Merge branch 'chore/upgrade_rails' into live

Reviewed-on: #214

.gitignore

@@ -47,3 +47,6 @@ dump.rdb
 
 /app/assets/builds/*
 !/app/assets/builds/.keep
+
+# Ignore generated ctags
+*.tags

Dockerfile

@@ -1,18 +1,11 @@
 # syntax=docker/dockerfile:1
-FROM debian:bullseye-slim as base
+FROM ruby:3.3.4
 
 SHELL ["/bin/bash", "-o", "pipefail", "-c"]
 
-# TODO Remove when upstream Ruby works properly on Apple silicon
+RUN apt-get update -qq && apt-get install -y --no-install-recommends curl \
-RUN apt update && apt install -y build-essential wget autoconf libpq-dev pkg-config
+      ldap-utils tini libvips
-RUN wget https://github.com/postmodern/ruby-install/releases/download/v0.9.3/ruby-install-0.9.3.tar.gz \
-  && tar -xzvf ruby-install-0.9.3.tar.gz \
-  && cd ruby-install-0.9.3/ \
-  && make install
-RUN ruby-install -p https://github.com/ruby/ruby/pull/9371.diff ruby 3.3.0
-ENV PATH="/opt/rubies/ruby-3.3.0/bin:${PATH}"
 
-RUN apt-get install -y --no-install-recommends curl ldap-utils tini libvips
 RUN curl -fsSL https://deb.nodesource.com/setup_lts.x | bash -
 RUN apt-get update && apt-get install -y nodejs
 

Gemfile

@@ -2,7 +2,7 @@ source 'https://rubygems.org'
 git_source(:github) { |repo| "https://github.com/#{repo}.git" }
 
 # Bundle edge Rails instead: gem 'rails', github: 'rails/rails'
-gem 'rails', '~> 7.1'
+gem 'rails', '~> 7.2'
 # Use Puma as the app server
 gem 'puma', '~> 4.1'
 # View components
@@ -44,6 +44,8 @@ gem 'pagy', '~> 6.0', '>= 6.0.2'
 gem 'flipper'
 gem 'flipper-active_record'
 gem 'flipper-ui'
+gem 'gpgme', '~> 2.0.24'
+gem 'zbase32', '~> 0.1.1'
 
 # HTTP requests
 gem 'faraday'

Gemfile.lock

@@ -1,80 +1,77 @@
 GEM
   remote: https://rubygems.org/
   specs:
-    actioncable (7.1.3)
+    actioncable (7.2.2.1)
-      actionpack (= 7.1.3)
+      actionpack (= 7.2.2.1)
-      activesupport (= 7.1.3)
+      activesupport (= 7.2.2.1)
       nio4r (~> 2.0)
       websocket-driver (>= 0.6.1)
       zeitwerk (~> 2.6)
-    actionmailbox (7.1.3)
+    actionmailbox (7.2.2.1)
-      actionpack (= 7.1.3)
+      actionpack (= 7.2.2.1)
-      activejob (= 7.1.3)
+      activejob (= 7.2.2.1)
-      activerecord (= 7.1.3)
+      activerecord (= 7.2.2.1)
-      activestorage (= 7.1.3)
+      activestorage (= 7.2.2.1)
-      activesupport (= 7.1.3)
+      activesupport (= 7.2.2.1)
-      mail (>= 2.7.1)
+      mail (>= 2.8.0)
-      net-imap
+    actionmailer (7.2.2.1)
-      net-pop
+      actionpack (= 7.2.2.1)
-      net-smtp
+      actionview (= 7.2.2.1)
-    actionmailer (7.1.3)
+      activejob (= 7.2.2.1)
-      actionpack (= 7.1.3)
+      activesupport (= 7.2.2.1)
-      actionview (= 7.1.3)
+      mail (>= 2.8.0)
-      activejob (= 7.1.3)
-      activesupport (= 7.1.3)
-      mail (~> 2.5, >= 2.5.4)
-      net-imap
-      net-pop
-      net-smtp
       rails-dom-testing (~> 2.2)
-    actionpack (7.1.3)
+    actionpack (7.2.2.1)
-      actionview (= 7.1.3)
+      actionview (= 7.2.2.1)
-      activesupport (= 7.1.3)
+      activesupport (= 7.2.2.1)
       nokogiri (>= 1.8.5)
       racc
-      rack (>= 2.2.4)
+      rack (>= 2.2.4, < 3.2)
       rack-session (>= 1.0.1)
       rack-test (>= 0.6.3)
       rails-dom-testing (~> 2.2)
       rails-html-sanitizer (~> 1.6)
-    actiontext (7.1.3)
+      useragent (~> 0.16)
-      actionpack (= 7.1.3)
+    actiontext (7.2.2.1)
-      activerecord (= 7.1.3)
+      actionpack (= 7.2.2.1)
-      activestorage (= 7.1.3)
+      activerecord (= 7.2.2.1)
-      activesupport (= 7.1.3)
+      activestorage (= 7.2.2.1)
+      activesupport (= 7.2.2.1)
       globalid (>= 0.6.0)
       nokogiri (>= 1.8.5)
-    actionview (7.1.3)
+    actionview (7.2.2.1)
-      activesupport (= 7.1.3)
+      activesupport (= 7.2.2.1)
       builder (~> 3.1)
       erubi (~> 1.11)
       rails-dom-testing (~> 2.2)
       rails-html-sanitizer (~> 1.6)
-    activejob (7.1.3)
+    activejob (7.2.2.1)
-      activesupport (= 7.1.3)
+      activesupport (= 7.2.2.1)
       globalid (>= 0.3.6)
-    activemodel (7.1.3)
+    activemodel (7.2.2.1)
-      activesupport (= 7.1.3)
+      activesupport (= 7.2.2.1)
-    activerecord (7.1.3)
+    activerecord (7.2.2.1)
-      activemodel (= 7.1.3)
+      activemodel (= 7.2.2.1)
-      activesupport (= 7.1.3)
+      activesupport (= 7.2.2.1)
       timeout (>= 0.4.0)
-    activestorage (7.1.3)
+    activestorage (7.2.2.1)
-      actionpack (= 7.1.3)
+      actionpack (= 7.2.2.1)
-      activejob (= 7.1.3)
+      activejob (= 7.2.2.1)
-      activerecord (= 7.1.3)
+      activerecord (= 7.2.2.1)
-      activesupport (= 7.1.3)
+      activesupport (= 7.2.2.1)
       marcel (~> 1.0)
-    activesupport (7.1.3)
+    activesupport (7.2.2.1)
       base64
+      benchmark (>= 0.3)
       bigdecimal
-      concurrent-ruby (~> 1.0, >= 1.0.2)
+      concurrent-ruby (~> 1.0, >= 1.3.1)
       connection_pool (>= 2.2.5)
       drb
       i18n (>= 1.6, < 2)
+      logger (>= 1.4.2)
       minitest (>= 5.1)
-      mutex_m
+      securerandom (>= 0.3)
-      tzinfo (~> 2.0)
+      tzinfo (~> 2.0, >= 2.0.5)
     addressable (2.8.6)
       public_suffix (>= 2.0.2, < 6.0)
     ast (2.4.2)
@@ -99,12 +96,12 @@ GEM
     bcrypt (3.1.20)
     bech32 (1.4.2)
       thor (>= 1.1.0)
-    benchmark (0.3.0)
+    benchmark (0.4.0)
-    bigdecimal (3.1.6)
+    bigdecimal (3.1.9)
     bindex (0.8.1)
     bip-schnorr (0.7.0)
       ecdsa_ext (~> 0.5.0)
-    builder (3.2.4)
+    builder (3.3.0)
     capybara (3.40.0)
       addressable
       matrix
@@ -115,21 +112,21 @@ GEM
       regexp_parser (>= 1.5, < 3.0)
       xpath (~> 3.2)
     chunky_png (1.4.0)
-    concurrent-ruby (1.2.3)
+    concurrent-ruby (1.3.5)
-    connection_pool (2.4.1)
+    connection_pool (2.5.2)
     crack (0.4.6)
       bigdecimal
       rexml
     crass (1.0.6)
     cssbundling-rails (1.4.0)
       railties (>= 6.0.0)
-    database_cleaner (2.0.2)
+    database_cleaner (2.1.0)
       database_cleaner-active_record (>= 2, < 3)
-    database_cleaner-active_record (2.1.0)
+    database_cleaner-active_record (2.2.0)
       activerecord (>= 5.a)
       database_cleaner-core (~> 2.0.0)
     database_cleaner-core (2.0.1)
-    date (3.3.4)
+    date (3.4.1)
     devise (4.9.3)
       bcrypt (~> 3.0)
       orm_adapter (~> 0.1)
@@ -151,13 +148,12 @@ GEM
       railties (>= 3.2)
     down (5.4.1)
       addressable (~> 2.8)
-    drb (2.2.0)
+    drb (2.2.1)
-      ruby2_keywords
     e2mmap (0.1.0)
     ecdsa (1.2.0)
     ecdsa_ext (0.5.1)
       ecdsa (~> 1.2.0)
-    erubi (1.12.0)
+    erubi (1.13.1)
     et-orbi (1.2.7)
       tzinfo
     event_emitter (0.2.6)
@@ -197,8 +193,10 @@ GEM
       raabro (~> 1.4)
     globalid (1.2.1)
       activesupport (>= 6.1)
+    gpgme (2.0.24)
+      mini_portile2 (~> 2.7)
     hashdiff (1.1.0)
-    i18n (1.14.1)
+    i18n (1.14.7)
       concurrent-ruby (~> 1.0)
     image_processing (1.12.2)
       mini_magick (>= 4.9.5, < 5)
@@ -207,9 +205,10 @@ GEM
       actionpack (>= 6.0.0)
       activesupport (>= 6.0.0)
       railties (>= 6.0.0)
-    io-console (0.7.2)
+    io-console (0.8.0)
-    irb (1.11.1)
+    irb (1.15.2)
-      rdoc
+      pp (>= 0.6.0)
+      rdoc (>= 4.0.0)
       reline (>= 0.4.2)
     jaro_winkler (1.5.6)
     jbuilder (2.11.5)
@@ -236,8 +235,9 @@ GEM
       rb-inotify (~> 0.9, >= 0.9.10)
     lnurl (1.1.0)
       bech32 (~> 1.1)
-    lockbox (1.3.2)
+    lockbox (2.0.1)
-    loofah (2.22.0)
+    logger (1.7.0)
+    loofah (2.24.0)
       crass (~> 1.0.2)
       nokogiri (>= 1.12.0)
     mail (2.8.1)
@@ -249,18 +249,17 @@ GEM
       faraday (~> 2.9.0)
       faraday-follow_redirects (= 0.3.0)
       nokogiri (~> 1.16.0)
-    marcel (1.0.2)
+    marcel (1.0.4)
     matrix (0.4.2)
     method_source (1.0.0)
     mini_magick (4.12.0)
     mini_mime (1.1.5)
-    mini_portile2 (2.8.5)
+    mini_portile2 (2.8.8)
-    minitest (5.21.2)
+    minitest (5.25.5)
     multipart-post (2.3.0)
-    mutex_m (0.2.0)
     net-http (0.4.1)
       uri
-    net-imap (0.4.9.1)
+    net-imap (0.5.7)
       date
       net-protocol
     net-ldap (0.19.0)
@@ -268,15 +267,15 @@ GEM
       net-protocol
     net-protocol (0.2.2)
       timeout
-    net-smtp (0.4.0.1)
+    net-smtp (0.5.1)
       net-protocol
-    nio4r (2.7.0)
+    nio4r (2.7.4)
-    nokogiri (1.16.0)
+    nokogiri (1.16.8)
       mini_portile2 (~> 2.8.2)
       racc (~> 1.4)
-    nokogiri (1.16.0-arm64-darwin)
+    nokogiri (1.16.8-arm64-darwin)
       racc (~> 1.4)
-    nokogiri (1.16.0-x86_64-linux)
+    nokogiri (1.16.8-x86_64-linux)
       racc (~> 1.4)
     nostr (0.6.0)
       bech32 (~> 1.4)
@@ -292,38 +291,42 @@ GEM
       ast (~> 2.4.1)
       racc
     pg (1.5.4)
-    psych (5.1.2)
+    pp (0.6.2)
+      prettyprint
+    prettyprint (0.2.0)
+    psych (5.2.3)
+      date
       stringio
     public_suffix (5.0.4)
     puma (4.3.12)
       nio4r (~> 2.0)
     raabro (1.4.0)
-    racc (1.7.3)
+    racc (1.8.1)
-    rack (2.2.8)
+    rack (2.2.13)
     rack-protection (3.2.0)
       base64 (>= 0.1.0)
       rack (~> 2.2, >= 2.2.4)
     rack-session (1.0.2)
       rack (< 3)
-    rack-test (2.1.0)
+    rack-test (2.2.0)
       rack (>= 1.3)
-    rackup (1.0.0)
+    rackup (1.0.1)
       rack (< 3)
       webrick
-    rails (7.1.3)
+    rails (7.2.2.1)
-      actioncable (= 7.1.3)
+      actioncable (= 7.2.2.1)
-      actionmailbox (= 7.1.3)
+      actionmailbox (= 7.2.2.1)
-      actionmailer (= 7.1.3)
+      actionmailer (= 7.2.2.1)
-      actionpack (= 7.1.3)
+      actionpack (= 7.2.2.1)
-      actiontext (= 7.1.3)
+      actiontext (= 7.2.2.1)
-      actionview (= 7.1.3)
+      actionview (= 7.2.2.1)
-      activejob (= 7.1.3)
+      activejob (= 7.2.2.1)
-      activemodel (= 7.1.3)
+      activemodel (= 7.2.2.1)
-      activerecord (= 7.1.3)
+      activerecord (= 7.2.2.1)
-      activestorage (= 7.1.3)
+      activestorage (= 7.2.2.1)
-      activesupport (= 7.1.3)
+      activesupport (= 7.2.2.1)
       bundler (>= 1.15.0)
-      railties (= 7.1.3)
+      railties (= 7.2.2.1)
     rails-controller-testing (1.0.5)
       actionpack (>= 5.0.1.rc1)
       actionview (>= 5.0.1.rc1)
@@ -332,31 +335,31 @@ GEM
       activesupport (>= 5.0.0)
       minitest
       nokogiri (>= 1.6)
-    rails-html-sanitizer (1.6.0)
+    rails-html-sanitizer (1.6.2)
       loofah (~> 2.21)
-      nokogiri (~> 1.14)
+      nokogiri (>= 1.15.7, != 1.16.7, != 1.16.6, != 1.16.5, != 1.16.4, != 1.16.3, != 1.16.2, != 1.16.1, != 1.16.0.rc1, != 1.16.0)
     rails-settings-cached (2.8.3)
       activerecord (>= 5.0.0)
       railties (>= 5.0.0)
-    railties (7.1.3)
+    railties (7.2.2.1)
-      actionpack (= 7.1.3)
+      actionpack (= 7.2.2.1)
-      activesupport (= 7.1.3)
+      activesupport (= 7.2.2.1)
-      irb
+      irb (~> 1.13)
       rackup (>= 1.0.0)
       rake (>= 12.2)
       thor (~> 1.0, >= 1.2.2)
       zeitwerk (~> 2.6)
     rainbow (3.1.1)
-    rake (13.1.0)
+    rake (13.2.1)
     rb-fsevent (0.11.2)
     rb-inotify (0.10.1)
       ffi (~> 1.0)
     rbs (2.8.4)
-    rdoc (6.6.2)
+    rdoc (6.13.1)
       psych (>= 4.0.0)
     redis (4.8.1)
     regexp_parser (2.9.0)
-    reline (0.4.2)
+    reline (0.6.1)
       io-console (~> 0.5)
     responders (3.1.1)
       actionpack (>= 5.2)
@@ -401,12 +404,12 @@ GEM
     ruby-progressbar (1.13.0)
     ruby-vips (2.2.0)
       ffi (~> 1.12)
-    ruby2_keywords (0.0.5)
     rufus-scheduler (3.9.1)
       fugit (~> 1.1, >= 1.1.6)
     sanitize (6.1.0)
       crass (~> 1.0.2)
       nokogiri (>= 1.12.0)
+    securerandom (0.4.1)
     sentry-rails (5.16.1)
       railties (>= 5.0)
       sentry-ruby (~> 5.16.1)
@@ -449,10 +452,10 @@ GEM
     sqlite3 (1.7.2-x86_64-linux)
     stimulus-rails (1.3.3)
       railties (>= 6.0.0)
-    stringio (3.1.0)
+    stringio (3.1.7)
-    thor (1.3.0)
+    thor (1.3.2)
     tilt (2.3.0)
-    timeout (0.4.1)
+    timeout (0.4.3)
     turbo-rails (1.5.0)
       actionpack (>= 6.0.0)
       activejob (>= 6.0.0)
@@ -461,6 +464,7 @@ GEM
       concurrent-ruby (~> 1.0)
     unicode-display_width (2.5.0)
     uri (0.13.0)
+    useragent (0.16.11)
     view_component (3.10.0)
       activesupport (>= 5.2.0, < 8.0)
       concurrent-ruby (~> 1.0)
@@ -476,14 +480,16 @@ GEM
       addressable (>= 2.8.0)
       crack (>= 0.3.2)
       hashdiff (>= 0.4.0, < 2.0.0)
-    webrick (1.8.1)
+    webrick (1.9.1)
-    websocket-driver (0.7.6)
+    websocket-driver (0.7.7)
+      base64
       websocket-extensions (>= 0.1.0)
     websocket-extensions (0.1.5)
     xpath (3.2.0)
       nokogiri (~> 1.8)
     yard (0.9.34)
-    zeitwerk (2.6.12)
+    zbase32 (0.1.1)
+    zeitwerk (2.7.2)
 
