0.9.0

Update liquor-cabinet image, fix LC/redis networking issue on Linux
Merge pull request 'Fix login redirect for existing RS auth' (#180 ) from bugfix/178-rs_login_redirect into master
2024-03-07 14:48:27 +01:00 · 2024-03-06 22:07:35 +01:00 · 2024-03-06 21:06:27 +00:00 · 2024-03-06 22:00:15 +01:00 · 2024-03-03 11:47:53 +00:00 · 2024-03-02 17:31:44 +01:00
214 changed files with 6222 additions and 929 deletions
--- a/.drone.yml
+++ b/.drone.yml
@@ -17,15 +17,19 @@ steps:
      branch:
        - master
  - name: rspec
-    image: guildeducation/rails:2.7.2-14.20.0
+    image: gitea.kosmos.org/kosmos/akkounts-ci:0.9.1
    environment:
      RAILS_ENV: test
      REDIS_URL: redis://redis:6379/0
      RS_REDIS_URL: redis://redis:6379/1
    commands:
      - bundle config unset deployment
      - bundle config set cache_all 'true'
      - bundle config set cache_path 'vendor/cache'
      - bundle config set with 'development test'
      - bundle install --jobs=3 --retry=3
      - bundle exec rails db:create
      - bundle exec rails db:migrate
      - yarn install
      - rake css:build
      - bundle exec rspec
@@ -42,6 +46,10 @@ steps:
      branch:
        - master
 services:
  - name: redis
    image: redis
 volumes:
  - name: cache
    host:
--- a/.env.example
+++ b/.env.example
@@ -1,43 +1,64 @@
-PRIMARY_DOMAIN=kosmos.org
+# PRIMARY_DOMAIN=kosmos.org
-AKKOUNTS_DOMAIN=accounts.example.com
+# AKKOUNTS_DOMAIN=accounts.example.com
-SMTP_SERVER=smtp.example.com
+# SMTP_SERVER=smtp.example.com
-SMTP_PORT=587
+# SMTP_PORT=587
-SMTP_LOGIN=accounts
+# SMTP_LOGIN=accounts
-SMTP_PASSWORD=123abc
+# SMTP_PASSWORD=123abc
-SMTP_FROM_ADDRESS=accounts@example.com
+# SMTP_FROM_ADDRESS=accounts@example.com
-SMTP_DOMAIN=example.com
+# SMTP_DOMAIN=example.com
-SMTP_AUTH_METHOD=plain
+# SMTP_AUTH_METHOD=plain
-SMTP_ENABLE_STARTTLS=auto
+# SMTP_ENABLE_STARTTLS=auto
-LDAP_HOST=localhost
+# S3_ENABLED=true
-LDAP_PORT=389
+# S3_ENDPOINT=https://s3.kosmos.org
-LDAP_ADMIN_PASSWORD=passthebutter
+# S3_REGION=garage
-LDAP_SUFFIX='dc=kosmos,dc=org'
+# S3_BUCKET=akkounts-production
 # S3_ALIAS_HOST=https://accounts.web.s3.kosmos.org
 # S3_ACCESS_KEY=123456abcdefg
 # S3_SECRET_KEY=123456789123456789123456789
-REDIS_URL='redis://localhost:6379/1'
+# LDAP_HOST=localhost
 # LDAP_PORT=389
 # LDAP_ADMIN_PASSWORD=passthebutter
 # LDAP_SUFFIX='dc=kosmos,dc=org'
-WEBHOOKS_ALLOWED_IPS='10.1.1.163'
+# REDIS_URL='redis://localhost:6379/1'
-DISCOURSE_PUBLIC_URL='https://community.kosmos.org'
+# WEBHOOKS_ALLOWED_IPS='10.1.1.163'
 DISCOURSE_CONNECT_SECRET='discourse_connect_ftw'
-GITEA_PUBLIC_URL='https://gitea.kosmos.org'
+#
-MASTODON_PUBLIC_URL='https://kosmos.social'
+# Service Integrations
-MEDIAWIKI_PUBLIC_URL='https://wiki.kosmos.org'
+#
 RS_STORAGE_URL='https://storage.kosmos.org'
-EJABBERD_ADMIN_URL='https://xmpp.kosmos.org/admin'
+# BTCPAY_API_URL='http://localhost:23001/api/v1'
-EJABBERD_API_URL='https://xmpp.kosmos.org/api'
+# BTCPAY_STORE_ID=''
 # BTCPAY_AUTH_TOKEN=''
-BTCPAY_API_URL='http://localhost:23001/api/v1'
+# DISCOURSE_PUBLIC_URL='https://community.kosmos.org'
 # DISCOURSE_CONNECT_SECRET='discourse_connect_ftw'
-LNDHUB_API_URL='http://localhost:3023'
+# DRONECI_PUBLIC_URL='https://drone.kosmos.org'
-LNDHUB_PUBLIC_URL='https://lndhub.kosmos.org'
+
-LNDHUB_PUBLIC_KEY='0123d3be18617f39cf645851e3ba63f51fc13f0bb09e3bb25e6fd4de556486d946'
+# EJABBERD_ADMIN_URL='https://xmpp.kosmos.org/admin'
-LNDHUB_ADMIN_UI=true
+# EJABBERD_API_URL='https://xmpp.kosmos.org/api'
-LNDHUB_PG_HOST=localhost
+
-LNDHUB_PG_PORT=5432
+# GITEA_PUBLIC_URL='https://gitea.kosmos.org'
-LNDHUB_PG_DATABASE=lndhub
+
-LNDHUB_PG_USERNAME=lndhub
+# LNDHUB_API_URL='http://localhost:3023'
-LNDHUB_PG_PASSWORD=''
+# LNDHUB_PUBLIC_URL='https://lndhub.kosmos.org'
 # LNDHUB_PUBLIC_KEY='0123d3be18617f39cf645851e3ba63f51fc13f0bb09e3bb25e6fd4de556486d946'
 # LNDHUB_ADMIN_UI=true
 # LNDHUB_ADMIN_TOKEN=123456789
 # LNDHUB_PG_HOST=localhost
 # LNDHUB_PG_PORT=5432
 # LNDHUB_PG_DATABASE=lndhub
 # LNDHUB_PG_USERNAME=lndhub
 # LNDHUB_PG_PASSWORD=''
 # MASTODON_PUBLIC_URL='https://kosmos.social'
 # MEDIAWIKI_PUBLIC_URL='https://wiki.kosmos.org'
 # RS_STORAGE_URL='https://storage.kosmos.org'
 # RS_REDIS_URL='redis://localhost:6379/2'
--- a/.env.test
+++ b/.env.test
@@ -1,16 +1,20 @@
 PRIMARY_DOMAIN=kosmos.org
 REDIS_URL='redis://localhost:6379/0'
 BTCPAY_API_URL='http://btcpay.example.com/api/v1'
 BTCPAY_STORE_ID='123456'
 DISCOURSE_PUBLIC_URL='http://discourse.example.com'
 DISCOURSE_CONNECT_SECRET='discourse_connect_ftw'
 EJABBERD_API_URL='http://xmpp.example.com/api'
 BTCPAY_API_URL='http://btcpay.example.com/api/v1'
 LNDHUB_API_URL='http://localhost:3026'
 LNDHUB_PUBLIC_URL='https://lndhub.kosmos.org'
 LNDHUB_PUBLIC_KEY='024cd3be18617f39cf645851e3ba63f51fc13f0bb09e3bb25e6fd4de556486d946'
 RS_STORAGE_URL='https://storage.kosmos.org'
 RS_REDIS_URL='redis://localhost:6379/1'
 WEBHOOKS_ALLOWED_IPS='10.1.1.23'
--- a/.gitea/release-drafter.yml
+++ b/.gitea/release-drafter.yml
@@ -7,6 +7,7 @@ version-resolver:
  minor:
    labels:
      - 'release/minor'
      - 'feature'
  patch:
    labels:
      - 'release/patch'
--- a/.gitignore
+++ b/.gitignore
@@ -23,6 +23,7 @@
 !/tmp/pids/
 !/tmp/pids/.keep
 /storage
 /public/assets
 .byebug_history
@@ -39,6 +40,7 @@ yarn-debug.log*
 # Ignore local dotenv config file
 .env
 .env.development
 # Ignore redis dumps from sidekiq
 dump.rdb
--- a/.ruby-version
+++ b/.ruby-version
@@ -1 +1 @@
-2.7.2
+3.3.0
--- a/20
+++ b/20
@@ -1,17 +1,25 @@
 # syntax=docker/dockerfile:1
-FROM ruby:2.7.6
+FROM debian:bullseye-slim as base
 SHELL ["/bin/bash", "-o", "pipefail", "-c"]
-RUN apt-get update -qq && apt-get install -y --no-install-recommends curl \
+# TODO Remove when upstream Ruby works properly on Apple silicon
-      ldap-utils tini
+RUN apt update && apt install -y build-essential wget autoconf libpq-dev pkg-config
 RUN wget https://github.com/postmodern/ruby-install/releases/download/v0.9.3/ruby-install-0.9.3.tar.gz \
  && tar -xzvf ruby-install-0.9.3.tar.gz \
  && cd ruby-install-0.9.3/ \
  && make install
 RUN ruby-install -p https://github.com/ruby/ruby/pull/9371.diff ruby 3.3.0
 ENV PATH="/opt/rubies/ruby-3.3.0/bin:${PATH}"
 RUN apt-get install -y --no-install-recommends curl ldap-utils tini libvips
 RUN curl -fsSL https://deb.nodesource.com/setup_lts.x | bash -
 RUN apt-get update && apt-get install -y nodejs
 WORKDIR /akkounts
-COPY Gemfile /akkounts/Gemfile
+
-COPY Gemfile.lock /akkounts/Gemfile.lock
+COPY ["Gemfile", "Gemfile.lock", "package.json", "./"]
-COPY package.json /akkounts/package.json
+
 RUN bundle install
 RUN gem install foreman
 RUN npm install -g yarn
--- a/20
+++ b/20
@@ -2,7 +2,7 @@ source 'https://rubygems.org'
 git_source(:github) { |repo| "https://github.com/#{repo}.git" }
 # Bundle edge Rails instead: gem 'rails', github: 'rails/rails'
-gem 'rails', '~> 7.0.2'
+gem 'rails', '~> 7.1'
 # Use Puma as the app server
 gem 'puma', '~> 4.1'
 # View components
@@ -22,7 +22,7 @@ gem 'jbuilder', '~> 2.7'
 # Use Redis adapter to run Action Cable in production
 # gem 'redis', '~> 4.0'
 # Use Active Model has_secure_password
-# gem 'bcrypt', '~> 3.1.7'
+gem 'bcrypt', '~> 3.1'
 # Configuration
 gem 'dotenv-rails'
@@ -37,6 +37,7 @@ gem 'devise_ldap_authenticatable'
 gem 'net-ldap'
 # Utilities
 gem "image_processing", "~> 1.12.2"
 gem "rqrcode", "~> 2.0"
 gem 'rails-settings-cached', '~> 2.8.3'
 gem 'pagy', '~> 6.0', '>= 6.0.2'
@@ -46,6 +47,8 @@ gem 'flipper-ui'
 # HTTP requests
 gem 'faraday'
 gem 'down'
 gem 'aws-sdk-s3', require: false
 # Background/scheduled jobs
 gem 'sidekiq', '< 7'
@@ -58,18 +61,19 @@ gem "sentry-rails"
 # Services
 gem 'discourse_api'
 gem "lnurl"
-gem 'nostr', git: 'https://gitea.kosmos.org/kosmos/nostr-gem.git', branch: 'feature/ruby_2.7_compat'
+gem 'manifique'
 gem 'nostr'
 group :development, :test do
  # Use sqlite3 as the database for Active Record
-  gem 'sqlite3', '~> 1.4'
+  gem 'sqlite3', '~> 1.7.2'
  gem 'rspec-rails'
-  gem "byebug", "~> 11.1"
+  gem 'rails-controller-testing'
