Stop using Netlify for production hosting

.editorconfig

@@ -31,3 +31,8 @@ indent_size = 2
 end_of_line = lf
 insert_final_newline = true
 trim_trailing_whitespace = true
+
+[{*.caddy,*.example-caddy,Caddyfile}]
+charset = utf-8
+indent_style = tab
+tab_width = 4

.gitignore

@@ -6,6 +6,7 @@ site
 !/static/i18n/*.en.*
 /theme/overrides/*
 !/theme/overrides/*.en.*
+
 # commit social card fonts to repo
 # see: https://github.com/squidfunk/mkdocs-material/issues/6983
 # ridiculous hide-and-seek https://stackoverflow.com/a/72380673

.vscode/extensions.json

@@ -23,6 +23,7 @@
     "EditorConfig.EditorConfig",
     "DavidAnson.vscode-markdownlint",
     "wholroyd.jinja",
-    "mikestead.dotenv"
+    "mikestead.dotenv",
+    "matthewpi.caddyfile-support"
   ]
 }

.vscode/settings.json

@@ -23,5 +23,13 @@
     "[markdown]": {
       "editor.unicodeHighlight.ambiguousCharacters": true,
       "editor.unicodeHighlight.invisibleCharacters": true
+    },
+    "[caddyfile]": {
+      "editor.defaultFormatter": "matthewpi.caddyfile-support",
+      "editor.formatOnSave": true
+    },
+    "files.associations": {
+      "*.caddy": "caddyfile",
+      "*.example-caddy": "caddyfile"
     }
 }

config/caddy/Caddyfile

@@ -0,0 +1,50 @@
+(pg-umami-config) {
+	umami {
+		event_endpoint https://stats.jonaharagon.net/api/send
+		website_uuid 30b92047-7cbb-4800-9815-2e075a293e0a
+		# bit of a hack to get umami working properly, nothing to do with cloudflare
+		client_ip_header CF-Connecting-IP
+		trusted_ip_header X-Real-IP
+		cookie_consent umami
+		cookie_resolution resolution
+		debug
+	}
+}
+
+www.privacyguides.org {
+	import vars
+	import common/*.caddy
+	import production/*.caddy
+}
+
+http://www.xoe4vn5uwdztif6goazfbmogh6wh5jc4up35bqdflu6bkdc5cas5vjqd.onion {
+	import vars
+	import common/*.caddy
+	import production/minio.caddy
+}
+
+http://*.xoe4vn5uwdztif6goazfbmogh6wh5jc4up35bqdflu6bkdc5cas5vjqd.onion {
+	@hostnames header_regexp hostname Host (\S+)\.xoe4vn5uwdztif6goazfbmogh6wh5jc4up35bqdflu6bkdc5cas5vjqd\.onion
+	handle @hostnames {
+		reverse_proxy {re.hostname.1}.privacyguides.org:443 {
+			header_up Host {re.hostname.1}.privacyguides.org
+			transport http {
+				tls
+			}
+		}
+	}
+}
+
+privacyguides.org {
+	import vars
+	import production/matrix.caddy
+
+	handle {
+		import production/https.caddy
+		redir https://www.privacyguides.org{uri}
+	}
+}
+
+http://xoe4vn5uwdztif6goazfbmogh6wh5jc4up35bqdflu6bkdc5cas5vjqd.onion {
+	redir http://www.xoe4vn5uwdztif6goazfbmogh6wh5jc4up35bqdflu6bkdc5cas5vjqd.onion{uri}
+}

config/caddy/README.md

@@ -0,0 +1,13 @@
+# Caddy Webserver Config
+
+Requires a build of Caddy with [jonaharagon/caddy-umami](https://github.com/jonaharagon/caddy-umami) installed.
+
+## Variables
+
+These variables are set on the server, and can be accessed like `{vars.variable_name}`:
+
+- `minio_hostname`
+- `pg_minio_bucket`
+- `pg_matrix_webserver`
+- `pg_umami_website_uuid`
+- `umami_hostname`