 PLATFORMS
   arm64-darwin-22
@@ -507,6 +513,7 @@ DEPENDENCIES
   flipper
   flipper-active_record
   flipper-ui
+  gpgme (~> 2.0.24)
   image_processing (~> 1.12.2)
   importmap-rails
   jbuilder (~> 2.7)
@@ -521,7 +528,7 @@ DEPENDENCIES
   pagy (~> 6.0, >= 6.0.2)
   pg (~> 1.5)
   puma (~> 4.1)
-  rails (~> 7.1)
+  rails (~> 7.2)
   rails-controller-testing
   rails-settings-cached (~> 2.8.3)
   rqrcode (~> 2.0)
@@ -540,6 +547,7 @@ DEPENDENCIES
   warden
   web-console (~> 4.2)
   webmock
+  zbase32 (~> 0.1.1)
 
 BUNDLED WITH
    2.5.5

app/controllers/admin/settings/registrations_controller.rb

@@ -9,4 +9,12 @@ class Admin::Settings::RegistrationsController < Admin::SettingsController
       success: "Settings saved"
     }
   end
+
+  private
+
+    def setting_params
+      params.require(:setting).permit([
+        :reserved_usernames, default_services: []
+      ])
+    end
 end

app/controllers/admin/settings_controller.rb

@@ -9,11 +9,12 @@ class Admin::SettingsController < Admin::BaseController
     changed_keys = []
 
     setting_params.keys.each do |key|
-      next if setting_params[key].nil? ||
+      next if clean_param(key).nil? ||
-              (Setting.send(key).to_s == setting_params[key].strip)
+        (Setting.send(key).to_s == clean_param(key))
+
       changed_keys.push(key)
       setting = Setting.new(var: key)
-      setting.value = setting_params[key].strip
+      setting.value = clean_param(key)
       unless setting.valid?
         @errors.merge!(setting.errors)
       end
@@ -24,7 +25,7 @@ class Admin::SettingsController < Admin::BaseController
     end
 
     changed_keys.each do |key|
-      Setting.send("#{key}=", setting_params[key].strip)
+      Setting.send("#{key}=", clean_param(key))
     end
   end
 
@@ -37,4 +38,12 @@ class Admin::SettingsController < Admin::BaseController
     def setting_params
       params.require(:setting).permit(Setting.editable_keys.map(&:to_sym))
     end
+
+    def clean_param(key)
+      if Setting.get_field(key)[:type] == :string
+        setting_params[key].strip
+      else
+        setting_params[key]
+      end
+    end
 end

app/controllers/admin/users_controller.rb

@@ -30,7 +30,7 @@ class Admin::UsersController < Admin::BaseController
     amount = params[:amount].to_i
     notify_user = ActiveRecord::Type::Boolean.new.cast(params[:notify_user])
 
-    CreateInvitations.call(user: @user, amount: amount, notify: notify_user)
+    UserManager::CreateInvitations.call(user: @user, amount: amount, notify: notify_user)
 
     redirect_to admin_user_path(@user.cn), flash: {
       success: "Added #{amount} invitations to #{@user.cn}'s account"

app/controllers/lnurlpay_controller.rb

@@ -1,7 +1,7 @@
 class LnurlpayController < ApplicationController
   before_action :check_service_available
   before_action :find_user
-  before_action :set_cors_access_control_headers, only: [:invoice]
+  before_action :set_cors_access_control_headers
 
   MIN_SATS = 10
   MAX_SATS = 1_000_000

app/controllers/services/chat_controller.rb

@@ -3,7 +3,7 @@ class Services::ChatController < Services::BaseController
   before_action :require_service_available
 
   def show
-    @service_enabled = current_user.service_enabled?(:xmpp)
+    @service_enabled = current_user.service_enabled?(:ejabberd)
   end
 
   private

app/controllers/settings_controller.rb

@@ -21,10 +21,12 @@ class SettingsController < ApplicationController
     end
   end
 
+  # PUT /settings/:section
   def update
     @user.preferences.merge!(user_params[:preferences] || {})
     @user.display_name = user_params[:display_name]
-    @user.avatar_new = user_params[:avatar]
+    @user.avatar_new   = user_params[:avatar]
+    @user.pgp_pubkey   = user_params[:pgp_pubkey]
 
     if @user.save
       if @user.display_name && (@user.display_name != @user.ldap_entry[:display_name])
@@ -35,6 +37,10 @@ class SettingsController < ApplicationController
         LdapManager::UpdateAvatar.call(dn: @user.dn, file: @user.avatar_new)
       end
 
+      if @user.pgp_pubkey && (@user.pgp_pubkey != @user.ldap_entry[:pgp_key])
+        UserManager::UpdatePgpKey.call(user: @user)
+      end
+
       redirect_to setting_path(@settings_section), flash: {
         success: 'Settings saved.'
       }
@@ -44,6 +50,7 @@ class SettingsController < ApplicationController
     end
   end
 
+  # POST /settings/update_email
   def update_email
     if @user.valid_ldap_authentication?(security_params[:current_password])
       if @user.update email: email_params[:email]
@@ -61,6 +68,7 @@ class SettingsController < ApplicationController
     end
   end
 
+  # POST /settings/reset_email_password
   def reset_email_password
     @user.current_password = security_params[:current_password]
 
@@ -83,6 +91,7 @@ class SettingsController < ApplicationController
     end
   end
 
+  # POST /settings/reset_password
   def reset_password
     current_user.send_reset_password_instructions
     sign_out current_user
@@ -90,6 +99,7 @@ class SettingsController < ApplicationController
     redirect_to check_your_email_path, notice: msg
   end
 
+  # POST /settings/set_nostr_pubkey
   def set_nostr_pubkey
     signed_event = Nostr::Event.new(**nostr_event_from_params)
 
@@ -152,7 +162,8 @@ class SettingsController < ApplicationController
 
     def user_params
       params.require(:user).permit(
-        :display_name, :avatar, preferences: UserPreferences.pref_keys
+        :display_name, :avatar, :pgp_pubkey,
+        preferences: UserPreferences.pref_keys
       )
     end
 

app/controllers/signup_controller.rb

@@ -96,7 +96,7 @@ class SignupController < ApplicationController
     session[:new_user] = nil
     session[:validation_error] = nil
 
-    CreateAccount.call(account: {
+    UserManager::CreateAccount.call(account: {
       username: @user.cn,
       domain: Setting.primary_domain,
       email: @user.email,

app/controllers/web_key_directory_controller.rb

@@ -0,0 +1,35 @@
+class WebKeyDirectoryController < WellKnownController
+  before_action :allow_cross_origin_requests
+
+  # /.well-known/openpgpkey/hu/:hashed_username(.txt)
+  def show
+    @user = User.find_by(cn: params[:l].downcase)
+
+    if @user.nil? ||
+       @user.pgp_pubkey.blank? ||
+       !@user.pgp_pubkey_contains_user_address?
+      http_status :not_found and return
+    end
+
+    if params[:hashed_username] != @user.wkd_hash
+      http_status :unprocessable_entity and return
+    end
+
+    respond_to do |format|
+      format.text do
+        response.headers['Content-Type'] = 'text/plain'
+        render plain: @user.pgp_pubkey
+      end
+
+      format.any do
+        key = @user.gnupg_key.export
+        send_data key, filename: "#{@user.wkd_hash}.pem",
+                       type: "application/octet-stream"
+      end
+    end
+  end
+
+  def policy
+    head :ok
+  end
+end

app/controllers/webfinger_controller.rb

@@ -1,8 +1,6 @@
-class WebfingerController < ApplicationController
+class WebfingerController < WellKnownController
   before_action :allow_cross_origin_requests, only: [:show]
 
-  layout false
-
   def show
     resource = params[:resource]
 
@@ -76,7 +74,7 @@ class WebfingerController < ApplicationController
   end
 
   def remotestorage_link
-    auth_url = new_rs_oauth_url(@username)
+    auth_url = new_rs_oauth_url(@username, host: Setting.rs_accounts_domain)
     storage_url = "#{Setting.rs_storage_url}/#{@username}"
 
     {
@@ -91,10 +89,4 @@ class WebfingerController < ApplicationController
       }
     }
   end
-
-  def allow_cross_origin_requests
-    return unless Rails.env.development?
-    headers['Access-Control-Allow-Origin'] = "*"
-    headers['Access-Control-Allow-Methods'] = "GET"
-  end
 end

app/controllers/well_known_controller.rb

@@ -1,5 +1,8 @@
 class WellKnownController < ApplicationController
   before_action :require_nostr_enabled, only: [ :nostr ]
+  before_action :allow_cross_origin_requests, only: [ :nostr ]
+
+  layout false
 
   def nostr
     http_status :unprocessable_entity and return if params[:name].blank?
@@ -7,8 +10,14 @@ class WellKnownController < ApplicationController
     relay_url = Setting.nostr_relay_url.presence
 
     if params[:name] == "_"
-      # pubkey for the primary domain without a username (e.g. kosmos.org)
+      if domain == Setting.primary_domain
-      res = { names: { "_": Setting.nostr_public_key } }
+        # pubkey for the primary domain without a username (e.g. kosmos.org)
+        res = { names: { "_": Setting.nostr_public_key_primary_domain.presence || Setting.nostr_public_key } }
+      else
+        # pubkey for the akkounts domain without a username (e.g. accounts.kosmos.org)
+        res = { names: { "_": Setting.nostr_public_key } }
+      end
+
       res[:relays] = { "_" => [ relay_url ] } if relay_url
     else
       @user = User.where(cn: params[:name], ou: domain).first
@@ -30,4 +39,9 @@ class WellKnownController < ApplicationController
     def require_nostr_enabled
       http_status :not_found unless Setting.nostr_enabled?
     end
+
+    def allow_cross_origin_requests
+      headers['Access-Control-Allow-Origin'] = "*"
+      headers['Access-Control-Allow-Methods'] = "GET"
+    end
 end

app/helpers/dashboard_helper.rb

@@ -1,2 +0,0 @@
-module DashboardHelper
-end

app/helpers/donations_helper.rb

@@ -1,2 +0,0 @@
-module DonationsHelper
-end

app/helpers/invitations_helper.rb

@@ -1,2 +0,0 @@
-module InvitationsHelper
-end

app/helpers/lnurlpay_helper.rb

@@ -1,2 +0,0 @@
-module LnurlpayHelper
-end

app/helpers/services_helper.rb

@@ -0,0 +1,12 @@
+module ServicesHelper
+
+  def service_human_name(key, category = :external)
+    SERVICES[category][key][:name] || key.to_s
+  end
+
+  def service_display_name(key, category = :external)
+    SERVICES[category][key][:display_name] ||
+    service_human_name(key, category)
+  end
+
+end

app/helpers/settings_helper.rb

@@ -1,2 +0,0 @@
-module SettingsHelper
-end

app/helpers/signup_helper.rb

@@ -1,2 +0,0 @@
-module SignupHelper
-end

app/helpers/users_helper.rb

@@ -1,2 +0,0 @@
-module UsersHelper
-end

app/helpers/wallet_helper.rb

@@ -1,2 +0,0 @@
-module WalletHelper
-end

app/helpers/welcome_helper.rb

@@ -1,2 +0,0 @@
-module WelcomeHelper
-end

app/jobs/xmpp_exchange_contacts_job.rb

@@ -2,8 +2,8 @@ class XmppExchangeContactsJob < ApplicationJob
   queue_as :default
 
   def perform(inviter, invitee)
-    return unless inviter.service_enabled?(:xmpp) &&
+    return unless inviter.service_enabled?(:ejabberd) &&
-                  invitee.service_enabled?(:xmpp) &&
+                  invitee.service_enabled?(:ejabberd) &&
                   inviter.preferences[:xmpp_exchange_contacts_with_invitees]
 
     ejabberd = EjabberdApiClient.new

app/mailers/application_mailer.rb

@@ -1,3 +1,90 @@
 class ApplicationMailer < ActionMailer::Base
+  default Rails.application.config.action_mailer.default_options
   layout 'mailer'
+
+  private
+
+    def send_mail
+      @template ||= "#{self.class.name.underscore}/#{caller[0][/`([^']*)'/, 1]}"
+      headers['Message-ID'] = message_id
+
+      if @user.pgp_pubkey.present?
+        mail(to: @user.email, subject: "...", content_type: pgp_content_type) do |format|
+          format.text { render plain: pgp_content }
+        end
+      else
+        mail(to: @user.email, subject: @subject) do |format|
+          format.text { render @template }
+        end
+      end
+    end
+
+    def from_address
+      self.class.default[:from]
+    end
+
+    def from_domain
+      Mail::Address.new(from_address).domain
+    end
+
+    def message_id
+      @message_id ||= "#{SecureRandom.uuid}@#{from_domain}"
+    end
+
+    def boundary
+      @boundary ||= SecureRandom.hex(8)
+    end
+
+    def pgp_content_type
+      "multipart/encrypted; protocol=\"application/pgp-encrypted\"; boundary=\"------------#{boundary}\""
+    end
+
+    def pgp_nested_content
+      message_content = render_to_string(template: @template)
+      message_content_base64 = Base64.encode64(message_content)
+      nested_boundary = SecureRandom.hex(8)
+
+      <<~NESTED_CONTENT
+        Content-Type: multipart/mixed; boundary="------------#{nested_boundary}"; protected-headers="v1"
+        Subject: #{@subject}
+        From: <#{from_address}>
+        To: #{@user.display_name || @user.cn} <#{@user.email}>
+        Message-ID: <#{message_id}>
+
+        --------------#{nested_boundary}
+        Content-Type: text/plain; charset=UTF-8; format=flowed
+        Content-Transfer-Encoding: base64
+
+        #{message_content_base64}
+
+        --------------#{nested_boundary}--
+      NESTED_CONTENT
+    end
+
+    def pgp_content
+      encrypted_content = UserManager::PgpEncrypt.call(user: @user, text: pgp_nested_content)
+      encrypted_base64 = Base64.encode64(encrypted_content.to_s)
+
+      <<~EMAIL_CONTENT
+        This is an OpenPGP/MIME encrypted message (RFC 4880 and 3156)
+        --------------#{boundary}
+        Content-Type: application/pgp-encrypted
+        Content-Description: PGP/MIME version identification
+
+        Version: 1
+
+        --------------#{boundary}
+        Content-Type: application/octet-stream; name="encrypted.asc"
+        Content-Description: OpenPGP encrypted message
+        Content-Disposition: inline; filename="encrypted.asc"
+
+        -----BEGIN PGP MESSAGE-----
+
+        #{encrypted_base64}
+
+        -----END PGP MESSAGE-----
+
+        --------------#{boundary}--
+      EMAIL_CONTENT
+    end
 end

app/mailers/custom_mailer.rb

@@ -18,6 +18,6 @@ class CustomMailer < ApplicationMailer
     @user = params[:user]
     @subject = params[:subject]
     @body = params[:body]
-    mail(to: @user.email, subject: @subject)
+    send_mail
   end
 end

app/mailers/notification_mailer.rb

@@ -3,7 +3,7 @@ class NotificationMailer < ApplicationMailer
     @user = params[:user]
     @amount_sats = params[:amount_sats]
     @subject = "Sats received"
-    mail to: @user.email, subject: @subject
+    send_mail
   end
 
   def remotestorage_auth_created
@@ -15,19 +15,19 @@ class NotificationMailer < ApplicationMailer
       "#{access} #{directory}"
     end
     @subject = "New app connected to your storage"
-    mail to: @user.email, subject: @subject
+    send_mail
   end
 
   def new_invitations_available
     @user = params[:user]
     @subject = "New invitations added to your account"
-    mail to: @user.email, subject: @subject
+    send_mail
   end
 
   def bitcoin_donation_confirmed
     @user = params[:user]
     @donation = params[:donation]
     @subject = "Donation confirmed"
-    mail to: @user.email, subject: @subject
+    send_mail
   end
 end

app/models/concerns/settings/btcpay_settings.rb

@@ -0,0 +1,24 @@
+module Settings
+  module BtcpaySettings
+    extend ActiveSupport::Concern
+
+    included do
+      field :btcpay_api_url, type: :string,
+        default: ENV["BTCPAY_API_URL"].presence
+
+      field :btcpay_enabled, type: :boolean,
+        default: ENV["BTCPAY_API_URL"].present?
+
+      field :btcpay_public_url, type: :string,
+        default: ENV["BTCPAY_PUBLIC_URL"].presence
+
+      field :btcpay_store_id, type: :string,
+        default: ENV["BTCPAY_STORE_ID"].presence
+
+      field :btcpay_auth_token, type: :string,
+        default: ENV["BTCPAY_AUTH_TOKEN"].presence
+
+      field :btcpay_publish_wallet_balances, type: :boolean, default: true
+    end
+  end
+end

app/models/concerns/settings/discourse_settings.rb

@@ -0,0 +1,16 @@
+module Settings
+  module DiscourseSettings
+    extend ActiveSupport::Concern
+
+    included do
+      field :discourse_public_url, type: :string,
+        default: ENV["DISCOURSE_PUBLIC_URL"].presence
+
+      field :discourse_enabled, type: :boolean,
+        default: ENV["DISCOURSE_PUBLIC_URL"].present?
+
+      field :discourse_connect_secret, type: :string,
+        default: ENV["DISCOURSE_CONNECT_SECRET"].presence
+    end
+  end
+end

app/models/concerns/settings/drone_ci_settings.rb

@@ -0,0 +1,13 @@
+module Settings
+  module DroneCiSettings
+    extend ActiveSupport::Concern
+
+    included do
+      field :droneci_public_url, type: :string,
+        default: ENV["DRONECI_PUBLIC_URL"].presence
+
+      field :droneci_enabled, type: :boolean,
+        default: ENV["DRONECI_PUBLIC_URL"].present?
+    end
+  end
+end

app/models/concerns/settings/ejabberd_settings.rb

@@ -0,0 +1,19 @@
+module Settings
+  module EjabberdSettings
+    extend ActiveSupport::Concern
+
+    included do
+      field :ejabberd_enabled, type: :boolean,
+        default: ENV["EJABBERD_API_URL"].present?
+
+      field :ejabberd_api_url, type: :string,
+        default: ENV["EJABBERD_API_URL"].presence
+
+      field :ejabberd_admin_url, type: :string,
+        default: ENV["EJABBERD_ADMIN_URL"].presence
+
+      field :ejabberd_buddy_roster, type: :string,
+        default: "Buddies"
+    end
+  end
+end

