tadpole: Scope authorized_keys_command to alex

The command was hijacking auth for all users, including `gitea`, which
broke `git push` over SSH — `gitea`'s `authorized_keys` (with the
`gitea serv` command restriction) was being bypassed, and sshd would
try to exec the raw `git-receive-pack` instead.

Pass `%u` to the command and short-circuit unless the requested user
is `alex`, so other users fall back to their own `~/.ssh/authorized_keys`.
This commit is contained in:
Alexander Heldt
2026-06-03 12:57:27 +02:00
parent 331a86deb0
commit 2606f1a1c6
+2 -1
@@ -48,6 +48,7 @@ in
mode = "0755";
text = ''
#!${pkgs.bash}/bin/bash
[ "$1" = "alex" ] || exit 0
for file in ${authorizedKeysPath}/*; do
${pkgs.coreutils}/bin/cat "$file"
done
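Review bot: the guard `[ "$1" = "alex" ] || exit 0` hard-codes the user name inside the script text, so the scope lives in a string literal that is easy to miss when the account is renamed or a second user is added. Consider interpolating the name from a single Nix binding. A short comment would also help, saying that exiting 0 with no output is what lets sshd fall through to the user's own `authorized_keys` file. Separately, in the context lines the loop over `${authorizedKeysPath}/*` passes the literal pattern to `cat` when the directory is empty, so a `[ -f "$file" ]` check inside the loop would keep that case quiet.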
@@ -71,7 +72,7 @@ in
KbdInteractiveAuthentication = false;
};
authorizedKeysCommand = "/etc/ssh/authorized_keys_command";
authorizedKeysCommand = "/etc/ssh/authorized_keys_command %u";
authorizedKeysCommandUser = "root";
};
};
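Review bot: with `authorizedKeysCommand = "/etc/ssh/authorized_keys_command %u";` the command is still executed for every login attempt by every user, and the scoping relies entirely on the script checking its first argument. Setting the directive inside an sshd `Match User alex` block would enforce the scope in sshd itself, so `gitea` and other accounts never reach the script. The context line `authorizedKeysCommandUser = "root";` is also worth revisiting: the script only reads key files, so if those files can be made readable to a dedicated unprivileged account, running the command as that account avoids a root-executed helper on the authentication path.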