PrivacyBeast script to restore to deployed OEM disk state
#!/bin/bash
#
#GENERAL PATHS
INSTALL_DISK="/dev/sda"
WYNG_BACKUPS_ARCHIVE_DIR="/media/wyng-backups/home/user/wyng-backups/wyng.backup"
QUBES_VM_POOL="/dev/qubes_dom0"
OEM_MOUNT="/media/wyng-backups/home/user/"
GPG_OEM_KEY="/media/wyng-backups/home/user/Insurgo_2022-06-15.asc"
#Under Q4.0, VMs and dom0 root LVMs are under the same pool. On Q4.1, they are on different pools
QUBES_DOM0_POOL="/dev/qubes_dom0"
#Depending on which system we are restoring from, we might or might not need sudo. Set to "" if not needed.
SUDO_NEEDED=""
#WYNG python version options
SPARSE_MODE="--sparse-write"
#Passed as --subdir together with --from=internal:/ in the restore loop below
WYNG_BACKUP_FROM_ARCHIVE_DIR="media/wyng-backups/home/user/wyng-backups"

#Download wyng-backup in known and well tested version
#NOTE: the URL below tracks the head of the fix03 branch, not a fixed commit, and the tarball is used without a checksum or signature check.
if [ "$(whoami)" != "root" ] && ! [ -e ./wyng-backup-fix03/wyng ]; then
  #We are not root and wyng is not yet extracted in the local directory
  echo "Downloading and extracting wyng in local directory..."
  wget https://github.com/tasket/wyng-backup/archive/refs/heads/fix03.tar.gz -O ./wyng-backup-fix03.tar.gz || { echo "Unable to connect to github... Check internet connectivity."; exit 1; }
  tar zxvf ./wyng-backup-fix03.tar.gz || { echo "Unable to extract wyng archive."; exit 1; }
  echo "Downloaded and extracted wyng locally. Please rerun the script with sudo now."
elif [ -e ./wyng-backup-fix03/wyng ] && [ "$(whoami)" == "root" ]; then
  #We have wyng extracted in local directory, and we are root. We are now able to do operations on disk.
  #Following example takes into consideration Q4.0 OEM disk image.
  if ! $SUDO_NEEDED mount | grep -q wyng-backups; then
    #Unlock the LUKS container, activate its LVM volumes and mount the volume holding the backups
    $SUDO_NEEDED cryptsetup luksOpen "${INSTALL_DISK}2" qubes_dom0
    $SUDO_NEEDED lvm vgchange -ay qubes_dom0
    $SUDO_NEEDED lvm lvchange -ay qubes_dom0
    $SUDO_NEEDED mkdir -p /media/wyng-backups
    $SUDO_NEEDED mount /dev/qubes_dom0/vm-wyng-backups-private /media/wyng-backups
  fi

  #Import the OEM public key and run the verification script shipped beside the backups
  gpg --import "$GPG_OEM_KEY" > /dev/null 2>&1
  cd "$OEM_MOUNT" > /dev/null 2>&1 || { echo "Unable to enter $OEM_MOUNT. Is the wyng-backups volume mounted?"; exit 1; }
  ./verify_backups.sh
  cd - > /dev/null 2>&1
  #Let the user review the verification output before anything is written to disk
  read -r -p "Press Enter to continue or CTRL-C to abort..."

  #Each directory under default/ is one restorable volume; the empty name produced for default/ itself is skipped below
  RestorableLVMs=$(find "$WYNG_BACKUPS_ARCHIVE_DIR/default/" -maxdepth 1 -type d | awk -F "/" '{print $NF}')
  echo "$RestorableLVMs" | while read -r lvm; do
    if [ -n "$lvm" ]; then
      #dom0 root is backed up under the root-autosnap LVM by dom0's systemd shutdown script.
      if [ "$lvm" == "root-autosnap" ]; then
        dest="$QUBES_DOM0_POOL/root"
      else
        dest="$QUBES_VM_POOL/$lvm"
      fi
      echo ""
      echo "Restoring wyng-backup archive: $lvm into Thin LVM volume: $dest..."
      echo "Running command: time $SUDO_NEEDED ./wyng-backup-fix03/wyng -u --from=internal:/ --subdir=$WYNG_BACKUP_FROM_ARCHIVE_DIR receive $lvm --save-to $dest $SPARSE_MODE"
      time $SUDO_NEEDED ./wyng-backup-fix03/wyng -u --from=internal:/ --subdir="$WYNG_BACKUP_FROM_ARCHIVE_DIR" receive "$lvm" --save-to "$dest" $SPARSE_MODE
    fi
  done

  echo "Restoring /boot content with validated archive content..."
  bzcat /media/wyng-backups/home/user/boot.bzip2 | $SUDO_NEEDED dd of="${INSTALL_DISK}1" bs=8M status=progress
  $SUDO_NEEDED sync
  echo "System restored to OEM shipped state."
  echo "Note that Qubes is no longer aware of additional qubes that were created since the OEM deployed state. The LVMs associated with those qubes are still present and should be removed manually."
  echo "On next reboot, Heads will not recognize any state of the system."
  echo "You will have to:"
  echo "Settings->TPM/TOTP/HOTP Options -> Reset TPM. You can type your GPG Admin PIN there to reown TPM. Scan QR code. And reseal HOTP with GPG Admin PIN when requested"
  echo "Settings-> Sign /boot content"
  echo "Settings-> Boot options -> Show boot options. From there, select the first grub option shown, and then accept to modify disk, reuse encrypted partition, and type your Disk Recovery Key passphrase, GPG User PIN and renew/change your Disk Unlock Key passphrase when requested."
  echo "You will then be able to boot into known, authenticated OEM shipped disk image state."
  echo "If in doubt of Firmware state, contact Insurgo for instructions on how to flash upstream Heads version."
else
  #We are either root without wyng extracted in the local directory, or non-root with wyng already extracted.
  #Remind user to launch first as non-root to download and extract wyng, then run as root (sudo).
  echo "You need to first execute this script without root privilege under Tails to be able to download wyng locally. Then run this script with sudo."
fi