Refactor LDAP config

* Move credentials to ENV vars in prod * Use same configs in dev and prod * Make UID attribute and admin DN configurable
Remove SMTP credentials from Rails credentials
2025-05-06 15:32:59 +04:00 · 2025-05-06 15:08:46 +04:00 · 2025-05-05 17:37:58 +04:00 · 2025-05-05 12:54:22 +00:00 · 2025-05-05 15:25:25 +04:00 · 2025-05-05 11:24:56 +00:00
97 changed files with 2580 additions and 1072 deletions
--- a/.env.example
+++ b/.env.example
@@ -1,6 +1,15 @@
 # PRIMARY_DOMAIN=kosmos.org
 # AKKOUNTS_DOMAIN=accounts.example.com
 # The default backend is SQLite
 # DB_ADAPTER=postgresql
 # PG_HOST=localhost
 # PG_PORT=5432
 # PG_DATABASE=akkounts
 # PG_DATABASE_QUEUE=akkounts_queue
 # PG_USERNAME=akkounts
 # PG_PASSWORD=
 # SMTP_SERVER=smtp.example.com
 # SMTP_PORT=587
 # SMTP_LOGIN=accounts
@@ -20,8 +29,12 @@
 # LDAP_HOST=localhost
 # LDAP_PORT=389
 # LDAP_USE_TLS=false
 # LDAP_UID_ATTR=cn
 # LDAP_BASE="ou=kosmos.org,cn=users,dc=kosmos,dc=org"
 # LDAP_ADMIN_USER="cn=Directory Manager"
 # LDAP_ADMIN_PASSWORD=passthebutter
-# LDAP_SUFFIX='dc=kosmos,dc=org'
+# LDAP_SUFFIX="dc=kosmos,dc=org"
 # REDIS_URL='redis://localhost:6379/1'
--- a/.gitignore
+++ b/.gitignore
@@ -37,6 +37,7 @@
 /yarn-error.log
 yarn-debug.log*
 .yarn-integrity
 bun.lock
 # Ignore local dotenv config file
 .env
@@ -47,3 +48,6 @@ dump.rdb
 /app/assets/builds/*
 !/app/assets/builds/.keep
 # Ignore generated ctags
 *.tags
--- a/19
+++ b/19
@@ -2,13 +2,13 @@ source 'https://rubygems.org'
 git_source(:github) { |repo| "https://github.com/#{repo}.git" }
 # Bundle edge Rails instead: gem 'rails', github: 'rails/rails'
-gem 'rails', '~> 7.1'
+gem 'rails', '~> 8.0'
 # Use Puma as the app server
-gem 'puma', '~> 4.1'
+gem 'puma', '~> 6.6'
 # View components
 gem "view_component"
-# Separate dependency since Rails 7.0
+# Asset bundler
-gem 'sprockets-rails'
+gem 'propshaft'
 # Allows custom JS build tasks to integrate with the asset pipeline
 gem 'cssbundling-rails'
 # Use JavaScript with ESM import maps [https://github.com/rails/importmap-rails]
@@ -19,8 +19,6 @@ gem "turbo-rails"
 gem "stimulus-rails"
 # Build JSON APIs with ease. Read more: https://github.com/rails/jbuilder
 gem 'jbuilder', '~> 2.7'
 # Use Redis adapter to run Action Cable in production
 # gem 'redis', '~> 4.0'
 # Use Active Model has_secure_password
 gem 'bcrypt', '~> 3.1'
@@ -44,6 +42,8 @@ gem 'pagy', '~> 6.0', '>= 6.0.2'
 gem 'flipper'
 gem 'flipper-active_record'
 gem 'flipper-ui'
 gem 'gpgme', '~> 2.0.24'
 gem 'zbase32', '~> 0.1.1'
 # HTTP requests
 gem 'faraday'
@@ -51,8 +51,8 @@ gem 'down'
 gem 'aws-sdk-s3', require: false
 # Background/scheduled jobs
-gem 'sidekiq', '< 7'
+gem 'solid_queue'
-gem 'sidekiq-scheduler'
+gem "mission_control-jobs"
 # Monitoring
 gem "sentry-ruby"
@@ -63,10 +63,11 @@ gem 'discourse_api'
 gem "lnurl"
 gem 'manifique', '~> 1.1.0'
 gem 'nostr', '~> 0.6.0'
 gem "redis", "~> 5.4"
 group :development, :test do
  # Use sqlite3 as the database for Active Record
-  gem 'sqlite3', '~> 1.7.2'
+  gem 'sqlite3', '>= 2.1'
  gem 'rspec-rails'
  gem 'rails-controller-testing'
 end
--- a/Gemfile.lock
+++ b/Gemfile.lock
@@ -1,110 +1,109 @@
 GEM
  remote: https://rubygems.org/
  specs:
-    actioncable (7.1.3)
+    actioncable (8.0.2)
-      actionpack (= 7.1.3)
+      actionpack (= 8.0.2)
-      activesupport (= 7.1.3)
+      activesupport (= 8.0.2)
      nio4r (~> 2.0)
      websocket-driver (>= 0.6.1)
      zeitwerk (~> 2.6)
-    actionmailbox (7.1.3)
+    actionmailbox (8.0.2)
-      actionpack (= 7.1.3)
+      actionpack (= 8.0.2)
-      activejob (= 7.1.3)
+      activejob (= 8.0.2)
-      activerecord (= 7.1.3)
+      activerecord (= 8.0.2)
-      activestorage (= 7.1.3)
+      activestorage (= 8.0.2)
-      activesupport (= 7.1.3)
+      activesupport (= 8.0.2)
-      mail (>= 2.7.1)
+      mail (>= 2.8.0)
-      net-imap
+    actionmailer (8.0.2)
-      net-pop
+      actionpack (= 8.0.2)
-      net-smtp
+      actionview (= 8.0.2)
-    actionmailer (7.1.3)
+      activejob (= 8.0.2)
-      actionpack (= 7.1.3)
+      activesupport (= 8.0.2)
-      actionview (= 7.1.3)
+      mail (>= 2.8.0)
      activejob (= 7.1.3)
      activesupport (= 7.1.3)
      mail (~> 2.5, >= 2.5.4)
      net-imap
      net-pop
      net-smtp
      rails-dom-testing (~> 2.2)
-    actionpack (7.1.3)
+    actionpack (8.0.2)
-      actionview (= 7.1.3)
+      actionview (= 8.0.2)
-      activesupport (= 7.1.3)
+      activesupport (= 8.0.2)
      nokogiri (>= 1.8.5)
      racc
      rack (>= 2.2.4)
      rack-session (>= 1.0.1)
      rack-test (>= 0.6.3)
      rails-dom-testing (~> 2.2)
      rails-html-sanitizer (~> 1.6)
-    actiontext (7.1.3)
+      useragent (~> 0.16)
-      actionpack (= 7.1.3)
+    actiontext (8.0.2)
-      activerecord (= 7.1.3)
+      actionpack (= 8.0.2)
-      activestorage (= 7.1.3)
+      activerecord (= 8.0.2)
-      activesupport (= 7.1.3)
+      activestorage (= 8.0.2)
      activesupport (= 8.0.2)
      globalid (>= 0.6.0)
      nokogiri (>= 1.8.5)
-    actionview (7.1.3)
+    actionview (8.0.2)
-      activesupport (= 7.1.3)
+      activesupport (= 8.0.2)
      builder (~> 3.1)
      erubi (~> 1.11)
      rails-dom-testing (~> 2.2)
      rails-html-sanitizer (~> 1.6)
-    activejob (7.1.3)
+    activejob (8.0.2)
-      activesupport (= 7.1.3)
+      activesupport (= 8.0.2)
      globalid (>= 0.3.6)
-    activemodel (7.1.3)
+    activemodel (8.0.2)
-      activesupport (= 7.1.3)
+      activesupport (= 8.0.2)
-    activerecord (7.1.3)
+    activerecord (8.0.2)
-      activemodel (= 7.1.3)
+      activemodel (= 8.0.2)
-      activesupport (= 7.1.3)
+      activesupport (= 8.0.2)
      timeout (>= 0.4.0)
-    activestorage (7.1.3)
+    activestorage (8.0.2)
-      actionpack (= 7.1.3)
+      actionpack (= 8.0.2)
-      activejob (= 7.1.3)
+      activejob (= 8.0.2)
-      activerecord (= 7.1.3)
+      activerecord (= 8.0.2)
-      activesupport (= 7.1.3)
+      activesupport (= 8.0.2)
      marcel (~> 1.0)
-    activesupport (7.1.3)
+    activesupport (8.0.2)
      base64
      benchmark (>= 0.3)
      bigdecimal
-      concurrent-ruby (~> 1.0, >= 1.0.2)
+      concurrent-ruby (~> 1.0, >= 1.3.1)
      connection_pool (>= 2.2.5)
      drb
      i18n (>= 1.6, < 2)
      logger (>= 1.4.2)
      minitest (>= 5.1)
-      mutex_m
+      securerandom (>= 0.3)
-      tzinfo (~> 2.0)
+      tzinfo (~> 2.0, >= 2.0.5)
-    addressable (2.8.6)
+      uri (>= 0.13.1)
-      public_suffix (>= 2.0.2, < 6.0)
+    addressable (2.8.7)
-    ast (2.4.2)
+      public_suffix (>= 2.0.2, < 7.0)
-    aws-eventstream (1.3.0)
+    ast (2.4.3)
-    aws-partitions (1.886.0)
+    aws-eventstream (1.3.2)
-    aws-sdk-core (3.191.0)
+    aws-partitions (1.1092.0)
    aws-sdk-core (3.222.2)
      aws-eventstream (~> 1, >= 1.3.0)
-      aws-partitions (~> 1, >= 1.651.0)
+      aws-partitions (~> 1, >= 1.992.0)
-      aws-sigv4 (~> 1.8)
+      aws-sigv4 (~> 1.9)
      base64
      jmespath (~> 1, >= 1.6.1)
-    aws-sdk-kms (1.77.0)
+      logger
-      aws-sdk-core (~> 3, >= 3.191.0)
+    aws-sdk-kms (1.99.0)
-      aws-sigv4 (~> 1.1)
+      aws-sdk-core (~> 3, >= 3.216.0)
-    aws-sdk-s3 (1.143.0)
+      aws-sigv4 (~> 1.5)
-      aws-sdk-core (~> 3, >= 3.191.0)
+    aws-sdk-s3 (1.183.0)
      aws-sdk-core (~> 3, >= 3.216.0)
      aws-sdk-kms (~> 1)
-      aws-sigv4 (~> 1.8)
+      aws-sigv4 (~> 1.5)
-    aws-sigv4 (1.8.0)
+    aws-sigv4 (1.11.0)
      aws-eventstream (~> 1, >= 1.0.2)
    backport (1.2.0)
    base64 (0.2.0)
    bcrypt (3.1.20)
-    bech32 (1.4.2)
+    bech32 (1.5.0)
      thor (>= 1.1.0)
-    benchmark (0.3.0)
+    benchmark (0.4.0)
-    bigdecimal (3.1.6)
+    bigdecimal (3.1.9)
    bindex (0.8.1)
    bip-schnorr (0.7.0)
      ecdsa_ext (~> 0.5.0)
-    builder (3.2.4)
+    builder (3.3.0)
    capybara (3.40.0)
      addressable
      matrix
@@ -114,23 +113,25 @@ GEM
      rack-test (>= 0.6.3)
      regexp_parser (>= 1.5, < 3.0)
      xpath (~> 3.2)
    childprocess (5.1.0)
      logger (~> 1.5)
    chunky_png (1.4.0)
-    concurrent-ruby (1.2.3)
+    concurrent-ruby (1.3.4)
-    connection_pool (2.4.1)
+    connection_pool (2.5.2)
-    crack (0.4.6)
+    crack (1.0.0)
      bigdecimal
      rexml
    crass (1.0.6)
-    cssbundling-rails (1.4.0)
+    cssbundling-rails (1.4.3)
      railties (>= 6.0.0)
-    database_cleaner (2.0.2)
+    database_cleaner (2.1.0)
      database_cleaner-active_record (>= 2, < 3)
-    database_cleaner-active_record (2.1.0)
+    database_cleaner-active_record (2.2.0)
      activerecord (>= 5.a)
      database_cleaner-core (~> 2.0.0)
    database_cleaner-core (2.0.1)
-    date (3.3.4)
+    date (3.4.1)
-    devise (4.9.3)
+    devise (4.9.4)
      bcrypt (~> 3.0)
      orm_adapter (~> 0.1)
      railties (>= 4.1.0)
@@ -139,105 +140,113 @@ GEM
    devise_ldap_authenticatable (0.8.7)
      devise (>= 3.4.1)
      net-ldap (>= 0.16.0)
-    diff-lcs (1.5.1)
+    diff-lcs (1.6.1)
    discourse_api (2.0.1)
      faraday (~> 2.7)
      faraday-follow_redirects
      faraday-multipart
      rack (>= 1.6)
-    dotenv (2.8.1)
+    dotenv (3.1.8)
-    dotenv-rails (2.8.1)
+    dotenv-rails (3.1.8)
-      dotenv (= 2.8.1)
+      dotenv (= 3.1.8)
-      railties (>= 3.2)
+      railties (>= 6.1)
-    down (5.4.1)
+    down (5.4.2)
      addressable (~> 2.8)
-    drb (2.2.0)
+    drb (2.2.1)
      ruby2_keywords
    e2mmap (0.1.0)
    ecdsa (1.2.0)
    ecdsa_ext (0.5.1)
      ecdsa (~> 1.2.0)
-    erubi (1.12.0)
+    erubi (1.13.1)
-    et-orbi (1.2.7)
+    et-orbi (1.2.11)
      tzinfo
    event_emitter (0.2.6)
    eventmachine (1.2.7)
-    factory_bot (6.4.6)
+    factory_bot (6.5.1)
-      activesupport (>= 5.0.0)
+      activesupport (>= 6.1.0)
-    factory_bot_rails (6.4.3)
+    factory_bot_rails (6.4.4)
-      factory_bot (~> 6.4)
+      factory_bot (~> 6.5)
      railties (>= 5.0.0)
-    faker (3.2.3)
+    faker (3.5.1)
      i18n (>= 1.8.11, < 2)
-    faraday (2.9.0)
+    faraday (2.9.2)
      faraday-net_http (>= 2.0, < 3.2)
    faraday-follow_redirects (0.3.0)
      faraday (>= 1, < 3)
-    faraday-multipart (1.0.4)
+    faraday-multipart (1.1.0)
-      multipart-post (~> 2)
+      multipart-post (~> 2.0)
-    faraday-net_http (3.1.0)
+    faraday-net_http (3.1.1)
      net-http
    faye-websocket (0.11.3)
      eventmachine (>= 0.12.0)
      websocket-driver (>= 0.5.1)
-    ffi (1.16.3)
+    ffi (1.17.2)
-    flipper (1.2.2)
+    ffi (1.17.2-arm64-darwin)
    ffi (1.17.2-x86_64-linux-gnu)
    flipper (1.3.4)
      concurrent-ruby (< 2)
-    flipper-active_record (1.2.2)
+    flipper-active_record (1.3.4)
-      activerecord (>= 4.2, < 8)
+      activerecord (>= 4.2, < 9)
-      flipper (~> 1.2.2)
+      flipper (~> 1.3.4)
-    flipper-ui (1.2.2)
+    flipper-ui (1.3.4)
      erubi (>= 1.0.0, < 2.0.0)
-      flipper (~> 1.2.2)
+      flipper (~> 1.3.4)
      rack (>= 1.4, < 4)
-      rack-protection (>= 1.5.3, <= 4.0.0)
+      rack-protection (>= 1.5.3, < 5.0.0)
-      sanitize (< 7)
+      rack-session (>= 1.0.2, < 3.0.0)
-    fugit (1.9.0)
+      sanitize (< 8)
-      et-orbi (~> 1, >= 1.2.7)
+    fugit (1.11.1)
      et-orbi (~> 1, >= 1.2.11)
      raabro (~> 1.4)
    globalid (1.2.1)
      activesupport (>= 6.1)
-    hashdiff (1.1.0)
+    gpgme (2.0.24)
-    i18n (1.14.1)
+      mini_portile2 (~> 2.7)
    hashdiff (1.1.2)
    i18n (1.14.7)
      concurrent-ruby (~> 1.0)
    image_processing (1.12.2)
      mini_magick (>= 4.9.5, < 5)
      ruby-vips (>= 2.0.17, < 3)
-    importmap-rails (2.0.1)
+    importmap-rails (2.1.0)
      actionpack (>= 6.0.0)
      activesupport (>= 6.0.0)
      railties (>= 6.0.0)
-    io-console (0.7.2)
+    io-console (0.8.0)
-    irb (1.11.1)
+    irb (1.15.2)
-      rdoc
+      pp (>= 0.6.0)
      rdoc (>= 4.0.0)
      reline (>= 0.4.2)
-    jaro_winkler (1.5.6)
+    jaro_winkler (1.6.0)
-    jbuilder (2.11.5)
+    jbuilder (2.13.0)
      actionview (>= 5.0.0)
      activesupport (>= 5.0.0)
    jmespath (1.6.2)
-    json (2.7.1)
+    json (2.11.3)
-    kramdown (2.4.0)
+    kramdown (2.5.1)
-      rexml
+      rexml (>= 3.3.9)
    kramdown-parser-gfm (1.1.0)
      kramdown (~> 2.0)
-    language_server-protocol (3.17.0.3)
+    language_server-protocol (3.17.0.4)
-    launchy (2.5.2)
+    launchy (3.1.1)
      addressable (~> 2.8)
-    letter_opener (1.8.1)
+      childprocess (~> 5.0)
-      launchy (>= 2.2, < 3)
+      logger (~> 1.6)
-    letter_opener_web (2.0.0)
+    letter_opener (1.10.0)
-      actionmailer (>= 5.2)
+      launchy (>= 2.2, < 4)
-      letter_opener (~> 1.7)
+    letter_opener_web (3.0.0)
-      railties (>= 5.2)
+      actionmailer (>= 6.1)
      letter_opener (~> 1.9)
      railties (>= 6.1)
      rexml
-    listen (3.8.0)
+    lint_roller (1.1.0)
    listen (3.9.0)
      rb-fsevent (~> 0.10, >= 0.10.3)
      rb-inotify (~> 0.9, >= 0.9.10)
-    lnurl (1.1.0)
+    lnurl (1.1.1)
      bech32 (~> 1.1)
-    lockbox (1.3.2)
+    lockbox (2.0.1)
-    loofah (2.22.0)
+    logger (1.7.0)
    loofah (2.24.0)
      crass (~> 1.0.2)
      nokogiri (>= 1.12.0)
    mail (2.8.1)
@@ -249,18 +258,27 @@ GEM
      faraday (~> 2.9.0)
      faraday-follow_redirects (= 0.3.0)
      nokogiri (~> 1.16.0)
-    marcel (1.0.2)
+    marcel (1.0.4)
    matrix (0.4.2)
-    method_source (1.0.0)
+    method_source (1.1.0)
-    mini_magick (4.12.0)
+    mini_magick (4.13.2)
    mini_mime (1.1.5)
-    mini_portile2 (2.8.5)
+    mini_portile2 (2.8.8)
-    minitest (5.21.2)
+    minitest (5.25.5)
-    multipart-post (2.3.0)
+    mission_control-jobs (1.0.2)
-    mutex_m (0.2.0)
+      actioncable (>= 7.1)
-    net-http (0.4.1)
+      actionpack (>= 7.1)
      activejob (>= 7.1)
      activerecord (>= 7.1)
      importmap-rails (>= 1.2.1)
      irb (~> 1.13)
      railties (>= 7.1)
      stimulus-rails
      turbo-rails
    multipart-post (2.4.1)
    net-http (0.6.0)
      uri
-    net-imap (0.4.9.1)
+    net-imap (0.5.7)
      date
      net-protocol
    net-ldap (0.19.0)
@@ -268,15 +286,15 @@ GEM
      net-protocol
    net-protocol (0.2.2)
      timeout
-    net-smtp (0.4.0.1)
+    net-smtp (0.5.1)
      net-protocol
-    nio4r (2.7.0)
+    nio4r (2.7.4)
-    nokogiri (1.16.0)
+    nokogiri (1.16.8)
      mini_portile2 (~> 2.8.2)
      racc (~> 1.4)
-    nokogiri (1.16.0-arm64-darwin)
+    nokogiri (1.16.8-arm64-darwin)
      racc (~> 1.4)
-    nokogiri (1.16.0-x86_64-linux)
+    nokogiri (1.16.8-x86_64-linux)
      racc (~> 1.4)
    nostr (0.6.0)
      bech32 (~> 1.4)
@@ -285,45 +303,57 @@ GEM
      event_emitter (~> 0.2)
      faye-websocket (~> 0.11)
      json (~> 2.6)
    observer (0.1.2)
    orm_adapter (0.5.0)
-    pagy (6.4.3)
+    ostruct (0.6.1)
-    parallel (1.24.0)
+    pagy (6.5.0)
-    parser (3.3.0.5)
+    parallel (1.27.0)
    parser (3.3.8.0)
      ast (~> 2.4.1)
      racc
-    pg (1.5.4)
+    pg (1.5.9)
-    psych (5.1.2)
+    pp (0.6.2)
      prettyprint
    prettyprint (0.2.0)
    prism (1.4.0)
    propshaft (1.1.0)
      actionpack (>= 7.0.0)
      activesupport (>= 7.0.0)
      rack
      railties (>= 7.0.0)
    psych (5.2.3)
      date
      stringio
-    public_suffix (5.0.4)
+    public_suffix (6.0.1)
-    puma (4.3.12)
+    puma (6.6.0)
      nio4r (~> 2.0)
    raabro (1.4.0)
-    racc (1.7.3)
+    racc (1.8.1)
-    rack (2.2.8)
+    rack (2.2.13)
    rack-protection (3.2.0)
      base64 (>= 0.1.0)
      rack (~> 2.2, >= 2.2.4)
    rack-session (1.0.2)
      rack (< 3)
-    rack-test (2.1.0)
+    rack-test (2.2.0)
      rack (>= 1.3)
-    rackup (1.0.0)
+    rackup (1.0.1)
      rack (< 3)
      webrick
-    rails (7.1.3)
+    rails (8.0.2)
-      actioncable (= 7.1.3)
+      actioncable (= 8.0.2)
-      actionmailbox (= 7.1.3)
+      actionmailbox (= 8.0.2)
-      actionmailer (= 7.1.3)
+      actionmailer (= 8.0.2)
-      actionpack (= 7.1.3)
+      actionpack (= 8.0.2)
-      actiontext (= 7.1.3)
+      actiontext (= 8.0.2)
-      actionview (= 7.1.3)
+      actionview (= 8.0.2)
-      activejob (= 7.1.3)
+      activejob (= 8.0.2)
-      activemodel (= 7.1.3)
+      activemodel (= 8.0.2)
-      activerecord (= 7.1.3)
+      activerecord (= 8.0.2)
-      activestorage (= 7.1.3)
+      activestorage (= 8.0.2)
-      activesupport (= 7.1.3)
+      activesupport (= 8.0.2)
      bundler (>= 1.15.0)
-      railties (= 7.1.3)
+      railties (= 8.0.2)
    rails-controller-testing (1.0.5)
      actionpack (>= 5.0.1.rc1)
      actionview (>= 5.0.1.rc1)
@@ -332,138 +362,140 @@ GEM
      activesupport (>= 5.0.0)
      minitest
      nokogiri (>= 1.6)
-    rails-html-sanitizer (1.6.0)
+    rails-html-sanitizer (1.6.2)
      loofah (~> 2.21)
-      nokogiri (~> 1.14)
+      nokogiri (>= 1.15.7, != 1.16.7, != 1.16.6, != 1.16.5, != 1.16.4, != 1.16.3, != 1.16.2, != 1.16.1, != 1.16.0.rc1, != 1.16.0)
    rails-settings-cached (2.8.3)
      activerecord (>= 5.0.0)
      railties (>= 5.0.0)
-    railties (7.1.3)
+    railties (8.0.2)
-      actionpack (= 7.1.3)
+      actionpack (= 8.0.2)
-      activesupport (= 7.1.3)
+      activesupport (= 8.0.2)
-      irb
+      irb (~> 1.13)
      rackup (>= 1.0.0)
      rake (>= 12.2)
      thor (~> 1.0, >= 1.2.2)
      zeitwerk (~> 2.6)
    rainbow (3.1.1)
-    rake (13.1.0)
+    rake (13.2.1)
    rb-fsevent (0.11.2)
-    rb-inotify (0.10.1)
+    rb-inotify (0.11.1)
      ffi (~> 1.0)
-    rbs (2.8.4)
+    rbs (3.9.2)
-    rdoc (6.6.2)
+      logger
    rdoc (6.13.1)
      psych (>= 4.0.0)
-    redis (4.8.1)
+    redis (5.4.0)
-    regexp_parser (2.9.0)
+      redis-client (>= 0.22.0)
-    reline (0.4.2)
+    redis-client (0.24.0)
      connection_pool
    regexp_parser (2.10.0)
    reline (0.6.1)
      io-console (~> 0.5)
    responders (3.1.1)
      actionpack (>= 5.2)
      railties (>= 5.2)
-    reverse_markdown (2.1.1)
+    reverse_markdown (3.0.0)
      nokogiri
-    rexml (3.2.6)
+    rexml (3.4.1)
    rqrcode (2.2.0)
      chunky_png (~> 1.0)
      rqrcode_core (~> 1.0)
    rqrcode_core (1.2.0)
-    rspec-core (3.12.2)
+    rspec-core (3.13.3)
-      rspec-support (~> 3.12.0)
+      rspec-support (~> 3.13.0)
-    rspec-expectations (3.12.3)
+    rspec-expectations (3.13.3)
      diff-lcs (>= 1.2.0, < 2.0)
-      rspec-support (~> 3.12.0)
+      rspec-support (~> 3.13.0)
-    rspec-mocks (3.12.6)
+    rspec-mocks (3.13.2)
      diff-lcs (>= 1.2.0, < 2.0)
-      rspec-support (~> 3.12.0)
+      rspec-support (~> 3.13.0)
-    rspec-rails (6.1.1)
+    rspec-rails (7.1.1)
-      actionpack (>= 6.1)
+      actionpack (>= 7.0)
-      activesupport (>= 6.1)
+      activesupport (>= 7.0)
-      railties (>= 6.1)
+      railties (>= 7.0)
-      rspec-core (~> 3.12)
+      rspec-core (~> 3.13)
-      rspec-expectations (~> 3.12)
+      rspec-expectations (~> 3.13)
-      rspec-mocks (~> 3.12)
+      rspec-mocks (~> 3.13)
-      rspec-support (~> 3.12)
+      rspec-support (~> 3.13)
-    rspec-support (3.12.1)
+    rspec-support (3.13.2)
-    rubocop (1.60.2)
+    rubocop (1.75.3)
      json (~> 2.3)
-      language_server-protocol (>= 3.17.0)
+      language_server-protocol (~> 3.17.0.2)
      lint_roller (~> 1.1.0)
      parallel (~> 1.10)
      parser (>= 3.3.0.2)
      rainbow (>= 2.2.2, < 4.0)
-      regexp_parser (>= 1.8, < 3.0)
+      regexp_parser (>= 2.9.3, < 3.0)
-      rexml (>= 3.2.5, < 4.0)
+      rubocop-ast (>= 1.44.0, < 2.0)
      rubocop-ast (>= 1.30.0, < 2.0)
      ruby-progressbar (~> 1.7)
-      unicode-display_width (>= 2.4.0, < 3.0)
+      unicode-display_width (>= 2.4.0, < 4.0)
-    rubocop-ast (1.30.0)
+    rubocop-ast (1.44.1)
-      parser (>= 3.2.1.0)
+      parser (>= 3.3.7.2)
      prism (~> 1.4)
    ruby-progressbar (1.13.0)
-    ruby-vips (2.2.0)
+    ruby-vips (2.2.3)
      ffi (~> 1.12)
-    ruby2_keywords (0.0.5)
+      logger
-    rufus-scheduler (3.9.1)
+    sanitize (7.0.0)
      fugit (~> 1.1, >= 1.1.6)
    sanitize (6.1.0)
      crass (~> 1.0.2)
-      nokogiri (>= 1.12.0)
+      nokogiri (>= 1.16.8)
-    sentry-rails (5.16.1)
+    securerandom (0.4.1)
    sentry-rails (5.23.0)
      railties (>= 5.0)
-      sentry-ruby (~> 5.16.1)
+      sentry-ruby (~> 5.23.0)
-    sentry-ruby (5.16.1)
+    sentry-ruby (5.23.0)
      bigdecimal
      concurrent-ruby (~> 1.0, >= 1.0.2)
-    sidekiq (6.5.12)
+    solargraph (0.54.2)
      connection_pool (>= 2.2.5, < 3)
      rack (~> 2.0)
      redis (>= 4.5.0, < 5)
    sidekiq-scheduler (5.0.3)
      rufus-scheduler (~> 3.2)
      sidekiq (>= 6, < 8)
      tilt (>= 1.4.0)
    solargraph (0.50.0)
      backport (~> 1.2)
-      benchmark
+      benchmark (~> 0.4)
      bundler (~> 2.0)
      diff-lcs (~> 1.4)
-      e2mmap
+      jaro_winkler (~> 1.6)
      jaro_winkler (~> 1.5)
      kramdown (~> 2.3)
      kramdown-parser-gfm (~> 1.1)
      logger (~> 1.6)
      observer (~> 0.1)
      ostruct (~> 0.6)
      parser (~> 3.0)
-      rbs (~> 2.0)
+      rbs (~> 3.3)
-      reverse_markdown (~> 2.0)
+      reverse_markdown (~> 3.0)
      rubocop (~> 1.38)
      thor (~> 1.0)
      tilt (~> 2.0)
      yard (~> 0.9, >= 0.9.24)
-    sprockets (4.2.1)
+      yard-solargraph (~> 0.1)
