As to the ssh part: you have the general format
/usr/bin/ssh -i /where/ever/identity-file [username@]address-or-resolvable-name command-to-run
so as to as user “username” and as identified by private key “/where/ever/identity-file” on system “address-or-resolvable-name” run “command-to-run”.
If you leave out “username@” the default is for ssh to login as its invoking user; in the case of being run through a systemd unit file and unless specifically tweaked this means user “root” (and, careful, any said tweaking changes the invoking user as such but will not e.g. get you that user’s normal environment, and generally you don’t).
In the case of the router your config made it clear that, yes, you needed to login as user “root” which is why you leaving the “username@” part out works. For the Pi I’d however feel it more likely you in fact need to log in as your user on the Pi and run the command as said user? While I don’t know about your Pi often sshd on a somewhat generic system is not even OOTB configured to accept root logins.
I.e., if you from the command line shut down the Pi with, as your user,
ssh address-or-resolvable-name-for-the-pi poweroff
and you have in that case no ~/.ssh/config fragment also naming user “root” for the Pi you may need to from the ExecStart say for example “majik@address-or-resolvable-name-for-the-pi”. So just transpose things in that manner.
As to the .service file: yes, for type oneshot you can specify multiple commands for ExecStart, either as indeed multiple ExecStart= lines or with them on one line separated by " ; " (note: that’s space-semicolon-space). Order is still the normal order in which you want things executed.
It’s of course also possible to e.g. relay to a private executable shell script with
ExecStart=/usr/local/bin/shutdown-my-stuff.sh
or some such if you want to get more involved; if for example you’d want to loop around shutting down your Pi and/or make sure it has shut down before you kill the router. Depends I guess on your scripting tastes and prowess
The mentioned blah@.service files are not involved here; they exist as a way to parametrize service files. I for example used to use/advise on one for people/systems that had difficulty keeping Wake-on-LAN enabled on their NIC over boot. I.e., you’d have e.g.
/etc/systemd/system/wol@.service:
[Unit]
Description=Wake-on-LAN (%i)
Requires=network.target
After=network.target
[Service]
ExecStart=/sbin/ethtool -s %i wol g
Type=oneshot
[Install]
WantedBy=multi-user.target
and then enable it for specific NICs with e.g.
systemctl enable wol@enp3s0
and/or enp4s2 and/or whatever. Anycase then, not so much related here.