From 050f2d4761ae93a00f123f8bab932f872c24c65a Mon Sep 17 00:00:00 2001
From: Hermes
Date: Thu, 18 Jun 2026 17:17:29 -0400
Subject: [PATCH] feat: add agenix-rekey config + remote builder to uConsole

---
 hosts/uconsole-cm5/configuration.nix | 18 ++++++++++++++++++
 1 file changed, 18 insertions(+)

diff --git a/hosts/uconsole-cm5/configuration.nix b/hosts/uconsole-cm5/configuration.nix
index 4c87088..bc6a14a 100644
--- a/hosts/uconsole-cm5/configuration.nix
+++ b/hosts/uconsole-cm5/configuration.nix
@@ -184,3 +184,21 @@
 networking.firewall.allowedTCPPorts = [ 22 ];
 networking.firewall.allowedUDPPorts = [ ];
 }
+
+ # ============================================================
+ # agenix-rekey — automatic secret re-encryption at deploy time
+ # ============================================================
+ age.rekey = {
+ # Master identities for encrypting secrets (on Thierry's laptop)
+ masterIdentities = [
+ "/home/gortium/.ssh/gortium_ssh_key"
+ ];
+
+ # uConsole SSH host pubkey — for automatic rekey at build time
+ # Once uConsole is deployed, replace with actual pubkey from:
+ # ssh-keyscan uConsole.local | ssh-to-age
+ hostPubkey = "age1qyqszqgpqyqszqgpqyqszqgpqyqszqgpqyqszqgpqyqszqgpqyqs3290gq"; # dummy — replace after bootstrap
+ };
+
+ # Enable remote builder (distributed build via lazyworkhorse server)
+ services.remoteBuilder.enable = true;
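Review bot: The eighteen added lines are appended after the ` }` context line at old line 186, which — a column-0 brace following two-space-indented bindings at what the hunk header shows is the end of the old file — is almost certainly the module's closing brace, so `age.rekey` and `services.remoteBuilder.enable` land outside the attribute set and the file no longer parses as Nix. The fix is to turn that context line into a removed line and re-add it as `+}` after `services.remoteBuilder.enable = true;`; the attribute set itself opens outside the hunk. Keep `masterIdentities` as the quoted string it is — an unquoted Nix path literal there would be copied into the world-readable Nix store at evaluation time, exposing the private key — and a comment saying so, `# string, not a path literal: a path would be copied into /nix/store`, would protect the next editor. `services.remoteBuilder` is not a stock NixOS option, so evaluation also fails unless a project module defines it; if one does, the comment should state that build outputs from the lazyworkhorse builder are trusted by this host without further verification.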