fix(Gitea): Field avatar_url not found in Gitea JSON response by using gothic provided user data and removing our API call

Currently translated at 100.0% (341 of 341 strings)

Translation: Opengist/Opengist
Translate-URL: http://tr.opengist.io/projects/_/opengist/ru/

Co-authored-by: FunNikita <mainik1111@icloud.com>

.gitattributes

@@ -1,2 +1,4 @@
 templates/**/* linguist-vendored
 public/**/*.css linguist-vendored
+public/**/*.scss linguist-vendored
+*.config.js linguist-vendored

.github/FUNDING.yml

@@ -0,0 +1 @@
+github: thomiceli

.github/dependabot.yml

@@ -0,0 +1,18 @@
+version: 2
+updates:
+  - package-ecosystem: "npm"
+    directory: "/"
+    schedule:
+      interval: "weekly"
+  - package-ecosystem: "github-actions"
+    directory: "/"
+    schedule:
+      interval: "weekly"
+  - package-ecosystem: "gomod"
+    directory: "/"
+    schedule:
+      interval: "weekly"
+  - package-ecosystem: "docker"
+    directory: "/"
+    schedule:
+      interval: "weekly"

.github/workflows/docker.yml

@@ -1,52 +0,0 @@
-name: Docker
-
-on:
-  release:
-    types: [published]
-  workflow_dispatch:
-
-jobs:
-  docker-build-release:
-    runs-on: ubuntu-latest
-    permissions:
-      contents: read
-      packages: write
-    steps:
-      - name: Checkout
-        uses: actions/checkout@v3
-
-      - name: Docker meta
-        id: meta
-        uses: docker/metadata-action@v4
-        with:
-          images: |
-            ghcr.io/thomiceli/opengist
-          tags: |
-            type=raw,value=latest,enable=${{ github.ref == format('refs/heads/{0}', github.event.repository.default_branch) }}
-            type=semver,pattern={{major}}
-            type=semver,pattern={{major}}.{{minor}}
-            type=semver,pattern={{version}}
-
-      - name: Set up QEMU
-        uses: docker/setup-qemu-action@v2
-
-      - name: Set up Docker Buildx
-        uses: docker/setup-buildx-action@v2
-
-      - name: Login to GitHub Container Registry
-        uses: docker/login-action@v2
-        with:
-          registry: ghcr.io
-          username: ${{ github.repository_owner }}
-          password: ${{ secrets.GITHUB_TOKEN }}
-
-      - name: Build and push
-        uses: docker/build-push-action@v4
-        with:
-          context: .
-          platforms: linux/amd64,linux/arm64
-          push: true
-          tags: ${{ steps.meta.outputs.tags }}
-          labels: ${{ steps.meta.outputs.labels }}
-          cache-from: type=gha
-          cache-to: type=gha,mode=max

.github/workflows/docs.yml

@@ -0,0 +1,43 @@
+name: Build / Deploy docs
+
+on:
+  push:
+    tags:
+      - 'v*'
+  workflow_dispatch:
+
+jobs:
+  build-and-deploy:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v6
+
+      - name: Setup Node.js
+        uses: actions/setup-node@v6
+        with:
+          node-version: '20'
+
+      - name: Install JS dependencies
+        run: |
+          npm install vitepress@1.3.4 tailwindcss@3.4.10
+
+      - name: Build docs
+        run: |
+          cd docs
+          npx tailwindcss -i .vitepress/theme/style.css -o .vitepress/theme/theme.css -c .vitepress/tailwind.config.js
+          npm run docs:build
+
+      - name: Push to docs repository
+        run: |
+          git clone https://${{ secrets.STATIC_REPO_TOKEN }}@github.com/${{ secrets.STATIC_REPO }}.git target-repo
+          rm -rf target-repo/srv/opengist
+          mkdir -p target-repo/srv/opengist
+          cp -r docs/.vitepress/dist/* target-repo/srv/opengist/
+          cd target-repo
+          git config user.name "github-actions[bot]"
+          git config user.email "github-actions[bot]@users.noreply.github.com"
+          git add .
+          git commit -m "Deploy docs from ${{ github.repository }}@${{ github.sha }}" || echo "No changes to commit"
+          git pull --rebase
+          git push

.github/workflows/go.yml

@@ -1,93 +1,138 @@
-name: "Go"
+name: "Go CI"
 on:
   push:
     branches:
       - master
+      - 'dev-*'
+  workflow_dispatch:
+
   pull_request:
+    paths-ignore:
+      - '**.yml'
+      - '**.md'
 
 jobs:
-  checks:
+  lint:
+    name: Lint
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v6
+
+      - name: Set up Go 1.25
+        uses: actions/setup-go@v6
+        with:
+          go-version: "1.25"
+
+      - name: Lint
+        uses: golangci/golangci-lint-action@v9
+        with:
+          version: v2.5
+          args: --timeout=20m --disable=errcheck
+
+      - name: Format
+        run: make fmt check_changes
+
+  check:
+    name: Check
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v6
+
+      - name: Set up Go 1.25
+        uses: actions/setup-go@v6
+        with:
+          go-version: "1.25"
+
+      - name: Check Go modules
+        run: make go_mod check_changes
+
+      - name: Check translations
+        run: make check-tr
+
+  test-db:
+    name: Test
     strategy:
       fail-fast: false
       matrix:
-        os: ["ubuntu-latest", "macOS-latest"]
-        go: ["1.19", "1.20"]
+        os: ["ubuntu-latest"]
+        go: ["1.25"]
+        database: [postgres, mysql]
+        include:
+          - database: postgres
+            image: postgres:16
+            port: 5432:5432
+          - database: mysql
+            image: mysql:8
+            port: 3306:3306
+
     runs-on: ${{ matrix.os }}
+    services:
+      database:
+        image: ${{ matrix.image }}
+        ports:
+          - ${{ matrix.port }}
+        env:
+          POSTGRES_PASSWORD: opengist
+          POSTGRES_DB: opengist_test
+          MYSQL_ROOT_PASSWORD: opengist
+          MYSQL_DATABASE: opengist_test
+        options: >-
+          --health-cmd ${{ matrix.database == 'postgres' && 'pg_isready' || '"mysqladmin ping"' }}
+          --health-interval 10s
+          --health-timeout 5s
+          --health-retries 5
     steps:
       - name: Checkout
-        uses: actions/checkout@v3
+        uses: actions/checkout@v6
 
       - name: Set up Go ${{ matrix.go }}
-        uses: WillAbides/setup-go-faster@v1.8.0
+        uses: actions/setup-go@v6
         with:
           go-version: ${{ matrix.go }}
 
-      - name: Cache Go modules
-        uses: actions/cache@v3
-        with:
-          path: ~/go/pkg/mod
-          key: ${{ runner.os }}-go-${{ hashFiles('**/go.sum') }}
-          restore-keys: |
-            ${{ runner.os }}-go-
+      - name: Run tests
+        run: make test TEST_DB_TYPE=${{ matrix.database }}
 
-      - name: Cache Go build cache
-        uses: actions/cache@v3
-        with:
-          path: ~/.cache/go-build
-          key: ${{ runner.os }}-go-build-${{ matrix.go }}
-          restore-keys: |
-            ${{ runner.os }}-go-build-
-
-      - name: Run go vet
-        run: "go vet ./..."
-
-      - name: Run Staticcheck
-        uses: dominikh/staticcheck-action@v1.3.0
-        with:
-          version: "2023.1.1"
-          install-go: false
-          cache-key: ${{ matrix.go }}
-  docker-build-latest:
-    if: ${{ github.event_name == 'push' && github.ref == format('refs/heads/{0}', github.event.repository.default_branch) }}
-    needs:
-      - checks
-    runs-on: ubuntu-latest
-    permissions:
-      contents: read
-      packages: write
+  test:
+    name: Test
+    strategy:
+      fail-fast: false
+      matrix:
+        os: ["ubuntu-latest", "macOS-latest", "windows-latest"]
+        go: ["1.25"]
+        database: ["sqlite"]
+    runs-on: ${{ matrix.os }}
     steps:
       - name: Checkout
-        uses: actions/checkout@v3
+        uses: actions/checkout@v6
 
-      - name: Docker meta
-        id: meta
-        uses: docker/metadata-action@v4
+      - name: Set up Go ${{ matrix.go }}
+        uses: actions/setup-go@v6
         with:
-          images: |
-            ghcr.io/thomiceli/opengist
-          tags: |
-            type=raw,value=dev,enable=${{ github.ref == format('refs/heads/{0}', github.event.repository.default_branch) }}
+          go-version: ${{ matrix.go }}
 
-      - name: Set up QEMU
-        uses: docker/setup-qemu-action@v2
+      - name: Run tests
+        run: make test TEST_DB_TYPE=${{ matrix.database }}
 
-      - name: Set up Docker Buildx
-        uses: docker/setup-buildx-action@v2
+  build:
+    name: Build
+    strategy:
+      fail-fast: false
+      matrix:
+        os: ["ubuntu-latest", "macOS-latest", "windows-latest"]
+        go: ["1.25"]
+    runs-on: ${{ matrix.os }}
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v6
 
-      - name: Login to GitHub Container Registry
-        uses: docker/login-action@v2
+      - name: Set up Go 1.25
+        uses: actions/setup-go@v6
         with:
-          registry: ghcr.io
-          username: ${{ github.repository_owner }}
-          password: ${{ secrets.GITHUB_TOKEN }}
+          go-version: ${{ matrix.go }}
 
-      - name: Build and push
-        uses: docker/build-push-action@v4
-        with:
-          context: .
-          platforms: linux/amd64,linux/arm64
-          push: true
-          tags: ${{ steps.meta.outputs.tags }}
-          labels: ${{ steps.meta.outputs.labels }}
-          cache-from: type=gha
-          cache-to: type=gha,mode=max
+      - name: Build
+        shell: bash
+        run: make

.github/workflows/helm.yml

@@ -0,0 +1,49 @@
+name: Build / Deploy Helm Chart
+
+on:
+  workflow_dispatch:
+
+jobs:
+  build-and-deploy:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v6
+
+      - name: Set up Helm
+        uses: azure/setup-helm@v4.3.1
+        with:
+          version: 'latest'
+
+      - name: Update Helm chart dependencies
+        run: |
+          cd ./helm/opengist
+          helm dependency update
+
+      - name: Package Helm chart
+        run: |
+          cd ./helm
+          helm package ./opengist
+
+          # First time, create the index
+          wget -q https://helm.opengist.io/index.yaml
+          if [ ! -f index.yaml ]; then
+            helm repo index --url https://helm.opengist.io .
+          else
+            # For subsequent runs, merge with existing index
+            helm repo index --url https://helm.opengist.io --merge index.yaml .
+          fi
+
+      - name: Push to docs repository
+        run: |
+          git clone https://${{ secrets.DOCS_REPO_TOKEN }}@github.com/${{ secrets.DOCS_REPO }}.git target-repo
+          mkdir -p target-repo/helm
+          cp helm/*.tgz target-repo/helm/
+          cp helm/index.yaml target-repo/helm/
+          cd target-repo
+          git config user.name "github-actions[bot]"
+          git config user.email "github-actions[bot]@users.noreply.github.com"
+          git add .
+          git commit -m "Deploy helm chart from ${{ github.repository }}@${{ github.sha }}" || echo "No changes to commit"
+          git pull --rebase
+          git push

.github/workflows/release.yml

@@ -0,0 +1,84 @@
+name: Release
+
+on:
+  release:
+    types: [published]
+
+jobs:
+  binaries-build-release:
+    runs-on: ubuntu-latest
+    permissions:
+      contents: write
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v6
+
+      - name: Set up Go 1.25
+        uses: actions/setup-go@v6
+        with:
+          go-version: "1.25"
+
+      - name: Cross compile build
+        run: make all_crosscompile
+
+      - name: Upload Release Assets
+        uses: softprops/action-gh-release@v2
+        with:
+          files: |
+            build/*.tar.gz 
+            build/*.zip 
+            build/checksums.txt
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+
+  docker-build-release:
+    runs-on: ubuntu-latest
+    permissions:
+      contents: read
+      packages: write
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v6
+
+      - name: Docker meta
+        id: meta
+        uses: docker/metadata-action@v5
+        with:
+          images: |
+            ghcr.io/thomiceli/opengist
+            docker.io/thomiceli/opengist
+          tags: |
+            type=raw,value=latest,enable=${{ github.ref == format('refs/heads/{0}', github.event.repository.default_branch) }}
+            type=semver,pattern={{major}}
+            type=semver,pattern={{major}}.{{minor}}
+            type=semver,pattern={{version}}
+
+      - name: Set up QEMU
+        uses: docker/setup-qemu-action@v3
+
+      - name: Set up Docker Buildx
+        uses: docker/setup-buildx-action@v3
+
+      - name: Login to GitHub Container Registry
+        uses: docker/login-action@v3
+        with:
+          registry: ghcr.io
+          username: ${{ github.repository_owner }}
+          password: ${{ secrets.GITHUB_TOKEN }}
+
+      - name: Login to Docker Hub
+        uses: docker/login-action@v3
+        with:
+          username: ${{ secrets.DOCKERHUB_USERNAME }}
+          password: ${{ secrets.DOCKERHUB_TOKEN }}
+
+      - name: Build and push
+        uses: docker/build-push-action@v6
+        with:
+          context: .
+          platforms: linux/amd64,linux/arm64
+          push: true
+          tags: ${{ steps.meta.outputs.tags }}
+          labels: ${{ steps.meta.outputs.labels }}
+          cache-from: type=gha
+          cache-to: type=gha,mode=max

.gitignore

@@ -1,8 +1,16 @@
 node_modules/
 gist.db
 .idea/
+.vscode/
 .DS_Store
 /**/.DS_Store
 public/assets/*
 public/manifest.json
+public/.vite/*
+./opengist
 opengist
+build/
+docs/.vitepress/dist/
+docs/.vitepress/cache/
+helm/opengist/charts/
+vendor/

CHANGELOG.md

@@ -1,5 +1,460 @@
 # Changelog
 
+## [1.12.1](https://github.com/thomiceli/opengist/compare/v1.12.0...v1.12.1) - 2026-02-03
+See here how to [update](https://opengist.io/docs/update) Opengist.
+
+### Added
+- More translation strings (#605)
+
+### Fixed
+- Allow Access Tokens with Required Login (#611)
+- Make text files renderable with mimetypes different than text/plain (#612)
+- Improve security on raw files endpoint (#613)
+
+> Admins of Opengist instances may want to run "Synchronize all gists previews" in the admin panel.
+
+## [1.12.0](https://github.com/thomiceli/opengist/compare/v1.11.1...v1.12.0) - 2026-01-27
+See here how to [update](https://opengist.io/docs/update) Opengist.
+
+### Added
+- Access tokens (#602)
+- Fuzzy search for gist search (#555)
+- Allow Unicode letters/numbers in topics (#597)
+- Resize editor height (#600)
+- More translation strings (#516) (#604)
+
+### Fixed
+- Don't panic on Go TCP errors (#601)
+
+### Other
+- Reduce footprint of Docker image (#515)
+- Update Go + JS deps (#603)
+- Configure Dependabot for updates on Go and NPM (#449)
+
+### [Helm Chart](helm/opengist)
+- Use existing pvc claim of provided (#547)
+- Adds StatefulSet support (#549)
+- Move Prom metrics to a dedicated port + support ServiceMonitor (#599)
+
+## [1.11.1](https://github.com/thomiceli/opengist/compare/v1.11.0...v1.11.1) - 2025-09-30
+See here how to [update](https://opengist.io/docs/update) Opengist.
+
+### Added
+- More translation strings (#511)
+
+### Fixed
+- CSV errors for rendering (#514)
+
+### Other
+- Reset default log level to warn
+
+## [1.11.0](https://github.com/thomiceli/opengist/compare/v1.10.0...v1.11.0) - 2025-09-21
+See here how to [update](https://opengist.io/docs/update) Opengist.
+
+### Added
+- LDAP authentication (#470)
+- Listen to Unix websocket (#484)
+- Binary files support (#503)
+- Support for rendering .ipynb Jupyter/IPython notebooks (#491)
+- File upload on gist creation/edition (#507)
+- Read psql sslmode from db uri (#462)
+- OIDC group claim name to OpenID request (#490)
+- Reworked user settings page (#467)
+- Style preference tab for user (#467)
+- Init gist with regular urls via git CLI (http) (#501)
+
+### Fixed
+- Gitlab avatar (#461)
+- Correct German spelling, use consistent wording (#468)
+- Filename unescape (#474)
+- Fix Markdown preview links (#475)
+- Replace Unicode characters with HTML entity codes in embed template (#480)
+- Redirect to $baseUrl after auth with passkey instead of / (#482)
+- Human date on iOS devices (#510)
+
+### Docs
+- Add Proxmox VE Helper-Script (#473)
+
+### Other
+- Use Helm deployment.env[] values (#471)
+- Update Helm Postgres version
+- Use database for Gist init queue (#498)
+- Update go dep chroma (#493)
+
+## [1.10.0](https://github.com/thomiceli/opengist/compare/v1.9.1...v1.10.0) - 2025-04-07
+See here how to [update](https://opengist.io/docs/update) Opengist.
+
+### 🔴 Deprecations
+_Removed in the next SemVer MAJOR version of Opengist._
+* Use the configuration option `index`/`OG_INDEX` **instead of** `index.enabled`/`OG_INDEX_ENABLED`. The default value is `bleve`.
+* The configuration `index.dirname`/`OG_INDEX_DIRNAME` will be removed. If you're using Bleve, the path of the index will be `opengist.index`.
+
+### Added
+- Helm Chart (#454)
+- Meilisearch indexer (#444)
+- Prometheus metrics (#439)
+- Config to name the OIDC provider (#435)
+- Read admin group from OIDC token claim (#445)
+- More translation strings (#438)
+
+### Fixed
+- Garbled text display issues for non-English Unicode characters in browsers (#441)
+- Test database when running `go test` (#442)
+- Allow lag between admin invitation creation and test assertion (#452)
+- gist.html using relative URL (#451)
+- Do not hide file delete button on gist edit page (#447)
+
+### Other
+- Update deps Golang & JS deps (#455)
+
+## [1.9.1](https://github.com/thomiceli/opengist/compare/v1.9.0...v1.9.1) - 2025-02-04
+See here how to [update](https://opengist.io/docs/update) Opengist.
+
+### Added
+- More translation strings (#401)
+
+### Fixed
+- SQL query for MySQL/Postgres on user profile (#424)
+- User avatar on gist likes list (#425)
+
+### Other
+- Update deps Golang & JS deps (#430)
+
+## [1.9.0](https://github.com/thomiceli/opengist/compare/v1.8.4...v1.9.0) - 2025-02-02
+See here how to [update](https://opengist.io/docs/update) Opengist.
+
+### Added
+- Topics (tags) for Gists (#413)
+- Gist languages saved in database (#422)
+- Search gists on user profile with title, visibility, language & topics (#422)
+- Jdenticon for default avatars (#416)
+- Git push option for description (#412)
+- MIME type support for raw file serving (#417)
+
+### Fixed
+- Skip CSRF for embed gists (#402)
+- Remove CSRF check for Git HTTP packs (#408)
+- Replace path.Join with filepath.Join for file system paths (#414)
+- Empty password error when trying to change the username (#418)
+- Save content form on gist create error (#420)
+
+### Other
+- Refactor server code (#407)
+- Remove memdb for gist init (#421)
+- Added Opengist Docker images to Docker Hub
+
+## [1.8.4](https://github.com/thomiceli/opengist/compare/v1.8.3...v1.8.4) - 2024-12-15
+See here how to [update](/docs/update.md) Opengist.
+
+### Added
+- More translation strings (#398)
+- Custom instance names (#399)
+
+### Fixed
+- Prevent passwords managers autofill on filename inputs (#357)
+
+## [1.8.3](https://github.com/thomiceli/opengist/compare/v1.8.2...v1.8.3) - 2024-11-26
+See here how to [update](/docs/update.md) Opengist.
+
+### Changed
+- Throw `warn` instead of `fatal` on Git global config init failure (#392)
+- Define esbuild as a Javascript dependency for all other platforms (#393)
+
+## [1.8.2](https://github.com/thomiceli/opengist/compare/v1.8.1...v1.8.2) - 2024-11-25
+See here how to [update](/docs/update.md) Opengist.
+
+### Added
+- More translation strings (#373) (#388)
+
+### Changed
+- Enforce git config on startup (#383)
+- Respect file scheme URIs for SQLite. (#387)
+
+### Fixed
+- Convert octal notation file names in Git (#380)
+- Git clone on SSH with MySQL (#382)
+- Escaping for embed gists (#381)
+
+### Other
+- Update deps Golang & JS deps
+
+## [1.8.1](https://github.com/thomiceli/opengist/compare/v1.8.0...v1.8.1) - 2024-11-02
+See here how to [update](/docs/update.md) Opengist.
+
+### Changed
+- Hide passkey login when login form is disabled (#369)
+
+### Fixed
+- Markdown preview (#368)
+- confirm() popup messages (#370)
+
+## [1.8.0](https://github.com/thomiceli/opengist/compare/v1.7.5...v1.8.0) - 2024-10-31
+See here how to [update](https://opengist.io/docs/update) Opengist.
+
+### 🔴 Deprecations 
+_Removed in the next SemVer MAJOR version of Opengist._
+* Use the configuration option `db-uri`/`OG_DB_URI` **instead of** `db-filename`/`OG_DB_FILENAME`.\
+  More info [here](https://opengist.io/docs/configuration/databases/sqlite) if you plan to keep SQLite as a DBMS for Opengist.
+
+### Added
+- Postgres and MySQL databases support (#335)
+- Passkeys & TOTP support + MFA (#341) (#342)
+- Add/Remove admins (#337)
+- Queriable shorter uuids (#338)
+- Use Docker secrets (#340)
+- SVG preview in Markdown (#346)
+- Secret key definition & move the secret key file to its parent directory (#358)
+- More translation strings (#339)
+
+### Changed
+- Separate OAuth unlink URL (#336)
+
+### Fixed
+- Adding multiple empty lines in editor. (#345)
+- Config URL (#343)
+- Send Markdown preview data as form params (#347)
+- Fix oauth endpoint to support detecting https in 'Forwarded' header, enabling google support (#359)
+- Use mail handle if OAuth nickname is empty (#362)
+
+### Other
+- Use go 1.23 and update deps (#354)
+- Typos in README (#363)
+
+## [1.7.5](https://github.com/thomiceli/opengist/compare/v1.7.4...v1.7.5) - 2024-09-12
+See here how to [update](/docs/update.md) Opengist.
+
+### Added
+- New website for documentation using Vitepress [https://opengist.io](https://opengist.io) (#326)
+- Ukrainian localization (#325)
+- Dummy /metrics endpoint (#327)
+
+## [1.7.4](https://github.com/thomiceli/opengist/compare/v1.7.3...v1.7.4) - 2024-09-09
+See here how to [update](/docs/update.md) Opengist.
+
+### Added
+- More translations strings (#294) (#304)
+- Hide change password form when login via password disabled (#314)
+- File delete button on create editor (#320)
+- Assets cache header 
+- Hide secret values in admin config page
+- Atomic pointer for indexer (#321)
+
+### Fixed
+- Fatal error using `cases.Title()` (#313)
+- Search unlisted gist (#319)
+
+### Other
+- Removed logger `trace` and `fatal` levels (#322)
+
+## [1.7.3](https://github.com/thomiceli/opengist/compare/v1.7.2...v1.7.3) - 2024-06-03
+See here how to [update](/docs/update.md) Opengist.
+
+### Added
+- Setting to allow anonymous access to individual gists while still RequireLogin everywhere else (#229)
+- Make edit visibility a toggle (#277)
+- More translation strings (#274) (#281)
+- String method to visibility (#276)
+
+### Fixed
+- Perms for http/ssh clone (#288)
+- Fix translation string (#293)
+
+### Other
+- Update deps Golang & JS deps
+- Check translations keys in CI (#279)
+- Fix CI check for additional translations only (#289)
+
+## [1.7.2](https://github.com/thomiceli/opengist/compare/v1.7.1...v1.7.2) - 2024-05-05
+See here how to [update](/docs/update.md) Opengist.
+
+### Added
+- Docs: 
+  - Run with systemd as a normal user (#254)
+  - Kubernetes deployment (#258)
+- More translation strings (#269) (#271)
+
+### Changed
+- Rework git log parsing and truncating (#260)
+- Set Opengist version from git tags (#261)
+
+### Fixed
+- Missing preview button when editing .md gist (#259)
+- Frontend (#267)
+  - Fix mermaid display 
+  - Move Login/Register buttons on mobile 
+  - Set minimum width on avatar
+
+### Other
+- Use go 1.22 and update deps (#244)
+
+## [1.7.1](https://github.com/thomiceli/opengist/compare/v1.7.0...v1.7.1) - 2024-04-05
+See here how to [update](/docs/update.md) Opengist.
+
+### Added
+- Docs: More detailed variant for custom pages (#248)
+
+### Fixed
+- Auth page GitlabName Error (#242)
+- Empty invitation on user creation (#247)
+
+## [1.7.0](https://github.com/thomiceli/opengist/compare/v1.6.1...v1.7.0) - 2024-04-03
+See here how to [update](/docs/update.md) Opengist.
+
+Note: all sessions will be invalidated after this update.
+
+### Added
+- Custom logo configuration (#209)
+- Custom static links (#234)
+- Invitations for closed registrations (#233)
+- Set gist visibility via Git push options (#215)
+- Set gist URL and title via push options (#216)
+- Specify custom names in the OAuth login buttons (#214)
+- Markdown preview (#224)
+- Reset a user password using CLI (#226)
+- Translations (#207, #210)
+
+### Changed
+- Use filesystem session store (#240)
+- Move Git hook logic to Opengist (#213)
+- Increase login for 1 year (#222)
+
+### Fixed
+- Show theme change button on responsive devices (#225)
+- New line literal in embed gists (#237)
+
+### Other
+- GitHub security updates
+- New docker dev env (#220)
+
+## [1.6.1](https://github.com/thomiceli/opengist/compare/v1.6.0...v1.6.1) - 2024-01-06
+See here how to [update](/docs/update.md) Opengist.
+
+### Added
+- Healthcheck on Docker container (#204)
+- Translations:
+  - fr-FR (#201)
+
+### Fixed
+- Directory renaming on username change (#205)
+
+## [1.6.0](https://github.com/thomiceli/opengist/compare/v1.5.3...v1.6.0) - 2024-01-04
+See here how to [update](/docs/update.md) Opengist.
+
+### Added
+- Embedded gists (#179)
+- Gist code search (#194)
+- Custom URLS for gists (#183)
+- Gist JSON data/metadata (#179)
+- Keep default visibility when creating a gist on the UI (#155)
+- Health check endpoint (#170)
+- GitLab OAuth2 login (#174)
+- Syntax highlighting for more file types (#176) 
+- Checkable Markdown checkboxes (#182)
+- Config:
+  - Log output (#172) 
+  - Default git branch name (#171)
+- Change username setting (#190)
+- Admin actions:
+  - Synchronize all gists previews (#191)
+  - Reset Git server hooks for all repositories (#191)
+  - Index all gists (#194)
+- Translations:
+  - cs-CZ (#164)
+  - zh-TW (#166, #195)
+  - hu-HU (#185)
+  - pt-BR (#193)
+- Docs (#198)
+
+### Changed
+- Updated dependencies (#197):
+  - Go `1.20` -> `1.21` 
+  - JavaScript packages
+  - NodeJS Docker image `18` -> `20`
+  - Alpine Docker image `3.17` -> `3.19`
+
+### Fixed
+- Fix reverse proxy subpath support (#192)
+- Fix undecoded gist content when going back to editing in the UI (#184)
+- Fix outputting non-truncated large files for editon/zip download (#184)
+- Allow dashes in usernames (#184)
+- Delete SSH keys associated to deleted user (#184)
+- Better error message when there is no files in gist (#184)
+- Show if there is no files in gist preview (#184)
+- Log parsing for the 11th empty commit (#184)
+- Optimize reading gist files content (#186)
+
+## [1.5.3](https://github.com/thomiceli/opengist/compare/v1.5.2...v1.5.3) - 2023-11-20
+### Added
+- es-ES translation (#139)
+- Create/change account password (#156)
+- Display OAuth error messages when HTTP 400 (#159)
+
+### Fixed
+- Git bare repository branch name creation (#157)
+- Git file truncated output hanging (#157) 
+- Home user directory detection handling (#145)
+- UI changes (#158)
+
+## [1.5.2](https://github.com/thomiceli/opengist/compare/v1.5.1...v1.5.2) - 2023-10-16
+### Added
+- zh-CN translation (#130)
+- ru-RU translation (#135)
+- config.yml usage in the Docker container (#131)
+- Longer title and description (#129)
+
+### Fixed
+- Private gist visibility (#128)
+- Dark background color in Markdown rendering (#137)
+- Error handling for password hashes (#132)
+
+## [1.5.1](https://github.com/thomiceli/opengist/compare/v1.5.0...v1.5.1) - 2023-09-29
+### Added
+- Hungarian translations (#123)
+
+### Fixed
+- .c and .h syntax highlighting (#119)
+- Login page disabled depending on locale (#120)
+- Syntax error on templates when calling locale function (#122)
+
+## [1.5.0](https://github.com/thomiceli/opengist/compare/v1.4.2...v1.5.0) - 2023-09-26
+### Added
+- Private Gist visibility (#87)
+- Create gists from a special Git HTTP server remote URL (#95)
+- OIDC provider integration (#98)
+- Translation system (#104)
+- Run `git gc` on all repositories as admin (#90)
+- Unit and integration tests (#97)
+- Documentation (#110, #111)
+- New logo (#103)
+
+### Changed
+- Use Non-CGO SQLite instead of CGO SQLite (#100)
+- Various UI changes (#84, #93)
+- Improved CI/CD pipeline (#99, #113)
+- Improved git http semantics and repo obfuscation (#94)
+- Updated Go deps (#102)
+
+### Fixed
+- Find command for Windows users (#89)
+- Retain visibility when editing a gist (#83)
+- Typo on admin index page (#85)
+- ViteJS dev server (#91)
+- Bugs (#105)
+
+### Breaking changes
+- Removed CONFIG env var
+- Removed TLS server (#101)
+
+## [1.4.2](https://github.com/thomiceli/opengist/compare/v1.4.1...v1.4.2) - 2023-07-17
+### Added
+- External url to HTML links & redirects (#75)
+- Make unlisted gists not SEO crawlable (#78)
+- Warning message on OAuth unlink (#79)
+
+### Changed
+- Redirect to `/all` when not logged in (#76)
+- Removed Dev Docker image (#80)
+
 ## [1.4.1](https://github.com/thomiceli/opengist/compare/v1.4.0...v1.4.1) - 2023-06-25
 ### ⚠️ Docker users ⚠️
 Opengist Docker volume has been changed from `/root/.opengist` to `/opengist`, do not forget to update your

Dockerfile

@@ -1,16 +1,18 @@
-FROM alpine:3.17 AS build
+FROM alpine:3.22 AS base
 
 RUN apk update && \
-    apk add --no-cache \
-    make \
-    gcc \
-    musl-dev \
-    libstdc++
+        apk add --no-cache \
+        make \
+        gcc \
+        git \
+        musl-dev \
+        libstdc++
 
-COPY --from=golang:1.19-alpine /usr/local/go/ /usr/local/go/
+COPY --from=golang:1.25.6-alpine3.22 /usr/local/go/ /usr/local/go/
 ENV PATH="/usr/local/go/bin:${PATH}"
+ENV CGO_ENABLED=0
 
-COPY --from=node:18-alpine /usr/local/ /usr/local/
+COPY --from=node:24.13.0-alpine3.22 /usr/local/ /usr/local/
 ENV NODE_PATH="/usr/local/lib/node_modules"
 ENV PATH="/usr/local/bin:${PATH}"
 
@@ -18,33 +20,51 @@ WORKDIR /opengist
 
 COPY . .
 
-RUN make
 
-
-FROM alpine:3.17 as run
-
-RUN apk update && \
-    apk add --no-cache \
-    shadow \
+FROM base AS dev
+RUN apk add --no-cache \
     openssl \
-    openssh \
+    openssh-server \
     curl \
     wget \
     git \
     gnupg \
-    xz \
-    gcc \
-    musl-dev \
-    libstdc++
+    xz
+
+EXPOSE 6157 6158 2222 16157
+
+RUN git config --global --add safe.directory /opengist
+RUN make install
+
+VOLUME /opengist
+
+CMD ["make", "watch"]
+
+
+FROM base AS build
+
+RUN make
+
+
+FROM alpine:3.22 AS prod
+
+RUN apk update && \
+    apk add --no-cache \
+    shadow \
+    openssh-server \
+    curl \
+    git
 
 RUN addgroup -S opengist && \
-    adduser -S -G opengist -H -s /bin/ash -g 'Opengist User' opengist
+    adduser -S -G opengist -s /bin/ash -g 'Opengist User' opengist
 
 WORKDIR /app/opengist
 
+COPY --from=build --chown=opengist:opengist /opengist/config.yml /config.yml
 COPY --from=build --chown=opengist:opengist /opengist/opengist .
 COPY --from=build --chown=opengist:opengist /opengist/docker ./docker
 
-EXPOSE 6157 2222
+EXPOSE 6157 6158 2222
 VOLUME /opengist
+HEALTHCHECK --interval=60s --timeout=30s --start-period=15s --retries=3 CMD curl -f http://localhost:6157/healthcheck || exit 1
 ENTRYPOINT ["./docker/entrypoint.sh"]

Makefile

@@ -1,9 +1,14 @@
-.PHONY: all install build_frontend build_backend build build_docker watch_frontend watch_backend watch clean clean_docker
+.PHONY: all all_crosscompile install build_frontend build_backend build build_crosscompile build_docker build_dev_docker run_dev_docker watch_frontend watch_backend watch clean clean_docker check_changes go_mod fmt test check-tr
 
 # Specify the name of your Go binary output
 BINARY_NAME := opengist
+GIT_TAG := $(shell git describe --tags)
+VERSION_PKG := github.com/thomiceli/opengist/internal/config.OpengistVersion
+TEST_DB_TYPE ?= sqlite
 
-all: install build
+all: clean install build
+
+all_crosscompile: clean install build_frontend build_crosscompile
 
 install:
 	@echo "Installing NPM dependencies..."
@@ -13,34 +18,61 @@ install:
 
 build_frontend:
 	@echo "Building frontend assets..."
-	npx vite build
+	npx vite -c public/vite.config.js build
 
 build_backend:
 	@echo "Building Opengist binary..."
-	go build -tags fs_embed -o $(BINARY_NAME) .
+	go build -tags fs_embed -ldflags "-X $(VERSION_PKG)=$(GIT_TAG)" -o $(BINARY_NAME) .
 
 build: build_frontend build_backend
 
+build_crosscompile:
+	@bash ./scripts/build-all.sh
+
 build_docker:
 	@echo "Building Docker image..."
 	docker build -t $(BINARY_NAME):latest .
 
+build_dev_docker:
+	@echo "Building Docker image..."
+	docker build -t $(BINARY_NAME)-dev:latest --target dev .
+
+run_dev_docker:
+	docker run -v .:/opengist -v /opengist/node_modules -p 6157:6157 -p 16157:16157 -p 2222:2222 -v $(HOME)/.opengist-dev:/root/.opengist --rm $(BINARY_NAME)-dev:latest
+
 watch_frontend:
 	@echo "Building frontend assets..."
-	npx vite dev --port 16157
+	npx vite -c public/vite.config.js --port 16157 --host
 
 watch_backend:
 	@echo "Building Opengist binary..."
-	OG_DEV=1 npx nodemon --watch '**/*' -e html,yml,go,js --signal SIGTERM --exec 'go run . --config config.yml'
+	OG_DEV=1 npx nodemon --watch '**/*' -e html,yml,go,js --signal SIGTERM --exec 'go run -ldflags "-X $(VERSION_PKG)=$(GIT_TAG)" . --config config.yml'
 
 watch:
-	@bash ./watch.sh
+	@sh ./scripts/watch.sh
 
 clean:
 	@echo "Cleaning up build artifacts..."
-	@rm -f $(BINARY_NAME) public/manifest.json
-	@rm -rf public/assets
+	@rm -f $(BINARY_NAME)
+	@rm -rf public/assets public/.vite build
 
 clean_docker:
 	@echo "Cleaning up Docker image..."
 	@docker rmi $(BINARY_NAME)
+
+check_changes:
+	@echo "Checking for changes..."
+	@git --no-pager diff --exit-code || (echo "There are unstaged changes detected." && exit 1)
+
+go_mod:
+	@go mod download
+	@go mod tidy
+
+fmt:
+	@go fmt ./...
+
+test:
+	@OPENGIST_TEST_DB=$(TEST_DB_TYPE) go test ./... -p 1
+
+check-tr:
+	@bash ./scripts/check-translations.sh

README.md

@@ -1,66 +1,44 @@
 # Opengist
 
+<img height="108px" src="https://raw.githubusercontent.com/thomiceli/opengist/master/public/img/opengist.svg" alt="Opengist" align="right" />
+
+Opengist is a **self-hosted** Pastebin **powered by Git**. All snippets are stored in a Git repository and can be
+read and/or modified using standard Git commands, or with the web interface.
+It is similar to [GitHub Gist](https://gist.github.com/), but open-source and could be self-hosted.
+
+[Home Page](https://opengist.io) • [Documentation](https://opengist.io/docs) • [Discord](https://discord.gg/9Pm3X5scZT) • [Demo](https://demo.opengist.io)
+
+
 ![GitHub release (latest SemVer)](https://img.shields.io/github/v/release/thomiceli/opengist?sort=semver)
 ![License](https://img.shields.io/github/license/thomiceli/opengist?color=blue)
-![GitHub Workflow Status](https://img.shields.io/github/actions/workflow/status/thomiceli/opengist/go.yml)
+[![Go CI](https://github.com/thomiceli/opengist/actions/workflows/go.yml/badge.svg)](https://github.com/thomiceli/opengist/actions/workflows/go.yml)
 [![Go Report Card](https://goreportcard.com/badge/github.com/thomiceli/opengist)](https://goreportcard.com/report/github.com/thomiceli/opengist)
-
-A self-hosted pastebin **powered by Git**. [Try it here](https://opengist.thomice.li).
-
-* [Features](#features)
-* [Install](#install)
-    * [With Docker](#with-docker)
-    * [From source](#from-source)
-* [Configuration](#configuration)
-    * [Via YAML file](#configuration-via-yaml-file)
-    * [Via Environment Variables](#configuration-via-environment-variables)
-* [Administration](#administration)
-    * [Use Nginx as a reverse proxy](#use-nginx-as-a-reverse-proxy)
-    * [Use Fail2ban](#use-fail2ban)
-* [Configure OAuth](#configure-oauth)
-* [License](#license)
+[![Translate](https://tr.opengist.io/widget/_/svg-badge.svg)](https://tr.opengist.io/projects/_/opengist/)
 
 ## Features
 
-* Create public or unlisted snippets
-* Clone / Pull / Push snippets **via Git** over HTTP or SSH
-* Revisions history
+* Create public, unlisted or private snippets
+* [Init](/docs/usage/init-via-git.md) / Clone / Pull / Push snippets **via Git** over HTTP or SSH
 * Syntax highlighting ; markdown & CSV support
+* Search code in snippets; browse users snippets, likes and forks
+* Add topics to snippets
+* Embed snippets in other websites
+* Revisions history
 * Like / Fork snippets
-* Search for snippets ; browse users snippets, likes and forks
-* Editor with indentation mode & size ; drag and drop files
 * Download raw files or as a ZIP archive
-* OAuth2 login with GitHub and Gitea
-* Avatars via Gravatar or OAuth2 providers
-* Light/Dark mode
-* Responsive UI
-* Enable or disable signups
+* OAuth2 login with GitHub, GitLab, Gitea, and OpenID Connect
 * Restrict or unrestrict snippets visibility to anonymous users
-* Admin panel : delete users/gists; clean database/filesystem by syncing gists
-* SQLite database
-* Logging
-* Docker support
+* Docker support / Helm Chart
+* [More...](/docs/introduction.md#features)
 
-#### Todo
-
-- [ ] Translation
-- [ ] Code/text search
-- [ ] Embed snippets
-- [ ] Tests
-- [ ] Filesystem/Redis support for user sessions
-- [ ] Have a cool logo
-
-## Install
+## Quick start
 
 ### With Docker
 
-Docker [images](https://github.com/thomiceli/opengist/pkgs/container/opengist) are available for each release (`latest`)
-and last development commit (`dev`) :
+Docker [images](https://github.com/thomiceli/opengist/pkgs/container/opengist) are available for each release :
 
 ```shell
-docker pull ghcr.io/thomiceli/opengist       # most recent release
-
-docker pull ghcr.io/thomiceli/opengist:dev   # latest development version
+docker pull ghcr.io/thomiceli/opengist:1.12
 ```
 
 It can be used in a `docker-compose.yml` file :
@@ -70,11 +48,9 @@ It can be used in a `docker-compose.yml` file :
 3. Opengist is now running on port 6157, you can browse http://localhost:6157
 
 ```yml
-version: "3"
-
 services:
   opengist:
-    image: ghcr.io/thomiceli/opengist:1.4
+    image: ghcr.io/thomiceli/opengist:1.12
     container_name: opengist
     restart: unless-stopped
     ports:
@@ -95,9 +71,25 @@ services:
       GID: 1001
 ```
 
+### Via binary
+
+Download the archive for your system from the release page [here](https://github.com/thomiceli/opengist/releases/latest), and extract it.
+
+```shell
+# example for linux amd64
+wget https://github.com/thomiceli/opengist/releases/download/v1.12.1/opengist1.12.1-linux-amd64.tar.gz
+
+tar xzvf opengist1.12.1-linux-amd64.tar.gz
+cd opengist
+chmod +x opengist
+./opengist # with or without `--config config.yml`
+```
+
+Opengist is now running on port 6157, you can browse http://localhost:6157
+
 ### From source
 
