refactor(ssh): decentralize SSH configuration to per-host services

Restructures SSH trust relationships from global to host-specific configuration
for better locality of concern and principle of least privilege.

Changes:
- Collapse nixos/common/global/ssh/ back to ssh.nix (single-file module)
- Move internal host trust (fuchsia/viridian) to per-host services/ssh/
- Split BorgBase known hosts by repository (li9kg944 for fuchsia, r7ag7x1w for viridian)
- Add viridian SSH server config to accept backup connections from fuchsia
- Add fuchsia borgbackup passphrase for offsite backups
- Configure viridian to create /srv/borg-repo/fuchsia for remote backups

This enables the 3-2-1 backup strategy with fuchsia backing up to both viridian
(onsite) and BorgBase (offsite) with proper SSH authentication.

nixos/viridian/services/ssh/default.nix

@@ -0,0 +1,29 @@
+{inputs, ...}: let
+  # Fuchsia's host key for backup authentication
+  fuchsiaHostKey = builtins.readFile (
+    "${inputs.self}/nixos/fuchsia/ssh_host_ed25519_key.pub"
+  );
+in {
+  # Trust fuchsia's host keys for SSH connections
+  programs.ssh.knownHosts = {
+    "fuchsia-ed25519" = {
+      hostNames = ["fuchsia"];
+      publicKeyFile = "${inputs.self}/nixos/fuchsia/ssh_host_ed25519_key.pub";
+    };
+    "fuchsia-rsa" = {
+      hostNames = ["fuchsia"];
+      publicKeyFile = "${inputs.self}/nixos/fuchsia/ssh_host_rsa_key.pub";
+    };
+  };
+
+  # Trust BorgBase repository (offsite backup target)
+  programs.ssh.knownHostsFiles = [
+    ./borgbase_hosts
+  ];
+
+  # Accept remote backups from fuchsia using host key authentication
+  users.users.root.openssh.authorizedKeys.keys = [
+    # Restrict fuchsia to only run borg serve in /srv/borg-repo
+    ''command="borg serve --restrict-to-path /srv/borg-repo",restrict ${fuchsiaHostKey}''
+  ];
+}