address
+
+    launch_url = "#{@auth.launch_url}#remotestorage=#{user_address}"
 
     redirect_to launch_url, allow_other_host: true
   end

app/controllers/settings_controller.rb

@@ -21,10 +21,12 @@ class SettingsController < ApplicationController
     end
   end
 
+  # PUT /settings/:section
   def update
     @user.preferences.merge!(user_params[:preferences] || {})
     @user.display_name = user_params[:display_name]
-    @user.avatar_new = user_params[:avatar]
+    @user.avatar_new   = user_params[:avatar_new]
+    @user.pgp_pubkey   = user_params[:pgp_pubkey]
 
     if @user.save
       if @user.display_name && (@user.display_name != @user.ldap_entry[:display_name])
@@ -32,7 +34,16 @@ class SettingsController < ApplicationController
       end
 
       if @user.avatar_new.present?
-        LdapManager::UpdateAvatar.call(dn: @user.dn, file: @user.avatar_new)
+        if store_user_avatar
+          UserManager::UpdateAvatar.call(user: @user)
+        else
+          @validation_errors = @user.errors
+          render :show, status: :unprocessable_entity and return
+        end
+      end
+
+      if @user.pgp_pubkey && (@user.pgp_pubkey != @user.ldap_entry[:pgp_key])
+        UserManager::UpdatePgpKey.call(user: @user)
       end
 
       redirect_to setting_path(@settings_section), flash: {
@@ -44,6 +55,7 @@ class SettingsController < ApplicationController
     end
   end
 
+  # POST /settings/update_email
   def update_email
     if @user.valid_ldap_authentication?(security_params[:current_password])
       if @user.update email: email_params[:email]
@@ -61,6 +73,7 @@ class SettingsController < ApplicationController
     end
   end
 
+  # POST /settings/reset_email_password
   def reset_email_password
     @user.current_password = security_params[:current_password]
 
@@ -83,6 +96,7 @@ class SettingsController < ApplicationController
     end
   end
 
+  # POST /settings/reset_password
   def reset_password
     current_user.send_reset_password_instructions
     sign_out current_user
@@ -90,6 +104,7 @@ class SettingsController < ApplicationController
     redirect_to check_your_email_path, notice: msg
   end
 
+  # POST /settings/set_nostr_pubkey
   def set_nostr_pubkey
     signed_event = Nostr::Event.new(**nostr_event_from_params)
 
@@ -152,7 +167,8 @@ class SettingsController < ApplicationController
 
     def user_params
       params.require(:user).permit(
-        :display_name, :avatar, preferences: UserPreferences.pref_keys
+        :display_name, :avatar_new, :pgp_pubkey,
+        preferences: UserPreferences.pref_keys
       )
     end
 
@@ -173,4 +189,30 @@ class SettingsController < ApplicationController
       salt = BCrypt::Engine.generate_salt
       BCrypt::Engine.hash_secret(password, salt)
     end
+
+    def store_user_avatar
+      io = @user.avatar_new.tempfile
+      img_data = UserManager::ProcessAvatar.call(io: io)
+      if img_data.blank?
+        @user.errors.add(:avatar, "failed to process file")
+        false
+      end
+      tempfile = Tempfile.create
+      tempfile.binmode
+      tempfile.write(img_data)
+      tempfile.rewind
+
+      hash = Digest::SHA256.hexdigest(img_data)
+      ext = @user.avatar_new.content_type == "image/png" ? "png" : "jpg"
+      filename = "#{hash}.#{ext}"
+
+      if filename == @user.avatar.filename.to_s
+        @user.errors.add(:avatar, "must be a new file/picture")
+        false
+      else
+        key = "users/#{@user.cn}/avatars/#{filename}"
+        @user.avatar.attach io: tempfile, key: key, filename: filename
+        @user.save
+      end
+    end
 end

app/controllers/signup_controller.rb

@@ -96,7 +96,7 @@ class SignupController < ApplicationController
     session[:new_user] = nil
     session[:validation_error] = nil
 
-    CreateAccount.call(account: {
+    UserManager::CreateAccount.call(account: {
       username: @user.cn,
       domain: Setting.primary_domain,
       email: @user.email,

app/controllers/web_key_directory_controller.rb

@@ -0,0 +1,43 @@
+class WebKeyDirectoryController < WellKnownController
+  before_action :allow_cross_origin_requests
+
+  # /.well-known/openpgpkey/hu/:hashed_username(.txt)?l=username
+  def show
+    if params[:l].blank?
+      # TODO store hashed username in db if existing implementations trigger
+      # this a lot
+      msg = "WKD request with \"l\" param omitted for hu: #{params[:hashed_username]}"
+      Sentry.capture_message(msg) if Setting.sentry_enabled?
+      http_status :bad_request and return
+    end
+
+    @user = User.find_by(cn: params[:l].downcase)
+
+    if @user.nil? ||
+       @user.pgp_pubkey.blank? ||
+       !@user.pgp_pubkey_contains_user_address?
+      http_status :not_found and return
+    end
+
+    if params[:hashed_username] != @user.wkd_hash
+      http_status :unprocessable_entity and return
+    end
+
+    respond_to do |format|
+      format.text do
+        response.headers['Content-Type'] = 'text/plain'
+        render plain: @user.pgp_pubkey
+      end
+
+      format.any do
+        key = @user.gnupg_key.export
+        send_data key, filename: "#{@user.wkd_hash}.pem",
+                       type: "application/octet-stream"
+      end
+    end
+  end
+
+  def policy
+    head :ok
+  end
+end

app/controllers/webfinger_controller.rb

@@ -1,8 +1,6 @@
-class WebfingerController < ApplicationController
+class WebfingerController < WellKnownController
   before_action :allow_cross_origin_requests, only: [:show]
 
-  layout false
-
   def show
     resource = params[:resource]
 
@@ -35,6 +33,10 @@ class WebfingerController < ApplicationController
       links: []
     }
 
+    if @user.avatar.attached?
+      jrd[:links] += avatar_link
+    end
+
     if Setting.mastodon_enabled && @user.service_enabled?(:mastodon)
       # https://docs.joinmastodon.org/spec/webfinger/
       jrd[:aliases] += mastodon_aliases
@@ -49,6 +51,16 @@ class WebfingerController < ApplicationController
     jrd
   end
 
+  def avatar_link
+    [
+      {
+        rel: "http://webfinger.net/rel/avatar",
+        type: @user.avatar.content_type,
+        href: helpers.image_url_for(@user.avatar)
+      }
+    ]
+  end
+
   def mastodon_aliases
     [
       "#{Setting.mastodon_public_url}/@#{@user.cn}",
@@ -76,7 +88,7 @@ class WebfingerController < ApplicationController
   end
 
   def remotestorage_link
-    auth_url = new_rs_oauth_url(@username)
+    auth_url = new_rs_oauth_url(@username, host: Setting.rs_accounts_domain)
     storage_url = "#{Setting.rs_storage_url}/#{@username}"
 
