#!/bin/bash # uninstall.sh — Remove the OAuth token sync service set -uo pipefail LOG_PREFIX="[uninstall]" log() { echo "$LOG_PREFIX $*"; } echo "" echo "Removing OAuth Token Sync for OpenClaw" echo "=======================================" echo "" # Stop and disable systemd services for svc in sync-oauth-token.service refresh-claude-token.service refresh-claude-token.timer trigger-claude-refresh.service trigger-claude-refresh.timer; do if systemctl is-active --quiet "$svc" 2>/dev/null; then log "Stopping $svc..." systemctl stop "$svc" fi if systemctl is-enabled --quiet "$svc" 2>/dev/null; then log "Disabling $svc..." systemctl disable "$svc" fi if [ -f "/etc/systemd/system/$svc" ]; then log "Removing /etc/systemd/system/$svc" rm -f "/etc/systemd/system/$svc" fi done systemctl daemon-reload 2>/dev/null # Remove installed scripts for script in /usr/local/bin/sync-oauth-token.sh /usr/local/bin/refresh-claude-token.sh /usr/local/bin/trigger-claude-refresh.sh; do if [ -f "$script" ]; then log "Removing $script" rm -f "$script" fi done # ============================================================================ # Webhook Security Cleanup (if installed) # ============================================================================ WH_INSTALLED=false for wh_file in /etc/nginx/njs/gitea-hmac-verify.js /etc/nginx/gitea-webhook-secret /etc/nginx/gitea-repo-allowlist.json /opt/webhook-security /usr/local/bin/gitea-approve-repo; do if [ -e "$wh_file" ]; then WH_INSTALLED=true break fi done if $WH_INSTALLED; then echo "" echo "Webhook security files detected." read -rp "[uninstall] Remove webhook security files? [y/N]: " WH_CONFIRM WH_CONFIRM="${WH_CONFIRM:-N}" if [[ "$WH_CONFIRM" =~ ^[Yy] ]]; then # Remove njs module if [ -f /etc/nginx/njs/gitea-hmac-verify.js ]; then log "Removing /etc/nginx/njs/gitea-hmac-verify.js" rm -f /etc/nginx/njs/gitea-hmac-verify.js fi # Remove secret file if [ -f /etc/nginx/gitea-webhook-secret ]; then log "Removing /etc/nginx/gitea-webhook-secret" rm -f /etc/nginx/gitea-webhook-secret fi # Remove allowlist if [ -f /etc/nginx/gitea-repo-allowlist.json ]; then log "Removing /etc/nginx/gitea-repo-allowlist.json" rm -f /etc/nginx/gitea-repo-allowlist.json fi # Remove scripts directory if [ -d /opt/webhook-security ]; then log "Removing /opt/webhook-security/" rm -rf /opt/webhook-security fi # Remove gitea-approve-repo helper if [ -f /usr/local/bin/gitea-approve-repo ]; then log "Removing /usr/local/bin/gitea-approve-repo" rm -f /usr/local/bin/gitea-approve-repo fi # Remove webhook-security cron entries if crontab -l 2>/dev/null | grep -q 'webhook-security\|ntfy-blocked-pickup\|rotate-webhook-secret\|webhook-audit-alert'; then log "Removing webhook-security cron entries..." crontab -l 2>/dev/null | grep -v 'webhook-security\|ntfy-blocked-pickup\|rotate-webhook-secret\|webhook-audit-alert' | crontab - log "Cron entries removed" fi log "Webhook security files removed." echo "" log "IMPORTANT: You must also remove the webhook security configuration" log "from your nginx config manually:" log " - Remove js_path, js_import, and limit_req_zone from nginx.conf http block" log " - Remove the 'location = /hooks/gitea' block from your site config" log " - Remove the 'location /hooks/gitea-upstream' block from your site config" log " - Run: nginx -t && nginx -s reload" else log "Skipping webhook security cleanup." fi fi echo "" log "Done. The following files were NOT removed (contain your credentials):" log " - /root/.openclaw/credentials/oauth.json" log " - /root/openclaw/.env (ANTHROPIC_OAUTH_TOKEN)" log " - /root/.openclaw/agents/*/agent/auth-profiles.json" echo "" log "To fully clean up, remove those manually if needed."