Deploy website to IPFS (#2502)

Signed-off-by: Daniel Gray <dngray@privacyguides.org>

.github/workflows/build-offline.yml

@@ -1,93 +0,0 @@
-name: Build Offline Website
-
-on:
-  workflow_call:
-
-permissions:
-  contents: read
-
-jobs:
-  build:
-    runs-on: ubuntu-latest
-    permissions:
-      contents: read
-
-    steps:
-      - name: Checkout repository
-        uses: actions/checkout@v4
-        with:
-          persist-credentials: "false"
-
-      - uses: actions/download-artifact@v4
-        with:
-          pattern: repo-*
-          path: modules
-
-      - run: |
-          rmdir modules/mkdocs-material
-          mv modules/repo-mkdocs-material-insiders modules/mkdocs-material
-          rmdir theme/assets/brand
-          mv modules/repo-brand theme/assets/brand
-
-      - name: Python setup
-        uses: actions/setup-python@v5
-        with:
-          cache: "pipenv"
-
-      - uses: actions/cache/restore@v4.0.2
-        with:
-          key: site-cache-${{ github.repository }}-en-${{ github.ref }}-${{ hashfiles('.cache/**') }}
-          path: .cache
-          restore-keys: |
-            site-cache-${{ github.repository }}-en-${{ github.ref }}-
-            site-cache-${{ github.repository }}-en-
-
-      - name: Install Python dependencies
-        run: |
-          pip install pipenv
-          pipenv install
-          sudo apt install pngquant
-
-      - name: Build website
-        env:
-          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
-          CARDS: false
-        run: |
-          pipenv run mkdocs build --config-file config/mkdocs-offline.yml
-          pipenv run mkdocs --version
-
-      - name: Package website
-        run: |
-          tar -czvf offline.tar.gz site
-          zip -r -q offline.zip site
-
-      - uses: actions/cache/save@v4.0.2
-        with:
-          key: site-cache-${{ github.repository }}-en-${{ github.ref }}-${{ hashfiles('.cache/**') }}
-          path: .cache
-
-      - name: Upload tar.gz file
-        uses: actions/upload-artifact@v4
-        with:
-          name: offline.tar.gz
-          path: offline.tar.gz
-
-      - name: Upload zip file
-        uses: actions/upload-artifact@v4
-        with:
-          name: offline.zip
-          path: offline.zip
-
-      - name: Create ZIM File
-        uses: addnab/docker-run-action@v3
-        with:
-          image: ghcr.io/openzim/zim-tools:3.1.3
-          options: -v ${{ github.workspace }}:/data
-          run: |
-            zimwriterfs -w index.html -I assets/brand/logos/png/square/pg-yellow.png -l eng -t "Privacy Guides" -d "Your central privacy and security resource to protect yourself online." -c "Privacy Guides" -p "Jonah Aragon" -n "Privacy Guides" -e "https://github.com/privacyguides/privacyguides.org" /data/site /data/offline-privacy_guides.zim
-
-      - name: Upload ZIM file
-        uses: actions/upload-artifact@v4
-        with:
-          name: offline-privacy_guides.zim
-          path: offline-privacy_guides.zim

.github/workflows/build.yml

@@ -3,9 +3,9 @@ name: Build Website
 on:
   workflow_call:
     inputs:
-      base_config:
+      config:
         type: string
-        default: mkdocs-production.yml
+        default: build
       ref:
         required: true
         type: string
@@ -33,6 +33,20 @@ jobs:
       contents: read
 
     steps:
+      - run: |
+          echo "GH_TOKEN=${{ secrets.GITHUB_TOKEN }}" >> $GITHUB_ENV
+
+      - if: inputs.config == 'build'
+        run: |
+          echo "MKDOCS_INHERIT=mkdocs-production.yml" >> $GITHUB_ENV
+          echo "PRODUCTION=true" >> $GITHUB_ENV
+          echo "CONTEXT=${{ inputs.context }}" >> $GITHUB_ENV
+
+      - if: inputs.config == 'offline'
+        run: |
+          echo "MKDOCS_INHERIT=mkdocs-offline.yml" >> $GITHUB_ENV
+          echo "CARDS=false" >> $GITHUB_ENV
+
       - uses: actions/checkout@v4
         with:
           repository: ${{ inputs.repo }}
@@ -90,15 +104,10 @@ jobs:
           export-variables: true
           keys-case: bypass
 
-      - env:
-          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
-          CONTEXT: ${{ inputs.context }}
-          MKDOCS_INHERIT: ${{ inputs.base_config }}
-          PRODUCTION: true
-        run: |
+      - run: |
           pipenv run mkdocs build --config-file config/mkdocs.${{ inputs.lang }}.yml
           pipenv run mkdocs --version
-          tar -czvf site-build-${{ inputs.lang }}.tar.gz site
+          tar -czvf site-${{ inputs.config }}-${{ inputs.lang }}.tar.gz site
 
       - uses: actions/cache/save@v4.0.2
         with:
@@ -114,5 +123,49 @@ jobs:
 
