ops: add uninstall.sh, fix firewall service path

[baudbot-agent]

• bin/uninstall.sh: reverses everything setup.sh does
• setup.sh: add reminder to keep uninstall.sh in sync
• hornet-firewall.service: use REPO_DIR placeholder
• README: add uninstall commands

[greptile-apps]

Greptile Summary

Adds comprehensive uninstall functionality that reverses all system changes made by setup.sh, and fixes the firewall service to use a location-agnostic __REPO_DIR__ placeholder instead of hardcoded paths.

• New bin/uninst�.sh with --dry-run, --keep-home, and --yes flags for safe uninstallation
• Updated setup.sh to substitute __REPO_DIR__ placeholder when installing firewall service
• hornet-firewall.service now uses placeholder for ExecStart path
• Added uninstall documentation to README

Confidence Score: 4/5

• Safe to merge with one minor iptables flag inconsistency in the service file
• The uninstall script is well-structured with proper safeguards (dry-run, confirmation prompts) and systematically reverses setup.sh. The placeholder approach for the service file is solid. One syntax issue: ExecStop missing -w flag on iptables commands for lock handling consistency.
• bin/hornet-firewall.service needs the -w flag added to ExecStop

Important Files Changed

Filename	Overview
bin/uninstall.sh	New uninstall script that systematically reverses setup.sh operations with dry-run and confirmation safeguards
bin/hornet-firewall.service	Updated to use __REPO_DIR__ placeholder, making service file location-agnostic; ExecStop missing -w flag
setup.sh	Added placeholder substitution for firewall service and reminder comment to sync with uninstall.sh
README.md	Added uninstall commands documentation with dry-run and actual execution examples

Flowchart

flowchart TD
    A[Run uninstall.sh] --> B{Check root?}
    B -->|Not root| Z1[Exit: Must be root]
    B -->|Root| C{Parse flags}
    C --> D{--dry-run or --yes?}
    D -->|No| E[Show warning + prompt]
    E -->|User cancels| Z2[Exit: Aborted]
    E -->|User confirms| F[Kill processes]
    D -->|Yes| F
    
    F --> G[Stop firewall service]
    G --> H[Remove iptables rules]
    H --> I[Restore /proc mount]
    I --> J[Remove /etc/fstab entry]
    J --> K[Remove sudoers]
    K --> L[Remove wrappers]
    L --> M[Delete procview group]
    M --> N[Remove pre-commit hook]
    N --> O{--keep-home?}
    O -->|Yes| P[userdel hornet_agent]
    O -->|No| Q[userdel -r hornet_agent]
    P --> R[Show summary]
    Q --> R
    R --> S[Done]

Loading

_{Last reviewed commit: 3311981}

[greptile-apps]

_{4 files reviewed, 1 comment}

_{Edit Code Review Agent Settings | Greptile}

[sentry]

Bug: The while loop on line 139 executes iptables deletion commands directly, bypassing the --dry-run flag check and making unintended changes to the system's firewall rules.
_{Severity: MEDIUM}

Suggested Fix

Wrap the while loop in a conditional check for the $DRY_RUN flag. If $DRY_RUN is true, print a message indicating what would happen. Otherwise, execute the while loop to delete the rules. This makes the behavior consistent with the rest of the script.

if $DRY_RUN; then
  echo "  [dry-run] while iptables -w -D OUTPUT -j HORNET_OUTPUT; do :; done"
else
  while iptables -w -D OUTPUT -j HORNET_OUTPUT 2>/dev/null; do :; done
fi

Prompt for AI Agent

Review the code at the location below. A potential bug has been identified by an AI
agent.
Verify if this is a real issue. If it is, propose a fix; if not, explain why it's not
valid.

Location: bin/uninstall.sh#L139

Potential issue: In the uninstall script, a `while` loop on line 139 is used to delete
`iptables` rules. This command is executed directly in the loop's condition and is not
wrapped by the `run()` helper function. As a result, the `iptables` deletion command
will execute even when the script is run with the `--dry-run` flag, which is intended to
prevent any changes. This behavior is inconsistent with the rest of the script, where
destructive operations respect the dry-run mode, and it violates the user's expectation
that no firewall rules will be modified.

_{Did we get this right? 👍 / 👎 to inform future reviews.}