-Requirements : [Git](https://git-scm.com/downloads) (2.20+), [Go](https://go.dev/doc/install) (1.19+), [Node.js](https://nodejs.org/en/download/) (16+)
+Requirements: [Git](https://git-scm.com/downloads) (2.28+), [Go](https://go.dev/doc/install) (1.23+), [Node.js](https://nodejs.org/en/download/) (16+), [Make](https://linux.die.net/man/1/make) (optional, but easier)
 
 ```shell
 git clone https://github.com/thomiceli/opengist
@@ -108,153 +100,15 @@ make
 
 Opengist is now running on port 6157, you can browse http://localhost:6157
 
-## Configuration
+---
 
-Opengist provides flexible configuration options through either a YAML file and/or environment variables. 
-You would only need to specify the configuration options you want to change — for any config option left untouched, Opengist will simply apply the default values.
+To create and run a development environment, see [run-development.md](/docs/contributing/development.md).
 
-<details>
-<summary>Configuration option list</summary>
+## Documentation
 
-| YAML Config Key       | Environment Variable     | Default value        | Description                                                                                                                       | 
-|-----------------------|--------------------------|----------------------|-----------------------------------------------------------------------------------------------------------------------------------|
-| log-level             | OG_LOG_LEVEL             | `warn`               | Set the log level to one of the following: `trace`, `debug`, `info`, `warn`, `error`, `fatal`, `panic`.                           |
-| external-url          | OG_EXTERNAL_URL          | none                 | Public URL for the Git HTTP/SSH connection. If not set, uses the URL from the request.                                            |
-| opengist-home         | OG_OPENGIST_HOME         | home directory       | Path to the directory where Opengist stores its data.                                                                             |
-| db-filename           | OG_DB_FILENAME           | `opengist.db`        | Name of the SQLite database file.                                                                                                 |
-| sqlite.journal-mode   | OG_SQLITE_JOURNAL_MODE   | `WAL`                | Set the journal mode for SQLite. More info [here](https://www.sqlite.org/pragma.html#pragma_journal_mode)                         |
-| http.host             | OG_HTTP_HOST             | `0.0.0.0`            | The host on which the HTTP server should bind.                                                                                    |
-| http.port             | OG_HTTP_PORT             | `6157`               | The port on which the HTTP server should listen.                                                                                  |
-| http.git-enabled      | OG_HTTP_GIT_ENABLED      | `true`               | Enable or disable git operations (clone, pull, push) via HTTP. (`true` or `false`)                                                |
-| http.tls-enabled      | OG_HTTP_TLS_ENABLED      | `false`              | Enable or disable TLS for the HTTP server. (`true` or `false`)                                                                    |
-| http.cert-file        | OG_HTTP_CERT_FILE        | none                 | Path to the TLS certificate file if TLS is enabled.                                                                               |
-| http.key-file         | OG_HTTP_KEY_FILE         | none                 | Path to the TLS key file if TLS is enabled.                                                                                       |
-| ssh.git-enabled       | OG_SSH_GIT_ENABLED       | `true`               | Enable or disable git operations (clone, pull, push) via SSH. (`true` or `false`)                                                 |
-| ssh.host              | OG_SSH_HOST              | `0.0.0.0`            | The host on which the SSH server should bind.                                                                                     |
-| ssh.port              | OG_SSH_PORT              | `2222`               | The port on which the SSH server should listen.                                                                                   |
-| ssh.external-domain   | OG_SSH_EXTERNAL_DOMAIN   | none                 | Public domain for the Git SSH connection, if it has to be different from the HTTP one. If not set, uses the URL from the request. |
-| ssh.keygen-executable | OG_SSH_KEYGEN_EXECUTABLE | `ssh-keygen`         | Path to the SSH key generation executable.                                                                                        |
-| github.client-key     | OG_GITHUB_CLIENT_KEY     | none                 | The client key for the GitHub OAuth application.                                                                                  |
-| github.secret         | OG_GITHUB_SECRET         | none                 | The secret for the GitHub OAuth application.                                                                                      |
-| gitea.client-key      | OG_GITEA_CLIENT_KEY      | none                 | The client key for the Gitea OAuth application.                                                                                   |
-| gitea.secret          | OG_GITEA_SECRET          | none                 | The secret for the Gitea OAuth application.                                                                                       |
-| gitea.url             | OG_GITEA_URL             | `https://gitea.com/` | The URL of the Gitea instance.                                                                                                    |
+The documentation is available at [https://opengist.io/](https://opengist.io/) or in the [/docs](/docs) directory.
 
-</details>
-
-### Configuration via YAML file
-
-The configuration file must be specified when launching the application, using the `--config` flag followed by the path to your YAML file.
-
-```shell
-./opengist --config /path/to/config.yml
-```
-
-You can start by copying and/or modifying the provided [config.yml](config.yml) file.
-
-### Configuration via Environment Variables
-
-Usage with Docker Compose :
-
-```yml
-services:
-  opengist:
-    # ...
-    environment:
-      OG_LOG_LEVEL: "info"
-      # etc.
-```
-Usage via command line :
-
-```shell
-OG_LOG_LEVEL=info ./opengist
-```
-
-## Administration
-
-### Use Nginx as a reverse proxy
-
-Configure Nginx to proxy requests to Opengist. Here is an example configuration file :
-```
-server {
-    listen 80;
-    server_name opengist.example.com;
-
-    location / {
-        proxy_pass http://127.0.0.1:6157;
-        proxy_set_header Host $host;
-        proxy_set_header X-Real-IP $remote_addr;
-        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
-        proxy_set_header X-Forwarded-Proto $scheme;
-    }
-}
-```
-
-Then run :
-```shell
-service nginx restart
-```
-
-### Use Fail2ban
-
-Fail2ban can be used to ban IPs that try to bruteforce the login page.
-Log level must be set at least to `warn`.
-
-Add this filter in `etc/fail2ban/filter.d/opengist.conf` :
-```ini
-[Definition]
-failregex =  Invalid .* authentication attempt from <HOST>
-ignoreregex =
-```
-
-Add this jail in `etc/fail2ban/jail.d/opengist.conf` :
-```ini
-[opengist]
-enabled = true
-filter = opengist
-logpath = /home/*/.opengist/log/opengist.log
-maxretry = 10
-findtime = 3600
-bantime = 600
-banaction = iptables-allports
-port = anyport
-```
-
-Then run
-```shell
-service fail2ban restart
-```
-
-## Configure OAuth
-
-Opengist can be configured to use OAuth to authenticate users, with GitHub or Gitea.
-
-<details>
-<summary>Integrate Github</summary>
-
-* Add a new OAuth app in your [Github account settings](https://github.com/settings/applications/new)
-* Set 'Authorization callback URL' to `http://opengist.domain/oauth/github/callback`
-* Copy the 'Client ID' and 'Client Secret' and add them to the configuration :
-  ```yaml
-  github.client-key: <key>
-  github.secret: <secret>
-  ```
-</details>
-
-<details>
-<summary>Integrate Gitea</summary>
-
-* Add a new OAuth app in Application settings from the [Gitea instance](https://gitea.com/user/settings/applications)
-* Set 'Redirect URI' to `http://opengist.domain/oauth/gitea/callback`
-* Copy the 'Client ID' and 'Client Secret' and add them to the configuration :
-  ```yaml
-  gitea.client-key: <key>
-  gitea.secret: <secret>
-  # URL of the Gitea instance. Default: https://gitea.com/
-  gitea.url: http://localhost:3000
-  ```
-</details>
 
 ## License
 
-Opengist is licensed under the [AGPL-3.0 license](LICENSE).
+Opengist is licensed under the [AGPL-3.0 license](/LICENSE).

config.yml

@@ -1,23 +1,49 @@
-# Set the log level to one of the following: trace, debug, info, warn, error, fatal, panic. Default: warn
+# Learn more about Opengist configuration here:
+# https://github.com/thomiceli/opengist/blob/master/docs/configuration/configure.md
+# https://github.com/thomiceli/opengist/blob/master/docs/configuration/cheat-sheet.md
+
+# Set the log level to one of the following: debug, info, warn, error, fatal. Default: warn
 log-level: warn
 
-# Public URL for the Git HTTP/SSH connection.
-# If not set, uses the URL from the request
+# Set the log output to one or more of the following: `stdout`, `file`. Default: stdout,file
+log-output: stdout,file
+
+# Public URL to access to Opengist
 external-url:
 
 # Directory where Opengist will store its data. Default: ~/.opengist/
 opengist-home:
 
-# Name of the SQLite database file. Default: opengist.db
-db-filename: opengist.db
+# Secret key used for session store & encrypt MFA data on database. Default: <randomized 32 bytes>
+secret-key:
+
+# URI of the database. Default: opengist.db (SQLite) is placed in opengist-home
+# SQLite:        file:/path/to/database
+# PostgreSQL:    postgres://user:password@host:port/database
+# MySQL/MariaDB: mysql://user:password@host:port/database
+db-uri: opengist.db
+
+# Define the code indexer (either `bleve`, `meilisearch`, or empty for no index). Default: bleve
+index: bleve
+
+# Set the host for the Meiliseach server
+index.meili.host:
+
+# Set the API key for the Meiliseach server
+index.meili.api-key:
+
+# Default branch name used by Opengist when initializing Git repositories.
+# If not set, uses the Git default branch name. See https://git-scm.com/book/en/v2/Getting-Started-First-Time-Git-Setup#_new_default_branch
+git.default-branch:
 
 # Set the journal mode for SQLite. Default: WAL
 # See https://www.sqlite.org/pragma.html#pragma_journal_mode
+# For SQLite databases only.
 sqlite.journal-mode: WAL
 
-
 # HTTP server configuration
 # Host to bind to. Default: 0.0.0.0
+# Use an IP address for network binding. Use a path for Unix socket binding (e.g. /run/opengist.sock)
 http.host: 0.0.0.0
 
 # Port to bind to. Default: 6157
@@ -26,14 +52,17 @@ http.port: 6157
 # Enable or disable git operations (clone, pull, push) via HTTP (either `true` or `false`). Default: true
 http.git-enabled: true
 
-# Enable or disable TLS (either `true` or `false`). Default: false
-http.tls-enabled: false
+# File permissions for Unix socket (octal format). Default: 0666
+unix-socket-permissions: 0666
 
-# Path to the TLS certificate file if TLS is enabled
-http.cert-file:
+# Enable or disable the Prometheus metrics server (either `true` or `false`). Default: false
+metrics.enabled: false
 
-# Path to the TLS key file if TLS is enabled
-http.key-file:
+# The host on which the metrics server should bind. Default: 0.0.0.0
+metrics.host: 0.0.0.0
+
+# The port on which the metrics server should listen. Default: 6158
+metrics.port: 6158
 
 # SSH built-in server configuration
 # Note: it is not using the SSH daemon from your machine (yet)
@@ -58,16 +87,65 @@ ssh.external-domain:
 # Path or alias to ssh-keygen executable. Default: ssh-keygen
 ssh.keygen-executable: ssh-keygen
 
-
 # OAuth2 configuration
-# The callback/redirect URL must be http://opengist.domain/oauth/<github|gitea>/callback
+# The callback/redirect URL must be http://opengist.url/oauth/<github|gitlab|gitea|openid-connect>/callback
 
 # To create a new OAuth2 application using GitHub : https://github.com/settings/applications/new
 github.client-key:
 github.secret:
 
+# To create a new OAuth2 application using Gitlab : https://gitlab.com/-/user_settings/applications
+gitlab.client-key:
+gitlab.secret:
+# URL of the Gitlab instance. Default: https://gitlab.com/
+gitlab.url: https://gitlab.com/
+# The name of the GitLab instance. It is displayed in the OAuth login button. Default: GitLab
+gitlab.name: GitLab
+
 # To create a new OAuth2 application using Gitea : https://gitea.domain/user/settings/applications
 gitea.client-key:
 gitea.secret:
 # URL of the Gitea instance. Default: https://gitea.com/
 gitea.url: https://gitea.com/
+# The name of the Gitea instance. It is displayed in the OAuth login button. Default: Gitea
+gitea.name: Gitea
+
+# To create a new OAuth2 application using OpenID Connect:
+oidc.provider-name:
+oidc.client-key:
+oidc.secret:
+# Discovery endpoint of the OpenID provider. Generally something like http://auth.example.com/.well-known/openid-configuration
+oidc.discovery-url:
+# The name of the claim containing the groups
+oidc.group-claim-name:
+# The name of the group that should receive admin rights
+oidc.admin-group:
+
+# LDAP authentication configuration
+# URL of the LDAP instance e.g: ldap://ldap.example.com:389 ; if not set, LDAP authentication is disabled
+ldap.url:
+# Bind DN to authenticate against the LDAP e.g: cn=read-only-admin,dc=example,dc=com
+ldap.bind-dn:
+# The password for the Bind DN.
+ldap.bind-credentials:
+# The Base DN to start search from e.g: ou=People,dc=example,dc=com
+ldap.search-base:
+# The filter to search against (the format string %s will be replaced with the username) e.g: (uid=%s)
+ldap.search-filter:
+
+# Instance name
+# Set your own custom name to be displayed instead of 'Opengist'
+custom.name:
+
+# Custom assets
+# Add your own custom assets, that are files relatives to $opengist-home/custom/
+custom.logo:
+custom.favicon:
+
+# Static pages in footer (like legal notices, privacy policy, etc.)
+# The path can be a URL or a relative path to a file in the $opengist-home/custom/ directory
+custom.static-links:
+#  - name: Gitea
+#    path: https://gitea.com
+#  - name: Legal notices
+#    path: legal.html

docker/entrypoint.sh

@@ -7,5 +7,12 @@ groupmod -o -g "$GID" $USER
 usermod -o -u "$UID" $USER
 
 chown -R "$USER:$USER" /opengist
+chown -R "$USER:$USER" /config.yml
 
-exec su $USER -c "OG_OPENGIST_HOME=/opengist /app/opengist/opengist"
+if [ -f "/run/secrets/opengist_secrets" ]; then
+    set -a
+    . /run/secrets/opengist_secrets
+    set +a
+fi
+
+exec su $USER -c "OG_OPENGIST_HOME=/opengist /app/opengist/opengist --config /config.yml"

docs/.vitepress/config.mts

@@ -0,0 +1,98 @@
+import {defineConfig} from 'vitepress'
+
+// https://vitepress.dev/reference/site-config
+export default defineConfig({
+    title: "Opengist",
+    description: "Documention for Opengist",
+    rewrites: {
+        'index.md': 'index.md',
+        'introduction.md': 'docs/index.md',
+        ':path(.*)': 'docs/:path'
+    },
+    themeConfig: {
+        // https://vitepress.dev/reference/default-theme-config
+        logo: 'https://raw.githubusercontent.com/thomiceli/opengist/master/public/img/opengist.svg',
+        logoLink: '/',
+        nav: [
+            { text: 'Demo', link: 'https://demo.opengist.io' },
+            { text: 'Translate', link: 'https://tr.opengist.io' }
+        ],
+
+        sidebar: {
+            '/docs/': [
+            {
+                text: '', items: [
+                    {text: 'Introduction', link: '/docs'},
+                    {text: 'Installation', link: '/docs/installation', items: [
+                        {text: 'Docker', link: '/docs/installation/docker'},
+                        {text: 'Kubernetes', link: '/docs/installation/kubernetes'},
+                        {text: 'Binary', link: '/docs/installation/binary'},
+                        {text: 'Source', link: '/docs/installation/source'},
+                        ],
+                        collapsed: true
+                    },
+                    {text: 'Update', link: '/docs/update'},
+                ], collapsed: false
+            },
+            {
+                text: 'Configuration', base: '/docs/configuration', items: [
+                    {text: 'Configure Opengist', link: '/configure'},
+                    {text: 'Databases', items: [
+                        {text: 'SQLite', link: '/databases/sqlite'},
+                        {text: 'PostgreSQL', link: '/databases/postgresql'},
+                        {text: 'MySQL', link: '/databases/mysql'},
+                        ], collapsed: true
+                    },
+                    {text: 'OAuth Providers', link: '/oauth-providers'},
+                    {text: 'Custom assets', link: '/custom-assets'},
+                    {text: 'Custom links', link: '/custom-links'},
+                    {text: 'Cheat Sheet', link: '/cheat-sheet'},
+                    {text: 'Metrics', link: '/metrics'},
+                    {text: 'Admin panel', link: '/admin-panel'},
+                ], collapsed: false
+            },
+            {
+                text: 'Usage', base: '/docs/usage', items: [
+                    {text: 'Init via Git', link: '/init-via-git'},
+                    {text: 'Embed Gist', link: '/embed'},
+                    {text: 'Access Tokens', link: '/access-tokens'},
+                    {text: 'Gist as JSON', link: '/gist-json'},
+                    {text: 'Import Gists from Github', link: '/import-from-github-gist'},
+                    {text: 'Git push options', link: '/git-push-options'},
+                ], collapsed: false
+            },
+            {
+                text: 'Administration', base: '/docs/administration', items: [
+                    {text: 'Run with systemd', link: '/run-with-systemd'},
+                    {text: 'Reverse proxy', items: [
+                        {text: 'Nginx', link: '/nginx-reverse-proxy'},
+                        {text: 'Traefik', link: '/traefik-reverse-proxy'},
+                    ], collapsed: true},
+                    {text: 'Fail2ban', link: '/fail2ban-setup'},
+                    {text: 'Healthcheck', link: '/healthcheck'},
+                ], collapsed: false
+            },
+            {
+                text: 'Contributing', base: '/docs/contributing', items: [
+                    {text: 'Community', link: '/community'},
+                    {text: 'Development', link: '/development'},
+                ], collapsed: false
+            },
+
+        ]},
+
+        socialLinks: [
+            {icon: 'github', link: 'https://github.com/thomiceli/opengist'}
+        ],
+        editLink: {
+            pattern: 'https://github.com/thomiceli/opengist/edit/stable/docs/:path'
+        },
+        // @ts-ignore
+        lastUpdated: true,
+
+    },
+    head: [
+        ['link', {rel: 'icon', href: '/favicon.svg'}],
+    ],
+    ignoreDeadLinks: true
+})

docs/.vitepress/tailwind.config.js

@@ -1,8 +1,9 @@
 const colors = require('tailwindcss/colors')
 
+/** @type {import('tailwindcss').Config} */
 module.exports = {
   content: [
-    "./templates/**/*.html",
+    "./.vitepress/theme/*.vue",
   ],
   theme: {
     colors: {
@@ -22,9 +23,8 @@ module.exports = {
         800: "#232429",
         900: "#131316"
       },
-      rose: colors.rose,
-      primary: colors.sky,
-      slate: colors.slate
+      indigo: colors.indigo,
+
     },
     extend: {
       borderWidth: {
@@ -32,6 +32,6 @@ module.exports = {
       }
     },
   },
-  plugins: [require("@tailwindcss/typography"),require('@tailwindcss/forms')],
+  plugins: [],
   darkMode: 'class',
 }

docs/.vitepress/theme/Home.vue

@@ -0,0 +1,101 @@
+<script>
+import { withBase } from 'vitepress';
+import './theme.css'
+
+export default {
+
+  setup() {
+    return { withBase };
+  },
+};
+
+</script>
+
+
+<template>
+  <main class="home">
+    <header class="hero">
+      <div class="mx-auto max-w-7xl px-6 lg:px-8">
+        <div class="mx-auto  lg:text-center">
+          <img class="rotating h-36 mx-auto my-8 " src="https://raw.githubusercontent.com/thomiceli/opengist/master/public/img/opengist.svg" alt="" >
+          <a target="_blank" href="https://github.com/thomiceli/opengist/releases" class="inline-flex items-center rounded-full bg-indigo-100 hover:bg-indigo-200 px-4 py-1.5 text-lg font-medium text-indigo-700">
+              <span class="pr-1">Released 1.12</span>
+                        <svg xmlns="http://www.w3.org/2000/svg" fill="none" viewBox="0 0 24 24" stroke-width="1.5" stroke="currentColor" class="size-4">
+              <path stroke-linecap="round" stroke-linejoin="round" d="m4.5 19.5 15-15m0 0H8.25m11.25 0v11.25" />
+            </svg>
+            </a>
+            <h1 class="mt-5 text-4xl font-bold tracking-tight sm:text-5xl">Opengist</h1>
+            <h2 class="mt-4 text-xl">Self-hosted pastebin powered by Git, open-source alternative to Github Gist.</h2>
+          </div>
+        <div class="space-x-2 my-12">
+          <a href="/docs" class="rounded-md bg-indigo-600 mt-6 px-5 py-3 text-xl font-semibold text-white shadow-sm hover:bg-indigo-500 focus-visible:outline focus-visible:outline-2 focus-visible:outline-offset-2 focus-visible:outline-indigo-600">Docs</a>
+          <a target="_blank" href="https://demo.opengist.io" class="rounded-md bg-indigo-400 mt-6 px-5 py-3 text-xl border-white font-semibold text-white shadow-sm hover:bg-indigo-300 focus-visible:outline focus-visible:outline-2 focus-visible:outline-offset-2 focus-visible:outline-indigo-600">Live demo</a>
+          <a target="_blank" href="https://github.com/thomiceli/opengist" class="rounded-md bg-gray-800 mt-6 px-3 py-3 text-xl dark:border dark:border-1 dark:border-gray-400 font-semibold text-white shadow-sm hover:bg-gray-700 focus-visible:outline focus-visible:outline-2 focus-visible:outline-offset-2 focus-visible:outline-indigo-600">
+            <svg stroke="currentColor" fill="currentColor" stroke-width="0" viewBox="0 0 16 16" class="w-7 h-auto inline" height="1em" width="1em" xmlns="http://www.w3.org/2000/svg"><path d="M8 0C3.58 0 0 3.58 0 8c0 3.54 2.29 6.53 5.47 7.59.4.07.55-.17.55-.38 0-.19-.01-.82-.01-1.49-2.01.37-2.53-.49-2.69-.94-.09-.23-.48-.94-.82-1.13-.28-.15-.68-.52-.01-.53.63-.01 1.08.58 1.23.82.72 1.21 1.87.87 2.33.66.07-.52.28-.87.51-1.07-1.78-.2-3.64-.89-3.64-3.95 0-.87.31-1.59.82-2.15-.08-.2-.36-1.02.08-2.12 0 0 .67-.21 2.2.82.64-.18 1.32-.27 2-.27s1.36.09 2 .27c1.53-1.04 2.2-.82 2.2-.82.44 1.1.16 1.92.08 2.12.51.56.82 1.27.82 2.15 0 3.07-1.87 3.75-3.65 3.95.29.25.54.73.54 1.48 0 1.07-.01 1.93-.01 2.2 0 .21.15.46.55.38A8.01 8.01 0 0 0 16 8c0-4.42-3.58-8-8-8"></path></svg>
+          </a>
+        </div>
+        <div class="border border-1 mt-6 px-5 py-3 rounded-md shadow-sm ">
+          <code class="select-all ">docker run --name <span class="text-indigo-700 dark:text-indigo-300 font-bold">opengist</span> -p <span class="text-indigo-700 dark:text-indigo-300 font-bold">6157</span>:6157 -v "<span class="text-indigo-700 dark:text-indigo-300 font-bold">$HOME/.opengist</span>:/opengist" ghcr.io/thomiceli/opengist:1</code>
+        </div>
+      </div>
+    </header>
+
+    <div class="relative w-full sm:max-w-7xl mx-auto overflow-auto">
+      <img class="block w-[200vw] max-w-none sm:w-full h-auto" :src="withBase('/opengist-demo.png')" alt="demo-opengist-screenshot" />
+    </div>
+
+  </main>
+</template>
+
+
+
+<style>
+@-webkit-keyframes rotating /* Safari and Chrome */ {
+  from {
+    -webkit-transform: rotate(0deg);
+    -o-transform: rotate(0deg);
+    transform: rotate(0deg);
+  }
+  to {
+    -webkit-transform: rotate(360deg);
+    -o-transform: rotate(360deg);
+    transform: rotate(360deg);
+  }
+}
+@keyframes rotating {
+  from {
+    -ms-transform: rotate(0deg);
+    -moz-transform: rotate(0deg);
+    -webkit-transform: rotate(0deg);
+    -o-transform: rotate(0deg);
+    transform: rotate(0deg);
+  }
+  to {
+    -ms-transform: rotate(360deg);
+    -moz-transform: rotate(360deg);
+    -webkit-transform: rotate(360deg);
+    -o-transform: rotate(360deg);
+    transform: rotate(360deg);
+  }
+}
+
+.home {
+
+  -webkit-font-smoothing: antialiased;
+  -moz-osx-font-smoothing: grayscale;
+  display: flex;
+  flex-direction: column;
+  gap: 1rem;
+  text-align: center;
+}
+
+.rotating {
+  -webkit-animation: rotating 8s linear infinite;
+  -moz-animation: rotating 4s linear infinite;
+  -ms-animation: rotating 4s linear infinite;
+  -o-animation: rotating 4s linear infinite;
+  animation: rotating 12s linear infinite;
+}
+
+
+</style>

docs/.vitepress/theme/Layout.vue

@@ -0,0 +1,16 @@
+<script setup>
+import { useData } from 'vitepress'
+import Home from './Home.vue'
+import DefaultTheme from 'vitepress/theme'
+
+const { Layout } = DefaultTheme
+const { frontmatter } = useData()
+</script>
+
+<template>
+  <Layout>
+    <template v-if="frontmatter.layout === 'home'" #home-hero-after>
+      <Home />
+    </template>
+  </Layout>
+</template>

docs/.vitepress/theme/index.ts

@@ -0,0 +1,12 @@
+import { h } from 'vue'
+import type { Theme } from 'vitepress'
+import DefaultTheme from 'vitepress/theme'
+import Layout from "./Layout.vue";
+
+export default {
+  ...DefaultTheme,
+  Layout,
+  enhanceApp({ app, router, siteData }) {
+    // ...
+  }
+} satisfies Theme

docs/.vitepress/theme/style.css

@@ -0,0 +1,147 @@
+/**
+ * Customize default theme styling by overriding CSS variables:
+ * https://github.com/vuejs/vitepress/blob/main/src/client/theme-default/styles/vars.css
+ */
+
+/**
+ * Colors
+ *
+ * Each colors have exact same color scale system with 3 levels of solid
+ * colors with different brightness, and 1 soft color.
+ *
+ * - `XXX-1`: The most solid color used mainly for colored text. It must
+ *   satisfy the contrast ratio against when used on top of `XXX-soft`.
+ *
+ * - `XXX-2`: The color used mainly for hover state of the button.
+ *
+ * - `XXX-3`: The color for solid background, such as bg color of the button.
+ *   It must satisfy the contrast ratio with pure white (#ffffff) text on
+ *   top of it.
+ *
+ * - `XXX-soft`: The color used for subtle background such as custom container
+ *   or badges. It must satisfy the contrast ratio when putting `XXX-1` colors
+ *   on top of it.
+ *
+ *   The soft color must be semi transparent alpha channel. This is crucial
+ *   because it allows adding multiple "soft" colors on top of each other
+ *   to create a accent, such as when having inline code block inside
+ *   custom containers.
+ *
+ * - `default`: The color used purely for subtle indication without any
+ *   special meanings attched to it such as bg color for menu hover state.
+ *
+ * - `brand`: Used for primary brand colors, such as link text, button with
+ *   brand theme, etc.
+ *
+ * - `tip`: Used to indicate useful information. The default theme uses the
+ *   brand color for this by default.
+ *
+ * - `warning`: Used to indicate warning to the users. Used in custom
+ *   container, badges, etc.
+ *
+ * - `danger`: Used to show error, or dangerous message to the users. Used
+ *   in custom container, badges, etc.
+ * -------------------------------------------------------------------------- */
+
+ :root {
+  --vp-c-default-1: var(--vp-c-gray-1);
+  --vp-c-default-2: var(--vp-c-gray-2);
+  --vp-c-default-3: var(--vp-c-gray-3);
+  --vp-c-default-soft: var(--vp-c-gray-soft);
+
+  --vp-c-brand-1: var(--vp-c-indigo-1);
+  --vp-c-brand-2: var(--vp-c-indigo-2);
+  --vp-c-brand-3: var(--vp-c-indigo-3);
+  --vp-c-brand-soft: var(--vp-c-indigo-soft);
+
+  --vp-c-tip-1: var(--vp-c-brand-1);
+  --vp-c-tip-2: var(--vp-c-brand-2);
+  --vp-c-tip-3: var(--vp-c-brand-3);
+  --vp-c-tip-soft: var(--vp-c-brand-soft);
+
+  --vp-c-warning-1: var(--vp-c-yellow-1);
+  --vp-c-warning-2: var(--vp-c-yellow-2);
+  --vp-c-warning-3: var(--vp-c-yellow-3);
+  --vp-c-warning-soft: var(--vp-c-yellow-soft);
+
+  --vp-c-danger-1: var(--vp-c-red-1);
+  --vp-c-danger-2: var(--vp-c-red-2);
+  --vp-c-danger-3: var(--vp-c-red-3);
+  --vp-c-danger-soft: var(--vp-c-red-soft);
+}
+
+/**
+ * Component: Button
+ * -------------------------------------------------------------------------- */
+
+:root {
+  --vp-button-brand-border: transparent;
+  --vp-button-brand-text: var(--vp-c-white);
+  --vp-button-brand-bg: var(--vp-c-brand-3);
+  --vp-button-brand-hover-border: transparent;
+  --vp-button-brand-hover-text: var(--vp-c-white);
+  --vp-button-brand-hover-bg: var(--vp-c-brand-2);
+  --vp-button-brand-active-border: transparent;
+  --vp-button-brand-active-text: var(--vp-c-white);
+  --vp-button-brand-active-bg: var(--vp-c-brand-1);
+}
+
+/**
+ * Component: Home
+ * -------------------------------------------------------------------------- */
+
+:root {
+  --vp-home-hero-name-color: transparent;
+  --vp-home-hero-name-background: -webkit-linear-gradient(
+    120deg,
+    #0f0513 30%,
+    #7e8b90
+  );
+
+  --vp-home-hero-image-background-image: linear-gradient(
+    -45deg,
+    #bd34fe 50%,
+    #47caff 50%
+  );
+  --vp-home-hero-image-filter: blur(44px);
+}
+
+@media (min-width: 640px) {
+  :root {
+    --vp-home-hero-image-filter: blur(56px);
+  }
+}
+
+@media (min-width: 960px) {
+  :root {
+    --vp-home-hero-image-filter: blur(68px);
+  }
+}
+
+/**
+ * Component: Custom Block
+ * -------------------------------------------------------------------------- */
+
+:root {
+  --vp-custom-block-tip-border: transparent;
+  --vp-custom-block-tip-text: var(--vp-c-text-1);
+  --vp-custom-block-tip-bg: var(--vp-c-brand-soft);
+  --vp-custom-block-tip-code-bg: var(--vp-c-brand-soft);
+}
+
+/**
+ * Component: Algolia
+ * -------------------------------------------------------------------------- */
+
+.DocSearch {
+  --docsearch-primary-color: var(--vp-c-brand-1) !important;
+}
+
+.content img {
+    padding-left: 20px;
+    height: 108px;
+}
+
+@tailwind base;
+@tailwind components;
+@tailwind utilities;

docs/administration/fail2ban-setup.md

@@ -0,0 +1,29 @@
+# Fail2ban setup
+
+Fail2ban can be used to ban IPs that try to bruteforce the login page.
+Log level must be set at least to `warn`.
+
+Add this filter in `etc/fail2ban/filter.d/opengist.conf` :
+```ini
+[Definition]
+failregex =  Invalid .* authentication attempt from <HOST>
+ignoreregex =
+```
+
+Add this jail in `etc/fail2ban/jail.d/opengist.conf` :
+```ini
+[opengist]
+enabled = true
+filter = opengist
+logpath = /home/*/.opengist/log/opengist.log
+maxretry = 10
+findtime = 3600
+bantime = 600
+banaction = iptables-allports
+port = anyport
+```
+
+Then run
+```shell
+service fail2ban restart
+```

docs/administration/healthcheck.md

@@ -0,0 +1,13 @@
+# Healthcheck
+
+A healthcheck is a simple HTTP GET request to the `/healthcheck` endpoint. It returns a `200 OK` response if the server is healthy.
+
+## Example
+
+```shell
+curl http://localhost:6157/healthcheck
+```
+
+```json
+{"database":"ok","opengist":"ok","time":"2024-01-04T05:18:33+01:00"}
+```

docs/administration/manage-admins.md

@@ -0,0 +1,11 @@
+# Manage admins
+
+You can add and remove Opengist admins from the CLI.
+
+```bash
+./opengist admin toggle-admin <username>
+```
+```bash
+$ ./opengist admin toggle-admin thomas
+User thomas admin set to true
+```

docs/administration/nginx-reverse-proxy.md

@@ -0,0 +1,46 @@
+# Use Nginx as a reverse proxy
+
+Configure Nginx to proxy requests to Opengist. Here are example configuration file to use Opengist on a subdomain or on a subpath.
+
+Make sure you set the base url for Opengist via the [configuration](/docs/configuration/cheat-sheet.md).
+
+### Subdomain
+```
+server {
+    listen 80;
+    server_name opengist.example.com;
+
+    location / {
+        proxy_pass http://127.0.0.1:6157;
+        proxy_set_header Host $host;
+        proxy_set_header X-Real-IP $remote_addr;
+        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+        proxy_set_header X-Forwarded-Proto $scheme;
+    }
+}
+```
+
+### Subpath
+```
+server {
+    listen 80;
+    server_name example.com;
+
+    location /opengist/ {
+        rewrite ^/opengist(/.*)$ $1 break;
+        proxy_pass http://127.0.0.1:6157;
+        proxy_set_header Host $host;
+        proxy_set_header X-Real-IP $remote_addr;
+        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+        proxy_set_header X-Forwarded-Proto $scheme;
+        proxy_set_header X-Forwarded-Prefix /opengist;
+    }
+}
+```
+
+---
+
+To apply changes:
+```shell
+sudo systemctl restart nginx
+```

docs/administration/reset-password.md

@@ -0,0 +1,7 @@
+# Reset a user password
+
+To reset a user password, run the following command using the Opengist binary:
+
+```bash
+./opengist admin reset-password <username> <new-password>
+```

docs/administration/run-with-systemd.md

@@ -0,0 +1,92 @@
+# Run with Systemd
+
+For non-Docker users, you could run Opengist as a systemd service.
+
+## As root
+On Unix distributions with systemd, place the Opengist binary like:
+
+```shell
+sudo cp opengist /usr/local/bin
+sudo mkdir -p /var/lib/opengist
+sudo cp config.yml /etc/opengist
+```
+
+Edit the Opengist home directory configuration in `/etc/opengist/config.yml` like:
+```shell
+opengist-home: /var/lib/opengist
+```
+
+Create a new user to run Opengist:
+```shell
+sudo useradd --system opengist
+sudo mkdir -p /var/lib/opengist
+sudo chown -R opengist:opengist /var/lib/opengist
+```
+
+Then create a service file at `/etc/systemd/system/opengist.service`:
+```ini
+[Unit]
+Description=opengist Server
+After=network.target
+
+[Service]
+Type=simple
+User=opengist
+Group=opengist
+ExecStart=opengist --config /etc/opengist/config.yml
+Restart=on-failure
+
+[Install]
+WantedBy=multi-user.target
+```
+
+Finally, start the service:
+```shell
+systemctl daemon-reload
+systemctl enable --now opengist
+systemctl status opengist
+```
+
+----
+
+## As a normal user
+**NOTE: This was tested on Ubuntu 20.04 and newer. For other distros, please check the respective documentation**  
+
+#### For the purpose of this documentation, we will assume that:
+- You've followed the instructions on how to run opengist [from source](https://github.com/thomiceli/opengist?tab=readme-ov-file#from-source)
+- Your shell user is named `pastebin`
+- All commands are being executed as the `pastebin` user
+
+_If none of the above is true, then adapt the commands and paths to fit your needs._
+
+Enable lingering for the user:
+```shell
+loginctl enable-linger
+```
+
+Create the user systemd folder:
+```
+mkdir -p /home/pastebin/.config/systemd/user
+```
+
+Then create a service file at `/home/pastebin/.config/systemd/user/opengist.service`:
+```ini
+[Unit]
+Description=opengist Server
+After=network.target
+
+[Service]
+Type=simple
+ExecStart=/home/pastebin/opengist/opengist --config /home/pastebin/opengist/config.yml
+Restart=on-failure
+
+[Install]
+WantedBy=default.target
+```
+
+Finally, start the service:
+```shell
+systemctl --user daemon-reload
+systemctl --user enable --now opengist
+systemctl --user status opengist
+```

docs/administration/traefik-reverse-proxy.md

@@ -0,0 +1,48 @@
+# Use Traefik as a reverse proxy
+
+You can set up Traefik in two ways:
+
+<details>
+<summary>Using Docker labels</summary>
+
+Add these labels to your `docker-compose.yml` file:
+
+```yml
+labels:
+  - traefik.http.routers.opengist.rule=Host(`opengist.example.com`) # Change to your subdomain
+  # Uncomment the line below if you run Opengist in a subdirectory
+  # - traefik.http.routers.app1.rule=PathPrefix(`/opengist{regex:$$|/.*}`) # Change opentist in the regex to yuor subdirectory name
+  - traefik.http.routers.opengist.entrypoints=websecure # Change to the name of your 443 port entrypoint
+  - traefik.http.routers.opengist.tls.certresolver=lets-encrypt # Change to certresolver's name
+  - traefik.http.routers.opengist.service=opengist
+  - traefik.http.services.opengist.loadBalancer.server.port=6157
+```
+</details>
+<details>
+<summary>Using a <code>yml</code> file</summary>
+
+> [!Note]
+> Don't forget to change the `<server-address>` to your server's IP
+
+`traefik_dynamic.yml`
+```yml
+http:
+  routers:
+    opengist:
+      entrypoints: websecure
+      rule: Host(`opengist.example.com`) # Comment this line and uncomment the line below if using a subpath
+      # rule: PathPrefix(`/opengist{regex:$$|/.*}`) # Change opentist in the regex to yuor subdirectory name
+      # middlewares:
+      #   - opengist-fail2ban
+      service: opengist
+      tls:
+        certresolver: lets-encrypt
+  services:
+    opengist:
+      loadbalancer:
+        servers:
+          - url: "http://<server-address>:6157"
+
+```
+
+</details>

docs/configuration/admin-panel.md

@@ -0,0 +1,53 @@
+# Admin panel
+
+The first user created on your Opengist instance has access to the Admin panel.
+
+To access the Admin panel:
+
+1. Log in
+2. Click your username in the upper right corner
+3. Select `Admin`
+
+## Usage
+
+### General
+
+Here you can see some basic information, like Opengist version, alongside some stats.
+
+You can also start some actions like forcing synchronization of gists,
+starting garbage collection, etc.
+
+### Users
+
+Here you can see your users and delete them.
+
+### Gists
+
+Here you can see all the gists and some basic information about them. You also have an option
+to delete them.
+
+
+### Invitations
+
+Here you can create invitation links with some options like limiting the number of signed up
+users or setting an expiration date.
+
+> [!Note]
+> Invitation links override the `Disable signup` option but not the `Disable login form` option.
+>
+> Users will see only the OAuth providers when `Disable login form` is enabled.
+
+### Configuration
+
+Here you can change a limited number of settings without restarting the instance.
+
+- Disable signup
+    - Forbid the creation of new accounts.
+- Require login
+    - Enforce users to be logged in to see gists.
+- Allow individual gists without login
+    - Allow individual gists to be viewed and downloaded without login, while requiring login for discovering gists.
+- Disable login form
+    - Forbid logging in via the login form to force using OAuth providers instead.
+- Disable Gravatar
+    - Disable the usage of Gravatar as an avatar provider.

docs/configuration/cheat-sheet.md

@@ -0,0 +1,54 @@
+---
+aside: false
+---
+
+# Configuration Cheat Sheet
+
+| YAML Config Key         | Environment Variable                | Default value         | Description                                                                                                                                                                                                                      |
+|-------------------------|-------------------------------------|-----------------------|----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
+| log-level               | OG_LOG_LEVEL                        | `warn`                | Set the log level to one of the following: `debug`, `info`, `warn`, `error`, `fatal`.                                                                                                                                            |
+| log-output              | OG_LOG_OUTPUT                       | `stdout,file`         | Set the log output to one or more of the following: `stdout`, `file`.                                                                                                                                                            |
+| external-url            | OG_EXTERNAL_URL                     | none                  | Public URL to access to Opengist.                                                                                                                                                                                                |
+| opengist-home           | OG_OPENGIST_HOME                    | home directory        | Path to the directory where Opengist stores its data.                                                                                                                                                                            |
+| secret-key              | OG_SECRET_KEY                       | randomized 32 bytes   | Secret key used for session store & encrypt MFA data on database.                                                                                                                                                                |
+| db-uri                  | OG_DB_URI                           | `opengist.db`         | URI of the database.                                                                                                                                                                                                             |
+| index                   | OG_INDEX                            | `bleve`               | Define the code indexer (either `bleve`, `meilisearch`, or empty for no index).                                                                                                                                                  |
+| index.meili.host        | OG_MEILI_HOST                       | none                  | Set the host for the Meiliseach server.                                                                                                                                                                                          |
+| index.meili.api-key     | OG_MEILI_API_KEY                    | none                  | Set the API key for the Meiliseach server.                                                                                                                                                                                       |
+| git.default-branch      | OG_GIT_DEFAULT_BRANCH               | none                  | Default branch name used by Opengist when initializing Git repositories. If not set, uses the Git default branch name. More info [here](https://git-scm.com/book/en/v2/Getting-Started-First-Time-Git-Setup#_new_default_branch) |
+| sqlite.journal-mode     | OG_SQLITE_JOURNAL_MODE              | `WAL`                 | Set the journal mode for SQLite. More info [here](https://www.sqlite.org/pragma.html#pragma_journal_mode)                                                                                                                        |
