diff --git a/.gitignore b/.gitignore
index 81297bd..a23f68e 100644
--- a/.gitignore
+++ b/.gitignore
@@ -1 +1,2 @@
 .nvimlog
+*.priv.*
\ No newline at end of file
diff --git a/static/Caddyfile b/static/Caddyfile
index 228b3d9..b5c1a75 100644
--- a/static/Caddyfile
+++ b/static/Caddyfile
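Review bot: The added pattern `*.priv.*` only matches names that carry a further suffix after `priv`, so a file named `server.priv` or `id.priv` would still be picked up by `git add`; if the goal is to keep every private-key-style file out of the repository, a pattern such as `*.priv*` or an explicit list of the expected filenames is safer. An ignore rule also has no effect on files that are already tracked, so it is worth checking with `git ls-files` that nothing matching the pattern was committed before this change.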
@@ -1,57 +1,61 @@ { - # fly.io handles HTTPS for us - auto_https off + # fly.io handles HTTPS for us + auto_https off } -http://static-mat-services.fly.dev/ { - redir https://mat.services/ +http://static-mat-services.fly.dev { + redir https://mat.services } :8080 { - root * /var/www - encode gzip - file_server + root * {$SITE_ROOT} + encode gzip + file_server - handle_errors { - @404 { - expression {http.error.status_code} == 404 - } - rewrite @404 /404.html - file_server - } + handle_errors { + @404 { + expression {http.error.status_code} == 404 + } + rewrite @404 /404.html + file_server + } - header { - # disable FLoC tracking - Permissions-Policy interest-cohort=() - # enable HSTS - # currently ramping up max-age as per https://hstspreload.org/ - Strict-Transport-Security max-age=604800; includeSubDomains - # disable clients from sniffing the media type - X-Content-Type-Options nosniff - # clickjacking protection - X-Frame-Options DENY - # keep referrer data off of HTTP connections - Referrer-Policy no-referrer - # content security policy - # style-src 'unsafe-inline': syntax highlighting in codefences - # sandbox allow-popups: enable target="_blank" links to open in new tabs - Content-Security-Policy "default-src 'none'; + log { + output stdout + } + + header { + # disable FLoC tracking + Permissions-Policy interest-cohort=() + # enable HSTS + # currently ramping up max-age as per https://hstspreload.org/ + Strict-Transport-Security max-age=2592000; includeSubDomains + # disable clients from sniffing the media type + X-Content-Type-Options nosniff + # clickjacking protection + X-Frame-Options DENY + # keep referrer data off of HTTP connections + Referrer-Policy no-referrer + # content security policy + # style-src 'unsafe-inline': syntax highlighting in codefences + # sandbox allow-popups: enable target="_blank" links to open in new tabs + Content-Security-Policy "default-src 'none'; img-src 'self'; - style-src 'self' https://cdn.jsdelivr.net/ 'unsafe-inline'; 
- font-src 'self' https://cdn.jsdelivr.net/; + style-src 'self' 'unsafe-inline'; + font-src 'self'; + script-src 'self'; form-action 'none'; frame-ancestors 'none'; base-uri 'none'; upgrade-insecure-requests; sandbox allow-same-origin allow-popups allow-popups-to-escape-sandbox" - } + } - # caching - route { - header /style/* Cache-Control max-age=31536000, immutable - header /image/* Cache-Control max-age=31536000, immutable - header /font/* Cache-Control max-age=31536000, immutable - header Cache-Control max-age=180 - } + # caching + route { + header /style/* Cache-Control max-age=31536000, immutable + header /image/* Cache-Control max-age=31536000, immutable + header /font/* Cache-Control max-age=31536000, immutable + header Cache-Control max-age=180 + } } - diff --git a/static/Dockerfile b/static/Dockerfile index b14a44a..751efd1 100644 --- a/static/Dockerfile +++ b/static/Dockerfile @@ -8,6 +8,8 @@ RUN nix \ FROM caddy:latest +ENV SITE_ROOT /var/www + COPY Caddyfile /etc/caddy/Caddyfile -COPY --from=0 /code/result /var/www +COPY --from=0 /code/result ${SITE_ROOT} RUN caddy \ No newline at end of file diff --git a/static/fly.toml b/static/fly.toml index 6016db0..31dbfda 100644 --- a/static/fly.toml +++ b/static/fly.toml @@ -5,7 +5,7 @@ kill_signal = "SIGINT" kill_timeout = 5 processes = [] -[[env]] +[env] [experimental] allowed_public_ports = []
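Review bot: `root * {$SITE_ROOT}` in the `:8080` block has no fallback when the environment variable is absent, so a container started outside the Dockerfile that sets it would presumably fail to adapt the config or serve from an unintended directory; giving the placeholder a default, `root * {$SITE_ROOT:/var/www}`, keeps the previous path as the fallback. The new `script-src 'self'` directive is the only CSP source that gains a permission in this change, yet unlike `style-src` and `sandbox` it has no line in the comment block above the header; a one-line note such as `# script-src 'self': <what on the site loads scripts>` would keep the policy self-documenting. The HSTS bump to `max-age=2592000` is consistent with the ramp-up comment that precedes it.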
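Review bot: `ENV SITE_ROOT /var/www` uses the legacy whitespace-separated form; the `ENV SITE_ROOT=/var/www` form is the one Docker documents as preferred and avoids ambiguity should the value ever contain spaces. Since `/etc/caddy/Caddyfile` now reads this variable at runtime, a comment such as `# also read by Caddyfile as {$SITE_ROOT}; unsetting it breaks file_server` above the ENV line would warn the next maintainer that the name is part of the runtime contract, not just a build-time convenience for the COPY below.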