Reproducibility, redeploying on a new host

[TRPB]

Since agenix requires the host to have the ssh private key in /etc/ssh (or wherever we point age to) what are the options for deploying a fresh install with agenix?

If I'm redeploying my environment on a new host I'd need to copy across the private key before I can deploy anything that uses agenix for config (e.g. user passwords). I don't want the private key in the nix store either.

Generating a new host key feels like the right option in this case, but we'd need to rekey all the secrets and still find some way to deploy the keys to the host before we can use any secrets from agenix.

What's the best way to manage the host ssh key so that the deployment is reproducible and I can use nixos-rebuild switch --target-host ... or nixos-install on a completely fresh machine?