Add CSP header, restructure deployment user

config/common/services/nginx.nix

@@ -21,7 +21,7 @@
 			add_header Strict-Transport-Security $hsts_header;
 
 			# Enable CSP for your services.
-			#add_header Content-Security-Policy "script-src 'self'; object-src 'none'; base-uri 'none';" always;
+			add_header Content-Security-Policy "script-src 'self'; object-src 'none'; base-uri 'none';" always;
 
 			# Minimize information leaked to other domains
 			add_header 'Referrer-Policy' 'same-origin';

config/hosts/capetillo/configuration.nix

@@ -34,7 +34,7 @@
 		];
 	};
 
-	users.users.deploy = {
+	users.users.deploy-nix = {
 		isNormalUser = true;
 	extraGroups = [ "wheel" ];
 		openssh.authorizedKeys.keys = [
@@ -42,7 +42,15 @@
 		];
 	};
 
+	users.users.deploy-web = {
+		isNormalUser = true;
+		openssh.authorizedKeys.keys = [ 
+			"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAILk4m1uJzxd7pDmMZgnZxqD6lEIfVPf+I4tKPo0jJJrK deploy@drone.data.coop"
+		];
+	};
+
 	users.groups.backup.members = [ "virtualMail" ];
+	users.groups.nginx.members = [ "deploy-web" ];
 
 	security.sudo.wheelNeedsPassword = false;
 
@@ -55,7 +63,6 @@
 
 	nix.trustedUsers = [
 		"root"
-	"deploy"
 		"@wheel"
 	];
 

deploy/default.nix

@@ -13,7 +13,7 @@ in import "${sources.nixus}" {} ({ config, ... }: {
 
 	nodes = {
 		mail = { lib, config, ... }: {
-			host = "deploy@nixaalb.org";
+			host = "deploy-nix@nixaalb.org";
 			configuration = ../config/hosts/capetillo/configuration.nix;
 			switchTimeout = 300;
 			successTimeout = 300;