+| http.host               | OG_HTTP_HOST                        | `0.0.0.0`             | The host on which the HTTP server should bind. Use an IP address for network binding. Use a path for Unix socket binding (e.g. /run/opengist.sock)                                                                               |
+| http.port               | OG_HTTP_PORT                        | `6157`                | The port on which the HTTP server should listen.                                                                                                                                                                                 |
+| http.git-enabled        | OG_HTTP_GIT_ENABLED                 | `true`                | Enable or disable git operations (clone, pull, push) via HTTP. (`true` or `false`)                                                                                                                                               |
+| unix-socket-permissions | OG_UNIX_SOCKET_PERMISSIONS          | `0666`                | File permissions for Unix socket (octal format).                                                                                                                                                                                 |
+| metrics.enabled         | OG_METRICS_ENABLED                  | `false`               | Enable or disable Prometheus metrics server (`true` or `false`)                                                                                                                                                                  |
+| metrics.host            | OG_METRICS_HOST                     | `0.0.0.0`             | The host on which the metrics server should bind.                                                                                                                                                                                |
+| metrics.port            | OG_METRICS_PORT                     | `6158`                | The port on which the metrics server should listen.                                                                                                                                                                              |
+| ssh.git-enabled         | OG_SSH_GIT_ENABLED                  | `true`                | Enable or disable git operations (clone, pull, push) via SSH. (`true` or `false`)                                                                                                                                                |
+| ssh.host                | OG_SSH_HOST                         | `0.0.0.0`             | The host on which the SSH server should bind.                                                                                                                                                                                    |
+| ssh.port                | OG_SSH_PORT                         | `2222`                | The port on which the SSH server should listen.                                                                                                                                                                                  |
+| ssh.external-domain     | OG_SSH_EXTERNAL_DOMAIN              | none                  | Public domain for the Git SSH connection, if it has to be different from the HTTP one. If not set, uses the URL from the request.                                                                                                |
+| ssh.keygen-executable   | OG_SSH_KEYGEN_EXECUTABLE            | `ssh-keygen`          | Path to the SSH key generation executable.                                                                                                                                                                                       |
+| github.client-key       | OG_GITHUB_CLIENT_KEY                | none                  | The client key for the GitHub OAuth application.                                                                                                                                                                                 |
+| github.secret           | OG_GITHUB_SECRET                    | none                  | The secret for the GitHub OAuth application.                                                                                                                                                                                     |
+| gitlab.client-key       | OG_GITLAB_CLIENT_KEY                | none                  | The client key for the GitLab OAuth application.                                                                                                                                                                                 |
+| gitlab.secret           | OG_GITLAB_SECRET                    | none                  | The secret for the GitLab OAuth application.                                                                                                                                                                                     |
+| gitlab.url              | OG_GITLAB_URL                       | `https://gitlab.com/` | The URL of the GitLab instance.                                                                                                                                                                                                  |
+| gitlab.name             | OG_GITLAB_NAME                      | `GitLab`              | The name of the GitLab instance. It is displayed in the OAuth login button.                                                                                                                                                      |
+| gitea.client-key        | OG_GITEA_CLIENT_KEY                 | none                  | The client key for the Gitea OAuth application.                                                                                                                                                                                  |
+| gitea.secret            | OG_GITEA_SECRET                     | none                  | The secret for the Gitea OAuth application.                                                                                                                                                                                      |
+| gitea.url               | OG_GITEA_URL                        | `https://gitea.com/`  | The URL of the Gitea instance.                                                                                                                                                                                                   |
+| gitea.name              | OG_GITEA_NAME                       | `Gitea`               | The name of the Gitea instance. It is displayed in the OAuth login button.                                                                                                                                                       |
+| oidc.provider-name      | OG_OIDC_PROVIDER_NAME               | none                  | The name of the OIDC provider                                                                                                                                                                                                    |
+| oidc.client-key         | OG_OIDC_CLIENT_KEY                  | none                  | The client key for the OpenID application.                                                                                                                                                                                       |
+| oidc.secret             | OG_OIDC_SECRET                      | none                  | The secret for the OpenID application.                                                                                                                                                                                           |
+| oidc.discovery-url      | OG_OIDC_DISCOVERY_URL               | none                  | Discovery endpoint of the OpenID provider.                                                                                                                                                                                       |
+| ldap.url                | OG_LDAP_URL                         | none                  | URL of the LDAP instance; if not set, LDAP authentication is disabled                                                                                                                                                            |
+| ldap.bind-dn            | OG_LDAP_BIND_DN                     | none                  | Bind DN to authenticate against the LDAP. e.g: cn=read-only-admin,dc=example,dc=com                                                                                                                                              |
+| ldap.bind-credentials   | OG_LDAP_BIND_CREDENTIALS            | none                  | The password for the Bind DN.                                                                                                                                                                                                    |
+| ldap.search-base        | OG_LDAP_SEARCH_BASE                 | none                  | The Base DN to start search from. e.g: ou=People,dc=example,dc=com                                                                                                                                                               |
+| ldap.search-filter      | OG_LDAP_SEARCH_FILTER               | none                  | The filter to search against (the format string %s will be replaced with the username). e.g: (uid=%s)                                                                                                                            |
+| custom.name             | OG_CUSTOM_NAME                      | none                  | The name of your instance, to be displayed in the tab title                                                                                                                                                                      |
+| custom.logo             | OG_CUSTOM_LOGO                      | none                  | Path to an image, relative to $opengist-home/custom.                                                                                                                                                                             |
+| custom.favicon          | OG_CUSTOM_FAVICON                   | none                  | Path to an image, relative to $opengist-home/custom.                                                                                                                                                                             |
+| custom.static-links     | OG_CUSTOM_STATIC_LINK_#_(PATH,NAME) | none                  | Path and name to custom links, more info [here](custom-links.md).                                                                                                                                                                |

docs/configuration/configure.md

@@ -0,0 +1,72 @@
+# Configuration
+
+Opengist provides flexible configuration options through either a YAML file and/or environment variables.
+You would only need to specify the configuration options you want to change — for any config option left untouched, 
+Opengist will simply apply the default values.
+
+The [configuration cheat sheet](cheat-sheet.md) lists all available configuration options.
+
+
+## Configuration via YAML file
+
+The configuration file must be specified when launching the application, using the `--config` flag followed by the path 
+to your YAML file.
+
+Usage with Docker Compose :
+```yml
+services:
+  opengist:
+    # ...
+    volumes:
+    # ...
+    - "/path/to/config.yml:/config.yml"
+```
+
+Usage via command line :
+```shell
+./opengist --config /path/to/config.yml
+```
+
+You can start by copying and/or modifying the provided [config.yml](https://github.com/thomiceli/opengist/blob/stable/config.yml) file.
+
+
+## Configuration via Environment Variables
+
+Usage with Docker Compose :
+```yml
+services:
+  opengist:
+    # ...
+    environment:
+      OG_LOG_LEVEL: "info"
+      # etc.
+```
+
+Usage via command line :
+```shell
+OG_LOG_LEVEL=info ./opengist
+```
+
+### Using Docker Compose secrets
+
+You can use Docker Compose secrets to not expose sensitive information in your compose file, using a `.env` file.
+
+```dotenv
+# file secrets.env
+OG_GITLAB_CLIENT_KEY=your_gitlab_client_key
+OG_GITLAB_SECRET=your_gitlab_secret_key
+```
+
+And then use it in your compose file :
+
+```yml
+services:
+  opengist:
+    # ...
+    secrets:
+      - opengist_secrets
+
+secrets:
+  opengist_secrets:
+    file: ./secrets.env
+```

docs/configuration/custom-assets.md

@@ -0,0 +1,45 @@
+# Custom assets
+
+To add custom assets to your Opengist instance, you can use the `$opengist-home/custom` directory (where `$opengist-home` is the directory where Opengist stores its data).
+
+### Logo / Favicon
+
+To add a custom logo or favicon, you can add your own image file to the `$opengist-home/custom` directory, then define the relative path in the config.
+
+For example, if you have a logo file `logo.png` in the `$opengist-home/custom` directory, you can set the logo path in the config as follows:
+
+#### YAML
+```yaml
+custom.logo: logo.png
+```
+
+#### Environment variable
+```sh
+export OG_CUSTOM_LOGO=logo.png
+```
+
+Same as the favicon:
+
+#### YAML
+```yaml
+custom.favicon: favicon.png
+```
+
+#### Environment variable
+```sh
+export OG_CUSTOM_FAVICON=favicon.png
+```
+
+### Instance Name
+
+It is also possible to set a name for your instance, that would be displayed in the title bar instead of 'Opengist'.
+
+#### YAML
+```yaml
+custom.name: My Gists
+```
+
+#### Environment variable
+```sh
+export OG_CUSTOM_NAME="My Gists"
+```

docs/configuration/custom-links.md

@@ -0,0 +1,62 @@
+# Custom links
+
+On the footer of your Opengist instance, you can add links to custom static templates or any other website you want to link to.
+This can be useful for legal information, privacy policy, or any other information you want to provide to your users.
+
+To add one or more links, you can add your own file to the `$opengist-home/custom` directory or set a URL, then define the relative path and its name in the config.
+
+For example, if you have a legal information file `legal.html` in the `$opengist-home/custom` directory, and also wish to add a link to a Gitea instance, you can set the link in the config as follows:
+
+#### YAML
+```yaml
+custom.static-links:
+  - name: Legal notices
+    path: legal.html
+  - name: Gitea
+    path: https://gitea.com
+```
+
+#### Environment variable
+```sh
+OG_CUSTOM_STATIC_LINK_0_NAME="Legal Notices" \
+OG_CUSTOM_STATIC_LINK_0_PATH=legal.html \
+OG_CUSTOM_STATIC_LINK_1_NAME=Gitea \
+OG_CUSTOM_STATIC_LINK_1_PATH=https://gitea.com \
+./opengist
+```
+
+## Templating custom HTML pages
+
+In the start and end of the custom HTML files, you can use the syntax to include the header and footer of the Opengist instance:
+
+```html
+{{ template "header" . }}
+
+<!-- my content -->
+
+{{ template "footer" . }}
+```
+
+If you want your custom page to integrate well into the existing theme, you can use the following:
+
+```html
+{{ template "header" . }}
+
+<div class="py-10">
+   <header class="pb-4 ">
+      <div class="flex">
+         <div class="flex-auto">
+            <h2 class="text-2xl font-bold leading-tight">Heading</h2>
+         </div>
+      </div>
+   </header>
+   <main>
+     <h3 class="text-xl font-bold leading-tight mt-4">Sub-Heading</h3>
+     <p class="mt-4 ml-1"><!-- my content --></p>
+   </main>
+</div>
+
+{{ template "footer" . }}
+```
+
+You can adjust above as needed. Opengist uses TailwindCSS classes.

docs/configuration/databases/mysql.md

@@ -0,0 +1,47 @@
+# Using MySQL/MariaDB
+
+To use MySQL/MariaDB as the database backend, you need to set the database URI configuration to the connection string of your MySQL/MariaDB database with this format :
+
+`mysql://<user>:<password>@<host>:<port>/<database>`
+
+#### YAML
+```yaml
+# Example
+db-uri: mysql://root:passwd@localhost:3306/opengist_db
+```
+
+#### Environment variable
+```sh
+# Example
+OG_DB_URI=mysql://root:passwd@localhost:3306/opengist_db
+```
+
+### Docker Compose
+```yml
+services:
+  opengist:
+    image: ghcr.io/thomiceli/opengist:1
+    container_name: opengist
+    restart: unless-stopped
+    depends_on:
+      - mysql
+    ports:
+      - "6157:6157"
+      - "2222:2222"
+    volumes:
+      - "$HOME/.opengist:/opengist"
+    environment:
+      OG_DB_URI: mysql://opengist:secret@mysql:3306/opengist_db
+      # other configuration options
+
+  mysql:
+    image: mysql:8.4
+    restart: unless-stopped
+    volumes:
+      - "./opengist-database:/var/lib/mysql"
+    environment:
+      MYSQL_USER: opengist
+      MYSQL_PASSWORD: secret
+      MYSQL_DATABASE: opengist_db
+      MYSQL_ROOT_PASSWORD: rootsecret
+```

docs/configuration/databases/postgresql.md

@@ -0,0 +1,46 @@
+# Using PostgreSQL
+
+To use PostgreSQL as the database backend, you need to set the database URI configuration to the connection string of your PostgreSQL database with this format :
+
+`postgres://<user>:<password>@<host>:<port>/<database>`
+
+#### YAML
+```yaml
+# Example
+db-uri: postgres://postgres:passwd@localhost:5432/opengist_db
+```
+
+#### Environment variable
+```sh
+# Example
+OG_DB_URI=postgres://postgres:passwd@localhost:5432/opengist_db
+```
+
+### Docker Compose
+```yml
+services:
+  opengist:
+    image: ghcr.io/thomiceli/opengist:1
+    container_name: opengist
+    restart: unless-stopped
+    depends_on:
+      - postgres
+    ports:
+      - "6157:6157"
+      - "2222:2222"
+    volumes:
+      - "$HOME/.opengist:/opengist"
+    environment:
+      OG_DB_URI: postgres://opengist:secret@postgres:5432/opengist_db
+      # other configuration options
+
+  postgres:
+    image: postgres:16.4
+    restart: unless-stopped
+    volumes:
+      - "./opengist-database:/var/lib/postgresql/data"
+    environment:
+      POSTGRES_USER: opengist
+      POSTGRES_PASSWORD: secret
+      POSTGRES_DB: opengist_db
+```

docs/configuration/databases/sqlite.md

@@ -0,0 +1,44 @@
+# Using SQLite
+
+By default, Opengist uses SQLite as the database backend.
+
+Because SQLite is a file-based database, there is not much configuration to tweak.
+
+The configuration `db-uri`/`OG_DB_URI` refers to the path of the SQLite database file relative in the `$opengist-home/` directory (default `opengist.db`),
+although it can be left untouched. You can also use an absolute path outside the `$opengist-home/` directory.
+
+The SQLite journal mode is set to [`WAL` (Write-Ahead Logging)](https://www.sqlite.org/pragma.html#pragma_journal_mode) by default and can be changed.
+
+#### YAML
+```yaml
+# default
+db-uri: opengist.db
+sqlite.journal-mode: WAL
+
+# absolute path outside the $opengist-home/ directory
+db-uri: file:/home/user/opengist.db
+```
+
+#### Environment variable
+```sh
+# default
+OG_DB_URI=opengist.db
+OG_SQLITE_JOURNAL_MODE=WAL
+```
+
+### Docker Compose
+```yml
+services:
+  opengist:
+    image: ghcr.io/thomiceli/opengist:1
+    container_name: opengist
+    restart: unless-stopped
+    ports:
+      - "6157:6157" # HTTP port
+      - "2222:2222" # SSH port, can be removed if you don't use SSH
+    volumes:
+      - "$HOME/.opengist:/opengist"
+    environment:
+      OG_SQLITE_JOURNAL_MODE: WAL
+      # other configuration options
+```

docs/configuration/metrics.md

@@ -0,0 +1,59 @@
+# Metrics
+
+Opengist offers built-in support for Prometheus metrics to help you monitor the performance and usage of your instance. These metrics provide insights into application health, user activity, and database statistics.
+
+## Enabling metrics
+
+By default, the metrics server is disabled for security and performance reasons. To enable it, update your configuration as stated in the [configuration cheat sheet](cheat-sheet.md):
+
+```yaml
+metrics.enabled: true
+```
+
+Alternatively, you can use the environment variable:
+
+```bash
+OG_METRICS_ENABLED=true
+```
+
+Once enabled, metrics are available on a separate server at `http://0.0.0.0:6158/metrics` by default.
+
+## Configuration
+
+The metrics server runs on a separate port from the main application. By default, it binds to `0.0.0.0` (all interfaces) on port `6158`.
+
+| Config Key     | Environment Variable | Default     | Description                                    |
+|----------------|---------------------|-------------|------------------------------------------------|
+| metrics.enabled | OG_METRICS_ENABLED  | `false`     | Enable or disable the metrics server           |
+| metrics.host    | OG_METRICS_HOST     | `0.0.0.0`   | The host on which the metrics server binds     |
+| metrics.port    | OG_METRICS_PORT     | `6158`      | The port on which the metrics server listens   |
+
+Example configuration:
+
+```yaml
+metrics.enabled: true
+metrics.host: 0.0.0.0
+metrics.port: 6158
+```
+
+## Available metrics
+
+### Opengist-specific metrics
+
+| Metric Name | Type | Description |
+|-------------|------|-------------|
+| `opengist_users_total` | Gauge | Total number of registered users |
+| `opengist_gists_total` | Gauge | Total number of gists in the system |
+| `opengist_ssh_keys_total` | Gauge | Total number of SSH keys added by users |
+
+### Standard HTTP metrics
+
+In addition to the Opengist-specific metrics, standard Prometheus HTTP metrics are also available through the Echo Prometheus middleware. These include request durations, request counts, and request/response sizes.
+
+These standard metrics follow the Prometheus naming convention and include labels for HTTP method, status code, and handler path.
+
+## Security Considerations
+
+The metrics server binds to `0.0.0.0` by default, making it accessible on all network interfaces. This default works well for containerized deployments (Docker, Kubernetes) where network isolation is handled at the infrastructure level.
+
+For bare-metal or VM deployments where the metrics port may be exposed, consider restricting to localhost by setting `metrics.host: 127.0.0.1` to only allow local access.

docs/configuration/oauth-providers.md

@@ -0,0 +1,94 @@
+# Use OAuth providers
+
+Opengist can be configured to use OAuth to authenticate users, with GitHub, Gitea, or OpenID Connect.
+
+## GitHub
+
+* Add a new OAuth app in your [GitHub account settings](https://github.com/settings/applications/new)
+* Set 'Authorization callback URL' to `http://opengist.url/oauth/github/callback`
+* Copy the 'Client ID' and 'Client Secret' and add them to the [configuration](cheat-sheet.md) :
+  ```yaml
+  github.client-key: <key>
+  github.secret: <secret>
+  ```
+  ```shell
+  OG_GITHUB_CLIENT_KEY=<key>
+  OG_GITHUB_SECRET=<secret>
+  ```
+
+
+## GitLab
+
+* Add a new OAuth app in Application settings from the [GitLab instance](https://gitlab.com/-/user_settings/applications)
+* Set 'Redirect URI' to `http://opengist.url/oauth/gitlab/callback`
+* Copy the 'Client ID' and 'Client Secret' and add them to the [configuration](cheat-sheet.md) :
+  ```yaml
+  gitlab.client-key: <key>
+  gitlab.secret: <secret>
+  # URL of the GitLab instance. Default: https://gitlab.com/
+  gitlab.url: https://gitlab.com/
+  ```
+  ```shell
+  OG_GITLAB_CLIENT_KEY=<key>
+  OG_GITLAB_SECRET=<secret>
+  # URL of the GitLab instance. Default: https://gitlab.com/
+  OG_GITLAB_URL=https://gitlab.com/
+  ```
+  
+
+
+## Gitea
+
+* Add a new OAuth app in Application settings from the [Gitea instance](https://gitea.com/user/settings/applications)
+* Set 'Redirect URI' to `http://opengist.url/oauth/gitea/callback`
+* Copy the 'Client ID' and 'Client Secret' and add them to the [configuration](cheat-sheet.md) :
+  ```yaml
+  gitea.client-key: <key>
+  gitea.secret: <secret>
+  # URL of the Gitea instance. Default: https://gitea.com/
+  gitea.url: http://localhost:3000
+  ```
+  ```shell
+  OG_GITEA_CLIENT_KEY=<key>
+  OG_GITEA_SECRET=<secret>
+  # URL of the Gitea instance. Default: https://gitea.com/
+  OG_GITEA_URL=http://localhost:3000
+  ```
+  
+
+
+## OpenID Connect
+
+* Add a new OAuth app in Application settings of your OIDC provider
+* Set 'Redirect URI' to `http://opengist.url/oauth/openid-connect/callback`
+* Copy the 'Client ID', 'Client Secret', and the discovery endpoint, and add them to the [configuration](cheat-sheet.md) :
+  ```yaml
+  oidc.provider-name: <provider-name>
+  oidc.client-key: <key>
+  oidc.secret: <secret>
+  # Discovery endpoint of the OpenID provider. Generally something like http://auth.example.com/.well-known/openid-configuration
+  oidc.discovery-url: http://auth.example.com/.well-known/openid-configuration
+  ```
+  ```shell
+  OG_OIDC_PROVIDER_NAME=<provider-name>
+  OG_OIDC_CLIENT_KEY=<key>
+  OG_OIDC_SECRET=<secret>
+  # Discovery endpoint of the OpenID provider. Generally something like http://auth.example.com/.well-known/openid-configuration
+  OG_OIDC_DISCOVERY_URL=http://auth.example.com/.well-known/openid-configuration
+  ```
+
+### OIDC Admin Group
+
+OpenGist supports automatic admin privilege assignment based on OIDC group claims. To configure this feature:
+```yaml
+oidc.group-claim-name: groups        # Name of the claim containing the groups
+oidc.admin-group: admin-group-name   # Name of the group that should receive admin rights
+```
+```shell
+OG_OIDC_GROUP_CLAIM_NAME=groups
+OG_OIDC_ADMIN_GROUP=admin-group-name
+```
+
+The `group-claim-name` must match the name of the claim in your JWT token that contains the groups.
+
+Users who are members of the configured `admin-group` will automatically receive admin privileges in OpenGist. These privileges are synchronized on every login.

docs/contributing/community.md

@@ -0,0 +1,7 @@
+# Community
+
+The following is a list of resources made by happy users of Opengist. Feel free to make a PR add your own!
+
+- [Aetherinox/opengist-debian](https://github.com/Aetherinox/opengist-debian) - A Debian package for Opengist
+- [How to Install Opengist on Your Synology NAS](https://mariushosting.com/how-to-install-opengist-on-your-synology-nas/) - A guide to install Opengist on a Synology NAS
+- [Proxmox VE Helper-Script](https://community-scripts.github.io/ProxmoxVE/scripts?id=opengist) - A script to install Opengist on Proxmox VE

docs/contributing/development.md

@@ -0,0 +1,39 @@
+# Run Opengist in development mode
+
+## With Docker
+
+Assuming you have [Make](https://linux.die.net/man/1/make) installed,
+
+```shell
+# Clone the repository
+git clone git@github.com:thomiceli/opengist.git
+cd opengist
+
+# Build the development image
+make build_dev_docker
+```
+
+Now you can run the development image with the following command:
+
+```shell
+make run_dev_docker
+```
+
+Opengist is now running on port 6157, you can browse http://localhost:6157
+
+## As a binary
+
+Requirements:
+* [Git](https://git-scm.com/downloads) (2.28+)
+* [Go](https://go.dev/doc/install) (1.25+)
+* [Node.js](https://nodejs.org/en/download/) (20+)
+* [Make](https://linux.die.net/man/1/make) (optional, but easier)
+
+```shell
+git clone git@github.com:thomiceli/opengist.git
+cd opengist
+make install
+make watch
+```
+
+Opengist is now running on port 6157, you can browse http://localhost:6157

docs/index.md

@@ -0,0 +1,4 @@
+---
+layout: home
+navbar: false
+---

docs/installation.md

@@ -0,0 +1,7 @@
+# Install Opengist
+
+There are several ways to install Opengist, depending on your preferences and your environment.
+
+- [Docker](installation/docker.md)
+- [Source](installation/source.md)
+- [Binary](installation/binary.md)

docs/installation/binary.md

@@ -0,0 +1,14 @@
+# Install from binary
+
+Download the archive for your system from the release page [here](https://github.com/thomiceli/opengist/releases/latest), and extract it.
+
+```shell
+# example for linux amd64
+wget https://github.com/thomiceli/opengist/releases/download/v1.12.1/opengist1.12.1-linux-amd64.tar.gz
+
+tar xzvf opengist1.12.1-linux-amd64.tar.gz
+cd opengist
+chmod +x opengist
+./opengist # with or without `--config config.yml`
+```
+

docs/installation/docker.md

@@ -0,0 +1,41 @@
+# Install with Docker
+
+Docker [images](https://github.com/thomiceli/opengist/pkgs/container/opengist) are available for each release :
+
+```shell
+docker pull ghcr.io/thomiceli/opengist:1
+```
+
+It can be used in a `docker-compose.yml` file :
+
+1. Create a `docker-compose.yml` file with the following content
+2. Run `docker compose up -d`
+3. Opengist is now running on port 6157, you can browse http://localhost:6157
+
+```yml
+services:
+  opengist:
+    image: ghcr.io/thomiceli/opengist:1
+    container_name: opengist
+    restart: unless-stopped
+    ports:
+      - "6157:6157" # HTTP port
+      - "2222:2222" # SSH port, can be removed if you don't use SSH
+    volumes:
+      - "$HOME/.opengist:/opengist"
+    environment:
+      # OG_LOG_LEVEL: info
+      # other configuration options
+```
+
+You can define which user/group should run the container and own the files by setting the `UID` and `GID` environment
+variables :
+
+```yml
+services:
+  opengist:
+    # ...
+    environment:
+      UID: 1001
+      GID: 1001
+```

docs/installation/kubernetes.md

@@ -0,0 +1,15 @@
+# Install on Kubernetes
+
+A [Helm](https://helm.sh) chart is available to install Opengist on a Kubernetes cluster.
+Check the [Helm documentation](https://helm.sh/docs/) for more information on how to use Helm.
+
+A non-customized installation of Opengist can be done with:
+
+```bash
+helm repo add opengist https://helm.opengist.io
+ 
+helm install opengist opengist/opengist
+```
+
+Refer to the [Opengist chart](https://github.com/thomiceli/opengist/tree/master/helm/opengist) for more information 
+about the chart and to customize your installation.

docs/installation/source.md

@@ -0,0 +1,19 @@
+# Installation from source
+
+Requirements:
+* [Git](https://git-scm.com/downloads) (2.28+)
+* [Go](https://go.dev/doc/install) (1.25+)
+* [Node.js](https://nodejs.org/en/download/) (20+)
+* [Make](https://linux.die.net/man/1/make) (optional, but easier)
+
+```shell
+git clone https://github.com/thomiceli/opengist
+cd opengist
+
+git checkout v1.12.1 # optional, to checkout the latest release
+
+make
+./opengist
+```
+
+Opengist is now running on port 6157, you can browse http://localhost:6157

docs/introduction.md

@@ -0,0 +1,56 @@
+# Opengist
+
+<img height="108px" src="https://raw.githubusercontent.com/thomiceli/opengist/master/public/img/opengist.svg" alt="Opengist" align="right" />
+
+Opengist is a **self-hosted** pastebin **powered by Git**. All snippets are stored in a Git repository and can be
+read and/or modified using standard Git commands, or with the web interface. 
+It is similiar to [GitHub Gist](https://gist.github.com/), but open-source and could be self-hosted.
+
+Written in [Go](https://go.dev), Opengist aims to be fast and easy to deploy.
+
+
+## Features
+
+* Create public, unlisted or private snippets
+* [Init](usage/init-via-git.md) / Clone / Pull / Push snippets **via Git** over HTTP or SSH
+* Syntax highlighting ; markdown & CSV support
+* Search code in snippets ; browse users snippets, likes and forks
+* Add topics to snippets
+* Embed snippets in other websites
+* Revisions history
+* Like / Fork snippets
+* Editor with indentation mode & size ; drag and drop files
+* Download raw files or as a ZIP archive
+* Retrieve snippet data/metadata via a JSON API
+* OAuth2 login with GitHub, GitLab, Gitea, and OpenID Connect
+* Avatars via Gravatar or OAuth2 providers
+* Light/Dark mode
+* Responsive UI
+* Enable or disable signups
+* Restrict or unrestrict snippets visibility to anonymous users
+* Admin panel : 
+  * delete users/gists; 
+  * clean database/filesystem by syncing gists
+  * run `git gc` for all repositories
+* SQLite/PostgreSQL/MySQL database
+* Logging
+* Docker support
+
+
+## System requirements
+
+[Git](https://git-scm.com/download) is obviously required to run Opengist, as it's the main feature of the app.
+Version **2.28** or later is recommended as the app has not been tested with older Git versions and some features would not work.
+
+[OpenSSH](https://www.openssh.com/) suite if you wish to use Git over SSH.
+
+
+## Components
+
+* Backend Web Framework: [Echo](https://echo.labstack.com/)
+* ORM: [GORM](https://gorm.io/)
+* Frontend libraries:
+  * [TailwindCSS](https://tailwindcss.com/)
+  * [CodeMirror](https://codemirror.net/)
+  * [Day.js](https://day.js.org/)
+  * and [others](/package.json)

docs/public/favicon.svg

@@ -0,0 +1,17 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!-- Generator: Adobe Illustrator 27.0.0, SVG Export Plug-In . SVG Version: 6.00 Build 0)  -->
+<svg version="1.1" id="Layer_1" xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink" x="0px" y="0px" viewBox="0 0 500 500" style="enable-background:new 0 0 500 500;" xml:space="preserve">
+<style type="text/css">
+	.st0{fill:#FFFFFF;}
+</style>
+<g id="document" transform="scale(1.6666666666666667 1.6666666666666667) translate(150.0 150.0)">
+	<path class="st0" d="M131.3,24.3c13.7-71-33.9-139.5-106.4-152.9C-47.7-142-117.6-95.3-131.3-24.3s33.9,139.5,106.4,152.9   C47.7,142,117.6,95.3,131.3,24.3z"/>
+	<path class="st0" d="M128.9,0c0,55.7-36.8,103-88,119.8c0.2-1.2,0.3-2.5,0.3-4c0.1-22.3,0.2-36.2,0.2-52.8   c0-11.7-0.2-18.1-0.2-18.1c1.8,0,21.1-6,29.9-12.1S89.2,15.1,90.5-1.4c1.3-16.6-6-36.2-12.4-47.8C65.3-72.4,54.7-86.6,45.4-94.5   c-9.3-7.8-16.1-6.1-22.1-1.4S8.5-76.9,2.2-71.2c-3,2.8-10.6,12-20.4,3.3C-21-70.3-38-93.6-48.5-90.6c-13.1,3.7-28.1,27.3-35.1,43.8   c-9,21-10.8,33.6-6.1,63.5c4.7,29.9,7.5,60,11.8,76.4c1,4,2.3,7.4,4,10.4c-33.2-22.8-55-60.7-55-103.5   c0-69.7,57.7-126.3,128.9-126.3S128.9-69.7,128.9,0z"/>
+	<path d="M0-145c-81.8,0-148.1,64.9-148.1,145S-81.8,145,0,145S148.1,80.1,148.1,0S81.8-145,0-145z M40.9,119.8   c0.2-1.2,0.3-2.5,0.3-4c0.1-22.3,0.2-36.2,0.2-52.8c0-11.7-0.2-18.1-0.2-18.1c1.8,0,21.1-6,29.9-12.1S89.2,15.1,90.5-1.4   c1.3-16.6-6-36.2-12.4-47.8C65.3-72.4,54.7-86.6,45.4-94.5c-9.3-7.8-16.1-6.1-22.1-1.4S8.5-76.9,2.2-71.2c-3,2.8-10.6,12-20.4,3.3   C-21-70.3-38-93.6-48.5-90.6c-13.1,3.7-28.1,27.3-35.1,43.8c-9,21-10.8,33.6-6.1,63.5c4.7,29.9,7.5,60,11.8,76.4   c1,4,2.3,7.4,4,10.4c-33.2-22.8-55-60.7-55-103.5c0-69.7,57.7-126.3,128.9-126.3S128.9-69.7,128.9,0   C128.9,55.7,92.1,103,40.9,119.8z"/>
+	<path class="st0" d="M-102.8-7.2l91.2-9.4l-0.3-7l-91.2,9.4L-102.8-7.2z"/>
+	<path class="st0" d="M12-17.3c0.8-9.6-6.5-18-16.3-18.8s-18.4,6.4-19.2,16S-17-2.1-7.2-1.3S11.2-7.7,12-17.3z"/>
+	<path class="st0" d="M62.9-24.6c0.8-9.6-6.5-18-16.3-18.8c-9.8-0.8-18.4,6.4-19.2,16c-0.8,9.6,6.5,18,16.3,18.8S62.1-15,62.9-24.6z   "/>
+	<path class="st0" d="M-11.8-16.8l67.6-7.3l-0.5-6.3l-67.5,7.3L-11.8-16.8z"/>
+	<path class="st0" d="M53.1-23.6l49.5-12.2l-0.6-6.3L52.5-29.9L53.1-23.6z"/>
+</g>
+</svg>

docs/update.md

@@ -0,0 +1,58 @@
+# Update Opengist
+
+## Make a backup
+
+Before updating, always make sure to backup the Opengist home directory, where all the data is stored. 
+
+You can do so by copying the `~/.opengist` directory (default location).
+
+```shell
+cp -r ~/.opengist ~/.opengist.bak
+```
+
+## Install the new version
+
+### With Docker
+
+Pull the last version of Opengist
+```shell
+docker pull ghcr.io/thomiceli/opengist:1
+```
+
+And restart the container, using `docker compose up -d` for example if you use docker compose.
+
+### Via binary
+
+Stop the running instance; then like your first installation of Opengist, download the archive for your system from the release page [here](https://github.com/thomiceli/opengist/releases/latest), and extract it.
+
+```shell
+# example for linux amd64
+wget https://github.com/thomiceli/opengist/releases/download/v1.12.1/opengist1.12.1-linux-amd64.tar.gz
+
+tar xzvf opengist1.12.1-linux-amd64.tar.gz
+cd opengist
+chmod +x opengist
+./opengist # with or without `--config config.yml`
+```
+
+### From source
+
+Stop the running instance; then pull the last changes from the master branch, and build the new version.
+
+```shell
+git switch master
+git pull
+make
+./opengist
+```
+
+## Restore the backup
+
+If you have any issue with the new version, you can restore the backup you made before updating.
+
+```shell
+rm -rf ~/.opengist
+cp -r ~/.opengist.bak ~/.opengist
+```
+
+Then run the old version of Opengist again.

docs/usage/access-tokens.md

@@ -0,0 +1,26 @@
+# Access tokens
+
+Access tokens are used to access your private gists and their raw content. For now, it is the only use while a future API is being developed.
+
+## Creating an access token
+
+To create an access token, follow these steps:
+1. Go to Settings
+2. Select the "Access Tokens" menu
+3. Choose a name for your token, the scope and an expiration date (optional), then click "Create Access Token"
+
+## Using an access token
+
+Once you have created an access token, you can use it to access your private gists with it.
+
+Replace `<token>` with your actual access token in the following examples.
+
+```shell
+# Access raw content of a private gist, latest revision for "file.txt". Note: this URL is obtained from the "Raw" button on the gist page.
+curl -H "Authorization: Token <token>" \
+ http://opengist.example.com/user/gist/raw/HEAD/file.txt
+
+# Access the JSON representation of a private gist. See "Gist as JSON" documentation for more details.
+curl -H "Authorization: Token <token>" \
+ http://opengist.example.com/user/gist.json
+```

docs/usage/embed.md

@@ -0,0 +1,11 @@
+# Embed a Gist to your webpage
+
+To embed a Gist to your webpage, you can add a script tag with the URL of your gist followed by `.js` to your HTML page:
+    
+```html
+<script src="http://opengist.url/user/gist-url.js"></script>
+
+<!-- Dark mode: -->
+<script src="http://opengist.url/user/gist-url.js?dark"></script>
+```
+

docs/usage/gist-json.md

@@ -0,0 +1,37 @@
+# Retrieve Gist as JSON
+
+To retrieve a Gist as JSON, you can add `.json` to the end of the URL of your gist:
+
+```shell
+curl http://opengist.url/thomas/my-gist.json | jq '.'
+```
+
+It returns a JSON object with the following structure similar to this one:
+```json
+{
+  "created_at": "2023-04-12T13:15:20+02:00",
+  "description": "",
+  "embed": {
+    "css": "http://localhost:6157/assets/embed-94abc261.css",
+    "html": "<div class=\"opengist-embed\" id=\"my-gist\">\n    <div class=\"html \">\n    \n        <div class=\"rounded-md border-1 border-gray-100 dark:border-gray-800 overflow-auto mb-4\">\n            <div class=\"border-b-1 border-gray-100 dark:border-gray-700 text-xs p-2 pl-4 bg-gray-50 dark:bg-gray-800 text-gray-400\">\n                <a target=\"_blank\" href=\"http://localhost:6157/thomas/my-gist#file-hello-md\"><span class=\"font-bold text-gray-700 dark:text-gray-200\">hello.md</span> · 21 B · Markdown</a>\n                <span class=\"float-right\"><a target=\"_blank\" href=\"http://localhost:6157\">Hosted via Opengist</a> · <span class=\"text-gray-700 dark:text-gray-200 font-bold\"><a target=\"_blank\" href=\"http://localhost:6157/thomas/my-gist/raw/HEAD/hello.md\">view raw</a></span></span>\n            </div>\n            \n            \n            \n            <div class=\"chroma markdown markdown-body p-8\"><h1>Welcome to Opengist</h1>\n</div>\n            \n\n        </div>\n    \n    </div>\n</div>\n",
+    "js": "http://localhost:6157/thomas/my-gist.js",
+    "js_dark": "http://localhost:6157/thomas/my-gist.js?dark"
+  },
+  "files": [
+    {
+      "filename": "hello.md",
+      "size": 21,
+      "human_size": "21 B",
+      "content": "# Welcome to Opengist",
+      "truncated": false,
+      "type": "Markdown"
+    }
+  ],
+  "id": "my-gist",
+  "owner": "thomas",
+  "title": "hello.md",
+  "uuid": "8622b297bce54b408e36d546cef8019d",
+  "visibility": "public"
+}
+```
+

docs/usage/git-push-options.md

@@ -0,0 +1,32 @@
+# Push Options
+
+Opengist has support for a few [Git push options](https://git-scm.com/docs/git-push#Documentation/git-push.txt--oltoptiongt). 
+
+These options are passed to `git push` command and can be used to change the metadata of a gist.
+
+## Set URL
+
+```shell
+git push -o url=mygist # Will set the URL to https://opengist.example.com/user/mygist
+```
+
+## Change title
+
+```shell
+git push -o title=Gist123
+git push -o title="My Gist 123"
+```
+
+## Change description
+
+```shell
+git push -o description="This is my gist description"
+```
+
+## Change visibility
+
+```shell
+git push -o visibility=public
+git push -o visibility=unlisted
+git push -o visibility=private
+```

docs/usage/import-from-github-gist.md

@@ -0,0 +1,23 @@
+# Import Gists from GitHub
+
+After running Opengist at least once, you can import your Gists from GitHub using this script:
+
+```shell
+github_user=user # replace with your GitHub username
+opengist_url="http://user:password@opengist.url/init" # replace user, password and Opengist url
+
+curl -s https://api.github.com/users/"$github_user"/gists?per_page=100 | jq '.[] | .git_pull_url' -r | while read url; do 
+    git clone "$url"
+    repo_dir=$(basename "$url" .git)
+    
+    # Add remote, push, and remove the directory
+    if [ -d "$repo_dir" ]; then
+        cd "$repo_dir"
+        git remote add gist "$opengist_url"
+        git push -u gist --all
+        cd ..
+        rm -rf "$repo_dir"
+    fi
+done
+```
+

docs/usage/init-via-git.md

@@ -0,0 +1,64 @@
+# Init Gists via Git
+
+Opengist allows you to create new snippets via Git over HTTP. You can create gists with either auto-generated URLs or custom URLs of your choice.
+
+Simply init a new Git repository where your file(s) is/are located:
+
+```shell
+git init
+git add .
+git commit -m "My cool snippet"
+```
+
+### Option A: Regular URL
+
+Create a gist with a custom URL using the format `http://opengist.url/username/custom-url`, where `username` is your authenticated username and `custom-url` is your desired gist identifier.
+
+The gist must not exist yet if you want to create it, otherwise you will just push to the existing gist.
+
+```shell
+git remote add origin http://opengist.url/thomas/my-custom-gist
+
+git push -u origin master
+```
+
+**Requirements for custom URLs:**
+- The username must match your authenticated username
+- URL format: `http://opengist.url/username/custom-url`