       - uses: actions/upload-artifact@v4
         with:
-          name: site-build-${{ inputs.lang }}.tar.gz
-          path: site-build-${{ inputs.lang }}.tar.gz
+          name: site-${{ inputs.config }}-${{ inputs.lang }}.tar.gz
+          path: site-${{ inputs.config }}-${{ inputs.lang }}.tar.gz
+
+  offline_package:
+    if: inputs.config == 'offline' && inputs.lang == 'en'
+    needs: build
+    runs-on: ubuntu-latest
+    continue-on-error: ${{ inputs.continue-on-error }}
+    permissions:
+      contents: read
+
+    steps:
+      - uses: actions/download-artifact@v4
+        with:
+          name: site-offline-en.tar.gz
+
+      - run: |
+          tar -xzvf site-offline-en.tar.gz
+          tar -czvf offline.tar.gz site/en
+          zip -r -q offline.zip site/en
+
+      - name: Upload tar.gz file
+        uses: actions/upload-artifact@v4
+        with:
+          name: offline.tar.gz
+          path: offline.tar.gz
+
+      - name: Upload zip file
+        uses: actions/upload-artifact@v4
+        with:
+          name: offline.zip
+          path: offline.zip
+
+      - name: Create ZIM File
+        uses: addnab/docker-run-action@v3
+        with:
+          image: ghcr.io/openzim/zim-tools:3.1.3
+          options: -v ${{ github.workspace }}:/data
+          run: |
+            zimwriterfs -w index.html -I assets/brand/logos/png/square/pg-yellow.png -l eng -t "Privacy Guides" -d "Your central privacy and security resource to protect yourself online." -c "Privacy Guides" -p "Jonah Aragon" -n "Privacy Guides" -e "https://github.com/privacyguides/privacyguides.org" /data/site/en /data/offline-privacy_guides.zim
+
+      - name: Upload ZIM file
+        uses: actions/upload-artifact@v4
+        with:
+          name: offline-privacy_guides.zim
+          path: offline-privacy_guides.zim

.github/workflows/publish-release.yml

@@ -51,25 +51,21 @@ jobs:
     strategy:
       matrix:
         lang: [en, es, fr, he, it, nl, ru, zh-Hant]
+        build: [build, offline]
     permissions:
       contents: read
     uses: ./.github/workflows/build.yml
     with:
+      config: ${{ matrix.build }}
       ref: ${{ github.ref }}
       repo: ${{ github.repository }}
       lang: ${{ matrix.lang }}
       context: production
       continue-on-error: false
 
-  buildoffline:
-    needs: submodule
-    permissions:
-      contents: read
-    uses: ./.github/workflows/build-offline.yml
-
   release:
     name: Create release notes
-    needs: buildoffline
+    needs: build
     runs-on: ubuntu-latest
     permissions:
       contents: write
@@ -96,8 +92,12 @@ jobs:
       PROD_MINIO_SECRET_KEY: ${{ secrets.PROD_MINIO_SECRET_KEY }}
       CF_API_TOKEN: ${{ secrets.CF_API_TOKEN }}
       CF_ACCOUNT_ID: ${{ secrets.CF_ACCOUNT_ID }}
+      CLUSTER_USERNAME: ${{ secrets.CLUSTER_USERNAME }}
+      CLUSTER_PASSWORD: ${{ secrets.CLUSTER_PASSWORD }}
+      CLOUDFLARE_ZONE: ${{ secrets.CLOUDFLARE_ZONE }}
+      CLOUDFLARE_TOKEN: ${{ secrets.CLOUDFLARE_TOKEN }}
 
   cleanup:
     if: ${{ always() }}
-    needs: [build, buildoffline]
+    needs: build
     uses: privacyguides/.github/.github/workflows/cleanup.yml@main

.github/workflows/test-lint.yml

@@ -63,7 +63,7 @@ jobs:
           # ADD YOUR CUSTOM ENV VARIABLES HERE OR DEFINE THEM IN A FILE .mega-linter.yml AT THE ROOT OF YOUR REPOSITORY
           DISABLE: COPYPASTE,SPELL,HTML
           DISABLE_LINTERS: JSON_JSONLINT,MARKDOWN_MARKDOWN_TABLE_FORMATTER
-          DISABLE_ERRORS_LINTERS: CSS_STYLELINT,MARKDOWN_MARKDOWN_LINK_CHECK,YAML_YAMLLINT,DOCKERFILE_HADOLINT,REPOSITORY_TRIVY
+          DISABLE_ERRORS_LINTERS: CSS_STYLELINT,MARKDOWN_MARKDOWN_LINK_CHECK,YAML_YAMLLINT,DOCKERFILE_HADOLINT,REPOSITORY_TRIVY,REPOSITORY_CHECKOV
           EDITORCONFIG_EDITORCONFIG_CHECKER_ARGUMENTS: -disable-indentation
           ENV_DOTENV_LINTER_ARGUMENTS: "--skip QuoteCharacter"
           MARKDOWN_MARKDOWN_LINK_CHECK_FILTER_REGEX_INCLUDE: (docs)

config/mkdocs-common.yml

@@ -237,10 +237,10 @@ extra:
       ]
     cookies:
       analytics:
-        name: Self-Hosted Analytics
+        name: !ENV [ANALYTICS_COOKIE_UMAMI, "Self-Hosted Analytics"]
         checked: true
       github:
-        name: GitHub API
+        name: !ENV [ANALYTICS_COOKIE_GITHUB, "GitHub API"]
         checked: true
     actions:
       - reject
@@ -293,11 +293,11 @@ theme:
     - search.highlight
 
