No problem with the admin node (or admin key) being in cold storage - just export it using dumpprivkey, then kill the node/server on which it was generated. You can then sign admin transactions offline, building them using the extended raw transaction interface:
You wouldn't need an intermediary node for this - instead just pass a raw unsigned transaction to the device with the admin key, call signrawtransaction (or the equivalent), and then pass it back.
As for peer discovery, you need some way of bootstrapping the process of peers finding each other. They're not going to be able to just find each other on the open Internet because there are billions of possible IP addresses. Perhaps you can use DNS for this purpose - there's no problem substituting the IP address in a node address for its domain name equivalent.
Restricting write access is easy - just use the send permission.
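Added example, not from the original post or from MultiChain's own code: once the cold device hands back the hex from signrawtransaction, the online side can confirm that nothing but the scriptSigs changed before it broadcasts with sendrawtransaction. It parses the Bitcoin-style (non-witness) serialization MultiChain uses; the sample transactions and the three-byte dummy scriptSig are constructed, not real chain data.

```python
import struct

def _varint(buf, pos):
    """Decode a Bitcoin CompactSize integer; return (value, next position)."""
    n = buf[pos]
    if n < 0xfd:
        return n, pos + 1
    width, fmt = {0xfd: (2, "<H"), 0xfe: (4, "<I"), 0xff: (8, "<Q")}[n]
    return struct.unpack_from(fmt, buf, pos + 1)[0], pos + 1 + width

def parse_tx(tx_hex):
    """Return (version, inputs, outputs, locktime); inputs are
    (prev_txid, prev_vout, script_sig, sequence), outputs are (value, script_pubkey)."""
    buf = bytes.fromhex(tx_hex)
    version = struct.unpack_from("<i", buf, 0)[0]
    n_in, pos = _varint(buf, 4)
    inputs = []
    for _ in range(n_in):
        prev_txid, prev_vout = buf[pos:pos + 32], struct.unpack_from("<I", buf, pos + 32)[0]
        slen, pos = _varint(buf, pos + 36)
        script_sig, pos = buf[pos:pos + slen], pos + slen
        inputs.append((prev_txid, prev_vout, script_sig, struct.unpack_from("<I", buf, pos)[0]))
        pos += 4
    n_out, pos = _varint(buf, pos)
    outputs = []
    for _ in range(n_out):
        value = struct.unpack_from("<q", buf, pos)[0]
        slen, pos = _varint(buf, pos + 8)
        outputs.append((value, buf[pos:pos + slen]))
        pos += slen
    locktime = struct.unpack_from("<I", buf, pos)[0]
    if pos + 4 != len(buf):
        raise ValueError("trailing bytes after transaction")
    return version, inputs, outputs, locktime

def signed_matches_unsigned(unsigned_hex, signed_hex):
    """True only if the offline signer changed nothing except filling in the
    previously empty scriptSigs: same version, locktime, outpoints, sequences, outputs."""
    uv, uin, uout, ul = parse_tx(unsigned_hex)
    sv, sin, sout, sl = parse_tx(signed_hex)
    if (uv, ul, uout) != (sv, sl, sout) or len(uin) != len(sin):
        return False
    return all(u[:2] == s[:2] and u[3] == s[3] and not u[2] and s[2]
               for u, s in zip(uin, sin))

def _sample_tx(script_sig_hex, pubkey_hash_hex):
    """Constructed sample: one input, one P2PKH output (not real chain data)."""
    return ("01000000" "01" + "aa" * 32 + "00000000"
            + "%02x" % (len(script_sig_hex) // 2) + script_sig_hex
            + "ffffffff" "01" "0100000000000000" "19" "76a914" + pubkey_hash_hex + "88ac" "00000000")

UNSIGNED_TX = _sample_tx("", "11" * 20)
SIGNED_TX = _sample_tx("010203", "11" * 20)    # dummy scriptSig stands in for a real signature
TAMPERED_TX = _sample_tx("010203", "22" * 20)  # signer swapped the payee's hash: must be rejected
```

Only broadcast when the check passes; a False result means the hex that came back is not the transaction you sent out to be signed.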