diff --git a/nixos/access/gensokyo.nix b/nixos/access/gensokyo.nix
index 48dc6bc5..7d7f3213 100644
--- a/nixos/access/gensokyo.nix
+++ b/nixos/access/gensokyo.nix
@@ -4,9 +4,13 @@
   lib,
   pkgs,
   ...
-}: {
+}: let
+  inherit (lib.modules) mkMerge mkAfter;
+  inherit (lib.strings) escapeRegex;
+  inherit (gensokyo-zone.lib) domain;
+in {
   services.nginx.virtualHosts.gensokyoZone = {
-    serverName = config.networking.domain;
+    serverName = domain;
     locations = {
       "/" = {
         root = gensokyo-zone.inputs.website.packages.${pkgs.system}.gensokyoZone;
@@ -19,6 +23,37 @@
           }
         ];
       };
+      "/.well-known/webfinger" = let
+        # https://www.rfc-editor.org/rfc/rfc7033#section-3.1
+        oidc = {
+          subject = "acct:${acct}@${domain}";
+          links = [
+            {
+              rel = "http://openid.net/specs/connect/1.0/issuer";
+              href = "https://sso.${domain}/realms/${domain}";
+            }
+          ];
+        };
+        acct = "$webfinger_oidc_acct";
+      in {
+        headers.set.Access-Control-Allow-Origin = "*";
+        extraConfig = mkMerge [
+          ''
+            set ${acct} "";
+            if ($arg_resource ~* "^acct(%3A|:)([^%@]*)(%40|@)${escapeRegex domain}$") {
+              set ${acct} $2;
+              add_header "Content-Type" "application/jrd+json";
+            }
+            if ($arg_rel !~* "http.*openid\.net") {
+              set ${acct} "";
+            }
+            if (${acct} = "") {
+              return 404;
+            }
+          ''
+          (mkAfter "return 200 '${builtins.toJSON oidc}';")
+        ];
+      };
     };
   };
 }
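Review bot: The `$2` capture taken from `$arg_resource` is interpolated verbatim into the JSON body of the `return 200 '…'` line (the `subject` field holds the literal `$webfinger_oidc_acct` at eval time, so nginx expands it per request), and the character class `[^%@]*` still admits `"`, `\` and control characters, so a crafted `resource` value can break or reshape the JRD document that this location serves with `Access-Control-Allow-Origin: *`. Restricting the capture to the characters a local part is expected to contain, e.g. `([A-Za-z0-9._+-]+)` in place of `([^%@]*)`, keeps the interpolated value JSON-safe without adding an escaping step. Separately, `add_header "Content-Type" "application/jrd+json"` appends a header rather than replacing the one nginx derives from `default_type` for a `return` body, so the response likely carries two Content-Type values; `default_type application/jrd+json;` at location level (outside the `if`) is the usual form. The `$arg_rel` filter also turns a request with no `rel` parameter into a 404, which is stricter than RFC 7033's handling of an absent `rel` — worth a one-line comment if that is intended.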