# linux-bootstrap

## Oneliner

```bash
curl -fsSL https://gitea.big-chungus.me/moritz/linux-bootstrap/raw/branch/master/install.sh | bash
```

Forward flags to the bootstrapper after `--`:

```bash
# skip hardening, set hostname
curl -fsSL https://gitea.big-chungus.me/moritz/linux-bootstrap/raw/branch/master/install.sh \
  | bash -s -- --skip hardening --hostname web01

# everything including hardening
curl -fsSL https://gitea.big-chungus.me/moritz/linux-bootstrap/raw/branch/master/install.sh | bash -s -- --only base,cli,neovim,motd,shell,hardening
```

Override repo/ref/dest via env:

```bash
# set the variables on bash (the process that runs install.sh), not on curl
curl -fsSL https://gitea.big-chungus.me/moritz/linux-bootstrap/raw/branch/master/install.sh | REF=dev DEST=/srv/bootstrap bash
```

### Pure-git alternative (if git is already present)

```bash
git clone --depth=1 https://gitea.big-chungus.me/moritz/linux-bootstrap.git /opt/linux-bootstrap \
  && /opt/linux-bootstrap/bootstrap.sh
```

## Modules

| module     | default | description |
|------------|:------:|-------------|
| `base`     | yes    | apt update/upgrade + essentials: git, curl, tmux, htop, tree, rsync, jq, dnsutils, mtr, build-essential, … |
| `cli`      | yes    | modern CLI: ripgrep, fd, bat, fzf, btop |
| `neovim`   | yes    | neovim + the lua config in `config/nvim/` |
| `motd`     | yes    | dynamic login banner (host, IP, uptime, load, mem, disk, updates) |
| `shell`    | yes    | `fd`/`bat` symlinks + system-wide aliases in `/etc/profile.d`, `EDITOR=nvim` |
| `hardening`| **no** | opt-in: unattended-upgrades, fail2ban sshd jail |

```bash
./bootstrap.sh --list         # show modules
./bootstrap.sh --only nvim    # just (re)deploy nvim config
./bootstrap.sh --skip motd    # run everything except motd
```

## Customizing

- nvim: edit `config/nvim/lua/core/*.lua` and `config/nvim/lua/core/plugins.lua`
- banner: edit `config/motd/01-banner.sh`
- aliases / packages: edit the `mod_*` functions in `bootstrap.sh`

## Optional: SSH hardening (do this manually, with care)

After confirming key-based login works:

```bash
sudo tee /etc/ssh/sshd_config.d/99-hardening.conf >/dev/null <<'EOF'
PasswordAuthentication no
PermitRootLogin prohibit-password
KbdInteractiveAuthentication no
EOF
sudo systemctl reload ssh   # or sshd, depending on distro
```
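
An added check, not part of the linux-bootstrap repository: sshd keeps the first value it reads for each keyword, so a drop-in that sorts before `99-hardening.conf` in `/etc/ssh/sshd_config.d/` can override it without any error. The helper `check_effective` and both sample dumps are constructed for illustration; the helper reads `sshd -T` output and reports any of the three settings that did not take effect.

```bash
# Added example: confirm the drop-in's values are what sshd will enforce.
# Expected keywords/values as printed by `sshd -T` (lowercase). Alternatives
# are separated by "|": OpenSSH may print the older synonym
# "without-password" for "prohibit-password".
EXPECTED='passwordauthentication no
permitrootlogin prohibit-password|without-password
kbdinteractiveauthentication no'

# check_effective (hypothetical helper): reads `sshd -T` output on stdin,
# prints one line per mismatch, returns 0 only if every keyword matches.
check_effective() {
  ce_dump=$(tr '[:upper:]' '[:lower:]')
  ce_rc=0
  while read -r ce_key ce_want; do
    # Value sshd reports for this keyword (empty if the keyword is absent).
    ce_got=$(printf '%s\n' "$ce_dump" |
      awk -v k="$ce_key" '$1 == k { print $2; exit }')
    case "|$ce_want|" in
      *"|$ce_got|"*) ;;
      *) printf 'MISMATCH %s: want=%s got=%s\n' \
           "$ce_key" "$ce_want" "${ce_got:-<unset>}"
         ce_rc=1 ;;
    esac
  done <<EOF
$EXPECTED
EOF
  return "$ce_rc"
}

# Constructed sample: an earlier drop-in re-enabled password logins.
SAMPLE_OVERRIDDEN='port 22
passwordauthentication yes
permitrootlogin without-password
kbdinteractiveauthentication no'

# Constructed sample: the hardening drop-in is effective.
SAMPLE_OK='port 22
passwordauthentication no
permitrootlogin prohibit-password
kbdinteractiveauthentication no'

# On the host (needs root; not executed by this example):
#   sudo sshd -t && sudo sshd -T | check_effective && sudo systemctl reload ssh
```

Keep the existing SSH session open while running the check, and reload only when it exits 0.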