app/models/concerns/settings/email_settings.rb

@@ -0,0 +1,28 @@
+module Settings
+  module EmailSettings
+    extend ActiveSupport::Concern
+
+    included do
+      field :email_enabled, type: :boolean,
+        default: ENV["EMAIL_SMTP_HOST"].present?
+
+      # field :email_smtp_host, type: :string,
+      #   default: ENV["EMAIL_SMTP_HOST"].presence
+      #
+      # field :email_smtp_port, type: :string,
+      #   default: ENV["EMAIL_SMTP_PORT"].presence || 587
+      #
+      # field :email_smtp_enable_starttls, type: :string,
+      #   default: ENV["EMAIL_SMTP_PORT"].presence || true
+      #
+      # field :email_auth_method, type: :string,
+      #   default: ENV["EMAIL_AUTH_METHOD"].presence || "plain"
+      #
+      # field :email_imap_host, type: :string,
+      #   default: ENV["EMAIL_IMAP_HOST"].presence
+      #
+      # field :email_imap_port, type: :string,
+      #   default: ENV["EMAIL_IMAP_PORT"].presence || 993
+    end
+  end
+end

app/models/concerns/settings/general_settings.rb

@@ -0,0 +1,34 @@
+module Settings
+  module GeneralSettings
+    extend ActiveSupport::Concern
+
+    included do
+      field :primary_domain, type: :string,
+        default: ENV["PRIMARY_DOMAIN"].presence
+
+      field :accounts_domain, type: :string,
+        default: ENV["AKKOUNTS_DOMAIN"].presence
+
+      #
+      # Internal services
+      #
+
+      field :redis_url, type: :string,
+        default: ENV["REDIS_URL"] || "redis://localhost:6379/0"
+
+      field :s3_enabled, type: :boolean,
+        default: ENV["S3_ENABLED"] && ENV["S3_ENABLED"].to_s != "false"
+
+      field :sentry_enabled, type: :boolean, readonly: true,
+        default: ENV["SENTRY_DSN"].present?
+
+      #
+      # Registrations
+      #
+
+      field :reserved_usernames, type: :array, default: %w[
+        account accounts donations mail webmaster support
+      ]
+    end
+  end
+end

app/models/concerns/settings/gitea_settings.rb

@@ -0,0 +1,13 @@
+module Settings
+  module GiteaSettings
+    extend ActiveSupport::Concern
+
+    included do
+      field :gitea_public_url, type: :string,
+        default: ENV["GITEA_PUBLIC_URL"].presence
+
+      field :gitea_enabled, type: :boolean,
+        default: ENV["GITEA_PUBLIC_URL"].present?
+    end
+  end
+end

app/models/concerns/settings/lightning_network_settings.rb

@@ -0,0 +1,25 @@
+module Settings
+  module LightningNetworkSettings
+    extend ActiveSupport::Concern
+
+    included do
+      field :lndhub_api_url, type: :string,
+        default: ENV["LNDHUB_API_URL"].presence
+
+      field :lndhub_enabled, type: :boolean,
+        default: ENV["LNDHUB_API_URL"].present?
+
+      field :lndhub_admin_token, type: :string,
+        default: ENV["LNDHUB_ADMIN_TOKEN"].presence
+
+      field :lndhub_admin_enabled, type: :boolean,
+        default: ENV["LNDHUB_ADMIN_UI"] || false
+
+      field :lndhub_public_key, type: :string,
+        default: (ENV["LNDHUB_PUBLIC_KEY"] || "")
+
+      field :lndhub_keysend_enabled, type: :boolean,
+        default: -> { self.lndhub_public_key.present? }
+    end
+  end
+end

app/models/concerns/settings/mastodon_settings.rb

@@ -0,0 +1,16 @@
+module Settings
+  module MastodonSettings
+    extend ActiveSupport::Concern
+
+    included do
+      field :mastodon_public_url, type: :string,
+        default: ENV["MASTODON_PUBLIC_URL"].presence
+
+      field :mastodon_enabled, type: :boolean,
+        default: ENV["MASTODON_PUBLIC_URL"].present?
+
+      field :mastodon_address_domain, type: :string,
+        default: ENV["MASTODON_ADDRESS_DOMAIN"].presence || self.primary_domain
+    end
+  end
+end

app/models/concerns/settings/media_wiki_settings.rb

@@ -0,0 +1,13 @@
+module Settings
+  module MediaWikiSettings
+    extend ActiveSupport::Concern
+
+    included do
+      field :mediawiki_public_url, type: :string,
+        default: ENV["MEDIAWIKI_PUBLIC_URL"].presence
+
+      field :mediawiki_enabled, type: :boolean,
+        default: ENV["MEDIAWIKI_PUBLIC_URL"].present?
+    end
+  end
+end

app/models/concerns/settings/nostr_settings.rb

@@ -0,0 +1,25 @@
+module Settings
+  module NostrSettings
+    extend ActiveSupport::Concern
+
+    included do
+      field :nostr_enabled, type: :boolean,
+        default: ENV["NOSTR_PRIVATE_KEY"].present?
+
+      field :nostr_private_key, type: :string,
+        default: ENV["NOSTR_PRIVATE_KEY"].presence
+
+      field :nostr_public_key, type: :string,
+        default: ENV["NOSTR_PUBLIC_KEY"].presence
+
+      field :nostr_public_key_primary_domain, type: :string,
+        default: ENV["NOSTR_PUBLIC_KEY_PRIMARY_DOMAIN"].presence
+
+      field :nostr_relay_url, type: :string,
+        default: ENV["NOSTR_RELAY_URL"].presence
+
+      field :nostr_zaps_relay_limit, type: :integer,
+        default: 12
+    end
+  end
+end

app/models/concerns/settings/open_collective_settings.rb

@@ -0,0 +1,9 @@
+module Settings
+  module OpenCollectiveSettings
+    extend ActiveSupport::Concern
+
+    included do
+      field :opencollective_enabled, type: :boolean, default: true
+    end
+  end
+end

app/models/concerns/settings/remote_storage_settings.rb

@@ -0,0 +1,19 @@
+module Settings
+  module RemoteStorageSettings
+    extend ActiveSupport::Concern
+
+    included do
+      field :remotestorage_enabled, type: :boolean,
+        default: ENV["RS_STORAGE_URL"].present?
+
+      field :rs_accounts_domain, type: :string,
+        default: ENV["RS_AKKOUNTS_DOMAIN"] || ENV["AKKOUNTS_DOMAIN"]
+
+      field :rs_storage_url, type: :string,
+        default: ENV["RS_STORAGE_URL"].presence
+
+      field :rs_redis_url, type: :string,
+        default: ENV["RS_REDIS_URL"] || "redis://localhost:6379/1"
+    end
+  end
+end

app/models/concerns/settings/xmpp_settings.rb

@@ -0,0 +1,11 @@
+module Settings
+  module XmppSettings
+    extend ActiveSupport::Concern
+
+    included do
+      field :xmpp_default_rooms, type: :array, default: []
+      field :xmpp_autojoin_default_rooms, type: :boolean, default: false
+      field :xmpp_notifications_from_address, type: :string, default: primary_domain
+    end
+  end
+end

app/models/remote_storage_authorization.rb

@@ -2,7 +2,7 @@ class RemoteStorageAuthorization < ApplicationRecord
   belongs_to :user
   belongs_to :web_app, class_name: "AppCatalog::WebApp", optional: true
 
-  serialize :permissions unless Rails.env.production?
+  serialize :permissions, coder: YAML unless Rails.env.production?
 
   validates_presence_of :permissions
   validates_presence_of :client_id

app/models/setting.rb

@@ -2,226 +2,30 @@
 class Setting < RailsSettings::Base
   cache_prefix { "v1" }
 
-  field :primary_domain, type: :string,
+  Dir[Rails.root.join('app', 'models', 'concerns', 'settings', '*.rb')].each do |file|
-    default: ENV["PRIMARY_DOMAIN"].presence
+    require file
-
-  field :accounts_domain, type: :string,
-    default: ENV["AKKOUNTS_DOMAIN"].presence
-
-  #
-  # Internal services
-  #
-
-  field :redis_url, type: :string,
-    default: ENV["REDIS_URL"] || "redis://localhost:6379/0"
-
-  field :s3_enabled, type: :boolean,
-    default: ENV["S3_ENABLED"] && ENV["S3_ENABLED"].to_s != "false"
-
-  #
-  # Registrations
-  #
-
-  field :reserved_usernames, type: :array, default: %w[
-    account accounts donations mail webmaster support
-  ]
-
-  #
-  # XMPP
-  #
-
-  field :xmpp_default_rooms, type: :array, default: []
-  field :xmpp_autojoin_default_rooms, type: :boolean, default: false
-  field :xmpp_notifications_from_address, type: :string, default: primary_domain
-
-  #
-  # Sentry
-  #
-
-  field :sentry_enabled, type: :boolean, readonly: true,
-    default: ENV["SENTRY_DSN"].present?
-
-  #
-  # BTCPay Server
-  #
-
-  field :btcpay_api_url, type: :string,
-    default: ENV["BTCPAY_API_URL"].presence
-
-  field :btcpay_enabled, type: :boolean,
-    default: ENV["BTCPAY_API_URL"].present?
-
-  field :btcpay_public_url, type: :string,
-    default: ENV["BTCPAY_PUBLIC_URL"].presence
-
-  field :btcpay_store_id, type: :string,
-    default: ENV["BTCPAY_STORE_ID"].presence
-
-  field :btcpay_auth_token, type: :string,
-    default: ENV["BTCPAY_AUTH_TOKEN"].presence
-
-  field :btcpay_publish_wallet_balances, type: :boolean, default: true
-
-  #
-  # Discourse
-  #
-
-  field :discourse_public_url, type: :string,
-    default: ENV["DISCOURSE_PUBLIC_URL"].presence
-
-  field :discourse_enabled, type: :boolean,
-    default: ENV["DISCOURSE_PUBLIC_URL"].present?
-
-  field :discourse_connect_secret, type: :string,
-    default: ENV["DISCOURSE_CONNECT_SECRET"].presence
-
-  #
-  # Drone CI
-  #
-
-  field :droneci_public_url, type: :string,
-    default: ENV["DRONECI_PUBLIC_URL"].presence
-
-  field :droneci_enabled, type: :boolean,
-    default: ENV["DRONECI_PUBLIC_URL"].present?
-
-  #
-  # ejabberd
-  #
-
-  field :ejabberd_enabled, type: :boolean,
-    default: ENV["EJABBERD_API_URL"].present?
-
-  field :ejabberd_api_url, type: :string,
-    default: ENV["EJABBERD_API_URL"].presence
-
-  field :ejabberd_admin_url, type: :string,
-    default: ENV["EJABBERD_ADMIN_URL"].presence
-
-  field :ejabberd_buddy_roster, type: :string,
-    default: "Buddies"
-
-  #
-  # Gitea
-  #
-
-  field :gitea_public_url, type: :string,
-    default: ENV["GITEA_PUBLIC_URL"].presence
-
-  field :gitea_enabled, type: :boolean,
-    default: ENV["GITEA_PUBLIC_URL"].present?
-
-  #
-  # Lightning Network
-  #
-
-  field :lndhub_api_url, type: :string,
-    default: ENV["LNDHUB_API_URL"].presence
-
-  field :lndhub_enabled, type: :boolean,
-    default: ENV["LNDHUB_API_URL"].present?
-
-  field :lndhub_admin_token, type: :string,
-    default: ENV["LNDHUB_ADMIN_TOKEN"].presence
-
-  field :lndhub_admin_enabled, type: :boolean,
-    default: ENV["LNDHUB_ADMIN_UI"] || false
-
-  field :lndhub_public_key, type: :string,
-    default: (ENV["LNDHUB_PUBLIC_KEY"] || "")
-
-  field :lndhub_keysend_enabled, type: :boolean,
-    default: -> { self.lndhub_public_key.present? }
-
-  #
-  # Mastodon
-  #
-
-  field :mastodon_public_url, type: :string,
-    default: ENV["MASTODON_PUBLIC_URL"].presence
-
-  field :mastodon_enabled, type: :boolean,
-    default: ENV["MASTODON_PUBLIC_URL"].present?
-
-  field :mastodon_address_domain, type: :string,
-    default: ENV["MASTODON_ADDRESS_DOMAIN"].presence || self.primary_domain
-
-  #
-  # MediaWiki
-  #
-
-  field :mediawiki_public_url, type: :string,
-    default: ENV["MEDIAWIKI_PUBLIC_URL"].presence
-
-  field :mediawiki_enabled, type: :boolean,
-    default: ENV["MEDIAWIKI_PUBLIC_URL"].present?
-
-  #
-  # Nostr
-  #
-
-  field :nostr_enabled, type: :boolean,
-    default: ENV["NOSTR_PRIVATE_KEY"].present?
-
-  field :nostr_private_key, type: :string,
-    default: ENV["NOSTR_PRIVATE_KEY"].presence
-
-  field :nostr_public_key, type: :string,
-    default: ENV["NOSTR_PUBLIC_KEY"].presence
-
-  field :nostr_relay_url, type: :string,
-    default: ENV["NOSTR_RELAY_URL"].presence
-
-  field :nostr_zaps_relay_limit, type: :integer,
-    default: 12
-
-  #
-  # OpenCollective
-  #
-
-  field :opencollective_enabled, type: :boolean, default: true
-
-  #
-  # RemoteStorage
-  #
-
-  field :remotestorage_enabled, type: :boolean,
-    default: ENV["RS_STORAGE_URL"].present?
-
-  field :rs_storage_url, type: :string,
-    default: ENV["RS_STORAGE_URL"].presence
-
-  field :rs_redis_url, type: :string,
-    default: ENV["RS_REDIS_URL"] || "redis://localhost:6379/1"
-
-
-  #
-  # E-Mail Service
-  #
-
-  field :email_enabled, type: :boolean,
-    default: ENV["EMAIL_SMTP_HOST"].present?
-
-  # field :email_smtp_host, type: :string,
-  #   default: ENV["EMAIL_SMTP_HOST"].presence
-  #
-  # field :email_smtp_port, type: :string,
-  #   default: ENV["EMAIL_SMTP_PORT"].presence || 587
-  #
-  # field :email_smtp_enable_starttls, type: :string,
-  #   default: ENV["EMAIL_SMTP_PORT"].presence || true
-  #
-  # field :email_auth_method, type: :string,
-  #   default: ENV["EMAIL_AUTH_METHOD"].presence || "plain"
-  #
-  # field :email_imap_host, type: :string,
-  #   default: ENV["EMAIL_IMAP_HOST"].presence
-  #
-  # field :email_imap_port, type: :string,
-  #   default: ENV["EMAIL_IMAP_PORT"].presence || 993
-
-  def self.default_services
-    # TODO Make configurable from respective service settings page
-    %w[ discourse gitea mastodon mediawiki xmpp ]
   end
+
+  include Settings::GeneralSettings
+  include Settings::BtcpaySettings
+  include Settings::DiscourseSettings
+  include Settings::DroneCiSettings
+  include Settings::EjabberdSettings
+  include Settings::EmailSettings
+  include Settings::GiteaSettings
+  include Settings::LightningNetworkSettings
+  include Settings::MastodonSettings
+  include Settings::MediaWikiSettings
+  include Settings::NostrSettings
+  include Settings::OpenCollectiveSettings
+  include Settings::RemoteStorageSettings
+  include Settings::XmppSettings
+
+  def self.available_services
+    known_services = SERVICES[:external].keys
+    known_services.select {|s| Setting.send "#{s}_enabled?" }
+  end
+
+  field :default_services, type: :array,
+    default: self.available_services
 end

app/models/user.rb

@@ -3,9 +3,10 @@ require 'nostr'
 class User < ApplicationRecord
   include EmailValidatable
 
-  attr_accessor :display_name
-  attr_accessor :avatar_new
   attr_accessor :current_password
+  attr_accessor :avatar_new
+  attr_accessor :display_name
+  attr_accessor :pgp_pubkey
 
   serialize :preferences, coder: UserPreferences
 
@@ -51,6 +52,8 @@ class User < ApplicationRecord
 
   validate :acceptable_avatar
 
+  validate :acceptable_pgp_key_format, if: -> { defined?(@pgp_pubkey) && @pgp_pubkey.present? }
+
   #
   # Scopes
   #
@@ -165,6 +168,24 @@ class User < ApplicationRecord
     Nostr::PublicKey.new(nostr_pubkey).to_bech32
   end
 
+  def pgp_pubkey
+    @pgp_pubkey ||= ldap_entry[:pgp_key]
+  end
+
+  def gnupg_key
+    return nil unless pgp_pubkey.present?
+    GPGME::Key.import(pgp_pubkey)
+    GPGME::Key.get(pgp_fpr)
+  end
+
+  def pgp_pubkey_contains_user_address?
+    gnupg_key.uids.map(&:email).include?(address)
+  end
+
+  def wkd_hash
+    ZBase32.encode(Digest::SHA1.digest(cn))
+  end
+
   def avatar
     @avatar_base64 ||= LdapManager::FetchAvatar.call(cn: cn)
   end
@@ -180,14 +201,14 @@ class User < ApplicationRecord
   def enable_service(service)
     current_services = services_enabled
     new_services = Array(service).map(&:to_s)
-    services = (current_services + new_services).uniq
+    services = (current_services + new_services).uniq.sort
     ldap.replace_attribute(dn, :serviceEnabled, services)
   end
 
   def disable_service(service)
     current_services = services_enabled
     disabled_services = Array(service).map(&:to_s)
-    services = (current_services - disabled_services).uniq
+    services = (current_services - disabled_services).uniq.sort
     ldap.replace_attribute(dn, :serviceEnabled, services)
   end
 