     {
@@ -91,10 +103,4 @@ class WebfingerController < ApplicationController
       }
     }
   end
-
-  def allow_cross_origin_requests
-    return unless Rails.env.development?
-    headers['Access-Control-Allow-Origin'] = "*"
-    headers['Access-Control-Allow-Methods'] = "GET"
-  end
 end

app/controllers/webhooks_controller.rb

@@ -5,7 +5,7 @@ class WebhooksController < ApplicationController
   before_action :process_payload
 
   def lndhub
-    @user = User.find_by!(ln_account: @payload[:user_login])
+    @user = User.find_by!(lndhub_username: @payload[:user_login])
 
     if @zap = @user.zaps.find_by(payment_request: @payload[:payment_request])
       settled_at = Time.parse(@payload[:settled_at])

app/controllers/well_known_controller.rb

@@ -1,5 +1,8 @@
 class WellKnownController < ApplicationController
   before_action :require_nostr_enabled, only: [ :nostr ]
+  before_action :allow_cross_origin_requests, only: [ :nostr ]
+
+  layout false
 
   def nostr
     http_status :unprocessable_entity and return if params[:name].blank?
@@ -7,8 +10,14 @@ class WellKnownController < ApplicationController
     relay_url = Setting.nostr_relay_url.presence
 
     if params[:name] == "_"
-      # pubkey for the primary domain without a username (e.g. kosmos.org)
+      if domain == Setting.primary_domain
-      res = { names: { "_": Setting.nostr_public_key } }
+        # pubkey for the primary domain without a username (e.g. kosmos.org)
+        res = { names: { "_": Setting.nostr_public_key_primary_domain.presence || Setting.nostr_public_key } }
+      else
+        # pubkey for the akkounts domain without a username (e.g. accounts.kosmos.org)
+        res = { names: { "_": Setting.nostr_public_key } }
+      end
+
       res[:relays] = { "_" => [ relay_url ] } if relay_url
     else
       @user = User.where(cn: params[:name], ou: domain).first
@@ -30,4 +39,9 @@ class WellKnownController < ApplicationController
     def require_nostr_enabled
       http_status :not_found unless Setting.nostr_enabled?
     end
+
+    def allow_cross_origin_requests
+      headers['Access-Control-Allow-Origin'] = "*"
+      headers['Access-Control-Allow-Methods'] = "GET"
+    end
 end

app/helpers/application_helper.rb

@@ -14,4 +14,23 @@ module ApplicationHelper
   def badge(text, color)
     tag.span text, class: "inline-flex items-center rounded-full bg-#{color}-100 px-2.5 py-0.5 text-xs font-medium text-#{color}-800"
   end
+
+  def markdown_to_html(string)
+    raw Kramdown::Document.new(string, { input: "GFM" }).to_html
+  end
+
+  def image_url_for(attachment)
+    return s3_image_url(attachment) if Setting.s3_enabled?
+
+    if attachment.record.is_a?(User) && attachment.name == "avatar"
+      hash, format = attachment.blob.filename.to_s.split(".", 2)
+      user_avatar_url(
+        username: attachment.record.cn,
+        hash: hash,
+        format: format
+      )
+    else
+      Rails.application.routes.url_helpers.rails_blob_path(attachment, only_path: true)
+    end
+  end
 end

app/helpers/dashboard_helper.rb

@@ -1,2 +0,0 @@
-module DashboardHelper
-end

app/helpers/donations_helper.rb

@@ -1,2 +0,0 @@
-module DonationsHelper
-end

app/helpers/invitations_helper.rb

@@ -1,2 +0,0 @@
-module InvitationsHelper
-end

app/helpers/lnurlpay_helper.rb

@@ -1,2 +0,0 @@
-module LnurlpayHelper
-end

app/helpers/services_helper.rb

@@ -0,0 +1,12 @@
+module ServicesHelper
+
+  def service_human_name(key, category = :external)
+    SERVICES[category][key][:name] || key.to_s
+  end
+
+  def service_display_name(key, category = :external)
+    SERVICES[category][key][:display_name] ||
+    service_human_name(key, category)
+  end
+
+end

app/helpers/settings_helper.rb

@@ -1,2 +0,0 @@
-module SettingsHelper
-end

app/helpers/signup_helper.rb

@@ -1,2 +0,0 @@
-module SignupHelper
-end

app/helpers/users_helper.rb

@@ -1,2 +0,0 @@
-module UsersHelper
-end

app/helpers/wallet_helper.rb

@@ -1,2 +0,0 @@
-module WalletHelper
-end

app/helpers/welcome_helper.rb

@@ -1,2 +0,0 @@
-module WelcomeHelper
-end

app/jobs/btcpay_check_donation_job.rb

@@ -10,9 +10,7 @@ class BtcpayCheckDonationJob < ApplicationJob
 
     case invoice["status"]
     when "Settled"
-      donation.paid_at = DateTime.now
+      donation.complete!
-      donation.payment_status = "settled"
-      donation.save!
 
       NotificationMailer.with(user: donation.user)
                         .bitcoin_donation_confirmed

app/jobs/create_ldap_user_job.rb

@@ -4,7 +4,7 @@ class CreateLdapUserJob < ApplicationJob
   def perform(username:, domain:, email:, hashed_pw:, confirmed: false)
     dn = "cn=#{username},ou=#{domain},cn=users,dc=kosmos,dc=org"
     attr = {
-      objectclass: ["top", "account", "person", "extensibleObject"],
+      objectclass: ["top", "account", "person", "inetOrgPerson", "extensibleObject"],
       cn: username,
       sn: username,
       uid: username,

app/jobs/create_lndhub_account_job.rb

@@ -2,12 +2,12 @@ class CreateLndhubAccountJob < ApplicationJob
   queue_as :default
 
   def perform(user)
-    return if user.ln_account.present? && user.ln_password.present?
+    return if user.lndhub_username.present? && user.lndhub_password.present?
 
     lndhub = LndhubV2.new
     credentials = lndhub.create_account
 
-    user.update! ln_account: credentials["login"],
+    user.update! lndhub_username: credentials["login"],
-                 ln_password: credentials["password"]
+                 lndhub_password: credentials["password"]
   end
 end

app/jobs/remote_storage_expire_authorization_job.rb

@@ -3,8 +3,6 @@ class RemoteStorageExpireAuthorizationJob < ApplicationJob
 
   def perform(rs_auth_id)
     rs_auth = RemoteStorageAuthorization.find rs_auth_id
-    return unless rs_auth.expire_at.nil? || rs_auth.expire_at <= DateTime.now
-
     rs_auth.destroy!
   end
 end

app/jobs/xmpp_exchange_contacts_job.rb

@@ -2,21 +2,6 @@ class XmppExchangeContactsJob < ApplicationJob
   queue_as :default
 
   def perform(inviter, invitee)
-    return unless inviter.service_enabled?(:xmpp) &&
+    EjabberdManager::ExchangeContacts.call(inviter:, invitee:)
-                  invitee.service_enabled?(:xmpp) &&
-                  inviter.preferences[:xmpp_exchange_contacts_with_invitees]
-
-    ejabberd = EjabberdApiClient.new
-
-    ejabberd.add_rosteritem({
-      "localuser": invitee.cn, "localhost": invitee.ou,
-      "user": inviter.cn, "host": inviter.ou,
-      "nick": inviter.cn, "group": Setting.ejabberd_buddy_roster, "subs": "both"
-    })
-    ejabberd.add_rosteritem({
-      "localuser": inviter.cn, "localhost": inviter.ou,
-      "user": invitee.cn, "host": invitee.ou,
-      "nick": invitee.cn, "group": Setting.ejabberd_buddy_roster, "subs": "both"
-    })
   end
 end

