fix: nginx headers at server block level; add Webuzo detection to deploy

deploy.sh:
- add step 3: nginx config apply with Webuzo/standard detection
- configurable via NGINX_CONF_SRC and NGINX_DOMAIN variables

setup-project.sh:
- move add_header to server block level (inside location / they are
  overridden by Webuzo's regex location and never sent)
- detect Webuzo nginx binary (/usr/local/apps/nginx/sbin/nginx)
  instead of hardcoded systemctl reload nginx

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

scripts/deploy.sh

@@ -19,6 +19,8 @@ INSTALL_DIR="/opt/<project-name>"
 SERVICE_USER="<project-user>"
 SERVICE_NAME="<project-name>"
 HEALTH_URL="http://localhost:3000/api/health"
+NGINX_CONF_SRC="${INSTALL_DIR}/config/nginx/<project-name>.conf"  # set to "" to skip
+NGINX_DOMAIN="<your-domain>"
 # -----------------------------------------
 
 SOURCE_DIR="${1:-.}"
@@ -42,10 +44,26 @@ rsync -a --delete \
     "${SOURCE_DIR}/" "${INSTALL_DIR}/"
 chown -R "${SERVICE_USER}:${SERVICE_USER}" "${INSTALL_DIR}"
 
-echo "[2/3] Installing dependencies..."
+echo "[2/4] Installing dependencies..."
 sudo -u "${SERVICE_USER}" HOME="${INSTALL_DIR}" bash -c "cd ${INSTALL_DIR} && npm ci --omit=dev"
 
-echo "[3/3] Restarting service..."
+echo "[3/4] Updating nginx config..."
+if [[ -n "${NGINX_CONF_SRC:-}" && -f "${NGINX_CONF_SRC}" ]]; then
+    WEBUZO_DIR="/var/webuzo-data/nginx/custom/domains"
+    NGINX_BIN="/usr/local/apps/nginx/sbin/nginx"
+    if [[ -d "${WEBUZO_DIR}" ]]; then
+        cat "${NGINX_CONF_SRC}" > "${WEBUZO_DIR}/${NGINX_DOMAIN}.conf"
+    else
+        cp "${NGINX_CONF_SRC}" "/etc/nginx/conf.d/${SERVICE_NAME}.conf"
+        NGINX_BIN="nginx"
+    fi
+    "${NGINX_BIN}" -t && "${NGINX_BIN}" -s reload
+    echo "nginx reloaded"
+else
+    echo "nginx: no config source set — skipping"
+fi
+
+echo "[4/4] Restarting service..."
 systemctl daemon-reload
 systemctl restart "${SERVICE_NAME}"
 sleep 2
@@ -53,7 +71,7 @@ sleep 2
 if systemctl is-active --quiet "${SERVICE_NAME}"; then
     echo "Service running"
 else
-    echo "Error: service failed to start"; exit 1
+    echo "Error: service failed to start — check: journalctl -u ${SERVICE_NAME} -n 50"; exit 1
 fi
 
 curl -sf "${HEALTH_URL}" || { echo "FAIL: health check"; exit 1; }

scripts/setup-project.sh

@@ -198,16 +198,21 @@ else
 fi
 
 cat > "${NGINX_CONF}" << 'NGINX'
+# Security headers — at server block level so they are inherited by all
+# location blocks (including Webuzo's own regex location).
+# Do NOT move into location blocks: on Webuzo the regex location
+# location ~ (\.php|shtml|/)$ takes priority and blocks inheritance.
+add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" always;
+add_header X-Content-Type-Options "nosniff" always;
+add_header X-Frame-Options "DENY" always;
+add_header Referrer-Policy "no-referrer" always;
+add_header Permissions-Policy "camera=(), microphone=(), geolocation=()" always;
+
 # Static files
 location / {
     root __INSTALL_DIR__/public;
     index index.html;
     try_files $uri $uri/ /index.html;
-
-    add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" always;
-    add_header X-Content-Type-Options "nosniff" always;
-    add_header X-Frame-Options "DENY" always;
-    add_header Referrer-Policy "no-referrer" always;
 }
 
 # API proxy
@@ -243,8 +248,12 @@ NGINX
 sed -i "s|__INSTALL_DIR__|${INSTALL_DIR}|g" "${NGINX_CONF}"
 sed -i "s|__PORT__|${PORT}|g" "${NGINX_CONF}"
 
-if nginx -t 2>/dev/null; then
+NGINX_BIN="/usr/local/apps/nginx/sbin/nginx"
-    systemctl reload nginx
+if [[ ! -x "${NGINX_BIN}" ]]; then
+    NGINX_BIN="nginx"
+fi
+if "${NGINX_BIN}" -t 2>/dev/null; then
+    "${NGINX_BIN}" -s reload
     echo "  ${NGINX_CONF} — nginx reloaded"
 else
     echo "  Warning: nginx config test failed. Check ${NGINX_CONF} manually."