-      concurrent-ruby (~> 1.0)
+    solid_queue (1.1.5)
-      rack (>= 2.2.4, < 4)
+      activejob (>= 7.1)
-    sprockets-rails (3.4.2)
+      activerecord (>= 7.1)
-      actionpack (>= 5.2)
+      concurrent-ruby (>= 1.3.1)
-      activesupport (>= 5.2)
+      fugit (~> 1.11.0)
-      sprockets (>= 3.0.0)
+      railties (>= 7.1)
-    sqlite3 (1.7.2)
+      thor (~> 1.3.1)
    sqlite3 (2.6.0)
      mini_portile2 (~> 2.8.0)
-    sqlite3 (1.7.2-arm64-darwin)
+    sqlite3 (2.6.0-arm64-darwin)
-    sqlite3 (1.7.2-x86_64-linux)
+    sqlite3 (2.6.0-x86_64-linux-gnu)
-    stimulus-rails (1.3.3)
+    stimulus-rails (1.3.4)
      railties (>= 6.0.0)
    stringio (3.1.0)
    thor (1.3.0)
    tilt (2.3.0)
    timeout (0.4.1)
    turbo-rails (1.5.0)
      actionpack (>= 6.0.0)
      activejob (>= 6.0.0)
      railties (>= 6.0.0)
    stringio (3.1.7)
    thor (1.3.2)
    tilt (2.6.0)
    timeout (0.4.3)
    turbo-rails (2.0.13)
      actionpack (>= 7.1.0)
      railties (>= 7.1.0)
    tzinfo (2.0.6)
      concurrent-ruby (~> 1.0)
-    unicode-display_width (2.5.0)
+    unicode-display_width (3.1.4)
-    uri (0.13.0)
+      unicode-emoji (~> 4.0, >= 4.0.4)
-    view_component (3.10.0)
+    unicode-emoji (4.0.4)
-      activesupport (>= 5.2.0, < 8.0)
+    uri (1.0.3)
-      concurrent-ruby (~> 1.0)
+    useragent (0.16.11)
    view_component (3.22.0)
      activesupport (>= 5.2.0, < 8.1)
      concurrent-ruby (= 1.3.4)
      method_source (~> 1.0)
    warden (1.2.9)
      rack (>= 2.0.9)
@@ -472,18 +504,22 @@ GEM
      activemodel (>= 6.0.0)
      bindex (>= 0.4.0)
      railties (>= 6.0.0)
-    webmock (3.19.1)
+    webmock (3.25.1)
      addressable (>= 2.8.0)
      crack (>= 0.3.2)
      hashdiff (>= 0.4.0, < 2.0.0)
-    webrick (1.8.1)
+    webrick (1.9.1)
-    websocket-driver (0.7.6)
+    websocket-driver (0.7.7)
      base64
      websocket-extensions (>= 0.1.0)
    websocket-extensions (0.1.5)
    xpath (3.2.0)
      nokogiri (~> 1.8)
-    yard (0.9.34)
+    yard (0.9.37)
-    zeitwerk (2.6.12)
+    yard-solargraph (0.1.0)
      yard (~> 0.9)
    zbase32 (0.1.1)
    zeitwerk (2.7.2)
 PLATFORMS
  arm64-darwin-22
@@ -507,6 +543,7 @@ DEPENDENCIES
  flipper
  flipper-active_record
  flipper-ui
  gpgme (~> 2.0.24)
  image_processing (~> 1.12.2)
  importmap-rails
  jbuilder (~> 2.7)
@@ -516,23 +553,24 @@ DEPENDENCIES
  lnurl
  lockbox
  manifique (~> 1.1.0)
  mission_control-jobs
  net-ldap
  nostr (~> 0.6.0)
  pagy (~> 6.0, >= 6.0.2)
  pg (~> 1.5)
-  puma (~> 4.1)
+  propshaft
-  rails (~> 7.1)
+  puma (~> 6.6)
  rails (~> 8.0)
  rails-controller-testing
  rails-settings-cached (~> 2.8.3)
  redis (~> 5.4)
  rqrcode (~> 2.0)
  rspec-rails
  sentry-rails
  sentry-ruby
  sidekiq (< 7)
  sidekiq-scheduler
  solargraph
-  sprockets-rails
+  solid_queue
-  sqlite3 (~> 1.7.2)
+  sqlite3 (>= 2.1)
  stimulus-rails
  turbo-rails
  tzinfo-data
@@ -540,6 +578,7 @@ DEPENDENCIES
  warden
  web-console (~> 4.2)
  webmock
  zbase32 (~> 0.1.1)
 BUNDLED WITH
   2.5.5
--- a/README.md
+++ b/README.md
@@ -57,7 +57,7 @@ Running the test suite:
 Running the test suite with Docker Compose requires overriding the Rails
 environment:
-    docker-compose run -e "RAILS_ENV=test" web rspec
+    docker-compose exec -e "RAILS_ENV=test" web rspec
 ### Docker Compose
--- a/app/assets/config/manifest.js
+++ b/app/assets/config/manifest.js
@@ -1,4 +0,0 @@
 //= link_tree ../images
 //= link_tree ../../javascript .js
 //= link_tree ../builds
 //= link_tree ../../../vendor/javascript .js
--- a/app/controllers/admin/users_controller.rb
+++ b/app/controllers/admin/users_controller.rb
@@ -30,7 +30,7 @@ class Admin::UsersController < Admin::BaseController
    amount = params[:amount].to_i
    notify_user = ActiveRecord::Type::Boolean.new.cast(params[:notify_user])
-    CreateInvitations.call(user: @user, amount: amount, notify: notify_user)
+    UserManager::CreateInvitations.call(user: @user, amount: amount, notify: notify_user)
    redirect_to admin_user_path(@user.cn), flash: {
      success: "Added #{amount} invitations to #{@user.cn}'s account"
--- a/app/controllers/settings_controller.rb
+++ b/app/controllers/settings_controller.rb
@@ -21,10 +21,12 @@ class SettingsController < ApplicationController
    end
  end
  # PUT /settings/:section
  def update
    @user.preferences.merge!(user_params[:preferences] || {})
    @user.display_name = user_params[:display_name]
-    @user.avatar_new = user_params[:avatar]
+    @user.avatar_new   = user_params[:avatar]
    @user.pgp_pubkey   = user_params[:pgp_pubkey]
    if @user.save
      if @user.display_name && (@user.display_name != @user.ldap_entry[:display_name])
@@ -35,6 +37,10 @@ class SettingsController < ApplicationController
        LdapManager::UpdateAvatar.call(dn: @user.dn, file: @user.avatar_new)
      end
      if @user.pgp_pubkey && (@user.pgp_pubkey != @user.ldap_entry[:pgp_key])
        UserManager::UpdatePgpKey.call(user: @user)
      end
      redirect_to setting_path(@settings_section), flash: {
        success: 'Settings saved.'
      }
@@ -44,6 +50,7 @@ class SettingsController < ApplicationController
    end
  end
  # POST /settings/update_email
  def update_email
    if @user.valid_ldap_authentication?(security_params[:current_password])
      if @user.update email: email_params[:email]
@@ -61,6 +68,7 @@ class SettingsController < ApplicationController
    end
  end
  # POST /settings/reset_email_password
  def reset_email_password
    @user.current_password = security_params[:current_password]
@@ -83,6 +91,7 @@ class SettingsController < ApplicationController
    end
  end
  # POST /settings/reset_password
  def reset_password
    current_user.send_reset_password_instructions
    sign_out current_user
@@ -90,6 +99,7 @@ class SettingsController < ApplicationController
    redirect_to check_your_email_path, notice: msg
  end
  # POST /settings/set_nostr_pubkey
  def set_nostr_pubkey
    signed_event = Nostr::Event.new(**nostr_event_from_params)
@@ -152,7 +162,8 @@ class SettingsController < ApplicationController
    def user_params
      params.require(:user).permit(
-        :display_name, :avatar, preferences: UserPreferences.pref_keys
+        :display_name, :avatar, :pgp_pubkey,
        preferences: UserPreferences.pref_keys
      )
    end
--- a/app/controllers/signup_controller.rb
+++ b/app/controllers/signup_controller.rb
@@ -96,7 +96,7 @@ class SignupController < ApplicationController
    session[:new_user] = nil
    session[:validation_error] = nil
-    CreateAccount.call(account: {
+    UserManager::CreateAccount.call(account: {
      username: @user.cn,
      domain: Setting.primary_domain,
      email: @user.email,
--- a/app/controllers/web_key_directory_controller.rb
+++ b/app/controllers/web_key_directory_controller.rb
@@ -0,0 +1,35 @@
 class WebKeyDirectoryController < WellKnownController
  before_action :allow_cross_origin_requests
  # /.well-known/openpgpkey/hu/:hashed_username(.txt)
  def show
    @user = User.find_by(cn: params[:l].downcase)
    if @user.nil? ||
       @user.pgp_pubkey.blank? ||
       !@user.pgp_pubkey_contains_user_address?
      http_status :not_found and return
    end
    if params[:hashed_username] != @user.wkd_hash
      http_status :unprocessable_entity and return
    end
    respond_to do |format|
      format.text do
        response.headers['Content-Type'] = 'text/plain'
        render plain: @user.pgp_pubkey
      end
      format.any do
        key = @user.gnupg_key.export
        send_data key, filename: "#{@user.wkd_hash}.pem",
                       type: "application/octet-stream"
      end
    end
  end
  def policy
    head :ok
  end
 end
--- a/app/controllers/webfinger_controller.rb
+++ b/app/controllers/webfinger_controller.rb
@@ -74,7 +74,7 @@ class WebfingerController < WellKnownController
  end
  def remotestorage_link
-    auth_url = new_rs_oauth_url(@username, host: Setting.accounts_domain)
+    auth_url = new_rs_oauth_url(@username, host: Setting.rs_accounts_domain)
    storage_url = "#{Setting.rs_storage_url}/#{@username}"
    {
--- a/app/jobs/remote_storage_expire_authorization_job.rb
+++ b/app/jobs/remote_storage_expire_authorization_job.rb
@@ -3,8 +3,6 @@ class RemoteStorageExpireAuthorizationJob < ApplicationJob
  def perform(rs_auth_id)
    rs_auth = RemoteStorageAuthorization.find rs_auth_id
    return unless rs_auth.expire_at.nil? || rs_auth.expire_at <= DateTime.now
    rs_auth.destroy!
  end
 end
--- a/app/mailers/application_mailer.rb
+++ b/app/mailers/application_mailer.rb
@@ -1,3 +1,90 @@
 class ApplicationMailer < ActionMailer::Base
  default Rails.application.config.action_mailer.default_options
  layout 'mailer'
  private
    def send_mail
      @template ||= "#{self.class.name.underscore}/#{caller[0][/`([^']*)'/, 1]}"
      headers['Message-ID'] = message_id
      if @user.pgp_pubkey.present?
        mail(to: @user.email, subject: "...", content_type: pgp_content_type) do |format|
          format.text { render plain: pgp_content }
        end
      else
        mail(to: @user.email, subject: @subject) do |format|
          format.text { render @template }
        end
      end
    end
    def from_address
      self.class.default[:from]
    end
    def from_domain
      Mail::Address.new(from_address).domain
    end
    def message_id
      @message_id ||= "#{SecureRandom.uuid}@#{from_domain}"
    end
    def boundary
      @boundary ||= SecureRandom.hex(8)
    end
    def pgp_content_type
      "multipart/encrypted; protocol=\"application/pgp-encrypted\"; boundary=\"------------#{boundary}\""
    end
    def pgp_nested_content
      message_content = render_to_string(template: @template)
      message_content_base64 = Base64.encode64(message_content)
      nested_boundary = SecureRandom.hex(8)
      <<~NESTED_CONTENT
        Content-Type: multipart/mixed; boundary="------------#{nested_boundary}"; protected-headers="v1"
        Subject: #{@subject}
        From: <#{from_address}>
        To: #{@user.display_name || @user.cn} <#{@user.email}>
        Message-ID: <#{message_id}>
        --------------#{nested_boundary}
        Content-Type: text/plain; charset=UTF-8; format=flowed
        Content-Transfer-Encoding: base64
        #{message_content_base64}
        --------------#{nested_boundary}--
      NESTED_CONTENT
    end
    def pgp_content
      encrypted_content = UserManager::PgpEncrypt.call(user: @user, text: pgp_nested_content)
      encrypted_base64 = Base64.encode64(encrypted_content.to_s)
      <<~EMAIL_CONTENT
        This is an OpenPGP/MIME encrypted message (RFC 4880 and 3156)
        --------------#{boundary}
        Content-Type: application/pgp-encrypted
        Content-Description: PGP/MIME version identification
        Version: 1
        --------------#{boundary}
        Content-Type: application/octet-stream; name="encrypted.asc"
        Content-Description: OpenPGP encrypted message
        Content-Disposition: inline; filename="encrypted.asc"
        -----BEGIN PGP MESSAGE-----
        #{encrypted_base64}
        -----END PGP MESSAGE-----
        --------------#{boundary}--
      EMAIL_CONTENT
    end
 end
--- a/app/mailers/custom_mailer.rb
+++ b/app/mailers/custom_mailer.rb
@@ -18,6 +18,6 @@ class CustomMailer < ApplicationMailer
    @user = params[:user]
    @subject = params[:subject]
    @body = params[:body]
-    mail(to: @user.email, subject: @subject)
+    send_mail
  end
 end
--- a/app/mailers/notification_mailer.rb
+++ b/app/mailers/notification_mailer.rb
@@ -3,7 +3,7 @@ class NotificationMailer < ApplicationMailer
    @user = params[:user]
    @amount_sats = params[:amount_sats]
    @subject = "Sats received"
-    mail to: @user.email, subject: @subject
+    send_mail
  end
  def remotestorage_auth_created
@@ -15,19 +15,19 @@ class NotificationMailer < ApplicationMailer
      "#{access} #{directory}"
    end
    @subject = "New app connected to your storage"
-    mail to: @user.email, subject: @subject
+    send_mail
  end
  def new_invitations_available
    @user = params[:user]
    @subject = "New invitations added to your account"
-    mail to: @user.email, subject: @subject
+    send_mail
  end
  def bitcoin_donation_confirmed
    @user = params[:user]
    @donation = params[:donation]
    @subject = "Donation confirmed"
-    mail to: @user.email, subject: @subject
+    send_mail
  end
 end
--- a/app/models/concerns/settings/remote_storage_settings.rb
+++ b/app/models/concerns/settings/remote_storage_settings.rb
@@ -6,6 +6,9 @@ module Settings
      field :remotestorage_enabled, type: :boolean,
        default: ENV["RS_STORAGE_URL"].present?
      field :rs_accounts_domain, type: :string,
        default: ENV["RS_AKKOUNTS_DOMAIN"] || ENV["AKKOUNTS_DOMAIN"]
      field :rs_storage_url, type: :string,
        default: ENV["RS_STORAGE_URL"].presence
--- a/app/models/remote_storage_authorization.rb
+++ b/app/models/remote_storage_authorization.rb
@@ -2,7 +2,7 @@ class RemoteStorageAuthorization < ApplicationRecord
  belongs_to :user
  belongs_to :web_app, class_name: "AppCatalog::WebApp", optional: true
-  serialize :permissions unless Rails.env.production?
+  serialize :permissions, coder: YAML unless Rails.env.production?
  validates_presence_of :permissions
  validates_presence_of :client_id
@@ -69,11 +69,19 @@ class RemoteStorageAuthorization < ApplicationRecord
    end
    def remove_token_expiry_job
-      queue = Sidekiq::Queue.new(RemoteStorageExpireAuthorizationJob.queue_name)
+      job_class = RemoteStorageExpireAuthorizationJob
-      queue.each do |job|
+      job_args = [id]
-        next unless job.display_class == "RemoteStorageExpireAuthorizationJob"
+
-        job.delete if job.display_args == [id]
+      query = SolidQueue::Job.where(class_name: job_class.to_s)
-      end
+
      case ActiveRecord::Base.connection.adapter_name.downcase
      when /sqlite/
        query.where("json_extract(arguments, '$.arguments') = ?", job_args.to_json)
      when /postgres/
        query.where("CAST(arguments AS jsonb)->>'arguments' = ?", job_args.to_json)
      else
        raise "Unsupported database adapter"
      end.destroy_all
    end
    def find_or_create_web_app
--- a/app/models/user.rb
+++ b/app/models/user.rb
@@ -3,9 +3,10 @@ require 'nostr'
 class User < ApplicationRecord
  include EmailValidatable
  attr_accessor :display_name
  attr_accessor :avatar_new
  attr_accessor :current_password
  attr_accessor :avatar_new
  attr_accessor :display_name
  attr_accessor :pgp_pubkey
  serialize :preferences, coder: UserPreferences
@@ -51,6 +52,8 @@ class User < ApplicationRecord
  validate :acceptable_avatar
  validate :acceptable_pgp_key_format, if: -> { defined?(@pgp_pubkey) && @pgp_pubkey.present? }
  #
  # Scopes
  #
@@ -165,6 +168,24 @@ class User < ApplicationRecord
    Nostr::PublicKey.new(nostr_pubkey).to_bech32
  end
  def pgp_pubkey
    @pgp_pubkey ||= ldap_entry[:pgp_key]
  end
  def gnupg_key
    return nil unless pgp_pubkey.present?
    GPGME::Key.import(pgp_pubkey)
    GPGME::Key.get(pgp_fpr)
  end
  def pgp_pubkey_contains_user_address?
    gnupg_key.uids.map(&:email).include?(address)
  end
  def wkd_hash
    ZBase32.encode(Digest::SHA1.digest(cn))
  end
  def avatar
    @avatar_base64 ||= LdapManager::FetchAvatar.call(cn: cn)
  end
@@ -214,4 +235,10 @@ class User < ApplicationRecord
        errors.add(:avatar, "must be a JPEG or PNG file")
      end
    end
    def acceptable_pgp_key_format
      unless GPGME::Key.valid?(pgp_pubkey)
        errors.add(:pgp_pubkey, 'is not a valid armored PGP public key block')
      end
    end
 end
--- a/app/services/create_account.rb
+++ b/app/services/create_account.rb
@@ -1,54 +0,0 @@
 class CreateAccount < ApplicationService
  def initialize(account:)
    @username   = account[:username]
    @domain     = account[:ou] || Setting.primary_domain
    @email      = account[:email]
    @password   = account[:password]
    @invitation = account[:invitation]
    @confirmed  = account[:confirmed]
  end
  def call
    user = create_user_in_database
    add_ldap_document
    create_lndhub_account(user) if Setting.lndhub_enabled
    if @invitation.present?
      update_invitation(user.id)
    end
  end
  private
  def create_user_in_database
    User.create!(
      cn: @username,
      ou: @domain,
      email: @email,
      password: @password,
      password_confirmation: @password,
      confirmed_at: @confirmed ? DateTime.now : nil
    )
  end
  def update_invitation(user_id)
    @invitation.update! invited_user_id: user_id, used_at: DateTime.now
  end
  def add_ldap_document
    hashed_pw = Devise.ldap_auth_password_builder.call(@password)
    CreateLdapUserJob.perform_later(
      username: @username,
      domain: @domain,
      email: @email,
      hashed_pw: hashed_pw,
      confirmed: @confirmed
    )
  end
  def create_lndhub_account(user)
    #TODO enable in development when we have a local lndhub (mock?) API
    return if Rails.env.development?
    CreateLndhubAccountJob.perform_later(user)
  end
 end
--- a/app/services/create_invitations.rb
+++ b/app/services/create_invitations.rb
@@ -1,17 +0,0 @@
 class CreateInvitations < ApplicationService
  def initialize(user:, amount:, notify: true)
    @user = user
    @amount = amount
    @notify = notify
  end
  def call
    @amount.times do
      Invitation.create(user: @user)
    end
    if @notify
      NotificationMailer.with(user: @user).new_invitations_available.deliver_later
    end
  end
 end
--- a/app/services/ldap_manager/update_pgp_key.rb
+++ b/app/services/ldap_manager/update_pgp_key.rb
@@ -0,0 +1,16 @@
 module LdapManager
  class UpdatePgpKey < LdapManagerService
    def initialize(dn:, pubkey:)
      @dn = dn
      @pubkey = pubkey
    end
    def call
      if @pubkey.present?
        replace_attribute @dn, :pgpKey, @pubkey
      else
        delete_attribute @dn, :pgpKey
      end
    end
  end
 end
--- a/app/services/ldap_service.rb
+++ b/app/services/ldap_service.rb
@@ -58,7 +58,7 @@ class LdapService < ApplicationService
    attributes = %w[
      dn cn uid mail displayName admin serviceEnabled
-      mailRoutingAddress mailpassword nostrKey
+      mailRoutingAddress mailpassword nostrKey pgpKey
    ]
    filter = Net::LDAP::Filter.eq("uid", args[:uid] || "*")
@@ -73,7 +73,8 @@ class LdapService < ApplicationService
        services_enabled: e.try(:serviceEnabled),
        email_maildrop: e.try(:mailRoutingAddress),
        email_password: e.try(:mailpassword),
-        nostr_key: e.try(:nostrKey) ? e.nostrKey.first : nil
+        nostr_key: e.try(:nostrKey) ? e.nostrKey.first : nil,
        pgp_key: e.try(:pgpKey) ? e.pgpKey.first : nil
      }
    end
  end
@@ -101,7 +102,7 @@ class LdapService < ApplicationService
    dn = "ou=#{ou},cn=users,#{ldap_suffix}"
    aci = <<-EOS
-(target="ldap:///cn=*,ou=#{ou},cn=users,#{ldap_suffix}")(targetattr="cn || sn || uid || userPassword || mail || mailRoutingAddress || serviceEnabled || nostrKey || nsRole || objectClass") (version 3.0; acl "service-#{ou.gsub(".", "-")}-read-search"; allow (read,search) userdn="ldap:///uid=service,ou=#{ou},cn=applications,#{ldap_suffix}";)
+(target="ldap:///cn=*,ou=#{ou},cn=users,#{ldap_suffix}")(targetattr="cn || sn || uid || userPassword || mail || mailRoutingAddress || serviceEnabled || nostrKey || pgpKey || nsRole || objectClass") (version 3.0; acl "service-#{ou.gsub(".", "-")}-read-search"; allow (read,search) userdn="ldap:///uid=service,ou=#{ou},cn=applications,#{ldap_suffix}";)
    EOS
    attrs = {
--- a/app/services/user_manager/create_account.rb
+++ b/app/services/user_manager/create_account.rb
@@ -0,0 +1,56 @@
 module UserManager
  class CreateAccount < UserManagerService
    def initialize(account:)
      @username   = account[:username]
      @domain     = account[:ou] || Setting.primary_domain
      @email      = account[:email]
      @password   = account[:password]
      @invitation = account[:invitation]
      @confirmed  = account[:confirmed]
    end
    def call
      user = create_user_in_database
      add_ldap_document
      create_lndhub_account(user) if Setting.lndhub_enabled
      if @invitation.present?
        update_invitation(user.id)
      end
    end
    private
    def create_user_in_database
      User.create!(
        cn: @username,
        ou: @domain,
        email: @email,
        password: @password,
        password_confirmation: @password,
        confirmed_at: @confirmed ? DateTime.now : nil
      )
    end
    def update_invitation(user_id)
      @invitation.update! invited_user_id: user_id, used_at: DateTime.now
    end
    def add_ldap_document
      hashed_pw = Devise.ldap_auth_password_builder.call(@password)
      CreateLdapUserJob.perform_later(
        username: @username,
        domain: @domain,
        email: @email,
        hashed_pw: hashed_pw,
        confirmed: @confirmed
      )
    end
    def create_lndhub_account(user)
      #TODO enable in development when we have a local lndhub (mock?) API
      return if Rails.env.development?
