feat: allow officina-ci to SSH to officina-instance hosts (#361)

Add Tailscale ACL grant and SSH rule so tag:officina-ci can reach
tag:officina-instance on port 22 as root. Required for the officina
provision-host-secrets workflow to deposit tokens and trigger the
reconciler via tailscale ssh.

Author: noahwhite

opentofu/modules/tailscale/main.tofu

@@ -84,6 +84,11 @@ resource "tailscale_acl" "soc_tailnet_acl" {
         "src" : ["tag:officina-instance"],
         "dst" : ["tag:infisical"],
         "ip" : ["443"]
+      },
+      {
+        "src" : ["tag:officina-ci"],
+        "dst" : ["tag:officina-instance"],
+        "ip" : ["22"]
       }
     ],
     "ssh" = [
@@ -119,6 +124,12 @@ resource "tailscale_acl" "soc_tailnet_acl" {
         "dst"    = ["tag:officina-instance"],
         "users"  = ["core"],
       },
+      {
+        "action" = "accept",
+        "src"    = ["tag:officina-ci"],
+        "dst"    = ["tag:officina-instance"],
+        "users"  = ["root"],
+      },
     ],
     "groups" = {
       "group:devs" = ["noah@noahwhite.net"],