diff --git a/Caddyfile b/Caddyfile index b5c1a75..ea3017b 100644 --- a/Caddyfile +++ b/Caddyfile @@ -20,10 +20,6 @@ http://static-mat-services.fly.dev { file_server } - log { - output stdout - } - header { # disable FLoC tracking Permissions-Policy interest-cohort=() @@ -40,22 +36,28 @@ http://static-mat-services.fly.dev { # style-src 'unsafe-inline': syntax highlighting in codefences # sandbox allow-popups: enable target="_blank" links to open in new tabs Content-Security-Policy "default-src 'none'; - img-src 'self'; + img-src 'self' https://stats.mat.services; style-src 'self' 'unsafe-inline'; font-src 'self'; - script-src 'self'; + script-src 'self' https://stats.mat.services; form-action 'none'; frame-ancestors 'none'; base-uri 'none'; upgrade-insecure-requests; - sandbox allow-same-origin allow-popups allow-popups-to-escape-sandbox" + sandbox + allow-same-origin + allow-scripts + allow-popups + allow-popups-to-escape-sandbox" } # caching + @static { + path *.bmp *.jpg *.png *.svg *.gif *.pdf *.css *.js *.woff *.woff2 + } route { - header /style/* Cache-Control max-age=31536000, immutable - header /image/* Cache-Control max-age=31536000, immutable - header /font/* Cache-Control max-age=31536000, immutable header Cache-Control max-age=180 + header /sitemap.xml Cache-Control max-age=0 + header @static Cache-Control max-age=31536000, immutable } } diff --git a/flake.lock b/flake.lock index d0c5e84..4b42956 100644 --- a/flake.lock +++ b/flake.lock @@ -36,6 +36,26 @@ "type": "github" } }, + "gitignore": { + "inputs": { + "nixpkgs": [ + "nixpkgs" + ] + }, + "locked": { + "lastModified": 1660459072, + "narHash": "sha256-8DFJjXG8zqoONA1vXtgeKXy68KdJL5UaXR8NtVMUbx8=", + "owner": "hercules-ci", + "repo": "gitignore.nix", + "rev": "a20de23b925fd8264fd7fad6454652e142fd7f73", + "type": "github" + }, + "original": { + "owner": "hercules-ci", + "repo": "gitignore.nix", + "type": "github" + } + }, "nixpkgs": { "locked": { "lastModified": 1661450036, 
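Review bot: In the second Caddyfile hunk the `sandbox` directive now lists `allow-scripts` next to `allow-same-origin`, so the page runs script with its real origin and the sandbox no longer constrains script at all; only the restrictions on forms, modals and similar features remain. The comment block above the policy explains the other relaxations but not these, so I would add `# script-src/img-src https://stats.mat.services: analytics script and its beacon` and `# sandbox allow-scripts: needed for the analytics script to run`. A bare host in `script-src` trusts every script that host serves, so narrowing the entry to the one script URL would keep the allowance tight. `connect-src` still falls back to `default-src 'none'`, so if the script reports via fetch, XHR or sendBeacon rather than an image request it will presumably be blocked, which is worth confirming in the browser console. The `header` block starts outside the hunk.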
@@ -56,6 +76,7 @@ "inputs": { "apollo": "apollo", "flake-parts": "flake-parts", + "gitignore": "gitignore", "nixpkgs": "nixpkgs" } } diff --git a/flake.nix b/flake.nix index 84a9317..e8fe4ca 100644 --- a/flake.nix +++ b/flake.nix @@ -5,18 +5,21 @@ nixpkgs.url = "github:NixOS/nixpkgs/nixos-unstable"; flake-parts.url = "github:hercules-ci/flake-parts"; flake-parts.inputs.nixpkgs.follows = "nixpkgs"; + gitignore.url = "github:hercules-ci/gitignore.nix"; + gitignore.inputs.nixpkgs.follows = "nixpkgs"; # theme - inlined now, not used apollo.url = "github:not-matthias/apollo"; apollo.flake = false; }; - outputs = { self, flake-parts, ... }@inputs: + outputs = { self, flake-parts, gitignore, ... }@inputs: flake-parts.lib.mkFlake { inherit self; } { imports = [ ]; systems = inputs.nixpkgs.lib.systems.flakeExposed; perSystem = { config, self', inputs', pkgs, system, ... }: let + inherit (gitignore.lib) gitignoreSource; # TODO: move these to a flake-module inherit (pkgs.callPackage ./nix { }) container deploy fonts optimize-images themes; inherit (fonts) copyFonts linkFonts; @@ -28,8 +31,8 @@ { packages.default = with pkgs; stdenv.mkDerivation { pname = "personal-site"; - version = "2022-08-27"; - src = ./.; + version = "2022-09-06"; + src = gitignoreSource ./.; nativeBuildInputs = [ optimize-images zola ]; configurePhase = copyTheme + copyFonts; buildPhase = '' @@ -45,11 +48,11 @@ shellHook = linkTheme + linkFonts; }; packages.container = container { - caddyfile = builtins.readFile ./Caddyfile; + caddyfile = ./Caddyfile; site = config.packages.default; }; apps.deploy.program = - let deploy' = deploy { dockerImage = config.packages.container; }; + let deploy' = deploy { dockerImage = self.packages.x86_64-linux.container; }; in "${deploy'}/bin/deploy"; }; }; diff --git a/nix/deploy.nix b/nix/deploy.nix index b3bd8aa..5b2e286 100644 --- a/nix/deploy.nix +++ b/nix/deploy.nix 
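Review bot: In the last flake.nix hunk, `apps.deploy.program` now takes `self.packages.x86_64-linux.container` from inside `perSystem`, so the deploy app of every system in `systems` builds the x86_64-linux image and presumably needs a builder for that platform on other hosts. The reason is not recorded; a comment above the `let`, such as `# always deploy the x86_64-linux image, whatever the host system`, would state it. The same hunk passes `./Caddyfile` as a path instead of its contents. `container` is defined outside this diff, so whether it still expects a string cannot be checked from here.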
@@ -4,6 +4,7 @@ writeShellScriptBin "deploy" ''
 set -euxo pipefail
 export PATH="${lib.makeBinPath [(docker.override { clientOnly = true; }) flyctl]}:$PATH"
 archive=${dockerImage}
- image=$(docker load < $archive | awk '{ print $3; }')
- flyctl deploy -i $image
+ # load archive, drop all output except last line (in case of warnings), print image name
+ image=$(docker load < $archive | tail -n1 | awk '{ print $3; }')
+ flyctl deploy --image $image --local-only
 ''
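Review bot: The parsed image name is used unchecked and unquoted in the added `flyctl deploy --image $image --local-only`. If the last line of `docker load` output is not in the expected three-field form (an untagged archive appears to print an ID line instead), awk still exits 0 with an empty or wrong third field and `set -e`/`pipefail` do not fire. With an empty value, `--local-only` is presumably consumed as the image name. I would quote both expansions and fail early: `image=$(docker load < "$archive" | tail -n1 | awk '{ print $3; }')`, then `[ -n "$image" ] || { echo "docker load reported no image name" >&2; exit 1; }`, then `flyctl deploy --image "$image" --local-only`. The script body starts outside the hunk.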