Output: Generate output to paste into ~/.ssh/config and gpg2 --import

[cfcs]

gpg2 --import "${output_directory}"/secret.asc
# rememer that it's gpg2 and that plain old 'gpg' doesn't handle ed25519

and

Host *
    User ${OUR_USERNAME}
    IdentityFile ${OUTPUT_DIRECTORY}/id_ed25519

and

cat "${output_directory}"/id_ed25519.pub | ssh HOST tee -a .ssh/authorized_keys

[cfcs]

Load key into ssh-agent from stdin:

#     -c      Indicates that added identities should be subject to confirmation
#             before being used for authentication.  Confirmation is performed
#             by the SSH_ASKPASS program mentioned below.  Successful confirma‐
#             tion is signaled by a zero exit status from the SSH_ASKPASS pro‐
#             gram, rather than text entered into the requester.
#     -k      When loading keys into or deleting keys from the agent, process
#             plain private keys only and skip certificates.

cat ~/.ssh/id_ed25519 | ssh-add -c -k -

Note that for -c you need to pass a SSH_ASKPASS=/usr/bin/ssh-askpass environment variable to ssh-agent, which may not be there.