      CreateLndhubAccountJob.perform_later(user)
    end
  end
 end
--- a/app/services/user_manager/create_invitations.rb
+++ b/app/services/user_manager/create_invitations.rb
@@ -0,0 +1,19 @@
 module UserManager
  class CreateInvitations < UserManagerService
    def initialize(user:, amount:, notify: true)
      @user = user
      @amount = amount
      @notify = notify
    end
    def call
      @amount.times do
        Invitation.create(user: @user)
      end
      if @notify
        NotificationMailer.with(user: @user).new_invitations_available.deliver_later
      end
    end
  end
 end
--- a/app/services/user_manager/pgp_encrypt.rb
+++ b/app/services/user_manager/pgp_encrypt.rb
@@ -0,0 +1,19 @@
 require 'gpgme'
 module UserManager
  class PgpEncrypt < UserManagerService
    def initialize(user:, text:)
      @user = user
      @text = text
    end
    def call
      crypto = GPGME::Crypto.new
      crypto.encrypt(
        @text,
        recipients: @user.gnupg_key,
        always_trust: true
      )
    end
  end
 end
--- a/app/services/user_manager/update_pgp_key.rb
+++ b/app/services/user_manager/update_pgp_key.rb
@@ -0,0 +1,24 @@
 module UserManager
  class UpdatePgpKey < UserManagerService
    def initialize(user:)
      @user = user
    end
    def call
      if @user.pgp_pubkey.blank?
        @user.update! pgp_fpr: nil
      else
        result = GPGME::Key.import(@user.pgp_pubkey)
        if result.imports.present?
          @user.update! pgp_fpr: result.imports.first.fpr
        else
          # TODO notify Sentry, user
          raise "Failed to import OpenPGP pubkey"
        end
      end
      LdapManager::UpdatePgpKey.call(dn: @user.dn, pubkey: @user.pgp_pubkey)
    end
  end
 end
--- a/app/services/user_manager_service.rb
+++ b/app/services/user_manager_service.rb
@@ -0,0 +1,2 @@
 class UserManagerService < ApplicationService
 end
--- a/app/views/admin/users/show.html.erb
+++ b/app/views/admin/users/show.html.erb
@@ -89,13 +89,47 @@
    </section>
    <section class="sm:flex-1 sm:pt-0">
-      <% if @avatar.present? %>
+      <h3>LDAP</h3>
-      <h3>LDAP<h3>
+      <table class="divided">
-      <p>
+        <tbody>
-        <img src="data:image/jpeg;base64,<%= @avatar %>" class="h-48 w-48" />
+          <tr>
-      </p>
+            <th>Avatar</th>
-      <% end %>
+            <td>
-      <!-- <h3>Actions</h3> -->
+              <% if @avatar.present? %>
                <img src="data:image/jpeg;base64,<%= @avatar %>" class="h-48 w-48" />
              <% else %>
                &mdash;
              <% end %>
            </td>
          </tr>
          <tr>
            <th>Display name</th>
            <td><%= @user.display_name || "—" %></td>
          </tr>
          <tr>
            <th class="align-top">PGP key</th>
            <td class="align-top leading-5">
              <% if @user.pgp_pubkey.present? %>
                <span class="font-mono" title="<%= @user.pgp_fpr %>">
                  <% if @user.pgp_pubkey_contains_user_address? %>
                    <%= link_to wkd_key_url(hashed_username: @user.wkd_hash, l: @user.cn, format: :txt),
                      class: "ks-text-link", target: "_blank" do %>
                      <%= "#{@user.pgp_fpr[0, 8]}…#{@user.pgp_fpr[-8..-1]}" %>
                    <% end %>
                  <% else %>
                    <%= "#{@user.pgp_fpr[0, 8]}…#{@user.pgp_fpr[-8..-1]}" %>
                  <% end %>
                </span><br />
                <% @user.gnupg_key.uids.each do |uid| %>
                  <%= uid.uid %><br />
                <% end %>
              <% else %>
                &mdash;
              <% end %>
            </td>
          </tr>
        </tbody>
      </table>
    </section>
  </div>
--- a/app/views/services/remotestorage/show.html.erb
+++ b/app/views/services/remotestorage/show.html.erb
@@ -14,8 +14,9 @@
    <p class="mb-6">
      In order to connect an app to your storage account, give it your address:
    </p>
-    <p data-controller="clipboard" class="flex items-center gap-1 sm:w-2/5">
+    <p data-controller="clipboard" class="flex gap-1 sm:w-2/5">
-      <img src="/img/logos/icon_remotestorage.svg" class="inline-block h-6 w-6 mr-1">
+      <img src="/img/logos/icon_remotestorage.svg"
           class="inline-block h-6 w-6 mr-1 self-center">
      <input type="text" id="user_address" class="grow"
             value=<%= current_user.address %> disabled="disabled"
             data-clipboard-target="source" />
--- a/app/views/settings/_account.html.erb
+++ b/app/views/settings/_account.html.erb
@@ -1,6 +1,6 @@
 <%= tag.section data: {
      controller: "settings--account--email",
-      "settings--account--email-validation-failed-value": @validation_errors.present?
+      "settings--account--email-validation-failed-value": @validation_errors&.[](:email)&.present?
    } do %>
  <h3>E-Mail</h3>
  <%= form_for(@user, url: update_email_settings_path, method: "post") do |f| %>
@@ -23,7 +23,7 @@
        </span>
      </button>
    </p>
-    <% if @validation_errors.present? && @validation_errors[:email].present? %>
+    <% if @validation_errors&.[](:email)&.present? %>
      <p class="error-msg"><%= @validation_errors[:email].first %></p>
    <% end %>
    <div class="initial-hidden">
@@ -41,10 +41,33 @@
 <% end %>
 <section>
  <h3>Password</h3>
-  <p class="mb-8">Use the following button to request an email with a password reset link:</p>
+  <p class="mb-6">Use the following button to request an email with a password reset link:</p>
  <%= form_with(url: reset_password_settings_path, method: :post) do %>
    <p>
      <%= submit_tag("Send me a password reset link", class: 'btn-md btn-gray w-full sm:w-auto') %>
    </p>
  <% end %>
 </section>
 <%= form_for(@user, url: setting_path(:account), html: { :method => :put }) do |f| %>
  <section class="!pt-8 sm:!pt-12">
    <h3>OpenPGP</h3>
    <ul role="list">
      <%= render FormElements::FieldsetComponent.new(
            title: "Public key",
            description: "Your OpenPGP public key in ASCII Armor format"
          ) do %>
        <%= f.text_area :pgp_pubkey,
          value: @user.pgp_pubkey,
          class: "h-24 w-full" %>
        <% if @validation_errors&.[](:pgp_pubkey)&.present? %>
          <p class="error-msg">This <%= @validation_errors[:pgp_pubkey].first %></p>
        <% end %>
      <% end %>
    </ul>
  </section>
  <section>
    <p class="pt-6 border-t border-gray-200 text-right">
      <%= f.submit 'Save', class: "btn-md btn-blue w-full md:w-auto" %>
    </p>
  </section>
 <% end %>
--- a/app/views/settings/_email.html.erb
+++ b/app/views/settings/_email.html.erb
@@ -5,7 +5,7 @@
  <h3>E-Mail Password</h3>
  <%= form_for(@user, url: reset_email_password_settings_path, method: "post") do |f| %>
    <%= hidden_field_tag :section, "email" %>
-    <p class="mb-8">
+    <p class="mb-6">
      Use the following button to generate a new email password:
    </p>
    <p class="hidden initial-visible">
--- a/bin/jobs
+++ b/bin/jobs
@@ -0,0 +1,6 @@
 #!/usr/bin/env ruby
 require_relative "../config/environment"
 require "solid_queue/cli"
 SolidQueue::Cli.start(ARGV)
--- a/bin/rails
+++ b/bin/rails
@@ -1,9 +1,4 @@
 #!/usr/bin/env ruby
-begin
+APP_PATH = File.expand_path("../config/application", __dir__)
-  load File.expand_path('../spring', __FILE__)
+require_relative "../config/boot"
-rescue LoadError => e
+require "rails/commands"
  raise unless e.message.include?('spring')
 end
 APP_PATH = File.expand_path('../config/application', __dir__)
 require_relative '../config/boot'
 require 'rails/commands'
--- a/bin/rake
+++ b/bin/rake
@@ -1,9 +1,4 @@
 #!/usr/bin/env ruby
-begin
+require_relative "../config/boot"
-  load File.expand_path('../spring', __FILE__)
+require "rake"
 rescue LoadError => e
  raise unless e.message.include?('spring')
 end
 require_relative '../config/boot'
 require 'rake'
 Rake.application.run
--- a/bin/rubocop
+++ b/bin/rubocop
@@ -0,0 +1,8 @@
 #!/usr/bin/env ruby
 require "rubygems"
 require "bundler/setup"
 # explicit rubocop config increases performance slightly while avoiding config confusion.
 ARGV.unshift("--config", File.expand_path("../.rubocop.yml", __dir__))
 load Gem.bin_path("rubocop", "rubocop")
--- a/bin/setup
+++ b/bin/setup
@@ -1,36 +1,34 @@
 #!/usr/bin/env ruby
-require 'fileutils'
+require "fileutils"
-# path to your application root.
+APP_ROOT = File.expand_path("..", __dir__)
 APP_ROOT = File.expand_path('..', __dir__)
 def system!(*args)
-  system(*args) || abort("\n== Command #{args} failed ==")
+  system(*args, exception: true)
 end
 FileUtils.chdir APP_ROOT do
-  # This script is a way to setup or update your development environment automatically.
+  # This script is a way to set up or update your development environment automatically.
-  # This script is idempotent, so that you can run it at anytime and get an expectable outcome.
+  # This script is idempotent, so that you can run it at any time and get an expectable outcome.
  # Add necessary setup steps to this file.
-  puts '== Installing dependencies =='
+  puts "== Installing dependencies =="
-  system! 'gem install bundler --conservative'
+  system("bundle check") || system!("bundle install")
  system('bundle check') || system!('bundle install')
  # Install JavaScript dependencies
  # system('bin/yarn')
  # puts "\n== Copying sample files =="
-  # unless File.exist?('config/database.yml')
+  # unless File.exist?("config/database.yml")
-  #   FileUtils.cp 'config/database.yml.sample', 'config/database.yml'
+  #   FileUtils.cp "config/database.yml.sample", "config/database.yml"
  # end
  puts "\n== Preparing database =="
-  system! 'bin/rails db:prepare'
+  system! "bin/rails db:prepare"
  puts "\n== Removing old logs and tempfiles =="
-  system! 'bin/rails log:clear tmp:clear'
+  system! "bin/rails log:clear tmp:clear"
-  puts "\n== Restarting application server =="
+  unless ARGV.include?("--skip-server")
-  system! 'bin/rails restart'
+    puts "\n== Starting development server =="
    STDOUT.flush # flush the output before exec(2) so that it displays
    exec "bin/dev"
  end
 end
--- a/config/application.rb
+++ b/config/application.rb
@@ -1,4 +1,4 @@
-require_relative 'boot'
+require_relative "boot"
 require "rails"
 # Pick the frameworks you want:
@@ -12,7 +12,6 @@ require "action_mailbox/engine"
 # require "action_text/engine"
 require "action_view/railtie"
 require "action_cable/engine"
 require "sprockets/railtie"
 # require "rails/test_unit/railtie"
 # Require the gems listed in Gemfile, including any gems
@@ -22,12 +21,20 @@ Bundler.require(*Rails.groups)
 module Akkounts
  class Application < Rails::Application
    # Initialize configuration defaults for originally generated Rails version.
-    config.load_defaults 7.0
+    config.load_defaults 8.0
-    # Settings in config/environments/* take precedence over those specified here.
+    # Please, add to the `ignore` list any other `lib` subdirectories that do
-    # Application configuration can go into files in config/initializers
+    # not contain `.rb` files, or that should not be reloaded or eager loaded.
-    # -- all .rb files in that directory are automatically loaded after loading
+    # Common ones are `templates`, `generators`, or `middleware`, for example.
-    # the framework and any gems in your application.
+    config.autoload_lib(ignore: %w[assets tasks])
    # Configuration for the application, engines, and railties goes here.
    #
    # These settings can be overridden in specific environments using the files
    # in config/environments, which are processed later.
    #
    # config.time_zone = "Central Time (US & Canada)"
    # config.eager_load_paths << Rails.root.join("extras")
    # Don't generate system test files.
    config.generators.system_tests = nil
@@ -40,7 +47,12 @@ module Akkounts
      g.stylesheets         false
    end
-    config.active_job.queue_adapter = :sidekiq
+    config.active_job.queue_adapter = :solid_queue
    config.mission_control.jobs.http_basic_auth_enabled = false
    config.action_mailer.deliver_later_queue_name = nil # use "default" queue
    # The default includes webp, which requires webp support everywhere
    config.active_storage.web_image_content_types = %w[image/png image/jpeg image/gif]
  end
 end
--- a/config/credentials.yml.enc
+++ b/config/credentials.yml.enc
@@ -1 +1 @@
-tmI5vm7qZhaigr52jEBVWkRdj+EE+9OmPh3vWXC7kA/OHuuucpr7SodychuMkQDPLM0BLk88LFsqvRIR+mqnLWpRC+P9aeUFE6ohxSWzcAd7Y4sgxUD8zpCRPndrwTw0hxXXj1WZSYeWn4BoAB34aV+gYen2MajZF3a95hJGtS5yjgWxvLVkQQKqRDfykkfX6fCS0BPo5X7sT7m4xwCATD/D4219wajm5W3TIdkriHtwt28ZLspaRWA5e0UkzKf8+/Gaj2CrW7UWcvew8R93zQ5RA2/Sp3sDTVN+kLz9I9Q095lQC0ywCAEFYHeKmc2tjrzqRaAAWu06xmWLqGIg21G+A/UU9lUJOkIpxQACWoOfS2IoXR1nXhgXMopkz3aCBXDxKw554v4H2QyOceOsuRf2C685ibMqzQkKMmJ4tcbiOJL77DUc08JTjB8Dq4Ohr8sMzXbV/hATevjYoRP0XarLekqhLv90ZLuIVY16DwB0CzACeNBKeKbeLqJF51upRRWgi+gTbYpV04yUwnXdyssF8mydWocgihrTryBi8F6PsuhBGcaYdP+0yibnGxDCC4x2rupbBfMj2OIX7pYzgtIHB3Eo954Y+bCoggqbE/Qrb9VVXNMgtKgLt8EGWU2tg6wl9QicitIq87uLDAade93zTn6rmcKPywjMDo6jbVIs653ZdUhiKdHGdpnJccbgQ/iLSPB1umNnCeaEX5jM+K9zBvl7ZMCdSk1YIQ==--ekKumqLiSlVJNwMe--K/ecXmmMT1x+WnIXMbHBDw==
+wVGTGBCsJ2bLSXxn/cYKcYyljVARvZGhi2gOQbiJy/r3Ia4gUmurlKFFKF0m6wmUMIlj+W11Mvu4at3c5h9fzODeIJ+EwkbwLcO8KECUyuXwVxVm2sH2TixWRwhyokT+UwS8J5c7lJTgmFAPlZiRQ+YyrqmhyPzq1fEdErk3btsWNPpJpOsdv1YPBCFFN96zMfY8h+Ttr53a9S58h+fwA+ZF5ePVqeIpJshQ+21UjUIKb5qSLEIECsarI/QJDMQwyKcvYiOEPny8nZL/7bE9TxBgC7v6UnsN+ZXVUB36aw7LOPj+21NVIdWjwOgHYRK1H2Co+stS8bDieuqV29iTTL+F8afHm/6yRc7EAtfKJe3nWf4woI+hHw7p7g/6t451F4nv9Nu1Mmt6YvJjzbSIDbf6Q6yfuYyRAv7uZdXrfsezjyhTDNGQ/SgBDpQ7CUzRoruc--0WsH7dH/QP2Hzvya--8eFWc0g5dVAvrPhC5JpO5Q==
--- a/config/database.yml
+++ b/config/database.yml
@@ -1,21 +1,37 @@
 default: &default
-  adapter: sqlite3
+  adapter: <%= ENV["DB_ADAPTER"] || "sqlite3" %>
  pool: <%= ENV["DB_POOL"] || ENV['MAX_THREADS'] || 5 %>
  timeout: 5000
 <% if ENV["DB_ADAPTER"] == "postgresql" %>
  host: <%= ENV["PG_HOST"] || 'localhost' %>
  port: <%= ENV["PG_PORT"] || 5432 %>
  username: <%= ENV["PG_USERNAME"] || 'akkounts' %>
  password: <%= ENV["PG_PASSWORD"] %>
 <% end %>
 <% if ENV["LNDHUB_PG_HOST"].present? %>
 lndhub: &lndhub
  adapter: postgresql
  database_tasks: false
  host: <%= ENV["LNDHUB_PG_HOST"] %>
  port: <%= ENV["LNDHUB_PG_PORT"] || 5432 %>
  database: <%= ENV["LNDHUB_PG_DATABASE"] || 'lndhub' %>
  username: <%= ENV["LNDHUB_PG_USERNAME"] || 'lndhub' %>
  password: <%= ENV["LNDHUB_PG_PASSWORD"] %>
 <% end %>
 development:
  primary:
    <<: *default
-    database: db/development.sqlite3
+    database: <%= ENV["DB_ADAPTER"] == "postgresql" ? ENV["PG_DATABASE"] : "db/development.sqlite3" %>
-  lndhub:
+  queue:
    <<: *default
-    adapter: postgresql
+    database: <%= ENV["DB_ADAPTER"] == "postgresql" ? ENV["PG_DATABASE_QUEUE"] : "db/development_queue.sqlite3" %>
-    database_tasks: false
+    migrations_paths: db/queue_migrate
-    host: <%= ENV["LNDHUB_PG_HOST"] || 'localhost' %>
+<% if ENV["LNDHUB_PG_HOST"].present? %>
-    port: <%= ENV["LNDHUB_PG_PORT"] || 5432 %>
+  lndhub:
-    database: <%= ENV["LNDHUB_PG_DATABASE"] || 'lndhub' %>
+    <<: *lndhub
-    username: <%= ENV["LNDHUB_PG_USERNAME"] || 'lndhub' %>
+<% end %>
    password: <%= ENV["LNDHUB_PG_PASSWORD"] %>
 # Warning: The database defined as "test" will be erased and
 # re-generated from your development database when you run "rake".
@@ -32,18 +48,12 @@ test:
 production:
  primary:
    <<: *default
-    adapter: postgresql
+    database: <%= ENV["DB_ADAPTER"] == "postgresql" ? ENV["PG_DATABASE"] : "db/production.sqlite3" %>
-    database: akkounts
+  queue:
    port: 5432
    host: <%= Rails.application.credentials.postgres[:host] rescue nil %>
    username: <%= Rails.application.credentials.postgres[:username] rescue nil %>
    password: <%= Rails.application.credentials.postgres[:password] rescue nil %>
  lndhub:
    <<: *default
-    adapter: postgresql
+    database: <%= ENV["DB_ADAPTER"] == "postgresql" ? ENV["PG_DATABASE_QUEUE"] : "db/production_queue.sqlite3" %>
-    database_tasks: false
+    migrations_paths: db/queue_migrate
-    host: <%= ENV["LNDHUB_PG_HOST"] || 'localhost' %>
+<% if ENV["LNDHUB_PG_HOST"].present? %>
-    port: <%= ENV["LNDHUB_PG_PORT"] || 5432 %>
+  lndhub:
-    database: <%= ENV["LNDHUB_PG_DATABASE"] || 'lndhub' %>
+    <<: *lndhub
-    username: <%= ENV["LNDHUB_PG_USERNAME"] || 'lndhub' %>
+<% end %>
    password: <%= ENV["LNDHUB_PG_PASSWORD"] %>
--- a/config/environment.rb
+++ b/config/environment.rb
@@ -1,5 +1,5 @@
 # Load the Rails application.
-require_relative 'application'
+require_relative "application"
 # Initialize the Rails application.
 Rails.application.initialize!
--- a/config/environments/development.rb
+++ b/config/environments/development.rb
@@ -1,10 +1,10 @@
 require "active_support/core_ext/integer/time"
 Rails.application.configure do
  # Settings specified here will take precedence over those in config/application.rb.
-  # In the development environment your application's code is reloaded on
+  # Make code changes take effect immediately without server restart.
-  # every request. This slows down response time but is perfect for development
+  config.enable_reloading = true
  # since you don't have to restart the web server when you make code changes.
  config.cache_classes = false
  # Do not eager load code on boot.
  config.eager_load = false
@@ -12,16 +12,15 @@ Rails.application.configure do
  # Show full error reports.
  config.consider_all_requests_local = true
-  # Enable/disable caching. By default caching is disabled.
+  # Enable server timing.
-  # Run rails dev:cache to toggle caching.
+  config.server_timing = true
-  if Rails.root.join('tmp', 'caching-dev.txt').exist?
+
  # Enable/disable Action Controller caching. By default Action Controller caching is disabled.
  # Run rails dev:cache to toggle Action Controller caching.
  if Rails.root.join("tmp/caching-dev.txt").exist?
    config.action_controller.perform_caching = true
    config.action_controller.enable_fragment_cache_logging = true
-
+    config.public_file_server.headers = { "cache-control" => "public, max-age=#{2.days.to_i}" }
    config.cache_store = :memory_store
    config.public_file_server.headers = {
      'Cache-Control' => "public, max-age=#{2.days.to_i}"
    }
  else
    config.action_controller.perform_caching = false
@@ -31,42 +30,63 @@ Rails.application.configure do
  # Don't care if the mailer can't send.
  config.action_mailer.raise_delivery_errors = false
  # Make template changes take effect immediately.
  config.action_mailer.perform_caching = false
  # Print deprecation notices to the Rails logger.
  config.active_support.deprecation = :log
  # Raise exceptions for disallowed deprecations.
  config.active_support.disallowed_deprecation = :raise
  # Tell Active Support which deprecation messages to disallow.
  config.active_support.disallowed_deprecation_warnings = []
  # Raise an error on page load if there are pending migrations.
  config.active_record.migration_error = :page_load
  # Highlight code that triggered database queries in logs.
  config.active_record.verbose_query_logs = true
-  # Debug mode disables concatenation and preprocessing of assets.
+  # Append comments with runtime information tags to SQL queries in logs.
-  # This option may cause significant delays in view rendering with a large
+  config.active_record.query_log_tags_enabled = true
-  # number of complex assets.
+
-  config.assets.debug = true
+  # Highlight code that enqueued background job in logs.
  config.active_job.verbose_enqueue_logs = true
  # Solid Queue database
  config.solid_queue.connects_to = { database: { writing: :queue } }
  # Suppress logger output for asset requests.
-  config.assets.quiet = true
+  # config.assets.quiet = true
  # Raises error for missing translations.
-  # config.action_view.raise_on_missing_translations = true
+  # config.i18n.raise_on_missing_translations = true
-  # Use an evented file watcher to asynchronously detect changes in source code,
+  # Annotate rendered view with file names.
-  # routes, locales, etc. This feature depends on the listen gem.
+  config.action_view.annotate_rendered_view_with_filenames = true
  config.file_watcher = ActiveSupport::EventedFileUpdateChecker
  config.action_mailer.default_options = {
    from: "accounts@localhost"
  }
  # Don't actually send emails, cache them for viewing via letter opener
  config.action_mailer.delivery_method = :letter_opener
-  # Don't care if the mailer can't send
+  # Uncomment if you wish to allow Action Cable access from any origin.
  # config.action_cable.disable_request_forgery_protection = true
  # Raise error when a before_action's only/except options reference missing actions.
  config.action_controller.raise_on_missing_callback_actions = true
  # Notice if the mailer can't send
  config.action_mailer.raise_delivery_errors = true
  # Base URL to be used by email template link helpers
-  config.action_mailer.default_url_options = { host: "localhost:3000", protocol: "http" }
+  config.action_mailer.default_url_options = {
    host: "localhost:3000", # TODO port: 3000
    protocol: "http"
  }
  config.action_mailer.default_options = {
    from: "accounts@localhost",
    message_id: -> { "<#{Mail.random_tag}@localhost>" },
  }
  # Allow requests from any IP
  config.web_console.permissions = '0.0.0.0/0'
--- a/config/environments/production.rb
+++ b/config/environments/production.rb
@@ -1,61 +1,61 @@
 require "active_support/core_ext/integer/time"
 Rails.application.configure do
  # Settings specified here will take precedence over those in config/application.rb.
  # Code is not reloaded between requests.
-  config.cache_classes = true
+  config.enable_reloading = false
-  # Eager load code on boot. This eager loads most of Rails and
+  # Eager load code on boot for better performance and memory savings (ignored by Rake tasks).
  # your application in memory, allowing both threaded web servers
  # and those relying on copy on write to perform better.
  # Rake tasks automatically ignore this option for performance.
  config.eager_load = true
-  # Full error reports are disabled and caching is turned on.
+  # Full error reports are disabled.
-  config.consider_all_requests_local       = false
+  config.consider_all_requests_local = false
  config.action_controller.perform_caching = true
  # Ensures that a master key has been made available in either ENV["RAILS_MASTER_KEY"]
  # or in config/master.key. This key is used to decrypt credentials (and other encrypted files).
  # config.require_master_key = true
  # Disable serving static files from the `/public` folder by default since
  # Apache or NGINX already handles this.
  config.public_file_server.enabled = ENV['RAILS_SERVE_STATIC_FILES'].present?
-  # Compress CSS using a preprocessor.
+  # Turn on fragment caching in view templates.
