Add kiosk setup and deployment scripts (Phases 5 + 9)

Phase 5 — RPi Kiosk:
- setup_kiosk.sh: full RPi OS Lite setup (X11, Chromium kiosk mode,
  auto-login, DPMS disabled, GPU memory split, screen rotation)
- kiosk.service: systemd unit for reliable auto-start
- update_kiosk.sh: reconfigure URL/rotation/resolution without re-setup
- Handles both Bullseye and Bookworm RPi OS versions

Phase 9 — Hardening + Deployment:
- install.sh: full server setup (apt/pacman, vigilar user, venv,
  directories, permissions, mosquitto config, systemd units)
- gen_cert.sh: TLS cert via mkcert or openssl fallback
- gen_vapid_keys.sh: VAPID keys for Web Push notifications
- setup_nut.sh: NUT configuration with USB UPS auto-detection
- backup.sh: SQLite snapshot + config archive, cron-ready
- uninstall.sh: clean removal with data preservation option
- vigilar.service: hardened systemd unit (ProtectSystem, NoNewPrivileges,
  PrivateTmp, syscall filtering)
- vigilar-mosquitto.conf: localhost-only MQTT broker config

All scripts idempotent, bash -n validated, support Debian + Arch.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

scripts/uninstall.sh

@@ -0,0 +1,130 @@
+#!/usr/bin/env bash
+set -euo pipefail
+
+# Vigilar — Uninstall script
+# Stops services, removes venv, systemd units, and mosquitto config.
+# Data and config are preserved by default.
+
+VIGILAR_USER="vigilar"
+INSTALL_DIR="/opt/vigilar"
+VENV_DIR="${INSTALL_DIR}/venv"
+CONFIG_DIR="/etc/vigilar"
+DATA_DIR="/var/vigilar"
+SYSTEMD_DIR="/etc/systemd/system"
+MOSQUITTO_CONF="/etc/mosquitto/conf.d/vigilar.conf"
+
+info()  { printf '\033[1;34m[INFO]\033[0m  %s\n' "$*"; }
+ok()    { printf '\033[1;32m[ OK ]\033[0m  %s\n' "$*"; }
+warn()  { printf '\033[1;33m[WARN]\033[0m  %s\n' "$*"; }
+
+# ---------------------------------------------------------------------------
+# 1. Stop and disable services
+# ---------------------------------------------------------------------------
+
+stop_services() {
+    info "Stopping and disabling services"
+
+    if systemctl is-active vigilar.service &>/dev/null; then
+        sudo systemctl stop vigilar.service
+    fi
+    if systemctl is-enabled vigilar.service &>/dev/null; then
+        sudo systemctl disable vigilar.service
+    fi
+
+    ok "Services stopped"
+}
+
+# ---------------------------------------------------------------------------
+# 2. Remove systemd units
+# ---------------------------------------------------------------------------
+
+remove_systemd() {
+    info "Removing systemd unit"
+    if [[ -f "${SYSTEMD_DIR}/vigilar.service" ]]; then
+        sudo rm -f "${SYSTEMD_DIR}/vigilar.service"
+        sudo systemctl daemon-reload
+    fi
+    ok "Systemd unit removed"
+}
+
+# ---------------------------------------------------------------------------
+# 3. Remove mosquitto config
+# ---------------------------------------------------------------------------
+
+remove_mosquitto_conf() {
+    info "Removing Vigilar mosquitto config"
+    if [[ -f "$MOSQUITTO_CONF" ]]; then
+        sudo rm -f "$MOSQUITTO_CONF"
+        sudo systemctl restart mosquitto.service 2>/dev/null || true
+    fi
+    ok "Mosquitto config removed"
+}
+
+# ---------------------------------------------------------------------------
+# 4. Remove venv and install dir
+# ---------------------------------------------------------------------------
+
+remove_venv() {
+    info "Removing venv at ${VENV_DIR}"
+    if [[ -d "$VENV_DIR" ]]; then
+        sudo rm -rf "$VENV_DIR"
+    fi
+    if [[ -d "$INSTALL_DIR" ]]; then
+        sudo rm -rf "$INSTALL_DIR"
+    fi
+    ok "Venv removed"
+}
+
+# ---------------------------------------------------------------------------
+# 5. Remove system user
+# ---------------------------------------------------------------------------
+
+remove_user() {
+    if id "$VIGILAR_USER" &>/dev/null; then
+        info "Removing system user '${VIGILAR_USER}'"
+        sudo userdel "$VIGILAR_USER" 2>/dev/null || true
+        ok "User removed"
+    fi
+}
+
+# ---------------------------------------------------------------------------
+# 6. Optionally remove data
+# ---------------------------------------------------------------------------
+
+remove_data() {
+    if [[ -d "$DATA_DIR" ]]; then
+        echo
+        warn "Data directory exists: ${DATA_DIR}"
+        warn "This contains recordings, database, and HLS segments."
+        read -rp "Delete data directory? [y/N] " answer
+        if [[ "$answer" =~ ^[Yy]$ ]]; then
+            sudo rm -rf "$DATA_DIR"
+            ok "Data directory removed"
+        else
+            info "Data preserved at ${DATA_DIR}"
+        fi
+    fi
+}
+
+# ---------------------------------------------------------------------------
+# Main
+# ---------------------------------------------------------------------------
+
+main() {
+    info "=== Vigilar Uninstaller ==="
+    echo
+
+    stop_services
+    remove_systemd
+    remove_mosquitto_conf
+    remove_venv
+    remove_user
+    remove_data
+
+    echo
+    ok "=== Uninstall complete ==="
+    info "Config and secrets preserved at ${CONFIG_DIR}/"
+    info "To remove config/secrets too: sudo rm -rf ${CONFIG_DIR}"
+}
+
+main "$@"