#!/bin/bash

## Copyright (C) 2012 - 2025 ENCRYPTED SUPPORT LLC <adrelanos@whonix.org>
## See the file COPYING for copying conditions.

set -x
set -e
set -o pipefail

own_filename="$(basename "$BASH_SOURCE")"
for skip_script in $SKIP_SCRIPTS; do
   if [ "$skip_script" = "$own_filename" ]; then
      true "INFO: Skipping $own_filename, because SKIP_SCRIPTS includes it."
      exit 0
   fi
done
unset skip_script

true "INFO: Cleaning up..."

## Kill dhclient3 to prevent rewrite of /var/lib/dhcp/*.
killall dhclient3 || true
## There are .leases.
safe-rm /var/lib/dhcp/*.leases || true
## And there are .lease.
safe-rm /var/lib/dhcp/*.lease || true
## We are best of deleting the whole folder.
safe-rm -r /var/lib/dhcp/* || true

## Cleanup.
## || true to support re-running the script.
apt-get --yes autoremove --purge || true

## Get rid of /var/cache/apt/pkgcache.bin. (non-deterministic)
## || true to support re-running the script.
apt-get --yes clean || true

## No longer deleting /var/lib/tor. We install but forbid to run software such as Tor we install.
## Therefore /var/lib/tor should be empty.
## Ensure to delete /var/lib/tor. It contains sensitive stuff like the Tor consensus and the Tor entry guards.
## safe-rm -r /var/lib/tor/* || true

## Delete logs and other stuff.
safe-rm -r /tmp/* || true
safe-rm /var/log/installer/* || true
safe-rm -r /var/cache/apt/* || true
safe-rm -r /var/lib/apt/lists/* || true
safe-rm -r /var/log/installer || true
safe-rm /var/lib/dpkg/*-old || true
safe-rm /var/cache/debconf/*-old || true
## Erase rotated logs (usually wont appear unless you left your VM running for several days).
safe-rm /var/log/*.[0-9] || true
safe-rm /var/log/*.[0-9].gz || true

## Deletes /etc/system/sysinit.target.wants/systemd-timesyncd.service.
## Otherwise timedatectl still thinks systemd-timesyncd is enabled.
timedatectl set-ntp false >/dev/null 2>&1 || true
## Make sure it gets really deleted even if timedatectl does not work.
safe-rm --force /etc/systemd/system/sysinit.target.wants/systemd-timesyncd.service

## Deletes /etc/apt/sources.list.d/derivative.sources.
## Otherwise garbage apt config pointing to the derivative-maker approx proxy
## will be left on the disk.
safe-rm --force /etc/apt/sources.list.d/derivative.sources

## Deletes /etc/apt/sources.list.
## This file is no longer used since we've switched to deb822 format, and it
## ends up being left as a blank file on the disk.
safe-rm --force /etc/apt/sources.list

## non-deterministic [0]
## /var/lib/dpkg/available
## /var/lib/dpkg/available-old
dpkg --clear-avail

## non-deterministic [14]
## /etc/init.d/.depend.boot
## /etc/init.d/.depend.start
## /etc/init.d/.depend.stop
## Recreate those and therefore hopefully come up with deterministic results.
##
## Only attempt to run `insserv` when it's installed. This ensures, that this
## works on CI systems (Ubuntu) and in modified derivative versions as well.
if [ -x /sbin/insserv ]; then
   /sbin/insserv --showall
   /sbin/insserv --verbose
fi

## non-deterministic [15]
## /var/lib/urandom/random-seed
## This is no longer required for Debian Jessie?
## Should always be deleted for security reasons.
safe-rm --force /var/lib/urandom/random-seed

safe-rm --force /var/lib/systemd/random-seed
safe-rm --force /var/lib/random-seed

## non-deterministic [21]
## Only required when using the anon-shared-build-inst-tb chroot-post.d script.
## No need to manually re-create it.
## Gets automatically re-created on next run of tb-updater.
## This is no longer required for Debian Jessie?
safe-rm -r /var/cache/tb-binary/.cache/tb/gpgtmpdir || true

## Leftover from build process using mmdebstrap.
safe-rm --force /etc/apt/apt.conf.d/99mmdebstrap

## Truncate all log files, keeping user groups and permissions.
find /var/log -type f -exec cp /dev/null {} \;

[[ -v user_name ]] || user_name="user"

## Delete bash history.
safe-rm "/home/$user_name/.bash_history" || true
safe-rm "/home/$user_name/.Xauthority" || true
safe-rm "/root/.bash_history" || true
safe-rm "/root/.Xauthority" || true
history -c || true

sync