-  # config.assets.css_compressor = :sass
+  config.action_controller.perform_caching = true
  # Do not fallback to assets pipeline if a precompiled asset is missed.
  config.assets.compile = false
  # Cache assets for far-future expiry since they are all digest stamped.
  config.public_file_server.headers = { "cache-control" => "public, max-age=#{1.year.to_i}" }
  # Enable serving of images, stylesheets, and JavaScripts from an asset server.
-  # config.action_controller.asset_host = 'http://assets.example.com'
+  # config.asset_host = "http://assets.example.com"
  # Specifies the header that your server uses for sending files.
  # config.action_dispatch.x_sendfile_header = 'X-Sendfile' # for Apache
  # config.action_dispatch.x_sendfile_header = 'X-Accel-Redirect' # for NGINX
-  # Mount Action Cable outside main process or domain.
+  # Assume all access to the app is happening through a SSL-terminating reverse proxy.
-  # config.action_cable.mount_path = nil
+  # config.assume_ssl = true
  # config.action_cable.url = 'wss://example.com/cable'
  # config.action_cable.allowed_request_origins = [ 'http://example.com', /http:\/\/example.*/ ]
  # Force all access to the app over SSL, use Strict-Transport-Security, and use secure cookies.
  # config.force_ssl = true
-  # Use the lowest log level to ensure availability of diagnostic information
+  # Skip http-to-https redirect for the default health check endpoint.
-  # when problems arise.
+  # config.ssl_options = { redirect: { exclude: ->(request) { request.path == "/up" } } }
  config.log_level = :debug
-  # Prepend all log lines with the following tags.
+  # Log to STDOUT with the current request id as a default log tag.
  config.log_tags = [ :request_id ]
  config.logger   = ActiveSupport::TaggedLogging.logger(STDOUT)
-  # Use a different cache store in production.
+  # Change to "debug" to log everything (including potentially personally-identifiable information!)
  config.log_level = ENV.fetch("RAILS_LOG_LEVEL", "info")
  # Prevent health checks from clogging up the logs.
  config.silence_healthcheck_path = "/up"
  # Don't log any deprecations.
  config.active_support.report_deprecations = false
  # Replace the default in-process memory cache store with a durable alternative.
  # config.cache_store = :mem_cache_store
-  # Use a real queuing backend for Active Job (and separate queues per environment).
+  # Solid Queue database
-  # config.active_job.queue_adapter     = :resque
+  config.solid_queue.connects_to = { database: { writing: :queue } }
  # config.active_job.queue_name_prefix = "akkounts_production"
  # E-mail settings, adapted from https://github.com/mastodon/mastodon
@@ -63,7 +63,7 @@ Rails.application.configure do
  outgoing_email_domain  = Mail::Address.new(outgoing_email_address).domain
  config.action_mailer.default_url_options = {
-    host: ENV['AKKOUNTS_DOMAIN'],
+    host: ENV.fetch('AKKOUNTS_DOMAIN'),
    protocol: "https",
  }
@@ -106,6 +106,10 @@ Rails.application.configure do
  config.action_mailer.delivery_method = ENV.fetch('SMTP_DELIVERY_METHOD', 'smtp').to_sym
  # Disable caching for Action Mailer templates even if Action Controller
  # caching is enabled.
  config.action_mailer.perform_caching = false
  # Ignore bad email addresses and do not raise email delivery errors.
  # Set this to true and configure the email server for immediate delivery to raise delivery errors.
  config.action_mailer.raise_delivery_errors = true
@@ -120,43 +124,18 @@ Rails.application.configure do
  # the I18n.default_locale when a translation cannot be found).
  config.i18n.fallbacks = true
  # Send deprecation notices to registered listeners.
  config.active_support.deprecation = :notify
  # Use default logging formatter so that PID and timestamp are not suppressed.
  config.log_formatter = ::Logger::Formatter.new
  # Use a different logger for distributed setups.
  # require 'syslog/logger'
  # config.logger = ActiveSupport::TaggedLogging.new(Syslog::Logger.new 'app-name')
  if ENV["RAILS_LOG_TO_STDOUT"].present?
    logger           = ActiveSupport::Logger.new(STDOUT)
    logger.formatter = config.log_formatter
    config.logger    = ActiveSupport::TaggedLogging.new(logger)
  end
  # Do not dump schema after migrations.
  config.active_record.dump_schema_after_migration = false
-  # Inserts middleware to perform automatic connection switching.
+  # Only use :id for inspections in production.
-  # The `database_selector` hash is used to pass options to the DatabaseSelector
+  config.active_record.attributes_for_inspect = [ :id ]
-  # middleware. The `delay` is used to determine how long to wait after a write
+
-  # to send a subsequent read to the primary.
+  # Enable DNS rebinding protection and other `Host` header attacks.
  # config.hosts = [
  #   "example.com",     # Allow requests from example.com
  #   /.*\.example\.com/ # Allow requests from subdomains like `www.example.com`
  # ]
  #
-  # The `database_resolver` class is used by the middleware to determine which
+  # Skip DNS rebinding protection for the default health check endpoint.
-  # database is appropriate to use based on the time delay.
+  # config.host_authorization = { exclude: ->(request) { request.path == "/up" } }
  #
  # The `database_resolver_context` class is used by the middleware to set
  # timestamps for the last write to the primary. The resolver uses the context
  # class timestamps to determine how long to wait before reading from the
  # replica.
  #
  # By default Rails will store a last write timestamp in the session. The
  # DatabaseSelector middleware is designed as such you can define your own
  # strategy for connection switching and pass that into the middleware through
  # these configuration options.
  # config.active_record.database_selector = { delay: 2.seconds }
  # config.active_record.database_resolver = ActiveRecord::Middleware::DatabaseSelector::Resolver
  # config.active_record.database_resolver_context = ActiveRecord::Middleware::DatabaseSelector::Resolver::Session
 end
--- a/config/environments/test.rb
+++ b/config/environments/test.rb
@@ -6,31 +6,33 @@
 Rails.application.configure do
  # Settings specified here will take precedence over those in config/application.rb.
-  config.cache_classes = false
+  # While tests run files are not watched, reloading is not necessary.
-  config.action_view.cache_template_loading = true
+  config.enable_reloading = false
-  # Do not eager load code on boot. This avoids loading your whole application
+  # Eager loading loads your entire application. When running a single test locally,
-  # just for the purpose of running a single test. If you are using a tool that
+  # this is usually not necessary, and can slow down your test suite. However, it's
-  # preloads Rails for running tests, you may have to set it to true.
+  # recommended that you enable it in continuous integration systems to ensure eager
-  config.eager_load = false
+  # loading is working properly before deploying your code.
  config.eager_load = ENV["CI"].present?
-  # Configure public file server for tests with Cache-Control for performance.
+  # Configure public file server for tests with cache-control for performance.
-  config.public_file_server.enabled = true
+  config.public_file_server.headers = { "cache-control" => "public, max-age=3600" }
  config.public_file_server.headers = {
    'Cache-Control' => "public, max-age=#{1.hour.to_i}"
  }
-  # Show full error reports and disable caching.
+  # Show full error reports.
-  config.consider_all_requests_local       = true
+  config.consider_all_requests_local = true
  config.action_controller.perform_caching = false
  config.cache_store = :null_store
-  # Raise exceptions instead of rendering exception templates.
+  # Render exception templates for rescuable exceptions and raise for other exceptions.
-  config.action_dispatch.show_exceptions = :none
+  config.action_dispatch.show_exceptions = :rescuable
  # Disable request forgery protection in test environment.
  config.action_controller.allow_forgery_protection = false
  config.active_job.queue_adapter = :test
  # Disable caching for Action Mailer templates even if Action Controller
  # caching is enabled.
  config.action_mailer.perform_caching = false
  # Tell Action Mailer not to deliver emails to the real world.
@@ -38,23 +40,28 @@ Rails.application.configure do
  # ActionMailer::Base.deliveries array.
  config.action_mailer.delivery_method = :test
-  # Print deprecation notices to the stderr.
+  config.action_mailer.default_options = {
-  config.active_support.deprecation = :stderr
+    from: "accounts@kosmos.org",
-
+    message_id: -> { "<#{Mail.random_tag}@kosmos.org>" },
-  # Raises error for missing translations.
+  }
  # config.action_view.raise_on_missing_translations = true
  config.action_mailer.default_url_options = {
    host: "accounts.kosmos.org",
-    protocol: "https",
+    protocol: "https"
    from: "accounts@kosmos.org"
  }
-  config.active_job.queue_adapter = :test
+  # Raises error for missing translations.
  # config.i18n.raise_on_missing_translations = true
  # Annotate rendered view with file names.
  # config.action_view.annotate_rendered_view_with_filenames = true
  if ENV["S3_ENABLED"] && ENV["S3_ENABLED"].to_s != "false"
    config.active_storage.service = :s3
  else
    config.active_storage.service = :local
  end
  # Raise error when a before_action's only/except options reference missing actions.
  config.action_controller.raise_on_missing_callback_actions = true
 end
--- a/config/initializers/assets.rb
+++ b/config/initializers/assets.rb
@@ -1,14 +1,9 @@
 # Be sure to restart your server when you modify this file.
 # Version of your assets, change this if you want to expire all your assets.
-Rails.application.config.assets.version = '1.0'
+Rails.application.config.assets.version = "1.0"
 # Add additional assets to the asset load path.
 # Rails.application.config.assets.paths << Emoji.images_path
 # Add Yarn node_modules folder to the asset load path.
 Rails.application.config.assets.paths << Rails.root.join('node_modules')
 # Precompile additional assets.
 # application.js, application.css, and all non-JS/CSS in the app/assets
 # folder are already added.
 # Rails.application.config.assets.precompile += %w( admin.js admin.css )
--- a/config/initializers/content_security_policy.rb
+++ b/config/initializers/content_security_policy.rb
@@ -1,30 +1,25 @@
 # Be sure to restart your server when you modify this file.
-# Define an application-wide content security policy
+# Define an application-wide content security policy.
-# For further information see the following documentation
+# See the Securing Rails Applications Guide for more information:
-# https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy
+# https://guides.rubyonrails.org/security.html#content-security-policy-header
-# Rails.application.config.content_security_policy do |policy|
+# Rails.application.configure do
-#   policy.default_src :self, :https
+#   config.content_security_policy do |policy|
-#   policy.font_src    :self, :https, :data
+#     policy.default_src :self, :https
-#   policy.img_src     :self, :https, :data
+#     policy.font_src    :self, :https, :data
-#   policy.object_src  :none
+#     policy.img_src     :self, :https, :data
-#   policy.script_src  :self, :https
+#     policy.object_src  :none
-#   policy.style_src   :self, :https
+#     policy.script_src  :self, :https
-#   # If you are using webpack-dev-server then specify webpack-dev-server host
+#     policy.style_src   :self, :https
-#   policy.connect_src :self, :https, "http://localhost:3035", "ws://localhost:3035" if Rails.env.development?
+#     # Specify URI for violation reports
-
+#     # policy.report_uri "/csp-violation-report-endpoint"
-#   # Specify URI for violation reports
+#   end
-#   # policy.report_uri "/csp-violation-report-endpoint"
+#
 #   # Generate session nonces for permitted importmap, inline scripts, and inline styles.
 #   config.content_security_policy_nonce_generator = ->(request) { request.session.id.to_s }
 #   config.content_security_policy_nonce_directives = %w(script-src style-src)
 #
 #   # Report violations without enforcing the policy.
 #   # config.content_security_policy_report_only = true
 # end
 # If you are using UJS then enable automatic nonce generation
 # Rails.application.config.content_security_policy_nonce_generator = -> request { SecureRandom.base64(16) }
 # Set the nonce only to specific directives
 # Rails.application.config.content_security_policy_nonce_directives = %w(script-src)
 # Report CSP violations to a specified URI
 # For further information see the following documentation:
 # https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy-Report-Only
 # Rails.application.config.content_security_policy_report_only = true
--- a/config/initializers/devise.rb
+++ b/config/initializers/devise.rb
@@ -45,7 +45,7 @@ Devise.setup do |config|
  # Configure the e-mail address which will be shown in Devise::Mailer,
  # note that it will be overwritten if you use your own mailer class
  # with default "from" parameter.
-  config.mailer_sender = 'accounts@kosmos.org'
+  config.mailer_sender = ENV["SMTP_FROM_ADDRESS"] || 'accounts@localhost'
  # Configure the class responsible to send e-mails.
  # config.mailer = 'Devise::Mailer'
--- a/config/initializers/devise_rails8_patch.rb
+++ b/config/initializers/devise_rails8_patch.rb
@@ -0,0 +1,11 @@
 # See https://alvincrespo.hashnode.dev/rails-8s-lazy-route-loading-devise
 # TODO remove when Devise is fixed
 require 'devise'
 Devise # make sure it's already loaded
 module Devise
  def self.mappings
    Rails.application.try(:reload_routes_unless_loaded)
    @@mappings
  end
 end
--- a/config/initializers/filter_parameter_logging.rb
+++ b/config/initializers/filter_parameter_logging.rb
@@ -1,4 +1,8 @@
 # Be sure to restart your server when you modify this file.
-# Configure sensitive parameters which will be filtered from the log file.
+# Configure parameters to be partially matched (e.g. passw matches password) and filtered from the log file.
-Rails.application.config.filter_parameters += [:password]
+# Use this to limit dissemination of sensitive information.
 # See the ActiveSupport::ParameterFilter documentation for supported notations and behaviors.
 Rails.application.config.filter_parameters += [
  :password, :email, :secret, :token, :_key, :crypt, :salt, :certificate, :otp, :ssn
 ]
--- a/config/initializers/inflections.rb
+++ b/config/initializers/inflections.rb
@@ -4,13 +4,13 @@
 # are locale specific, and you may define rules for as many different
 # locales as you wish. All of these examples are active by default:
 # ActiveSupport::Inflector.inflections(:en) do |inflect|
-#   inflect.plural /^(ox)$/i, '\1en'
+#   inflect.plural /^(ox)$/i, "\\1en"
-#   inflect.singular /^(ox)en/i, '\1'
+#   inflect.singular /^(ox)en/i, "\\1"
-#   inflect.irregular 'person', 'people'
+#   inflect.irregular "person", "people"
 #   inflect.uncountable %w( fish sheep )
 # end
 # These inflection rules are supported but not enabled by default:
 # ActiveSupport::Inflector.inflections(:en) do |inflect|
-#   inflect.acronym 'RESTful'
+#   inflect.acronym "RESTful"
 # end
--- a/config/initializers/mailer_host.rb
+++ b/config/initializers/mailer_host.rb
@@ -1 +0,0 @@
 Rails.application.routes.default_url_options[:host] = ENV['APP_DOMAIN']
--- a/config/initializers/permissions_policy.rb
+++ b/config/initializers/permissions_policy.rb
@@ -0,0 +1,13 @@
 # Be sure to restart your server when you modify this file.
 # Define an application-wide HTTP permissions policy. For further
 # information see: https://developers.google.com/web/updates/2018/06/feature-policy
 # Rails.application.config.permissions_policy do |policy|
 #   policy.camera      :none
 #   policy.gyroscope   :none
 #   policy.microphone  :none
 #   policy.usb         :none
 #   policy.fullscreen  :self
 #   policy.payment     :self, "https://secure.example.com"
 # end
--- a/config/initializers/sidekiq.rb
+++ b/config/initializers/sidekiq.rb
@@ -1,5 +0,0 @@
 require_relative "../../app/models/setting"
 Sidekiq.configure_server do |config|
  config.redis = { url: Setting.redis_url }
 end
--- a/config/ldap.yml
+++ b/config/ldap.yml
@@ -28,11 +28,11 @@ authorizations: &AUTHORIZATIONS
 development:
  host: <%= ENV["LDAP_HOST"] || "localhost" %>
  port: <%= ENV["LDAP_PORT"] || "389" %>
  attribute: cn
  base: <%= ENV["LDAP_BASE"] || "ou=kosmos.org,cn=users,dc=kosmos,dc=org" %>
  admin_user: "cn=Directory Manager"
  admin_password: <%= ENV["LDAP_ADMIN_PASSWORD"] %>
  ssl: <%= ENV["LDAP_USE_TLS"] || "false" %>
  attribute: <%= ENV["LDAP_UID_ATTR"] || "cn" %>
  base: <%= ENV["LDAP_BASE"] || "ou=kosmos.org,cn=users,dc=kosmos,dc=org" %>
  admin_user: <%= ENV["LDAP_ADMIN_USER"] || "cn=Directory Manager" %>
  admin_password: <%= ENV["LDAP_ADMIN_PASSWORD"] %>
  # <<: *AUTHORIZATIONS
 test:
@@ -46,11 +46,11 @@ test:
  # <<: *AUTHORIZATIONS
 production:
-  host: ldap.kosmos.local
+  host: <%= ENV["LDAP_HOST"] || "localhost" %>
-  port: 389
+  port: <%= ENV["LDAP_PORT"] || "389" %>
-  attribute: cn
+  ssl: <%= ENV["LDAP_USE_TLS"] || "false" %>
-  base: ou=kosmos.org,cn=users,dc=kosmos,dc=org
+  attribute: <%= ENV["LDAP_UID_ATTR"] || "cn" %>
-  admin_user: <%= Rails.application.credentials.ldap[:username] rescue nil %>
+  base: <%= ENV["LDAP_BASE"] || "ou=kosmos.org,cn=users,dc=kosmos,dc=org" %>
-  admin_password: <%= Rails.application.credentials.ldap[:password] rescue nil %>
+  admin_user: <%= ENV["LDAP_ADMIN_USER"] || "cn=Directory Manager" %>
-  # ssl: false
+  admin_password: <%= ENV["LDAP_ADMIN_PASSWORD"] %>
  # <<: *AUTHORIZATIONS
--- a/config/puma.rb
+++ b/config/puma.rb
@@ -1,38 +1,43 @@
-# Puma can serve each request in a thread from an internal thread pool.
+# This configuration file will be evaluated by Puma. The top-level methods that
-# The `threads` method setting takes two numbers: a minimum and maximum.
+# are invoked here are part of Puma's configuration DSL. For more information
-# Any libraries that use thread pools should be configured to match
+# about methods provided by the DSL, see https://puma.io/puma/Puma/DSL.html.
-# the maximum value specified for Puma. Default is set to 5 threads for minimum
+
 # and maximum; this matches the default thread size of Active Record.
 #
-max_threads_count = ENV.fetch("RAILS_MAX_THREADS") { 5 }
+# Puma starts a configurable number of processes (workers) and each process
-min_threads_count = ENV.fetch("RAILS_MIN_THREADS") { max_threads_count }
+# serves each request in a thread from an internal thread pool.
 #
 # You can control the number of workers using ENV["WEB_CONCURRENCY"]. You
 # should only set this value when you want to run 2 or more workers. The
 # default is already 1.
 #
 # The ideal number of threads per worker depends both on how much time the
 # application spends waiting for IO operations and on how much you wish to
 # prioritize throughput over latency.
 #
 # As a rule of thumb, increasing the number of threads will increase how much
 # traffic a given process can handle (throughput), but due to CRuby's
 # Global VM Lock (GVL) it has diminishing returns and will degrade the
 # response time (latency) of the application.
 #
 # The default is set to 3 threads as it's deemed a decent compromise between
 # throughput and latency for the average Rails application.
 #
 # Any libraries that use a connection pool or another resource pool should
 # be configured to provide at least as many connections as the number of
 # threads. This includes Active Record's `pool` parameter in `database.yml`.
 max_threads_count = ENV.fetch("RAILS_MAX_THREADS", 5)
 min_threads_count = ENV.fetch("RAILS_MAX_THREADS", 3)
 threads min_threads_count, max_threads_count
-# Specifies the `port` that Puma will listen on to receive requests; default is 3000.
+port ENV.fetch("PORT", 3000)
 #
 port        ENV.fetch("PORT") { 3000 }
 # Specifies the `environment` that Puma will run in.
 #
 environment ENV.fetch("RAILS_ENV") { "development" }
-# Specifies the `pidfile` that Puma will use.
+# Allow puma to be restarted by `bin/rails restart` command.
 pidfile ENV.fetch("PIDFILE") { "tmp/pids/server.pid" }
 # Specifies the number of `workers` to boot in clustered mode.
 # Workers are forked web server processes. If using threads and workers together
 # the concurrency of the application would be max `threads` * `workers`.
 # Workers do not work on JRuby or Windows (both of which do not support
 # processes).
 #
 # workers ENV.fetch("WEB_CONCURRENCY") { 2 }
 # Use the `preload_app!` method when specifying a `workers` number.
 # This directive tells Puma to first boot the application and load code
 # before forking the application. This takes advantage of Copy On Write
 # process behavior so workers use less memory.
 #
 # preload_app!
 # Allow puma to be restarted by `rails restart` command.
 plugin :tmp_restart
 # Run the Solid Queue supervisor inside of Puma for single-server deployments
 plugin :solid_queue if ENV["SOLID_QUEUE_IN_PUMA"]
