feat(nginx): OIDC webfinger

2026-02-09 12:29:19 -08:00 · 2024-07-31 11:59:51 -07:00 · 2024-07-31 11:59:51 -07:00 · 9e1a9aa752
commit 9e1a9aa752
parent ffde3c1c27
1 changed files with 37 additions and 2 deletions
--- a/nixos/access/gensokyo.nix
+++ b/nixos/access/gensokyo.nix
@ -4,9 +4,13 @@
  lib,
  pkgs,
  ...
-}: {
+}: let
+  inherit (lib.modules) mkMerge mkAfter;
+  inherit (lib.strings) escapeRegex;
+  inherit (gensokyo-zone.lib) domain;
+in {
  services.nginx.virtualHosts.gensokyoZone = {
-    serverName = config.networking.domain;
+    serverName = domain;
    locations = {
      "/" = {
        root = gensokyo-zone.inputs.website.packages.${pkgs.system}.gensokyoZone;
@ -19,6 +23,37 @@
          }
        ];
      };
+      "/.well-known/webfinger" = let
+        # https://www.rfc-editor.org/rfc/rfc7033#section-3.1
+        oidc = {
+          subject = "acct:${acct}@${domain}";
+          links = [
+            {
+              rel = "http://openid.net/specs/connect/1.0/issuer";
+              href = "https://sso.${domain}/realms/${domain}";
+            }
+          ];
+        };
+        acct = "$webfinger_oidc_acct";
+      in {
+        headers.set.Access-Control-Allow-Origin = "*";
+        extraConfig = mkMerge [
+          ''
+            set ${acct} "";
+            if ($arg_resource ~* "^acct(%3A|:)([^%@]*)(%40|@)${escapeRegex domain}$") {
+              set ${acct} $2;
+              add_header "Content-Type" "application/jrd+json";
+            }
+            if ($arg_rel !~* "http.*openid\.net") {
+              set ${acct} "";
+            }
+            if (${acct} = "") {
+              return 404;
+            }
+          ''
+          (mkAfter "return 200 '${builtins.toJSON oidc}';")
+        ];
+      };
    };
  };
 }