@@ -214,4 +235,10 @@ class User < ApplicationRecord
         errors.add(:avatar, "must be a JPEG or PNG file")
       end
     end
+
+    def acceptable_pgp_key_format
+      unless GPGME::Key.valid?(pgp_pubkey)
+        errors.add(:pgp_pubkey, 'is not a valid armored PGP public key block')
+      end
+    end
 end

app/services/create_account.rb

@@ -1,54 +0,0 @@
-class CreateAccount < ApplicationService
-  def initialize(account:)
-    @username   = account[:username]
-    @domain     = account[:ou] || Setting.primary_domain
-    @email      = account[:email]
-    @password   = account[:password]
-    @invitation = account[:invitation]
-    @confirmed  = account[:confirmed]
-  end
-
-  def call
-    user = create_user_in_database
-    add_ldap_document
-    create_lndhub_account(user) if Setting.lndhub_enabled
-
-    if @invitation.present?
-      update_invitation(user.id)
-    end
-  end
-
-  private
-
-  def create_user_in_database
-    User.create!(
-      cn: @username,
-      ou: @domain,
-      email: @email,
-      password: @password,
-      password_confirmation: @password,
-      confirmed_at: @confirmed ? DateTime.now : nil
-    )
-  end
-
-  def update_invitation(user_id)
-    @invitation.update! invited_user_id: user_id, used_at: DateTime.now
-  end
-
-  def add_ldap_document
-    hashed_pw = Devise.ldap_auth_password_builder.call(@password)
-    CreateLdapUserJob.perform_later(
-      username: @username,
-      domain: @domain,
-      email: @email,
-      hashed_pw: hashed_pw,
-      confirmed: @confirmed
-    )
-  end
-
-  def create_lndhub_account(user)
-    #TODO enable in development when we have a local lndhub (mock?) API
-    return if Rails.env.development?
-    CreateLndhubAccountJob.perform_later(user)
-  end
-end

app/services/create_invitations.rb

@@ -1,17 +0,0 @@
-class CreateInvitations < ApplicationService
-  def initialize(user:, amount:, notify: true)
-    @user = user
-    @amount = amount
-    @notify = notify
-  end
-
-  def call
-    @amount.times do
-      Invitation.create(user: @user)
-    end
-
-    if @notify
-      NotificationMailer.with(user: @user).new_invitations_available.deliver_later
-    end
-  end
-end

app/services/ldap_manager/update_pgp_key.rb

@@ -0,0 +1,16 @@
+module LdapManager
+  class UpdatePgpKey < LdapManagerService
+    def initialize(dn:, pubkey:)
+      @dn = dn
+      @pubkey = pubkey
+    end
+
+    def call
+      if @pubkey.present?
+        replace_attribute @dn, :pgpKey, @pubkey
+      else
+        delete_attribute @dn, :pgpKey
+      end
+    end
+  end
+end

app/services/ldap_service.rb

@@ -58,7 +58,7 @@ class LdapService < ApplicationService
 
     attributes = %w[
       dn cn uid mail displayName admin serviceEnabled
-      mailRoutingAddress mailpassword nostrKey
+      mailRoutingAddress mailpassword nostrKey pgpKey
     ]
     filter = Net::LDAP::Filter.eq("uid", args[:uid] || "*")
 
@@ -73,7 +73,8 @@ class LdapService < ApplicationService
         services_enabled: e.try(:serviceEnabled),
         email_maildrop: e.try(:mailRoutingAddress),
         email_password: e.try(:mailpassword),
-        nostr_key: e.try(:nostrKey) ? e.nostrKey.first : nil
+        nostr_key: e.try(:nostrKey) ? e.nostrKey.first : nil,
+        pgp_key: e.try(:pgpKey) ? e.pgpKey.first : nil
       }
     end
   end
@@ -101,7 +102,7 @@ class LdapService < ApplicationService
     dn = "ou=#{ou},cn=users,#{ldap_suffix}"
 
     aci = <<-EOS
-(target="ldap:///cn=*,ou=#{ou},cn=users,#{ldap_suffix}")(targetattr="cn || sn || uid || userPassword || mail || mailRoutingAddress || serviceEnabled || nostrKey || nsRole || objectClass") (version 3.0; acl "service-#{ou.gsub(".", "-")}-read-search"; allow (read,search) userdn="ldap:///uid=service,ou=#{ou},cn=applications,#{ldap_suffix}";)
+(target="ldap:///cn=*,ou=#{ou},cn=users,#{ldap_suffix}")(targetattr="cn || sn || uid || userPassword || mail || mailRoutingAddress || serviceEnabled || nostrKey || pgpKey || nsRole || objectClass") (version 3.0; acl "service-#{ou.gsub(".", "-")}-read-search"; allow (read,search) userdn="ldap:///uid=service,ou=#{ou},cn=applications,#{ldap_suffix}";)
     EOS
 
     attrs = {

app/services/user_manager/create_account.rb

@@ -0,0 +1,56 @@
+module UserManager
+  class CreateAccount < UserManagerService
+    def initialize(account:)
+      @username   = account[:username]
+      @domain     = account[:ou] || Setting.primary_domain
+      @email      = account[:email]
+      @password   = account[:password]
+      @invitation = account[:invitation]
+      @confirmed  = account[:confirmed]
+    end
+
+    def call
+      user = create_user_in_database
+      add_ldap_document
+      create_lndhub_account(user) if Setting.lndhub_enabled
+
+      if @invitation.present?
+        update_invitation(user.id)
+      end
+    end
+
+    private
+
+    def create_user_in_database
+      User.create!(
+        cn: @username,
+        ou: @domain,
+        email: @email,
+        password: @password,
+        password_confirmation: @password,
+        confirmed_at: @confirmed ? DateTime.now : nil
+      )
+    end
+
+    def update_invitation(user_id)
+      @invitation.update! invited_user_id: user_id, used_at: DateTime.now
+    end
+
+    def add_ldap_document
+      hashed_pw = Devise.ldap_auth_password_builder.call(@password)
+      CreateLdapUserJob.perform_later(
+        username: @username,
+        domain: @domain,
+        email: @email,
+        hashed_pw: hashed_pw,
+        confirmed: @confirmed
+      )
+    end
+
+    def create_lndhub_account(user)
+      #TODO enable in development when we have a local lndhub (mock?) API
+      return if Rails.env.development?
+      CreateLndhubAccountJob.perform_later(user)
+    end
+  end
+end

app/services/user_manager/create_invitations.rb

@@ -0,0 +1,19 @@
+module UserManager
+  class CreateInvitations < UserManagerService
+    def initialize(user:, amount:, notify: true)
+      @user = user
+      @amount = amount
+      @notify = notify
+    end
+
+    def call
+      @amount.times do
+        Invitation.create(user: @user)
+      end
+
+      if @notify
+        NotificationMailer.with(user: @user).new_invitations_available.deliver_later
+      end
+    end
+  end
+end

app/services/user_manager/pgp_encrypt.rb

@@ -0,0 +1,19 @@
+require 'gpgme'
+
+module UserManager
+  class PgpEncrypt < UserManagerService
+    def initialize(user:, text:)
+      @user = user
+      @text = text
+    end
+
+    def call
+      crypto = GPGME::Crypto.new
+      crypto.encrypt(
+        @text,
+        recipients: @user.gnupg_key,
+        always_trust: true
+      )
+    end
+  end
+end

app/services/user_manager/update_pgp_key.rb

@@ -0,0 +1,24 @@
+module UserManager
+  class UpdatePgpKey < UserManagerService
+    def initialize(user:)
+      @user = user
+    end
+
+    def call
+      if @user.pgp_pubkey.blank?
+        @user.update! pgp_fpr: nil
+      else
+        result = GPGME::Key.import(@user.pgp_pubkey)
+
+        if result.imports.present?
+          @user.update! pgp_fpr: result.imports.first.fpr
+        else
+          # TODO notify Sentry, user
+          raise "Failed to import OpenPGP pubkey"
+        end
+      end
+
+      LdapManager::UpdatePgpKey.call(dn: @user.dn, pubkey: @user.pgp_pubkey)
+    end
+  end
+end

app/services/user_manager_service.rb

@@ -0,0 +1,2 @@
+class UserManagerService < ApplicationService
+end

app/views/admin/settings/registrations/show.html.erb

@@ -9,18 +9,36 @@
         <%= render partial: "admin/settings/errors", locals: { errors: @errors } %>
       <% end %>
 
-      <label class="block">
+      <ul role="list">
-        <p class="font-bold mb-1">Reserved usernames</p>
+        <%= render FormElements::FieldsetComponent.new(
-        <p class="text-gray-500">
+              title: "Reserved usernames",
-          These usernames cannot be registered as accounts:
+              description: "These usernames cannot be registered as accounts."
-        </p>
+            ) do %>
-        <%= f.text_area :reserved_usernames,
+          <%= f.text_area :reserved_usernames,
-          value: Setting.reserved_usernames.join("\n"),
+            value: Setting.reserved_usernames.join("\n"),
-          class: "h-44 mb-2" %>
+            class: "h-44 w-60" %>
-        <p class="text-sm text-gray-500">
+          <p class="text-sm text-gray-500">
-          One username per line
+            One username per line
-        </p>
+          </p>
-      </label>
+        <% end %>
+        <li>
+          <p class="font-bold mb-1">Default services</p>
+          <p class="text-gray-500">
+            These services are enabled for new users by default after signup.
+          </p>
+          <div class="flex flex-wrap gap-x-6 gap-y-2">
+            <% Setting.available_services.each do |option| %>
+              <div class="md:inline-block">
+                <%= f.check_box :default_services,
+                  { multiple: true, checked: Setting.default_services.include?(option),
+                    class: "h-4 w-4 rounded border-gray-300 text-blue-600 focus:ring-blue-600 mr-0.5" },
+                  option, nil %>
+                <%= f.label "default_services_#{option.parameterize}", service_human_name(option) %>
+              </div>
+            <% end %>
+          </div>
+        </li>
+      </ul>
     </section>
 
     <section>

app/views/admin/settings/services/_nostr.html.erb

@@ -19,6 +19,11 @@
         title: "Public key",
         description: "The corresponding public key of the accounts service"
       ) %>
+  <%= render FormElements::FieldsetResettableSettingComponent.new(
+        key: :nostr_public_key_primary_domain,
+        title: "Public key for primary domain (NIP-05)",
+        description: "(optional) A different pubkey to announce for the _@#{Setting.primary_domain} Nostr address"
+      ) %>
   <%= render FormElements::FieldsetResettableSettingComponent.new(
         key: :nostr_relay_url,
         title: "Relay URL",

app/views/admin/settings/services/_remotestorage.html.erb

@@ -1,5 +1,4 @@
 <h3>RemoteStorage</h3>
-<p class="text-red-600 mb-8">Feature currently in development.</p>
 <ul role="list">
   <%= render FormElements::FieldsetToggleComponent.new(
     form: f,

app/views/admin/users/show.html.erb

@@ -89,13 +89,47 @@
     </section>
 
     <section class="sm:flex-1 sm:pt-0">
-      <% if @avatar.present? %>
+      <h3>LDAP</h3>
-      <h3>LDAP<h3>
+      <table class="divided">
-      <p>
+        <tbody>
-        <img src="data:image/jpeg;base64,<%= @avatar %>" class="h-48 w-48" />
+          <tr>
-      </p>
+            <th>Avatar</th>
-      <% end %>
+            <td>
-      <!-- <h3>Actions</h3> -->
+              <% if @avatar.present? %>
+                <img src="data:image/jpeg;base64,<%= @avatar %>" class="h-48 w-48" />
+              <% else %>
+                &mdash;
+              <% end %>
+            </td>
+          </tr>
+          <tr>
+            <th>Display name</th>
+            <td><%= @user.display_name || "—" %></td>
+          </tr>
+          <tr>
+            <th class="align-top">PGP key</th>
+            <td class="align-top leading-5">
+              <% if @user.pgp_pubkey.present? %>
+                <span class="font-mono" title="<%= @user.pgp_fpr %>">
+                  <% if @user.pgp_pubkey_contains_user_address? %>
+                    <%= link_to wkd_key_url(hashed_username: @user.wkd_hash, l: @user.cn, format: :txt),
+                      class: "ks-text-link", target: "_blank" do %>
+                      <%= "#{@user.pgp_fpr[0, 8]}…#{@user.pgp_fpr[-8..-1]}" %>
+                    <% end %>
+                  <% else %>
+                    <%= "#{@user.pgp_fpr[0, 8]}…#{@user.pgp_fpr[-8..-1]}" %>
+                  <% end %>
+                </span><br />
+                <% @user.gnupg_key.uids.each do |uid| %>
+                  <%= uid.uid %><br />
+                <% end %>
+              <% else %>
+                &mdash;
+              <% end %>
+            </td>
+          </tr>
+        </tbody>
+      </table>
     </section>
   </div>
 
@@ -184,7 +218,7 @@
           <td>XMPP (ejabberd)</td>
           <td>
             <%= render FormElements::ToggleComponent.new(
-              enabled: @services_enabled.include?("xmpp"),
+              enabled: @services_enabled.include?("ejabberd"),
               input_enabled: false
             ) %>
           </td>
@@ -205,7 +239,9 @@
             ) %>
           </td>
           <td class="text-right">
+            <% if @user.nostr_pubkey.present? %>
             <%= link_to "Open profile", "https://njump.me/#{@user.nostr_pubkey_bech32}", class: "btn-sm btn-gray" %>
+            <% end %>
           </td>
         </tr>
         <% end %>

app/views/services/remotestorage/show.html.erb

@@ -15,6 +15,8 @@
       In order to connect an app to your storage account, give it your address:
     </p>
     <p data-controller="clipboard" class="flex gap-1 sm:w-2/5">
+      <img src="/img/logos/icon_remotestorage.svg"
+           class="inline-block h-6 w-6 mr-1 self-center">
       <input type="text" id="user_address" class="grow"
              value=<%= current_user.address %> disabled="disabled"
              data-clipboard-target="source" />
@@ -31,6 +33,24 @@
     </p>
   </section>
 
+  <section>
+    <h3>Compatible Apps</h3>
+    <p>
+      Your Storage account is based on a new open standard called
+      <a href="https://remotestorage.io" target="_blank">
+        <img src="/img/logos/icon_remotestorage.svg" class="h-4 w-4 inline">
+        <strong>remoteStorage</strong>
+      </a>, which is not yet widely supported.  Look
+      for the remoteStorage icon, or check the Sync settings in apps.
+    </p>
+    <p>
+      If you want your favorite apps to support syncing data with your own
+      Storage account, let the developers know! All relevant information is
+      available on the <a href="https://remotestorage.io"
+        target="_blank" class="ks-text-link">remoteStorage website</a>.
+    </p>
+  </section>
+
   <section>
     <h3>Recommended Apps</h3>
     <div data-controller="tabs"

app/views/settings/_account.html.erb

@@ -1,6 +1,6 @@
 <%= tag.section data: {
       controller: "settings--account--email",
-      "settings--account--email-validation-failed-value": @validation_errors.present?
+      "settings--account--email-validation-failed-value": @validation_errors&.[](:email)&.present?
     } do %>
   <h3>E-Mail</h3>
   <%= form_for(@user, url: update_email_settings_path, method: "post") do |f| %>
@@ -23,7 +23,7 @@
         </span>
       </button>
     </p>
-    <% if @validation_errors.present? && @validation_errors[:email].present? %>
+    <% if @validation_errors&.[](:email)&.present? %>
       <p class="error-msg"><%= @validation_errors[:email].first %></p>
     <% end %>
     <div class="initial-hidden">
@@ -41,10 +41,33 @@
 <% end %>
 <section>
   <h3>Password</h3>
-  <p class="mb-8">Use the following button to request an email with a password reset link:</p>
+  <p class="mb-6">Use the following button to request an email with a password reset link:</p>
   <%= form_with(url: reset_password_settings_path, method: :post) do %>
     <p>
       <%= submit_tag("Send me a password reset link", class: 'btn-md btn-gray w-full sm:w-auto') %>
     </p>
   <% end %>
 </section>
+<%= form_for(@user, url: setting_path(:account), html: { :method => :put }) do |f| %>
+  <section class="!pt-8 sm:!pt-12">
+    <h3>OpenPGP</h3>
+    <ul role="list">
+      <%= render FormElements::FieldsetComponent.new(
+            title: "Public key",
+            description: "Your OpenPGP public key in ASCII Armor format"
+          ) do %>
+        <%= f.text_area :pgp_pubkey,
+          value: @user.pgp_pubkey,
+          class: "h-24 w-full" %>
+        <% if @validation_errors&.[](:pgp_pubkey)&.present? %>
+          <p class="error-msg">This <%= @validation_errors[:pgp_pubkey].first %></p>
+        <% end %>
+      <% end %>
+    </ul>
+  </section>
+  <section>
+    <p class="pt-6 border-t border-gray-200 text-right">
+      <%= f.submit 'Save', class: "btn-md btn-blue w-full md:w-auto" %>
+    </p>
+  </section>
+<% end %>

app/views/settings/_email.html.erb

@@ -5,7 +5,7 @@
   <h3>E-Mail Password</h3>
   <%= form_for(@user, url: reset_email_password_settings_path, method: "post") do |f| %>
     <%= hidden_field_tag :section, "email" %>
-    <p class="mb-8">
+    <p class="mb-6">
       Use the following button to generate a new email password:
     </p>
     <p class="hidden initial-visible">

bin/rails

@@ -1,9 +1,4 @@
 #!/usr/bin/env ruby
-begin
+APP_PATH = File.expand_path("../config/application", __dir__)
-  load File.expand_path('../spring', __FILE__)
+require_relative "../config/boot"
-rescue LoadError => e
+require "rails/commands"
-  raise unless e.message.include?('spring')
-end
-APP_PATH = File.expand_path('../config/application', __dir__)
-require_relative '../config/boot'
-require 'rails/commands'

bin/rake

@@ -1,9 +1,4 @@
 #!/usr/bin/env ruby
-begin
+require_relative "../config/boot"
-  load File.expand_path('../spring', __FILE__)
+require "rake"
-rescue LoadError => e
-  raise unless e.message.include?('spring')
-end
-require_relative '../config/boot'
-require 'rake'
 Rake.application.run

bin/rubocop

@@ -0,0 +1,8 @@
+#!/usr/bin/env ruby
+require "rubygems"
+require "bundler/setup"
+
+# explicit rubocop config increases performance slightly while avoiding config confusion.
+ARGV.unshift("--config", File.expand_path("../.rubocop.yml", __dir__))
+
+load Gem.bin_path("rubocop", "rubocop")

bin/setup

@@ -1,36 +1,37 @@
 #!/usr/bin/env ruby
-require 'fileutils'
+require "fileutils"
 
-# path to your application root.
+APP_ROOT = File.expand_path("..", __dir__)
-APP_ROOT = File.expand_path('..', __dir__)
+APP_NAME = "akkounts"
 
 def system!(*args)
-  system(*args) || abort("\n== Command #{args} failed ==")
+  system(*args, exception: true)
 end
 
 FileUtils.chdir APP_ROOT do
-  # This script is a way to setup or update your development environment automatically.
+  # This script is a way to set up or update your development environment automatically.
-  # This script is idempotent, so that you can run it at anytime and get an expectable outcome.
+  # This script is idempotent, so that you can run it at any time and get an expectable outcome.
   # Add necessary setup steps to this file.
 
