From 1ff8270a0128d1210f559b13b97e927b14150379 Mon Sep 17 00:00:00 2001
From: Conrad Kramer <conrad@conradkramer.com>
Date: Wed, 1 Apr 2026 01:26:08 -0700
Subject: [PATCH] Advertise OIDC discovery on burrow.net

---
 nixos/modules/burrow-forge.nix | 6 ++++++
 1 file changed, 6 insertions(+)

diff --git a/nixos/modules/burrow-forge.nix b/nixos/modules/burrow-forge.nix
index edf5538..890e1d3 100644
--- a/nixos/modules/burrow-forge.nix
+++ b/nixos/modules/burrow-forge.nix
@@ -199,6 +199,12 @@ in
             reverse_proxy 127.0.0.1:${toString config.services.forgejo.settings.server.HTTP_PORT}
           '';
           "${cfg.siteDomain}".extraConfig = ''
+            encode gzip zstd
+            @oidcConfig path /.well-known/openid-configuration
+            redir @oidcConfig https://${config.services.burrow.authentik.domain}/application/o/${config.services.burrow.authentik.forgejoProviderSlug}/.well-known/openid-configuration 308
+            @webfinger path /.well-known/webfinger
+            header @webfinger Content-Type application/jrd+json
+            respond @webfinger "{\"subject\":\"{query.resource}\",\"links\":[{\"rel\":\"http://openid.net/specs/connect/1.0/issuer\",\"href\":\"https://${config.services.burrow.authentik.domain}/application/o/${config.services.burrow.authentik.forgejoProviderSlug}/\"}]}" 200
             @root path /
             redir @root ${homeRepoUrl} 308
             respond 404