 end
 group :development do
  # Access an interactive console on exception pages or by calling 'console' anywhere in the code.
-  gem 'web-console', '>= 3.3.0'
+  gem 'web-console', '~> 4.2'
  gem 'listen', '~> 3.2'
  gem 'letter_opener'
  gem 'letter_opener_web'
@@ -85,8 +89,8 @@ group :test do
 end
 group :production do
-  # Use postgresql as the database for Active Record
+  gem 'pg', '~> 1.5'
  gem 'pg', '~> 1.2.3'
 end
 # Windows does not include zoneinfo files, so bundle the tzinfo-data gem
 gem 'tzinfo-data', platforms: [:mingw, :mswin, :x64_mingw, :jruby]
--- a/Gemfile.lock
+++ b/Gemfile.lock
@@ -1,113 +1,127 @@
 GIT
  remote: https://gitea.kosmos.org/kosmos/nostr-gem.git
  revision: 596529d9eb50d13b3f385245636698fccf37b442
  branch: feature/ruby_2.7_compat
  specs:
    nostr (0.4.0)
      bech32 (~> 1.3)
      bip-schnorr (~> 0.4)
      ecdsa (~> 1.2)
      event_emitter (~> 0.2)
      faye-websocket (~> 0.11)
      json (~> 2.6)
 GEM
  remote: https://rubygems.org/
  specs:
-    actioncable (7.0.5)
+    actioncable (7.1.3)
-      actionpack (= 7.0.5)
+      actionpack (= 7.1.3)
-      activesupport (= 7.0.5)
+      activesupport (= 7.1.3)
      nio4r (~> 2.0)
      websocket-driver (>= 0.6.1)
-    actionmailbox (7.0.5)
+      zeitwerk (~> 2.6)
-      actionpack (= 7.0.5)
+    actionmailbox (7.1.3)
-      activejob (= 7.0.5)
+      actionpack (= 7.1.3)
-      activerecord (= 7.0.5)
+      activejob (= 7.1.3)
-      activestorage (= 7.0.5)
+      activerecord (= 7.1.3)
-      activesupport (= 7.0.5)
+      activestorage (= 7.1.3)
      activesupport (= 7.1.3)
      mail (>= 2.7.1)
      net-imap
      net-pop
      net-smtp
-    actionmailer (7.0.5)
+    actionmailer (7.1.3)
-      actionpack (= 7.0.5)
+      actionpack (= 7.1.3)
-      actionview (= 7.0.5)
+      actionview (= 7.1.3)
-      activejob (= 7.0.5)
+      activejob (= 7.1.3)
-      activesupport (= 7.0.5)
+      activesupport (= 7.1.3)
      mail (~> 2.5, >= 2.5.4)
      net-imap
      net-pop
      net-smtp
-      rails-dom-testing (~> 2.0)
+      rails-dom-testing (~> 2.2)
-    actionpack (7.0.5)
+    actionpack (7.1.3)
-      actionview (= 7.0.5)
+      actionview (= 7.1.3)
-      activesupport (= 7.0.5)
+      activesupport (= 7.1.3)
-      rack (~> 2.0, >= 2.2.4)
+      nokogiri (>= 1.8.5)
      racc
      rack (>= 2.2.4)
      rack-session (>= 1.0.1)
      rack-test (>= 0.6.3)
-      rails-dom-testing (~> 2.0)
+      rails-dom-testing (~> 2.2)
-      rails-html-sanitizer (~> 1.0, >= 1.2.0)
+      rails-html-sanitizer (~> 1.6)
-    actiontext (7.0.5)
+    actiontext (7.1.3)
-      actionpack (= 7.0.5)
+      actionpack (= 7.1.3)
-      activerecord (= 7.0.5)
+      activerecord (= 7.1.3)
-      activestorage (= 7.0.5)
+      activestorage (= 7.1.3)
-      activesupport (= 7.0.5)
+      activesupport (= 7.1.3)
      globalid (>= 0.6.0)
      nokogiri (>= 1.8.5)
-    actionview (7.0.5)
+    actionview (7.1.3)
-      activesupport (= 7.0.5)
+      activesupport (= 7.1.3)
      builder (~> 3.1)
-      erubi (~> 1.4)
+      erubi (~> 1.11)
-      rails-dom-testing (~> 2.0)
+      rails-dom-testing (~> 2.2)
-      rails-html-sanitizer (~> 1.1, >= 1.2.0)
+      rails-html-sanitizer (~> 1.6)
-    activejob (7.0.5)
+    activejob (7.1.3)
-      activesupport (= 7.0.5)
+      activesupport (= 7.1.3)
      globalid (>= 0.3.6)
-    activemodel (7.0.5)
+    activemodel (7.1.3)
-      activesupport (= 7.0.5)
+      activesupport (= 7.1.3)
-    activerecord (7.0.5)
+    activerecord (7.1.3)
-      activemodel (= 7.0.5)
+      activemodel (= 7.1.3)
-      activesupport (= 7.0.5)
+      activesupport (= 7.1.3)
-    activestorage (7.0.5)
+      timeout (>= 0.4.0)
-      actionpack (= 7.0.5)
+    activestorage (7.1.3)
-      activejob (= 7.0.5)
+      actionpack (= 7.1.3)
-      activerecord (= 7.0.5)
+      activejob (= 7.1.3)
-      activesupport (= 7.0.5)
+      activerecord (= 7.1.3)
      activesupport (= 7.1.3)
      marcel (~> 1.0)
-      mini_mime (>= 1.1.0)
+    activesupport (7.1.3)
-    activesupport (7.0.5)
+      base64
      bigdecimal
      concurrent-ruby (~> 1.0, >= 1.0.2)
      connection_pool (>= 2.2.5)
      drb
      i18n (>= 1.6, < 2)
      minitest (>= 5.1)
      mutex_m
      tzinfo (~> 2.0)
-    addressable (2.8.4)
+    addressable (2.8.6)
      public_suffix (>= 2.0.2, < 6.0)
    ast (2.4.2)
    aws-eventstream (1.3.0)
    aws-partitions (1.886.0)
    aws-sdk-core (3.191.0)
      aws-eventstream (~> 1, >= 1.3.0)
      aws-partitions (~> 1, >= 1.651.0)
      aws-sigv4 (~> 1.8)
      jmespath (~> 1, >= 1.6.1)
    aws-sdk-kms (1.77.0)
      aws-sdk-core (~> 3, >= 3.191.0)
      aws-sigv4 (~> 1.1)
    aws-sdk-s3 (1.143.0)
      aws-sdk-core (~> 3, >= 3.191.0)
      aws-sdk-kms (~> 1)
      aws-sigv4 (~> 1.8)
    aws-sigv4 (1.8.0)
      aws-eventstream (~> 1, >= 1.0.2)
    backport (1.2.0)
-    bcrypt (3.1.18)
+    base64 (0.2.0)
-    bech32 (1.3.0)
+    bcrypt (3.1.20)
    bech32 (1.4.2)
      thor (>= 1.1.0)
-    benchmark (0.2.1)
+    benchmark (0.3.0)
    bigdecimal (3.1.6)
    bindex (0.8.1)
-    bip-schnorr (0.6.0)
+    bip-schnorr (0.7.0)
      ecdsa_ext (~> 0.5.0)
    builder (3.2.4)
-    byebug (11.1.3)
+    capybara (3.40.0)
    capybara (3.39.2)
      addressable
      matrix
      mini_mime (>= 0.1.3)
-      nokogiri (~> 1.8)
+      nokogiri (~> 1.11)
      rack (>= 1.6.0)
      rack-test (>= 0.6.3)
      regexp_parser (>= 1.5, < 3.0)
      xpath (~> 3.2)
    chunky_png (1.4.0)
-    concurrent-ruby (1.2.2)
+    concurrent-ruby (1.2.3)
    connection_pool (2.4.1)
-    crack (0.4.5)
+    crack (0.4.6)
      bigdecimal
      rexml
    crass (1.0.6)
-    cssbundling-rails (1.1.2)
+    cssbundling-rails (1.4.0)
      railties (>= 6.0.0)
    database_cleaner (2.0.2)
      database_cleaner-active_record (>= 2, < 3)
@@ -115,8 +129,8 @@ GEM
      activerecord (>= 5.a)
      database_cleaner-core (~> 2.0.0)
    database_cleaner-core (2.0.1)
-    date (3.3.3)
+    date (3.3.4)
-    devise (4.9.2)
+    devise (4.9.3)
      bcrypt (~> 3.0)
      orm_adapter (~> 0.1)
      railties (>= 4.1.0)
@@ -125,7 +139,7 @@ GEM
    devise_ldap_authenticatable (0.8.7)
      devise (>= 3.4.1)
      net-ldap (>= 0.16.0)
-    diff-lcs (1.5.0)
+    diff-lcs (1.5.1)
    discourse_api (2.0.1)
      faraday (~> 2.7)
      faraday-follow_redirects
@@ -135,6 +149,10 @@ GEM
    dotenv-rails (2.8.1)
      dotenv (= 2.8.1)
      railties (>= 3.2)
    down (5.4.1)
      addressable (~> 2.8)
    drb (2.2.0)
      ruby2_keywords
    e2mmap (0.1.0)
    ecdsa (1.2.0)
    ecdsa_ext (0.5.0)
@@ -144,56 +162,66 @@ GEM
      tzinfo
    event_emitter (0.2.6)
    eventmachine (1.2.7)
-    factory_bot (6.2.1)
+    factory_bot (6.4.6)
      activesupport (>= 5.0.0)
-    factory_bot_rails (6.2.0)
+    factory_bot_rails (6.4.3)
-      factory_bot (~> 6.2.0)
+      factory_bot (~> 6.4)
      railties (>= 5.0.0)
-    faker (3.2.0)
+    faker (3.2.3)
      i18n (>= 1.8.11, < 2)
-    faraday (2.7.6)
+    faraday (2.9.0)
-      faraday-net_http (>= 2.0, < 3.1)
+      faraday-net_http (>= 2.0, < 3.2)
      ruby2_keywords (>= 0.0.4)
    faraday-follow_redirects (0.3.0)
      faraday (>= 1, < 3)
    faraday-multipart (1.0.4)
      multipart-post (~> 2)
-    faraday-net_http (3.0.2)
+    faraday-net_http (3.1.0)
-    faye-websocket (0.11.2)
+      net-http
    faye-websocket (0.11.3)
      eventmachine (>= 0.12.0)
      websocket-driver (>= 0.5.1)
-    ffi (1.15.5)
+    ffi (1.16.3)
-    flipper (0.28.0)
+    flipper (1.2.2)
      concurrent-ruby (< 2)
-    flipper-active_record (0.28.0)
+    flipper-active_record (1.2.2)
      activerecord (>= 4.2, < 8)
-      flipper (~> 0.28.0)
+      flipper (~> 1.2.2)
-    flipper-ui (0.28.0)
+    flipper-ui (1.2.2)
      erubi (>= 1.0.0, < 2.0.0)
-      flipper (~> 0.28.0)
+      flipper (~> 1.2.2)
-      rack (>= 1.4, < 3)
+      rack (>= 1.4, < 4)
      rack-protection (>= 1.5.3, <= 4.0.0)
      sanitize (< 7)
-    fugit (1.8.1)
+    fugit (1.9.0)
      et-orbi (~> 1, >= 1.2.7)
      raabro (~> 1.4)
-    globalid (1.1.0)
+    globalid (1.2.1)
-      activesupport (>= 5.0)
+      activesupport (>= 6.1)
-    hashdiff (1.0.1)
+    hashdiff (1.1.0)
    i18n (1.14.1)
      concurrent-ruby (~> 1.0)
-    importmap-rails (1.1.6)
+    image_processing (1.12.2)
      mini_magick (>= 4.9.5, < 5)
      ruby-vips (>= 2.0.17, < 3)
    importmap-rails (2.0.1)
      actionpack (>= 6.0.0)
      activesupport (>= 6.0.0)
      railties (>= 6.0.0)
    io-console (0.7.2)
    irb (1.11.1)
      rdoc
      reline (>= 0.4.2)
    jaro_winkler (1.5.6)
    jbuilder (2.11.5)
      actionview (>= 5.0.0)
      activesupport (>= 5.0.0)
-    json (2.6.3)
+    jmespath (1.6.2)
    json (2.7.1)
    kramdown (2.4.0)
      rexml
    kramdown-parser-gfm (1.1.0)
      kramdown (~> 2.0)
    language_server-protocol (3.17.0.3)
    launchy (2.5.2)
      addressable (~> 2.8)
    letter_opener (1.8.1)
@@ -206,10 +234,10 @@ GEM
    listen (3.8.0)
      rb-fsevent (~> 0.10, >= 0.10.3)
      rb-inotify (~> 0.9, >= 0.9.10)
-    lnurl (1.0.1)
+    lnurl (1.1.0)
      bech32 (~> 1.1)
-    lockbox (1.2.0)
+    lockbox (1.3.2)
-    loofah (2.21.3)
+    loofah (2.22.0)
      crass (~> 1.0.2)
      nokogiri (>= 1.12.0)
    mail (2.8.1)
@@ -217,58 +245,92 @@ GEM
      net-imap
      net-pop
      net-smtp
    manifique (1.0.1)
      faraday (~> 2.9.0)
      faraday-follow_redirects (= 0.3.0)
      nokogiri (~> 1.16.0)
    marcel (1.0.2)
    matrix (0.4.2)
    method_source (1.0.0)
-    mini_mime (1.1.2)
+    mini_magick (4.12.0)
-    minitest (5.18.0)
+    mini_mime (1.1.5)
    mini_portile2 (2.8.5)
    minitest (5.21.2)
    multipart-post (2.3.0)
-    net-imap (0.3.6)
+    mutex_m (0.2.0)
    net-http (0.4.1)
      uri
    net-imap (0.4.9.1)
      date
      net-protocol
-    net-ldap (0.18.0)
+    net-ldap (0.19.0)
    net-pop (0.1.2)
      net-protocol
-    net-protocol (0.2.1)
+    net-protocol (0.2.2)
      timeout
-    net-smtp (0.3.3)
+    net-smtp (0.4.0.1)
      net-protocol
-    nio4r (2.5.9)
+    nio4r (2.7.0)
-    nokogiri (1.15.2-x86_64-linux)
+    nokogiri (1.16.0)
      mini_portile2 (~> 2.8.2)
      racc (~> 1.4)
    nokogiri (1.16.0-arm64-darwin)
      racc (~> 1.4)
    nokogiri (1.16.0-x86_64-linux)
      racc (~> 1.4)
    nostr (0.5.0)
      bech32 (~> 1.4)
      bip-schnorr (~> 0.6)
      ecdsa (~> 1.2)
      event_emitter (~> 0.2)
      faye-websocket (~> 0.11)
      json (~> 2.6)
    orm_adapter (0.5.0)
-    pagy (6.0.4)
+    pagy (6.4.3)
-    parallel (1.23.0)
+    parallel (1.24.0)
-    parser (3.2.2.3)
+    parser (3.3.0.5)
      ast (~> 2.4.1)
      racc
-    pg (1.2.3)
+    pg (1.5.4)
-    public_suffix (5.0.1)
+    psych (5.1.2)
      stringio
    public_suffix (5.0.4)
    puma (4.3.12)
      nio4r (~> 2.0)
    raabro (1.4.0)
-    racc (1.7.1)
+    racc (1.7.3)
-    rack (2.2.7)
+    rack (2.2.8)
-    rack-protection (3.0.6)
+    rack-protection (3.2.0)
-      rack
+      base64 (>= 0.1.0)
      rack (~> 2.2, >= 2.2.4)
    rack-session (1.0.2)
      rack (< 3)
    rack-test (2.1.0)
      rack (>= 1.3)
-    rails (7.0.5)
+    rackup (1.0.0)
-      actioncable (= 7.0.5)
+      rack (< 3)
-      actionmailbox (= 7.0.5)
+      webrick
-      actionmailer (= 7.0.5)
+    rails (7.1.3)
-      actionpack (= 7.0.5)
+      actioncable (= 7.1.3)
-      actiontext (= 7.0.5)
+      actionmailbox (= 7.1.3)
-      actionview (= 7.0.5)
+      actionmailer (= 7.1.3)
-      activejob (= 7.0.5)
+      actionpack (= 7.1.3)
-      activemodel (= 7.0.5)
+      actiontext (= 7.1.3)
-      activerecord (= 7.0.5)
+      actionview (= 7.1.3)
-      activestorage (= 7.0.5)
+      activejob (= 7.1.3)
-      activesupport (= 7.0.5)
+      activemodel (= 7.1.3)
      activerecord (= 7.1.3)
      activestorage (= 7.1.3)
      activesupport (= 7.1.3)
      bundler (>= 1.15.0)
-      railties (= 7.0.5)
+      railties (= 7.1.3)
-    rails-dom-testing (2.0.3)
+    rails-controller-testing (1.0.5)
-      activesupport (>= 4.2.0)
+      actionpack (>= 5.0.1.rc1)
      actionview (>= 5.0.1.rc1)
      activesupport (>= 5.0.1.rc1)
    rails-dom-testing (2.2.0)
      activesupport (>= 5.0.0)
      minitest
      nokogiri (>= 1.6)
    rails-html-sanitizer (1.6.0)
      loofah (~> 2.21)
@@ -276,27 +338,32 @@ GEM
    rails-settings-cached (2.8.3)
      activerecord (>= 5.0.0)
      railties (>= 5.0.0)
-    railties (7.0.5)
+    railties (7.1.3)
-      actionpack (= 7.0.5)
+      actionpack (= 7.1.3)
-      activesupport (= 7.0.5)
+      activesupport (= 7.1.3)
-      method_source
+      irb
      rackup (>= 1.0.0)
      rake (>= 12.2)
-      thor (~> 1.0)
+      thor (~> 1.0, >= 1.2.2)
-      zeitwerk (~> 2.5)
+      zeitwerk (~> 2.6)
    rainbow (3.1.1)
-    rake (13.0.6)
+    rake (13.1.0)
    rb-fsevent (0.11.2)
    rb-inotify (0.10.1)
      ffi (~> 1.0)
    rbs (2.8.4)
    rdoc (6.6.2)
      psych (>= 4.0.0)
    redis (4.8.1)
-    regexp_parser (2.8.1)
+    regexp_parser (2.9.0)
-    responders (3.1.0)
+    reline (0.4.2)
      io-console (~> 0.5)
    responders (3.1.1)
      actionpack (>= 5.2)
      railties (>= 5.2)
    reverse_markdown (2.1.1)
      nokogiri
-    rexml (3.2.5)
+    rexml (3.2.6)
    rqrcode (2.2.0)
      chunky_png (~> 1.0)
      rqrcode_core (~> 1.0)
@@ -306,10 +373,10 @@ GEM
    rspec-expectations (3.12.3)
      diff-lcs (>= 1.2.0, < 2.0)
      rspec-support (~> 3.12.0)
-    rspec-mocks (3.12.5)
+    rspec-mocks (3.12.6)
      diff-lcs (>= 1.2.0, < 2.0)
      rspec-support (~> 3.12.0)
-    rspec-rails (6.0.3)
+    rspec-rails (6.1.1)
      actionpack (>= 6.1)
      activesupport (>= 6.1)
      railties (>= 6.1)
@@ -317,32 +384,35 @@ GEM
      rspec-expectations (~> 3.12)
      rspec-mocks (~> 3.12)
      rspec-support (~> 3.12)
-    rspec-support (3.12.0)
+    rspec-support (3.12.1)
-    rubocop (1.52.1)
+    rubocop (1.60.2)
      json (~> 2.3)
      language_server-protocol (>= 3.17.0)
      parallel (~> 1.10)
-      parser (>= 3.2.2.3)
+      parser (>= 3.3.0.2)
      rainbow (>= 2.2.2, < 4.0)
      regexp_parser (>= 1.8, < 3.0)
      rexml (>= 3.2.5, < 4.0)
-      rubocop-ast (>= 1.28.0, < 2.0)
+      rubocop-ast (>= 1.30.0, < 2.0)
      ruby-progressbar (~> 1.7)
      unicode-display_width (>= 2.4.0, < 3.0)
-    rubocop-ast (1.29.0)
+    rubocop-ast (1.30.0)
      parser (>= 3.2.1.0)
    ruby-progressbar (1.13.0)
    ruby-vips (2.2.0)
      ffi (~> 1.12)
    ruby2_keywords (0.0.5)
    rufus-scheduler (3.9.1)
      fugit (~> 1.1, >= 1.1.6)
-    sanitize (6.0.1)
+    sanitize (6.1.0)
      crass (~> 1.0.2)
      nokogiri (>= 1.12.0)
-    sentry-rails (5.9.0)
+    sentry-rails (5.16.1)
      railties (>= 5.0)
-      sentry-ruby (~> 5.9.0)
+      sentry-ruby (~> 5.16.1)
-    sentry-ruby (5.9.0)
+    sentry-ruby (5.16.1)
      concurrent-ruby (~> 1.0, >= 1.0.2)
-    sidekiq (6.5.9)
+    sidekiq (6.5.12)
      connection_pool (>= 2.2.5, < 3)
      rack (~> 2.0)
      redis (>= 4.5.0, < 5)
@@ -350,7 +420,7 @@ GEM
      rufus-scheduler (~> 3.2)
      sidekiq (>= 6, < 8)
      tilt (>= 1.4.0)
-    solargraph (0.49.0)
+    solargraph (0.50.0)
      backport (~> 1.2)
      benchmark
      bundler (~> 2.0)
@@ -366,54 +436,63 @@ GEM
      thor (~> 1.0)
      tilt (~> 2.0)
      yard (~> 0.9, >= 0.9.24)
-    sprockets (4.2.0)
+    sprockets (4.2.1)
      concurrent-ruby (~> 1.0)
      rack (>= 2.2.4, < 4)
    sprockets-rails (3.4.2)
      actionpack (>= 5.2)
      activesupport (>= 5.2)
      sprockets (>= 3.0.0)
-    sqlite3 (1.6.3-x86_64-linux)
+    sqlite3 (1.7.2)
-    stimulus-rails (1.2.1)
+      mini_portile2 (~> 2.8.0)
    sqlite3 (1.7.2-arm64-darwin)
    sqlite3 (1.7.2-x86_64-linux)
    stimulus-rails (1.3.3)
      railties (>= 6.0.0)
-    thor (1.2.2)
+    stringio (3.1.0)
-    tilt (2.2.0)
+    thor (1.3.0)
-    timeout (0.3.2)
+    tilt (2.3.0)
-    turbo-rails (1.4.0)
+    timeout (0.4.1)
    turbo-rails (1.5.0)
      actionpack (>= 6.0.0)
      activejob (>= 6.0.0)
      railties (>= 6.0.0)
    tzinfo (2.0.6)
      concurrent-ruby (~> 1.0)
-    unicode-display_width (2.4.2)
+    unicode-display_width (2.5.0)
-    view_component (3.2.0)
+    uri (0.13.0)
    view_component (3.10.0)
      activesupport (>= 5.2.0, < 8.0)
      concurrent-ruby (~> 1.0)
      method_source (~> 1.0)
    warden (1.2.9)
      rack (>= 2.0.9)
-    web-console (4.2.0)
+    web-console (4.2.1)
      actionview (>= 6.0.0)
      activemodel (>= 6.0.0)
      bindex (>= 0.4.0)
      railties (>= 6.0.0)
-    webmock (3.18.1)
+    webmock (3.19.1)
      addressable (>= 2.8.0)
      crack (>= 0.3.2)
      hashdiff (>= 0.4.0, < 2.0.0)
-    websocket-driver (0.7.5)
+    webrick (1.8.1)
    websocket-driver (0.7.6)
      websocket-extensions (>= 0.1.0)
    websocket-extensions (0.1.5)
    xpath (3.2.0)
      nokogiri (~> 1.8)
    yard (0.9.34)
-    zeitwerk (2.6.8)
+    zeitwerk (2.6.12)
 PLATFORMS
  arm64-darwin-22
  ruby
  x86_64-linux
 DEPENDENCIES
-  byebug (~> 11.1)
+  aws-sdk-s3
  bcrypt (~> 3.1)
  capybara
  cssbundling-rails
  database_cleaner
@@ -421,12 +500,14 @@ DEPENDENCIES
  devise_ldap_authenticatable
  discourse_api
  dotenv-rails
  down
  factory_bot_rails
  faker
  faraday
  flipper
  flipper-active_record
  flipper-ui
  image_processing (~> 1.12.2)
  importmap-rails
  jbuilder (~> 2.7)
  letter_opener
@@ -434,12 +515,14 @@ DEPENDENCIES
  listen (~> 3.2)
  lnurl
  lockbox
  manifique
  net-ldap
-  nostr!