-  puts '== Installing dependencies =='
+  puts "== Installing dependencies =="
-  system! 'gem install bundler --conservative'
+  system! "gem install bundler --conservative"
-  system('bundle check') || system!('bundle install')
+  system("bundle check") || system!("bundle install")
-
-  # Install JavaScript dependencies
-  # system('bin/yarn')
 
   # puts "\n== Copying sample files =="
-  # unless File.exist?('config/database.yml')
+  # unless File.exist?("config/database.yml")
-  #   FileUtils.cp 'config/database.yml.sample', 'config/database.yml'
+  #   FileUtils.cp "config/database.yml.sample", "config/database.yml"
   # end
 
   puts "\n== Preparing database =="
-  system! 'bin/rails db:prepare'
+  system! "bin/rails db:prepare"
 
   puts "\n== Removing old logs and tempfiles =="
-  system! 'bin/rails log:clear tmp:clear'
+  system! "bin/rails log:clear tmp:clear"
 
   puts "\n== Restarting application server =="
-  system! 'bin/rails restart'
+  system! "bin/rails restart"
+
+  # puts "\n== Configuring puma-dev =="
+  # system "ln -nfs #{APP_ROOT} ~/.puma-dev/#{APP_NAME}"
+  # system "curl -Is https://#{APP_NAME}.test/up | head -n 1"
 end

config/application.rb

@@ -1,4 +1,4 @@
-require_relative 'boot'
+require_relative "boot"
 
 require "rails"
 # Pick the frameworks you want:
@@ -12,7 +12,6 @@ require "action_mailbox/engine"
 # require "action_text/engine"
 require "action_view/railtie"
 require "action_cable/engine"
-require "sprockets/railtie"
 # require "rails/test_unit/railtie"
 
 # Require the gems listed in Gemfile, including any gems
@@ -22,12 +21,20 @@ Bundler.require(*Rails.groups)
 module Akkounts
   class Application < Rails::Application
     # Initialize configuration defaults for originally generated Rails version.
-    config.load_defaults 7.0
+    config.load_defaults 7.2
 
-    # Settings in config/environments/* take precedence over those specified here.
+    # Please, add to the `ignore` list any other `lib` subdirectories that do
-    # Application configuration can go into files in config/initializers
+    # not contain `.rb` files, or that should not be reloaded or eager loaded.
-    # -- all .rb files in that directory are automatically loaded after loading
+    # Common ones are `templates`, `generators`, or `middleware`, for example.
-    # the framework and any gems in your application.
+    config.autoload_lib(ignore: %w[assets tasks])
+
+    # Configuration for the application, engines, and railties goes here.
+    #
+    # These settings can be overridden in specific environments using the files
+    # in config/environments, which are processed later.
+    #
+    # config.time_zone = "Central Time (US & Canada)"
+    # config.eager_load_paths << Rails.root.join("extras")
 
     # Don't generate system test files.
     config.generators.system_tests = nil
@@ -41,6 +48,10 @@ module Akkounts
     end
 
     config.active_job.queue_adapter = :sidekiq
+
     config.action_mailer.deliver_later_queue_name = nil # use "default" queue
+
+    # The default includes webp, which requires webp support everywhere
+    config.active_storage.web_image_content_types = %w[image/png image/jpeg image/gif]
   end
 end

config/environment.rb

@@ -1,5 +1,5 @@
 # Load the Rails application.
-require_relative 'application'
+require_relative "application"
 
 # Initialize the Rails application.
 Rails.application.initialize!

config/environments/development.rb

@@ -1,10 +1,12 @@
+require "active_support/core_ext/integer/time"
+
 Rails.application.configure do
   # Settings specified here will take precedence over those in config/application.rb.
 
-  # In the development environment your application's code is reloaded on
+  # In the development environment your application's code is reloaded any time
-  # every request. This slows down response time but is perfect for development
+  # it changes. This slows down response time but is perfect for development
   # since you don't have to restart the web server when you make code changes.
-  config.cache_classes = false
+  config.enable_reloading = true
 
   # Do not eager load code on boot.
   config.eager_load = false
@@ -12,16 +14,17 @@ Rails.application.configure do
   # Show full error reports.
   config.consider_all_requests_local = true
 
+  # Enable server timing.
+  config.server_timing = true
+
   # Enable/disable caching. By default caching is disabled.
   # Run rails dev:cache to toggle caching.
-  if Rails.root.join('tmp', 'caching-dev.txt').exist?
+  if Rails.root.join("tmp/caching-dev.txt").exist?
     config.action_controller.perform_caching = true
     config.action_controller.enable_fragment_cache_logging = true
 
     config.cache_store = :memory_store
-    config.public_file_server.headers = {
+    config.public_file_server.headers = { "Cache-Control" => "public, max-age=#{2.days.to_i}" }
-      'Cache-Control' => "public, max-age=#{2.days.to_i}"
-    }
   else
     config.action_controller.perform_caching = false
 
@@ -31,42 +34,58 @@ Rails.application.configure do
   # Don't care if the mailer can't send.
   config.action_mailer.raise_delivery_errors = false
 
+  # Disable caching for Action Mailer templates even if Action Controller
+  # caching is enabled.
   config.action_mailer.perform_caching = false
 
   # Print deprecation notices to the Rails logger.
   config.active_support.deprecation = :log
 
+  # Raise exceptions for disallowed deprecations.
+  config.active_support.disallowed_deprecation = :raise
+
+  # Tell Active Support which deprecation messages to disallow.
+  config.active_support.disallowed_deprecation_warnings = []
+
   # Raise an error on page load if there are pending migrations.
   config.active_record.migration_error = :page_load
 
   # Highlight code that triggered database queries in logs.
   config.active_record.verbose_query_logs = true
 
-  # Debug mode disables concatenation and preprocessing of assets.
+  # Highlight code that enqueued background job in logs.
-  # This option may cause significant delays in view rendering with a large
+  config.active_job.verbose_enqueue_logs = true
-  # number of complex assets.
-  config.assets.debug = true
 
   # Suppress logger output for asset requests.
   config.assets.quiet = true
 
   # Raises error for missing translations.
-  # config.action_view.raise_on_missing_translations = true
+  # config.i18n.raise_on_missing_translations = true
 
-  # Use an evented file watcher to asynchronously detect changes in source code,
+  # Annotate rendered view with file names.
-  # routes, locales, etc. This feature depends on the listen gem.
+  config.action_view.annotate_rendered_view_with_filenames = true
-  config.file_watcher = ActiveSupport::EventedFileUpdateChecker
-
-  config.action_mailer.default_options = {
-    from: "accounts@localhost"
-  }
 
   # Don't actually send emails, cache them for viewing via letter opener
   config.action_mailer.delivery_method = :letter_opener
-  # Don't care if the mailer can't send
+  # Uncomment if you wish to allow Action Cable access from any origin.
+  # config.action_cable.disable_request_forgery_protection = true
+
+  # Raise error when a before_action's only/except options reference missing actions.
+  config.action_controller.raise_on_missing_callback_actions = true
+
+  # Notice if the mailer can't send
   config.action_mailer.raise_delivery_errors = true
+
   # Base URL to be used by email template link helpers
-  config.action_mailer.default_url_options = { host: "localhost:3000", protocol: "http" }
+  config.action_mailer.default_url_options = {
+    host: "localhost:3000", # TODO port: 3000
+    protocol: "http"
+  }
+
+  config.action_mailer.default_options = {
+    from: "accounts@localhost",
+    message_id: -> { "<#{Mail.random_tag}@localhost>" },
+  }
 
   # Allow requests from any IP
   config.web_console.permissions = '0.0.0.0/0'

config/environments/production.rb

@@ -1,8 +1,10 @@
+require "active_support/core_ext/integer/time"
+
 Rails.application.configure do
   # Settings specified here will take precedence over those in config/application.rb.
 
   # Code is not reloaded between requests.
-  config.cache_classes = true
+  config.enable_reloading = false
 
   # Eager load code on boot. This eager loads most of Rails and
   # your application in memory, allowing both threaded web servers
@@ -11,11 +13,11 @@ Rails.application.configure do
   config.eager_load = true
 
   # Full error reports are disabled and caching is turned on.
-  config.consider_all_requests_local       = false
+  config.consider_all_requests_local = false
   config.action_controller.perform_caching = true
 
-  # Ensures that a master key has been made available in either ENV["RAILS_MASTER_KEY"]
+  # Ensures that a master key has been made available in ENV["RAILS_MASTER_KEY"], config/master.key, or an environment
-  # or in config/master.key. This key is used to decrypt credentials (and other encrypted files).
+  # key such as config/credentials/production.key. This key is used to decrypt credentials (and other encrypted files).
   # config.require_master_key = true
 
   # Disable serving static files from the `/public` folder by default since
@@ -29,32 +31,47 @@ Rails.application.configure do
   config.assets.compile = false
 
   # Enable serving of images, stylesheets, and JavaScripts from an asset server.
-  # config.action_controller.asset_host = 'http://assets.example.com'
+  # config.asset_host = "http://assets.example.com"
 
   # Specifies the header that your server uses for sending files.
-  # config.action_dispatch.x_sendfile_header = 'X-Sendfile' # for Apache
+  # config.action_dispatch.x_sendfile_header = "X-Sendfile" # for Apache
-  # config.action_dispatch.x_sendfile_header = 'X-Accel-Redirect' # for NGINX
+  # config.action_dispatch.x_sendfile_header = "X-Accel-Redirect" # for NGINX
 
   # Mount Action Cable outside main process or domain.
   # config.action_cable.mount_path = nil
-  # config.action_cable.url = 'wss://example.com/cable'
+  # config.action_cable.url = "wss://example.com/cable"
-  # config.action_cable.allowed_request_origins = [ 'http://example.com', /http:\/\/example.*/ ]
+  # config.action_cable.allowed_request_origins = [ "http://example.com", /http:\/\/example.*/ ]
+
+  # Assume all access to the app is happening through a SSL-terminating reverse proxy.
+  # Can be used together with config.force_ssl for Strict-Transport-Security and secure cookies.
+  # config.assume_ssl = true
 
   # Force all access to the app over SSL, use Strict-Transport-Security, and use secure cookies.
   # config.force_ssl = true
 
-  # Use the lowest log level to ensure availability of diagnostic information
+  # Skip http-to-https redirect for the default health check endpoint.
-  # when problems arise.
+  # config.ssl_options = { redirect: { exclude: ->(request) { request.path == "/up" } } }
-  config.log_level = :debug
+
+  # Log to STDOUT if configured
+  if ENV["RAILS_LOG_TO_STDOUT"].present?
+    config.logger = ActiveSupport::Logger.new(STDOUT)
+      .tap  { |logger| logger.formatter = ::Logger::Formatter.new }
+      .then { |logger| ActiveSupport::TaggedLogging.new(logger) }
+  end
 
   # Prepend all log lines with the following tags.
   config.log_tags = [ :request_id ]
 
+  # "info" includes generic and useful information about system operation, but avoids logging too much
+  # information to avoid inadvertent exposure of personally identifiable information (PII). If you
+  # want to log everything, set the level to "debug".
+  config.log_level = ENV.fetch("RAILS_LOG_LEVEL", "info")
+
   # Use a different cache store in production.
   # config.cache_store = :mem_cache_store
 
   # Use a real queuing backend for Active Job (and separate queues per environment).
-  # config.active_job.queue_adapter     = :resque
+  # config.active_job.queue_adapter = :resque
   # config.active_job.queue_name_prefix = "akkounts_production"
 
   # E-mail settings, adapted from https://github.com/mastodon/mastodon
@@ -63,7 +80,7 @@ Rails.application.configure do
   outgoing_email_domain  = Mail::Address.new(outgoing_email_address).domain
 
   config.action_mailer.default_url_options = {
-    host: ENV['AKKOUNTS_DOMAIN'],
+    host: ENV.fetch('AKKOUNTS_DOMAIN'),
     protocol: "https",
   }
 
@@ -106,6 +123,10 @@ Rails.application.configure do
 
   config.action_mailer.delivery_method = ENV.fetch('SMTP_DELIVERY_METHOD', 'smtp').to_sym
 
+  # Disable caching for Action Mailer templates even if Action Controller
+  # caching is enabled.
+  config.action_mailer.perform_caching = false
+
   # Ignore bad email addresses and do not raise email delivery errors.
   # Set this to true and configure the email server for immediate delivery to raise delivery errors.
   config.action_mailer.raise_delivery_errors = true
@@ -120,43 +141,21 @@ Rails.application.configure do
   # the I18n.default_locale when a translation cannot be found).
   config.i18n.fallbacks = true
 
-  # Send deprecation notices to registered listeners.
+  # Don't log any deprecations.
-  config.active_support.deprecation = :notify
+  config.active_support.report_deprecations = true
-
-  # Use default logging formatter so that PID and timestamp are not suppressed.
-  config.log_formatter = ::Logger::Formatter.new
-
-  # Use a different logger for distributed setups.
-  # require 'syslog/logger'
-  # config.logger = ActiveSupport::TaggedLogging.new(Syslog::Logger.new 'app-name')
-
-  if ENV["RAILS_LOG_TO_STDOUT"].present?
-    logger           = ActiveSupport::Logger.new(STDOUT)
-    logger.formatter = config.log_formatter
-    config.logger    = ActiveSupport::TaggedLogging.new(logger)
-  end
 
   # Do not dump schema after migrations.
+
   config.active_record.dump_schema_after_migration = false
 
-  # Inserts middleware to perform automatic connection switching.
+  # Only use :id for inspections in production.
-  # The `database_selector` hash is used to pass options to the DatabaseSelector
+  config.active_record.attributes_for_inspect = [ :id ]
-  # middleware. The `delay` is used to determine how long to wait after a write
+
-  # to send a subsequent read to the primary.
+  # Enable DNS rebinding protection and other `Host` header attacks.
-  #
+  # config.hosts = [
-  # The `database_resolver` class is used by the middleware to determine which
+  #   "example.com",     # Allow requests from example.com
-  # database is appropriate to use based on the time delay.
+  #   /.*\.example\.com/ # Allow requests from subdomains like `www.example.com`
-  #
+  # ]
-  # The `database_resolver_context` class is used by the middleware to set
+  # Skip DNS rebinding protection for the default health check endpoint.
-  # timestamps for the last write to the primary. The resolver uses the context
+  # config.host_authorization = { exclude: ->(request) { request.path == "/up" } }
-  # class timestamps to determine how long to wait before reading from the
-  # replica.
-  #
-  # By default Rails will store a last write timestamp in the session. The
-  # DatabaseSelector middleware is designed as such you can define your own
-  # strategy for connection switching and pass that into the middleware through
-  # these configuration options.
-  # config.active_record.database_selector = { delay: 2.seconds }
-  # config.active_record.database_resolver = ActiveRecord::Middleware::DatabaseSelector::Resolver
-  # config.active_record.database_resolver_context = ActiveRecord::Middleware::DatabaseSelector::Resolver::Session
 end

config/environments/test.rb

@@ -1,3 +1,5 @@
+require "active_support/core_ext/integer/time"
+
 # The test environment is used exclusively to run your application's
 # test suite. You never need to work with it otherwise. Remember that
 # your test database is "scratch space" for the test suite and is wiped
@@ -6,31 +8,33 @@
 Rails.application.configure do
   # Settings specified here will take precedence over those in config/application.rb.
 
-  config.cache_classes = false
+  # While tests run files are not watched, reloading is not necessary.
-  config.action_view.cache_template_loading = true
+  config.enable_reloading = false
 
-  # Do not eager load code on boot. This avoids loading your whole application
+  # Eager loading loads your entire application. When running a single test locally,
-  # just for the purpose of running a single test. If you are using a tool that
+  # this is usually not necessary, and can slow down your test suite. However, it's
-  # preloads Rails for running tests, you may have to set it to true.
+  # recommended that you enable it in continuous integration systems to ensure eager
-  config.eager_load = false
+  # loading is working properly before deploying your code.
+  config.eager_load = ENV["CI"].present?
 
   # Configure public file server for tests with Cache-Control for performance.
-  config.public_file_server.enabled = true
+  config.public_file_server.headers = { "Cache-Control" => "public, max-age=#{1.hour.to_i}" }
-  config.public_file_server.headers = {
-    'Cache-Control' => "public, max-age=#{1.hour.to_i}"
-  }
 
   # Show full error reports and disable caching.
-  config.consider_all_requests_local       = true
+  config.consider_all_requests_local = true
   config.action_controller.perform_caching = false
   config.cache_store = :null_store
 
-  # Raise exceptions instead of rendering exception templates.
+  # Render exception templates for rescuable exceptions and raise for other exceptions.
-  config.action_dispatch.show_exceptions = :none
+  config.action_dispatch.show_exceptions = :rescuable
 
   # Disable request forgery protection in test environment.
   config.action_controller.allow_forgery_protection = false
 
+  config.active_job.queue_adapter = :test
+
+  # Disable caching for Action Mailer templates even if Action Controller
+  # caching is enabled.
   config.action_mailer.perform_caching = false
 
   # Tell Action Mailer not to deliver emails to the real world.
@@ -38,23 +42,37 @@ Rails.application.configure do
   # ActionMailer::Base.deliveries array.
   config.action_mailer.delivery_method = :test
 
-  # Print deprecation notices to the stderr.
+  config.action_mailer.default_options = {
-  config.active_support.deprecation = :stderr
+    from: "accounts@kosmos.org",
-
+    message_id: -> { "<#{Mail.random_tag}@kosmos.org>" },
-  # Raises error for missing translations.
+  }
-  # config.action_view.raise_on_missing_translations = true
 
   config.action_mailer.default_url_options = {
     host: "accounts.kosmos.org",
-    protocol: "https",
+    protocol: "https"
-    from: "accounts@kosmos.org"
   }
 
-  config.active_job.queue_adapter = :test
+  # Print deprecation notices to the stderr.
+  config.active_support.deprecation = :stderr
+
+  # Raise exceptions for disallowed deprecations.
+  config.active_support.disallowed_deprecation = :raise
+
+  # Tell Active Support which deprecation messages to disallow.
+  config.active_support.disallowed_deprecation_warnings = []
+
+  # Raises error for missing translations.
+  # config.i18n.raise_on_missing_translations = true
+
+  # Annotate rendered view with file names.
+  # config.action_view.annotate_rendered_view_with_filenames = true
 
   if ENV["S3_ENABLED"] && ENV["S3_ENABLED"].to_s != "false"
     config.active_storage.service = :s3
   else
     config.active_storage.service = :local
   end
+
+  # Raise error when a before_action's only/except options reference missing actions.
+  config.action_controller.raise_on_missing_callback_actions = true
 end

config/initializers/assets.rb

@@ -1,7 +1,7 @@
 # Be sure to restart your server when you modify this file.
 
