WIP: Import deno modules for use with import maps

Fix serviceEnabled indicator on admin page
0.10.0
2024-10-09 15:17:35 +02:00 · 2024-09-24 21:38:01 +02:00 · 2024-09-18 15:49:07 +02:00 · 2024-09-18 14:46:46 +02:00 · 2024-09-14 17:17:09 +02:00 · 2024-09-14 16:46:14 +02:00
309 changed files with 8142 additions and 1562 deletions
--- a/.drone.yml
+++ b/.drone.yml
@@ -17,7 +17,7 @@ steps:
      branch:
        - master
  - name: rspec
-    image: guildeducation/rails:2.7.2-14.20.0
+    image: gitea.kosmos.org/kosmos/akkounts-ci:0.9.1
    environment:
      RAILS_ENV: test
      REDIS_URL: redis://redis:6379/0
@@ -28,6 +28,8 @@ steps:
      - bundle config set cache_path 'vendor/cache'
      - bundle config set with 'development test'
      - bundle install --jobs=3 --retry=3
      - bundle exec rails db:create
      - bundle exec rails db:migrate
      - yarn install
      - rake css:build
      - bundle exec rspec
--- a/.env.example
+++ b/.env.example
@@ -1,46 +1,71 @@
-PRIMARY_DOMAIN=kosmos.org
+# PRIMARY_DOMAIN=kosmos.org
-AKKOUNTS_DOMAIN=accounts.example.com
+# AKKOUNTS_DOMAIN=accounts.example.com
-SMTP_SERVER=smtp.example.com
+# SMTP_SERVER=smtp.example.com
-SMTP_PORT=587
+# SMTP_PORT=587
-SMTP_LOGIN=accounts
+# SMTP_LOGIN=accounts
-SMTP_PASSWORD=123abc
+# SMTP_PASSWORD=123abc
-SMTP_FROM_ADDRESS=accounts@example.com
+# SMTP_FROM_ADDRESS=accounts@example.com
-SMTP_DOMAIN=example.com
+# SMTP_DOMAIN=example.com
-SMTP_AUTH_METHOD=plain
+# SMTP_AUTH_METHOD=plain
-SMTP_ENABLE_STARTTLS=auto
+# SMTP_ENABLE_STARTTLS=auto
-LDAP_HOST=localhost
+# S3_ENABLED=true
-LDAP_PORT=389
+# S3_ENDPOINT=https://s3.kosmos.org
-LDAP_ADMIN_PASSWORD=passthebutter
+# S3_REGION=garage
-LDAP_SUFFIX='dc=kosmos,dc=org'
+# S3_BUCKET=akkounts-production
 # S3_ALIAS_HOST=https://accounts.web.s3.kosmos.org
 # S3_ACCESS_KEY=123456abcdefg
 # S3_SECRET_KEY=123456789123456789123456789
-REDIS_URL='redis://localhost:6379/1'
+# LDAP_HOST=localhost
 # LDAP_PORT=389
 # LDAP_ADMIN_PASSWORD=passthebutter
 # LDAP_SUFFIX='dc=kosmos,dc=org'
-WEBHOOKS_ALLOWED_IPS='10.1.1.163'
+# REDIS_URL='redis://localhost:6379/1'
-DISCOURSE_PUBLIC_URL='https://community.kosmos.org'
+# WEBHOOKS_ALLOWED_IPS='10.1.1.163'
 DISCOURSE_CONNECT_SECRET='discourse_connect_ftw'
-DRONECI_PUBLIC_URL='https://drone.kosmos.org'
+#
 # Service Integrations
 # (sorted alphabetically by service name)
 #
-GITEA_PUBLIC_URL='https://gitea.kosmos.org'
+# BTCPAY_PUBLIC_URL='https://btcpay.example.com'
-MASTODON_PUBLIC_URL='https://kosmos.social'
+# BTCPAY_API_URL='http://localhost:23001/api/v1'
-MEDIAWIKI_PUBLIC_URL='https://wiki.kosmos.org'
+# BTCPAY_STORE_ID=''
-RS_STORAGE_URL='https://storage.kosmos.org'
+# BTCPAY_AUTH_TOKEN=''
 RS_REDIS_URL='redis://localhost:6379/2'
-EJABBERD_ADMIN_URL='https://xmpp.kosmos.org/admin'
+# DISCOURSE_PUBLIC_URL='https://community.kosmos.org'
-EJABBERD_API_URL='https://xmpp.kosmos.org/api'
+# DISCOURSE_CONNECT_SECRET='discourse_connect_ftw'
-BTCPAY_API_URL='http://localhost:23001/api/v1'
+# DRONECI_PUBLIC_URL='https://drone.kosmos.org'
-LNDHUB_API_URL='http://localhost:3023'
+# EJABBERD_ADMIN_URL='https://xmpp.kosmos.org/admin'
-LNDHUB_PUBLIC_URL='https://lndhub.kosmos.org'
+# EJABBERD_API_URL='https://xmpp.kosmos.org/api'
-LNDHUB_PUBLIC_KEY='0123d3be18617f39cf645851e3ba63f51fc13f0bb09e3bb25e6fd4de556486d946'
+
-LNDHUB_ADMIN_UI=true
+# GITEA_PUBLIC_URL='https://gitea.kosmos.org'
-LNDHUB_PG_HOST=localhost
+
-LNDHUB_PG_PORT=5432
+# LNDHUB_API_URL='http://localhost:3023'
-LNDHUB_PG_DATABASE=lndhub
+# LNDHUB_PUBLIC_URL='https://lndhub.kosmos.org'
-LNDHUB_PG_USERNAME=lndhub
+# LNDHUB_PUBLIC_KEY='0123d3be18617f39cf645851e3ba63f51fc13f0bb09e3bb25e6fd4de556486d946'
-LNDHUB_PG_PASSWORD=''
+# LNDHUB_ADMIN_UI=true
 # LNDHUB_ADMIN_TOKEN=123456789
 # LNDHUB_PG_HOST=localhost
 # LNDHUB_PG_PORT=5432
 # LNDHUB_PG_DATABASE=lndhub
 # LNDHUB_PG_USERNAME=lndhub
 # LNDHUB_PG_PASSWORD=''
 # MASTODON_PUBLIC_URL='https://kosmos.social'
 # MASTODON_ADDRESS_DOMAIN='https://kosmos.org'
 # MEDIAWIKI_PUBLIC_URL='https://wiki.kosmos.org'
 # NOSTR_PRIVATE_KEY='123456abcdef...'
 # NOSTR_PUBLIC_KEY='123456abcdef...'
 # NOSTR_RELAY_URL='wss://nostr.kosmos.org'
 # RS_STORAGE_URL='https://storage.kosmos.org'
 # RS_REDIS_URL='redis://localhost:6379/2'
--- a/.env.test
+++ b/.env.test
@@ -1,18 +1,26 @@
 PRIMARY_DOMAIN=kosmos.org
 AKKOUNTS_DOMAIN=accounts.kosmos.org
 REDIS_URL='redis://localhost:6379/0'
 BTCPAY_PUBLIC_URL='https://btcpay.example.com'
 BTCPAY_API_URL='http://btcpay.example.com/api/v1'
 BTCPAY_STORE_ID='123456'
 DISCOURSE_PUBLIC_URL='http://discourse.example.com'
 DISCOURSE_CONNECT_SECRET='discourse_connect_ftw'
 EJABBERD_API_URL='http://xmpp.example.com/api'
-BTCPAY_API_URL='http://btcpay.example.com/api/v1'
+MASTODON_PUBLIC_URL='http://example.social'
 LNDHUB_API_URL='http://localhost:3026'
 LNDHUB_PUBLIC_URL='https://lndhub.kosmos.org'
 LNDHUB_PUBLIC_KEY='024cd3be18617f39cf645851e3ba63f51fc13f0bb09e3bb25e6fd4de556486d946'
 NOSTR_PRIVATE_KEY='7c3ef7e448505f0615137af38569d01807d3b05b5005d5ecf8aaafcd40323cea'
 NOSTR_PUBLIC_KEY='bdd76ce2934b2f591f9fad2ebe9da18f20d2921de527494ba00eeaa0a0efadcf'
 RS_STORAGE_URL='https://storage.kosmos.org'
 RS_REDIS_URL='redis://localhost:6379/1'
--- a/.gitignore
+++ b/.gitignore
@@ -23,6 +23,7 @@
 !/tmp/pids/
 !/tmp/pids/.keep
 /storage
 /public/assets
 .byebug_history
--- a/.npmrc
+++ b/.npmrc
@@ -0,0 +1 @@
@jsr:registry=https://npm.jsr.io
--- a/.ruby-version
+++ b/.ruby-version
@@ -1 +1 @@
-2.7.2
+3.3.0
--- a/7
+++ b/7
@@ -1,16 +1,17 @@
 # syntax=docker/dockerfile:1
-FROM ruby:2.7.6
+FROM ruby:3.3.4
 SHELL ["/bin/bash", "-o", "pipefail", "-c"]
 RUN apt-get update -qq && apt-get install -y --no-install-recommends curl \
-      ldap-utils tini
+      ldap-utils tini libvips
 RUN curl -fsSL https://deb.nodesource.com/setup_lts.x | bash -
 RUN apt-get update && apt-get install -y nodejs
 WORKDIR /akkounts
-COPY ["Gemfile", "Gemfile.lock", "package.json", "./"]
+COPY ["Gemfile", "Gemfile.lock", "package.json", "yarn.lock", "./"]
 RUN bundle install
 RUN gem install foreman
--- a/19
+++ b/19
@@ -2,7 +2,7 @@ source 'https://rubygems.org'
 git_source(:github) { |repo| "https://github.com/#{repo}.git" }
 # Bundle edge Rails instead: gem 'rails', github: 'rails/rails'
-gem 'rails', '~> 7.0.2'
+gem 'rails', '~> 7.1'
 # Use Puma as the app server
 gem 'puma', '~> 4.1'
 # View components
@@ -22,7 +22,7 @@ gem 'jbuilder', '~> 2.7'
 # Use Redis adapter to run Action Cable in production
 # gem 'redis', '~> 4.0'
 # Use Active Model has_secure_password
-# gem 'bcrypt', '~> 3.1.7'
+gem 'bcrypt', '~> 3.1'
 # Configuration
 gem 'dotenv-rails'
@@ -37,6 +37,7 @@ gem 'devise_ldap_authenticatable'
 gem 'net-ldap'
 # Utilities
 gem "image_processing", "~> 1.12.2"
 gem "rqrcode", "~> 2.0"
 gem 'rails-settings-cached', '~> 2.8.3'
 gem 'pagy', '~> 6.0', '>= 6.0.2'
@@ -46,6 +47,8 @@ gem 'flipper-ui'
 # HTTP requests
 gem 'faraday'
 gem 'down'
 gem 'aws-sdk-s3', require: false
 # Background/scheduled jobs
 gem 'sidekiq', '< 7'
@@ -58,19 +61,19 @@ gem "sentry-rails"
 # Services
 gem 'discourse_api'
 gem "lnurl"
-gem 'nostr', git: 'https://gitea.kosmos.org/kosmos/nostr-gem.git', branch: 'feature/ruby_2.7_compat'
+gem 'manifique', '~> 1.1.0'
 gem 'nostr', '~> 0.6.0'
 group :development, :test do
  # Use sqlite3 as the database for Active Record
-  gem 'sqlite3', '~> 1.4'
+  gem 'sqlite3', '~> 1.7.2'
  gem 'rspec-rails'
  gem 'rails-controller-testing'
  gem "byebug", "~> 11.1"
 end
 group :development do
  # Access an interactive console on exception pages or by calling 'console' anywhere in the code.
-  gem 'web-console', '>= 3.3.0'
+  gem 'web-console', '~> 4.2'
  gem 'listen', '~> 3.2'
  gem 'letter_opener'
  gem 'letter_opener_web'
@@ -86,8 +89,8 @@ group :test do
 end
 group :production do
-  # Use postgresql as the database for Active Record
+  gem 'pg', '~> 1.5'
  gem 'pg', '~> 1.2.3'
 end
 # Windows does not include zoneinfo files, so bundle the tzinfo-data gem
 gem 'tzinfo-data', platforms: [:mingw, :mswin, :x64_mingw, :jruby]
--- a/Gemfile.lock
+++ b/Gemfile.lock
@@ -1,113 +1,127 @@
 GIT
  remote: https://gitea.kosmos.org/kosmos/nostr-gem.git
  revision: 596529d9eb50d13b3f385245636698fccf37b442
  branch: feature/ruby_2.7_compat
  specs:
    nostr (0.4.0)
      bech32 (~> 1.3)
      bip-schnorr (~> 0.4)
      ecdsa (~> 1.2)
      event_emitter (~> 0.2)
      faye-websocket (~> 0.11)
      json (~> 2.6)
 GEM
  remote: https://rubygems.org/
  specs:
-    actioncable (7.0.5)
+    actioncable (7.1.3)
-      actionpack (= 7.0.5)
+      actionpack (= 7.1.3)
-      activesupport (= 7.0.5)
+      activesupport (= 7.1.3)
      nio4r (~> 2.0)
      websocket-driver (>= 0.6.1)
-    actionmailbox (7.0.5)
+      zeitwerk (~> 2.6)
-      actionpack (= 7.0.5)
+    actionmailbox (7.1.3)
-      activejob (= 7.0.5)
+      actionpack (= 7.1.3)
-      activerecord (= 7.0.5)
+      activejob (= 7.1.3)
-      activestorage (= 7.0.5)
+      activerecord (= 7.1.3)
-      activesupport (= 7.0.5)
+      activestorage (= 7.1.3)
      activesupport (= 7.1.3)
      mail (>= 2.7.1)
      net-imap
      net-pop
      net-smtp
-    actionmailer (7.0.5)
+    actionmailer (7.1.3)
-      actionpack (= 7.0.5)
+      actionpack (= 7.1.3)
-      actionview (= 7.0.5)
+      actionview (= 7.1.3)
-      activejob (= 7.0.5)
+      activejob (= 7.1.3)
-      activesupport (= 7.0.5)
+      activesupport (= 7.1.3)
      mail (~> 2.5, >= 2.5.4)
      net-imap
      net-pop
      net-smtp
-      rails-dom-testing (~> 2.0)
+      rails-dom-testing (~> 2.2)
-    actionpack (7.0.5)
+    actionpack (7.1.3)
-      actionview (= 7.0.5)
+      actionview (= 7.1.3)
-      activesupport (= 7.0.5)
+      activesupport (= 7.1.3)
-      rack (~> 2.0, >= 2.2.4)
+      nokogiri (>= 1.8.5)
      racc
      rack (>= 2.2.4)
      rack-session (>= 1.0.1)
      rack-test (>= 0.6.3)
-      rails-dom-testing (~> 2.0)
+      rails-dom-testing (~> 2.2)
-      rails-html-sanitizer (~> 1.0, >= 1.2.0)
+      rails-html-sanitizer (~> 1.6)
-    actiontext (7.0.5)
+    actiontext (7.1.3)
-      actionpack (= 7.0.5)
+      actionpack (= 7.1.3)
-      activerecord (= 7.0.5)
+      activerecord (= 7.1.3)
-      activestorage (= 7.0.5)
+      activestorage (= 7.1.3)
-      activesupport (= 7.0.5)
+      activesupport (= 7.1.3)
      globalid (>= 0.6.0)
      nokogiri (>= 1.8.5)
-    actionview (7.0.5)
+    actionview (7.1.3)
-      activesupport (= 7.0.5)
+      activesupport (= 7.1.3)
      builder (~> 3.1)
-      erubi (~> 1.4)
+      erubi (~> 1.11)
-      rails-dom-testing (~> 2.0)
+      rails-dom-testing (~> 2.2)
-      rails-html-sanitizer (~> 1.1, >= 1.2.0)
+      rails-html-sanitizer (~> 1.6)
-    activejob (7.0.5)
+    activejob (7.1.3)
-      activesupport (= 7.0.5)
+      activesupport (= 7.1.3)
      globalid (>= 0.3.6)
-    activemodel (7.0.5)
+    activemodel (7.1.3)
-      activesupport (= 7.0.5)
+      activesupport (= 7.1.3)
-    activerecord (7.0.5)
+    activerecord (7.1.3)
-      activemodel (= 7.0.5)
+      activemodel (= 7.1.3)
-      activesupport (= 7.0.5)
+      activesupport (= 7.1.3)
-    activestorage (7.0.5)
+      timeout (>= 0.4.0)
-      actionpack (= 7.0.5)
+    activestorage (7.1.3)
-      activejob (= 7.0.5)
+      actionpack (= 7.1.3)
-      activerecord (= 7.0.5)
+      activejob (= 7.1.3)
-      activesupport (= 7.0.5)
+      activerecord (= 7.1.3)
      activesupport (= 7.1.3)
      marcel (~> 1.0)
-      mini_mime (>= 1.1.0)
+    activesupport (7.1.3)
-    activesupport (7.0.5)
+      base64
      bigdecimal
      concurrent-ruby (~> 1.0, >= 1.0.2)
      connection_pool (>= 2.2.5)
      drb
      i18n (>= 1.6, < 2)
      minitest (>= 5.1)
      mutex_m
      tzinfo (~> 2.0)
-    addressable (2.8.4)
+    addressable (2.8.6)
      public_suffix (>= 2.0.2, < 6.0)
    ast (2.4.2)
    aws-eventstream (1.3.0)
    aws-partitions (1.886.0)
    aws-sdk-core (3.191.0)
      aws-eventstream (~> 1, >= 1.3.0)
      aws-partitions (~> 1, >= 1.651.0)
      aws-sigv4 (~> 1.8)
      jmespath (~> 1, >= 1.6.1)
    aws-sdk-kms (1.77.0)
      aws-sdk-core (~> 3, >= 3.191.0)
      aws-sigv4 (~> 1.1)
    aws-sdk-s3 (1.143.0)
      aws-sdk-core (~> 3, >= 3.191.0)
      aws-sdk-kms (~> 1)
      aws-sigv4 (~> 1.8)
    aws-sigv4 (1.8.0)
      aws-eventstream (~> 1, >= 1.0.2)
    backport (1.2.0)
-    bcrypt (3.1.18)
+    base64 (0.2.0)
-    bech32 (1.3.0)
+    bcrypt (3.1.20)
    bech32 (1.4.2)
      thor (>= 1.1.0)
-    benchmark (0.2.1)
+    benchmark (0.3.0)