app/jobs/xmpp_send_message_job.rb

@@ -2,7 +2,6 @@ class XmppSendMessageJob < ApplicationJob
   queue_as :default
 
   def perform(payload)
-    ejabberd = EjabberdApiClient.new
+    EjabberdManager::SendMessage.call(payload:)
-    ejabberd.send_message payload
   end
 end

app/jobs/xmpp_set_avatar_job.rb

@@ -0,0 +1,7 @@
+class XmppSetAvatarJob < ApplicationJob
+  queue_as :default
+
+  def perform(user:, overwrite: false)
+    EjabberdManager::SetAvatar.call(user:, overwrite:)
+  end
+end

app/jobs/xmpp_set_default_bookmarks_job.rb

@@ -2,25 +2,6 @@ class XmppSetDefaultBookmarksJob < ApplicationJob
   queue_as :default
 
   def perform(user)
-    return unless Setting.xmpp_default_rooms.any?
+    EjabberdManager::SetDefaultBookmarks.call(user:)
-    @user = user
-    ejabberd = EjabberdApiClient.new
-    ejabberd.private_set user, storage_content
-  end
-
-  def storage_content
-    bookmarks = ""
-    Setting.xmpp_default_rooms.each do |r|
-      bookmarks << conference_element(
-        jid: r[/<(.+)>/, 1], name: r[/^(.+)\s/, 1], nick: @user.cn,
-        autojoin: Setting.xmpp_autojoin_default_rooms
-      )
-    end
-
-    "<storage xmlns='storage:bookmarks'>#{bookmarks}</storage>"
-  end
-
-  def conference_element(jid:, name:, autojoin: false, nick:)
-    "<conference jid='#{jid}' name='#{name}' autojoin='#{autojoin.to_s}'><nick>#{nick}</nick></conference>"
   end
 end

app/mailers/application_mailer.rb

@@ -1,3 +1,90 @@
 class ApplicationMailer < ActionMailer::Base
+  default Rails.application.config.action_mailer.default_options
   layout 'mailer'
+
+  private
+
+    def send_mail
+      @template ||= "#{self.class.name.underscore}/#{caller[0][/`([^']*)'/, 1]}"
+      headers['Message-ID'] = message_id
+
+      if @user.pgp_pubkey.present?
+        mail(to: @user.email, subject: "...", content_type: pgp_content_type) do |format|
+          format.text { render plain: pgp_content }
+        end
+      else
+        mail(to: @user.email, subject: @subject) do |format|
+          format.text { render @template }
+        end
+      end
+    end
+
+    def from_address
+      self.class.default[:from]
+    end
+
+    def from_domain
+      Mail::Address.new(from_address).domain
+    end
+
+    def message_id
+      @message_id ||= "#{SecureRandom.uuid}@#{from_domain}"
+    end
+
+    def boundary
+      @boundary ||= SecureRandom.hex(8)
+    end
+
+    def pgp_content_type
+      "multipart/encrypted; protocol=\"application/pgp-encrypted\"; boundary=\"------------#{boundary}\""
+    end
+
+    def pgp_nested_content
+      message_content = render_to_string(template: @template)
+      message_content_base64 = Base64.encode64(message_content)
+      nested_boundary = SecureRandom.hex(8)
+
+      <<~NESTED_CONTENT
+        Content-Type: multipart/mixed; boundary="------------#{nested_boundary}"; protected-headers="v1"
+        Subject: #{@subject}
+        From: <#{from_address}>
+        To: #{@user.display_name || @user.cn} <#{@user.email}>
+        Message-ID: <#{message_id}>
+
+        --------------#{nested_boundary}
+        Content-Type: text/plain; charset=UTF-8; format=flowed
+        Content-Transfer-Encoding: base64
+
+        #{message_content_base64}
+
+        --------------#{nested_boundary}--
+      NESTED_CONTENT
+    end
+
+    def pgp_content
+      encrypted_content = UserManager::PgpEncrypt.call(user: @user, text: pgp_nested_content)
+      encrypted_base64 = Base64.encode64(encrypted_content.to_s)
+
+      <<~EMAIL_CONTENT
+        This is an OpenPGP/MIME encrypted message (RFC 4880 and 3156)
+        --------------#{boundary}
+        Content-Type: application/pgp-encrypted
+        Content-Description: PGP/MIME version identification
+
+        Version: 1
+
+        --------------#{boundary}
+        Content-Type: application/octet-stream; name="encrypted.asc"
+        Content-Description: OpenPGP encrypted message
+        Content-Disposition: inline; filename="encrypted.asc"
+
+        -----BEGIN PGP MESSAGE-----
+
+        #{encrypted_base64}
+
+        -----END PGP MESSAGE-----
+
+        --------------#{boundary}--
+      EMAIL_CONTENT
+    end
 end

app/mailers/custom_mailer.rb

@@ -18,6 +18,6 @@ class CustomMailer < ApplicationMailer
     @user = params[:user]
     @subject = params[:subject]
     @body = params[:body]
-    mail(to: @user.email, subject: @subject)
+    send_mail
   end
 end

app/mailers/notification_mailer.rb

@@ -3,7 +3,7 @@ class NotificationMailer < ApplicationMailer
     @user = params[:user]
     @amount_sats = params[:amount_sats]
     @subject = "Sats received"
-    mail to: @user.email, subject: @subject
+    send_mail
   end
 
   def remotestorage_auth_created
@@ -15,19 +15,19 @@ class NotificationMailer < ApplicationMailer
       "#{access} #{directory}"
     end
     @subject = "New app connected to your storage"
-    mail to: @user.email, subject: @subject
+    send_mail
   end
 
   def new_invitations_available
     @user = params[:user]
     @subject = "New invitations added to your account"
-    mail to: @user.email, subject: @subject
+    send_mail
   end
 
   def bitcoin_donation_confirmed
     @user = params[:user]
     @donation = params[:donation]
     @subject = "Donation confirmed"
-    mail to: @user.email, subject: @subject
+    send_mail
   end
 end

app/models/concerns/settings/btcpay_settings.rb

@@ -0,0 +1,24 @@
+module Settings
+  module BtcpaySettings
+    extend ActiveSupport::Concern
+
+    included do
+      field :btcpay_api_url, type: :string,
+        default: ENV["BTCPAY_API_URL"].presence
+
+      field :btcpay_enabled, type: :boolean,
+        default: ENV["BTCPAY_API_URL"].present?
+
+      field :btcpay_public_url, type: :string,
+        default: ENV["BTCPAY_PUBLIC_URL"].presence
+
+      field :btcpay_store_id, type: :string,
+        default: ENV["BTCPAY_STORE_ID"].presence
+
+      field :btcpay_auth_token, type: :string,
+        default: ENV["BTCPAY_AUTH_TOKEN"].presence
+
+      field :btcpay_publish_wallet_balances, type: :boolean, default: true
+    end
+  end
+end

