diff --git a/config/common/services/nginx.nix b/config/common/services/nginx.nix index 58ab094..e844887 100644 --- a/config/common/services/nginx.nix +++ b/config/common/services/nginx.nix @@ -21,7 +21,7 @@ add_header Strict-Transport-Security $hsts_header; # Enable CSP for your services. - #add_header Content-Security-Policy "script-src 'self'; object-src 'none'; base-uri 'none';" always; + add_header Content-Security-Policy "script-src 'self'; object-src 'none'; base-uri 'none';" always; # Minimize information leaked to other domains add_header 'Referrer-Policy' 'same-origin'; diff --git a/config/hosts/capetillo/configuration.nix b/config/hosts/capetillo/configuration.nix index 355cc40..65bd6b1 100644 --- a/config/hosts/capetillo/configuration.nix +++ b/config/hosts/capetillo/configuration.nix @@ -34,7 +34,7 @@ ]; }; - users.users.deploy = { + users.users.deploy-nix = { isNormalUser = true; extraGroups = [ "wheel" ]; openssh.authorizedKeys.keys = [ @@ -42,7 +42,15 @@ ]; }; + users.users.deploy-web = { + isNormalUser = true; + openssh.authorizedKeys.keys = [ + "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAILk4m1uJzxd7pDmMZgnZxqD6lEIfVPf+I4tKPo0jJJrK deploy@drone.data.coop" + ]; + }; + users.groups.backup.members = [ "virtualMail" ]; + users.groups.nginx.members = [ "deploy-web" ]; security.sudo.wheelNeedsPassword = false; @@ -55,7 +63,6 @@ nix.trustedUsers = [ "root" - "deploy" "@wheel" ]; diff --git a/deploy/default.nix b/deploy/default.nix index 69a7d1f..d7adde4 100644 --- a/deploy/default.nix +++ b/deploy/default.nix @@ -13,7 +13,7 @@ in import "${sources.nixus}" {} ({ config, ... }: { nodes = { mail = { lib, config, ... }: { - host = "deploy@nixaalb.org"; + host = "deploy-nix@nixaalb.org"; configuration = ../config/hosts/capetillo/configuration.nix; switchTimeout = 300; successTimeout = 300;