 extra_css:
-  - assets/stylesheets/extra.css?v=3.17.0
+  - assets/stylesheets/extra.css?v=1
 extra_javascript:
-  - assets/javascripts/randomize-element.js
-  - assets/javascripts/resolution.js
-  - assets/javascripts/feedback.js
+  - assets/javascripts/randomize-element.js?v=1
+  - assets/javascripts/resolution.js?v=1
+  - assets/javascripts/feedback.js?v=1
 
 watch:
   - ../theme
@@ -307,9 +307,7 @@ watch:
 plugins:
   tags: {}
   search: {}
-  privacy:
-    assets_exclude:
-      - cdn.jsdelivr.net/npm/mathjax@3/*
+  privacy: {}
 
 markdown_extensions:
   admonition: {}

config/mkdocs-offline.yml

@@ -18,7 +18,7 @@
 # FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS
 # IN THE SOFTWARE.
 
-INHERIT: !ENV [MKDOCS_INHERIT, mkdocs-common.yml]
+INHERIT: mkdocs-common.yml
 
 # Disable any GitHub integrations
 repo_url: ""
@@ -54,8 +54,6 @@ extra:
             class: md-button
 
 theme:
-  # OFFLINE ONLY: this logo needs to be set separately because the relative path is different
-  logo: ../theme/assets/brand/logos/svg/logo/privacy-guides-logo-notext-colorbg.svg
   features:
     - navigation.tabs
     - navigation.sections

docs/android.md

@@ -123,7 +123,7 @@ GrapheneOS provides additional [security hardening](https://en.wikipedia.org/wik
 
 GrapheneOS supports [Sandboxed Google Play](https://grapheneos.org/usage#sandboxed-google-play), which runs [Google Play Services](https://en.wikipedia.org/wiki/Google_Play_Services) fully sandboxed like any other regular app. This means you can take advantage of most Google Play Services, such as [push notifications](https://firebase.google.com/docs/cloud-messaging), while giving you full control over their permissions and access, and while containing them to a specific [work profile](os/android-overview.md#work-profile) or [user profile](os/android-overview.md#user-profiles) of your choice.
 
-Google Pixel phones are the only devices that currently meet GrapheneOS's [hardware security requirements](https://grapheneos.org/faq#device-support).
+Google Pixel phones are the only devices that currently meet GrapheneOS's [hardware security requirements](https://grapheneos.org/faq#future-devices).
 
 [Why we recommend GrapheneOS over CalyxOS :material-arrow-right-drop-circle:](https://blog.privacyguides.org/2022/04/21/grapheneos-or-calyxos){ .md-button }
 
@@ -281,7 +281,7 @@ Main privacy features include:
 
 Metadata is not currently deleted from video files but that is planned.
 
-The image orientation metadata is not deleted. If you enable location (in Secure Camera) that **won't** be deleted either. If you want to delete that later you will need to use an external app such as [ExifEraser](data-redaction.md#exiferaser).
+The image orientation metadata is not deleted. If you enable location (in Secure Camera) that **won't** be deleted either. If you want to delete that later you will need to use an external app such as [ExifEraser](data-redaction.md#exiferaser-android).
 
 </div>
 
@@ -322,6 +322,7 @@ The image orientation metadata is not deleted. If you enable location (in Secure
 **Obtainium** is an app manager which allows you to install and update apps directly from the developer's own releases page (i.e. GitHub, GitLab, the developer's website, etc.), rather than a centralized app store/repository. It supports automatic background updates on Android 12 and higher.
 
 [:octicons-repo-16: Repository](https://github.com/ImranR98/Obtainium#readme){ .md-button .md-button--primary }
+[:octicons-info-16:](https://github.com/ImranR98/Obtainium/wiki){ .card-link title=Documentation}
 [:octicons-code-16:](https://github.com/ImranR98/Obtainium){ .card-link title="Source Code" }
 [:octicons-heart-16:](https://github.com/sponsors/ImranR98){ .card-link title=Contribute }
 
@@ -363,7 +364,7 @@ The Google Play Store requires a Google account to login which is not great for
 
 </div>
 
-Aurora Store does not allow you to download paid apps with their anonymous account feature. You can optionally log in with your Google account with Aurora Store to download apps you have purchased, which does give access to the list of apps you've installed to Google, however you still benefit from not requiring the full Google Play client and Google Play Services or microG on your device.
+Aurora Store does not allow you to download paid apps with their anonymous account feature. You can optionally log in with your Google account with Aurora Store to download apps you have purchased, which does give access to the list of apps you've installed to Google. However, you still benefit from not requiring the full Google Play client and Google Play Services or microG on your device.
 
 ### Manually with RSS Notifications
 
@@ -429,7 +430,7 @@ That said, the [F-Droid](https://f-droid.org/en/packages) and [IzzyOnDroid](http
 <div class="admonition note" markdown>
 <p class="admonition-title">F-Droid Basic</p>
 
-In some rare cases, the developer of an app will only distribute it through F-Droid ([Gadgetbridge](https://gadgetbridge.org) is one example of this). If you really need an app like that, we recommend using the newer [F-Droid Basic](https://f-droid.org/en/packages/org.fdroid.basic) client instead of the original F-Droid app to obtain it. F-Droid Basic can do unattended updates without privileged extension or root, and has a reduced feature set (limiting attack surface).
+In some rare cases, the developer of an app will only distribute it through F-Droid ([Gadgetbridge](https://gadgetbridge.org) is one example of this). If you really need an app like that, we recommend using the newer [F-Droid Basic](https://f-droid.org/en/packages/org.fdroid.basic) client instead of the original F-Droid app to obtain it. F-Droid Basic supports automatic background updates without privileged extension or root, and has a reduced feature set (limiting attack surface).
 
