feat: Implement two-key SSH management strategy

- Add modules/security/ssh-keys.nix for centralized SSH key management
- Generate role-specific SSH keys with geir@geokkjer.eu email:
  - Admin key (geir@geokkjer.eu-admin) for sma user server access
  - Development key (geir@geokkjer.eu-dev) for geir user and git services
- Update SSH client config with role-based host patterns
- Configure users/geir.nix and users/sma.nix with appropriate key access
- Add SSH key setup to both machine configurations
- Create scripts/setup-ssh-keys.sh for key generation automation
- Update plan.md with completed SSH security implementation

Security benefits:
- Principle of least privilege (separate admin vs dev access)
- Limited blast radius if keys are compromised
- Clear usage patterns: ssh admin-sleeper vs ssh geir@sleeper-service.home
- Maintains compatibility with existing services during transition

modules/security/ssh-keys.nix

@@ -0,0 +1,97 @@
+# SSH Key Management Module
+# Two-key strategy: admin (sma) and development (geir)
+{ config, pkgs, lib, ... }:
+
+{
+  # Global SSH daemon configuration
+  services.openssh = {
+    enable = true;
+    settings = {
+      PasswordAuthentication = false;
+      KbdInteractiveAuthentication = false;
+      PermitRootLogin = "no";
+      PubkeyAuthentication = true;
+    };
+    
+    # Use modern, secure algorithms only
+    extraConfig = ''
+      PubkeyAcceptedKeyTypes ssh-ed25519,ssh-ed25519-cert-v01@openssh.com
+      KexAlgorithms curve25519-sha256@libssh.org
+      Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com
+      MACs hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com
+    '';
+  };
+
+  # Centralized SSH key management
+  security.ssh-keys = {
+    # Admin keys for sma user (server administration)
+    admin = [
+      "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPgzKS1N7+7+N1/8U8++1pl4hapDm6TOy0QhrfrYA8mz geir@geokkjer.eu-admin"
+    ];
+    
+    # Development keys for geir user (git, daily use)
+    development = [
+      # Current key (keep for continuity during transition)
+      "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIHeOvTHIw+hZOAiWkIrz9t11UeGwxAMx7jN/1IIdgq7O geokkjer@gmail.com"
+      # New development key
+      "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIHukJK0Kc1YexvzF8PdqaqWNZdVffGoM6ePPMecrU6dM geir@geokkjer.eu-dev"
+    ];
+  };
+
+  # SSH client configuration
+  programs.ssh = {
+    enable = true;
+    extraConfig = ''
+      # Default to development key for daily use
+      Host *
+        IdentityFile ~/.ssh/id_ed25519_dev
+        AddKeysToAgent yes
+        ServerAliveInterval 60
+        ServerAliveCountMax 3
+        
+      # Admin access to servers (use sma user)
+      Host admin-* *.admin 
+        User sma
+        IdentityFile ~/.ssh/id_ed25519_admin
+        
+      # Git services (use geir user with dev key)
+      Host git.* github.com gitlab.com
+        User git
+        IdentityFile ~/.ssh/id_ed25519_dev
+        
+      # Home lab servers (geir user for development access)
+      Host sleeper-service sleeper-service.home 10.0.0.8
+        User geir
+        IdentityFile ~/.ssh/id_ed25519_dev
+        
+      Host grey-area grey-area.home 10.0.0.11
+        User geir
+        IdentityFile ~/.ssh/id_ed25519_dev
+        
+      Host reverse-proxy reverse-proxy.home 10.0.0.12
+        User geir
+        IdentityFile ~/.ssh/id_ed25519_dev
+        
+      # Admin access to servers (when needed)
+      Host admin-sleeper sleeper-service.admin
+        Hostname 10.0.0.8
+        User sma
+        IdentityFile ~/.ssh/id_ed25519_admin
+        
+      Host admin-grey grey-area.admin
+        Hostname 10.0.0.11
+        User sma
+        IdentityFile ~/.ssh/id_ed25519_admin
+        
+      Host admin-reverse reverse-proxy.admin
+        Hostname 10.0.0.12
+        User sma
+        IdentityFile ~/.ssh/id_ed25519_admin
+        
+      # Tailscale network
+      Host 100.* *.tail*
+        User geir
+        IdentityFile ~/.ssh/id_ed25519_dev
+    '';
+  };
+}