#!/bin/sh

set -eu
export LC_ALL='C'

# Metadata.
if [ -z "${HBLOCK_VERSION+x}"    ]; then HBLOCK_VERSION='3.4.2'; fi
if [ -z "${HBLOCK_AUTHOR+x}"     ]; then HBLOCK_AUTHOR='Héctor Molinero Fernández <hector@molinero.dev>'; fi
if [ -z "${HBLOCK_LICENSE+x}"    ]; then HBLOCK_LICENSE='MIT, https://opensource.org/licenses/MIT'; fi
if [ -z "${HBLOCK_REPOSITORY+x}" ]; then HBLOCK_REPOSITORY='https://github.com/hectorm/hblock'; fi

# Emulate ksh if the shell is zsh.
if [ -n "${ZSH_VERSION-}" ]; then emulate -L ksh; fi

# Define system and user configuration directories.
if [ -z "${ETCDIR+x}" ]; then ETCDIR='/etc'; fi
if [ -z "${XDG_CONFIG_HOME+x}" ]; then XDG_CONFIG_HOME="${HOME-}/.config"; fi

# Remove temporary files on exit.
cleanup() { ret="$?"; rm -rf -- "${TMPDIR:-${TMP:-/tmp}}/hblock.${$}."*; trap - EXIT; exit "${ret:?}"; }
{ trap cleanup EXIT ||:; trap cleanup TERM ||:; trap cleanup INT ||:; trap cleanup HUP ||:; } 2>/dev/null

# Built-in header.
HOSTNAME="${HOSTNAME-"$(uname -n)"}"
HBLOCK_HEADER_BUILTIN="$(cat <<-EOF
	127.0.0.1       localhost ${HOSTNAME?}
	255.255.255.255 broadcasthost
	::1             localhost ${HOSTNAME?}
	::1             ip6-localhost ip6-loopback
	fe00::0         ip6-localnet
	ff00::0         ip6-mcastprefix
	ff02::1         ip6-allnodes
	ff02::2         ip6-allrouters
	ff02::3         ip6-allhosts
EOF
)"

# Built-in footer.
HBLOCK_FOOTER_BUILTIN=''

# Built-in sources.
HBLOCK_SOURCES_BUILTIN="$(cat <<-'EOF'
	https://raw.githubusercontent.com/hectorm/hmirror/master/data/adaway.org/list.txt
	https://raw.githubusercontent.com/hectorm/hmirror/master/data/adblock-nocoin-list/list.txt
	https://raw.githubusercontent.com/hectorm/hmirror/master/data/adguard-cname-trackers/list.txt
	https://raw.githubusercontent.com/hectorm/hmirror/master/data/adguard-simplified/list.txt
	https://raw.githubusercontent.com/hectorm/hmirror/master/data/dandelionsprout-nordic/list.txt
	https://raw.githubusercontent.com/hectorm/hmirror/master/data/easylist/list.txt
	https://raw.githubusercontent.com/hectorm/hmirror/master/data/easylist-ara/list.txt
	https://raw.githubusercontent.com/hectorm/hmirror/master/data/easylist-bul/list.txt
	https://raw.githubusercontent.com/hectorm/hmirror/master/data/easylist-ces-slk/list.txt
	https://raw.githubusercontent.com/hectorm/hmirror/master/data/easylist-deu/list.txt
	https://raw.githubusercontent.com/hectorm/hmirror/master/data/easylist-fra/list.txt
	https://raw.githubusercontent.com/hectorm/hmirror/master/data/easylist-heb/list.txt
	https://raw.githubusercontent.com/hectorm/hmirror/master/data/easylist-ind/list.txt
	https://raw.githubusercontent.com/hectorm/hmirror/master/data/easylist-ita/list.txt
	https://raw.githubusercontent.com/hectorm/hmirror/master/data/easylist-kor/list.txt
	https://raw.githubusercontent.com/hectorm/hmirror/master/data/easylist-lav/list.txt
	https://raw.githubusercontent.com/hectorm/hmirror/master/data/easylist-lit/list.txt
	https://raw.githubusercontent.com/hectorm/hmirror/master/data/easylist-nld/list.txt
	https://raw.githubusercontent.com/hectorm/hmirror/master/data/easylist-por/list.txt
	https://raw.githubusercontent.com/hectorm/hmirror/master/data/easylist-rus/list.txt
	https://raw.githubusercontent.com/hectorm/hmirror/master/data/easylist-spa/list.txt
	https://raw.githubusercontent.com/hectorm/hmirror/master/data/easylist-zho/list.txt
	https://raw.githubusercontent.com/hectorm/hmirror/master/data/easyprivacy/list.txt
	https://raw.githubusercontent.com/hectorm/hmirror/master/data/eth-phishing-detect/list.txt
	https://raw.githubusercontent.com/hectorm/hmirror/master/data/gfrogeye-firstparty-trackers/list.txt
	https://raw.githubusercontent.com/hectorm/hmirror/master/data/hostsvn/list.txt
	https://raw.githubusercontent.com/hectorm/hmirror/master/data/kadhosts/list.txt
	https://raw.githubusercontent.com/hectorm/hmirror/master/data/matomo.org-spammers/list.txt
	https://raw.githubusercontent.com/hectorm/hmirror/master/data/mitchellkrogza-badd-boyz-hosts/list.txt
	https://raw.githubusercontent.com/hectorm/hmirror/master/data/pgl.yoyo.org/list.txt
	https://raw.githubusercontent.com/hectorm/hmirror/master/data/phishing.army/list.txt
	https://raw.githubusercontent.com/hectorm/hmirror/master/data/socram8888-notonmyshift/list.txt
	https://raw.githubusercontent.com/hectorm/hmirror/master/data/someonewhocares.org/list.txt
	https://raw.githubusercontent.com/hectorm/hmirror/master/data/spam404.com/list.txt
	https://raw.githubusercontent.com/hectorm/hmirror/master/data/stevenblack/list.txt
	https://raw.githubusercontent.com/hectorm/hmirror/master/data/turkish-ad-hosts/list.txt
	https://raw.githubusercontent.com/hectorm/hmirror/master/data/ublock/list.txt
	https://raw.githubusercontent.com/hectorm/hmirror/master/data/ublock-2020/list.txt
	https://raw.githubusercontent.com/hectorm/hmirror/master/data/ublock-2021/list.txt
	https://raw.githubusercontent.com/hectorm/hmirror/master/data/ublock-2022/list.txt
	https://raw.githubusercontent.com/hectorm/hmirror/master/data/ublock-2023/list.txt
	https://raw.githubusercontent.com/hectorm/hmirror/master/data/ublock-abuse/list.txt
	https://raw.githubusercontent.com/hectorm/hmirror/master/data/ublock-badware/list.txt
	https://raw.githubusercontent.com/hectorm/hmirror/master/data/ublock-privacy/list.txt
	https://raw.githubusercontent.com/hectorm/hmirror/master/data/urlhaus/list.txt
EOF
)"