 </div>
 

docs/browser-extensions.md

@@ -59,7 +59,7 @@ uBlock Origin also has a "Lite" version of their extension, which offers a very
 **uBlock Origin Lite** is a Manifest V3 compatible content blocker. Compared to the original *uBlock Origin*, this extension does not require broad "read/modify data" permissions to function.
 
 [:octicons-repo-16: Repository](https://github.com/uBlockOrigin/uBOL-home#readme){ .md-button .md-button--primary }
-[:octicons-eye-16:](https://github.com/gorhill/uBlock/wiki/Privacy-policy){ .card-link title="Privacy Policy" }
+[:octicons-eye-16:](https://github.com/uBlockOrigin/uBOL-home/wiki/Privacy-policy){ .card-link title="Privacy Policy" }
 [:octicons-info-16:](https://github.com/uBlockOrigin/uBOL-home/wiki){ .card-link title=Documentation}
 [:octicons-code-16:](https://github.com/gorhill/uBlock/tree/master/platform/mv3){ .card-link title="Source Code" }
 

docs/calendar.md

@@ -18,7 +18,7 @@ Multiple calendars and extended sharing functionality is limited to paid subscri
 
 [:octicons-home-16: Homepage](https://tuta.com/calendar){ .md-button .md-button--primary }
 [:octicons-eye-16:](https://tuta.com/privacy){ .card-link title="Privacy Policy" }
-[:octicons-info-16:](https://tuta.com/faq){ .card-link title=Documentation}
+[:octicons-info-16:](https://tuta.com/support){ .card-link title=Documentation}
 [:octicons-code-16:](https://github.com/tutao/tutanota){ .card-link title="Source Code" }
 [:octicons-heart-16:](https://tuta.com/community){ .card-link title=Contribute }
 
@@ -43,11 +43,11 @@ Multiple calendars and extended sharing functionality is limited to paid subscri
 
 ![Proton](assets/img/calendar/proton-calendar.svg){ align=right }
 
-**Proton Calendar** is an encrypted calendar service available to Proton members via web or mobile clients. Features include: automatic E2EE of all data, sharing features, import/export functionality, and [more](https://proton.me/support/proton-calendar-guide). Those on the free tier get access to 3 calendars, whereas paid subscribers can create up to 25 calendars. Extended sharing functionality is also limited to paid subscribers.
+**Proton Calendar** is an encrypted calendar service available to Proton members via web or mobile clients. Features include: automatic E2EE of all data, sharing features, import/export functionality, and [more](https://proton.me/support/proton-calendar-guide). Those on the free tier gain access to 3 calendars, whereas paid subscribers can create up to 25 calendars. Extended sharing functionality is also limited to paid subscribers.
 
 [:octicons-home-16: Homepage](https://proton.me/calendar){ .md-button .md-button--primary }
 [:octicons-eye-16:](https://proton.me/legal/privacy){ .card-link title="Privacy Policy" }
-[:octicons-info-16:](https://proton.me/support/proton-calendar-guide){ .card-link title=Documentation}
+[:octicons-info-16:](https://proton.me/support/calendar){ .card-link title=Documentation}
 [:octicons-code-16:](https://github.com/ProtonMail/WebClients){ .card-link title="Source Code" }
 
 <details class="downloads" markdown>

docs/desktop-browsers.md

@@ -104,7 +104,7 @@ This is required to prevent advanced forms of tracking, but does come at the cos
 
 ### Mullvad Leta
 
-Mullvad Browser comes with DuckDuckGo set as the default [search engine](search-engines.md), but it also comes preinstalled with **Mullvad Leta**, a search engine which requires an active Mullvad VPN subscription to access. Mullvad Leta queries Google's paid search API directly (which is why it is limited to paying subscribers), however because of this limitation it is possible for Mullvad to correlate search queries and Mullvad VPN accounts. For this reason we discourage the use of Mullvad Leta, even though Mullvad collects very little information about their VPN subscribers.
+Mullvad Browser comes with DuckDuckGo set as the default [search engine](search-engines.md), but it also comes preinstalled with **Mullvad Leta**, a search engine which requires an active Mullvad VPN subscription to access. Mullvad Leta queries Google's paid search API directly, which is why it is limited to paying subscribers. However, it is possible for Mullvad to correlate search queries and Mullvad VPN accounts because of this limitation. For this reason we discourage the use of Mullvad Leta, even though Mullvad collects very little information about their VPN subscribers.
 
 ## Firefox
 
@@ -116,7 +116,7 @@ Mullvad Browser comes with DuckDuckGo set as the default [search engine](search-
 
 [:octicons-home-16: Homepage](https://firefox.com){ .md-button .md-button--primary }
 [:octicons-eye-16:](https://mozilla.org/privacy/firefox){ .card-link title="Privacy Policy" }
-[:octicons-info-16:](https://firefox-source-docs.mozilla.org){ .card-link title=Documentation}
+[:octicons-info-16:](https://support.mozilla.org/products/firefox){ .card-link title=Documentation}
 [:octicons-code-16:](https://hg.mozilla.org/mozilla-central){ .card-link title="Source Code" }
 [:octicons-heart-16:](https://donate.mozilla.org){ .card-link title=Contribute }
 
@@ -145,12 +145,19 @@ These options can be found in :material-menu: → **Settings**
 
 #### Search
 
-- [ ] Uncheck **Provide search suggestions**
+- [ ] Uncheck **Show search suggestions**
 
 Search suggestion features may not be available in your region.
 
