diff --git a/docker-compose.yaml b/docker-compose.yaml
new file mode 100644
index 0000000..cee4eee
--- /dev/null
+++ b/docker-compose.yaml
@@ -0,0 +1,11 @@
+version: "3.9"
+services:
+ resty:
+ image: openresty/openresty:1.21.4.1-4-alpine
+ ports:
+ - "8696:80"
+ environment:
+ - 'LUA_PATH=/?.lua;/aproxy/?.lua'
+ volumes:
+ - ./nginx.conf:/etc/nginx/conf.d/default.conf:ro
+ - .:/aproxy:ro
diff --git a/main.lua b/main.lua
new file mode 100644
index 0000000..ed7677f
--- /dev/null
+++ b/main.lua
@@ -0,0 +1,44 @@
+local CONFIG_PATH = ".;/etc/aproxy"
+
+-- function loadConfig()
+-- -- TODO load config_path
+-- return require("./config.lua")
+-- end
+--
+-- local config = loadConfig()
+
+function log(msg)
+ ngx.log(ngx.STDERR, tostring(msg))
+end
+
+local WANTED_SCRIPTS = {
+ 'scripts.webfinger_allowlist'
+}
+
+local compiled_chain = {}
+
+for _, module_name in pairs(WANTED_SCRIPTS) do
+ log('load module', module_name)
+ mod = require(module_name)
+ log('load module', mod)
+ table.insert(compiled_chain, mod)
+end
+
+local function onRequest()
+ log('AWOOOOGA')
+
+ for _,mod in ipairs(compiled_chain) do
+ log(mod)
+ local mod_config = {accounts = {"a@a.com"}}
+ local result, body = mod.callback(mod_config)
+ log(result)
+ log(body)
+ if not result then
+ ngx.status = 400
+ ngx.say(body or "request denied")
+ ngx.exit(400)
+ end
+ end
+end
+
+return onRequest
diff --git a/nginx.conf b/nginx.conf
new file mode 100644
index 0000000..81904be
--- /dev/null
+++ b/nginx.conf
@@ -0,0 +1,15 @@
+ server {
+ listen 80;
+ lua_code_cache off;
+
+ location / {
+ default_type text/html;
+
+ # must happen before proxy_pass
+ access_by_lua_block {
+ require("aproxy.main")()
+ }
+
+ proxy_pass http://localhost:9999;
+ }
+ }
diff --git a/scripts/webfinger_allowlist.lua b/scripts/webfinger_allowlist.lua
new file mode 100644
index 0000000..c036494
--- /dev/null
+++ b/scripts/webfinger_allowlist.lua
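Review bot: The mapping `- "8696:80"` publishes the proxy on every host interface, while the rest of this commit (`lua_code_cache off` in nginx.conf, a hard-coded account list in main.lua) reads as a development setup. Binding to loopback, `- "127.0.0.1:8696:80"`, keeps the unfinished filter off the network until it is meant to be exposed. A short comment above `- .:/aproxy:ro` noting that the whole checkout is mounted into the container would also help, since anything stored next to the sources becomes readable there.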
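Review bot: `onRequest` in main.lua runs `mod.callback(mod_config)` for every request whatever its path, although the module added in this commit also exports a `callbacks` table keyed by `/.well-known/webfinger`; as written, any request whose `resource` argument is not `a@a.com` is answered with 400, including traffic unrelated to WebFinger. Looking the handler up by `ngx.var.uri` scopes the filter to the endpoint it is meant to guard (other paths then pass to the upstream, which is presumably the intent), and the hard-coded `{accounts = {"a@a.com"}}` should come from configuration before this is deployed. Two smaller points in the same hunk: `log` and `mod` are created as globals (`local function log(msg)`, `local mod = require(module_name)`), and `log('load module', module_name)` silently drops its second argument because `log` takes one parameter. `onRequest` lies entirely inside this hunk.

```lua
local function onRequest()
    -- ngx.var.uri is the normalized request path, without the query string
    local handler_path = ngx.var.uri

    for _, mod in ipairs(compiled_chain) do
        local callback = mod.callbacks and mod.callbacks[handler_path]
        if callback then
            -- … unchanged: mod_config construction …
            local result, body = callback(mod_config)
            -- … unchanged: 400 response when result is falsy …
        end
    end
end
```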
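Review bot: `lua_code_cache off;` in nginx.conf makes OpenResty create a fresh Lua VM and reload every module on each request, a setting intended for development only; here it also means the filter chain in main.lua is re-required per request. Drop the line (the default is `on`) or mark it with a comment such as `# development only: reloads Lua code on every request`. The denial body written with `ngx.say` is plain text, so `default_type text/plain;` looks like the safer content type should those messages ever include request data. `proxy_pass http://localhost:9999;` resolves inside the container when started through the compose file in this commit, which defines no upstream service, so that target probably needs to be configurable.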
@@ -0,0 +1,44 @@
+function webfingerCallback(cfg)
+ local args, err = ngx.req.get_uri_args()
+ if err == "truncated" then
+ return false, 'uri args too long'
+ end
+
+ local resource = args['resource']
+ if resource ~= nil then
+ for _, account in ipairs(cfg.accounts) do
+ if resource == account then
+ return true
+ end
+ end
+ end
+
+ return false
+end
+
+return {
+ name='WebfingerAllowlist',
+ author='luna@l4.pm',
+ title='Webfinger Allowlist',
+ description=[[
+ Prevent unecessary DB load by discarding requests to users that we know
+ won't exist.
+
+ Useful for small instances.
+ ]],
+ apiVersion=1,
+ callback=webfingerCallback,
+ callbacks = {
+ ['/.well-known/webfinger'] = webfingerCallback
+ },
+ config={
+ ['accounts'] = {
+ type='table',
+ value={
+ type='string',
+ description='ap id'
+ },
+ description = 'list of account ids (in email@domain form) to pass through to AP'
+ }
+ },
+}
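Review bot: `resource == account` is an exact, case-sensitive string match, but WebFinger clients send `resource` as a URI, normally `acct:user@domain` (RFC 7033), while the config schema describes accounts in `email@domain` form; with accounts configured that way, ordinary lookups would be denied. Normalizing before the loop, e.g. `if type(resource) == "string" then resource = resource:gsub("^acct:", "") end`, makes the two forms comparable. The `type` check is worth keeping explicit with a comment, because `ngx.req.get_uri_args()` yields a table for a repeated key and `true` for a key without a value, and both should continue to be rejected. `webfingerCallback` is also defined as a global; `local function webfingerCallback(cfg)` keeps it out of `_G`.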