#!/bin/bash -e
# vim: set ts=4 sw=4 sts=4 et :
#
# qubes-whonix-sysinit - Called by systemd during the sysinit boot stage to
#                        initialize required configurations for Whonix
#
# This file is part of Qubes+Whonix.
# Copyright (C) 2014 - 2015 Jason Mehring <nrgaway@gmail.com>
# License: GPL-2+
# Authors: Jason Mehring
#
#   This program is free software; you can redistribute it and/or
#   modify it under the terms of the GNU General Public License
#   as published by the Free Software Foundation; either version 2
#   of the License, or (at your option) any later version.
#
#   This program is distributed in the hope that it will be useful,
#   but WITHOUT ANY WARRANTY; without even the implied warranty of
#   MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
#   GNU General Public License for more details.
#
#   You should have received a copy of the GNU General Public License
#   along with this program.  If not, see <http://www.gnu.org/licenses/>.

source /usr/lib/qubes-whonix/utility_functions.sh

# Location of files which contains list of protected files
PROTECTED_FILE_LIST='/etc/qubes/protected-files.d/qubes-whonix'

# Files that will marked as being protected to eliminate modification from Qubes
PROTECTED_FILES=(
    '/etc/resolv.conf'
    '/etc/hostname'
    '/etc/hosts'
    '/etc/localtime'
    '/etc/timezone'
)

# Make sure all .anondist files in list are not immutable. Fixes immutable issue
immutableFilesDisable "${PROTECTED_FILES}"
immutableFilesDisable "${PROTECTED_FILES}" ".anondist"

for protected_file in "${PROTECTED_FILES[@]}"; do

    # Enable protected services
    if ! grep -q "^${protected_file}$" "${PROTECTED_FILE_LIST}" 2>/dev/null; then
        echo -e "${protected_file}" >> "${PROTECTED_FILE_LIST}"
    fi

    # Make sure we are using a copy of the anondist file and if not
    # copy the anondist file
    copyAnondist "${protected_file}"
done

# Gateway
if [ -e /var/run/qubes-service/whonix-gateway ]; then

    # Allow whonix-gateway to act as an update-proxy
    touch /var/run/qubes-service/qubes-updates-proxy

    # Search and replace tinyproxy error files so we can inject code that
    # we can use to identify that its a tor proxy so updates are secure
    error_file=/usr/share/tinyproxy/default.html
    grep -q "${PROXY_META}" "${error_file}" || {
        sed -i "s/<\/head>/${PROXY_META}\n<\/head>/" "${error_file}"
    }
fi

# Make sure hostname is correct
/bin/hostname host