 Search suggestions send everything you type in the address bar to the default search engine, regardless of whether you submit an actual search. Disabling search suggestions allows you to more precisely control what data you send to your search engine provider.
 
+##### Firefox Suggest (US only)
+
+[Firefox Suggest](https://support.mozilla.org/kb/firefox-suggest) is a feature similar to search suggestions which is only available in the US. We recommend disabling it for the same reason we recommend disabling search suggestions. If you don't see these options under the **Address Bar** header, you do not have the new experience and can ignore these changes.
+
+- [ ] Uncheck **Suggestions from Firefox**
+- [ ] Uncheck **Suggestions from sponsors**
+
 #### Privacy & Security
 
 ##### Enhanced Tracking Protection
@@ -159,13 +166,6 @@ Search suggestions send everything you type in the address bar to the default se
 
 This protects you by blocking social media trackers, fingerprinting scripts (note that this does not protect you from *all* fingerprinting), cryptominers, cross-site tracking cookies, and some other tracking content. ETP protects against many common threats, but it does not block all tracking avenues because it is designed to have minimal to no impact on site usability.
 
-##### Firefox Suggest (US only)
-
-[Firefox Suggest](https://support.mozilla.org/kb/firefox-suggest) is a feature similar to search suggestions which is only available in the US. We recommend disabling it for the same reason we recommend disabling search suggestions. If you don't see these options under the **Address Bar** header, you do not have the new experience and can ignore these changes.
-
-- [ ] Uncheck **Suggestions from the web**
-- [ ] Uncheck **Suggestions from sponsors**
-
 ##### Sanitize on Close
 
 If you want to stay logged in to particular sites, you can allow exceptions in **Cookies and Site Data** → **Manage Exceptions...**
@@ -182,7 +182,7 @@ This protects you from persistent cookies, but does not protect you against cook
 
 > Firefox sends data about your Firefox version and language; device operating system and hardware configuration; memory, basic information about crashes and errors; outcome of automated processes like updates, safebrowsing, and activation to us. When Firefox sends data to us, your IP address is temporarily collected as part of our server logs.
 
-Additionally, the Firefox Accounts service collects [some technical data](https://mozilla.org/privacy/firefox/#firefox-accounts). If you use a Firefox Account you can opt-out:
+Additionally, the Mozilla Accounts service collects [some technical data](https://mozilla.org/privacy/mozilla-accounts). If you use a Mozilla Account you can opt-out:
 
 1. Open your [profile settings on accounts.firefox.com](https://accounts.firefox.com/settings#data-collection)
 2. Uncheck **Data Collection and Use** > **Help improve Firefox Accounts**

docs/desktop.md

@@ -83,6 +83,7 @@ A large portion of [Arch Linux’s packages](https://reproducible.archlinux.org)
 **Fedora Atomic Desktops** are variants of Fedora which use the `rpm-ostree` package manager and have a strong focus on containerized workflows and Flatpak for desktop applications. All of these variants follow the same release schedule as Fedora Workstation, benefiting from the same fast updates and staying very close to upstream.
 
 [:octicons-home-16: Homepage](https://fedoraproject.org/atomic-desktops){ .md-button .md-button--primary }
+[:octicons-info-16:](https://docs.fedoraproject.org/en-US/emerging){ .card-link title=Documentation}
 [:octicons-heart-16:](https://whatcanidoforfedora.org){ .card-link title=Contribute }
 