# Built-in allowlist.
HBLOCK_ALLOWLIST_BUILTIN=''

# Built-in denylist.
HBLOCK_DENYLIST_BUILTIN="$(cat <<-'EOF'
	# Special domain that is used to check if hBlock is enabled.
	hblock-check.molinero.dev
EOF
)"

# Parse command line options.
optParse() {
	SEP="$(printf '\037')"
	while [ "${#}" -gt '0' ]; do
		case "${1?}" in
			# Short options that accept a value need a "*" in their pattern because they can be found in the "-A<value>" form.
			'-O'*|'--output') optArgStr "${@-}"; outputFile="${optArg?}"; shift "${optShift:?}" ;;
			'-H'*|'--header') optArgStr "${@-}"; headerFile="${optArg?}"; shift "${optShift:?}" ;;
			'-F'*|'--footer') optArgStr "${@-}"; footerFile="${optArg?}"; shift "${optShift:?}" ;;
			'-S'*|'--sources') optArgStr "${@-}"; sourcesFile="${optArg?}"; shift "${optShift:?}" ;;
			'-A'*|'--allowlist') optArgStr "${@-}"; allowlistFile="${optArg?}"; shift "${optShift:?}" ;;
			'-D'*|'--denylist') optArgStr "${@-}"; denylistFile="${optArg?}"; shift "${optShift:?}" ;;
			'-R'*|'--redirection') optArgStr "${@-}"; redirection="${optArg?}"; shift "${optShift:?}" ;;
			'-W'*|'--wrap') optArgStr "${@-}"; wrap="${optArg?}"; shift "${optShift:?}" ;;
			'-T'*|'--template') optArgStr "${@-}"; template="${optArg?}"; shift "${optShift:?}" ;;
			'-C'*|'--comment') optArgStr "${@-}"; comment="${optArg?}"; shift "${optShift:?}" ;;
			'-l' |'--lenient'|'--no-lenient') optArgBool "${@-}"; lenient="${optArg:?}" ;;
			'-r' |'--regex'|'--no-regex') optArgBool "${@-}"; regex="${optArg:?}" ;;
			'-f' |'--filter-subdomains'|'--no-filter-subdomains') optArgBool "${@-}"; filterSubdomains="${optArg:?}" ;;
			'-c' |'--continue'|'--no-continue') optArgBool "${@-}"; continue="${optArg:?}" ;;
			'-p'*|'--parallel') optArgStr "${@-}"; parallel="${optArg?}"; shift "${optShift:?}" ;;
			'-q' |'--quiet'|'--no-quiet') optArgBool "${@-}"; quiet="${optArg:?}" ;;
			'-x'*|'--color') optArgStr "${@-}"; color="${optArg?}"; shift "${optShift:?}" ;;
			'-v' |'--version') showVersion ;;
			'-h' |'--help') showHelp ;;
			# If "--" is found, the remaining positional parameters are saved and the parsing ends.
			--) shift; _IFS="${IFS?}"; IFS="${SEP:?}"; POS="${POS-}${POS+${SEP:?}}${*-}"; IFS="${_IFS?}"; break ;;
			# If a long option in the form "--opt=value" is found, it is split into "--opt" and "value".
			--*=*) optSplitEquals "${@-}"; shift; set -- "${optName:?}" "${optArg?}" "${@-}"; continue ;;
			# If an option did not match any pattern, an error is thrown.
			-?|--*) optDie "Illegal option ${1:?}" ;;
			# If multiple short options in the form "-AB" are found, they are split into "-A" and "-B".
			-?*) optSplitShort "${@-}"; shift; set -- "${optAName:?}" "${optBName:?}" "${@-}"; continue ;;
			# If a positional parameter is found, it is saved.
			*) POS="${POS-}${POS+${SEP:?}}${1?}" ;;
		esac
		shift
	done
}
optSplitShort() {
	optAName="${1%"${1#??}"}"; optBName="-${1#??}"
}
optSplitEquals() {
	optName="${1%="${1#--*=}"}"; optArg="${1#--*=}"
}
optArgStr() {
	if [ -n "${1#??}" ] && [ "${1#--}" = "${1:?}" ]; then optArg="${1#??}"; optShift='0';
	elif [ -n "${2+x}" ]; then optArg="${2-}"; optShift='1';
	else optDie "No argument for ${1:?} option"; fi
}
optArgBool() {
	if [ "${1#--no-}" = "${1:?}" ]; then optArg='true';
	else optArg='false'; fi
}
optDie() {
	printf '%s\n' "${@-}" "Try 'hblock --help' for more information" >&2
	exit 2
}