+  nostr
  pagy (~> 6.0, >= 6.0.2)
-  pg (~> 1.2.3)
+  pg (~> 1.5)
  puma (~> 4.1)
-  rails (~> 7.0.2)
+  rails (~> 7.1)
  rails-controller-testing
  rails-settings-cached (~> 2.8.3)
  rqrcode (~> 2.0)
  rspec-rails
@@ -449,14 +532,14 @@ DEPENDENCIES
  sidekiq-scheduler
  solargraph
  sprockets-rails
-  sqlite3 (~> 1.4)
+  sqlite3 (~> 1.7.2)
  stimulus-rails
  turbo-rails
  tzinfo-data
  view_component
  warden
-  web-console (>= 3.3.0)
+  web-console (~> 4.2)
  webmock
 BUNDLED WITH
-   2.3.7
+   2.5.5
--- a/README.md
+++ b/README.md
@@ -14,9 +14,10 @@ so:
 1. Make sure [Docker Compose is installed][1] and Docker is running (included in
   Docker Desktop)
-2. Uncomment the `redis`, `web`, and `sidekiq` sections in `docker-compose.yml`
+3. Run `docker compose up --build` and wait until all services have started
-3. Run `docker compose up` and wait until 389ds announces its successful start
+   (389ds might take an extra minute to be ready). This will take a while when
-   in the log output
+   running for the first time, so you might want to do something else in the
   meantime.
 4. `docker-compose exec ldap dsconf localhost backend create --suffix="dc=kosmos,dc=org" --be-name="dev"`
 5. `docker compose run web rails ldap:setup`
 6. `docker compose run web rails db:setup`
@@ -29,36 +30,44 @@ have the password "user is user".
 ### Rails app
 _Note: when using Docker Compose, prefix the following commands with `docker-compose
 run web`._
 Installing dependencies:
    bundle install
    yarn install
-Setting up local database (SQLite):
+Migrating the local database (after schema changes):
    bundle exec rails db:create
    bundle exec rails db:migrate
-Running the dev server and auto-building CSS files on change:
+Running the dev server, and auto-building CSS files on change _(automatic with Docker Compose)_:
    bin/dev
-Running the background workers (requires Redis):
+Running the background workers (requires Redis) _(automatic with Docker Compose)_:
    bundle exec sidekiq -C config/sidekiq.yml
-Running all specs:
+Running the test suite:
    bundle exec rspec
-### Docker (Compose)
+Running the test suite with Docker Compose requires overriding the Rails
 environment:
-There is a working Docker Compose config file, which allows you to spin up both
+    docker-compose run -e "RAILS_ENV=test" web rspec
 an app server for Rails as well as a local 389ds (LDAP) server.
-By default, `docker-compose up` will only start the LDAP server, listening on
+### Docker Compose
-port 389 on your machine. Uncomment other services in `docker-compose.yml` if
+
-you want to use them.
+Services/containers are configured in `docker-compose.yml`.
 You can run services selectively, for example if you want to run the Rails app
 and test suite on the host machine. Just add the service names of the
 containers you want to run to the `up` command, like so:
    docker-compose up ldap redis
 #### LDAP server
@@ -75,8 +84,24 @@ Now you can seed the back-end with data using this Rails task:
 The setup task will first delete any existing entries in the directory tree
 ("dc=kosmos,dc=org"), and then create our development entries.
-Note that all 389ds data is stored in `tmp/389ds`. So if you want to start over
+Note that all 389ds data is stored in the `389ds-data` volume. So if you want
-with a fresh installation, delete both that directory as well as the container.
+to start over with a fresh installation, delete both that volume as well as the
 container.
 #### Minio / remoteStorage
 If you want to run remoteStorage accounts locally, you will have to create the
 respective bucket first. With the `minio` container running (run by default
 when using Docker Compose), follow these steps:
 * `docker compose up web redis minio liquor-cabinet`
 * Head to http://localhost:9001 and log in with user `minioadmin`, password
  `minioadmin`
 * Create a new bucket called `remotestorage` (or whatever you
  change the `S3_BUCKET` config to)
 * Create a new key with ID "dev-key" and secret "123456789" (or whatever you
  change `S3_ACCESS_KEY` and `S3_SECRET_KEY` to). Leave the policy field empty,
  as it will automatically allow access to the bucket you created.
 ### Adding npm modules to use with Stimulus controllers
@@ -106,6 +131,7 @@ command:
 * [Tailwind CSS](https://tailwindcss.com/)
 * [Sass](https://sass-lang.com/documentation)
 * [Stimulus](https://stimulus.hotwired.dev/handbook/)
 * [Tailwind Stimulus Components](https://github.com/excid3/tailwindcss-stimulus-components)
 ### Testing
--- a/app/assets/stylesheets/application.tailwind.css
+++ b/app/assets/stylesheets/application.tailwind.css
@@ -2,6 +2,7 @@
@import "tailwindcss/components";
@import "tailwindcss/utilities";
@import "components/animations";
@import "components/base";
@import "components/buttons";
@import "components/dashboard_services";
--- a/app/assets/stylesheets/components/animations.css
+++ b/app/assets/stylesheets/components/animations.css
@@ -0,0 +1,16 @@
@keyframes scaleIn {
  from {
    transform: scale(0.5);
    opacity: 0;
  }
  to {
    transform: scale(1);
    opacity: 1;
  }
 }
 .animate-scale-in {
  animation-name: scaleIn;
  animation-duration: 0.15s;
  animation-timing-function: cubic-bezier(0.2, 0, 0.13, 1);
 }
--- a/app/assets/stylesheets/components/buttons.css
+++ b/app/assets/stylesheets/components/buttons.css
@@ -14,12 +14,12 @@
    @apply py-1 px-2 text-sm;
  }
-  .btn-outline {
+  .btn-icon {
-    @apply border-2 border-gray-100 hover:bg-gray-100;
+    @apply py-2 px-3;
  }
-  .btn-icon {
+  .btn-outline {
-    @apply px-3;
+    @apply py-2 border-2 border-gray-100 hover:bg-gray-100;
  }
  .btn-gray {
--- a/app/components/app_catalog/web_app_icon_component.html.erb
+++ b/app/components/app_catalog/web_app_icon_component.html.erb
@@ -0,0 +1,5 @@
 <% if @image_url %>
  <%= image_tag @image_url, class: "h-full w-full" %>
 <% else %>
  <%= render partial: "icons/remotestorage", locals: { custom_class: "h-full w-full p-0.5 text-gray-200" } %>
 <% end %>
--- a/app/components/app_catalog/web_app_icon_component.rb
+++ b/app/components/app_catalog/web_app_icon_component.rb
@@ -0,0 +1,21 @@
 # frozen_string_literal: true
 module AppCatalog
  class WebAppIconComponent < ViewComponent::Base
    def initialize(web_app:)
      if web_app&.icon&.attached?
        @image_url = image_url_for(web_app.icon)
      elsif web_app&.apple_touch_icon&.attached?
        @image_url = image_url_for(web_app.apple_touch_icon)
      end
    end
    def image_url_for(attachment)
      if Setting.s3_enabled?
        s3_image_url(attachment)
      else
        Rails.application.routes.url_helpers.rails_blob_path(attachment, only_path: true)
      end
    end
  end
 end
--- a/app/components/app_info_component.html.erb
+++ b/app/components/app_info_component.html.erb
@@ -0,0 +1,15 @@
 <div class="flex">
  <div class="<%= @icon_container_class %>">
    <%= image_tag(@icon_path, class: 'h-full w-full') %>
  </div>
  <div class="flex-1 px-4">
    <h4 class="sm:pt-2 mb-2 text-lg font-bold"><%= @name %></h4>
    <p class="leading-snug"><%= @description %></p>
    <p class="leading-snug flex flex-wrap gap-3">
      <% @links.each do |link| %>
        <a href="<%= link[1] %>" target="_blank"
           class="flex-0 btn-sm btn-gray"><%= link[0] %></a>
      <% end %>
    </p>
  </div>
 </div>
--- a/app/components/app_info_component.rb
+++ b/app/components/app_info_component.rb
@@ -0,0 +1,19 @@
 # frozen_string_literal: true
 class AppInfoComponent < ViewComponent::Base
  def initialize(name:, description:, icon_path: , icon_fill_box: false, links: [])
    @name = name
    @description = description
    @icon_path = icon_path
    @icon_container_class = icon_container_class(icon_fill_box)
    @links = links
  end
  def icon_container_class(icon_fill_box)
    str = "flex-0 h-16 w-16 sm:h-28 sm:w-28 bg-white rounded-3xl overflow-hidden"
    unless icon_fill_box
      str += " p-2 border border-gray-200"
    end
    str
  end
 end
--- a/app/components/dropdown_component.html.erb
+++ b/app/components/dropdown_component.html.erb
@@ -0,0 +1,34 @@
 <div data-controller="dropdown" data-action="click->dropdown#toggle click@window->dropdown#hide">
  <div class="relative inline-block">
    <div role="button" tabindex="0" data-dropdown-target="button"
         class="inline-block select-none">
      <% if @size == :large %>
      <span class="appearance-none flex items-center inline-block">
        <span class="p-2 bg-gray-50 hover:bg-gray-100 rounded-full">
          <%= render partial: "icons/#{@icon_name}",
                     locals: { custom_class: "inline text-gray-500 h-6 w-6" } %>
        </span>
      </span>
      <% elsif @size == :small %>
      <span class="appearance-none flex items-center inline-block">
        <span class="text-gray-500 hover:text-blue-600">
          <%= render partial: "icons/#{@icon_name}",
                     locals: { custom_class: "inline h-4 w-4" } %>
        </span>
      </span>
      <% end %>
    </div>
    <div data-dropdown-target="menu"
         data-transition-enter="transition ease-out duration-200"
         data-transition-enter-from="opacity-0 translate-y-1"
         data-transition-enter-to="opacity-100 translate-y-0"
         data-transition-leave="transition ease-in duration-150"
         data-transition-leave-from="opacity-100 translate-y-0"
         data-transition-leave-to="opacity-0 translate-y-1"
         class="hidden absolute top-4 right-0 z-10 mt-5 flex w-screen max-w-max">
      <div class="bg-white shadow-lg rounded border overflow-hidden w-auto">
        <%= content %>
      </div>
    </div>
  </div>
 </div>
--- a/app/components/dropdown_component.rb
+++ b/app/components/dropdown_component.rb
@@ -0,0 +1,8 @@
 # frozen_string_literal: true
 class DropdownComponent < ViewComponent::Base
  def initialize(size: :large, icon_name: "kebap-menu")
    @size = size.to_sym
    @icon_name = icon_name
  end
 end
--- a/app/components/dropdown_link_component.html.erb
+++ b/app/components/dropdown_link_component.html.erb
@@ -0,0 +1,6 @@
 <%= link_to @href, class: @class, data: {
      'dropdown-target': "menuItem",
      'action': "keydown.up->dropdown#previousItem:prevent keydown.down->dropdown#nextItem:prevent"
    } do %>
  <%= content %>
 <% end %>
--- a/app/components/dropdown_link_component.rb
+++ b/app/components/dropdown_link_component.rb
@@ -0,0 +1,18 @@
 # frozen_string_literal: true
 class DropdownLinkComponent < ViewComponent::Base
  def initialize(href:, separator: false, add_class: nil)
    @href = href
    @class = class_str(separator, add_class)
  end
  private
  def class_str(separator, add_class)
    str = "no-underline block px-5 py-3 text-sm text-gray-900 bg-white
           hover:bg-gray-100 focus:bg-gray-100 whitespace-no-wrap"
    str = "#{str} border-t" if separator
    str = "#{str} #{add_class}" if add_class
    str
  end
 end
--- a/app/components/form_elements/fieldset_component.html.erb
+++ b/app/components/form_elements/fieldset_component.html.erb
@@ -1,4 +1,6 @@
-<%= tag.public_send(@tag, class: "mb-6 last:mb-0") do %>
+<%= tag.public_send(@tag, class: "mb-6 last:mb-0", data: {
      :'field-name' => @field_name
    }) do %>
  <% if @positioning == :vertical %>
  <label class="block">
    <p class="font-bold <%= @descripton.present? ? "mb-1" : "mb-2" %>">
@@ -9,7 +11,21 @@
      <%= @descripton %>
    </p>
    <% end %>
-    <%= content %>
+
    <%= tag.p class: "flex gap-x-1", data: {
                controller: @resettable ? "settings--resettable-field" : nil,
              } do %>
      <%= content %>
      <% if @resettable %>
        <button type="button"
                class="relative grow-0 shrink-0 btn-md btn-outline text-red-700"
                title="Reset to default value"
                data-settings--resettable-field-target="resetButton"
                data-action="settings--resettable-field#resetField">
          Reset
        </button>
      <% end %>
    <% end %>
  </label>
  <% elsif @positioning == :horizontal %>
  <label class="block flex items-center justify-between">
--- a/app/components/form_elements/fieldset_component.rb
+++ b/app/components/form_elements/fieldset_component.rb
@@ -2,11 +2,15 @@
 module FormElements
  class FieldsetComponent < ViewComponent::Base
-    def initialize(tag: "li", positioning: :vertical, title:, description: nil)
+    def initialize(tag: "li", positioning: :vertical,
                   title:, description: nil,
                   field_name: nil, resettable: false)
      @tag         = tag
      @positioning = positioning
      @title       = title
      @descripton  = description
      @field_name  = field_name
      @resettable  = resettable
    end
  end
 end
--- a/app/components/form_elements/fieldset_resettable_setting_component.html.erb
+++ b/app/components/form_elements/fieldset_resettable_setting_component.html.erb
@@ -0,0 +1,13 @@
 <%= render FormElements::FieldsetComponent.new(
      title: @title,
      description: @description,
      field_name: "setting_#{@key.to_s}",
      resettable: @resettable
    ) do %>
  <%= method("#{@type}_field").call :setting, @key,
    value: Setting.public_send(@key),
    data: {
      :'default-value' => Setting.get_field(@key)[:default]
    },
    class: "w-full" %>
 <% end %>
--- a/app/components/form_elements/fieldset_resettable_setting_component.rb
+++ b/app/components/form_elements/fieldset_resettable_setting_component.rb
@@ -0,0 +1,20 @@
 # frozen_string_literal: true
 module FormElements
  class FieldsetResettableSettingComponent < ViewComponent::Base
    def initialize(tag: "li", key:, type: :text, title:, description: nil)
      @tag         = tag
      @positioning = :vertical
      @title       = title
      @description  = description
      @key         = key.to_sym
      @type        = type
      @resettable  = is_resettable?(@key)
    end
    def is_resettable?(key)
      default_value = Setting.get_field(key)[:default]
      default_value.present? && (default_value != Setting.send(key))
    end
  end
 end
--- a/app/components/form_elements/fieldset_toggle_component.html.erb
