#!/bin/sh
# uninstall.sh — completely remove the ZFW host firewall from a ZimaOS host.
#
# Run this ON the ZimaOS host as root:
#   sh uninstall.sh
# (or, as the unprivileged user:  echo '<password>' | sudo -S sh uninstall.sh)
#
# It undoes everything install.sh and the daemon set up, in a safe order:
#   1. revert all firewall rules -> back to stock ACCEPT (engine `revert`)
#   2. stop + disable the UI service and the boot watchdog timer
#   3. remove the watchdog units written into /etc
#   4. remove the sysext module and refresh the overlay
#   5. remove the engine, config and daemon data
#
# Every step is best-effort: a partial install (or one that was never
# committed) still uninstalls cleanly. Re-running it is harmless.
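set -u

# Install locations. Marked readonly so nothing further down can redirect
# the recursive deletes in step 5 to another path.
readonly NAME="zfw"
readonly EXT_DIR="/var/lib/extensions"
readonly ENGINE_DIR="/DATA/zfw"
readonly DATA_DIR="/DATA/AppData/zfw"
readonly UNIT_DIR="/etc/systemd/system"

# systemd unit names as systemctl sees them ...
readonly UI_SERVICE="zfw-ui.service"
readonly WATCHDOG_TIMER="zfw-ui-watchdog.timer"
readonly WATCHDOG_SERVICE="zfw-ui-watchdog.service"

# ... and the unit files on disk, derived from the names above so the
# stop/disable step and the rm step can never drift apart.
readonly PERSIST_UNIT="$UNIT_DIR/$NAME.service"
readonly WATCHDOG_SVC_PATH="$UNIT_DIR/$WATCHDOG_SERVICE"
readonly WATCHDOG_TIMER_PATH="$UNIT_DIR/$WATCHDOG_TIMER"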

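# Print one progress line to stdout, prefixed so it is easy to spot in logs.
# printf instead of echo: some /bin/sh implementations (dash among them)
# interpret backslash escapes in echo's arguments, which would mangle a
# message containing a path or user-supplied text.
say() { printf '%s\n' "[zfw-uninstall] $*"; }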
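# Print an error line to stderr and abort the whole script with status 1.
# Same printf-over-echo reasoning as say(): the message must reach the
# operator byte-for-byte.
die() { printf '%s\n' "[zfw-uninstall] ERROR: $*" >&2; exit 1; }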

# Everything below unlinks files in /etc and /var and talks to systemd, so
# refuse to continue at all unless we are actually root.
if [ "$(id -u)" -ne 0 ]; then
	die "must run as root — try:  sudo sh $0"
fi

# --- 1. revert all firewall rules: removes ZFW-IN / ZFW-OUT / DOCKER-USER
#        edits (v4 + v6), restores stock ACCEPT, and disables + deletes the
#        boot-persistence unit. This is the step that makes the firewall stop
#        affecting traffic — do it first so the host is reachable for the rest.
#        The engine is executed here with root privileges from $ENGINE_DIR;
#        this relies on that path being writable by root only (presumably
#        ensured by install.sh — confirm there). Its exit status is reported
#        but never fatal, so a broken engine still lets the cleanup finish.
if [ ! -x "$ENGINE_DIR/$NAME" ]; then
	say "engine not found at $ENGINE_DIR/$NAME — skipping rule revert"
else
	say "reverting firewall rules (stock state) ..."
	if ! "$ENGINE_DIR/$NAME" revert; then
		say "revert reported an error — continuing cleanup"
	fi
fi

# --- 2. stop + disable the UI service and the boot watchdog timer ---
#        The order below is deliberate and preserved: the timer is taken down
#        before the watchdog service, presumably so it cannot re-fire the
#        service mid-teardown. The watchdog service is only stopped, never
#        disabled — the timer appears to be the only thing that enables it;
#        confirm against the daemon. Units that do not exist are not an error
#        on a partial install, hence the silenced status.
say "stopping services ..."
for step in \
	"stop $WATCHDOG_TIMER" \
	"disable $WATCHDOG_TIMER" \
	"stop $WATCHDOG_SERVICE" \
	"stop $UI_SERVICE" \
	"disable $UI_SERVICE"
do
	# split "verb unit" back into two words (unit names contain no spaces)
	systemctl "${step%% *}" "${step#* }" 2>/dev/null || true
done

# --- 3. remove the watchdog units the daemon wrote into /etc ---
#        $PERSIST_UNIT is normally already gone (revert deletes it) but is
#        listed again for the case where revert was skipped because the
#        engine was missing. rm -f on an absent file is not an error.
for unit_file in "$WATCHDOG_SVC_PATH" "$WATCHDOG_TIMER_PATH" "$PERSIST_UNIT"; do
	rm -f -- "$unit_file" 2>/dev/null || true
done

# --- 4. remove the sysext module and refresh the overlay ---
#        Deleting the .raw image alone leaves the currently merged overlay in
#        place; the refresh is what drops it. If the refresh fails the image
#        is already gone, so the next boot comes up without it.
SYSEXT_IMAGE="$EXT_DIR/$NAME.raw"
if [ -f "$SYSEXT_IMAGE" ]; then
	rm -f "$SYSEXT_IMAGE"
	say "removed sysext module -> $SYSEXT_IMAGE"
fi
say "refreshing sysext overlay ..."
if ! systemd-sysext refresh 2>/dev/null; then
	say "sysext refresh failed — a reboot will clear it"
fi
# pick up the unit files removed in step 3
systemctl daemon-reload 2>/dev/null || true

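# --- 5. remove engine, config and daemon data ---
#        These are recursive deletes as root, so each path is guarded with
#        ${var:?}: an empty value aborts the script instead of expanding to
#        `rm -rf ""` (set -u only catches *unset* variables, not empty ones).
#        `--` keeps a value starting with '-' from being read as an option.
#        Failure is tolerated; whatever survives is reported by the verify
#        step below.
rm -rf -- "${ENGINE_DIR:?}" 2>/dev/null || true
rm -rf -- "${DATA_DIR:?}"   2>/dev/null || true
say "removed $ENGINE_DIR and $DATA_DIR"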

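# --- verify ---
#        Report anything that survived the steps above. The persistence unit
#        and the watchdog service unit are checked too, not just the timer:
#        a leftover unit file is the one thing that could bring parts of ZFW
#        back at the next boot, so it must not go unreported.
LEFT=""
[ -f "$EXT_DIR/$NAME.raw" ]   && LEFT="$LEFT $EXT_DIR/$NAME.raw"
[ -e "$ENGINE_DIR" ]          && LEFT="$LEFT $ENGINE_DIR"
[ -e "$DATA_DIR" ]            && LEFT="$LEFT $DATA_DIR"
[ -f "$PERSIST_UNIT" ]        && LEFT="$LEFT $PERSIST_UNIT"
[ -f "$WATCHDOG_SVC_PATH" ]   && LEFT="$LEFT $WATCHDOG_SVC_PATH"
[ -f "$WATCHDOG_TIMER_PATH" ] && LEFT="$LEFT $WATCHDOG_TIMER_PATH"

if [ -n "$LEFT" ]; then
	say "WARNING: these items could not be removed:$LEFT"
	say "remove them manually, then reboot."
else
	say "done — ZFW fully removed. The firewall is OFF (stock ACCEPT)."
	say "the ZimaOS dashboard tile disappears after the next page reload."
fi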