+- The custom URL becomes your gist's identifier and title
+- `.git` suffix is automatically removed if present
+
+### Option B: Init endpoint
+
+Use the special `http://opengist.url/init` endpoint to create a gist with an automatically generated URL:
+
+```shell
+git remote add origin http://opengist.url/init
+
+git push -u origin master
+```
+
+## Authentication
+
+When you push, you'll be prompted to authenticate:
+
+```shell
+Username for 'http://opengist.url': thomas
+Password for 'http://thomas@opengist.url': [your-password]
+Enumerating objects: 3, done.
+Counting objects: 100% (3/3), done.
+Delta compression using up to 8 threads
+Compressing objects: 100% (2/2), done.
+Writing objects: 100% (3/3), 416 bytes | 416.00 KiB/s, done.
+Total 3 (delta 0), reused 0 (delta 0), pack-reused 0
+remote:
+remote: Your new repository has been created here: http://opengist.url/thomas/6051e930f140429f9a2f3bb1fa101066
+remote:
+remote: If you want to keep working with your gist, you could set the remote URL via:
+remote: git remote set-url origin http://opengist.url/thomas/6051e930f140429f9a2f3bb1fa101066
+remote:
+To http://opengist.url/init
+ * [new branch]      master -> master
+```
+
+<video controls="controls" src="https://github.com/thomiceli/opengist/assets/27960254/3fe1a0ba-b638-4928-83a1-f38e46fea066" />

fs_embed.go

@@ -1,8 +0,0 @@
-//go:build fs_embed
-
-package main
-
-import "embed"
-
-//go:embed templates/*/*.html public/manifest.json public/assets/*.js public/assets/*.css public/assets/*.svg public/assets/*.png
-var dirFS embed.FS

fs_os.go

@@ -1,7 +0,0 @@
-//go:build !fs_embed
-
-package main
-
-import "os"
-
-var dirFS = os.DirFS(".")

go.mod

@@ -1,42 +1,125 @@
 module github.com/thomiceli/opengist
 
-go 1.19
+go 1.25.5
 
 require (
-	github.com/go-playground/validator/v10 v10.11.0
-	github.com/google/uuid v1.3.0
-	github.com/gorilla/sessions v1.2.1
-	github.com/labstack/echo/v4 v4.10.0
-	github.com/markbates/goth v1.77.0
-	github.com/mattn/go-sqlite3 v1.14.13
-	github.com/rs/zerolog v1.29.0
-	golang.org/x/crypto v0.2.0
-	golang.org/x/text v0.7.0
+	github.com/Kunde21/markdownfmt/v3 v3.1.0
+	github.com/alecthomas/chroma/v2 v2.23.1
+	github.com/blevesearch/bleve/v2 v2.5.7
+	github.com/dustin/go-humanize v1.0.1
+	github.com/gabriel-vasile/mimetype v1.4.12
+	github.com/glebarez/sqlite v1.11.0
+	github.com/go-ldap/ldap/v3 v3.4.12
+	github.com/go-playground/validator/v10 v10.30.1
+	github.com/go-webauthn/webauthn v0.15.0
+	github.com/google/uuid v1.6.0
+	github.com/gorilla/schema v1.4.1
+	github.com/gorilla/securecookie v1.1.2
+	github.com/gorilla/sessions v1.4.0
+	github.com/labstack/echo-contrib v0.17.4
+	github.com/labstack/echo/v4 v4.15.0
+	github.com/markbates/goth v1.82.0
+	github.com/meilisearch/meilisearch-go v0.36.0
+	github.com/pquerna/otp v1.5.0
+	github.com/prometheus/client_golang v1.23.2
+	github.com/rs/zerolog v1.34.0
+	github.com/stretchr/testify v1.11.1
+	github.com/urfave/cli/v2 v2.27.7
+	github.com/yuin/goldmark v1.7.16
+	github.com/yuin/goldmark-emoji v1.0.6
+	github.com/yuin/goldmark-highlighting/v2 v2.0.0-20230729083705-37449abec8cc
+	go.abhg.dev/goldmark/mermaid v0.6.0
+	golang.org/x/crypto v0.47.0
+	golang.org/x/text v0.33.0
 	gopkg.in/yaml.v3 v3.0.1
-	gorm.io/driver/sqlite v1.3.2
-	gorm.io/gorm v1.23.5
+	gorm.io/driver/mysql v1.6.0
+	gorm.io/driver/postgres v1.6.0
+	gorm.io/gorm v1.31.1
 )
 
 require (
-	github.com/go-playground/locales v0.14.0 // indirect
-	github.com/go-playground/universal-translator v0.18.0 // indirect
-	github.com/golang-jwt/jwt v3.2.2+incompatible // indirect
-	github.com/golang/protobuf v1.4.2 // indirect
-	github.com/gorilla/context v1.1.1 // indirect
-	github.com/gorilla/mux v1.6.2 // indirect
-	github.com/gorilla/securecookie v1.1.1 // indirect
+	filippo.io/edwards25519 v1.1.0 // indirect
+	github.com/Azure/go-ntlmssp v0.1.0 // indirect
+	github.com/RoaringBitmap/roaring/v2 v2.14.4 // indirect
+	github.com/andybalholm/brotli v1.2.0 // indirect
+	github.com/beorn7/perks v1.0.1 // indirect
+	github.com/bits-and-blooms/bitset v1.24.4 // indirect
+	github.com/blevesearch/bleve_index_api v1.3.1 // indirect
+	github.com/blevesearch/geo v0.2.4 // indirect
+	github.com/blevesearch/go-faiss v1.0.27 // indirect
+	github.com/blevesearch/go-porterstemmer v1.0.3 // indirect
+	github.com/blevesearch/gtreap v0.1.1 // indirect
+	github.com/blevesearch/mmap-go v1.2.0 // indirect
+	github.com/blevesearch/scorch_segment_api/v2 v2.4.1 // indirect
+	github.com/blevesearch/segment v0.9.1 // indirect
+	github.com/blevesearch/snowballstem v0.9.0 // indirect
+	github.com/blevesearch/upsidedown_store_api v1.0.2 // indirect
+	github.com/blevesearch/vellum v1.2.0 // indirect
+	github.com/blevesearch/zapx/v11 v11.4.2 // indirect
+	github.com/blevesearch/zapx/v12 v12.4.2 // indirect
+	github.com/blevesearch/zapx/v13 v13.4.2 // indirect
+	github.com/blevesearch/zapx/v14 v14.4.2 // indirect
+	github.com/blevesearch/zapx/v15 v15.4.2 // indirect
+	github.com/blevesearch/zapx/v16 v16.3.0 // indirect
+	github.com/boombuler/barcode v1.1.0 // indirect
+	github.com/cespare/xxhash/v2 v2.3.0 // indirect
+	github.com/clipperhouse/stringish v0.1.1 // indirect
+	github.com/clipperhouse/uax29/v2 v2.4.0 // indirect
+	github.com/cpuguy83/go-md2man/v2 v2.0.7 // indirect
+	github.com/davecgh/go-spew v1.1.1 // indirect
+	github.com/dlclark/regexp2 v1.11.5 // indirect
+	github.com/fxamacker/cbor/v2 v2.9.0 // indirect
+	github.com/glebarez/go-sqlite v1.22.0 // indirect
+	github.com/go-asn1-ber/asn1-ber v1.5.8-0.20250403174932-29230038a667 // indirect
+	github.com/go-chi/chi/v5 v5.2.3 // indirect
+	github.com/go-playground/locales v0.14.1 // indirect
+	github.com/go-playground/universal-translator v0.18.1 // indirect
+	github.com/go-sql-driver/mysql v1.9.3 // indirect
+	github.com/go-viper/mapstructure/v2 v2.4.0 // indirect
+	github.com/go-webauthn/x v0.1.26 // indirect
+	github.com/golang-jwt/jwt/v5 v5.3.0 // indirect
+	github.com/golang/snappy v1.0.0 // indirect
+	github.com/google/go-tpm v0.9.6 // indirect
+	github.com/gorilla/mux v1.8.1 // indirect
+	github.com/jackc/pgpassfile v1.0.0 // indirect
+	github.com/jackc/pgservicefile v0.0.0-20240606120523-5a60cdf6a761 // indirect
+	github.com/jackc/pgx/v5 v5.8.0 // indirect
+	github.com/jackc/puddle/v2 v2.2.2 // indirect
 	github.com/jinzhu/inflection v1.0.0 // indirect
 	github.com/jinzhu/now v1.1.5 // indirect
-	github.com/labstack/gommon v0.4.0 // indirect
-	github.com/leodido/go-urn v1.2.1 // indirect
-	github.com/mattn/go-colorable v0.1.13 // indirect
-	github.com/mattn/go-isatty v0.0.17 // indirect
+	github.com/json-iterator/go v1.1.12 // indirect
+	github.com/kr/text v0.2.0 // indirect
+	github.com/labstack/gommon v0.4.2 // indirect
+	github.com/leodido/go-urn v1.4.0 // indirect
+	github.com/mattn/go-colorable v0.1.14 // indirect
+	github.com/mattn/go-isatty v0.0.20 // indirect
+	github.com/mattn/go-runewidth v0.0.19 // indirect
+	github.com/modern-go/concurrent v0.0.0-20180306012644-bacd9c7ef1dd // indirect
+	github.com/modern-go/reflect2 v1.0.2 // indirect
+	github.com/mschoch/smat v0.2.0 // indirect
+	github.com/munnerz/goautoneg v0.0.0-20191010083416-a7dc8b61c822 // indirect
+	github.com/ncruces/go-strftime v1.0.0 // indirect
+	github.com/pmezard/go-difflib v1.0.0 // indirect
+	github.com/prometheus/client_model v0.6.2 // indirect
+	github.com/prometheus/common v0.67.5 // indirect
+	github.com/prometheus/procfs v0.19.2 // indirect
+	github.com/remyoudompheng/bigfft v0.0.0-20230129092748-24d4a6f8daec // indirect
+	github.com/russross/blackfriday/v2 v2.1.0 // indirect
 	github.com/valyala/bytebufferpool v1.0.0 // indirect
 	github.com/valyala/fasttemplate v1.2.2 // indirect
-	golang.org/x/net v0.7.0 // indirect
-	golang.org/x/oauth2 v0.0.0-20200902213428-5d25da1a8d43 // indirect
-	golang.org/x/sys v0.5.0 // indirect
-	golang.org/x/time v0.2.0 // indirect
-	google.golang.org/appengine v1.6.6 // indirect
-	google.golang.org/protobuf v1.25.0 // indirect
+	github.com/x448/float16 v0.8.4 // indirect
+	github.com/xrash/smetrics v0.0.0-20250705151800-55b8f293f342 // indirect
+	go.etcd.io/bbolt v1.4.3 // indirect
+	go.yaml.in/yaml/v2 v2.4.3 // indirect
+	golang.org/x/exp v0.0.0-20260112195511-716be5621a96 // indirect
+	golang.org/x/net v0.49.0 // indirect
+	golang.org/x/oauth2 v0.34.0 // indirect
+	golang.org/x/sync v0.19.0 // indirect
+	golang.org/x/sys v0.40.0 // indirect
+	golang.org/x/time v0.14.0 // indirect
+	google.golang.org/protobuf v1.36.11 // indirect
+	modernc.org/libc v1.67.7 // indirect
+	modernc.org/mathutil v1.7.1 // indirect
+	modernc.org/memory v1.11.0 // indirect
+	modernc.org/sqlite v1.44.3 // indirect
 )

go.sum

@@ -1,498 +1,345 @@
-cloud.google.com/go v0.26.0/go.mod h1:aQUYkXzVsufM+DwF1aE+0xfcU+56JwCaLick0ClmMTw=
-cloud.google.com/go v0.34.0/go.mod h1:aQUYkXzVsufM+DwF1aE+0xfcU+56JwCaLick0ClmMTw=
-cloud.google.com/go v0.38.0/go.mod h1:990N+gfupTy94rShfmMCWGDn0LpTmnzTp2qbd1dvSRU=
-cloud.google.com/go v0.44.1/go.mod h1:iSa0KzasP4Uvy3f1mN/7PiObzGgflwredwwASm/v6AU=
-cloud.google.com/go v0.44.2/go.mod h1:60680Gw3Yr4ikxnPRS/oxxkBccT6SA1yMk63TGekxKY=
-cloud.google.com/go v0.45.1/go.mod h1:RpBamKRgapWJb87xiFSdk4g1CME7QZg3uwTez+TSTjc=
-cloud.google.com/go v0.46.3/go.mod h1:a6bKKbmY7er1mI7TEI4lsAkts/mkhTSZK8w33B4RAg0=
-cloud.google.com/go v0.50.0/go.mod h1:r9sluTvynVuxRIOHXQEHMFffphuXHOMZMycpNR5e6To=
-cloud.google.com/go v0.52.0/go.mod h1:pXajvRH/6o3+F9jDHZWQ5PbGhn+o8w9qiu/CffaVdO4=
-cloud.google.com/go v0.53.0/go.mod h1:fp/UouUEsRkN6ryDKNW/Upv/JBKnv6WDthjR6+vze6M=
-cloud.google.com/go v0.54.0/go.mod h1:1rq2OEkV3YMf6n/9ZvGWI3GWw0VoqH/1x2nd8Is/bPc=
-cloud.google.com/go v0.56.0/go.mod h1:jr7tqZxxKOVYizybht9+26Z/gUq7tiRzu+ACVAMbKVk=
-cloud.google.com/go v0.57.0/go.mod h1:oXiQ6Rzq3RAkkY7N6t3TcE6jE+CIBBbA36lwQ1JyzZs=
-cloud.google.com/go v0.62.0/go.mod h1:jmCYTdRCQuc1PHIIJ/maLInMho30T/Y0M4hTdTShOYc=
-cloud.google.com/go v0.65.0/go.mod h1:O5N8zS7uWy9vkA9vayVHs65eM1ubvY4h553ofrNHObY=
-cloud.google.com/go v0.67.0/go.mod h1:YNan/mUhNZFrYUor0vqrsQ0Ffl7Xtm/ACOy/vsTS858=
-cloud.google.com/go/bigquery v1.0.1/go.mod h1:i/xbL2UlR5RvWAURpBYZTtm/cXjCha9lbfbpx4poX+o=
-cloud.google.com/go/bigquery v1.3.0/go.mod h1:PjpwJnslEMmckchkHFfq+HTD2DmtT67aNFKH1/VBDHE=
-cloud.google.com/go/bigquery v1.4.0/go.mod h1:S8dzgnTigyfTmLBfrtrhyYhwRxG72rYxvftPBK2Dvzc=
-cloud.google.com/go/bigquery v1.5.0/go.mod h1:snEHRnqQbz117VIFhE8bmtwIDY80NLUZUMb4Nv6dBIg=
-cloud.google.com/go/bigquery v1.7.0/go.mod h1://okPTzCYNXSlb24MZs83e2Do+h+VXtc4gLoIoXIAPc=
-cloud.google.com/go/bigquery v1.8.0/go.mod h1:J5hqkt3O0uAFnINi6JXValWIb1v0goeZM77hZzJN/fQ=
-cloud.google.com/go/datastore v1.0.0/go.mod h1:LXYbyblFSglQ5pkeyhO+Qmw7ukd3C+pD7TKLgZqpHYE=
-cloud.google.com/go/datastore v1.1.0/go.mod h1:umbIZjpQpHh4hmRpGhH4tLFup+FVzqBi1b3c64qFpCk=
-cloud.google.com/go/pubsub v1.0.1/go.mod h1:R0Gpsv3s54REJCy4fxDixWD93lHJMoZTyQ2kNxGRt3I=
-cloud.google.com/go/pubsub v1.1.0/go.mod h1:EwwdRX2sKPjnvnqCa270oGRyludottCI76h+R3AArQw=
-cloud.google.com/go/pubsub v1.2.0/go.mod h1:jhfEVHT8odbXTkndysNHCcx0awwzvfOlguIAii9o8iA=
-cloud.google.com/go/pubsub v1.3.1/go.mod h1:i+ucay31+CNRpDW4Lu78I4xXG+O1r/MAHgjpRVR+TSU=
-cloud.google.com/go/storage v1.0.0/go.mod h1:IhtSnM/ZTZV8YYJWCY8RULGVqBDmpoyjwiyrjsg+URw=
-cloud.google.com/go/storage v1.5.0/go.mod h1:tpKbwo567HUNpVclU5sGELwQWBDZ8gh0ZeosJ0Rtdos=
-cloud.google.com/go/storage v1.6.0/go.mod h1:N7U0C8pVQ/+NIKOBQyamJIeKQKkZ+mxpohlUTyfDhBk=
-cloud.google.com/go/storage v1.8.0/go.mod h1:Wv1Oy7z6Yz3DshWRJFhqM/UCfaWIRTdp0RXyy7KQOVs=
-cloud.google.com/go/storage v1.10.0/go.mod h1:FLPqc6j+Ki4BU591ie1oL6qBQGu2Bl/tZ9ullr3+Kg0=
-dmitri.shuralyov.com/gpu/mtl v0.0.0-20190408044501-666a987793e9/go.mod h1:H6x//7gZCb22OMCxBHrMx7a5I7Hp++hsVxbQ4BYO7hU=
-github.com/BurntSushi/toml v0.3.1/go.mod h1:xHWCNGjB5oqiDr8zfno3MHue2Ht5sIBksp03qcyfWMU=
-github.com/BurntSushi/xgb v0.0.0-20160522181843-27f122750802/go.mod h1:IVnqGOEym/WlBOVXweHU+Q+/VP0lqqI8lqeDx9IjBqo=
-github.com/census-instrumentation/opencensus-proto v0.2.1/go.mod h1:f6KPmirojxKA12rnyqOA5BBL4O983OfeGPqjHWSTneU=
-github.com/chzyer/logex v1.1.10/go.mod h1:+Ywpsq7O8HXn0nuIou7OrIPyXbp3wmkHB+jjWRnGsAI=
-github.com/chzyer/readline v0.0.0-20180603132655-2972be24d48e/go.mod h1:nSuG5e5PlCu98SY8svDHJxuZscDgtXS6KTTbou5AhLI=
-github.com/chzyer/test v0.0.0-20180213035817-a1ea475d72b1/go.mod h1:Q3SI9o4m/ZMnBNeIyt5eFwwo7qiLfzFZmjNmxjkiQlU=
-github.com/client9/misspell v0.3.4/go.mod h1:qj6jICC3Q7zFZvVWo7KLAzC3yx5G7kyvSDkc90ppPyw=
-github.com/cncf/udpa/go v0.0.0-20191209042840-269d4d468f6f/go.mod h1:M8M6+tZqaGXZJjfX53e64911xZQV5JYwmTeXPW+k8Sc=
-github.com/coreos/go-systemd/v22 v22.3.3-0.20220203105225-a9a7ef127534/go.mod h1:Y58oyj3AT4RCenI/lSvhwexgC+NSVTIJ3seZv2GcEnc=
+filippo.io/edwards25519 v1.1.0 h1:FNf4tywRC1HmFuKW5xopWpigGjJKiJSV0Cqo0cJWDaA=
+filippo.io/edwards25519 v1.1.0/go.mod h1:BxyFTGdWcka3PhytdK4V28tE5sGfRvvvRV7EaN4VDT4=
+github.com/Azure/go-ntlmssp v0.1.0 h1:DjFo6YtWzNqNvQdrwEyr/e4nhU3vRiwenz5QX7sFz+A=
+github.com/Azure/go-ntlmssp v0.1.0/go.mod h1:NYqdhxd/8aAct/s4qSYZEerdPuH1liG2/X9DiVTbhpk=
+github.com/Kunde21/markdownfmt/v3 v3.1.0 h1:KiZu9LKs+wFFBQKhrZJrFZwtLnCCWJahL+S+E/3VnM0=
+github.com/Kunde21/markdownfmt/v3 v3.1.0/go.mod h1:tPXN1RTyOzJwhfHoon9wUr4HGYmWgVxSQN6VBJDkrVc=
+github.com/RoaringBitmap/roaring/v2 v2.14.4 h1:4aKySrrg9G/5oRtJ3TrZLObVqxgQ9f1znCRBwEwjuVw=
+github.com/RoaringBitmap/roaring/v2 v2.14.4/go.mod h1:oMvV6omPWr+2ifRdeZvVJyaz+aoEUopyv5iH0u/+wbY=
+github.com/alecthomas/assert/v2 v2.11.0 h1:2Q9r3ki8+JYXvGsDyBXwH3LcJ+WK5D0gc5E8vS6K3D0=
+github.com/alecthomas/assert/v2 v2.11.0/go.mod h1:Bze95FyfUr7x34QZrjL+XP+0qgp/zg8yS+TtBj1WA3k=
+github.com/alecthomas/chroma/v2 v2.2.0/go.mod h1:vf4zrexSH54oEjJ7EdB65tGNHmH3pGZmVkgTP5RHvAs=
+github.com/alecthomas/chroma/v2 v2.23.1 h1:nv2AVZdTyClGbVQkIzlDm/rnhk1E9bU9nXwmZ/Vk/iY=
+github.com/alecthomas/chroma/v2 v2.23.1/go.mod h1:NqVhfBR0lte5Ouh3DcthuUCTUpDC9cxBOfyMbMQPs3o=
+github.com/alecthomas/repr v0.0.0-20220113201626-b1b626ac65ae/go.mod h1:2kn6fqh/zIyPLmm3ugklbEi5hg5wS435eygvNfaDQL8=
+github.com/alecthomas/repr v0.5.2 h1:SU73FTI9D1P5UNtvseffFSGmdNci/O6RsqzeXJtP0Qs=
+github.com/alecthomas/repr v0.5.2/go.mod h1:Fr0507jx4eOXV7AlPV6AVZLYrLIuIeSOWtW57eE/O/4=
+github.com/alexbrainman/sspi v0.0.0-20250919150558-7d374ff0d59e h1:4dAU9FXIyQktpoUAgOJK3OTFc/xug0PCXYCqU0FgDKI=
+github.com/alexbrainman/sspi v0.0.0-20250919150558-7d374ff0d59e/go.mod h1:cEWa1LVoE5KvSD9ONXsZrj0z6KqySlCCNKHlLzbqAt4=
+github.com/andybalholm/brotli v1.2.0 h1:ukwgCxwYrmACq68yiUqwIWnGY0cTPox/M94sVwToPjQ=
+github.com/andybalholm/brotli v1.2.0/go.mod h1:rzTDkvFWvIrjDXZHkuS16NPggd91W3kUSvPlQ1pLaKY=
+github.com/beorn7/perks v1.0.1 h1:VlbKKnNfV8bJzeqoa4cOKqO6bYr3WgKZxO8Z16+hsOM=
+github.com/beorn7/perks v1.0.1/go.mod h1:G2ZrVWU2WbWT9wwq4/hrbKbnv/1ERSJQ0ibhJ6rlkpw=
+github.com/bits-and-blooms/bitset v1.24.4 h1:95H15Og1clikBrKr/DuzMXkQzECs1M6hhoGXLwLQOZE=
+github.com/bits-and-blooms/bitset v1.24.4/go.mod h1:7hO7Gc7Pp1vODcmWvKMRA9BNmbv6a/7QIWpPxHddWR8=
+github.com/blevesearch/bleve/v2 v2.5.7 h1:2d9YrL5zrX5EBBW++GOaEKjE+NPWeZGaX77IM26m1Z8=
+github.com/blevesearch/bleve/v2 v2.5.7/go.mod h1:yj0NlS7ocGC4VOSAedqDDMktdh2935v2CSWOCDMHdSA=
+github.com/blevesearch/bleve_index_api v1.3.1 h1:LdH3CQgBbIZ5UI/5Pykz87e0jfeQtVnrdZ2WUBrHHwU=
+github.com/blevesearch/bleve_index_api v1.3.1/go.mod h1:xvd48t5XMeeioWQ5/jZvgLrV98flT2rdvEJ3l/ki4Ko=
+github.com/blevesearch/geo v0.2.4 h1:ECIGQhw+QALCZaDcogRTNSJYQXRtC8/m8IKiA706cqk=
+github.com/blevesearch/geo v0.2.4/go.mod h1:K56Q33AzXt2YExVHGObtmRSFYZKYGv0JEN5mdacJJR8=
+github.com/blevesearch/go-faiss v1.0.27 h1:7cBImYDDQ82WJd5RUZ1ie6zXztCsC73W94ZzwOjkatk=
+github.com/blevesearch/go-faiss v1.0.27/go.mod h1:OMGQwOaRRYxrmeNdMrXJPvVx8gBnvE5RYrr0BahNnkk=
+github.com/blevesearch/go-porterstemmer v1.0.3 h1:GtmsqID0aZdCSNiY8SkuPJ12pD4jI+DdXTAn4YRcHCo=
+github.com/blevesearch/go-porterstemmer v1.0.3/go.mod h1:angGc5Ht+k2xhJdZi511LtmxuEf0OVpvUUNrwmM1P7M=
+github.com/blevesearch/gtreap v0.1.1 h1:2JWigFrzDMR+42WGIN/V2p0cUvn4UP3C4Q5nmaZGW8Y=
+github.com/blevesearch/gtreap v0.1.1/go.mod h1:QaQyDRAT51sotthUWAH4Sj08awFSSWzgYICSZ3w0tYk=
+github.com/blevesearch/mmap-go v1.2.0 h1:l33nNKPFcBjJUMwem6sAYJPUzhUCABoK9FxZDGiFNBI=
+github.com/blevesearch/mmap-go v1.2.0/go.mod h1:Vd6+20GBhEdwJnU1Xohgt88XCD/CTWcqbCNxkZpyBo0=
+github.com/blevesearch/scorch_segment_api/v2 v2.4.1 h1:os52/JeCSLZ0YUkOuLk/Z7pu0SKUMofDPUg+VnbrRD0=
+github.com/blevesearch/scorch_segment_api/v2 v2.4.1/go.mod h1:zvilBm4BNfbnTRLW7KgCTNgk2R31JaWzwRc2BEcD7Is=
+github.com/blevesearch/segment v0.9.1 h1:+dThDy+Lvgj5JMxhmOVlgFfkUtZV2kw49xax4+jTfSU=
+github.com/blevesearch/segment v0.9.1/go.mod h1:zN21iLm7+GnBHWTao9I+Au/7MBiL8pPFtJBJTsk6kQw=
+github.com/blevesearch/snowballstem v0.9.0 h1:lMQ189YspGP6sXvZQ4WZ+MLawfV8wOmPoD/iWeNXm8s=
+github.com/blevesearch/snowballstem v0.9.0/go.mod h1:PivSj3JMc8WuaFkTSRDW2SlrulNWPl4ABg1tC/hlgLs=
+github.com/blevesearch/upsidedown_store_api v1.0.2 h1:U53Q6YoWEARVLd1OYNc9kvhBMGZzVrdmaozG2MfoB+A=
+github.com/blevesearch/upsidedown_store_api v1.0.2/go.mod h1:M01mh3Gpfy56Ps/UXHjEO/knbqyQ1Oamg8If49gRwrQ=
+github.com/blevesearch/vellum v1.2.0 h1:xkDiOEsHc2t3Cp0NsNZZ36pvc130sCzcGKOPMzXe+e0=
+github.com/blevesearch/vellum v1.2.0/go.mod h1:uEcfBJz7mAOf0Kvq6qoEKQQkLODBF46SINYNkZNae4k=
+github.com/blevesearch/zapx/v11 v11.4.2 h1:l46SV+b0gFN+Rw3wUI1YdMWdSAVhskYuvxlcgpQFljs=
+github.com/blevesearch/zapx/v11 v11.4.2/go.mod h1:4gdeyy9oGa/lLa6D34R9daXNUvfMPZqUYjPwiLmekwc=
+github.com/blevesearch/zapx/v12 v12.4.2 h1:fzRbhllQmEMUuAQ7zBuMvKRlcPA5ESTgWlDEoB9uQNE=
+github.com/blevesearch/zapx/v12 v12.4.2/go.mod h1:TdFmr7afSz1hFh/SIBCCZvcLfzYvievIH6aEISCte58=
+github.com/blevesearch/zapx/v13 v13.4.2 h1:46PIZCO/ZuKZYgxI8Y7lOJqX3Irkc3N8W82QTK3MVks=
+github.com/blevesearch/zapx/v13 v13.4.2/go.mod h1:knK8z2NdQHlb5ot/uj8wuvOq5PhDGjNYQQy0QDnopZk=
+github.com/blevesearch/zapx/v14 v14.4.2 h1:2SGHakVKd+TrtEqpfeq8X+So5PShQ5nW6GNxT7fWYz0=
+github.com/blevesearch/zapx/v14 v14.4.2/go.mod h1:rz0XNb/OZSMjNorufDGSpFpjoFKhXmppH9Hi7a877D8=
+github.com/blevesearch/zapx/v15 v15.4.2 h1:sWxpDE0QQOTjyxYbAVjt3+0ieu8NCE0fDRaFxEsp31k=
+github.com/blevesearch/zapx/v15 v15.4.2/go.mod h1:1pssev/59FsuWcgSnTa0OeEpOzmhtmr/0/11H0Z8+Nw=
+github.com/blevesearch/zapx/v16 v16.3.0 h1:hF6VlN15E9CB40RMPyqOIhlDw1OOo9RItumhKMQktxw=
+github.com/blevesearch/zapx/v16 v16.3.0/go.mod h1:zCFjv7McXWm1C8rROL+3mUoD5WYe2RKsZP3ufqcYpLY=
+github.com/boombuler/barcode v1.0.1-0.20190219062509-6c824513bacc/go.mod h1:paBWMcWSl3LHKBqUq+rly7CNSldXjb2rDl3JlRe0mD8=
+github.com/boombuler/barcode v1.1.0 h1:ChaYjBR63fr4LFyGn8E8nt7dBSt3MiU3zMOZqFvVkHo=
+github.com/boombuler/barcode v1.1.0/go.mod h1:paBWMcWSl3LHKBqUq+rly7CNSldXjb2rDl3JlRe0mD8=
+github.com/cespare/xxhash/v2 v2.3.0 h1:UL815xU9SqsFlibzuggzjXhog7bL6oX9BbNZnL2UFvs=
+github.com/cespare/xxhash/v2 v2.3.0/go.mod h1:VGX0DQ3Q6kWi7AoAeZDth3/j3BFtOZR5XLFGgcrjCOs=
+github.com/chromedp/cdproto v0.0.0-20250803210736-d308e07a266d h1:ZtA1sedVbEW7EW80Iz2GR3Ye6PwbJAJXjv7D74xG6HU=
+github.com/chromedp/cdproto v0.0.0-20250803210736-d308e07a266d/go.mod h1:NItd7aLkcfOA/dcMXvl8p1u+lQqioRMq/SqDp71Pb/k=
+github.com/chromedp/chromedp v0.14.0 h1:/xE5m6wEBwivhalHwlCOyYfBcAJNwg4nLw96QiCfYr0=
+github.com/chromedp/chromedp v0.14.0/go.mod h1:rHzAv60xDE7VNy/MYtTUrYreSc0ujt2O1/C3bzctYBo=
+github.com/chromedp/sysutil v1.1.0 h1:PUFNv5EcprjqXZD9nJb9b/c9ibAbxiYo4exNWZyipwM=
+github.com/chromedp/sysutil v1.1.0/go.mod h1:WiThHUdltqCNKGc4gaU50XgYjwjYIhKWoHGPTUfWTJ8=
+github.com/clipperhouse/stringish v0.1.1 h1:+NSqMOr3GR6k1FdRhhnXrLfztGzuG+VuFDfatpWHKCs=
+github.com/clipperhouse/stringish v0.1.1/go.mod h1:v/WhFtE1q0ovMta2+m+UbpZ+2/HEXNWYXQgCt4hdOzA=
+github.com/clipperhouse/uax29/v2 v2.4.0 h1:RXqE/l5EiAbA4u97giimKNlmpvkmz+GrBVTelsoXy9g=
+github.com/clipperhouse/uax29/v2 v2.4.0/go.mod h1:Wn1g7MK6OoeDT0vL+Q0SQLDz/KpfsVRgg6W7ihQeh4g=
+github.com/coreos/go-systemd/v22 v22.5.0/go.mod h1:Y58oyj3AT4RCenI/lSvhwexgC+NSVTIJ3seZv2GcEnc=
+github.com/cpuguy83/go-md2man/v2 v2.0.7 h1:zbFlGlXEAKlwXpmvle3d8Oe3YnkKIK4xSRTd3sHPnBo=
+github.com/cpuguy83/go-md2man/v2 v2.0.7/go.mod h1:oOW0eioCTA6cOiMLiUPZOpcVxMig6NIQQ7OS05n1F4g=
 github.com/creack/pty v1.1.9/go.mod h1:oKZEueFk5CKHvIhNR5MUki03XCEU+Q6VDXinZuGJ33E=
 github.com/davecgh/go-spew v1.1.0/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
 github.com/davecgh/go-spew v1.1.1 h1:vj9j/u1bqnvCEfJOwUhtlOARqs3+rkHYY13jYWTU97c=
 github.com/davecgh/go-spew v1.1.1/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
-github.com/decred/dcrd/crypto/blake256 v1.0.0/go.mod h1:sQl2p6Y26YV+ZOcSTP6thNdn47hh8kt6rqSlvmrXFAc=
-github.com/decred/dcrd/dcrec/secp256k1/v4 v4.0.0-20210816181553-5444fa50b93d/go.mod h1:tmAIfUFEirG/Y8jhZ9M+h36obRZAk/1fcSpXwAVlfqE=
-github.com/envoyproxy/go-control-plane v0.9.0/go.mod h1:YTl/9mNaCwkRvm6d1a2C3ymFceY/DCBVvsKhRF0iEA4=
-github.com/envoyproxy/go-control-plane v0.9.1-0.20191026205805-5f8ba28d4473/go.mod h1:YTl/9mNaCwkRvm6d1a2C3ymFceY/DCBVvsKhRF0iEA4=
-github.com/envoyproxy/go-control-plane v0.9.4/go.mod h1:6rpuAdCZL397s3pYoYcLgu1mIlRU8Am5FuJP05cCM98=
-github.com/envoyproxy/protoc-gen-validate v0.1.0/go.mod h1:iSmxcyjqTsJpI2R4NaDN7+kN2VEUnK/pcBlmesArF7c=
-github.com/go-gl/glfw v0.0.0-20190409004039-e6da0acd62b1/go.mod h1:vR7hzQXu2zJy9AVAgeJqvqgH9Q5CA+iKCZ2gyEVpxRU=
-github.com/go-gl/glfw/v3.3/glfw v0.0.0-20191125211704-12ad95a8df72/go.mod h1:tQ2UAYgL5IevRw8kRxooKSPJfGvJ9fJQFa0TUsXzTg8=
-github.com/go-gl/glfw/v3.3/glfw v0.0.0-20200222043503-6f7a984d4dc4/go.mod h1:tQ2UAYgL5IevRw8kRxooKSPJfGvJ9fJQFa0TUsXzTg8=
-github.com/go-playground/assert/v2 v2.0.1 h1:MsBgLAaY856+nPRTKrp3/OZK38U/wa0CcBYNjji3q3A=
-github.com/go-playground/assert/v2 v2.0.1/go.mod h1:VDjEfimB/XKnb+ZQfWdccd7VUvScMdVu0Titje2rxJ4=
-github.com/go-playground/locales v0.14.0 h1:u50s323jtVGugKlcYeyzC0etD1HifMjqmJqb8WugfUU=
-github.com/go-playground/locales v0.14.0/go.mod h1:sawfccIbzZTqEDETgFXqTho0QybSa7l++s0DH+LDiLs=
-github.com/go-playground/universal-translator v0.18.0 h1:82dyy6p4OuJq4/CByFNOn/jYrnRPArHwAcmLoJZxyho=
-github.com/go-playground/universal-translator v0.18.0/go.mod h1:UvRDBj+xPUEGrFYl+lu/H90nyDXpg0fqeB/AQUGNTVA=
-github.com/go-playground/validator/v10 v10.11.0 h1:0W+xRM511GY47Yy3bZUbJVitCNg2BOGlCyvTqsp/xIw=
-github.com/go-playground/validator/v10 v10.11.0/go.mod h1:i+3WkQ1FvaUjjxh1kSvIA4dMGDBiPU55YFDl0WbKdWU=
-github.com/goccy/go-json v0.9.6/go.mod h1:6MelG93GURQebXPDq3khkgXZkazVtN9CRI+MGFi0w8I=
+github.com/dlclark/regexp2 v1.4.0/go.mod h1:2pZnwuY/m+8K6iRw6wQdMtk+rH5tNGR1i55kozfMjCc=
+github.com/dlclark/regexp2 v1.7.0/go.mod h1:DHkYz0B9wPfa6wondMfaivmHpzrQ3v9q8cnmRbL6yW8=
+github.com/dlclark/regexp2 v1.11.5 h1:Q/sSnsKerHeCkc/jSTNq1oCm7KiVgUMZRDUoRu0JQZQ=
+github.com/dlclark/regexp2 v1.11.5/go.mod h1:DHkYz0B9wPfa6wondMfaivmHpzrQ3v9q8cnmRbL6yW8=
+github.com/dustin/go-humanize v1.0.1 h1:GzkhY7T5VNhEkwH0PVJgjz+fX1rhBrR7pRT3mDkpeCY=
+github.com/dustin/go-humanize v1.0.1/go.mod h1:Mu1zIs6XwVuF/gI1OepvI0qD18qycQx+mFykh5fBlto=
+github.com/fxamacker/cbor/v2 v2.9.0 h1:NpKPmjDBgUfBms6tr6JZkTHtfFGcMKsw3eGcmD/sapM=
+github.com/fxamacker/cbor/v2 v2.9.0/go.mod h1:vM4b+DJCtHn+zz7h3FFp/hDAI9WNWCsZj23V5ytsSxQ=
+github.com/gabriel-vasile/mimetype v1.4.12 h1:e9hWvmLYvtp846tLHam2o++qitpguFiYCKbn0w9jyqw=
+github.com/gabriel-vasile/mimetype v1.4.12/go.mod h1:d+9Oxyo1wTzWdyVUPMmXFvp4F9tea18J8ufA774AB3s=
+github.com/glebarez/go-sqlite v1.22.0 h1:uAcMJhaA6r3LHMTFgP0SifzgXg46yJkgxqyuyec+ruQ=
+github.com/glebarez/go-sqlite v1.22.0/go.mod h1:PlBIdHe0+aUEFn+r2/uthrWq4FxbzugL0L8Li6yQJbc=
+github.com/glebarez/sqlite v1.11.0 h1:wSG0irqzP6VurnMEpFGer5Li19RpIRi2qvQz++w0GMw=
+github.com/glebarez/sqlite v1.11.0/go.mod h1:h8/o8j5wiAsqSPoWELDUdJXhjAhsVliSn7bWZjOhrgQ=
+github.com/go-asn1-ber/asn1-ber v1.5.8-0.20250403174932-29230038a667 h1:BP4M0CvQ4S3TGls2FvczZtj5Re/2ZzkV9VwqPHH/3Bo=
+github.com/go-asn1-ber/asn1-ber v1.5.8-0.20250403174932-29230038a667/go.mod h1:hEBeB/ic+5LoWskz+yKT7vGhhPYkProFKoKdwZRWMe0=
+github.com/go-chi/chi/v5 v5.2.3 h1:WQIt9uxdsAbgIYgid+BpYc+liqQZGMHRaUwp0JUcvdE=
+github.com/go-chi/chi/v5 v5.2.3/go.mod h1:L2yAIGWB3H+phAw1NxKwWM+7eUH/lU8pOMm5hHcoops=
+github.com/go-json-experiment/json v0.0.0-20250725192818-e39067aee2d2 h1:iizUGZ9pEquQS5jTGkh4AqeeHCMbfbjeb0zMt0aEFzs=
+github.com/go-json-experiment/json v0.0.0-20250725192818-e39067aee2d2/go.mod h1:TiCD2a1pcmjd7YnhGH0f/zKNcCD06B029pHhzV23c2M=
+github.com/go-ldap/ldap/v3 v3.4.12 h1:1b81mv7MagXZ7+1r7cLTWmyuTqVqdwbtJSjC0DAp9s4=
+github.com/go-ldap/ldap/v3 v3.4.12/go.mod h1:+SPAGcTtOfmGsCb3h1RFiq4xpp4N636G75OEace8lNo=
+github.com/go-playground/assert/v2 v2.2.0 h1:JvknZsQTYeFEAhQwI4qEt9cyV5ONwRHC+lYKSsYSR8s=
+github.com/go-playground/assert/v2 v2.2.0/go.mod h1:VDjEfimB/XKnb+ZQfWdccd7VUvScMdVu0Titje2rxJ4=
+github.com/go-playground/locales v0.14.1 h1:EWaQ/wswjilfKLTECiXz7Rh+3BjFhfDFKv/oXslEjJA=
+github.com/go-playground/locales v0.14.1/go.mod h1:hxrqLVvrK65+Rwrd5Fc6F2O76J/NuW9t0sjnWqG1slY=
+github.com/go-playground/universal-translator v0.18.1 h1:Bcnm0ZwsGyWbCzImXv+pAJnYK9S473LQFuzCbDbfSFY=
+github.com/go-playground/universal-translator v0.18.1/go.mod h1:xekY+UJKNuX9WP91TpwSH2VMlDf28Uj24BCp08ZFTUY=
+github.com/go-playground/validator/v10 v10.30.1 h1:f3zDSN/zOma+w6+1Wswgd9fLkdwy06ntQJp0BBvFG0w=
+github.com/go-playground/validator/v10 v10.30.1/go.mod h1:oSuBIQzuJxL//3MelwSLD5hc2Tu889bF0Idm9Dg26cM=
+github.com/go-sql-driver/mysql v1.9.3 h1:U/N249h2WzJ3Ukj8SowVFjdtZKfu9vlLZxjPXV1aweo=
+github.com/go-sql-driver/mysql v1.9.3/go.mod h1:qn46aNg1333BRMNU69Lq93t8du/dwxI64Gl8i5p1WMU=
+github.com/go-viper/mapstructure/v2 v2.4.0 h1:EBsztssimR/CONLSZZ04E8qAkxNYq4Qp9LvH92wZUgs=
+github.com/go-viper/mapstructure/v2 v2.4.0/go.mod h1:oJDH3BJKyqBA2TXFhDsKDGDTlndYOZ6rGS0BRZIxGhM=
+github.com/go-webauthn/webauthn v0.15.0 h1:LR1vPv62E0/6+sTenX35QrCmpMCzLeVAcnXeH4MrbJY=
+github.com/go-webauthn/webauthn v0.15.0/go.mod h1:hcAOhVChPRG7oqG7Xj6XKN1mb+8eXTGP/B7zBLzkX5A=
+github.com/go-webauthn/x v0.1.26 h1:eNzreFKnwNLDFoywGh9FA8YOMebBWTUNlNSdolQRebs=
+github.com/go-webauthn/x v0.1.26/go.mod h1:jmf/phPV6oIsF6hmdVre+ovHkxjDOmNH0t6fekWUxvg=
+github.com/gobwas/httphead v0.1.0 h1:exrUm0f4YX0L7EBwZHuCF4GDp8aJfVeBrlLQrs6NqWU=
+github.com/gobwas/httphead v0.1.0/go.mod h1:O/RXo79gxV8G+RqlR/otEwx4Q36zl9rqC5u12GKvMCM=
+github.com/gobwas/pool v0.2.1 h1:xfeeEhW7pwmX8nuLVlqbzVc7udMDrwetjEv+TZIz1og=
+github.com/gobwas/pool v0.2.1/go.mod h1:q8bcK0KcYlCgd9e7WYLm9LpyS+YeLd8JVDW6WezmKEw=
+github.com/gobwas/ws v1.4.0 h1:CTaoG1tojrh4ucGPcoJFiAQUAsEWekEWvLy7GsVNqGs=
+github.com/gobwas/ws v1.4.0/go.mod h1:G3gNqMNtPppf5XUz7O4shetPpcZ1VJ7zt18dlUeakrc=
 github.com/godbus/dbus/v5 v5.0.4/go.mod h1:xhWf0FNVPg57R7Z0UbKHbJfkEywrmjJnf7w5xrFpKfA=
-github.com/golang-jwt/jwt v3.2.2+incompatible h1:IfV12K8xAKAnZqdXVzCZ+TOjboZ2keLg81eXfW3O+oY=
-github.com/golang-jwt/jwt v3.2.2+incompatible/go.mod h1:8pz2t5EyA70fFQQSrl6XZXzqecmYZeUEB8OUGHkxJ+I=
-github.com/golang-jwt/jwt/v4 v4.2.0/go.mod h1:/xlHOz8bRuivTWchD4jCa+NbatV+wEUSzwAxVc6locg=
-github.com/golang/glog v0.0.0-20160126235308-23def4e6c14b/go.mod h1:SBH7ygxi8pfUlaOkMMuAQtPIUF8ecWP5IEl/CR7VP2Q=
-github.com/golang/groupcache v0.0.0-20190702054246-869f871628b6/go.mod h1:cIg4eruTrX1D+g88fzRXU5OdNfaM+9IcxsU14FzY7Hc=
-github.com/golang/groupcache v0.0.0-20191227052852-215e87163ea7/go.mod h1:cIg4eruTrX1D+g88fzRXU5OdNfaM+9IcxsU14FzY7Hc=
-github.com/golang/groupcache v0.0.0-20200121045136-8c9f03a8e57e/go.mod h1:cIg4eruTrX1D+g88fzRXU5OdNfaM+9IcxsU14FzY7Hc=
-github.com/golang/mock v1.1.1/go.mod h1:oTYuIxOrZwtPieC+H1uAHpcLFnEyAGVDL/k47Jfbm0A=
-github.com/golang/mock v1.2.0/go.mod h1:oTYuIxOrZwtPieC+H1uAHpcLFnEyAGVDL/k47Jfbm0A=
-github.com/golang/mock v1.3.1/go.mod h1:sBzyDLLjw3U8JLTeZvSv8jJB+tU5PVekmnlKIyFUx0Y=
-github.com/golang/mock v1.4.0/go.mod h1:UOMv5ysSaYNkG+OFQykRIcU/QvvxJf3p21QfJ2Bt3cw=
-github.com/golang/mock v1.4.1/go.mod h1:UOMv5ysSaYNkG+OFQykRIcU/QvvxJf3p21QfJ2Bt3cw=
-github.com/golang/mock v1.4.3/go.mod h1:UOMv5ysSaYNkG+OFQykRIcU/QvvxJf3p21QfJ2Bt3cw=
-github.com/golang/mock v1.4.4/go.mod h1:l3mdAwkq5BuhzHwde/uurv3sEJeZMXNpwsxVWU71h+4=
-github.com/golang/protobuf v1.2.0/go.mod h1:6lQm79b+lXiMfvg/cZm0SGofjICqVBUtrP5yJMmIC1U=
-github.com/golang/protobuf v1.3.1/go.mod h1:6lQm79b+lXiMfvg/cZm0SGofjICqVBUtrP5yJMmIC1U=
-github.com/golang/protobuf v1.3.2/go.mod h1:6lQm79b+lXiMfvg/cZm0SGofjICqVBUtrP5yJMmIC1U=
-github.com/golang/protobuf v1.3.3/go.mod h1:vzj43D7+SQXF/4pzW/hwtAqwc6iTitCiVSaWz5lYuqw=
-github.com/golang/protobuf v1.3.4/go.mod h1:vzj43D7+SQXF/4pzW/hwtAqwc6iTitCiVSaWz5lYuqw=
-github.com/golang/protobuf v1.3.5/go.mod h1:6O5/vntMXwX2lRkT1hjjk0nAC1IDOTvTlVgjlRvqsdk=
-github.com/golang/protobuf v1.4.0-rc.1/go.mod h1:ceaxUfeHdC40wWswd/P6IGgMaK3YpKi5j83Wpe3EHw8=
-github.com/golang/protobuf v1.4.0-rc.1.0.20200221234624-67d41d38c208/go.mod h1:xKAWHe0F5eneWXFV3EuXVDTCmh+JuBKY0li0aMyXATA=
-github.com/golang/protobuf v1.4.0-rc.2/go.mod h1:LlEzMj4AhA7rCAGe4KMBDvJI+AwstrUpVNzEA03Pprs=
-github.com/golang/protobuf v1.4.0-rc.4.0.20200313231945-b860323f09d0/go.mod h1:WU3c8KckQ9AFe+yFwt9sWVRKCVIyN9cPHBJSNnbL67w=
-github.com/golang/protobuf v1.4.0/go.mod h1:jodUvKwWbYaEsadDk5Fwe5c77LiNKVO9IDvqG2KuDX0=
-github.com/golang/protobuf v1.4.1/go.mod h1:U8fpvMrcmy5pZrNK1lt4xCsGvpyWQ/VVv6QDs8UjoX8=
-github.com/golang/protobuf v1.4.2 h1:+Z5KGCizgyZCbGh1KZqA0fcLLkwbsjIzS4aV2v7wJX0=
-github.com/golang/protobuf v1.4.2/go.mod h1:oDoupMAO8OvCJWAcko0GGGIgR6R6ocIYbsSw735rRwI=
-github.com/google/btree v0.0.0-20180813153112-4030bb1f1f0c/go.mod h1:lNA+9X1NB3Zf8V7Ke586lFgjr2dZNuvo3lPJSGZ5JPQ=
-github.com/google/btree v1.0.0/go.mod h1:lNA+9X1NB3Zf8V7Ke586lFgjr2dZNuvo3lPJSGZ5JPQ=
-github.com/google/go-cmp v0.2.0/go.mod h1:oXzfMopK8JAjlY9xF4vHSVASa0yLyX7SntLO5aqRK0M=
-github.com/google/go-cmp v0.3.0/go.mod h1:8QqcDgzrUqlUb/G2PQTWiueGozuR1884gddMywk6iLU=
-github.com/google/go-cmp v0.3.1/go.mod h1:8QqcDgzrUqlUb/G2PQTWiueGozuR1884gddMywk6iLU=
-github.com/google/go-cmp v0.4.0/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/gNBxE=
-github.com/google/go-cmp v0.4.1/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/gNBxE=
-github.com/google/go-cmp v0.5.0/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/gNBxE=
-github.com/google/go-cmp v0.5.1/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/gNBxE=
-github.com/google/go-cmp v0.5.2 h1:X2ev0eStA3AbceY54o37/0PQ/UWqKEiiO2dKL5OPaFM=
-github.com/google/go-cmp v0.5.2/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/gNBxE=
-github.com/google/martian v2.1.0+incompatible/go.mod h1:9I4somxYTbIHy5NJKHRl3wXiIaQGbYVAs8BPL6v8lEs=
-github.com/google/martian/v3 v3.0.0/go.mod h1:y5Zk1BBys9G+gd6Jrk0W3cC1+ELVxBWuIGO+w/tUAp0=
-github.com/google/pprof v0.0.0-20181206194817-3ea8567a2e57/go.mod h1:zfwlbNMJ+OItoe0UupaVj+oy1omPYYDuagoSzA8v9mc=
-github.com/google/pprof v0.0.0-20190515194954-54271f7e092f/go.mod h1:zfwlbNMJ+OItoe0UupaVj+oy1omPYYDuagoSzA8v9mc=
-github.com/google/pprof v0.0.0-20191218002539-d4f498aebedc/go.mod h1:ZgVRPoUq/hfqzAqh7sHMqb3I9Rq5C59dIz2SbBwJ4eM=
-github.com/google/pprof v0.0.0-20200212024743-f11f1df84d12/go.mod h1:ZgVRPoUq/hfqzAqh7sHMqb3I9Rq5C59dIz2SbBwJ4eM=
-github.com/google/pprof v0.0.0-20200229191704-1ebb73c60ed3/go.mod h1:ZgVRPoUq/hfqzAqh7sHMqb3I9Rq5C59dIz2SbBwJ4eM=
-github.com/google/pprof v0.0.0-20200430221834-fc25d7d30c6d/go.mod h1:ZgVRPoUq/hfqzAqh7sHMqb3I9Rq5C59dIz2SbBwJ4eM=
-github.com/google/pprof v0.0.0-20200708004538-1a94d8640e99/go.mod h1:ZgVRPoUq/hfqzAqh7sHMqb3I9Rq5C59dIz2SbBwJ4eM=
-github.com/google/pprof v0.0.0-20200905233945-acf8798be1f7/go.mod h1:ZgVRPoUq/hfqzAqh7sHMqb3I9Rq5C59dIz2SbBwJ4eM=
-github.com/google/renameio v0.1.0/go.mod h1:KWCgfxg9yswjAJkECMjeO8J8rahYeXnNhOm40UhjYkI=
-github.com/google/uuid v1.3.0 h1:t6JiXgmwXMjEs8VusXIJk2BXHsn+wx8BZdTaoZ5fu7I=
-github.com/google/uuid v1.3.0/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+yHo=
-github.com/googleapis/gax-go/v2 v2.0.4/go.mod h1:0Wqv26UfaUD9n4G6kQubkQ+KchISgw+vpHVxEJEs9eg=
-github.com/googleapis/gax-go/v2 v2.0.5/go.mod h1:DWXyrwAJ9X0FpwwEdw+IPEYBICEFu5mhpdKc/us6bOk=
-github.com/gorilla/context v1.1.1 h1:AWwleXJkX/nhcU9bZSnZoi3h/qGYqQAGhq6zZe/aQW8=
-github.com/gorilla/context v1.1.1/go.mod h1:kBGZzfjB9CEq2AlWe17Uuf7NDRt0dE0s8S51q0aT7Yg=
-github.com/gorilla/mux v1.6.2 h1:Pgr17XVTNXAk3q/r4CpKzC5xBM/qW1uVLV+IhRZpIIk=
-github.com/gorilla/mux v1.6.2/go.mod h1:1lud6UwP+6orDFRuTfBEV8e9/aOM/c4fVVCaMa2zaAs=
-github.com/gorilla/pat v0.0.0-20180118222023-199c85a7f6d1/go.mod h1:YeAe0gNeiNT5hoiZRI4yiOky6jVdNvfO2N6Kav/HmxY=
-github.com/gorilla/securecookie v1.1.1 h1:miw7JPhV+b/lAHSXz4qd/nN9jRiAFV5FwjeKyCS8BvQ=
-github.com/gorilla/securecookie v1.1.1/go.mod h1:ra0sb63/xPlUeL+yeDciTfxMRAA+MP+HVt/4epWDjd4=
-github.com/gorilla/sessions v1.1.1/go.mod h1:8KCfur6+4Mqcc6S0FEfKuN15Vl5MgXW92AE8ovaJD0w=
-github.com/gorilla/sessions v1.2.1 h1:DHd3rPN5lE3Ts3D8rKkQ8x/0kqfeNmBAaiSi+o7FsgI=
-github.com/gorilla/sessions v1.2.1/go.mod h1:dk2InVEVJ0sfLlnXv9EAgkf6ecYs/i80K/zI+bUmuGM=
-github.com/hashicorp/golang-lru v0.5.0/go.mod h1:/m3WP610KZHVQ1SGc6re/UDhFvYD7pJ4Ao+sR/qLZy8=
-github.com/hashicorp/golang-lru v0.5.1/go.mod h1:/m3WP610KZHVQ1SGc6re/UDhFvYD7pJ4Ao+sR/qLZy8=
-github.com/ianlancetaylor/demangle v0.0.0-20181102032728-5e5cf60278f6/go.mod h1:aSSvb/t6k1mPoxDqO4vJh6VOCGPwU4O0C2/Eqndh1Sc=
-github.com/jarcoal/httpmock v0.0.0-20180424175123-9c70cfe4a1da/go.mod h1:ks+b9deReOc7jgqp+e7LuFiCBH6Rm5hL32cLcEAArb4=
+github.com/golang-jwt/jwt/v5 v5.3.0 h1:pv4AsKCKKZuqlgs5sUmn4x8UlGa0kEVt/puTpKx9vvo=
+github.com/golang-jwt/jwt/v5 v5.3.0/go.mod h1:fxCRLWMO43lRc8nhHWY6LGqRcf+1gQWArsqaEUEa5bE=
+github.com/golang/snappy v1.0.0 h1:Oy607GVXHs7RtbggtPBnr2RmDArIsAefDwvrdWvRhGs=
+github.com/golang/snappy v1.0.0/go.mod h1:/XxbfmMg8lxefKM7IXC3fBNl/7bRcc72aCRzEWrmP2Q=
+github.com/google/go-cmp v0.7.0 h1:wk8382ETsv4JYUZwIsn6YpYiWiBsYLSJiTsyBybVuN8=
+github.com/google/go-cmp v0.7.0/go.mod h1:pXiqmnSA92OHEEa9HXL2W4E7lf9JzCmGVUdgjX3N/iU=
+github.com/google/go-tpm v0.9.6 h1:Ku42PT4LmjDu1H5C5ISWLlpI1mj+Zq7sPGKoRw2XROA=
+github.com/google/go-tpm v0.9.6/go.mod h1:h9jEsEECg7gtLis0upRBQU+GhYVH6jMjrFxI8u6bVUY=
+github.com/google/gofuzz v1.0.0/go.mod h1:dBl0BpW6vV/+mYPU4Po3pmUjxk6FQPldtuIdl/M65Eg=
+github.com/google/gofuzz v1.2.0 h1:xRy4A+RhZaiKjJ1bPfwQ8sedCA+YS2YcCHW6ec7JMi0=
+github.com/google/gofuzz v1.2.0/go.mod h1:dBl0BpW6vV/+mYPU4Po3pmUjxk6FQPldtuIdl/M65Eg=
+github.com/google/pprof v0.0.0-20250317173921-a4b03ec1a45e h1:ijClszYn+mADRFY17kjQEVQ1XRhq2/JR1M3sGqeJoxs=
+github.com/google/pprof v0.0.0-20250317173921-a4b03ec1a45e/go.mod h1:boTsfXsheKC2y+lKOCMpSfarhxDeIzfZG1jqGcPl3cA=
+github.com/google/uuid v1.6.0 h1:NIvaJDMOsjHA8n1jAhLSgzrAzy1Hgr+hNrb57e+94F0=
+github.com/google/uuid v1.6.0/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+yHo=
+github.com/gorilla/mux v1.8.1 h1:TuBL49tXwgrFYWhqrNgrUNEY92u81SPhu7sTdzQEiWY=
+github.com/gorilla/mux v1.8.1/go.mod h1:AKf9I4AEqPTmMytcMc0KkNouC66V3BtZ4qD5fmWSiMQ=
+github.com/gorilla/schema v1.4.1 h1:jUg5hUjCSDZpNGLuXQOgIWGdlgrIdYvgQ0wZtdK1M3E=
+github.com/gorilla/schema v1.4.1/go.mod h1:Dg5SSm5PV60mhF2NFaTV1xuYYj8tV8NOPRo4FggUMnM=
+github.com/gorilla/securecookie v1.1.2 h1:YCIWL56dvtr73r6715mJs5ZvhtnY73hBvEF8kXD8ePA=
+github.com/gorilla/securecookie v1.1.2/go.mod h1:NfCASbcHqRSY+3a8tlWJwsQap2VX5pwzwo4h3eOamfo=
+github.com/gorilla/sessions v1.4.0 h1:kpIYOp/oi6MG/p5PgxApU8srsSw9tuFbt46Lt7auzqQ=
+github.com/gorilla/sessions v1.4.0/go.mod h1:FLWm50oby91+hl7p/wRxDth9bWSuk0qVL2emc7lT5ik=
+github.com/hashicorp/go-uuid v1.0.3 h1:2gKiV6YVmrJ1i2CKKa9obLvRieoRGviZFL26PcT/Co8=
+github.com/hashicorp/go-uuid v1.0.3/go.mod h1:6SBZvOh/SIDV7/2o3Jml5SYk/TvGqwFJ/bN7x4byOro=
+github.com/hashicorp/golang-lru/v2 v2.0.7 h1:a+bsQ5rvGLjzHuww6tVxozPZFVghXaHOwFs4luLUK2k=
+github.com/hashicorp/golang-lru/v2 v2.0.7/go.mod h1:QeFd9opnmA6QUJc5vARoKUSoFhyfM2/ZepoAG6RGpeM=
+github.com/hexops/gotextdiff v1.0.3 h1:gitA9+qJrrTCsiCl7+kh75nPqQt1cx4ZkudSTLoUqJM=
+github.com/hexops/gotextdiff v1.0.3/go.mod h1:pSWU5MAI3yDq+fZBTazCSJysOMbxWL1BSow5/V2vxeg=
+github.com/jackc/pgpassfile v1.0.0 h1:/6Hmqy13Ss2zCq62VdNG8tM1wchn8zjSGOBJ6icpsIM=
+github.com/jackc/pgpassfile v1.0.0/go.mod h1:CEx0iS5ambNFdcRtxPj5JhEz+xB6uRky5eyVu/W2HEg=
+github.com/jackc/pgservicefile v0.0.0-20240606120523-5a60cdf6a761 h1:iCEnooe7UlwOQYpKFhBabPMi4aNAfoODPEFNiAnClxo=
+github.com/jackc/pgservicefile v0.0.0-20240606120523-5a60cdf6a761/go.mod h1:5TJZWKEWniPve33vlWYSoGYefn3gLQRzjfDlhSJ9ZKM=
+github.com/jackc/pgx/v5 v5.8.0 h1:TYPDoleBBme0xGSAX3/+NujXXtpZn9HBONkQC7IEZSo=
+github.com/jackc/pgx/v5 v5.8.0/go.mod h1:QVeDInX2m9VyzvNeiCJVjCkNFqzsNb43204HshNSZKw=
+github.com/jackc/puddle/v2 v2.2.2 h1:PR8nw+E/1w0GLuRFSmiioY6UooMp6KJv0/61nB7icHo=
+github.com/jackc/puddle/v2 v2.2.2/go.mod h1:vriiEXHvEE654aYKXXjOvZM39qJ0q+azkZFrfEOc3H4=
+github.com/jcmturner/aescts/v2 v2.0.0 h1:9YKLH6ey7H4eDBXW8khjYslgyqG2xZikXP0EQFKrle8=
+github.com/jcmturner/aescts/v2 v2.0.0/go.mod h1:AiaICIRyfYg35RUkr8yESTqvSy7csK90qZ5xfvvsoNs=
+github.com/jcmturner/dnsutils/v2 v2.0.0 h1:lltnkeZGL0wILNvrNiVCR6Ro5PGU/SeBvVO/8c/iPbo=
+github.com/jcmturner/dnsutils/v2 v2.0.0/go.mod h1:b0TnjGOvI/n42bZa+hmXL+kFJZsFT7G4t3HTlQ184QM=
+github.com/jcmturner/gofork v1.7.6 h1:QH0l3hzAU1tfT3rZCnW5zXl+orbkNMMRGJfdJjHVETg=
+github.com/jcmturner/gofork v1.7.6/go.mod h1:1622LH6i/EZqLloHfE7IeZ0uEJwMSUyQ/nDd82IeqRo=
+github.com/jcmturner/goidentity/v6 v6.0.1 h1:VKnZd2oEIMorCTsFBnJWbExfNN7yZr3EhJAxwOkZg6o=
+github.com/jcmturner/goidentity/v6 v6.0.1/go.mod h1:X1YW3bgtvwAXju7V3LCIMpY0Gbxyjn/mY9zx4tFonSg=
+github.com/jcmturner/gokrb5/v8 v8.4.4 h1:x1Sv4HaTpepFkXbt2IkL29DXRf8sOfZXo8eRKh687T8=
+github.com/jcmturner/gokrb5/v8 v8.4.4/go.mod h1:1btQEpgT6k+unzCwX1KdWMEwPPkkgBtP+F6aCACiMrs=
+github.com/jcmturner/rpc/v2 v2.0.3 h1:7FXXj8Ti1IaVFpSAziCZWNzbNuZmnvw/i6CqLNdWfZY=
+github.com/jcmturner/rpc/v2 v2.0.3/go.mod h1:VUJYCIDm3PVOEHw8sgt091/20OJjskO/YJki3ELg/Hc=
 github.com/jinzhu/inflection v1.0.0 h1:K317FqzuhWc8YvSVlFMCCUb36O/S9MCKRDI7QkRKD/E=
 github.com/jinzhu/inflection v1.0.0/go.mod h1:h+uFLlag+Qp1Va5pdKtLDYj+kHp5pxUVkryuEj+Srlc=
-github.com/jinzhu/now v1.1.4/go.mod h1:d3SSVoowX0Lcu0IBviAWJpolVfI5UJVZZ7cO71lE/z8=
 github.com/jinzhu/now v1.1.5 h1:/o9tlHleP7gOFmsnYNz3RGnqzefHA47wQpKrrdTIwXQ=
 github.com/jinzhu/now v1.1.5/go.mod h1:d3SSVoowX0Lcu0IBviAWJpolVfI5UJVZZ7cO71lE/z8=
-github.com/jstemmer/go-junit-report v0.0.0-20190106144839-af01ea7f8024/go.mod h1:6v2b51hI/fHJwM22ozAgKL4VKDeJcHhJFhtBdhmNjmU=
-github.com/jstemmer/go-junit-report v0.9.1/go.mod h1:Brl9GWCQeLvo8nXZwPNNblvFj/XSXhF0NWZEnDohbsk=
-github.com/kisielk/gotool v1.0.0/go.mod h1:XhKaO+MFFWcvkIS/tQcRk01m1F5IRFswLeQ+oQHNcck=
-github.com/kr/pretty v0.1.0/go.mod h1:dAy3ld7l9f0ibDNOQOHHMYYIIbhfbHSm3C4ZsoJORNo=
-github.com/kr/pretty v0.2.1/go.mod h1:ipq/a2n7PKx3OHsz4KJII5eveXtPO4qwEXGdVfWzfnI=
-github.com/kr/pretty v0.3.0 h1:WgNl7dwNpEZ6jJ9k1snq4pZsg7DOEN8hP9Xw0Tsjwk0=
-github.com/kr/pretty v0.3.0/go.mod h1:640gp4NfQd8pI5XOwp5fnNeVWj67G7CFk/SaSQn7NBk=
-github.com/kr/pty v1.1.1/go.mod h1:pFQYn66WHrOpPYNljwOMqo10TkYh1fy3cYio2l3bCsQ=
-github.com/kr/text v0.1.0/go.mod h1:4Jbv+DJW3UT/LiOwJeYQe1efqtUx/iVham/4vfdArNI=
+github.com/json-iterator/go v1.1.12 h1:PV8peI4a0ysnczrg+LtxykD8LfKY9ML6u2jnxaEnrnM=
+github.com/json-iterator/go v1.1.12/go.mod h1:e30LSqwooZae/UwlEbR2852Gd8hjQvJoHmT4TnhNGBo=
+github.com/klauspost/compress v1.18.0 h1:c/Cqfb0r+Yi+JtIEq73FWXVkRonBlf0CRNYc8Zttxdo=
+github.com/klauspost/compress v1.18.0/go.mod h1:2Pp+KzxcywXVXMr50+X0Q/Lsb43OQHYWRCY2AiWywWQ=
+github.com/kr/pretty v0.3.1 h1:flRD4NNwYAUpkphVc1HcthR4KEIFJ65n8Mw5qdRn3LE=
+github.com/kr/pretty v0.3.1/go.mod h1:hoEshYVHaxMs3cyo3Yncou5ZscifuDolrwPKZanG3xk=
 github.com/kr/text v0.2.0 h1:5Nx0Ya0ZqY2ygV366QzturHI13Jq95ApcVaJBhpS+AY=
 github.com/kr/text v0.2.0/go.mod h1:eLer722TekiGuMkidMxC/pM04lWEeraHUUmBw8l2grE=
-github.com/labstack/echo/v4 v4.10.0 h1:5CiyngihEO4HXsz3vVsJn7f8xAlWwRr3aY6Ih280ZKA=
-github.com/labstack/echo/v4 v4.10.0/go.mod h1:S/T/5fy/GigaXnHTkh0ZGe4LpkkQysvRjFMSUTkDRNQ=
-github.com/labstack/gommon v0.4.0 h1:y7cvthEAEbU0yHOf4axH8ZG2NH8knB9iNSoTO8dyIk8=
-github.com/labstack/gommon v0.4.0/go.mod h1:uW6kP17uPlLJsD3ijUYn3/M5bAxtlZhMI6m3MFxTMTM=
-github.com/leodido/go-urn v1.2.1 h1:BqpAaACuzVSgi/VLzGZIobT2z4v53pjosyNd9Yv6n/w=
-github.com/leodido/go-urn v1.2.1/go.mod h1:zt4jvISO2HfUBqxjfIshjdMTYS56ZS/qv49ictyFfxY=
-github.com/lestrrat-go/backoff/v2 v2.0.8/go.mod h1:rHP/q/r9aT27n24JQLa7JhSQZCKBBOiM/uP402WwN8Y=
-github.com/lestrrat-go/blackmagic v1.0.0/go.mod h1:TNgH//0vYSs8VXDCfkZLgIrVTTXQELZffUV0tz3MtdQ=
-github.com/lestrrat-go/httpcc v1.0.0/go.mod h1:tGS/u00Vh5N6FHNkExqGGNId8e0Big+++0Gf8MBnAvE=
-github.com/lestrrat-go/iter v1.0.1/go.mod h1:zIdgO1mRKhn8l9vrZJZz9TUMMFbQbLeTsbqPDrJ/OJc=
-github.com/lestrrat-go/jwx v1.2.21/go.mod h1:9cfxnOH7G1gN75CaJP2hKGcxFEx5sPh1abRIA/ZJVh4=
-github.com/lestrrat-go/option v1.0.0/go.mod h1:5ZHFbivi4xwXxhxY9XHDe2FHo6/Z7WWmtT7T5nBBp3I=
-github.com/markbates/going v1.0.0/go.mod h1:I6mnB4BPnEeqo85ynXIx1ZFLLbtiLHNXVgWeFO9OGOA=
-github.com/markbates/goth v1.77.0 h1:s3scqnWv/Zq/a5M766V0FKsLfOdFNdh/HEkuWCKbvT8=
-github.com/markbates/goth v1.77.0/go.mod h1:X6xdNgpapSENS0O35iTBBcMHoJDQDfI9bJl+APCkYMc=
-github.com/mattn/go-colorable v0.1.11/go.mod h1:u5H1YNBxpqRaxsYJYSkiCWKzEfiAb1Gb520KVy5xxl4=
-github.com/mattn/go-colorable v0.1.12/go.mod h1:u5H1YNBxpqRaxsYJYSkiCWKzEfiAb1Gb520KVy5xxl4=
-github.com/mattn/go-colorable v0.1.13 h1:fFA4WZxdEF4tXPZVKMLwD8oUnCTTo08duU7wxecdEvA=
+github.com/kylelemons/godebug v1.1.0 h1:RPNrshWIDI6G2gRW9EHilWtl7Z6Sb1BR0xunSBf0SNc=
+github.com/kylelemons/godebug v1.1.0/go.mod h1:9/0rRGxNHcop5bhtWyNeEfOS8JIWk580+fNqagV/RAw=
+github.com/labstack/echo-contrib v0.17.4 h1:g5mfsrJfJTKv+F5uNKCyrjLK7js+ZW6HTjg4FnDxxgk=
+github.com/labstack/echo-contrib v0.17.4/go.mod h1:9O7ZPAHUeMGTOAfg80YqQduHzt0CzLak36PZRldYrZ0=
+github.com/labstack/echo/v4 v4.15.0 h1:hoRTKWcnR5STXZFe9BmYun9AMTNeSbjHi2vtDuADJ24=
+github.com/labstack/echo/v4 v4.15.0/go.mod h1:xmw1clThob0BSVRX1CRQkGQ/vjwcpOMjQZSZa9fKA/c=
+github.com/labstack/gommon v0.4.2 h1:F8qTUNXgG1+6WQmqoUWnz8WiEU60mXVVw0P4ht1WRA0=
+github.com/labstack/gommon v0.4.2/go.mod h1:QlUFxVM+SNXhDL/Z7YhocGIBYOiwB0mXm1+1bAPHPyU=
+github.com/leodido/go-urn v1.4.0 h1:WT9HwE9SGECu3lg4d/dIA+jxlljEa1/ffXKmRjqdmIQ=
+github.com/leodido/go-urn v1.4.0/go.mod h1:bvxc+MVxLKB4z00jd1z+Dvzr47oO32F/QSNjSBOlFxI=
+github.com/markbates/goth v1.82.0 h1:8j/c34AjBSTNzO7zTsOyP5IYCQCMBTRBHAbBt/PI0bQ=
+github.com/markbates/goth v1.82.0/go.mod h1:/DRlcq0pyqkKToyZjsL2KgiA1zbF1HIjE7u2uC79rUk=
 github.com/mattn/go-colorable v0.1.13/go.mod h1:7S9/ev0klgBDR4GtXTXX8a3vIGJpMovkB8vQcUbaXHg=
-github.com/mattn/go-isatty v0.0.14/go.mod h1:7GGIvUiUoEMVVmxf/4nioHXj79iQHKdU27kJ6hsGG94=
+github.com/mattn/go-colorable v0.1.14 h1:9A9LHSqF/7dyVVX6g0U9cwm9pG3kP9gSzcuIPHPsaIE=
+github.com/mattn/go-colorable v0.1.14/go.mod h1:6LmQG8QLFO4G5z1gPvYEzlUgJ2wF+stgPZH1UqBm1s8=
 github.com/mattn/go-isatty v0.0.16/go.mod h1:kYGgaQfpe5nmfYZH+SKPsOc2e4SrIfOl2e/yFXSvRLM=
-github.com/mattn/go-isatty v0.0.17 h1:BTarxUcIeDqL27Mc+vyvdWYSL28zpIhv3RoTdsLMPng=