app/models/concerns/settings/discourse_settings.rb

@@ -0,0 +1,16 @@
+module Settings
+  module DiscourseSettings
+    extend ActiveSupport::Concern
+
+    included do
+      field :discourse_public_url, type: :string,
+        default: ENV["DISCOURSE_PUBLIC_URL"].presence
+
+      field :discourse_enabled, type: :boolean,
+        default: ENV["DISCOURSE_PUBLIC_URL"].present?
+
+      field :discourse_connect_secret, type: :string,
+        default: ENV["DISCOURSE_CONNECT_SECRET"].presence
+    end
+  end
+end

app/models/concerns/settings/drone_ci_settings.rb

@@ -0,0 +1,13 @@
+module Settings
+  module DroneCiSettings
+    extend ActiveSupport::Concern
+
+    included do
+      field :droneci_public_url, type: :string,
+        default: ENV["DRONECI_PUBLIC_URL"].presence
+
+      field :droneci_enabled, type: :boolean,
+        default: ENV["DRONECI_PUBLIC_URL"].present?
+    end
+  end
+end

app/models/concerns/settings/ejabberd_settings.rb

@@ -0,0 +1,19 @@
+module Settings
+  module EjabberdSettings
+    extend ActiveSupport::Concern
+
+    included do
+      field :ejabberd_enabled, type: :boolean,
+        default: ENV["EJABBERD_API_URL"].present?
+
+      field :ejabberd_api_url, type: :string,
+        default: ENV["EJABBERD_API_URL"].presence
+
+      field :ejabberd_admin_url, type: :string,
+        default: ENV["EJABBERD_ADMIN_URL"].presence
+
+      field :ejabberd_buddy_roster, type: :string,
+        default: "Buddies"
+    end
+  end
+end

app/models/concerns/settings/email_settings.rb

@@ -0,0 +1,28 @@
+module Settings
+  module EmailSettings
+    extend ActiveSupport::Concern
+
+    included do
+      field :email_enabled, type: :boolean,
+        default: ENV["EMAIL_SMTP_HOST"].present?
+
+      # field :email_smtp_host, type: :string,
+      #   default: ENV["EMAIL_SMTP_HOST"].presence
+      #
+      # field :email_smtp_port, type: :string,
+      #   default: ENV["EMAIL_SMTP_PORT"].presence || 587
+      #
+      # field :email_smtp_enable_starttls, type: :string,
+      #   default: ENV["EMAIL_SMTP_PORT"].presence || true
+      #
+      # field :email_auth_method, type: :string,
+      #   default: ENV["EMAIL_AUTH_METHOD"].presence || "plain"
+      #
+      # field :email_imap_host, type: :string,
+      #   default: ENV["EMAIL_IMAP_HOST"].presence
+      #
+      # field :email_imap_port, type: :string,
+      #   default: ENV["EMAIL_IMAP_PORT"].presence || 993
+    end
+  end
+end

app/models/concerns/settings/general_settings.rb

@@ -0,0 +1,34 @@
+module Settings
+  module GeneralSettings
+    extend ActiveSupport::Concern
+
+    included do
+      field :primary_domain, type: :string,
+        default: ENV["PRIMARY_DOMAIN"].presence
+
+      field :accounts_domain, type: :string,
+        default: ENV["AKKOUNTS_DOMAIN"].presence
+
+      #
+      # Internal services
+      #
+
+      field :redis_url, type: :string,
+        default: ENV["REDIS_URL"] || "redis://localhost:6379/0"
+
+      field :s3_enabled, type: :boolean,
+        default: ENV["S3_ENABLED"] && ENV["S3_ENABLED"].to_s != "false"
+
+      field :sentry_enabled, type: :boolean, readonly: true,
+        default: ENV["SENTRY_DSN"].present?
+
+      #
+      # Registrations
+      #
+
+      field :reserved_usernames, type: :array, default: %w[
+        account accounts donations mail webmaster support
+      ]
+    end
+  end
+end

app/models/concerns/settings/gitea_settings.rb

@@ -0,0 +1,13 @@
+module Settings
+  module GiteaSettings
+    extend ActiveSupport::Concern
+
+    included do
+      field :gitea_public_url, type: :string,
+        default: ENV["GITEA_PUBLIC_URL"].presence
+
+      field :gitea_enabled, type: :boolean,
+        default: ENV["GITEA_PUBLIC_URL"].present?
+    end
+  end
+end

app/models/concerns/settings/lightning_network_settings.rb

@@ -0,0 +1,25 @@
+module Settings
+  module LightningNetworkSettings
+    extend ActiveSupport::Concern
+
+    included do
+      field :lndhub_api_url, type: :string,
+        default: ENV["LNDHUB_API_URL"].presence
+
+      field :lndhub_enabled, type: :boolean,
+        default: ENV["LNDHUB_API_URL"].present?
+
+      field :lndhub_admin_token, type: :string,
+        default: ENV["LNDHUB_ADMIN_TOKEN"].presence
+
+      field :lndhub_admin_enabled, type: :boolean,
+        default: ENV["LNDHUB_ADMIN_UI"] || false
+
+      field :lndhub_public_key, type: :string,
+        default: (ENV["LNDHUB_PUBLIC_KEY"] || "")
+
+      field :lndhub_keysend_enabled, type: :boolean,
+        default: -> { self.lndhub_public_key.present? }
+    end
+  end
+end

app/models/concerns/settings/mastodon_settings.rb

@@ -0,0 +1,19 @@
+module Settings
+  module MastodonSettings
+    extend ActiveSupport::Concern
+
+    included do
+      field :mastodon_public_url, type: :string,
+        default: ENV["MASTODON_PUBLIC_URL"].presence
+
+      field :mastodon_enabled, type: :boolean,
+        default: ENV["MASTODON_PUBLIC_URL"].present?
+
+      field :mastodon_address_domain, type: :string,
+        default: ENV["MASTODON_ADDRESS_DOMAIN"].presence || self.primary_domain
+
+      field :mastodon_auth_token, type: :string,
+        default: ENV["MASTODON_AUTH_TOKEN"].presence
+    end
+  end
+end

app/models/concerns/settings/media_wiki_settings.rb

@@ -0,0 +1,13 @@
+module Settings
+  module MediaWikiSettings
+    extend ActiveSupport::Concern
+
+    included do
+      field :mediawiki_public_url, type: :string,
+        default: ENV["MEDIAWIKI_PUBLIC_URL"].presence
+
+      field :mediawiki_enabled, type: :boolean,
+        default: ENV["MEDIAWIKI_PUBLIC_URL"].present?
+    end
+  end
+end

app/models/concerns/settings/membership_settings.rb

@@ -0,0 +1,18 @@
+module Settings
+  module MembershipSettings
+    extend ActiveSupport::Concern
+
+    included do
+      field :member_status_contributor, type: :string,
+        default: "Contributor"
+      field :member_status_sustainer, type: :string,
+        default: "Sustainer"
+
+      # Admin panel
+      field :user_index_show_contributors, type: :boolean,
+        default: false
+      field :user_index_show_sustainers, type: :boolean,
+        default: false
+    end
+  end
+end