+++ b/app/components/form_elements/fieldset_toggle_component.html.erb
@@ -5,7 +5,9 @@
      } : nil do %>
  <div class="flex flex-col">
    <label class="font-bold mb-1"><%= @title %></label>
    <% if @description.present? %>
    <p class="text-gray-500"><%= @descripton %></p>
    <% end %>
  </div>
  <div class="relative ml-4 inline-flex flex-shrink-0">
    <%= render FormElements::ToggleComponent.new(
--- a/app/components/form_elements/fieldset_toggle_component.rb
+++ b/app/components/form_elements/fieldset_toggle_component.rb
@@ -3,7 +3,7 @@
 module FormElements
  class FieldsetToggleComponent < ViewComponent::Base
    def initialize(tag: "li", form: nil, attribute: nil, field_name: nil,
-                   enabled: false, input_enabled: true, title:, description:)
+                   enabled: false, input_enabled: true, title:, description: nil)
      @tag = tag
      @form = form
      @attribute = attribute
--- a/app/components/modal_component.html.erb
+++ b/app/components/modal_component.html.erb
@@ -0,0 +1,30 @@
 <div tabindex="-1" class="relative z-10">
  <!-- Modal Background -->
  <div class="hidden fixed inset-0 bg-black bg-opacity-80 overflow-y-auto flex items-center justify-center"
        data-modal-target="background"
        data-action="click->modal#closeBackground"
        data-transition-enter="transition-all ease-in-out duration-100"
        data-transition-enter-from="bg-opacity-0"
        data-transition-enter-to="bg-opacity-80"
        data-transition-leave="transition-all ease-in-out duration-100"
        data-transition-leave-from="bg-opacity-80"
        data-transition-leave-to="bg-opacity-0">
    <!-- Modal Container -->
    <div data-modal-target="container"
         class="max-h-screen w-auto max-w-lg relative
                hidden animate-scale-in fixed inset-0 overflow-y-auto flex items-center justify-center">
      <!-- Modal Card -->
      <div class="m-1 bg-white rounded shadow">
        <div class="p-8">
          <%= content %>
          <% if @show_close_button %>
          <div class="flex justify-end items-center flex-wrap mt-6">
            <button class="btn-md btn-blue" data-action="click->modal#close:prevent">Close</button>
          </div>
          <% end %>
        </div>
      </div>
    </div>
  </div>
 </div>
--- a/app/components/modal_component.rb
+++ b/app/components/modal_component.rb
@@ -0,0 +1,5 @@
 class ModalComponent < ViewComponent::Base
  def initialize(show_close_button: true)
    @show_close_button = show_close_button
  end
 end
--- a/app/components/qr_code_modal_component.html.erb
+++ b/app/components/qr_code_modal_component.html.erb
@@ -0,0 +1,6 @@
 <%= render ModalComponent.new do %>
  <% if @descripton.present? %>
    <p class="mb-6"><%= @description %></p>
  <% end %>
  <p><%= raw @qr_code_svg %></p>
 <% end %>
--- a/app/components/qr_code_modal_component.rb
+++ b/app/components/qr_code_modal_component.rb
@@ -0,0 +1,24 @@
 require "rqrcode"
 class QrCodeModalComponent < ViewComponent::Base
  def initialize(qr_content:, description: nil)
    @description = description
    @qr_code_svg = qr_code_svg(qr_content)
  end
  private
  def qr_code_svg(content)
    qr_code = RQRCode::QRCode.new(content)
    qr_code.as_svg(
      color: "000",
      shape_rendering: "crispEdges",
      module_size: 6,
      standalone: true,
      use_path: true,
      svg_attributes: {
        class: 'inline-block'
      }
    )
  end
 end
--- a/app/components/rs_auth_component.html.erb
+++ b/app/components/rs_auth_component.html.erb
@@ -0,0 +1,26 @@
 <div class="flex items-center gap-4">
  <div class="h-16 w-16 flex-none">
    <%= render AppCatalog::WebAppIconComponent.new(web_app: @web_app) %>
  </div>
  <div class="flex-grow">
    <h4 class="mb-1 text-lg font-bold">
      <%= @web_app&.name || @auth.app_name %>
    </h4>
    <p class="text-sm text-gray-500">
      <%= @auth.client_id %>
    </p>
  </div>
  <%= render DropdownComponent.new do %>
    <%= render DropdownLinkComponent.new(
          href: launch_app_services_storage_rs_auth_url(@auth)
        ) do %>
      Launch app
    <% end %>
    <%= render DropdownLinkComponent.new(
          href: revoke_services_storage_rs_auth_url(@auth),
          separator: true, add_class: "text-red-700"
        ) do %>
      Revoke access
    <% end %>
  <% end %>
 </div>
--- a/app/components/rs_auth_component.rb
+++ b/app/components/rs_auth_component.rb
@@ -0,0 +1,8 @@
 # frozen_string_literal: true
 class RsAuthComponent < ViewComponent::Base
  def initialize(auth:)
    @auth = auth
    @web_app = auth.web_app
  end
 end
--- a/app/components/sidenav_link_component.html.erb
+++ b/app/components/sidenav_link_component.html.erb
@@ -1,4 +1,8 @@
 <%= link_to @path, class: @link_class, title: (@disabled ? "Coming soon" : nil) do %>
  <% if @icon.present? %>
  <%= render partial: "icons/#{@icon}", locals: { custom_class: @icon_class } %>
  <% elsif @text_icon.present? %>
  <span class="mr-3"><%= @text_icon %></span>
  <% end %>
  <span class="truncate"><%= @name %></span>
 <% end %>
--- a/app/components/sidenav_link_component.rb
+++ b/app/components/sidenav_link_component.rb
@@ -1,11 +1,13 @@
 # frozen_string_literal: true
 class SidenavLinkComponent < ViewComponent::Base
-  def initialize(name:, level: 1, path:, icon:, active: false, disabled: false)
+  def initialize(name:, level: 1, path:, icon: nil, text_icon: nil,
                 active: false, disabled: false)
    @name = name
    @level = level
    @path = path
    @icon = icon
    @text_icon = text_icon
    @active = active
    @disabled = disabled
    @link_class = class_names_link(path)
--- a/app/controllers/admin/app_catalog/web_apps_controller.rb
+++ b/app/controllers/admin/app_catalog/web_apps_controller.rb
@@ -0,0 +1,9 @@
 class Admin::AppCatalog::WebAppsController < Admin::AppCatalogController
  def index
    @pagy, @web_apps = pagy(AppCatalog::WebApp.order('created_at desc'))
    @stats = {
      known_apps: AppCatalog::WebApp.count
    }
  end
 end
--- a/app/controllers/admin/app_catalog_controller.rb
+++ b/app/controllers/admin/app_catalog_controller.rb
@@ -0,0 +1,9 @@
 class Admin::AppCatalogController < Admin::BaseController
  before_action :set_current_section
  private
    def set_current_section
      @current_section = :app_catalog
    end
 end
--- a/app/controllers/admin/settings/registrations_controller.rb
+++ b/app/controllers/admin/settings/registrations_controller.rb
@@ -1,8 +1,8 @@
 class Admin::Settings::RegistrationsController < Admin::SettingsController
-  def index
+  def show
  end
-  def create
+  def update
    update_settings
    redirect_to admin_settings_registrations_path, flash: {
--- a/app/controllers/admin/settings/services_controller.rb
+++ b/app/controllers/admin/settings/services_controller.rb
@@ -1,19 +1,32 @@
 class Admin::Settings::ServicesController < Admin::SettingsController
-  def index
+  before_action :set_service, only: [:show, :update]
    @service = params[:s]
-    if @service.blank?
+  def index
-      redirect_to admin_settings_services_path(params: { s: "discourse" })
+    redirect_to admin_settings_service_path("btcpay")
    end
  end
-  def create
+  def show
-    service = params.require(:service)
+  end
  def update
    update_settings
-    redirect_to admin_settings_services_path(params: { s: service }), flash: {
+    redirect_to admin_settings_service_path(@service), flash: {
      success: "Settings saved"
    }
  end
  private
    def set_subsection
      @subsection = "services"
    end
    def set_service
      @service = params[:service]
      if @service.blank?
        redirect_to admin_settings_services_path and return
      end
    end
 end
--- a/app/controllers/admin/settings_controller.rb
+++ b/app/controllers/admin/settings_controller.rb
@@ -20,7 +20,7 @@ class Admin::SettingsController < Admin::BaseController
    end
    if @errors.any?
-      render :index and return
+      render :show and return
    end
    changed_keys.each do |key|
--- a/app/controllers/admin/users_controller.rb
+++ b/app/controllers/admin/users_controller.rb
@@ -1,11 +1,11 @@
 class Admin::UsersController < Admin::BaseController
-  before_action :set_user, only: [:show]
+  before_action :set_user, except: [:index]
  before_action :set_current_section
  # GET /admin/users
  def index
    ldap   = LdapService.new
-    @ou    = params[:ou] || Setting.primary_domain
+    @ou    = Setting.primary_domain
    @orgs  = ldap.fetch_organizations
    @pagy, @users = pagy(User.where(ou: @ou).order(cn: :asc))
    @stats = {
@@ -14,19 +14,46 @@ class Admin::UsersController < Admin::BaseController
    }
  end
  # GET /admin/users/:username
  def show
    if Setting.lndhub_admin_enabled?
      @lndhub_user = @user.lndhub_user
    end
    @services_enabled = @user.services_enabled
    @avatar = LdapManager::FetchAvatar.call(cn: @user.cn)
  end
  # POST /admin/users/:username/invitations
  def create_invitations
    amount = params[:amount].to_i
    notify_user = ActiveRecord::Type::Boolean.new.cast(params[:notify_user])
    CreateInvitations.call(user: @user, amount: amount, notify: notify_user)
    redirect_to admin_user_path(@user.cn), flash: {
      success: "Added #{amount} invitations to #{@user.cn}'s account"
    }
  end
  # DELETE /admin/users/:username/invitations
  def delete_invitations
    invitations = @user.invitations.unused
    amount = invitations.count
    invitations.destroy_all
    redirect_to admin_user_path(@user.cn), flash: {
      success: "Removed #{amount} invitations from #{@user.cn}'s account"
    }
  end
  private
  def set_user
-    address = params[:address].split("@")
+    @user = User.find_by(cn: params[:username], ou: Setting.primary_domain)
-    @user = User.where(cn: address.first, ou: address.last).first
+    http_status :not_found unless @user
  end
  def set_current_section
--- a/app/controllers/api/btcpay_controller.rb
+++ b/app/controllers/api/btcpay_controller.rb
@@ -0,0 +1,37 @@
 class Api::BtcpayController < Api::BaseController
  before_action :require_feature_enabled
  before_action :set_cors_access_control_headers
  def onchain_btc_balance
    balance = BtcpayManager::FetchOnchainWalletBalance.call
    render json: balance
  rescue => error
    Rails.logger.warn "Failed to fetch BTC wallet balance: #{error.message}"
    render json: { error: 'Failed to fetch wallet balance' },
           status: 500
  end
  def lightning_btc_balance
    balance = BtcpayManager::FetchLightningWalletBalance.call
    render json: balance
  rescue => error
    Rails.logger.warn "Failed to fetch BTC lightning balance: #{error.message}"
    render json: { error: 'Failed to fetch wallet balance' },
           status: 500
  end
  private
    def require_feature_enabled
      unless Setting.btcpay_publish_wallet_balances
        http_status :not_found and return
      end
    end
    def set_cors_access_control_headers
      return unless Rails.env.development?
      headers['Access-Control-Allow-Origin'] = "*"
      headers['Access-Control-Allow-Headers'] = "*"
      headers['Access-Control-Allow-Methods'] = "GET"
    end
 end
--- a/app/controllers/api/kredits_controller.rb
+++ b/app/controllers/api/kredits_controller.rb
@@ -1,13 +0,0 @@
 class Api::KreditsController < Api::BaseController
  def onchain_btc_balance
    btcpay = BtcPay.new
    balance = btcpay.onchain_wallet_balance
    render json: balance
  rescue => error
    Rails.logger.warn "Failed to fetch kredits BTC wallet balance: #{error.message}"
    render json: { error: 'Failed to fetch wallet balance' },
           status: 500
  end
 end
--- a/app/controllers/application_controller.rb
+++ b/app/controllers/application_controller.rb
@@ -37,4 +37,8 @@ class ApplicationController < ActionController::Base
      format.any  { head status }
    end
  end
  def after_sign_in_path_for(user)
    session[:user_return_to] || root_path
  end
 end
--- a/app/controllers/lnurlpay_controller.rb
+++ b/app/controllers/lnurlpay_controller.rb
@@ -1,6 +1,6 @@
 class LnurlpayController < ApplicationController
-  before_action :check_feature_enabled
+  before_action :check_service_available
-  before_action :find_user_by_address
+  before_action :find_user
  MIN_SATS = 10
  MAX_SATS = 1_000_000
@@ -9,7 +9,7 @@ class LnurlpayController < ApplicationController
  def index
    render json: {
      status: "OK",
-      callback: "https://accounts.kosmos.org/lnurlpay/#{@user.address}/invoice",
+      callback: "https://#{Setting.accounts_domain}/lnurlpay/#{@user.cn}/invoice",
      tag: "payRequest",
      maxSendable: MAX_SATS * 1000, # msat
      minSendable: MIN_SATS * 1000, # msat
@@ -34,8 +34,8 @@ class LnurlpayController < ApplicationController
  def invoice
    amount = params[:amount].to_i / 1000 # msats
    address = params[:address]
    comment = params[:comment] || ""
    address = @user.address
    if !valid_amount?(amount)
      render json: { status: "ERROR", reason: "Invalid amount" }
@@ -69,9 +69,8 @@ class LnurlpayController < ApplicationController
  private
-  def find_user_by_address
+  def find_user
-    address = params[:address].split("@")
+    @user = User.where(cn: params[:username], ou: Setting.primary_domain).first
    @user = User.where(cn: address.first, ou: address.last).first
    http_status :not_found if @user.nil?
  end
@@ -89,7 +88,7 @@ class LnurlpayController < ApplicationController
  private
-  def check_feature_enabled
+  def check_service_available
    http_status :not_found unless Setting.lndhub_enabled?
  end
 end
--- a/app/controllers/rs/oauth_controller.rb
+++ b/app/controllers/rs/oauth_controller.rb
@@ -0,0 +1,131 @@
 class Rs::OauthController < ApplicationController
  before_action :require_signed_in_with_username, only: :new
  before_action :authenticate_user!, only: :create
  def new
    @user          = User.where(cn: params[:username].downcase, ou: Setting.primary_domain).first
    @scopes        = parse_scopes params[:scope]
    @redirect_uri  = params[:redirect_uri]
    @client_id     = params[:client_id]
    @state         = params[:state]
    @root_access_requested = (@scopes & [":r",":rw"]).any?