-github.com/mattn/go-isatty v0.0.17/go.mod h1:kYGgaQfpe5nmfYZH+SKPsOc2e4SrIfOl2e/yFXSvRLM=
-github.com/mattn/go-sqlite3 v1.14.12/go.mod h1:NyWgC/yNuGj7Q9rpYnZvas74GogHl5/Z4A/KQRfk6bU=
-github.com/mattn/go-sqlite3 v1.14.13 h1:1tj15ngiFfcZzii7yd82foL+ks+ouQcj8j/TPq3fk1I=
-github.com/mattn/go-sqlite3 v1.14.13/go.mod h1:NyWgC/yNuGj7Q9rpYnZvas74GogHl5/Z4A/KQRfk6bU=
-github.com/mrjones/oauth v0.0.0-20180629183705-f4e24b6d100c/go.mod h1:skjdDftzkFALcuGzYSklqYd8gvat6F1gZJ4YPVbkZpM=
-github.com/pkg/diff v0.0.0-20210226163009-20ebb0f2a09e/go.mod h1:pJLUxLENpZxwdsKMEsNbx1VGcRFpLqf3715MtcvvzbA=
+github.com/mattn/go-isatty v0.0.19/go.mod h1:W+V8PltTTMOvKvAeJH7IuucS94S2C6jfK/D7dTCTo3Y=
+github.com/mattn/go-isatty v0.0.20 h1:xfD0iDuEKnDkl03q4limB+vH+GxLEtL/jb4xVJSWWEY=
+github.com/mattn/go-isatty v0.0.20/go.mod h1:W+V8PltTTMOvKvAeJH7IuucS94S2C6jfK/D7dTCTo3Y=
+github.com/mattn/go-runewidth v0.0.19 h1:v++JhqYnZuu5jSKrk9RbgF5v4CGUjqRfBm05byFGLdw=
+github.com/mattn/go-runewidth v0.0.19/go.mod h1:XBkDxAl56ILZc9knddidhrOlY5R/pDhgLpndooCuJAs=
+github.com/meilisearch/meilisearch-go v0.36.0 h1:N1etykTektXt5KPcSbhBO0d5Xx5NaKj4pJWEM7WA5dI=
+github.com/meilisearch/meilisearch-go v0.36.0/go.mod h1:HBfHzKMxcSbTOvqdfuRA/yf6Vk9IivcwKocWRuW7W78=
+github.com/modern-go/concurrent v0.0.0-20180228061459-e0a39a4cb421/go.mod h1:6dJC0mAP4ikYIbvyc7fijjWJddQyLn8Ig3JB5CqoB9Q=
+github.com/modern-go/concurrent v0.0.0-20180306012644-bacd9c7ef1dd h1:TRLaZ9cD/w8PVh93nsPXa1VrQ6jlwL5oN8l14QlcNfg=
+github.com/modern-go/concurrent v0.0.0-20180306012644-bacd9c7ef1dd/go.mod h1:6dJC0mAP4ikYIbvyc7fijjWJddQyLn8Ig3JB5CqoB9Q=
+github.com/modern-go/reflect2 v1.0.2 h1:xBagoLtFs94CBntxluKeaWgTMpvLxC4ur3nMaC9Gz0M=
+github.com/modern-go/reflect2 v1.0.2/go.mod h1:yWuevngMOJpCy52FWWMvUC8ws7m/LJsjYzDa0/r8luk=
+github.com/mschoch/smat v0.2.0 h1:8imxQsjDm8yFEAVBe7azKmKSgzSkZXDuKkSq9374khM=
+github.com/mschoch/smat v0.2.0/go.mod h1:kc9mz7DoBKqDyiRL7VZN8KvXQMWeTaVnttLRXOlotKw=
+github.com/munnerz/goautoneg v0.0.0-20191010083416-a7dc8b61c822 h1:C3w9PqII01/Oq1c1nUAm88MOHcQC9l5mIlSMApZMrHA=
+github.com/munnerz/goautoneg v0.0.0-20191010083416-a7dc8b61c822/go.mod h1:+n7T8mK8HuQTcFwEeznm/DIxMOiR9yIdICNftLE1DvQ=
+github.com/ncruces/go-strftime v1.0.0 h1:HMFp8mLCTPp341M/ZnA4qaf7ZlsbTc+miZjCLOFAw7w=
+github.com/ncruces/go-strftime v1.0.0/go.mod h1:Fwc5htZGVVkseilnfgOVb9mKy6w1naJmn9CehxcKcls=
 github.com/pkg/errors v0.9.1/go.mod h1:bwawxfHBFNV+L2hUp1rHADufV3IMtnDRdf1r5NINEl0=
 github.com/pmezard/go-difflib v1.0.0 h1:4DBwDE0NGyQoBHbLQYPwSUPoCMWR5BEzIk/f1lZbAQM=
 github.com/pmezard/go-difflib v1.0.0/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4=
-github.com/prometheus/client_model v0.0.0-20190812154241-14fe0d1b01d4/go.mod h1:xMI15A0UPsDsEKsMN9yxemIoYk6Tm2C1GtYGdfGttqA=
-github.com/rogpeppe/go-internal v1.3.0/go.mod h1:M8bDsm7K2OlrFYOpmOWEs/qY81heoFRclV5y23lUDJ4=
-github.com/rogpeppe/go-internal v1.6.1/go.mod h1:xXDCJY+GAPziupqXw64V24skbSoqbTEfhy4qGm1nDQc=
-github.com/rogpeppe/go-internal v1.8.0 h1:FCbCCtXNOY3UtUuHUYaghJg4y7Fd14rXifAYUAtL9R8=
-github.com/rogpeppe/go-internal v1.8.0/go.mod h1:WmiCO8CzOY8rg0OYDC4/i/2WRWAB6poM+XZ2dLUbcbE=
-github.com/rs/xid v1.4.0/go.mod h1:trrq9SKmegXys3aeAKXMUTdJsYXVwGY3RLcfgqegfbg=
-github.com/rs/zerolog v1.29.0 h1:Zes4hju04hjbvkVkOhdl2HpZa+0PmVwigmo8XoORE5w=
-github.com/rs/zerolog v1.29.0/go.mod h1:NILgTygv/Uej1ra5XxGf82ZFSLk58MFGAUS2o6usyD0=
+github.com/pquerna/otp v1.5.0 h1:NMMR+WrmaqXU4EzdGJEE1aUUI0AMRzsp96fFFWNPwxs=
+github.com/pquerna/otp v1.5.0/go.mod h1:dkJfzwRKNiegxyNb54X/3fLwhCynbMspSyWKnvi1AEg=
+github.com/prometheus/client_golang v1.23.2 h1:Je96obch5RDVy3FDMndoUsjAhG5Edi49h0RJWRi/o0o=
+github.com/prometheus/client_golang v1.23.2/go.mod h1:Tb1a6LWHB3/SPIzCoaDXI4I8UHKeFTEQ1YCr+0Gyqmg=
+github.com/prometheus/client_model v0.6.2 h1:oBsgwpGs7iVziMvrGhE53c/GrLUsZdHnqNwqPLxwZyk=
+github.com/prometheus/client_model v0.6.2/go.mod h1:y3m2F6Gdpfy6Ut/GBsUqTWZqCUvMVzSfMLjcu6wAwpE=
+github.com/prometheus/common v0.67.5 h1:pIgK94WWlQt1WLwAC5j2ynLaBRDiinoAb86HZHTUGI4=
+github.com/prometheus/common v0.67.5/go.mod h1:SjE/0MzDEEAyrdr5Gqc6G+sXI67maCxzaT3A2+HqjUw=
+github.com/prometheus/procfs v0.19.2 h1:zUMhqEW66Ex7OXIiDkll3tl9a1ZdilUOd/F6ZXw4Vws=
+github.com/prometheus/procfs v0.19.2/go.mod h1:M0aotyiemPhBCM0z5w87kL22CxfcH05ZpYlu+b4J7mw=
+github.com/remyoudompheng/bigfft v0.0.0-20230129092748-24d4a6f8daec h1:W09IVJc94icq4NjY3clb7Lk8O1qJ8BdBEF8z0ibU0rE=
+github.com/remyoudompheng/bigfft v0.0.0-20230129092748-24d4a6f8daec/go.mod h1:qqbHyh8v60DhA7CoWK5oRCqLrMHRGoxYCSS9EjAz6Eo=
+github.com/rogpeppe/go-internal v1.12.0 h1:exVL4IDcn6na9z1rAb56Vxr+CgyK3nn3O+epU5NdKM8=
+github.com/rogpeppe/go-internal v1.12.0/go.mod h1:E+RYuTGaKKdloAfM02xzb0FW3Paa99yedzYV+kq4uf4=
+github.com/rs/xid v1.6.0/go.mod h1:7XoLgs4eV+QndskICGsho+ADou8ySMSjJKDIan90Nz0=
+github.com/rs/zerolog v1.34.0 h1:k43nTLIwcTVQAncfCw4KZ2VY6ukYoZaBPNOE8txlOeY=
+github.com/rs/zerolog v1.34.0/go.mod h1:bJsvje4Z08ROH4Nhs5iH600c3IkWhwp44iRc54W6wYQ=
+github.com/russross/blackfriday/v2 v2.1.0 h1:JIOH55/0cWyOuilr9/qlrm0BSXldqnqwMsf35Ld67mk=
+github.com/russross/blackfriday/v2 v2.1.0/go.mod h1:+Rmxgy9KzJVeS9/2gXHxylqXiyQDYRxCVz55jmeOWTM=
 github.com/stretchr/objx v0.1.0/go.mod h1:HFkY916IF+rwdDfMAkV7OtwuqBVzrE8GR6GFx+wExME=
-github.com/stretchr/testify v1.4.0/go.mod h1:j7eGeouHqKxXV5pUuKE4zz7dFj8WfuZ+81PSLYec5m4=
-github.com/stretchr/testify v1.5.1/go.mod h1:5W2xD1RspED5o8YsWQXVCued0rvSQ+mT+I5cxcmMvtA=
-github.com/stretchr/testify v1.6.1/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/h/Wwjteg=
+github.com/stretchr/testify v1.3.0/go.mod h1:M5WIy9Dh21IEIfnGCwXGc5bZfKNJtfHm1UVUgZn+9EI=
 github.com/stretchr/testify v1.7.0/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/h/Wwjteg=
-github.com/stretchr/testify v1.7.1/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/h/Wwjteg=
-github.com/stretchr/testify v1.8.1 h1:w7B6lhMri9wdJUVmEZPGGhZzrYTPvgJArz7wNPgYKsk=
+github.com/stretchr/testify v1.11.1 h1:7s2iGBzp5EwR7/aIZr8ao5+dra3wiQyKjjFuvgVKu7U=
+github.com/stretchr/testify v1.11.1/go.mod h1:wZwfW3scLgRK+23gO65QZefKpKQRnfz6sD981Nm4B6U=
+github.com/urfave/cli/v2 v2.27.7 h1:bH59vdhbjLv3LAvIu6gd0usJHgoTTPhCFib8qqOwXYU=
+github.com/urfave/cli/v2 v2.27.7/go.mod h1:CyNAG/xg+iAOg0N4MPGZqVmv2rCoP267496AOXUZjA4=
 github.com/valyala/bytebufferpool v1.0.0 h1:GqA5TC/0021Y/b9FG4Oi9Mr3q7XYx6KllzawFIhcdPw=
 github.com/valyala/bytebufferpool v1.0.0/go.mod h1:6bBcMArwyJ5K/AmCkWv1jt77kVWyCJ6HpOuEn7z0Csc=
-github.com/valyala/fasttemplate v1.2.1/go.mod h1:KHLXt3tVN2HBp8eijSv/kGJopbvo7S+qRAEEKiv+SiQ=
 github.com/valyala/fasttemplate v1.2.2 h1:lxLXG0uE3Qnshl9QyaK6XJxMXlQZELvChBOCmQD0Loo=
 github.com/valyala/fasttemplate v1.2.2/go.mod h1:KHLXt3tVN2HBp8eijSv/kGJopbvo7S+qRAEEKiv+SiQ=
-github.com/yuin/goldmark v1.1.25/go.mod h1:3hX8gzYuyVAZsxl0MRgGTJEmQBFcNTphYh9decYSb74=
-github.com/yuin/goldmark v1.1.27/go.mod h1:3hX8gzYuyVAZsxl0MRgGTJEmQBFcNTphYh9decYSb74=
-github.com/yuin/goldmark v1.1.32/go.mod h1:3hX8gzYuyVAZsxl0MRgGTJEmQBFcNTphYh9decYSb74=
-github.com/yuin/goldmark v1.2.1/go.mod h1:3hX8gzYuyVAZsxl0MRgGTJEmQBFcNTphYh9decYSb74=
-go.opencensus.io v0.21.0/go.mod h1:mSImk1erAIZhrmZN+AvHh14ztQfjbGwt4TtuofqLduU=
-go.opencensus.io v0.22.0/go.mod h1:+kGneAE2xo2IficOXnaByMWTGM9T73dGwxeWcUqIpI8=
-go.opencensus.io v0.22.2/go.mod h1:yxeiOL68Rb0Xd1ddK5vPZ/oVn4vY4Ynel7k9FzqtOIw=
-go.opencensus.io v0.22.3/go.mod h1:yxeiOL68Rb0Xd1ddK5vPZ/oVn4vY4Ynel7k9FzqtOIw=
-go.opencensus.io v0.22.4/go.mod h1:yxeiOL68Rb0Xd1ddK5vPZ/oVn4vY4Ynel7k9FzqtOIw=
-golang.org/x/crypto v0.0.0-20190308221718-c2843e01d9a2/go.mod h1:djNgcEr1/C05ACkg1iLfiJU5Ep61QUkGW8qpdssI0+w=
-golang.org/x/crypto v0.0.0-20190510104115-cbcb75029529/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI=
-golang.org/x/crypto v0.0.0-20190605123033-f99c8df09eb5/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI=
-golang.org/x/crypto v0.0.0-20191011191535-87dc89f01550/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI=
-golang.org/x/crypto v0.0.0-20200622213623-75b288015ac9/go.mod h1:LzIPMQfyMNhhGPhUkYOs5KpL4U8rLKemX1yGLhDgUto=
-golang.org/x/crypto v0.0.0-20211215153901-e495a2d5b3d3/go.mod h1:IxCIyHEi3zRg3s0A5j5BB6A9Jmi73HwBIUl50j+osU4=
-golang.org/x/crypto v0.0.0-20220214200702-86341886e292/go.mod h1:IxCIyHEi3zRg3s0A5j5BB6A9Jmi73HwBIUl50j+osU4=
-golang.org/x/crypto v0.2.0 h1:BRXPfhNivWL5Yq0BGQ39a2sW6t44aODpfxkWjYdzewE=
-golang.org/x/crypto v0.2.0/go.mod h1:hebNnKkNXi2UzZN1eVRvBB7co0a+JxK6XbPiWVs/3J4=
-golang.org/x/exp v0.0.0-20190121172915-509febef88a4/go.mod h1:CJ0aWSM057203Lf6IL+f9T1iT9GByDxfZKAQTCR3kQA=
-golang.org/x/exp v0.0.0-20190306152737-a1d7652674e8/go.mod h1:CJ0aWSM057203Lf6IL+f9T1iT9GByDxfZKAQTCR3kQA=
-golang.org/x/exp v0.0.0-20190510132918-efd6b22b2522/go.mod h1:ZjyILWgesfNpC6sMxTJOJm9Kp84zZh5NQWvqDGG3Qr8=
-golang.org/x/exp v0.0.0-20190829153037-c13cbed26979/go.mod h1:86+5VVa7VpoJ4kLfm080zCjGlMRFzhUhsZKEZO7MGek=
-golang.org/x/exp v0.0.0-20191030013958-a1ab85dbe136/go.mod h1:JXzH8nQsPlswgeRAPE3MuO9GYsAcnJvJ4vnMwN/5qkY=
-golang.org/x/exp v0.0.0-20191129062945-2f5052295587/go.mod h1:2RIsYlXP63K8oxa1u096TMicItID8zy7Y6sNkU49FU4=
-golang.org/x/exp v0.0.0-20191227195350-da58074b4299/go.mod h1:2RIsYlXP63K8oxa1u096TMicItID8zy7Y6sNkU49FU4=
-golang.org/x/exp v0.0.0-20200119233911-0405dc783f0a/go.mod h1:2RIsYlXP63K8oxa1u096TMicItID8zy7Y6sNkU49FU4=
-golang.org/x/exp v0.0.0-20200207192155-f17229e696bd/go.mod h1:J/WKrq2StrnmMY6+EHIKF9dgMWnmCNThgcyBT1FY9mM=
-golang.org/x/exp v0.0.0-20200224162631-6cc2880d07d6/go.mod h1:3jZMyOhIsHpP37uCMkUooju7aAi5cS1Q23tOzKc+0MU=
-golang.org/x/image v0.0.0-20190227222117-0694c2d4d067/go.mod h1:kZ7UVZpmo3dzQBMxlp+ypCbDeSB+sBbTgSJuh5dn5js=
-golang.org/x/image v0.0.0-20190802002840-cff245a6509b/go.mod h1:FeLwcggjj3mMvU+oOTbSwawSJRM1uh48EjtB4UJZlP0=
-golang.org/x/lint v0.0.0-20181026193005-c67002cb31c3/go.mod h1:UVdnD1Gm6xHRNCYTkRU2/jEulfH38KcIWyp/GAMgvoE=
-golang.org/x/lint v0.0.0-20190227174305-5b3e6a55c961/go.mod h1:wehouNa3lNwaWXcvxsM5YxQ5yQlVC4a0KAMCusXpPoU=
-golang.org/x/lint v0.0.0-20190301231843-5614ed5bae6f/go.mod h1:UVdnD1Gm6xHRNCYTkRU2/jEulfH38KcIWyp/GAMgvoE=
-golang.org/x/lint v0.0.0-20190313153728-d0100b6bd8b3/go.mod h1:6SW0HCj/g11FgYtHlgUYUwCkIfeOF89ocIRzGO/8vkc=
-golang.org/x/lint v0.0.0-20190409202823-959b441ac422/go.mod h1:6SW0HCj/g11FgYtHlgUYUwCkIfeOF89ocIRzGO/8vkc=
-golang.org/x/lint v0.0.0-20190909230951-414d861bb4ac/go.mod h1:6SW0HCj/g11FgYtHlgUYUwCkIfeOF89ocIRzGO/8vkc=
-golang.org/x/lint v0.0.0-20190930215403-16217165b5de/go.mod h1:6SW0HCj/g11FgYtHlgUYUwCkIfeOF89ocIRzGO/8vkc=
-golang.org/x/lint v0.0.0-20191125180803-fdd1cda4f05f/go.mod h1:5qLYkcX4OjUUV8bRuDixDT3tpyyb+LUpUlRWLxfhWrs=
-golang.org/x/lint v0.0.0-20200130185559-910be7a94367/go.mod h1:3xt1FjdF8hUf6vQPIChWIBhFzV8gjjsPE/fR3IyQdNY=
-golang.org/x/lint v0.0.0-20200302205851-738671d3881b/go.mod h1:3xt1FjdF8hUf6vQPIChWIBhFzV8gjjsPE/fR3IyQdNY=
-golang.org/x/mobile v0.0.0-20190312151609-d3739f865fa6/go.mod h1:z+o9i4GpDbdi3rU15maQ/Ox0txvL9dWGYEHz965HBQE=
-golang.org/x/mobile v0.0.0-20190719004257-d2bd2a29d028/go.mod h1:E/iHnbuqvinMTCcRqshq8CkpyQDoeVncDDYHnLhea+o=
-golang.org/x/mod v0.0.0-20190513183733-4bf6d317e70e/go.mod h1:mXi4GBBbnImb6dmsKGUJ2LatrhH/nqhxcFungHvyanc=
-golang.org/x/mod v0.1.0/go.mod h1:0QHyrYULN0/3qlju5TqG8bIK38QM8yzMo5ekMj3DlcY=
-golang.org/x/mod v0.1.1-0.20191105210325-c90efee705ee/go.mod h1:QqPTAvyqsEbceGzBzNggFXnrqF1CaUcvgkdR5Ot7KZg=
-golang.org/x/mod v0.1.1-0.20191107180719-034126e5016b/go.mod h1:QqPTAvyqsEbceGzBzNggFXnrqF1CaUcvgkdR5Ot7KZg=
-golang.org/x/mod v0.2.0/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA=
-golang.org/x/mod v0.3.0/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA=
-golang.org/x/net v0.0.0-20180724234803-3673e40ba225/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4=
-golang.org/x/net v0.0.0-20180826012351-8a410e7b638d/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4=
-golang.org/x/net v0.0.0-20190108225652-1e06a53dbb7e/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4=
-golang.org/x/net v0.0.0-20190213061140-3a22650c66bd/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4=
-golang.org/x/net v0.0.0-20190311183353-d8887717615a/go.mod h1:t9HGtf8HONx5eT2rtn7q6eTqICYqUVnKs3thJo3Qplg=
-golang.org/x/net v0.0.0-20190404232315-eb5bcb51f2a3/go.mod h1:t9HGtf8HONx5eT2rtn7q6eTqICYqUVnKs3thJo3Qplg=
-golang.org/x/net v0.0.0-20190501004415-9ce7a6920f09/go.mod h1:t9HGtf8HONx5eT2rtn7q6eTqICYqUVnKs3thJo3Qplg=
-golang.org/x/net v0.0.0-20190503192946-f4e77d36d62c/go.mod h1:t9HGtf8HONx5eT2rtn7q6eTqICYqUVnKs3thJo3Qplg=
-golang.org/x/net v0.0.0-20190603091049-60506f45cf65/go.mod h1:HSz+uSET+XFnRR8LxR5pz3Of3rY3CfYBVs4xY44aLks=
-golang.org/x/net v0.0.0-20190620200207-3b0461eec859/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s=
-golang.org/x/net v0.0.0-20190628185345-da137c7871d7/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s=
-golang.org/x/net v0.0.0-20190724013045-ca1201d0de80/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s=
-golang.org/x/net v0.0.0-20191209160850-c0dbc17a3553/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s=
-golang.org/x/net v0.0.0-20200114155413-6afb5195e5aa/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s=
-golang.org/x/net v0.0.0-20200202094626-16171245cfb2/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s=
-golang.org/x/net v0.0.0-20200222125558-5a598a2470a0/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s=
-golang.org/x/net v0.0.0-20200226121028-0de0cce0169b/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s=
-golang.org/x/net v0.0.0-20200301022130-244492dfa37a/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s=
-golang.org/x/net v0.0.0-20200324143707-d3edc9973b7e/go.mod h1:qpuaurCH72eLCgpAm/N6yyVIVM9cpaDIP3A8BGJEC5A=
-golang.org/x/net v0.0.0-20200501053045-e0ff5e5a1de5/go.mod h1:qpuaurCH72eLCgpAm/N6yyVIVM9cpaDIP3A8BGJEC5A=
-golang.org/x/net v0.0.0-20200506145744-7e3656a0809f/go.mod h1:qpuaurCH72eLCgpAm/N6yyVIVM9cpaDIP3A8BGJEC5A=
-golang.org/x/net v0.0.0-20200513185701-a91f0712d120/go.mod h1:qpuaurCH72eLCgpAm/N6yyVIVM9cpaDIP3A8BGJEC5A=
-golang.org/x/net v0.0.0-20200520182314-0ba52f642ac2/go.mod h1:qpuaurCH72eLCgpAm/N6yyVIVM9cpaDIP3A8BGJEC5A=
-golang.org/x/net v0.0.0-20200625001655-4c5254603344/go.mod h1:/O7V0waA8r7cgGh81Ro3o1hOxt32SMVPicZroKQ2sZA=
-golang.org/x/net v0.0.0-20200707034311-ab3426394381/go.mod h1:/O7V0waA8r7cgGh81Ro3o1hOxt32SMVPicZroKQ2sZA=
-golang.org/x/net v0.0.0-20200822124328-c89045814202/go.mod h1:/O7V0waA8r7cgGh81Ro3o1hOxt32SMVPicZroKQ2sZA=
-golang.org/x/net v0.0.0-20200927032502-5d4f70055728/go.mod h1:/O7V0waA8r7cgGh81Ro3o1hOxt32SMVPicZroKQ2sZA=
-golang.org/x/net v0.0.0-20211112202133-69e39bad7dc2/go.mod h1:9nx3DQGgdP8bBQD5qxJ1jj9UTztislL4KSBs9R2vV5Y=
-golang.org/x/net v0.7.0 h1:rJrUqqhjsgNp7KqAIc25s9pZnjU7TUcSY7HcVZjdn1g=
-golang.org/x/net v0.7.0/go.mod h1:2Tu9+aMcznHK/AK1HMvgo6xiTLG5rD5rZLDS+rp2Bjs=
-golang.org/x/oauth2 v0.0.0-20180821212333-d2e6202438be/go.mod h1:N/0e6XlmueqKjAGxoOufVs8QHGRruUQn6yWY3a++T0U=
-golang.org/x/oauth2 v0.0.0-20190226205417-e64efc72b421/go.mod h1:gOpvHmFTYa4IltrdGE7lF6nIHvwfUNPOp7c8zoXwtLw=
-golang.org/x/oauth2 v0.0.0-20190604053449-0f29369cfe45/go.mod h1:gOpvHmFTYa4IltrdGE7lF6nIHvwfUNPOp7c8zoXwtLw=
-golang.org/x/oauth2 v0.0.0-20191202225959-858c2ad4c8b6/go.mod h1:gOpvHmFTYa4IltrdGE7lF6nIHvwfUNPOp7c8zoXwtLw=
-golang.org/x/oauth2 v0.0.0-20200107190931-bf48bf16ab8d/go.mod h1:gOpvHmFTYa4IltrdGE7lF6nIHvwfUNPOp7c8zoXwtLw=
-golang.org/x/oauth2 v0.0.0-20200902213428-5d25da1a8d43 h1:ld7aEMNHoBnnDAX15v1T6z31v8HwR2A9FYOuAhWqkwc=
-golang.org/x/oauth2 v0.0.0-20200902213428-5d25da1a8d43/go.mod h1:KelEdhl1UZF7XfJ4dDtk6s++YSgaE7mD/BuKKDLBl4A=
-golang.org/x/sync v0.0.0-20180314180146-1d60e4601c6f/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
-golang.org/x/sync v0.0.0-20181108010431-42b317875d0f/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
-golang.org/x/sync v0.0.0-20181221193216-37e7f081c4d4/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
-golang.org/x/sync v0.0.0-20190227155943-e225da77a7e6/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
-golang.org/x/sync v0.0.0-20190423024810-112230192c58/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
-golang.org/x/sync v0.0.0-20190911185100-cd5d95a43a6e/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
-golang.org/x/sync v0.0.0-20200317015054-43a5402ce75a/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
-golang.org/x/sync v0.0.0-20200625203802-6e8e738ad208/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
-golang.org/x/sys v0.0.0-20180830151530-49385e6e1522/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
-golang.org/x/sys v0.0.0-20190215142949-d0b11bdaac8a/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
-golang.org/x/sys v0.0.0-20190312061237-fead79001313/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
-golang.org/x/sys v0.0.0-20190412213103-97732733099d/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
-golang.org/x/sys v0.0.0-20190502145724-3ef323f4f1fd/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
-golang.org/x/sys v0.0.0-20190507160741-ecd444e8653b/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
-golang.org/x/sys v0.0.0-20190606165138-5da285871e9c/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
-golang.org/x/sys v0.0.0-20190624142023-c5567b49c5d0/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
-golang.org/x/sys v0.0.0-20190726091711-fc99dfbffb4e/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
-golang.org/x/sys v0.0.0-20191001151750-bb3f8db39f24/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
-golang.org/x/sys v0.0.0-20191204072324-ce4227a45e2e/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
-golang.org/x/sys v0.0.0-20191228213918-04cbcbbfeed8/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
-golang.org/x/sys v0.0.0-20200113162924-86b910548bc1/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
-golang.org/x/sys v0.0.0-20200122134326-e047566fdf82/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
-golang.org/x/sys v0.0.0-20200202164722-d101bd2416d5/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
-golang.org/x/sys v0.0.0-20200212091648-12a6c2dcc1e4/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
-golang.org/x/sys v0.0.0-20200223170610-d5e6a3e2c0ae/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
-golang.org/x/sys v0.0.0-20200302150141-5c8b2ff67527/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
-golang.org/x/sys v0.0.0-20200323222414-85ca7c5b95cd/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
-golang.org/x/sys v0.0.0-20200331124033-c3d80250170d/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
-golang.org/x/sys v0.0.0-20200501052902-10377860bb8e/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
-golang.org/x/sys v0.0.0-20200511232937-7e40ca221e25/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
-golang.org/x/sys v0.0.0-20200515095857-1151b9dac4a9/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
-golang.org/x/sys v0.0.0-20200523222454-059865788121/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
-golang.org/x/sys v0.0.0-20200803210538-64077c9b5642/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
-golang.org/x/sys v0.0.0-20200905004654-be1d3432aa8f/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
-golang.org/x/sys v0.0.0-20201119102817-f84b799fce68/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
-golang.org/x/sys v0.0.0-20210423082822-04245dca01da/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
-golang.org/x/sys v0.0.0-20210615035016-665e8c7367d1/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
-golang.org/x/sys v0.0.0-20210630005230-0f9fa26af87c/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
-golang.org/x/sys v0.0.0-20210806184541-e5e7981a1069/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
-golang.org/x/sys v0.0.0-20210927094055-39ccf1dd6fa6/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
-golang.org/x/sys v0.0.0-20211103235746-7861aae1554b/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
+github.com/x448/float16 v0.8.4 h1:qLwI1I70+NjRFUR3zs1JPUCgaCXSh3SW62uAKT1mSBM=
+github.com/x448/float16 v0.8.4/go.mod h1:14CWIYCyZA/cWjXOioeEpHeN/83MdbZDRQHoFcYsOfg=
+github.com/xrash/smetrics v0.0.0-20250705151800-55b8f293f342 h1:FnBeRrxr7OU4VvAzt5X7s6266i6cSVkkFPS0TuXWbIg=
+github.com/xrash/smetrics v0.0.0-20250705151800-55b8f293f342/go.mod h1:Ohn+xnUBiLI6FVj/9LpzZWtj1/D6lUovWYBkxHVV3aM=
+github.com/xyproto/randomstring v1.0.5 h1:YtlWPoRdgMu3NZtP45drfy1GKoojuR7hmRcnhZqKjWU=
+github.com/xyproto/randomstring v1.0.5/go.mod h1:rgmS5DeNXLivK7YprL0pY+lTuhNQW3iGxZ18UQApw/E=
+github.com/yuin/goldmark v1.4.15/go.mod h1:6yULJ656Px+3vBD8DxQVa3kxgyrAnzto9xy5taEt/CY=
+github.com/yuin/goldmark v1.7.16 h1:n+CJdUxaFMiDUNnWC3dMWCIQJSkxH4uz3ZwQBkAlVNE=
+github.com/yuin/goldmark v1.7.16/go.mod h1:ip/1k0VRfGynBgxOz0yCqHrbZXhcjxyuS66Brc7iBKg=
+github.com/yuin/goldmark-emoji v1.0.6 h1:QWfF2FYaXwL74tfGOW5izeiZepUDroDJfWubQI9HTHs=
+github.com/yuin/goldmark-emoji v1.0.6/go.mod h1:ukxJDKFpdFb5x0a5HqbdlcKtebh086iJpI31LTKmWuA=
+github.com/yuin/goldmark-highlighting/v2 v2.0.0-20230729083705-37449abec8cc h1:+IAOyRda+RLrxa1WC7umKOZRsGq4QrFFMYApOeHzQwQ=
+github.com/yuin/goldmark-highlighting/v2 v2.0.0-20230729083705-37449abec8cc/go.mod h1:ovIvrum6DQJA4QsJSovrkC4saKHQVs7TvcaeO8AIl5I=
+go.abhg.dev/goldmark/mermaid v0.6.0 h1:VvkYFWuOjD6cmSBVJpLAtzpVCGM1h0B7/DQ9IzERwzY=
+go.abhg.dev/goldmark/mermaid v0.6.0/go.mod h1:uMc+PcnIH2NVL7zjH10Q1wr7hL3+4n4jUMifhyBYB9I=
+go.etcd.io/bbolt v1.4.3 h1:dEadXpI6G79deX5prL3QRNP6JB8UxVkqo4UPnHaNXJo=
+go.etcd.io/bbolt v1.4.3/go.mod h1:tKQlpPaYCVFctUIgFKFnAlvbmB3tpy1vkTnDWohtc0E=
+go.uber.org/goleak v1.3.0 h1:2K3zAYmnTNqV73imy9J1T3WC+gmCePx2hEGkimedGto=
+go.uber.org/goleak v1.3.0/go.mod h1:CoHD4mav9JJNrW/WLlf7HGZPjdw8EucARQHekz1X6bE=
+go.uber.org/mock v0.6.0 h1:hyF9dfmbgIX5EfOdasqLsWD6xqpNZlXblLB/Dbnwv3Y=
+go.uber.org/mock v0.6.0/go.mod h1:KiVJ4BqZJaMj4svdfmHM0AUx4NJYO8ZNpPnZn1Z+BBU=
+go.yaml.in/yaml/v2 v2.4.3 h1:6gvOSjQoTB3vt1l+CU+tSyi/HOjfOjRLJ4YwYZGwRO0=
+go.yaml.in/yaml/v2 v2.4.3/go.mod h1:zSxWcmIDjOzPXpjlTTbAsKokqkDNAVtZO0WOMiT90s8=
+golang.org/x/crypto v0.47.0 h1:V6e3FRj+n4dbpw86FJ8Fv7XVOql7TEwpHapKoMJ/GO8=
+golang.org/x/crypto v0.47.0/go.mod h1:ff3Y9VzzKbwSSEzWqJsJVBnWmRwRSHt/6Op5n9bQc4A=
+golang.org/x/exp v0.0.0-20260112195511-716be5621a96 h1:Z/6YuSHTLOHfNFdb8zVZomZr7cqNgTJvA8+Qz75D8gU=
+golang.org/x/exp v0.0.0-20260112195511-716be5621a96/go.mod h1:nzimsREAkjBCIEFtHiYkrJyT+2uy9YZJB7H1k68CXZU=
+golang.org/x/mod v0.32.0 h1:9F4d3PHLljb6x//jOyokMv3eX+YDeepZSEo3mFJy93c=
+golang.org/x/mod v0.32.0/go.mod h1:SgipZ/3h2Ci89DlEtEXWUk/HteuRin+HHhN+WbNhguU=
+golang.org/x/net v0.49.0 h1:eeHFmOGUTtaaPSGNmjBKpbng9MulQsJURQUAfUwY++o=
+golang.org/x/net v0.49.0/go.mod h1:/ysNB2EvaqvesRkuLAyjI1ycPZlQHM3q01F02UY/MV8=
+golang.org/x/oauth2 v0.34.0 h1:hqK/t4AKgbqWkdkcAeI8XLmbK+4m4G5YeQRrmiotGlw=
+golang.org/x/oauth2 v0.34.0/go.mod h1:lzm5WQJQwKZ3nwavOZ3IS5Aulzxi68dUSgRHujetwEA=
+golang.org/x/sync v0.19.0 h1:vV+1eWNmZ5geRlYjzm2adRgW2/mcpevXNg50YZtPCE4=
+golang.org/x/sync v0.19.0/go.mod h1:9KTHXmSnoGruLpwFjVSX0lNNA75CykiMECbovNTZqGI=
 golang.org/x/sys v0.0.0-20220811171246-fbc7d0a398ab/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
-golang.org/x/sys v0.5.0 h1:MUK/U/4lj1t1oPg0HfuXDN/Z1wv31ZJ/YcPiGccS4DU=
-golang.org/x/sys v0.5.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
-golang.org/x/term v0.0.0-20201126162022-7de9c90e9dd1/go.mod h1:bj7SfCRtBDWHUb9snDiAeCFNEtKQo2Wmx5Cou7ajbmo=
-golang.org/x/term v0.5.0 h1:n2a8QNdAb0sZNpU9R1ALUXBbY+w51fCQDN+7EdxNBsY=
-golang.org/x/text v0.0.0-20170915032832-14c0d48ead0c/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=
-golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=
-golang.org/x/text v0.3.1-0.20180807135948-17ff2d5776d2/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=
-golang.org/x/text v0.3.2/go.mod h1:bEr9sfX3Q8Zfm5fL9x+3itogRgK3+ptLWKqgva+5dAk=
-golang.org/x/text v0.3.3/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ=
-golang.org/x/text v0.3.6/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ=
-golang.org/x/text v0.3.7/go.mod h1:u+2+/6zg+i71rQMx5EYifcz6MCKuco9NR6JIITiCfzQ=
-golang.org/x/text v0.7.0 h1:4BRB4x83lYWy72KwLD/qYDuTu7q9PjSagHvijDw7cLo=
-golang.org/x/text v0.7.0/go.mod h1:mrYo+phRRbMaCq/xk9113O4dZlRixOauAjOtrjsXDZ8=
-golang.org/x/time v0.0.0-20181108054448-85acf8d2951c/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ=
-golang.org/x/time v0.0.0-20190308202827-9d24e82272b4/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ=
-golang.org/x/time v0.0.0-20191024005414-555d28b269f0/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ=
-golang.org/x/time v0.2.0 h1:52I/1L54xyEQAYdtcSuxtiT84KGYTBGXwayxmIpNJhE=
-golang.org/x/time v0.2.0/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ=
-golang.org/x/tools v0.0.0-20180917221912-90fa682c2a6e/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ=
-golang.org/x/tools v0.0.0-20190114222345-bf090417da8b/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ=
-golang.org/x/tools v0.0.0-20190226205152-f727befe758c/go.mod h1:9Yl7xja0Znq3iFh3HoIrodX9oNMXvdceNzlUR8zjMvY=
-golang.org/x/tools v0.0.0-20190311212946-11955173bddd/go.mod h1:LCzVGOaR6xXOjkQ3onu1FJEFr0SW1gC7cKk1uF8kGRs=
-golang.org/x/tools v0.0.0-20190312151545-0bb0c0a6e846/go.mod h1:LCzVGOaR6xXOjkQ3onu1FJEFr0SW1gC7cKk1uF8kGRs=
-golang.org/x/tools v0.0.0-20190312170243-e65039ee4138/go.mod h1:LCzVGOaR6xXOjkQ3onu1FJEFr0SW1gC7cKk1uF8kGRs=
-golang.org/x/tools v0.0.0-20190425150028-36563e24a262/go.mod h1:RgjU9mgBXZiqYHBnxXauZ1Gv1EHHAz9KjViQ78xBX0Q=
-golang.org/x/tools v0.0.0-20190506145303-2d16b83fe98c/go.mod h1:RgjU9mgBXZiqYHBnxXauZ1Gv1EHHAz9KjViQ78xBX0Q=
-golang.org/x/tools v0.0.0-20190524140312-2c0ae7006135/go.mod h1:RgjU9mgBXZiqYHBnxXauZ1Gv1EHHAz9KjViQ78xBX0Q=
-golang.org/x/tools v0.0.0-20190606124116-d0a3d012864b/go.mod h1:/rFqwRUd4F7ZHNgwSSTFct+R/Kf4OFW1sUzUTQQTgfc=
-golang.org/x/tools v0.0.0-20190621195816-6e04913cbbac/go.mod h1:/rFqwRUd4F7ZHNgwSSTFct+R/Kf4OFW1sUzUTQQTgfc=
-golang.org/x/tools v0.0.0-20190628153133-6cdbf07be9d0/go.mod h1:/rFqwRUd4F7ZHNgwSSTFct+R/Kf4OFW1sUzUTQQTgfc=
-golang.org/x/tools v0.0.0-20190816200558-6889da9d5479/go.mod h1:b+2E5dAYhXwXZwtnZ6UAqBI28+e2cm9otk0dWdXHAEo=
-golang.org/x/tools v0.0.0-20190911174233-4f2ddba30aff/go.mod h1:b+2E5dAYhXwXZwtnZ6UAqBI28+e2cm9otk0dWdXHAEo=
-golang.org/x/tools v0.0.0-20191012152004-8de300cfc20a/go.mod h1:b+2E5dAYhXwXZwtnZ6UAqBI28+e2cm9otk0dWdXHAEo=
-golang.org/x/tools v0.0.0-20191113191852-77e3bb0ad9e7/go.mod h1:b+2E5dAYhXwXZwtnZ6UAqBI28+e2cm9otk0dWdXHAEo=
-golang.org/x/tools v0.0.0-20191115202509-3a792d9c32b2/go.mod h1:b+2E5dAYhXwXZwtnZ6UAqBI28+e2cm9otk0dWdXHAEo=
-golang.org/x/tools v0.0.0-20191119224855-298f0cb1881e/go.mod h1:b+2E5dAYhXwXZwtnZ6UAqBI28+e2cm9otk0dWdXHAEo=
-golang.org/x/tools v0.0.0-20191125144606-a911d9008d1f/go.mod h1:b+2E5dAYhXwXZwtnZ6UAqBI28+e2cm9otk0dWdXHAEo=
-golang.org/x/tools v0.0.0-20191130070609-6e064ea0cf2d/go.mod h1:b+2E5dAYhXwXZwtnZ6UAqBI28+e2cm9otk0dWdXHAEo=
-golang.org/x/tools v0.0.0-20191216173652-a0e659d51361/go.mod h1:TB2adYChydJhpapKDTa4BR/hXlZSLoq2Wpct/0txZ28=
-golang.org/x/tools v0.0.0-20191227053925-7b8e75db28f4/go.mod h1:TB2adYChydJhpapKDTa4BR/hXlZSLoq2Wpct/0txZ28=
-golang.org/x/tools v0.0.0-20200117161641-43d50277825c/go.mod h1:TB2adYChydJhpapKDTa4BR/hXlZSLoq2Wpct/0txZ28=
-golang.org/x/tools v0.0.0-20200122220014-bf1340f18c4a/go.mod h1:TB2adYChydJhpapKDTa4BR/hXlZSLoq2Wpct/0txZ28=
-golang.org/x/tools v0.0.0-20200130002326-2f3ba24bd6e7/go.mod h1:TB2adYChydJhpapKDTa4BR/hXlZSLoq2Wpct/0txZ28=
-golang.org/x/tools v0.0.0-20200204074204-1cc6d1ef6c74/go.mod h1:TB2adYChydJhpapKDTa4BR/hXlZSLoq2Wpct/0txZ28=
-golang.org/x/tools v0.0.0-20200207183749-b753a1ba74fa/go.mod h1:TB2adYChydJhpapKDTa4BR/hXlZSLoq2Wpct/0txZ28=
-golang.org/x/tools v0.0.0-20200212150539-ea181f53ac56/go.mod h1:TB2adYChydJhpapKDTa4BR/hXlZSLoq2Wpct/0txZ28=
-golang.org/x/tools v0.0.0-20200224181240-023911ca70b2/go.mod h1:TB2adYChydJhpapKDTa4BR/hXlZSLoq2Wpct/0txZ28=
-golang.org/x/tools v0.0.0-20200227222343-706bc42d1f0d/go.mod h1:TB2adYChydJhpapKDTa4BR/hXlZSLoq2Wpct/0txZ28=
-golang.org/x/tools v0.0.0-20200304193943-95d2e580d8eb/go.mod h1:o4KQGtdN14AW+yjsvvwRTJJuXz8XRtIHtEnmAXLyFUw=
-golang.org/x/tools v0.0.0-20200312045724-11d5b4c81c7d/go.mod h1:o4KQGtdN14AW+yjsvvwRTJJuXz8XRtIHtEnmAXLyFUw=
-golang.org/x/tools v0.0.0-20200331025713-a30bf2db82d4/go.mod h1:Sl4aGygMT6LrqrWclx+PTx3U+LnKx/seiNR+3G19Ar8=
-golang.org/x/tools v0.0.0-20200501065659-ab2804fb9c9d/go.mod h1:EkVYQZoAsY45+roYkvgYkIh4xh/qjgUK9TdY2XT94GE=
-golang.org/x/tools v0.0.0-20200512131952-2bc93b1c0c88/go.mod h1:EkVYQZoAsY45+roYkvgYkIh4xh/qjgUK9TdY2XT94GE=
-golang.org/x/tools v0.0.0-20200515010526-7d3b6ebf133d/go.mod h1:EkVYQZoAsY45+roYkvgYkIh4xh/qjgUK9TdY2XT94GE=
-golang.org/x/tools v0.0.0-20200618134242-20370b0cb4b2/go.mod h1:EkVYQZoAsY45+roYkvgYkIh4xh/qjgUK9TdY2XT94GE=
-golang.org/x/tools v0.0.0-20200729194436-6467de6f59a7/go.mod h1:njjCfa9FT2d7l9Bc6FUM5FLjQPp3cFF28FI3qnDFljA=
-golang.org/x/tools v0.0.0-20200804011535-6c149bb5ef0d/go.mod h1:njjCfa9FT2d7l9Bc6FUM5FLjQPp3cFF28FI3qnDFljA=
-golang.org/x/tools v0.0.0-20200825202427-b303f430e36d/go.mod h1:njjCfa9FT2d7l9Bc6FUM5FLjQPp3cFF28FI3qnDFljA=
-golang.org/x/tools v0.0.0-20200904185747-39188db58858/go.mod h1:Cj7w3i3Rnn0Xh82ur9kSqwfTHTeVxaDqrfMjpcNT6bE=
-golang.org/x/tools v0.0.0-20200929161345-d7fc70abf50f/go.mod h1:z6u4i615ZeAfBE4XtMziQW1fSVJXACjjbWkB/mvPzlU=
-golang.org/x/xerrors v0.0.0-20190717185122-a985d3407aa7/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
-golang.org/x/xerrors v0.0.0-20191011141410-1b5146add898/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
-golang.org/x/xerrors v0.0.0-20191204190536-9bdfabe68543/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
-golang.org/x/xerrors v0.0.0-20200804184101-5ec99f83aff1 h1:go1bK/D/BFZV2I8cIQd1NKEZ+0owSTG1fDTci4IqFcE=
-golang.org/x/xerrors v0.0.0-20200804184101-5ec99f83aff1/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
-google.golang.org/api v0.4.0/go.mod h1:8k5glujaEP+g9n7WNsDg8QP6cUVNI86fCNMcbazEtwE=
-google.golang.org/api v0.7.0/go.mod h1:WtwebWUNSVBH/HAw79HIFXZNqEvBhG+Ra+ax0hx3E3M=
-google.golang.org/api v0.8.0/go.mod h1:o4eAsZoiT+ibD93RtjEohWalFOjRDx6CVaqeizhEnKg=
-google.golang.org/api v0.9.0/go.mod h1:o4eAsZoiT+ibD93RtjEohWalFOjRDx6CVaqeizhEnKg=
-google.golang.org/api v0.13.0/go.mod h1:iLdEw5Ide6rF15KTC1Kkl0iskquN2gFfn9o9XIsbkAI=
-google.golang.org/api v0.14.0/go.mod h1:iLdEw5Ide6rF15KTC1Kkl0iskquN2gFfn9o9XIsbkAI=
-google.golang.org/api v0.15.0/go.mod h1:iLdEw5Ide6rF15KTC1Kkl0iskquN2gFfn9o9XIsbkAI=
-google.golang.org/api v0.17.0/go.mod h1:BwFmGc8tA3vsd7r/7kR8DY7iEEGSU04BFxCo5jP/sfE=
-google.golang.org/api v0.18.0/go.mod h1:BwFmGc8tA3vsd7r/7kR8DY7iEEGSU04BFxCo5jP/sfE=
-google.golang.org/api v0.19.0/go.mod h1:BwFmGc8tA3vsd7r/7kR8DY7iEEGSU04BFxCo5jP/sfE=
-google.golang.org/api v0.20.0/go.mod h1:BwFmGc8tA3vsd7r/7kR8DY7iEEGSU04BFxCo5jP/sfE=
-google.golang.org/api v0.22.0/go.mod h1:BwFmGc8tA3vsd7r/7kR8DY7iEEGSU04BFxCo5jP/sfE=
-google.golang.org/api v0.24.0/go.mod h1:lIXQywCXRcnZPGlsd8NbLnOjtAoL6em04bJ9+z0MncE=
-google.golang.org/api v0.28.0/go.mod h1:lIXQywCXRcnZPGlsd8NbLnOjtAoL6em04bJ9+z0MncE=
-google.golang.org/api v0.29.0/go.mod h1:Lcubydp8VUV7KeIHD9z2Bys/sm/vGKnG1UHuDBSrHWM=
-google.golang.org/api v0.30.0/go.mod h1:QGmEvQ87FHZNiUVJkT14jQNYJ4ZJjdRF23ZXz5138Fc=
-google.golang.org/api v0.32.0/go.mod h1:/XrVsuzM0rZmrsbjJutiuftIzeuTQcEeaYcSk/mQ1dg=
-google.golang.org/appengine v1.1.0/go.mod h1:EbEs0AVv82hx2wNQdGPgUI5lhzA/G0D9YwlJXL52JkM=
-google.golang.org/appengine v1.4.0/go.mod h1:xpcJRLb0r/rnEns0DIKYYv+WjYCduHsrkT7/EB5XEv4=
-google.golang.org/appengine v1.5.0/go.mod h1:xpcJRLb0r/rnEns0DIKYYv+WjYCduHsrkT7/EB5XEv4=
-google.golang.org/appengine v1.6.1/go.mod h1:i06prIuMbXzDqacNJfV5OdTW448YApPu5ww/cMBSeb0=
-google.golang.org/appengine v1.6.5/go.mod h1:8WjMMxjGQR8xUklV/ARdw2HLXBOI7O7uCIDZVag1xfc=
-google.golang.org/appengine v1.6.6 h1:lMO5rYAqUxkmaj76jAkRUvt5JZgFymx/+Q5Mzfivuhc=
-google.golang.org/appengine v1.6.6/go.mod h1:8WjMMxjGQR8xUklV/ARdw2HLXBOI7O7uCIDZVag1xfc=
-google.golang.org/genproto v0.0.0-20180817151627-c66870c02cf8/go.mod h1:JiN7NxoALGmiZfu7CAH4rXhgtRTLTxftemlI0sWmxmc=
-google.golang.org/genproto v0.0.0-20190307195333-5fe7a883aa19/go.mod h1:VzzqZJRnGkLBvHegQrXjBqPurQTc5/KpmUdxsrq26oE=
-google.golang.org/genproto v0.0.0-20190418145605-e7d98fc518a7/go.mod h1:VzzqZJRnGkLBvHegQrXjBqPurQTc5/KpmUdxsrq26oE=
-google.golang.org/genproto v0.0.0-20190425155659-357c62f0e4bb/go.mod h1:VzzqZJRnGkLBvHegQrXjBqPurQTc5/KpmUdxsrq26oE=
-google.golang.org/genproto v0.0.0-20190502173448-54afdca5d873/go.mod h1:VzzqZJRnGkLBvHegQrXjBqPurQTc5/KpmUdxsrq26oE=
-google.golang.org/genproto v0.0.0-20190801165951-fa694d86fc64/go.mod h1:DMBHOl98Agz4BDEuKkezgsaosCRResVns1a3J2ZsMNc=
-google.golang.org/genproto v0.0.0-20190819201941-24fa4b261c55/go.mod h1:DMBHOl98Agz4BDEuKkezgsaosCRResVns1a3J2ZsMNc=
-google.golang.org/genproto v0.0.0-20190911173649-1774047e7e51/go.mod h1:IbNlFCBrqXvoKpeg0TB2l7cyZUmoaFKYIwrEpbDKLA8=
-google.golang.org/genproto v0.0.0-20191108220845-16a3f7862a1a/go.mod h1:n3cpQtvxv34hfy77yVDNjmbRyujviMdxYliBSkLhpCc=
-google.golang.org/genproto v0.0.0-20191115194625-c23dd37a84c9/go.mod h1:n3cpQtvxv34hfy77yVDNjmbRyujviMdxYliBSkLhpCc=
-google.golang.org/genproto v0.0.0-20191216164720-4f79533eabd1/go.mod h1:n3cpQtvxv34hfy77yVDNjmbRyujviMdxYliBSkLhpCc=
-google.golang.org/genproto v0.0.0-20191230161307-f3c370f40bfb/go.mod h1:n3cpQtvxv34hfy77yVDNjmbRyujviMdxYliBSkLhpCc=
-google.golang.org/genproto v0.0.0-20200115191322-ca5a22157cba/go.mod h1:n3cpQtvxv34hfy77yVDNjmbRyujviMdxYliBSkLhpCc=
-google.golang.org/genproto v0.0.0-20200122232147-0452cf42e150/go.mod h1:n3cpQtvxv34hfy77yVDNjmbRyujviMdxYliBSkLhpCc=
-google.golang.org/genproto v0.0.0-20200204135345-fa8e72b47b90/go.mod h1:GmwEX6Z4W5gMy59cAlVYjN9JhxgbQH6Gn+gFDQe2lzA=
-google.golang.org/genproto v0.0.0-20200212174721-66ed5ce911ce/go.mod h1:55QSHmfGQM9UVYDPBsyGGes0y52j32PQ3BqQfXhyH3c=
-google.golang.org/genproto v0.0.0-20200224152610-e50cd9704f63/go.mod h1:55QSHmfGQM9UVYDPBsyGGes0y52j32PQ3BqQfXhyH3c=
-google.golang.org/genproto v0.0.0-20200228133532-8c2c7df3a383/go.mod h1:55QSHmfGQM9UVYDPBsyGGes0y52j32PQ3BqQfXhyH3c=
-google.golang.org/genproto v0.0.0-20200305110556-506484158171/go.mod h1:55QSHmfGQM9UVYDPBsyGGes0y52j32PQ3BqQfXhyH3c=
-google.golang.org/genproto v0.0.0-20200312145019-da6875a35672/go.mod h1:55QSHmfGQM9UVYDPBsyGGes0y52j32PQ3BqQfXhyH3c=
-google.golang.org/genproto v0.0.0-20200331122359-1ee6d9798940/go.mod h1:55QSHmfGQM9UVYDPBsyGGes0y52j32PQ3BqQfXhyH3c=
-google.golang.org/genproto v0.0.0-20200430143042-b979b6f78d84/go.mod h1:55QSHmfGQM9UVYDPBsyGGes0y52j32PQ3BqQfXhyH3c=
-google.golang.org/genproto v0.0.0-20200511104702-f5ebc3bea380/go.mod h1:55QSHmfGQM9UVYDPBsyGGes0y52j32PQ3BqQfXhyH3c=
-google.golang.org/genproto v0.0.0-20200515170657-fc4c6c6a6587/go.mod h1:YsZOwe1myG/8QRHRsmBRE1LrgQY60beZKjly0O1fX9U=
-google.golang.org/genproto v0.0.0-20200526211855-cb27e3aa2013/go.mod h1:NbSheEEYHJ7i3ixzK3sjbqSGDJWnxyFXZblF3eUsNvo=
-google.golang.org/genproto v0.0.0-20200618031413-b414f8b61790/go.mod h1:jDfRM7FcilCzHH/e9qn6dsT145K34l5v+OpcnNgKAAA=
-google.golang.org/genproto v0.0.0-20200729003335-053ba62fc06f/go.mod h1:FWY/as6DDZQgahTzZj3fqbO1CbirC29ZNUFHwi0/+no=
-google.golang.org/genproto v0.0.0-20200804131852-c06518451d9c/go.mod h1:FWY/as6DDZQgahTzZj3fqbO1CbirC29ZNUFHwi0/+no=
-google.golang.org/genproto v0.0.0-20200825200019-8632dd797987/go.mod h1:FWY/as6DDZQgahTzZj3fqbO1CbirC29ZNUFHwi0/+no=
-google.golang.org/genproto v0.0.0-20200904004341-0bd0a958aa1d/go.mod h1:FWY/as6DDZQgahTzZj3fqbO1CbirC29ZNUFHwi0/+no=
-google.golang.org/genproto v0.0.0-20200929141702-51c3e5b607fe/go.mod h1:FWY/as6DDZQgahTzZj3fqbO1CbirC29ZNUFHwi0/+no=
-google.golang.org/grpc v1.19.0/go.mod h1:mqu4LbDTu4XGKhr4mRzUsmM4RtVoemTSY81AxZiDr8c=
-google.golang.org/grpc v1.20.1/go.mod h1:10oTOabMzJvdu6/UiuZezV6QK5dSlG84ov/aaiqXj38=
-google.golang.org/grpc v1.21.1/go.mod h1:oYelfM1adQP15Ek0mdvEgi9Df8B9CZIaU1084ijfRaM=
-google.golang.org/grpc v1.23.0/go.mod h1:Y5yQAOtifL1yxbo5wqy6BxZv8vAUGQwXBOALyacEbxg=
-google.golang.org/grpc v1.25.1/go.mod h1:c3i+UQWmh7LiEpx4sFZnkU36qjEYZ0imhYfXVyQciAY=
-google.golang.org/grpc v1.26.0/go.mod h1:qbnxyOmOxrQa7FizSgH+ReBfzJrCY1pSN7KXBS8abTk=
-google.golang.org/grpc v1.27.0/go.mod h1:qbnxyOmOxrQa7FizSgH+ReBfzJrCY1pSN7KXBS8abTk=
-google.golang.org/grpc v1.27.1/go.mod h1:qbnxyOmOxrQa7FizSgH+ReBfzJrCY1pSN7KXBS8abTk=
-google.golang.org/grpc v1.28.0/go.mod h1:rpkK4SK4GF4Ach/+MFLZUBavHOvF2JJB5uozKKal+60=
-google.golang.org/grpc v1.29.1/go.mod h1:itym6AZVZYACWQqET3MqgPpjcuV5QH3BxFS3IjizoKk=
-google.golang.org/grpc v1.30.0/go.mod h1:N36X2cJ7JwdamYAgDz+s+rVMFjt3numwzf/HckM8pak=
-google.golang.org/grpc v1.31.0/go.mod h1:N36X2cJ7JwdamYAgDz+s+rVMFjt3numwzf/HckM8pak=
-google.golang.org/grpc v1.31.1/go.mod h1:N36X2cJ7JwdamYAgDz+s+rVMFjt3numwzf/HckM8pak=
-google.golang.org/grpc v1.32.0/go.mod h1:N36X2cJ7JwdamYAgDz+s+rVMFjt3numwzf/HckM8pak=
-google.golang.org/protobuf v0.0.0-20200109180630-ec00e32a8dfd/go.mod h1:DFci5gLYBciE7Vtevhsrf46CRTquxDuWsQurQQe4oz8=
-google.golang.org/protobuf v0.0.0-20200221191635-4d8936d0db64/go.mod h1:kwYJMbMJ01Woi6D6+Kah6886xMZcty6N08ah7+eCXa0=
-google.golang.org/protobuf v0.0.0-20200228230310-ab0ca4ff8a60/go.mod h1:cfTl7dwQJ+fmap5saPgwCLgHXTUD7jkjRqWcaiX5VyM=
-google.golang.org/protobuf v1.20.1-0.20200309200217-e05f789c0967/go.mod h1:A+miEFZTKqfCUM6K7xSMQL9OKL/b6hQv+e19PK+JZNE=
-google.golang.org/protobuf v1.21.0/go.mod h1:47Nbq4nVaFHyn7ilMalzfO3qCViNmqZ2kzikPIcrTAo=
-google.golang.org/protobuf v1.22.0/go.mod h1:EGpADcykh3NcUnDUJcl1+ZksZNG86OlYog2l/sGQquU=
-google.golang.org/protobuf v1.23.0/go.mod h1:EGpADcykh3NcUnDUJcl1+ZksZNG86OlYog2l/sGQquU=
-google.golang.org/protobuf v1.23.1-0.20200526195155-81db48ad09cc/go.mod h1:EGpADcykh3NcUnDUJcl1+ZksZNG86OlYog2l/sGQquU=
-google.golang.org/protobuf v1.24.0/go.mod h1:r/3tXBNzIEhYS9I1OUVjXDlt8tc493IdKGjtUeSXeh4=
-google.golang.org/protobuf v1.25.0 h1:Ejskq+SyPohKW+1uil0JJMtmHCgJPJ/qWTxr8qp+R4c=
-google.golang.org/protobuf v1.25.0/go.mod h1:9JNX74DMeImyA3h4bdi1ymwjUzf21/xIlbajtzgsN7c=
+golang.org/x/sys v0.6.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
+golang.org/x/sys v0.12.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
+golang.org/x/sys v0.40.0 h1:DBZZqJ2Rkml6QMQsZywtnjnnGvHza6BTfYFWY9kjEWQ=
+golang.org/x/sys v0.40.0/go.mod h1:OgkHotnGiDImocRcuBABYBEXf8A9a87e/uXjp9XT3ks=
+golang.org/x/term v0.39.0 h1:RclSuaJf32jOqZz74CkPA9qFuVTX7vhLlpfj/IGWlqY=
+golang.org/x/term v0.39.0/go.mod h1:yxzUCTP/U+FzoxfdKmLaA0RV1WgE0VY7hXBwKtY/4ww=
+golang.org/x/text v0.33.0 h1:B3njUFyqtHDUI5jMn1YIr5B0IE2U0qck04r6d4KPAxE=
+golang.org/x/text v0.33.0/go.mod h1:LuMebE6+rBincTi9+xWTY8TztLzKHc/9C1uBCG27+q8=
+golang.org/x/time v0.14.0 h1:MRx4UaLrDotUKUdCIqzPC48t1Y9hANFKIRpNx+Te8PI=
+golang.org/x/time v0.14.0/go.mod h1:eL/Oa2bBBK0TkX57Fyni+NgnyQQN4LitPmob2Hjnqw4=
+golang.org/x/tools v0.41.0 h1:a9b8iMweWG+S0OBnlU36rzLp20z1Rp10w+IY2czHTQc=
+golang.org/x/tools v0.41.0/go.mod h1:XSY6eDqxVNiYgezAVqqCeihT4j1U2CCsqvH3WhQpnlg=
+google.golang.org/protobuf v1.36.11 h1:fV6ZwhNocDyBLK0dj+fg8ektcVegBBuEolpbTQyBNVE=
+google.golang.org/protobuf v1.36.11/go.mod h1:HTf+CrKn2C3g5S8VImy6tdcUvCska2kB7j23XfzDpco=
 gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
-gopkg.in/check.v1 v1.0.0-20180628173108-788fd7840127/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
 gopkg.in/check.v1 v1.0.0-20201130134442-10cb98267c6c h1:Hei/4ADfdWqJk1ZMxUNpqntNwaWcugrBjAiHlqqRiVk=
 gopkg.in/check.v1 v1.0.0-20201130134442-10cb98267c6c/go.mod h1:JHkPIbrfpd72SG/EVd6muEfDQjcINNoR0C8j2r3qZ4Q=
-gopkg.in/errgo.v2 v2.1.0/go.mod h1:hNsd1EY+bozCKY1Ytp96fpM3vjJbqLJn88ws8XvfDNI=
-gopkg.in/yaml.v2 v2.2.2/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI=
 gopkg.in/yaml.v3 v3.0.0-20200313102051-9f266ea9e77c/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM=
-gopkg.in/yaml.v3 v3.0.0-20210107192922-496545a6307b/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM=
 gopkg.in/yaml.v3 v3.0.1 h1:fxVm/GzAzEWqLHuvctI91KS9hhNmmWOoWu0XTYJS7CA=
 gopkg.in/yaml.v3 v3.0.1/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM=
-gorm.io/driver/sqlite v1.3.2 h1:nWTy4cE52K6nnMhv23wLmur9Y3qWbZvOBz+V4PrGAxg=
-gorm.io/driver/sqlite v1.3.2/go.mod h1:B+8GyC9K7VgzJAcrcXMRPdnMcck+8FgJynEehEPM16U=
-gorm.io/gorm v1.23.4/go.mod h1:l2lP/RyAtc1ynaTjFksBde/O8v9oOGIApu2/xRitmZk=
-gorm.io/gorm v1.23.5 h1:TnlF26wScKSvknUC/Rn8t0NLLM22fypYBlvj1+aH6dM=
-gorm.io/gorm v1.23.5/go.mod h1:l2lP/RyAtc1ynaTjFksBde/O8v9oOGIApu2/xRitmZk=
-honnef.co/go/tools v0.0.0-20190102054323-c2f93a96b099/go.mod h1:rf3lG4BRIbNafJWhAfAdb/ePZxsR/4RtNHQocxwk9r4=
-honnef.co/go/tools v0.0.0-20190106161140-3f1c8253044a/go.mod h1:rf3lG4BRIbNafJWhAfAdb/ePZxsR/4RtNHQocxwk9r4=
-honnef.co/go/tools v0.0.0-20190418001031-e561f6794a2a/go.mod h1:rf3lG4BRIbNafJWhAfAdb/ePZxsR/4RtNHQocxwk9r4=
-honnef.co/go/tools v0.0.0-20190523083050-ea95bdfd59fc/go.mod h1:rf3lG4BRIbNafJWhAfAdb/ePZxsR/4RtNHQocxwk9r4=
-honnef.co/go/tools v0.0.1-2019.2.3/go.mod h1:a3bituU0lyd329TUQxRnasdCoJDkEUEAqEt0JzvZhAg=
-honnef.co/go/tools v0.0.1-2020.1.3/go.mod h1:X/FiERA/W4tHapMX5mGpAtMSVEeEUOyHaw9vFzvIQ3k=
-honnef.co/go/tools v0.0.1-2020.1.4/go.mod h1:X/FiERA/W4tHapMX5mGpAtMSVEeEUOyHaw9vFzvIQ3k=
-rsc.io/binaryregexp v0.2.0/go.mod h1:qTv7/COck+e2FymRvadv62gMdZztPaShugOCi3I+8D8=
-rsc.io/quote/v3 v3.1.0/go.mod h1:yEA65RcK8LyAZtP9Kv3t0HmxON59tX3rD+tICJqUlj0=
-rsc.io/sampler v1.3.0/go.mod h1:T1hPZKmBbMNahiBKFy5HrXp6adAjACjK9JXDnKaTXpA=
+gorm.io/driver/mysql v1.6.0 h1:eNbLmNTpPpTOVZi8MMxCi2aaIm0ZpInbORNXDwyLGvg=
+gorm.io/driver/mysql v1.6.0/go.mod h1:D/oCC2GWK3M/dqoLxnOlaNKmXz8WNTfcS9y5ovaSqKo=
+gorm.io/driver/postgres v1.6.0 h1:2dxzU8xJ+ivvqTRph34QX+WrRaJlmfyPqXmoGVjMBa4=
+gorm.io/driver/postgres v1.6.0/go.mod h1:vUw0mrGgrTK+uPHEhAdV4sfFELrByKVGnaVRkXDhtWo=
+gorm.io/gorm v1.31.1 h1:7CA8FTFz/gRfgqgpeKIBcervUn3xSyPUmr6B2WXJ7kg=
+gorm.io/gorm v1.31.1/go.mod h1:XyQVbO2k6YkOis7C2437jSit3SsDK72s7n7rsSHd+Gs=
+modernc.org/cc/v4 v4.27.1 h1:9W30zRlYrefrDV2JE2O8VDtJ1yPGownxciz5rrbQZis=
+modernc.org/cc/v4 v4.27.1/go.mod h1:uVtb5OGqUKpoLWhqwNQo/8LwvoiEBLvZXIQ/SmO6mL0=
+modernc.org/ccgo/v4 v4.30.1 h1:4r4U1J6Fhj98NKfSjnPUN7Ze2c6MnAdL0hWw6+LrJpc=
+modernc.org/ccgo/v4 v4.30.1/go.mod h1:bIOeI1JL54Utlxn+LwrFyjCx2n2RDiYEaJVSrgdrRfM=
+modernc.org/fileutil v1.3.40 h1:ZGMswMNc9JOCrcrakF1HrvmergNLAmxOPjizirpfqBA=
+modernc.org/fileutil v1.3.40/go.mod h1:HxmghZSZVAz/LXcMNwZPA/DRrQZEVP9VX0V4LQGQFOc=
+modernc.org/gc/v2 v2.6.5 h1:nyqdV8q46KvTpZlsw66kWqwXRHdjIlJOhG6kxiV/9xI=
+modernc.org/gc/v2 v2.6.5/go.mod h1:YgIahr1ypgfe7chRuJi2gD7DBQiKSLMPgBQe9oIiito=
+modernc.org/gc/v3 v3.1.1 h1:k8T3gkXWY9sEiytKhcgyiZ2L0DTyCQ/nvX+LoCljoRE=
+modernc.org/gc/v3 v3.1.1/go.mod h1:HFK/6AGESC7Ex+EZJhJ2Gni6cTaYpSMmU/cT9RmlfYY=
