From f8c39a2d7935898fd7d6714f423181dc4dff5426 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?=E2=9C=BF=20corey?=
Date: Thu, 9 Apr 2026 15:21:03 -0700
Subject: [PATCH 1/3] feat(spore): add WebFinger endpoint to Pocket ID nginx vhost

Serves a dynamic WebFinger response at id.zx.dev/.well-known/webfinger, echoing back the resource param as subject and returning the Pocket ID issuer URL. Required for Tailscale custom OIDC integration.

Co-Authored-By: Claude Sonnet 4.6
---
 modules/nixos/web/auth.nix | 7 +++++++
 1 file changed, 7 insertions(+)

diff --git a/modules/nixos/web/auth.nix b/modules/nixos/web/auth.nix
index 213deca4..4f8bc126 100644
--- a/modules/nixos/web/auth.nix
+++ b/modules/nixos/web/auth.nix
@@ -180,6 +180,13 @@ in {
 virtualHosts.${cfg.issuer.host} = {
 forceSSL = true;
 inherit (cfg.issuer) useACMEHost;
+ locations."= /.well-known/webfinger" = {
+ extraConfig = ''
+ default_type application/jrd+json;
+ add_header Access-Control-Allow-Origin '*' always;
+ return 200 '{"subject":"$arg_resource","links":[{"rel":"http://openid.net/specs/connect/1.0/issuer","href":"https://${cfg.issuer.host}"}]}';
+ '';
+ };
 locations."/" = {
 proxyPass = "http://127.0.0.1:1411";
 proxyWebsockets = true;

From 7526008007a7a56e514bee4902fd042edece085f Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?=E2=9C=BF=20corey?=
Date: Thu, 9 Apr 2026 15:32:49 -0700
Subject: [PATCH 2/3] fix(spore): serve OIDC WebFinger on zx.dev instead of redirecting to pub.zx.dev

Tailscale resolves WebFinger from the email domain (zx.dev), not the issuer host. Replace the defunct Mastodon redirect with a direct OIDC issuer response.

Co-Authored-By: Claude Sonnet 4.6
---
 hosts/spore/services/web/default.nix | 7 ++++---
 1 file changed, 4 insertions(+), 3 deletions(-)

diff --git a/hosts/spore/services/web/default.nix b/hosts/spore/services/web/default.nix
index 701c9f61..cd7726e1 100644
--- a/hosts/spore/services/web/default.nix
+++ b/hosts/spore/services/web/default.nix
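Review bot: The `return 200 '{"subject":"$arg_resource",...}'` line interpolates the `resource` query parameter into the JSON body with no validation or escaping, so a request with no `resource` gets a 200 with `"subject":""` (RFC 7033 §4.2 expects a 400 there) and a value carrying `"` or `\` yields a malformed or client-shaped document; as far as I know nginx does not percent-decode `$arg_` values, so the raw characters pass straight through. A whitelist before the `return` covers both cases, e.g. `if ($arg_resource !~ "^[A-Za-z0-9%:@._+-]+$") { return 400; }`, which still admits the percent-encoded form a client may send — confirm the allowed set against what the integration actually requests. The same hunk in hosts/spore/services/web/default.nix (PATCH 2/3) has the identical line and needs the same guard; note that PATCH 3/3 reverts this copy, so the PATCH 2/3 one is the copy that stays live. The enclosing `virtualHosts` attrset continues outside the hunk.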
@@ -36,11 +36,12 @@
 forceSSL = true;
 useACMEHost = "zx.dev";
 locations = {
- "/.well-known/webfinger" = {
+ "= /.well-known/webfinger" = {
 extraConfig = ''
- add_header Access-Control-Allow-Origin '*';
+ default_type application/jrd+json;
+ add_header Access-Control-Allow-Origin '*' always;
+ return 200 '{"subject":"$arg_resource","links":[{"rel":"http://openid.net/specs/connect/1.0/issuer","href":"https://id.zx.dev"}]}';
 '';
- return = "301 https://pub.zx.dev$request_uri";
 };
 "/pgp".return = "302 https://keyoxide.org/hkp/413d1a0152bcb08d2e3ddacaf88c08579051ab48";
 };

From 6a3aa877580f1887416839cdc327315250c1bc9b Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?=E2=9C=BF=20corey?=
Date: Fri, 10 Apr 2026 10:57:03 -0700
Subject: [PATCH 3/3] revert(spore): remove WebFinger from id.zx.dev vhost

Tailscale resolves WebFinger at the email domain (zx.dev), not the issuer host (id.zx.dev), so the endpoint there is never used.

Co-Authored-By: Claude Sonnet 4.6
---
 modules/nixos/web/auth.nix | 7 -------
 1 file changed, 7 deletions(-)

diff --git a/modules/nixos/web/auth.nix b/modules/nixos/web/auth.nix
index 4f8bc126..213deca4 100644
--- a/modules/nixos/web/auth.nix
+++ b/modules/nixos/web/auth.nix
@@ -180,13 +180,6 @@ in {
 virtualHosts.${cfg.issuer.host} = {
 forceSSL = true;
 inherit (cfg.issuer) useACMEHost;
- locations."= /.well-known/webfinger" = {
- extraConfig = ''
- default_type application/jrd+json;
- add_header Access-Control-Allow-Origin '*' always;
- return 200 '{"subject":"$arg_resource","links":[{"rel":"http://openid.net/specs/connect/1.0/issuer","href":"https://${cfg.issuer.host}"}]}';
- '';
- };
 locations."/" = {
 proxyPass = "http://127.0.0.1:1411";
 proxyWebsockets = true;
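Review bot: The issuer `href` in the added `return 200` line is the literal `https://id.zx.dev`, while the sibling hunk in modules/nixos/web/auth.nix (PATCH 1/3) derives the same value from `${cfg.issuer.host}`; if the Pocket ID issuer host is ever changed in that module, this WebFinger answer keeps pointing relying parties at the old issuer with no evaluation error to catch it. If the module's issuer option is reachable from this host file, build the `href` from it; if not, a comment on the line such as `# issuer href must match the Pocket ID issuer host configured in modules/nixos/web/auth.nix` at least ties the two together. The enclosing `locations` attrset and its virtual host start outside the hunk.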