    @denial_url = url_with_state("#{@redirect_uri}#error=access_denied", @state)
    @expire_at_dates = [["Never", nil],
                        ["In 1 month", 1.month.from_now],
                        ["In 1 day", 1.day.from_now]]
    http_status :bad_request and return unless @redirect_uri.present?
    unless current_user == @user
      sign_out :user
      redirect_to new_rs_oauth_url(@user.cn,
                                   scope: params[:scope],
                                   redirect_uri: params[:redirect_uri],
                                   client_id: params[:client_id],
                                   state: params[:state])
      return
    end
    unless @client_id.present?
      redirect_to(url_with_state("#{@redirect_uri}#error=invalid_request", @state),
                  allow_other_host: true) and return
    end
    if @scopes.empty?
      redirect_to(url_with_state("#{@redirect_uri}#error=invalid_scope", @state),
                  allow_other_host: true) and return
    end
    unless hostname_of(@client_id) == hostname_of(@redirect_uri)
      redirect_to(url_with_state("#{@redirect_uri}#error=invalid_client", @state),
                  allow_other_host: true) and return
    end
    @client_id.gsub!(/http(s)?:\/\//, "")
    if auth = current_user.remote_storage_authorizations.valid.where(permissions: @scopes, client_id: @client_id).first
      redirect_to(url_with_state("#{@redirect_uri}#access_token=#{auth.token}", @state),
                  allow_other_host: true) and return
    end
  end
  def create
    unless current_user.id.to_s == params[:user_id]
      Rails.logger.info("NO MATCH: #{params[:user_id]}, #{current_user.id}")
      http_status :forbidden and return
    end
    permissions  = parse_scopes params[:scope]
    redirect_uri = params[:redirect_uri].presence
    client_id    = params[:client_id].presence
    state        = params[:state].presence
    expire_at    = params[:expire_at].presence
    http_status :bad_request and return unless redirect_uri.present?
    if permissions.empty?
      redirect_to(url_with_state("#{redirect_uri}#error=invalid_scope", state),
                  allow_other_host: true) and return
    end
    unless client_id.present?
      redirect_to(url_with_state("#{redirect_uri}#error=invalid_request", state),
                  allow_other_host: true) and return
    end
    unless hostname_of(client_id) == hostname_of(redirect_uri)
      redirect_to(url_with_state("#{redirect_uri}#error=invalid_client", state),
                  allow_other_host: true) and return
    end
    client_id.gsub!(/http(s)?:\/\//, "")
    auth = current_user.remote_storage_authorizations.create!(
      permissions: permissions,
      client_id: client_id,
      redirect_uri: redirect_uri,
      app_name: client_id,
      expire_at: expire_at
    )
    redirect_to url_with_state("#{redirect_uri}#access_token=#{auth.token}", state),
                allow_other_host: true
  end
  private
  def require_signed_in_with_username
    unless user_signed_in?
      session[:user_return_to] = request.url
      redirect_to new_user_session_path(cn: params[:username], ou: Setting.primary_domain)
    end
  end
  def hostname_of(uri)
    uri.gsub(/http(s)?:\/\//, "").split(":")[0].split("/")[0]
  end
  def parse_scopes(scope_string)
    return [] if scope_string.blank?
    scopes = scope_string.
      gsub(/\[|\]/, "").
      gsub(/\,/, " ").
      gsub(/\/:/, ":").
      split(/\s/).map(&:strip).
      reject(&:empty?)
    scopes = [":r"] if scopes.include?("*:r")
    scopes = [":rw"] if scopes.include?("*:rw")
    scopes
  end
  def url_with_state(url, state)
    state ? "#{url}&state=#{CGI.escape(state)}" : url
  end
 end
--- a/app/controllers/services/base_controller.rb
+++ b/app/controllers/services/base_controller.rb
@@ -0,0 +1,9 @@
 class Services::BaseController < ApplicationController
  before_action :set_current_section
  private
    def set_current_section
      @current_section = :services
    end
 end
--- a/app/controllers/services/chat_controller.rb
+++ b/app/controllers/services/chat_controller.rb
@@ -0,0 +1,14 @@
 class Services::ChatController < Services::BaseController
  before_action :authenticate_user!
  before_action :require_service_available
  def show
    @service_enabled = current_user.services_enabled.include?(:xmpp)
  end
  private
    def require_service_available
      http_status :not_found unless Setting.ejabberd_enabled?
    end
 end
--- a/app/controllers/services/email_controller.rb
+++ b/app/controllers/services/email_controller.rb
@@ -0,0 +1,34 @@
 class Services::EmailController < Services::BaseController
  before_action :authenticate_user!
  before_action :require_service_available
  before_action :require_feature_enabled
  def show
    ldap_entry = current_user.ldap_entry
    @service_enabled = ldap_entry[:email_password].present?
    @maildrop = ldap_entry[:email_maildrop]
    @email_forwarding_active = @maildrop.present? &&
                               @maildrop.split("@").first != current_user.cn
  end
  def new_password
    if session[:new_email_password].present?
      @new_password = session.delete(:new_email_password)
    else
      redirect_to setting_path(:email)
    end
  end
  private
    def require_service_available
      http_status :not_found unless Setting.email_enabled?
    end
    def require_feature_enabled
      unless Flipper.enabled?(:email, current_user)
        http_status :forbidden
      end
    end
 end
--- a/app/controllers/services/lightning_controller.rb
+++ b/app/controllers/services/lightning_controller.rb
@@ -8,8 +8,7 @@ class Services::LightningController < ApplicationController
  before_action :fetch_balance
  def index
-    @wallet_url = "lndhub://#{current_user.ln_account}:#{current_user.ln_password}@#{ENV['LNDHUB_PUBLIC_URL']}"
+    @wallet_setup_url = "lndhub://#{current_user.ln_account}:#{current_user.ln_password}@#{ENV['LNDHUB_PUBLIC_URL']}"
    initialize_lndhub_qr_code
  end
  def transactions
@@ -56,20 +55,6 @@ class Services::LightningController < ApplicationController
  private
  def initialize_lndhub_qr_code
    qr_code = RQRCode::QRCode.new(@wallet_url)
    @lndhub_qr_svg = qr_code.as_svg(
      color: "000",
      shape_rendering: "crispEdges",
      module_size: 6,
      standalone: true,
      use_path: true,
      svg_attributes: {
        class: 'inline-block'
      }
    )
  end
  def authenticate_with_lndhub(options={})
    if session[:ln_auth_token].present? && !options[:force_reauth]
      @ln_auth_token = session[:ln_auth_token]
--- a/app/controllers/services/mastodon_controller.rb
+++ b/app/controllers/services/mastodon_controller.rb
@@ -0,0 +1,14 @@
 class Services::MastodonController < Services::BaseController
  before_action :authenticate_user!
  before_action :require_service_available
  def show
    @service_enabled = current_user.services_enabled.include?(:mastodon)
  end
  private
    def require_service_available
      http_status :not_found unless Setting.mastodon_enabled?
    end
 end
--- a/app/controllers/services/remotestorage_controller.rb
+++ b/app/controllers/services/remotestorage_controller.rb
@@ -1,30 +1,26 @@
-class Services::RemotestorageController < ApplicationController
+class Services::RemotestorageController < Services::BaseController
-  before_action :require_user_signed_in
+  before_action :authenticate_user!
-  before_action :require_service_enabled
+  before_action :require_service_available
  before_action :require_feature_enabled
  before_action :set_current_section
-  def dashboard
+  # Dashboard
  def show
    # unless current_user.services_enabled.include?(:remotestorage)
    #   redirect_to service_remotestorage_info_path
    # end
    @rs_auths = current_user.remote_storage_authorizations
    # TODO sort by app name
  end
  private
    def require_service_available
      http_status :not_found unless Setting.remotestorage_enabled?
    end
    def require_feature_enabled
      unless Flipper.enabled?(:remotestorage, current_user)
        http_status :forbidden
      end
    end
    def require_service_enabled
      unless Setting.remotestorage_enabled?
        http_status :not_found
      end
    end
    def set_current_section
      @current_section = :services
    end
 end
--- a/app/controllers/services/rs_auths_controller.rb
+++ b/app/controllers/services/rs_auths_controller.rb
@@ -0,0 +1,42 @@
 class Services::RsAuthsController < Services::BaseController
  before_action :authenticate_user!
  before_action :require_feature_enabled
  before_action :require_service_available
  # before_action :require_service_enabled
  before_action :find_rs_auth
  def destroy
    @auth.destroy!
    respond_to do |format|
      format.html do redirect_to services_storage_url, flash: {
        success: 'App authorization revoked'
      }
      end
      format.json { head :no_content }
    end
  end
  def launch_app
    launch_url = "#{@auth.launch_url}#remotestorage=#{current_user.address}&access_token=#{@auth.token}"
    redirect_to launch_url, allow_other_host: true
  end
  private
    def require_feature_enabled
      unless Flipper.enabled?(:remotestorage, current_user)
        http_status :forbidden
      end
    end
    def require_service_available
      http_status :not_found unless Setting.remotestorage_enabled?
    end
    def find_rs_auth
      @auth = current_user.remote_storage_authorizations.find(params[:id])
      http_status :not_found unless @auth.present?
    end
 end
--- a/app/controllers/settings_controller.rb
+++ b/app/controllers/settings_controller.rb
@@ -1,10 +1,11 @@
-require 'securerandom'
+require "securerandom"
 require "bcrypt"
 class SettingsController < ApplicationController
  before_action :authenticate_user!
  before_action :set_main_nav_section
-  before_action :set_settings_section, only: [:show, :update, :update_email]
+  before_action :set_settings_section, only: [:show, :update, :update_email, :reset_email_password]
-  before_action :set_user, only: [:show, :update, :update_email]
+  before_action :set_user, only: [:show, :update, :update_email, :reset_email_password]
  def index
    redirect_to setting_path(:profile)
@@ -19,10 +20,15 @@ class SettingsController < ApplicationController
  def update
    @user.preferences.merge!(user_params[:preferences] || {})
    @user.display_name = user_params[:display_name]
    @user.avatar_new = user_params[:avatar]
    if @user.save
      if @user.display_name && (@user.display_name != @user.ldap_entry[:display_name])
-        LdapManager::UpdateDisplayName.call(@user.dn, user_params[:display_name])
+        LdapManager::UpdateDisplayName.call(dn: @user.dn, display_name: @user.display_name)
      end
      if @user.avatar_new.present?
        LdapManager::UpdateAvatar.call(dn: @user.dn, file: @user.avatar_new)
      end
      redirect_to setting_path(@settings_section), flash: {
@@ -35,7 +41,7 @@ class SettingsController < ApplicationController
  end
  def update_email
-    if @user.valid_ldap_authentication?(email_params[:current_password])
+    if @user.valid_ldap_authentication?(security_params[:current_password])
      if @user.update email: email_params[:email]
        redirect_to setting_path(:account), flash: {
          notice: 'Please confirm your new address using the confirmation link we just sent you.'
@@ -51,6 +57,28 @@ class SettingsController < ApplicationController
    end
  end
  def reset_email_password
    @user.current_password = security_params[:current_password]
    if @user.valid_ldap_authentication?(@user.current_password)
      @user.current_password = nil
      session[:new_email_password] = generate_email_password
      hashed_password = hash_email_password(session[:new_email_password])
      LdapManager::UpdateEmailPassword.call(dn: @user.dn, password_hash: hashed_password)
      if @user.ldap_entry[:email_maildrop] != @user.address
        LdapManager::UpdateEmailMaildrop.call(dn: @user.dn, address: @user.address)
      end
      redirect_to new_password_services_email_path
    else
      @validation_errors = {
        current_password: [ "Wrong password. Try again!" ]
      }
      render :show, status: :forbidden
    end
  end
  def reset_password
    current_user.send_reset_password_instructions
    sign_out current_user
@@ -60,8 +88,8 @@ class SettingsController < ApplicationController
  def set_nostr_pubkey
    signed_event = nostr_event_params[:signed_event].to_h.symbolize_keys
-    is_valid_id  = NostrManager::ValidateId.call(signed_event)
+    is_valid_id  = NostrManager::ValidateId.call(event: signed_event)
-    is_valid_sig = NostrManager::VerifySignature.call(signed_event)
+    is_valid_sig = NostrManager::VerifySignature.call(event: signed_event)
    is_correct_content = signed_event[:content] == "Connect my public key to #{current_user.address} (confirmation #{session[:shared_secret]})"
    unless is_valid_id && is_valid_sig && is_correct_content
@@ -105,7 +133,10 @@ class SettingsController < ApplicationController
    def set_settings_section
      @settings_section = params[:section]
-      allowed_sections = [:profile, :account, :lightning, :xmpp, :experiments]
+      allowed_sections = [
        :profile, :account, :xmpp, :email, :lightning, :remotestorage,
        :experiments
      ]
      unless allowed_sections.include?(@settings_section.to_sym)
        redirect_to setting_path(:profile)
@@ -117,14 +148,19 @@ class SettingsController < ApplicationController
    end
    def user_params
-      params.require(:user).permit(:display_name, preferences: [
+      params.require(:user).permit(:display_name, :avatar, preferences: [
        :lightning_notify_sats_received,
        :remotestorage_notify_auth_created,
        :xmpp_exchange_contacts_with_invitees
      ])
    end
    def email_params
-      params.require(:user).permit(:email, :current_password)
+      params.require(:user).permit(:email)
    end
    def security_params
      params.require(:user).permit(:current_password)
    end
    def nostr_event_params
@@ -132,4 +168,14 @@ class SettingsController < ApplicationController
        :id, :pubkey, :created_at, :kind, :tags, :content, :sig
      ])
    end
    def generate_email_password
      characters = [('a'..'z'), ('A'..'Z'), (0..9)].map(&:to_a).flatten
      SecureRandom.random_bytes(16).each_byte.map { |b| characters[b % characters.length] }.join
    end
    def hash_email_password(password)
      salt = BCrypt::Engine.generate_salt
      BCrypt::Engine.hash_secret(password, salt)
    end
 end
--- a/app/controllers/signup_controller.rb
+++ b/app/controllers/signup_controller.rb
@@ -96,13 +96,13 @@ class SignupController < ApplicationController
    session[:new_user] = nil
    session[:validation_error] = nil
-    CreateAccount.call(
+    CreateAccount.call(account: {
      username: @user.cn,
      domain: Setting.primary_domain,
      email: @user.email,
      password: @user.password,
      invitation: @invitation
-    )
+    })
  end
  def set_context
--- a/app/controllers/webfinger_controller.rb
+++ b/app/controllers/webfinger_controller.rb
@@ -6,15 +6,19 @@ class WebfingerController < ApplicationController
  def show
    resource = params[:resource]
-    if resource && resource.match(/acct:\w+/)
+    if resource && @useraddress = resource.match(/acct:(.+)/)&.[](1)
-      useraddress = resource.split(":").last
+      @username, @org = @useraddress.split("@")
-      username, org = useraddress.split("@")
+
-      username.downcase!
+      unless Rails.env.development?
-      unless User.where(cn: username, ou: org).any?