 # Specify the PID file. Defaults to tmp/pids/server.pid in development.
 # In other environments, only set the PID file if requested.
 pidfile ENV["PIDFILE"] if ENV["PIDFILE"]
--- a/config/queue.yml
+++ b/config/queue.yml
@@ -0,0 +1,21 @@
 default: &default
  dispatchers:
    - polling_interval: 1
      batch_size: 500
  workers:
    - queues: "*"
      threads: 3
      processes: <%= ENV.fetch("JOB_CONCURRENCY", 1) %>
      polling_interval: 0.1
 development:
  <<: *default
  workers:
    - queues: "*"
      threads: 1
 test:
  <<: *default
 production:
  <<: *default
--- a/config/recurring.yml
+++ b/config/recurring.yml
@@ -0,0 +1,10 @@
 # production:
 #   periodic_cleanup:
 #     class: CleanSoftDeletedRecordsJob
 #     queue: background
 #     args: [ 1000, { batch_size: 500 } ]
 #     schedule: every hour
 #   periodic_command:
 #     command: "SoftDeletedRecord.due.delete_all"
 #     priority: 2
 #     schedule: at 5am every day
--- a/config/routes.rb
+++ b/config/routes.rb
@@ -1,5 +1,3 @@
 require 'sidekiq/web'
 Rails.application.routes.draw do
  devise_for :users, controllers: {
    confirmations: 'users/confirmations',
@@ -70,10 +68,12 @@ Rails.application.routes.draw do
  get '.well-known/webfinger', to: 'webfinger#show'
  get '.well-known/nostr', to: 'well_known#nostr'
-  get '.well-known/lnurlp/:username', to: 'lnurlpay#index', as: 'lightning_address'
+  get '.well-known/lnurlp/:username', to: 'lnurlpay#index', as: :lightning_address
-  get '.well-known/keysend/:username', to: 'lnurlpay#keysend', as: 'lightning_address_keysend'
+  get '.well-known/keysend/:username', to: 'lnurlpay#keysend', as: :lightning_address_keysend
  get '.well-known/openpgpkey/hu/:hashed_username(.:format)', to: 'web_key_directory#show', as: :wkd_key
  get '.well-known/openpgpkey/policy', to: 'web_key_directory#policy'
-  get 'lnurlpay/:username/invoice', to: 'lnurlpay#invoice', as: 'lnurlpay_invoice'
+  get 'lnurlpay/:username/invoice', to: 'lnurlpay#invoice', as: :lnurlpay_invoice
  post 'webhooks/lndhub', to: 'webhooks#lndhub'
@@ -121,7 +121,7 @@ Rails.application.routes.draw do
  end
  authenticate :user, ->(user) { user.is_admin? } do
-    mount Sidekiq::Web, at: '/sidekiq'
+    mount MissionControl::Jobs::Engine, at: "/jobs"
    mount Flipper::UI.app(Flipper), at: '/flipper'
  end
--- a/db/migrate/20240922205634_add_pgp_fpr_to_users.rb
+++ b/db/migrate/20240922205634_add_pgp_fpr_to_users.rb
@@ -0,0 +1,5 @@
 class AddPgpFprToUsers < ActiveRecord::Migration[7.1]
  def change
    add_column :users, :pgp_fpr, :string
  end
 end
--- a/db/migrate/20250428123315_add_service_name_to_active_storage_blobs.active_storage.rb
+++ b/db/migrate/20250428123315_add_service_name_to_active_storage_blobs.active_storage.rb
@@ -0,0 +1,22 @@
 # This migration comes from active_storage (originally 20190112182829)
 class AddServiceNameToActiveStorageBlobs < ActiveRecord::Migration[6.0]
  def up
    return unless table_exists?(:active_storage_blobs)
    unless column_exists?(:active_storage_blobs, :service_name)
      add_column :active_storage_blobs, :service_name, :string
      if configured_service = ActiveStorage::Blob.service.name
        ActiveStorage::Blob.unscoped.update_all(service_name: configured_service)
      end
      change_column :active_storage_blobs, :service_name, :string, null: false
    end
  end
  def down
    return unless table_exists?(:active_storage_blobs)
    remove_column :active_storage_blobs, :service_name
  end
 end
--- a/db/migrate/20250428123316_create_active_storage_variant_records.active_storage.rb
+++ b/db/migrate/20250428123316_create_active_storage_variant_records.active_storage.rb
@@ -0,0 +1,27 @@
 # This migration comes from active_storage (originally 20191206030411)
 class CreateActiveStorageVariantRecords < ActiveRecord::Migration[6.0]
  def change
    return unless table_exists?(:active_storage_blobs)
    # Use Active Record's configured type for primary key
    create_table :active_storage_variant_records, id: primary_key_type, if_not_exists: true do |t|
      t.belongs_to :blob, null: false, index: false, type: blobs_primary_key_type
      t.string :variation_digest, null: false
      t.index %i[ blob_id variation_digest ], name: "index_active_storage_variant_records_uniqueness", unique: true
      t.foreign_key :active_storage_blobs, column: :blob_id
    end
  end
  private
    def primary_key_type
      config = Rails.configuration.generators
      config.options[config.orm][:primary_key_type] || :primary_key
    end
    def blobs_primary_key_type
      pkey_name = connection.primary_key(:active_storage_blobs)
      pkey_column = connection.columns(:active_storage_blobs).find { |c| c.name == pkey_name }
      pkey_column.bigint? ? :bigint : pkey_column.type
    end
 end
--- a/db/migrate/20250428123317_remove_not_null_on_active_storage_blobs_checksum.active_storage.rb
+++ b/db/migrate/20250428123317_remove_not_null_on_active_storage_blobs_checksum.active_storage.rb
@@ -0,0 +1,8 @@
 # This migration comes from active_storage (originally 20211119233751)
 class RemoveNotNullOnActiveStorageBlobsChecksum < ActiveRecord::Migration[6.0]
  def change
    return unless table_exists?(:active_storage_blobs)
    change_column_null(:active_storage_blobs, :checksum, true)
  end
 end
--- a/db/queue_schema.rb
+++ b/db/queue_schema.rb
@@ -0,0 +1,129 @@
 ActiveRecord::Schema[7.1].define(version: 1) do
  create_table "solid_queue_blocked_executions", force: :cascade do |t|
    t.bigint "job_id", null: false
    t.string "queue_name", null: false
    t.integer "priority", default: 0, null: false
    t.string "concurrency_key", null: false
    t.datetime "expires_at", null: false
    t.datetime "created_at", null: false
    t.index [ "concurrency_key", "priority", "job_id" ], name: "index_solid_queue_blocked_executions_for_release"
    t.index [ "expires_at", "concurrency_key" ], name: "index_solid_queue_blocked_executions_for_maintenance"
    t.index [ "job_id" ], name: "index_solid_queue_blocked_executions_on_job_id", unique: true
  end
  create_table "solid_queue_claimed_executions", force: :cascade do |t|
    t.bigint "job_id", null: false
    t.bigint "process_id"
    t.datetime "created_at", null: false
    t.index [ "job_id" ], name: "index_solid_queue_claimed_executions_on_job_id", unique: true
    t.index [ "process_id", "job_id" ], name: "index_solid_queue_claimed_executions_on_process_id_and_job_id"
  end
  create_table "solid_queue_failed_executions", force: :cascade do |t|
    t.bigint "job_id", null: false
    t.text "error"
    t.datetime "created_at", null: false
    t.index [ "job_id" ], name: "index_solid_queue_failed_executions_on_job_id", unique: true
  end
  create_table "solid_queue_jobs", force: :cascade do |t|
    t.string "queue_name", null: false
    t.string "class_name", null: false
    t.text "arguments"
    t.integer "priority", default: 0, null: false
    t.string "active_job_id"
    t.datetime "scheduled_at"
    t.datetime "finished_at"
    t.string "concurrency_key"
    t.datetime "created_at", null: false
    t.datetime "updated_at", null: false
    t.index [ "active_job_id" ], name: "index_solid_queue_jobs_on_active_job_id"
    t.index [ "class_name" ], name: "index_solid_queue_jobs_on_class_name"
    t.index [ "finished_at" ], name: "index_solid_queue_jobs_on_finished_at"
    t.index [ "queue_name", "finished_at" ], name: "index_solid_queue_jobs_for_filtering"
    t.index [ "scheduled_at", "finished_at" ], name: "index_solid_queue_jobs_for_alerting"
  end
  create_table "solid_queue_pauses", force: :cascade do |t|
    t.string "queue_name", null: false
    t.datetime "created_at", null: false
    t.index [ "queue_name" ], name: "index_solid_queue_pauses_on_queue_name", unique: true
  end
  create_table "solid_queue_processes", force: :cascade do |t|
    t.string "kind", null: false
    t.datetime "last_heartbeat_at", null: false
    t.bigint "supervisor_id"
    t.integer "pid", null: false
    t.string "hostname"
    t.text "metadata"
    t.datetime "created_at", null: false
    t.string "name", null: false
    t.index [ "last_heartbeat_at" ], name: "index_solid_queue_processes_on_last_heartbeat_at"
    t.index [ "name", "supervisor_id" ], name: "index_solid_queue_processes_on_name_and_supervisor_id", unique: true
    t.index [ "supervisor_id" ], name: "index_solid_queue_processes_on_supervisor_id"
  end
  create_table "solid_queue_ready_executions", force: :cascade do |t|
    t.bigint "job_id", null: false
    t.string "queue_name", null: false
    t.integer "priority", default: 0, null: false
    t.datetime "created_at", null: false
    t.index [ "job_id" ], name: "index_solid_queue_ready_executions_on_job_id", unique: true
    t.index [ "priority", "job_id" ], name: "index_solid_queue_poll_all"
    t.index [ "queue_name", "priority", "job_id" ], name: "index_solid_queue_poll_by_queue"
  end
  create_table "solid_queue_recurring_executions", force: :cascade do |t|
    t.bigint "job_id", null: false
    t.string "task_key", null: false
    t.datetime "run_at", null: false
    t.datetime "created_at", null: false
    t.index [ "job_id" ], name: "index_solid_queue_recurring_executions_on_job_id", unique: true
    t.index [ "task_key", "run_at" ], name: "index_solid_queue_recurring_executions_on_task_key_and_run_at", unique: true
  end
  create_table "solid_queue_recurring_tasks", force: :cascade do |t|
    t.string "key", null: false
    t.string "schedule", null: false
    t.string "command", limit: 2048
    t.string "class_name"
    t.text "arguments"
    t.string "queue_name"
    t.integer "priority", default: 0
    t.boolean "static", default: true, null: false
    t.text "description"
    t.datetime "created_at", null: false
    t.datetime "updated_at", null: false
    t.index [ "key" ], name: "index_solid_queue_recurring_tasks_on_key", unique: true
    t.index [ "static" ], name: "index_solid_queue_recurring_tasks_on_static"
  end
  create_table "solid_queue_scheduled_executions", force: :cascade do |t|
    t.bigint "job_id", null: false
    t.string "queue_name", null: false
    t.integer "priority", default: 0, null: false
    t.datetime "scheduled_at", null: false
    t.datetime "created_at", null: false
    t.index [ "job_id" ], name: "index_solid_queue_scheduled_executions_on_job_id", unique: true
    t.index [ "scheduled_at", "priority", "job_id" ], name: "index_solid_queue_dispatch_all"
  end
  create_table "solid_queue_semaphores", force: :cascade do |t|
    t.string "key", null: false
    t.integer "value", default: 1, null: false
    t.datetime "expires_at", null: false
    t.datetime "created_at", null: false
    t.datetime "updated_at", null: false
    t.index [ "expires_at" ], name: "index_solid_queue_semaphores_on_expires_at"
    t.index [ "key", "value" ], name: "index_solid_queue_semaphores_on_key_and_value"
    t.index [ "key" ], name: "index_solid_queue_semaphores_on_key", unique: true
  end
  add_foreign_key "solid_queue_blocked_executions", "solid_queue_jobs", column: "job_id", on_delete: :cascade
  add_foreign_key "solid_queue_claimed_executions", "solid_queue_jobs", column: "job_id", on_delete: :cascade
  add_foreign_key "solid_queue_failed_executions", "solid_queue_jobs", column: "job_id", on_delete: :cascade
  add_foreign_key "solid_queue_ready_executions", "solid_queue_jobs", column: "job_id", on_delete: :cascade
  add_foreign_key "solid_queue_recurring_executions", "solid_queue_jobs", column: "job_id", on_delete: :cascade
  add_foreign_key "solid_queue_scheduled_executions", "solid_queue_jobs", column: "job_id", on_delete: :cascade
 end
--- a/db/schema.rb
+++ b/db/schema.rb
@@ -10,7 +10,7 @@
 #
 # It's strongly recommended that you check this file into your version control system.
-ActiveRecord::Schema[7.1].define(version: 2024_06_07_123654) do
+ActiveRecord::Schema[8.0].define(version: 2025_04_28_123317) do
  create_table "active_storage_attachments", force: :cascade do |t|
    t.string "name", null: false
    t.string "record_type", null: false
@@ -132,6 +132,7 @@ ActiveRecord::Schema[7.1].define(version: 2024_06_07_123654) do
    t.datetime "remember_created_at"
    t.string "remember_token"
    t.text "preferences"
    t.string "pgp_fpr"
    t.index ["email"], name: "index_users_on_email", unique: true
    t.index ["reset_password_token"], name: "index_users_on_reset_password_token", unique: true
  end
--- a/db/seeds.rb
+++ b/db/seeds.rb
@@ -7,7 +7,7 @@ Sidekiq::Testing.inline! do
  puts "Create user: admin"
-  CreateAccount.call(account: {
+  UserManager::CreateAccount.call(account: {
    username: "admin", domain: "kosmos.org", email: "admin@example.com",
    password: "admin is admin", confirmed: true
  })
@@ -20,7 +20,7 @@ Sidekiq::Testing.inline! do
    email = Faker::Internet.unique.email
    next if username.length < 3
-    CreateAccount.call(account: {
+    UserManager::CreateAccount.call(account: {
      username: username, domain: "kosmos.org", email: email,
      password: "user is user", confirmed: true
    })
--- a/db/seeds/admin.asc
+++ b/db/seeds/admin.asc
@@ -0,0 +1,13 @@
 -----BEGIN PGP PUBLIC KEY BLOCK-----
 mDMEZvGiUxYJKwYBBAHaRw8BAQdARPZXLqyB3nylJuzuARlOJxqc9mchMKHI4Cy+
 hPWlzja0GEFkbWluIDxhZG1pbkBrb3Ntb3Mub3JnPoiZBBMWCgBBFiEE0pie1+fG
 ImdZwzGnwgEYSg8AulYFAmbxolMCGwMFCQWjmoAFCwkIBwICIgIGFQoJCAsCBBYC
 AwECHgcCF4AACgkQwgEYSg8AulaldAEA7yzh7XRCdIJDHgLUvKHsy2NnyLaDD1Tl
 hyZWbl5og0IBAJAQ2Dm82YXMdUK3X1OGlK8KH5O4E5lSFY4+8/xx0UEJuDgEZvGi
 UxIKKwYBBAGXVQEFAQEHQJc8pzzeIF7Hm5z1eseRAqGvFa+V1BIDf+1XQzuJhhxi
 AwEIB4h+BBgWCgAmFiEE0pie1+fGImdZwzGnwgEYSg8AulYFAmbxolMCGwwFCQWj
 moAACgkQwgEYSg8AulbLtgEApZvuDqSP77lrl1jmtCAJEEZk/ofsRFkf1g3U3Zhm
 9PcA/1+AbcyqjLTcqIPjHmZyGEPiaAvEsBzbPKEPiL3JYhkG
 =45sx
 -----END PGP PUBLIC KEY BLOCK-----
--- a/docker-compose.yml
+++ b/docker-compose.yml
@@ -37,43 +37,21 @@ services:
      - "3000:3000"
    environment:
      RAILS_ENV: development
      SOLID_QUEUE_IN_PUMA: true
      LAUNCHY_DRY_RUN: true
      BROWSER: /dev/null
      PRIMARY_DOMAIN: kosmos.org
      LDAP_HOST: ldap
      LDAP_PORT: 3389
      LDAP_ADMIN_PASSWORD: passthebutter
      LDAP_USE_TLS: "false"
      REDIS_URL: redis://redis:6379/0
-      ACTIVE_STORAGE_PATH: "/akkounts/tmp/attachments"
+      ACTIVE_STORAGE_PATH: /akkounts/tmp/attachments
      RS_REDIS_URL: redis://redis:6379/1
-      RS_STORAGE_URL: "http://localhost:4567"
+      RS_STORAGE_URL: http://localhost:4567
      S3_ENABLED: false
      NOSTR_PUBLIC_KEY: bdd76ce2934b2f591f9fad2ebe9da18f20d2921de527494ba00eeaa0a0efadcf
      NOSTR_PRIVATE_KEY: 7c3ef7e448505f0615137af38569d01807d3b05b5005d5ecf8aaafcd40323cea
-      NOSTR_RELAY_URL: "ws://strfry:7777"
+      NOSTR_RELAY_URL: ws://strfry:7777
    depends_on:
      - ldap
      - redis
  sidekiq:
    build: .
    command: bash -c "bundle exec sidekiq -C config/sidekiq.yml"
    volumes:
      - .:/akkounts
    networks:
      - internal_network
    environment:
      RAILS_ENV: development
      PRIMARY_DOMAIN: kosmos.org
      LDAP_HOST: ldap
      LDAP_PORT: 3389
      LDAP_ADMIN_PASSWORD: passthebutter
      LDAP_USE_TLS: "false"
      LAUNCHY_DRY_RUN: true
      BROWSER: /dev/null
      REDIS_URL: redis://redis:6379/0
      RS_REDIS_URL: redis://redis:6379/1
      RS_STORAGE_URL: "http://localhost:4567"
      S3_ENABLED: false
    depends_on:
      - ldap
      - redis
@@ -111,7 +89,7 @@ services:
      - redis
  strfry:
-    image: gitea.kosmos.org/kosmos/strfry-deno:1.1.1
+    image: gitea.kosmos.org/kosmos/strfry-deno:2.0.0
    volumes:
      - ./docker/strfry/strfry.conf:/etc/strfry.conf
      - ./extras/strfry:/opt/strfry
--- a/docs/dev/nostr.md
+++ b/docs/dev/nostr.md
@@ -0,0 +1,57 @@
 # Nostr
 ## strfry
 The `extras/strfry` directory contains code to integrate [strfry][1] with
 akkounts, so that notes published to the relay have to be authored by (or in
 some cases just related to) local users who have verified their Nostr public
 key.
 ### Requirements
 [Deno](https://deno.com/) needs to be installed on the machine that you run
 strfry on.
 We provide a Docker image with recent strfry and Deno builds:
 https://gitea.kosmos.org/kosmos/-/packages/container/strfry-deno/
 ### Configuration
 You can use either environment variables (see e.g. the `strfry` service in
 `docker-compose-yml`) or a local `.env` file in the same working directory
 that you place the extra files in (e.g. `/opt/strfry`).
 In your `strfry.conf`, configure `strfry-policy.ts` as the write policy, like so:
 ```
 writePolicy {
    plugin = "/opt/strfry/strfry-policy.ts"
 }
 ```
 All dependencies will be downloaded and cached automatically when the plugin is
 called for the first time.
 ### Manual tasks
 You can sync all notes authored by local users (any account that has verified
 their Nostr pubkey with akkounts) from a remote [strfry][1] relay via negentropy
 sync:
    deno run -A /opt/strfry/strfry-sync.ts wss://nostr.kosmos.org
 Or, in the running container when using Docker Compose:
    docker compose exec strfry deno run -A /opt/strfry/strfry-sync.ts wss://nostr.kosmos.org
 The `strfry` service container also exposes the local relay on your local host
 on port 4777.
 [nak](https://github.com/fiatjaf/nak) is a helpful tool for manual Nostr tasks.
 Here's how you can grab a note by its event ID from a remote relay and publish
 it to your local strfry for example:
    nak req -i 0fb010192685b86b0810b3de3706fbbf3b8c1db30b14533094a2b9700c820cdc nostr.kosmos.org | nak event ws://localhost:4777
 [1]: https://github.com/hoytech/strfry
--- a/extras/strfry/deno.lock
+++ b/extras/strfry/deno.lock
@@ -1,101 +1,231 @@
 {
-  "version": "3",
+  "version": "4",
-  "packages": {
+  "specifiers": {
-    "specifiers": {
+    "jsr:@nostr/tools@*": "2.3.1",
-      "jsr:@nostr/tools@^2.3.1": "jsr:@nostr/tools@2.3.1",
+    "jsr:@nostr/tools@^2.3.1": "2.3.1",
-      "npm:@noble/ciphers@^0.5.1": "npm:@noble/ciphers@0.5.3",
+    "jsr:@nostrify/nostrify@0.36": "0.36.2",
-      "npm:@noble/curves@1.2.0": "npm:@noble/curves@1.2.0",
+    "jsr:@nostrify/policies@*": "0.36.1",
-      "npm:@noble/hashes@1.3.1": "npm:@noble/hashes@1.3.1",
+    "jsr:@nostrify/strfry@*": "0.2.1",
-      "npm:@scure/base@1.1.1": "npm:@scure/base@1.1.1",
+    "jsr:@nostrify/types@0.35": "0.35.0",
-      "npm:ldapts": "npm:ldapts@7.0.12"
+    "jsr:@nostrify/types@0.36": "0.36.0",
    "jsr:@std/bytes@^1.0.5": "1.0.5",
    "jsr:@std/encoding@~0.224.1": "0.224.3",
    "jsr:@std/json@^1.0.1": "1.0.1",
    "jsr:@std/streams@^1.0.7": "1.0.9",
    "jsr:@std/streams@^1.0.8": "1.0.9",
    "npm:@noble/ciphers@~0.5.1": "0.5.3",
    "npm:@noble/curves@1.2.0": "1.2.0",
    "npm:@noble/hashes@1.3.1": "1.3.1",
    "npm:@scure/base@1.1.1": "1.1.1",
    "npm:@scure/bip32@^1.4.0": "1.6.2",
    "npm:@scure/bip39@^1.3.0": "1.5.4",
    "npm:ldapts@*": "7.0.12",
    "npm:lru-cache@^10.2.0": "10.4.3",
    "npm:nostr-tools@^2.7.0": "2.12.0",
    "npm:websocket-ts@^2.1.5": "2.2.1",
    "npm:zod@^3.23.8": "3.24.2"
  },
  "jsr": {
    "@nostr/tools@2.3.1": {
      "integrity": "af01dc45cb28784c584d7a0699707196f397bcc53946efa582a01b11ddde4d61",
      "dependencies": [
        "npm:@noble/ciphers",
        "npm:@noble/curves",
        "npm:@noble/hashes",
        "npm:@scure/base"
      ]
    },
-    "jsr": {
+    "@nostrify/nostrify@0.36.2": {
-      "@nostr/tools@2.3.1": {
+      "integrity": "cc4787ca170b623a2e5dfed1baa4426077daa6143af728ea7dd325d58f4d04d6",
-        "integrity": "af01dc45cb28784c584d7a0699707196f397bcc53946efa582a01b11ddde4d61",
+      "dependencies": [
-        "dependencies": [
+        "jsr:@nostrify/types@0.35",
-          "npm:@noble/ciphers@^0.5.1",
+        "jsr:@std/encoding",
-          "npm:@noble/curves@1.2.0",
+        "npm:@scure/bip32",
-          "npm:@noble/hashes@1.3.1",
+        "npm:@scure/bip39",
-          "npm:@scure/base@1.1.1"
+        "npm:lru-cache",
-        ]
+        "npm:nostr-tools",
-      }
+        "npm:websocket-ts",
        "npm:zod"
      ]
    },
-    "npm": {
+    "@nostrify/policies@0.36.1": {
-      "@noble/ciphers@0.5.3": {
+      "integrity": "6d59af115a687fcd18b6caebab0e4f50ee6cdb0aafa2aacd0aec2065021275b4",
-        "integrity": "sha512-B0+6IIHiqEs3BPMT0hcRmHvEj2QHOLu+uwt+tqDDeVd0oyVzh7BPrDcPjRnV1PV/5LaknXJJQvOuRGR0zQJz+w==",
+      "dependencies": [
-        "dependencies": {}
+        "jsr:@nostrify/nostrify",
-      },
+        "jsr:@nostrify/types@0.35",
-      "@noble/curves@1.2.0": {
+        "npm:nostr-tools"
-        "integrity": "sha512-oYclrNgRaM9SsBUBVbb8M6DTV7ZHRTKugureoYEncY5c65HOmRzvSiTE3y5CYaPYJA/GVkrhXEoF0M3Ya9PMnw==",
+      ]
-        "dependencies": {
+    },
-          "@noble/hashes": "@noble/hashes@1.3.2"
+    "@nostrify/strfry@0.2.1": {
-        }
+      "integrity": "be437b13f49e6564e557da23072bf642723a603568f672543a64d9fda6663432",
-      },
+      "dependencies": [
-      "@noble/hashes@1.3.1": {
+        "jsr:@nostrify/types@0.36",
-        "integrity": "sha512-EbqwksQwz9xDRGfDST86whPBgM65E0OH/pCgqW0GBVzO22bNE+NuIbeTb714+IfSjU3aRk47EUvXIb5bTsenKA==",
+        "jsr:@std/json",
-        "dependencies": {}
+        "jsr:@std/streams@^1.0.8"
-      },
+      ]
-      "@noble/hashes@1.3.2": {
+    },
-        "integrity": "sha512-MVC8EAQp7MvEcm30KWENFjgR+Mkmf+D189XJTkFIlwohU5hcBbn1ZkKq7KVTi2Hme3PMGF390DaL52beVrIihQ==",
+    "@nostrify/types@0.35.0": {
-        "dependencies": {}
+      "integrity": "b8d515563d467072694557d5626fa1600f74e83197eef45dd86a9a99c64f7fe6"
-      },
+    },
-      "@scure/base@1.1.1": {
+    "@nostrify/types@0.36.0": {
-        "integrity": "sha512-ZxOhsSyxYwLJj3pLZCefNitxsj093tb2vq90mp2txoYeBqbcjDjqFhyM8eUjq/uFm6zJ+mUuqxlS2FkuSY1MTA==",
+      "integrity": "b3413467debcbd298d217483df4e2aae6c335a34765c90ac7811cf7c637600e7"
-        "dependencies": {}
+    },
-      },
+    "@std/bytes@1.0.5": {
-      "@types/asn1@0.2.4": {
+      "integrity": "4465dd739d7963d964c809202ebea6d5c6b8e3829ef25c6a224290fbb8a1021e"
-        "integrity": "sha512-V91DSJ2l0h0gRhVP4oBfBzRBN9lAbPUkGDMCnwedqPKX2d84aAMc9CulOvxdw1f7DfEYx99afab+Rsm3e52jhA==",
+    },
-        "dependencies": {
+    "@std/encoding@0.224.3": {
-          "@types/node": "@types/node@18.16.19"
+      "integrity": "5e861b6d81be5359fad4155e591acf17c0207b595112d1840998bb9f476dbdaf"
-        }
+    },
-      },