 # Version of your assets, change this if you want to expire all your assets.
-Rails.application.config.assets.version = '1.0'
+Rails.application.config.assets.version = "1.0"
 
 # Add additional assets to the asset load path.
 # Rails.application.config.assets.paths << Emoji.images_path
@@ -11,4 +11,4 @@ Rails.application.config.assets.paths << Rails.root.join('node_modules')
 # Precompile additional assets.
 # application.js, application.css, and all non-JS/CSS in the app/assets
 # folder are already added.
-# Rails.application.config.assets.precompile += %w( admin.js admin.css )
+# Rails.application.config.assets.precompile += %w[ admin.js admin.css ]

config/initializers/content_security_policy.rb

@@ -1,30 +1,25 @@
 # Be sure to restart your server when you modify this file.
 
-# Define an application-wide content security policy
+# Define an application-wide content security policy.
-# For further information see the following documentation
+# See the Securing Rails Applications Guide for more information:
-# https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy
+# https://guides.rubyonrails.org/security.html#content-security-policy-header
 
-# Rails.application.config.content_security_policy do |policy|
+# Rails.application.configure do
-#   policy.default_src :self, :https
+#   config.content_security_policy do |policy|
-#   policy.font_src    :self, :https, :data
+#     policy.default_src :self, :https
-#   policy.img_src     :self, :https, :data
+#     policy.font_src    :self, :https, :data
-#   policy.object_src  :none
+#     policy.img_src     :self, :https, :data
-#   policy.script_src  :self, :https
+#     policy.object_src  :none
-#   policy.style_src   :self, :https
+#     policy.script_src  :self, :https
-#   # If you are using webpack-dev-server then specify webpack-dev-server host
+#     policy.style_src   :self, :https
-#   policy.connect_src :self, :https, "http://localhost:3035", "ws://localhost:3035" if Rails.env.development?
+#     # Specify URI for violation reports
-
+#     # policy.report_uri "/csp-violation-report-endpoint"
-#   # Specify URI for violation reports
+#   end
-#   # policy.report_uri "/csp-violation-report-endpoint"
+#
+#   # Generate session nonces for permitted importmap, inline scripts, and inline styles.
+#   config.content_security_policy_nonce_generator = ->(request) { request.session.id.to_s }
+#   config.content_security_policy_nonce_directives = %w(script-src style-src)
+#
+#   # Report violations without enforcing the policy.
+#   # config.content_security_policy_report_only = true
 # end
-
-# If you are using UJS then enable automatic nonce generation
-# Rails.application.config.content_security_policy_nonce_generator = -> request { SecureRandom.base64(16) }
-
-# Set the nonce only to specific directives
-# Rails.application.config.content_security_policy_nonce_directives = %w(script-src)
-
-# Report CSP violations to a specified URI
-# For further information see the following documentation:
-# https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy-Report-Only
-# Rails.application.config.content_security_policy_report_only = true

config/initializers/filter_parameter_logging.rb

@@ -1,4 +1,8 @@
 # Be sure to restart your server when you modify this file.
 
-# Configure sensitive parameters which will be filtered from the log file.
+# Configure parameters to be partially matched (e.g. passw matches password) and filtered from the log file.
-Rails.application.config.filter_parameters += [:password]
+# Use this to limit dissemination of sensitive information.
+# See the ActiveSupport::ParameterFilter documentation for supported notations and behaviors.
+Rails.application.config.filter_parameters += [
+  :password, :email, :secret, :token, :_key, :crypt, :salt, :certificate, :otp, :ssn
+]

config/initializers/inflections.rb

@@ -4,13 +4,13 @@
 # are locale specific, and you may define rules for as many different
 # locales as you wish. All of these examples are active by default:
 # ActiveSupport::Inflector.inflections(:en) do |inflect|
-#   inflect.plural /^(ox)$/i, '\1en'
+#   inflect.plural /^(ox)$/i, "\\1en"
-#   inflect.singular /^(ox)en/i, '\1'
+#   inflect.singular /^(ox)en/i, "\\1"
-#   inflect.irregular 'person', 'people'
+#   inflect.irregular "person", "people"
 #   inflect.uncountable %w( fish sheep )
 # end
 
 # These inflection rules are supported but not enabled by default:
 # ActiveSupport::Inflector.inflections(:en) do |inflect|
-#   inflect.acronym 'RESTful'
+#   inflect.acronym "RESTful"
 # end

config/initializers/mailer_host.rb

@@ -1 +0,0 @@
-Rails.application.routes.default_url_options[:host] = ENV['APP_DOMAIN']

config/initializers/permissions_policy.rb

@@ -0,0 +1,13 @@
+# Be sure to restart your server when you modify this file.
+
+# Define an application-wide HTTP permissions policy. For further
+# information see: https://developers.google.com/web/updates/2018/06/feature-policy
+
+# Rails.application.config.permissions_policy do |policy|
+#   policy.camera      :none
+#   policy.gyroscope   :none
+#   policy.microphone  :none
+#   policy.usb         :none
+#   policy.fullscreen  :self
+#   policy.payment     :self, "https://secure.example.com"
+# end

config/initializers/service_details.rb

@@ -0,0 +1,2 @@
+config_path = Rails.root.join('config', 'services.yml')
+SERVICES = YAML.load_file(config_path).deep_symbolize_keys.with_indifferent_access

config/puma.rb

@@ -1,38 +1,35 @@
-# Puma can serve each request in a thread from an internal thread pool.
+# This configuration file will be evaluated by Puma. The top-level methods that
-# The `threads` method setting takes two numbers: a minimum and maximum.
+# are invoked here are part of Puma's configuration DSL. For more information
-# Any libraries that use thread pools should be configured to match
+# about methods provided by the DSL, see https://puma.io/puma/Puma/DSL.html.
-# the maximum value specified for Puma. Default is set to 5 threads for minimum
+
-# and maximum; this matches the default thread size of Active Record.
+# Puma starts a configurable number of processes (workers) and each process
+# serves each request in a thread from an internal thread pool.
 #
-max_threads_count = ENV.fetch("RAILS_MAX_THREADS") { 5 }
+# The ideal number of threads per worker depends both on how much time the
-min_threads_count = ENV.fetch("RAILS_MIN_THREADS") { max_threads_count }
+# application spends waiting for IO operations and on how much you wish to
+# to prioritize throughput over latency.
+#
+# As a rule of thumb, increasing the number of threads will increase how much
+# traffic a given process can handle (throughput), but due to CRuby's
+# Global VM Lock (GVL) it has diminishing returns and will degrade the
+# response time (latency) of the application.
+#
+# The default is set to 3 threads as it's deemed a decent compromise between
+# throughput and latency for the average Rails application.
+#
+# Any libraries that use a connection pool or another resource pool should
+# be configured to provide at least as many connections as the number of
+# threads. This includes Active Record's `pool` parameter in `database.yml`.
+max_threads_count = ENV.fetch("RAILS_MAX_THREADS", 5)
+min_threads_count = ENV.fetch("RAILS_MAX_THREADS", 3)
 threads min_threads_count, max_threads_count
 
-# Specifies the `port` that Puma will listen on to receive requests; default is 3000.
+port ENV.fetch("PORT", 3000)
-#
-port        ENV.fetch("PORT") { 3000 }
-
-# Specifies the `environment` that Puma will run in.
-#
 environment ENV.fetch("RAILS_ENV") { "development" }
 
-# Specifies the `pidfile` that Puma will use.
+# Allow puma to be restarted by `bin/rails restart` command.
-pidfile ENV.fetch("PIDFILE") { "tmp/pids/server.pid" }
-
-# Specifies the number of `workers` to boot in clustered mode.
-# Workers are forked web server processes. If using threads and workers together
-# the concurrency of the application would be max `threads` * `workers`.
-# Workers do not work on JRuby or Windows (both of which do not support
-# processes).
-#
-# workers ENV.fetch("WEB_CONCURRENCY") { 2 }
-
-# Use the `preload_app!` method when specifying a `workers` number.
-# This directive tells Puma to first boot the application and load code
-# before forking the application. This takes advantage of Copy On Write
-# process behavior so workers use less memory.
-#
-# preload_app!
-
-# Allow puma to be restarted by `rails restart` command.
 plugin :tmp_restart
+
+# Specify the PID file. Defaults to tmp/pids/server.pid in development.
+# In other environments, only set the PID file if requested.
+pidfile ENV["PIDFILE"] if ENV["PIDFILE"]

config/routes.rb

@@ -70,10 +70,12 @@ Rails.application.routes.draw do
 
   get '.well-known/webfinger', to: 'webfinger#show'
   get '.well-known/nostr', to: 'well_known#nostr'
-  get '.well-known/lnurlp/:username', to: 'lnurlpay#index', as: 'lightning_address'
+  get '.well-known/lnurlp/:username', to: 'lnurlpay#index', as: :lightning_address
-  get '.well-known/keysend/:username', to: 'lnurlpay#keysend', as: 'lightning_address_keysend'
+  get '.well-known/keysend/:username', to: 'lnurlpay#keysend', as: :lightning_address_keysend
+  get '.well-known/openpgpkey/hu/:hashed_username(.:format)', to: 'web_key_directory#show', as: :wkd_key
+  get '.well-known/openpgpkey/policy', to: 'web_key_directory#policy'
 
-  get 'lnurlpay/:username/invoice', to: 'lnurlpay#invoice', as: 'lnurlpay_invoice'
+  get 'lnurlpay/:username/invoice', to: 'lnurlpay#invoice', as: :lnurlpay_invoice
 
   post 'webhooks/lndhub', to: 'webhooks#lndhub'
 

config/services.yml

@@ -0,0 +1,30 @@
+internal:
+  btcpay:
+    name: BTCPay Server
+  postgres:
+    name: PostgreSQL
+  sentry:
+    name: Sentry
+external:
+  discourse:
+    name: Discourse
+  droneci:
+    name: Drone CI
+  ejabberd:
+    display_name: Chat
+  email:
+    name: E-Mail
+  gitea:
+    name: Gitea
+  lndhub:
+    name: LNDHub
+    display_name: Lightning Network
+  mastodon:
+    name: Mastodon
+  mediawiki:
+    name: MediaWiki
+  nostr:
+    name: Nostr
+  remotestorage:
+    name: remoteStorage
+    display_name: Storage

config/sidekiq.yml

@@ -1,4 +1,6 @@
 :concurrency: 2
+production:
+  :concurrency: 10
 :queues:
   - default
   - mailers

db/migrate/20240922205634_add_pgp_fpr_to_users.rb

@@ -0,0 +1,5 @@
+class AddPgpFprToUsers < ActiveRecord::Migration[7.1]
+  def change
+    add_column :users, :pgp_fpr, :string
+  end
+end

db/schema.rb

@@ -10,7 +10,7 @@
 #
 # It's strongly recommended that you check this file into your version control system.
 
-ActiveRecord::Schema[7.1].define(version: 2024_06_07_123654) do
+ActiveRecord::Schema[7.1].define(version: 2024_09_22_205634) do
   create_table "active_storage_attachments", force: :cascade do |t|
     t.string "name", null: false
     t.string "record_type", null: false
@@ -132,6 +132,7 @@ ActiveRecord::Schema[7.1].define(version: 2024_06_07_123654) do
     t.datetime "remember_created_at"
     t.string "remember_token"
     t.text "preferences"
+    t.string "pgp_fpr"
     t.index ["email"], name: "index_users_on_email", unique: true
     t.index ["reset_password_token"], name: "index_users_on_reset_password_token", unique: true
   end

db/seeds.rb

@@ -7,7 +7,7 @@ Sidekiq::Testing.inline! do
 
   puts "Create user: admin"
 
-  CreateAccount.call(account: {
+  UserManager::CreateAccount.call(account: {
     username: "admin", domain: "kosmos.org", email: "admin@example.com",
     password: "admin is admin", confirmed: true
   })
@@ -20,7 +20,7 @@ Sidekiq::Testing.inline! do
     email = Faker::Internet.unique.email
     next if username.length < 3
 
-    CreateAccount.call(account: {
+    UserManager::CreateAccount.call(account: {
       username: username, domain: "kosmos.org", email: email,
       password: "user is user", confirmed: true
     })

db/seeds/admin.asc

@@ -0,0 +1,13 @@
+-----BEGIN PGP PUBLIC KEY BLOCK-----
+
+mDMEZvGiUxYJKwYBBAHaRw8BAQdARPZXLqyB3nylJuzuARlOJxqc9mchMKHI4Cy+
+hPWlzja0GEFkbWluIDxhZG1pbkBrb3Ntb3Mub3JnPoiZBBMWCgBBFiEE0pie1+fG
+ImdZwzGnwgEYSg8AulYFAmbxolMCGwMFCQWjmoAFCwkIBwICIgIGFQoJCAsCBBYC
+AwECHgcCF4AACgkQwgEYSg8AulaldAEA7yzh7XRCdIJDHgLUvKHsy2NnyLaDD1Tl
+hyZWbl5og0IBAJAQ2Dm82YXMdUK3X1OGlK8KH5O4E5lSFY4+8/xx0UEJuDgEZvGi
+UxIKKwYBBAGXVQEFAQEHQJc8pzzeIF7Hm5z1eseRAqGvFa+V1BIDf+1XQzuJhhxi
+AwEIB4h+BBgWCgAmFiEE0pie1+fGImdZwzGnwgEYSg8AulYFAmbxolMCGwwFCQWj
+moAACgkQwgEYSg8AulbLtgEApZvuDqSP77lrl1jmtCAJEEZk/ofsRFkf1g3U3Zhm
+9PcA/1+AbcyqjLTcqIPjHmZyGEPiaAvEsBzbPKEPiL3JYhkG
+=45sx
+-----END PGP PUBLIC KEY BLOCK-----

doc/integrations/strfry.md

@@ -1,29 +0,0 @@
-# strfry (nostr relay)
-
-## LDAP policy
-
-...
-
-## Useful scripts
-
-### Syncing events for all local nostr users from a remote relay
-
-You can sync all events of all local users with a pubkey stored in LDAP from a
-specified remote relay to the local relay with the `strfry-sync.ts` script:
-
-    deno run -A /opt/strfry-sync.ts wss://relay.example.com
-
-Doing the same with Docker Compose (great for seeding data to your local relay
-in development):
-
-    docker compose run strfry deno run -A /opt/strfry-sync.ts wss://relay.example.com
-
-## Docker image
-
-In order to use the LDAP policy with Docker, you will need
-[Deno](https://deno.com/) installed in your strfry container. We provide a
-custom Docker image for strfry with Deno included (which we use in
-development):
-
-* Registry: https://gitea.kosmos.org/kosmos/-/packages/container/strfry-deno/1.1.1
-* Source: https://github.com/raucao/strfry/blob/docker_deno/ubuntu.Dockerfile

docker-compose.yml

@@ -111,7 +111,7 @@ services:
       - redis
 
   strfry:
-    image: gitea.kosmos.org/kosmos/strfry-deno:1.1.1
+    image: gitea.kosmos.org/kosmos/strfry-deno:2.0.0
     volumes:
       - ./docker/strfry/strfry.conf:/etc/strfry.conf
       - ./extras/strfry:/opt/strfry

docs/dev/nostr.md

@@ -0,0 +1,57 @@
+# Nostr
+
+## strfry
+
+The `extras/strfry` directory contains code to integrate [strfry][1] with
+akkounts, so that notes published to the relay have to be authored by (or in
+some cases just related to) local users who have verified their Nostr public
+key.
+
+### Requirements
+
+[Deno](https://deno.com/) needs to be installed on the machine that you run
+strfry on.
+
+We provide a Docker image with recent strfry and Deno builds:
+
+https://gitea.kosmos.org/kosmos/-/packages/container/strfry-deno/
+
+### Configuration
+
+You can use either environment variables (see e.g. the `strfry` service in
+`docker-compose-yml`) or a local `.env` file in the same working directory
+that you place the extra files in (e.g. `/opt/strfry`).
+
+In your `strfry.conf`, configure `strfry-policy.ts` as the write policy, like so:
+
+```
+writePolicy {
+    plugin = "/opt/strfry/strfry-policy.ts"
+}
+```
+
+All dependencies will be downloaded and cached automatically when the plugin is
+called for the first time.
+
+### Manual tasks
+
+You can sync all notes authored by local users (any account that has verified
+their Nostr pubkey with akkounts) from a remote [strfry][1] relay via negentropy
+sync:
+
+    deno run -A /opt/strfry/strfry-sync.ts wss://nostr.kosmos.org
+
+Or, in the running container when using Docker Compose:
+
+    docker compose exec strfry deno run -A /opt/strfry/strfry-sync.ts wss://nostr.kosmos.org
+
+The `strfry` service container also exposes the local relay on your local host
+on port 4777.
+
+[nak](https://github.com/fiatjaf/nak) is a helpful tool for manual Nostr tasks.
+Here's how you can grab a note by its event ID from a remote relay and publish
+it to your local strfry for example:
+
+    nak req -i 0fb010192685b86b0810b3de3706fbbf3b8c1db30b14533094a2b9700c820cdc nostr.kosmos.org | nak event ws://localhost:4777
+
+[1]: https://github.com/hoytech/strfry

