diff --git a/assets/compose b/assets/compose
index d3f2e3b..3c92d93 160000
--- a/assets/compose
+++ b/assets/compose
@@ -1 +1 @@
-Subproject commit d3f2e3b7b9dcb03b0bd7df0278faca6b64ea9272
+Subproject commit 3c92d93366bcf301878f83bcdec6b6de7246d652
diff --git a/flake.nix b/flake.nix
index 3828560..ef6ec8f 100644
--- a/flake.nix
+++ b/flake.nix
@@ -130,6 +130,8 @@
 nixos-uconsole.nixosModules.configtxt
 (nixos-uconsole.nixosModules.cm { lib = nixpkgs-uconsole.lib; isCM4 = false; })
 nixos-uconsole.nixosModules.base
+ # agenix pour déchiffrer les secrets au déploiement
+ agenix.nixosModules.default
 # Notre config
 ./hosts/uconsole-cm5/configuration.nix
 ./hosts/uconsole-cm5/hardware-configuration.nix
diff --git a/hosts/uconsole-cm5/configuration.nix b/hosts/uconsole-cm5/configuration.nix
index 3b4cf52..4b35976 100644
--- a/hosts/uconsole-cm5/configuration.nix
+++ b/hosts/uconsole-cm5/configuration.nix
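Review bot: Nothing visible in this commit tells agenix which private key the uconsole should decrypt with once `agenix.nixosModules.default` is loaded. `age.identityPaths` defaults to the OpenSSH host keys, so if `services.openssh` is not enabled in the host configuration (not shown in this diff), the device will have no identity and cannot decrypt `uconsole-wifi.age`. In that case set `age.identityPaths` explicitly to a key that is provisioned on the device and listed as a recipient in `secrets/secrets.nix`.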
@@ -28,8 +28,37 @@ # ============================================================ networking.networkmanager.enable = true; - # WiFi connection — Thierry ajoutera le password dans un secret agenix - # networking.networkmanager.connections = { ... }; + # ============================================================ + # WiFi credentials from agenix (SSID + password encrypted) + # ============================================================ + age.secrets.uconsole-wifi = { + file = ../../secrets/uconsole-wifi.age; + owner = "root"; + group = "root"; + mode = "0400"; + }; + + # Write WiFi connection at activation (reads decrypted age secret) + systemd.services.ensure-wifi = { + description = "Configure WiFi from age secret"; + after = [ "network.target" "age-uconsole-wifi.service" ]; + wants = [ "age-uconsole-wifi.service" ]; + before = [ "NetworkManager-wait-online.service" ]; + wantedBy = [ "multi-user.target" ]; + serviceConfig = { + Type = "oneshot"; + RemainAfterExit = true; + ExecStart = let + wifi-setup = pkgs.writeShellScript "wifi-setup" '' + SSID="$(head -1 /run/secrets/uconsole-wifi)" + PASS="$(tail -1 /run/secrets/uconsole-wifi)" + if ! nmcli -t connection show "$SSID" >/dev/null 2>&1; then + nmcli device wifi connect "$SSID" password "$PASS" + fi + ''; + in "${wifi-setup}"; + }; + }; # ============================================================ # Kernel parameters from nixos-uconsole CM5 module diff --git a/secrets/secrets.nix b/secrets/secrets.nix index d5c44d6..df6acfc 100644 --- a/secrets/secrets.nix +++ b/secrets/secrets.nix @@ -11,4 +11,5 @@ in "lazyworkhorse_host_ssh_key.age".publicKeys = authorizedKeys; "n8n_ssh_key.age".publicKeys = authorizedKeys; "openclaw_gateway_token.age".publicKeys = authorizedKeys; + "uconsole-wifi.age".publicKeys = authorizedKeys; }
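Review bot: The Wi-Fi passphrase is passed as a command-line argument in `nmcli device wifi connect "$SSID" password "$PASS"`, so any local user can read it from the process list while nmcli runs, which undercuts the root-only `0400` mode on the secret. The script also hard-codes `/run/secrets/uconsole-wifi`, whereas agenix decrypts under `/run/agenix` by default and exposes the real location as `config.age.secrets.uconsole-wifi.path`; unless `age.secretsDir` is overridden elsewhere, both reads come back empty. I would drop the oneshot and let NetworkManager's `ensureProfiles` read the secret as an environment file, as in the excerpt below; the secret then needs `KEY=value` lines (the variable names are constructed), and `config` must be among the module arguments, which are outside this hunk. If the unit is kept instead, add `path = [ pkgs.networkmanager ];` because nmcli is not on a NixOS unit's default PATH, and confirm that `age-uconsole-wifi.service` exists at all, since agenix on NixOS appears to decrypt during activation rather than through per-secret units.

```nix
  age.secrets.uconsole-wifi = {
    # … unchanged: file, owner, group, mode …
  };

  # Secret content becomes two env lines (constructed names):
  #   WIFI_SSID=...
  #   WIFI_PSK=...
  networking.networkmanager.ensureProfiles = {
    environmentFiles = [ config.age.secrets.uconsole-wifi.path ];
    profiles.uconsole-wifi = {
      connection = { id = "uconsole-wifi"; type = "wifi"; };
      wifi = { mode = "infrastructure"; ssid = "$WIFI_SSID"; };
      wifi-security = { key-mgmt = "wpa-psk"; psk = "$WIFI_PSK"; };
      ipv4.method = "auto";
    };
  };
```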
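Review bot: The new `"uconsole-wifi.age".publicKeys = authorizedKeys;` line reuses the one recipient list that already covers `lazyworkhorse_host_ssh_key.age`, `n8n_ssh_key.age` and `openclaw_gateway_token.age`. The definition of `authorizedKeys` is outside the hunk, but for the uconsole to decrypt its Wi-Fi secret its host key has to be in that list, and it can then decrypt every other secret here too; a portable device that can be lost or stolen should not hold that reach. Consider a per-secret recipient list, for example `"uconsole-wifi.age".publicKeys = adminKeys ++ [ uconsoleHostKey ];` (both names are placeholders), and keep the uconsole key out of the shared list.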