feat: add agenix-rekey config + remote builder to uConsole

hosts/uconsole-cm5/configuration.nix

@@ -184,3 +184,21 @@
   networking.firewall.allowedTCPPorts = [ 22 ];
   networking.firewall.allowedUDPPorts = [ ];
 }
+
+  # ============================================================
+  # agenix-rekey — automatic secret re-encryption at deploy time
+  # ============================================================
+  age.rekey = {
+    # Master identities for encrypting secrets (on Thierry's laptop)
+    masterIdentities = [
+      "/home/gortium/.ssh/gortium_ssh_key"
+    ];
+
+    # uConsole SSH host pubkey — for automatic rekey at build time
+    # Once uConsole is deployed, replace with actual pubkey from:
+    #   ssh-keyscan uConsole.local | ssh-to-age
+    hostPubkey = "age1qyqszqgpqyqszqgpqyqszqgpqyqszqgpqyqszqgpqyqszqgpqyqs3290gq"; # dummy — replace after bootstrap
+  };
+
+  # Enable remote builder (distributed build via lazyworkhorse server)
+  services.remoteBuilder.enable = true;