#!/usr/bin/env bash
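set -euo pipefail

# ===== logging helpers =====
# Load the shared helper library when it ships next to this script; otherwise
# define minimal log/info/warn fallbacks so the script still runs standalone.
#
# The library is looked up beside the script file, not in the caller's current
# directory. This script edits /etc, purges packages and changes firewall
# rules, so it is presumably run with elevated privileges; a CWD-relative
# `source ./90_lib.sh` would execute whatever file of that name sits in the
# directory the operator happened to invoke it from.
TURN_CLEANUP_DIR="$(cd -- "$(dirname -- "${BASH_SOURCE[0]:-$0}")" && pwd)"
if [[ -f "${TURN_CLEANUP_DIR}/90_lib.sh" ]]; then
  # shellcheck disable=SC1091
  source "${TURN_CLEANUP_DIR}/90_lib.sh"
  # load_env is expected to come from 90_lib.sh; its failure is tolerated so
  # the cleanup can still run on the built-in defaults.
  load_env || true
else
  log() { printf '[+] %s\n' "$*"; }
  info() { printf '[*] %s\n' "$*"; }
  # Warnings are diagnostics, so the fallback keeps them off stdout.
  warn() { printf '[!] %s\n' "$*" >&2; }
fi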
# ===== defaults (overridable via .env) =====
: "${TURN_MIN_PORT:=49152}"
: "${TURN_MAX_PORT:=65535}"
: "${TURN_DOCKER_IMAGE:=coturn/coturn:latest}"
: "${CONTAINER_NAME:=coturn}"
#######################################
# Print the command-line help text.
# Arguments: none
# Outputs:   usage text on stdout; $0 expands to the name the script was
#            invoked as
#######################################
usage() {
  printf '%s\n' \
    "Usage: $0 [--docker-only] [--apt-only] [--keep-firewall] [--keep-config]" \
    'Removes coturn (APT + Docker), configs under /etc/coturn, UFW rules for 3478/5349 and TURN UDP range,' \
    'and the LE renewal hook used by the docker installer.' \
    'Flags:' \
    '--docker-only Remove only Docker container/image and related files.' \
    '--apt-only Remove only APT coturn and related files.' \
    '--keep-firewall Do not delete UFW rules.' \
    '--keep-config Keep /etc/coturn directory (configs and cert copies).'
}
# Mode switches; each stays "false" unless its flag appears on the command line.
DOCKER_ONLY=false
APT_ONLY=false
KEEP_FW=false
KEEP_CFG=false

# ---- parse args (fixed: no phantom empty arg) ----
# Every argument must be a known flag. -h/--help prints usage and exits 0;
# anything unrecognised is reported, followed by usage, and exits 1.
# NOTE(review): nothing here checks for root. The later removal steps are
# written as best-effort, so an unprivileged run still ends with
# "TURN cleanup complete." even though little or nothing was removed.
for arg; do
  case "$arg" in
    -h | --help)
      usage
      exit 0
      ;;
    --docker-only)
      DOCKER_ONLY=true
      ;;
    --apt-only)
      APT_ONLY=true
      ;;
    --keep-firewall)
      KEEP_FW=true
      ;;
    --keep-config)
      KEEP_CFG=true
      ;;
    *)
      warn "Unknown arg: $arg"
      usage
      exit 1
      ;;
  esac
done

# The two "only" modes exclude each other.
if [[ "$DOCKER_ONLY" == "true" ]] && [[ "$APT_ONLY" == "true" ]]; then
  warn "Choose at most one of --docker-only or --apt-only"
  exit 1
fi
# ===== Docker cleanup =====
# Skipped with --apt-only. When a docker CLI is on PATH, force-removes the
# container named by CONTAINER_NAME and the image named by TURN_DOCKER_IMAGE.
# Both removals are best-effort: their output and exit status are discarded,
# so "nothing to remove" and "removal failed" look the same from here.
# NOTE(review): only the exact image reference in TURN_DOCKER_IMAGE is
# removed; if the installer pulled a different tag or digest, that image would
# remain. Confirm with `docker ps -a` and `docker image ls` after the run.
if [[ "$APT_ONLY" != "true" ]]; then
  log "Docker: removing coturn container/image (if present)"
  if ! command -v docker >/dev/null 2>&1; then
    info "Docker not installed; skipping docker removal"
  else
    docker rm -f "$CONTAINER_NAME" >/dev/null 2>&1 || true
    docker image rm -f "$TURN_DOCKER_IMAGE" >/dev/null 2>&1 || true
  fi
fi
# ===== APT cleanup =====
# Skipped with --docker-only. Stops and disables the coturn unit, refreshes
# the package index, purges the coturn package, then runs autoremove. Every
# step is best-effort (`|| true`), so a failure does not stop the script.
# NOTE(review): `apt-get autoremove -y` is not limited to coturn's own
# dependencies; it removes every package apt currently marks as no longer
# needed. Review what it removed on hosts where that matters.
if [[ "$DOCKER_ONLY" != "true" ]]; then
  log "APT: stopping & purging coturn (if installed)"
  systemctl disable --now coturn 2>/dev/null || true
  apt-get update -y >/dev/null || true
  env DEBIAN_FRONTEND=noninteractive apt-get purge -y coturn || true
  env DEBIAN_FRONTEND=noninteractive apt-get autoremove -y || true
fi
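# ===== Files & hooks =====
# Unless --keep-config was given, delete the known coturn files under
# /etc/coturn, then remove the directory itself only if it ended up empty
# (rmdir refuses a non-empty directory, so any other files there survive).
if [[ "$KEEP_CFG" == "true" ]]; then
  info "Keeping /etc/coturn per --keep-config"
else
  log "Files: removing /etc/coturn configs and local cert copies"
  rm -rf /etc/coturn/certs 2>/dev/null || true
  for coturn_file in turnserver.conf docker.cfg.sha256 docker.args; do
    rm -f "/etc/coturn/${coturn_file}" 2>/dev/null || true
  done
  rmdir /etc/coturn 2>/dev/null || true
fi

# The usage text describes this deploy hook as belonging to the docker
# installer, so it is left in place under --apt-only, where the Docker
# deployment is kept. Deleting it there would presumably leave the container
# without its reload step after the next certificate renewal.
HOOK="/etc/letsencrypt/renewal-hooks/deploy/30-coturn-docker-reload.sh"
if [[ "$APT_ONLY" != "true" && -f "$HOOK" ]]; then
  log "Files: removing LE renewal hook"
  rm -f "$HOOK" || true
fi
# (Real LE certs in /etc/letsencrypt/live/** are not touched)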
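# ===== Firewall =====
# Unless --keep-firewall was given, delete the UFW allow rules for TURN:
# 3478 and 5349 over TCP and UDP, plus the UDP relay range
# TURN_MIN_PORT:TURN_MAX_PORT.
#
# Deletion stays best-effort (one failure does not stop the others), but a
# failed delete is reported instead of being discarded. Otherwise a rule that
# could not be removed (insufficient privileges, a malformed port range from
# an override) would leave the port open while the script reports success.
# NOTE(review): this assumes ufw exits 0 when asked to delete a rule that does
# not exist, so repeated runs stay quiet; confirm on the target ufw version.
if [[ "$KEEP_FW" != "true" ]]; then
  log "Firewall: removing UFW rules for TURN (idempotent)"
  if command -v ufw >/dev/null 2>&1; then
    for fw_rule in 3478/tcp 3478/udp 5349/tcp 5349/udp \
      "${TURN_MIN_PORT}:${TURN_MAX_PORT}/udp"; do
      if ! ufw --force delete allow "$fw_rule" 2>/dev/null; then
        warn "Firewall: could not delete UFW rule 'allow ${fw_rule}'; check 'ufw status'"
      fi
    done
  else
    info "UFW not installed; skipping firewall cleanup"
  fi
else
  info "Keeping firewall rules per --keep-firewall"
fi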
# ===== Service artifacts & logs =====
# Runs on every invocation, whatever mode flags were given: removes the
# coturn unit file under /etc/systemd/system, reloads systemd, and deletes
# turnserver logs in /var/log plus turn_*.log files in /var/tmp.
# NOTE(review): because this is not gated on --docker-only/--apt-only, a
# partial cleanup also drops the unit file and the logs; copy the logs
# elsewhere first if they are still needed for an investigation.
# NOTE(review): "TURN cleanup complete." is printed unconditionally and does
# not mean every earlier best-effort step succeeded; the printed verification
# hint is the actual check.
log "Cleanup: residual service files & logs"
rm -f /etc/systemd/system/coturn.service 2>/dev/null || true
systemctl daemon-reload 2>/dev/null || true
rm -f /var/log/turnserver* /var/tmp/turn_*.log 2>/dev/null || true
info "TURN cleanup complete."
printf '%s\n' \
  '' \
  'Next steps:' \
  ' - Verify: ss -luntp | egrep ":3478|:5349" (no coturn listeners)' \
  ' - Re-run your installer script fresh when ready.'