app/models/concerns/settings/nostr_settings.rb

@@ -0,0 +1,25 @@
+module Settings
+  module NostrSettings
+    extend ActiveSupport::Concern
+
+    included do
+      field :nostr_enabled, type: :boolean,
+        default: ENV["NOSTR_PRIVATE_KEY"].present?
+
+      field :nostr_private_key, type: :string,
+        default: ENV["NOSTR_PRIVATE_KEY"].presence
+
+      field :nostr_public_key, type: :string,
+        default: ENV["NOSTR_PUBLIC_KEY"].presence
+
+      field :nostr_public_key_primary_domain, type: :string,
+        default: ENV["NOSTR_PUBLIC_KEY_PRIMARY_DOMAIN"].presence
+
+      field :nostr_relay_url, type: :string,
+        default: ENV["NOSTR_RELAY_URL"].presence
+
+      field :nostr_zaps_relay_limit, type: :integer,
+        default: 12
+    end
+  end
+end

app/models/concerns/settings/open_collective_settings.rb

@@ -0,0 +1,9 @@
+module Settings
+  module OpenCollectiveSettings
+    extend ActiveSupport::Concern
+
+    included do
+      field :opencollective_enabled, type: :boolean, default: true
+    end
+  end
+end

app/models/concerns/settings/remote_storage_settings.rb

@@ -0,0 +1,19 @@
+module Settings
+  module RemoteStorageSettings
+    extend ActiveSupport::Concern
+
+    included do
+      field :remotestorage_enabled, type: :boolean,
+        default: ENV["RS_STORAGE_URL"].present?
+
+      field :rs_accounts_domain, type: :string,
+        default: ENV["RS_AKKOUNTS_DOMAIN"] || ENV["AKKOUNTS_DOMAIN"]
+
+      field :rs_storage_url, type: :string,
+        default: ENV["RS_STORAGE_URL"].presence
+
+      field :rs_redis_url, type: :string,
+        default: ENV["RS_REDIS_URL"] || "redis://localhost:6379/1"
+    end
+  end
+end

app/models/concerns/settings/xmpp_settings.rb

@@ -0,0 +1,11 @@
+module Settings
+  module XmppSettings
+    extend ActiveSupport::Concern
+
+    included do
+      field :xmpp_default_rooms, type: :array, default: []
+      field :xmpp_autojoin_default_rooms, type: :boolean, default: false
+      field :xmpp_notifications_from_address, type: :string, default: primary_domain
+    end
+  end
+end

app/models/donation.rb

@@ -1,22 +1,42 @@
 class Donation < ApplicationRecord
-  # Relations
+  include AASM
+
   belongs_to :user
 
-  # Validations
   validates_presence_of :user
   validates_presence_of :donation_method,
     inclusion: { in: %w[ custom btcpay lndhub ] }
   validates_presence_of :payment_status, allow_nil: true,
-    inclusion: { in: %w[ processing settled ] }
+    inclusion: { in: %w[ pending processing settled ] }
   validates_presence_of :paid_at, allow_nil: true
   validates_presence_of :amount_sats, allow_nil: true
   validates_presence_of :fiat_amount, allow_nil: true
   validates_presence_of :fiat_currency, allow_nil: true,
     inclusion: { in: %w[ EUR USD ] }
 
-  #Scopes
+  scope :pending,    -> { where(payment_status: "pending") }
   scope :processing, -> { where(payment_status: "processing") }
-  scope :completed, -> { where(payment_status: "settled") }
+  scope :completed,  -> { where(payment_status: "settled") }
+  scope :incomplete, -> { where.not(payment_status: "settled") }
+
+  aasm column: :payment_status do
+    state :pending, initial: true
+    state :processing
+    state :settled
+
+    event :start_processing do
+      transitions from: :pending, to: :processing
+    end
+
+    event :complete do
+      transitions from: :processing, to: :settled, after: [:set_paid_at, :set_sustainer_status]
+      transitions from: :pending, to: :settled, after: [:set_paid_at, :set_sustainer_status]
+    end
+  end
+
+  def pending?
+    payment_status == "pending"
+  end
 
   def processing?
     payment_status == "processing"
@@ -25,4 +45,17 @@ class Donation < ApplicationRecord
   def completed?
     payment_status == "settled"
   end
+
+  private
+
+    def set_paid_at
+      update paid_at: DateTime.now if paid_at.nil?
+    end
+
+    def set_sustainer_status
+      user.add_member_status :sustainer
+    rescue => e
+      Sentry.capture_exception(e) if Setting.sentry_enabled?
+      Rails.logger.error("Failed to set memberStatus: #{e.message}")
+    end
 end

app/models/editable_content.rb

@@ -0,0 +1,12 @@
+class EditableContent < ApplicationRecord
+  validates :key, presence: true,
+                  uniqueness: { scope: :context }
+
+  def has_content?
+    content.present?
+  end
+
+  def is_empty?
+    content.blank?
+  end
+end

app/models/lndhub_user.rb

@@ -6,7 +6,7 @@ class LndhubUser < LndhubBase
                       foreign_key: "user_id"
 
   belongs_to :user, class_name: "User",
-                    primary_key: "ln_account",
+                    primary_key: "lndhub_username",
                     foreign_key: "login"
 
   def balance

app/models/remote_storage_authorization.rb

@@ -2,7 +2,7 @@ class RemoteStorageAuthorization < ApplicationRecord
   belongs_to :user
   belongs_to :web_app, class_name: "AppCatalog::WebApp", optional: true
 
-  serialize :permissions unless Rails.env.production?
+  serialize :permissions, coder: YAML unless Rails.env.production?
 
   validates_presence_of :permissions
   validates_presence_of :client_id
@@ -69,11 +69,19 @@ class RemoteStorageAuthorization < ApplicationRecord
     end
 
     def remove_token_expiry_job
-      queue = Sidekiq::Queue.new(RemoteStorageExpireAuthorizationJob.queue_name)
+      job_class = RemoteStorageExpireAuthorizationJob
-      queue.each do |job|
+      job_args = [id]
-        next unless job.display_class == "RemoteStorageExpireAuthorizationJob"
+
-        job.delete if job.display_args == [id]
+      query = SolidQueue::Job.where(class_name: job_class.to_s)
-      end
+
+      case ActiveRecord::Base.connection.adapter_name.downcase
+      when /sqlite/
+        query.where("json_extract(arguments, '$.arguments') = ?", job_args.to_json)
+      when /postgres/
+        query.where("CAST(arguments AS jsonb)->>'arguments' = ?", job_args.to_json)
+      else
+        raise "Unsupported database adapter"
+      end.destroy_all
     end
 