+modernc.org/goabi0 v0.2.0 h1:HvEowk7LxcPd0eq6mVOAEMai46V+i7Jrj13t4AzuNks=
+modernc.org/goabi0 v0.2.0/go.mod h1:CEFRnnJhKvWT1c1JTI3Avm+tgOWbkOu5oPA8eH8LnMI=
+modernc.org/libc v1.67.7 h1:H+gYQw2PyidyxwxQsGTwQw6+6H+xUk+plvOKW7+d3TI=
+modernc.org/libc v1.67.7/go.mod h1:UjCSJFl2sYbJbReVQeVpq/MgzlbmDM4cRHIYFelnaDk=
+modernc.org/mathutil v1.7.1 h1:GCZVGXdaN8gTqB1Mf/usp1Y/hSqgI2vAGGP4jZMCxOU=
+modernc.org/mathutil v1.7.1/go.mod h1:4p5IwJITfppl0G4sUEDtCr4DthTaT47/N3aT6MhfgJg=
+modernc.org/memory v1.11.0 h1:o4QC8aMQzmcwCK3t3Ux/ZHmwFPzE6hf2Y5LbkRs+hbI=
+modernc.org/memory v1.11.0/go.mod h1:/JP4VbVC+K5sU2wZi9bHoq2MAkCnrt2r98UGeSK7Mjw=
+modernc.org/opt v0.1.4 h1:2kNGMRiUjrp4LcaPuLY2PzUfqM/w9N23quVwhKt5Qm8=
+modernc.org/opt v0.1.4/go.mod h1:03fq9lsNfvkYSfxrfUhZCWPk1lm4cq4N+Bh//bEtgns=
+modernc.org/sortutil v1.2.1 h1:+xyoGf15mM3NMlPDnFqrteY07klSFxLElE2PVuWIJ7w=
+modernc.org/sortutil v1.2.1/go.mod h1:7ZI3a3REbai7gzCLcotuw9AC4VZVpYMjDzETGsSMqJE=
+modernc.org/sqlite v1.44.3 h1:+39JvV/HWMcYslAwRxHb8067w+2zowvFOUrOWIy9PjY=
+modernc.org/sqlite v1.44.3/go.mod h1:CzbrU2lSB1DKUusvwGz7rqEKIq+NUd8GWuBBZDs9/nA=
+modernc.org/strutil v1.2.1 h1:UneZBkQA+DX2Rp35KcM69cSsNES9ly8mQWD71HKlOA0=
+modernc.org/strutil v1.2.1/go.mod h1:EHkiggD70koQxjVdSBM3JKM7k6L0FbGE5eymy9i3B9A=
+modernc.org/token v1.1.0 h1:Xl7Ap9dKaEs5kLoOQeQmPWevfnk/DM5qcLcYlA8ys6Y=
+modernc.org/token v1.1.0/go.mod h1:UGzOrNV1mAFSEB63lOFHIpNRUVMvYTc6yu1SMY/XTDM=

helm/opengist/.helmignore

@@ -0,0 +1,23 @@
+# Patterns to ignore when building packages.
+# This supports shell glob matching, relative path matching, and
+# negation (prefixed with !). Only one pattern per line.
+.DS_Store
+# Common VCS dirs
+.git/
+.gitignore
+.bzr/
+.bzrignore
+.hg/
+.hgignore
+.svn/
+# Common backup files
+*.swp
+*.bak
+*.tmp
+*.orig
+*~
+# Various IDEs
+.project
+.idea/
+*.tmproj
+.vscode/

helm/opengist/CHANGELOG.md

@@ -0,0 +1,29 @@
+# Helm Chart Changelog
+
+## 0.6.0 - 2026-02-03
+
+- Bump Opengist image to 1.12.1
+
+## 0.5.0 - 2026-01-27
+
+- Bump Opengist image to 1.12.0
+- Add StatefulSet support
+- Add Prometheus ServiceMonitor support if Opengist metrics are enabled
+- New service for metrics endpoint, dissociated from the main service
+- Use existing pvc claim of provided
+
+## 0.4.0 - 2025-09-30
+
+- Bump Opengist image to 1.11.1
+
+## 0.3.0 - 2025-09-21
+
+- Bump Opengist image to 1.11.0
+
+## 0.2.0 - 2025-05-10
+
+- Add `deployment.env[]` in values
+
+## 0.1.0 - 2025-04-06
+
+- Initial release, with Opengist image 1.10.0

helm/opengist/Chart.lock

@@ -0,0 +1,9 @@
+dependencies:
+- name: postgresql
+  repository: oci://registry-1.docker.io/bitnamicharts
+  version: 16.7.27
+- name: meilisearch
+  repository: https://meilisearch.github.io/meilisearch-kubernetes
+  version: 0.17.1
+digest: sha256:ad702e35f258fed1f804d3e48b071767499f5730e099a8c461610950e5182368
+generated: "2025-09-21T04:49:08.679554149+02:00"

helm/opengist/Chart.yaml

@@ -0,0 +1,19 @@
+apiVersion: v2
+name: opengist
+description: Opengist Helm chart for Kubernetes
+type: application
+version: 0.6.0
+appVersion: 1.12.1
+home: https://opengist.io
+icon: https://raw.githubusercontent.com/thomiceli/opengist/master/public/img/opengist.svg
+sources:
+  - https://github.com/thomiceli/opengist
+dependencies:
+  - name: postgresql
+    repository: oci://registry-1.docker.io/bitnamicharts
+    version: 16.7.27
+    condition: postgresql.enabled
+  - name: meilisearch
+    repository: https://meilisearch.github.io/meilisearch-kubernetes
+    version: 0.17.1
+    condition: meilisearch.enabled

helm/opengist/README.md

@@ -0,0 +1,451 @@
+# Opengist Helm Chart
+
+![Version: 0.6.0](https://img.shields.io/badge/Version-0.6.0-informational?style=flat-square) ![AppVersion: 1.12.1](https://img.shields.io/badge/AppVersion-1.12.1-informational?style=flat-square)
+
+Opengist Helm chart for Kubernetes. Check [CHANGELOG.md](CHANGELOG.md) for release notes.
+
+* [Install](#install)
+* [Configuration](#configuration)
+* [Metrics & Monitoring](#metrics--monitoring)
+* [Dependencies](#dependencies)
+  * [Meilisearch Indexer](#meilisearch-indexer)
+  * [PostgreSQL Database](#postgresql-database)
+
+## Install
+
+```bash
+helm repo add opengist https://helm.opengist.io
+ 
+helm install opengist opengist/opengist
+```
+
+## Configuration
+
+This part explains how to configure the Opengist instance using the Helm chart. The `config.yml` file used by Opengist
+is mounted from a Kubernetes Secret with a key `config.yml` and the values formatted as YAML.
+
+### Using values
+
+Using Helm values, you can define the values from a key name `config`
+
+```yaml
+config:
+  log-level: "warn"
+  log-output: "stdout"
+```
+
+This will create a Kubernetes secret named `opengist` mounted to the pod as a file with the YAML content of the secret,
+used by Opengist.
+
+### Using an existing secret
+
+If you wish to not store sensitive data in your Helm values, you can create a Kubernetes secret with a key `config.yml`
+and values formatted as YAML. You can then reference this secret in the Helm chart with the `configExistingSecret` key.
+
+If defined, this existing secret will be used instead of creating a new one.
+
+```yaml
+configExistingSecret: <name of the secret>
+```
+
+## Metrics & Monitoring
+
+Opengist exposes Prometheus metrics on a separate port (default: `6158`). The metrics server runs independently from the main HTTP server for security.
+
+### Enabling Metrics
+
+To enable metrics, set `metrics.enabled: true` in your Opengist config:
+
+```yaml
+config:
+  metrics.enabled: true
+```
+
+This will:
+1. Start a metrics server on port 6158 inside the container
+2. Create a Kubernetes Service exposing the metrics ports
+
+### Available Metrics
+
+| Metric Name | Type | Description |
+|-------------|------|-------------|
+| `opengist_users_total` | Gauge | Total number of registered users |
+| `opengist_gists_total` | Gauge | Total number of gists |
+| `opengist_ssh_keys_total` | Gauge | Total number of SSH keys |
+| `opengist_request_duration_seconds_*` | Histogram | HTTP request duration metrics |
+
+### ServiceMonitor for Prometheus Operator
+
+If you're using [Prometheus Operator](https://github.com/prometheus-operator/prometheus-operator), you can enable automatic service discovery with a ServiceMonitor:
+
+```yaml
+config:
+  metrics.enabled: true
+
+service:
+  metrics:
+    serviceMonitor:
+      enabled: true
+      labels:
+        release: prometheus  # match your Prometheus serviceMonitorSelector
+```
+
+### Manual Prometheus Configuration
+
+If you're not using Prometheus Operator, you can configure Prometheus to scrape the metrics endpoint directly:
+
+```yaml
+scrape_configs:
+  - job_name: 'opengist'
+    static_configs:
+      - targets: ['opengist-metrics:6158']
+    metrics_path: /metrics
+```
+
+Or use Kubernetes service discovery:
+
+```yaml
+scrape_configs:
+  - job_name: 'opengist'
+    kubernetes_sd_configs:
+      - role: service
+    relabel_configs:
+      - source_labels: [__meta_kubernetes_service_label_app_kubernetes_io_component]
+        regex: metrics
+        action: keep
+      - source_labels: [__meta_kubernetes_service_label_app_kubernetes_io_name]
+        regex: opengist
+        action: keep
+```
+
+## Dependencies
+
+### Meilisearch Indexer
+
+By default, Opengist uses the `bleve` indexer. **It is NOT available** if there is multiple replicas of the opengist pod (only one pod can open the index at the same time).
+
+Instead, for multiple replicas setups, you **MUST** use the `meilisearch` indexer.
+
+By setting `meilisearch.enabled: true`, the [Meilisearch chart](https://github.com/meilisearch/meilisearch-kubernetes) will be deployed aswell. 
+You must define the `meilisearch.host` (Kubernetes Service) and `meilisearch.key` (value created by Meilisearch) values to connect to the Meilisearch instance in your Opengist config :
+
+```yaml
+index: meilisearch
+index.meili.host: http://opengist-meilisearch:7700 # pointing to the K8S Service
+index.meili.api-key: MASTER_KEY                    # generated by Meilisearch
+```
+
+If you want to use the `bleve` indexer, you need to set the `replicas` to `1`.
+
+#### Passing Meilisearch configuration via nested Helm values
+
+When using the Helm CLI with `--set`, avoid mixing a scalar `config.index` value with nested `config.index.meili.*` keys. Instead use a nested map and a `type` field which the chart flattens automatically. Example:
+
+```bash
+helm template opengist ./helm/opengist \
+  --set statefulSet.enabled=true \
+  --set replicaCount=2 \
+  --set persistence.enabled=true \
+  --set persistence.existingClaim=opengist-shared-rwx \
+  --set postgresql.enabled=false \
+  --set config.db-uri="postgres://user:pass@db-host:5432/opengist" \
+  --set meilisearch.enabled=true \
+  --set config.index.type=meilisearch \
+  --set config.index.meili.host="http://opengist-meilisearch:7700" \
+  --set config.index.meili.api-key="MASTER_KEY"
+```
+
+Rendered `config.yml` fragment:
+
+```yaml
+index: meilisearch
+index.meili.host: http://opengist-meilisearch:7700
+index.meili.api-key: MASTER_KEY
+```
+
+How it works:
+
+* You provide a map under `config.index` with keys `type` and `meili`.
+* The template detects `config.index.type` and rewrites `index: <type>`.
+* Nested `config.index.meili.host` / `api-key` are lifted to flat keys `index.meili.host` and `index.meili.api-key` required by Opengist.
+
+If you set `--set config.index=meilisearch` directly and also try to set `--set config.index.meili.host=...`, Helm will first create the nested structure then overwrite it with the scalar, losing the host. Always prefer the `config.index.type` pattern for CLI usage.
+
+### PostgreSQL Database
+
+By default, Opengist uses the `sqlite` database. If needed, this chart also deploys a PostgreSQL instance.
+
+By setting `postgresql.enabled: true`, the [Bitnami PostgreSQL chart](https://github.com/bitnami/charts/tree/main/bitnami/postgresql) will be deployed aswell.
+You must define the `postgresql.host`, `postgresql.port`, `postgresql.database`, `postgresql.username` and `postgresql.password` values to connect to the PostgreSQL instance.
+
+Then define the connection string in your Opengist config:
+
+```yaml
+db-uri: postgres://user:password@opengist-postgresql:5432/opengist
+```
+Note: `opengist-postgresql` is the name of the K8S Service deployed by this chart.
+
+### Database Configuration
+
+You can supply an externally managed database connection explicitly via `config.db-uri` (PostgreSQL/MySQL) or enable the bundled PostgreSQL subchart.
+
+Behavior:
+
+* If `postgresql.enabled: true` and `config.db-uri` is omitted, the chart auto-generates:
+  `postgres://<username>:<password>@<release-name>-postgresql:<port>/<database>` using values under `postgresql.global.postgresql.auth.*`.
+* If any of username/password/database are missing, templating fails fast with an error message.
+* If you prefer an external database or a different Postgres distribution, set `postgresql.enabled: false` and provide `config.db-uri` yourself.
+
+**Licensing note**: Bitnami's PostgreSQL distribution may have licensing constraints. For strictly open alternatives use an external managed PostgreSQL/MySQL service and disable the subchart.
+
+### Multi-Replica Requirements
+
+Running more than one Opengist replica (Deployment or StatefulSet) requires:
+
+1. Non-SQLite database (`config.db-uri` must start with `postgres://` or `mysql://`).
+2. Shared RWX storage if using StatefulSet with `replicaCount > 1` (provide `persistence.existingClaim`). The chart now fails fast if you attempt `replicaCount > 1` without an explicit shared claim to prevent silent data divergence across per‑pod PVCs.
+
+The chart will fail fast during templating if these conditions are not met when scaling above 1 replica.
+
+Examples:
+
+* External PostgreSQL:
+
+```yaml
+postgresql:
+  enabled: false
+config:
+  db-uri: postgres://user:pass@db-host:5432/opengist
+  index: meilisearch
+statefulSet:
+  enabled: true
+replicaCount: 2
+persistence:
+  existingClaim: opengist-shared-rwx
+```
+
+Bundled PostgreSQL (auto db-uri):
+
+```yaml
+postgresql:
+  enabled: true
+config:
+  index: meilisearch
+statefulSet:
+  enabled: true
+replicaCount: 2
+persistence:
+  existingClaim: opengist-shared-rwx
+```
+
+#### Recovering from an initial misconfiguration
+
+If you previously scaled a StatefulSet above 1 replica **without** an `existingClaim`, each pod received its own PVC and only one held the authoritative `/opengist` data. To consolidate:
+
+1. Scale down to 1 replica (keep the pod with the desired data):
+
+```bash
+kubectl scale sts/opengist --replicas=1
+```
+
+1. (Optional) Inspect other PVCs and manually copy any missing files by temporarily attaching them to a debug pod.
+1. Create or provision a ReadWriteMany (NFS / CephFS / Longhorn RWX / etc.) PersistentVolumeClaim named (for example) `opengist-shared-rwx`.
+1. Update values with `persistence.existingClaim: opengist-shared-rwx` and re‑deploy.
+1. Scale back up:
+
+```bash
+kubectl scale sts/opengist --replicas=2
+```
+
+Going forward, all replicas mount the same shared volume and data remains consistent.
+
+### Quick Start Examples
+
+Common deployment scenarios with copy-paste configurations:
+
+#### Scenario 1: Single replica with SQLite (default)
+
+Minimal local development setup with ephemeral or persistent storage:
+
+```yaml
+# Ephemeral (emptyDir)
+statefulSet:
+  enabled: true
+replicaCount: 1
+persistence:
+  enabled: false
+
+# OR with persistent RWO storage
+statefulSet:
+  enabled: true
+replicaCount: 1
+persistence:
+  enabled: true
+  mode: perReplica  # default
+```
+
+#### Scenario 2: Multi-replica with external PostgreSQL + existing RWX PVC
+
+Production HA setup with your own database and storage:
+
+```yaml
+statefulSet:
+  enabled: true
+replicaCount: 2
+postgresql:
+  enabled: false
+config:
+  db-uri: "postgres://user:pass@db-host:5432/opengist"
+  index: meilisearch  # required for multi-replica
+persistence:
+  enabled: true
+  mode: shared
+  existingClaim: "opengist-shared-rwx"  # pre-created RWX PVC
+meilisearch:
+  enabled: true
+```
+
+#### Scenario 3: Multi-replica with bundled PostgreSQL + auto-created RWX PVC
+
+Chart manages both database and storage:
+
+```yaml
+statefulSet:
+  enabled: true
+replicaCount: 2
+postgresql:
+  enabled: true
+  global:
+    postgresql:
+      auth:
+        username: opengist
+        password: changeme
+        database: opengist
+config:
+  index: meilisearch
+persistence:
+  enabled: true
+  mode: shared
+  existingClaim: ""  # empty to trigger auto-creation
+  create:
+    enabled: true
+    accessModes: [ReadWriteMany]
+    storageClass: "nfs-client"  # your RWX-capable storage class
+    size: 20Gi
+meilisearch:
+  enabled: true
+```
+
+### Persistence Modes
+
+The chart supports two persistence strategies controlled by `persistence.mode`:
+
+| Mode        | Behavior | Scaling | Storage Objects | Recommended Use |
+|-------------|----------|---------|-----------------|-----------------|
+| `perReplica` (default) | One PVC per pod via StatefulSet `volumeClaimTemplates` (RWO) when no `existingClaim` | Safe only at `replicaCount=1` unless you supply `existingClaim` | One PVC per replica | Local dev, quick single-node trials |
+| `shared`    | Single RWX PVC (existing or auto-created) mounted by all pods | Horizontally scalable | One shared PVC | Production / HA |
+
+Configuration examples:
+
+Per-replica (single node):
+
+```yaml
+statefulSet:
+  enabled: true
+persistence:
+  mode: perReplica
+  enabled: true
+  accessModes:
+    - ReadWriteOnce
+```
+
+Shared (scale ready) with an existing RWX claim:
+
+```yaml
+statefulSet:
+  enabled: true
+replicaCount: 2
+persistence:
+  mode: shared
+  existingClaim: opengist-shared-rwx
+```
+
+Shared with chart-created RWX PVC:
+
+```yaml
+statefulSet:
+  enabled: true
+replicaCount: 2
+persistence:
+  mode: shared
+  existingClaim: ""    # leave empty
+  create:
+    enabled: true
+    accessModes: [ReadWriteMany]
+    size: 10Gi
+```
+
+When `mode=shared` and `existingClaim` is empty, the chart creates a single PVC named `<release>-shared` (suffix configurable via `persistence.create.nameSuffix`).
+
+Fail-fast conditions:
+
+* `replicaCount>1` & missing external DB (still enforced).
+* `replicaCount>1` & persistence disabled.
+* `replicaCount>1` & neither `existingClaim` nor `mode=shared`.
+* `mode=shared` & create.enabled=true but `accessModes` lacks `ReadWriteMany`.
+
+Migration (perReplica → shared): scale down to 1, create RWX claim (or rely on create.enabled), copy data, switch mode to shared, scale up.
+
+### Troubleshooting
+
+#### Common Errors and Solutions
+
+##### Error: "replicaCount=2 requires PostgreSQL/MySQL config.db-uri; scheme 'sqlite' unsupported"
+
+* **Cause**: Multi-replica with SQLite database
+* **Solution**: Either scale down to `replicaCount: 1` or configure external database:
+
+```yaml
+config:
+  db-uri: "postgres://user:pass@host:5432/opengist"
+```
+
+##### Error: "replicaCount=2 requires either persistence.existingClaim OR persistence.mode=shared"
+
+* **Cause**: Multi-replica without shared storage
+* **Solution**: Choose one approach:
+
+```yaml
+# Option A: Use existing PVC
+persistence:
+  existingClaim: "my-rwx-pvc"
+
+# Option B: Let chart create PVC
+persistence:
+  mode: shared
+  create:
+    enabled: true
+    accessModes: [ReadWriteMany]
+```
+
+##### Error: "persistence.mode=shared create.accessModes must include ReadWriteMany for multi-replica"
+
+* **Cause**: Chart-created PVC lacks RWX access mode
+* **Solution**: Ensure RWX is specified:
+
+```yaml
+persistence:
+  create:
+    accessModes:
+      - ReadWriteMany
+```
+
+##### Pods mount different data (data divergence)
+
+* **Cause**: Previously scaled with `perReplica` mode and `replicaCount > 1`
+* **Solution**: Follow recovery steps in "Recovering from an initial misconfiguration" section above
+
+##### PVC creation fails: "no storage class available with ReadWriteMany"
+
+* **Cause**: Cluster lacks RWX-capable storage provisioner
+* **Solution**: Install a storage provider (NFS, CephFS, Longhorn) or use external managed storage and provide `existingClaim`

helm/opengist/templates/NOTES.txt

@@ -0,0 +1,22 @@
+1. Get the application URL by running these commands:
+{{- if .Values.ingress.enabled }}
+{{- range $host := .Values.ingress.hosts }}
+  {{- range .paths }}
+  http{{ if $.Values.ingress.tls }}s{{ end }}://{{ $host.host }}{{ .path }}
+  {{- end }}
+{{- end }}
+{{- else if contains "NodePort" .Values.service.http.type }}
+  export NODE_PORT=$(kubectl get --namespace {{ .Release.Namespace }} -o jsonpath="{.spec.ports[0].nodePort}" services {{ include "opengist.fullname" . }})
+  export NODE_IP=$(kubectl get nodes --namespace {{ .Release.Namespace }} -o jsonpath="{.items[0].status.addresses[0].address}")
+  echo http://$NODE_IP:$NODE_PORT
+{{- else if contains "LoadBalancer" .Values.service.http.type }}
+     NOTE: It may take a few minutes for the LoadBalancer IP to be available.
+           You can watch its status by running 'kubectl get --namespace {{ .Release.Namespace }} svc -w {{ include "opengist.fullname" . }}'
+  export SERVICE_IP=$(kubectl get svc --namespace {{ .Release.Namespace }} {{ include "opengist.fullname" . }} --template "{{"{{ range (index .status.loadBalancer.ingress 0) }}{{.}}{{ end }}"}}")
+  echo http://$SERVICE_IP:{{ .Values.service.http.port }}
+{{- else if contains "ClusterIP" .Values.service.http.type }}
+  export POD_NAME=$(kubectl get pods --namespace {{ .Release.Namespace }} -l "app.kubernetes.io/name={{ include "opengist.name" . }},app.kubernetes.io/instance={{ .Release.Name }}" -o jsonpath="{.items[0].metadata.name}")
+  export CONTAINER_PORT=$(kubectl get pod --namespace {{ .Release.Namespace }} $POD_NAME -o jsonpath="{.spec.containers[0].ports[0].containerPort}")
+  echo "Visit http://127.0.0.1:8080 to use your application"
+  kubectl --namespace {{ .Release.Namespace }} port-forward $POD_NAME 8080:$CONTAINER_PORT
+{{- end }}

helm/opengist/templates/_helpers.tpl

@@ -0,0 +1,85 @@
+{{/*
+Expand the name of the chart.
+*/}}
+{{- define "opengist.name" -}}
+{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" }}
+{{- end }}
+
+{{/*
+Create a default fully qualified app name.
+We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec).
+If release name contains chart name it will be used as a full name.
+*/}}
+{{- define "opengist.fullname" -}}
+{{- if .Values.fullnameOverride }}
+{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" }}
+{{- else }}
+{{- $name := default .Chart.Name .Values.nameOverride }}
+{{- if contains $name .Release.Name }}
+{{- .Release.Name | trunc 63 | trimSuffix "-" }}
+{{- else }}
+{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" }}
+{{- end }}
+{{- end }}
+{{- end }}
+
+{{/*
+Create chart name and version as used by the chart label.
+*/}}
+{{- define "opengist.chart" -}}
+{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" }}
+{{- end }}
+
+{{/*
+Common labels
+*/}}
+{{- define "opengist.labels" -}}
+helm.sh/chart: {{ include "opengist.chart" . }}
+app: {{ include "opengist.name" . }}
+{{ include "opengist.selectorLabels" . }}
+{{- if .Chart.AppVersion }}
+app.kubernetes.io/version: {{ .Chart.AppVersion | quote }}
+{{- end }}
+app.kubernetes.io/managed-by: {{ .Release.Service }}
+{{- end }}
+
+{{/*
+Selector labels
+*/}}
+{{- define "opengist.selectorLabels" -}}
+app.kubernetes.io/name: {{ include "opengist.name" . }}
+app.kubernetes.io/instance: {{ .Release.Name }}
+{{- end }}
+
+{{/*
+Create the name of the service account to use
+*/}}
+{{- define "opengist.serviceAccountName" -}}
+{{- if .Values.serviceAccount.create }}
+{{- default (include "opengist.fullname" .) .Values.serviceAccount.name }}
+{{- else }}
+{{- default "default" .Values.serviceAccount.name }}
+{{- end }}
+{{- end }}
+
+{{/*
+Create image URI
+*/}}
+{{- define "opengist.image" -}}
+{{- if .Values.image.digest -}}
+{{- printf "%s@%s" .Values.image.repository .Values.image.digest -}}
+{{- else -}}
+{{- printf "%s:%s" .Values.image.repository (.Values.image.tag | default .Chart.AppVersion) -}}
+{{- end -}}
+{{- end -}}
+
+{{/*
+Create secret name
+*/}}
+{{- define "opengist.secretName" -}}
+{{- if .Values.configExistingSecret -}}
+{{- printf "%s" (tpl .Values.configExistingSecret $) -}}
+{{- else -}}
+{{- printf "%s" (include "opengist.fullname" .) -}}
+{{- end -}}
+{{- end -}}

helm/opengist/templates/deployment.yaml

@@ -0,0 +1,134 @@
+{{- if not .Values.statefulSet.enabled }}
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: {{ include "opengist.fullname" . }}
+  namespace: {{ .Values.namespace | default .Release.Namespace }}
+  labels:
+    {{- include "opengist.labels" . | nindent 4 }}
+    {{- if .Values.deployment.labels }}
+    {{- toYaml .Values.deployment.labels | nindent 4 }}
+    {{- end }}
+  {{- with .Values.deployment.annotations }}
+  annotations:
+    {{- toYaml . | nindent 4 }}
+  {{- end }}
+spec:
+  {{- if not .Values.autoscaling.enabled }}
+  replicas: {{ .Values.replicaCount }}
+  {{- end }}
+  selector:
+    matchLabels:
+      {{- include "opengist.selectorLabels" . | nindent 6 }}
+  template:
+    metadata:
+      annotations:
+        checksum/config: {{ include (print $.Template.BasePath "/secret.yaml") . | sha256sum }}
+      {{- with .Values.podAnnotations }}
+        {{- toYaml . | nindent 8 }}
+      {{- end }}
+      labels:
+        {{- include "opengist.labels" . | nindent 8 }}
+        {{- with .Values.podLabels }}
+        {{- toYaml . | nindent 8 }}
+        {{- end }}
+    spec:
+      {{- if .Values.deployment.terminationGracePeriodSeconds }}
+      terminationGracePeriodSeconds: {{ .Values.deployment.terminationGracePeriodSeconds }}
+      {{- end }}
+      {{- with .Values.imagePullSecrets }}
+      imagePullSecrets:
+        {{- toYaml . | nindent 8 }}
+      {{- end }}
+      serviceAccountName: {{ include "opengist.serviceAccountName" . }}
+      securityContext:
+        {{- toYaml .Values.podSecurityContext | nindent 8 }}
+      initContainers:
+        - name: init-config
+          image: busybox:1.37
+          imagePullPolicy: IfNotPresent
+          command: ['sh', '-c', 'cp /init/config/config.yml /config-volume/config.yml']
+          volumeMounts:
+            - name: config-secret
+              mountPath: /init/config
+            - name: config-volume
+              mountPath: /config-volume
+          {{- if .Values.deployment.env }}
+          env:
+            {{- toYaml .Values.deployment.env | nindent 12 }}
+          {{- end }}
+      containers:
+        - name: {{ .Chart.Name }}
+          securityContext:
+            {{- toYaml .Values.securityContext | nindent 12 }}
+          image: "{{ .Values.image.repository }}:{{ .Values.image.tag | default .Chart.AppVersion }}"
+          imagePullPolicy: {{ .Values.image.pullPolicy }}
+          ports:
+            - name: http
+              containerPort: {{ .Values.service.http.port }}
+              protocol: TCP
+          {{- if index .Values.config "metrics.enabled" }}
+            - name: metrics
+              containerPort: {{ .Values.service.metrics.port }}
+              protocol: TCP
+          {{- end }}
+          {{- if .Values.livenessProbe.enabled }}
+          livenessProbe:
+            {{- toYaml (omit .Values.livenessProbe "enabled") | nindent 12 }}
+            httpGet:
+              port: http
+              path: /healthcheck
+          {{- end }}
+          {{- if .Values.readinessProbe.enabled }}
+          readinessProbe:
+            {{- toYaml (omit .Values.readinessProbe "enabled") | nindent 12 }}
+            httpGet:
+              port: http
+              path: /healthcheck
+          {{- end }}
+          resources:
+            {{- toYaml .Values.resources | nindent 12 }}
+          volumeMounts:
+            - name: config-volume
+              mountPath: /config.yml
+              subPath: config.yml
+            - name: opengist-data
+              mountPath: /opengist
+          {{- if gt (len .Values.extraVolumeMounts) 0 }}
+            {{- toYaml .Values.extraVolumeMounts | nindent 12 }}
+          {{- end }}
+      volumes:
+        - name: opengist-data
+          {{- if .Values.persistence.enabled }}
+          persistentVolumeClaim:
+            {{- if .Values.persistence.existingClaim }}
+            claimName: {{ .Values.persistence.existingClaim }}
+            {{- else }}
+            claimName: {{ include "opengist.fullname" . }}-data
+            {{- end }}
+          {{- else }}
+          emptyDir: {}
+          {{- end }}
+        - name: config-secret
+          secret:
+            secretName: {{ include "opengist.secretName" . }}
+            defaultMode: 511
+        - name: config-volume
+          emptyDir: {}
+      {{- if gt (len .Values.extraVolumes) 0 }}
+        {{- toYaml .Values.extraVolumes | nindent 8 }}
+      {{- end }}
+      {{- with .Values.nodeSelector }}
+      nodeSelector:
+        {{- toYaml . | nindent 8 }}
+      {{- end }}
+      {{- with .Values.affinity }}
+      affinity:
+        {{- toYaml . | nindent 8 }}
+      {{- end }}
+      {{- with .Values.tolerations }}
+      tolerations:
+        {{- toYaml . | nindent 8 }}
+      {{- end }}
+
+{{- end }}

helm/opengist/templates/hpa.yaml

@@ -0,0 +1,37 @@
+{{- if .Values.autoscaling.enabled }}
+apiVersion: autoscaling/v2
+kind: HorizontalPodAutoscaler
+metadata:
+  name: {{ include "opengist.fullname" . }}
+  namespace: {{ .Values.namespace | default .Release.Namespace }}
+  labels:
+    {{- include "opengist.labels" . | nindent 4 }}
+  {{- with .Values.autoscaling.annotations }}
+  annotations:
+    {{- toYaml . | nindent 4 }}
+  {{- end }}
+spec:
+  scaleTargetRef:
+    apiVersion: apps/v1
+    kind: Deployment
+    name: {{ include "opengist.fullname" . }}
+  minReplicas: {{ .Values.autoscaling.minReplicas }}
+  maxReplicas: {{ .Values.autoscaling.maxReplicas }}
+  metrics:
+    {{- if .Values.autoscaling.targetCPUUtilizationPercentage }}
+    - type: Resource
+      resource:
+        name: cpu
+        target:
+          type: Utilization
+          averageUtilization: {{ .Values.autoscaling.targetCPUUtilizationPercentage }}
+    {{- end }}
+    {{- if .Values.autoscaling.targetMemoryUtilizationPercentage }}
+    - type: Resource
+      resource:
+        name: memory
+        target:
+          type: Utilization
+          averageUtilization: {{ .Values.autoscaling.targetMemoryUtilizationPercentage }}
+    {{- end }}
+{{- end }}

helm/opengist/templates/ingress.yaml

@@ -0,0 +1,47 @@
+{{- if .Values.ingress.enabled -}}
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+  name: {{ include "opengist.fullname" . }}
+  namespace: {{ .Values.namespace | default .Release.Namespace }}
+  labels:
+    {{- include "opengist.labels" . | nindent 4 }}
+    {{- if .Values.ingress.labels }}
+    {{- toYaml .Values.service.http.labels  | nindent 4 }}
+    {{- end }}
+  {{- with .Values.ingress.annotations }}
+  annotations:
+    {{- toYaml . | nindent 4 }}
+  {{- end }}
+spec:
+  {{- with .Values.ingress.className }}
+  ingressClassName: {{ . }}
+  {{- end }}
+  {{- if .Values.ingress.tls }}
+  tls:
+    {{- range .Values.ingress.tls }}
+    - hosts:
+        {{- range .hosts }}
+        - {{ . | quote }}
+        {{- end }}
+      secretName: {{ .secretName }}
+    {{- end }}
+  {{- end }}
+  rules:
+    {{- range .Values.ingress.hosts }}
+    - host: {{ .host | quote }}
+      http:
+        paths:
+          {{- range .paths }}
+          - path: {{ .path }}
+            {{- with .pathType }}
+            pathType: {{ . }}
+            {{- end }}
+            backend:
+              service:
+                name: {{ include "opengist.fullname" $ }}-http
+                port:
+                  number: {{ $.Values.service.http.port }}
+          {{- end }}
+    {{- end }}
+{{- end }}

helm/opengist/templates/pdb.yaml

@@ -0,0 +1,14 @@
+{{- if .Values.podDisruptionBudget -}}
+apiVersion: policy/v1
+kind: PodDisruptionBudget
+metadata:
+  name: {{ include "opengist.fullname" . }}
+  namespace: {{ .Values.namespace | default .Release.Namespace }}
+  labels:
+    {{- include "opengist.labels" . | nindent 4 }}
+spec:
+  selector:
+    matchLabels:
+      {{- include "opengist.selectorLabels" . | nindent 6 }}
+  {{- toYaml .Values.podDisruptionBudget | nindent 2 }}
+{{- end -}}

helm/opengist/templates/pvc-shared.yaml

@@ -0,0 +1,48 @@
+{{- /*
+This template creates a standalone PersistentVolumeClaim for shared persistence mode.
+
+Rendering conditions:
+  - statefulSet.enabled=true
+  - persistence.enabled=true
+  - persistence.mode=shared
+  - persistence.existingClaim is empty/unset
+  - persistence.create.enabled=true
+
+When rendered, this PVC is mounted by ALL replicas in the StatefulSet (typically with ReadWriteMany
+access mode for multi-replica deployments). This avoids per-replica volumeClaimTemplates and enables
+horizontal scaling with a single shared storage backend.
+
+If persistence.existingClaim is set, this template does NOT render; the StatefulSet instead references
+the existing claim name directly.
+*/}}
+{{- if and .Values.statefulSet.enabled .Values.persistence.enabled (eq (default "perReplica" .Values.persistence.mode) "shared") (ne (default "" .Values.persistence.existingClaim) "") | not }}{{- end }}
+{{- if and .Values.statefulSet.enabled .Values.persistence.enabled (eq (default "perReplica" .Values.persistence.mode) "shared") (eq (default "" .Values.persistence.existingClaim) "") .Values.persistence.create.enabled }}
+apiVersion: v1
+kind: PersistentVolumeClaim
+metadata:
+  name: {{ include "opengist.fullname" . }}-{{ default "shared" .Values.persistence.create.nameSuffix }}
+  labels:
+    {{- include "opengist.labels" . | nindent 4 }}
+    {{- with .Values.persistence.create.labels }}
+    {{- toYaml . | nindent 4 }}
+    {{- end }}
+  {{- with .Values.persistence.create.annotations }}
+  annotations:
+    {{- toYaml . | nindent 4 }}
+  {{- end }}
+spec:
+  accessModes:
+    {{- if .Values.persistence.create.accessModes }}
+    {{- toYaml .Values.persistence.create.accessModes | nindent 4 }}
+    {{- else }}
+    - ReadWriteMany
+    {{- end }}
+  resources:
+    requests:
+      storage: {{ default .Values.persistence.size .Values.persistence.create.size }}
+  volumeMode: Filesystem
+  {{- $sc := default .Values.persistence.storageClass .Values.persistence.create.storageClass }}
+  {{- if $sc }}
+  storageClassName: {{ $sc | quote }}
+  {{- end }}
+{{- end }}

helm/opengist/templates/pvc.yaml

@@ -0,0 +1,28 @@
+{{- if and .Values.persistence.enabled (not .Values.statefulSet.enabled) (not .Values.persistence.existingClaim) }}
+kind: PersistentVolumeClaim
+apiVersion: v1
+metadata:
+  name: {{ include "opengist.fullname" . }}-data
+  namespace: {{ .Release.Namespace }}
+{{- with .Values.persistence.annotations }}
+  annotations:
+    {{- toYaml . | nindent 4 }}
+  {{- end }}
+  labels:
+    {{- include "opengist.labels" . | nindent 4 }}
+    {{- if .Values.persistence.labels }}
+    {{- toYaml .Values.persistence.labels | nindent 4 }}
+    {{- end }}
+spec:
+  accessModes:
+  {{- if gt .Values.replicaCount 1.0 }}
+    - ReadWriteMany
+  {{- else }}
+    {{- .Values.persistence.accessModes | toYaml | nindent 4 }}
+  {{- end }}
+  volumeMode: Filesystem
+  storageClassName: {{ .Values.persistence.storageClass | quote }}
+  resources:
+    requests:
+      storage: {{ .Values.persistence.size }}
+{{- end }}

helm/opengist/templates/secret.yaml

@@ -0,0 +1,62 @@
+{{- if (not .Values.configExistingSecret) }}
+{{- $cfg := deepCopy .Values.config }}
+{{- /* Backward compatibility: map db-uri (deprecated) to db-uri key still expected by app, also accept dbUri coming from user */}}
+{{- if and (hasKey $cfg "dbUri") (not (hasKey $cfg "db-uri")) }}
+  {{- $_ := set $cfg "db-uri" (index $cfg "dbUri") }}
+{{- end }}
+{{- $dburi := default "" (index $cfg "db-uri") }}
+{{- /* Flatten possible nested index.meili.* structure if user passed --set config.index.meili.host=... */}}
+{{- if and (hasKey $cfg "index") (kindIs "map" (index $cfg "index")) }}
+  {{- $indexMap := (index $cfg "index") }}
+  {{- if hasKey $indexMap "type" }}
+    {{- $_ := set $cfg "index" (index $indexMap "type") }}
+  {{- end }}
+  {{- if hasKey $indexMap "meili" }}
+    {{- $meili := (index $indexMap "meili") }}
+    {{- if hasKey $meili "host" }}
+      {{- $_ := set $cfg "index.meili.host" (index $meili "host") }}
+    {{- end }}
+    {{- if hasKey $meili "api-key" }}
+      {{- $_ := set $cfg "index.meili.api-key" (index $meili "api-key") }}
+    {{- end }}
+  {{- end }}
+{{- end }}
+{{- if and .Values.postgresql.enabled (eq $dburi "") }}
+  {{- $user := default "" .Values.postgresql.global.postgresql.auth.username }}
+  {{- $pass := default "" .Values.postgresql.global.postgresql.auth.password }}
+  {{- $db := default "" .Values.postgresql.global.postgresql.auth.database }}
+  {{- $port := default 5432 .Values.postgresql.global.postgresql.service.ports.postgresql }}
+  {{- if or (eq $user "") (eq $pass "") (eq $db "") }}
+    {{- fail "postgresql.enabled=true requires username/password/database (postgresql.global.postgresql.auth.*) or set config.db-uri manually" }}
+  {{- end }}
+  {{- $autoHost := printf "%s-postgresql" (include "opengist.fullname" .) }}
+  {{- $autoUri := printf "postgres://%s:%s@%s:%d/%s" $user $pass $autoHost $port $db }}
+  {{- $_ := set $cfg "db-uri" $autoUri }}
+{{- end }}
+{{- $replicas := int .Values.replicaCount }}
+{{- $index := default "" (index $cfg "index") }}
+{{- /* Auto-set Meilisearch host if subchart enabled and host missing */}}
+{{- $meiliHost := default "" (index $cfg "index.meili.host") }}
+{{- if and .Values.meilisearch.enabled (eq $meiliHost "") }}
+  {{- $autoMeiliHost := printf "http://%s-meilisearch:7700" (include "opengist.fullname" .) }}
+  {{- $_ := set $cfg "index.meili.host" $autoMeiliHost }}
+  {{- if or (eq $index "") (ne $index "meilisearch") }}
+    {{- $_ := set $cfg "index" "meilisearch" }}
+    {{- $index = "meilisearch" }}
+  {{- end }}
+{{- end }}
+{{- if and (gt $replicas 1) (or (eq $index "") (eq $index "bleve")) }}
+  {{- fail "replicaCount>1 requires index set to 'meilisearch' (bleve not supported with multiple replicas)" }}
+{{- end }}
+apiVersion: v1
+kind: Secret
+metadata:
+  name: {{ include "opengist.fullname" . }}
+  namespace: {{ .Release.Namespace }}
+  labels:
+{{ include "opengist.labels" . | indent 4 }}
+type: Opaque
+stringData:
+  config.yml: |-
+    {{- $cfg | toYaml | nindent 4 }}
+{{- end }}

helm/opengist/templates/serviceaccount.yaml

@@ -0,0 +1,13 @@
+{{- if .Values.serviceAccount.create -}}
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: {{ include "opengist.serviceAccountName" . }}
+  namespace: {{ .Values.namespace | default .Release.Namespace }}
+  labels:
+    {{- include "opengist.labels" . | nindent 4 }}
+  {{- with .Values.serviceAccount.annotations }}
+  annotations:
+    {{- toYaml . | nindent 4 }}
+  {{- end }}
+{{- end }}

helm/opengist/templates/servicemonitor.yaml

@@ -0,0 +1,41 @@
+{{- if and (index .Values.config "metrics.enabled") .Values.service.metrics.serviceMonitor.enabled }}
+apiVersion: monitoring.coreos.com/v1
+kind: ServiceMonitor
+metadata:
+  name: {{ include "opengist.fullname" . }}
+  namespace: {{ .Values.namespace | default .Release.Namespace }}
+  labels:
+    {{- include "opengist.labels" . | nindent 4 }}
+    {{- with .Values.service.metrics.serviceMonitor.labels }}
+    {{- toYaml . | nindent 4 }}
+    {{- end }}
+  {{- with .Values.service.metrics.serviceMonitor.annotations }}
+  annotations:
+    {{- toYaml . | nindent 4 }}
+  {{- end }}
+spec:
+  endpoints:
+    - port: metrics
+      {{- with .Values.service.metrics.serviceMonitor.interval }}
+      interval: {{ . }}
+      {{- end }}
+      {{- with .Values.service.metrics.serviceMonitor.scrapeTimeout }}
+      scrapeTimeout: {{ . }}
+      {{- end }}
+      path: /metrics
+      {{- with .Values.service.metrics.serviceMonitor.relabelings }}
+      relabelings:
+        {{- toYaml . | nindent 8 }}
+      {{- end }}
+      {{- with .Values.service.metrics.serviceMonitor.metricRelabelings }}
+      metricRelabelings:
+        {{- toYaml . | nindent 8 }}
+      {{- end }}
+  namespaceSelector:
+    matchNames:
+      - {{ .Values.namespace | default .Release.Namespace }}
+  selector:
+    matchLabels:
+      {{- include "opengist.selectorLabels" . | nindent 6 }}
+      app.kubernetes.io/component: metrics
+{{- end }}

helm/opengist/templates/statefulset.yaml

@@ -0,0 +1,267 @@
+{{- if .Values.statefulSet.enabled }}
+{{- /*
+========================================
+VALIDATION BLOCK: Multi-replica requirements
+========================================
+Enforces constraints for scaling beyond 1 replica:
+  1. Database: Must use PostgreSQL/MySQL (not SQLite)
+  2. Persistence: Must be enabled
+  3. Storage sharing: Must use either existingClaim or mode=shared with create.enabled
+  4. Access mode: For mode=shared + create, must specify ReadWriteMany
+*/}}
+{{- $replicas := int .Values.replicaCount }}
+{{- $dburi := "" }}
+{{- if and .Values.config (hasKey .Values.config "dbUri") }}
+  {{- $dburi = (index .Values.config "dbUri") }}
+{{- else if and .Values.config (hasKey .Values.config "db-uri") }}
+  {{- $dburi = (index .Values.config "db-uri") }}
+{{- end }}
+{{- $scheme := "" }}
+{{- if ne $dburi "" }}
+  {{- $parts := splitList "://" $dburi }}
+  {{- if gt (len $parts) 0 }}
+    {{- $scheme = lower (index $parts 0) }}
+  {{- end }}
+{{- end }}
+{{- $multiAllowed := or (eq $scheme "postgres") (eq $scheme "postgresql") (eq $scheme "mysql") (eq $scheme "mariadb") }}
+{{- $p := .Values.persistence }}
+{{- $mode := default "perReplica" $p.mode }}
+{{- $hasExisting := ne (default "" $p.existingClaim) "" }}
+{{- $isShared := eq $mode "shared" }}
+
+{{- /* Fail fast: Database validation */}}
+{{- if and (gt $replicas 1) (not $multiAllowed) }}
+  {{- fail (printf "replicaCount=%d requires PostgreSQL/MySQL config.db-uri; scheme '%s' unsupported" $replicas $scheme) }}
+{{- end }}
+
+{{- /* Fail fast: Persistence must be enabled */}}
+{{- if and (gt $replicas 1) (not $p.enabled) }}
+  {{- fail (printf "replicaCount=%d requires persistence.enabled=true" $replicas) }}
+{{- end }}
+
+{{- /* Fail fast: Prevent per-replica PVC divergence */}}
+{{- if and (gt $replicas 1) (not (or $hasExisting $isShared)) }}
+  {{- fail (printf "replicaCount=%d requires either persistence.existingClaim (shared RWX PVC) OR persistence.mode=shared to create one; perReplica PVCs would diverge" $replicas) }}
+{{- end }}
+
+{{- /* Fail fast: Shared mode requires PVC source */}}
+{{- if and (gt $replicas 1) $isShared (not $hasExisting) (hasKey $p "create") (not (get $p.create "enabled")) }}
+  {{- fail (printf "persistence.mode=shared but neither existingClaim nor create.enabled=true provided") }}
+{{- end }}
+
+{{- /* Fail fast: Auto-created shared PVC must be RWX */}}
+{{- if and (gt $replicas 1) $isShared (not $hasExisting) $p.create.enabled }}
+  {{- $am := list }}
+  {{- if hasKey $p.create "accessModes" }}
+    {{- $am = $p.create.accessModes }}
+  {{- end }}
+  {{- $rwxOk := false }}
+  {{- range $am }}
+    {{- if or (eq . "ReadWriteMany") (eq . "RWX") }}
+      {{- $rwxOk = true }}
+    {{- end }}
+  {{- end }}
+  {{- if not $rwxOk }}
+    {{- fail "persistence.mode=shared create.accessModes must include ReadWriteMany for multi-replica" }}
+  {{- end }}
+{{- end }}
+apiVersion: apps/v1
+kind: StatefulSet
+metadata:
+  name: {{ include "opengist.fullname" . }}
+  namespace: {{ .Values.namespace | default .Release.Namespace }}
+  labels:
+    {{- include "opengist.labels" . | nindent 4 }}
+    {{- if .Values.deployment.labels }}
+    {{- toYaml .Values.deployment.labels | nindent 4 }}
+    {{- end }}
+  {{- with .Values.deployment.annotations }}
+  annotations:
+    {{- toYaml . | nindent 4 }}
+  {{- end }}
+spec:
+  replicas: {{ .Values.replicaCount }}
+  serviceName: {{ include "opengist.fullname" . }}-http
+  podManagementPolicy: {{ .Values.statefulSet.podManagementPolicy }}
+  updateStrategy:
+    {{- toYaml .Values.statefulSet.updateStrategy | nindent 2 }}
+  selector:
+    matchLabels:
+      {{- include "opengist.selectorLabels" . | nindent 6 }}
+  template:
+    metadata:
+      annotations:
+        checksum/config: {{ include (print $.Template.BasePath "/secret.yaml") . | sha256sum }}
