feat(spore): add WebFinger endpoint to Pocket ID nginx vhost (#431)

stackptr · claude · web-flow · commit ee3ebdf9c945 · 2026-04-10T18:01:18.000Z
* feat(spore): add WebFinger endpoint to Pocket ID nginx vhost

Serves a dynamic WebFinger response at id.zx.dev/.well-known/webfinger,
echoing back the resource param as subject and returning the Pocket ID
issuer URL. Required for Tailscale custom OIDC integration.

Co-Authored-By: Claude Sonnet 4.6 &lt;noreply@anthropic.com&gt;

* fix(spore): serve OIDC WebFinger on zx.dev instead of redirecting to pub.zx.dev

Tailscale resolves WebFinger from the email domain (zx.dev), not the
issuer host. Replace the defunct Mastodon redirect with a direct OIDC
issuer response.

Co-Authored-By: Claude Sonnet 4.6 &lt;noreply@anthropic.com&gt;

* revert(spore): remove WebFinger from id.zx.dev vhost

Tailscale resolves WebFinger at the email domain (zx.dev), not the
issuer host (id.zx.dev), so the endpoint there is never used.

Co-Authored-By: Claude Sonnet 4.6 &lt;noreply@anthropic.com&gt;

---------

Co-authored-by: Claude Sonnet 4.6 &lt;noreply@anthropic.com&gt;
diff --git a/hosts/spore/services/web/default.nix b/hosts/spore/services/web/default.nix
@@ -36,11 +36,12 @@
         forceSSL = true;
         useACMEHost = "zx.dev";
         locations = {
-          "/.well-known/webfinger" = {
+          "= /.well-known/webfinger" = {
             extraConfig = ''
-              add_header Access-Control-Allow-Origin '*';
+              default_type application/jrd+json;
+              add_header Access-Control-Allow-Origin '*' always;
+              return 200 '{"subject":"$arg_resource","links":[{"rel":"http://openid.net/specs/connect/1.0/issuer","href":"https://id.zx.dev"}]}';
             '';
-            return = "301 https://pub.zx.dev$request_uri";
           };
           "/pgp".return = "302 https://keyoxide.org/hkp/413d1a0152bcb08d2e3ddacaf88c08579051ab48";
         };