+        # Allow different domains (e.g. localhost:3000) in development only
        head 404 and return unless @org == Setting.primary_domain
      end
      unless User.where(cn: @username.downcase, ou: Setting.primary_domain).any?
        head 404 and return
      end
-      render json: webfinger(useraddress).to_json,
+      render json: webfinger.to_json,
             content_type: "application/jrd+json"
    else
      head 422 and return
@@ -23,19 +27,18 @@ class WebfingerController < ApplicationController
  private
-  def webfinger(useraddress)
+  def webfinger
    links = [];
-    links << remotestorage_link(useraddress) if Setting.remotestorage_enabled
+    # TODO check if storage service is enabled for user, not just globally
    links << remotestorage_link if Setting.remotestorage_enabled
    { "links" => links }
  end
-  def remotestorage_link(useraddress)
+  def remotestorage_link
-    # TODO use when OAuth routes are available
+    auth_url = new_rs_oauth_url(@username)
-    # auth_url = new_rs_oauth_url(useraddress)
+    storage_url = "#{Setting.rs_storage_url}/#{@username}"
    auth_url = "https://example.com/rs/oauth"
    storage_url = "#{Setting.rs_storage_url}/#{useraddress}"
    {
      "rel" => "http://tools.ietf.org/id/draft-dejong-remotestorage",
@@ -51,7 +54,8 @@ class WebfingerController < ApplicationController
  end
  def allow_cross_origin_requests
-    headers['Access-Control-Allow-Origin'] = '*'
+    return unless Rails.env.development?
-    headers['Access-Control-Allow-Methods'] = 'GET, POST, PUT, OPTIONS'
+    headers['Access-Control-Allow-Origin'] = "*"
    headers['Access-Control-Allow-Methods'] = "GET"
  end
 end
--- a/app/controllers/webhooks_controller.rb
+++ b/app/controllers/webhooks_controller.rb
@@ -30,7 +30,7 @@ class WebhooksController < ApplicationController
  def notify_xmpp(address, amt_sats, memo)
    payload = {
      type: "normal",
-      from: Setting.primary_domain,
+      from: Setting.xmpp_notifications_from_address,
      to: address,
      subject: "Sats received!",
      body: "#{helpers.number_with_delimiter amt_sats} sats received in your Lightning wallet:\n> #{memo}"
--- a/app/helpers/oauth_helper.rb
+++ b/app/helpers/oauth_helper.rb
@@ -0,0 +1,11 @@
 module OauthHelper
  def scope_name(scope)
    scope.gsub(/(\:.+)/, '')
  end
  def scope_permissions(scope)
    scope.match(/\:r$/) ? "r" : "rw"
  end
 end
--- a/app/javascript/controllers/application.js
+++ b/app/javascript/controllers/application.js
@@ -1,7 +1,12 @@
 import { Application } from "@hotwired/stimulus"
 import { Dropdown, Modal, Tabs } from "tailwindcss-stimulus-components"
 const application = Application.start()
 application.register('dropdown', Dropdown)
 application.register('modal', Modal)
 application.register('tabs', Tabs)
 // Configure Stimulus development experience
 application.debug = false
 window.Stimulus   = application
--- a/app/javascript/controllers/settings/email/password_controller.js
+++ b/app/javascript/controllers/settings/email/password_controller.js
@@ -0,0 +1,27 @@
 import { Controller } from "@hotwired/stimulus"
 export default class extends Controller {
  static targets = [ "resetPasswordButton", "currentPasswordField" ]
  static values = { validationFailed: Boolean }
  connect () {
    if (this.validationFailedValue) return;
    this.element.querySelectorAll(".initial-hidden").forEach(el => {
      el.classList.add("hidden");
    })
    this.element.querySelectorAll(".initial-visible").forEach(el => {
      el.classList.remove("hidden");
    })
  }
  showPasswordReset () {
    this.element.querySelectorAll(".initial-visible").forEach(el => {
      el.classList.add("hidden");
    })
    this.element.querySelectorAll(".initial-hidden").forEach(el => {
      el.classList.remove("hidden");
    })
    this.currentPasswordFieldTarget.select();
  }
 }
--- a/app/javascript/controllers/settings/nostr_pubkey_controller.js
+++ b/app/javascript/controllers/settings/nostr_pubkey_controller.js
@@ -1,13 +1,4 @@
 import { Controller } from "@hotwired/stimulus"
 import { bech32 } from "bech32"
 function hexToBytes (hex) {
  let bytes = []
  for (let c = 0; c < hex.length; c += 2) {
    bytes.push(parseInt(hex.substr(c, 2), 16))
  }
  return bytes
 }
 // Connects to data-controller="settings--nostr-pubkey"
 export default class extends Controller {
@@ -15,10 +6,6 @@ export default class extends Controller {
  static values  = { userAddress: String, pubkeyHex: String, sharedSecret: String }
  connect () {
    if (this.hasPubkeyHexValue && this.pubkeyHexValue.length > 0) {
      this.pubkeyBech32InputTarget.value = this.pubkeyBech32
    }
    if (window.nostr) {
      if (this.hasSetPubkeyTarget) {
        this.setPubkeyTarget.disabled = false
@@ -53,11 +40,6 @@ export default class extends Controller {
    }
  }
  get pubkeyBech32 () {
    const words = bech32.toWords(hexToBytes(this.pubkeyHexValue))
    return bech32.encode('npub', words)
  }
  get csrfToken () {
    const element = document.head.querySelector('meta[name="csrf-token"]')
    return element.getAttribute("content")
--- a/app/javascript/controllers/settings/resettable_field_controller.js
+++ b/app/javascript/controllers/settings/resettable_field_controller.js
@@ -0,0 +1,10 @@
 import { Controller } from "@hotwired/stimulus"
 export default class extends Controller {
  static targets = [ "resetButton" ]
  resetField () {
    const inputEl = this.element.querySelector('input')
    inputEl.value = inputEl.dataset.defaultValue
  }
 }
--- a/app/jobs/remote_storage_expire_authorization_job.rb
+++ b/app/jobs/remote_storage_expire_authorization_job.rb
@@ -0,0 +1,10 @@
 class RemoteStorageExpireAuthorizationJob < ApplicationJob
  queue_as :remotestorage
  def perform(rs_auth_id)
    rs_auth = RemoteStorageAuthorization.find rs_auth_id
    return unless rs_auth.expire_at.nil? || rs_auth.expire_at <= DateTime.now
    rs_auth.destroy!
  end
 end
--- a/app/mailers/notification_mailer.rb
+++ b/app/mailers/notification_mailer.rb
@@ -5,4 +5,22 @@ class NotificationMailer < ApplicationMailer
    @subject = "Sats received"
    mail to: @user.email, subject: @subject
  end
  def remotestorage_auth_created
    @user = params[:user]
    @auth = params[:auth]
    @permissions = @auth.permissions.map do |p|
      access = p.split(":")[1] == 'r' ? 'read' : 'read/write'
      directory = p.split(':')[0] == '' ? 'all folders and files' : p.split(':')[0]
      "#{access} #{directory}"
    end
    @subject = "New app connected to your storage"
    mail to: @user.email, subject: @subject
  end
  def new_invitations_available
    @user = params[:user]
    @subject = "New invitations added to your account"
    mail to: @user.email, subject: @subject
  end
 end
--- a/app/models/app_catalog.rb
+++ b/app/models/app_catalog.rb
@@ -0,0 +1,5 @@
 module AppCatalog
  def self.table_name_prefix
    "app_catalog_"
  end
 end
--- a/app/models/app_catalog/web_app.rb
+++ b/app/models/app_catalog/web_app.rb
@@ -0,0 +1,16 @@
 class AppCatalog::WebApp < ApplicationRecord
  store :metadata, coder: JSON
  has_many :remote_storage_authorizations, dependent: :destroy
  has_one_attached :icon
  has_one_attached :apple_touch_icon
  validates :url, presence: true, uniqueness: true
  validates :url, format: { with: URI.regexp },
                  if: Proc.new { |a| a.url.present? }
  def update_metadata
    AppCatalogManager::UpdateMetadata.call(app: self)
  end
 end
--- a/app/models/remote_storage_authorization.rb
+++ b/app/models/remote_storage_authorization.rb
@@ -0,0 +1,114 @@
 class RemoteStorageAuthorization < ApplicationRecord
  belongs_to :user
  belongs_to :web_app, class_name: "AppCatalog::WebApp", optional: true
  serialize :permissions unless Rails.env.production?
  validates_presence_of :permissions
  validates_presence_of :client_id
  scope :valid, -> { where(expire_at: nil).or(where(expire_at: (DateTime.now)..)) }
  scope :expired, -> { where(expire_at: ..(DateTime.now)) }
  after_initialize do |a|
    a.permissions = [] if a.permissions == nil
  end
  before_create  :generate_token
  before_create  :store_token_in_redis
  before_create  :find_or_create_web_app
  after_create   :schedule_token_expiry
  after_create   :notify_user
  before_destroy :delete_token_from_redis
  after_destroy  :remove_token_expiry_job
  def url
    uri = URI.parse self.redirect_uri
    "#{uri.scheme}://#{client_id}"
  end
  def launch_url
    return url unless web_app && web_app.metadata[:start_url].present?
    start_url = web_app.metadata[:start_url]
    if start_url.match("^https?:\/\/")
      return start_url.start_with?(url) ? start_url : url
    else
      path = start_url.gsub(/^\.\.\//, "").gsub(/^\.\//, "").gsub(/^\//, "")
      "#{url}/#{path}"
    end
  end
  def delete_token_from_redis
    key = "authorizations:#{user.cn}:#{token}"
    redis.srem? key, redis.smembers(key)
  rescue => e
    Rails.logger.error e
    Sentry.capture_exception(e) if Setting.sentry_enabled?
  end
  private
    def redis
      @redis ||= Redis.new(url: Setting.rs_redis_url)
    end
    def generate_token(length=16)
      self.token = SecureRandom.hex(length) if self.token.blank?
    end
    def store_token_in_redis
      redis.sadd "authorizations:#{user.cn}:#{token}", permissions
    end
    def schedule_token_expiry
      return unless expire_at.present?
      RemoteStorageExpireAuthorizationJob.set(wait_until: expire_at)
                                         .perform_later(id)
    end
    def remove_token_expiry_job
      queue = Sidekiq::Queue.new(RemoteStorageExpireAuthorizationJob.queue_name)
      queue.each do |job|
        next unless job.display_class == "RemoteStorageExpireAuthorizationJob"
        job.delete if job.display_args == [id]
      end
    end
    def find_or_create_web_app
      if looks_like_hosted_origin?
        web_app = AppCatalog::WebApp.find_or_create_by!(url: self.url)
        web_app.update_metadata unless web_app.name.present?
        self.web_app = web_app
        self.app_name = web_app.name.presence || client_id
      else
        self.app_name = client_id
      end
    end
    def looks_like_hosted_origin?
      uri = URI.parse self.redirect_uri
      !!(uri.host =~ /(?=^.{4,253}$)(^((?!-)[a-zA-Z0-9-]{0,62}[a-zA-Z0-9]\.)+[a-zA-Z]{2,63}$)/)
    rescue URI::InvalidURIError
      false
    end
    def notify_user
      notify = user.preferences[:remotestorage_notify_auth_created]
      case notify
      when "xmpp"
        router = Router.new
        payload = {
          type: "normal", to: user.address,
          from: Setting.xmpp_notifications_from_address,
          body: "You have just granted '#{self.client_id}' access to your Kosmos Storage. Visit your Storage dashboard to check on your connected apps and revoke permissions anytime: #{router.services_storage_url}"
        }
        XmppSendMessageJob.perform_later(payload)
      when "email"
        NotificationMailer.with(user: user, auth: self)
                          .remotestorage_auth_created.deliver_later
      end
    end
 end
--- a/app/models/setting.rb
+++ b/app/models/setting.rb
@@ -12,9 +12,12 @@ class Setting < RailsSettings::Base
  # Internal services
  #
-  field :redis_url, type: :string, readonly: true,
+  field :redis_url, type: :string,
    default: ENV["REDIS_URL"] || "redis://localhost:6379/0"
  field :s3_enabled, type: :boolean,
    default: ENV["S3_ENABLED"] && ENV["S3_ENABLED"].to_s != "false"
  #
  # Registrations
  #
@@ -29,38 +32,67 @@ class Setting < RailsSettings::Base
  field :xmpp_default_rooms, type: :array, default: []
  field :xmpp_autojoin_default_rooms, type: :boolean, default: false
  field :xmpp_notifications_from_address, type: :string, default: primary_domain
  #
  # Sentry
  #
  field :sentry_enabled, type: :boolean, readonly: true,
-    default: (ENV["SENTRY_DSN"].present?.to_s || false)
+    default: ENV["SENTRY_DSN"].present?
  #
  # BTCPay Server
  #
  field :btcpay_api_url, type: :string,
    default: ENV["BTCPAY_API_URL"].presence
  field :btcpay_enabled, type: :boolean,
    default: ENV["BTCPAY_API_URL"].present?
  field :btcpay_store_id, type: :string,
    default: ENV["BTCPAY_STORE_ID"].presence
  field :btcpay_auth_token, type: :string,
    default: ENV["BTCPAY_AUTH_TOKEN"].presence
  field :btcpay_publish_wallet_balances, type: :boolean, default: true
  #
  # Discourse
  #
-  field :discourse_public_url, type: :string, readonly: true,
+  field :discourse_public_url, type: :string,
    default: ENV["DISCOURSE_PUBLIC_URL"].presence
  field :discourse_enabled, type: :boolean,
-    default: (ENV["DISCOURSE_PUBLIC_URL"].present?.to_s || false)
+    default: ENV["DISCOURSE_PUBLIC_URL"].present?
-  field :discourse_connect_secret, type: :string, readonly: true,
+  field :discourse_connect_secret, type: :string,
    default: ENV["DISCOURSE_CONNECT_SECRET"].presence
  #
  # Drone CI
  #
  field :droneci_public_url, type: :string,
    default: ENV["DRONECI_PUBLIC_URL"].presence
  field :droneci_enabled, type: :boolean,
    default: ENV["DRONECI_PUBLIC_URL"].present?
  #
  # ejabberd
  #
  field :ejabberd_enabled, type: :boolean,
-    default: (ENV["EJABBERD_API_URL"].present?.to_s || false)
+    default: ENV["EJABBERD_API_URL"].present?
-  field :ejabberd_api_url, type: :string, readonly: true,
+  field :ejabberd_api_url, type: :string,
    default: ENV["EJABBERD_API_URL"].presence
-  field :ejabberd_admin_url, type: :string, readonly: true,
+  field :ejabberd_admin_url, type: :string,
    default: ENV["EJABBERD_ADMIN_URL"].presence
  field :ejabberd_buddy_roster, type: :string,
@@ -70,50 +102,56 @@ class Setting < RailsSettings::Base
  # Gitea
  #
-  field :gitea_public_url, type: :string, readonly: true,
+  field :gitea_public_url, type: :string,
    default: ENV["GITEA_PUBLIC_URL"].presence
  field :gitea_enabled, type: :boolean,
-    default: (ENV["GITEA_PUBLIC_URL"].present?.to_s || false)
+    default: ENV["GITEA_PUBLIC_URL"].present?
  #
  # Lightning Network
  #
-  field :lndhub_api_url, type: :string, readonly: true,
+  field :lndhub_api_url, type: :string,
    default: ENV["LNDHUB_API_URL"].presence
  field :lndhub_enabled, type: :boolean,
-    default: (ENV["LNDHUB_API_URL"].present?.to_s || false)
+    default: ENV["LNDHUB_API_URL"].present?
  field :lndhub_admin_token, type: :string,
    default: ENV["LNDHUB_ADMIN_TOKEN"].presence
  field :lndhub_admin_enabled, type: :boolean,
-    default: (ENV["LNDHUB_ADMIN_UI"] || false)
+    default: ENV["LNDHUB_ADMIN_UI"] || false
-  field :lndhub_public_key, type: :string, readonly: true,
+  field :lndhub_public_key, type: :string,
    default: (ENV["LNDHUB_PUBLIC_KEY"] || "")
  field :lndhub_keysend_enabled, type: :boolean,
-    default: -> { self.lndhub_public_key.present?.to_s || false }
+    default: -> { self.lndhub_public_key.present? }
  #
  # Mastodon
  #
-  field :mastodon_public_url, type: :string, readonly: true,
+  field :mastodon_public_url, type: :string,
    default: ENV["MASTODON_PUBLIC_URL"].presence
  field :mastodon_enabled, type: :boolean,
-    default: (ENV["MASTODON_PUBLIC_URL"].present?.to_s || false)
+    default: ENV["MASTODON_PUBLIC_URL"].present?
  field :mastodon_address_domain, type: :string,
    default: ENV["MASTODON_ADDRESS_DOMAIN"].presence || self.primary_domain
  #
  # MediaWiki
  #
-  field :mediawiki_public_url, type: :string, readonly: true,
+  field :mediawiki_public_url, type: :string,
    default: ENV["MEDIAWIKI_PUBLIC_URL"].presence
  field :mediawiki_enabled, type: :boolean,
-    default: (ENV["MEDIAWIKI_PUBLIC_URL"].present?.to_s || false)
+    default: ENV["MEDIAWIKI_PUBLIC_URL"].present?