    bigdecimal (3.1.6)
    bindex (0.8.1)
-    bip-schnorr (0.6.0)
+    bip-schnorr (0.7.0)
      ecdsa_ext (~> 0.5.0)
    builder (3.2.4)
-    byebug (11.1.3)
+    capybara (3.40.0)
    capybara (3.39.2)
      addressable
      matrix
      mini_mime (>= 0.1.3)
-      nokogiri (~> 1.8)
+      nokogiri (~> 1.11)
      rack (>= 1.6.0)
      rack-test (>= 0.6.3)
      regexp_parser (>= 1.5, < 3.0)
      xpath (~> 3.2)
    chunky_png (1.4.0)
-    concurrent-ruby (1.2.2)
+    concurrent-ruby (1.2.3)
    connection_pool (2.4.1)
-    crack (0.4.5)
+    crack (0.4.6)
      bigdecimal
      rexml
    crass (1.0.6)
-    cssbundling-rails (1.1.2)
+    cssbundling-rails (1.4.0)
      railties (>= 6.0.0)
    database_cleaner (2.0.2)
      database_cleaner-active_record (>= 2, < 3)
@@ -115,8 +129,8 @@ GEM
      activerecord (>= 5.a)
      database_cleaner-core (~> 2.0.0)
    database_cleaner-core (2.0.1)
-    date (3.3.3)
+    date (3.3.4)
-    devise (4.9.2)
+    devise (4.9.3)
      bcrypt (~> 3.0)
      orm_adapter (~> 0.1)
      railties (>= 4.1.0)
@@ -125,7 +139,7 @@ GEM
    devise_ldap_authenticatable (0.8.7)
      devise (>= 3.4.1)
      net-ldap (>= 0.16.0)
-    diff-lcs (1.5.0)
+    diff-lcs (1.5.1)
    discourse_api (2.0.1)
      faraday (~> 2.7)
      faraday-follow_redirects
@@ -135,65 +149,79 @@ GEM
    dotenv-rails (2.8.1)
      dotenv (= 2.8.1)
      railties (>= 3.2)
    down (5.4.1)
      addressable (~> 2.8)
    drb (2.2.0)
      ruby2_keywords
    e2mmap (0.1.0)
    ecdsa (1.2.0)
-    ecdsa_ext (0.5.0)
+    ecdsa_ext (0.5.1)
      ecdsa (~> 1.2.0)
    erubi (1.12.0)
    et-orbi (1.2.7)
      tzinfo
    event_emitter (0.2.6)
    eventmachine (1.2.7)
-    factory_bot (6.2.1)
+    factory_bot (6.4.6)
      activesupport (>= 5.0.0)
-    factory_bot_rails (6.2.0)
+    factory_bot_rails (6.4.3)
-      factory_bot (~> 6.2.0)
+      factory_bot (~> 6.4)
      railties (>= 5.0.0)
-    faker (3.2.0)
+    faker (3.2.3)
      i18n (>= 1.8.11, < 2)
-    faraday (2.7.6)
+    faraday (2.9.0)
-      faraday-net_http (>= 2.0, < 3.1)
+      faraday-net_http (>= 2.0, < 3.2)
      ruby2_keywords (>= 0.0.4)
    faraday-follow_redirects (0.3.0)
      faraday (>= 1, < 3)
    faraday-multipart (1.0.4)
      multipart-post (~> 2)
-    faraday-net_http (3.0.2)
+    faraday-net_http (3.1.0)
-    faye-websocket (0.11.2)
+      net-http
    faye-websocket (0.11.3)
      eventmachine (>= 0.12.0)
      websocket-driver (>= 0.5.1)
-    ffi (1.15.5)
+    ffi (1.16.3)
-    flipper (0.28.0)
+    flipper (1.2.2)
      concurrent-ruby (< 2)
-    flipper-active_record (0.28.0)
+    flipper-active_record (1.2.2)
      activerecord (>= 4.2, < 8)
-      flipper (~> 0.28.0)
+      flipper (~> 1.2.2)
-    flipper-ui (0.28.0)
+    flipper-ui (1.2.2)
      erubi (>= 1.0.0, < 2.0.0)
-      flipper (~> 0.28.0)
+      flipper (~> 1.2.2)
-      rack (>= 1.4, < 3)
+      rack (>= 1.4, < 4)
      rack-protection (>= 1.5.3, <= 4.0.0)
      sanitize (< 7)
-    fugit (1.8.1)
+    fugit (1.9.0)
      et-orbi (~> 1, >= 1.2.7)
      raabro (~> 1.4)
-    globalid (1.1.0)
+    globalid (1.2.1)
-      activesupport (>= 5.0)
+      activesupport (>= 6.1)
-    hashdiff (1.0.1)
+    hashdiff (1.1.0)
    i18n (1.14.1)
      concurrent-ruby (~> 1.0)
-    importmap-rails (1.1.6)
+    image_processing (1.12.2)
      mini_magick (>= 4.9.5, < 5)
      ruby-vips (>= 2.0.17, < 3)
    importmap-rails (2.0.1)
      actionpack (>= 6.0.0)
      activesupport (>= 6.0.0)
      railties (>= 6.0.0)
    io-console (0.7.2)
    irb (1.11.1)
      rdoc
      reline (>= 0.4.2)
    jaro_winkler (1.5.6)
    jbuilder (2.11.5)
      actionview (>= 5.0.0)
      activesupport (>= 5.0.0)
-    json (2.6.3)
+    jmespath (1.6.2)
    json (2.7.1)
    kramdown (2.4.0)
      rexml
    kramdown-parser-gfm (1.1.0)
      kramdown (~> 2.0)
    language_server-protocol (3.17.0.3)
    launchy (2.5.2)
      addressable (~> 2.8)
    letter_opener (1.8.1)
@@ -206,10 +234,10 @@ GEM
    listen (3.8.0)
      rb-fsevent (~> 0.10, >= 0.10.3)
      rb-inotify (~> 0.9, >= 0.9.10)
-    lnurl (1.0.1)
+    lnurl (1.1.0)
      bech32 (~> 1.1)
-    lockbox (1.2.0)
+    lockbox (1.3.2)
-    loofah (2.21.3)
+    loofah (2.22.0)
      crass (~> 1.0.2)
      nokogiri (>= 1.12.0)
    mail (2.8.1)
@@ -217,64 +245,92 @@ GEM
      net-imap
      net-pop
      net-smtp
    manifique (1.1.0)
      faraday (~> 2.9.0)
      faraday-follow_redirects (= 0.3.0)
      nokogiri (~> 1.16.0)
    marcel (1.0.2)
    matrix (0.4.2)
    method_source (1.0.0)
-    mini_mime (1.1.2)
+    mini_magick (4.12.0)
-    minitest (5.18.0)
+    mini_mime (1.1.5)
    mini_portile2 (2.8.5)
    minitest (5.21.2)
    multipart-post (2.3.0)
-    net-imap (0.3.6)
+    mutex_m (0.2.0)
    net-http (0.4.1)
      uri
    net-imap (0.4.9.1)
      date
      net-protocol
-    net-ldap (0.18.0)
+    net-ldap (0.19.0)
    net-pop (0.1.2)
      net-protocol
-    net-protocol (0.2.1)
+    net-protocol (0.2.2)
      timeout
-    net-smtp (0.3.3)
+    net-smtp (0.4.0.1)
      net-protocol
-    nio4r (2.5.9)
+    nio4r (2.7.0)
-    nokogiri (1.15.2-arm64-darwin)
+    nokogiri (1.16.0)
      mini_portile2 (~> 2.8.2)
      racc (~> 1.4)
-    nokogiri (1.15.2-x86_64-linux)
+    nokogiri (1.16.0-arm64-darwin)
      racc (~> 1.4)
    nokogiri (1.16.0-x86_64-linux)
      racc (~> 1.4)
    nostr (0.6.0)
      bech32 (~> 1.4)
      bip-schnorr (~> 0.7)
      ecdsa (~> 1.2)
      event_emitter (~> 0.2)
      faye-websocket (~> 0.11)
      json (~> 2.6)
    orm_adapter (0.5.0)
-    pagy (6.0.4)
+    pagy (6.4.3)
-    parallel (1.23.0)
+    parallel (1.24.0)
-    parser (3.2.2.3)
+    parser (3.3.0.5)
      ast (~> 2.4.1)
      racc
-    pg (1.2.3)
+    pg (1.5.4)
-    public_suffix (5.0.1)
+    psych (5.1.2)
      stringio
    public_suffix (5.0.4)
    puma (4.3.12)
      nio4r (~> 2.0)
    raabro (1.4.0)
-    racc (1.7.1)
+    racc (1.7.3)
-    rack (2.2.7)
+    rack (2.2.8)
-    rack-protection (3.0.6)
+    rack-protection (3.2.0)
-      rack
+      base64 (>= 0.1.0)
      rack (~> 2.2, >= 2.2.4)
    rack-session (1.0.2)
      rack (< 3)
    rack-test (2.1.0)
      rack (>= 1.3)
-    rails (7.0.5)
+    rackup (1.0.0)
-      actioncable (= 7.0.5)
+      rack (< 3)
-      actionmailbox (= 7.0.5)
+      webrick
-      actionmailer (= 7.0.5)
+    rails (7.1.3)
-      actionpack (= 7.0.5)
+      actioncable (= 7.1.3)
-      actiontext (= 7.0.5)
+      actionmailbox (= 7.1.3)
-      actionview (= 7.0.5)
+      actionmailer (= 7.1.3)
-      activejob (= 7.0.5)
+      actionpack (= 7.1.3)
-      activemodel (= 7.0.5)
+      actiontext (= 7.1.3)
-      activerecord (= 7.0.5)
+      actionview (= 7.1.3)
-      activestorage (= 7.0.5)
+      activejob (= 7.1.3)
-      activesupport (= 7.0.5)
+      activemodel (= 7.1.3)
      activerecord (= 7.1.3)
      activestorage (= 7.1.3)
      activesupport (= 7.1.3)
      bundler (>= 1.15.0)
-      railties (= 7.0.5)
+      railties (= 7.1.3)
    rails-controller-testing (1.0.5)
      actionpack (>= 5.0.1.rc1)
      actionview (>= 5.0.1.rc1)
      activesupport (>= 5.0.1.rc1)
-    rails-dom-testing (2.0.3)
+    rails-dom-testing (2.2.0)
-      activesupport (>= 4.2.0)
+      activesupport (>= 5.0.0)
      minitest
      nokogiri (>= 1.6)
    rails-html-sanitizer (1.6.0)
      loofah (~> 2.21)
@@ -282,27 +338,32 @@ GEM
    rails-settings-cached (2.8.3)
      activerecord (>= 5.0.0)
      railties (>= 5.0.0)
-    railties (7.0.5)
+    railties (7.1.3)
-      actionpack (= 7.0.5)
+      actionpack (= 7.1.3)
-      activesupport (= 7.0.5)
+      activesupport (= 7.1.3)
-      method_source
+      irb
      rackup (>= 1.0.0)
      rake (>= 12.2)
-      thor (~> 1.0)
+      thor (~> 1.0, >= 1.2.2)
-      zeitwerk (~> 2.5)
+      zeitwerk (~> 2.6)
    rainbow (3.1.1)
-    rake (13.0.6)
+    rake (13.1.0)
    rb-fsevent (0.11.2)
    rb-inotify (0.10.1)
      ffi (~> 1.0)
    rbs (2.8.4)
    rdoc (6.6.2)
      psych (>= 4.0.0)
    redis (4.8.1)
-    regexp_parser (2.8.1)
+    regexp_parser (2.9.0)
-    responders (3.1.0)
+    reline (0.4.2)
      io-console (~> 0.5)
    responders (3.1.1)
      actionpack (>= 5.2)
      railties (>= 5.2)
    reverse_markdown (2.1.1)
      nokogiri
-    rexml (3.2.5)
+    rexml (3.2.6)
    rqrcode (2.2.0)
      chunky_png (~> 1.0)
      rqrcode_core (~> 1.0)
@@ -312,10 +373,10 @@ GEM
    rspec-expectations (3.12.3)
      diff-lcs (>= 1.2.0, < 2.0)
      rspec-support (~> 3.12.0)
-    rspec-mocks (3.12.5)
+    rspec-mocks (3.12.6)
      diff-lcs (>= 1.2.0, < 2.0)
      rspec-support (~> 3.12.0)
-    rspec-rails (6.0.3)
+    rspec-rails (6.1.1)
      actionpack (>= 6.1)
      activesupport (>= 6.1)
      railties (>= 6.1)
@@ -323,32 +384,35 @@ GEM
      rspec-expectations (~> 3.12)
      rspec-mocks (~> 3.12)
      rspec-support (~> 3.12)
-    rspec-support (3.12.0)
+    rspec-support (3.12.1)
-    rubocop (1.52.1)
+    rubocop (1.60.2)
      json (~> 2.3)
      language_server-protocol (>= 3.17.0)
      parallel (~> 1.10)
-      parser (>= 3.2.2.3)
+      parser (>= 3.3.0.2)
      rainbow (>= 2.2.2, < 4.0)
      regexp_parser (>= 1.8, < 3.0)
      rexml (>= 3.2.5, < 4.0)
-      rubocop-ast (>= 1.28.0, < 2.0)
+      rubocop-ast (>= 1.30.0, < 2.0)
      ruby-progressbar (~> 1.7)
      unicode-display_width (>= 2.4.0, < 3.0)
-    rubocop-ast (1.29.0)
+    rubocop-ast (1.30.0)
      parser (>= 3.2.1.0)
    ruby-progressbar (1.13.0)
    ruby-vips (2.2.0)
      ffi (~> 1.12)
    ruby2_keywords (0.0.5)
    rufus-scheduler (3.9.1)
      fugit (~> 1.1, >= 1.1.6)
-    sanitize (6.0.1)
+    sanitize (6.1.0)
      crass (~> 1.0.2)
      nokogiri (>= 1.12.0)
-    sentry-rails (5.9.0)
+    sentry-rails (5.16.1)
      railties (>= 5.0)
-      sentry-ruby (~> 5.9.0)
+      sentry-ruby (~> 5.16.1)
-    sentry-ruby (5.9.0)
+    sentry-ruby (5.16.1)
      concurrent-ruby (~> 1.0, >= 1.0.2)
-    sidekiq (6.5.9)
+    sidekiq (6.5.12)
      connection_pool (>= 2.2.5, < 3)
      rack (~> 2.0)
      redis (>= 4.5.0, < 5)
@@ -356,7 +420,7 @@ GEM
      rufus-scheduler (~> 3.2)
      sidekiq (>= 6, < 8)
      tilt (>= 1.4.0)
-    solargraph (0.49.0)
+    solargraph (0.50.0)
      backport (~> 1.2)
      benchmark
      bundler (~> 2.0)
@@ -372,56 +436,63 @@ GEM
      thor (~> 1.0)
      tilt (~> 2.0)
      yard (~> 0.9, >= 0.9.24)
-    sprockets (4.2.0)
+    sprockets (4.2.1)
      concurrent-ruby (~> 1.0)
      rack (>= 2.2.4, < 4)
    sprockets-rails (3.4.2)
      actionpack (>= 5.2)
      activesupport (>= 5.2)
      sprockets (>= 3.0.0)
-    sqlite3 (1.6.3-arm64-darwin)
+    sqlite3 (1.7.2)
-    sqlite3 (1.6.3-x86_64-linux)
+      mini_portile2 (~> 2.8.0)
-    stimulus-rails (1.2.1)
+    sqlite3 (1.7.2-arm64-darwin)
    sqlite3 (1.7.2-x86_64-linux)
    stimulus-rails (1.3.3)
      railties (>= 6.0.0)
-    thor (1.2.2)
+    stringio (3.1.0)
-    tilt (2.2.0)
+    thor (1.3.0)
-    timeout (0.3.2)
+    tilt (2.3.0)
-    turbo-rails (1.4.0)
+    timeout (0.4.1)
    turbo-rails (1.5.0)
      actionpack (>= 6.0.0)
      activejob (>= 6.0.0)
      railties (>= 6.0.0)
    tzinfo (2.0.6)
      concurrent-ruby (~> 1.0)
-    unicode-display_width (2.4.2)
+    unicode-display_width (2.5.0)
-    view_component (3.2.0)
+    uri (0.13.0)
    view_component (3.10.0)
      activesupport (>= 5.2.0, < 8.0)
      concurrent-ruby (~> 1.0)
      method_source (~> 1.0)
    warden (1.2.9)
      rack (>= 2.0.9)
-    web-console (4.2.0)
+    web-console (4.2.1)
      actionview (>= 6.0.0)
      activemodel (>= 6.0.0)
      bindex (>= 0.4.0)
      railties (>= 6.0.0)
-    webmock (3.18.1)
+    webmock (3.19.1)
      addressable (>= 2.8.0)
      crack (>= 0.3.2)
      hashdiff (>= 0.4.0, < 2.0.0)
-    websocket-driver (0.7.5)
+    webrick (1.8.1)
    websocket-driver (0.7.6)
      websocket-extensions (>= 0.1.0)
    websocket-extensions (0.1.5)
    xpath (3.2.0)
      nokogiri (~> 1.8)
    yard (0.9.34)
-    zeitwerk (2.6.8)
+    zeitwerk (2.6.12)
 PLATFORMS
  arm64-darwin-22
  ruby
  x86_64-linux
 DEPENDENCIES
-  byebug (~> 11.1)
+  aws-sdk-s3
  bcrypt (~> 3.1)
  capybara
  cssbundling-rails
  database_cleaner
@@ -429,12 +500,14 @@ DEPENDENCIES
  devise_ldap_authenticatable
  discourse_api
  dotenv-rails
  down
  factory_bot_rails
  faker
  faraday
  flipper
  flipper-active_record
  flipper-ui
  image_processing (~> 1.12.2)
  importmap-rails
  jbuilder (~> 2.7)
  letter_opener
@@ -442,12 +515,13 @@ DEPENDENCIES
  listen (~> 3.2)
  lnurl
  lockbox
  manifique (~> 1.1.0)
  net-ldap
-  nostr!
