Stop using Netlify for production hosting (#2472)

Signed-off-by: Daniel Gray <dngray@privacyguides.org>

config/caddy/common/00-matchers.caddy

@@ -0,0 +1,34 @@
+@static {
+	path *.ico *.css *.js *.gif *.webp *.avif *.jpg *.jpeg *.png *.svg *.woff *.woff2
+}
+
+@en path /en/*
+@es path /es/*
+@fr path /fr/*
+@he path /he/*
+@it path /it/*
+@nl path /nl/*
+@ru path /ru/*
+@zh-Hant path /zh-Hant/*
+
+@es-header {
+	header Accept-Language es*
+}
+@fr-header {
+	header Accept-Language fr*
+}
+@he-header {
+	header Accept-Language he*
+}
+@it-header {
+	header Accept-Language it*
+}
+@nl-header {
+	header Accept-Language nl*
+}
+@ru-header {
+	header Accept-Language ru*
+}
+@zh-Hant-header {
+	header Accept-Language zh-Hant*
+}

config/caddy/common/30-errors.caddy

@@ -0,0 +1,42 @@
+handle_errors {
+	@errors `{err.status_code} in [404]`
+	handle @errors {
+		handle @es {
+			try_files /i18n/{err.status_code}.es.html i18n/{err.status_code}.en.html
+			file_server
+		}
+		handle @fr {
+			try_files i18n/{err.status_code}.fr.html i18n/{err.status_code}.en.html
+			file_server
+		}
+		handle @he {
+			try_files i18n/{err.status_code}.he.html i18n/{err.status_code}.en.html
+			file_server
+		}
+		handle @it {
+			try_files i18n/{err.status_code}.it.html i18n/{err.status_code}.en.html
+			file_server
+		}
+		handle @nl {
+			try_files i18n/{err.status_code}.nl.html i18n/{err.status_code}.en.html
+			file_server
+		}
+		handle @ru {
+			try_files i18n/{err.status_code}.ru.html i18n/{err.status_code}.en.html
+			file_server
+		}
+		handle @zh-Hant {
+			try_files i18n/{err.status_code}.zh-Hant.html i18n/{err.status_code}.en.html
+			file_server
+		}
+		handle {
+			try_files i18n/{err.status_code}.en.html
+			file_server
+		}
+	}
+
+	# Handle all other webserver errors with a simple text response
+	handle {
+		respond "{err.status_code} {err.status_text}"
+	}
+}

config/caddy/common/30-headers.caddy

@@ -0,0 +1,16 @@
+header X-Frame-Options SAMEORIGIN
+header X-Content-Type-Options nosniff
+header X-XSS-Protection 0
+
+vars pg_csp_self "https://www.privacyguides.org https://cdn.privacyguides.org 'self'"
+# You can check whether a CSP directive will fall back to default-src on MDN.
+# Add CSP directives WITH a default-src fallback here:
+header +Content-Security-Policy "default-src 'none'; script-src {vars.pg_csp_self} 'unsafe-inline'; style-src {vars.pg_csp_self} 'unsafe-inline'; font-src {vars.pg_csp_self} data:; img-src data: {vars.pg_csp_self}; connect-src https://api.github.com https://*.privacyguides.net {vars.pg_csp_self}; frame-src https://*.privacyguides.net https://snowflake.torproject.org {vars.pg_csp_self}"
+# Add CSP directives WITHOUT a default-src fallback here:
+header +Content-Security-Policy "form-action 'self'; frame-ancestors 'none'; base-uri 'none'; sandbox allow-scripts allow-popups allow-same-origin;"
+
+header Permissions-Policy "browsing-topics=(), conversion-measurement=(), interest-cohort=(), accelerometer=(), ambient-light-sensor=(), battery=(), camera=(), display-capture=(), geolocation=(), gyroscope=(), magnetometer=(), microphone=(), usb=()"
+
+header Access-Control-Allow-Origin "*"
+
+header @static Cache-Control max-age=2592000

config/caddy/common/50-redirect.caddy

@@ -0,0 +1,4 @@
+redir /kb* /en/basics/why-privacy-matters/
+redir /license* https://github.com/privacyguides/privacyguides.org/tree/main/README.md#license
+redir /coc* /en/CODE_OF_CONDUCT/
+redir /team* /en/about/

