feat: Implement two-key SSH management strategy

- Add modules/security/ssh-keys.nix for centralized SSH key management
- Generate role-specific SSH keys with geir@geokkjer.eu email:
  - Admin key (geir@geokkjer.eu-admin) for sma user server access
  - Development key (geir@geokkjer.eu-dev) for geir user and git services
- Update SSH client config with role-based host patterns
- Configure users/geir.nix and users/sma.nix with appropriate key access
- Add SSH key setup to both machine configurations
- Create scripts/setup-ssh-keys.sh for key generation automation
- Update plan.md with completed SSH security implementation

Security benefits:
- Principle of least privilege (separate admin vs dev access)
- Limited blast radius if keys are compromised
- Clear usage patterns: ssh admin-sleeper vs ssh geir@sleeper-service.home
- Maintains compatibility with existing services during transition

scripts/setup-ssh-keys.sh

@@ -0,0 +1,89 @@
+#!/usr/bin/env bash
+# SSH Key Generation Script - Two-Key Strategy
+# Generates admin and development SSH keys
+
+set -euo pipefail
+
+SSH_DIR="$HOME/.ssh"
+HOSTNAME="$(hostname)"
+EMAIL_BASE="geir@geokkjer.eu"
+
+echo "🔑 Setting up SSH keys for $HOSTNAME"
+echo "📧 Using email base: $EMAIL_BASE"
+
+# Create SSH directory if it doesn't exist
+mkdir -p "$SSH_DIR"
+chmod 700 "$SSH_DIR"
+
+# Backup existing key if it exists
+if [[ -f "$SSH_DIR/id_ed25519" ]]; then
+    echo "💾 Backing up existing key to id_ed25519.backup"
+    cp "$SSH_DIR/id_ed25519" "$SSH_DIR/id_ed25519.backup"
+    cp "$SSH_DIR/id_ed25519.pub" "$SSH_DIR/id_ed25519.pub.backup"
+fi
+
+echo ""
+echo "🔐 Generating two SSH keys:"
+echo "  1. Admin key (for sma user, server administration)"
+echo "  2. Development key (for geir user, git, daily use)"
+echo ""
+
+# Generate admin key
+ADMIN_KEY="$SSH_DIR/id_ed25519_admin"
+if [[ ! -f "$ADMIN_KEY" ]]; then
+    echo "🔐 Generating admin key..."
+    ssh-keygen -t ed25519 -f "$ADMIN_KEY" -C "$EMAIL_BASE-admin" -N ""
+    chmod 600 "$ADMIN_KEY"
+    chmod 644 "$ADMIN_KEY.pub"
+    echo "✅ Generated: $ADMIN_KEY"
+else
+    echo "⏭️  Admin key already exists"
+fi
+
+# Generate development key  
+DEV_KEY="$SSH_DIR/id_ed25519_dev"
+if [[ ! -f "$DEV_KEY" ]]; then
+    echo "🔐 Generating development key..."
+    ssh-keygen -t ed25519 -f "$DEV_KEY" -C "$EMAIL_BASE-dev" -N ""
+    chmod 600 "$DEV_KEY"
+    chmod 644 "$DEV_KEY.pub"
+    echo "✅ Generated: $DEV_KEY"
+else
+    echo "⏭️  Development key already exists"
+fi
+
+echo ""
+echo "🎯 Next steps:"
+echo "1. Add these public keys to your NixOS configuration:"
+echo "2. Deploy updated configuration to target servers"
+echo "3. Test SSH access with both keys"
+echo "4. Update external Git services with new development key"
+echo ""
+
+echo "📋 Public keys to add to NixOS configuration:"
+echo ""
+
+if [[ -f "$ADMIN_KEY.pub" ]]; then
+    echo "# Admin key (add to security.ssh-keys.admin in modules/security/ssh-keys.nix)"
+    echo "\"$(cat "$ADMIN_KEY.pub")\""
+    echo ""
+fi
+
+if [[ -f "$DEV_KEY.pub" ]]; then
+    echo "# Development key (add to security.ssh-keys.development in modules/security/ssh-keys.nix)" 
+    echo "\"$(cat "$DEV_KEY.pub")\""
+    echo ""
+fi
+
+echo "💡 Usage examples:"
+echo "  ssh geir@sleeper-service.home     # Uses dev key automatically"
+echo "  ssh admin-sleeper                 # Uses admin key for sma user"
+echo "  git clone git@github.com:user/repo # Uses dev key for git"
+echo ""
+
+echo "🔄 To update your Git remotes with the new key:"
+echo "  # Add new key to GitHub/GitLab first, then:"
+echo "  ssh -T git@github.com  # Test the connection"
+echo ""
+
+echo "✅ SSH key setup complete!"