fix: admin CSP allow inline scripts

script-src 'self' 'unsafe-inline' added to admin Content-Security-Policy.
default-src 'self' was blocking OverType editor init block and
the dev live-reload poller. Admin section is auth-gated so
unsafe-inline is acceptable.

TODO.md

@@ -11,6 +11,10 @@ Pending tasks have been split into topic files under [`todo/`](todo/README.md):
 
 ## Recently completed (this session)
 
+- [x] `scripts/deploy-server.sh` — add step 4: `systemctl reload nginx` runs automatically; remove manual reload instruction from justfile
+
+- [x] `nginx/posterg.conf` — add `script-src 'self' 'unsafe-inline'` to admin CSP; `default-src 'self'` was blocking OverType init script and live-reload poller
+
 - [x] `RateLimit.php` — silence `mkdir()` with `@`; guard `file_put_contents` with `is_writable()` check so permission errors degrade gracefully (allow request, skip write) instead of spamming nginx error log
 - [x] `scripts/deploy-server.sh` + `scripts/setup-server.sh` — add `mkdir -p storage/cache/rate_limit` + `chown`/`chmod 2775` so php-fpm has write access on fresh deploys
 

justfile

@@ -70,7 +70,6 @@ deploy-nginx:
     @echo "Files uploaded. SSH into the server and run:"
     @echo ""
     @echo "  sudo bash /tmp/deploy-server.sh"
-    @echo "  sudo systemctl reload nginx"
     @echo ""
 
 [group('deploy')]

nginx/posterg.conf

@@ -123,8 +123,10 @@ server {
         # Rate limiting for admin
         limit_req zone=admin burst=20 nodelay;
 
-        # Content-Security-Policy - Tighter policy for admin
+        # Content-Security-Policy - Admin policy
-        add_header Content-Security-Policy "default-src 'self'; style-src 'self' 'unsafe-inline'; img-src 'self' data:; object-src 'none'; frame-ancestors 'none';" always;
+        # script-src needs 'unsafe-inline' for the OverType editor init block
+        # and the live-reload poller (dev only). Admin is already auth-gated.
+        add_header Content-Security-Policy "default-src 'self'; script-src 'self' 'unsafe-inline'; style-src 'self' 'unsafe-inline'; img-src 'self' data:; object-src 'none'; frame-ancestors 'none';" always;
 
         # Disable directory listing
         autoindex off;

scripts/deploy-server.sh

@@ -84,15 +84,21 @@ else
     exit 1
 fi
 
+# ── Step 4: Reload nginx ─────────────────────────────────────────────────────
+printf "\n"
+echo "📋 Step 4: Reloading nginx..."
+echo "------------------------------"
+
+systemctl reload nginx
+ok "Nginx reloaded"
+
 # ── Done ──────────────────────────────────────────────────────────────────────
 printf "\n"
 ok "Permissions fixed"
 ok "Nginx config installed"
 ok "Configuration validated"
-printf "\n"
+ok "Nginx reloaded"
-warn "Nginx has not been reloaded yet."
+printf "\nVerify:\n"
-printf "Run: sudo systemctl reload nginx\n\n"
+printf "  https://posterg.erg.be/\n"
-printf "After reload, verify:\n"
+printf "  https://posterg.erg.be/admin/\n"
-printf "  • https://posterg.erg.be/\n"
+printf "  https://posterg.erg.be/storage/posterg.db (should 403/404)\n"
-printf "  • https://posterg.erg.be/admin/\n"
-printf "  • https://posterg.erg.be/storage/posterg.db (should 403/404)\n"