  #
  # Nostr
@@ -126,8 +164,37 @@ class Setting < RailsSettings::Base
  #
  field :remotestorage_enabled, type: :boolean,
-    default: (ENV["RS_STORAGE_URL"].present?.to_s || false)
+    default: ENV["RS_STORAGE_URL"].present?
  field :rs_storage_url, type: :string,
    default: ENV["RS_STORAGE_URL"].presence
  field :rs_redis_url, type: :string,
    default: ENV["RS_REDIS_URL"] || "redis://localhost:6379/1"
  #
  # E-Mail Service
  #
  field :email_enabled, type: :boolean,
    default: ENV["EMAIL_SMTP_HOST"].present?
  # field :email_smtp_host, type: :string,
  #   default: ENV["EMAIL_SMTP_HOST"].presence
  #
  # field :email_smtp_port, type: :string,
  #   default: ENV["EMAIL_SMTP_PORT"].presence || 587
  #
  # field :email_smtp_enable_starttls, type: :string,
  #   default: ENV["EMAIL_SMTP_PORT"].presence || true
  #
  # field :email_auth_method, type: :string,
  #   default: ENV["EMAIL_AUTH_METHOD"].presence || "plain"
  #
  # field :email_imap_host, type: :string,
  #   default: ENV["EMAIL_IMAP_HOST"].presence
  #
  # field :email_imap_port, type: :string,
  #   default: ENV["EMAIL_IMAP_PORT"].presence || 993
 end
--- a/app/models/user.rb
+++ b/app/models/user.rb
@@ -1,11 +1,18 @@
 require 'nostr'
 class User < ApplicationRecord
  include EmailValidatable
  attr_accessor :display_name
  attr_accessor :avatar_new
  attr_accessor :current_password
-  serialize :preferences, UserPreferences
+  serialize :preferences, coder: UserPreferences
  #
  # Relations
  #
  has_many :invitations, dependent: :destroy
  has_one  :invitation, inverse_of: :invitee, foreign_key: 'invited_user_id'
  has_one  :inviter, through: :invitation, source: :user
@@ -18,6 +25,12 @@ class User < ApplicationRecord
  has_many :accounts, through: :lndhub_user
  has_many :remote_storage_authorizations
  #
  # Validations
  #
  validates_uniqueness_of :cn, scope: :ou
  validates_length_of :cn, minimum: 3
  validates_format_of :cn, with: /\A([a-z0-9\-])*\z/,
@@ -28,7 +41,8 @@ class User < ApplicationRecord
                           message: "is invalid. Usernames need to start with a letter."
  # FIXME This needs a server restart to apply values
  validates_format_of :cn, without: /\A(#{Setting.reserved_usernames.join('|')})\z/i,
-                           message: "has already been taken"
+                           message: "has already been taken",
                           unless: Proc.new{ |u| u.persisted? }
  validates_uniqueness_of :email
  validates :email, email: true
@@ -38,10 +52,20 @@ class User < ApplicationRecord
  validates_uniqueness_of :nostr_pubkey, allow_blank: true
  validate :acceptable_avatar
  #
  # Scopes
  #
  scope :confirmed,  -> { where.not(confirmed_at: nil) }
  scope :pending,    -> { where(confirmed_at: nil) }
  scope :all_except, -> (user) { where.not(id: user) }
  #
  # Encrypted database columns
  #
  has_encrypted :ln_login, :ln_password
  # Include default devise modules. Others available are:
@@ -68,12 +92,14 @@ class User < ApplicationRecord
  def devise_after_confirmation
    if ldap_entry[:mail] != self.email
      # E-Mail update confirmed
-      LdapManager::UpdateEmail.call(self.dn, self.email)
+      LdapManager::UpdateEmail.call(dn: self.dn, address: self.email)
    else
      # E-Mail from signup confirmed (i.e. account activation)
      # TODO Make configurable, only activate globally enabled services
      enable_service %w[ discourse gitea mediawiki xmpp ]
-      #TODO enable in development when we have easy setup of ejabberd etc.
+      # TODO enable in development when we have easy setup of ejabberd etc.
      return if Rails.env.development? || !Setting.ejabberd_enabled?
      XmppExchangeContactsJob.perform_later(inviter, self) if inviter.present?
@@ -107,6 +133,11 @@ class User < ApplicationRecord
    "#{self.cn}@#{self.ou}"
  end
  def mastodon_address
    return nil unless Setting.mastodon_enabled?
    "#{self.cn}@#{Setting.mastodon_address_domain}"
  end
  def valid_attribute?(attribute_name)
    self.valid?
    self.errors[attribute_name].blank?
@@ -132,6 +163,10 @@ class User < ApplicationRecord
    @display_name ||= ldap_entry[:display_name]
  end
  def avatar
    @avatar_base64 ||= LdapManager::FetchAvatar.call(cn: cn)
  end
  def services_enabled
    ldap_entry[:service] || []
  end
@@ -154,10 +189,28 @@ class User < ApplicationRecord
    ldap.delete_attribute(dn,:service)
  end
  def nostr_pubkey_bech32
    return nil unless nostr_pubkey.present?
    Nostr::PublicKey.new(nostr_pubkey).to_bech32
  end
  private
    def ldap
      return @ldap_service if defined?(@ldap_service)
      @ldap_service = LdapService.new
    end
    def acceptable_avatar
      return unless avatar_new.present?
      if avatar_new.size > 1.megabyte
        errors.add(:avatar, "file size is too large")
      end
      acceptable_types = ["image/jpeg", "image/png"]
      unless acceptable_types.include?(avatar_new.content_type)
        errors.add(:avatar, "must be a JPEG or PNG file")
      end
    end
 end
--- a/app/services/app_catalog_manager/update_metadata.rb
+++ b/app/services/app_catalog_manager/update_metadata.rb
@@ -0,0 +1,63 @@
 require "manifique"
 require "down"
 module AppCatalogManager
  class UpdateMetadata < AppCatalogManagerService
    def initialize(app:)
      @app = app
    end
    def call
      agent = Manifique::Agent.new(url: @app.url)
      metadata = agent.fetch_metadata
      @app.name = metadata.name
      [:name, :short_name, :description, :theme_color, :background_color,
       :display, :start_url, :scope, :share_target, :icons].each do |prop|
        @app.metadata[prop] = metadata.send(prop) if prop
      end
      @app.save!
      # TODO move icon downloads to separate, async job
      if icon = metadata.select_icon(sizes: "256x256") ||
         icon = metadata.select_icon(sizes: "192x192")
        attach_remote_image(:icon, icon)
        # TODO elsif get whatever is available
      end
      if apple_touch_icon = metadata.select_icon(purpose: "apple-touch-icon")
        attach_remote_image(:apple_touch_icon, apple_touch_icon)
      end
    rescue Manifique::Error => e
      msg = "Fetching web app manifest failed for #{e.url}: #{e.type}"
      Rails.logger.warn(msg)
      Sentry.capture_message(msg) if Setting.sentry_enabled?
      false
    end
    def attach_remote_image(attachment_name, icon)
      if icon['src'].start_with?("http")
        download_url = icon['src']
      else
        download_url = "#{@app.url}/#{icon["src"].gsub(/^\//,'')}"
      end
      filename = "#{attachment_name}-#{Time.now.to_i}.png"
      key = "web_apps/#{@app.id}/icons/#{filename}"
      begin
        tempfile = Down.download(download_url)
        @app.send(attachment_name).attach(key: key, io: tempfile, filename: filename)
      rescue Down::NotFound
        msg = "Download of \"#{attachment_name}\" failed: NotFound error for #{download_url}"
        Rails.logger.warn(msg)
        Sentry.capture_message(msg)
      rescue => e
        Rails.logger.warn "Saving attachment \"#{attachment_name}\" failed: \"#{e.message}\""
        Sentry.capture_exception(e) if Setting.sentry_enabled?
      end
    end
  end
 end
--- a/app/services/app_catalog_manager_service.rb
+++ b/app/services/app_catalog_manager_service.rb
@@ -0,0 +1,2 @@
 class AppCatalogManagerService < ApplicationService
 end
--- a/app/services/application_service.rb
+++ b/app/services/application_service.rb
@@ -1,7 +1,7 @@
 class ApplicationService
  # This enables executing a service's `#call` method directly via
  # `MyService.call(args)`, without creating a class instance it first.
-  def self.call(*args, &block)
+  def self.call(**args, &block)
-    new(*args, &block).call
+    new(**args, &block).call
  end
 end
--- a/app/services/btc_pay.rb
+++ b/app/services/btc_pay.rb
@@ -1,32 +0,0 @@
 #
 # API Docs: https://docs.btcpayserver.org/API/Greenfield/v1/
 #
 class BtcPay
  def initialize
    @base_url = ENV["BTCPAY_API_URL"]
    @store_id = Rails.application.credentials.btcpay[:store_id]
    @auth_token = Rails.application.credentials.btcpay[:auth_token]
  end
  def onchain_wallet_balance
    res = get "stores/#{@store_id}/payment-methods/onchain/BTC/wallet"
    {
      balance: res["balance"].to_f,
      unconfirmed_balance: res["unconfirmedBalance"].to_f,
      confirmed_balance: res["confirmedBalance"].to_f
    }
  end
  private
  def get(endpoint)
    res = Faraday.get("#{@base_url}/#{endpoint}", {}, {
      "Content-Type" => "application/json",
      "Accept" => "application/json",
      "Authorization" => "token #{@auth_token}"
    })
    JSON.parse(res.body)
  end
 end
--- a/app/services/btcpay_manager/fetch_lightning_wallet_balance.rb
+++ b/app/services/btcpay_manager/fetch_lightning_wallet_balance.rb
@@ -0,0 +1,11 @@
 module BtcpayManager
  class FetchLightningWalletBalance < BtcpayManagerService
    def call
      res = get "stores/#{store_id}/lightning/BTC/balance"
      {
        confirmed_balance: res["offchain"]["local"].to_i / 1000 # msats to sats
      }
    end
  end
 end
--- a/app/services/btcpay_manager/fetch_onchain_wallet_balance.rb
+++ b/app/services/btcpay_manager/fetch_onchain_wallet_balance.rb
@@ -0,0 +1,13 @@
 module BtcpayManager
  class FetchOnchainWalletBalance < BtcpayManagerService
    def call
      res = get "stores/#{store_id}/payment-methods/onchain/BTC/wallet"
      {
        balance: (res["balance"].to_f * 100000000).to_i, # BTC to sats
        unconfirmed_balance: (res["unconfirmedBalance"].to_f * 100000000).to_i,
        confirmed_balance: (res["confirmedBalance"].to_f * 100000000).to_i
      }
    end
  end
 end
--- a/app/services/btcpay_manager_service.rb
+++ b/app/services/btcpay_manager_service.rb
@@ -0,0 +1,24 @@
 #
 # API Docs: https://docs.btcpayserver.org/API/Greenfield/v1/
 #
 class BtcpayManagerService < ApplicationService
  attr_reader :base_url, :store_id, :auth_token
  def initialize
    @base_url   = Setting.btcpay_api_url
    @store_id   = Setting.btcpay_store_id
    @auth_token = Setting.btcpay_auth_token
  end
  private
    def get(endpoint)
      res = Faraday.get("#{base_url}/#{endpoint}", {}, {
        "Content-Type" => "application/json",
        "Accept" => "application/json",
        "Authorization" => "token #{auth_token}"
      })
      JSON.parse(res.body)
    end
 end
--- a/app/services/create_account.rb
+++ b/app/services/create_account.rb
@@ -1,11 +1,11 @@
 class CreateAccount < ApplicationService
-  def initialize(args)
+  def initialize(account:)
-    @username   = args[:username]
+    @username   = account[:username]
-    @domain     = args[:ou] || Setting.primary_domain
+    @domain     = account[:ou] || Setting.primary_domain
-    @email      = args[:email]
+    @email      = account[:email]
-    @password   = args[:password]
+    @password   = account[:password]
-    @invitation = args[:invitation]
+    @invitation = account[:invitation]
-    @confirmed  = args[:confirmed]
+    @confirmed  = account[:confirmed]
  end
  def call
--- a/app/services/create_invitations.rb
+++ b/app/services/create_invitations.rb
@@ -0,0 +1,17 @@
 class CreateInvitations < ApplicationService
  def initialize(user:, amount:, notify: true)
    @user = user
    @amount = amount
    @notify = notify
  end
  def call
    @amount.times do
      Invitation.create(user: @user)
    end
    if @notify
      NotificationMailer.with(user: @user).new_invitations_available.deliver_later
    end
  end
 end
--- a/app/services/ldap_manager/fetch_avatar.rb
+++ b/app/services/ldap_manager/fetch_avatar.rb
@@ -0,0 +1,16 @@
 module LdapManager
  class FetchAvatar < LdapManagerService
    def initialize(cn:)
      @cn = cn
    end
    def call
      treebase   = ldap_config["base"]
      attributes = %w{ jpegPhoto }
      filter     = Net::LDAP::Filter.eq("cn", @cn)
      entry = ldap_client.search(base: treebase, filter: filter, attributes: attributes).first
      entry.try(:jpegPhoto) ? entry.jpegPhoto.first : nil
    end
  end
 end
--- a/app/services/ldap_manager/update_avatar.rb
+++ b/app/services/ldap_manager/update_avatar.rb
@@ -0,0 +1,27 @@
 require "image_processing/vips"
 module LdapManager
  class UpdateAvatar < LdapManagerService
    def initialize(dn:, file:)
      @dn = dn
      @img_data = process(file)
    end
    def call
      replace_attribute @dn, :jpegPhoto, @img_data
    end
    private
    def process(file)
      processed = ImageProcessing::Vips
        .resize_to_fill(512, 512)
        .source(file)
        .convert("jpeg")
        .saver(strip: true)
        .call
      Base64.strict_encode64 processed.read
    end
  end
 end
--- a/app/services/ldap_manager/update_display_name.rb
+++ b/app/services/ldap_manager/update_display_name.rb
@@ -1,6 +1,6 @@
 module LdapManager
  class UpdateDisplayName < LdapManagerService
-    def initialize(dn, display_name)
+    def initialize(dn:, display_name:)
      @dn = dn
      @display_name = display_name
    end
--- a/app/services/ldap_manager/update_email.rb
+++ b/app/services/ldap_manager/update_email.rb
@@ -1,6 +1,6 @@
 module LdapManager
  class UpdateEmail < LdapManagerService
-    def initialize(dn, address)
+    def initialize(dn:, address:)
      @dn = dn
      @address = address
    end
--- a/app/services/ldap_manager/update_email_maildrop.rb
+++ b/app/services/ldap_manager/update_email_maildrop.rb
@@ -0,0 +1,12 @@
 module LdapManager
  class UpdateEmailMaildrop < LdapManagerService
    def initialize(dn:, address:)
      @dn = dn
      @address = address
    end
    def call
      replace_attribute @dn, :mailRoutingAddress, @address
    end
  end
 end
--- a/app/services/ldap_manager/update_email_password.rb
+++ b/app/services/ldap_manager/update_email_password.rb
@@ -0,0 +1,12 @@
 module LdapManager
  class UpdateEmailPassword < LdapManagerService
    def initialize(dn:, password_hash:)
      @dn = dn
      @password_hash = password_hash
    end
    def call
      replace_attribute @dn, :mailpassword, @password_hash
    end
  end
 end
--- a/app/services/ldap_manager_service.rb
+++ b/app/services/ldap_manager_service.rb
@@ -1,2 +1,5 @@
 class LdapManagerService < LdapService
  def suffix
    @suffix ||= ENV["LDAP_SUFFIX"] || "dc=kosmos,dc=org"
  end
 end
--- a/app/services/ldap_service.rb
+++ b/app/services/ldap_service.rb
@@ -50,8 +50,11 @@ class LdapService < ApplicationService
      treebase = ldap_config["base"]
    end
-    attributes = %w{dn cn uid mail displayName admin service}
+    attributes = %w[
-    filter     = Net::LDAP::Filter.eq("uid", args[:uid] || "*")
+      dn cn uid mail displayName admin service
      mailRoutingAddress mailpassword
    ]
    filter = Net::LDAP::Filter.eq("uid", args[:uid] || "*")
    entries = ldap_client.search(base: treebase, filter: filter, attributes: attributes)
    entries.sort_by! { |e| e.cn[0] }
@@ -61,7 +64,9 @@ class LdapService < ApplicationService
        mail: e.try(:mail) ? e.mail.first : nil,
        display_name: e.try(:displayName) ? e.displayName.first : nil,
