Initial commit

.github/renovate.json

@@ -0,0 +1,5 @@
+{
+  "extends": [
+    "config:base"
+  ]
+}

.github/workflows/build-docker-image.yaml

@@ -0,0 +1,33 @@
+name: ci
+
+on:
+  push:
+    branches:
+      - "master"
+    tags:
+      - "[0-9]+.[0-9]+.[0-9]+"
+
+jobs:
+  docker:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Set up QEMU
+        uses: docker/setup-qemu-action@v2
+      - name: Set up Docker Buildx
+        uses: docker/setup-buildx-action@v2
+      - name: Login to GHCR
+        uses: docker/login-action@v2
+        if: github.event_name != 'pull_request'
+        with:
+          registry: ghcr.io
+          username: ${{ github.actor }}
+          password: ${{ secrets.GITHUB_TOKEN }}
+      - name: Build and push
+        id: docker_build
+        uses: docker/build-push-action@v3
+        with:
+          push: true
+          platforms: linux/amd64,linux/arm64,linux/arm/v7
+          tags: |
+            ghcr.io/${{ github.repository_owner }}/simple-webfinger:${{ github.ref_name }}
+            ghcr.io/${{ github.repository_owner }}/simple-webfinger:latest

.gitignore

@@ -0,0 +1,129 @@
+# Byte-compiled / optimized / DLL files
+__pycache__/
+*.py[cod]
+*$py.class
+
+# C extensions
+*.so
+
+# Distribution / packaging
+.Python
+build/
+develop-eggs/
+dist/
+downloads/
+eggs/
+.eggs/
+lib/
+lib64/
+parts/
+sdist/
+var/
+wheels/
+pip-wheel-metadata/
+share/python-wheels/
+*.egg-info/
+.installed.cfg
+*.egg
+MANIFEST
+
+# PyInstaller
+#  Usually these files are written by a python script from a template
+#  before PyInstaller builds the exe, so as to inject date/other infos into it.
+*.manifest
+*.spec
+
+# Installer logs
+pip-log.txt
+pip-delete-this-directory.txt
+
+# Unit test / coverage reports
+htmlcov/
+.tox/
+.nox/
+.coverage
+.coverage.*
+.cache
+nosetests.xml
+coverage.xml
+*.cover
+*.py,cover
+.hypothesis/
+.pytest_cache/
+
+# Translations
+*.mo
+*.pot
+
+# Django stuff:
+*.log
+local_settings.py
+db.sqlite3
+db.sqlite3-journal
+
+# Flask stuff:
+instance/
+.webassets-cache
+
+# Scrapy stuff:
+.scrapy
+
+# Sphinx documentation
+docs/_build/
+
+# PyBuilder
+target/
+
+# Jupyter Notebook
+.ipynb_checkpoints
+
+# IPython
+profile_default/
+ipython_config.py
+
+# pyenv
+.python-version
+
+# pipenv
+#   According to pypa/pipenv#598, it is recommended to include Pipfile.lock in version control.
+#   However, in case of collaboration, if having platform-specific dependencies or dependencies
+#   having no cross-platform support, pipenv may install dependencies that don't work, or not
+#   install all needed dependencies.
+#Pipfile.lock
+
+# PEP 582; used by e.g. github.com/David-OConnor/pyflow
+__pypackages__/
+
+# Celery stuff
+celerybeat-schedule
+celerybeat.pid
+
+# SageMath parsed files
+*.sage.py
+
+# Environments
+.env
+.venv
+env/
+venv/
+ENV/
+env.bak/
+venv.bak/
+
+# Spyder project settings
+.spyderproject
+.spyproject
+
+# Rope project settings
+.ropeproject
+
+# mkdocs documentation
+/site
+
+# mypy
+.mypy_cache/
+.dmypy.json
+dmypy.json
+
+# Pyre type checker
+.pyre/

Dockerfile

@@ -0,0 +1,13 @@
+# syntax=docker/dockerfile:1.4
+FROM --platform=$BUILDPLATFORM python:3.10-alpine
+
+WORKDIR /app
+
+COPY requirements.txt /app
+RUN --mount=type=cache,target=/root/.cache/pip \
+    pip3 install -r requirements.txt
+
+COPY app.py /app
+
+ENTRYPOINT ["python3"]
+CMD ["app.py"]

README.md

@@ -0,0 +1,16 @@
+# Simple Webfinger
+
+A simple, Flask-based webfinger handler.
+
+Simple Webfinger was created to provide an ODIC href from a basic YAML configuration file. Ideally to use with Tailscale and Authentik.
+
+## Configuration
+
+The `example-config.yaml` has the basic layout of the YAML file, which has the following fields. This should be provided as `config.yaml` in the working directory you're running the process.
+
+| Key         | Value Example               | Description                                                   |
+| ----------- | --------------------------- | ------------------------------------------------------------- |
+| `domain`    | `doofnet.uk`                | The domain to respond to, it'll return 404s for anything else |
+| `oidc_href` | `https://id.doofnet.uk/...` | The href to return for OIDC rels                              |
+
+

app.py

@@ -0,0 +1,27 @@
+from flask import Flask, request, abort
+import yaml
+
+app = Flask(__name__)
+
+with open('config.yaml', 'rb') as fobj:
+    data = yaml.load(fobj, yaml.SafeLoader)
+
+
+@app.route("/.well-known/webfinger")
+def webfinger():
+    resource = request.args.get('resource')
+
+    if resource.split('@')[1] != data['domain']:
+        abort(404)
+
+    return {
+        'subject': resource,
+        'links': [{
+            'rel': "http://openid.net/specs/connect/1.0/issuer",
+            'href': data['oidc_href'],
+        }]
+    }
+
+
+if __name__ == '__main__':
+    app.run(host='0.0.0.0', port=8000)

example-config.yaml

@@ -0,0 +1,2 @@
+domain: doofnet.uk
+oidc_href: https://id.doofnet.uk/application/o/tailscale/.well-known/openid-configuration

requirements-dev.txt

@@ -0,0 +1,2 @@
+flake8
+autopep8

requirements.txt

@@ -0,0 +1,2 @@
+flask
+pyyaml