     def find_or_create_web_app

app/models/setting.rb

@@ -2,226 +2,31 @@
 class Setting < RailsSettings::Base
   cache_prefix { "v1" }
 
-  field :primary_domain, type: :string,
+  Dir[Rails.root.join('app', 'models', 'concerns', 'settings', '*.rb')].each do |file|
-    default: ENV["PRIMARY_DOMAIN"].presence
+    require file
-
-  field :accounts_domain, type: :string,
-    default: ENV["AKKOUNTS_DOMAIN"].presence
-
-  #
-  # Internal services
-  #
-
-  field :redis_url, type: :string,
-    default: ENV["REDIS_URL"] || "redis://localhost:6379/0"
-
-  field :s3_enabled, type: :boolean,
-    default: ENV["S3_ENABLED"] && ENV["S3_ENABLED"].to_s != "false"
-
-  #
-  # Registrations
-  #
-
-  field :reserved_usernames, type: :array, default: %w[
-    account accounts donations mail webmaster support
-  ]
-
-  #
-  # XMPP
-  #
-
-  field :xmpp_default_rooms, type: :array, default: []
-  field :xmpp_autojoin_default_rooms, type: :boolean, default: false
-  field :xmpp_notifications_from_address, type: :string, default: primary_domain
-
-  #
-  # Sentry
-  #
-
-  field :sentry_enabled, type: :boolean, readonly: true,
-    default: ENV["SENTRY_DSN"].present?
-
-  #
-  # BTCPay Server
-  #
-
-  field :btcpay_api_url, type: :string,
-    default: ENV["BTCPAY_API_URL"].presence
-
-  field :btcpay_enabled, type: :boolean,
-    default: ENV["BTCPAY_API_URL"].present?
-
-  field :btcpay_public_url, type: :string,
-    default: ENV["BTCPAY_PUBLIC_URL"].presence
-
-  field :btcpay_store_id, type: :string,
-    default: ENV["BTCPAY_STORE_ID"].presence
-
-  field :btcpay_auth_token, type: :string,
-    default: ENV["BTCPAY_AUTH_TOKEN"].presence
-
-  field :btcpay_publish_wallet_balances, type: :boolean, default: true
-
-  #
-  # Discourse
-  #
-
-  field :discourse_public_url, type: :string,
-    default: ENV["DISCOURSE_PUBLIC_URL"].presence
-
-  field :discourse_enabled, type: :boolean,
-    default: ENV["DISCOURSE_PUBLIC_URL"].present?
-
-  field :discourse_connect_secret, type: :string,
-    default: ENV["DISCOURSE_CONNECT_SECRET"].presence
-
-  #
-  # Drone CI
-  #
-
-  field :droneci_public_url, type: :string,
-    default: ENV["DRONECI_PUBLIC_URL"].presence
-
-  field :droneci_enabled, type: :boolean,
-    default: ENV["DRONECI_PUBLIC_URL"].present?
-
-  #
-  # ejabberd
-  #
-
-  field :ejabberd_enabled, type: :boolean,
-    default: ENV["EJABBERD_API_URL"].present?
-
-  field :ejabberd_api_url, type: :string,
-    default: ENV["EJABBERD_API_URL"].presence
-
-  field :ejabberd_admin_url, type: :string,
-    default: ENV["EJABBERD_ADMIN_URL"].presence
-
-  field :ejabberd_buddy_roster, type: :string,
-    default: "Buddies"
-
-  #
-  # Gitea
-  #
-
-  field :gitea_public_url, type: :string,
-    default: ENV["GITEA_PUBLIC_URL"].presence
-
-  field :gitea_enabled, type: :boolean,
-    default: ENV["GITEA_PUBLIC_URL"].present?
-
-  #
-  # Lightning Network
-  #
-
-  field :lndhub_api_url, type: :string,
-    default: ENV["LNDHUB_API_URL"].presence
-
-  field :lndhub_enabled, type: :boolean,
-    default: ENV["LNDHUB_API_URL"].present?
-
-  field :lndhub_admin_token, type: :string,
-    default: ENV["LNDHUB_ADMIN_TOKEN"].presence
-
-  field :lndhub_admin_enabled, type: :boolean,
-    default: ENV["LNDHUB_ADMIN_UI"] || false
-
-  field :lndhub_public_key, type: :string,
-    default: (ENV["LNDHUB_PUBLIC_KEY"] || "")
-
-  field :lndhub_keysend_enabled, type: :boolean,
-    default: -> { self.lndhub_public_key.present? }
-
-  #
-  # Mastodon
-  #
-
-  field :mastodon_public_url, type: :string,
-    default: ENV["MASTODON_PUBLIC_URL"].presence
-
-  field :mastodon_enabled, type: :boolean,
-    default: ENV["MASTODON_PUBLIC_URL"].present?
-
-  field :mastodon_address_domain, type: :string,
-    default: ENV["MASTODON_ADDRESS_DOMAIN"].presence || self.primary_domain
-
-  #
-  # MediaWiki
-  #
-
-  field :mediawiki_public_url, type: :string,
-    default: ENV["MEDIAWIKI_PUBLIC_URL"].presence
-
-  field :mediawiki_enabled, type: :boolean,
-    default: ENV["MEDIAWIKI_PUBLIC_URL"].present?
-
-  #
-  # Nostr
-  #
-
-  field :nostr_enabled, type: :boolean,
-    default: ENV["NOSTR_PRIVATE_KEY"].present?
-
-  field :nostr_private_key, type: :string,
-    default: ENV["NOSTR_PRIVATE_KEY"].presence
-
-  field :nostr_public_key, type: :string,
-    default: ENV["NOSTR_PUBLIC_KEY"].presence
-
-  field :nostr_relay_url, type: :string,
-    default: ENV["NOSTR_RELAY_URL"].presence
-
-  field :nostr_zaps_relay_limit, type: :integer,
-    default: 12
-
-  #
-  # OpenCollective
-  #
-
-  field :opencollective_enabled, type: :boolean, default: true
-
-  #
-  # RemoteStorage
-  #
-
-  field :remotestorage_enabled, type: :boolean,
-    default: ENV["RS_STORAGE_URL"].present?
-
-  field :rs_storage_url, type: :string,
-    default: ENV["RS_STORAGE_URL"].presence
-
-  field :rs_redis_url, type: :string,
-    default: ENV["RS_REDIS_URL"] || "redis://localhost:6379/1"
-
-
-  #
-  # E-Mail Service
-  #
-
-  field :email_enabled, type: :boolean,
-    default: ENV["EMAIL_SMTP_HOST"].present?
-
-  # field :email_smtp_host, type: :string,
-  #   default: ENV["EMAIL_SMTP_HOST"].presence
-  #
-  # field :email_smtp_port, type: :string,
-  #   default: ENV["EMAIL_SMTP_PORT"].presence || 587
-  #
-  # field :email_smtp_enable_starttls, type: :string,
-  #   default: ENV["EMAIL_SMTP_PORT"].presence || true
-  #
-  # field :email_auth_method, type: :string,
-  #   default: ENV["EMAIL_AUTH_METHOD"].presence || "plain"
-  #
-  # field :email_imap_host, type: :string,
-  #   default: ENV["EMAIL_IMAP_HOST"].presence
-  #
-  # field :email_imap_port, type: :string,
-  #   default: ENV["EMAIL_IMAP_PORT"].presence || 993
-
-  def self.default_services
-    # TODO Make configurable from respective service settings page
-    %w[ discourse gitea mastodon mediawiki xmpp ]
   end
+
+  include Settings::GeneralSettings
+  include Settings::BtcpaySettings
+  include Settings::DiscourseSettings
+  include Settings::DroneCiSettings
+  include Settings::EjabberdSettings
+  include Settings::EmailSettings
+  include Settings::GiteaSettings
+  include Settings::LightningNetworkSettings
+  include Settings::MastodonSettings
+  include Settings::MediaWikiSettings
+  include Settings::MembershipSettings
+  include Settings::NostrSettings
+  include Settings::OpenCollectiveSettings
+  include Settings::RemoteStorageSettings
+  include Settings::XmppSettings
+
+  def self.available_services
+    known_services = SERVICES[:external].keys
+    known_services.select {|s| Setting.send "#{s}_enabled?" }
+  end
+
+  field :default_services, type: :array,
+    default: self.available_services
 end

app/models/user.rb

@@ -3,9 +3,10 @@ require 'nostr'
 class User < ApplicationRecord
   include EmailValidatable
 
