fix(ssh): document hardware-backed SSH keys and set up backup key

modules/ssh/authorized-keys.nix

@@ -17,13 +17,15 @@ in
   };
 
   # auto generate authorized_keys from `authorizedHosts`
-  config.users.users.${username}.openssh.authorizedKeys.keys = lib.flatten (
-    map (
-      hostname:
-      let
-        keyFile = ../../hosts/${hostname}/ssh_user.pub;
-      in
-      lib.optionals (builtins.pathExists keyFile) (lib.splitString "\n" (builtins.readFile keyFile))
-    ) ((builtins.filter (h: h != config.host.name) adminHosts) ++ config.ssh.authorizedHosts)
-  );
+  config.users.users.${username}.openssh.authorizedKeys.keys =
+    lib.flatten (
+      map (
+        hostname:
+        let
+          keyFile = ../../hosts/${hostname}/ssh_user.pub;
+        in
+        lib.optionals (builtins.pathExists keyFile) (lib.splitString "\n" (builtins.readFile keyFile))
+      ) ((builtins.filter (h: h != config.host.name) adminHosts) ++ config.ssh.authorizedHosts)
+    )
+    ++ lib.splitString "\n" (builtins.readFile ./ssh_bak.pub);
 }