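#!/bin/bash
#
# Seals a dnf-based VM image before it is captured as a template: applies
# pending updates, then removes build-time state (audit/login records, udev
# net rules, temp files, SSH host keys and root SSH access, machine-id,
# shell history) so clones do not inherit identity or credentials from the
# build machine.
#
# Run only as the final step of an image build. Truncating audit.log, wtmp
# and lastlog and clearing shell history is expected on a template; on a host
# already in service the same commands destroy audit evidence, so log-clearing
# detections should expect this activity from the build pipeline and nowhere
# else.
#
# Needs root privileges (writes under /etc, /var/log, /var/lib and /root).

set -eo pipefail

# Empties a file in place when it exists; the file itself is kept.
# Arguments: $1 - path of the file to empty
truncate_if_present() {
  local file=$1
  if [[ -f "$file" ]]; then
    : >"$file"
  fi
}

#### Update system
echo '> Update packages ...'
dnf -y -q update
dnf -q clean all

### Cleans all audit logs
echo '> Cleaning all audit logs ...'
# NOTE(review): if build-time audit records are wanted for provenance, they
# have to be exported before this point; nothing here archives them.
truncate_if_present /var/log/audit/audit.log
truncate_if_present /var/log/wtmp
truncate_if_present /var/log/lastlog

### Cleans persistent udev rules
echo '> Cleaning persistent udev rules ...'
# rm -f already tolerates a missing file, so no existence test is needed.
rm -f -- /etc/udev/rules.d/70-persistent-net.rules

### Clean the /tmp directories
echo '> Cleaning /tmp directories ...'
# The globs skip dotfiles, as before; hidden entries in these directories
# are left in place.
rm -rf -- /tmp/*
rm -rf -- /var/tmp/*
rm -rf -- /var/cache/dnf/*

### Clean the SSH keys
echo '> Cleaning the SSH keys ...'
# Host keys must never be shared between clones of one template. Collect them
# with nullglob so that an image without host keys (or a second run of this
# script) does not hand shred a literal '*_key' pattern and abort under -e.
shopt -s nullglob
host_keys=(/etc/ssh/*_key /etc/ssh/*_key.pub)
shopt -u nullglob
if ((${#host_keys[@]} > 0)); then
  # shred overwrites in place; on copy-on-write or thin-provisioned storage
  # that overwrite is best effort, so the deletion is what can be relied on.
  shred -u -- "${host_keys[@]}"
fi
# NOTE(review): clones are presumably expected to generate fresh host keys on
# first boot (sshd-keygen or cloud-init) — confirm for the target image.

# NOTE(review): ssh_config.d holds OpenSSH *client* drop-ins; sshd reads
# sshd_config.d. If the build placed its root-login drop-in under
# sshd_config.d, this rm does not remove it and root login stays enabled in
# the template — confirm the path against the build step that creates it.
rm -f -- /etc/ssh/ssh_config.d/allow-root-ssh.conf
rm -rf -- /root/.ssh/authorized_keys

# Comment out any active 'PermitRootLogin yes'. The pattern is anchored to
# active (uncommented) directives, tolerates indentation and tabs or repeated
# spaces between keyword and value, and is case-insensitive like sshd's own
# keyword parsing; the former literal 'PermitRootLogin yes' match missed
# those spellings and left root login enabled. Uses GNU sed's I flag.
sed -i -E \
  's/^[[:space:]]*PermitRootLogin[[:space:]]+yes/#PermitRootLogin prohibit-password/I' \
  /etc/ssh/sshd_config

### Clean the machine-id
echo '> Cleaning the machine-id ...'
# An empty /etc/machine-id is kept rather than deleted; the dbus path is a
# symlink to it so both stay in step.
truncate -s 0 /etc/machine-id
rm -f -- /var/lib/dbus/machine-id
mkdir -p /var/lib/dbus
ln -sfn /etc/machine-id /var/lib/dbus/machine-id

### Prepare cloud-init
echo '> Preparing cloud-init ...'
rm -f -- /etc/cloud/cloud-init.disabled

### Clean the shell history
echo '> Cleaning the shell history ...'
# Unsetting HISTFILE stops this shell from writing its own history on exit.
unset HISTFILE
history -cw
echo >~/.bash_history
rm -f -- /root/.bash_history

### Done
echo '> Done.'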