+  nostr (~> 0.6.0)
  pagy (~> 6.0, >= 6.0.2)
-  pg (~> 1.2.3)
+  pg (~> 1.5)
  puma (~> 4.1)
-  rails (~> 7.0.2)
+  rails (~> 7.1)
  rails-controller-testing
  rails-settings-cached (~> 2.8.3)
  rqrcode (~> 2.0)
@@ -458,14 +532,14 @@ DEPENDENCIES
  sidekiq-scheduler
  solargraph
  sprockets-rails
-  sqlite3 (~> 1.4)
+  sqlite3 (~> 1.7.2)
  stimulus-rails
  turbo-rails
  tzinfo-data
  view_component
  warden
-  web-console (>= 3.3.0)
+  web-console (~> 4.2)
  webmock
 BUNDLED WITH
-   2.3.7
+   2.5.11
--- a/README.md
+++ b/README.md
@@ -14,8 +14,10 @@ so:
 1. Make sure [Docker Compose is installed][1] and Docker is running (included in
   Docker Desktop)
-3. Run `docker compose up` and wait until 389ds announces its successful start
+3. Run `docker compose up --build` and wait until all services have started
-   in the log output
+   (389ds might take an extra minute to be ready). This will take a while when
   running for the first time, so you might want to do something else in the
   meantime.
 4. `docker-compose exec ldap dsconf localhost backend create --suffix="dc=kosmos,dc=org" --be-name="dev"`
 5. `docker compose run web rails ldap:setup`
 6. `docker compose run web rails db:setup`
@@ -28,38 +30,44 @@ have the password "user is user".
 ### Rails app
 _Note: when using Docker Compose, prefix the following commands with `docker-compose
 run web`._
 Installing dependencies:
    bundle install
    yarn install
-Setting up local database (SQLite):
+Migrating the local database (after schema changes):
    bundle exec rails db:create
    bundle exec rails db:migrate
-Running the dev server and auto-building CSS files on change:
+Running the dev server, and auto-building CSS files on change _(automatic with Docker Compose)_:
    bin/dev
-Running the background workers (requires Redis):
+Running the background workers (requires Redis) _(automatic with Docker Compose)_:
    bundle exec sidekiq -C config/sidekiq.yml
-Running all specs:
+Running the test suite:
    bundle exec rspec
-### Docker (Compose)
+Running the test suite with Docker Compose requires overriding the Rails
 environment:
-There is a working Docker Compose config file, which define a number of services including
+    docker-compose run -e "RAILS_ENV=test" web rspec
 an app server for Rails as well as a local 389ds (LDAP) server.
-For Rails developers, you probably just want to start the LDAP server: `docker-compose up ldap`, 
+### Docker Compose
 listening on port 389 on your machine. 
-You can pick and choose your services adding them by name (listed in `docker-compose.yml`) at 
+Services/containers are configured in `docker-compose.yml`.
-the end of the docker compose command. eg. `docker compose up ldap redis`
+
 You can run services selectively, for example if you want to run the Rails app
 and test suite on the host machine. Just add the service names of the
 containers you want to run to the `up` command, like so:
    docker-compose up ldap redis
 #### LDAP server
@@ -76,8 +84,24 @@ Now you can seed the back-end with data using this Rails task:
 The setup task will first delete any existing entries in the directory tree
 ("dc=kosmos,dc=org"), and then create our development entries.
-Note that all 389ds data is stored in `tmp/389ds`. So if you want to start over
+Note that all 389ds data is stored in the `389ds-data` volume. So if you want
-with a fresh installation, delete both that directory as well as the container.
+to start over with a fresh installation, delete both that volume as well as the
 container.
 #### Minio / remoteStorage
 If you want to run remoteStorage accounts locally, you will have to create the
 respective bucket first. With the `minio` container running (run by default
 when using Docker Compose), follow these steps:
 * `docker compose up web redis minio liquor-cabinet`
 * Head to http://localhost:9001 and log in with user `minioadmin`, password
  `minioadmin`
 * Create a new bucket called `remotestorage` (or whatever you
  change the `S3_BUCKET` config to)
 * Create a new key with ID "dev-key" and secret "123456789" (or whatever you
  change `S3_ACCESS_KEY` and `S3_SECRET_KEY` to). Leave the policy field empty,
  as it will automatically allow access to the bucket you created.
 ### Adding npm modules to use with Stimulus controllers
--- a/app/assets/stylesheets/components/buttons.css
+++ b/app/assets/stylesheets/components/buttons.css
@@ -32,11 +32,21 @@
           focus:ring-blue-400 focus:ring-opacity-75;
  }
  .btn-emerald {
    @apply bg-emerald-500 hover:bg-emerald-600 text-white
           focus:ring-emerald-400 focus:ring-opacity-75;
  }
  .btn-red {
    @apply bg-red-600 hover:bg-red-700 text-white
           focus:ring-red-500 focus:ring-opacity-75;
  }
  .btn-outline-purple {
    @apply border-2 border-purple-500 hover:bg-purple-100
           focus:ring-purple-400 focus:ring-opacity-75;
  }
  .btn:disabled {
    @apply bg-gray-100 hover:bg-gray-200 text-gray-400
           focus:ring-gray-300 focus:ring-opacity-75;
--- a/app/assets/stylesheets/components/dashboard_services.css
+++ b/app/assets/stylesheets/components/dashboard_services.css
@@ -1,5 +1,5 @@
@layer components {
  .services > div > a {
-    background-image: linear-gradient(110deg, rgba(255,255,255,0.99) 0, rgba(255,255,255,0.88) 100%);
+    background-image: linear-gradient(110deg, rgba(255,255,255,0.99) 20%, rgba(255,255,255,0.88) 100%);
  }
 }
--- a/app/components/app_catalog/web_app_icon_component.html.erb
+++ b/app/components/app_catalog/web_app_icon_component.html.erb
@@ -0,0 +1,5 @@
 <% if @image_url %>
  <%= image_tag @image_url, class: "h-full w-full" %>
 <% else %>
  <%= render partial: "icons/remotestorage", locals: { custom_class: "h-full w-full p-0.5 text-gray-200" } %>
 <% end %>
--- a/app/components/app_catalog/web_app_icon_component.rb
+++ b/app/components/app_catalog/web_app_icon_component.rb
@@ -0,0 +1,21 @@
 # frozen_string_literal: true
 module AppCatalog
  class WebAppIconComponent < ViewComponent::Base
    def initialize(web_app:)
      if web_app&.icon&.attached?
        @image_url = image_url_for(web_app.icon)
      elsif web_app&.apple_touch_icon&.attached?
        @image_url = image_url_for(web_app.apple_touch_icon)
      end
    end
    def image_url_for(attachment)
      if Setting.s3_enabled?
        s3_image_url(attachment)
      else
        Rails.application.routes.url_helpers.rails_blob_path(attachment, only_path: true)
      end
    end
  end
 end
--- a/app/components/dropdown_component.html.erb
+++ b/app/components/dropdown_component.html.erb
@@ -0,0 +1,34 @@
 <div data-controller="dropdown" data-action="click->dropdown#toggle click@window->dropdown#hide">
  <div class="relative inline-block">
    <div role="button" tabindex="0" data-dropdown-target="button"
         class="inline-block select-none">
      <% if @size == :large %>
      <span class="appearance-none flex items-center inline-block">
        <span class="p-2 bg-gray-50 hover:bg-gray-100 rounded-full">
          <%= render partial: "icons/#{@icon_name}",
                     locals: { custom_class: "inline text-gray-500 h-6 w-6" } %>
        </span>
      </span>
      <% elsif @size == :small %>
      <span class="appearance-none flex items-center inline-block">
        <span class="text-gray-500 hover:text-blue-600">
          <%= render partial: "icons/#{@icon_name}",
                     locals: { custom_class: "inline h-4 w-4" } %>
        </span>
      </span>
      <% end %>
    </div>
    <div data-dropdown-target="menu"
         data-transition-enter="transition ease-out duration-200"
         data-transition-enter-from="opacity-0 translate-y-1"
         data-transition-enter-to="opacity-100 translate-y-0"
         data-transition-leave="transition ease-in duration-150"
         data-transition-leave-from="opacity-100 translate-y-0"
         data-transition-leave-to="opacity-0 translate-y-1"
         class="hidden absolute top-4 right-0 z-10 mt-5 flex w-screen max-w-max">
      <div class="bg-white shadow-lg rounded border overflow-hidden w-auto">
        <%= content %>
      </div>
    </div>
  </div>
 </div>
--- a/app/components/dropdown_component.rb
+++ b/app/components/dropdown_component.rb
@@ -0,0 +1,8 @@
 # frozen_string_literal: true
 class DropdownComponent < ViewComponent::Base
  def initialize(size: :large, icon_name: "kebap-menu")
    @size = size.to_sym
    @icon_name = icon_name
  end
 end
--- a/app/components/dropdown_link_component.html.erb
+++ b/app/components/dropdown_link_component.html.erb
@@ -0,0 +1,6 @@
 <%= link_to @href, class: @class, data: {
      'dropdown-target': "menuItem",
      'action': "keydown.up->dropdown#previousItem:prevent keydown.down->dropdown#nextItem:prevent"
    } do %>
  <%= content %>
 <% end %>
--- a/app/components/dropdown_link_component.rb
+++ b/app/components/dropdown_link_component.rb
@@ -0,0 +1,18 @@
 # frozen_string_literal: true
 class DropdownLinkComponent < ViewComponent::Base
  def initialize(href:, separator: false, add_class: nil)
    @href = href
    @class = class_str(separator, add_class)
  end
  private
  def class_str(separator, add_class)
    str = "no-underline block px-5 py-3 text-sm text-gray-900 bg-white
           hover:bg-gray-100 focus:bg-gray-100 whitespace-no-wrap"
    str = "#{str} border-t" if separator
    str = "#{str} #{add_class}" if add_class
    str
  end
 end
--- a/app/components/form_elements/fieldset_resettable_setting_component.html.erb
+++ b/app/components/form_elements/fieldset_resettable_setting_component.html.erb
@@ -6,6 +6,7 @@
    ) do %>
  <%= method("#{@type}_field").call :setting, @key,
    value: Setting.public_send(@key),
    placeholder: @placeholder,
    data: {
      :'default-value' => Setting.get_field(@key)[:default]
    },
--- a/app/components/form_elements/fieldset_resettable_setting_component.rb
+++ b/app/components/form_elements/fieldset_resettable_setting_component.rb
@@ -2,14 +2,15 @@
 module FormElements
  class FieldsetResettableSettingComponent < ViewComponent::Base
-    def initialize(tag: "li", key:, type: :text, title:, description: nil)
+    def initialize(tag: "li", key:, type: :text, title:, description: nil, placeholder: nil)
      @tag         = tag
      @positioning = :vertical
      @title       = title
-      @descripton  = description
+      @description  = description
      @key         = key.to_sym
      @type        = type
      @resettable  = is_resettable?(@key)
      @placeholder = placeholder
    end
    def is_resettable?(key)
--- a/app/components/form_elements/fieldset_toggle_component.html.erb
+++ b/app/components/form_elements/fieldset_toggle_component.html.erb
@@ -5,7 +5,9 @@
      } : nil do %>
  <div class="flex flex-col">
    <label class="font-bold mb-1"><%= @title %></label>
-    <p class="text-gray-500"><%= @descripton %></p>
+    <% if @description.present? %>
    <p class="text-gray-500"><%= @description %></p>
    <% end %>
  </div>
  <div class="relative ml-4 inline-flex flex-shrink-0">
    <%= render FormElements::ToggleComponent.new(
--- a/app/components/form_elements/fieldset_toggle_component.rb
+++ b/app/components/form_elements/fieldset_toggle_component.rb
@@ -3,7 +3,7 @@
 module FormElements
  class FieldsetToggleComponent < ViewComponent::Base
    def initialize(tag: "li", form: nil, attribute: nil, field_name: nil,
-                   enabled: false, input_enabled: true, title:, description:)
+                   enabled: false, input_enabled: true, title:, description: nil)
      @tag = tag
      @form = form
      @attribute = attribute
@@ -12,7 +12,7 @@ module FormElements
      @enabled = enabled
      @input_enabled = input_enabled
      @title = title
-      @descripton = description
+      @description = description
      @button_text = @enabled ? "Switch off" : "Switch on"
    end
  end
--- a/app/components/main_with_tabnav_component.html.erb
+++ b/app/components/main_with_tabnav_component.html.erb
@@ -1,5 +1,5 @@
 <main class="w-full max-w-6xl mx-auto pb-12 px-4 md:px-6 lg:px-8">
-  <div class="bg-white rounded-lg shadow">
+  <div class="md:min-h-[50vh] bg-white rounded-lg shadow">
    <div class="px-6 sm:px-12 pt-2 sm:pt-4">
      <%= render partial: @tabnav_partial %>
    </div>
--- a/app/components/modal_component.html.erb
+++ b/app/components/modal_component.html.erb
@@ -12,15 +12,17 @@
    <!-- Modal Container -->
    <div data-modal-target="container"
-         class="max-h-screen w-auto max-w-lg relative
+         class="relative m-4 max-h-screen w-auto max-w-full
                hidden animate-scale-in fixed inset-0 overflow-y-auto flex items-center justify-center">
      <!-- Modal Card -->
      <div class="m-1 bg-white rounded shadow">
        <div class="p-8">
          <%= content %>
          <% if @show_close_button %>
          <div class="flex justify-end items-center flex-wrap mt-6">
            <button class="btn-md btn-blue" data-action="click->modal#close:prevent">Close</button>
          </div>
          <% end %>
        </div>
      </div>
    </div>
--- a/app/components/modal_component.rb
+++ b/app/components/modal_component.rb
@@ -1,2 +1,5 @@
 class ModalComponent < ViewComponent::Base
  def initialize(show_close_button: true)
    @show_close_button = show_close_button
  end
 end
--- a/app/components/notification_component.rb
+++ b/app/components/notification_component.rb
@@ -34,6 +34,8 @@ class NotificationComponent < ViewComponent::Base
      'alert-octagon'
    when 'alert'
      'alert-octagon'
    when 'warning'
      'alert-octagon'
    else
      'info'
    end
--- a/app/components/rs_auth_component.html.erb
+++ b/app/components/rs_auth_component.html.erb
@@ -0,0 +1,26 @@
 <div class="flex items-center gap-4">
  <div class="h-16 w-16 flex-none">
    <%= render AppCatalog::WebAppIconComponent.new(web_app: @web_app) %>
  </div>
  <div class="flex-grow">
    <h4 class="mb-1 text-lg font-bold">
      <%= @web_app&.name || @auth.app_name %>
    </h4>
    <p class="text-sm text-gray-500">
      <%= @auth.client_id %>
    </p>
  </div>
  <%= render DropdownComponent.new do %>
    <%= render DropdownLinkComponent.new(
          href: launch_app_services_storage_rs_auth_url(@auth)
        ) do %>
      Launch app
    <% end %>
    <%= render DropdownLinkComponent.new(
          href: revoke_services_storage_rs_auth_url(@auth),
          separator: true, add_class: "text-red-700"
        ) do %>
      Revoke access
    <% end %>
  <% end %>
 </div>
--- a/app/components/rs_auth_component.rb
+++ b/app/components/rs_auth_component.rb
@@ -0,0 +1,8 @@
 # frozen_string_literal: true
 class RsAuthComponent < ViewComponent::Base
  def initialize(auth:)
    @auth = auth
    @web_app = auth.web_app
  end
 end
--- a/app/components/sidenav_link_component.html.erb
+++ b/app/components/sidenav_link_component.html.erb
@@ -1,4 +1,8 @@
 <%= link_to @path, class: @link_class, title: (@disabled ? "Coming soon" : nil) do %>
  <% if @icon.present? %>
  <%= render partial: "icons/#{@icon}", locals: { custom_class: @icon_class } %>
  <% elsif @text_icon.present? %>
  <span class="mr-3"><%= @text_icon %></span>
  <% end %>
  <span class="truncate"><%= @name %></span>
 <% end %>
--- a/app/components/sidenav_link_component.rb
+++ b/app/components/sidenav_link_component.rb
@@ -1,11 +1,13 @@
 # frozen_string_literal: true
 class SidenavLinkComponent < ViewComponent::Base
-  def initialize(name:, level: 1, path:, icon:, active: false, disabled: false)
+  def initialize(name:, level: 1, path:, icon: nil, text_icon: nil,
                 active: false, disabled: false)
    @name = name
    @level = level
    @path = path
    @icon = icon
    @text_icon = text_icon
    @active = active
    @disabled = disabled
    @link_class = class_names_link(path)
--- a/app/controllers/admin/app_catalog/web_apps_controller.rb
+++ b/app/controllers/admin/app_catalog/web_apps_controller.rb
@@ -0,0 +1,9 @@
 class Admin::AppCatalog::WebAppsController < Admin::AppCatalogController
  def index
    @pagy, @web_apps = pagy(AppCatalog::WebApp.order('created_at desc'))
    @stats = {
      known_apps: AppCatalog::WebApp.count
    }
  end
 end
--- a/app/controllers/admin/app_catalog_controller.rb
+++ b/app/controllers/admin/app_catalog_controller.rb
@@ -0,0 +1,9 @@
 class Admin::AppCatalogController < Admin::BaseController
  before_action :set_current_section
  private
    def set_current_section
      @current_section = :app_catalog
    end
 end
--- a/app/controllers/admin/donations_controller.rb
+++ b/app/controllers/admin/donations_controller.rb
@@ -3,18 +3,16 @@ class Admin::DonationsController < Admin::BaseController
  before_action :set_current_section, only: [:index, :show, :new, :edit]
  # GET /donations
  # GET /donations.json
  def index
-    @pagy, @donations = pagy(Donation.all.order('created_at desc'))
+    @pagy, @donations = pagy(Donation.completed.order('paid_at desc'))
    @stats = {
-      overall_sats: @donations.all.sum("amount_sats"),
+      overall_sats: @donations.sum("amount_sats"),
-      donor_count: Donation.distinct.count(:user_id)
+      donor_count: Donation.completed.count(:user_id)
    }
  end
  # GET /donations/1
  # GET /donations/1.json
  def show
  end
@@ -28,54 +26,41 @@ class Admin::DonationsController < Admin::BaseController
  end
  # POST /donations
  # POST /donations.json
  def create
    @donation = Donation.new(donation_params)
-    respond_to do |format|
+    if @donation.paid_at == nil
-      if @donation.save
+      @donation.errors.add(:paid_at, message: "is required")
-        format.html do
+      render :new, status: :unprocessable_entity and return
-          redirect_to admin_donation_url(@donation), flash: {
+    end
-            success: 'Donation was successfully created.'