+      {{- with .Values.podAnnotations }}
+        {{- toYaml . | nindent 8 }}
+      {{- end }}
+      labels:
+        {{- include "opengist.labels" . | nindent 8 }}
+        {{- with .Values.podLabels }}
+        {{- toYaml . | nindent 8 }}
+        {{- end }}
+    spec:
+      {{- if .Values.deployment.terminationGracePeriodSeconds }}
+      terminationGracePeriodSeconds: {{ .Values.deployment.terminationGracePeriodSeconds }}
+      {{- end }}
+      {{- with .Values.imagePullSecrets }}
+      imagePullSecrets:
+        {{- toYaml . | nindent 8 }}
+      {{- end }}
+      serviceAccountName: {{ include "opengist.serviceAccountName" . }}
+      securityContext:
+        {{- toYaml .Values.podSecurityContext | nindent 8 }}
+      initContainers:
+        - name: init-config
+          image: busybox:1.37
+          imagePullPolicy: IfNotPresent
+          command: ['sh', '-c', 'cp /init/config/config.yml /config-volume/config.yml']
+          volumeMounts:
+            - name: config-secret
+              mountPath: /init/config
+            - name: config-volume
+              mountPath: /config-volume
+          {{- if .Values.deployment.env }}
+          env:
+            {{- toYaml .Values.deployment.env | nindent 12 }}
+          {{- end }}
+      containers:
+        - name: {{ .Chart.Name }}
+          securityContext:
+            {{- toYaml .Values.securityContext | nindent 12 }}
+          image: "{{ .Values.image.repository }}:{{ .Values.image.tag | default .Chart.AppVersion }}"
+          imagePullPolicy: {{ .Values.image.pullPolicy }}
+          ports:
+            - name: http
+              containerPort: {{ .Values.service.http.port }}
+              protocol: TCP
+          {{- if .Values.service.ssh.enabled }}
+            - name: ssh
+              containerPort: {{ .Values.service.ssh.port }}
+              protocol: TCP
+          {{- end }}
+          {{- if index .Values.config "metrics.enabled" }}
+            - name: metrics
+              containerPort: {{ .Values.service.metrics.port }}
+              protocol: TCP
+          {{- end }}
+          {{- if .Values.livenessProbe.enabled }}
+          livenessProbe:
+            {{- toYaml (omit .Values.livenessProbe "enabled") | nindent 12 }}
+            httpGet:
+              port: http
+              path: /healthcheck
+          {{- end }}
+          {{- if .Values.readinessProbe.enabled }}
+          readinessProbe:
+            {{- toYaml (omit .Values.readinessProbe "enabled") | nindent 12 }}
+            httpGet:
+              port: http
+              path: /healthcheck
+          {{- end }}
+          resources:
+            {{- toYaml .Values.resources | nindent 12 }}
+          volumeMounts:
+            - name: config-volume
+              mountPath: /config.yml
+              subPath: config.yml
+            - name: opengist-data
+              mountPath: /opengist
+          {{- if gt (len .Values.extraVolumeMounts) 0 }}
+            {{- toYaml .Values.extraVolumeMounts | nindent 12 }}
+          {{- end }}
+      volumes:
+        - name: config-secret
+          secret:
+            secretName: {{ include "opengist.secretName" . }}
+            defaultMode: 511
+        - name: config-volume
+          emptyDir: {}
+        {{- /*
+        ========================================
+        VOLUME MOUNTING DECISION TREE
+        ========================================
+        Priority order:
+          1. existingClaim (user-provided PVC) → mount directly
+          2. mode=shared (chart-created PVC)   → mount shared PVC
+          3. mode=perReplica                   → use volumeClaimTemplates (defined below)
+          4. persistence disabled              → use emptyDir (ephemeral)
+        */}}
+        {{- if .Values.persistence.enabled }}
+          {{- if ne (default "" .Values.persistence.existingClaim) "" }}
+            {{- /* User-provided existing claim: mount directly */}}
+        - name: opengist-data
+          persistentVolumeClaim:
+            claimName: {{ .Values.persistence.existingClaim }}
+          {{- else if eq (default "perReplica" .Values.persistence.mode) "shared" }}
+            {{- /* Chart creates shared PVC (via pvc-shared.yaml), reference by name */}}
+        - name: opengist-data
+          persistentVolumeClaim:
+            claimName: {{ include "opengist.fullname" . }}-{{ default "shared" .Values.persistence.create.nameSuffix }}
+          {{- else if not .Values.persistence.enabled }}
+        - name: opengist-data
+          emptyDir: {}
+          {{- end }}
+        {{- else }}
+        - name: opengist-data
+          emptyDir: {}
+        {{- end }}
+        {{- if gt (len .Values.extraVolumes) 0 }}
+          {{- toYaml .Values.extraVolumes | nindent 8 }}
+        {{- end }}
+      {{- with .Values.nodeSelector }}
+      nodeSelector:
+        {{- toYaml . | nindent 8 }}
+      {{- end }}
+      {{- with .Values.affinity }}
+      affinity:
+        {{- toYaml . | nindent 8 }}
+      {{- end }}
+      {{- with .Values.tolerations }}
+      tolerations:
+        {{- toYaml . | nindent 8 }}
+      {{- end }}
+  {{- /*
+  ========================================
+  VOLUMECLAIMTEMPLATES DECISION TREE
+  ========================================
+  volumeClaimTemplates are ONLY used for perReplica mode when:
+    - persistence.enabled=true
+    - persistence.existingClaim is empty
+    - persistence.mode=perReplica (default)
+
+  This creates one PVC per replica (RWO typically).
+
+  NOT used when:
+    - existingClaim is set (PVC already exists, referenced in volumes above)
+    - mode=shared (standalone PVC created via pvc-shared.yaml)
+    - persistence disabled (emptyDir used)
+
+  WARNING: perReplica + replicaCount>1 causes data divergence. Use shared mode for multi-replica.
+  */}}
+  {{- if and .Values.persistence.enabled (ne (default "" .Values.persistence.existingClaim) "") }}
+    {{- /* existingClaim path: no volumeClaimTemplates, already mounted above */}}
+  {{- else if and .Values.persistence.enabled (eq (default "perReplica" .Values.persistence.mode) "shared") }}
+    {{- /* shared mode: no volumeClaimTemplates, standalone PVC rendered via pvc-shared.yaml */}}
+  {{- else if and .Values.persistence.enabled (eq (default "perReplica" .Values.persistence.mode) "perReplica") }}
+  volumeClaimTemplates:
+    - metadata:
+        name: opengist-data
+        labels:
+          {{- include "opengist.labels" . | nindent 10 }}
+        {{- with .Values.persistence.annotations }}
+        annotations:
+          {{- toYaml . | nindent 10 }}
+        {{- end }}
+      spec:
+        accessModes:
+          {{- .Values.persistence.accessModes | toYaml | nindent 10 }}
+        volumeMode: Filesystem
+        {{- if .Values.persistence.storageClass }}
+        storageClassName: {{ .Values.persistence.storageClass | quote }}
+        {{- end }}
+        resources:
+          requests:
+            storage: {{ .Values.persistence.size | default "10Gi" }}
+  {{- end }}
+{{- end }}

helm/opengist/templates/svc-http.yaml

@@ -0,0 +1,47 @@
+apiVersion: v1
+kind: Service
+metadata:
+  name: {{ include "opengist.fullname" . }}-http
+  namespace: {{ .Values.namespace | default .Release.Namespace }}
+  labels:
+    {{- include "opengist.labels" . | nindent 4 }}
+    {{- if .Values.service.http.labels }}
+    {{- toYaml .Values.service.http.labels  | nindent 4 }}
+    {{- end }}
+  {{- with .Values.service.http.annotations }}
+  annotations:
+    {{- toYaml . | nindent 4 }}
+  {{- end }}
+
+spec:
+  type: {{ .Values.service.http.type }}
+  {{- if eq .Values.service.http.type "LoadBalancer" }}
+  {{- if and .Values.service.http.loadBalancerIP }}
+  loadBalancerIP: {{ .Values.service.http.loadBalancerIP  }}
+  {{- end }}
+  {{- if .Values.service.http.loadBalancerSourceRanges }}
+  loadBalancerSourceRanges:
+  {{- range .Values.service.http.loadBalancerSourceRanges }}
+    - {{ . }}
+  {{- end }}
+  {{- end }}
+  {{- end }}
+  {{- if .Values.service.http.externalIPs }}
+  externalIPs:
+    {{- toYaml .Values.service.http.externalIPs | nindent 4 }}
+  {{- end }}
+  {{- if .Values.service.http.externalTrafficPolicy }}
+  externalTrafficPolicy: {{ .Values.service.http.externalTrafficPolicy }}
+  {{- end }}
+  {{- if and .Values.service.http.clusterIP (eq .Values.service.http.type "ClusterIP") }}
+  clusterIP: {{ .Values.service.http.clusterIP }}
+  {{- end }}
+  ports:
+    - name: http
+      port: {{ .Values.service.http.port }}
+    {{- if  .Values.service.http.nodePort }}
+      nodePort: {{ .Values.service.http.nodePort }}
+    {{- end }}
+      targetPort: {{ index .Values.config "http.port" }}
+  selector:
+    {{- include "opengist.selectorLabels" . | nindent 4 }}

helm/opengist/templates/svc-metrics.yaml

@@ -0,0 +1,32 @@
+{{- if index .Values.config "metrics.enabled" }}
+apiVersion: v1
+kind: Service
+metadata:
+  name: {{ include "opengist.fullname" . }}-metrics
+  namespace: {{ .Values.namespace | default .Release.Namespace }}
+  labels:
+    {{- include "opengist.labels" . | nindent 4 }}
+    app.kubernetes.io/component: metrics
+    {{- with .Values.service.metrics.labels }}
+    {{- toYaml . | nindent 4 }}
+    {{- end }}
+  {{- with .Values.service.metrics.annotations }}
+  annotations:
+    {{- toYaml . | nindent 4 }}
+  {{- end }}
+spec:
+  type: {{ .Values.service.metrics.type }}
+  {{- if .Values.service.metrics.clusterIP }}
+  clusterIP: {{ .Values.service.metrics.clusterIP }}
+  {{- end }}
+  ports:
+    - port: {{ .Values.service.metrics.port }}
+      targetPort: metrics
+      protocol: TCP
+      name: metrics
+      {{- if and (eq .Values.service.metrics.type "NodePort") .Values.service.metrics.nodePort }}
+      nodePort: {{ .Values.service.metrics.nodePort }}
+      {{- end }}
+  selector:
+    {{- include "opengist.selectorLabels" . | nindent 4 }}
+{{- end }}

helm/opengist/templates/svc-ssh.yaml

@@ -0,0 +1,64 @@
+{{- if .Values.service.ssh.enabled }}
+apiVersion: v1
+kind: Service
+metadata:
+  name: {{ include "opengist.fullname" . }}-ssh
+  namespace: {{ .Values.namespace | default .Release.Namespace }}
+  labels:
+    {{- include "opengist.labels" . | nindent 4 }}
+    {{- if .Values.service.ssh.labels }}
+    {{- toYaml .Values.service.ssh.labels  | nindent 4 }}
+    {{- end }}
+  {{- with .Values.service.http.annotations }}
+  annotations:
+    {{- toYaml . | nindent 4 }}
+  {{- end }}
+spec:
+  type: {{ .Values.service.ssh.type }}
+  {{- if eq .Values.service.ssh.type "LoadBalancer" }}
+  {{- if .Values.service.ssh.loadBalancerClass }}
+  loadBalancerClass: {{ .Values.service.ssh.loadBalancerClass }}
+  {{- end }}
+  {{- if .Values.service.ssh.loadBalancerIP }}
+  loadBalancerIP: {{ .Values.service.ssh.loadBalancerIP }}
+  {{- end -}}
+  {{- if .Values.service.ssh.loadBalancerSourceRanges }}
+  loadBalancerSourceRanges:
+  {{- range .Values.service.ssh.loadBalancerSourceRanges }}
+    - {{ . }}
+  {{- end }}
+  {{- end }}
+  {{- end }}
+  {{- if and .Values.service.ssh.clusterIP (eq .Values.service.ssh.type "ClusterIP") }}
+  clusterIP: {{ .Values.service.ssh.clusterIP }}
+  {{- end }}
+  {{- if .Values.service.ssh.externalIPs }}
+  externalIPs:
+    {{- toYaml .Values.service.ssh.externalIPs | nindent 4 }}
+  {{- end }}
+  {{- if .Values.service.ssh.ipFamilyPolicy }}
+  ipFamilyPolicy: {{ .Values.service.ssh.ipFamilyPolicy }}
+  {{- end }}
+  {{- with .Values.service.ssh.ipFamilies }}
+  ipFamilies:
+  {{- toYaml . | nindent 4 }}
+  {{- end -}}
+  {{- if .Values.service.ssh.externalTrafficPolicy }}
+  externalTrafficPolicy: {{ .Values.service.ssh.externalTrafficPolicy }}
+  {{- end }}
+  ports:
+    - name: ssh
+      port: {{ .Values.service.ssh.port }}
+      {{- if .Values.service.ssh.nodePort }}
+      nodePort: {{ .Values.service.ssh.nodePort }}
+      {{- end }}
+      {{- if index .Values.config "ssh.port" }}
+      targetPort: {{ index .Values.config "ssh.port" }}
+      {{- else }}
+      targetPort: 2222
+      {{- end }}
+      protocol: TCP
+
+  selector:
+    {{- include "opengist.selectorLabels" . | nindent 4 }}
+{{- end }}

helm/opengist/templates/tests/test-connection.yaml

@@ -0,0 +1,15 @@
+apiVersion: v1
+kind: Pod
+metadata:
+  name: "{{ include "opengist.fullname" . }}-test-connection"
+  labels:
+    {{- include "opengist.labels" . | nindent 4 }}
+  annotations:
+    "helm.sh/hook": test
+spec:
+  containers:
+    - name: wget
+      image: busybox
+      command: ['wget']
+      args: ['{{ include "opengist.fullname" . }}:{{ .Values.service.port }}']
+  restartPolicy: Never

helm/opengist/values.yaml

@@ -0,0 +1,296 @@
+## Kubernetes workload configuration for Opengist
+nameOverride: ""
+fullnameOverride: ""
+namespace: ""
+
+## Opengist YAML Application Config. See more at https://opengist.io/docs/configuration/cheat-sheet.html
+## This will create a Kubernetes secret with the key `config.yml` containing the YAML configuration mounted in the pod.
+config:
+  log-level: "warn"
+  log-output: "stdout"
+  metrics.enabled: false
+
+## If defined, the existing secret will be used instead of creating a new one.
+## The secret must contain a key named `config.yml` with the YAML configuration.
+configExistingSecret: ""
+
+## Define the image repository and tag to use.
+image:
+  repository: ghcr.io/thomiceli/opengist
+  pullPolicy: Always
+  tag: "1.12.1"
+  digest: ""
+imagePullSecrets: []
+# - name: "image-pull-secret"
+
+## Define the deployment replica count
+replicaCount: 1
+
+## Define the deployment strategy type
+strategy:
+  type: "RollingUpdate"
+  rollingUpdate:
+    maxSurge: "100%"
+    maxUnavailable: 0
+
+## StatefulSet configuration
+## Enables StatefulSet workload instead of Deployment (required for volumeClaimTemplates or stable pod identities).
+##
+## Single-replica SQLite example (default behavior):
+##   statefulSet.enabled: true
+##   replicaCount: 1
+##   persistence.mode: perReplica  # or omit (default)
+##   # Creates one PVC per pod via volumeClaimTemplates (RWO)
+##
+## Multi-replica requirements (replicaCount > 1):
+##   1. External database: config.db-uri must be postgres:// or mysql:// (SQLite NOT supported)
+##   2. Shared storage: Use ONE of:
+##      a) Existing claim:  persistence.existingClaim: "my-rwx-pvc"
+##      b) Chart-created:   persistence.mode: shared + persistence.create.enabled: true + accessModes: [ReadWriteMany]
+##   3. Chart will FAIL FAST if constraints are not met to prevent data divergence
+##
+## Persistence decision tree:
+##   - persistence.existingClaim set         → mount that PVC directly (no volumeClaimTemplates)
+##   - persistence.mode=shared + create.*    → chart creates single RWX PVC, all pods mount it
+##   - persistence.mode=perReplica (default) → volumeClaimTemplates (one PVC/pod, RWO typically)
+##   - persistence.enabled=false             → emptyDir (ephemeral)
+
+statefulSet:
+  enabled: false
+  podManagementPolicy: OrderedReady
+  updateStrategy:
+    type: RollingUpdate
+
+## Security Context settings
+## ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/
+podSecurityContext:
+  fsGroup: 1000
+securityContext: {}
+# allowPrivilegeEscalation: false
+
+## Pod Disruption Budget settings
+## ref: https://kubernetes.io/docs/tasks/run-application/configure-pdb/
+podDisruptionBudget: {}
+#  maxUnavailable: 1
+#  minAvailable: 1
+
+## Set the Kubernetes service type
+## ref: https://kubernetes.io/docs/concepts/services-networking/service/
+service:
+  http:
+    type: ClusterIP
+    clusterIP:
+    port: 6157
+    nodePort:
+    loadBalancerIP:
+    externalIPs: []
+    labels: {}
+    annotations: {}
+    loadBalancerSourceRanges: []
+    externalTrafficPolicy:
+
+  ssh:
+    enabled: true
+    type: ClusterIP
+    clusterIP:
+    port: 2222
+    nodePort:
+    loadBalancerIP:
+    externalIPs: []
+    labels: {}
+    annotations: {}
+    loadBalancerSourceRanges: []
+    externalTrafficPolicy:
+
+  # A metrics K8S service on port 6158 is created when the Opengist config metrics.enabled: true
+  metrics:
+    type: ClusterIP
+    clusterIP:
+    port: 6158
+    nodePort:
+    labels: {}
+    annotations: {}
+
+    # A service monitor can be used to work with your Prometheus setup.
+    serviceMonitor:
+      enabled: true
+      labels: {}
+      #  release: kube-prom-stack
+      interval:
+      scrapeTimeout:
+      annotations: {}
+      relabelings: []
+      metricRelabelings: []
+
+## HTTP Ingress for Opengist
+## ref: https://kubernetes.io/docs/concepts/services-networking/ingress/
+ingress:
+  enabled: false
+  className: ""
+  labels: {}
+    # node-role.kubernetes.io/ingress: platform
+  annotations: {}
+    # kubernetes.io/ingress.class: nginx
+  hosts:
+    - host: opengist.example.com
+      paths:
+        - path: /
+          pathType: Prefix
+  tls: []
+    # - secretName: opengist-tls
+    #   hosts:
+    #     - opengist.example.com
+
+## Service Account for Opengist pods
+## ref: https://kubernetes.io/docs/concepts/security/service-accounts/
+serviceAccount:
+  create: true
+  annotations: {}
+  name: ""
+
+## Persistent storage for /opengist data directory
+## ref: https://kubernetes.io/docs/concepts/storage/persistent-volumes/
+persistence:
+  enabled: true
+
+  ## Persistence mode controls how storage is provisioned:
+  ##
+  ## perReplica (DEFAULT):
+  ##   - StatefulSet creates one PVC per replica via volumeClaimTemplates
+  ##   - Typically RWO (ReadWriteOnce) storage
+  ##   - Safe ONLY for replicaCount=1 (multi-replica causes data divergence)
+  ##   - Use when: single-node dev/test, no horizontal scaling needed
+  ##
+  ## shared:
+  ##   - Single RWX (ReadWriteMany) PVC shared by all replicas
+  ##   - Required for replicaCount > 1
+  ##   - Two provisioning paths:
+  ##     a) existingClaim: "my-rwx-pvc" (you manage the PVC lifecycle)
+  ##     b) existingClaim: "" + create.enabled: true (chart creates PVC automatically)
+  ##   - Use when: multi-replica HA, horizontal scaling, shared file access
+  ##
+  ## WARNING: Switching modes after initial deploy requires manual data migration:
+  ##   1. Scale down to 1 replica
+  ##   2. Create/provision RWX PVC and copy data
+  ##   3. Update values: mode=shared, existingClaim or create.enabled
+  ##   4. Scale up
+  mode: perReplica
+
+  ## Reference an existing PVC (takes precedence over create.*)
+  ## When set:
+  ##   - Chart will NOT create a PVC
+  ##   - StatefulSet mounts this claim directly (no volumeClaimTemplates)
+  ##   - Must be RWX for replicaCount > 1
+  ## Example: existingClaim: "opengist-shared-rwx"
+  existingClaim: ""
+
+  ## Common persistence parameters (apply to perReplica mode OR as defaults for create.*)
+  storageClass: ""       # Empty = cluster default
+  labels: {}
+  annotations:
+    helm.sh/resource-policy: keep  # Prevents PVC deletion on helm uninstall
+  size: 5Gi
+  accessModes:
+    - ReadWriteOnce      # perReplica default; override to [ReadWriteMany] if using existingClaim
+  subPath: ""            # Optional subpath within volume
+
+  ## Chart-managed PVC creation (ONLY for mode=shared when existingClaim is empty)
+  ## Renders templates/pvc-shared.yaml
+  create:
+    enabled: true
+    nameSuffix: shared   # PVC name: <release-name>-shared
+    storageClass: ""     # Empty = cluster default; override if you need specific storage class
+    size: 5Gi            # Override top-level persistence.size if needed
+    accessModes:
+      - ReadWriteMany    # REQUIRED for multi-replica; NFS/CephFS/Longhorn RWX/etc.
+    labels: {}
+    annotations: {}
+    ## Example for specific storage:
+    ##   storageClass: "nfs-client"
+    ##   size: 20Gi
+
+extraVolumes: []
+extraVolumeMounts: []
+
+## Additional pod labels and annotations
+podLabels: {}
+podAnnotations: {}
+
+## Configure resource requests and limits
+## ref: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/
+resources: {}
+  # limits:
+  #   cpu: 100m
+  #   memory: 128Mi
+  # requests:
+  #   cpu: 100m
+  #   memory: 128Mi
+
+
+## Configure the liveness and readiness probes
+## ref: https://kubernetes.io/docs/concepts/configuration/liveness-readiness-startup-probes/
+livenessProbe:
+  enabled: true
+  initialDelaySeconds: 200
+  timeoutSeconds: 1
+  periodSeconds: 10
+  successThreshold: 1
+  failureThreshold: 5
+
+readinessProbe:
+  enabled: true
+  initialDelaySeconds: 5
+  timeoutSeconds: 1
+  periodSeconds: 10
+  successThreshold: 1
+  failureThreshold: 3
+
+## Define autoscaling configuration using Horizontal Pod Autoscaler
+## ref: https://kubernetes.io/docs/tasks/run-application/horizontal-pod-autoscale/
+autoscaling:
+  enabled: false
+  minReplicas: 1
+  maxReplicas: 10
+  targetCPUUtilizationPercentage: 80
+  # targetMemoryUtilizationPercentage: 80
+  annotations: {}
+
+## Additional deployment configuration
+deployment:
+  env: []
+  terminationGracePeriodSeconds: 60
+  labels: {}
+  annotations: {}
+
+## Set pod assignment with node labels
+## ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/
+nodeSelector: {}
+tolerations: []
+affinity: {}
+
+## Use PostgreSQL as a database, using Bitnami's PostgreSQL Helm chart
+## ref: https://artifacthub.io/packages/helm/bitnami/postgresql/16.5.6
+postgresql:
+  enabled: false
+  global:
+    postgresql:
+      auth:
+        username: opengist
+        password: opengist
+        database: opengist
+      service:
+        ports:
+          postgresql: 5432
+  primary:
+    persistence:
+      size: 10Gi
+
+
+## Use Meilisearch as a code indexer, using Meilisearch's Helm chart
+## ref: https://github.com/meilisearch/meilisearch-kubernetes/tree/meilisearch-0.12.0
+meilisearch:
+  enabled: false
+  environment:
+    MEILI_ENV: "production"
+  auth:
+    existingMasterKeySecret:

internal/actions/actions.go

@@ -0,0 +1,185 @@
+package actions
+
+import (
+	"github.com/rs/zerolog/log"
+	"github.com/thomiceli/opengist/internal/config"
+	"github.com/thomiceli/opengist/internal/db"
+	"github.com/thomiceli/opengist/internal/git"
+	"github.com/thomiceli/opengist/internal/index"
+	"os"
+	"path/filepath"
+	"strings"
+	"sync"
+)
+
+type ActionStatus struct {
+	Running bool
+}
+
+const (
+	SyncReposFromFS = iota
+	SyncReposFromDB
+	GitGcRepos
+	SyncGistPreviews
+	ResetHooks
+	IndexGists
+	SyncGistLanguages
+)
+
+var (
+	mutex   sync.Mutex
+	actions = make(map[int]ActionStatus)
+)
+
+func updateActionStatus(actionType int, running bool) {
+	actions[actionType] = ActionStatus{
+		Running: running,
+	}
+}
+
+func IsRunning(actionType int) bool {
+	mutex.Lock()
+	defer mutex.Unlock()
+	return actions[actionType].Running
+}
+
+func Run(actionType int) {
+	mutex.Lock()
+
+	if actions[actionType].Running {
+		mutex.Unlock()
+		return
+	}
+
+	updateActionStatus(actionType, true)
+	mutex.Unlock()
+
+	defer func() {
+		mutex.Lock()
+		updateActionStatus(actionType, false)
+		mutex.Unlock()
+	}()
+
+	var functionToRun func()
+	switch actionType {
+	case SyncReposFromFS:
+		functionToRun = syncReposFromFS
+	case SyncReposFromDB:
+		functionToRun = syncReposFromDB
+	case GitGcRepos:
+		functionToRun = gitGcRepos
+	case SyncGistPreviews:
+		functionToRun = syncGistPreviews
+	case ResetHooks:
+		functionToRun = resetHooks
+	case IndexGists:
+		functionToRun = indexGists
+	case SyncGistLanguages:
+		functionToRun = syncGistLanguages
+	default:
+		log.Error().Msg("Unknown action type")
+	}
+
+	functionToRun()
+}
+
+func syncReposFromFS() {
+	log.Info().Msg("Syncing repositories from filesystem...")
+	gists, err := db.GetAllGistsRows()
+	if err != nil {
+		log.Error().Err(err).Msg("Cannot get gists")
+		return
+	}
+	for _, gist := range gists {
+		// if repository does not exist, delete gist from database
+		if _, err := os.Stat(git.RepositoryPath(gist.User.Username, gist.Uuid)); err != nil && !os.IsExist(err) {
+			if err2 := gist.Delete(); err2 != nil {
+				log.Error().Err(err2).Msgf("Cannot delete gist %d", gist.ID)
+			}
+		}
+	}
+}
+
+func syncReposFromDB() {
+	log.Info().Msg("Syncing repositories from database...")
+	entries, err := filepath.Glob(filepath.Join(config.GetHomeDir(), "repos", "*", "*"))
+	if err != nil {
+		log.Error().Err(err).Msg("Cannot read repos directories")
+		return
+	}
+
+	for _, e := range entries {
+		path := strings.Split(e, string(os.PathSeparator))
+		gist, _ := db.GetGist(path[len(path)-2], path[len(path)-1])
+
+		if gist.ID == 0 {
+			if err := git.DeleteRepository(path[len(path)-2], path[len(path)-1]); err != nil {
+				log.Error().Err(err).Msgf("Cannot delete repository %s/%s", path[len(path)-2], path[len(path)-1])
+			}
+		}
+	}
+}
+
+func gitGcRepos() {
+	log.Info().Msg("Garbage collecting all repositories...")
+	if err := git.GcRepos(); err != nil {
+		log.Error().Err(err).Msg("Error garbage collecting repositories")
+	}
+}
+
+func syncGistPreviews() {
+	log.Info().Msg("Syncing all Gist previews...")
+
+	gists, err := db.GetAllGistsRows()
+	if err != nil {
+		log.Error().Err(err).Msg("Cannot get gists")
+		return
+	}
+	for _, gist := range gists {
+		if err = gist.UpdatePreviewAndCount(false); err != nil {
+			log.Error().Err(err).Msgf("Cannot update preview and count for gist %d", gist.ID)
+		}
+	}
+}
+
+func resetHooks() {
+	log.Info().Msg("Resetting Git server hooks for all repositories...")
+	if err := git.ResetHooks(); err != nil {
+		log.Error().Err(err).Msg("Error resetting hooks for repositories")
+	}
+}
+
+func indexGists() {
+	log.Info().Msg("Indexing all Gists...")
+	gists, err := db.GetAllGistsRows()
+	if err != nil {
+		log.Error().Err(err).Msg("Cannot get gists")
+		return
+	}
+
+	for _, gist := range gists {
+		log.Info().Msgf("Indexing gist %d", gist.ID)
+		indexedGist, err := gist.ToIndexedGist()
+		if err != nil {
+			log.Error().Err(err).Msgf("Cannot convert gist %d to indexed gist", gist.ID)
+			continue
+		}
+		if err = index.AddInIndex(indexedGist); err != nil {
+			log.Error().Err(err).Msgf("Cannot index gist %d", gist.ID)
+		}
+	}
+}
+
+func syncGistLanguages() {
+	log.Info().Msg("Syncing all Gist languages...")
+	gists, err := db.GetAllGistsRows()
+	if err != nil {
+		log.Error().Err(err).Msg("Cannot get gists")
+		return
+	}
+
+	for _, gist := range gists {
+		log.Info().Msgf("Syncing languages for gist %d", gist.ID)
+		gist.UpdateLanguages()
+	}
+}

internal/auth/auth.go

@@ -0,0 +1,18 @@
+package auth
+
+type AuthInfoProvider interface {
+	RequireLogin() (bool, error)
+	AllowGistsWithoutLogin() (bool, error)
+}
+
+func ShouldAllowUnauthenticatedGistAccess(prov AuthInfoProvider, isSingleGistAccess bool) (bool, error) {
+	require, err := prov.RequireLogin()
+	if err != nil {
+		return false, err
+	}
+	allow, err := prov.AllowGistsWithoutLogin()
+	if err != nil {
+		return false, err
+	}
+	return !require || (isSingleGistAccess && allow), nil
+}

internal/auth/ldap/ldap.go

@@ -0,0 +1,64 @@
+package ldap
+
+import (
+	"fmt"
+	"github.com/go-ldap/ldap/v3"
+	"github.com/thomiceli/opengist/internal/config"
+)
+
+func Enabled() bool {
+	return config.C.LDAPUrl != ""
+}
+
+// Authenticate attempts to authenticate a user against the configured LDAP instance.
+func Authenticate(username, password string) (bool, error) {
+	l, err := ldap.DialURL(config.C.LDAPUrl)
+	if err != nil {
+		return false, fmt.Errorf("unable to connect to URI: %v", config.C.LDAPUrl)
+	}
+	defer func(l *ldap.Conn) {
+		_ = l.Close()
+	}(l)
+
+	// First bind with a read only user
+	err = l.Bind(config.C.LDAPBindDn, config.C.LDAPBindCredentials)
+	if err != nil {
+		return false, err
+	}
+
+	searchFilter := fmt.Sprintf(config.C.LDAPSearchFilter, username)
+	searchRequest := ldap.NewSearchRequest(
+		config.C.LDAPSearchBase,
+		ldap.ScopeWholeSubtree,
+		ldap.NeverDerefAliases,
+		0,
+		0,
+		false,
+		searchFilter,
+		[]string{"dn"},
+		nil,
+	)
+
+	sr, err := l.Search(searchRequest)
+	if err != nil {
+		return false, err
+	}
+
+	if len(sr.Entries) != 1 {
+		return false, nil
+	}
+
+	// Bind as the user to verify their password
+	err = l.Bind(sr.Entries[0].DN, password)
+	if err != nil {
+		return false, nil
+	}
+
+	// Rebind as the read only user for any further queries
+	err = l.Bind(config.C.LDAPBindDn, config.C.LDAPBindCredentials)
+	if err != nil {
+		return false, err
+	}
+
+	return true, nil
+}

internal/auth/oauth/gitea.go

@@ -0,0 +1,89 @@
+package oauth
+
+import (
+	gocontext "context"
+
+	"net/http"
+
+	"github.com/markbates/goth"
+	"github.com/markbates/goth/gothic"
+	"github.com/markbates/goth/providers/gitea"
+	"github.com/thomiceli/opengist/internal/config"
+	"github.com/thomiceli/opengist/internal/db"
+	"github.com/thomiceli/opengist/internal/web/context"
+)
+
+type GiteaProvider struct {
+	Provider
+	URL string
+}
+
+func (p *GiteaProvider) RegisterProvider() error {
+	goth.UseProviders(
+		gitea.NewCustomisedURL(
+			config.C.GiteaClientKey,
+			config.C.GiteaSecret,
+			urlJoin(p.URL, "/oauth/gitea/callback"),
+			urlJoin(config.C.GiteaUrl, "/login/oauth/authorize"),
+			urlJoin(config.C.GiteaUrl, "/login/oauth/access_token"),
+			urlJoin(config.C.GiteaUrl, "/api/v1/user"),
+		),
+	)
+
+	return nil
+}
+
+func (p *GiteaProvider) BeginAuthHandler(ctx *context.Context) {
+	ctxValue := gocontext.WithValue(ctx.Request().Context(), gothic.ProviderParamKey, GiteaProviderString)
+	ctx.SetRequest(ctx.Request().WithContext(ctxValue))
+
+	gothic.BeginAuthHandler(ctx.Response(), ctx.Request())
+}
+
+func (p *GiteaProvider) UserHasProvider(user *db.User) bool {
+	return user.GiteaID != ""
+}
+
+func NewGiteaProvider(url string) *GiteaProvider {
+	return &GiteaProvider{
+		URL: url,
+	}
+}
+
+type GiteaCallbackProvider struct {
+	CallbackProvider
+	User *goth.User
+}
+
+func (p *GiteaCallbackProvider) GetProvider() string {
+	return GiteaProviderString
+}
+
+func (p *GiteaCallbackProvider) GetProviderUser() *goth.User {
+	return p.User
+}
+
+func (p *GiteaCallbackProvider) GetProviderUserID(user *db.User) bool {
+	return user.GiteaID != ""
+}
+
+func (p *GiteaCallbackProvider) GetProviderUserSSHKeys() ([]string, error) {
+	resp, err := http.Get(urlJoin(config.C.GiteaUrl, p.User.NickName+".keys"))
+	if err != nil {
+		return nil, err
+	}
+	defer resp.Body.Close()
+
+	return readKeys(resp)
+}
+
+func (p *GiteaCallbackProvider) UpdateUserDB(user *db.User) {
+	user.GiteaID = p.User.UserID
+	user.AvatarURL = p.User.AvatarURL
+}
+
+func NewGiteaCallbackProvider(user *goth.User) CallbackProvider {
+	return &GiteaCallbackProvider{
+		User: user,
+	}
+}

internal/auth/oauth/github.go

@@ -0,0 +1,84 @@
+package oauth
+
+import (
+	gocontext "context"
+	"github.com/markbates/goth"
+	"github.com/markbates/goth/gothic"
+	"github.com/markbates/goth/providers/github"
+	"github.com/thomiceli/opengist/internal/config"
+	"github.com/thomiceli/opengist/internal/db"
+	"github.com/thomiceli/opengist/internal/web/context"
+	"net/http"
+)
+
+type GitHubProvider struct {
+	Provider
+	URL string
+}
+
+func (p *GitHubProvider) RegisterProvider() error {
+	goth.UseProviders(
+		github.New(
+			config.C.GithubClientKey,
+			config.C.GithubSecret,
+			urlJoin(p.URL, "/oauth/github/callback"),
+		),
+	)
+
+	return nil
+}
+
+func (p *GitHubProvider) BeginAuthHandler(ctx *context.Context) {
+	ctxValue := gocontext.WithValue(ctx.Request().Context(), gothic.ProviderParamKey, GitHubProviderString)
+	ctx.SetRequest(ctx.Request().WithContext(ctxValue))
+
+	gothic.BeginAuthHandler(ctx.Response(), ctx.Request())
+}
+
+func (p *GitHubProvider) UserHasProvider(user *db.User) bool {
+	return user.GithubID != ""
+}
+
+func NewGitHubProvider(url string) *GitHubProvider {
+	return &GitHubProvider{
+		URL: url,
+	}
+}
+
+type GitHubCallbackProvider struct {
+	CallbackProvider
+	User *goth.User
+}
+
+func (p *GitHubCallbackProvider) GetProvider() string {
+	return GitHubProviderString
+}
+
+func (p *GitHubCallbackProvider) GetProviderUser() *goth.User {
+	return p.User
+}
+
+func (p *GitHubCallbackProvider) GetProviderUserID(user *db.User) bool {
+	return user.GithubID != ""
+}
+
+func (p *GitHubCallbackProvider) GetProviderUserSSHKeys() ([]string, error) {
+	resp, err := http.Get("https://github.com/" + p.User.NickName + ".keys")
+	if err != nil {
+		return nil, err
+	}
+	defer resp.Body.Close()
+
+	return readKeys(resp)
+}
+
+func (p *GitHubCallbackProvider) UpdateUserDB(user *db.User) {
+	user.GithubID = p.User.UserID
+	user.AvatarURL = "https://avatars.githubusercontent.com/u/" + p.User.UserID + "?v=4"
+}
+
+func NewGitHubCallbackProvider(user *goth.User) CallbackProvider {
+	return &GitHubCallbackProvider{
+		User: user,
+	}
+}

internal/auth/oauth/gitlab.go

@@ -0,0 +1,118 @@
+package oauth
+
+import (
+	gocontext "context"
+	gojson "encoding/json"
+	"io"
+	"net/http"
+
+	"github.com/markbates/goth"
+	"github.com/markbates/goth/gothic"
+	"github.com/markbates/goth/providers/gitlab"
+	"github.com/rs/zerolog/log"
+	"github.com/thomiceli/opengist/internal/config"
+	"github.com/thomiceli/opengist/internal/db"
+	"github.com/thomiceli/opengist/internal/web/context"
+)
+
+type GitLabProvider struct {
+	Provider
+	URL string
+}
+
+func (p *GitLabProvider) RegisterProvider() error {
+	goth.UseProviders(
+		gitlab.NewCustomisedURL(
+			config.C.GitlabClientKey,
+			config.C.GitlabSecret,
+			urlJoin(p.URL, "/oauth/gitlab/callback"),
+			urlJoin(config.C.GitlabUrl, "/oauth/authorize"),
+			urlJoin(config.C.GitlabUrl, "/oauth/token"),
+			urlJoin(config.C.GitlabUrl, "/api/v4/user"),
+		),
+	)
+
+	return nil
+}
+
+func (p *GitLabProvider) BeginAuthHandler(ctx *context.Context) {
+	ctxValue := gocontext.WithValue(ctx.Request().Context(), gothic.ProviderParamKey, GitLabProviderString)
+	ctx.SetRequest(ctx.Request().WithContext(ctxValue))
+
+	gothic.BeginAuthHandler(ctx.Response(), ctx.Request())
+}
+
+func (p *GitLabProvider) UserHasProvider(user *db.User) bool {
+	return user.GitlabID != ""
+}
+
+func NewGitLabProvider(url string) *GitLabProvider {
+	return &GitLabProvider{
+		URL: url,
+	}
+}
+
+type GitLabCallbackProvider struct {
+	CallbackProvider
+	User *goth.User
+}
+
+func (p *GitLabCallbackProvider) GetProvider() string {
+	return GitLabProviderString
+}
+
+func (p *GitLabCallbackProvider) GetProviderUser() *goth.User {
+	return p.User
+}
+
+func (p *GitLabCallbackProvider) GetProviderUserID(user *db.User) bool {
+	return user.GitlabID != ""
+}
+
+func (p *GitLabCallbackProvider) GetProviderUserSSHKeys() ([]string, error) {
+	resp, err := http.Get(urlJoin(config.C.GitlabUrl, p.User.NickName+".keys"))
+	if err != nil {
+		return nil, err
+	}
+	defer resp.Body.Close()
+
+	return readKeys(resp)
+}
+
+func (p *GitLabCallbackProvider) UpdateUserDB(user *db.User) {
+	user.GitlabID = p.User.UserID
+
+	resp, err := http.Get(urlJoin(config.C.GitlabUrl, "/api/v4/avatar?size=400&email=", p.User.Email))
+	if err != nil {
+		log.Error().Err(err).Msg("Cannot get user avatar from GitLab")
+		return
+	}
+	defer resp.Body.Close()
+
+	body, err := io.ReadAll(resp.Body)
+	if err != nil {
+		log.Error().Err(err).Msg("Cannot read Gitlab response body")
+		return
+	}
+
+	var result map[string]interface{}
+	err = gojson.Unmarshal(body, &result)
+	if err != nil {
+		log.Error().Err(err).Msg("Cannot unmarshal Gitlab response body")
+		return
+	}
+
+	field, ok := result["avatar_url"]
+	if !ok {
+		log.Error().Msg("Field 'avatar_url' not found in Gitlab JSON response")
+		return
+	}
+
+	user.AvatarURL = field.(string)
+}
+
+func NewGitLabCallbackProvider(user *goth.User) CallbackProvider {
+	return &GitLabCallbackProvider{
+		User: user,
+	}
+}

internal/auth/oauth/openid.go

@@ -0,0 +1,86 @@
+package oauth
+
+import (
+	gocontext "context"
+	"errors"
+	"github.com/markbates/goth"
+	"github.com/markbates/goth/gothic"
+	"github.com/markbates/goth/providers/openidConnect"
+	"github.com/thomiceli/opengist/internal/config"
+	"github.com/thomiceli/opengist/internal/db"
+	"github.com/thomiceli/opengist/internal/web/context"
+)
+
+type OIDCProvider struct {
+	Provider
+	URL string
+}
+
+func (p *OIDCProvider) RegisterProvider() error {
+	oidcProvider, err := openidConnect.New(
+		config.C.OIDCClientKey,
+		config.C.OIDCSecret,
+		urlJoin(p.URL, "/oauth/openid-connect/callback"),
+		config.C.OIDCDiscoveryUrl,
+		"openid",
+		"email",
+		"profile",
+		config.C.OIDCGroupClaimName,
+	)
+
+	if err != nil {
+		return errors.New("Cannot create OIDC provider: " + err.Error())
+	}
+
+	goth.UseProviders(oidcProvider)
+	return nil
+}
+
+func (p *OIDCProvider) BeginAuthHandler(ctx *context.Context) {
+	ctxValue := gocontext.WithValue(ctx.Request().Context(), gothic.ProviderParamKey, OpenIDConnectString)
+	ctx.SetRequest(ctx.Request().WithContext(ctxValue))
+
+	gothic.BeginAuthHandler(ctx.Response(), ctx.Request())
+}
+
+func (p *OIDCProvider) UserHasProvider(user *db.User) bool {
+	return user.OIDCID != ""
+}
+
+func NewOIDCProvider(url string) *OIDCProvider {
+	return &OIDCProvider{
+		URL: url,
+	}
+}
+
+type OIDCCallbackProvider struct {
+	CallbackProvider
+	User *goth.User
+}
+
+func (p *OIDCCallbackProvider) GetProvider() string {
+	return OpenIDConnectString
+}
+
+func (p *OIDCCallbackProvider) GetProviderUser() *goth.User {
+	return p.User
+}
+
+func (p *OIDCCallbackProvider) GetProviderUserID(user *db.User) bool {
+	return user.OIDCID != ""
+}
+
+func (p *OIDCCallbackProvider) GetProviderUserSSHKeys() ([]string, error) {
+	return nil, nil
+}
+
+func (p *OIDCCallbackProvider) UpdateUserDB(user *db.User) {
+	user.OIDCID = p.User.UserID
+	user.AvatarURL = p.User.AvatarURL
+}
+
+func NewOIDCCallbackProvider(user *goth.User) CallbackProvider {
+	return &OIDCCallbackProvider{
+		User: user,
+	}
+}

internal/auth/oauth/provider.go

@@ -0,0 +1,93 @@
+package oauth
+
+import (
+	"fmt"
+	"github.com/markbates/goth"
+	"github.com/markbates/goth/gothic"
+	"github.com/rs/zerolog/log"
+	"github.com/thomiceli/opengist/internal/db"
+	"github.com/thomiceli/opengist/internal/web/context"
+	"io"
+	"net/http"
+	"net/url"
+	"strings"
+)
+
+const (
+	GitHubProviderString = "github"
+	GitLabProviderString = "gitlab"
+	GiteaProviderString  = "gitea"
+	OpenIDConnectString  = "openid-connect"
+)
+
+type Provider interface {
+	RegisterProvider() error
+	BeginAuthHandler(ctx *context.Context)
+	UserHasProvider(user *db.User) bool
+}
+
+type CallbackProvider interface {
+	GetProvider() string
+	GetProviderUser() *goth.User
+	GetProviderUserID(user *db.User) bool
+	GetProviderUserSSHKeys() ([]string, error)
+	UpdateUserDB(user *db.User)
+}
+
+func DefineProvider(provider string, url string) (Provider, error) {
+	switch provider {
+	case GitHubProviderString:
+		return NewGitHubProvider(url), nil
+	case GitLabProviderString:
+		return NewGitLabProvider(url), nil
+	case GiteaProviderString:
+		return NewGiteaProvider(url), nil
+	case OpenIDConnectString:
+		return NewOIDCProvider(url), nil
+	}
+
+	return nil, fmt.Errorf("unsupported provider %s", provider)
+}
+
+func CompleteUserAuth(ctx *context.Context) (CallbackProvider, error) {
+	user, err := gothic.CompleteUserAuth(ctx.Response(), ctx.Request())
+	if err != nil {
+		return nil, err
+	}
+
+	switch user.Provider {
+	case GitHubProviderString:
+		return NewGitHubCallbackProvider(&user), nil
+	case GitLabProviderString:
+		return NewGitLabCallbackProvider(&user), nil
+	case GiteaProviderString:
+		return NewGiteaCallbackProvider(&user), nil
+	case OpenIDConnectString:
+		return NewOIDCCallbackProvider(&user), nil
+	}
+
+	return nil, fmt.Errorf("unsupported provider %s", user.Provider)
+}
+
+func urlJoin(base string, elem ...string) string {
+	joined, err := url.JoinPath(base, elem...)
+	if err != nil {
+		log.Error().Err(err).Msg("Cannot join url")
+	}
+
+	return joined
+}
+
+func readKeys(response *http.Response) ([]string, error) {
+	body, err := io.ReadAll(response.Body)
+	if err != nil {
+		return nil, fmt.Errorf("could not get user keys %v", err)
+	}
+
+	keys := strings.Split(string(body), "\n")
+	if len(keys[len(keys)-1]) == 0 {
+		keys = keys[:len(keys)-1]
+	}
+
+	return keys, nil
+}

internal/auth/password/argon2id.go

@@ -0,0 +1,77 @@
+package password
+
+import (
+	"crypto/rand"
+	"crypto/subtle"
+	"encoding/base64"
+	"errors"
+	"fmt"
+	"strings"
+
+	"golang.org/x/crypto/argon2"
+)
+
+type argon2ID struct {
+	format  string
+	version int
+	time    uint32
+	memory  uint32
+	keyLen  uint32
+	saltLen uint32
+	threads uint8
+}
+
+var Argon2id = argon2ID{
+	format:  "$argon2id$v=%d$m=%d,t=%d,p=%d$%s$%s",
+	version: argon2.Version,
+	time:    1,
+	memory:  64 * 1024,
+	keyLen:  32,
+	saltLen: 16,
+	threads: 4,
+}
+
+func (a argon2ID) Hash(plain string) (string, error) {
+	salt := make([]byte, a.saltLen)
+	if _, err := rand.Read(salt); err != nil {
+		return "", err
+	}
+
+	hash := argon2.IDKey([]byte(plain), salt, a.time, a.memory, a.threads, a.keyLen)
+
+	return fmt.Sprintf(a.format, a.version, a.memory, a.time, a.threads,
+		base64.RawStdEncoding.EncodeToString(salt),
+		base64.RawStdEncoding.EncodeToString(hash),
+	), nil
+}
+
+func (a argon2ID) Verify(plain, hash string) (bool, error) {
+	if hash == "" {
+		return false, nil
+	}
+
+	hashParts := strings.Split(hash, "$")
+
+	if len(hashParts) != 6 {
+		return false, errors.New("invalid hash")
+	}
+
+	_, err := fmt.Sscanf(hashParts[3], "m=%d,t=%d,p=%d", &a.memory, &a.time, &a.threads)
+	if err != nil {
+		return false, err
+	}
+
+	salt, err := base64.RawStdEncoding.DecodeString(hashParts[4])
+	if err != nil {
+		return false, err
+	}
+
+	decodedHash, err := base64.RawStdEncoding.DecodeString(hashParts[5])
+	if err != nil {
+		return false, err
+	}
+
+	hashToCompare := argon2.IDKey([]byte(plain), salt, a.time, a.memory, a.threads, uint32(len(decodedHash)))
+
+	return subtle.ConstantTimeCompare(decodedHash, hashToCompare) == 1, nil
+}

internal/auth/password/argon2id_test.go

@@ -0,0 +1,427 @@
+package password
+
+import (
+	"encoding/base64"
+	"strings"
+	"testing"
+)
+
+func TestArgon2ID_Hash(t *testing.T) {
+	tests := []struct {
+		name    string
+		plain   string
+		wantErr bool
+	}{
+		{
+			name:    "basic password",
+			plain:   "password123",
+			wantErr: false,
+		},
+		{
+			name:    "empty string",
+			plain:   "",
+			wantErr: false,
+		},
+		{
+			name:    "long password",
+			plain:   strings.Repeat("a", 10000),
+			wantErr: false,
+		},
+		{
+			name:    "unicode password",
+			plain:   "パスワード🔒",
+			wantErr: false,
+		},
+		{
+			name:    "special characters",
+			plain:   "!@#$%^&*()_+-=[]{}|;:',.<>?/`~",
+			wantErr: false,
+		},
+	}
+
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			hash, err := Argon2id.Hash(tt.plain)
+			if (err != nil) != tt.wantErr {
+				t.Errorf("Argon2id.Hash() error = %v, wantErr %v", err, tt.wantErr)
+				return
+			}
+
+			if !tt.wantErr {
+				// Verify the hash format