extras/strfry/deno.lock

@@ -1,101 +1,231 @@
 {
-  "version": "3",
+  "version": "4",
-  "packages": {
+  "specifiers": {
-    "specifiers": {
+    "jsr:@nostr/tools@*": "2.3.1",
-      "jsr:@nostr/tools@^2.3.1": "jsr:@nostr/tools@2.3.1",
+    "jsr:@nostr/tools@^2.3.1": "2.3.1",
-      "npm:@noble/ciphers@^0.5.1": "npm:@noble/ciphers@0.5.3",
+    "jsr:@nostrify/nostrify@0.36": "0.36.2",
-      "npm:@noble/curves@1.2.0": "npm:@noble/curves@1.2.0",
+    "jsr:@nostrify/policies@*": "0.36.1",
-      "npm:@noble/hashes@1.3.1": "npm:@noble/hashes@1.3.1",
+    "jsr:@nostrify/strfry@*": "0.2.1",
-      "npm:@scure/base@1.1.1": "npm:@scure/base@1.1.1",
+    "jsr:@nostrify/types@0.35": "0.35.0",
-      "npm:ldapts": "npm:ldapts@7.0.12"
+    "jsr:@nostrify/types@0.36": "0.36.0",
+    "jsr:@std/bytes@^1.0.5": "1.0.5",
+    "jsr:@std/encoding@~0.224.1": "0.224.3",
+    "jsr:@std/json@^1.0.1": "1.0.1",
+    "jsr:@std/streams@^1.0.7": "1.0.9",
+    "jsr:@std/streams@^1.0.8": "1.0.9",
+    "npm:@noble/ciphers@~0.5.1": "0.5.3",
+    "npm:@noble/curves@1.2.0": "1.2.0",
+    "npm:@noble/hashes@1.3.1": "1.3.1",
+    "npm:@scure/base@1.1.1": "1.1.1",
+    "npm:@scure/bip32@^1.4.0": "1.6.2",
+    "npm:@scure/bip39@^1.3.0": "1.5.4",
+    "npm:ldapts@*": "7.0.12",
+    "npm:lru-cache@^10.2.0": "10.4.3",
+    "npm:nostr-tools@^2.7.0": "2.12.0",
+    "npm:websocket-ts@^2.1.5": "2.2.1",
+    "npm:zod@^3.23.8": "3.24.2"
+  },
+  "jsr": {
+    "@nostr/tools@2.3.1": {
+      "integrity": "af01dc45cb28784c584d7a0699707196f397bcc53946efa582a01b11ddde4d61",
+      "dependencies": [
+        "npm:@noble/ciphers",
+        "npm:@noble/curves",
+        "npm:@noble/hashes",
+        "npm:@scure/base"
+      ]
     },
-    "jsr": {
+    "@nostrify/nostrify@0.36.2": {
-      "@nostr/tools@2.3.1": {
+      "integrity": "cc4787ca170b623a2e5dfed1baa4426077daa6143af728ea7dd325d58f4d04d6",
-        "integrity": "af01dc45cb28784c584d7a0699707196f397bcc53946efa582a01b11ddde4d61",
+      "dependencies": [
-        "dependencies": [
+        "jsr:@nostrify/types@0.35",
-          "npm:@noble/ciphers@^0.5.1",
+        "jsr:@std/encoding",
-          "npm:@noble/curves@1.2.0",
+        "npm:@scure/bip32",
-          "npm:@noble/hashes@1.3.1",
+        "npm:@scure/bip39",
-          "npm:@scure/base@1.1.1"
+        "npm:lru-cache",
-        ]
+        "npm:nostr-tools",
-      }
+        "npm:websocket-ts",
+        "npm:zod"
+      ]
     },
-    "npm": {
+    "@nostrify/policies@0.36.1": {
-      "@noble/ciphers@0.5.3": {
+      "integrity": "6d59af115a687fcd18b6caebab0e4f50ee6cdb0aafa2aacd0aec2065021275b4",
-        "integrity": "sha512-B0+6IIHiqEs3BPMT0hcRmHvEj2QHOLu+uwt+tqDDeVd0oyVzh7BPrDcPjRnV1PV/5LaknXJJQvOuRGR0zQJz+w==",
+      "dependencies": [
-        "dependencies": {}
+        "jsr:@nostrify/nostrify",
-      },
+        "jsr:@nostrify/types@0.35",
-      "@noble/curves@1.2.0": {
+        "npm:nostr-tools"
-        "integrity": "sha512-oYclrNgRaM9SsBUBVbb8M6DTV7ZHRTKugureoYEncY5c65HOmRzvSiTE3y5CYaPYJA/GVkrhXEoF0M3Ya9PMnw==",
+      ]
-        "dependencies": {
+    },
-          "@noble/hashes": "@noble/hashes@1.3.2"
+    "@nostrify/strfry@0.2.1": {
-        }
+      "integrity": "be437b13f49e6564e557da23072bf642723a603568f672543a64d9fda6663432",
-      },
+      "dependencies": [
-      "@noble/hashes@1.3.1": {
+        "jsr:@nostrify/types@0.36",
-        "integrity": "sha512-EbqwksQwz9xDRGfDST86whPBgM65E0OH/pCgqW0GBVzO22bNE+NuIbeTb714+IfSjU3aRk47EUvXIb5bTsenKA==",
+        "jsr:@std/json",
-        "dependencies": {}
+        "jsr:@std/streams@^1.0.8"
-      },
+      ]
-      "@noble/hashes@1.3.2": {
+    },
-        "integrity": "sha512-MVC8EAQp7MvEcm30KWENFjgR+Mkmf+D189XJTkFIlwohU5hcBbn1ZkKq7KVTi2Hme3PMGF390DaL52beVrIihQ==",
+    "@nostrify/types@0.35.0": {
-        "dependencies": {}
+      "integrity": "b8d515563d467072694557d5626fa1600f74e83197eef45dd86a9a99c64f7fe6"
-      },
+    },
-      "@scure/base@1.1.1": {
+    "@nostrify/types@0.36.0": {
-        "integrity": "sha512-ZxOhsSyxYwLJj3pLZCefNitxsj093tb2vq90mp2txoYeBqbcjDjqFhyM8eUjq/uFm6zJ+mUuqxlS2FkuSY1MTA==",
+      "integrity": "b3413467debcbd298d217483df4e2aae6c335a34765c90ac7811cf7c637600e7"
-        "dependencies": {}
+    },
-      },
+    "@std/bytes@1.0.5": {
-      "@types/asn1@0.2.4": {
+      "integrity": "4465dd739d7963d964c809202ebea6d5c6b8e3829ef25c6a224290fbb8a1021e"
-        "integrity": "sha512-V91DSJ2l0h0gRhVP4oBfBzRBN9lAbPUkGDMCnwedqPKX2d84aAMc9CulOvxdw1f7DfEYx99afab+Rsm3e52jhA==",
+    },
-        "dependencies": {
+    "@std/encoding@0.224.3": {
-          "@types/node": "@types/node@18.16.19"
+      "integrity": "5e861b6d81be5359fad4155e591acf17c0207b595112d1840998bb9f476dbdaf"
-        }
+    },
-      },
+    "@std/json@1.0.1": {
-      "@types/node@18.16.19": {
+      "integrity": "1f0f70737e8827f9acca086282e903677bc1bb0c8ffcd1f21bca60039563049f",
-        "integrity": "sha512-IXl7o+R9iti9eBW4Wg2hx1xQDig183jj7YLn8F7udNceyfkbn1ZxmzZXuak20gR40D7pIkIY1kYGx5VIGbaHKA==",
+      "dependencies": [
-        "dependencies": {}
+        "jsr:@std/streams@^1.0.7"
-      },
+      ]
-      "@types/uuid@9.0.8": {
+    },
-        "integrity": "sha512-jg+97EGIcY9AGHJJRaaPVgetKDsrTgbRjQ5Msgjh/DQKEFl0DtyRr/VCOyD1T2R1MNeWPK/u7JoGhlDZnKBAfA==",
+    "@std/streams@1.0.9": {
-        "dependencies": {}
+      "integrity": "a9d26b1988cdd7aa7b1f4b51e1c36c1557f3f252880fa6cc5b9f37078b1a5035",
-      },
+      "dependencies": [
-      "asn1@0.2.6": {
+        "jsr:@std/bytes"
-        "integrity": "sha512-ix/FxPn0MDjeyJ7i/yoHGFt/EX6LyNbxSEhPPXODPL+KB0VPk86UYfL0lMdy+KCnv+fmvIzySwaK5COwqVbWTQ==",
+      ]
-        "dependencies": {
+    }
-          "safer-buffer": "safer-buffer@2.1.2"
+  },
-        }
+  "npm": {
-      },
+    "@noble/ciphers@0.5.3": {
-      "debug@4.3.5": {
+      "integrity": "sha512-B0+6IIHiqEs3BPMT0hcRmHvEj2QHOLu+uwt+tqDDeVd0oyVzh7BPrDcPjRnV1PV/5LaknXJJQvOuRGR0zQJz+w=="
-        "integrity": "sha512-pt0bNEmneDIvdL1Xsd9oDQ/wrQRkXDT4AUWlNZNPKvW5x/jyO9VFXkJUP07vQ2upmw5PlaITaPKc31jK13V+jg==",
+    },
-        "dependencies": {
+    "@noble/curves@1.1.0": {
-          "ms": "ms@2.1.2"
+      "integrity": "sha512-091oBExgENk/kGj3AZmtBDMpxQPDtxQABR2B9lb1JbVTs6ytdzZNwvhxQ4MWasRNEzlbEH8jCWFCwhF/Obj5AA==",
-        }
+      "dependencies": [
-      },
+        "@noble/hashes@1.3.1"
-      "ldapts@7.0.12": {
+      ]
-        "integrity": "sha512-orwgIejUi/ZyGah9y8jWZmFUg8Ci5M8WAv0oZjSf3MVuk1sRBdor9Qy1ttGHbYpWj96HXKFunQ8AYZ8WWGp17g==",
+    },
-        "dependencies": {
+    "@noble/curves@1.2.0": {
-          "@types/asn1": "@types/asn1@0.2.4",
+      "integrity": "sha512-oYclrNgRaM9SsBUBVbb8M6DTV7ZHRTKugureoYEncY5c65HOmRzvSiTE3y5CYaPYJA/GVkrhXEoF0M3Ya9PMnw==",
-          "@types/uuid": "@types/uuid@9.0.8",
+      "dependencies": [
-          "asn1": "asn1@0.2.6",
+        "@noble/hashes@1.3.2"
-          "debug": "debug@4.3.5",
+      ]
-          "strict-event-emitter-types": "strict-event-emitter-types@2.0.0",
+    },
-          "uuid": "uuid@9.0.1"
+    "@noble/curves@1.8.2": {
-        }
+      "integrity": "sha512-vnI7V6lFNe0tLAuJMu+2sX+FcL14TaCWy1qiczg1VwRmPrpQCdq5ESXQMqUc2tluRNf6irBXrWbl1mGN8uaU/g==",
-      },
+      "dependencies": [
-      "ms@2.1.2": {
+        "@noble/hashes@1.7.2"
-        "integrity": "sha512-sGkPx+VjMtmA6MX27oA4FBFELFCZZ4S4XqeGOXCv68tT+jb3vk/RyaKWP0PTKyWtmLSM0b+adUTEvbs1PEaH2w==",
+      ]
-        "dependencies": {}
+    },
-      },
+    "@noble/hashes@1.3.1": {
-      "safer-buffer@2.1.2": {
+      "integrity": "sha512-EbqwksQwz9xDRGfDST86whPBgM65E0OH/pCgqW0GBVzO22bNE+NuIbeTb714+IfSjU3aRk47EUvXIb5bTsenKA=="
-        "integrity": "sha512-YZo3K82SD7Riyi0E1EQPojLz7kpepnSQI9IyPbHHg1XXXevb5dJI7tpyN2ADxGcQbHG7vcyRHk0cbwqcQriUtg==",
+    },
-        "dependencies": {}
+    "@noble/hashes@1.3.2": {
-      },
+      "integrity": "sha512-MVC8EAQp7MvEcm30KWENFjgR+Mkmf+D189XJTkFIlwohU5hcBbn1ZkKq7KVTi2Hme3PMGF390DaL52beVrIihQ=="
-      "strict-event-emitter-types@2.0.0": {
+    },
-        "integrity": "sha512-Nk/brWYpD85WlOgzw5h173aci0Teyv8YdIAEtV+N88nDB0dLlazZyJMIsN6eo1/AR61l+p6CJTG1JIyFaoNEEA==",
+    "@noble/hashes@1.7.2": {
-        "dependencies": {}
+      "integrity": "sha512-biZ0NUSxyjLLqo6KxEJ1b+C2NAx0wtDoFvCaXHGgUkeHzf3Xc1xKumFKREuT7f7DARNZ/slvYUwFG6B0f2b6hQ=="
-      },
+    },
-      "uuid@9.0.1": {
+    "@scure/base@1.1.1": {
-        "integrity": "sha512-b+1eJOlsR9K8HJpow9Ok3fiWOWSIcIzXodvv0rQjVoOVNpWMpxf1wZNpt4y9h10odCNrqnYp1OBzRktckBe3sA==",
+      "integrity": "sha512-ZxOhsSyxYwLJj3pLZCefNitxsj093tb2vq90mp2txoYeBqbcjDjqFhyM8eUjq/uFm6zJ+mUuqxlS2FkuSY1MTA=="
-        "dependencies": {}
+    },
-      }
+    "@scure/base@1.2.4": {
+      "integrity": "sha512-5Yy9czTO47mqz+/J8GM6GIId4umdCk1wc1q8rKERQulIoc8VP9pzDcghv10Tl2E7R96ZUx/PhND3ESYUQX8NuQ=="
+    },
+    "@scure/bip32@1.3.1": {
+      "integrity": "sha512-osvveYtyzdEVbt3OfwwXFr4P2iVBL5u1Q3q4ONBfDY/UpOuXmOlbgwc1xECEboY8wIays8Yt6onaWMUdUbfl0A==",
+      "dependencies": [
+        "@noble/curves@1.1.0",
+        "@noble/hashes@1.3.2",
+        "@scure/base@1.1.1"
+      ]
+    },
+    "@scure/bip32@1.6.2": {
+      "integrity": "sha512-t96EPDMbtGgtb7onKKqxRLfE5g05k7uHnHRM2xdE6BP/ZmxaLtPek4J4KfVn/90IQNrU1IOAqMgiDtUdtbe3nw==",
+      "dependencies": [
+        "@noble/curves@1.8.2",
+        "@noble/hashes@1.7.2",
+        "@scure/base@1.2.4"
+      ]
+    },
+    "@scure/bip39@1.2.1": {
+      "integrity": "sha512-Z3/Fsz1yr904dduJD0NpiyRHhRYHdcnyh73FZWiV+/qhWi83wNJ3NWolYqCEN+ZWsUz2TWwajJggcRE9r1zUYg==",
+      "dependencies": [
+        "@noble/hashes@1.3.2",
+        "@scure/base@1.1.1"
+      ]
+    },
+    "@scure/bip39@1.5.4": {
+      "integrity": "sha512-TFM4ni0vKvCfBpohoh+/lY05i9gRbSwXWngAsF4CABQxoaOHijxuaZ2R6cStDQ5CHtHO9aGJTr4ksVJASRRyMA==",
+      "dependencies": [
+        "@noble/hashes@1.7.2",
+        "@scure/base@1.2.4"
+      ]
+    },
+    "@types/asn1@0.2.4": {
+      "integrity": "sha512-V91DSJ2l0h0gRhVP4oBfBzRBN9lAbPUkGDMCnwedqPKX2d84aAMc9CulOvxdw1f7DfEYx99afab+Rsm3e52jhA==",
+      "dependencies": [
+        "@types/node"
+      ]
+    },
+    "@types/node@18.16.19": {
+      "integrity": "sha512-IXl7o+R9iti9eBW4Wg2hx1xQDig183jj7YLn8F7udNceyfkbn1ZxmzZXuak20gR40D7pIkIY1kYGx5VIGbaHKA=="
+    },
+    "@types/uuid@9.0.8": {
+      "integrity": "sha512-jg+97EGIcY9AGHJJRaaPVgetKDsrTgbRjQ5Msgjh/DQKEFl0DtyRr/VCOyD1T2R1MNeWPK/u7JoGhlDZnKBAfA=="
+    },
+    "asn1@0.2.6": {
+      "integrity": "sha512-ix/FxPn0MDjeyJ7i/yoHGFt/EX6LyNbxSEhPPXODPL+KB0VPk86UYfL0lMdy+KCnv+fmvIzySwaK5COwqVbWTQ==",
+      "dependencies": [
+        "safer-buffer"
+      ]
+    },
+    "debug@4.3.5": {
+      "integrity": "sha512-pt0bNEmneDIvdL1Xsd9oDQ/wrQRkXDT4AUWlNZNPKvW5x/jyO9VFXkJUP07vQ2upmw5PlaITaPKc31jK13V+jg==",
+      "dependencies": [
+        "ms"
+      ]
+    },
+    "ldapts@7.0.12": {
+      "integrity": "sha512-orwgIejUi/ZyGah9y8jWZmFUg8Ci5M8WAv0oZjSf3MVuk1sRBdor9Qy1ttGHbYpWj96HXKFunQ8AYZ8WWGp17g==",
+      "dependencies": [
+        "@types/asn1",
+        "@types/uuid",
+        "asn1",
+        "debug",
+        "strict-event-emitter-types",
+        "uuid"
+      ]
+    },
+    "lru-cache@10.4.3": {
+      "integrity": "sha512-JNAzZcXrCt42VGLuYz0zfAzDfAvJWW6AfYlDBQyDV5DClI2m5sAmK+OIO7s59XfsRsWHp02jAJrRadPRGTt6SQ=="
+    },
+    "ms@2.1.2": {
+      "integrity": "sha512-sGkPx+VjMtmA6MX27oA4FBFELFCZZ4S4XqeGOXCv68tT+jb3vk/RyaKWP0PTKyWtmLSM0b+adUTEvbs1PEaH2w=="
+    },
+    "nostr-tools@2.12.0": {
+      "integrity": "sha512-pUWEb020gTvt1XZvTa8AKNIHWFapjsv2NKyk43Ez2nnvz6WSXsrTFE0XtkNLSRBjPn6EpxumKeNiVzLz74jNSA==",
+      "dependencies": [
+        "@noble/ciphers",
+        "@noble/curves@1.2.0",
+        "@noble/hashes@1.3.1",
+        "@scure/base@1.1.1",
+        "@scure/bip32@1.3.1",
+        "@scure/bip39@1.2.1",
+        "nostr-wasm"
+      ]
+    },
+    "nostr-wasm@0.1.0": {
+      "integrity": "sha512-78BTryCLcLYv96ONU8Ws3Q1JzjlAt+43pWQhIl86xZmWeegYCNLPml7yQ+gG3vR6V5h4XGj+TxO+SS5dsThQIA=="
+    },
+    "safer-buffer@2.1.2": {
+      "integrity": "sha512-YZo3K82SD7Riyi0E1EQPojLz7kpepnSQI9IyPbHHg1XXXevb5dJI7tpyN2ADxGcQbHG7vcyRHk0cbwqcQriUtg=="
+    },
+    "strict-event-emitter-types@2.0.0": {
+      "integrity": "sha512-Nk/brWYpD85WlOgzw5h173aci0Teyv8YdIAEtV+N88nDB0dLlazZyJMIsN6eo1/AR61l+p6CJTG1JIyFaoNEEA=="
+    },
+    "uuid@9.0.1": {
+      "integrity": "sha512-b+1eJOlsR9K8HJpow9Ok3fiWOWSIcIzXodvv0rQjVoOVNpWMpxf1wZNpt4y9h10odCNrqnYp1OBzRktckBe3sA=="
+    },
+    "websocket-ts@2.2.1": {
+      "integrity": "sha512-YKPDfxlK5qOheLZ2bTIiktZO1bpfGdNCPJmTEaPW7G9UXI1GKjDdeacOrsULUS000OPNxDVOyAuKLuIWPqWM0Q=="
+    },
+    "zod@3.24.2": {
+      "integrity": "sha512-lY7CDW43ECgW9u1TcT3IoXHflywfVqDYze4waEz812jR/bZ8FHDsl7pFQoSZTz5N+2NqRXs8GBwnAwo3ZNxqhQ=="
     }
   },
   "remote": {