+
-          }
+    if @donation.save
-        end
+      redirect_to admin_donation_url(@donation), flash: {
-        format.json { render :show, status: :created, location: @donation }
+        success: 'Donation was successfully created.'
-      else
+      }
-        format.html { render :new, status: :unprocessable_entity }
+    else
-        format.json { render json: @donation.errors, status: :unprocessable_entity }
+      render :new, status: :unprocessable_entity
      end
    end
  end
-  # PATCH/PUT /donations/1
+  # PUT /donations/1
  # PATCH/PUT /donations/1.json
  def update
-    respond_to do |format|
+    if @donation.update(donation_params)
-      if @donation.update(donation_params)
+      redirect_to admin_donation_url(@donation), flash: {
-        format.html do
+        success: 'Donation was successfully updated.'
-          redirect_to admin_donation_url(@donation), flash: {
+      }
-            success: 'Donation was successfully updated.'
+    else
-          }
+      render :edit, status: :unprocessable_entity
        end
        format.json { render :show, status: :ok, location: @donation }
      else
        format.html { render :edit, status: :unprocessable_entity }
        format.json { render json: @donation.errors, status: :unprocessable_entity }
      end
    end
  end
  # DELETE /donations/1
  # DELETE /donations/1.json
  def destroy
    @donation.destroy
-    respond_to do |format|
+
-      format.html do redirect_to admin_donations_url, flash: {
+    redirect_to admin_donations_url, flash: {
-        success: 'Donation was successfully destroyed.'
+      success: 'Donation was successfully destroyed.'
-      }
+    }
      end
      format.json { head :no_content }
    end
  end
  private
@@ -86,7 +71,10 @@ class Admin::DonationsController < Admin::BaseController
    # Only allow a list of trusted parameters through.
    def donation_params
-      params.require(:donation).permit(:user_id, :amount_sats, :amount_eur, :amount_usd, :public_name, :paid_at)
+      params.require(:donation).permit(
        :user_id, :donation_method,
        :amount_sats, :fiat_amount, :fiat_currency,
        :public_name, :paid_at)
    end
    def set_current_section
--- a/app/controllers/admin/settings/registrations_controller.rb
+++ b/app/controllers/admin/settings/registrations_controller.rb
@@ -1,12 +1,20 @@
 class Admin::Settings::RegistrationsController < Admin::SettingsController
-  def index
+  def show
  end
-  def create
+  def update
    update_settings
    redirect_to admin_settings_registrations_path, flash: {
      success: "Settings saved"
    }
  end
  private
    def setting_params
      params.require(:setting).permit([
        :reserved_usernames, default_services: []
      ])
    end
 end
--- a/app/controllers/admin/settings/services_controller.rb
+++ b/app/controllers/admin/settings/services_controller.rb
@@ -1,19 +1,32 @@
 class Admin::Settings::ServicesController < Admin::SettingsController
-  def index
+  before_action :set_service, only: [:show, :update]
    @service = params[:s]
-    if @service.blank?
+  def index
-      redirect_to admin_settings_services_path(params: { s: "discourse" })
+    redirect_to admin_settings_service_path("btcpay")
    end
  end
-  def create
+  def show
-    service = params.require(:service)
+  end
  def update
    update_settings
-    redirect_to admin_settings_services_path(params: { s: service }), flash: {
+    redirect_to admin_settings_service_path(@service), flash: {
      success: "Settings saved"
    }
  end
  private
    def set_subsection
      @subsection = "services"
    end
    def set_service
      @service = params[:service]
      if @service.blank?
        redirect_to admin_settings_services_path and return
      end
    end
 end
--- a/app/controllers/admin/settings_controller.rb
+++ b/app/controllers/admin/settings_controller.rb
@@ -9,22 +9,23 @@ class Admin::SettingsController < Admin::BaseController
    changed_keys = []
    setting_params.keys.each do |key|
-      next if setting_params[key].nil? ||
+      next if clean_param(key).nil? ||
-              (Setting.send(key).to_s == setting_params[key].strip)
+        (Setting.send(key).to_s == clean_param(key))
      changed_keys.push(key)
      setting = Setting.new(var: key)
-      setting.value = setting_params[key].strip
+      setting.value = clean_param(key)
      unless setting.valid?
        @errors.merge!(setting.errors)
      end
    end
    if @errors.any?
-      render :index and return
+      render :show and return
    end
    changed_keys.each do |key|
-      Setting.send("#{key}=", setting_params[key].strip)
+      Setting.send("#{key}=", clean_param(key))
    end
  end
@@ -37,4 +38,12 @@ class Admin::SettingsController < Admin::BaseController
    def setting_params
      params.require(:setting).permit(Setting.editable_keys.map(&:to_sym))
    end
    def clean_param(key)
      if Setting.get_field(key)[:type] == :string
        setting_params[key].strip
      else
        setting_params[key]
      end
    end
 end
--- a/app/controllers/admin/users_controller.rb
+++ b/app/controllers/admin/users_controller.rb
@@ -1,11 +1,11 @@
 class Admin::UsersController < Admin::BaseController
-  before_action :set_user, only: [:show]
+  before_action :set_user, except: [:index]
  before_action :set_current_section
  # GET /admin/users
  def index
    ldap   = LdapService.new
-    @ou    = params[:ou] || Setting.primary_domain
+    @ou    = Setting.primary_domain
    @orgs  = ldap.fetch_organizations
    @pagy, @users = pagy(User.where(ou: @ou).order(cn: :asc))
    @stats = {
@@ -14,19 +14,46 @@ class Admin::UsersController < Admin::BaseController
    }
  end
  # GET /admin/users/:username
  def show
    if Setting.lndhub_admin_enabled?
      @lndhub_user = @user.lndhub_user
    end
    @services_enabled = @user.services_enabled
    @avatar = LdapManager::FetchAvatar.call(cn: @user.cn)
  end
  # POST /admin/users/:username/invitations
  def create_invitations
    amount = params[:amount].to_i
    notify_user = ActiveRecord::Type::Boolean.new.cast(params[:notify_user])
    CreateInvitations.call(user: @user, amount: amount, notify: notify_user)
    redirect_to admin_user_path(@user.cn), flash: {
      success: "Added #{amount} invitations to #{@user.cn}'s account"
    }
  end
  # DELETE /admin/users/:username/invitations
  def delete_invitations
    invitations = @user.invitations.unused
    amount = invitations.count
    invitations.destroy_all
    redirect_to admin_user_path(@user.cn), flash: {
      success: "Removed #{amount} invitations from #{@user.cn}'s account"
    }
  end
  private
  def set_user
-    address = params[:address].split("@")
+    @user = User.find_by(cn: params[:username], ou: Setting.primary_domain)
-    @user = User.where(cn: address.first, ou: address.last).first
+    http_status :not_found unless @user
  end
  def set_current_section
--- a/app/controllers/api/btcpay_controller.rb
+++ b/app/controllers/api/btcpay_controller.rb
@@ -0,0 +1,37 @@
 class Api::BtcpayController < Api::BaseController
  before_action :require_feature_enabled
  before_action :set_cors_access_control_headers
  def onchain_btc_balance
    balance = BtcpayManager::FetchOnchainWalletBalance.call
    render json: balance
  rescue => error
    Rails.logger.warn "Failed to fetch BTC wallet balance: #{error.message}"
    render json: { error: 'Failed to fetch wallet balance' },
           status: 500
  end
  def lightning_btc_balance
    balance = BtcpayManager::FetchLightningWalletBalance.call
    render json: balance
  rescue => error
    Rails.logger.warn "Failed to fetch BTC lightning balance: #{error.message}"
    render json: { error: 'Failed to fetch wallet balance' },
           status: 500
  end
  private
    def require_feature_enabled
      unless Setting.btcpay_publish_wallet_balances
        http_status :not_found and return
      end
    end
    def set_cors_access_control_headers
      return unless Rails.env.development?
      headers['Access-Control-Allow-Origin'] = "*"
      headers['Access-Control-Allow-Headers'] = "*"
      headers['Access-Control-Allow-Methods'] = "GET"
    end
 end
--- a/app/controllers/api/kredits_controller.rb
+++ b/app/controllers/api/kredits_controller.rb
@@ -1,13 +0,0 @@
 class Api::KreditsController < Api::BaseController
  def onchain_btc_balance
    btcpay = BtcPay.new
    balance = btcpay.onchain_wallet_balance
    render json: balance
  rescue => error
    Rails.logger.warn "Failed to fetch kredits BTC wallet balance: #{error.message}"
    render json: { error: 'Failed to fetch wallet balance' },
           status: 500
  end
 end
--- a/app/controllers/application_controller.rb
+++ b/app/controllers/application_controller.rb
@@ -37,4 +37,35 @@ class ApplicationController < ActionController::Base
      format.any  { head status }
    end
  end
  def after_sign_in_path_for(user)
    session[:user_return_to] || root_path
  end
  def lndhub_authenticate(options={})
    if session[:ln_auth_token].present? && !options[:force_reauth]
      @ln_auth_token = session[:ln_auth_token]
    else
      lndhub = Lndhub.new
      auth_token = lndhub.authenticate(current_user)
      session[:ln_auth_token] = auth_token
      @ln_auth_token = auth_token
    end
  rescue => e
    Sentry.capture_exception(e) if Setting.sentry_enabled?
  end
  def lndhub_fetch_balance
    @balance = LndhubManager::FetchUserBalance.call(auth_token: @ln_auth_token)
  rescue AuthError
    lndhub_authenticate(force_reauth: true)
    raise if @fetch_balance_retried
    @fetch_balance_retried = true
    lndhub_fetch_balance
  end
  def nostr_event_from_params
    params.permit!
    params[:signed_event].to_h.symbolize_keys
  end
 end
--- a/app/controllers/contributions/donations_controller.rb
+++ b/app/controllers/contributions/donations_controller.rb
@@ -1,10 +1,129 @@
 class Contributions::DonationsController < ApplicationController
-  before_action :authenticate_user!
+  include BtcpayHelper
-  # GET /donations
+  before_action :authenticate_user!
-  # GET /donations.json
+  before_action :set_donation_methods, only: [:index, :create]
  before_action :require_donation_method_enabled, only: [:create]
  before_action :validate_donation_params, only: [:create]
  before_action :set_donation, only: [:confirm_btcpay]
  # GET /contributions/donations
  def index
    @donations = current_user.donations.completed
    @current_section = :contributions
    @donations_completed = current_user.donations.completed.order('paid_at desc')
    @donations_pending = current_user.donations.processing.order('created_at desc')
    if Setting.lndhub_enabled?
      begin
        lndhub_authenticate
        lndhub_fetch_balance
      rescue
        @balance = 0
      end
    end
  end
  # POST /contributions/donations
  def create
    if params[:currency] == "sats"
      fiat_amount = nil
      fiat_currency = nil
      amount_sats = params[:amount]
    else
      fiat_amount = params[:amount].to_i
      fiat_currency = params[:currency]
      amount_sats = nil
    end
    @donation = current_user.donations.create!(
      donation_method: params[:donation_method],
      payment_method: nil,
      paid_at: nil,
      amount_sats: amount_sats,
      fiat_amount: (fiat_amount.nil? ? nil : fiat_amount * 100), # store in cents
      fiat_currency: fiat_currency,
      public_name: params[:public_name]
    )
    case params[:donation_method]
    when "btcpay"
      res = BtcpayManager::CreateInvoice.call(
        amount: fiat_amount || (amount_sats.to_f / 100000000),
        currency: fiat_currency || "BTC",
        redirect_url: confirm_btcpay_contributions_donation_url(@donation)
      )
      @donation.update! btcpay_invoice_id: res["id"]
      redirect_to btcpay_checkout_url(res["id"]), allow_other_host: true
    else
      redirect_to contributions_donations_url, flash: {
        error: "Donation method currently not available"
      }
    end
  end
  def confirm_btcpay
    redirect_to contributions_donations_url and return if @donation.completed?
    invoice = BtcpayManager::FetchInvoice.call(invoice_id: @donation.btcpay_invoice_id)
    if @donation.amount_sats.present?
      # TODO make default fiat currency configurable and/or determine from user's
      # i18n browser settings
      @donation.fiat_currency = "EUR"
      exchange_rate = BtcpayManager::FetchExchangeRate.call(fiat_currency: @donation.fiat_currency)
      @donation.fiat_amount = (((@donation.amount_sats.to_f / 100000000) * exchange_rate) * 100).to_i
    else
      amt_str = invoice["paymentMethods"].first["amount"]
      @donation.amount_sats = amt_str.tr(".","").sub(/0*$/, "").to_i
    end
    case invoice["status"]
    when "Settled"
      @donation.paid_at = DateTime.now
      @donation.payment_status = "settled"
      @donation.save!
      flash_message = { success: "Thank you!" }
    when "Processing"
      unless @donation.processing?
        @donation.payment_status = "processing"
        @donation.save!
        flash_message = { success: "Thank you! We will send you an email when the payment is confirmed." }
        BtcpayCheckDonationJob.set(wait: 20.seconds).perform_later(@donation)
      end
    when "Expired"
      flash_message = { warning: "The payment request for this donation has expired" }
    else
      flash_message = { warning: "Could not determine status of payment" }
    end
    redirect_to contributions_donations_url, flash: flash_message
  end
  private
    def set_donation
      @donation = current_user.donations.find_by(id: params[:id])
      http_status :not_found unless @donation.present?
    end
    def set_donation_methods
      @donation_methods = []
      @donation_methods.push :btcpay if Setting.btcpay_enabled?
      @donation_methods.push :lndhub if Setting.lndhub_enabled?
      @donation_methods.push :opencollective if Setting.opencollective_enabled?
    end
    def require_donation_method_enabled
      http_status :forbidden unless @donation_methods.include?(
        params[:donation_method].to_sym
      )
    end
    def validate_donation_params
      if !%w[EUR USD sats].include?(params[:currency]) || (params[:amount].to_i <= 0)
        http_status :unprocessable_entity
      end
    end
 end
--- a/app/controllers/lnurlpay_controller.rb
+++ b/app/controllers/lnurlpay_controller.rb
@@ -1,23 +1,33 @@
 class LnurlpayController < ApplicationController
-  before_action :check_feature_enabled
+  before_action :check_service_available
-  before_action :find_user_by_address
+  before_action :find_user
  before_action :set_cors_access_control_headers
  MIN_SATS = 10
  MAX_SATS = 1_000_000
  MAX_COMMENT_CHARS = 100
  # GET /.well-known/lnurlp/:username
  def index
-    render json: {
+    res = {
      status: "OK",
-      callback: "https://accounts.kosmos.org/lnurlpay/#{@user.address}/invoice",
+      callback: "https://#{Setting.accounts_domain}/lnurlpay/#{@user.cn}/invoice",
      tag: "payRequest",
      maxSendable: MAX_SATS * 1000, # msat
      minSendable: MIN_SATS * 1000, # msat
      metadata: metadata(@user.address),
      commentAllowed: MAX_COMMENT_CHARS
    }
    if Setting.nostr_enabled?
      res[:allowsNostr] = true
      res[:nostrPubkey] = Setting.nostr_public_key
    end
    render json: res
  end
  # GET /.well-known/keysend/:username
  def keysend
    http_status :not_found and return unless Setting.lndhub_keysend_enabled?
@@ -32,64 +42,120 @@ class LnurlpayController < ApplicationController
    }
  end
  # GET /lnurlpay/:username/invoice
  def invoice
-    amount = params[:amount].to_i / 1000 # msats
+    amount = params[:amount].to_i / 1000 # msats to sats
    address = params[:address]
    comment = params[:comment] || ""
    address = @user.address
    if !valid_amount?(amount)
      render json: { status: "ERROR", reason: "Invalid amount" }
      return
    end
-    if !valid_comment?(comment)
+    if params[:nostr].present? && Setting.nostr_enabled?