# Show help and quit.
showHelp() {
	printf '%s\n' "$(sed -e 's/%NL/\n/g' <<-EOF
		Usage: hblock [OPTION]...

		hBlock is a POSIX-compliant shell script that gets a list of domains that serve
		ads, tracking scripts and malware from multiple sources and creates a hosts
		file, among other formats, that prevents your system from connecting to them.

		Options:

		 -O, --output <FILE|->, \${HBLOCK_OUTPUT_FILE}%NL
		    Output file location.%NL
		    If equals "-", it is printed to stdout.%NL
		    (default: ${outputFile?})%NL
		 -H, --header <FILE|builtin|none|->, \${HBLOCK_HEADER_FILE}%NL
		    File to be included at the beginning of the output file.%NL
		    If equals "builtin", the built-in value is used.%NL
		    If equals "none", an empty value is used.%NL
		    If equals "-", the stdin content is used.%NL
		    If unspecified and any of the following files exists, its content is used.%NL
		        \${XDG_CONFIG_HOME}/hblock/header%NL
		        ${ETCDIR?}/hblock/header%NL
		    (default: ${headerFile?})%NL
		 -F, --footer <FILE|builtin|none|->, \${HBLOCK_FOOTER_FILE}%NL
		    File to be included at the end of the output file.%NL
		    If equals "builtin", the built-in value is used.%NL
		    If equals "none", an empty value is used.%NL
		    If equals "-", the stdin content is used.%NL
		    If unspecified and any of the following files exists, its content is used.%NL
		        \${XDG_CONFIG_HOME}/hblock/footer%NL
		        ${ETCDIR?}/hblock/footer%NL
		    (default: ${footerFile?})%NL
		 -S, --sources <FILE|builtin|none|->, \${HBLOCK_SOURCES_FILE}%NL
		    File with line separated URLs used to generate the blocklist.%NL
		    If equals "builtin", the built-in value is used.%NL
		    If equals "none", an empty value is used.%NL
		    If equals "-", the stdin content is used.%NL
		    If unspecified and any of the following files exists, its content is used.%NL
		        \${XDG_CONFIG_HOME}/hblock/sources.list%NL
		        ${ETCDIR?}/hblock/sources.list%NL
		    (default: ${sourcesFile?})%NL
		 -A, --allowlist <FILE|builtin|none|->, \${HBLOCK_ALLOWLIST_FILE}%NL
		    File with line separated entries to be removed from the blocklist.%NL
		    If equals "builtin", the built-in value is used.%NL
		    If equals "none", an empty value is used.%NL
		    If equals "-", the stdin content is used.%NL
		    If unspecified and any of the following files exists, its content is used.%NL
		        \${XDG_CONFIG_HOME}/hblock/allow.list%NL
		        ${ETCDIR?}/hblock/allow.list%NL
		    (default: ${allowlistFile?})%NL
		 -D, --denylist <FILE|builtin|none|->, \${HBLOCK_DENYLIST_FILE}%NL
		    File with line separated entries to be added to the blocklist.%NL
		    If equals "builtin", the built-in value is used.%NL
		    If equals "none", an empty value is used.%NL
		    If equals "-", the stdin content is used.%NL
		    If unspecified and any of the following files exists, its content is used.%NL
		        \${XDG_CONFIG_HOME}/hblock/deny.list%NL
		        ${ETCDIR?}/hblock/deny.list%NL
		    (default: ${denylistFile?})%NL
		 -R, --redirection <REDIRECTION>, \${HBLOCK_REDIRECTION}%NL
		    Redirection for all entries in the blocklist.%NL
		    (default: ${redirection?})%NL
		 -W, --wrap <NUMBER>, \${HBLOCK_WRAP}%NL
		    Break blocklist lines after this number of entries.%NL
		    (default: ${wrap?})%NL
		 -T, --template <TEMPLATE>, \${HBLOCK_TEMPLATE}%NL
		    Template applied to each entry.%NL
		    %D = <DOMAIN>, %R = <REDIRECTION>%NL
		    (default: ${template?})%NL
		 -C, --comment <COMMENT>, \${HBLOCK_COMMENT}%NL
		    Character used for comments.%NL
		    (default: ${comment?})%NL
		 -l, --[no-]lenient, \${HBLOCK_LENIENT}%NL
		    Match all entries from sources regardless of their IP, instead of
		    0.0.0.0, 127.0.0.1, ::, ::1 or nothing.%NL
		    (default: ${lenient?})%NL
		 -r, --[no-]regex, \${HBLOCK_REGEX}%NL
		    Use POSIX BREs in the allowlist instead of fixed strings.%NL
		    (default: ${regex?})%NL
		 -f, --[no-]filter-subdomains, \${HBLOCK_FILTER_SUBDOMAINS}%NL
		    Do not include subdomains when the parent domain is also blocked.
		    Useful for reducing the blocklist size in cases such as when DNS blocking
		    makes these subdomains redundant.%NL
		    (default: ${filterSubdomains?})%NL
		 -c, --[no-]continue, \${HBLOCK_CONTINUE}%NL
		    Do not abort if a download error occurs.%NL
		    (default: ${continue?})%NL
		 -p, --parallel, \${HBLOCK_PARALLEL}%NL
		    Maximum concurrency for parallel downloads.%NL
		    (default: ${parallel?})%NL
		 -q, --[no-]quiet, \${HBLOCK_QUIET}%NL
		    Suppress non-error messages.%NL
		    (default: ${quiet?})%NL
		 -x, --color <auto|true|false>, \${HBLOCK_COLOR}%NL
		    Colorize the output.%NL
		    (default: ${color?})%NL
		 -v, --version%NL
		    Show version number and quit.%NL
		 -h, --help%NL
		    Show this help and quit.

