From 7fa6f64a2a6764f0d70d67d4cb5a693dd13caa0b Mon Sep 17 00:00:00 2001
From: mat ess
Date: Sun, 28 Aug 2022 02:41:20 -0400
Subject: [PATCH] Add privacy, rework some css

---
 Caddyfile | 10 +++-
 content/privacy.md | 40 +++++++++++++
 fly.toml | 38 +++++++++++++
 nix/container.nix | 1 +
 sass/style/main.scss | 101 ++-------------------------------
 sass/style/parts/_header.scss | 4 +-
 sass/style/parts/_image.scss | 2 +-
 sass/style/parts/_misc.scss | 2 +-
 sass/style/parts/_tags.scss | 13 +++++
 templates/partials/footer.html | 17 ++++--
 templates/partials/header.html | 2 +
 templates/partials/nav.html | 2 +-
 12 files changed, 127 insertions(+), 105 deletions(-)
 create mode 100644 content/privacy.md
 create mode 100644 fly.toml

diff --git a/Caddyfile b/Caddyfile
index 3b1a316..65ac39f 100644
--- a/Caddyfile
+++ b/Caddyfile
@@ -20,12 +20,19 @@ http://static-mat-services.fly.dev {
 file_server
 }
 
+ log {
+ output stdout
+ output net {$LOG_OUTPUT_ADDR} {
+ dial_timeout 1m
+ }
+ }
+
 header {
 # disable FLoC tracking
 Permissions-Policy interest-cohort=()
 # enable HSTS
 # currently ramping up max-age as per https://hstspreload.org/
- Strict-Transport-Security max-age=604800; includeSubDomains
+ Strict-Transport-Security max-age=2592000; includeSubDomains
 # disable clients from sniffing the media type
 X-Content-Type-Options nosniff
 # clickjacking protection
@@ -39,6 +46,7 @@ http://static-mat-services.fly.dev {
 img-src 'self';
 style-src 'self' 'unsafe-inline';
 font-src 'self';
+ script-src 'self';
 form-action 'none';
 frame-ancestors 'none';
 base-uri 'none';
diff --git a/content/privacy.md b/content/privacy.md
new file mode 100644
index 0000000..ad5bab7
--- /dev/null
+++ b/content/privacy.md
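Review bot: The new `log` block in the Caddyfile lists two `output` lines, and as far as I know a Caddy `log` block holds a single writer, so the later `output net` probably replaces `output stdout` instead of adding to it. That is worth confirming with `caddy adapt`, because content/privacy.md in this commit describes retention in terms of the fly.io log tooling, which reads stdout. The records sent to `{$LOG_OUTPUT_ADDR}` carry full client IP addresses; if the aggregator can work without them, the `filter` encoder's `ip_mask` can truncate them before they leave the process. The placeholder also has no default, so a comment such as `# LOG_OUTPUT_ADDR is set in nix/container.nix; the net writer has no address without it` would help the next reader.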
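Review bot: Adding `script-src 'self';` to the Content-Security-Policy in the second Caddyfile hunk permits same-origin scripts, while content/privacy.md in this commit says no JavaScript or other client-side tracking is performed. The `default-src` line is outside the hunk, so I cannot tell whether scripts were blocked before; if they were, this change loosens the policy. If no script is actually served, `script-src 'none';` keeps the stricter policy and states the intent. The `'unsafe-inline'` in `style-src` is existing context and is not changed here.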
@@ -0,0 +1,40 @@
++++
+title = "privacy notice"
+path = "privacy"
++++
+
+## summary
+
+- no javascript or other client-side tracking is performed on this site.
+- caddy server logs are enabled, but not persisted to disk.
+- caddy server logs are aggregated into a self-hosted goatcounter instance for 180 days.
+- the site is hosted by fly.io.
+
+## data that i collect
+
+### server logs
+
+this site is served with caddy, and caddy's [default logging configuration](https://caddyserver.com/docs/caddyfile/directives/log) is used. caddy logs include information such as IP address, the document being requested, the time of request, and the response status from the server. caddy logs are not stored on disk, and are only retained for as long as the fly.io logging tooling can retrieve them.
+
+#### statistics (goatcounter)
+
+caddy logs are streamed to a self-hosted instance of [goatcounter](https://www.goatcounter.com). goatcounter aggregates logs to remove personal information. this instance of goatcounter is running on fly.io, and is completely unaffiliated with the goatcounter business - i operate the server myself. aggregated log data in goatcounter is retained for 180 days. the following statistics are aggregated:
+
+- unique visitor sessions
+ - "Track unique visitors for up to 8 hours"
+- referrer + campaign
+ - Referer header or utm_campaign/utm_source/ref
+- screen size
+- country
+- language
+ - "Supported languages from Accept-Language"
+
+although it does not apply to the self hosted instance of goatcounter used by this site, the [hosted goatcounter instance's privacy policy](https://www.goatcounter.com/help/privacy) may be useful to review.
+
+### site hosting
+
+this site is hosted on fly.io. [see this page for fly.io's privacy statement](https://fly.io/legal/privacy-policy/).
+
+## data that i share
+
+logs and aggregated data are not shared with any third parties.
diff --git a/fly.toml b/fly.toml
new file mode 100644
index 0000000..31dbfda
--- /dev/null
+++ b/fly.toml
@@ -0,0 +1,38 @@
+# fly.toml file generated for static-mat-services on 2022-08-08T01:01:25-04:00
+
+app = "static-mat-services"
+kill_signal = "SIGINT"
+kill_timeout = 5
+processes = []
+
+[env]
+
+[experimental]
+ allowed_public_ports = []
+ auto_rollback = true
+
+[[services]]
+ http_checks = []
+ internal_port = 8080
+ processes = ["app"]
+ protocol = "tcp"
+ script_checks = []
+ [services.concurrency]
+ hard_limit = 25
+ soft_limit = 20
+ type = "connections"
+
+ [[services.ports]]
+ force_https = true
+ handlers = ["http"]
+ port = 80
+
+ [[services.ports]]
+ handlers = ["tls", "http"]
+ port = 443
+
+ [[services.tcp_checks]]
+ grace_period = "1s"
+ interval = "15s"
+ restart_limit = 0
+ timeout = "2s"
diff --git a/nix/container.nix b/nix/container.nix
index 0d9a9eb..70a0b43 100644
--- a/nix/container.nix
+++ b/nix/container.nix
@@ -8,6 +8,7 @@ dockerTools.buildLayeredImage {
 Cmd = [ "${caddy}/bin/caddy" "run" "-config" "${caddyfile}" ];
 Env = [
 "SITE_ROOT=${site}"
+ "LOG_OUTPUT_ADDR=tcp://[fdaa:0:742b:a7b:ab2:1:a2b5:2]:9090"
 ];
 };
 }
diff --git a/sass/style/main.scss b/sass/style/main.scss
index 7e7a84d..e9efad8 100644
--- a/sass/style/main.scss
+++ b/sass/style/main.scss
@@ -50,11 +50,11 @@ div.brand>* {
 padding: 0 0.25em;
 }
 
-div.brand:hover img.logo {
+div.brand:hover img#logo {
 filter: brightness(0) invert(1);
 }
 
-img.logo {
+img#logo {
 border: none;
 height: 0.75em;
 width: 0.75em;
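Review bot: The `LOG_OUTPUT_ADDR` entry added to `Env` in nix/container.nix pins the log sink to one literal IPv6 address (in the unique-local range) that is baked into the image. Moving or redeploying the sink then needs a container rebuild, and until that happens access logs with client IPs are dialled to an address that may belong to nothing or to a different machine. A name-based target (`tcp://<log-app>.internal:9090`, placeholder app name) or an entry under the `[env]` table that fly.toml leaves empty would keep the address out of the image. The stream is plain TCP, so its confidentiality rests on the private network alone; a one-line comment next to the entry, e.g. `# log sink on the private network only; no TLS on this stream`, would record that assumption. The attribute set around `Env` starts outside the hunk.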
@@ -90,106 +90,15 @@ footer {
 font-size: 0.75em;
 display: flex;
 
- code {
- color: var(--text-0);
-
- &:hover {
- background-color: var(--primary-color);
- color: var(--hover-color);
- border-radius: 0;
- }
- }
-
- .privacy-note {
- flex: 2 0;
- padding-right: 1em;
- }
-
- .powered-by {
+ #site-info {
 flex: 1 0;
 }
-}
 
-// Different sized headers
-h1.page-header {
- font-weight: normal;
- max-width: 720px;
-}
-
-h2 {
- font-size: 1.4rem;
- margin-top: 1.4em;
-
- &::before {
- content: "# ";
+ #copyright {
+ align-items: flex-end;
 }
 }
 
-h3 {
- font-size: 1.3rem;
- margin-top: 1.3em;
-
- &::before {
- content: "## ";
- }
-}
-
-h4 {
- font-size: 1.2rem;
- margin-top: 1.2em;
-
- &::before {
- content: "### ";
- }
-}
-
-h5 {
- font-size: 1.1rem;
- margin-top: 1.1em;
-
- &::before {
- content: "#### ";
- }
-}
-
-h6 {
- font-size: 1rem;
- margin-top: 1em;
-
- &::before {
- content: "##### ";
- }
-}
-
-// Tags
-ul.tags {
- margin: 0.5rem;
-
- li {
- margin-right: 0.6rem;
- display: inline-block;
-
- a {
- margin-left: 0;
- }
- }
-}
-
-// // Header dot
-// .header-dot {
-// font-size: 1.6em;
-// }
-
-// Meta
-.meta a:hover {
- color: white;
-}
-
-// Fixup grays
-time {
- color: var(--text-1);
-}
-
 // Post list
 li.post-list-item {
 list-style-type: none;
diff --git a/sass/style/parts/_header.scss b/sass/style/parts/_header.scss
index f1ae61c..47a867a 100644
--- a/sass/style/parts/_header.scss
+++ b/sass/style/parts/_header.scss
@@ -1,8 +1,10 @@
-.page-header {
+h1.page-header {
 font-size: 2.75em;
 line-height: 100%;
 font-family: var(--header-font);
 margin: 4rem 0px 1rem 0px;
+
+ max-width: 720px;
 }
 
 .centered-header {
diff --git a/sass/style/parts/_image.scss b/sass/style/parts/_image.scss
index 11cd73d..b7cd5bd 100644
--- a/sass/style/parts/_image.scss
+++ b/sass/style/parts/_image.scss
@@ -1,4 +1,4 @@
-img:not(.logo) {
+img:not(#logo) {
 border: 3px solid #ececec;
 max-width: 100%;
 border-radius: 5px;
diff --git a/sass/style/parts/_misc.scss b/sass/style/parts/_misc.scss index cecb254..e6c8015 100644 --- a/sass/style/parts/_misc.scss +++ b/sass/style/parts/_misc.scss @@ -51,7 +51,7 @@ a:hover { } time { - color: grey; + color: var(--text-1); } /* Remove post list padding */ diff --git a/sass/style/parts/_tags.scss b/sass/style/parts/_tags.scss index 461530c..935560e 100644 --- a/sass/style/parts/_tags.scss +++ b/sass/style/parts/_tags.scss @@ -9,4 +9,17 @@ .tags a:hover { color: var(--hover_color); background-color: var(--primary-color); +} + +ul.tags { + margin: 0.5rem; + + li { + margin-right: 0.6rem; + display: inline-block; + + a { + margin-left: 0; + } + } } \ No newline at end of file diff --git a/templates/partials/footer.html b/templates/partials/footer.html index 73d7c5a..ad4de02 100644 --- a/templates/partials/footer.html +++ b/templates/partials/footer.html @@ -1,7 +1,16 @@ \ No newline at end of file diff --git a/templates/partials/header.html b/templates/partials/header.html index 5760df1..36e3060 100644 --- a/templates/partials/header.html +++ b/templates/partials/header.html @@ -47,4 +47,6 @@ {% endfor %} {% endif %} + + \ No newline at end of file diff --git a/templates/partials/nav.html b/templates/partials/nav.html index ec24d52..f514ee5 100644 --- a/templates/partials/nav.html +++ b/templates/partials/nav.html @@ -1,6 +1,6 @@