-      render json: { status: "ERROR", reason: "Comment too long" }
+      handle_zap_request amount, params[:nostr], params[:lnurl]
-      return
+    else
      handle_pay_request address, amount, comment
    end
  end
  private
    def set_cors_access_control_headers
      headers['Access-Control-Allow-Origin'] = "*"
      headers['Access-Control-Allow-Headers'] = "*"
      headers['Access-Control-Allow-Methods'] = "GET"
    end
-    memo = "To #{address}"
+    def check_service_available
-    memo = "#{memo}: \"#{comment}\"" if comment.present?
+      http_status :not_found unless Setting.lndhub_enabled?
    end
-    payment_request = @user.ln_create_invoice({
+    def find_user
-      amount: amount, # we create invoices in sats
+      @user = User.where(cn: params[:username], ou: Setting.primary_domain).first
-      memo: memo,
+      http_status :not_found if @user.nil?
-      description_hash: Digest::SHA2.hexdigest(metadata(address)),
+    end
    })
-    render json: {
+    def metadata(address)
-      status: "OK",
+      "[[\"text/identifier\",\"#{address}\"],[\"text/plain\",\"Sats for #{address}\"]]"
-      successAction: {
+    end
        tag: "message",
        message: "Sats received. Thank you!"
      },
      routes: [],
      pr: payment_request
    }
  end
-  private
+    def valid_amount?(amount_in_sats)
      amount_in_sats <= MAX_SATS && amount_in_sats >= MIN_SATS
    end
-  def find_user_by_address
+    def valid_comment?(comment)
-    address = params[:address].split("@")
+      comment.length <= MAX_COMMENT_CHARS
-    @user = User.where(cn: address.first, ou: address.last).first
+    end
    http_status :not_found if @user.nil?
  end
-  def metadata(address)
+    def handle_pay_request(address, amount, comment)
-    "[[\"text/identifier\", \"#{address}\"], [\"text/plain\", \"Send sats, receive thanks.\"]]"
+      if !valid_comment?(comment)
-  end
+        render json: { status: "ERROR", reason: "Comment too long" }
        return
      end
-  def valid_amount?(amount_in_sats)
+      desc = "To #{address}"
-    amount_in_sats <= MAX_SATS && amount_in_sats >= MIN_SATS
+      desc = "#{desc}: \"#{comment}\"" if comment.present?
  end
-  def valid_comment?(comment)
+      invoice = LndhubManager::CreateUserInvoice.call(
-    comment.length <= MAX_COMMENT_CHARS
+        user: @user, payload: {
-  end
+          amount: amount, # sats
          description: desc,
          description_hash: Digest::SHA256.hexdigest(metadata(address)),
        }
      )
-  private
+      render json: {
        status: "OK",
        successAction: {
          tag: "message",
          message: "Sats received. Thank you!"
        },
        routes: [],
        pr: invoice["payment_request"]
      }
    end
-  def check_feature_enabled
+    def nostr_event_from_payload(nostr_param)
-    http_status :not_found unless Setting.lndhub_enabled?
+      event_obj = JSON.parse(nostr_param).transform_keys(&:to_sym)
-  end
+      Nostr::Event.new(**event_obj)
    rescue => e
      return nil
    end
    def valid_zap_request?(amount, event, lnurl)
      NostrManager::VerifyZapRequest.call(
        amount: amount, event: event, lnurl: lnurl
      )
    end
    def handle_zap_request(amount, nostr_param, lnurl_param)
      event = nostr_event_from_payload(nostr_param)
      unless event.present? && valid_zap_request?(amount*1000, event, lnurl_param)
        render json: { status: "ERROR", reason: "Invalid zap request" }
        return
      end
      # TODO might want to use the existing invoice and zap record if there are
      # multiple calls with the same zap request
      desc = "Zap for #{@user.address}"
      desc = "#{desc}: \"#{event.content}\"" if event.content.present?
      invoice = LndhubManager::CreateUserInvoice.call(
        user: @user, payload: {
          amount: amount, # sats
          description: desc,
          description_hash: Digest::SHA256.hexdigest(event.to_json),
        }
      )
      @user.zaps.create! request: event,
                         payment_request: invoice["payment_request"],
                         amount: amount
      render json: { status: "OK", pr: invoice["payment_request"] }
    end
 end
--- a/app/controllers/rs/oauth_controller.rb
+++ b/app/controllers/rs/oauth_controller.rb
@@ -3,8 +3,7 @@ class Rs::OauthController < ApplicationController
  before_action :authenticate_user!, only: :create
  def new
-    username, org  = params[:useraddress].split("@")
+    @user          = User.where(cn: params[:username].downcase, ou: Setting.primary_domain).first
    @user          = User.where(cn: username.downcase, ou: org).first
    @scopes        = parse_scopes params[:scope]
    @redirect_uri  = params[:redirect_uri]
    @client_id     = params[:client_id]
@@ -22,7 +21,7 @@ class Rs::OauthController < ApplicationController
    unless current_user == @user
      sign_out :user
-      redirect_to new_rs_oauth_url(@user.address,
+      redirect_to new_rs_oauth_url(@user.cn,
                                   scope: params[:scope],
                                   redirect_uri: params[:redirect_uri],
                                   client_id: params[:client_id],
@@ -88,7 +87,7 @@ class Rs::OauthController < ApplicationController
      permissions: permissions,
      client_id: client_id,
      redirect_uri: redirect_uri,
-      app_name: client_id, #TODO use user-defined name
+      app_name: client_id,
      expire_at: expire_at
    )
@@ -96,28 +95,15 @@ class Rs::OauthController < ApplicationController
                allow_other_host: true
  end
  # GET /rs/oauth/token/:id/launch_app
  def launch_app
    auth = current_user.remote_storage_authorizations.find(params[:id])
    redirect_to app_auth_url(auth), allow_other_host: true
  end
  private
  def require_signed_in_with_username
    unless user_signed_in?
-      username, org = params[:useraddress].split("@")
+      session[:user_return_to] = request.url
-      redirect_to new_user_session_path(cn: username, ou: org)
+      redirect_to new_user_session_path(cn: params[:username], ou: Setting.primary_domain)
    end
  end
  def app_auth_url(auth)
    url = "#{auth.url}#remotestorage=#{current_user.address}"
    url += "&access_token=#{auth.token}"
    url
  end
  def hostname_of(uri)
    uri.gsub(/http(s)?:\/\//, "").split(":")[0].split("/")[0]
  end
--- a/app/controllers/services/chat_controller.rb
+++ b/app/controllers/services/chat_controller.rb
@@ -3,7 +3,7 @@ class Services::ChatController < Services::BaseController
  before_action :require_service_available
  def show
-    @service_enabled = current_user.services_enabled.include?(:xmpp)
+    @service_enabled = current_user.service_enabled?(:ejabberd)
  end
  private
--- a/app/controllers/services/email_controller.rb
+++ b/app/controllers/services/email_controller.rb
@@ -0,0 +1,34 @@
 class Services::EmailController < Services::BaseController
  before_action :authenticate_user!
  before_action :require_service_available
  before_action :require_feature_enabled
  def show
    ldap_entry = current_user.ldap_entry
    @service_enabled = ldap_entry[:email_password].present?
    @maildrop = ldap_entry[:email_maildrop]
    @email_forwarding_active = @maildrop.present? &&
                               @maildrop.split("@").first != current_user.cn
  end
  def new_password
    if session[:new_email_password].present?
      @new_password = session.delete(:new_email_password)
    else
      redirect_to setting_path(:email)
    end
  end
  private
    def require_service_available
      http_status :not_found unless Setting.email_enabled?
    end
    def require_feature_enabled
      unless Flipper.enabled?(:email, current_user)
        http_status :forbidden
      end
    end
 end
--- a/app/controllers/services/lightning_controller.rb
+++ b/app/controllers/services/lightning_controller.rb
@@ -2,10 +2,11 @@ require "rqrcode"
 require "lnurl"
 class Services::LightningController < ApplicationController
  before_action :authenticate_user!
  before_action :authenticate_with_lndhub
  before_action :set_current_section
-  before_action :fetch_balance
+  before_action :require_service_available
  before_action :authenticate_user!
  before_action :lndhub_authenticate
  before_action :lndhub_fetch_balance
  def index
    @wallet_setup_url = "lndhub://#{current_user.ln_account}:#{current_user.ln_password}@#{ENV['LNDHUB_PUBLIC_URL']}"
@@ -55,32 +56,12 @@ class Services::LightningController < ApplicationController
  private
  def authenticate_with_lndhub(options={})
    if session[:ln_auth_token].present? && !options[:force_reauth]
      @ln_auth_token = session[:ln_auth_token]
    else
      lndhub = Lndhub.new
      auth_token = lndhub.authenticate(current_user)
      session[:ln_auth_token] = auth_token
      @ln_auth_token = auth_token
    end
  rescue => e
    Sentry.capture_exception(e) if Setting.sentry_enabled?
  end
  def set_current_section
    @current_section = :services
  end
-  def fetch_balance
+  def require_service_available
-    lndhub = Lndhub.new
+    http_status :not_found unless Setting.lndhub_enabled?
    data = lndhub.balance @ln_auth_token
    @balance = data["BTC"]["AvailableBalance"] rescue nil
  rescue AuthError
    authenticate_with_lndhub(force_reauth: true)
    raise if @fetch_balance_retried
    @fetch_balance_retried = true
    fetch_balance
  end
  def fetch_transactions
--- a/app/controllers/services/mastodon_controller.rb
+++ b/app/controllers/services/mastodon_controller.rb
@@ -3,7 +3,7 @@ class Services::MastodonController < Services::BaseController
  before_action :require_service_available
  def show
-    @service_enabled = current_user.services_enabled.include?(:mastodon)
+    @service_enabled = current_user.service_enabled?(:mastodon)
  end
  private
--- a/app/controllers/services/remotestorage_controller.rb
+++ b/app/controllers/services/remotestorage_controller.rb
@@ -1,23 +1,25 @@
 class Services::RemotestorageController < Services::BaseController
  before_action :authenticate_user!
  before_action :require_feature_enabled
  before_action :require_service_available
  before_action :require_feature_enabled
-  def dashboard
+  # Dashboard
-    # unless current_user.services_enabled.include?(:remotestorage)
+  def show
    # unless current_user.service_enabled?(:remotestorage)
    #   redirect_to service_remotestorage_info_path
    # end
    # @rs_apps_connected = current_user.remote_storage_authorizations.any?
  end
  private
    def require_service_available
      http_status :not_found unless Setting.remotestorage_enabled?
    end
    def require_feature_enabled
      unless Flipper.enabled?(:remotestorage, current_user)
        http_status :forbidden
      end
    end
    def require_service_available
      http_status :not_found unless Setting.remotestorage_enabled?
    end
 end
--- a/app/controllers/services/rs_auths_controller.rb
+++ b/app/controllers/services/rs_auths_controller.rb
@@ -0,0 +1,47 @@
 class Services::RsAuthsController < Services::BaseController
  before_action :authenticate_user!
  before_action :require_feature_enabled
  before_action :require_service_available
  # before_action :require_service_enabled
  before_action :find_rs_auth, only: [:destroy, :launch_app]
  def index
    @rs_auths = current_user.remote_storage_authorizations
    # TODO sort by app name?
  end
  def destroy
    @auth.destroy!
    respond_to do |format|
      format.html do redirect_to apps_services_storage_url, flash: {
        success: 'App authorization revoked'
      }
      end
      format.json { head :no_content }
    end
  end
  def launch_app
    launch_url = "#{@auth.launch_url}#remotestorage=#{current_user.address}&access_token=#{@auth.token}"
    redirect_to launch_url, allow_other_host: true
  end
  private
    def require_feature_enabled
      unless Flipper.enabled?(:remotestorage, current_user)
        http_status :forbidden
      end
    end
    def require_service_available
      http_status :not_found unless Setting.remotestorage_enabled?
    end
    def find_rs_auth
      @auth = current_user.remote_storage_authorizations.find(params[:id])
      http_status :not_found unless @auth.present?
    end
 end
--- a/app/controllers/settings_controller.rb
+++ b/app/controllers/settings_controller.rb
@@ -1,17 +1,22 @@
-require 'securerandom'
+require "securerandom"
 require "bcrypt"
 class SettingsController < ApplicationController
  before_action :authenticate_user!
  before_action :set_main_nav_section
-  before_action :set_settings_section, only: [:show, :update, :update_email]
+  before_action :set_settings_section, only: [:show, :update, :update_email, :reset_email_password]
-  before_action :set_user, only: [:show, :update, :update_email]
+  before_action :set_user, only: [:show, :update, :update_email, :reset_email_password]
  def index
    redirect_to setting_path(:profile)
  end
  def show
-    if @settings_section == "experiments"
+    case @settings_section
    when "lightning"
      @notifications_enabled = @user.preferences[:lightning_notify_sats_received] != "disabled" ||
                               @user.preferences[:lightning_notify_zap_received] != "disabled"
    when "nostr"
      session[:shared_secret] ||= SecureRandom.base64(12)
    end
  end
@@ -19,10 +24,15 @@ class SettingsController < ApplicationController
  def update
    @user.preferences.merge!(user_params[:preferences] || {})
    @user.display_name = user_params[:display_name]
    @user.avatar_new = user_params[:avatar]
    if @user.save
      if @user.display_name && (@user.display_name != @user.ldap_entry[:display_name])
-        LdapManager::UpdateDisplayName.call(@user.dn, user_params[:display_name])
+        LdapManager::UpdateDisplayName.call(dn: @user.dn, display_name: @user.display_name)
      end
      if @user.avatar_new.present?
        LdapManager::UpdateAvatar.call(dn: @user.dn, file: @user.avatar_new)
      end
      redirect_to setting_path(@settings_section), flash: {
@@ -35,7 +45,7 @@ class SettingsController < ApplicationController
  end
  def update_email
-    if @user.valid_ldap_authentication?(email_params[:current_password])
+    if @user.valid_ldap_authentication?(security_params[:current_password])
      if @user.update email: email_params[:email]
        redirect_to setting_path(:account), flash: {
          notice: 'Please confirm your new address using the confirmation link we just sent you.'
@@ -51,6 +61,28 @@ class SettingsController < ApplicationController
    end
  end
  def reset_email_password
    @user.current_password = security_params[:current_password]
    if @user.valid_ldap_authentication?(@user.current_password)
      @user.current_password = nil
      session[:new_email_password] = generate_email_password
      hashed_password = hash_email_password(session[:new_email_password])
      LdapManager::UpdateEmailPassword.call(dn: @user.dn, password_hash: hashed_password)
      if @user.ldap_entry[:email_maildrop] != @user.address
        LdapManager::UpdateEmailMaildrop.call(dn: @user.dn, address: @user.address)
      end
      redirect_to new_password_services_email_path
    else
      @validation_errors = {
        current_password: [ "Wrong password. Try again!" ]
      }
      render :show, status: :forbidden
    end
  end
  def reset_password
    current_user.send_reset_password_instructions
    sign_out current_user
@@ -59,40 +91,39 @@ class SettingsController < ApplicationController
  end
  def set_nostr_pubkey
-    signed_event = nostr_event_params[:signed_event].to_h.symbolize_keys
+    signed_event = Nostr::Event.new(**nostr_event_from_params)
    is_valid_id  = NostrManager::ValidateId.call(signed_event)
    is_valid_sig = NostrManager::VerifySignature.call(signed_event)
    is_correct_content = signed_event[:content] == "Connect my public key to #{current_user.address} (confirmation #{session[:shared_secret]})"
-    unless is_valid_id && is_valid_sig && is_correct_content
+    is_valid_sig  = signed_event.verify_signature
    is_valid_auth = NostrManager::VerifyAuth.call(
      event: signed_event,
      challenge: session[:shared_secret]
    )
    unless is_valid_sig && is_valid_auth
      flash[:alert] = "Public key could not be verified"
      http_status :unprocessable_entity and return
    end
-    pubkey_taken = User.all_except(current_user).where(
+    user_with_pubkey = LdapManager::FetchUserByNostrKey.call(pubkey: signed_event.pubkey)
      ou: current_user.ou, nostr_pubkey: signed_event[:pubkey]
    ).any?
