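#!/usr/bin/env bash
#
# Uninstaller for the nft-fw-nd-priv firewall deployment.
#
# Steps, in order:
#   1. stop/disable the nft-fw.service systemd unit, if present;
#   2. run /usr/local/sbin/fw-stop (if installed) to tear the firewall down;
#   3. delete the installed helper scripts (fw-apply, fw-stop);
#   4. move the template, default config, unit file and the fail2ban drop-in
#      into a timestamped backup directory next to this script;
#   5. reload systemd and restart fail2ban (only if it is already running).
#
# NOTE: after step 2 the host may be left without any nftables ruleset
# (whatever fw-stop leaves behind). Make sure that is acceptable before
# running this on an exposed machine. update-alternatives entries are
# deliberately not touched.
#
# The backup tree is created below this script's own directory; run the
# script from a root-owned location, not from a shared/world-writable one.
#
# Must be run as root. Requires bash ([[ ]], ${BASH_SOURCE[0]}, EUID).
set -euo pipefail

# Backups may contain firewall configuration; keep everything we create
# readable by root only.
umask 077

readonly SERVICE="nft-fw.service"
readonly F2B_DROPIN="/etc/fail2ban/jail.d/nft-fw-nd-priv.local"
readonly FW_STOP="/usr/local/sbin/fw-stop"

# Resolve this script's directory so the backup tree lands next to it
# (works when invoked through a symlink).
SCRIPT_DIR="$(cd -- "$(dirname -- "${BASH_SOURCE[0]}")" && pwd)"
readonly SCRIPT_DIR
BACKUP_DIR="${SCRIPT_DIR}/uninstalled-$(date +"%Y%m%d-%H%M%S")"
readonly BACKUP_DIR

# Log a progress line to stdout with the script's prefix.
say() { printf '[nft-fw-nd-priv:remove] %s\n' "$*"; }

# Log an error to stderr and abort.
die() { say "ERROR: $*" >&2; exit 1; }

# Abort unless running as root (EUID, falling back to id -u).
need_root() {
  if [[ "${EUID:-$(id -u)}" -ne 0 ]]; then
    die "Please run as root."
  fi
}

# Create BACKUP_DIR exactly once, and only if nothing exists at that path.
# Deliberately no `mkdir -p`: if something is already there (e.g. a symlink
# planted in a shared directory before root runs this), refuse rather than
# let root move /etc files through it. Two runs within the same second also
# fail here instead of silently sharing a directory.
BACKUP_DIR_READY=0
ensure_backup_dir() {
  if (( BACKUP_DIR_READY == 0 )); then
    mkdir -m 0700 -- "$BACKUP_DIR" \
      || die "Refusing to reuse existing backup path: $BACKUP_DIR"
    BACKUP_DIR_READY=1
  fi
}

# Move a file into BACKUP_DIR, preserving its absolute path below it,
# e.g. /etc/default/nft-fw -> $BACKUP_DIR/etc/default/nft-fw.
# Arguments: $1 - absolute path of the file to move.
# Missing files are logged and skipped.
backup_then_remove() {
  local src="$1"
  if [[ ! -e "$src" ]]; then
    say "Not present: $src"
    return 0
  fi
  ensure_backup_dir
  local dst="${BACKUP_DIR}/${src#/}"   # strip the leading '/'
  mkdir -p -- "$(dirname -- "$dst")"
  say "Backing up $src -> $dst"
  mv -f -- "$src" "$dst"
}

# Delete a file outright (no backup).
# Arguments: $1 - path to remove. Missing files are logged and skipped.
remove_file() {
  local target="$1"
  if [[ ! -e "$target" ]]; then
    say "Not present: $target"
    return 0
  fi
  say "Removing $target"
  rm -f -- "$target"
}

# True if systemd has a unit file named $SERVICE.
# Written without `... | grep -q` on purpose: under `set -o pipefail`, grep's
# early exit can SIGPIPE the producer and turn a genuine match into a
# non-zero pipeline status, which would wrongly skip `disable`.
unit_installed() {
  local listed
  listed="$(systemctl list-unit-files --no-legend -- "$SERVICE" 2>/dev/null || true)"
  [[ -n "$listed" ]]
}

# Stop and disable the firewall unit. Best effort: a missing systemctl or a
# failing stop must not abort the uninstall.
stop_service() {
  say "Stopping/disabling systemd unit (if present)..."
  command -v systemctl >/dev/null 2>&1 || return 0
  if unit_installed; then
    systemctl disable --now "$SERVICE" || true
  else
    # Unit file already gone, but a loaded/running instance may remain.
    systemctl stop "$SERVICE" 2>/dev/null || true
  fi
}

# Back up and remove our fail2ban jail drop-in; fail2ban itself stays.
clean_fail2ban() {
  say "Cleaning fail2ban drop-in (leaving fail2ban installed)..."
  if [[ ! -e "$F2B_DROPIN" ]]; then
    say "Not present: $F2B_DROPIN"
    return 0
  fi
  backup_then_remove "$F2B_DROPIN"
  if command -v systemctl >/dev/null 2>&1; then
    # try-restart: make a running fail2ban drop the removed jail, but do not
    # start a fail2ban that was deliberately stopped.
    systemctl try-restart fail2ban 2>/dev/null || true
  fi
}

main() {
  need_root
  say "Backup directory (if needed): $BACKUP_DIR"

  stop_service

  say "Trying to stop firewall via fw-stop (if installed)..."
  if [[ -x "$FW_STOP" ]]; then
    # Best effort. The ruleset is torn down here: from this point the host
    # is unfiltered unless another firewall takes over.
    "$FW_STOP" || true
  fi

  say "Removing installed scripts..."
  remove_file /usr/local/sbin/fw-apply
  remove_file "$FW_STOP"

  say "Removing template..."
  backup_then_remove /etc/nftables.conf.in

  say "Removing default config..."
  backup_then_remove /etc/default/nft-fw

  say "Removing systemd unit file..."
  backup_then_remove "/etc/systemd/system/${SERVICE}"

  say "Reloading systemd..."
  if command -v systemctl >/dev/null 2>&1; then
    systemctl daemon-reload || true
  fi

  clean_fail2ban

  say "Done."
  say "Note: update-alternatives were left unchanged (as requested)."
  say "Backups (if any) are in: $BACKUP_DIR"
}

main "$@"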