# -*- coding: utf-8; mode: tcl; tab-width: 4; indent-tabs-mode: nil; c-basic-offset: 4 -*- vim:fenc=utf-8:ft=tcl:et:sw=4:ts=4:sts=4

# Portfile API version; every option below is a PortSystem 1.0 command.
PortSystem          1.0

# Port identity. ${name} is reused throughout as the etc/share/log
# directory name and as the prefix of every subport name.
name                macos-fortress
version             2020.12.13
revision            0

categories          net security
platforms           darwin
license             MIT
maintainers         {ieee.org:s.t.smith @essandess} openmaintainer

# Only the easylistpac subport fetches a distfile (through the github
# PortGroup set up in that subport). Every other (sub)port is built from
# files shipped with the port, so fetch and extract are disabled here.
if {${subport} ne "${name}-easylistpac"} {
    master_sites
    distfiles
    extract.only
}

# Nothing is configured or compiled; all work happens in destroot and
# in the post-activate hooks.
use_configure       no
build               {}

# perl5 and python3 major versions
# These select the perl5.xx/p5.xx-* and python3x/py3x-* dependency ports.
set perl5_major_version \
                    5.28
set python3_version 3.7
# ${python3_version} with the dot removed ("37"), as used in port names
# such as python37 and py37-numpy.
set python3_version_nickname \
    [join [lrange [split ${python3_version} .] 0 1] {}]

# Default locations handed to the launchd scripts and to the notes.
# pf_conf is expanded now; pf_conf_prefix keeps a literal ${prefix} so
# the generated startup script expands it at run time (see the pf
# subport's startupitems init line).
set pf_conf         ${prefix}/etc/${name}/pf.conf
set pf_conf_prefix  "\${prefix}/etc/${name}/pf.conf"
# The proxy chain is addressed as localhost; the PAC file is served from
# the native macOS web server's document root unless overridden through
# the launchd environment.
set proxy_hostname  localhost
set proxy_server    127.0.0.1
set proxy_pac_server \
                    ${proxy_server}
set proxy_pac_directory \
                    /Library/WebServer/Documents

# Opt-in variant: when set, install_initial_configuration and
# patch_configuration replace existing configuration files (keeping a
# .previous copy) instead of leaving them untouched.
variant initialize_always \
    description {Always initialize all configuration files. Intended \
        for development and troubleshooting only. Working deployments \
        must disable this variant to prevent configuration files \
        being overwritten at the next upgrade. Existing configuration \
        files are not overwritten by default.} {
    # Warn whenever the Portfile is evaluated with the variant set so it
    # is not left enabled by accident.
    ui_warn \
        "
\tAll configuration files will be initialized because
\tthe variant +initialize_always is set. Please disable
\tthis variant for working deployments.
"
}

# Network configuration
# hard-coded examples
# NOTE(review): the pf subport's post-activate overwrites this value
# unconditionally with the output of "route -n get default", so en0
# appears to be a placeholder that is never substituted into pf.conf.
# Confirm whether it is meant to serve as a fallback.
set interface       en0

proc install_initial_configuration {args} {
    # Install the shipped <path>.macports copy of each configuration
    # file or directory named in args as the live <path>, but only when
    # the live one is missing or the +initialize_always variant is set.
    # With the variant set, an existing live <path> is first moved aside
    # to <path>.previous (replacing any older .previous).
    # A <path>.macports directory is copied one level deep: each entry
    # directly inside it is installed as a 0644 file under <path>.
    set reinit [variant_isset "initialize_always"]
    foreach target ${args} {
        set shipped ${target}.macports
        set backup ${target}.previous
        set present [file exists ${target}]
        if { ${reinit} && ${present} } {
            delete ${backup}
            move ${target} ${backup}
        }
        # nothing to do for an existing file unless re-initializing
        if { !${reinit} && ${present} } {
            continue
        }
        if { [file isfile ${shipped}] } {
            xinstall -m 0644 ${shipped} ${target}
        } elseif { [file isdirectory ${shipped}] } {
            xinstall -m 0755 -d ${target}
            foreach entry [glob -nocomplain ${shipped}/*] {
                xinstall -m 0644 ${entry} ${target}/[file tail ${entry}]
            }
        }
    }
}

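proc patch_configuration {patchfile configfile configdefault} {
    # Apply patchfile to configfile, but only while configfile is still
    # byte-identical to the stock file shipped by the upstream port
    # (configdefault), so a locally edited configuration is never
    # clobbered.
    #
    # patchfile     unified diff to apply (already @PREFIX@-substituted)
    # configfile    live configuration file, e.g. ${prefix}/etc/squid/squid.conf
    # configdefault stock copy to compare against and to initialize from
    #
    # Side effects: an existing configfile is copied to
    # configfile.previous first. When configfile is absent, or
    # +initialize_always is set, it is re-created from configdefault,
    # falling back to the .previous copy. Raises an error (aborting the
    # activation) when no file can be produced or patch(1) fails.
    global patch.cmd patch.pre_args
    # save the previous configuration
    if { [file exists ${configfile}] } {
        delete ${configfile}.previous
        copy \
            ${configfile} \
            ${configfile}.previous
    }
    # create or initialize the configfile
    if { ![file exists ${configfile}] || [variant_isset "initialize_always"] } {
        delete ${configfile}
        if { [file exists ${configdefault}] } {
            xinstall -m 0644 ${configdefault} ${configfile}
        } elseif { [file exists ${configfile}.previous] } {
            xinstall -m 0644 ${configfile}.previous ${configfile}
        }
    }
    # Fail with a clear message instead of letting the checksum of a
    # missing file raise an opaque error below.
    foreach f [list ${configfile} ${configdefault}] {
        if { ![file isfile ${f}] } {
            ui_error "Cannot patch ${configfile}: ${f} does not exist"
            return -code error "missing configuration file ${f}"
        }
    }
    # patch the configfile if it's the default
    # Rejected hunks are discarded (-r /dev/null); system is expected to
    # raise on patch's non-zero exit status, so a partial application
    # still aborts the activation rather than leaving a half-patched file
    # unnoticed.
    if { [portchecksum::calc_rmd160 ${configfile}]
        eq [portchecksum::calc_rmd160 ${configdefault}] } {
        system \
            "${patch.cmd} ${patch.pre_args} \
                -f -l -N -r /dev/null ${configfile} < ${patchfile}"
    } else {
        ui_warn "File ${configfile} is not the default
\tand *not* being patched."
    }
}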

proc plutil_startup {plcmds label} {
    # Run one /usr/bin/plutil invocation per entry of plcmds against the
    # launchd plist of the startup item "label" (e.g. org.macports.foo).
    # The commands execute inside the item's directory under
    # ${prefix}/etc/${startupitem.location}, where MacPorts writes the
    # plist, so the plist is addressed by its bare file name.
    # plcmds   list of plutil argument strings ("-insert RunAtLoad -bool YES")
    # label    startup item label; ${label}.plist is the file edited
    global prefix startupitem.location
    set plistDir ${prefix}/etc/${startupitem.location}/${label}
    set plist ${label}.plist
    foreach plutilArgs ${plcmds} {
        set cmdline "/usr/bin/plutil ${plutilArgs} ${plist}"
        system -W ${plistDir} ${cmdline}
    }
}

# Notes text shared by the main port and the pf subport. The PF_CONF
# shell default and the plist path are shown literally (escaped $) so
# the user sees the run-time syntax; ${pf_conf} and ${prefix} are
# expanded now.
set notes_pf        "The PF configuration provides an adaptive firewall\
    that blocks brute force attacks, and connections from IP addresses\
    provided by the crowd-sourced lists dshield and emergingthreats. PF\
    uses this environment variable (with default value):

\t\${PF_CONF:-${pf_conf}}

    To change site-specific launchd environment variables, use the launchd plist:

\t${prefix}/share/${name}/private.myserver.launchctl-setenv.plist"

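# Notes text shared by the main port and the proxy subport. Shell
# defaults are shown literally (escaped $); ${prefix}, ${name} and the
# proxy_* settings are expanded now. ("provided" fixes a typo that was
# displayed to the user.)
set notes_proxy     "The proxy uses a chain of squid (port 3128) and\
    privoxy (port 8118) along with a blackhole provided by nginx (port 8119).\
    Domain names and a blacklist file are blocked, excluding\
    whitelisted domain names. These are provided in the files:

\t${prefix}/etc/${name}/blacklist.txt
\t${prefix}/etc/${name}/whitelist.txt

    The proxy also provides a proxy autoconfiguration (PAC) file with\
    blocking rules generated from easylist ad and tracker blocks. The\
    proxy uses these environment variables (with default values):

\t\${PROXY_HOSTNAME:-${proxy_hostname}}
\t\${PROXY_PAC_SERVER:-${proxy_pac_server}}
\t\${PROXY_PAC_DIRECTORY:-${proxy_pac_directory}}

    To change site-specific launchd environment variables, use the launchd plist:

\t${prefix}/share/${name}/private.myserver.launchctl-setenv.plist

    The native macOS web server is used by default to host the PAC file.\
    This web server must be launched independently with the command

sudo apachectl start

    Clients may be configured to use this proxy by either host:port or\
    the PAC file:

\t${proxy_hostname}:3128
\thttp://${proxy_hostname}/proxy.pac"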

pre-fetch {
    # The way that startupitems values are quoted was changed in 2.6.3.
    # This port now relies on those changes. See:
    # https://github.com/macports/macports-base/pull/191
    # Abort before anything is fetched when the installed MacPorts is
    # older than that.
    set required 2.6.3
    set installed [macports_version]
    set tooOld [expr {[vercmp ${installed} ${required}] < 0}]
    if {${tooOld}} {
        ui_error "${name} @${version} requires MacPorts 2.6.3 or later"
        return -code error "incompatible MacPorts version"
    }
}

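# Main port: a meta-port that pulls in the two component subports and
# provides one launchd item that loads/unloads both of them.
if {${name} eq ${subport}} {
    description     Firewall, Blackhole, and Privatizing Proxy for Trackers, Attackers, Malware, Adware, and Spammers
    long_description \
                    Kernel-level, OS-level, and client-level security \
                    for macOS. Built to block attacks using open \
                    source databases, and block ads, malicious \
                    scripts, and conceal information used for web \
                    tracking.  Uses PF, squid, privoxy, dshield, \
                    emergingthreats, hosts file, and a proxy \
                    autoconfiguration (PAC) file.

    homepage        https://github.com/essandess/macOS-Fortress

    depends_lib-append \
                    port:${name}-pf \
                    port:${name}-proxy
    destroot {
        xinstall -d \
                    ${destroot}${prefix}/share/${name} \
                    ${destroot}${prefix}/share/${name}/logrotate.d
        # status-check script, logrotate snippet and the launchd setenv
        # plist template that the notes point the user to
        xinstall -m 0755 \
            ${filespath}/macosfortress_setup_check.sh ${destroot}${prefix}/bin
        xinstall -m 0644 \
            ${filespath}/logrotate.d.macos-fortress \
            ${destroot}${prefix}/share/${name}/logrotate.d/macos-fortress
        xinstall -m 0644 \
            ${filespath}/private.myserver.launchctl-setenv.plist \
            ${destroot}${prefix}/share/${name}
        # substitute the @TOKEN@ placeholders with this build's values
        foreach cmd [list \
            "s|@PREFIX@|${prefix}|g" \
            "s|@NAME@|${name}|g" \
            "s|@PROXY_HOSTNAME@|${proxy_hostname}|g" \
            "s|@PROXY_SERVER@|${proxy_server}|g" \
            "s|@PROXY_PAC_SERVER@|${proxy_pac_server}|g" \
            "s|@PROXY_PAC_DIRECTORY@|${proxy_pac_directory}|g" \
            ] {
            reinplace -q ${cmd} \
                ${destroot}${prefix}/bin/macosfortress_setup_check.sh \
                ${destroot}${prefix}/share/${name}/logrotate.d/macos-fortress
        }
    }

    # The launchd item delegates to the subports' items; the prefix
    # variable is left unexpanded so the generated script resolves it
    # at run time.
    startupitem.create \
                    yes
    startupitem.start \
                    "\${prefix}/bin/port load ${name}-pf
\t\${prefix}/bin/port load ${name}-proxy"
    startupitem.stop \
                    "\${prefix}/bin/port unload ${name}-pf
\t\${prefix}/bin/port unload ${name}-proxy"
    startupitem.restart \
                    "\${prefix}/bin/port reload ${name}-pf
\t\${prefix}/bin/port reload ${name}-proxy"

    post-activate {
        # modify the launch daemons: run once at load, no KeepAlive, and
        # send stdout/stderr to the shared log file
        plutil_startup [list \
            "-remove KeepAlive" \
            "-insert RunAtLoad -bool YES" \
            "-insert StandardErrorPath -string ${prefix}/var/log/${name}.log" \
            "-insert StandardOutPath -string ${prefix}/var/log/${name}.log" \
            ] \
            org.macports.${startupitem.name}
    }

    # ("independent," fixes a stray period in the user-visible notes.)
    notes   "The port ${name} is comprised of two independent,\
        configurable components: the PF firewall and the proxy chain,\
        provided by the ports:

\t${name}-pf
\t${name}-proxy

        To check the status of all the dependent daemons and to see\
        a count of the number of firewall attacks, run:

sudo macosfortress_setup_check.sh
sudo pf_attacks.sh

        After initial installation, it is necessary to kickstart these\
        launch daemons, which do not run at load:

sudo port load ${name}
sudo launchctl kickstart -k system/org.macports.${name}-dshield
sudo launchctl kickstart -k system/org.macports.${name}-emergingthreats
sudo launchctl kickstart -k system/org.macports.${name}-hosts
sudo launchctl kickstart -k system/org.macports.adblock2privoxy
sudo launchctl kickstart -k system/org.macports.${name}-easylistpac

${notes_pf}

${notes_proxy}"
}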

subport ${name}-pf {
    description     PF Firewall with dhield, emergingthreats, and \
        adaptive bruteforce blocks
    long_description \
                    ${description}

    # pcre supplies pcregrep, which the start script uses to detect an
    # active network interface before enabling PF.
    depends_lib-append \
                    port:${name}-dshield \
                    port:${name}-emergingthreats \
                    port:pcre

    destroot {
        xinstall -d \
            ${destroot}${prefix}/etc/${name} \
            ${destroot}${prefix}/var/log
        destroot.keepdirs \
            ${destroot}${prefix}/etc/${name} \
            ${destroot}${prefix}/var/log
        # Installed under the .macports suffix; post-activate substitutes
        # the @TOKEN@ placeholders and install_initial_configuration
        # copies them to the live names only when those do not exist.
        xinstall -m 0644 \
            ${filespath}/pf.conf \
            ${destroot}${prefix}/etc/${name}/pf.conf.macports
        xinstall -m 0644 \
            ${filespath}/blockips.conf \
            ${destroot}${prefix}/etc/${name}/blockips.conf.macports
        xinstall -m 0755 \
            ${filespath}/pf_attacks.sh \
            ${destroot}${prefix}/bin
    }

    startupitem.create \
                    yes
    # Three launchd items:
    #  - ${subport}: start polls up to four times (45 s apart) for an
    #    interface whose ifconfig status is active, then flushes every
    #    PF rule (-Fall) and enables PF with PF_CONF (-ef); between the
    #    flush and the load there is a brief moment with no rules
    #    loaded. stop disables PF (-d). PF_CONF defaults to the value of
    #    pf_conf_prefix through the init line.
    #  - ${subport}.brutexpire: pfctl, re-configured in post-activate to
    #    expire old bruteforce table entries.
    #  - ${subport}.subports: loads/unloads the dshield and
    #    emergingthreats feed subports.
    startupitems \
        name        ${subport} \
        init        "PF_CONF=\"\${PF_CONF:-${pf_conf_prefix}}\"" \
        start {
                    "for tt in {1..4}; do \\"
                    "\tif \[\[ `/sbin/ifconfig | \${prefix}/bin/pcregrep -M -o '^\[^\\t:\]+:(\[^\\n\]|\\n\\t)*status: active' | egrep -o -m 1 '^\[^\\t:\]+'` = '' \]\]; then \\"
                    "\t\tsleep 45; \\"
                    "\telse \\"
                    "\t\t/sbin/pfctl -Fall \\"
                    "\t\t&& /sbin/pfctl -ef \${PF_CONF}; \\"
                    "\t\tbreak; \\"
                    "\tfi; \\"
                    "done"
        } \
        stop        { "/sbin/pfctl -d" } \
        pidfile     none \
        name        ${subport}.brutexpire \
        executable  /sbin/pfctl \
        pidfile     none \
        name        ${subport}.subports \
        start [list \
                    "\${prefix}/bin/port -p load ${name}-dshield ${name}-emergingthreats" \
        ] \
        stop [list \
                    "\${prefix}/bin/port -p unload ${name}-dshield unload ${name}-emergingthreats" \
        ] \
        restart [list \
                    "\${prefix}/bin/port -p reload ${name}-dshield ${name}-emergingthreats" \
        ] \
        pidfile     none

    post-activate {
        # use network settings for installed example configuration
        # route -n get default | grep 'interface:' | grep -o '[^ ]*$'
        # NOTE(review): if the pipeline exits non-zero (e.g. no default
        # route) exec raises and the activation aborts; the top-level
        # "set interface en0" value is not used as a fallback. Confirm
        # that this is the intended behaviour.
        set interface [exec sh -c \
            "route -n get default \
                | grep 'interface:' \
                | grep -o '\[^ \]*\$'"]

        ui_msg "Configuring ${subport} with:

interface :                ${interface}
"
        # substitute the placeholders in the shipped templates
        foreach cmd [list \
            "s|@PREFIX@|${prefix}|g" \
            "s|@NAME@|${name}|g" \
            "s|@INTERFACE@|${interface}|g" \
            ] {
            reinplace -q ${cmd} \
                ${prefix}/etc/${name}/pf.conf.macports
        }
        foreach cmd [list \
            "s|@PREFIX@|${prefix}|g" \
            "s|@NAME@|${name}|g" \
            ] {
            reinplace -q ${cmd} \
                ${prefix}/etc/${name}/blockips.conf.macports
        }
        # create the live pf.conf and blockips.conf from the templates
        # unless they already exist (or +initialize_always is set)
        install_initial_configuration \
            ${prefix}/etc/${name}/blockips.conf \
            ${prefix}/etc/${name}/pf.conf
        # modify the launch daemons
        # main item: run at load, no KeepAlive, log to the shared file
        plutil_startup [list \
            "-remove KeepAlive" \
            "-insert RunAtLoad -bool YES" \
            "-insert StandardErrorPath -string ${prefix}/var/log/${name}.log" \
            "-insert StandardOutPath -string ${prefix}/var/log/${name}.log" \
            ] \
            org.macports.${subport}
        # bruteforce expiration launchd daemon: every 86400 s run
        # "pfctl -t bruteforce -T expire 604800" to drop table entries
        # older than seven days; not run at load
        plutil_startup [list \
            "-insert Program -string /sbin/pfctl" \
            "-replace ProgramArguments \
                -xml '<array> \
                      <string>/sbin/pfctl</string> \
                      <string>-t</string> \
                      <string>bruteforce</string> \
                      <string>-T</string> \
                      <string>expire</string> \
                      <string>604800</string> \
                    </array>'" \
            "-remove KeepAlive" \
            "-insert RunAtLoad -bool NO" \
            "-insert StartInterval -integer 86400" \
            "-insert StandardErrorPath -string ${prefix}/var/log/${name}.log" \
            "-insert StandardOutPath -string ${prefix}/var/log/${name}.log" \
            ] \
            org.macports.${subport}.brutexpire
        # subports loader item: run at load so the feed daemons are
        # loaded together with the firewall
        plutil_startup [list \
            "-remove KeepAlive" \
            "-insert RunAtLoad -bool YES" \
            "-insert StandardErrorPath -string ${prefix}/var/log/${name}.log" \
            "-insert StandardOutPath -string ${prefix}/var/log/${name}.log" \
            ] \
            org.macports.${subport}.subports
    }

    notes   ${notes_pf}
}

subport ${name}-dshield {
    description     DShield is a community-based collaborative firewall \
        log correlation system.
    long_description \
                    ${description}

    # gnupg2 verifies the feed's detached signature, perl with
    # Data::Validate::IP sanitizes the feed, wget downloads it.
    depends_run-append \
                    port:gnupg2 \
                    port:perl${perl5_major_version} \
                    port:p${perl5_major_version}-data-validate-ip \
                    port:wget

    destroot {
        xinstall -d \
            ${destroot}${prefix}/etc/${name} \
            ${destroot}${prefix}/var/log
        destroot.keepdirs \
            ${destroot}${prefix}/etc/${name} \
            ${destroot}${prefix}/var/log
        # sudo gpg --homedir /var/root/.gnupg --export --armor --output ~/Downloads/dshield_pubkey_file.txt blocklist@dshield.org
        # The DShield signing key is pinned by shipping it with the port
        # rather than fetching it at run time.
        xinstall -m 0644 \
            ${filespath}/dshield_pubkey_file.txt \
            ${destroot}${prefix}/etc/${name}
    }

    startupitem.create \
                    yes
    startupitem.name \
                    ${subport}
    # init: import the shipped DShield public key into root's keyring so
    # that gpg --verify in start can check the feed signature.
    startupitem.init \
                    "\${prefix}/bin/gpg --homedir /var/root/.gnupg --import \${prefix}/etc/${name}/dshield_pubkey_file.txt"
    # start: fetch block.txt and its .asc signature (plain http; the
    # signature is what provides integrity), verify, then keep only
    # lines whose first two fields are IPv4 addresses and whose third
    # field is a prefix length 0..32, rewriting them as ADDR/PREFIX so
    # nothing else from the download reaches pf; comment lines (leading
    # hash) are passed through. The result is staged under /tmp and then
    # installed over the live list.
    # NOTE(review): gpg --verify succeeds for any key in root's keyring,
    # not only the imported DShield key, and the staging file has a fixed
    # name in the shared /tmp directory (a mktemp-style name would be
    # more robust). Confirm both are acceptable.
    # The final pfctl table load follows a ";" so it runs even when an
    # earlier step failed, reloading whatever list is on disk.
    startupitem.start \
                    "\${prefix}/bin/wget -N -P \${prefix}/etc/${name} http://feeds.dshield.org/block.txt \\
\t&& \${prefix}/bin/wget -N -P \${prefix}/etc/${name} http://feeds.dshield.org/block.txt.asc \\
\t&& \${prefix}/bin/gpg --verify \${prefix}/etc/${name}/block.txt.asc \${prefix}/etc/${name}/block.txt \\
\t&& \${prefix}/bin/perl${perl5_major_version} -ane 'use Data::Validate::IP; my \$vip=Data::Validate::IP->new; if (/^\\w*#/) { print; } elsif (\$vip->is_ipv4(\$F\[0\]) & \$vip->is_ipv4(\$F\[1\]) & \$F\[2\] =~ /\[\[:digit:\]\]/ & (0<= \$F\[2\] & \$F\[2\]<=32)) { print \$F\[0\], \"/\", \$F\[2\], \"\\n\"; }' \\
\t\t\${prefix}/etc/${name}/block.txt \\
\t\t> /tmp/dshield_block_ip.txt \\
\t&& install -m 644 -g admin -S /tmp/dshield_block_ip.txt \${prefix}/etc/${name}/dshield_block_ip.txt ; \\
\trm -f /tmp/dshield_block_ip.txt ; \\
\t/sbin/pfctl -a blockips -T load -f \${prefix}/etc/${name}/blockips.conf"
    startupitem.pidfile \
                    none

    post-activate {
        # modify the launch daemons: call the wrapper's start action on a
        # timer (StartInterval 11250 s) instead of at load, no KeepAlive,
        # log to the shared file
        plutil_startup [list \
            "-replace ProgramArguments \
                -xml '<array> \
                      <string>${prefix}/etc/${startupitem.location}/org.macports.${startupitem.name}/${subport}.wrapper</string> \
                      <string>start</string> \
                    </array>'" \
            "-remove KeepAlive" \
            "-insert RunAtLoad -bool NO" \
            "-insert StartInterval -integer 11250" \
            "-insert StandardErrorPath -string ${prefix}/var/log/${name}.log" \
            "-insert StandardOutPath -string ${prefix}/var/log/${name}.log" \
            ] \
            org.macports.${startupitem.name}
    }

    notes \
        "The launch daemon org.macports.${subport} is configured with\
    RunAtLoad false. To initialize this service at its first load, run:

sudo port load ${subport}
sudo launchctl kickstart -k system/org.macports.${subport}"
}

subport ${name}-emergingthreats {
    description     Emerging Threats rule server.
    long_description \
                    ${description}

    depends_run-append \
                    port:wget

    destroot {
        xinstall -d \
            ${destroot}${prefix}/etc/${name} \
            ${destroot}${prefix}/var/log
        destroot.keepdirs \
            ${destroot}${prefix}/etc/${name} \
            ${destroot}${prefix}/var/log
    }

    startupitem.create \
                    yes
    startupitem.name \
                    ${subport}
    # start: fetch the two Emerging Threats IP lists over plain http and
    # reload the pf blockips table from blockips.conf. Unlike the dshield
    # feed there is no signature check or content validation of the
    # download, so the list's integrity rests on the transport. The
    # steps are joined with ";" so the table is reloaded from whatever
    # is on disk even when a download fails.
    # NOTE(review): consider https if the feed host serves it - confirm.
    startupitem.start \
                    "\${prefix}/bin/wget -N -P \${prefix}/etc/${name} http://rules.emergingthreats.net/fwrules/emerging-Block-IPs.txt ; \\
\t\${prefix}/bin/wget -N -P \${prefix}/etc/${name} http://rules.emergingthreats.net/blockrules/compromised-ips.txt ; \\
\t/sbin/pfctl -a blockips -T load -f \${prefix}/etc/${name}/blockips.conf"
    startupitem.pidfile \
                    none

    post-activate {
        # modify the launch daemons: call the wrapper's start action on a
        # timer (StartInterval 47250 s) instead of at load, no KeepAlive,
        # log to the shared file
        plutil_startup [list \
            "-replace ProgramArguments \
                -xml '<array> \
                      <string>${prefix}/etc/${startupitem.location}/org.macports.${startupitem.name}/${subport}.wrapper</string> \
                      <string>start</string> \
                    </array>'" \
            "-remove KeepAlive" \
            "-insert RunAtLoad -bool NO" \
            "-insert StartInterval -integer 47250" \
            "-insert StandardErrorPath -string ${prefix}/var/log/${name}.log" \
            "-insert StandardOutPath -string ${prefix}/var/log/${name}.log" \
            ] \
            org.macports.${startupitem.name}
    }

    notes           "The launch daemon org.macports.${subport} is configured with\
    RunAtLoad false. To initialize this service at its first load, run:

sudo port load ${subport}
sudo launchctl kickstart -k system/org.macports.${subport}"
}

subport ${name}-proxy {
    description     Blackhole and Privatizing Proxy.

    depends_lib-append \
                    port:${name}-easylistpac \
                    port:${name}-hosts \
                    port:adblock2privoxy \
                    port:privoxy \
                    port:squid4

    # squid patch file creation
    ## export prefix=${prefix}
    ## mkdir squid-orig squid-new
    ## cp ${prefix}/etc/squid/squid.conf.documented squid-orig/squid.conf
    ## cp ${prefix}/etc/squid/squid.conf.documented squid-new/squid.conf
    ## patch -p0 -f -l -N squid-new/squid.conf < ${prefix}/var/macports/sources/rsync.macports.org/macports/release/tarballs/ports/net/macos-fortress/files/squid-squid.conf.patch
    ## sed -E -i -e 's|/opt/local|@PREFIX@|g' squid-orig/squid.conf
    ## diff -NaurdwB -I '^ *#' ./squid-orig/squid.conf ./squid-new/squid.conf | sed -E -e 's/\.\/squid-(orig|new)\/(squid.conf)(\.[[:alnum:]]+)*/\.\/squid.conf/' | sed -E -e 's|/opt/local|@PREFIX@|g' > ~/Downloads/squid-squid.conf.patch
    # privoxy patch file creation
    ## mkdir privoxy-orig privoxy-new
    ## sudo cp ${prefix}/etc/privoxy/config.new privoxy-orig/config
    ## sudo cp ${prefix}/etc/privoxy/match-all.action.new privoxy-orig/match-all.action
    ## sudo cp ${prefix}/etc/privoxy/config.new privoxy-new/config
    ## sudo cp ${prefix}/etc/privoxy/match-all.action.new privoxy-new/match-all.action
    ## sudo chown `whoami` privoxy-orig/config privoxy-new/config privoxy-orig/match-all.action privoxy-new/match-all.action
    ## patch -p0 -f -l -N privoxy-new/config < ${prefix}/var/macports/sources/rsync.macports.org/macports/release/tarballs/ports/net/macos-fortress/files/privoxy-config.patch
    ## patch -p0 -f -l -N privoxy-new/match-all.action < ${prefix}/var/macports/sources/rsync.macports.org/macports/release/tarballs/ports/net/macos-fortress/files/privoxy-match-all.action.patch
    ## diff -NaurdwB -I '^ *#' ./privoxy-orig/config ./privoxy-new/config | sed -E -e 's/\.\/privoxy-(orig|new)\/(config)(\.[[:alnum:]]+)*/\.\/config/' | sed -E -e 's|/opt/local|@PREFIX@|g' > ~/Downloads/privoxy-config.patch
    ## diff -NaurdwB -I '^ *#' ./privoxy-orig/match-all.action ./privoxy-new/match-all.action | sed -E -e 's/\.\/privoxy-(orig|new)\/(config)(\.[[:alnum:]]+)*/\.\/config/' | sed -E -e 's|/opt/local|@PREFIX@|g' > ~/Downloads/privoxy-match-all.action.patch
    # Stage the patches in the work directory with the @TOKEN@
    # placeholders substituted; post-activate applies them from there.
    # NOTE(review): this assumes the work directory still exists at
    # activation time (it may not after port clean or when activating
    # from a binary archive) - confirm.
    destroot {
        xinstall -m 0644 \
            ${filespath}/squid-squid.conf.patch \
            ${filespath}/privoxy-config.patch \
            ${filespath}/privoxy-match-all.action.patch \
            ${workpath}
        foreach cmd [list \
            "s|@PREFIX@|${prefix}|g" \
            "s|@PROXY_HOSTNAME@|${proxy_hostname}|g" \
            "s|@PROXY_SERVER@|${proxy_server}|g" \
            ] {
            reinplace -q ${cmd} \
                ${workpath}/squid-squid.conf.patch \
                ${workpath}/privoxy-config.patch \
                ${workpath}/privoxy-match-all.action.patch
        }
    }

    startupitem.create \
                    yes
    # Two launchd items: ${subport} loads/unloads the component ports;
    # ${subport}.squid-rotate runs squid log rotation and is
    # re-configured in post-activate.
    startupitems \
        name        ${subport} \
        start [list \
                    "\${prefix}/bin/port -p load ${name}-hosts squid4 privoxy adblock2privoxy ${name}-easylistpac" \
        ] \
        stop [list \
                    "\${prefix}/bin/port -p unload ${name}-hosts squid4 privoxy adblock2privoxy ${name}-easylistpac" \
        ] \
        restart [list \
                    "\${prefix}/bin/port -p reload ${name}-hosts squid4 privoxy adblock2privoxy ${name}-easylistpac" \
        ] \
        pidfile     none \
        name        ${subport}.squid-rotate \
        executable  ${prefix}/sbin/squid \
        pidfile     none

    post-activate {
        # Patch the stock squid/privoxy configurations; patch_configuration
        # leaves a file alone once it no longer matches the shipped
        # default, so local edits survive.
        patch_configuration \
            ${workpath}/squid-squid.conf.patch \
            ${prefix}/etc/squid/squid.conf \
            ${prefix}/etc/squid/squid.conf.documented
        patch_configuration \
            ${workpath}/privoxy-config.patch \
            ${prefix}/etc/privoxy/config \
            ${prefix}/etc/privoxy/config.new
        patch_configuration \
            ${workpath}/privoxy-match-all.action.patch \
            ${prefix}/etc/privoxy/match-all.action \
            ${prefix}/etc/privoxy/match-all.action.new

        # modify the launch daemons
        # main item: run at load, no KeepAlive, log to the shared file
        plutil_startup [list \
            "-remove KeepAlive" \
            "-insert RunAtLoad -bool YES" \
            "-insert StandardErrorPath -string ${prefix}/var/log/${name}.log" \
            "-insert StandardOutPath -string ${prefix}/var/log/${name}.log" \
            ] \
            org.macports.${subport}
        # squid log rotation launchd daemon: daily at Hour 0, rotate the
        # squid logs and delete log files older than 30 days
        plutil_startup [list \
            "-insert Program -string ${prefix}/sbin/squid" \
            "-replace ProgramArguments \
                -xml '<array> \
                  <string>/bin/bash</string> \
                  <string>-c</string> \
                  <string>${prefix}/sbin/squid -k rotate ; find ${prefix}/var/squid/logs -mindepth 1 -mtime +30 -exec rm {} &apos;;&apos;</string>
                </array>'" \
            "-remove KeepAlive" \
            "-insert StartCalendarInterval \
                -xml '<dict> \
                  <key>Hour</key> \
                  <integer>0</integer> \
                </dict>'" \
            ] \
            org.macports.${subport}.squid-rotate
    }

    notes   ${notes_proxy}
}

subport ${name}-easylistpac {
    PortGroup       github 1.0

    # The only subport with a distfile: pinned to a specific upstream
    # commit, and the checksums below are verified against it.
    github.setup    essandess easylist-pac-privoxy a357cd2e94b9d6b272816a151e35e94149636eef
    version         2020.12.13
    revision        0

    description     EasyList Tracker and Adblocks to Proxy Auto Configuration (PAC) File
    long_description \
                    Converts EasyList tracker and ad blocking rules to \
                    efficient network-level blocks in a proxy.pac file \
                    for automatic proxy network configurations and \
                    Privoxy proxy servers. Easily incorporates \
                    multiple blocking rulesets into both PAC and \
                    Privoxy formats, including easyprivacy.txt, \
                    easylist.txt, fanboy-annoyance.txt, \
                    fanboy-social.txt, antiadblockfilters.txt, \
                    malwaredomains_full.txt, and the anti-spamware \
                    list adblock-list.txt.

    homepage        https://github.com/essandess/easylist-pac-privoxy

    checksums       rmd160  92ce0639836baa6656f428930f651d10147b7ee3 \
                    sha256  288b66426814c338857dcda483b044e6659c3dfde1779bdc6e5a7969a07faff2 \
                    size    82943

    depends_lib-append \
                    port:adblock2privoxy \
                    port:python${python3_version_nickname} \
                    port:py${python3_version_nickname}-matplotlib \
                    port:py${python3_version_nickname}-numpy \
                    port:py${python3_version_nickname}-scikit-learn

    destroot {
        xinstall -d ${destroot}${prefix}/etc/${name}
        xinstall -m 0755 -W ${worksrcpath} easylist_pac.py \
            ${destroot}${prefix}/bin
        # proxy.pac is resolved relative to the destroot working
        # directory (presumably the extracted source tree - confirm)
        xinstall -m 0644 proxy.pac \
            ${destroot}${prefix}/etc/${name}/proxy.pac.macports
        # point the script's shebang at the MacPorts python so the
        # interpreter carrying the dependencies above is used
        reinplace -E \
            "1s|env\[\[:space:\]\]+python3|env ${prefix}/bin/python${python3_version}|" \
            ${destroot}${prefix}/bin/easylist_pac.py
    }

    startupitem.create \
                    yes
    startupitem.name \
                    ${subport}
    # init: resolve the PAC location defaults (overridable through the
    # launchd environment) and keep a pristine copy of the served
    # proxy.pac as proxy.pac.orig the first time.
    # start: regenerate proxy.pac from the easylist rules into the
    # etc directory, using proxy.pac.orig as the template (-P), then
    # install it into the web server's document root.
    startupitem.init \
                    "PROXY_PAC_DIRECTORY=\"\${PROXY_PAC_DIRECTORY:-${proxy_pac_directory}}\"
PROXY_PAC_SERVER=\"\${PROXY_PAC_SERVER:-${proxy_pac_server}}\"
PYTHONIOENCODING=\"\${PYTHONIOENCODING:-utf_8}\"

test -f \"\${PROXY_PAC_DIRECTORY}/proxy.pac.orig\" \\
\t|| install -m 0644 -S \"\${PROXY_PAC_DIRECTORY}/proxy.pac\" \"\${PROXY_PAC_DIRECTORY}/proxy.pac.orig\""
   startupitem.start \
                    "\"\${prefix}/bin/easylist_pac.py\" \\
\t\t-p \"\${PROXY_PAC_SERVER}:3128\" -b \"\${PROXY_PAC_SERVER}:8119\" \\
\t\t-d \"\${prefix}/etc/${name}\" \\
\t\t-P \"\${PROXY_PAC_DIRECTORY}/proxy.pac.orig\" \\
\t&& install -m 0644 -g admin -S \"\${prefix}/etc/${name}/proxy.pac\" \\
\t\t\"\${PROXY_PAC_DIRECTORY}/proxy.pac\""
    startupitem.pidfile \
                    none

    post-activate {
        install_initial_configuration \
            ${prefix}/etc/${name}/proxy.pac
        # seed the web server document root with the default PAC file if
        # it does not serve one yet
        if { ![file isfile ${proxy_pac_directory}/proxy.pac] } {
            xinstall -m 0644 ${prefix}/etc/${name}/proxy.pac \
                ${proxy_pac_directory}
        }
        # modify the launch daemons: call the wrapper's start action
        # weekly (Weekday 7, i.e. Sunday in launchd terms, at 01:10)
        # instead of at load, no KeepAlive, log to the shared file
        plutil_startup [list \
            "-replace ProgramArguments \
                -xml '<array> \
                      <string>${prefix}/etc/${startupitem.location}/org.macports.${startupitem.name}/${subport}.wrapper</string> \
                      <string>start</string> \
                    </array>'" \
            "-remove KeepAlive" \
            "-insert RunAtLoad -bool NO" \
            "-insert StartCalendarInterval \
                -xml '<array> \
                    <dict> \
                        <key>Weekday</key> \
                        <integer>7</integer> \
                        <key>Hour</key> \
                        <integer>1</integer> \
                        <key>Minute</key> \
                        <integer>10</integer> \
                    </dict> \
                </array>'" \
            "-insert StandardErrorPath -string ${prefix}/var/log/${name}.log" \
            "-insert StandardOutPath -string ${prefix}/var/log/${name}.log" \
            ] \
            org.macports.${startupitem.name}
    }

    notes   "The location of the proxy autoconfiguration (PAC)\
        file and the web server IP address are specified by the\
        environment variables (with default values):

\t\${PROXY_PAC_DIRECTORY:-${proxy_pac_directory}}
\t\${PROXY_PAC_SERVER:-${proxy_pac_server}}

        To change site-specific launchd environment variables,\
        use the launchd plist:

\t${prefix}/share/${name}/private.myserver.launchctl-setenv.plist

        The native macOS Web Server must be started with the command:

sudo apachectl start

        The launch daemon org.macports.${subport} is configured with\
        RunAtLoad false. To initialize this service at its first load, run:

sudo port load ${subport}
sudo launchctl kickstart -k system/org.macports.${subport}"
}

subport ${name}-hosts {
    description     A community managed and maintained hosts file.
    long_description \
                    ${subport} is a community managed and maintained \
                    hosts file that allows an additional layer of \
                    protection against access to ad, tracking, and \
                    malicious websites.

    # wget fetches the upstream host lists; perl with
    # Data::Validate::Domain validates every host name before it is
    # written into the generated hosts file (see startupitem.init).
    # NOTE(review): gnupg2 does not appear to be used by this subport's
    # startup script - confirm it is still needed.
    depends_run-append \
                    port:gnupg2 \
                    port:perl${perl5_major_version} \
                    port:p${perl5_major_version}-data-validate-domain \
                    port:wget

    destroot {
        xinstall -d \
            ${destroot}${prefix}/etc/${name} \
            ${destroot}${prefix}/var/log
        destroot.keepdirs \
            ${destroot}${prefix}/etc/${name} \
            ${destroot}${prefix}/var/log
        # N.b. do *not* use filename "hosts.orig" because mprsyncup uses
        # `rsync -aIC`. The -C flag causes .orig files to be excluded
        # shipped as *.macports templates next to the live files
        foreach f { blacklist.txt hosts-orig whitelist.txt } {
            xinstall -m 0644 \
                ${filespath}/${f} \
                ${destroot}${prefix}/etc/${name}/${f}.macports
        }
        # Frozen snapshots of the discontinued hpHosts lists (dates in
        # the file names); the upstream site is no longer maintained, so
        # the port ships them instead of downloading them.
        xinstall -d ${destroot}${prefix}/etc/${name}/hphosts
        xinstall -m 0644 \
            ${filespath}/hphosts-hosts_20180316.txt.bz2 \
            ${filespath}/hphosts-partial_20190815.asp.bz2 \
            ${filespath}/hphosts-ad_servers_20170602.txt.bz2 \
            ${destroot}${prefix}/etc/${name}/hphosts
    }

    startupitem.create \
                    yes
    startupitem.name \
                    ${subport}
    # init defines two shell functions used by start:
    #   hosts_block_add LABEL FILE READER REGEX
    #     appends a "# LABEL" header and then every host captured by
    #     REGEX from READER applied to FILE under etc/macos-fortress as a
    #     "127.0.0.1<tab>host" line to /tmp/SUBPORT/hosts-block.txt.
    #     A captured name is written only if Data::Validate::Domain's
    #     is_domain accepts it; comment lines are passed through.
    #     READER is executed as a command (callers pass cat or bzcat).
    #   hosts_block_wget_and_add URL DIR READER REGEX
    #     downloads URL into etc/macos-fortress/DIR, then calls
    #     hosts_block_add on the downloaded file.
    # NOTE(review): the directory is spelled out as macos-fortress here
    # rather than derived from the port name as elsewhere, and the
    # staging file lives at a fixed path under the shared /tmp.
    startupitem.init \
                    "function hosts_block_add () {
\tprintf \"\\n# \$1\\n\" \\
\t\t>> \"/tmp/${subport}/hosts-block.txt\"
\t\"\$3\" \"\${prefix}/etc/macos-fortress/\$2\" \\
\t\t| tr -d '\\r' \\
\t\t| \${prefix}/bin/perl${perl5_major_version} -ane 'use POSIX; use Data::Validate::Domain qw(is_domain); { if (/'\"\$4\"'/) { print qq#127.0.0.1\\t\$1\\n# if is_domain(\$1); } elsif (/^\\s*#/) { print; } }' \\
\t\t\t>> \"/tmp/${subport}/hosts-block.txt\"
}

function hosts_block_wget_and_add () {
\t\${prefix}/bin/wget -N -P \"\${prefix}/etc/macos-fortress/\$2\" \"\$1\"
\thosts_block_add \"\$1\" \"\$2/\$(basename \$1)\" \"\$3\" \"\$4\"
}"
    startupitem.start \
                    "( test -f \${prefix}/etc/${name}/hosts-orig \\
\t\t|| install -m 0644 -S /etc/hosts ${prefix}/etc/${name}/hosts-orig )
\t( test -d /tmp/${subport} || mkdir /tmp/${subport} )
\tcp ${prefix}/etc/${name}/hosts-orig /tmp/${subport}/hosts
\t( test -f ${prefix}/etc/${name}/whitelist.txt \\
\t\t|| printf '\\n# whitelisted hosts (FQDN and DN) will be deleted from ${subport}\\n#\\n' \\
\t\t\t> ${prefix}/etc/${name}/whitelist.txt )
\t# empty hosts-block.txt
\t> \"/tmp/${subport}/hosts-block.txt\"
\thosts_block_wget_and_add \\
\t\thttps://raw.githubusercontent.com/StevenBlack/hosts/master/hosts \\
\t\tStevenBlack \\
\t\tcat \\
\t\t'^0\\.0\\.0\\.0\\s+(.+)$'
\thosts_block_wget_and_add \\
\t\thttps://mirror1.malwaredomains.com/files/justdomains \\
\t\tmalwaredomains \\
\t\tcat \\
\t\t'^\\s*(\[^#\\s\].*)\$'
\thosts_block_wget_and_add \\
\t\thttps://sysctl.org/cameleon/hosts \\
\t\tcameleon \\
\t\tcat \\
\t\t'^127\\.0\\.0\\.1\\s+(.+)\$'
\thosts_block_wget_and_add \\
\t\thttps://s3.amazonaws.com/lists.disconnect.me/simple_tracking.txt \\
\t\tdisconnect \\
\t\tcat \\
\t\t'^\\s*(\[^#\\s\].*)\$'
\thosts_block_wget_and_add \\
\t\thttps://s3.amazonaws.com/lists.disconnect.me/simple_ad.txt \\
\t\tdisconnect \\
\t\tcat \\
\t\t'^\\s*(\[^#\\s\].*)\$'
\thosts_block_add \\
\t\t'http://hosts-file.net/download/hosts.zip \[no longer maintained\]' \\
\t\thphosts/hphosts-hosts_20180316.txt.bz2 \\
\t\tbzcat \\
\t\t'^127\\.0\\.0\\.1\\s+(.+)\$'
\thosts_block_add \\
\t\t'http://hosts-file.net/hphosts-partial.asp \[no longer maintained\]' \\
\t\thphosts/hphosts-partial_20190815.asp.bz2 \\
\t\tbzcat \\
\t\t'^127\\.0\\.0\\.1\\s+(.+)\$'
\thosts_block_add \\
\t\t'https://hosts-file.net/ad_servers.txt \[no longer maintained\]' \\
\t\thphosts/hphosts-ad_servers_20170602.txt.bz2 \\
\t\tbzcat \\
\t\t'^127\\.0\\.0\\.1\\s+(.+)\$'
\tegrep -v -e '^(127\\.0\\.0\\.1|::1)\\s+localhost\$' \"/tmp/${subport}/hosts-block.txt\" \\
\t\t> \"/tmp/${subport}/hosts-block-\$\$.txt\" \\
\t\t&& mv \"/tmp/${subport}/hosts-block-\$\$.txt\" \"/tmp/${subport}/hosts-block.txt\"
\t# ordered unique lines
\tawk '!x\[\$0\]++' \"/tmp/${subport}/hosts-block.txt\" \\
\t\t> \"/tmp/${subport}/hosts-block-\$\$.txt\" \\
\t\t&& mv \"/tmp/${subport}/hosts-block-\$\$.txt\" \"/tmp/${subport}/hosts-block.txt\"
\t( test -f \${prefix}/etc/${name}/blacklist.txt \\
\t\t&& cat \${prefix}/etc/${name}/blacklist.txt \\
\t\t>> \"/tmp/${subport}/hosts\" )
\tgrep -v -E \"`\${prefix}/bin/perl${perl5_major_version} -ane 'BEGIN{\$s=qw#\\\\s+(#}; { if (!/^\\w*#/&length(\$F\[0\])>0){\$s = \$s . \$F\[0\] . qw(|);}} END{\$s = substr(\$s,0,length(\$s)-1) . qw#)\\\\s*#; \$s=~s/\\\\./\\\\\\\\./g; print \$s;}' \${prefix}/etc/${name}/whitelist.txt`\" /tmp/${subport}/hosts-block.txt \\
\t\t>> /tmp/${subport}/hosts
\tinstall -m 0644 -S \"/tmp/${subport}/hosts\" \"\${prefix}/etc/${name}/${subport}\"
\trm -fr \"/tmp/${subport}\"
\t${prefix}/sbin/squid -k reconfigure"
    startupitem.stop \
                    "true"
    startupitem.pidfile \
                    none

    post-activate {
        # Populate the editable configuration files on first activation (or
        # always with +initialize_always).
        set etc_dir ${prefix}/etc/${name}
        install_initial_configuration \
            ${etc_dir}/blacklist.txt \
            ${etc_dir}/hosts-orig \
            ${etc_dir}/whitelist.txt
        # Turn the generated launchd job into a periodic task: run the
        # wrapper's start action every 86850 s, not at load, without
        # KeepAlive, and send its output to the port's log file.
        set wrapper ${prefix}/etc/${startupitem.location}/org.macports.${startupitem.name}/${subport}.wrapper
        set log_file ${prefix}/var/log/${name}.log
        plutil_startup [list \
            "-replace ProgramArguments \
                -xml '<array> \
                      <string>${wrapper}</string> \
                      <string>start</string> \
                    </array>'" \
            "-remove KeepAlive" \
            "-insert RunAtLoad -bool NO" \
            "-insert StartInterval -integer 86850" \
            "-insert StandardErrorPath -string ${log_file}" \
            "-insert StandardOutPath -string ${log_file}" \
            ] \
            org.macports.${startupitem.name}
    }

    # RunAtLoad is false (see post-activate), so the first hosts file is only
    # built once the user kicks the job explicitly.
    notes   "The launch daemon org.macports.${subport} is configured with\
    RunAtLoad false. To initialize this service at its first load, run:

    sudo port load ${subport}
    sudo launchctl kickstart -k system/org.macports.${subport}"
}

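subport ${name}-hphosts {
    # Obsolete stub: hpHosts (hosts-file.net) is no longer maintained and its
    # archived lists are shipped by the replacement subport, ${name}-hosts.
    # The removal date originally set for this stub (September 8, 2020) has
    # passed, so it can be dropped at any time.
    PortGroup       obsolete 1.0

    description     A community managed and maintained hosts file.
    long_description \
                    hpHosts is no longer maintained.  It was a \
                    community managed and maintained hosts file that \
                    allows an additional layer of protection against \
                    access to ad, tracking, and malicious websites.

    # nothing upstream left to check
    livecheck.type  none

    # Refuse to build and point the user at the replacement.
    pre-configure {
        ui_error "Please do not install this port because it has been replaced by '${name}-hosts'."
        return -code error
    }
}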

if {[variant_isset initialize_always]} {
    # Remind the user at install time that +initialize_always overwrites the
    # configuration files on every upgrade.
    set init_warning "The variant +initialize_always is set, which initializes all configuration files. Please disable this variant for working deployments."
    # keep the reminder visually separate from any notes a subport set above
    if {[exists notes]} {
        notes-append ""
    }
    notes-append ${init_warning}
}