-    if pubkey_taken
+    if user_with_pubkey.present? && (user_with_pubkey != current_user)
      flash[:alert] = "Public key already in use for a different account"
      http_status :unprocessable_entity and return
    end
-    current_user.update! nostr_pubkey: signed_event[:pubkey]
+    LdapManager::UpdateNostrKey.call(dn: current_user.dn, pubkey: signed_event.pubkey)
    session[:shared_secret] = nil
    flash[:success] = "Public key verification successful"
    http_status :ok
  rescue
    flash[:alert] = "Public key could not be verified"
    http_status :unprocessable_entity and return
  end
  # DELETE /settings/nostr_pubkey
  def remove_nostr_pubkey
-    current_user.update! nostr_pubkey: nil
+    # TODO require current pubkey or password to delete
    LdapManager::UpdateNostrKey.call(dn: current_user.dn, pubkey: nil)
-    redirect_to setting_path(:experiments), flash: {
+    redirect_to setting_path(:nostr), flash: {
      success: 'Public key removed from account'
    }
  end
@@ -105,7 +136,10 @@ class SettingsController < ApplicationController
    def set_settings_section
      @settings_section = params[:section]
-      allowed_sections = [:profile, :account, :lightning, :xmpp, :experiments]
+      allowed_sections = [
        :profile, :account, :xmpp, :email,
        :lightning, :remotestorage, :nostr
      ]
      unless allowed_sections.include?(@settings_section.to_sym)
        redirect_to setting_path(:profile)
@@ -117,19 +151,26 @@ class SettingsController < ApplicationController
    end
    def user_params
-      params.require(:user).permit(:display_name, preferences: [
+      params.require(:user).permit(
-        :lightning_notify_sats_received,
+        :display_name, :avatar, preferences: UserPreferences.pref_keys
-        :xmpp_exchange_contacts_with_invitees
+      )
      ])
    end
    def email_params
-      params.require(:user).permit(:email, :current_password)
+      params.require(:user).permit(:email)
    end
-    def nostr_event_params
+    def security_params
-      params.permit(signed_event: [
+      params.require(:user).permit(:current_password)
-        :id, :pubkey, :created_at, :kind, :tags, :content, :sig
+    end
-      ])
+
    def generate_email_password
      characters = [('a'..'z'), ('A'..'Z'), (0..9)].map(&:to_a).flatten
      SecureRandom.random_bytes(16).each_byte.map { |b| characters[b % characters.length] }.join
    end
    def hash_email_password(password)
      salt = BCrypt::Engine.generate_salt
      BCrypt::Engine.hash_secret(password, salt)
    end
 end
--- a/app/controllers/signup_controller.rb
+++ b/app/controllers/signup_controller.rb
@@ -96,13 +96,13 @@ class SignupController < ApplicationController
    session[:new_user] = nil
    session[:validation_error] = nil
-    CreateAccount.call(
+    CreateAccount.call(account: {
      username: @user.cn,
      domain: Setting.primary_domain,
      email: @user.email,
      password: @user.password,
      invitation: @invitation
-    )
+    })
  end
  def set_context
--- a/app/controllers/users/sessions_controller.rb
+++ b/app/controllers/users/sessions_controller.rb
@@ -0,0 +1,62 @@
 # frozen_string_literal: true
 class Users::SessionsController < Devise::SessionsController
  # before_action :configure_sign_in_params, only: [:create]
  # GET /resource/sign_in
  def new
    session[:shared_secret] = SecureRandom.base64(12)
    super
  end
  # POST /resource/sign_in
  # def create
  #   super
  # end
  # DELETE /resource/sign_out
  # def destroy
  #   super
  # end
  # POST /users/nostr_login
  def nostr_login
    signed_event = Nostr::Event.new(**nostr_event_from_params)
    is_valid_sig  = signed_event.verify_signature
    is_valid_auth = NostrManager::VerifyAuth.call(
      event: signed_event,
      challenge: session[:shared_secret]
    )
    session[:shared_secret] = nil
    unless is_valid_sig && is_valid_auth
      flash[:alert] = "Login verification failed"
      http_status :unauthorized and return
    end
    user = LdapManager::FetchUserByNostrKey.call(pubkey: signed_event.pubkey)
    if user.present?
      set_flash_message!(:notice, :signed_in)
      sign_in("user", user)
      render json: { redirect_url: after_sign_in_path_for(user) }, status: :ok
    else
      flash[:alert] = "Failed to find your account. Nostr login may be disabled."
      http_status :unauthorized
    end
  end
  protected
    def set_flash_message(key, kind, options = {})
      # Hide flash message after redirecting from a signin route while logged in
      super unless key == :alert && kind == "already_authenticated"
    end
  # If you have extra params to permit, append them to the sanitizer.
  # def configure_sign_in_params
  #   devise_parameter_sanitizer.permit(:sign_in, keys: [:attribute])
  # end
 end
--- a/app/controllers/webfinger_controller.rb
+++ b/app/controllers/webfinger_controller.rb
@@ -1,20 +1,23 @@
-class WebfingerController < ApplicationController
+class WebfingerController < WellKnownController
  before_action :allow_cross_origin_requests, only: [:show]
  layout false
  def show
    resource = params[:resource]
-    if resource && resource.match(/acct:\w+/)
+    if resource && @useraddress = resource.match(/acct:(.+)/)&.[](1)
-      useraddress = resource.split(":").last
+      @username, @domain = @useraddress.split("@")
-      username, org = useraddress.split("@")
+
-      username.downcase!
+      unless Rails.env.development?
-      unless User.where(cn: username, ou: org).any?
+        # Allow different domains (e.g. localhost:3000) in development only
        head 404 and return unless @domain == Setting.primary_domain
      end
      unless @user = User.where(ou: Setting.primary_domain)
                         .find_by(cn: @username.downcase)
        head 404 and return
      end
-      render json: webfinger(useraddress).to_json,
+      render json: webfinger.to_json,
             content_type: "application/jrd+json"
    else
      head 422 and return
@@ -23,24 +26,61 @@ class WebfingerController < ApplicationController
  private
-  def webfinger(useraddress)
+  def webfinger
-    links = [];
+    jrd = {
      subject: "acct:#{@user.address}",
      aliases: [],
      links: []
    }
-    links << remotestorage_link(useraddress) if Setting.remotestorage_enabled
+    if Setting.mastodon_enabled && @user.service_enabled?(:mastodon)
      # https://docs.joinmastodon.org/spec/webfinger/
      jrd[:aliases] += mastodon_aliases
      jrd[:links] += mastodon_links
    end
-    { "links" => links }
+    if Setting.remotestorage_enabled && @user.service_enabled?(:remotestorage)
      # https://datatracker.ietf.org/doc/draft-dejong-remotestorage/
      jrd[:links] << remotestorage_link
    end
    jrd
  end
-  def remotestorage_link(useraddress)
+  def mastodon_aliases
-    # TODO use when OAuth routes are available
+    [
-    # auth_url = new_rs_oauth_url(useraddress)
+      "#{Setting.mastodon_public_url}/@#{@user.cn}",
-    auth_url = "https://example.com/rs/oauth"
+      "#{Setting.mastodon_public_url}/users/#{@user.cn}"
-    storage_url = "#{Setting.rs_storage_url}/#{useraddress}"
+    ]
  end
  def mastodon_links
    [
      {
        rel: "http://webfinger.net/rel/profile-page",
        type: "text/html",
        href: "#{Setting.mastodon_public_url}/@#{@user.cn}"
      },
      {
        rel: "self",
        type: "application/activity+json",
        href: "#{Setting.mastodon_public_url}/users/#{@user.cn}"
      },
      {
        rel: "http://ostatus.org/schema/1.0/subscribe",
        template: "#{Setting.mastodon_public_url}/authorize_interaction?uri={uri}"
      }
    ]
  end
  def remotestorage_link
    auth_url = new_rs_oauth_url(@username, host: Setting.accounts_domain)
    storage_url = "#{Setting.rs_storage_url}/#{@username}"
    {
-      "rel" => "http://tools.ietf.org/id/draft-dejong-remotestorage",
+      rel: "http://tools.ietf.org/id/draft-dejong-remotestorage",
-      "href" => storage_url,
+      href: storage_url,
-      "properties" => {
+      properties: {
        "http://remotestorage.io/spec/version" => "draft-dejong-remotestorage-13",
        "http://tools.ietf.org/html/rfc6749#section-4.2" => auth_url,
        "http://tools.ietf.org/html/rfc6750#section-2.3" => nil, # access token via a HTTP query parameter
@@ -49,9 +89,4 @@ class WebfingerController < ApplicationController
      }
    }
  end
  def allow_cross_origin_requests
    headers['Access-Control-Allow-Origin'] = '*'
    headers['Access-Control-Allow-Methods'] = 'GET, POST, PUT, OPTIONS'
  end
 end
--- a/app/controllers/webhooks_controller.rb
+++ b/app/controllers/webhooks_controller.rb
@@ -2,45 +2,76 @@ class WebhooksController < ApplicationController
  skip_forgery_protection
  before_action :authorize_request
  before_action :process_payload
  def lndhub
-    begin
+    @user = User.find_by!(ln_account: @payload[:user_login])
-      payload = JSON.parse(request.body.read, symbolize_names: true)
+
-      head :no_content and return unless payload[:type] == "incoming"
+    if @zap = @user.zaps.find_by(payment_request: @payload[:payment_request])
-    rescue
+      settled_at = Time.parse(@payload[:settled_at])
-      head :unprocessable_entity and return
+      zap_receipt = NostrManager::CreateZapReceipt.call(
        zap: @zap,
        paid_at: settled_at.to_i,
        preimage: @payload[:preimage]
      )
      @zap.update! settled_at: settled_at, receipt: zap_receipt.to_h
      NostrManager::PublishZapReceipt.call(zap: @zap)
    end
-    user = User.find_by!(ln_account: payload[:user_login])
+    send_notifications
    notify = user.preferences[:lightning_notify_sats_received]
    case notify
    when "xmpp"
      notify_xmpp(user.address, payload[:amount], payload[:memo])
    when "email"
      NotificationMailer.with(user: user, amount_sats: payload[:amount])
                        .lightning_sats_received.deliver_later
    end
    head :ok
  end
  private
  # TODO refactor into mailer-like generic class/service
  def notify_xmpp(address, amt_sats, memo)
    payload = {
      type: "normal",
      from: Setting.primary_domain,
      to: address,
      subject: "Sats received!",
      body: "#{helpers.number_with_delimiter amt_sats} sats received in your Lightning wallet:\n> #{memo}"
    }
    XmppSendMessageJob.perform_later(payload)
  end
  def authorize_request
    if !ENV['WEBHOOKS_ALLOWED_IPS'].split(',').include?(request.remote_ip)
      head :forbidden and return
    end
  end
  def process_payload
    @payload = JSON.parse(request.body.read, symbolize_names: true)
    unless @payload[:type] == "incoming" &&
           @payload[:state] == "settled"
      head :no_content and return
    end
  rescue
    head :unprocessable_entity and return
  end
  def send_notifications
    return if @payload[:amount] < @user.preferences[:lightning_notify_min_sats]
    if @user.preferences[:lightning_notify_only_with_message]
      return if @payload[:memo].blank?
    end
    target = @zap.present? ? @user.preferences[:lightning_notify_zap_received] :
                             @user.preferences[:lightning_notify_sats_received]
    case target
    when "xmpp"
      notify_xmpp
    when "email"
      notify_email
    end
  end
  # TODO refactor into mailer-like generic class/service
  def notify_xmpp
    XmppSendMessageJob.perform_later({
      type: "normal",
      from: Setting.xmpp_notifications_from_address,
      to: @user.address,
      subject: "Sats received!",
      body: "#{helpers.number_with_delimiter @payload[:amount]} sats received in your Lightning wallet:\n> #{@payload[:memo]}"
    })
  end
  def notify_email
    NotificationMailer.with(user: @user, amount_sats: @payload[:amount])
                      .lightning_sats_received.deliver_later
  end
 end
--- a/app/controllers/well_known_controller.rb
+++ b/app/controllers/well_known_controller.rb
@@ -1,16 +1,47 @@
 class WellKnownController < ApplicationController
  before_action :require_nostr_enabled, only: [ :nostr ]
  before_action :allow_cross_origin_requests, only: [ :nostr ]
  layout false
  def nostr
    http_status :unprocessable_entity and return if params[:name].blank?
    domain = request.headers["X-Forwarded-Host"].presence || Setting.primary_domain
-    @user = User.where(cn: params[:name], ou: domain).first
+    relay_url = Setting.nostr_relay_url.presence
-    http_status :not_found and return if @user.nil? || @user.nostr_pubkey.blank?
+
    if params[:name] == "_"
      if domain == Setting.primary_domain
        # pubkey for the primary domain without a username (e.g. kosmos.org)
        res = { names: { "_": Setting.nostr_public_key_primary_domain.presence || Setting.nostr_public_key } }
      else
        # pubkey for the akkounts domain without a username (e.g. accounts.kosmos.org)
        res = { names: { "_": Setting.nostr_public_key } }
      end
      res[:relays] = { "_" => [ relay_url ] } if relay_url
    else
      @user = User.where(cn: params[:name], ou: domain).first
      http_status :not_found and return if @user.nil? || @user.nostr_pubkey.blank?
      res = { names: { @user.cn => @user.nostr_pubkey } }
      res[:relays] = { @user.nostr_pubkey => [ relay_url ] } if relay_url
    end
    respond_to do |format|
      format.json do
-        render json: {
+        render json: res.to_json
          names: { "#{@user.cn}": @user.nostr_pubkey }
        }.to_json
      end
    end
  end
  private
    def require_nostr_enabled
      http_status :not_found unless Setting.nostr_enabled?
    end
    def allow_cross_origin_requests
      headers['Access-Control-Allow-Origin'] = "*"
      headers['Access-Control-Allow-Methods'] = "GET"
    end
 end
--- a/app/helpers/application_helper.rb
+++ b/app/helpers/application_helper.rb
@@ -1,10 +1,6 @@
 module ApplicationHelper
  include Pagy::Frontend
  def sats_to_btc(sats)
    sats.to_f / 100000000
  end
  def main_nav_class(current_section, link_to_section)
    if current_section == link_to_section
      "bg-gray-900/50 text-white px-3 py-2 rounded-md font-medium text-base md:text-sm block md:inline-block"
--- a/app/helpers/btcpay_helper.rb
+++ b/app/helpers/btcpay_helper.rb
@@ -0,0 +1,7 @@
 module BtcpayHelper
  def btcpay_checkout_url(invoice_id)
    "#{Setting.btcpay_public_url}/i/#{invoice_id}"
  end
 end
--- a/app/helpers/dashboard_helper.rb
+++ b/app/helpers/dashboard_helper.rb
@@ -1,2 +0,0 @@
 module DashboardHelper
 end
--- a/app/helpers/donations_helper.rb
+++ b/app/helpers/donations_helper.rb
@@ -1,2 +0,0 @@
 module DonationsHelper
 end
--- a/app/helpers/invitations_helper.rb
+++ b/app/helpers/invitations_helper.rb
@@ -1,2 +0,0 @@
 module InvitationsHelper
 end
--- a/app/helpers/lnurlpay_helper.rb
+++ b/app/helpers/lnurlpay_helper.rb
@@ -1,2 +0,0 @@
 module LnurlpayHelper
 end
--- a/app/helpers/services_helper.rb
+++ b/app/helpers/services_helper.rb
@@ -0,0 +1,12 @@
 module ServicesHelper
  def service_human_name(key, category = :external)
    SERVICES[category][key][:name] || key.to_s
  end
  def service_display_name(key, category = :external)
    SERVICES[category][key][:display_name] ||
    service_human_name(key, category)
  end
 end
--- a/app/helpers/settings_helper.rb
+++ b/app/helpers/settings_helper.rb
@@ -1,2 +0,0 @@
 module SettingsHelper
 end
--- a/app/helpers/signup_helper.rb
+++ b/app/helpers/signup_helper.rb
@@ -1,2 +0,0 @@
 module SignupHelper
 end
--- a/app/helpers/users_helper.rb
+++ b/app/helpers/users_helper.rb
@@ -1,2 +0,0 @@
 module UsersHelper
 end
--- a/app/helpers/wallet_helper.rb
+++ b/app/helpers/wallet_helper.rb
@@ -1,2 +0,0 @@
 module WalletHelper
 end
--- a/app/helpers/welcome_helper.rb
+++ b/app/helpers/welcome_helper.rb
@@ -1,2 +0,0 @@
 module WelcomeHelper
 end
--- a/app/javascript/controllers/application.js
+++ b/app/javascript/controllers/application.js
@@ -1,8 +1,9 @@
 import { Application } from "@hotwired/stimulus"
-import { Modal, Tabs } from "tailwindcss-stimulus-components"
+import { Dropdown, Modal, Tabs } from "tailwindcss-stimulus-components"
 const application = Application.start()
 application.register('dropdown', Dropdown)
 application.register('modal', Modal)
 application.register('tabs', Tabs)
--- a/app/javascript/controllers/nostr_login_controller.js
+++ b/app/javascript/controllers/nostr_login_controller.js
@@ -0,0 +1,57 @@
 import { Controller } from "@hotwired/stimulus"
 // import { Nostrify } from '@nostrify/nostrify';
 // Connects to data-controller="nostr-login"
 export default class extends Controller {
  static targets = [ "loginForm", "loginButton" ]
  static values  = { site: String, sharedSecret: String }
  connect() {
    // window.Nostrify = Nostrify;
    // console.log(Nostrify);
    if (window.nostr) {
      this.loginButtonTarget.disabled = false
      this.loginFormTarget.classList.remove("hidden")
    }
  }
  async login () {
    this.loginButtonTarget.disabled = true
    try {
      // Auth based on NIP-42
      const signedEvent = await window.nostr.signEvent({
        created_at: Math.floor(Date.now() / 1000),
        kind: 22242,
        tags: [
          ["site", this.siteValue],
          ["challenge", this.sharedSecretValue]
        ],
        content: ""
      })
      const res = await fetch("/users/nostr_login", {
        method: "POST", credentials: "include", headers: {
          "Accept": "application/json", 'Content-Type': 'application/json',
          "X-CSRF-Token": this.csrfToken
        }, body: JSON.stringify({ signed_event: signedEvent })
      })
      if (res.status === 200) {
        res.json().then(r => { window.location.href = r.redirect_url })
      } else {
        window.location.reload()
      }
    } catch (error) {
      console.warn('Unable to authenticate:', error.message)
    } finally {
      this.loginButtonTarget.disabled = false
    }
  }
  get csrfToken () {
    const element = document.head.querySelector('meta[name="csrf-token"]')
    return element.getAttribute("content")
  }
 }
--- a/app/javascript/controllers/settings/email/password_controller.js
+++ b/app/javascript/controllers/settings/email/password_controller.js
@@ -0,0 +1,27 @@
 import { Controller } from "@hotwired/stimulus"
 export default class extends Controller {
  static targets = [ "resetPasswordButton", "currentPasswordField" ]
  static values = { validationFailed: Boolean }
  connect () {
    if (this.validationFailedValue) return;
    this.element.querySelectorAll(".initial-hidden").forEach(el => {
      el.classList.add("hidden");
    })
    this.element.querySelectorAll(".initial-visible").forEach(el => {
      el.classList.remove("hidden");
    })
  }
  showPasswordReset () {
    this.element.querySelectorAll(".initial-visible").forEach(el => {
      el.classList.add("hidden");
    })
    this.element.querySelectorAll(".initial-hidden").forEach(el => {
      el.classList.remove("hidden");
    })
    this.currentPasswordFieldTarget.select();
  }
 }
--- a/app/javascript/controllers/settings/nostr_pubkey_controller.js
+++ b/app/javascript/controllers/settings/nostr_pubkey_controller.js
@@ -1,24 +1,16 @@
 import { Controller } from "@hotwired/stimulus"
 import { bech32 } from "bech32"
 function hexToBytes (hex) {
  let bytes = []
  for (let c = 0; c < hex.length; c += 2) {
    bytes.push(parseInt(hex.substr(c, 2), 16))
  }
  return bytes
 }
 // Connects to data-controller="settings--nostr-pubkey"
 export default class extends Controller {
  static targets = [ "noExtension", "setPubkey", "pubkeyBech32Input" ]
-  static values  = { userAddress: String, pubkeyHex: String, sharedSecret: String }
+  static values  = {
    userAddress: String,
    pubkeyHex: String,
    site: String,
    sharedSecret: String
  }
  connect () {
    if (this.hasPubkeyHexValue && this.pubkeyHexValue.length > 0) {
      this.pubkeyBech32InputTarget.value = this.pubkeyBech32
    }
    if (window.nostr) {
      if (this.hasSetPubkeyTarget) {
        this.setPubkeyTarget.disabled = false
@@ -32,11 +24,15 @@ export default class extends Controller {
    this.setPubkeyTarget.disabled = true
    try {
      // Auth based on NIP-42
      const signedEvent = await window.nostr.signEvent({
        created_at: Math.floor(Date.now() / 1000),
-        kind: 1,
+        kind: 22242,
-        tags: [],
+        tags: [
-        content: `Connect my public key to ${this.userAddressValue} (confirmation ${this.sharedSecretValue})`
+          ["site", this.siteValue],
          ["challenge", this.sharedSecretValue]
        ],
        content: ""
      })
      const res = await fetch("/settings/set_nostr_pubkey", {
@@ -53,11 +49,6 @@ export default class extends Controller {
    }
  }
  get pubkeyBech32 () {
    const words = bech32.toWords(hexToBytes(this.pubkeyHexValue))
    return bech32.encode('npub', words)
  }
  get csrfToken () {
    const element = document.head.querySelector('meta[name="csrf-token"]')
    return element.getAttribute("content")
--- a/app/jobs/btcpay_check_donation_job.rb
+++ b/app/jobs/btcpay_check_donation_job.rb
@@ -0,0 +1,28 @@
 class BtcpayCheckDonationJob < ApplicationJob
  queue_as :default
  def perform(donation)
    return if donation.completed?