+    "@std/json@1.0.1": {
-      "@types/node@18.16.19": {
+      "integrity": "1f0f70737e8827f9acca086282e903677bc1bb0c8ffcd1f21bca60039563049f",
-        "integrity": "sha512-IXl7o+R9iti9eBW4Wg2hx1xQDig183jj7YLn8F7udNceyfkbn1ZxmzZXuak20gR40D7pIkIY1kYGx5VIGbaHKA==",
+      "dependencies": [
-        "dependencies": {}
+        "jsr:@std/streams@^1.0.7"
-      },
+      ]
-      "@types/uuid@9.0.8": {
+    },
-        "integrity": "sha512-jg+97EGIcY9AGHJJRaaPVgetKDsrTgbRjQ5Msgjh/DQKEFl0DtyRr/VCOyD1T2R1MNeWPK/u7JoGhlDZnKBAfA==",
+    "@std/streams@1.0.9": {
-        "dependencies": {}
+      "integrity": "a9d26b1988cdd7aa7b1f4b51e1c36c1557f3f252880fa6cc5b9f37078b1a5035",
-      },
+      "dependencies": [
-      "asn1@0.2.6": {
+        "jsr:@std/bytes"
-        "integrity": "sha512-ix/FxPn0MDjeyJ7i/yoHGFt/EX6LyNbxSEhPPXODPL+KB0VPk86UYfL0lMdy+KCnv+fmvIzySwaK5COwqVbWTQ==",
+      ]
-        "dependencies": {
+    }
-          "safer-buffer": "safer-buffer@2.1.2"
+  },
-        }
+  "npm": {
-      },
+    "@noble/ciphers@0.5.3": {
-      "debug@4.3.5": {
+      "integrity": "sha512-B0+6IIHiqEs3BPMT0hcRmHvEj2QHOLu+uwt+tqDDeVd0oyVzh7BPrDcPjRnV1PV/5LaknXJJQvOuRGR0zQJz+w=="
-        "integrity": "sha512-pt0bNEmneDIvdL1Xsd9oDQ/wrQRkXDT4AUWlNZNPKvW5x/jyO9VFXkJUP07vQ2upmw5PlaITaPKc31jK13V+jg==",
+    },
-        "dependencies": {
+    "@noble/curves@1.1.0": {
-          "ms": "ms@2.1.2"
+      "integrity": "sha512-091oBExgENk/kGj3AZmtBDMpxQPDtxQABR2B9lb1JbVTs6ytdzZNwvhxQ4MWasRNEzlbEH8jCWFCwhF/Obj5AA==",
-        }
+      "dependencies": [
-      },
+        "@noble/hashes@1.3.1"
-      "ldapts@7.0.12": {
+      ]
-        "integrity": "sha512-orwgIejUi/ZyGah9y8jWZmFUg8Ci5M8WAv0oZjSf3MVuk1sRBdor9Qy1ttGHbYpWj96HXKFunQ8AYZ8WWGp17g==",
+    },
-        "dependencies": {
+    "@noble/curves@1.2.0": {
-          "@types/asn1": "@types/asn1@0.2.4",
+      "integrity": "sha512-oYclrNgRaM9SsBUBVbb8M6DTV7ZHRTKugureoYEncY5c65HOmRzvSiTE3y5CYaPYJA/GVkrhXEoF0M3Ya9PMnw==",
-          "@types/uuid": "@types/uuid@9.0.8",
+      "dependencies": [
-          "asn1": "asn1@0.2.6",
+        "@noble/hashes@1.3.2"
-          "debug": "debug@4.3.5",
+      ]
-          "strict-event-emitter-types": "strict-event-emitter-types@2.0.0",
+    },
-          "uuid": "uuid@9.0.1"
+    "@noble/curves@1.8.2": {
-        }
+      "integrity": "sha512-vnI7V6lFNe0tLAuJMu+2sX+FcL14TaCWy1qiczg1VwRmPrpQCdq5ESXQMqUc2tluRNf6irBXrWbl1mGN8uaU/g==",
-      },
+      "dependencies": [
-      "ms@2.1.2": {
+        "@noble/hashes@1.7.2"
-        "integrity": "sha512-sGkPx+VjMtmA6MX27oA4FBFELFCZZ4S4XqeGOXCv68tT+jb3vk/RyaKWP0PTKyWtmLSM0b+adUTEvbs1PEaH2w==",
+      ]
-        "dependencies": {}
+    },
-      },
+    "@noble/hashes@1.3.1": {
-      "safer-buffer@2.1.2": {
+      "integrity": "sha512-EbqwksQwz9xDRGfDST86whPBgM65E0OH/pCgqW0GBVzO22bNE+NuIbeTb714+IfSjU3aRk47EUvXIb5bTsenKA=="
-        "integrity": "sha512-YZo3K82SD7Riyi0E1EQPojLz7kpepnSQI9IyPbHHg1XXXevb5dJI7tpyN2ADxGcQbHG7vcyRHk0cbwqcQriUtg==",
+    },
-        "dependencies": {}
+    "@noble/hashes@1.3.2": {
-      },
+      "integrity": "sha512-MVC8EAQp7MvEcm30KWENFjgR+Mkmf+D189XJTkFIlwohU5hcBbn1ZkKq7KVTi2Hme3PMGF390DaL52beVrIihQ=="
-      "strict-event-emitter-types@2.0.0": {
+    },
-        "integrity": "sha512-Nk/brWYpD85WlOgzw5h173aci0Teyv8YdIAEtV+N88nDB0dLlazZyJMIsN6eo1/AR61l+p6CJTG1JIyFaoNEEA==",
+    "@noble/hashes@1.7.2": {
-        "dependencies": {}
+      "integrity": "sha512-biZ0NUSxyjLLqo6KxEJ1b+C2NAx0wtDoFvCaXHGgUkeHzf3Xc1xKumFKREuT7f7DARNZ/slvYUwFG6B0f2b6hQ=="
-      },
+    },
-      "uuid@9.0.1": {
+    "@scure/base@1.1.1": {
-        "integrity": "sha512-b+1eJOlsR9K8HJpow9Ok3fiWOWSIcIzXodvv0rQjVoOVNpWMpxf1wZNpt4y9h10odCNrqnYp1OBzRktckBe3sA==",
+      "integrity": "sha512-ZxOhsSyxYwLJj3pLZCefNitxsj093tb2vq90mp2txoYeBqbcjDjqFhyM8eUjq/uFm6zJ+mUuqxlS2FkuSY1MTA=="
-        "dependencies": {}
+    },
-      }
+    "@scure/base@1.2.4": {
      "integrity": "sha512-5Yy9czTO47mqz+/J8GM6GIId4umdCk1wc1q8rKERQulIoc8VP9pzDcghv10Tl2E7R96ZUx/PhND3ESYUQX8NuQ=="
    },
    "@scure/bip32@1.3.1": {
      "integrity": "sha512-osvveYtyzdEVbt3OfwwXFr4P2iVBL5u1Q3q4ONBfDY/UpOuXmOlbgwc1xECEboY8wIays8Yt6onaWMUdUbfl0A==",
      "dependencies": [
        "@noble/curves@1.1.0",
        "@noble/hashes@1.3.2",
        "@scure/base@1.1.1"
      ]
    },
    "@scure/bip32@1.6.2": {
      "integrity": "sha512-t96EPDMbtGgtb7onKKqxRLfE5g05k7uHnHRM2xdE6BP/ZmxaLtPek4J4KfVn/90IQNrU1IOAqMgiDtUdtbe3nw==",
      "dependencies": [
        "@noble/curves@1.8.2",
        "@noble/hashes@1.7.2",
        "@scure/base@1.2.4"
      ]
    },
    "@scure/bip39@1.2.1": {
      "integrity": "sha512-Z3/Fsz1yr904dduJD0NpiyRHhRYHdcnyh73FZWiV+/qhWi83wNJ3NWolYqCEN+ZWsUz2TWwajJggcRE9r1zUYg==",
      "dependencies": [
        "@noble/hashes@1.3.2",
        "@scure/base@1.1.1"
      ]
    },
    "@scure/bip39@1.5.4": {
      "integrity": "sha512-TFM4ni0vKvCfBpohoh+/lY05i9gRbSwXWngAsF4CABQxoaOHijxuaZ2R6cStDQ5CHtHO9aGJTr4ksVJASRRyMA==",
      "dependencies": [
        "@noble/hashes@1.7.2",
        "@scure/base@1.2.4"
      ]
    },
    "@types/asn1@0.2.4": {
      "integrity": "sha512-V91DSJ2l0h0gRhVP4oBfBzRBN9lAbPUkGDMCnwedqPKX2d84aAMc9CulOvxdw1f7DfEYx99afab+Rsm3e52jhA==",
      "dependencies": [
        "@types/node"
      ]
    },
    "@types/node@18.16.19": {
      "integrity": "sha512-IXl7o+R9iti9eBW4Wg2hx1xQDig183jj7YLn8F7udNceyfkbn1ZxmzZXuak20gR40D7pIkIY1kYGx5VIGbaHKA=="
    },
    "@types/uuid@9.0.8": {
      "integrity": "sha512-jg+97EGIcY9AGHJJRaaPVgetKDsrTgbRjQ5Msgjh/DQKEFl0DtyRr/VCOyD1T2R1MNeWPK/u7JoGhlDZnKBAfA=="
    },
    "asn1@0.2.6": {
      "integrity": "sha512-ix/FxPn0MDjeyJ7i/yoHGFt/EX6LyNbxSEhPPXODPL+KB0VPk86UYfL0lMdy+KCnv+fmvIzySwaK5COwqVbWTQ==",
      "dependencies": [
        "safer-buffer"
      ]
    },
    "debug@4.3.5": {
      "integrity": "sha512-pt0bNEmneDIvdL1Xsd9oDQ/wrQRkXDT4AUWlNZNPKvW5x/jyO9VFXkJUP07vQ2upmw5PlaITaPKc31jK13V+jg==",
      "dependencies": [
        "ms"
      ]
    },
    "ldapts@7.0.12": {
      "integrity": "sha512-orwgIejUi/ZyGah9y8jWZmFUg8Ci5M8WAv0oZjSf3MVuk1sRBdor9Qy1ttGHbYpWj96HXKFunQ8AYZ8WWGp17g==",
      "dependencies": [
        "@types/asn1",
        "@types/uuid",
        "asn1",
        "debug",
        "strict-event-emitter-types",
        "uuid"
      ]
    },
    "lru-cache@10.4.3": {
      "integrity": "sha512-JNAzZcXrCt42VGLuYz0zfAzDfAvJWW6AfYlDBQyDV5DClI2m5sAmK+OIO7s59XfsRsWHp02jAJrRadPRGTt6SQ=="
    },
    "ms@2.1.2": {
      "integrity": "sha512-sGkPx+VjMtmA6MX27oA4FBFELFCZZ4S4XqeGOXCv68tT+jb3vk/RyaKWP0PTKyWtmLSM0b+adUTEvbs1PEaH2w=="
    },
    "nostr-tools@2.12.0": {
      "integrity": "sha512-pUWEb020gTvt1XZvTa8AKNIHWFapjsv2NKyk43Ez2nnvz6WSXsrTFE0XtkNLSRBjPn6EpxumKeNiVzLz74jNSA==",
      "dependencies": [
        "@noble/ciphers",
        "@noble/curves@1.2.0",
        "@noble/hashes@1.3.1",
        "@scure/base@1.1.1",
        "@scure/bip32@1.3.1",
        "@scure/bip39@1.2.1",
        "nostr-wasm"
      ]
    },
    "nostr-wasm@0.1.0": {
      "integrity": "sha512-78BTryCLcLYv96ONU8Ws3Q1JzjlAt+43pWQhIl86xZmWeegYCNLPml7yQ+gG3vR6V5h4XGj+TxO+SS5dsThQIA=="
    },
    "safer-buffer@2.1.2": {
      "integrity": "sha512-YZo3K82SD7Riyi0E1EQPojLz7kpepnSQI9IyPbHHg1XXXevb5dJI7tpyN2ADxGcQbHG7vcyRHk0cbwqcQriUtg=="
    },
    "strict-event-emitter-types@2.0.0": {
      "integrity": "sha512-Nk/brWYpD85WlOgzw5h173aci0Teyv8YdIAEtV+N88nDB0dLlazZyJMIsN6eo1/AR61l+p6CJTG1JIyFaoNEEA=="
    },
    "uuid@9.0.1": {
      "integrity": "sha512-b+1eJOlsR9K8HJpow9Ok3fiWOWSIcIzXodvv0rQjVoOVNpWMpxf1wZNpt4y9h10odCNrqnYp1OBzRktckBe3sA=="
    },
    "websocket-ts@2.2.1": {
      "integrity": "sha512-YKPDfxlK5qOheLZ2bTIiktZO1bpfGdNCPJmTEaPW7G9UXI1GKjDdeacOrsULUS000OPNxDVOyAuKLuIWPqWM0Q=="
    },
    "zod@3.24.2": {
      "integrity": "sha512-lY7CDW43ECgW9u1TcT3IoXHflywfVqDYze4waEz812jR/bZ8FHDsl7pFQoSZTz5N+2NqRXs8GBwnAwo3ZNxqhQ=="
    }
  },
  "remote": {
--- a/extras/strfry/ldap-policy.ts
+++ b/extras/strfry/ldap-policy.ts
@@ -1,8 +1,8 @@
-import type { IterablePubkeys, Policy } from 'https://gitlab.com/soapbox-pub/strfry-policies/-/raw/develop/mod.ts';
+import { NostrEvent, NostrRelayInfo, NostrRelayOK, NPolicy } from 'jsr:@nostrify/types@^0.35.0';
 import { nip57 } from 'jsr:@nostr/tools';
 import { Client } from 'npm:ldapts';
 import { nip57 } from '@nostr/tools';
-interface LdapConfig {
+export interface LdapConfig {
  url: string;
  bindDN: string;
  password: string;
@@ -10,68 +10,73 @@ interface LdapConfig {
  whitelistPubkeys?: IterablePubkeys;
 }
-const ldapPolicy: Policy<LdapConfig> = async (msg, opts) => {
+export class LdapPolicy implements NPolicy {
-  const client = new Client({ url: opts.url });
+  constructor(private opts: LdapConfig) {}
  const { kind, tags } = msg.event;
  let { pubkey } = msg.event;
  let out = { id: msg.event.id }
-  if (opts.whitelistPubkeys.includes(pubkey)) {
+  // deno-lint-ignore require-await
-    out['action'] = 'accept';
+  async call(event: NostrEvent): Promise<NostrRelayOK> {
-    out['msg'] = '';
+    const client = new Client({ url: this.opts.url });
-    return out;
+    const { id, kind, tags } = event;
-  }
+    let { pubkey } = event;
-  // Zap receipt
+    if (this.opts.whitelistPubkeys.includes(pubkey)) {
-  if (kind === 9735) {
+      return ['OK', id, true, ''];
    const descriptionTag = tags.find(([t, v]) => t === 'description' && v);
    const invalidZapRequestMsg = 'Zap receipts must contain a valid zap request from a relay member';
    if (typeof descriptionTag === 'undefined') {
      out['action'] = 'reject';
      out['msg'] = invalidZapRequestMsg;
      return out;
    }
-    const zapRequestJSON = descriptionTag[1];
+    // Zap receipt
-    const validationResult = nip57.validateZapRequest(zapRequestJSON);
+    if (kind === 9735) {
      const descriptionTag = tags.find(([t, v]) => t === 'description' && v);
      const invalidZapRequestMsg = 'Zap receipts must contain a valid zap request from a relay member';
-    // TODO
+      if (typeof descriptionTag === 'undefined') {
-    // The zap receipt event's pubkey MUST be the same as the recipient's lnurl provider's nostrPubkey (retrieved in step 1 of the protocol flow).
+        return ['OK', id, false, invalidZapRequestMsg];
-    // The invoiceAmount contained in the bolt11 tag of the zap receipt MUST equal the amount tag of the zap request (if present).
+      }
-    if (validationResult === null) {
+      const zapRequestJSON = descriptionTag[1];
-      pubkey = JSON.parse(zapRequestJSON).pubkey;
+      const validationResult = nip57.validateZapRequest(zapRequestJSON);
-    } else {
+
-      out['action'] = 'reject';
+      // TODO
-      out['msg'] = invalidZapRequestMsg;
+      // The zap receipt event's pubkey MUST be the same as the recipient's lnurl provider's nostrPubkey (retrieved in step 1 of the protocol flow).
-      return out;
+      // The invoiceAmount contained in the bolt11 tag of the zap receipt MUST equal the amount tag of the zap request (if present).
      if (validationResult === null) {
        pubkey = JSON.parse(zapRequestJSON).pubkey;
      } else {
        return ['OK', id, false, invalidZapRequestMsg];
      }
    }
    const out = { accept: true, msg: ''};
    try {
      await client.bind(this.opts.bindDN, this.opts.password);
      const { searchEntries } = await client.search(this.opts.searchDN, {
        filter: `(nostrKey=${pubkey})`,
        attributes: ['nostrKey']
      });
      const memberKey = searchEntries[0]?.nostrKey;
      if (memberKey === pubkey) {
        out['accept'] = true;
      } else {
        out['accept'] = false;
        out['msg'] = 'Only members can publish notes on this relay';
      }
    } catch (ex) {
      out['accept'] = false;
      out['msg'] = 'Auth service temporarily unavailable';
    } finally {
      await client.unbind();
      return ['OK', id, out['accept'], out['msg']];
    }
  }
-  try {
+  get info(): NostrRelayInfo {
-    await client.bind(opts.bindDN, opts.password);
+    return {
-
+      limitation: {
-    const { searchEntries } = await client.search(opts.searchDN, {
+        restricted_writes: true,
-      filter: `(nostrKey=${pubkey})`,
+      },
-      attributes: ['nostrKey']
+    };
    });
    const memberKey = searchEntries[0]?.nostrKey;
    if (memberKey === pubkey) {
      out['action'] = 'accept';
      out['msg'] = '';
    } else {
      out['action'] = 'reject';
      out['msg'] = 'Only members can publish notes on this relay';
    }
  } catch (ex) {
    out['action'] = 'reject';
    out['msg'] = 'Auth service temporarily unavailable';
  } finally {
    await client.unbind();
    return out;
  }
-};
+}
 export default ldapPolicy;
--- a/extras/strfry/strfry-policy.ts
+++ b/extras/strfry/strfry-policy.ts
@@ -1,20 +1,20 @@
 #!/bin/sh
-//bin/true; exec deno run -A "$0" "$@"
+//bin/true; exec deno run --unstable-kv -A "$0" "$@"
 import {
-  antiDuplicationPolicy,
+  AntiDuplicationPolicy,
-  hellthreadPolicy,
+  HellthreadPolicy,
-  pipeline,
+  PipePolicy,
  rateLimitPolicy,
  readStdin,
  writeStdout,
-} from 'https://gitlab.com/soapbox-pub/strfry-policies/-/raw/develop/mod.ts';
+} from 'jsr:@nostrify/policies';
-import ldapPolicy from './ldap-policy.ts';
+import { strfry } from 'jsr:@nostrify/strfry';
 import { LdapConfig, LdapPolicy } from './ldap-policy.ts';
 import { load } from "https://deno.land/std@0.224.0/dotenv/mod.ts";
 const dirname = new URL('.', import.meta.url).pathname;
 await load({ envPath: `${dirname}/.env`, export: true });
-const ldapConfig = {
+const ldapConfig: LdapConfig = {
  url: Deno.env.get("LDAP_URL"),
  bindDN: Deno.env.get("LDAP_BIND_DN"),
  password: Deno.env.get("LDAP_PASSWORD"),
@@ -22,13 +22,10 @@ const ldapConfig = {
  whitelistPubkeys: Deno.env.get("WHITELIST_PUBKEYS")?.split(',')
 }
-for await (const msg of readStdin()) {
+const policy = new PipePolicy([
-  const result = await pipeline(msg, [
+  new HellthreadPolicy({ limit: 10 }),
-    [hellthreadPolicy, { limit: 10 }],
+  new AntiDuplicationPolicy({ kv: await Deno.openKv(), expireIn: 60000, minLength: 50 }),
-    [antiDuplicationPolicy, { ttl: 60000, minLength: 50 }],
+  new LdapPolicy(ldapConfig)
-    [rateLimitPolicy, { whitelist: ['127.0.0.1'] }],
+]);
    [ldapPolicy, ldapConfig],
  ]);
-  writeStdout(result);
+await strfry(policy);
 }
--- a/lib/tasks/ctags.rake
+++ b/lib/tasks/ctags.rake
@@ -0,0 +1,29 @@
 module Kosmos
  class Ctags
    def self.generate_app_tags
      excludes = %w[.git gitno log tmp public].join(" --exclude ")
      cmd = "ctags -R --languages=ruby --exclude #{excludes} ."
      system cmd
    end
    def self.generate_bundler_tags
      runtime = ::Bundler::Runtime.new Dir.pwd, ::Bundler.definition
      paths = runtime.specs.map(&:full_gem_path)
      generate_tags(paths, "gems.tags")
    end
    def self.generate_tags(paths, tag_file)
      paths = paths.join(' ').strip
      cmd = "find #{paths} -ignore_readdir_race -type f -name '*.rb' 2>/dev/null | ctags -f #{tag_file} -L -"
      system cmd
    end
  end
 end
 namespace :ctags do
  desc 'generate ctags'
  task :create do
    Kosmos::Ctags.generate_app_tags
    Kosmos::Ctags.generate_bundler_tags
  end
 end
--- a/lib/tasks/ldap.rake
+++ b/lib/tasks/ldap.rake
@@ -21,7 +21,7 @@ namespace :ldap do
  desc "Add custom attributes to schema"
  task add_custom_attributes: :environment do |t, args|
-    %w[ admin service_enabled nostr_key ].each do |name|
+    %w[ admin service_enabled nostr_key pgp_key ].each do |name|
      Rake::Task["ldap:modify_ldap_schema"].invoke(name, "add")
      Rake::Task['ldap:modify_ldap_schema'].reenable
    end
@@ -29,7 +29,7 @@ namespace :ldap do
  desc "Delete custom attributes from schema"
  task delete_custom_attributes: :environment do |t, args|
-    %w[ admin service_enabled nostr_key ].each do |name|
+    %w[ admin service_enabled nostr_key pgp_key ].each do |name|
      Rake::Task["ldap:modify_ldap_schema"].invoke(name, "delete")
      Rake::Task['ldap:modify_ldap_schema'].reenable
    end
--- a/public/400.html
+++ b/public/400.html
@@ -0,0 +1,114 @@
 <!doctype html>
 <html lang="en">
  <head>
    <title>The server cannot process the request due to a client error (400 Bad Request)</title>
    <meta charset="utf-8">
    <meta name="viewport" content="initial-scale=1, width=device-width">
    <meta name="robots" content="noindex, nofollow">
    <style>
      *, *::before, *::after {
        box-sizing: border-box;
      }
      * {
        margin: 0;
      }
      html {
        font-size: 16px;
      }
      body {
        background: #FFF;
        color: #261B23;
        display: grid;
        font-family: ui-sans-serif, system-ui, -apple-system, BlinkMacSystemFont, Aptos, Roboto, "Segoe UI", "Helvetica Neue", Helvetica, Arial, sans-serif, "Apple Color Emoji", "Segoe UI Emoji", "Segoe UI Symbol", "Noto Color Emoji";
        font-size: clamp(1rem, 2.5vw, 2rem);
        -webkit-font-smoothing: antialiased;
        font-style: normal;
        font-weight: 400;
        letter-spacing: -0.0025em;
        line-height: 1.4;
        min-height: 100vh;
        place-items: center;
        text-rendering: optimizeLegibility;
        -webkit-text-size-adjust: 100%;
      }
      a {
        color: inherit;
        font-weight: 700;
        text-decoration: underline;
        text-underline-offset: 0.0925em;
      }
      b, strong {
        font-weight: 700;
      }
      i, em {
        font-style: italic;
      }
      main {
        display: grid;
        gap: 1em;
        padding: 2em;
        place-items: center;
        text-align: center;
      }
      main header {
        width: min(100%, 12em);
      }
      main header svg {
        height: auto;
        max-width: 100%;
        width: 100%;
      }
      main article {
        width: min(100%, 30em);
      }
      main article p {
        font-size: 75%;
      }
      main article br {
        display: none;
        @media(min-width: 48em) {
          display: inline;
        }
      }
    </style>
  </head>
  <body>
    <!-- This file lives in public/400.html -->
    <main>
      <header>
        <svg height="172" viewBox="0 0 480 172" width="480" xmlns="http://www.w3.org/2000/svg"><path d="m124.48 3.00509-45.6889 100.02991h26.2239v-28.1168h38.119v28.1168h21.628v35.145h-21.628v30.82h-37.308v-30.82h-72.1833v-31.901l50.2851-103.27391zm115.583 168.69891c-40.822 0-64.884-35.146-64.884-85.7015 0-50.5554 24.062-85.700907 64.884-85.700907 40.823 0 64.884 35.145507 64.884 85.700907 0 50.5555-24.061 85.7015-64.884 85.7015zm0-133.2831c-17.572 0-22.709 21.8984-22.709 47.5816 0 25.6835 5.137 47.5815 22.709 47.5815 17.303 0 22.71-21.898 22.71-47.5815 0-25.6832-5.407-47.5816-22.71-47.5816zm140.456 133.2831c-40.823 0-64.884-35.146-64.884-85.7015 0-50.5554 24.061-85.700907 64.884-85.700907 40.822 0 64.884 35.145507 64.884 85.700907 0 50.5555-24.062 85.7015-64.884 85.7015zm0-133.2831c-17.573 0-22.71 21.8984-22.71 47.5816 0 25.6835 5.137 47.5815 22.71 47.5815 17.302 0 22.709-21.898 22.709-47.5815 0-25.6832-5.407-47.5816-22.709-47.5816z" fill="#f0eff0"/><path d="m123.606 85.4445c3.212 1.0523 5.538 4.2089 5.538 8.0301 0 6.1472-4.209 9.5254-11.298 9.5254h-15.617v-34.0033h14.565c7.089 0 11.353 3.1566 11.353 9.2484 0 3.6551-2.049 6.3134-4.541 7.1994zm-12.904-2.9905h5.095c2.603 0 3.988-.9968 3.988-3.1013 0-2.1044-1.385-3.0459-3.988-3.0459h-5.095zm0 6.6456v6.5902h5.981c2.492 0 3.877-1.3291 3.877-3.2674 0-2.049-1.385-3.3228-3.877-3.3228zm43.786 13.9004h-8.362v-1.274c-.831.831-3.323 1.717-5.981 1.717-4.929 0-9.083-2.769-9.083-8.0301 0-4.818 4.154-7.9193 9.581-7.9193 2.049 0 4.486.6646 5.483 1.3845v-1.606c0-1.606-.942-2.9905-3.046-2.9905-1.606 0-2.548.7199-2.935 1.8275h-8.197c.72-4.8181 4.985-8.6393 11.409-8.6393 7.088 0 11.131 3.7659 11.131 10.2453zm-8.362-6.9779v-1.4399c-.554-1.0522-2.049-1.7167-3.655-1.7167-1.717 0-3.434.7199-3.434 2.3813 0 1.7168 1.717 2.4367 3.434 2.4367 1.606 0 3.101-.6645 3.655-1.6614zm27.996 6.9779v-1.994c-1.163 1.329-3.599 2.548-6.147 2.548-7.199 0-11.131-5.8151-11.131-13.0145s3.932-13.0143 11.131-13.0143c2.548 0 4.984 1.2184 6.147 2.5475v-13.0697h8.695v35.997zm0-9.1931v-6.5902c-.664-1.3291-2.159-2.326-3.821-2.326-2.99 0-4.763 2.4368-4.763 5.6488s1.773 5.5934 4.763 5.5934c1.717 0 3.157-.9415 3.821-2.326zm35.471-2.049h-3.101v11.2421h-8.806v-34.0033h15.285c7.31 0 12.35 4.1535 12.35 11.5744 0 5.1503-2.603 8.6947-6.757 10.2453l7.975 12.1836h-9.858zm-3.101-15.2849v8.1962h5.538c3.156 0 4.596-1.606 4.596-4.0981s-1.44-4.0981-4.596-4.0981zm36.957 17.8323h8.03c-.886 5.7597-5.206 9.2487-11.685 9.2487-7.643 0-12.682-5.2613-12.682-13.0145 0-7.6978 5.316-13.0143 12.515-13.0143 7.643 0 11.962 5.095 11.962 12.5159v2.1598h-16.115c.277 2.9905 1.827 4.5965 4.32 4.5965 1.772 0 3.156-.7753 3.655-2.4921zm-3.822-10.0237c-2.049 0-3.433 1.2737-3.987 3.5997h7.532c-.111-2.0491-1.385-3.5997-3.545-3.5997zm30.98 27.5234v-10.799c-1.163 1.329-3.6 2.548-6.147 2.548-7.2 0-11.132-5.9259-11.132-13.0145 0-7.144 3.932-13.0143 11.132-13.0143 2.547 0 4.984 1.2184 6.147 2.5475v-1.9937h8.695v33.726zm0-17.9981v-6.5902c-.665-1.3291-2.105-2.326-3.821-2.326-2.991 0-4.763 2.4368-4.763 5.6488s1.772 5.5934 4.763 5.5934c1.661 0 3.156-.9415 3.821-2.326zm36.789-15.7279v24.921h-8.695v-2.16c-1.329 1.551-3.821 2.714-6.646 2.714-5.482 0-8.75-3.5999-8.75-9.1379v-16.3371h8.64v14.288c0 2.1045.996 3.5997 3.212 3.5997 1.606 0 3.101-1.0522 3.544-2.769v-15.1187zm19.084 16.2263h8.03c-.886 5.7597-5.206 9.2487-11.685 9.2487-7.643 0-12.682-5.2613-12.682-13.0145 0-7.6978 5.316-13.0143 12.515-13.0143 7.643 0 11.963 5.095 11.963 12.5159v2.1598h-16.116c.277 2.9905 1.828 4.5965 4.32 4.5965 1.772 0 3.156-.7753 3.655-2.4921zm-3.822-10.0237c-2.049 0-3.433 1.2737-3.987 3.5997h7.532c-.111-2.0491-1.385-3.5997-3.545-3.5997zm13.428 11.0206h8.474c.387 1.3845 1.606 2.1598 3.156 2.1598 1.44 0 2.548-.5538 2.548-1.7168 0-.9414-.72-1.2737-1.939-1.5506l-4.873-.9969c-4.154-.886-6.867-2.8797-6.867-7.2547 0-5.3165 4.762-8.4178 10.633-8.4178 6.812 0 10.522 3.1567 11.297 8.0855h-8.03c-.277-1.0522-1.052-1.9937-3.046-1.9937-1.273 0-2.326.5538-2.326 1.6614 0 .7753.554 1.163 1.717 1.3845l4.929 1.163c4.541 1.0522 6.978 3.4335 6.978 7.4763 0 5.3168-4.818 8.2518-10.91 8.2518-6.369 0-10.965-2.88-11.741-8.2518zm27.538-.8861v-9.5807h-3.655v-6.7564h3.655v-6.8671h8.584v6.8671h5.205v6.7564h-5.205v8.307c0 1.9383.941 2.769 2.658 2.769.941 0 1.993-.2216 2.769-.5538v7.3654c-.997.443-2.88.775-4.818.775-5.871 0-9.193-2.769-9.193-9.0819z" fill="#d30001"/></svg>