config/caddy/common/55-redirect-lang.caddy

@@ -0,0 +1,30 @@
+route / {
+	header Cache-Control no-store
+
+	redir @es-header /es
+	redir @fr-header /fr
+	redir @he-header /he
+	redir @it-header /it
+	redir @nl-header /nl
+	redir @ru-header /ru
+	redir @zh-Hant-header /zh-Hant
+
+	# default case
+	handle {
+		redir * /en/
+	}
+}
+
+@kb {
+	path */kb */kb/*
+}
+route @kb {
+	redir @es /es/basics/why-privacy-matters/
+	redir @fr /fr/basics/why-privacy-matters/
+	redir @he /he/basics/why-privacy-matters/
+	redir @it /it/basics/why-privacy-matters/
+	redir @nl /nl/basics/why-privacy-matters/
+	redir @ru /ru/basics/why-privacy-matters/
+	redir @zh-Hant /zh-Hant/basics/why-privacy-matters/
+	redir * /en/basics/why-privacy-matters/
+}

config/caddy/common/55-redirect-outdated.caddy

@@ -0,0 +1,50 @@
+redir /browsers /en/desktop-browsers/
+redir /blog https://blog.privacyguides.org
+redir /basics/dns-overview /en/advanced/dns-overview/
+redir /basics/tor-overview /en/advanced/tor-overview/
+redir /real-time-communication/communication-network-types /en/advanced/communication-network-types
+redir /advanced/real-time-communication /en/advanced/communication-network-types
+redir /android/overview /en/os/android-overview/
+redir /linux-desktop/overview /en/os/linux-overview/
+redir /android/grapheneos-vs-calyxos https://blog.privacyguides.org/2022/04/21/grapheneos-or-calyxos/
+redir /ios/configuration https://blog.privacyguides.org/2022/10/22/ios-configuration-guide/
+redir /linux-desktop/hardening https://blog.privacyguides.org/2022/04/22/linux-system-hardening/
+redir /linux-desktop/sandboxing https://blog.privacyguides.org/2022/04/22/linux-application-sandboxing/
+redir /advanced/signal-configuration-hardening https://blog.privacyguides.org/2022/07/07/signal-configuration-and-hardening/
+redir /real-time-communication/signal-configuration-hardening https://blog.privacyguides.org/2022/07/07/signal-configuration-and-hardening/
+redir /advanced/integrating-metadata-removal https://blog.privacyguides.org/2022/04/09/integrating-metadata-removal/
+redir /advanced/erasing-data https://blog.privacyguides.org/2022/05/25/secure-data-erasure/
+redir /operating-systems /en/desktop/
+redir /threat-modeling /en/basics/threat-modeling/
+redir /self-contained-networks /en/tor/
+redir /privacy-policy /en/about/privacy-policy/
+redir /metadata-removal-tools /en/data-redaction/
+redir /basics /en/kb
+redir /software/file-encryption /en/encryption/
+redir /providers /en/tools/#service-providers
+redir /software/calendar-contacts /en/calendar/
+redir /calendar-contacts /en/calendar/
+redir /software/metadata-removal-tools /en/data-redaction/
+redir /contact /en/about/
+redir /welcome-to-privacy-guides https://blog.privacyguides.org/2021/09/14/welcome-to-privacy-guides/
+redir /software/email /en/email-clients/
+redir /providers/paste /en/tools/
+redir /blog/2019/10/05/understanding-vpns https://www.jonaharagon.com/posts/understanding-vpns/
+redir /terms-and-notices /en/about/notices/
+redir /software/networks /en/tor/
+redir /social-news-aggregator /en/news-aggregators/
+redir /basics/erasing-data https://blog.privacyguides.org/2022/05/25/secure-data-erasure/
+redir /linux-desktop /en/desktop/
+
+handle_path /providers/* {
+	redir * /en/{uri}
+}
+handle_path /software/* {
+	redir * /en/{uri}
+}
+handle_path /blog/* {
+	redir * https://blog.privacyguides.org/{uri}
+}
+handle_path /assets/* {
+	redir * /en/assets/{uri}
+}

config/caddy/common/80-canonical.caddy

@@ -0,0 +1,6 @@
+@canonicalPath {
+	path */
+}
+route @canonicalPath {
+	rewrite @canonicalPath {http.request.orig_uri.path}index.html
+}