feat(servers): declare SSH authorizedKeys + root mac admin trust 🔑

Move the imperative SSH-key-related scars accumulated during the
clan/VPS rollout into nix config so future installs and rebuilds
reproduce the same state:

- danny@sunken-ship + danny@phantom-ship: trust the mac admin key
  (id_ed25519_<host> on Daniel-Macbook-Air) and the host's own
  self-loopback key (used by clan ssh-ng:// nix-copy-closure back
  to the same host during `clan machines update`).
- root@sunken-ship + root@phantom-ship: trust the mac admin key so
  `clan machines update` can run its SOPS-key upload step that
  SSHes to root@<host> to write /var/lib/sops-nix/key.txt.

Existing key files (~/.ssh/id_ed25519 on each host) stay where they
are; the keypair was generated once during initial bootstrap and the
public side is now declared above. Reinstalls would regenerate and
need the pubkey re-pinned here.
DannyDannyDanny 2026-04-25 13:30:40 +02:00
parent 644420481e
commit b8bc17f385
2 changed files with 26 additions and 2 deletions
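The commit message above pins public keys into the Nix config and warns that a reinstall regenerates the host keypair, leaving the pinned loopback pubkey stale. The following drift check is an added example (not part of this commit or of the clan project): it compares the keys pinned in the config against what sshd actually sees on the host, and flags a host whose own `~/.ssh/id_ed25519.pub` is no longer among the pinned keys. It assumes the pinned keys have been exported to a plain text file with one `type base64 [comment]` entry per line, and that the host's authorized_keys file and `id_ed25519.pub` were copied locally first; the file names are placeholders and the sample keys in the usage comment are constructed.

```shell
#!/bin/sh
# Added example, not part of this commit or the clan project: a drift check to
# run after a rebuild or reinstall, before `clan machines update` relies on
# the pinned keys. Assumptions (mine, not the page's): pinned keys are in a
# plain file, one "type base64 [comment]" per line; the host's authorized_keys
# and ~/.ssh/id_ed25519.pub were fetched to local files beforehand (e.g. scp).

# key_material FILE: print the "type base64" pair of every key line in FILE.
# Comments, blank lines and any leading authorized_keys options such as
# `restrict,command="..."` are dropped, so two entries that differ only in
# their trailing comment (both say "danny@phantom-ship" in the commit) or in
# their options compare equal. An options string that itself contains a
# literal key-type token would confuse the field scan; sshd would reject
# such a line anyway.
key_material() {
  awk '
    /^[[:space:]]*#/ || /^[[:space:]]*$/ { next }
    {
      for (i = 1; i < NF; i++) {
        if ($i ~ /^(ssh-(ed25519|rsa)|ecdsa-sha2-nistp[0-9]+|sk-(ssh-ed25519|ecdsa-sha2-nistp256)@openssh\.com)$/) {
          print $i " " $(i + 1)
          break
        }
      }
    }' "$1" | sort -u
}

# missing_keys WANTED PRESENT: print every key in WANTED that PRESENT lacks.
# Returns 0 when nothing is missing, 1 otherwise.
missing_keys() {
  _present=$(mktemp)
  key_material "$2" > "$_present"
  _missing=$(key_material "$1" | grep -vxF -f "$_present")
  rm -f "$_present"
  [ -z "$_missing" ] && return 0
  printf '%s\n' "$_missing"
  return 1
}

# check_host PINNED AUTHORIZED_KEYS HOST_PUB: both checks for one host.
#   1. every pinned key is present in the effective authorized_keys file;
#   2. the host's own public key (used for the ssh-ng:// loopback) is among
#      the pinned keys, i.e. it was not regenerated by a reinstall.
check_host() {
  _rc=0
  if ! missing_keys "$1" "$2" > /dev/null; then
    echo "pinned key(s) missing from $2:" >&2
    missing_keys "$1" "$2" >&2 || true
    _rc=1
  fi
  if ! missing_keys "$3" "$1" > /dev/null; then
    echo "host key in $3 is not pinned in $1 (regenerated on reinstall?)" >&2
    _rc=1
  fi
  return $_rc
}

# Usage against a real host (placeholder paths, not executed here):
#   scp danny@phantom-ship:/etc/ssh/authorized_keys.d/danny ./actual.keys
#   scp danny@phantom-ship:.ssh/id_ed25519.pub ./host.pub
#   check_host ./pinned.keys ./actual.keys ./host.pub && echo "no drift"
```

Comparing only the `type base64` pair is deliberate: the commit gives both keys the same comment, and a hardened deployment may later prefix the root entry with `restrict,command=...`, neither of which should count as drift.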


@ -63,8 +63,20 @@ in
isNormalUser = true;
extraGroups = [ "wheel" ];
# Password is locked (key-only SSH). Use NixOS installer or recovery to reset if needed.
openssh.authorizedKeys.keys = [
# Mac admin (~/.ssh/id_ed25519_phantom_ship on Daniel-Macbook-Air).
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIDNl6PrKcEhmYJVqSXNcFU6cba3neekLBGnQCkD7lWAc danny@phantom-ship"
# Self-loopback (clan ssh-ng:// back to this host).
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPyEX8De/b+sMAxUZIqqiPphcrWCoAsN5p8gRFubzqvB danny@phantom-ship"
];
};
# root needs the mac admin key so `clan machines update` can SSH to
# root@<host> for SOPS upload.
users.users.root.openssh.authorizedKeys.keys = [
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIDNl6PrKcEhmYJVqSXNcFU6cba3neekLBGnQCkD7lWAc danny@phantom-ship"
];
# Key-only auth; no password or keyboard-interactive.
services.openssh = {
enable = true;
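Review bot: the Mac admin key is pasted as the same literal twice, once under `danny`'s `openssh.authorizedKeys.keys` and again under `users.users.root.openssh.authorizedKeys.keys`; since the file already has a `let ... in` (the `in` in this hunk's header context), bind it once, e.g. `macAdminKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIDNl6PrKcEhmYJVqSXNcFU6cba3neekLBGnQCkD7lWAc danny@phantom-ship";`, and reference `macAdminKey` in both lists so a future rotation cannot update one list and leave root trusting the old key. Two smaller points. Both entries in the `danny` list end in the identical comment `danny@phantom-ship`, so in the generated authorized_keys file the loopback key cannot be told apart from the admin key; give the second entry a distinct comment such as `danny@phantom-ship-loopback`, matching the `# Self-loopback` remark above it. And the new root entry only has effect if `PermitRootLogin` allows public-key auth; the `services.openssh` block that begins at the end of this hunk is cut off here, so confirm it either leaves NixOS's default `prohibit-password` in place or sets it explicitly, since `PermitRootLogin = "no"` would silently make the root key inert while the commit message relies on it for the SOPS upload step.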