        admin: e.try(:admin) ? 'admin' : nil,
-        service: e.try(:service)
+        service: e.try(:service),
        email_maildrop: e.try(:mailRoutingAddress),
        email_password: e.try(:mailpassword)
      }
    end
  end
--- a/app/services/lndhub_v2.rb
+++ b/app/services/lndhub_v2.rb
@@ -14,7 +14,7 @@ class LndhubV2 < Lndhub
  end
  def create_account(payload={})
-    post "v2/users", payload, admin_token: Rails.application.credentials.lndhub[:admin_token]
+    post "v2/users", payload, admin_token: Setting.lndhub_admin_token
  end
  def create_invoice(payload)
--- a/app/services/nostr_manager/validate_id.rb
+++ b/app/services/nostr_manager/validate_id.rb
@@ -1,6 +1,6 @@
 module NostrManager
  class ValidateId < NostrManagerService
-    def initialize(event)
+    def initialize(event:)
      @event = Nostr::Event.new(**event)
    end
--- a/app/services/nostr_manager/verify_signature.rb
+++ b/app/services/nostr_manager/verify_signature.rb
@@ -1,6 +1,6 @@
 module NostrManager
  class VerifySignature < NostrManagerService
-    def initialize(event)
+    def initialize(event:)
      @event = Nostr::Event.new(**event)
    end
--- a/app/services/router.rb
+++ b/app/services/router.rb
@@ -0,0 +1,7 @@
 class Router
  include Rails.application.routes.url_helpers
  def self.default_url_options
    ActionMailer::Base.default_url_options
  end
 end
--- a/app/views/admin/app_catalog/web_apps/index.html.erb
+++ b/app/views/admin/app_catalog/web_apps/index.html.erb
@@ -0,0 +1,56 @@
 <%= render HeaderComponent.new(title: "App Catalog") %>
 <%= render MainWithSidenavComponent.new(sidenav_partial: 'shared/admin_sidenav_app_catalog') do %>
  <section>
    <%= render QuickstatsContainerComponent.new do %>
      <%= render QuickstatsItemComponent.new(
          type: :number,
          title: 'Known Web Apps',
          value: @stats[:known_apps],
      ) %>
      <%# <%= render QuickstatsItemComponent.new(
      <%#     type: :number,
      <%#     title: 'Accepted',
      <%#     value: @stats[:accepted],
      <%# ) %>
      <%# <%= render QuickstatsItemComponent.new(
      <%#     type: :number,
      <%#     title: 'Users with referrals',
      <%#     value: @stats[:users_with_referrals],
      <%#     meta: "/ #{User.count}"
      <%# ) %>
    <% end %>
  </section>
  <% if @web_apps.any? %>
    <section>
      <h3>Web Apps</h3>
      <table class="divided mb-8">
        <thead>
          <tr>
            <th>Name</th>
            <th>URL</th>
            <th class="hidden md:table-cell">RS Auths</th>
            <th class="hidden md:table-cell">Created at</th>
          </tr>
        </thead>
        <tbody>
          <% @web_apps.each do |web_app| %>
            <tr>
              <td><%= web_app.name %></td>
              <td><%= link_to web_app.url, web_app.url,
                              target: "_blank", rel: "nofollow noopener",
                              class: "ks-text-link" %></td>
              <td class="hidden md:table-cell"><%= web_app.remote_storage_authorizations.count %></td>
              <td class="hidden md:table-cell">
                <span title="<%= web_app.created_at %>" class="cursor-help">
                  <%= time_ago_in_words web_app.created_at, include_seconds: false %> ago
                </span>
              </td>
            </tr>
          <% end %>
        </tbody>
      </table>
      <%== pagy_nav @pagy %>
    </section>
  <% end %>
 <% end %>
--- a/app/views/admin/settings/registrations/index.html.erb
+++ b/app/views/admin/settings/registrations/index.html.erb
@@ -1,7 +1,7 @@
 <%= render HeaderComponent.new(title: "Settings") %>
 <%= render MainWithSidenavComponent.new(sidenav_partial: 'shared/admin_sidenav_settings') do %>
-  <%= form_for(Setting.new, url: admin_settings_registrations_path) do |f| %>
+  <%= form_for(Setting.new, url: admin_settings_registrations_path, method: :put) do |f| %>
    <section>
      <h3>Registrations</h3>
--- a/app/views/admin/settings/services/_btcpay.html.erb
+++ b/app/views/admin/settings/services/_btcpay.html.erb
@@ -0,0 +1,37 @@
 <h3>BTCPay Server</h3>
 <ul role="list">
  <%= render FormElements::FieldsetToggleComponent.new(
    form: f,
    attribute: :btcpay_enabled,
    enabled: Setting.btcpay_enabled?,
    title: "Enable BTCPay integration",
    description: "BTCPay configuration present and features enabled"
  ) %>
 <% if Setting.btcpay_enabled? %>
  <%= render FormElements::FieldsetResettableSettingComponent.new(
        key: :btcpay_api_url,
        title: "API URL"
      ) %>
  <%= render FormElements::FieldsetResettableSettingComponent.new(
        key: :btcpay_store_id,
        title: "Store ID"
      ) %>
  <%= render FormElements::FieldsetResettableSettingComponent.new(
        key: :btcpay_auth_token,
        type: :password,
        title: "Auth Token"
      ) %>
 </ul>
 </section>
 <section>
 <h3>REST API</h3>
 <ul role="list">
  <%= render FormElements::FieldsetToggleComponent.new(
    form: f,
    attribute: :btcpay_publish_wallet_balances,
    enabled: Setting.btcpay_publish_wallet_balances?,
    title: "Publish wallet balances",
    description: "Publish the store's on-chain and Lightning wallet balances"
  ) %>
 <% end %>
 </ul>
--- a/app/views/admin/settings/services/_discourse.html.erb
+++ b/app/views/admin/settings/services/_discourse.html.erb
@@ -8,16 +8,15 @@
    description: "Discourse configuration present and features enabled"
  ) %>
 <% if Setting.discourse_enabled? %>
-  <%= render FormElements::FieldsetComponent.new(title: "Public URL") do %>
+  <%= render FormElements::FieldsetResettableSettingComponent.new(
-    <%= f.text_field :discourse_public_url,
+        key: :discourse_public_url,
-      value: Setting.discourse_public_url,
+        title: "Public URL"
-      class: "w-full", disabled: true %>
+      ) %>
-  <% end %>
+  <%= render FormElements::FieldsetResettableSettingComponent.new(
-  <%= render FormElements::FieldsetComponent.new(title: "Connect secret") do %>
+        key: :discourse_connect_secret,
-    <%= f.password_field :discourse_connect_secret,
+        type: :password,
-      value: Setting.discourse_connect_secret,
+        title: "Connect secret"
-      class: "w-full", disabled: true %>
+      ) %>
  <% end %>
 <% end %>
 </ul>
 <% if Setting.discourse_enabled? %>
@@ -31,14 +30,14 @@
      <input type="text" class="grow" disabled="disabled"
             value="https://<%= Setting.accounts_domain %>/discourse/connect"
             data-clipboard-target="source" />
-      <button class="btn-md btn-icon btn-blue shrink-0"
+      <button class="btn-md btn-icon btn-outline shrink-0"
              data-clipboard-target="trigger" data-action="clipboard#copy"
              title="Copy to clipboard">
        <span class="content-initial">
-          <%= render partial: "icons/copy", locals: { custom_class: "text-white h-4 w-4 inline" } %>
+          <%= render partial: "icons/copy", locals: { custom_class: "text-blue-600 h-4 w-4 inline" } %>
        </span>
        <span class="content-active hidden">
-          <%= render partial: "icons/check", locals: { custom_class: "text-white h-4 w-4 inline" } %>
+          <%= render partial: "icons/check", locals: { custom_class: "text-blue-600 h-4 w-4 inline" } %>
        </span>
      </button>
    </li>
--- a/app/views/admin/settings/services/_droneci.html.erb
+++ b/app/views/admin/settings/services/_droneci.html.erb
@@ -0,0 +1,16 @@
 <h3>Drone CI</h3>
 <ul role="list">
  <%= render FormElements::FieldsetToggleComponent.new(
    form: f,
    attribute: :droneci_enabled,
    enabled: Setting.droneci_enabled?,
    title: "Enable Drone CI integration",
    description: "Drone CI configuration present and features enabled"
  ) %>
  <% if Setting.droneci_enabled? %>
    <%= render FormElements::FieldsetResettableSettingComponent.new(
          key: :droneci_public_url,
          title: "Public URL"
        ) %>
  <% end %>
 </ul>
--- a/app/views/admin/settings/services/_ejabberd.html.erb
+++ b/app/views/admin/settings/services/_ejabberd.html.erb
@@ -8,16 +8,14 @@
    description: "ejabberd configuration present and features enabled"
  ) %>
 <% if Setting.ejabberd_enabled? %>
-  <%= render FormElements::FieldsetComponent.new(title: "API URL") do %>
+  <%= render FormElements::FieldsetResettableSettingComponent.new(
-    <%= f.text_field :ejabberd_api_url,
+        key: :ejabberd_api_url,
-      value: Setting.ejabberd_api_url,
+        title: "API URL"
-      class: "w-full", disabled: true %>
+      ) %>
-  <% end %>
+  <%= render FormElements::FieldsetResettableSettingComponent.new(
-  <%= render FormElements::FieldsetComponent.new(title: "Admin URL") do %>
+        key: :ejabberd_admin_url,
-    <%= f.text_field :ejabberd_admin_url,
+        title: "Admin URL"
-      value: Setting.ejabberd_admin_url,
+      ) %>
      class: "w-full", disabled: true %>
  <% end %>
 </ul>
 <h3 class="mt-10">User default settings</h3>
 <ul role="list">
@@ -37,12 +35,24 @@
    title: "Auto-join default rooms",
    description: "Automatically join above default rooms in chat clients"
  ) %>
-  <%= render FormElements::FieldsetComponent.new(
+  <%= render FormElements::FieldsetResettableSettingComponent.new(
        key: :ejabberd_buddy_roster,
        title: "Contact roster name",
        description: "Used when exchanging contacts after signup from invitation"
      ) %>
 </ul>
 <h3 class="mt-10">Notifications</h3>
 <ul role="list">
  <%= render FormElements::FieldsetComponent.new(
        title: "From address",
        description: "Address (JID) of the account notifications are sent from",
        resettable: Setting.get_field(:xmpp_notifications_from_address)[:default] != Setting.xmpp_notifications_from_address
      ) do %>
-    <%= f.text_field :ejabberd_buddy_roster,
+    <%= f.text_field :xmpp_notifications_from_address,
-      value: Setting.ejabberd_buddy_roster,
+      value: Setting.xmpp_notifications_from_address,
      data: {
        :'default-value' => Setting.get_field(:xmpp_notifications_from_address)[:default]
      },
      class: "w-full" %>
  <% end %>
 <% end %>
--- a/app/views/admin/settings/services/_email.html.erb
+++ b/app/views/admin/settings/services/_email.html.erb
@@ -0,0 +1,16 @@
 <h3>E-Mail</h3>
 <ul role="list">
  <%= render FormElements::FieldsetToggleComponent.new(
    form: f,
    attribute: :email_enabled,
    enabled: Setting.email_enabled?,
    title: "Enable E-Mail service integration",
    description: "Enable/configure LDAP attributes for use with a mail server"
  ) %>
  <%# <% if Setting.email_enabled? %>
  <%#   <%= render FormElements::FieldsetResettableSettingComponent.new(
  <%#         key: :gitea_public_url,
  <%#         title: "Public URL"
  <%#       ) %>
  <%# <% end %>
 </ul>
--- a/app/views/admin/settings/services/_gitea.html.erb
+++ b/app/views/admin/settings/services/_gitea.html.erb
@@ -8,10 +8,9 @@
    description: "Gitea configuration present and features enabled"
  ) %>
  <% if Setting.gitea_enabled? %>
-    <%= render FormElements::FieldsetComponent.new(title: "Public URL") do %>
+    <%= render FormElements::FieldsetResettableSettingComponent.new(
-      <%= f.text_field :gitea_public_url,
+          key: :gitea_public_url,
-        value: Setting.gitea_public_url,
+          title: "Public URL"
-        class: "w-full", disabled: true %>
+        ) %>
    <% end %>
  <% end %>
 </ul>
--- a/app/views/admin/settings/services/_lndhub.html.erb
+++ b/app/views/admin/settings/services/_lndhub.html.erb
@@ -8,31 +8,36 @@
    description: "LNDHub configuration present and wallet features enabled"
  ) %>
  <% if Setting.lndhub_enabled? %>
-    <%= render FormElements::FieldsetComponent.new(title: "API URL") do %>
+    <%= render FormElements::FieldsetResettableSettingComponent.new(
-      <%= f.text_field :lndhub_api_url,
+      key: :lndhub_api_url,
-        value: Setting.lndhub_api_url,
+      title: "API URL"
-        class: "w-full", disabled: true %>
+    ) %>
-    <% end %>
+    <%= render FormElements::FieldsetResettableSettingComponent.new(
-  <% end %>
+      key: :lndhub_admin_token,
-  <%= render FormElements::FieldsetToggleComponent.new(
+      type: :password,
-    form: f,
+      title: "Admin token",
-    attribute: :lndhub_admin_enabled,
+      description: "Auth token for creating new lndhub accounts"
-    enabled: Setting.lndhub_admin_enabled?,
+    ) %>
-    title: "Enable LNDHub admin panel",
+    <%= render FormElements::FieldsetToggleComponent.new(
-    description: "LNDHub database configuration present and admin panel enabled"
+      form: f,
-  ) %>
+      attribute: :lndhub_admin_enabled,
-  <%= render FormElements::FieldsetToggleComponent.new(
+      enabled: Setting.lndhub_admin_enabled?,
-    form: f,
+      title: "Enable LNDHub admin panel",
-    attribute: :lndhub_keysend_enabled,
+      description: "LNDHub database configuration present and admin panel enabled"
-    enabled: Setting.lndhub_keysend_enabled?,
+    ) %>
-    title: "Enable keysend payments",
+    <%= render FormElements::FieldsetToggleComponent.new(
-    description: "Allow users to receive invoice-less payments to their Lightning Address"
+      form: f,
-  ) %>
+      attribute: :lndhub_keysend_enabled,
-  <% if Setting.lndhub_keysend_enabled? %>
+      enabled: Setting.lndhub_keysend_enabled?,
-    <%= render FormElements::FieldsetComponent.new(title: "Public key", description: "The public key of the Lightning node used by LNDHub") do %>
+      title: "Enable keysend payments",
-      <%= f.text_field :lndhub_public_key,
+      description: "Allow users to receive invoice-less payments to their Lightning Address"
-        value: Setting.lndhub_public_key,
+    ) %>
-        class: "w-full", disabled: true %>
+    <% if Setting.lndhub_keysend_enabled? %>
      <%= render FormElements::FieldsetResettableSettingComponent.new(
            key: :lndhub_public_key,
            title: "Public key",
            description: "The public key of the Lightning node used by LNDHub"
          ) %>
    <% end %>
  <% end %>
 </ul>
--- a/app/views/admin/settings/services/_mastodon.html.erb
+++ b/app/views/admin/settings/services/_mastodon.html.erb
@@ -8,10 +8,13 @@
    description: "Mastodon configuration present and features enabled"
  ) %>
  <% if Setting.mastodon_enabled? %>
-    <%= render FormElements::FieldsetComponent.new(title: "Public URL") do %>
+    <%= render FormElements::FieldsetResettableSettingComponent.new(
-      <%= f.text_field :mastodon_public_url,
+          key: :mastodon_public_url,
-        value: Setting.mastodon_public_url,
+          title: "Public URL"
-        class: "w-full", disabled: true %>
+        ) %>
-    <% end %>
+    <%= render FormElements::FieldsetResettableSettingComponent.new(
          key: :mastodon_address_domain,
          title: "User address domain"
        ) %>
  <% end %>
 </ul>
--- a/Show More
+++ b/Show More
		`@@ -0,0 +1,2 @@`
							`class AppCatalogManagerService < ApplicationService`
							`end`