#!/usr/bin/env bash
# Bootstrap the age-plugin-tpm identity for a desktop host (mreow / yarn).
#
# Produces a TPM-sealed age identity at /var/lib/agenix/tpm-identity and
# prints the recipient string to add to secrets/secrets.nix.
#
# Usage:
#   doas scripts/bootstrap-desktop-tpm.sh
#
# After running:
#   1. Append the printed recipient to the `tpm` list in secrets/secrets.nix.
#   2. Re-encrypt: nix-shell -p age-plugin-tpm rage --run \
#        'agenix -r -i ~/.ssh/id_ed25519'
#   3. Commit + ./deploy.sh switch.

set -euo pipefail

if [[ $EUID -ne 0 ]]; then
  echo "this script must run as root (access to /dev/tpmrm0 + /var/lib/agenix)" >&2
  exit 1
fi

host=$(hostname -s)
id_file=/var/lib/agenix/tpm-identity

install -d -m 0700 -o root -g root /var/lib/agenix

if [[ -f "$id_file" ]]; then
  echo "existing identity found at $id_file — preserving"
else
  echo "generating TPM-sealed age identity..."
  nix-shell -p age-plugin-tpm --run "age-plugin-tpm --generate -o $id_file"
  chmod 0400 "$id_file"
  chown root:root "$id_file"
fi

# Read the recipient directly from the identity file header — no TPM
# round-trip needed, no nix run, no set -e hazards.
recipient=$(grep '^# Recipient:' "$id_file" | awk '{print $3}')
if [[ -z "$recipient" ]]; then
  echo "failed to read recipient from $id_file" >&2
  exit 1
fi

cat <<EOF

recipient for $host:
  "$recipient $host"

next steps (run on a workstation with git-crypt unlocked):
  1. edit secrets/secrets.nix and add the line above to the \`tpm\` list.
  2. re-encrypt: nix-shell -p age-plugin-tpm rage --run 'agenix -r -i ~/.ssh/id_ed25519'
  3. git commit + ./deploy.sh switch
EOF