From 656df35578018abfa76c6aecd9eec75152887dc5 Mon Sep 17 00:00:00 2001 From: mat ess Date: Thu, 20 Oct 2022 21:57:27 -0400 Subject: [PATCH] Mess with headers again --- .drone.jsonnet | 1 + flake.nix | 7 ++++--- headers/production | 15 --------------- 3 files changed, 5 insertions(+), 18 deletions(-) delete mode 100644 headers/production diff --git a/.drone.jsonnet b/.drone.jsonnet index 8b0e911..c9369f6 100644 --- a/.drone.jsonnet +++ b/.drone.jsonnet @@ -27,6 +27,7 @@ local NetlifyStep(env) = settings: { token: { from_secret: 'netlify_token' }, site: { from_secret: 'netlify_site_id' }, + alias: env, path: '/site', prod: prod, }, diff --git a/flake.nix b/flake.nix index 7bdf32d..a8f9a2c 100644 --- a/flake.nix +++ b/flake.nix @@ -21,14 +21,15 @@ buildSite = { prod }: let inherit (pkgs.lib) optionalString; + ifStaging = optionalString (!prod); rev = if (self ? rev) then self.rev else "dirty"; in '' optimize-images - ${optionalString (!prod) "BASE_URL=https://${rev}--mat-services.netlify.app"} - zola build --drafts ${optionalString (!prod) "--base-url $BASE_URL"} + ${ifStaging "BASE_URL=https://${rev}--mat-services.netlify.app"} + zola build --drafts ${ifStaging "--base-url $BASE_URL"} # zola's ignored_content setting doesn't work in static/ - cp headers/${if prod then "production" else "staging"} public/_headers + ${ifStaging "cp headers/staging public/_headers"} rm -rf public/image/_favicon.svg ''; in diff --git a/headers/production b/headers/production deleted file mode 100644 index a93b093..0000000 --- a/headers/production +++ /dev/null 
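Review bot: `alias: env` is passed on every call of NetlifyStep, including the one where `prod` is true, and nothing visible here shows whether the deploy plugin ignores an alias on a production deploy. The flake.nix hunk in this same patch still builds the staging `BASE_URL` from `rev` (`https://${rev}--mat-services.netlify.app`), so if the alias decides the deploy hostname, generated links would presumably point at a different host than the one deployed to. I would make the two agree, or add a comment such as `// alias must match the host used for BASE_URL in flake.nix`. NetlifyStep starts and ends outside the hunk.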
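Review bot: Production builds no longer write `public/_headers` at all, because the last changed line copies a headers file only under `ifStaging` and this same patch deletes `headers/production`. That file carried HSTS, `X-Content-Type-Options: nosniff`, `X-Frame-Options: DENY`, `Referrer-Policy` and the Content-Security-Policy, so unless they are now set somewhere this patch does not show, the production site would be served without them. If they did move, a comment on that line would record it, e.g. `# production headers are set in <WHERE>; only staging overrides them here`; if not, the production copy should stay. The retained comment about `ignored_content` now sits above a conditional copy and no longer explains it, and the enclosing `let … in` continues outside the hunk.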
@@ -1,15 +0,0 @@
-/*
- # disable FLoC tracking
- Permissions-Policy: interest-cohort=()
- # enable HSTS
- Strict-Transport-Security: max-age=63072000; includeSubDomains; preload
- # disable clients from sniffing the media type
- X-Content-Type-Options: nosniff
- # clickjacking protection
- X-Frame-Options: DENY
- # keep referrer data off of HTTP connections
- Referrer-Policy: no-referrer
- # content security policy
- # style-src 'unsafe-inline': syntax highlighting in codefences
- # sandbox allow-popups: enable target="_blank" links to open in new tabs
- Content-Security-Policy: default-src 'none'; img-src 'self' https://mat.services https://stats.mat.services; style-src 'self' https://mat.services 'unsafe-inline'; font-src 'self' https://mat.services; script-src 'self' https://mat.services https://stats.mat.services; form-action 'none'; frame-ancestors 'none'; base-uri 'none'; upgrade-insecure-requests; sandbox allow-same-origin allow-scripts allow-popups allow-popups-to-escape-sandbox