config/caddy/common/00-matchers.caddy

@@ -0,0 +1,34 @@
+@static {
+	path *.ico *.css *.js *.gif *.webp *.avif *.jpg *.jpeg *.png *.svg *.woff *.woff2
+}
+
+@en path /en/*
+@es path /es/*
+@fr path /fr/*
+@he path /he/*
+@it path /it/*
+@nl path /nl/*
+@ru path /ru/*
+@zh-Hant path /zh-Hant/*
+
+@es-header {
+	header Accept-Language es*
+}
+@fr-header {
+	header Accept-Language fr*
+}
+@he-header {
+	header Accept-Language he*
+}
+@it-header {
+	header Accept-Language it*
+}
+@nl-header {
+	header Accept-Language nl*
+}
+@ru-header {
+	header Accept-Language ru*
+}
+@zh-Hant-header {
+	header Accept-Language zh-Hant*
+}

config/caddy/common/30-errors.caddy

@@ -0,0 +1,42 @@
+handle_errors {
+	@errors `{err.status_code} in [404]`
+	handle @errors {
+		handle @es {
+			try_files /i18n/{err.status_code}.es.html i18n/{err.status_code}.en.html
+			file_server
+		}
+		handle @fr {
+			try_files i18n/{err.status_code}.fr.html i18n/{err.status_code}.en.html
+			file_server
+		}
+		handle @he {
+			try_files i18n/{err.status_code}.he.html i18n/{err.status_code}.en.html
+			file_server
+		}
+		handle @it {
+			try_files i18n/{err.status_code}.it.html i18n/{err.status_code}.en.html
+			file_server
+		}
+		handle @nl {
+			try_files i18n/{err.status_code}.nl.html i18n/{err.status_code}.en.html
+			file_server
+		}
+		handle @ru {
+			try_files i18n/{err.status_code}.ru.html i18n/{err.status_code}.en.html
+			file_server
+		}
+		handle @zh-Hant {
+			try_files i18n/{err.status_code}.zh-Hant.html i18n/{err.status_code}.en.html
+			file_server
+		}
+		handle {
+			try_files i18n/{err.status_code}.en.html
+			file_server
+		}
+	}
+
+	# Handle all other webserver errors with a simple text response
+	handle {
+		respond "{err.status_code} {err.status_text}"
+	}
+}

config/caddy/common/30-headers.caddy

@@ -0,0 +1,16 @@
+header X-Frame-Options SAMEORIGIN
+header X-Content-Type-Options nosniff
+header X-XSS-Protection 0
+
+vars pg_csp_self "https://www.privacyguides.org https://cdn.privacyguides.org 'self'"
+# You can check whether a CSP directive will fall back to default-src on MDN.
+# Add CSP directives WITH a default-src fallback here:
+header +Content-Security-Policy "default-src 'none'; script-src {vars.pg_csp_self} 'unsafe-inline'; style-src {vars.pg_csp_self} 'unsafe-inline'; font-src {vars.pg_csp_self} data:; img-src data: {vars.pg_csp_self}; connect-src https://api.github.com https://*.privacyguides.net {vars.pg_csp_self}; frame-src https://*.privacyguides.net https://snowflake.torproject.org {vars.pg_csp_self}"
+# Add CSP directives WITHOUT a default-src fallback here:
+header +Content-Security-Policy "form-action 'self'; frame-ancestors 'none'; base-uri 'none'; sandbox allow-scripts allow-popups allow-same-origin;"
+
+header Permissions-Policy "browsing-topics=(), conversion-measurement=(), interest-cohort=(), accelerometer=(), ambient-light-sensor=(), battery=(), camera=(), display-capture=(), geolocation=(), gyroscope=(), magnetometer=(), microphone=(), usb=()"
+
+header Access-Control-Allow-Origin "*"
+
+header @static Cache-Control max-age=2592000