extras/strfry/ldap-policy.ts

@@ -1,8 +1,8 @@
-import type { IterablePubkeys, Policy } from 'https://gitlab.com/soapbox-pub/strfry-policies/-/raw/develop/mod.ts';
+import { NostrEvent, NostrRelayInfo, NostrRelayOK, NPolicy } from 'jsr:@nostrify/types@^0.35.0';
+import { nip57 } from 'jsr:@nostr/tools';
 import { Client } from 'npm:ldapts';
-import { nip57 } from '@nostr/tools';
 
-interface LdapConfig {
+export interface LdapConfig {
   url: string;
   bindDN: string;
   password: string;
@@ -10,68 +10,73 @@ interface LdapConfig {
   whitelistPubkeys?: IterablePubkeys;
 }
 
-const ldapPolicy: Policy<LdapConfig> = async (msg, opts) => {
+export class LdapPolicy implements NPolicy {
-  const client = new Client({ url: opts.url });
+  constructor(private opts: LdapConfig) {}
-  const { kind, tags } = msg.event;
-  let { pubkey } = msg.event;
-  let out = { id: msg.event.id }
 
-  if (opts.whitelistPubkeys.includes(pubkey)) {
+  // deno-lint-ignore require-await
-    out['action'] = 'accept';
+  async call(event: NostrEvent): Promise<NostrRelayOK> {
-    out['msg'] = '';
+    const client = new Client({ url: this.opts.url });
-    return out;
+    const { id, kind, tags } = event;
-  }
+    let { pubkey } = event;
 
-  // Zap receipt
+    if (this.opts.whitelistPubkeys.includes(pubkey)) {
-  if (kind === 9735) {
+      return ['OK', id, true, ''];
-    const descriptionTag = tags.find(([t, v]) => t === 'description' && v);
-    const invalidZapRequestMsg = 'Zap receipts must contain a valid zap request from a relay member';
-
-    if (typeof descriptionTag === 'undefined') {
-      out['action'] = 'reject';
-      out['msg'] = invalidZapRequestMsg;
-      return out;
     }
 
-    const zapRequestJSON = descriptionTag[1];
+    // Zap receipt
-    const validationResult = nip57.validateZapRequest(zapRequestJSON);
+    if (kind === 9735) {
+      const descriptionTag = tags.find(([t, v]) => t === 'description' && v);
+      const invalidZapRequestMsg = 'Zap receipts must contain a valid zap request from a relay member';
 
-    // TODO
+      if (typeof descriptionTag === 'undefined') {
-    // The zap receipt event's pubkey MUST be the same as the recipient's lnurl provider's nostrPubkey (retrieved in step 1 of the protocol flow).
+        return ['OK', id, false, invalidZapRequestMsg];
-    // The invoiceAmount contained in the bolt11 tag of the zap receipt MUST equal the amount tag of the zap request (if present).
+      }
 
-    if (validationResult === null) {
+      const zapRequestJSON = descriptionTag[1];
-      pubkey = JSON.parse(zapRequestJSON).pubkey;
+      const validationResult = nip57.validateZapRequest(zapRequestJSON);
-    } else {
+
-      out['action'] = 'reject';
+      // TODO
-      out['msg'] = invalidZapRequestMsg;
+      // The zap receipt event's pubkey MUST be the same as the recipient's lnurl provider's nostrPubkey (retrieved in step 1 of the protocol flow).
-      return out;
+      // The invoiceAmount contained in the bolt11 tag of the zap receipt MUST equal the amount tag of the zap request (if present).
+
+      if (validationResult === null) {
+        pubkey = JSON.parse(zapRequestJSON).pubkey;
+      } else {
+        return ['OK', id, false, invalidZapRequestMsg];
+      }
+    }
+
+    const out = { accept: true, msg: ''};
+
+    try {
+      await client.bind(this.opts.bindDN, this.opts.password);
+
+      const { searchEntries } = await client.search(this.opts.searchDN, {
+        filter: `(nostrKey=${pubkey})`,
+        attributes: ['nostrKey']
+      });
+      const memberKey = searchEntries[0]?.nostrKey;
+
+      if (memberKey === pubkey) {
+        out['accept'] = true;
+      } else {
+        out['accept'] = false;
+        out['msg'] = 'Only members can publish notes on this relay';
+      }
+    } catch (ex) {
+      out['accept'] = false;
+      out['msg'] = 'Auth service temporarily unavailable';
+    } finally {
+      await client.unbind();
+      return ['OK', id, out['accept'], out['msg']];
     }
   }
 
-  try {
+  get info(): NostrRelayInfo {
-    await client.bind(opts.bindDN, opts.password);
+    return {
-
+      limitation: {
-    const { searchEntries } = await client.search(opts.searchDN, {
+        restricted_writes: true,
-      filter: `(nostrKey=${pubkey})`,
+      },
-      attributes: ['nostrKey']
+    };
-    });
-    const memberKey = searchEntries[0]?.nostrKey;
-
-    if (memberKey === pubkey) {
-      out['action'] = 'accept';
-      out['msg'] = '';
-    } else {
-      out['action'] = 'reject';
-      out['msg'] = 'Only members can publish notes on this relay';
-    }
-  } catch (ex) {
-    out['action'] = 'reject';
-    out['msg'] = 'Auth service temporarily unavailable';
-  } finally {
-    await client.unbind();
-    return out;
   }
-};
+}
-
-export default ldapPolicy;

extras/strfry/strfry-policy.ts

@@ -1,20 +1,20 @@
 #!/bin/sh
-//bin/true; exec deno run -A "$0" "$@"
+//bin/true; exec deno run --unstable-kv -A "$0" "$@"
 import {
-  antiDuplicationPolicy,
+  AntiDuplicationPolicy,
-  hellthreadPolicy,
+  HellthreadPolicy,
-  pipeline,
+  PipePolicy,
-  rateLimitPolicy,
   readStdin,
   writeStdout,
-} from 'https://gitlab.com/soapbox-pub/strfry-policies/-/raw/develop/mod.ts';
+} from 'jsr:@nostrify/policies';
-import ldapPolicy from './ldap-policy.ts';
+import { strfry } from 'jsr:@nostrify/strfry';
+import { LdapConfig, LdapPolicy } from './ldap-policy.ts';
 import { load } from "https://deno.land/std@0.224.0/dotenv/mod.ts";
 
 const dirname = new URL('.', import.meta.url).pathname;
 await load({ envPath: `${dirname}/.env`, export: true });
 
-const ldapConfig = {
+const ldapConfig: LdapConfig = {
   url: Deno.env.get("LDAP_URL"),
   bindDN: Deno.env.get("LDAP_BIND_DN"),
   password: Deno.env.get("LDAP_PASSWORD"),
@@ -22,13 +22,10 @@ const ldapConfig = {
   whitelistPubkeys: Deno.env.get("WHITELIST_PUBKEYS")?.split(',')
 }
 
-for await (const msg of readStdin()) {
+const policy = new PipePolicy([
-  const result = await pipeline(msg, [
+  new HellthreadPolicy({ limit: 10 }),
-    [hellthreadPolicy, { limit: 10 }],
+  new AntiDuplicationPolicy({ kv: await Deno.openKv(), expireIn: 60000, minLength: 50 }),
-    [antiDuplicationPolicy, { ttl: 60000, minLength: 50 }],
+  new LdapPolicy(ldapConfig)
-    [rateLimitPolicy, { whitelist: ['127.0.0.1'] }],
+]);
-    [ldapPolicy, ldapConfig],
-  ]);
 
-  writeStdout(result);
+await strfry(policy);
-}

lib/tasks/ctags.rake

@@ -0,0 +1,29 @@
+module Kosmos
+  class Ctags
+    def self.generate_app_tags
+      excludes = %w[.git gitno log tmp public].join(" --exclude ")
+      cmd = "ctags -R --languages=ruby --exclude #{excludes} ."
+      system cmd
+    end
+
+    def self.generate_bundler_tags
+      runtime = ::Bundler::Runtime.new Dir.pwd, ::Bundler.definition
+      paths = runtime.specs.map(&:full_gem_path)
+      generate_tags(paths, "gems.tags")
+    end
+
+    def self.generate_tags(paths, tag_file)
+      paths = paths.join(' ').strip
+      cmd = "find #{paths} -ignore_readdir_race -type f -name '*.rb' 2>/dev/null | ctags -f #{tag_file} -L -"
+      system cmd
+    end
+  end
+end
+
+namespace :ctags do
+  desc 'generate ctags'
+  task :create do
+    Kosmos::Ctags.generate_app_tags
+    Kosmos::Ctags.generate_bundler_tags
+  end
+end

lib/tasks/ldap.rake

@@ -21,7 +21,7 @@ namespace :ldap do
 
   desc "Add custom attributes to schema"
   task add_custom_attributes: :environment do |t, args|
-    %w[ admin service_enabled nostr_key ].each do |name|
+    %w[ admin service_enabled nostr_key pgp_key ].each do |name|
       Rake::Task["ldap:modify_ldap_schema"].invoke(name, "add")
       Rake::Task['ldap:modify_ldap_schema'].reenable
     end
@@ -29,7 +29,7 @@ namespace :ldap do
 
   desc "Delete custom attributes from schema"
   task delete_custom_attributes: :environment do |t, args|
-    %w[ admin service_enabled nostr_key ].each do |name|
+    %w[ admin service_enabled nostr_key pgp_key ].each do |name|
       Rake::Task["ldap:modify_ldap_schema"].invoke(name, "delete")
       Rake::Task['ldap:modify_ldap_schema'].reenable
     end

package.json

@@ -11,7 +11,7 @@
     "postcss-preset-env": "^7.8.3",
     "tailwindcss": "^3.2.4"
   },
-  "version": "0.9.0",
+  "version": "0.10.0",
   "scripts": {
     "build:css:tailwind": "tailwindcss --postcss -i ./app/assets/stylesheets/application.tailwind.css -o ./app/assets/builds/application.css",
     "build:css": "yarn run build:css:tailwind"

schemas/ldap/nostr_key.ldif

@@ -5,5 +5,5 @@ attributeTypes: ( 1.3.6.1.4.1.61554.1.1.2.1.21
   NAME 'nostrKey'
   DESC 'Nostr public key'
   EQUALITY caseIgnoreMatch
-  SYNTAX 1.3.6.1.4.1.1466.115.121.1.15
+  SYNTAX 1.3.6.1.4.1.1466.115.121.1.26
   SINGLE-VALUE )

schemas/ldap/pgp_key.ldif

@@ -0,0 +1,8 @@
+dn: cn=schema
+changetype: modify
+add: attributeTypes
+attributeTypes: ( 1.3.6.1.4.1.3401.8.2.11
+  NAME 'pgpKey'
+  DESC 'OpenPGP public key block'
+  SYNTAX 1.3.6.1.4.1.1466.115.121.1.26
+  SINGLE-VALUE )

spec/features/settings/account_spec.rb

@@ -14,6 +14,7 @@ RSpec.describe 'Account settings', type: :feature do
         .with("invalid password").and_return(false)
       allow_any_instance_of(User).to receive(:valid_ldap_authentication?)
         .with("valid password").and_return(true)
+      allow_any_instance_of(User).to receive(:pgp_pubkey).and_return(nil)
     end
 
     scenario 'fails with invalid password' do
@@ -55,4 +56,44 @@ RSpec.describe 'Account settings', type: :feature do
       end
     end
   end
+
+  feature "Update OpenPGP key" do
+    let(:invalid_key) { File.read("#{Rails.root}/spec/fixtures/files/pgp_key_invalid.asc") }
+    let(:valid_key_alice) { File.read("#{Rails.root}/spec/fixtures/files/pgp_key_valid_alice.asc") }
+    let(:fingerprint_alice) { "EB85BB5FA33A75E15E944E63F231550C4F47E38E" }
+
+    before do
+      login_as user, :scope => :user
+      allow_any_instance_of(User).to receive(:ldap_entry).and_return({
+        uid: user.cn, ou: user.ou, display_name: nil, pgp_key: nil
+      })
+    end
+
+    scenario 'rejects an invalid key' do
+      expect(UserManager::UpdatePgpKey).not_to receive(:call)
+
+      visit setting_path(:account)
+      fill_in 'Public key', with: invalid_key
+      click_button "Save"
+
+      expect(current_url).to eq(setting_url(:account))
+      within ".error-msg" do
+        expect(page).to have_content("This is not a valid armored PGP public key block")
+      end
+    end
+
+    scenario 'stores a valid key' do
+      expect(UserManager::UpdatePgpKey).to receive(:call)
+        .with(user: user).and_return(true)
+
+      visit setting_path(:account)
+      fill_in 'Public key', with: valid_key_alice
+      click_button "Save"
+
+      expect(current_url).to eq(setting_url(:account))
+      within ".flash-msg" do
+        expect(page).to have_content("Settings saved")
+      end
+    end
+  end
 end

spec/features/settings/profile_spec.rb

@@ -9,7 +9,7 @@ RSpec.describe 'Profile settings', type: :feature do
     allow(user).to receive(:display_name).and_return("Mark")
     allow_any_instance_of(User).to receive(:dn).and_return("cn=mwahlberg,ou=kosmos.org,cn=users,dc=kosmos,dc=org")
     allow_any_instance_of(User).to receive(:ldap_entry).and_return({
-      uid: user.cn, ou: user.ou, display_name: "Mark"
+      uid: user.cn, ou: user.ou, display_name: "Mark", pgp_key: nil
     })
     allow_any_instance_of(User).to receive(:avatar).and_return(avatar_base64)
 

spec/features/signup_spec.rb

@@ -52,7 +52,7 @@ RSpec.describe "Signup", type: :feature do
       click_button "Continue"
       expect(page).to have_content("Choose a password")
 
-      expect(CreateAccount).to receive(:call)
+      expect(UserManager::CreateAccount).to receive(:call)
         .with(account: {
           username: "tony", domain: "kosmos.org",
           email: "tony@example.com", password: "a-valid-password",
@@ -96,7 +96,7 @@ RSpec.describe "Signup", type: :feature do
       click_button "Create account"
       expect(page).to have_content("Password is too short")
 
-      expect(CreateAccount).to receive(:call)
+      expect(UserManager::CreateAccount).to receive(:call)
         .with(account: {
           username: "tony", domain: "kosmos.org",
           email: "tony@example.com", password: "a-valid-password",

spec/fixtures/files/pgp_key_invalid.asc

@@ -0,0 +1,11 @@
+-----BEGIN PGP PUBLIC KEY BLOCK-----
+b7O1u120JkFsaWNlIExvdmVsYWNlIDxhbGljZUBvcGVucGdwLmV4YW1wbGU+iJAE
+ExYIADgCGwMFCwkIBwIGFQoJCAsCBBYCAwECHgECF4AWIQTrhbtfozp14V6UTmPy
+MVUMT0fjjgUCXaWfOgAKCRDyMVUMT0fjjukrAPoDnHBSogOmsHOsd9qGsiZpgRnO
+dypvbm+QtXZqth9rvwD9HcDC0tC+PHAsO7OTh1S1TC9RiJsvawAfCPaQZoed8gK4
+OARcRwTpEgorBgEEAZdVAQUBAQdAQv8GIa2rSTzgqbXCpDDYMiKRVitCsy203x3s
+E9+eviIDAQgHiHgEGBYIACAWIQTrhbtfozp14V6UTmPyMVUMT0fjjgUCXEcE6QIb
+DAAKCRDyMVUMT0fjjlnQAQDFHUs6TIcxrNTtEZFjUFm1M0PJ1Dng/cDW4xN80fsn
+0QEA22Kr7VkCjeAEC08VSTeV+QFsmz55/lntWkwYWhmvOgE=
+=iIGO
+-----END PGP PUBLIC KEY BLOCK-----