 </details>

docs/dns.md

@@ -20,7 +20,7 @@ These are our favorite public DNS resolvers based on their privacy and security
 | [**AdGuard Public DNS**](https://adguard-dns.io/en/public-dns.html) | [:octicons-link-external-24:](https://adguard.com/en/privacy/dns.html) | Cleartext   DoH/3   DoT   DoQ   DNSCrypt | Some[^1] | Anonymized | Based on server choice. Filter list being used can be found here. [:octicons-link-external-24:](https://github.com/AdguardTeam/AdGuardDNS) | Yes [:octicons-link-external-24:](https://adguard.com/en/blog/encrypted-dns-ios-14.html) |
 | [**Cloudflare**](https://developers.cloudflare.com/1.1.1.1/setup) | [:octicons-link-external-24:](https://developers.cloudflare.com/1.1.1.1/privacy/public-dns-resolver) | Cleartext   DoH/3   DoT | Some[^2] | No | Based on server choice. | No [:octicons-link-external-24:](https://community.cloudflare.com/t/requesting-1-1-1-1-signed-profiles-for-apple/571846) |
 | [**Control D Free DNS**](https://controld.com/free-dns) | [:octicons-link-external-24:](https://controld.com/privacy) | Cleartext   DoH/3   DoT   DoQ | Optional[^3] | No | Based on server choice. | Yes [:octicons-link-external-24:](https://docs.controld.com/docs/macos-platform) |
-| [**dns0.eu**](https://dns0.eu) | [:octicons-link-external-24:](https://dns0.eu/privacy) | Cleartext   DoH/3   DoH   DoT   DoQ | No | Anonymized | Based on server choice. | Yes [:octicons-link-external-24:](https://www.dns0.eu/zero.dns0.eu.mobileconfig) |
+| [**dns0.eu**](https://dns0.eu) | [:octicons-link-external-24:](https://dns0.eu/privacy) | Cleartext   DoH/3   DoH   DoT   DoQ | No | Anonymized | Based on server choice. | Yes [:octicons-link-external-24:](https://dns0.eu/zero.dns0.eu.mobileconfig) |
 | [**Mullvad**](https://mullvad.net/en/help/dns-over-https-and-dns-over-tls) | [:octicons-link-external-24:](https://mullvad.net/en/help/no-logging-data-policy) | DoH   DoT | No[^4] | No | Based on server choice. Filter list being used can be found here. [:octicons-link-external-24:](https://github.com/mullvad/dns-adblock) | Yes [:octicons-link-external-24:](https://mullvad.net/en/blog/profiles-to-configure-our-encrypted-dns-on-apple-devices) |
 | [**Quad9**](https://quad9.net) | [:octicons-link-external-24:](https://quad9.net/privacy/policy) | Cleartext   DoH   DoT   DNSCrypt | Some[^5] | Optional | Based on server choice, malware blocking by default. | Yes [:octicons-link-external-24:](https://quad9.net/news/blog/ios-mobile-provisioning-profiles) |
 

docs/email-aliasing.md

@@ -40,7 +40,7 @@ Using an aliasing service requires trusting both your email provider and your al
 
 [:octicons-home-16: Homepage](https://addy.io){ .md-button .md-button--primary }
 [:octicons-eye-16:](https://addy.io/privacy){ .card-link title="Privacy Policy" }
-[:octicons-info-16:](https://app.addy.io/docs){ .card-link title=Documentation}
+[:octicons-info-16:](https://addy.io/faq){ .card-link title=Documentation}
 [:octicons-code-16:](https://github.com/anonaddy){ .card-link title="Source Code" }
 [:octicons-heart-16:](https://addy.io/donate){ .card-link title=Contribute }
 

docs/email-clients.md

@@ -9,7 +9,7 @@ Our recommendation list contains email clients that support both [OpenPGP](encry
 <details class="warning" markdown>
 <summary>Email does not provide forward secrecy</summary>
 
-When using end-to-end encryption (E2EE) technology like OpenPGP, email will still have [some metadata](email.md#email-metadata-overview) that is not encrypted in the header of the email.
+When using end-to-end encryption (E2EE) technology like OpenPGP, email will still have [some metadata](basics/email-security.md#email-metadata-overview) that is not encrypted in the header of the email.
 
 OpenPGP also does not support [forward secrecy](https://en.wikipedia.org/wiki/Forward_secrecy), which means if either your or the recipient's private key is ever stolen, all previous messages encrypted with it will be exposed: [How do I protect my private keys?](basics/email-security.md) Consider using a medium that provides forward secrecy:
 
@@ -61,7 +61,7 @@ These options can be found in :material-menu: → **Settings** → **Privacy & S
 
 #### Thunderbird-user.js (advanced)
 
-[`thunderbird-user.js`](https://github.com/HorlogeSkynet/thunderbird-user.js), is a set of configurations options that aims to disable as many of the web-browsing features within Thunderbird as possible in order to reduce surface area and maintain privacy. Some of the changes are backported from the [Arkenfox project](https://github.com/arkenfox/user.js).
+[`thunderbird-user.js`](https://github.com/HorlogeSkynet/thunderbird-user.js) is a set of configurations options that aims to disable as many of the web-browsing features within Thunderbird as possible in order to reduce attack surface and maintain privacy. Some of the changes are backported from the [Arkenfox project](https://github.com/arkenfox/user.js).
 
 ## Platform Specific
 
@@ -93,7 +93,7 @@ Apple Mail has the ability to load remote content in the background or block it
 
 [:octicons-home-16: Homepage](https://canarymail.io){ .md-button .md-button--primary }
 [:octicons-eye-16:](https://canarymail.io/privacy.html){ .card-link title="Privacy Policy" }
-[:octicons-info-16:](https://canarymail.zendesk.com){ .card-link title=Documentation}
+[:octicons-info-16:](https://canarymail.io/help){ .card-link title=Documentation}
 
 <details class="downloads" markdown>
 <summary>Downloads</summary>

docs/email.md

@@ -71,7 +71,7 @@ OpenPGP also does not support Forward secrecy, which means if either your or the
 
 Free accounts have some limitations, such as not being able to search body text and not having access to [Proton Mail Bridge](https://proton.me/mail/bridge), which is required to use a [recommended desktop email client](email-clients.md) (e.g. Thunderbird). Paid accounts include features like Proton Mail Bridge, additional storage, and custom domain support. A [letter of attestation](https://proton.me/blog/security-audit-all-proton-apps) was provided for Proton Mail's apps on 9th November 2021 by [Securitum](https://research.securitum.com).
 
-If you have the Proton Unlimited, Business, or Visionary Plan, you also get [SimpleLogin](email-aliasing.md#simplelogin) Premium for free.
+If you have the Proton Unlimited, Business, Family, or Visionary Plan, you also get [SimpleLogin](email-aliasing.md#simplelogin) Premium for free.
 