config/caddy/common/50-redirect.caddy

@@ -0,0 +1,4 @@
+redir /kb* /en/basics/why-privacy-matters/
+redir /license* https://github.com/privacyguides/privacyguides.org/tree/main/README.md#license
+redir /coc* /en/CODE_OF_CONDUCT/
+redir /team* /en/about/

config/caddy/common/55-redirect-lang.caddy

@@ -0,0 +1,30 @@
+route / {
+	header Cache-Control no-store
+
+	redir @es-header /es
+	redir @fr-header /fr
+	redir @he-header /he
+	redir @it-header /it
+	redir @nl-header /nl
+	redir @ru-header /ru
+	redir @zh-Hant-header /zh-Hant
+
+	# default case
+	handle {
+		redir * /en/
+	}
+}
+
+@kb {
+	path */kb */kb/*
+}
+route @kb {
+	redir @es /es/basics/why-privacy-matters/
+	redir @fr /fr/basics/why-privacy-matters/
+	redir @he /he/basics/why-privacy-matters/
+	redir @it /it/basics/why-privacy-matters/
+	redir @nl /nl/basics/why-privacy-matters/
+	redir @ru /ru/basics/why-privacy-matters/
+	redir @zh-Hant /zh-Hant/basics/why-privacy-matters/
+	redir * /en/basics/why-privacy-matters/
+}

config/caddy/common/55-redirect-outdated.caddy

@@ -0,0 +1,50 @@
+redir /browsers /en/desktop-browsers/
+redir /blog https://blog.privacyguides.org
+redir /basics/dns-overview /en/advanced/dns-overview/
+redir /basics/tor-overview /en/advanced/tor-overview/
+redir /real-time-communication/communication-network-types /en/advanced/communication-network-types
+redir /advanced/real-time-communication /en/advanced/communication-network-types
+redir /android/overview /en/os/android-overview/
+redir /linux-desktop/overview /en/os/linux-overview/
+redir /android/grapheneos-vs-calyxos https://blog.privacyguides.org/2022/04/21/grapheneos-or-calyxos/
+redir /ios/configuration https://blog.privacyguides.org/2022/10/22/ios-configuration-guide/
+redir /linux-desktop/hardening https://blog.privacyguides.org/2022/04/22/linux-system-hardening/
+redir /linux-desktop/sandboxing https://blog.privacyguides.org/2022/04/22/linux-application-sandboxing/
+redir /advanced/signal-configuration-hardening https://blog.privacyguides.org/2022/07/07/signal-configuration-and-hardening/
+redir /real-time-communication/signal-configuration-hardening https://blog.privacyguides.org/2022/07/07/signal-configuration-and-hardening/
+redir /advanced/integrating-metadata-removal https://blog.privacyguides.org/2022/04/09/integrating-metadata-removal/
+redir /advanced/erasing-data https://blog.privacyguides.org/2022/05/25/secure-data-erasure/
+redir /operating-systems /en/desktop/
+redir /threat-modeling /en/basics/threat-modeling/
+redir /self-contained-networks /en/tor/
+redir /privacy-policy /en/about/privacy-policy/
+redir /metadata-removal-tools /en/data-redaction/
+redir /basics /en/kb
+redir /software/file-encryption /en/encryption/
+redir /providers /en/tools/#service-providers
+redir /software/calendar-contacts /en/calendar/
+redir /calendar-contacts /en/calendar/
+redir /software/metadata-removal-tools /en/data-redaction/
+redir /contact /en/about/
+redir /welcome-to-privacy-guides https://blog.privacyguides.org/2021/09/14/welcome-to-privacy-guides/
+redir /software/email /en/email-clients/
+redir /providers/paste /en/tools/
+redir /blog/2019/10/05/understanding-vpns https://www.jonaharagon.com/posts/understanding-vpns/
+redir /terms-and-notices /en/about/notices/
+redir /software/networks /en/tor/
+redir /social-news-aggregator /en/news-aggregators/
+redir /basics/erasing-data https://blog.privacyguides.org/2022/05/25/secure-data-erasure/
+redir /linux-desktop /en/desktop/
+
+handle_path /providers/* {
+	redir * /en/{uri}
+}
+handle_path /software/* {
+	redir * /en/{uri}
+}
+handle_path /blog/* {
+	redir * https://blog.privacyguides.org/{uri}
+}
+handle_path /assets/* {
+	redir * /en/assets/{uri}
+}