      </header>
      <article>
        <p><strong>The server cannot process the request due to a client error.</strong> Please check the request and try again. If you’re the application owner check the logs for more information.</p>
      </article>
    </main>
  </body>
 </html>
--- a/public/404.html
+++ b/public/404.html
@@ -1,67 +1,114 @@
-<!DOCTYPE html>
+<!doctype html>
 <html>
 <head>
  <title>The page you were looking for doesn't exist (404)</title>
  <meta name="viewport" content="width=device-width,initial-scale=1">
  <style>
  .rails-default-error-page {
    background-color: #EFEFEF;
    color: #2E2F30;
    text-align: center;
    font-family: arial, sans-serif;
    margin: 0;
  }
-  .rails-default-error-page div.dialog {
+<html lang="en">
    width: 95%;
    max-width: 33em;
    margin: 4em auto 0;
  }
-  .rails-default-error-page div.dialog > div {
+  <head>
    border: 1px solid #CCC;
    border-right-color: #999;
    border-left-color: #999;
    border-bottom-color: #BBB;
    border-top: #B00100 solid 4px;
    border-top-left-radius: 9px;
    border-top-right-radius: 9px;
    background-color: white;
    padding: 7px 12% 0;
    box-shadow: 0 3px 8px rgba(50, 50, 50, 0.17);
  }
-  .rails-default-error-page h1 {
+    <title>The page you were looking for doesn’t exist (404 Not found)</title>
    font-size: 100%;
    color: #730E15;
    line-height: 1.5em;
  }
-  .rails-default-error-page div.dialog > p {
+    <meta charset="utf-8">
-    margin: 0 0 1em;
+    <meta name="viewport" content="initial-scale=1, width=device-width">
-    padding: 1em;
+    <meta name="robots" content="noindex, nofollow">
-    background-color: #F7F7F7;
+
-    border: 1px solid #CCC;
+    <style>
-    border-right-color: #999;
+
-    border-left-color: #999;
+      *, *::before, *::after {
-    border-bottom-color: #999;
+        box-sizing: border-box;
-    border-bottom-left-radius: 4px;
+      }
-    border-bottom-right-radius: 4px;
+
-    border-top-color: #DADADA;
+      * {
-    color: #666;
+        margin: 0;
-    box-shadow: 0 3px 8px rgba(50, 50, 50, 0.17);
+      }
-  }
+
-  </style>
+      html {
-</head>
+        font-size: 16px;
      }
      body {
        background: #FFF;
        color: #261B23;
        display: grid;
        font-family: ui-sans-serif, system-ui, -apple-system, BlinkMacSystemFont, Aptos, Roboto, "Segoe UI", "Helvetica Neue", Helvetica, Arial, sans-serif, "Apple Color Emoji", "Segoe UI Emoji", "Segoe UI Symbol", "Noto Color Emoji";
        font-size: clamp(1rem, 2.5vw, 2rem);
        -webkit-font-smoothing: antialiased;
        font-style: normal;
        font-weight: 400;
        letter-spacing: -0.0025em;
        line-height: 1.4;
        min-height: 100vh;
        place-items: center;
        text-rendering: optimizeLegibility;
        -webkit-text-size-adjust: 100%;
      }
      a {
        color: inherit;
        font-weight: 700;
        text-decoration: underline;
        text-underline-offset: 0.0925em;
      }
      b, strong {
        font-weight: 700;
      }
      i, em {
        font-style: italic;
      }
      main {
        display: grid;
        gap: 1em;
        padding: 2em;
        place-items: center;
        text-align: center;
      }
      main header {
        width: min(100%, 12em);
      }
      main header svg {
        height: auto;
        max-width: 100%;
        width: 100%;
      }
      main article {
        width: min(100%, 30em);
      }
      main article p {
        font-size: 75%;
      }
      main article br {
        display: none;
        @media(min-width: 48em) {
          display: inline;
        }
      }
    </style>
  </head>
  <body>
    <!-- This file lives in public/404.html -->
    <main>
      <header>
        <svg height="172" viewBox="0 0 480 172" width="480" xmlns="http://www.w3.org/2000/svg"><path d="m124.48 3.00509-45.6889 100.02991h26.2239v-28.1168h38.119v28.1168h21.628v35.145h-21.628v30.82h-37.308v-30.82h-72.1833v-31.901l50.2851-103.27391zm115.583 168.69891c-40.822 0-64.884-35.146-64.884-85.7015 0-50.5554 24.062-85.700907 64.884-85.700907 40.823 0 64.884 35.145507 64.884 85.700907 0 50.5555-24.061 85.7015-64.884 85.7015zm0-133.2831c-17.572 0-22.709 21.8984-22.709 47.5816 0 25.6835 5.137 47.5815 22.709 47.5815 17.303 0 22.71-21.898 22.71-47.5815 0-25.6832-5.407-47.5816-22.71-47.5816zm165.328-35.41581-45.689 100.02991h26.224v-28.1168h38.119v28.1168h21.628v35.145h-21.628v30.82h-37.308v-30.82h-72.184v-31.901l50.285-103.27391z" fill="#f0eff0"/><path d="m157.758 68.9967v34.0033h-7.199l-14.233-19.8814v19.8814h-8.584v-34.0033h8.307l13.125 18.7184v-18.7184zm28.454 21.5428c0 7.6978-5.15 13.0145-12.737 13.0145-7.532 0-12.738-5.3167-12.738-13.0145s5.206-13.0143 12.738-13.0143c7.587 0 12.737 5.3165 12.737 13.0143zm-8.528 0c0-3.4336-1.496-5.8703-4.209-5.8703-2.659 0-4.154 2.4367-4.154 5.8703s1.495 5.8149 4.154 5.8149c2.713 0 4.209-2.3813 4.209-5.8149zm13.184 3.8766v-9.5807h-3.655v-6.7564h3.655v-6.8671h8.584v6.8671h5.205v6.7564h-5.205v8.307c0 1.9383.941 2.769 2.658 2.769.941 0 1.994-.2216 2.769-.5538v7.3654c-.997.443-2.88.775-4.818.775-5.87 0-9.193-2.769-9.193-9.0819zm37.027 8.5839h-8.806v-34.0033h23.924v7.6978h-15.118v6.7564h13.9v7.5316h-13.9zm41.876-12.4605c0 7.6978-5.15 13.0145-12.737 13.0145-7.532 0-12.738-5.3167-12.738-13.0145s5.206-13.0143 12.738-13.0143c7.587 0 12.737 5.3165 12.737 13.0143zm-8.529 0c0-3.4336-1.495-5.8703-4.208-5.8703-2.659 0-4.154 2.4367-4.154 5.8703s1.495 5.8149 4.154 5.8149c2.713 0 4.208-2.3813 4.208-5.8149zm35.337-12.4605v24.921h-8.695v-2.16c-1.329 1.551-3.821 2.714-6.646 2.714-5.482 0-8.75-3.5999-8.75-9.1379v-16.3371h8.64v14.288c0 2.1045.997 3.5997 3.212 3.5997 1.606 0 3.101-1.0522 3.544-2.769v-15.1187zm4.076 24.921v-24.921h8.694v2.1598c1.385-1.5506 3.822-2.7136 6.701-2.7136 5.538 0 8.806 3.5997 8.806 9.1377v16.3371h-8.639v-14.2327c0-2.049-1.053-3.5443-3.268-3.5443-1.717 0-3.156.9969-3.6 2.7136v15.0634zm44.113 0v-1.994c-1.163 1.329-3.6 2.548-6.147 2.548-7.2 0-11.132-5.8151-11.132-13.0145s3.932-13.0143 11.132-13.0143c2.547 0 4.984 1.2184 6.147 2.5475v-13.0697h8.695v35.997zm0-9.1931v-6.5902c-.665-1.3291-2.16-2.326-3.821-2.326-2.991 0-4.763 2.4368-4.763 5.6488s1.772 5.5934 4.763 5.5934c1.717 0 3.156-.9415 3.821-2.326z" fill="#d30001"/></svg>
      </header>
      <article>
        <p><strong>The page you were looking for doesn’t exist.</strong> You may have mistyped the address or the page may have moved. If you’re the application owner check the logs for more information.</p>
      </article>
    </main>
  </body>
 <body class="rails-default-error-page">
  <!-- This file lives in public/404.html -->
  <div class="dialog">
    <div>
      <h1>The page you were looking for doesn't exist.</h1>
      <p>You may have mistyped the address or the page may have moved.</p>
    </div>
    <p>If you are the application owner check the logs for more information.</p>
  </div>
 </body>
 </html>
--- a/public/422.html
+++ b/public/422.html
--- a/public/500.html
+++ b/public/500.html
--- a/schemas/ldap/nostr_key.ldif
+++ b/schemas/ldap/nostr_key.ldif
@@ -5,5 +5,5 @@ attributeTypes: ( 1.3.6.1.4.1.61554.1.1.2.1.21
  NAME 'nostrKey'
  DESC 'Nostr public key'
  EQUALITY caseIgnoreMatch
-  SYNTAX 1.3.6.1.4.1.1466.115.121.1.15
+  SYNTAX 1.3.6.1.4.1.1466.115.121.1.26
  SINGLE-VALUE )
--- a/schemas/ldap/pgp_key.ldif
+++ b/schemas/ldap/pgp_key.ldif
@@ -0,0 +1,8 @@
 dn: cn=schema
 changetype: modify
 add: attributeTypes
 attributeTypes: ( 1.3.6.1.4.1.3401.8.2.11
  NAME 'pgpKey'
  DESC 'OpenPGP public key block'
  SYNTAX 1.3.6.1.4.1.1466.115.121.1.26
  SINGLE-VALUE )
--- a/spec/controllers/rs/oauth_controller_spec.rb
+++ b/spec/controllers/rs/oauth_controller_spec.rb
@@ -5,6 +5,7 @@ RSpec.describe Rs::OauthController, type: :controller do
  before do
    allow_any_instance_of(AppCatalog::WebApp).to receive(:update_metadata).and_return(true)
    allow_any_instance_of(RemoteStorageAuthorization).to receive(:remove_token_expiry_job).and_return(nil)
  end
  describe "GET /rs/oauth/:username" do
--- a/spec/controllers/services/rs_auths_controller_spec.rb
+++ b/spec/controllers/services/rs_auths_controller_spec.rb
@@ -5,6 +5,7 @@ RSpec.describe Services::RsAuthsController, type: :controller do
  before do
    allow_any_instance_of(AppCatalog::WebApp).to receive(:update_metadata).and_return(true)
    allow_any_instance_of(RemoteStorageAuthorization).to receive(:remove_token_expiry_job).and_return(nil)
    allow_any_instance_of(Flipper).to receive(:enabled?).and_return(true)
  end
--- a/spec/factories/devise.rb
+++ b/spec/factories/devise.rb
--- a/spec/features/settings/account_spec.rb
+++ b/spec/features/settings/account_spec.rb
@@ -14,6 +14,7 @@ RSpec.describe 'Account settings', type: :feature do
        .with("invalid password").and_return(false)
      allow_any_instance_of(User).to receive(:valid_ldap_authentication?)
        .with("valid password").and_return(true)
      allow_any_instance_of(User).to receive(:pgp_pubkey).and_return(nil)
    end
    scenario 'fails with invalid password' do
@@ -55,4 +56,44 @@ RSpec.describe 'Account settings', type: :feature do
      end
    end
  end
  feature "Update OpenPGP key" do
    let(:invalid_key) { File.read("#{Rails.root}/spec/fixtures/files/pgp_key_invalid.asc") }
    let(:valid_key_alice) { File.read("#{Rails.root}/spec/fixtures/files/pgp_key_valid_alice.asc") }
    let(:fingerprint_alice) { "EB85BB5FA33A75E15E944E63F231550C4F47E38E" }
    before do
      login_as user, :scope => :user
      allow_any_instance_of(User).to receive(:ldap_entry).and_return({
        uid: user.cn, ou: user.ou, display_name: nil, pgp_key: nil
      })
    end
    scenario 'rejects an invalid key' do
      expect(UserManager::UpdatePgpKey).not_to receive(:call)
      visit setting_path(:account)
      fill_in 'Public key', with: invalid_key
      click_button "Save"
      expect(current_url).to eq(setting_url(:account))
      within ".error-msg" do
        expect(page).to have_content("This is not a valid armored PGP public key block")
      end
    end
    scenario 'stores a valid key' do
      expect(UserManager::UpdatePgpKey).to receive(:call)
        .with(user: user).and_return(true)
      visit setting_path(:account)
      fill_in 'Public key', with: valid_key_alice
      click_button "Save"
      expect(current_url).to eq(setting_url(:account))
      within ".flash-msg" do
        expect(page).to have_content("Settings saved")
      end
    end
  end
 end
--- a/spec/features/settings/profile_spec.rb
+++ b/spec/features/settings/profile_spec.rb
@@ -9,7 +9,7 @@ RSpec.describe 'Profile settings', type: :feature do
    allow(user).to receive(:display_name).and_return("Mark")
    allow_any_instance_of(User).to receive(:dn).and_return("cn=mwahlberg,ou=kosmos.org,cn=users,dc=kosmos,dc=org")
    allow_any_instance_of(User).to receive(:ldap_entry).and_return({
-      uid: user.cn, ou: user.ou, display_name: "Mark"
+      uid: user.cn, ou: user.ou, display_name: "Mark", pgp_key: nil
    })
    allow_any_instance_of(User).to receive(:avatar).and_return(avatar_base64)
--- a/spec/features/signup_spec.rb
+++ b/spec/features/signup_spec.rb
@@ -52,7 +52,7 @@ RSpec.describe "Signup", type: :feature do
      click_button "Continue"
      expect(page).to have_content("Choose a password")
-      expect(CreateAccount).to receive(:call)
+      expect(UserManager::CreateAccount).to receive(:call)
        .with(account: {
          username: "tony", domain: "kosmos.org",
          email: "tony@example.com", password: "a-valid-password",
@@ -96,7 +96,7 @@ RSpec.describe "Signup", type: :feature do
      click_button "Create account"
      expect(page).to have_content("Password is too short")
-      expect(CreateAccount).to receive(:call)
+      expect(UserManager::CreateAccount).to receive(:call)
        .with(account: {
          username: "tony", domain: "kosmos.org",
          email: "tony@example.com", password: "a-valid-password",
--- a/spec/fixtures/files/pgp_key_invalid.asc
+++ b/spec/fixtures/files/pgp_key_invalid.asc
@@ -0,0 +1,11 @@
 -----BEGIN PGP PUBLIC KEY BLOCK-----
 b7O1u120JkFsaWNlIExvdmVsYWNlIDxhbGljZUBvcGVucGdwLmV4YW1wbGU+iJAE
 ExYIADgCGwMFCwkIBwIGFQoJCAsCBBYCAwECHgECF4AWIQTrhbtfozp14V6UTmPy
 MVUMT0fjjgUCXaWfOgAKCRDyMVUMT0fjjukrAPoDnHBSogOmsHOsd9qGsiZpgRnO
 dypvbm+QtXZqth9rvwD9HcDC0tC+PHAsO7OTh1S1TC9RiJsvawAfCPaQZoed8gK4
 OARcRwTpEgorBgEEAZdVAQUBAQdAQv8GIa2rSTzgqbXCpDDYMiKRVitCsy203x3s
 E9+eviIDAQgHiHgEGBYIACAWIQTrhbtfozp14V6UTmPyMVUMT0fjjgUCXEcE6QIb
 DAAKCRDyMVUMT0fjjlnQAQDFHUs6TIcxrNTtEZFjUFm1M0PJ1Dng/cDW4xN80fsn
 0QEA22Kr7VkCjeAEC08VSTeV+QFsmz55/lntWkwYWhmvOgE=
 =iIGO
 -----END PGP PUBLIC KEY BLOCK-----
--- a/spec/fixtures/files/pgp_key_valid_alice.asc
+++ b/spec/fixtures/files/pgp_key_valid_alice.asc
@@ -0,0 +1,16 @@
 -----BEGIN PGP PUBLIC KEY BLOCK-----
 Comment: Alice's OpenPGP certificate
 Comment: https://www.ietf.org/id/draft-bre-openpgp-samples-01.html
 mDMEXEcE6RYJKwYBBAHaRw8BAQdArjWwk3FAqyiFbFBKT4TzXcVBqPTB3gmzlC/U
 b7O1u120JkFsaWNlIExvdmVsYWNlIDxhbGljZUBvcGVucGdwLmV4YW1wbGU+iJAE
 ExYIADgCGwMFCwkIBwIGFQoJCAsCBBYCAwECHgECF4AWIQTrhbtfozp14V6UTmPy
 MVUMT0fjjgUCXaWfOgAKCRDyMVUMT0fjjukrAPoDnHBSogOmsHOsd9qGsiZpgRnO
 dypvbm+QtXZqth9rvwD9HcDC0tC+PHAsO7OTh1S1TC9RiJsvawAfCPaQZoed8gK4
 OARcRwTpEgorBgEEAZdVAQUBAQdAQv8GIa2rSTzgqbXCpDDYMiKRVitCsy203x3s
 E9+eviIDAQgHiHgEGBYIACAWIQTrhbtfozp14V6UTmPyMVUMT0fjjgUCXEcE6QIb
 DAAKCRDyMVUMT0fjjlnQAQDFHUs6TIcxrNTtEZFjUFm1M0PJ1Dng/cDW4xN80fsn
 0QEA22Kr7VkCjeAEC08VSTeV+QFsmz55/lntWkwYWhmvOgE=
 =iIGO
 -----END PGP PUBLIC KEY BLOCK-----
--- a/spec/fixtures/files/pgp_key_valid_jimmy.asc
+++ b/spec/fixtures/files/pgp_key_valid_jimmy.asc
@@ -0,0 +1,13 @@
 -----BEGIN PGP PUBLIC KEY BLOCK-----
 mDMEZvFjRhYJKwYBBAHaRw8BAQdACUxVX9bGlbuNR0MNYUyHHxTcOgm4qjwq8Bjg
 7P41OFK0GEppbW15IDxqaW1teUBrb3Ntb3Mub3JnPoiZBBMWCgBBFiEEMWv1FiNt
 r3cjaxX2BX2Tly+4YsMFAmbxY0YCGwMFCQWjmoAFCwkIBwICIgIGFQoJCAsCBBYC
 AwECHgcCF4AACgkQBX2Tly+4YsMjHgEAoOOLrv9pWbi8hhrSMkqJ7FJvsBTQF//U
 aJUQRa8CTgoBAI3kyGKZ8gOC8UOOKsUC0LiNCVXPyX45h8T4QFRdEVYKuDgEZvFj
 RhIKKwYBBAGXVQEFAQEHQIomqcQ59UjtQex54pz8qGqyxCj2DPJYUat9pXinDgN8
 AwEIB4h+BBgWCgAmFiEEMWv1FiNtr3cjaxX2BX2Tly+4YsMFAmbxY0YCGwwFCQWj
 moAACgkQBX2Tly+4YsPoVgEA/9Q5Gs1klP4u/nw343V57e9s4RKmEiRSkErnC9wW
 Iu0A/jp6Elz2pDQPB2XLwcb+n7JlgA05HI0zWj1+EoM7TC4J
 =KQbn
 -----END PGP PUBLIC KEY BLOCK-----
--- a/spec/fixtures/files/pgp_key_valid_jimmy.pem
+++ b/spec/fixtures/files/pgp_key_valid_jimmy.pem
--- a/spec/jobs/remote_storage_expire_authorization_job_spec.rb
+++ b/spec/jobs/remote_storage_expire_authorization_job_spec.rb
@@ -5,6 +5,9 @@ RSpec.describe RemoteStorageExpireAuthorizationJob, type: :job do
    allow_any_instance_of(AppCatalog::WebApp).to(
      receive(:update_metadata).and_return(true)
    )
    allow_any_instance_of(RemoteStorageAuthorization).to(
      receive(:remove_token_expiry_job).and_return(nil)
    )
    @user = create :user, cn: "ronald", ou: "kosmos.org"
    @rs_authorization = create :remote_storage_authorization,
--- a/spec/mailers/notification_mailer_spec.rb
+++ b/spec/mailers/notification_mailer_spec.rb
@@ -0,0 +1,87 @@
 # spec/mailers/welcome_mailer_spec.rb
 require 'rails_helper'
 RSpec.describe NotificationMailer, type: :mailer do
  describe '#lightning_sats_received' do
    context "without PGP key" do
      let(:user) { create(:user, cn: "phil", email: 'phil@example.com') }
      before do
        allow_any_instance_of(User).to receive(:ldap_entry).and_return({
          uid: user.cn, ou: user.ou, display_name: nil, pgp_key: nil
        })
      end
      describe "unencrypted email" do
        let(:mail) { described_class.with(user: user, amount_sats: 21000).lightning_sats_received }
        it 'renders the correct to/from headers' do
          expect(mail.to).to eq([user.email])
          expect(mail.from).to eq(['accounts@kosmos.org'])
        end
        it 'renders the correct subject' do
          expect(mail.subject).to eq('Sats received')
        end
        it 'uses the correct content type' do
          expect(mail.header['content-type'].to_s).to include('text/plain')
        end
        it 'renders the body with correct content' do
          expect(mail.body.encoded).to match(/You just received 21,000 sats/)
          expect(mail.body.encoded).to include(user.address)
        end
        it 'includes a link to the lightning service page' do
          expect(mail.body.encoded).to include("https://accounts.kosmos.org/services/lightning")
        end
      end
    end
    context "with PGP key" do
      let(:pgp_pubkey) { File.read("#{Rails.root}/spec/fixtures/files/pgp_key_valid_alice.asc") }
      let(:pgp_fingerprint) { "EB85BB5FA33A75E15E944E63F231550C4F47E38E" }
      let(:user) { create(:user, id: 2, cn: "alice", email: 'alice@example.com', pgp_fpr: pgp_fingerprint) }
      before do
        allow_any_instance_of(User).to receive(:ldap_entry).and_return({
          uid: user.cn, ou: user.ou, display_name: nil, pgp_key: pgp_pubkey
        })
      end
      describe "encrypted email" do
        let(:mail) { described_class.with(user: user, amount_sats: 21000).lightning_sats_received }
        it 'renders the correct to/from headers' do
          expect(mail.to).to eq([user.email])
          expect(mail.from).to eq(['accounts@kosmos.org'])
        end
        it 'encrypts the subject line' do
          expect(mail.subject).to eq('...')
        end
        it 'uses the correct content type' do
          expect(mail.header['content-type'].to_s).to include('multipart/encrypted')
          expect(mail.header['content-type'].to_s).to include('protocol="application/pgp-encrypted"')
        end
        it 'renders the PGP version part' do
          expect(mail.body.encoded).to include("Content-Type: application/pgp-encrypted")
          expect(mail.body.encoded).to include("Content-Description: PGP/MIME version identification")
          expect(mail.body.encoded).to include("Version: 1")
        end
        it 'renders the encrypted PGP part' do
          expect(mail.body.encoded).to include('Content-Type: application/octet-stream; name="encrypted.asc"')
          expect(mail.body.encoded).to include('Content-Description: OpenPGP encrypted message')
          expect(mail.body.encoded).to include('Content-Disposition: inline; filename="encrypted.asc"')
          expect(mail.body.encoded).to include('-----BEGIN PGP MESSAGE-----')
          expect(mail.body.encoded).to include('hF4DR')
        end
      end
    end
  end
 end
--- a/spec/models/remote_storage_authorization_spec.rb
+++ b/spec/models/remote_storage_authorization_spec.rb
@@ -7,6 +7,7 @@ RSpec.describe RemoteStorageAuthorization, type: :model do
  before do
    allow_any_instance_of(AppCatalog::WebApp).to receive(:update_metadata).and_return(true)
    allow_any_instance_of(RemoteStorageAuthorization).to receive(:remove_token_expiry_job).and_return(nil)
  end
  describe "#create" do
--- a/spec/models/user_spec.rb
+++ b/spec/models/user_spec.rb
@@ -1,20 +1,16 @@
 require 'rails_helper'
 RSpec.describe User, type: :model do
-  let(:user) { create :user, cn: "philipp" }
+  let(:user) { create :user, cn: "philipp", ou: "kosmos.org", email: "philipp@example.com" }
  let(:dn) { "cn=philipp,ou=kosmos.org,cn=users,dc=kosmos,dc=org" }
  describe "#address" do
    let(:user) { build :user, cn: "jimmy", ou: "kosmos.org" }
    it "returns the user address" do
-      expect(user.address).to eq("jimmy@kosmos.org")
+      expect(user.address).to eq("philipp@kosmos.org")
    end
  end
  describe "#mastodon_address" do
    let(:user) { build :user, cn: "jimmy", ou: "kosmos.org" }
    context "Mastodon service not configured" do
      before do
        Setting.mastodon_enabled = false
@@ -32,7 +28,7 @@ RSpec.describe User, type: :model do
      describe "domain is the same as primary domain" do
        it "returns the user address" do
-          expect(user.mastodon_address).to eq("jimmy@kosmos.org")
+          expect(user.mastodon_address).to eq("philipp@kosmos.org")
        end
      end
@@ -42,7 +38,7 @@ RSpec.describe User, type: :model do
        end
        it "returns the user address" do
-          expect(user.mastodon_address).to eq("jimmy@kosmos.social")
+          expect(user.mastodon_address).to eq("philipp@kosmos.social")
        end
      end
@@ -239,7 +235,7 @@ RSpec.describe User, type: :model do
  describe "#nostr_pubkey" do
    before do
-      allow_any_instance_of(User).to receive(:ldap_entry)
+      allow(user).to receive(:ldap_entry)
        .and_return({ nostr_key: "07e188a1ff87ce171d517b8ed2bb7a31b1d3453a0db3b15379ec07b724d232f3" })
    end
@@ -250,7 +246,7 @@ RSpec.describe User, type: :model do
  describe "#nostr_pubkey_bech32" do
    before do
-      allow_any_instance_of(User).to receive(:ldap_entry)
+      allow(user).to receive(:ldap_entry)
        .and_return({ nostr_key: "07e188a1ff87ce171d517b8ed2bb7a31b1d3453a0db3b15379ec07b724d232f3" })
    end
@@ -258,4 +254,73 @@ RSpec.describe User, type: :model do
      expect(user.nostr_pubkey_bech32).to eq("npub1qlsc3g0lsl8pw8230w8d9wm6xxcax3f6pkemz5measrmwfxjxteslf2hac")
    end
  end
  describe "OpenPGP key" do
    let(:alice) { create :user, id: 2, cn: "alice", email: "alice@example.com" }
    let(:jimmy) { create :user, id: 3, cn: "jimmy", email: "jimmy@example.com" }
    let(:valid_key_alice) { File.read("#{Rails.root}/spec/fixtures/files/pgp_key_valid_alice.asc") }
    let(:valid_key_jimmy) { File.read("#{Rails.root}/spec/fixtures/files/pgp_key_valid_jimmy.asc") }
    let(:fingerprint_alice) { "EB85BB5FA33A75E15E944E63F231550C4F47E38E" }
    let(:fingerprint_jimmy) { "316BF516236DAF77236B15F6057D93972FB862C3" }
    let(:invalid_key) { File.read("#{Rails.root}/spec/fixtures/files/pgp_key_invalid.asc") }
    before do
      GPGME::Key.import(valid_key_alice)
      GPGME::Key.import(valid_key_jimmy)
      alice.update pgp_fpr: fingerprint_alice
      jimmy.update pgp_fpr: fingerprint_jimmy
      allow(alice).to receive(:ldap_entry).and_return({ pgp_key: valid_key_alice })
      allow(jimmy).to receive(:ldap_entry).and_return({ pgp_key: valid_key_jimmy })
    end
    after do
      alice.gnupg_key.delete!
