Use SITE_ROOT

.gitignore

@@ -1 +1,2 @@
 .nvimlog
+*.priv.*

static/Caddyfile

@@ -1,57 +1,61 @@
 {
-  # fly.io handles HTTPS for us
+	# fly.io handles HTTPS for us
-  auto_https off
+	auto_https off
 }
 
-http://static-mat-services.fly.dev/ {
+http://static-mat-services.fly.dev {
-  redir https://mat.services/
+	redir https://mat.services
 }
 
 :8080 {
-  root * /var/www
+	root * {$SITE_ROOT}
-  encode gzip
+	encode gzip
-  file_server
+	file_server
 
-  handle_errors {
+	handle_errors {
-    @404 {
+		@404 {
-      expression {http.error.status_code} == 404
+			expression {http.error.status_code} == 404
-    }
+		}
-    rewrite @404 /404.html
+		rewrite @404 /404.html
-    file_server
+		file_server
-  }
+	}
 
-  header {
+	log {
-    # disable FLoC tracking
+		output stdout
-    Permissions-Policy interest-cohort=()
+	}
-    # enable HSTS
+
-    # currently ramping up max-age as per https://hstspreload.org/
+	header {
-    Strict-Transport-Security max-age=604800; includeSubDomains
+		# disable FLoC tracking
-    # disable clients from sniffing the media type
+		Permissions-Policy interest-cohort=()
-    X-Content-Type-Options nosniff
+		# enable HSTS
-    # clickjacking protection
+		# currently ramping up max-age as per https://hstspreload.org/
-    X-Frame-Options DENY
+		Strict-Transport-Security max-age=2592000; includeSubDomains
-    # keep referrer data off of HTTP connections
+		# disable clients from sniffing the media type
-    Referrer-Policy no-referrer
+		X-Content-Type-Options nosniff
-    # content security policy
+		# clickjacking protection
-    # style-src 'unsafe-inline': syntax highlighting in codefences
+		X-Frame-Options DENY
-    # sandbox allow-popups: enable target="_blank" links to open in new tabs
+		# keep referrer data off of HTTP connections
-    Content-Security-Policy "default-src 'none';
+		Referrer-Policy no-referrer
+		# content security policy
+		# style-src 'unsafe-inline': syntax highlighting in codefences
+		# sandbox allow-popups: enable target="_blank" links to open in new tabs
+		Content-Security-Policy "default-src 'none';
       img-src 'self';
-      style-src 'self' https://cdn.jsdelivr.net/ 'unsafe-inline';
+      style-src 'self' 'unsafe-inline';
-      font-src 'self' https://cdn.jsdelivr.net/;
+      font-src 'self';
+			script-src 'self';
       form-action 'none';
       frame-ancestors 'none';
       base-uri 'none';
       upgrade-insecure-requests;
       sandbox allow-same-origin allow-popups allow-popups-to-escape-sandbox"
-  }
+	}
 
-  # caching
+	# caching
-  route {
+	route {
-    header /style/* Cache-Control max-age=31536000, immutable
+		header /style/* Cache-Control max-age=31536000, immutable
-    header /image/* Cache-Control max-age=31536000, immutable
+		header /image/* Cache-Control max-age=31536000, immutable
-    header /font/*  Cache-Control max-age=31536000, immutable
+		header /font/* Cache-Control max-age=31536000, immutable
-    header          Cache-Control max-age=180
+		header Cache-Control max-age=180
-  }
+	}
 }
-

static/Dockerfile

@@ -8,6 +8,8 @@ RUN nix \
 
 FROM caddy:latest
 
+ENV SITE_ROOT /var/www
+
 COPY Caddyfile /etc/caddy/Caddyfile
-COPY --from=0 /code/result /var/www
+COPY --from=0 /code/result ${SITE_ROOT}
 RUN caddy

static/fly.toml

@@ -5,7 +5,7 @@ kill_signal = "SIGINT"
 kill_timeout = 5
 processes = []
 
-[[env]]
+[env]
 
 [experimental]
   allowed_public_ports = []