 Proton Mail has internal crash reports that they **do not** share with third parties. This can be disabled in: **Settings** > **Go to Settings** > **Account** > **Security and privacy** > **Send crash reports**.
 
@@ -136,7 +136,7 @@ Mailbox.org lets you use your own domain, and they support [catch-all](https://k
 
 #### :material-check:{ .pg-green } Private Payment Methods
 
-Mailbox.org doesn't accept any cryptocurrencies as a result of their payment processor BitPay suspending operations in Germany. However, they do accept Cash by mail, cash payment to bank account, bank transfer, credit card, PayPal and couple of German-specific processors: paydirekt and Sofortüberweisung.
+Mailbox.org doesn't accept any cryptocurrencies as a result of their payment processor BitPay suspending operations in Germany. However, they do accept cash by mail, cash payment to bank account, bank transfer, credit card, PayPal and couple of German-specific processors: paydirekt and Sofortüberweisung.
 
 #### :material-check:{ .pg-green } Account Security
 
@@ -156,7 +156,7 @@ Mailbox.org also supports the discovery of public keys via HTTP from their [Web
 
 #### :material-information-outline:{ .pg-blue } Account Termination
 
-Your account will be set to a restricted user account when your contract ends, after [30 days it will be irrevocably deleted](https://kb.mailbox.org/en/private/payment-article/what-happens-at-the-end-of-my-contract).
+Your account will be set to a restricted user account when your contract ends. It will be irrevocably deleted after [30 days](https://kb.mailbox.org/en/private/payment-article/what-happens-at-the-end-of-my-contract).
 
 #### :material-information-outline:{ .pg-blue } Additional Functionality
 

docs/frontends.md

@@ -124,7 +124,7 @@ LibreTube allows you to store your subscription list and playlists locally on yo
 
 [:octicons-home-16: Homepage](https://libretube.dev){ .md-button .md-button--primary }
 [:octicons-eye-16:](https://github.com/libre-tube/LibreTube/blob/master/PRIVACY_POLICY.md){ .card-link title="Privacy Policy" }
-[:octicons-info-16:](https://github.com/libre-tube/LibreTube#readme){ .card-link title=Documentation}
+[:octicons-info-16:](https://libretube.dev/#faq){ .card-link title=Documentation}
 [:octicons-code-16:](https://github.com/libre-tube/LibreTube){ .card-link title="Source Code" }
 [:octicons-heart-16:](https://github.com/libre-tube/LibreTube#donate){ .card-link title=Contribute }
 
@@ -158,7 +158,7 @@ Your subscription list and playlists are saved locally on your Android device.
 
 [:octicons-home-16: Homepage](https://newpipe.net){ .md-button .md-button--primary }
 [:octicons-eye-16:](https://newpipe.net/legal/privacy){ .card-link title="Privacy Policy" }
-[:octicons-info-16:](https://teamnewpipe.github.io/documentation){ .card-link title=Documentation}
+[:octicons-info-16:](https://newpipe.net/FAQ){ .card-link title=Documentation}
 [:octicons-code-16:](https://github.com/TeamNewPipe/NewPipe){ .card-link title="Source Code" }
 [:octicons-heart-16:](https://newpipe.net/donate){ .card-link title=Contribute }
 

docs/passwords.md

@@ -337,17 +337,13 @@ KeePassXC stores its export data as [CSV](https://en.wikipedia.org/wiki/Comma-se
 
 Additionally, there is an offline-only version offered: [Strongbox Zero](https://apps.apple.com/app/id1581589638). This version is stripped down in an attempt to reduce attack surface.
 
-### Command-line
-
-These products are minimal password managers that can be used within scripting applications.
-
-#### gopass
+### gopass (CLI)
 
 <div class="admonition recommendation" markdown>
 
 ![gopass logo](assets/img/password-management/gopass.svg){ align=right }
 
-**gopass** is a password manager for the command line written in Go. It works on all major desktop and server operating systems (Linux, macOS, BSD, Windows).
+**gopass** is a minimal password manager for the command line written in Go. It can be used within scripting applications and works on all major desktop and server operating systems (Linux, macOS, BSD, Windows).
 
 [:octicons-home-16: Homepage](https://gopass.pw){ .md-button .md-button--primary }
 [:octicons-info-16:](https://github.com/gopasspw/gopass/tree/master/docs){ .card-link title=Documentation}

docs/search-engines.md

@@ -89,6 +89,7 @@ When you are using a SearXNG instance, be sure to go read their privacy policy.
 **Startpage** is a private search engine known for serving [Google and Bing](https://support.startpage.com/hc/articles/4522435533844-What-is-the-relationship-between-Startpage-and-your-search-partners-like-Google-and-Microsoft-Bing) search results.  One of Startpage's unique features is the [Anonymous View](https://startpage.com/en/anonymous-view), which puts forth efforts to standardize user activity to make it more difficult to be uniquely identified. The feature can be useful for hiding [some](https://support.startpage.com/hc/articles/4455540212116-The-Anonymous-View-Proxy-technical-details) network and browser properties. Unlike the name suggests, the feature should not be relied upon for anonymity. If you are looking for anonymity, use the [Tor Browser](tor.md#tor-browser) instead.
 
