Add CSP header, restructure deployment user

This commit is contained in:
Emelie Graven 2021-11-23 11:40:34 +01:00
parent ef89a0a949
commit 87b41e0627
Signed by: emelie
GPG key ID: C11123726DBB55A1
3 changed files with 11 additions and 4 deletions

View file

@ -21,7 +21,7 @@
add_header Strict-Transport-Security $hsts_header;
# Enable CSP for your services.
#add_header Content-Security-Policy "script-src 'self'; object-src 'none'; base-uri 'none';" always;
add_header Content-Security-Policy "script-src 'self'; object-src 'none'; base-uri 'none';" always;
# Minimize information leaked to other domains
add_header 'Referrer-Policy' 'same-origin';

View file

@ -34,7 +34,7 @@
];
};
users.users.deploy = {
users.users.deploy-nix = {
isNormalUser = true;
extraGroups = [ "wheel" ];
openssh.authorizedKeys.keys = [
@ -42,7 +42,15 @@
];
};
users.users.deploy-web = {
isNormalUser = true;
openssh.authorizedKeys.keys = [
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAILk4m1uJzxd7pDmMZgnZxqD6lEIfVPf+I4tKPo0jJJrK deploy@drone.data.coop"
];
};
users.groups.backup.members = [ "virtualMail" ];
users.groups.nginx.members = [ "deploy-web" ];
security.sudo.wheelNeedsPassword = false;
@ -55,7 +63,6 @@
nix.trustedUsers = [
"root"
"deploy"
"@wheel"
];

View file

@ -13,7 +13,7 @@ in import "${sources.nixus}" {} ({ config, ... }: {
nodes = {
mail = { lib, config, ... }: {
host = "deploy@nixaalb.org";
host = "deploy-nix@nixaalb.org";
configuration = ../config/hosts/capetillo/configuration.nix;
switchTimeout = 300;
successTimeout = 300;