From 0b19a41b5e6d52683c1f23074b7a03baba8cbc92 Mon Sep 17 00:00:00 2001
From: "Aaron D. Lee"
Date: Fri, 2 Jan 2026 22:06:14 -0500
Subject: [PATCH] Add sanitize script for distributable Pi images
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

- rpi/sanitize-for-image.sh: Removes personal data before imaging - Clears WiFi credentials - Removes SSH keys - Clears Stegasoo auth database - Removes logs, history, temp files - Updated rpi/README.md with full image building workflow
🤖 Generated with [Claude Code](https://claude.com/claude-code)
Co-Authored-By: Claude Opus 4.5
---
rpi/README.md | 78 ++++++++++++++++++++++
rpi/sanitize-for-image.sh | 132 ++++++++++++++++++++++++++++++++++++++
2 files changed, 210 insertions(+)
create mode 100755 rpi/sanitize-for-image.sh
diff --git a/rpi/README.md b/rpi/README.md
index 9e8376c..a8fcd2c 100644
--- a/rpi/README.md
+++ b/rpi/README.md
@@ -97,3 +97,81 @@ rm -rf ~/stegasoo ## Pre-built Images Check [GitHub Releases](https://github.com/adlee-was-taken/stegasoo/releases) for pre-built SD card images. + +--- + +## Building Your Own Image + +To create a distributable SD card image: + +### 1. Flash Fresh Raspberry Pi OS + +Use rpi-imager to flash Raspberry Pi OS (64-bit) to an SD card. + +In advanced settings, set: +- Hostname: `stegasoo` +- Enable SSH (password auth for initial setup) +- Username/password (temporary, will work for any user) +- Skip WiFi for distributable image + +### 2. Boot and Run Setup + +```bash +# SSH into the Pi +ssh pi@stegasoo.local + +# Run the setup script +curl -sSL https://raw.githubusercontent.com/adlee-was-taken/stegasoo/main/rpi/setup.sh | bash +``` + +### 3. Test It Works + +```bash +sudo systemctl start stegasoo +curl -k https://localhost:5000 # Should return HTML +``` + +### 4. Sanitize for Distribution + +```bash +# Download and run sanitize script +curl -sSL https://raw.githubusercontent.com/adlee-was-taken/stegasoo/main/rpi/sanitize-for-image.sh | sudo bash +``` + +This removes: +- WiFi credentials +- SSH authorized keys +- Bash history +- Stegasoo auth database (users create their own admin) +- Logs and temp files + +### 5. Create the Image + +After Pi shuts down, remove SD card and on another Linux machine: + +```bash +# Find SD card device (BE CAREFUL - wrong device = data loss!) +lsblk + +# Copy (replace sdX with your SD card) +sudo dd if=/dev/sdX of=stegasoo-rpi-$(date +%Y%m%d).img bs=4M status=progress + +# Shrink the image (optional but recommended) +wget https://raw.githubusercontent.com/Drewsif/PiShrink/master/pishrink.sh +chmod +x pishrink.sh +sudo ./pishrink.sh stegasoo-rpi-*.img + +# Compress +xz -9 -T0 stegasoo-rpi-*.img +``` + +### 6. Distribute + +Upload the `.img.xz` file to GitHub Releases. + +Users flash with: +```bash +xzcat stegasoo-rpi-*.img.xz | sudo dd of=/dev/sdX bs=4M status=progress +``` + +Or use rpi-imager's "Use custom" option. 
diff --git a/rpi/sanitize-for-image.sh b/rpi/sanitize-for-image.sh
new file mode 100755
index 0000000..33d751d
--- /dev/null
+++ b/rpi/sanitize-for-image.sh
@@ -0,0 +1,132 @@
+#!/bin/bash
+#
+# Sanitize Raspberry Pi for SD Card Image Distribution
+# Run this BEFORE creating an image with dd
+#
+# This script removes:
+# - WiFi credentials
+# - SSH authorized keys
+# - User-specific data
+# - Bash history
+# - Logs
+# - Stegasoo auth database (users will create their own admin)
+#
+# Usage: sudo ./sanitize-for-image.sh
+#
+
+set -e
+
+RED='\033[0;31m'
+GREEN='\033[0;32m'
+YELLOW='\033[1;33m'
+NC='\033[0m'
+
+if [ "$EUID" -ne 0 ]; then
+ echo -e "${RED}Error: Must run as root (sudo)${NC}"
+ exit 1
+fi
+
+echo -e "${YELLOW}"
+echo "╔═══════════════════════════════════════════════════════════════╗"
+echo "║ Sanitize Pi for Image Distribution ║"
+echo "║ ║"
+echo "║ This will remove personal data and prepare for imaging. ║"
+echo "║ The system will shut down when complete. ║"
+echo "╚═══════════════════════════════════════════════════════════════╝"
+echo -e "${NC}"
+
+read -p "Continue? This cannot be undone! [y/N] " -n 1 -r
+echo
+if [[ ! $REPLY =~ ^[Yy]$ ]]; then
+ echo "Aborted."
+ exit 1
+fi
+
+echo -e "${GREEN}[1/8]${NC} Removing WiFi credentials..."
+if [ -f /etc/wpa_supplicant/wpa_supplicant.conf ]; then
+ cat > /etc/wpa_supplicant/wpa_supplicant.conf << 'EOF'
+ctrl_interface=DIR=/var/run/wpa_supplicant GROUP=netdev
+update_config=1
+country=US
+
+# Add your WiFi network here on first boot:
+# network={
+# ssid="YourNetworkName"
+# psk="YourPassword"
+# }
+EOF
+ echo " WiFi credentials cleared"
+else
+ echo " No wpa_supplicant.conf found"
+fi
+
+echo -e "${GREEN}[2/8]${NC} Removing SSH authorized keys..."
+for user_home in /home/*; do
+ if [ -d "$user_home/.ssh" ]; then
+ rm -f "$user_home/.ssh/authorized_keys"
+ rm -f "$user_home/.ssh/known_hosts"
+ echo " Cleared $user_home/.ssh/"
+ fi
+done
+rm -f /root/.ssh/authorized_keys /root/.ssh/known_hosts 2>/dev/null || true
+
+echo -e "${GREEN}[3/8]${NC} Clearing bash history..."
+for user_home in /home/*; do
+ rm -f "$user_home/.bash_history"
+ rm -f "$user_home/.python_history"
+done
+rm -f /root/.bash_history /root/.python_history 2>/dev/null || true
+history -c
+
+echo -e "${GREEN}[4/8]${NC} Removing Stegasoo user data..."
+# Remove auth database (users create their own admin on first run)
+rm -rf /home/*/stegasoo/frontends/web/instance/
+# Remove SSL certs (will be regenerated)
+rm -rf /home/*/stegasoo/frontends/web/certs/
+# Remove any .env files with channel keys
+rm -f /home/*/stegasoo/frontends/web/.env
+echo " Stegasoo instance data cleared"
+
+echo -e "${GREEN}[5/8]${NC} Clearing logs..."
+journalctl --rotate
+journalctl --vacuum-time=1s
+rm -rf /var/log/*.log /var/log/*.gz /var/log/*.[0-9]
+rm -rf /var/log/apt/*
+rm -rf /var/log/journal/*
+find /var/log -type f -name "*.log" -delete 2>/dev/null || true
+echo " Logs cleared"
+
+echo -e "${GREEN}[6/8]${NC} Clearing temporary files..."
+rm -rf /tmp/*
+rm -rf /var/tmp/*
+echo " Temp files cleared"
+
+echo -e "${GREEN}[7/8]${NC} Clearing package cache..."
+apt-get clean
+rm -rf /var/cache/apt/archives/*
+echo " Package cache cleared"
+
+echo -e "${GREEN}[8/8]${NC} Final cleanup..."
+# Remove this script's evidence
+rm -f /root/.bash_history
+sync
+
+echo ""
+echo -e "${GREEN}╔═══════════════════════════════════════════════════════════════╗${NC}"
+echo -e "${GREEN}║ Sanitization Complete! ║${NC}"
+echo -e "${GREEN}╚═══════════════════════════════════════════════════════════════╝${NC}"
+echo ""
+echo "The system is ready for imaging."
+echo ""
+echo -e "${YELLOW}Next steps:${NC}"
+echo " 1. Shut down: sudo shutdown -h now"
+echo " 2. Remove SD card"
+echo " 3. On another machine, copy with:"
+echo " sudo dd if=/dev/sdX of=stegasoo-rpi.img bs=4M status=progress"
+echo " 4. Compress: xz -9 stegasoo-rpi.img"
+echo ""
+read -p "Shut down now? [y/N] " -n 1 -r
+echo
+if [[ $REPLY =~ ^[Yy]$ ]]; then
+ shutdown -h now
+fi
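Review bot: Step 2 deletes `authorized_keys` and `known_hosts` but leaves the SSH host keys in `/etc/ssh/` on the card, so every device flashed from the published image would present the same host identity, and the private halves would be readable by anyone who downloads it. Step 1 has a similar gap: it only rewrites `wpa_supplicant.conf`, and on Raspberry Pi OS releases that manage Wi-Fi through NetworkManager the saved PSK sits in `/etc/NetworkManager/system-connections/`, in which case the script prints "No wpa_supplicant.conf found" and carries on. Because `rm` only unlinks and the README's `dd` copies the whole device, the deleted keys, `.env` and auth database may also still be recoverable from free blocks unless those are overwritten before shutdown. The fence below sketches the extra steps; the first-boot host-key regeneration unit should be confirmed on the target OS release before relying on it.

```shell
# … unchanged: steps 1-2 (wpa_supplicant.conf, authorized_keys, known_hosts) …

# Wi-Fi profiles saved by NetworkManager carry the PSK as well
rm -f /etc/NetworkManager/system-connections/*.nmconnection

# Host keys must be unique per device: drop them and have them recreated on
# first boot (unit name as shipped by Raspberry Pi OS; confirm it exists here,
# under set -e a missing unit aborts the run instead of shipping without keys)
rm -f /etc/ssh/ssh_host_*
systemctl enable regenerate_ssh_host_keys.service

# Let each flashed device generate its own machine ID
: > /etc/machine-id

# … unchanged: steps 3-8 up to the final sync …

# Overwrite free blocks so unlinked files do not survive in the dd copy;
# dd is expected to stop with "No space left on device"
dd if=/dev/zero of=/zero.fill bs=1M 2>/dev/null || true
rm -f /zero.fill
sync
```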