 [:octicons-home-16: Homepage](https://startpage.com){ .md-button .md-button--primary }
+[:simple-torbrowser:](http://startpagel6srwcjlue4zgq3zevrujfaow726kjytqbbjyrswwmjzcqd.onion){ .card-link title="Onion Service" }
 [:octicons-eye-16:](https://startpage.com/en/privacy-policy){ .card-link title="Privacy Policy" }
 [:octicons-info-16:](https://support.startpage.com/hc/categories/4481917470356-Startpage-Search-Engine){ .card-link title=Documentation}
 
@@ -96,16 +97,11 @@ When you are using a SearXNG instance, be sure to go read their privacy policy.
 
 </div>
 
-<div class="admonition warning" markdown>
-<p class="admonition-title">Warning</p>
-
-Startpage regularly limits service access to certain IP addresses, such as IPs reserved for VPNs or Tor. [DuckDuckGo](#duckduckgo) and [Brave Search](#brave-search) are friendlier options if your threat model requires hiding your IP address from the search provider.
-
-</div>
-
 Startpage is based in the Netherlands. According to their [privacy policy](https://startpage.com/en/privacy-policy), they log details such as: operating system, type of browser, and language. They do not log your IP address, search queries, or other personally identifying information.
 
-Startpage's majority shareholder is System1 who is an adtech company. We don't believe that to be an issue as they have a distinctly separate [privacy policy](https://system1.com/terms/privacy-policy). The Privacy Guides team reached out to Startpage [back in 2020](https://web.archive.org/web/20210118031008/https://blog.privacytools.io/relisting-startpage) to clear up any concerns with System1's sizeable investment into the service. We were satisfied with the answers we received.
+Startpage's majority shareholder is System1 who is an adtech company. We don't believe that to be an issue as they have a distinctly separate [privacy policy](https://system1.com/terms/privacy-policy). The Privacy Guides team reached out to Startpage [back in 2020](https://blog.privacyguides.org/2020/05/03/relisting-startpage/) to clear up any concerns with System1's sizeable investment into the service, and we were satisfied with the answers we received.
+
+Startpage previously placed limitations on VPN and [Tor](tor.md) users, but they recently created an [official](https://support.startpage.com/hc/en-us/articles/24786602537364-Startpage-s-Tor-onion-service) Tor hidden service, and as of April 2024 we have no longer noticed extra roadblocks for Tor or [VPN](vpn.md) users.
 
 ## Criteria
 

docs/vpn.md

@@ -62,7 +62,7 @@ Our recommended providers use encryption, support WireGuard & OpenVPN, and have
 
 #### :material-check:{ .pg-green } 91 Countries
 
-Proton VPN has [servers in 91 countries](https://protonvpn.com/vpn-servers) [or 8 if you use their free plan](https://protonvpn.com/free-vpn).(1) Picking a VPN provider with a server nearest to you will reduce latency of the network traffic you send. This is because of a shorter route (fewer hops) to the destination.
+Proton VPN has [servers in 91 countries](https://protonvpn.com/vpn-servers) or [5](https://protonvpn.com/support/how-to-create-free-vpn-account) if you use their [free plan](https://protonvpn.com/free-vpn/server).(1) Picking a VPN provider with a server nearest to you will reduce latency of the network traffic you send. This is because of a shorter route (fewer hops) to the destination.
 { .annotate }
 
 1. Last checked: 2024-04-02
@@ -169,7 +169,7 @@ IVPN [recommends](https://ivpn.net/wireguard) the use of WireGuard with their se
 
 #### :material-information-outline:{ .pg-blue } IPv6 Support
 
-IVPN allows you to [connect to services using IPv6](https://www.ivpn.net/knowledgebase/general/do-you-support-ipv6) but doesn't allow you to connect from a device using an IPv6 address.
+IVPN allows you to [connect to services using IPv6](https://ivpn.net/knowledgebase/general/do-you-support-ipv6) but doesn't allow you to connect from a device using an IPv6 address.
 
 #### :material-alert-outline:{ .pg-orange } Remote Port Forwarding
 

includes/strings.en.env

@@ -1,5 +1,7 @@
 ANALYTICS_CONSENT_BODY="We collect anonymous statistics about your visits to help us improve the site. We do not track you across other websites. If you disable this, we will not know when you have visited our site. We will save a single cookie in your browser to remember your preference."
 ANALYTICS_CONSENT_TITLE="Contribute anonymous statistics"
+ANALYTICS_COOKIE_GITHUB="GitHub API"
+ANALYTICS_COOKIE_UMAMI="Self-Hosted Analytics"
 ANALYTICS_FEEDBACK_NEGATIVE_NAME="This page could be improved"
 ANALYTICS_FEEDBACK_NEGATIVE_NOTE='Thanks for your feedback! If you want to let us know more, please leave a post on our <a href="https://discuss.privacyguides.net/c/site-development/7" target="_blank" rel="noopener">forum</a>.'
 ANALYTICS_FEEDBACK_POSITIVE_NAME="This page was helpful"

theme/partials/copyright.html

@@ -24,7 +24,7 @@
 <!-- Copyright information -->
 <div class="md-copyright">
   {% if copyright %}
-    <div class="md-copyright__highlight">
+    <div class="md-copyright__highlight" title="This version of Privacy Guides was built on {{ build_date_utc.strftime('%B %d, %Y at %I:%M%p') }}">
       {{ copyright.intro }}
       <br />
       {{ copyright.note }}