    invoice = BtcpayManager::FetchInvoice.call(
      invoice_id: donation.btcpay_invoice_id
    )
    case invoice["status"]
    when "Settled"
      donation.paid_at = DateTime.now
      donation.payment_status = "settled"
      donation.save!
      NotificationMailer.with(user: donation.user)
                        .bitcoin_donation_confirmed
                        .deliver_later
    when "Processing"
      re_enqueue_job(donation)
    end
  end
  def re_enqueue_job(donation)
    self.class.set(wait: 20.seconds).perform_later(donation)
  end
 end
--- a/app/jobs/create_ldap_user_job.rb
+++ b/app/jobs/create_ldap_user_job.rb
@@ -1,7 +1,7 @@
 class CreateLdapUserJob < ApplicationJob
  queue_as :default
-  def perform(username, domain, email, hashed_pw)
+  def perform(username:, domain:, email:, hashed_pw:, confirmed: false)
    dn = "cn=#{username},ou=#{domain},cn=users,dc=kosmos,dc=org"
    attr = {
      objectclass: ["top", "account", "person", "extensibleObject"],
@@ -12,6 +12,10 @@ class CreateLdapUserJob < ApplicationJob
      userPassword: hashed_pw
    }
    if confirmed
      attr[:serviceEnabled] = Setting.default_services
    end
    ldap_client.add(dn: dn, attributes: attr)
  end
--- a/app/jobs/nostr_publish_event_job.rb
+++ b/app/jobs/nostr_publish_event_job.rb
@@ -0,0 +1,7 @@
 class NostrPublishEventJob < ApplicationJob
  queue_as :nostr
  def perform(event:, relay_url:)
    NostrManager::PublishEvent.call(event: event, relay_url: relay_url)
  end
 end
--- a/app/jobs/xmpp_exchange_contacts_job.rb
+++ b/app/jobs/xmpp_exchange_contacts_job.rb
@@ -2,8 +2,8 @@ class XmppExchangeContactsJob < ApplicationJob
  queue_as :default
  def perform(inviter, invitee)
-    return unless inviter.services_enabled.include?("xmpp") &&
+    return unless inviter.service_enabled?(:ejabberd) &&
-                  invitee.services_enabled.include?("xmpp") &&
+                  invitee.service_enabled?(:ejabberd) &&
                  inviter.preferences[:xmpp_exchange_contacts_with_invitees]
    ejabberd = EjabberdApiClient.new
--- a/app/mailers/notification_mailer.rb
+++ b/app/mailers/notification_mailer.rb
@@ -5,4 +5,29 @@ class NotificationMailer < ApplicationMailer
    @subject = "Sats received"
    mail to: @user.email, subject: @subject
  end
  def remotestorage_auth_created
    @user = params[:user]
    @auth = params[:auth]
    @permissions = @auth.permissions.map do |p|
      access = p.split(":")[1] == 'r' ? 'read' : 'read/write'
      directory = p.split(':')[0] == '' ? 'all folders and files' : p.split(':')[0]
      "#{access} #{directory}"
    end
    @subject = "New app connected to your storage"
    mail to: @user.email, subject: @subject
  end
  def new_invitations_available
    @user = params[:user]
    @subject = "New invitations added to your account"
    mail to: @user.email, subject: @subject
  end
  def bitcoin_donation_confirmed
    @user = params[:user]
    @donation = params[:donation]
    @subject = "Donation confirmed"
    mail to: @user.email, subject: @subject
  end
 end
--- a/app/models/app_catalog.rb
+++ b/app/models/app_catalog.rb
@@ -0,0 +1,5 @@
 module AppCatalog
  def self.table_name_prefix
    "app_catalog_"
  end
 end
--- a/app/models/app_catalog/web_app.rb
+++ b/app/models/app_catalog/web_app.rb
@@ -0,0 +1,16 @@
 class AppCatalog::WebApp < ApplicationRecord
  store :metadata, coder: JSON
  has_many :remote_storage_authorizations, dependent: :destroy
  has_one_attached :icon
  has_one_attached :apple_touch_icon
  validates :url, presence: true, uniqueness: true
  validates :url, format: { with: URI.regexp },
                  if: Proc.new { |a| a.url.present? }
  def update_metadata
    AppCatalogManager::UpdateMetadata.call(app: self)
  end
 end
--- a/app/models/concerns/settings/btcpay_settings.rb
+++ b/app/models/concerns/settings/btcpay_settings.rb
@@ -0,0 +1,24 @@
 module Settings
  module BtcpaySettings
    extend ActiveSupport::Concern
    included do
      field :btcpay_api_url, type: :string,
        default: ENV["BTCPAY_API_URL"].presence
      field :btcpay_enabled, type: :boolean,
        default: ENV["BTCPAY_API_URL"].present?
      field :btcpay_public_url, type: :string,
        default: ENV["BTCPAY_PUBLIC_URL"].presence
      field :btcpay_store_id, type: :string,
        default: ENV["BTCPAY_STORE_ID"].presence
      field :btcpay_auth_token, type: :string,
        default: ENV["BTCPAY_AUTH_TOKEN"].presence
      field :btcpay_publish_wallet_balances, type: :boolean, default: true
    end
  end
 end
--- a/app/models/concerns/settings/discourse_settings.rb
+++ b/app/models/concerns/settings/discourse_settings.rb
@@ -0,0 +1,16 @@
 module Settings
  module DiscourseSettings
    extend ActiveSupport::Concern
    included do
      field :discourse_public_url, type: :string,
        default: ENV["DISCOURSE_PUBLIC_URL"].presence
      field :discourse_enabled, type: :boolean,
        default: ENV["DISCOURSE_PUBLIC_URL"].present?
      field :discourse_connect_secret, type: :string,
        default: ENV["DISCOURSE_CONNECT_SECRET"].presence
    end
  end
 end
--- a/app/models/concerns/settings/drone_ci_settings.rb
+++ b/app/models/concerns/settings/drone_ci_settings.rb
@@ -0,0 +1,13 @@
 module Settings
  module DroneCiSettings
    extend ActiveSupport::Concern
    included do
      field :droneci_public_url, type: :string,
        default: ENV["DRONECI_PUBLIC_URL"].presence
      field :droneci_enabled, type: :boolean,
        default: ENV["DRONECI_PUBLIC_URL"].present?
    end
  end
 end
--- a/app/models/concerns/settings/ejabberd_settings.rb
+++ b/app/models/concerns/settings/ejabberd_settings.rb
@@ -0,0 +1,19 @@
 module Settings
  module EjabberdSettings
    extend ActiveSupport::Concern
    included do
      field :ejabberd_enabled, type: :boolean,
        default: ENV["EJABBERD_API_URL"].present?
      field :ejabberd_api_url, type: :string,
        default: ENV["EJABBERD_API_URL"].presence
      field :ejabberd_admin_url, type: :string,
        default: ENV["EJABBERD_ADMIN_URL"].presence
      field :ejabberd_buddy_roster, type: :string,
        default: "Buddies"
    end
  end
 end
--- a/app/models/concerns/settings/email_settings.rb
+++ b/app/models/concerns/settings/email_settings.rb
@@ -0,0 +1,28 @@
 module Settings
  module EmailSettings
    extend ActiveSupport::Concern
    included do
      field :email_enabled, type: :boolean,
        default: ENV["EMAIL_SMTP_HOST"].present?
      # field :email_smtp_host, type: :string,
      #   default: ENV["EMAIL_SMTP_HOST"].presence
      #
      # field :email_smtp_port, type: :string,
      #   default: ENV["EMAIL_SMTP_PORT"].presence || 587
      #
      # field :email_smtp_enable_starttls, type: :string,
      #   default: ENV["EMAIL_SMTP_PORT"].presence || true
      #
      # field :email_auth_method, type: :string,
      #   default: ENV["EMAIL_AUTH_METHOD"].presence || "plain"
      #
      # field :email_imap_host, type: :string,
      #   default: ENV["EMAIL_IMAP_HOST"].presence
      #
      # field :email_imap_port, type: :string,
      #   default: ENV["EMAIL_IMAP_PORT"].presence || 993
    end
  end
 end
--- a/app/models/concerns/settings/general_settings.rb
+++ b/app/models/concerns/settings/general_settings.rb
@@ -0,0 +1,34 @@
 module Settings
  module GeneralSettings
    extend ActiveSupport::Concern
    included do
      field :primary_domain, type: :string,
        default: ENV["PRIMARY_DOMAIN"].presence
      field :accounts_domain, type: :string,
        default: ENV["AKKOUNTS_DOMAIN"].presence
      #
      # Internal services
      #
      field :redis_url, type: :string,
        default: ENV["REDIS_URL"] || "redis://localhost:6379/0"
      field :s3_enabled, type: :boolean,
        default: ENV["S3_ENABLED"] && ENV["S3_ENABLED"].to_s != "false"
      field :sentry_enabled, type: :boolean, readonly: true,
        default: ENV["SENTRY_DSN"].present?
      #
      # Registrations
      #
      field :reserved_usernames, type: :array, default: %w[
        account accounts donations mail webmaster support
      ]
    end
  end
 end
--- a/app/models/concerns/settings/gitea_settings.rb
+++ b/app/models/concerns/settings/gitea_settings.rb
@@ -0,0 +1,13 @@
 module Settings
  module GiteaSettings
    extend ActiveSupport::Concern
    included do
      field :gitea_public_url, type: :string,
        default: ENV["GITEA_PUBLIC_URL"].presence
      field :gitea_enabled, type: :boolean,
        default: ENV["GITEA_PUBLIC_URL"].present?
    end
  end
 end
--- a/app/models/concerns/settings/lightning_network_settings.rb
+++ b/app/models/concerns/settings/lightning_network_settings.rb
@@ -0,0 +1,25 @@
 module Settings
  module LightningNetworkSettings
    extend ActiveSupport::Concern
    included do
      field :lndhub_api_url, type: :string,
        default: ENV["LNDHUB_API_URL"].presence
      field :lndhub_enabled, type: :boolean,
        default: ENV["LNDHUB_API_URL"].present?
      field :lndhub_admin_token, type: :string,
        default: ENV["LNDHUB_ADMIN_TOKEN"].presence
      field :lndhub_admin_enabled, type: :boolean,
        default: ENV["LNDHUB_ADMIN_UI"] || false
      field :lndhub_public_key, type: :string,
        default: (ENV["LNDHUB_PUBLIC_KEY"] || "")
      field :lndhub_keysend_enabled, type: :boolean,
        default: -> { self.lndhub_public_key.present? }
    end
  end
 end
--- a/app/models/concerns/settings/mastodon_settings.rb
+++ b/app/models/concerns/settings/mastodon_settings.rb
@@ -0,0 +1,16 @@
 module Settings
  module MastodonSettings
    extend ActiveSupport::Concern
    included do
      field :mastodon_public_url, type: :string,
        default: ENV["MASTODON_PUBLIC_URL"].presence
      field :mastodon_enabled, type: :boolean,
        default: ENV["MASTODON_PUBLIC_URL"].present?
      field :mastodon_address_domain, type: :string,
        default: ENV["MASTODON_ADDRESS_DOMAIN"].presence || self.primary_domain
    end
  end
 end
--- a/app/models/concerns/settings/media_wiki_settings.rb
+++ b/app/models/concerns/settings/media_wiki_settings.rb
@@ -0,0 +1,13 @@
 module Settings
  module MediaWikiSettings
    extend ActiveSupport::Concern
    included do
      field :mediawiki_public_url, type: :string,
        default: ENV["MEDIAWIKI_PUBLIC_URL"].presence
      field :mediawiki_enabled, type: :boolean,
        default: ENV["MEDIAWIKI_PUBLIC_URL"].present?
    end
  end
 end
--- a/app/models/concerns/settings/nostr_settings.rb
+++ b/app/models/concerns/settings/nostr_settings.rb
@@ -0,0 +1,25 @@
 module Settings
  module NostrSettings
    extend ActiveSupport::Concern
    included do
      field :nostr_enabled, type: :boolean,
        default: ENV["NOSTR_PRIVATE_KEY"].present?
      field :nostr_private_key, type: :string,
        default: ENV["NOSTR_PRIVATE_KEY"].presence
      field :nostr_public_key, type: :string,
        default: ENV["NOSTR_PUBLIC_KEY"].presence
      field :nostr_public_key_primary_domain, type: :string,
        default: ENV["NOSTR_PUBLIC_KEY_PRIMARY_DOMAIN"].presence
      field :nostr_relay_url, type: :string,
        default: ENV["NOSTR_RELAY_URL"].presence
      field :nostr_zaps_relay_limit, type: :integer,
        default: 12
    end
  end
 end
--- a/app/models/concerns/settings/open_collective_settings.rb
+++ b/app/models/concerns/settings/open_collective_settings.rb
@@ -0,0 +1,9 @@
 module Settings
  module OpenCollectiveSettings
    extend ActiveSupport::Concern
    included do
      field :opencollective_enabled, type: :boolean, default: true
    end
  end
 end
--- a/app/models/concerns/settings/remote_storage_settings.rb
+++ b/app/models/concerns/settings/remote_storage_settings.rb
@@ -0,0 +1,16 @@
 module Settings
  module RemoteStorageSettings
    extend ActiveSupport::Concern
    included do
      field :remotestorage_enabled, type: :boolean,
        default: ENV["RS_STORAGE_URL"].present?
      field :rs_storage_url, type: :string,
        default: ENV["RS_STORAGE_URL"].presence
      field :rs_redis_url, type: :string,
        default: ENV["RS_REDIS_URL"] || "redis://localhost:6379/1"
    end
  end
 end
--- a/app/models/concerns/settings/xmpp_settings.rb
+++ b/app/models/concerns/settings/xmpp_settings.rb
@@ -0,0 +1,11 @@
 module Settings
  module XmppSettings
    extend ActiveSupport::Concern
    included do
      field :xmpp_default_rooms, type: :array, default: []
      field :xmpp_autojoin_default_rooms, type: :boolean, default: false
      field :xmpp_notifications_from_address, type: :string, default: primary_domain
    end
  end
 end
--- a/app/models/donation.rb
+++ b/app/models/donation.rb
@@ -4,12 +4,25 @@ class Donation < ApplicationRecord
  # Validations
  validates_presence_of :user
-  validates_presence_of :amount_sats
+  validates_presence_of :donation_method,
-  validates_presence_of :paid_at
+    inclusion: { in: %w[ custom btcpay lndhub ] }
-
+  validates_presence_of :payment_status, allow_nil: true,
-  # Hooks
+    inclusion: { in: %w[ processing settled ] }
-  # TODO before_create :store_fiat_value
+  validates_presence_of :paid_at, allow_nil: true
  validates_presence_of :amount_sats, allow_nil: true
  validates_presence_of :fiat_amount, allow_nil: true
  validates_presence_of :fiat_currency, allow_nil: true,
    inclusion: { in: %w[ EUR USD ] }
  #Scopes
-  scope :completed, -> { where.not(paid_at: nil) }
+  scope :processing, -> { where(payment_status: "processing") }
  scope :completed, -> { where(payment_status: "settled") }
  def processing?
