From 87b41e0627877f6aebdd0eb0a9754d0a984d75d0 Mon Sep 17 00:00:00 2001 From: Emelie Graven Date: Tue, 23 Nov 2021 11:40:34 +0100 Subject: [PATCH] Add CSP header, restructure deployment user --- config/common/services/nginx.nix | 2 +- config/hosts/capetillo/configuration.nix | 11 +++++++++-- deploy/default.nix | 2 +- 3 files changed, 11 insertions(+), 4 deletions(-) diff --git a/config/common/services/nginx.nix b/config/common/services/nginx.nix index 58ab094..e844887 100644 --- a/config/common/services/nginx.nix +++ b/config/common/services/nginx.nix @@ -21,7 +21,7 @@ add_header Strict-Transport-Security $hsts_header; # Enable CSP for your services. - #add_header Content-Security-Policy "script-src 'self'; object-src 'none'; base-uri 'none';" always; + add_header Content-Security-Policy "script-src 'self'; object-src 'none'; base-uri 'none';" always; # Minimize information leaked to other domains add_header 'Referrer-Policy' 'same-origin'; diff --git a/config/hosts/capetillo/configuration.nix b/config/hosts/capetillo/configuration.nix index 355cc40..65bd6b1 100644 --- a/config/hosts/capetillo/configuration.nix +++ b/config/hosts/capetillo/configuration.nix @@ -34,7 +34,7 @@ ]; }; - users.users.deploy = { + users.users.deploy-nix = { isNormalUser = true; extraGroups = [ "wheel" ]; openssh.authorizedKeys.keys = [ @@ -42,7 +42,15 @@ ]; }; + users.users.deploy-web = { + isNormalUser = true; + openssh.authorizedKeys.keys = [ + "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAILk4m1uJzxd7pDmMZgnZxqD6lEIfVPf+I4tKPo0jJJrK deploy@drone.data.coop" + ]; + }; + users.groups.backup.members = [ "virtualMail" ]; + users.groups.nginx.members = [ "deploy-web" ]; security.sudo.wheelNeedsPassword = false; @@ -55,7 +63,6 @@ nix.trustedUsers = [ "root" - "deploy" "@wheel" ]; diff --git a/deploy/default.nix b/deploy/default.nix index 69a7d1f..d7adde4 100644 --- a/deploy/default.nix +++ b/deploy/default.nix 
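Review bot: The policy switched on in the nginx.nix hunk names only script-src, object-src and base-uri, so with no `default-src` fallback every other fetch directive (style, img, connect, font, frame) stays unrestricted, and there is no `frame-ancestors`, so framing protection rests entirely on whatever X-Frame-Options the rest of this file may set. Since the file lives under config/common the header presumably reaches every vhost on every host, so after checking that the served sites use no inline scripts or third-party assets (script-src 'self' alone already blocks inline `<script>` blocks) consider `add_header Content-Security-Policy "default-src 'self'; script-src 'self'; object-src 'none'; base-uri 'none'; frame-ancestors 'none';" always;`. Be aware that nginx does not inherit add_header into a server or location block that declares an add_header of its own, so any vhost adding its own headers silently loses this CSP unless it repeats the line; the enclosing nginx config block these add_header lines belong to starts outside the hunk.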
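Review bot: In the configuration.nix hunk at @@ -42,7 +42,15 @@ the new deploy-web account accepts a key whose comment reads `deploy@drone.data.coop`, i.e. a CI runner, as an unrestricted normal user with a login shell, so a compromised CI job gets an interactive SSH session on the mail host rather than just the ability to push files; prefixing the key with the `restrict` option, and a `command=` forced command naming the deploy script if the deploy is a plain rsync/scp, would confine it, e.g. `"restrict ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAILk4m1uJzxd7pDmMZgnZxqD6lEIfVPf+I4tKPo0jJJrK deploy@drone.data.coop"`. Adding the user to the nginx group via `users.groups.nginx.members = [ "deploy-web" ];` only enables a deploy if the web root is group-writable by nginx, which the hunk does not show, and if it is, that same membership also grants read access to everything else the nginx group can reach, so a dedicated deploy group or a web root owned by deploy-web would be the narrower choice. Keeping deploy-web out of wheel (and therefore out of the `@wheel` entry in nix.trustedUsers that the later hunk leaves in place) is the right call given `security.sudo.wheelNeedsPassword = false`.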
@@ -13,7 +13,7 @@ in
 import "${sources.nixus}" {} ({ config, ... }: {
 nodes = {
 mail = { lib, config, ... }: {
- host = "deploy@nixaalb.org";
+ host = "deploy-nix@nixaalb.org";
 configuration = ../config/hosts/capetillo/configuration.nix;
 switchTimeout = 300;
 successTimeout = 300;