config/caddy/common/80-canonical.caddy

@@ -0,0 +1,6 @@
+@canonicalPath {
+	path */
+}
+route @canonicalPath {
+	rewrite @canonicalPath {http.request.orig_uri.path}index.html
+}

config/caddy/production/https.caddy

@@ -0,0 +1,2 @@
+header ?Strict-Transport-Security "max-age=63072000; includeSubDomains; preload"
+header +Content-Security-Policy upgrade-insecure-requests;

config/caddy/production/matrix.caddy

@@ -0,0 +1,13 @@
+@matrix {
+	path /.well-known/matrix/*
+}
+
+handle @matrix {
+	reverse_proxy 10.163.5.51:81 {
+		header_up Host matrix.privacyguides.org
+		header_up X-Forwarded-Port {http.request.port}
+		header_up X-Forwarded-TlsProto {tls_protocol}
+		header_up X-Forwarded-TlsCipher {tls_cipher}
+		header_up X-Forwarded-HttpsProto {proto}
+	}
+}

config/caddy/production/minio.caddy

@@ -0,0 +1,31 @@
+cache
+encode zstd gzip
+reverse_proxy http://10.163.3.10:9000 {
+	header_up Host privacyguides-org-production.stor1-minio.jonaharagon.net
+	header_down -Server
+	header_down -Vary
+	header_down -X-*
+
+	@200ok status 2xx 304
+	handle_response @200ok {
+		import pg-umami-config
+		copy_response
+		copy_response_headers
+	}
+
+	@error404 status 404
+	handle_response @error404 {
+		@addSlash {
+			expression !{path}.endsWith("/")
+		}
+		redir @addSlash {http.request.orig_uri.path}/
+	}
+
+	@error400 status 400
+	handle_response @error400 {
+		@real404 {
+			path *//index.html
+		}
+		respond @real404 404
+	}
+}

config/mkdocs-common.yml

@@ -84,10 +84,23 @@ extra:
       link: /ru/
       lang: ru
       icon: https://raw.githubusercontent.com/twitter/twemoji/master/assets/svg/1f1f7-1f1fa.svg
+  consent:
+    title: !ENV [ANALYTICS_CONSENT_TITLE, "Contribute anonymous statistics"]
+    description: !ENV [ANALYTICS_CONSENT_BODY, "We use cookies to collect anonymous usage statistics. You can opt out if you wish."]
+    cookies:
+      umami:
+        name: Self-Hosted Analytics
+        checked: true
+      github:
+        name: GitHub
+        checked: false
+    actions:
+      - reject
+      - accept
+      - manage
 
 repo_url: https://github.com/privacyguides/privacyguides.org
 repo_name: ""
-edit_uri: edit/main/docs/
 
 theme:
   name: material
@@ -135,6 +148,7 @@ extra_css:
 extra_javascript:
   - assets/javascripts/mathjax.js
   - assets/javascripts/randomize-element.js
+  - assets/javascripts/resolution.js
 
 watch:
   - ../theme
@@ -270,6 +284,7 @@ nav:
     - 'about/criteria.md'
     - 'about/notices.md'
     - 'about/privacy-policy.md'
+    - 'about/statistics.md'
     - !ENV [NAV_COMMUNITY, 'Community']:
       - 'about/donate.md'
       - !ENV [NAV_ONLINE_SERVICES, 'Online Services']: 'about/services.md'