Add CSP header, restructure deployment user
parent
ef89a0a949
commit
87b41e0627
|
@ -21,7 +21,7 @@
|
|||
add_header Strict-Transport-Security $hsts_header;
|
||||
|
||||
# Enable CSP for your services.
|
||||
#add_header Content-Security-Policy "script-src 'self'; object-src 'none'; base-uri 'none';" always;
|
||||
add_header Content-Security-Policy "script-src 'self'; object-src 'none'; base-uri 'none';" always;
|
||||
|
||||
# Minimize information leaked to other domains
|
||||
add_header 'Referrer-Policy' 'same-origin';
|
||||
|
|
|
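Review bot: The newly enabled Content-Security-Policy line carries `always`, but the Strict-Transport-Security and Referrer-Policy headers beside it do not, so 4xx/5xx responses will carry the CSP without the other two. For consistency, consider `add_header Strict-Transport-Security $hsts_header always;` and `add_header 'Referrer-Policy' 'same-origin' always;`. nginx also discards all inherited `add_header` directives in any block that declares one of its own, so a server or location block elsewhere that sets a header would silently drop this policy; those blocks are outside the hunk and worth checking. The comment `# Enable CSP for your services.` still reads like an instruction for an opt-in line and could say that the policy is now active, e.g. `# CSP is enabled here; relax it per service only where required.`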
@ -34,7 +34,7 @@
|
|||
];
|
||||
};
|
||||
|
||||
users.users.deploy = {
|
||||
users.users.deploy-nix = {
|
||||
isNormalUser = true;
|
||||
extraGroups = [ "wheel" ];
|
||||
openssh.authorizedKeys.keys = [
|
||||
|
@ -42,7 +42,15 @@
|
|||
];
|
||||
};
|
||||
|
||||
users.users.deploy-web = {
|
||||
isNormalUser = true;
|
||||
openssh.authorizedKeys.keys = [
|
||||
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAILk4m1uJzxd7pDmMZgnZxqD6lEIfVPf+I4tKPo0jJJrK deploy@drone.data.coop"
|
||||
];
|
||||
};
|
||||
|
||||
users.groups.backup.members = [ "virtualMail" ];
|
||||
users.groups.nginx.members = [ "deploy-web" ];
|
||||
|
||||
security.sudo.wheelNeedsPassword = false;
|
||||
|
||||
|
@ -55,7 +63,6 @@
|
|||
|
||||
nix.trustedUsers = [
|
||||
"root"
|
||||
"deploy"
|
||||
"@wheel"
|
||||
];
|
||||
|
||||
|
|
|
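Review bot: `deploy-web` holds a key labelled as belonging to the CI system, yet `isNormalUser = true` gives it an interactive login shell, and `users.groups.nginx.members = [ "deploy-web" ];` gives it everything the nginx group can read. On NixOS hosts that obtain certificates through the nginx module, the ACME private keys are typically group-readable by `nginx`, so this membership may expose TLS key material to the CI account; whether it does depends on configuration outside these hunks. A dedicated group that owns only the web root would be narrower. The key string can also be prefixed with OpenSSH options such as `restrict,command="<upload-command placeholder>"`, so that a leaked CI key cannot open a shell. Separately, `deploy-nix` remains in `wheel` with `security.sudo.wheelNeedsPassword = false` and is still covered by `"@wheel"` in `nix.trustedUsers`, so its key stays equivalent to root and deserves a comment saying so.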
@ -13,7 +13,7 @@ in import "${sources.nixus}" {} ({ config, ... }: {
|
|||
|
||||
nodes = {
|
||||
mail = { lib, config, ... }: {
|
||||
host = "deploy@nixaalb.org";
|
||||
host = "deploy-nix@nixaalb.org";
|
||||
configuration = ../config/hosts/capetillo/configuration.nix;
|
||||
switchTimeout = 300;
|
||||
successTimeout = 300;
|
||||
|
|