		Report bugs to: <https://github.com/hectorm/hblock/issues>
	EOF
	)"
	exit 0
}

# Show version number and quit.
showVersion() {
	printf '%s\n' "$(cat <<-EOF
		hBlock ${HBLOCK_VERSION:?}
		Author: ${HBLOCK_AUTHOR:?}
		License: ${HBLOCK_LICENSE:?}
		Repository: ${HBLOCK_REPOSITORY:?}
	EOF
	)"
	exit 0
}

# Check if a program exists.
exists() {
	# shellcheck disable=SC2230
	if command -v true; then command -v -- "${1:?}"
	elif eval type type; then eval type -- "${1:?}"
	else which -- "${1:?}"; fi >/dev/null 2>&1
}

# Pretty print methods.
printInfo() {  [ -n "${NO_STDOUT+x}" ] || printf "${COLOR_RESET-}[${COLOR_BGREEN-}INFO${COLOR_RESET-}] %s\n" "${@-}"; }
printWarn() {  [ -n "${NO_STDERR+x}" ] || printf "${COLOR_RESET-}[${COLOR_BYELLOW-}WARN${COLOR_RESET-}] %s\n" "${@-}" >&2; }
printError() { [ -n "${NO_STDERR+x}" ] || printf "${COLOR_RESET-}[${COLOR_BRED-}ERROR${COLOR_RESET-}] %s\n" "${@-}" >&2; }
printList() {  [ -n "${NO_STDOUT+x}" ] || printf "${COLOR_RESET-} ${COLOR_BCYAN-}*${COLOR_RESET-} %s\n" "${@-}"; }

# Print a pseudorandom string.
rand() { :& awk -v N="${!}" 'BEGIN{srand();printf("%08x%06x",rand()*2^31-1,N)}'; }

# Create a temporary directory, file or FIFO special file.
createTemp() {
	# POSIX does not specify the mktemp utility, so here comes a hacky solution.
	while t="${TMPDIR:-${TMP:-/tmp}}/hblock.${$}.$(rand)" && [ -e "${t:?}" ]; do sleep 1; done
	(
		umask 077
		case "${1-}" in
			'dir') mkdir -- "${t:?}" ;;
			'file') touch -- "${t:?}" ;;
			'fifo') mkfifo -- "${t:?}" ;;
		esac
		printf '%s' "${t:?}"
	)
}

# Write stdin to a file.
sponge() {
	spongeFile="$(createTemp 'file')"; cat > "${spongeFile:?}"
	cat -- "${spongeFile:?}" > "${1:?}"; rm -f -- "${spongeFile:?}"
}

# Count files or directories in a directory.
dirCount() { [ -e "${1:?}" ] && printf '%s' "${#}" || printf '%s' '0'; }

# Print to stdout the contents of a URL.
fetchUrl() {
	# If the protocol is "file://" we can omit the download and simply use cat.
	if [ "${1#file://}" != "${1:?}" ]; then cat -- "${1#file://}"
	else
		userAgent='Mozilla/5.0 (X11; Linux x86_64; rv:91.0) Gecko/20100101 Firefox/91.0'
		if exists curl; then curl -fsSL -A "${userAgent:?}" -- "${1:?}"
		elif exists wget; then wget -qO- -U "${userAgent:?}" -- "${1:?}"
		elif exists fetch; then fetch -qo- --user-agent="${userAgent:?}" -- "${1:?}"
		else
			printError 'curl, wget or fetch are required for this script'
			exit 1
		fi
	fi
}