    payment_status == "processing"
  end
  def completed?
    payment_status == "settled"
  end
 end
--- a/app/models/remote_storage_authorization.rb
+++ b/app/models/remote_storage_authorization.rb
@@ -1,7 +1,8 @@
 class RemoteStorageAuthorization < ApplicationRecord
  belongs_to :user
  belongs_to :web_app, class_name: "AppCatalog::WebApp", optional: true
-  serialize :permissions
+  serialize :permissions unless Rails.env.production?
  validates_presence_of :permissions
  validates_presence_of :client_id
@@ -15,22 +16,36 @@ class RemoteStorageAuthorization < ApplicationRecord
  before_create  :generate_token
  before_create  :store_token_in_redis
  before_create  :find_or_create_web_app
  after_create   :schedule_token_expiry
  after_create   :notify_user
  before_destroy :delete_token_from_redis
  after_destroy  :remove_token_expiry_job
  def url
-    if self.redirect_uri
+    uri = URI.parse self.redirect_uri
-      uri = URI.parse self.redirect_uri
+    "#{uri.scheme}://#{client_id}"
-      "#{uri.scheme}://#{client_id}"
+  end
  def launch_url
    return url unless web_app && web_app.metadata[:start_url].present?
    start_url = web_app.metadata[:start_url]
    if start_url.match("^https?:\/\/")
      return start_url.start_with?(url) ? start_url : url
    else
-      "http://#{client_id}"
+      path = start_url.gsub(/^\.\.\//, "").gsub(/^\.\//, "").gsub(/^\//, "")
      "#{url}/#{path}"
    end
  end
  def delete_token_from_redis
-    key = "rs:authorizations:#{user.address}:#{token}"
+    key = "authorizations:#{user.cn}:#{token}"
    redis.srem? key, redis.smembers(key)
  rescue => e
    Rails.logger.error e
    Sentry.capture_exception(e) if Setting.sentry_enabled?
  end
  private
@@ -44,7 +59,7 @@ class RemoteStorageAuthorization < ApplicationRecord
    end
    def store_token_in_redis
-      redis.sadd "rs:authorizations:#{user.address}:#{token}", permissions
+      redis.sadd "authorizations:#{user.cn}:#{token}", permissions
    end
    def schedule_token_expiry
@@ -60,4 +75,40 @@ class RemoteStorageAuthorization < ApplicationRecord
        job.delete if job.display_args == [id]
      end
    end
    def find_or_create_web_app
      if looks_like_hosted_origin?
        web_app = AppCatalog::WebApp.find_or_create_by!(url: self.url)
        web_app.update_metadata unless web_app.name.present?
        self.web_app = web_app
        self.app_name = web_app.name.presence || client_id
      else
        self.app_name = client_id
      end
    end
    def looks_like_hosted_origin?
      uri = URI.parse self.redirect_uri
      !!(uri.host =~ /(?=^.{4,253}$)(^((?!-)[a-zA-Z0-9-]{0,62}[a-zA-Z0-9]\.)+[a-zA-Z]{2,63}$)/)
    rescue URI::InvalidURIError
      false
    end
    def notify_user
      notify = user.preferences[:remotestorage_notify_auth_created]
      case notify
      when "xmpp"
        router = Router.new
        payload = {
          type: "normal", to: user.address,
          from: Setting.xmpp_notifications_from_address,
          body: "You have just granted '#{self.client_id}' access to your Kosmos Storage. Visit your Storage dashboard to check on your connected apps and revoke permissions anytime: #{router.services_storage_url}"
        }
        XmppSendMessageJob.perform_later(payload)
      when "email"
        NotificationMailer.with(user: user, auth: self)
                          .remotestorage_auth_created.deliver_later
      end
    end
 end
--- a/app/models/setting.rb
+++ b/app/models/setting.rb
@@ -2,149 +2,30 @@
 class Setting < RailsSettings::Base
  cache_prefix { "v1" }
-  field :primary_domain, type: :string,
+  Dir[Rails.root.join('app', 'models', 'concerns', 'settings', '*.rb')].each do |file|
-    default: ENV["PRIMARY_DOMAIN"].presence
+    require file
  end
-  field :accounts_domain, type: :string,
+  include Settings::GeneralSettings
-    default: ENV["AKKOUNTS_DOMAIN"].presence
+  include Settings::BtcpaySettings
  include Settings::DiscourseSettings
  include Settings::DroneCiSettings
  include Settings::EjabberdSettings
  include Settings::EmailSettings
  include Settings::GiteaSettings
  include Settings::LightningNetworkSettings
  include Settings::MastodonSettings
  include Settings::MediaWikiSettings
  include Settings::NostrSettings
  include Settings::OpenCollectiveSettings
  include Settings::RemoteStorageSettings
  include Settings::XmppSettings
-  #
+  def self.available_services
-  # Internal services
+    known_services = SERVICES[:external].keys
-  #
+    known_services.select {|s| Setting.send "#{s}_enabled?" }
  end
-  field :redis_url, type: :string,
+  field :default_services, type: :array,
-    default: ENV["REDIS_URL"] || "redis://localhost:6379/0"
+    default: self.available_services
  #
  # Registrations
  #
  field :reserved_usernames, type: :array, default: %w[
    account accounts donations mail webmaster support
  ]
  #
  # XMPP
  #
  field :xmpp_default_rooms, type: :array, default: []
  field :xmpp_autojoin_default_rooms, type: :boolean, default: false
  field :xmpp_notifications_from_address, type: :string, default: primary_domain
  #
  # Sentry
  #
  field :sentry_enabled, type: :boolean, readonly: true,
    default: (ENV["SENTRY_DSN"].present?.to_s || false)
  #
  # Discourse
  #
  field :discourse_public_url, type: :string,
    default: ENV["DISCOURSE_PUBLIC_URL"].presence
  field :discourse_enabled, type: :boolean,
    default: (ENV["DISCOURSE_PUBLIC_URL"].present?.to_s || false)
  field :discourse_connect_secret, type: :string,
    default: ENV["DISCOURSE_CONNECT_SECRET"].presence
  #
  # Drone CI
  #
  field :droneci_public_url, type: :string,
    default: ENV["DRONECI_PUBLIC_URL"].presence
  field :droneci_enabled, type: :boolean,
    default: (ENV["DRONECI_PUBLIC_URL"].present?.to_s || false)
  #
  # ejabberd
  #
  field :ejabberd_enabled, type: :boolean,
    default: (ENV["EJABBERD_API_URL"].present?.to_s || false)
  field :ejabberd_api_url, type: :string,
    default: ENV["EJABBERD_API_URL"].presence
  field :ejabberd_admin_url, type: :string,
    default: ENV["EJABBERD_ADMIN_URL"].presence
  field :ejabberd_buddy_roster, type: :string,
    default: "Buddies"
  #
  # Gitea
  #
  field :gitea_public_url, type: :string,
    default: ENV["GITEA_PUBLIC_URL"].presence
  field :gitea_enabled, type: :boolean,
    default: (ENV["GITEA_PUBLIC_URL"].present?.to_s || false)
  #
  # Lightning Network
  #
  field :lndhub_api_url, type: :string,
    default: ENV["LNDHUB_API_URL"].presence
  field :lndhub_enabled, type: :boolean,
    default: (ENV["LNDHUB_API_URL"].present?.to_s || false)
  field :lndhub_admin_enabled, type: :boolean,
    default: (ENV["LNDHUB_ADMIN_UI"] || false)
  field :lndhub_public_key, type: :string,
    default: (ENV["LNDHUB_PUBLIC_KEY"] || "")
  field :lndhub_keysend_enabled, type: :boolean,
    default: -> { self.lndhub_public_key.present?.to_s || false }
  #
  # Mastodon
  #
  field :mastodon_public_url, type: :string,
    default: ENV["MASTODON_PUBLIC_URL"].presence
  field :mastodon_enabled, type: :boolean,
    default: (ENV["MASTODON_PUBLIC_URL"].present?.to_s || false)
  field :mastodon_address_domain, type: :string,
    default: ENV["MASTODON_ADDRESS_DOMAIN"].presence || self.primary_domain
  #
  # MediaWiki
  #
  field :mediawiki_public_url, type: :string,
    default: ENV["MEDIAWIKI_PUBLIC_URL"].presence
  field :mediawiki_enabled, type: :boolean,
    default: (ENV["MEDIAWIKI_PUBLIC_URL"].present?.to_s || false)
  #
  # Nostr
  #
  field :nostr_enabled, type: :boolean, default: true
  #
  # RemoteStorage
  #
  field :remotestorage_enabled, type: :boolean,
    default: (ENV["RS_STORAGE_URL"].present?.to_s || false)
  field :rs_storage_url, type: :string,
    default: ENV["RS_STORAGE_URL"].presence
  field :rs_redis_url, type: :string,
    default: ENV["RS_REDIS_URL"] || "redis://localhost:6379/1"
 end
--- a/app/models/user.rb
+++ b/app/models/user.rb
@@ -1,24 +1,34 @@
 require 'nostr'
 class User < ApplicationRecord
  include EmailValidatable
  attr_accessor :display_name
  attr_accessor :avatar_new
  attr_accessor :current_password
-  serialize :preferences, UserPreferences
+  serialize :preferences, coder: UserPreferences
  #
  # Relations
  #
  has_many :invitations, dependent: :destroy
  has_one  :invitation, inverse_of: :invitee, foreign_key: 'invited_user_id'
  has_one  :inviter, through: :invitation, source: :user
  has_many :invitees, through: :invitations
  has_many :donations, dependent: :nullify
  has_many :remote_storage_authorizations
  has_many :zaps
  has_one  :lndhub_user, class_name: "LndhubUser", inverse_of: "user",
                         primary_key: "ln_account", foreign_key: "login"
  has_many :accounts, through: :lndhub_user
-  has_many :remote_storage_authorizations
+  #
  # Validations
  #
  validates_uniqueness_of :cn, scope: :ou
  validates_length_of :cn, minimum: 3
@@ -30,7 +40,8 @@ class User < ApplicationRecord
                           message: "is invalid. Usernames need to start with a letter."
  # FIXME This needs a server restart to apply values
  validates_format_of :cn, without: /\A(#{Setting.reserved_usernames.join('|')})\z/i,
-                           message: "has already been taken"
+                           message: "has already been taken",
                           unless: Proc.new{ |u| u.persisted? }
  validates_uniqueness_of :email
  validates :email, email: true
@@ -38,12 +49,20 @@ class User < ApplicationRecord
  validates_length_of :display_name, minimum: 3, maximum: 35, allow_blank: true,
                                     if: -> { defined?(@display_name) }
-  validates_uniqueness_of :nostr_pubkey, allow_blank: true
+  validate :acceptable_avatar
  #
  # Scopes
  #
  scope :confirmed,  -> { where.not(confirmed_at: nil) }
  scope :pending,    -> { where(confirmed_at: nil) }
  scope :all_except, -> (user) { where.not(id: user) }
  #
  # Encrypted database columns
  #
  has_encrypted :ln_login, :ln_password
  # Include default devise modules. Others available are:
@@ -70,13 +89,12 @@ class User < ApplicationRecord
  def devise_after_confirmation
    if ldap_entry[:mail] != self.email
      # E-Mail update confirmed
-      LdapManager::UpdateEmail.call(self.dn, self.email)
+      LdapManager::UpdateEmail.call(dn: self.dn, address: self.email)
    else
      # TODO Make configurable
      # E-Mail from signup confirmed (i.e. account activation)
-      enable_service %w[ discourse gitea mediawiki xmpp ]
+      enable_default_services
-      #TODO enable in development when we have easy setup of ejabberd etc.
+      # TODO enable in development when we have easy setup of ejabberd etc.
      return if Rails.env.development? || !Setting.ejabberd_enabled?
      XmppExchangeContactsJob.perform_later(inviter, self) if inviter.present?
@@ -112,7 +130,7 @@ class User < ApplicationRecord
  def mastodon_address
    return nil unless Setting.mastodon_enabled?
-    "#{self.cn}@#{Setting.mastodon_address_domain}"
+    "#{self.cn.gsub("-", "_")}@#{Setting.mastodon_address_domain}"
  end
  def valid_attribute?(attribute_name)
@@ -120,10 +138,8 @@ class User < ApplicationRecord
    self.errors[attribute_name].blank?
  end
-  def ln_create_invoice(payload)
+  def enable_default_services
-    lndhub = Lndhub.new
+    enable_service Setting.default_services
    lndhub.authenticate self
    lndhub.addinvoice payload
  end
  def dn
@@ -140,22 +156,39 @@ class User < ApplicationRecord
    @display_name ||= ldap_entry[:display_name]
  end
  def nostr_pubkey
    @nostr_pubkey ||= ldap_entry[:nostr_key]
  end
  def nostr_pubkey_bech32
    return nil unless nostr_pubkey.present?
    Nostr::PublicKey.new(nostr_pubkey).to_bech32
  end
  def avatar
    @avatar_base64 ||= LdapManager::FetchAvatar.call(cn: cn)
  end
  def services_enabled
-    ldap_entry[:service] || []
+    ldap_entry[:services_enabled] || []
  end
  def service_enabled?(name)
    services_enabled.map(&:to_sym).include?(name.to_sym)
  end
  def enable_service(service)
    current_services = services_enabled
    new_services = Array(service).map(&:to_s)
-    services = (current_services + new_services).uniq
+    services = (current_services + new_services).uniq.sort
-    ldap.replace_attribute(dn, :service, services)
+    ldap.replace_attribute(dn, :serviceEnabled, services)
  end
  def disable_service(service)
    current_services = services_enabled
    disabled_services = Array(service).map(&:to_s)
-    services = (current_services - disabled_services).uniq
+    services = (current_services - disabled_services).uniq.sort
-    ldap.replace_attribute(dn, :service, services)
+    ldap.replace_attribute(dn, :serviceEnabled, services)
  end
  def disable_all_services
@@ -168,4 +201,17 @@ class User < ApplicationRecord
      return @ldap_service if defined?(@ldap_service)
      @ldap_service = LdapService.new
    end
    def acceptable_avatar
      return unless avatar_new.present?
      if avatar_new.size > 1.megabyte
        errors.add(:avatar, "file size is too large")
      end
      acceptable_types = ["image/jpeg", "image/png"]
      unless acceptable_types.include?(avatar_new.content_type)
        errors.add(:avatar, "must be a JPEG or PNG file")
      end
    end
 end
--- a/app/models/user_preferences.rb
+++ b/app/models/user_preferences.rb
@@ -26,4 +26,8 @@ class UserPreferences
    end
    hash.stringify_keys!.to_h
  end
  def self.pref_keys
    DEFAULT_PREFS.keys.map(&:to_sym)
  end
 end
--- a/app/models/zap.rb
+++ b/app/models/zap.rb
@@ -0,0 +1,20 @@
 class Zap < ApplicationRecord
  belongs_to :user
  scope :settled, -> { where.not(settled_at: nil) }
  scope :unpaid, -> { where(settled_at: nil) }
  def request_event
    nostr_event_from_hash(request)
  end
  def receipt_event
    nostr_event_from_hash(receipt)
  end
  private
    def nostr_event_from_hash(hash)
      Nostr::Event.new(**hash.symbolize_keys)
    end
 end
--- a/app/services/app_catalog_manager/update_metadata.rb
+++ b/app/services/app_catalog_manager/update_metadata.rb
@@ -0,0 +1,63 @@
 require "manifique"
 require "down"
 module AppCatalogManager
  class UpdateMetadata < AppCatalogManagerService
    def initialize(app:)
      @app = app
    end
    def call
      agent = Manifique::Agent.new(url: @app.url)
      metadata = agent.fetch_metadata
      @app.name = metadata.name
      [:name, :short_name, :description, :theme_color, :background_color,
       :display, :start_url, :scope, :share_target, :icons].each do |prop|
        @app.metadata[prop] = metadata.send(prop) if prop
      end
      @app.save!
      # TODO move icon downloads to separate, async job
      if icon = metadata.select_icon(sizes: "256x256") ||
         icon = metadata.select_icon(sizes: "192x192")
        attach_remote_image(:icon, icon)
        # TODO elsif get whatever is available
      end
      if apple_touch_icon = metadata.select_icon(purpose: "apple-touch-icon")
        attach_remote_image(:apple_touch_icon, apple_touch_icon)
      end
    rescue Manifique::Error => e
      msg = "Fetching web app manifest failed for #{e.url}: #{e.type}"
      Rails.logger.warn(msg)
      Sentry.capture_message(msg) if Setting.sentry_enabled?
      false
    end
    def attach_remote_image(attachment_name, icon)
      if icon['src'].start_with?("http")
        download_url = icon['src']
      else
        download_url = "#{@app.url}/#{icon["src"].gsub(/^\//,'')}"
      end
      filename = "#{attachment_name}-#{Time.now.to_i}.png"
      key = "web_apps/#{@app.id}/icons/#{filename}"
      begin
        tempfile = Down.download(download_url)
        @app.send(attachment_name).attach(key: key, io: tempfile, filename: filename)
      rescue Down::NotFound
        msg = "Download of \"#{attachment_name}\" failed: NotFound error for #{download_url}"
        Rails.logger.warn(msg)
        Sentry.capture_message(msg)
      rescue => e
        Rails.logger.warn "Saving attachment \"#{attachment_name}\" failed: \"#{e.message}\""
        Sentry.capture_exception(e) if Setting.sentry_enabled?
      end
    end
  end
 end
--- a/app/services/app_catalog_manager_service.rb
+++ b/app/services/app_catalog_manager_service.rb
@@ -0,0 +1,2 @@
 class AppCatalogManagerService < ApplicationService
 end
--- a/Show More
+++ b/Show More
		`@@ -0,0 +1,2 @@`
							`class AppCatalogManagerService < ApplicationService`
							`end`