+  attr_accessor :current_password
   attr_accessor :display_name
   attr_accessor :avatar_new
-  attr_accessor :current_password
+  attr_accessor :pgp_pubkey
 
   serialize :preferences, coder: UserPreferences
 
@@ -22,10 +23,16 @@ class User < ApplicationRecord
   has_many :zaps
 
   has_one  :lndhub_user, class_name: "LndhubUser", inverse_of: "user",
-                         primary_key: "ln_account", foreign_key: "login"
+                         primary_key: "lndhub_username", foreign_key: "login"
 
   has_many :accounts, through: :lndhub_user
 
+  #
+  # Attachments
+  #
+
+  has_one_attached :avatar
+
   #
   # Validations
   #
@@ -49,8 +56,11 @@ class User < ApplicationRecord
   validates_length_of :display_name, minimum: 3, maximum: 35, allow_blank: true,
                                      if: -> { defined?(@display_name) }
 
+
   validate :acceptable_avatar
 
+  validate :acceptable_pgp_key_format, if: -> { defined?(@pgp_pubkey) && @pgp_pubkey.present? }
+
   #
   # Scopes
   #
@@ -63,7 +73,7 @@ class User < ApplicationRecord
   # Encrypted database columns
   #
 
-  has_encrypted :ln_login, :ln_password
+  encrypts :lndhub_password
 
   # Include default devise modules. Others available are:
   # :confirmable, :lockable, :timeoutable, :trackable and :omniauthable
@@ -74,6 +84,10 @@ class User < ApplicationRecord
          :timeoutable,
          :rememberable
 
+  #
+  # Methods
+  #
+
   def ldap_before_save
     self.email = Devise::LDAP::Adapter.get_ldap_param(self.cn, "mail").first
     self.ou    = dn.split(',')
@@ -117,11 +131,11 @@ class User < ApplicationRecord
   end
 
   def is_admin?
-    admin ||= if admin = Devise::LDAP::Adapter.get_ldap_param(self.cn, :admin)
+    @admin ||= if admin = Devise::LDAP::Adapter.get_ldap_param(self.cn, :admin)
-                !!admin.first
+                 !!admin.first
-              else
+               else
-                false
+                 false
-              end
+               end
   end
 
   def address
@@ -149,13 +163,41 @@ class User < ApplicationRecord
 
   def ldap_entry(reload: false)
     return @ldap_entry if defined?(@ldap_entry) && !reload
-    @ldap_entry = ldap.fetch_users(uid: self.cn, ou: self.ou).first
+    @ldap_entry = ldap.fetch_users(cn: self.cn).first
+  end
+
+  def add_to_ldap_array(attr_key, ldap_attr, value)
+    current_entries = ldap_entry[attr_key.to_sym] || []
+    new_entries = Array(value).map(&:to_s)
+    entries = (current_entries + new_entries).uniq.sort
+    ldap.replace_attribute(dn, ldap_attr.to_sym, entries)
+  end
+
+  def remove_from_ldap_array(attr_key, ldap_attr, value)
+    current_entries = ldap_entry[attr_key.to_sym] || []
+    entries_to_remove = Array(value).map(&:to_s)
+    entries = (current_entries - entries_to_remove).uniq.sort
+    ldap.replace_attribute(dn, ldap_attr.to_sym, entries)
   end
 
   def display_name
     @display_name ||= ldap_entry[:display_name]
   end
 
+  # TODO Variant keys are currently broken for some reason
+  # (They use the same key as the main blob, when it should be
+  # "/variants/#{key)"
+  # def avatar_variant(size: :medium)
+  #   dimensions = case size
+  #                when :large  then [400, 400]
+  #                when :medium then [256, 256]
+  #                when :small  then [64, 64]
+  #                else [256, 256]
+  #                end
+  #   format = avatar.content_type == "image/png" ? :png : :jpeg
+  #   avatar.variant(resize_to_fill: dimensions, format: format)
+  # end
+
   def nostr_pubkey
     @nostr_pubkey ||= ldap_entry[:nostr_key]
   end
@@ -165,8 +207,22 @@ class User < ApplicationRecord
     Nostr::PublicKey.new(nostr_pubkey).to_bech32
   end
 
-  def avatar
+  def pgp_pubkey
-    @avatar_base64 ||= LdapManager::FetchAvatar.call(cn: cn)
+    @pgp_pubkey ||= ldap_entry[:pgp_key]
+  end
+
+  def gnupg_key
+    return nil unless pgp_pubkey.present?
+    GPGME::Key.import(pgp_pubkey)
+    GPGME::Key.get(pgp_fpr)
+  end
+
+  def pgp_pubkey_contains_user_address?
+    gnupg_key.uids.map(&:email).include?(address)
+  end
+
+  def wkd_hash
+    ZBase32.encode(Digest::SHA1.digest(cn))
   end
 
   def services_enabled
@@ -178,21 +234,39 @@ class User < ApplicationRecord
   end
 
   def enable_service(service)
-    current_services = services_enabled
+    add_to_ldap_array :services_enabled, :serviceEnabled, service
-    new_services = Array(service).map(&:to_s)
+    ldap_entry(reload: true)[:services_enabled]
-    services = (current_services + new_services).uniq
-    ldap.replace_attribute(dn, :serviceEnabled, services)
   end
 
   def disable_service(service)
-    current_services = services_enabled
+    remove_from_ldap_array :services_enabled, :serviceEnabled, service
-    disabled_services = Array(service).map(&:to_s)
+    ldap_entry(reload: true)[:services_enabled]
-    services = (current_services - disabled_services).uniq
-    ldap.replace_attribute(dn, :serviceEnabled, services)
   end
 
   def disable_all_services
-    ldap.delete_attribute(dn,:service)
+    ldap.delete_attribute(dn, :serviceEnabled)
+  end
+
+  def member_status
+    ldap_entry[:member_status] || []
+  end
+
+  def add_member_status(status)
+    add_to_ldap_array :member_status, :memberStatus, status
+    ldap_entry(reload: true)[:member_status]
+  end
+
+  def remove_member_status(status)
+    remove_from_ldap_array :member_status, :memberStatus, status
+    ldap_entry(reload: true)[:member_status]
+  end
+
+  def is_contributing_member?
+    member_status.map(&:to_sym).include?(:contributor)
+  end
+
+  def is_paying_member?
+    member_status.map(&:to_sym).include?(:sustainer)
   end
 
   private
@@ -206,7 +280,7 @@ class User < ApplicationRecord
       return unless avatar_new.present?
 