# Remove comments from string.
removeComments() { sed -e 's/[[:blank:]]*#.*//;/^$/d'; }

# Transform hosts file entries to domain names.
sanitizeBlocklist() {
	leadingScript='s/^[[:blank:]]*//'
	trailingScript='s/[[:blank:]]*\(#.*\)\{0,1\}$//'
	if [ "${1:?}" = 'true' ]; then
		ipv4Script='s/^\([0-9]\{1,3\}\.\)\{3\}[0-9]\{1,3\}[[:blank:]]\{1,\}//'
		ipv6Script='s/^\([0-9a-f]\{0,4\}:\)\{2,7\}[0-9a-f]\{0,4\}[[:blank:]]\{1,\}//'
	else
		ipv4Script='s/^\(0\)\{0,1\}\(127\)\{0,1\}\(\.[0-9]\{1,3\}\)\{3\}[[:blank:]]\{1,\}//'
		ipv6Script='s/^\(0\{0,4\}:\)\{2,7\}0\{0,3\}[01]\{0,1\}[[:blank:]]\{1,\}//'
	fi
	domainRegex='\([0-9a-z_-]\{1,63\}\.\)\{1,\}[a-z][0-9a-z-]\{0,61\}[0-9a-z]\.\{0,1\}'
	tr -d '\r' | tr 'ABCDEFGHIJKLMNOPQRSTUVWXYZ' 'abcdefghijklmnopqrstuvwxyz' \
		| sed -e "${leadingScript:?};${ipv4Script:?};${ipv6Script:?};${trailingScript:?}" \
		| { grep -e "^${domainRegex:?}\([[:blank:]]\{1,\}${domainRegex:?}\)*$" ||:; } \
		| tr -s ' \t' '\n' | sed 's/\.$//'
}

# Remove reserved Top Level Domains.
removeReservedTLDs() {
	sed -e '/\.corp$/d' \
		-e '/\.domain$/d' \
		-e '/\.example$/d' \
		-e '/\.home$/d' \
		-e '/\.host$/d' \
		-e '/\.invalid$/d' \
		-e '/\.lan$/d' \
		-e '/\.local$/d' \
		-e '/\.localdomain$/d' \
		-e '/\.localhost$/d' \
		-e '/\.test$/d'
}

main() {
	usrConfDir="${XDG_CONFIG_HOME?}/hblock"
	sysConfDir="${ETCDIR?}/hblock"

	# Source environment file if exists.
	# shellcheck disable=SC1091
	if [ -f "${usrConfDir:?}/environment" ]; then
		set -a; . "${usrConfDir:?}/environment"; set +a
	elif [ -f "${sysConfDir:?}/environment" ]; then
		set -a; . "${sysConfDir:?}/environment"; set +a
	fi

	# Output file location.
	outputFile="${HBLOCK_OUTPUT_FILE-"${ETCDIR?}/hosts"}"

	# File to be included at the beginning of the output file.
	headerFile='builtin'
	if [ -n "${HBLOCK_HEADER+x}" ]; then
		HBLOCK_HEADER_BUILTIN="${HBLOCK_HEADER?}"
	elif [ -n "${HBLOCK_HEADER_FILE+x}" ]; then
		headerFile="${HBLOCK_HEADER_FILE?}"
	elif [ -f "${usrConfDir:?}/header" ]; then
		headerFile="${usrConfDir:?}/header"
	elif [ -f "${sysConfDir:?}/header" ]; then
		headerFile="${sysConfDir:?}/header"
	fi

	# File to be included at the end of the output file.
	footerFile='builtin'
	if [ -n "${HBLOCK_FOOTER+x}" ]; then
		HBLOCK_FOOTER_BUILTIN="${HBLOCK_FOOTER?}"
	elif [ -n "${HBLOCK_FOOTER_FILE+x}" ]; then
		footerFile="${HBLOCK_FOOTER_FILE?}"
	elif [ -f "${usrConfDir:?}/footer" ]; then
		footerFile="${usrConfDir:?}/footer"
	elif [ -f "${sysConfDir:?}/footer" ]; then
		footerFile="${sysConfDir:?}/footer"
	fi

	# File with line separated URLs used to generate the blocklist.
	sourcesFile='builtin'
	if [ -n "${HBLOCK_SOURCES+x}" ]; then
		HBLOCK_SOURCES_BUILTIN="${HBLOCK_SOURCES?}"
	elif [ -n "${HBLOCK_SOURCES_FILE+x}" ]; then
		sourcesFile="${HBLOCK_SOURCES_FILE?}"
	elif [ -f "${usrConfDir:?}/sources.list" ]; then
		sourcesFile="${usrConfDir:?}/sources.list"
	elif [ -f "${sysConfDir:?}/sources.list" ]; then
		sourcesFile="${sysConfDir:?}/sources.list"
	fi

	# File with line separated entries to be removed from the blocklist.
	allowlistFile='builtin'
	if [ -n "${HBLOCK_ALLOWLIST+x}" ]; then
		HBLOCK_ALLOWLIST_BUILTIN="${HBLOCK_ALLOWLIST?}"
	elif [ -n "${HBLOCK_ALLOWLIST_FILE+x}" ]; then
		allowlistFile="${HBLOCK_ALLOWLIST_FILE?}"
	elif [ -f "${usrConfDir:?}/allow.list" ]; then
		allowlistFile="${usrConfDir:?}/allow.list"
	elif [ -f "${sysConfDir:?}/allow.list" ]; then
		allowlistFile="${sysConfDir:?}/allow.list"
	fi

