dotfiles/bin/.bin/load_keys

#!/usr/bin/env bash
set -euo pipefail

HOST="${HOST:-$(hostname -s 2>/dev/null || hostname)}"
PASS_BASE="personal/ssh"
STORE_ROOT="${PASSWORD_STORE_DIR:-$HOME/.password-store}"
ABS_BASE_PATH="${STORE_ROOT}/${PASS_BASE}"

# Ensure ssh-agent is running
if [[ -z "${SSH_AUTH_SOCK:-}" ]]; then
    eval "$(ssh-agent -s)"
fi

# Verify the base path exists
if [[ ! -d "$ABS_BASE_PATH" ]]; then
  echo "ERROR: Base path not found in pass: $PASS_BASE" >&2
  exit 1
fi


# Loop through each identity subdirectory
echo -n "Loading ssh keys for host: "
while IFS= read -r dir; do
  IDENTITY=$(basename "$dir")

  # Find the latest .gpg file by name (ISO sort) and hostname
  LATEST_FILE=$(find "$dir" -maxdepth 1 -name "*.gpg" -exec basename {} \; \
    | sed 's/\.gpg$//' \
    | sort -r \
    | head -n 1)

  if [[ -z "$LATEST_FILE" ]]; then
    continue
  fi

  echo -n "$HOST"
  
  # Decrypt and pipe directly to ssh-add
  # The '-' tells ssh-add to read the key from standard input (stdin)
  pass show "${PASS_BASE}/${IDENTITY}/${LATEST_FILE}" | ssh-add - >/dev/null 2>&1

done < <(find "$ABS_BASE_PATH" -mindepth 1 -maxdepth 1 -type d -name "*${HOST}*")