Add CSP header, restructure deployment user

2021-11-23 11:40:34 +01:00 · 2021-11-23 11:40:34 +01:00 · 87b41e0627
parent ef89a0a949
commit 87b41e0627
3 changed files with 11 additions and 4 deletions
--- a/config/common/services/nginx.nix
+++ b/config/common/services/nginx.nix
@ -21,7 +21,7 @@
 			add_header Strict-Transport-Security $hsts_header;

 			# Enable CSP for your services.
-			#add_header Content-Security-Policy "script-src 'self'; object-src 'none'; base-uri 'none';" always;
+			add_header Content-Security-Policy "script-src 'self'; object-src 'none'; base-uri 'none';" always;

 			# Minimize information leaked to other domains
 			add_header 'Referrer-Policy' 'same-origin';
--- a/config/hosts/capetillo/configuration.nix
+++ b/config/hosts/capetillo/configuration.nix
@ -34,7 +34,7 @@
 		];
 	};

-	users.users.deploy = {
+	users.users.deploy-nix = {
 		isNormalUser = true;
 	extraGroups = [ "wheel" ];
 		openssh.authorizedKeys.keys = [
@ -42,7 +42,15 @@
 		];
 	};

+	users.users.deploy-web = {
+		isNormalUser = true;
+		openssh.authorizedKeys.keys = [ 
+			"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAILk4m1uJzxd7pDmMZgnZxqD6lEIfVPf+I4tKPo0jJJrK deploy@drone.data.coop"
+		];
+	};
+
 	users.groups.backup.members = [ "virtualMail" ];
+	users.groups.nginx.members = [ "deploy-web" ];

 	security.sudo.wheelNeedsPassword = false;

@ -55,7 +63,6 @@

 	nix.trustedUsers = [
 		"root"
-	"deploy"
 		"@wheel"
 	];

--- a/deploy/default.nix
+++ b/deploy/default.nix
@ -13,7 +13,7 @@ in import "${sources.nixus}" {} ({ config, ... }: {

 	nodes = {
 		mail = { lib, config, ... }: {
-			host = "deploy@nixaalb.org";
+			host = "deploy-nix@nixaalb.org";
 			configuration = ../config/hosts/capetillo/configuration.nix;
 			switchTimeout = 300;
 			successTimeout = 300;