       if avatar_new.size > 1.megabyte
-        errors.add(:avatar, "file size is too large")
+        errors.add(:avatar, "must be less than 1MB file size")
       end
 
       acceptable_types = ["image/jpeg", "image/png"]
@@ -214,4 +288,10 @@ class User < ApplicationRecord
         errors.add(:avatar, "must be a JPEG or PNG file")
       end
     end
+
+    def acceptable_pgp_key_format
+      unless GPGME::Key.valid?(pgp_pubkey)
+        errors.add(:pgp_pubkey, 'is not a valid armored PGP public key block')
+      end
+    end
 end

app/services/btcpay_manager_service.rb

@@ -1,36 +1,22 @@
 #
 # API Docs: https://docs.btcpayserver.org/API/Greenfield/v1/
 #
-class BtcpayManagerService < ApplicationService
+class BtcpayManagerService < RestApiService
   private
 
-    def base_url
+  def base_url
-      @base_url ||= "#{Setting.btcpay_api_url}/stores/#{Setting.btcpay_store_id}"
+    @base_url ||= "#{Setting.btcpay_api_url}/stores/#{Setting.btcpay_store_id}"
-    end
+  end
 
-    def auth_token
+  def auth_token
-      @auth_token ||= Setting.btcpay_auth_token
+    @auth_token ||= Setting.btcpay_auth_token
-    end
+  end
 
-    def headers
+  def headers
-      {
+    {
-        "Content-Type" => "application/json",
+      "Content-Type" => "application/json",
-        "Accept" => "application/json",
+      "Accept" => "application/json",
-        "Authorization" => "token #{auth_token}"
+      "Authorization" => "token #{auth_token}"
-      }
+    }
-    end
+  end
-
-    def endpoint_url(path)
-      "#{base_url}/#{path.gsub(/^\//, '')}"
-    end
-
-    def get(path, params = {})
-      res = Faraday.get endpoint_url(path), params, headers
-      JSON.parse(res.body)
-    end
-
-    def post(path, payload)
-      res = Faraday.post endpoint_url(path), payload.to_json, headers
-      JSON.parse(res.body)
-    end
 end

app/services/create_account.rb

@@ -1,54 +0,0 @@
-class CreateAccount < ApplicationService
-  def initialize(account:)
-    @username   = account[:username]
-    @domain     = account[:ou] || Setting.primary_domain
-    @email      = account[:email]
-    @password   = account[:password]
-    @invitation = account[:invitation]
-    @confirmed  = account[:confirmed]
-  end
-
-  def call
-    user = create_user_in_database
-    add_ldap_document
-    create_lndhub_account(user) if Setting.lndhub_enabled
-
-    if @invitation.present?
-      update_invitation(user.id)
-    end
-  end
-
-  private
-
-  def create_user_in_database
-    User.create!(
-      cn: @username,
-      ou: @domain,
-      email: @email,
-      password: @password,
-      password_confirmation: @password,
-      confirmed_at: @confirmed ? DateTime.now : nil
-    )
-  end
-
-  def update_invitation(user_id)
-    @invitation.update! invited_user_id: user_id, used_at: DateTime.now
-  end
-
-  def add_ldap_document
-    hashed_pw = Devise.ldap_auth_password_builder.call(@password)
-    CreateLdapUserJob.perform_later(
-      username: @username,
-      domain: @domain,
-      email: @email,
-      hashed_pw: hashed_pw,
-      confirmed: @confirmed
-    )
-  end
-
-  def create_lndhub_account(user)
-    #TODO enable in development when we have a local lndhub (mock?) API
-    return if Rails.env.development?
-    CreateLndhubAccountJob.perform_later(user)
-  end
-end

app/services/create_invitations.rb

@@ -1,17 +0,0 @@
-class CreateInvitations < ApplicationService
-  def initialize(user:, amount:, notify: true)
-    @user = user
-    @amount = amount
-    @notify = notify
-  end
-
-  def call
-    @amount.times do
-      Invitation.create(user: @user)
-    end
-
-    if @notify
-      NotificationMailer.with(user: @user).new_invitations_available.deliver_later
-    end
-  end
-end

app/services/ejabberd_api_client.rb

@@ -1,29 +0,0 @@
-class EjabberdApiClient
-  def initialize
-    @base_url = Setting.ejabberd_api_url
-  end
-
-  def post(endpoint, payload)
-    res = Faraday.post("#{@base_url}/#{endpoint}", payload.to_json,
-                       "Content-Type" => "application/json")
-
-    if res.status != 200
-      Rails.logger.error "[ejabberd] API request failed:"
-      Rails.logger.error res.body
-      #TODO Send custom event to Sentry
-    end
-  end
-
-  def add_rosteritem(payload)
-    post "add_rosteritem", payload
-  end
-
-  def send_message(payload)
-    post "send_message", payload
-  end
-
-  def private_set(user, content)
-    payload = { user: user.cn, host: user.ou, element: content }
-    post "private_set", payload
-  end
-end

app/services/ejabberd_manager/exchange_contacts.rb

@@ -0,0 +1,25 @@
+module EjabberdManager
+  class ExchangeContacts < EjabberdManagerService
+    def initialize(inviter:, invitee:)
+      @inviter = inviter
+      @invitee = invitee
+    end
+
+    def call
+      return unless @inviter.service_enabled?(:ejabberd) &&
+                    @invitee.service_enabled?(:ejabberd) &&
+                    @inviter.preferences[:xmpp_exchange_contacts_with_invitees]
+
+      add_rosteritem({
+        "localuser": @invitee.cn, "localhost": @invitee.ou,
+        "user": @inviter.cn, "host": @inviter.ou,
+        "nick": @inviter.cn, "group": Setting.ejabberd_buddy_roster, "subs": "both"
+      })
+      add_rosteritem({
+        "localuser": @inviter.cn, "localhost": @inviter.ou,
+        "user": @invitee.cn, "host": @invitee.ou,
+        "nick": @invitee.cn, "group": Setting.ejabberd_buddy_roster, "subs": "both"
+      })
+    end
+  end
+end

app/services/ejabberd_manager/get_avatar.rb

@@ -0,0 +1,25 @@
+module EjabberdManager
+  class GetAvatar < EjabberdManagerService
+    def initialize(user:)
+      @user = user
+    end
+
+    def call
+      res = get_vcard2 @user, "PHOTO", "BINVAL"
+
+      if res.status == 200
+        # VCARD PHOTO/BINVAL prop exists
+        img_base64 = JSON.parse(res.body)["content"]
+        ct_res = get_vcard2 @user, "PHOTO", "TYPE"
+        content_type = JSON.parse(ct_res.body)["content"]
+        { content_type:, img_base64: }
+      elsif res.status == 400
+        # VCARD or PHOTO/BINVAL prop does not exist
+        nil
+      else
+        # Unexpected error, let job fail
+        raise res.inspect
+      end
+    end
+  end
+end

app/services/ejabberd_manager/send_message.rb

@@ -0,0 +1,11 @@
+module EjabberdManager
+  class SendMessage < EjabberdManagerService
+    def initialize(payload:)
+      @payload = payload
+    end
+
+    def call
+      send_message @payload
+    end
+  end
+end