	# File with line separated entries to be added to the blocklist.
	denylistFile='builtin'
	if [ -n "${HBLOCK_DENYLIST+x}" ]; then
		HBLOCK_DENYLIST_BUILTIN="${HBLOCK_DENYLIST?}"
	elif [ -n "${HBLOCK_DENYLIST_FILE+x}" ]; then
		denylistFile="${HBLOCK_DENYLIST_FILE?}"
	elif [ -f "${usrConfDir:?}/deny.list" ]; then
		denylistFile="${usrConfDir:?}/deny.list"
	elif [ -f "${sysConfDir:?}/deny.list" ]; then
		denylistFile="${sysConfDir:?}/deny.list"
	fi

	# Redirection for all entries in the blocklist.
	redirection="${HBLOCK_REDIRECTION-"0.0.0.0"}"

	# Break blocklist lines after this number of entries.
	wrap="${HBLOCK_WRAP-"1"}"

	# Template applied to each entry.
	template="${HBLOCK_TEMPLATE-"%R %D"}"

	# Character used for comments.
	comment="${HBLOCK_COMMENT-"#"}"

	# Match all entries from sources, regardless of their IP.
	lenient="${HBLOCK_LENIENT-"false"}"

	# Use POSIX BREs instead of fixed strings.
	regex="${HBLOCK_REGEX-"false"}"

	# Do not include subdomains when the parent domain is also blocked.
	filterSubdomains="${HBLOCK_FILTER_SUBDOMAINS-"false"}"

	# Abort if a download error occurs.
	continue="${HBLOCK_CONTINUE-"false"}"

	# Maximum concurrency for parallel downloads.
	parallel="${HBLOCK_PARALLEL-"4"}"

	# Colorize the output.
	color="${HBLOCK_COLOR-"auto"}"

	# Suppress non-error messages.
	quiet="${HBLOCK_QUIET-"false"}"

	# Parse command line options.
	# shellcheck disable=SC2086
	{ optParse "${@-}"; _IFS="${IFS?}"; IFS="${SEP:?}"; set -- ${POS-} >/dev/null; IFS="${_IFS?}"; }

	# Define terminal colors if the color option is enabled or in auto mode if STDOUT is attached to a TTY and the
	# "NO_COLOR" variable is not set (https://no-color.org).
	if [ "${color:?}" = 'true' ] || { [ "${color:?}" = 'auto' ] && [ -z "${NO_COLOR+x}" ] && [ -t 1 ]; }; then
		COLOR_RESET="$({ exists tput && tput sgr0; } 2>/dev/null || printf '\033[0m')"
		COLOR_BRED="$({ exists tput && tput bold && tput setaf 1; } 2>/dev/null || printf '\033[1;31m')"
		COLOR_BGREEN="$({ exists tput && tput bold && tput setaf 2; } 2>/dev/null || printf '\033[1;32m')"
		COLOR_BYELLOW="$({ exists tput && tput bold && tput setaf 3; } 2>/dev/null || printf '\033[1;33m')"
		COLOR_BCYAN="$({ exists tput && tput bold && tput setaf 6; } 2>/dev/null || printf '\033[1;36m')"
	fi

	# Set "NO_STDOUT" variable if the quiet option is enabled (other methods will honor this variable).
	if [ "${quiet:?}" = 'true' ]; then
		NO_STDOUT='true'
	fi

	# Check the header file.
	case "${headerFile:?}" in
		# If the file value equals "-", use stdin.
		'-') headerFile="$(createTemp 'file')"; cat <&0 > "${headerFile:?}" ;;
		# If the file value equals "none", use an empty file.
		'none') headerFile="$(createTemp 'file')" ;;
		# If the file value equals "builtin", use the built-in value.
		'builtin') headerFile="$(createTemp 'file')"; printf '%s' "${HBLOCK_HEADER_BUILTIN?}" > "${headerFile:?}" ;;
		# If the file does not exist, throw an error.
		*) [ -e "${headerFile:?}" ] || { printError "No such file: ${headerFile:?}"; exit 1; } ;;
	esac

	# Check the footer file.
	case "${footerFile:?}" in
		# If the file value equals "-", use stdin.
		'-') footerFile="$(createTemp 'file')"; cat <&0 > "${footerFile:?}" ;;
		# If the file value equals "none", use an empty file.
		'none') footerFile="$(createTemp 'file')" ;;
		# If the file value equals "builtin", use the built-in value.
		'builtin') footerFile="$(createTemp 'file')"; printf '%s' "${HBLOCK_FOOTER_BUILTIN?}" > "${footerFile:?}" ;;
		# If the file does not exist, throw an error.
		*) [ -e "${footerFile:?}" ] || { printError "No such file: ${footerFile:?}"; exit 1; } ;;
	esac

	# Check the sources file.
	case "${sourcesFile:?}" in
		# If the file value equals "-", use stdin.
		'-') sourcesFile="$(createTemp 'file')"; cat <&0 > "${sourcesFile:?}" ;;
		# If the file value equals "none", use an empty file.
		'none') sourcesFile="$(createTemp 'file')" ;;
		# If the file value equals "builtin", use the built-in value.
		'builtin') sourcesFile="$(createTemp 'file')"; printf '%s' "${HBLOCK_SOURCES_BUILTIN?}" > "${sourcesFile:?}" ;;
		# If the file does not exist, throw an error.
		*) [ -e "${sourcesFile:?}" ] || { printError "No such file: ${sourcesFile:?}"; exit 1; } ;;
	esac