+				if !strings.HasPrefix(hash, "$argon2id$") {
+					t.Errorf("Hash does not start with $argon2id$: %v", hash)
+				}
+
+				// Verify all parts are present
+				parts := strings.Split(hash, "$")
+				if len(parts) != 6 {
+					t.Errorf("Hash has %d parts, expected 6: %v", len(parts), hash)
+				}
+
+				// Verify salt is properly encoded
+				if len(parts) >= 5 {
+					_, err := base64.RawStdEncoding.DecodeString(parts[4])
+					if err != nil {
+						t.Errorf("Salt is not properly base64 encoded: %v", err)
+					}
+				}
+
+				// Verify hash is properly encoded
+				if len(parts) >= 6 {
+					_, err := base64.RawStdEncoding.DecodeString(parts[5])
+					if err != nil {
+						t.Errorf("Hash is not properly base64 encoded: %v", err)
+					}
+				}
+			}
+		})
+	}
+}
+
+func TestArgon2ID_Verify(t *testing.T) {
+	// Generate a valid hash for testing
+	testPassword := "correctpassword"
+	validHash, err := Argon2id.Hash(testPassword)
+	if err != nil {
+		t.Fatalf("Failed to generate test hash: %v", err)
+	}
+
+	tests := []struct {
+		name      string
+		plain     string
+		hash      string
+		wantMatch bool
+		wantErr   bool
+	}{
+		{
+			name:      "correct password",
+			plain:     testPassword,
+			hash:      validHash,
+			wantMatch: true,
+			wantErr:   false,
+		},
+		{
+			name:      "incorrect password",
+			plain:     "wrongpassword",
+			hash:      validHash,
+			wantMatch: false,
+			wantErr:   false,
+		},
+		{
+			name:      "empty password",
+			plain:     "",
+			hash:      validHash,
+			wantMatch: false,
+			wantErr:   false,
+		},
+		{
+			name:      "empty hash",
+			plain:     testPassword,
+			hash:      "",
+			wantMatch: false,
+			wantErr:   false,
+		},
+		{
+			name:      "invalid hash - too few parts",
+			plain:     testPassword,
+			hash:      "$argon2id$v=19$m=65536",
+			wantMatch: false,
+			wantErr:   true,
+		},
+		{
+			name:      "invalid hash - too many parts",
+			plain:     testPassword,
+			hash:      "$argon2id$v=19$m=65536,t=1,p=4$salt$hash$extra",
+			wantMatch: false,
+			wantErr:   true,
+		},
+		{
+			name:      "invalid hash - malformed parameters",
+			plain:     testPassword,
+			hash:      "$argon2id$v=19$invalid$salt$hash",
+			wantMatch: false,
+			wantErr:   true,
+		},
+		{
+			name:      "invalid hash - bad base64 salt",
+			plain:     testPassword,
+			hash:      "$argon2id$v=19$m=65536,t=1,p=4$not-valid-base64!@#$hash",
+			wantMatch: false,
+			wantErr:   true,
+		},
+		{
+			name:      "invalid hash - bad base64 hash",
+			plain:     testPassword,
+			hash:      "$argon2id$v=19$m=65536,t=1,p=4$dGVzdA$not-valid-base64!@#",
+			wantMatch: false,
+			wantErr:   true,
+		},
+		{
+			name:      "wrong algorithm prefix",
+			plain:     testPassword,
+			hash:      "$bcrypt$rounds=10$saltsaltsaltsaltsalt",
+			wantMatch: false,
+			wantErr:   true,
+		},
+	}
+
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			match, err := Argon2id.Verify(tt.plain, tt.hash)
+			if (err != nil) != tt.wantErr {
+				t.Errorf("Argon2id.Verify() error = %v, wantErr %v", err, tt.wantErr)
+				return
+			}
+			if match != tt.wantMatch {
+				t.Errorf("Argon2id.Verify() match = %v, wantMatch %v", match, tt.wantMatch)
+			}
+		})
+	}
+}
+
+func TestArgon2ID_SaltUniqueness(t *testing.T) {
+	password := "testpassword"
+	iterations := 10
+
+	hashes := make(map[string]bool)
+	salts := make(map[string]bool)
+
+	for i := 0; i < iterations; i++ {
+		hash, err := Argon2id.Hash(password)
+		if err != nil {
+			t.Fatalf("Hash iteration %d failed: %v", i, err)
+		}
+
+		// Check hash uniqueness
+		if hashes[hash] {
+			t.Errorf("Duplicate hash generated at iteration %d", i)
+		}
+		hashes[hash] = true
+
+		// Extract and check salt uniqueness
+		parts := strings.Split(hash, "$")
+		if len(parts) >= 5 {
+			salt := parts[4]
+			if salts[salt] {
+				t.Errorf("Duplicate salt generated at iteration %d", i)
+			}
+			salts[salt] = true
+		}
+
+		// Verify each hash works
+		match, err := Argon2id.Verify(password, hash)
+		if err != nil || !match {
+			t.Errorf("Hash %d failed verification: err=%v, match=%v", i, err, match)
+		}
+	}
+}
+
+func TestArgon2ID_HashFormat(t *testing.T) {
+	password := "testformat"
+	hash, err := Argon2id.Hash(password)
+	if err != nil {
+		t.Fatalf("Hash failed: %v", err)
+	}
+
+	parts := strings.Split(hash, "$")
+	if len(parts) != 6 {
+		t.Fatalf("Expected 6 parts, got %d: %v", len(parts), hash)
+	}
+
+	// Part 0 should be empty (before first $)
+	if parts[0] != "" {
+		t.Errorf("Part 0 should be empty, got: %v", parts[0])
+	}
+
+	// Part 1 should be "argon2id"
+	if parts[1] != "argon2id" {
+		t.Errorf("Part 1 should be 'argon2id', got: %v", parts[1])
+	}
+
+	// Part 2 should be version
+	if !strings.HasPrefix(parts[2], "v=") {
+		t.Errorf("Part 2 should start with 'v=', got: %v", parts[2])
+	}
+
+	// Part 3 should be parameters
+	if !strings.Contains(parts[3], "m=") || !strings.Contains(parts[3], "t=") || !strings.Contains(parts[3], "p=") {
+		t.Errorf("Part 3 should contain m=, t=, and p=, got: %v", parts[3])
+	}
+
+	// Part 4 should be base64 encoded salt
+	salt, err := base64.RawStdEncoding.DecodeString(parts[4])
+	if err != nil {
+		t.Errorf("Salt (part 4) is not valid base64: %v", err)
+	}
+	if len(salt) != int(Argon2id.saltLen) {
+		t.Errorf("Salt length is %d, expected %d", len(salt), Argon2id.saltLen)
+	}
+
+	// Part 5 should be base64 encoded hash
+	decodedHash, err := base64.RawStdEncoding.DecodeString(parts[5])
+	if err != nil {
+		t.Errorf("Hash (part 5) is not valid base64: %v", err)
+	}
+	if len(decodedHash) != int(Argon2id.keyLen) {
+		t.Errorf("Hash length is %d, expected %d", len(decodedHash), Argon2id.keyLen)
+	}
+}
+
+func TestArgon2ID_CaseModification(t *testing.T) {
+	// Passwords should be case-sensitive
+	password := "TestPassword"
+	hash, err := Argon2id.Hash(password)
+	if err != nil {
+		t.Fatalf("Hash failed: %v", err)
+	}
+
+	// Correct case should match
+	match, err := Argon2id.Verify(password, hash)
+	if err != nil || !match {
+		t.Errorf("Correct password failed: err=%v, match=%v", err, match)
+	}
+
+	// Wrong case should not match
+	match, err = Argon2id.Verify("testpassword", hash)
+	if err != nil {
+		t.Errorf("Verify returned error: %v", err)
+	}
+	if match {
+		t.Error("Password verification should be case-sensitive")
+	}
+
+	match, err = Argon2id.Verify("TESTPASSWORD", hash)
+	if err != nil {
+		t.Errorf("Verify returned error: %v", err)
+	}
+	if match {
+		t.Error("Password verification should be case-sensitive")
+	}
+}
+
+func TestArgon2ID_InvalidParameters(t *testing.T) {
+	password := "testpassword"
+
+	tests := []struct {
+		name    string
+		hash    string
+		wantErr bool
+	}{
+		{
+			name:    "negative memory parameter",
+			hash:    "$argon2id$v=19$m=-1,t=1,p=4$dGVzdHNhbHQ$testhash",
+			wantErr: true,
+		},
+		{
+			name:    "negative time parameter",
+			hash:    "$argon2id$v=19$m=65536,t=-1,p=4$dGVzdHNhbHQ$testhash",
+			wantErr: true,
+		},
+		{
+			name:    "negative parallelism parameter",
+			hash:    "$argon2id$v=19$m=65536,t=1,p=-4$dGVzdHNhbHQ$testhash",
+			wantErr: true,
+		},
+		{
+			name:    "zero memory parameter",
+			hash:    "$argon2id$v=19$m=0,t=1,p=4$dGVzdHNhbHQ$testhash",
+			wantErr: false, // argon2 may handle this, we just test parsing
+		},
+		{
+			name:    "missing parameter value",
+			hash:    "$argon2id$v=19$m=,t=1,p=4$dGVzdHNhbHQ$testhash",
+			wantErr: true,
+		},
+		{
+			name:    "non-numeric parameter",
+			hash:    "$argon2id$v=19$m=abc,t=1,p=4$dGVzdHNhbHQ$testhash",
+			wantErr: true,
+		},
+		{
+			name:    "missing parameters separator",
+			hash:    "$argon2id$v=19$m=65536 t=1 p=4$dGVzdHNhbHQ$testhash",
+			wantErr: true,
+		},
+	}
+
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			_, err := Argon2id.Verify(password, tt.hash)
+			if (err != nil) != tt.wantErr {
+				t.Errorf("Argon2id.Verify() error = %v, wantErr %v", err, tt.wantErr)
+			}
+		})
+	}
+}
+
+func TestArgon2ID_ConcurrentHashing(t *testing.T) {
+	password := "testpassword"
+	concurrency := 10
+
+	type result struct {
+		hash string
+		err  error
+	}
+
+	results := make(chan result, concurrency)
+
+	// Generate hashes concurrently
+	for i := 0; i < concurrency; i++ {
+		go func() {
+			hash, err := Argon2id.Hash(password)
+			results <- result{hash: hash, err: err}
+		}()
+	}
+
+	// Collect results
+	hashes := make(map[string]bool)
+	for i := 0; i < concurrency; i++ {
+		res := <-results
+		if res.err != nil {
+			t.Errorf("Concurrent hash %d failed: %v", i, res.err)
+			continue
+		}
+
+		// Check for duplicates
+		if hashes[res.hash] {
+			t.Errorf("Duplicate hash generated in concurrent test")
+		}
+		hashes[res.hash] = true
+
+		// Verify each hash works
+		match, err := Argon2id.Verify(password, res.hash)
+		if err != nil || !match {
+			t.Errorf("Hash %d failed verification: err=%v, match=%v", i, err, match)
+		}
+	}
+}
+
+func TestArgon2ID_VeryLongPassword(t *testing.T) {
+	// Test with extremely long password (100KB)
+	password := strings.Repeat("a", 100*1024)
+
+	hash, err := Argon2id.Hash(password)
+	if err != nil {
+		t.Fatalf("Failed to hash very long password: %v", err)
+	}
+
+	match, err := Argon2id.Verify(password, hash)
+	if err != nil {
+		t.Fatalf("Failed to verify very long password: %v", err)
+	}
+
+	if !match {
+		t.Error("Very long password failed verification")
+	}
+
+	// Verify wrong password still fails
+	wrongPassword := strings.Repeat("b", 100*1024)
+	match, err = Argon2id.Verify(wrongPassword, hash)
+	if err != nil {
+		t.Errorf("Verify returned error: %v", err)
+	}
+	if match {
+		t.Error("Wrong very long password should not match")
+	}
+}

internal/auth/password/password.go

@@ -0,0 +1,9 @@
+package password
+
+func HashPassword(code string) (string, error) {
+	return Argon2id.Hash(code)
+}
+
+func VerifyPassword(code, hashedCode string) (bool, error) {
+	return Argon2id.Verify(code, hashedCode)
+}

internal/auth/password/password_test.go

@@ -0,0 +1,193 @@
+package password
+
+import (
+	"strings"
+	"testing"
+)
+
+func TestHashPassword(t *testing.T) {
+	tests := []struct {
+		name     string
+		password string
+		wantErr  bool
+	}{
+		{
+			name:     "simple password",
+			password: "password123",
+			wantErr:  false,
+		},
+		{
+			name:     "empty password",
+			password: "",
+			wantErr:  false,
+		},
+		{
+			name:     "long password",
+			password: strings.Repeat("a", 1000),
+			wantErr:  false,
+		},
+		{
+			name:     "special characters",
+			password: "p@ssw0rd!#$%^&*()",
+			wantErr:  false,
+		},
+		{
+			name:     "unicode characters",
+			password: "パスワード123",
+			wantErr:  false,
+		},
+	}
+
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			hash, err := HashPassword(tt.password)
+			if (err != nil) != tt.wantErr {
+				t.Errorf("HashPassword() error = %v, wantErr %v", err, tt.wantErr)
+				return
+			}
+			if !tt.wantErr {
+				// Verify hash format
+				if !strings.HasPrefix(hash, "$argon2id$") {
+					t.Errorf("HashPassword() returned invalid hash format: %v", hash)
+				}
+				// Verify hash has correct number of parts
+				parts := strings.Split(hash, "$")
+				if len(parts) != 6 {
+					t.Errorf("HashPassword() returned hash with incorrect number of parts: %v", len(parts))
+				}
+			}
+		})
+	}
+}
+
+func TestVerifyPassword(t *testing.T) {
+	// Pre-generate a known hash for testing
+	testPassword := "testpassword123"
+	testHash, err := HashPassword(testPassword)
+	if err != nil {
+		t.Fatalf("Failed to generate test hash: %v", err)
+	}
+
+	tests := []struct {
+		name      string
+		password  string
+		hash      string
+		wantMatch bool
+		wantErr   bool
+	}{
+		{
+			name:      "correct password",
+			password:  testPassword,
+			hash:      testHash,
+			wantMatch: true,
+			wantErr:   false,
+		},
+		{
+			name:      "incorrect password",
+			password:  "wrongpassword",
+			hash:      testHash,
+			wantMatch: false,
+			wantErr:   false,
+		},
+		{
+			name:      "empty password against valid hash",
+			password:  "",
+			hash:      testHash,
+			wantMatch: false,
+			wantErr:   false,
+		},
+		{
+			name:      "empty hash",
+			password:  testPassword,
+			hash:      "",
+			wantMatch: false,
+			wantErr:   false,
+		},
+		{
+			name:      "invalid hash format",
+			password:  testPassword,
+			hash:      "invalid",
+			wantMatch: false,
+			wantErr:   true,
+		},
+		{
+			name:      "malformed hash - wrong prefix",
+			password:  testPassword,
+			hash:      "$bcrypt$invalid$hash",
+			wantMatch: false,
+			wantErr:   true,
+		},
+	}
+
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			match, err := VerifyPassword(tt.password, tt.hash)
+			if (err != nil) != tt.wantErr {
+				t.Errorf("VerifyPassword() error = %v, wantErr %v", err, tt.wantErr)
+				return
+			}
+			if match != tt.wantMatch {
+				t.Errorf("VerifyPassword() match = %v, wantMatch %v", match, tt.wantMatch)
+			}
+		})
+	}
+}
+
+func TestHashPasswordUniqueness(t *testing.T) {
+	password := "testpassword"
+
+	// Generate multiple hashes of the same password
+	hash1, err := HashPassword(password)
+	if err != nil {
+		t.Fatalf("Failed to hash password: %v", err)
+	}
+
+	hash2, err := HashPassword(password)
+	if err != nil {
+		t.Fatalf("Failed to hash password: %v", err)
+	}
+
+	// Hashes should be different due to different salts
+	if hash1 == hash2 {
+		t.Error("HashPassword() should generate unique hashes for the same password")
+	}
+
+	// But both should verify correctly
+	match1, err := VerifyPassword(password, hash1)
+	if err != nil || !match1 {
+		t.Errorf("Failed to verify first hash: err=%v, match=%v", err, match1)
+	}
+
+	match2, err := VerifyPassword(password, hash2)
+	if err != nil || !match2 {
+		t.Errorf("Failed to verify second hash: err=%v, match=%v", err, match2)
+	}
+}
+
+func TestPasswordRoundTrip(t *testing.T) {
+	tests := []string{
+		"simple",
+		"with spaces and special chars !@#$%",
+		"パスワード",
+		strings.Repeat("long", 100),
+		"",
+	}
+
+	for _, password := range tests {
+		t.Run(password, func(t *testing.T) {
+			hash, err := HashPassword(password)
+			if err != nil {
+				t.Fatalf("HashPassword() failed: %v", err)
+			}
+
+			match, err := VerifyPassword(password, hash)
+			if err != nil {
+				t.Fatalf("VerifyPassword() failed: %v", err)
+			}
+
+			if !match {
+				t.Error("Password round trip failed: hashed password does not verify")
+			}
+		})
+	}
+}

internal/auth/totp/aes.go

@@ -0,0 +1,48 @@
+package totp
+
+import (
+	"crypto/aes"
+	"crypto/cipher"
+	"crypto/rand"
+	"fmt"
+	"io"
+)
+
+func AESEncrypt(key, text []byte) ([]byte, error) {
+	block, err := aes.NewCipher(key)
+	if err != nil {
+		return nil, err
+	}
+
+	ciphertext := make([]byte, aes.BlockSize+len(text))
+	iv := ciphertext[:aes.BlockSize]
+	if _, err = io.ReadFull(rand.Reader, iv); err != nil {
+		return nil, err
+	}
+	// TODO: remove deprecated
+	//nolint:staticcheck
+	stream := cipher.NewCFBEncrypter(block, iv)
+	stream.XORKeyStream(ciphertext[aes.BlockSize:], text)
+
+	return ciphertext, nil
+}
+
+func AESDecrypt(key, ciphertext []byte) ([]byte, error) {
+	block, err := aes.NewCipher(key)
+	if err != nil {
+		return nil, err
+	}
+
+	if len(ciphertext) < aes.BlockSize {
+		return nil, fmt.Errorf("ciphertext too short")
+	}
+
+	iv := ciphertext[:aes.BlockSize]
+	ciphertext = ciphertext[aes.BlockSize:]
+	// TODO: remove deprecated
+	//nolint:staticcheck
+	stream := cipher.NewCFBDecrypter(block, iv)
+	stream.XORKeyStream(ciphertext, ciphertext)
+
+	return ciphertext, nil
+}

internal/auth/totp/aes_test.go

@@ -0,0 +1,430 @@
+package totp
+
+import (
+	"bytes"
+	"crypto/aes"
+	"testing"
+)
+
+func TestAESEncrypt(t *testing.T) {
+	tests := []struct {
+		name    string
+		key     []byte
+		text    []byte
+		wantErr bool
+	}{
+		{
+			name:    "basic encryption with 16-byte key",
+			key:     []byte("1234567890123456"), // 16 bytes (AES-128)
+			text:    []byte("hello world"),
+			wantErr: false,
+		},
+		{
+			name:    "basic encryption with 24-byte key",
+			key:     []byte("123456789012345678901234"), // 24 bytes (AES-192)
+			text:    []byte("hello world"),
+			wantErr: false,
+		},
+		{
+			name:    "basic encryption with 32-byte key",
+			key:     []byte("12345678901234567890123456789012"), // 32 bytes (AES-256)
+			text:    []byte("hello world"),
+			wantErr: false,
+		},
+		{
+			name:    "empty text",
+			key:     []byte("1234567890123456"),
+			text:    []byte(""),
+			wantErr: false,
+		},
+		{
+			name:    "long text",
+			key:     []byte("1234567890123456"),
+			text:    []byte("This is a much longer text that spans multiple blocks and should be encrypted properly without any issues"),
+			wantErr: false,
+		},
+		{
+			name:    "binary data",
+			key:     []byte("1234567890123456"),
+			text:    []byte{0x00, 0x01, 0x02, 0x03, 0xFF, 0xFE, 0xFD},
+			wantErr: false,
+		},
+		{
+			name:    "invalid key length - too short",
+			key:     []byte("short"),
+			text:    []byte("hello world"),
+			wantErr: true,
+		},
+		{
+			name:    "invalid key length - 17 bytes",
+			key:     []byte("12345678901234567"), // 17 bytes (invalid)
+			text:    []byte("hello world"),
+			wantErr: true,
+		},
+		{
+			name:    "nil key",
+			key:     nil,
+			text:    []byte("hello world"),
+			wantErr: true,
+		},
+		{
+			name:    "empty key",
+			key:     []byte(""),
+			text:    []byte("hello world"),
+			wantErr: true,
+		},
+	}
+
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			ciphertext, err := AESEncrypt(tt.key, tt.text)
+			if (err != nil) != tt.wantErr {
+				t.Errorf("AESEncrypt() error = %v, wantErr %v", err, tt.wantErr)
+				return
+			}
+
+			if !tt.wantErr {
+				// Verify ciphertext is not empty
+				if len(ciphertext) == 0 {
+					t.Error("AESEncrypt() returned empty ciphertext")
+				}
+
+				// Verify ciphertext length is correct (IV + encrypted text)
+				expectedLen := aes.BlockSize + len(tt.text)
+				if len(ciphertext) != expectedLen {
+					t.Errorf("AESEncrypt() ciphertext length = %d, want %d", len(ciphertext), expectedLen)
+				}
+
+				// Verify ciphertext is different from plaintext (unless text is empty)
+				if len(tt.text) > 0 && bytes.Equal(ciphertext[aes.BlockSize:], tt.text) {
+					t.Error("AESEncrypt() ciphertext matches plaintext")
+				}
+
+				// Verify IV is present and non-zero
+				iv := ciphertext[:aes.BlockSize]
+				allZeros := true
+				for _, b := range iv {
+					if b != 0 {
+						allZeros = false
+						break
+					}
+				}
+				if allZeros {
+					t.Error("AESEncrypt() IV is all zeros")
+				}
+			}
+		})
+	}
+}
+
+func TestAESDecrypt(t *testing.T) {
+	validKey := []byte("1234567890123456")
+	validText := []byte("hello world")
+
+	// Encrypt some data to use for valid test cases
+	validCiphertext, err := AESEncrypt(validKey, validText)
+	if err != nil {
+		t.Fatalf("Failed to create valid ciphertext: %v", err)
+	}
+
+	tests := []struct {
+		name       string
+		key        []byte
+		ciphertext []byte
+		wantErr    bool
+	}{
+		{
+			name:       "valid decryption",
+			key:        validKey,
+			ciphertext: validCiphertext,
+			wantErr:    false,
+		},
+		{
+			name:       "ciphertext too short - empty",
+			key:        validKey,
+			ciphertext: []byte(""),
+			wantErr:    true,
+		},
+		{
+			name:       "ciphertext too short - less than block size",
+			key:        validKey,
+			ciphertext: []byte("short"),
+			wantErr:    true,
+		},
+		{
+			name:       "ciphertext exactly block size (IV only, no data)",
+			key:        validKey,
+			ciphertext: make([]byte, aes.BlockSize),
+			wantErr:    false,
+		},
+		{
+			name:       "invalid key length",
+			key:        []byte("short"),
+			ciphertext: validCiphertext,
+			wantErr:    true,
+		},
+		{
+			name:       "wrong key",
+			key:        []byte("6543210987654321"),
+			ciphertext: validCiphertext,
+			wantErr:    false, // Decryption succeeds but produces garbage
+		},
+		{
+			name:       "nil key",
+			key:        nil,
+			ciphertext: validCiphertext,
+			wantErr:    true,
+		},
+		{
+			name:       "nil ciphertext",
+			key:        validKey,
+			ciphertext: nil,
+			wantErr:    true,
+		},
+	}
+
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			plaintext, err := AESDecrypt(tt.key, tt.ciphertext)
+			if (err != nil) != tt.wantErr {
+				t.Errorf("AESDecrypt() error = %v, wantErr %v", err, tt.wantErr)
+				return
+			}
+
+			if !tt.wantErr {
+				// For valid decryption with correct key, verify we get original text
+				if tt.name == "valid decryption" && !bytes.Equal(plaintext, validText) {
+					t.Errorf("AESDecrypt() plaintext = %v, want %v", plaintext, validText)
+				}
+
+				// For ciphertext with only IV, plaintext should be empty
+				if tt.name == "ciphertext exactly block size (IV only, no data)" && len(plaintext) != 0 {
+					t.Errorf("AESDecrypt() plaintext length = %d, want 0", len(plaintext))
+				}
+			}
+		})
+	}
+}
+
+func TestAESEncryptDecrypt_RoundTrip(t *testing.T) {
+	tests := []struct {
+		name string
+		key  []byte
+		text []byte
+	}{
+		{
+			name: "basic round trip",
+			key:  []byte("1234567890123456"),
+			text: []byte("hello world"),
+		},
+		{
+			name: "empty text round trip",
+			key:  []byte("1234567890123456"),
+			text: []byte(""),
+		},
+		{
+			name: "long text round trip",
+			key:  []byte("1234567890123456"),
+			text: []byte("This is a very long text that contains multiple blocks of data and should be encrypted and decrypted correctly without any data loss or corruption"),
+		},
+		{
+			name: "binary data round trip",
+			key:  []byte("1234567890123456"),
+			text: []byte{0x00, 0x01, 0x02, 0x03, 0xFF, 0xFE, 0xFD, 0xFC},
+		},
+		{
+			name: "unicode text round trip",
+			key:  []byte("1234567890123456"),
+			text: []byte("Hello 世界! 🔐 Encryption"),
+		},
+		{
+			name: "AES-192 round trip",
+			key:  []byte("123456789012345678901234"),
+			text: []byte("testing AES-192"),
+		},
+		{
+			name: "AES-256 round trip",
+			key:  []byte("12345678901234567890123456789012"),
+			text: []byte("testing AES-256"),
+		},
+		{
+			name: "special characters",
+			key:  []byte("1234567890123456"),
+			text: []byte("!@#$%^&*()_+-=[]{}|;':\",./<>?"),
+		},
+		{
+			name: "newlines and tabs",
+			key:  []byte("1234567890123456"),
+			text: []byte("line1\nline2\tline3\r\nline4"),
+		},
+	}
+
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			// Encrypt
+			ciphertext, err := AESEncrypt(tt.key, tt.text)
+			if err != nil {
+				t.Fatalf("AESEncrypt() failed: %v", err)
+			}
+
+			// Decrypt
+			plaintext, err := AESDecrypt(tt.key, ciphertext)
+			if err != nil {
+				t.Fatalf("AESDecrypt() failed: %v", err)
+			}
+
+			// Verify plaintext matches original
+			if !bytes.Equal(plaintext, tt.text) {
+				t.Errorf("Round trip failed: got %v, want %v", plaintext, tt.text)
+			}
+		})
+	}
+}
+
+func TestAESEncrypt_Uniqueness(t *testing.T) {
+	key := []byte("1234567890123456")
+	text := []byte("hello world")
+	iterations := 10
+
+	ciphertexts := make(map[string]bool)
+
+	for i := 0; i < iterations; i++ {
+		ciphertext, err := AESEncrypt(key, text)
+		if err != nil {
+			t.Fatalf("Iteration %d failed: %v", i, err)
+		}
+
+		// Each encryption should produce different ciphertext (due to random IV)
+		ciphertextStr := string(ciphertext)
+		if ciphertexts[ciphertextStr] {
+			t.Errorf("Duplicate ciphertext generated at iteration %d", i)
+		}
+		ciphertexts[ciphertextStr] = true
+
+		// But all should decrypt to the same plaintext
+		plaintext, err := AESDecrypt(key, ciphertext)
+		if err != nil {
+			t.Fatalf("Iteration %d decryption failed: %v", i, err)
+		}
+		if !bytes.Equal(plaintext, text) {
+			t.Errorf("Iteration %d: decrypted text doesn't match original", i)
+		}
+	}
+}
+
+func TestAESEncrypt_IVUniqueness(t *testing.T) {
+	key := []byte("1234567890123456")
+	text := []byte("test data")
+	iterations := 20
+
+	ivs := make(map[string]bool)
+
+	for i := 0; i < iterations; i++ {
+		ciphertext, err := AESEncrypt(key, text)
+		if err != nil {
+			t.Fatalf("Iteration %d failed: %v", i, err)
+		}
+
+		// Extract IV (first block)
+		iv := ciphertext[:aes.BlockSize]
+		ivStr := string(iv)
+
+		// Each IV should be unique
+		if ivs[ivStr] {
+			t.Errorf("Duplicate IV generated at iteration %d", i)
+		}
+		ivs[ivStr] = true
+	}
+}
+
+func TestAESDecrypt_WrongKey(t *testing.T) {
+	originalKey := []byte("1234567890123456")
+	wrongKey := []byte("6543210987654321")
+	text := []byte("secret message")
+
+	// Encrypt with original key
+	ciphertext, err := AESEncrypt(originalKey, text)
+	if err != nil {
+		t.Fatalf("AESEncrypt() failed: %v", err)
+	}
+
+	// Decrypt with wrong key - should not error but produce wrong plaintext
+	plaintext, err := AESDecrypt(wrongKey, ciphertext)
+	if err != nil {
+		t.Fatalf("AESDecrypt() with wrong key failed: %v", err)
+	}
+
+	// Plaintext should be different from original
+	if bytes.Equal(plaintext, text) {
+		t.Error("AESDecrypt() with wrong key produced correct plaintext")
+	}
+}
+
+func TestAESDecrypt_CorruptedCiphertext(t *testing.T) {
+	key := []byte("1234567890123456")
+	text := []byte("hello world")
+
+	// Encrypt
+	ciphertext, err := AESEncrypt(key, text)
+	if err != nil {
+		t.Fatalf("AESEncrypt() failed: %v", err)
+	}
+
+	// Corrupt the ciphertext (flip a bit in the encrypted data, not the IV)
+	if len(ciphertext) > aes.BlockSize {
+		corruptedCiphertext := make([]byte, len(ciphertext))
+		copy(corruptedCiphertext, ciphertext)
+		corruptedCiphertext[aes.BlockSize] ^= 0xFF
+
+		// Decrypt corrupted ciphertext - should not error but produce wrong plaintext
+		plaintext, err := AESDecrypt(key, corruptedCiphertext)
+		if err != nil {
+			t.Fatalf("AESDecrypt() with corrupted ciphertext failed: %v", err)
+		}
+
+		// Plaintext should be different from original
+		if bytes.Equal(plaintext, text) {
+			t.Error("AESDecrypt() with corrupted ciphertext produced correct plaintext")
+		}
+	}
+}
+
+func TestAESEncryptDecrypt_DifferentKeySizes(t *testing.T) {
+	tests := []struct {
+		name    string
+		keySize int
+	}{
+		{"AES-128", 16},
+		{"AES-192", 24},
+		{"AES-256", 32},
+	}
+
+	text := []byte("test message for different key sizes")
+
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			// Generate key of specified size
+			key := make([]byte, tt.keySize)
+			for i := range key {
+				key[i] = byte(i)
+			}
+
+			// Encrypt
+			ciphertext, err := AESEncrypt(key, text)
+			if err != nil {
+				t.Fatalf("AESEncrypt() failed: %v", err)
+			}
+
+			// Decrypt
+			plaintext, err := AESDecrypt(key, ciphertext)
+			if err != nil {
+				t.Fatalf("AESDecrypt() failed: %v", err)
+			}
+
+			// Verify
+			if !bytes.Equal(plaintext, text) {
+				t.Errorf("Round trip failed for %s", tt.name)
+			}
+		})
+	}
+}

internal/auth/totp/totp.go

@@ -0,0 +1,62 @@
+package totp
+
+import (
+	"bytes"
+	"crypto/rand"
+	"encoding/base64"
+	"html/template"
+	"image/png"
+	"strings"
+
+	"github.com/pquerna/otp/totp"
+)
+
+const secretSize = 16
+
+func GenerateQRCode(username, siteUrl string, secret []byte) (string, template.URL, []byte, error) {
+	var err error
+	if secret == nil {
+		secret, err = generateSecret()
+		if err != nil {
+			return "", "", nil, err
+		}
+	}
+
+	otpKey, err := totp.Generate(totp.GenerateOpts{
+		SecretSize:  secretSize,
+		Issuer:      "Opengist (" + strings.ReplaceAll(siteUrl, ":", "") + ")",
+		AccountName: username,
+		Secret:      secret,
+	})
+	if err != nil {
+		return "", "", nil, err
+	}
+
+	qrcode, err := otpKey.Image(320, 240)
+	if err != nil {
+		return "", "", nil, err
+	}
+
+	var imgBytes bytes.Buffer
+	if err = png.Encode(&imgBytes, qrcode); err != nil {
+		return "", "", nil, err
+	}
+
+	qrcodeImage := template.URL("data:image/png;base64," + base64.StdEncoding.EncodeToString(imgBytes.Bytes()))
+
+	return otpKey.Secret(), qrcodeImage, secret, nil
+}
+
+func Validate(passcode, secret string) bool {
+	return totp.Validate(passcode, secret)
+}
+
+func generateSecret() ([]byte, error) {
+	secret := make([]byte, secretSize)
+	_, err := rand.Reader.Read(secret)
+	if err != nil {
+		return nil, err
+	}
+
+	return secret, nil
+}

internal/auth/totp/totp_test.go

@@ -0,0 +1,431 @@
+package totp
+
+import (
+	"encoding/base64"
+	"strings"
+	"sync"
+	"testing"
+	"time"
+
+	"github.com/pquerna/otp/totp"
+)
+
+func TestGenerateQRCode(t *testing.T) {
+	tests := []struct {
+		name     string
+		username string
+		siteUrl  string
+		secret   []byte
+		wantErr  bool
+	}{
+		{
+			name:     "basic generation with nil secret",
+			username: "testuser",
+			siteUrl:  "opengist.io",
+			secret:   nil,
+			wantErr:  false,
+		},
+		{
+			name:     "basic generation with provided secret",
+			username: "testuser",
+			siteUrl:  "opengist.io",
+			secret:   []byte("1234567890123456"),
+			wantErr:  false,
+		},
+		{
+			name:     "username with special characters",
+			username: "test.user",
+			siteUrl:  "opengist.io",
+			secret:   nil,
+			wantErr:  false,
+		},
+		{
+			name:     "site URL with protocol and port",
+			username: "testuser",
+			siteUrl:  "https://opengist.io:6157",
+			secret:   nil,
+			wantErr:  false,
+		},
+		{
+			name:     "empty username",
+			username: "",
+			siteUrl:  "opengist.io",
+			secret:   nil,
+			wantErr:  true,
+		},
+		{
+			name:     "empty site URL",
+			username: "testuser",
+			siteUrl:  "",
+			secret:   nil,
+			wantErr:  false,
+		},
+	}
+
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			secretStr, qrcode, secretBytes, err := GenerateQRCode(tt.username, tt.siteUrl, tt.secret)
+			if (err != nil) != tt.wantErr {
+				t.Errorf("GenerateQRCode() error = %v, wantErr %v", err, tt.wantErr)
+				return
+			}
+
+			if !tt.wantErr {
+				// Verify secret string is not empty
+				if secretStr == "" {
+					t.Error("GenerateQRCode() returned empty secret string")
+				}
+
+				// Verify QR code image is generated
+				if qrcode == "" {
+					t.Error("GenerateQRCode() returned empty QR code")
+				}
+
+				// Verify QR code has correct data URI prefix
+				if !strings.HasPrefix(string(qrcode), "data:image/png;base64,") {
+					t.Errorf("QR code does not have correct data URI prefix: %s", qrcode[:50])
+				}
+
+				// Verify QR code is valid base64 after prefix
+				base64Data := strings.TrimPrefix(string(qrcode), "data:image/png;base64,")
+				_, err := base64.StdEncoding.DecodeString(base64Data)
+				if err != nil {
+					t.Errorf("QR code base64 data is invalid: %v", err)
+				}
+
+				// Verify secret bytes are returned
+				if secretBytes == nil {
+					t.Error("GenerateQRCode() returned nil secret bytes")
+				}
+
+				// Verify secret bytes have correct length
+				if len(secretBytes) != secretSize {
+					t.Errorf("Secret bytes length = %d, want %d", len(secretBytes), secretSize)
+				}
+
+				// If a secret was provided, verify it matches what was returned
+				if tt.secret != nil && string(secretBytes) != string(tt.secret) {
+					t.Error("Returned secret bytes do not match provided secret")
+				}
+			}
+		})
+	}
+}
+
+func TestGenerateQRCode_SecretUniqueness(t *testing.T) {
+	username := "testuser"
+	siteUrl := "opengist.io"
+	iterations := 10
+
+	secrets := make(map[string]bool)
+	secretBytes := make(map[string]bool)
+
+	for i := 0; i < iterations; i++ {
+		secretStr, _, secret, err := GenerateQRCode(username, siteUrl, nil)
+		if err != nil {
+			t.Fatalf("Iteration %d failed: %v", i, err)
+		}
+
+		// Check secret string uniqueness
+		if secrets[secretStr] {
+			t.Errorf("Duplicate secret string generated at iteration %d", i)
+		}
+		secrets[secretStr] = true
+
+		// Check secret bytes uniqueness
+		secretKey := string(secret)
+		if secretBytes[secretKey] {
+			t.Errorf("Duplicate secret bytes generated at iteration %d", i)
+		}
+		secretBytes[secretKey] = true
+	}
+}
+
+func TestGenerateQRCode_WithProvidedSecret(t *testing.T) {
+	username := "testuser"
+	siteUrl := "opengist.io"
+	providedSecret := []byte("mysecret12345678")
+
+	// Generate QR code multiple times with the same secret
+	secretStr1, _, secret1, err := GenerateQRCode(username, siteUrl, providedSecret)
+	if err != nil {
+		t.Fatalf("First generation failed: %v", err)
+	}
+
+	secretStr2, _, secret2, err := GenerateQRCode(username, siteUrl, providedSecret)
+	if err != nil {
+		t.Fatalf("Second generation failed: %v", err)
+	}
+
+	// Secret strings should be the same when using the same input secret
+	if secretStr1 != secretStr2 {
+		t.Error("Secret strings differ when using the same provided secret")
+	}
+
+	// Secret bytes should match the provided secret
+	if string(secret1) != string(providedSecret) {
+		t.Error("Returned secret bytes do not match provided secret (first call)")
+	}
+	if string(secret2) != string(providedSecret) {
+		t.Error("Returned secret bytes do not match provided secret (second call)")
+	}
+}
+
+func TestGenerateQRCode_ConcurrentGeneration(t *testing.T) {
+	username := "testuser"
+	siteUrl := "opengist.io"
+	concurrency := 10
+
+	type result struct {
+		secretStr   string
+		secretBytes []byte
+		err         error
+	}
+
+	results := make(chan result, concurrency)
+	var wg sync.WaitGroup
+
+	for i := 0; i < concurrency; i++ {
+		wg.Add(1)
+		go func() {
+			defer wg.Done()
+			secretStr, _, secretBytes, err := GenerateQRCode(username, siteUrl, nil)
+			results <- result{secretStr: secretStr, secretBytes: secretBytes, err: err}
+		}()
+	}
+
+	wg.Wait()
+	close(results)
+
+	secrets := make(map[string]bool)
+	for res := range results {
+		if res.err != nil {
+			t.Errorf("Concurrent generation failed: %v", res.err)
+			continue
+		}
+
+		// Check for duplicates
+		if secrets[res.secretStr] {
+			t.Error("Duplicate secret generated in concurrent test")
+		}
+		secrets[res.secretStr] = true
+	}
+}
+
+func TestValidate(t *testing.T) {
+	// Generate a valid secret for testing
+	_, _, secret, err := GenerateQRCode("testuser", "opengist.io", nil)
+	if err != nil {
+		t.Fatalf("Failed to generate secret: %v", err)
+	}
+
+	// Convert secret bytes to base32 string for TOTP
+	secretStr, _, _, err := GenerateQRCode("testuser", "opengist.io", secret)
+	if err != nil {
+		t.Fatalf("Failed to generate secret string: %v", err)
+	}
+
+	// Generate a valid passcode for the current time
+	validPasscode, err := totp.GenerateCode(secretStr, time.Now())
+	if err != nil {
+		t.Fatalf("Failed to generate valid passcode: %v", err)
+	}
+
+	tests := []struct {
+		name      string
+		passcode  string
+		secret    string
+		wantValid bool
+	}{
+		{
+			name:      "valid passcode",
+			passcode:  validPasscode,
+			secret:    secretStr,
+			wantValid: true,
+		},
+		{
+			name:      "invalid passcode - wrong digits",
+			passcode:  "000000",
+			secret:    secretStr,
+			wantValid: false,
+		},
+		{
+			name:      "invalid passcode - wrong length",
+			passcode:  "123",
+			secret:    secretStr,
+			wantValid: false,
+		},
+		{
+			name:      "empty passcode",
+			passcode:  "",
+			secret:    secretStr,
+			wantValid: false,
+		},
+		{
+			name:      "empty secret",
+			passcode:  validPasscode,
+			secret:    "",
+			wantValid: false,
+		},
+		{
+			name:      "invalid secret format",
+			passcode:  validPasscode,
+			secret:    "not-a-valid-base32-secret!@#",
+			wantValid: false,
+		},
+		{
+			name:      "passcode with letters",
+			passcode:  "12345A",
+			secret:    secretStr,
+			wantValid: false,
+		},
+		{
+			name:      "passcode with spaces",
+			passcode:  "123 456",
+			secret:    secretStr,
+			wantValid: false,
+		},
+	}
+
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			valid := Validate(tt.passcode, tt.secret)
+			if valid != tt.wantValid {
+				t.Errorf("Validate() = %v, want %v", valid, tt.wantValid)
+			}
+		})
+	}
+}
+
+func TestValidate_TimeDrift(t *testing.T) {
+	// Generate a valid secret
+	secretStr, _, _, err := GenerateQRCode("testuser", "opengist.io", nil)
+	if err != nil {
+		t.Fatalf("Failed to generate secret: %v", err)
+	}
+
+	// Test that passcodes from previous and next time windows are accepted
+	// (TOTP typically accepts codes from ±1 time window for clock drift)
+	pastTime := time.Now().Add(-30 * time.Second)
+	futureTime := time.Now().Add(30 * time.Second)
+
+	pastPasscode, err := totp.GenerateCode(secretStr, pastTime)
+	if err != nil {
+		t.Fatalf("Failed to generate past passcode: %v", err)
+	}
+
+	futurePasscode, err := totp.GenerateCode(secretStr, futureTime)
+	if err != nil {
+		t.Fatalf("Failed to generate future passcode: %v", err)
+	}
+
+	// These should be valid due to time drift tolerance
+	if !Validate(pastPasscode, secretStr) {
+		t.Error("Validate() rejected passcode from previous time window")
+	}
+
+	if !Validate(futurePasscode, secretStr) {
+		t.Error("Validate() rejected passcode from next time window")
+	}
+}
+
+func TestValidate_ExpiredPasscode(t *testing.T) {
+	// Generate a valid secret
+	secretStr, _, _, err := GenerateQRCode("testuser", "opengist.io", nil)
+	if err != nil {
+		t.Fatalf("Failed to generate secret: %v", err)
+	}
+
+	// Generate a passcode from 2 minutes ago (should be expired)
+	oldTime := time.Now().Add(-2 * time.Minute)
+	oldPasscode, err := totp.GenerateCode(secretStr, oldTime)
+	if err != nil {
+		t.Fatalf("Failed to generate old passcode: %v", err)
+	}
+
+	// This should be invalid
+	if Validate(oldPasscode, secretStr) {
+		t.Error("Validate() accepted expired passcode from 2 minutes ago")
+	}
+}
+
+func TestValidate_RoundTrip(t *testing.T) {
+	// Test full round trip: generate secret, generate code, validate code
+	tests := []struct {
+		name     string
+		username string
+		siteUrl  string
+	}{
+		{
+			name:     "basic round trip",
+			username: "testuser",
+			siteUrl:  "opengist.io",
+		},
+		{
+			name:     "round trip with dot in username",
+			username: "test.user",
+			siteUrl:  "opengist.io",
+		},
+		{
+			name:     "round trip with hyphen in username",
+			username: "test-user",
+			siteUrl:  "opengist.io",
+		},
+	}
+
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			// Generate QR code and secret
+			secretStr, _, _, err := GenerateQRCode(tt.username, tt.siteUrl, nil)
+			if err != nil {
+				t.Fatalf("GenerateQRCode() failed: %v", err)
+			}
+
+			// Generate a valid passcode
+			passcode, err := totp.GenerateCode(secretStr, time.Now())
+			if err != nil {
+				t.Fatalf("GenerateCode() failed: %v", err)
+			}
+
+			// Validate the passcode
+			if !Validate(passcode, secretStr) {
+				t.Error("Validate() rejected valid passcode")
+			}
+
+			// Validate wrong passcode fails
+			wrongPasscode := "000000"
+			if passcode == wrongPasscode {
+				wrongPasscode = "111111"
+			}
+			if Validate(wrongPasscode, secretStr) {
+				t.Error("Validate() accepted invalid passcode")
+			}
+		})
+	}
+}
+
+func TestGenerateSecret(t *testing.T) {
+	// Test the internal generateSecret function behavior through GenerateQRCode
+	for i := 0; i < 10; i++ {
+		_, _, secret, err := GenerateQRCode("testuser", "opengist.io", nil)
+		if err != nil {
+			t.Fatalf("Iteration %d: generateSecret() failed: %v", i, err)
+		}
+
+		if len(secret) != secretSize {
+			t.Errorf("Iteration %d: secret length = %d, want %d", i, len(secret), secretSize)
+		}
+
+		// Verify secret is not all zeros (extremely unlikely with crypto/rand)
+		allZeros := true
+		for _, b := range secret {
+			if b != 0 {
+				allZeros = false
+				break
+			}
+		}
+		if allZeros {
+			t.Errorf("Iteration %d: secret is all zeros", i)
+		}
+	}
+}

internal/auth/try_login.go

@@ -0,0 +1,83 @@
+package auth
+
+import (
+	"errors"
+
+	"github.com/rs/zerolog/log"
+	"github.com/thomiceli/opengist/internal/auth/ldap"
+	passwordpkg "github.com/thomiceli/opengist/internal/auth/password"
+	"github.com/thomiceli/opengist/internal/db"
+	"gorm.io/gorm"
+)
+
+type AuthError struct {
+	message string
+}
+
+func (e AuthError) Error() string {
+	return e.message
+}
+
+func TryAuthentication(username, password string) (*db.User, error) {
+	user, err := db.GetUserByUsername(username)
+	if err != nil {
+		if !errors.Is(err, gorm.ErrRecordNotFound) {
+			log.Error().Err(err).Msgf("Cannot get user by username %s", username)
+			return nil, err
+		}
+	}
+
+	if user.Password != "" {
+		return tryDbLogin(user, password)
+	} else {
+		if ldap.Enabled() {
+			return tryLdapLogin(username, password)
+		}
+		return nil, AuthError{"no authentication method available"}
+	}
+}
+
+func tryDbLogin(user *db.User, password string) (*db.User, error) {
+	if ok, err := passwordpkg.VerifyPassword(password, user.Password); !ok {
+		if err != nil {
+			log.Error().Err(err).Msg("Password verification failed")
+			return nil, err
+		}
+		return nil, AuthError{"invalid password"}
+	}
+
+	return user, nil
+}
+
+func tryLdapLogin(username, password string) (user *db.User, err error) {
+	ok, err := ldap.Authenticate(username, password)
+	if err != nil {
+		log.Error().Err(err).Msg("LDAP authentication failed")
+		return nil, err
+	}
+
+	if !ok {
+		return nil, AuthError{"invalid LDAP credentials"}
+	}
+
+	if user, err = db.GetUserByUsername(username); err != nil {
+		if !errors.Is(err, gorm.ErrRecordNotFound) {
+			log.Error().Err(err).Msgf("Cannot get user by username %s", username)
+			return nil, err
+		}
+	}
+
+	if errors.Is(err, gorm.ErrRecordNotFound) {
+		user = &db.User{
+			Username: username,
+		}
+		if err = user.Create(); err != nil {
+			log.Warn().Err(err).Msg("Cannot create user after LDAP authentication")
+			return nil, err
+		}
+
+		return user, nil
+	}
+
+	return user, nil
+}

internal/auth/webauthn/user.go

@@ -0,0 +1,58 @@
+package webauthn
+
+import (
+	"encoding/binary"
+	"github.com/go-webauthn/webauthn/protocol"
+	"github.com/go-webauthn/webauthn/webauthn"
+	"github.com/thomiceli/opengist/internal/db"
+)
+
+type user struct {
+	*db.User
+}
+
+func (u *user) WebAuthnID() []byte {
+	return uintToBytes(u.ID)
+}
+
+func (u *user) WebAuthnName() string {
+	return u.Username
+}
+
+func (u *user) WebAuthnDisplayName() string {
+	return u.Username
+}
+
+func (u *user) WebAuthnCredentials() []webauthn.Credential {
+	dbCreds, err := db.GetAllWACredentialsForUser(u.ID)
+	if err != nil {
+		return nil
+	}
+
+	return dbCreds
+}
+
+func (u *user) Exclusions() []protocol.CredentialDescriptor {
+	creds := u.WebAuthnCredentials()
+	exclusions := make([]protocol.CredentialDescriptor, len(creds))
+	for i, cred := range creds {
+		exclusions[i] = cred.Descriptor()
+	}
+
+	return exclusions
+}
+
+func discoverUser(rawID []byte, _ []byte) (webauthn.User, error) {
+	ogUser, err := db.GetUserByCredentialID(rawID)
+	if err != nil {
+		return nil, err
+	}
+
+	return &user{User: ogUser}, nil
+}
+
+func uintToBytes(n uint) []byte {
+	b := make([]byte, 8)
+	binary.BigEndian.PutUint64(b, uint64(n))
+	return b
+}