      jimmy.gnupg_key.delete!
    end
    describe "#acceptable_pgp_key_format" do
      it "validates the record when the key is valid" do
        alice.pgp_pubkey = valid_key_alice
        expect(alice).to be_valid
      end
      it "adds a validation error when the key is not valid" do
        user.pgp_pubkey = invalid_key
        expect(user).to_not be_valid
        expect(user.errors[:pgp_pubkey]).to be_present
      end
    end
    describe "#pgp_pubkey" do
      it "returns the raw pubkey from LDAP" do
        expect(alice.pgp_pubkey).to eq(valid_key_alice)
      end
    end
    describe "#gnupg_key" do
      subject { alice.gnupg_key }
      it "returns a GPGME::Key object from the system's GPG keyring" do
        expect(subject).to be_a(GPGME::Key)
        expect(subject.fingerprint).to eq(fingerprint_alice)
        expect(subject.email).to eq("alice@openpgp.example")
      end
    end
    describe "#pgp_pubkey_contains_user_address?" do
      it "returns false when the user address is one of the UIDs of the key" do
        expect(alice.pgp_pubkey_contains_user_address?).to eq(false)
      end
      it "returns true when the user address is missing from the UIDs of the key" do
        expect(jimmy.pgp_pubkey_contains_user_address?).to eq(true)
      end
    end
    describe "wkd_hash" do
      it "returns a z-base32 encoded SHA-1 digest of the username" do
        expect(alice.wkd_hash).to eq("kei1q4tipxxu1yj79k9kfukdhfy631xe")
      end
    end
  end
 end
--- a/spec/requests/web_key_directory_spec.rb
+++ b/spec/requests/web_key_directory_spec.rb
@@ -0,0 +1,101 @@
 require 'rails_helper'
 RSpec.describe "OpenPGP Web Key Directory", type: :request do
  describe "policy" do
    it "returns an empty 200 response" do
      get "/.well-known/openpgpkey/policy"
      expect(response).to have_http_status(:ok)
      expect(response.body).to be_empty
    end
  end
  describe "non-existent user" do
    it "returns a 404 status" do
      get "/.well-known/openpgpkey/hu/fmb8gw3n4zdj4xpwaziki4mwcxr1368i?l=aristotle"
      expect(response).to have_http_status(:not_found)
    end
  end
  describe "user without pubkey" do
    let(:user) { create :user, cn: 'bernd', ou: 'kosmos.org' }
    it "returns a 404 status" do
      get "/.well-known/openpgpkey/hu/kp95h369c89sx8ia1hn447i868nqyz4t?l=bernd"
      expect(response).to have_http_status(:not_found)
    end
  end
  describe "user with pubkey" do
    let(:alice) { create :user, id: 2, cn: "alice", email: "alice@example.com" }
    let(:jimmy) { create :user, id: 3, cn: "jimmy", email: "jimmy@example.com" }
    let(:valid_key_alice) { File.read("#{Rails.root}/spec/fixtures/files/pgp_key_valid_alice.asc") }
    let(:valid_key_jimmy) { File.read("#{Rails.root}/spec/fixtures/files/pgp_key_valid_jimmy.asc") }
    let(:fingerprint_alice) { "EB85BB5FA33A75E15E944E63F231550C4F47E38E" }
    let(:fingerprint_jimmy) { "316BF516236DAF77236B15F6057D93972FB862C3" }
    let(:invalid_key) { File.read("#{Rails.root}/spec/fixtures/files/pgp_key_invalid.asc") }
    before do
      GPGME::Key.import(valid_key_alice)
      GPGME::Key.import(valid_key_jimmy)
      alice.update pgp_fpr: fingerprint_alice
      jimmy.update pgp_fpr: fingerprint_jimmy
    end
    after do
      alice.gnupg_key.delete!
      jimmy.gnupg_key.delete!
    end
    describe "pubkey does not contain user address" do
      before do
        allow_any_instance_of(User).to receive(:ldap_entry)
          .and_return({ pgp_key: valid_key_alice })
      end
      it "returns a 404 status" do
        get "/.well-known/openpgpkey/hu/kei1q4tipxxu1yj79k9kfukdhfy631xe?l=alice"
        expect(response).to have_http_status(:not_found)
      end
    end
    describe "pubkey contains user address" do
      before do
        allow_any_instance_of(User).to receive(:ldap_entry)
          .and_return({ pgp_key: valid_key_jimmy })
      end
      it "returns the pubkey in binary format" do
        get "/.well-known/openpgpkey/hu/yuca4ky39mhwkjo78qb8zjgbfj1hg3yf?l=jimmy"
        expect(response).to have_http_status(:ok)
        expect(response.headers['Content-Type']).to eq("application/octet-stream")
        expected_binary_data = File.binread("#{Rails.root}/spec/fixtures/files/pgp_key_valid_jimmy.pem")
        expect(response.body).to eq(expected_binary_data)
      end
      context "with wrong capitalization of username" do
        it "returns the pubkey as ASCII Armor plain text" do
          get "/.well-known/openpgpkey/hu/yuca4ky39mhwkjo78qb8zjgbfj1hg3yf?l=JimmY"
          expect(response).to have_http_status(:ok)
          expected_binary_data = File.binread("#{Rails.root}/spec/fixtures/files/pgp_key_valid_jimmy.pem")
          expect(response.body).to eq(expected_binary_data)
        end
      end
      context "with .txt extension" do
        it "returns the pubkey as ASCII Armor plain text" do
          get "/.well-known/openpgpkey/hu/yuca4ky39mhwkjo78qb8zjgbfj1hg3yf.txt?l=jimmy"
          expect(response).to have_http_status(:ok)
          expect(response.body).to eq(valid_key_jimmy)
          expect(response.headers['Content-Type']).to eq("text/plain")
        end
      end
      context "invalid URL" do
        it "returns a 422 status" do
          get "/.well-known/openpgpkey/hu/123456abcdef?l=alice"
          expect(response).to have_http_status(:not_found)
        end
      end
    end
  end
 end
--- a/spec/services/user_manager/create_account_spec.rb
+++ b/spec/services/user_manager/create_account_spec.rb
@@ -1,8 +1,8 @@
 require 'rails_helper'
-RSpec.describe CreateAccount, type: :model do
+RSpec.describe UserManager::CreateAccount, type: :model do
  describe "#create_user_in_database" do
-    let(:service) { CreateAccount.new(account: {
+    let(:service) { described_class.new(account: {
      username: 'isaacnewton',
      email: 'isaacnewton@example.com',
      password: 'bright-ideas-in-autumn'
@@ -19,7 +19,7 @@ RSpec.describe CreateAccount, type: :model do
  describe "#update_invitation" do
    let(:invitation) { create :invitation }
-    let(:service) { CreateAccount.new(account: {
+    let(:service) { described_class.new(account: {
      username: 'isaacnewton',
      email: 'isaacnewton@example.com',
      password: 'bright-ideas-in-autumn',
@@ -42,7 +42,7 @@ RSpec.describe CreateAccount, type: :model do
  describe "#add_ldap_document" do
    include ActiveJob::TestHelper
-    let(:service) { CreateAccount.new(account: {
+    let(:service) { described_class.new(account: {
      username: 'halfinney',
      email: 'halfinney@example.com',
      password: 'remember-remember-the-5th-of-november'
@@ -68,7 +68,7 @@ RSpec.describe CreateAccount, type: :model do
  describe "#add_ldap_document for pre-confirmed account" do
    include ActiveJob::TestHelper
-    let(:service) { CreateAccount.new(account: {
+    let(:service) { described_class.new(account: {
      username: 'halfinney',
      email: 'halfinney@example.com',
      password: 'remember-remember-the-5th-of-november',
@@ -89,7 +89,7 @@ RSpec.describe CreateAccount, type: :model do
  describe "#create_lndhub_account" do
    include ActiveJob::TestHelper
-    let(:service) { CreateAccount.new(account: {
+    let(:service) { described_class.new(account: {
      username: 'halfinney', email: 'halfinney@example.com',
      password: 'bright-ideas-in-winter'
    })}
--- a/spec/services/user_manager/create_invitations_spec.rb
+++ b/spec/services/user_manager/create_invitations_spec.rb
@@ -1,13 +1,13 @@
 require 'rails_helper'
-RSpec.describe CreateInvitations, type: :model do
+RSpec.describe UserManager::CreateInvitations, type: :model do
  include ActiveJob::TestHelper
  let(:user) { create :user }
  describe "#call" do
    before do
-      CreateInvitations.call(user: user, amount: 5)
+      described_class.call(user: user, amount: 5)
    end
    after(:each) { clear_enqueued_jobs }
@@ -28,7 +28,7 @@ RSpec.describe CreateInvitations, type: :model do
  describe "#call with notification disabled" do
    before do
-      CreateInvitations.call(user: user, amount: 3, notify: false)
+      described_class.call(user: user, amount: 3, notify: false)
    end
    after(:each) { clear_enqueued_jobs }
--- a/spec/services/user_manager/update_pgp_key_spec.rb
+++ b/spec/services/user_manager/update_pgp_key_spec.rb
@@ -0,0 +1,74 @@
 require 'rails_helper'
 RSpec.describe UserManager::UpdatePgpKey, type: :model do
  include ActiveJob::TestHelper
  let(:alice) { create :user, cn: "alice" }
  let(:dn)    { "cn=alice,ou=kosmos.org,cn=users,dc=kosmos,dc=org" }
  let(:pubkey_asc) { File.read("#{Rails.root}/spec/fixtures/files/pgp_key_valid_alice.asc") }
  let(:fingerprint) { "EB85BB5FA33A75E15E944E63F231550C4F47E38E" }
  before do
    allow(alice).to receive(:dn).and_return(dn)
    allow(alice).to receive(:ldap_entry).and_return({
      uid: alice.cn, ou: alice.ou, pgp_key: nil
    })
  end
  describe "#call" do
    context "with valid key" do
      before do
        alice.pgp_pubkey = pubkey_asc
        allow(LdapManager::UpdatePgpKey).to receive(:call)
          .with(dn: alice.dn, pubkey: pubkey_asc)
      end
      after do
        alice.gnupg_key.delete!
      end
      it "imports the key into the GnuPG keychain" do
        described_class.call(user: alice)
        expect(alice.gnupg_key).to be_present
      end
      it "stores the key's fingerprint on the user record" do
        described_class.call(user: alice)
        expect(alice.pgp_fpr).to eq(fingerprint)
      end
      it "updates the user's LDAP entry with the new key" do
        expect(LdapManager::UpdatePgpKey).to receive(:call)
          .with(dn: alice.dn, pubkey: pubkey_asc)
        described_class.call(user: alice)
      end
    end
    context "with empty key" do
      before do
        alice.update pgp_fpr: fingerprint
        alice.pgp_pubkey = ""
        allow(LdapManager::UpdatePgpKey).to receive(:call)
          .with(dn: alice.dn, pubkey: "")
      end
      it "does not attempt to import the key" do
        expect(GPGME::Key).not_to receive(:import)
        described_class.call(user: alice)
      end
      it "removes the key's fingerprint from the user record" do
        described_class.call(user: alice)
        expect(alice.pgp_fpr).to be_nil
      end
      it "removes the key from the user's LDAP entry" do
        expect(LdapManager::UpdatePgpKey).to receive(:call)
          .with(dn: alice.dn, pubkey: "")
        described_class.call(user: alice)
      end
    end
  end
 end
--- a/spec/spec_helper.rb
+++ b/spec/spec_helper.rb
@@ -14,6 +14,11 @@
 #
 # See http://rubydoc.info/gems/rspec-core/RSpec/Core/Configuration
 RSpec.configure do |config|
  # TODO Remove when Devise fixes https://github.com/heartcombo/devise/issues/5705
  config.before(:each, type: :controller) do
    Rails.application.reload_routes_unless_loaded
  end
  # rspec-expectations config goes here. You can use an alternate
  # assertion/expectation library such as wrong or the stdlib/minitest
  # assertions if you prefer.
Author	SHA1	Message	Date
Râu Cao	3d8619532b	Refactor LDAP config All checks were successful continuous-integration/drone/push Build is passing Details continuous-integration/drone/pr Build is passing Details * Move credentials to ENV vars in prod * Use same configs in dev and prod * Make UID attribute and admin DN configurable	2025-05-06 15:32:59 +04:00
Râu Cao	d56edb34f1	Remove SMTP credentials from Rails credentials Already unused	2025-05-06 15:08:46 +04:00
Râu Cao	a97bbf61a8	Fix postgresql query for deleting auth expiry job All checks were successful continuous-integration/drone/push Build is passing Details Solid Queue uses a text column, instead of a jsonb, so we need to cast it as jsonb on the fly.	2025-05-05 17:37:58 +04:00
Râu Cao	5a523fd220	Merge pull request 'Refactor database configs' (#220 ) from chore/db_configs into master All checks were successful continuous-integration/drone/push Build is passing Details Reviewed-on: #220	2025-05-05 12:54:22 +00:00
Râu Cao	889c9ae824	Refactor database configs All checks were successful continuous-integration/drone/push Build is passing Details continuous-integration/drone/pr Build is passing Details Release Drafter / Update release notes draft (pull_request) Successful in 2s Details * Move postgres credentials to ENV vars * Allow postgres in development * Allow SQlite in production * Refactor optional lndhub db config Co-authored-by: Greg Karékinian <greg@karekinian.com>	2025-05-05 15:25:25 +04:00
Râu Cao	e686cf42e8	Merge pull request 'Switch from Sidekiq to Solid Queue' (#219 ) from dev/sidekiq_to_solidqueue into master All checks were successful continuous-integration/drone/push Build is passing Details Reviewed-on: #219 Reviewed-by: Greg <greg@noreply.kosmos.org>	2025-05-05 11:24:56 +00:00
Râu Cao	906468d156	Allow to immediately expire auth via job All checks were successful continuous-integration/drone/push Build is passing Details continuous-integration/drone/pr Build is passing Details Release Drafter / Update release notes draft (pull_request) Successful in 3s Details When running the job before its schedule	2025-05-05 12:46:46 +04:00
Râu Cao	ee5c6d86d0	Port RS auth job removal to Solid Queue All checks were successful continuous-integration/drone/push Build is passing Details continuous-integration/drone/pr Build is passing Details	2025-05-05 11:07:30 +04:00
Râu Cao	d1eea85b04	Add Redis gem explicitly, remove sidekiq require Some checks failed continuous-integration/drone/push Build is failing Details continuous-integration/drone/pr Build is failing Details	2025-05-04 18:14:49 +04:00
Râu Cao	ecd814641a	Remove Sidekiq initializer Some checks failed continuous-integration/drone/push Build is failing Details continuous-integration/drone/pr Build is failing Details	2025-05-04 17:44:37 +04:00
Râu Cao	b1dd5800b2	Update lockfile Some checks failed continuous-integration/drone/push Build is failing Details continuous-integration/drone/pr Build is failing Details	2025-05-04 17:42:31 +04:00
Râu Cao	0cad4cdcfe	WIP Switch from Sidekiq to Solid Queue Some checks failed continuous-integration/drone/push Build is running Details continuous-integration/drone/pr Build is failing Details	2025-05-04 17:40:33 +04:00
Greg	b61906059c	Merge pull request 'Upgrade Rails to 8.0' (#216 ) from chore/upgrade_rails into master All checks were successful continuous-integration/drone/push Build is passing Details Reviewed-on: #216 Reviewed-by: Greg <greg@noreply.kosmos.org>	2025-04-30 08:36:16 +00:00
Râu Cao	aef779a59c	Switch from Sprockets to Propshaft All checks were successful continuous-integration/drone/push Build is passing Details continuous-integration/drone/pr Build is passing Details Release Drafter / Update release notes draft (pull_request) Successful in 1s Details	2025-04-29 17:11:21 +04:00
Râu Cao	1ddecab2c3	Upgrade Rails to 8.0 All checks were successful continuous-integration/drone/push Build is passing Details continuous-integration/drone/pr Build is passing Details	2025-04-28 17:49:54 +04:00
Râu Cao	74b4bc3875	Upgrade Rails to 7.2 All checks were successful continuous-integration/drone/push Build is passing Details	2025-04-28 00:17:25 +04:00
Râu Cao	646c95ecc2	Fix local/development RS auth URL All checks were successful continuous-integration/drone/push Build is passing Details	2025-04-27 16:09:32 +04:00
Râu Cao	fb054ae455	Add task for generating ctags All checks were successful continuous-integration/drone/push Build is passing Details	2025-04-26 12:37:10 +04:00
Râu Cao	536052e9bf	Merge pull request 'Upgrade strfry/deno, port strfry policies to @nostrify/policies' (#214 ) from chore/upgrade_strfry_deno into master All checks were successful continuous-integration/drone/push Build is passing Details Reviewed-on: #214	2025-04-18 10:51:35 +00:00
Râu Cao	b29a0abb0b	Document strfry integration All checks were successful continuous-integration/drone/push Build is passing Details continuous-integration/drone/pr Build is passing Details Release Drafter / Update release notes draft (pull_request) Successful in 3s Details	2025-04-16 17:34:10 +04:00
Râu Cao	29ff486683	Port strfry policies to @nostrify/policies Use packages from JSR and adapt code for new policy APIs	2025-04-15 19:01:22 +04:00
Râu Cao	e53b9dd186	Upgrade strfry docker image Contains latest strfry (1.0.4) and deno (2.2.10)	2025-04-15 19:00:52 +04:00
Râu Cao	a2921297fe	Fix seeds The CreateAccount service has moved to a namespace	2025-04-11 16:14:44 +04:00
Râu Cao	7df56479a4	Fix 500 when pubkey is nil	2025-01-02 08:30:58 -05:00
Râu Cao	8aa3ca9e23	Merge pull request 'Let users upload their OpenPGP public key, and serve WKD response' (#205 ) from feature/191-gpg_keys_wkd into master All checks were successful continuous-integration/drone/push Build is passing Details Reviewed-on: #205 Reviewed-by: galfert <garret.alfert@gmail.com>	2024-10-14 14:08:31 +00:00
Râu Cao	3ad1d03785	Merge pull request 'Encrypt all system emails for users with PGP key' (#207 ) from feature/encrypted_system_emails into feature/191-gpg_keys_wkd All checks were successful continuous-integration/drone/push Build is passing Details continuous-integration/drone/pr Build is passing Details Release Drafter / Update release notes draft (pull_request) Successful in 4s Details Reviewed-on: #207 Reviewed-by: galfert <garret.alfert@gmail.com>	2024-10-14 13:39:01 +00:00
Râu Cao	e258a8bd27	Merge pull request 'Use ASCII format for nostrKey LDAP schema' (#206 ) from chore/nostr_key_ldap_schema into master All checks were successful continuous-integration/drone/push Build is passing Details Reviewed-on: #206 Reviewed-by: galfert <garret.alfert@gmail.com>	2024-10-10 14:18:31 +00:00
Râu Cao	339462f320	Refactor mailer options usage All checks were successful continuous-integration/drone/push Build is passing Details continuous-integration/drone/pr Build is passing Details Release Drafter / Update release notes draft (pull_request) Successful in 5s Details	2024-10-08 14:06:10 +02:00
Râu Cao	c4c2d16342	Encrypt outgoing emails when possible	2024-10-08 14:05:50 +02:00
Râu Cao	3ee76e26ab	Re-import user's pubkey on access All checks were successful continuous-integration/drone/push Build is passing Details continuous-integration/drone/pr Build is passing Details Sometimes, the pubkey might not be imported in the local keychain (anymore), but at this point in the code it had been successfully imported at least once before. So we just (re-)import every time for it to never fail.	2024-10-08 11:34:18 +02:00
Râu Cao	729e4fd566	Add WKD policy endpoint All checks were successful continuous-integration/drone/push Build is passing Details continuous-integration/drone/pr Build is passing Details	2024-09-26 23:11:21 +02:00
Râu Cao	8ad6adbaeb	Use ASCII format for nostrKey LDAP schema Some checks failed continuous-integration/drone/push Build is passing Details continuous-integration/drone/pr Build is passing Details Release Drafter / Update release notes draft (pull_request) Failing after 10m11s Details No need for UTF-8	2024-09-25 18:35:48 +02:00
Râu Cao	534e5a9d3c	Gracefully handle wrong capitalization of username All checks were successful continuous-integration/drone/push Build is passing Details continuous-integration/drone/pr Build is passing Details	2024-09-25 00:20:30 +02:00
Râu Cao	1b72c97f42	Remove obsolete code	2024-09-25 00:17:30 +02:00
Râu Cao	bfd8ca16a9	Merge branch 'master' into feature/191-gpg_keys_wkd	2024-09-25 00:16:39 +02:00
Râu Cao	9f6fa6deba	Remove example link All checks were successful continuous-integration/drone/push Build is passing Details continuous-integration/drone/pr Build is passing Details Until we have a live example on kosmos.org	2024-09-23 20:36:05 +02:00
Râu Cao	37b106e73c	Whitespace All checks were successful continuous-integration/drone/push Build is passing Details continuous-integration/drone/pr Build is passing Details	2024-09-23 19:22:52 +02:00
Râu Cao	c3f1f97e1a	Add display name and PGP key to admin user page Link the key to the ASCII Armor WKD endpoint, if it contains the user's account address	2024-09-23 19:21:59 +02:00
Râu Cao	4a677178e8	Add Web Key Directory endpoint Serve public keys in binary and armored text, if they contain a user's account address.	2024-09-23 19:20:10 +02:00
Râu Cao	3042a02a17	Allow users to update their OpenPGP pubkey All checks were successful continuous-integration/drone/push Build is passing Details	2024-09-23 18:13:39 +02:00
Râu Cao	118fddb497	Document URLs for settings controller actions No need to read the route sources all the time	2024-09-23 16:07:02 +02:00
Râu Cao	ba683a7b95	Move some Rails app services to UserManager namespace All checks were successful continuous-integration/drone/push Build is passing Details	2024-09-23 16:03:02 +02:00
Râu Cao	90a8a70c15	Add OpenPGP key to LDAP directory and User model All checks were successful continuous-integration/drone/push Build is passing Details	2024-09-23 15:20:00 +02:00
		`@@ -0,0 +1,2 @@`
							`class UserManagerService < ApplicationService`
							`end`
		`@@ -1 +1 @@`
			tmI5vm7qZhaigr52jEBVWkRdj+EE+9OmPh3vWXC7kA/OHuuucpr7SodychuMkQDPLM0BLk88LFsqvRIR+mqnLWpRC+P9aeUFE6ohxSWzcAd7Y4sgxUD8zpCRPndrwTw0hxXXj1WZSYeWn4BoAB34aV+gYen2MajZF3a95hJGtS5yjgWxvLVkQQKqRDfykkfX6fCS0BPo5X7sT7m4xwCATD/D4219wajm5W3TIdkriHtwt28ZLspaRWA5e0UkzKf8+/Gaj2CrW7UWcvew8R93zQ5RA2/Sp3sDTVN+kLz9I9Q095lQC0ywCAEFYHeKmc2tjrzqRaAAWu06xmWLqGIg21G+A/UU9lUJOkIpxQACWoOfS2IoXR1nXhgXMopkz3aCBXDxKw554v4H2QyOceOsuRf2C685ibMqzQkKMmJ4tcbiOJL77DUc08JTjB8Dq4Ohr8sMzXbV/hATevjYoRP0XarLekqhLv90ZLuIVY16DwB0CzACeNBKeKbeLqJF51upRRWgi+gTbYpV04yUwnXdyssF8mydWocgihrTryBi8F6PsuhBGcaYdP+0yibnGxDCC4x2rupbBfMj2OIX7pYzgtIHB3Eo954Y+bCoggqbE/Qrb9VVXNMgtKgLt8EGWU2tg6wl9QicitIq87uLDAade93zTn6rmcKPywjMDo6jbVIs653ZdUhiKdHGdpnJccbgQ/iLSPB1umNnCeaEX5jM+K9zBvl7ZMCdSk1YIQ==--ekKumqLiSlVJNwMe--K/ecXmmMT1x+WnIXMbHBDw==				`wVGTGBCsJ2bLSXxn/cYKcYyljVARvZGhi2gOQbiJy/r3Ia4gUmurlKFFKF0m6wmUMIlj+W11Mvu4at3c5h9fzODeIJ+EwkbwLcO8KECUyuXwVxVm2sH2TixWRwhyokT+UwS8J5c7lJTgmFAPlZiRQ+YyrqmhyPzq1fEdErk3btsWNPpJpOsdv1YPBCFFN96zMfY8h+Ttr53a9S58h+fwA+ZF5ePVqeIpJshQ+21UjUIKb5qSLEIECsarI/QJDMQwyKcvYiOEPny8nZL/7bE9TxBgC7v6UnsN+ZXVUB36aw7LOPj+21NVIdWjwOgHYRK1H2Co+stS8bDieuqV29iTTL+F8afHm/6yRc7EAtfKJe3nWf4woI+hHw7p7g/6t451F4nv9Nu1Mmt6YvJjzbSIDbf6Q6yfuYyRAv7uZdXrfsezjyhTDNGQ/SgBDpQ7CUzRoruc--0WsH7dH/QP2Hzvya--8eFWc0g5dVAvrPhC5JpO5Q==`
		`@@ -1 +0,0 @@`
			`Rails.application.routes.default_url_options[:host] = ENV['APP_DOMAIN']`