	# Check the allowlist file.
	case "${allowlistFile:?}" in
		# If the file value equals "-", use stdin.
		'-') allowlistFile="$(createTemp 'file')"; cat <&0 > "${allowlistFile:?}" ;;
		# If the file value equals "none", use an empty file.
		'none') allowlistFile="$(createTemp 'file')" ;;
		# If the file value equals "builtin", use the built-in value.
		'builtin') allowlistFile="$(createTemp 'file')"; printf '%s' "${HBLOCK_ALLOWLIST_BUILTIN?}" > "${allowlistFile:?}" ;;
		# If the file does not exist, throw an error.
		*) [ -e "${allowlistFile:?}" ] || { printError "No such file: ${allowlistFile:?}"; exit 1; } ;;
	esac

	# Check the denylist file.
	case "${denylistFile:?}" in
		# If the file value equals "-", use stdin.
		'-') denylistFile="$(createTemp 'file')"; cat <&0 > "${denylistFile:?}" ;;
		# If the file value equals "none", use an empty file.
		'none') denylistFile="$(createTemp 'file')" ;;
		# If the file value equals "builtin", use the built-in value.
		'builtin') denylistFile="$(createTemp 'file')"; printf '%s' "${HBLOCK_DENYLIST_BUILTIN?}" > "${denylistFile:?}" ;;
		# If the file does not exist, throw an error.
		*) [ -e "${denylistFile:?}" ] || { printError "No such file: ${denylistFile:?}"; exit 1; } ;;
	esac

	# Create an empty blocklist file.
	blocklistFile="$(createTemp 'file')"

	# If the sources file is not empty, each source is downloaded and appended to the blocklist file.
	if [ -s "${sourcesFile:?}" ]; then
		printInfo 'Downloading sources'

		sourcesDlDir="$(createTemp 'dir')"
		sourcesUrlFile="$(createTemp 'file')"

		# Read the sources file ignoring comments or empty lines.
		removeComments < "${sourcesFile:?}" > "${sourcesUrlFile:?}"

		while IFS= read -r url || [ -n "${url?}" ]; do
			# Wait if the number of running jobs exceeds the concurrency limit.
			if [ "${parallel:?}" -gt '0' ]; then
				while [ "${parallel:?}" -le "$(dirCount "${sourcesDlDir:?}"/*.part)" ]; do
					# POSIX does not specify the "-n" option, wait for the last PID as fallback.
					# shellcheck disable=SC3045
					wait -n 2>/dev/null || wait "${!}"
				done
			fi

			# Initialize the download job and send it to the background.
			printList "${url:?}"
			sourceDlFile="${sourcesDlDir:?}"/"$(rand)"
			touch -- "${sourceDlFile:?}.part"
			{
				if fetchUrl "${url:?}" > "${sourceDlFile:?}.part"; then
					if [ -e "${sourceDlFile:?}.part" ]; then
						printf '\n' >> "${sourceDlFile:?}.part"
						mv -- "${sourceDlFile:?}.part" "${sourceDlFile:?}"
					fi
				else
					rm -f -- "${sourceDlFile:?}.part"
					if [ "${continue:?}" = 'true' ]; then
						printWarn "Cannot obtain source: ${url:?}"
					else
						printError "Cannot obtain source: ${url:?}"
						{ kill "${$}"; exit 1; } 2>/dev/null
					fi
				fi
			} &
		done < "${sourcesUrlFile:?}"
		wait

		# Append downloaded sources to the blocklist file.
		cat -- "${sourcesDlDir:?}"/* >> "${blocklistFile:?}"
		rm -rf -- "${sourcesDlDir:?}"
	fi

	# If the denylist file is not empty, it is appended to the blocklist file.
	if [ -s "${denylistFile:?}" ]; then
		printInfo 'Applying denylist'
		cat -- "${denylistFile:?}" >> "${blocklistFile:?}"
	fi

	# If the blocklist file is not empty, it is sanitized.
	if [ -s "${blocklistFile:?}" ]; then
		printInfo 'Sanitizing blocklist'
		sanitizeBlocklist "${lenient:?}" < "${blocklistFile:?}" | removeReservedTLDs | sponge "${blocklistFile:?}"
	fi

	# If the allowlist file is not empty, the entries on it are removed from the blocklist file.
	if [ -s "${allowlistFile:?}" ]; then
		printInfo 'Applying allowlist'
		allowlistPatternFile="$(createTemp 'file')"
		# Entries are treated as regexes depending on whether the regex option is enabled.
		removeComments < "${allowlistFile:?}" >> "${allowlistPatternFile:?}"
		if [ "${regex:?}" = 'true' ]; then
			grep -vf "${allowlistPatternFile:?}" -- "${blocklistFile:?}" | sponge "${blocklistFile:?}"
		else
			grep -Fxvf "${allowlistPatternFile:?}" -- "${blocklistFile:?}" | sponge "${blocklistFile:?}"
		fi
		rm -f -- "${allowlistPatternFile:?}"
	fi

