update bootstrap script + onboarding docs

Andrei Jiroh Eugenio Halili 2021-09-29 18:12:51 +08:00
parent 7d3cf39eb8
commit b6d41ada49
2 changed files with 47 additions and 15 deletions


@ -129,21 +129,32 @@ cloneRepo() {
git -C "$HOME/.dotfiles" pull origin
fi
sleep 5
}
if [[ $GITLAB_TOKEN == "" ]] && [[ $GITLAB_LOGIN == "" ]] && [ ! -d "$HOME/.dotfiles/secrets" ]; then
# Decouple secrets repo cloning process from the main
cloneSecretsRepo() {
# Since I also have an GitHub mirror of that private repo, maybe we can set an variable for that
if [[ $USE_GH_SECRETS_MIRROR != "" ]]; then
true # just an bypass command to avoid these steps below
elif [[ $GITLAB_TOKEN == "" ]] && [[ $GITLAB_LOGIN == "" ]] && [ ! -d "$HOME/.dotfiles/secrets" ]; then
error "GitLab login and token can't be blank!" && exit 1
# Probably change my GitLab SaaS username with yours
elif [[ $GITLAB_LOGIN != "ajhalili2006" ]] && [ ! -d "$HOME/.dotfiles/secrets" ]; then
error "Only Andrei Jiroh can do this!" && exit 1
elif [[ $GITLAB_LOGIN == "ajhalili2006" ]] && [[ $GITLAB_TOKEN == "" ]] && [ ! -d "$HOME/.dotfiles/secrets" ]; then
error "Missing GitLab SaaS PAT! Check your Bitwarden vault for that key." && exit 1
error "Missing GitLab SaaS PAT! Check your Bitwarden vault for that key or use GitHub mirror instead." && exit 1
fi
if [ ! -d "$HOME/.dotfiles/secrets" ]; then
echoStageName "Cloning secrets repo"
git clone https://$GITLAB_LOGIN:$GITLAB_TOKEN@gitlab.com/ajhalili2006/dotfiles-secrets $HOME/.dotfiles/secrets
[ $? != "0" ] && echo "error: That kinda sus, but either only Andrei Jiroh can proceed or maybe the PAT you used is invalid." && exit 1
if [[ $USE_GH_SECRETS_MIRROR != "" ]]; then
gh repo clone ajhalili2006/dotfiles-secrets
elif ! git clone https://$GITLAB_LOGIN:$GITLAB_TOKEN@gitlab.com/ajhalili2006/dotfiles-secrets $HOME/.dotfiles/secrets; then
echo "error: That kinda sus, but either only Andrei Jiroh can proceed or maybe the PAT you used is invalid." && exit 1
fi
chmod 760 $HOME/.dotfiles/secrets
git -C "$HOME/.dotfiles/secrets" remote set-url origin git@gitlab.com:ajhalili2006/dotfiles-secrets
else
chmod 760 $HOME/.dotfiles/secrets
git -C "$HOME/.dotfiles/secrets" fetch --all
@ -152,6 +163,15 @@ cloneRepo() {
sleep 5
}
# Install GitHub CLI if we're gonna use that GitHub mirror
ghCli() {
if [[ $DOTFILES_OS_NAME == "debian-ubuntu" ]] && [[ "$(command -v gh)" == "" ]]; then
curl -fsSL https://cli.github.com/packages/githubcli-archive-keyring.gpg | sudo gpg --dearmor -o /usr/share/keyrings/githubcli-archive-keyring.gpg
echo "deb [arch=$(dpkg --print-architecture) signed-by=/usr/share/keyrings/githubcli-archive-keyring.gpg] https://cli.github.com/packages stable main" | sudo tee /etc/apt/sources.list.d/github-cli.list > /dev/null
sudo apt update && sudo apt install gh
fi
}
cleanup() {
echoStageName "Bootstrapper successfully ran, cleaning up to ensure no secrets are leaked on env vars..."
# just add chaos to these secrets to avoid leaks
@ -237,12 +257,15 @@ copyNanoConfig() {
installShellCheck() {
echoStageName "Installing Shellcheck"
scversion="stable" # or "v0.4.7", or "latest"
SHELLCHECK_ARCHIVE_URL="https://github.com/koalaman/shellcheck/releases/download/${scversion?}/shellcheck-${scversion?}.linux.x86_64.tar.xz" # TODO: Also detect other arches, especially on i386
if [[ $SKIP_DEPENDENCY_INSTALL == "" ]]; then
scversion="stable" # or "v0.4.7", or "latest"
current_shellcheck_path=$(command -v shellcheck)
isOwnedByUser="$(find $PREFIX/bin -user $USER -file shellcheck)"
isOwnedByUser="$(find $PREFIX/bin -user $USER -name shellcheck)"
current_path_dir="$(dirname $current_shellcheck_path)"
wget -qO- "https://github.com/koalaman/shellcheck/releases/download/${scversion?}/shellcheck-${scversion?}.linux.x86_64.tar.xz" | tar -xJv -C "$HOME"
wget -qO- "$SHELLCHECK_ARCHIVE_URL" | tar -xJv -C "$HOME"
if [[ $current_shellcheck_path == "" ]]; then
cp "$HOME/shellcheck-${scversion}/shellcheck" "$PREFIX/bin"
elif [[ $current_shellcheck_path == "$PREFIX/bin/shellcheck" ]]; then
@ -371,6 +394,10 @@ main() {
# step 2: install needed tools and create ~/.local/bin
installDeps
userspcaeBinDirCheck
[[ $USE_GH_SECRETS_MIRROR != "" ]] && ghCli
# Possibly interactively sign in to the CLI if GITHUB_TOKEN isn't provided
[[ $GITHUB_TOKEN == "" && $USE_GH_SECRETS_MIRROR == "" ]] && gh auth login
# step 3.1: then clone the repo
cloneRepo
@ -387,6 +414,7 @@ main() {
installCode
# step 5: copy and symlink files
cloneSecretsRepo # Run this before we even copy the ssh keys!
copyGitConfig
copyNanoConfig
copyBashrc
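Review bot: In cloneSecretsRepo the mirror branch runs `gh repo clone ajhalili2006/dotfiles-secrets` with no destination, so the private checkout lands in `./dotfiles-secrets` under whatever the current directory is, and the following `chmod 760 $HOME/.dotfiles/secrets` and `git -C "$HOME/.dotfiles/secrets" remote set-url` act on a path that was never created. Pass the target and check the result, e.g. `gh repo clone ajhalili2006/dotfiles-secrets "$HOME/.dotfiles/secrets" || exit 1`, so the secrets never sit in a directory with default permissions. In the main() hunk the login guard looks inverted: with `$USE_GH_SECRETS_MIRROR == ""` it runs `gh auth login` only when the mirror was not requested (and ghCli was skipped), so it should probably read `[[ $GITHUB_TOKEN == "" && $USE_GH_SECRETS_MIRROR != "" ]] && gh auth login`. The GitLab branch still places `$GITLAB_TOKEN` in the clone URL on the command line, unquoted, where it is visible in the process list and in any `set -x` trace; a credential helper or `GIT_ASKPASS` would keep it off argv. Both cloneSecretsRepo and main() continue outside the visible hunks, so the surrounding error handling could not be checked.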


@ -5,7 +5,7 @@ This onboarding page documents how do I bootstrap stuff for an new Linux machine
## Prerequisites
* Access to my Bitwarden vault for GitLab PAT on an Vaultwarden instance at Railway. Once email has been fixed, probably my phone with 2FA number used for Google OR Authy app and Telegram client of choice.
* An working browser, preferrly Chrome or Firefox.
* An working browser, preferrly Firefox.
* An desktop environment preinstalled, in case of Alpine/Arch/Gentoo-based distros, proceed with Xfce4. Unless has atleast 4 GBs of memory on an amd64 machine, install GNOME or KDE instead.
### Pre-flight Check
@ -15,14 +15,22 @@ This onboarding page documents how do I bootstrap stuff for an new Linux machine
* Check if Bash and/or Git is preinstalled while in live environment.
* Remember to note down the root password! You may also need to take down notes of your regular account password too, if sudo is configured.
* If you're trying an new distro (Arch, Gentoo, RHEL) or got an ChromeOS preinstalled and enabled devmode and Linux stuff, please install the tools one by one and note it down here in this document.
* Check if that distro either has GitHub CLI from the official package repos (or atleast community maintained ones). Otherwise, maybe opt to building from source or use prebuilt binaries from GitHub Releases.
## Termux
TODO
> **:warning: Termux is only available for Android 7 to 9 on F-roid due to compatibility reasons!** Things start to blur once you upgrade to Android 10 or above, as more restrictions have been implemented, see ISSUE-TODO-LINK.
## Debian, Ubuntu and friends
TODO
Bash, GNU coreutils and curl/wget is pre-installed, but you may need to manually upgrade to their latest versions from the backports, especially if they're too far from the latest release.
As an final check before proceeding, install gnupg and friends before running the bootstrap script:
```sh
# they'll be also installed if you don't do this
sudo apt install gnupg gnupg-agent dirmgr --yes
```
## Alpine Linux
@ -48,11 +56,7 @@ http://dl-cdn.alpinelinux.org/alpine/edge/community
Now, run `apk update` followed by `apk upgrade` to update all packages to their latest versions in the `edge` branch.
Finally, follow the bootstrapping process of the dotfiles in the root README, which, as usual:
* export both the GitLab SaaS username and password with `export GITLAB_LOGIN=ajhalili2006 GITLAB_TOKEN=pat-from-bw-vault`
* run the main script with `curl -fsSL https://ajhalili2006.gitlab.io/linux-bootstrap.sh | bash -`
* optionally run the post-setup script to add my package signing key for Alpine, GPG keys, and probably my KeexPass stuff with `./tools/post-setup/alpine.sh`
Finally, follow the bootstrapping process of the dotfiles as mentioned in the root README.
## Gitpod?