Geo keys give full read-only access to all projects on the instance. Secondary
nodes place the private key in `~git/.ssh/id_rsa` - when promoted to being a
primary node, this key may be used by ordinary users for tasks like repository
mirroring, or anything else that shells out to an ssh command.

None of these tasks run on secondary nodes, but once the node is promoted to a
primary, it is essential that the key is no longer a valid geo node!