	# If the blocklist file is not empty, it is filtered and sorted.
	if [ -s "${blocklistFile:?}" ]; then
		if [ "${filterSubdomains:?}" = 'true' ]; then
			printInfo 'Filtering redundant subdomains'
			awkReverseScript="$(cat <<-'EOF'
				BEGIN { FS = "." }
				{
					for (i = NF; i > 0; i--) {
						printf("%s%s", $i, (i > 1 ? FS : RS))
					}
				}
			EOF
			)"
			awkFilterScript="$(cat <<-'EOF'
				BEGIN { p = "." }
				{
					if (index($0, p) != 1) {
						print($0); p = $0"."
					}
				}
			EOF
			)"
			awk "${awkReverseScript:?}" < "${blocklistFile:?}" | sort \
				| awk "${awkFilterScript:?}" | awk "${awkReverseScript:?}" \
				| sponge "${blocklistFile:?}"
		fi

		printInfo 'Sorting blocklist'
		sort < "${blocklistFile:?}" | uniq | sponge "${blocklistFile:?}"
	fi

	# Count blocked domains.
	blocklistCount="$(wc -l < "${blocklistFile:?}" | awk '{print($1)}')"

	# If the blocklist file is not empty, the format template is applied.
	if [ -s "${blocklistFile:?}" ]; then
		printInfo 'Applying format template'
		# The number of domains per line is equal to the value of the wrap option.
		if [ "${wrap:?}" -gt '1' ]; then
			awkWrapScript='{ORS=(NR%W?FS:RS)}1;END{if(NR%W){printf(RS)}}'
			awk -v FS=' ' -v RS='\n' -v W="${wrap:?}" "${awkWrapScript:?}" < "${blocklistFile:?}" \
				| sponge "${blocklistFile:?}"
		fi
		# The following awk script replaces in the template the variables starting with a % sign with their value.
		awkTemplateScript="$(cat <<-'EOF'
			BEGIN {
				Tl = length(T); split(T, Ta, "")
				for (i = 1; i <= Tl; i++) {
					if (Ta[i] == "%") {
						i++; if (Ta[i] == "D") { Vn[++Vl] = "D"; Vp[Vl] = i - 1 }
						else if (Ta[i] == "R") { Vn[++Vl] = "R"; Vp[Vl] = i - 1 }
						else if (Ta[i] == "%") { Vn[++Vl] = "%"; Vp[Vl] = i - 1 }
					}
				}
			}
			{
				o = T
				for (i = Vl; i > 0 ; i--) {
					if (Vn[i] == "D") v = $0
					else if (Vn[i] == "R") v = R
					else if (Vn[i] == "%") v = "%"
					else v = ""
					o = substr(o, 1, Vp[i] - 1) v substr(o, Vp[i] + 2)
				}
				print(o)
			}
		EOF
		)"
		awk -v T="${template?}" -v R="${redirection?}" "${awkTemplateScript:?}" < "${blocklistFile:?}" \
			| sponge "${blocklistFile:?}"
	fi

	printOutputFile() {
		# Define "C" variable for convenience.
		C="${comment?}"

		# Append banner to the output file.
		if [ -n "${C?}" ]; then
			cat <<-EOF
				${C?} Generated with hBlock ${HBLOCK_VERSION:?} (${HBLOCK_REPOSITORY:?})
				${C?} Blocked domains: ${blocklistCount:?}
			EOF
			if [ -z "${SOURCE_DATE_EPOCH+x}" ]; then
				cat <<-EOF
					${C?} Date: $(date)
				EOF
			fi
		fi

		# If the header file is not empty, it is appended to the output file.
		if [ -s "${headerFile:?}" ]; then
			[ -z "${C?}" ] || printf '\n%s\n' "${C?} BEGIN HEADER"
			awk 1 < "${headerFile:?}"
			[ -z "${C?}" ] || printf '%s\n' "${C?} END HEADER"
		fi

		# If the blocklist file is not empty, it is appended to the output file.
		if [ -s "${blocklistFile:?}" ]; then
			[ -z "${C?}" ] || printf '\n%s\n' "${C?} BEGIN BLOCKLIST"
			awk 1 < "${blocklistFile:?}"
			[ -z "${C?}" ] || printf '%s\n' "${C?} END BLOCKLIST"
		fi

		# If the footer file is not empty, it is appended to the output file.
		if [ -s "${footerFile:?}" ]; then
			[ -z "${C?}" ] || printf '\n%s\n' "${C?} BEGIN FOOTER"
			awk 1 < "${footerFile:?}"
			[ -z "${C?}" ] || printf '%s\n' "${C?} END FOOTER"
		fi
	}

	# If the file name equals "-", print to stdout.
	if [ "${outputFile:?}" = '-' ]; then
		printOutputFile
	# Try writing the file.
	elif touch -- "${outputFile:?}" >/dev/null 2>&1; then
		printOutputFile > "${outputFile:?}"
	# If writing fails, try with sudo.
	elif exists sudo && exists tee; then
		printOutputFile | sudo tee -- "${outputFile:?}" >/dev/null
	# Throw an error for everything else.
	else
		printError "Cannot write file: ${outputFile:?}"
		exit 1
	fi

	printInfo "${blocklistCount:?} blocked domains!"
}

main "${@-}"
