update: rotate SSH access via cloud-init secret

Inject SSH public key through Terraform/cloud-init from Gitea secret so access can be rotated without rebuilding the template image.

.gitea/workflows/terraform-apply.yml

@@ -23,6 +23,7 @@ jobs:
         run: |
           cat > secrets.auto.tfvars << EOF
           pm_api_token_secret = "${{ secrets.PM_API_TOKEN_SECRET }}"
+          SSH_KEY_PUBLIC      = "${{ secrets.SSH_KEY_PUBLIC }}"
           EOF
           cat > backend.hcl << EOF
           bucket                      = "${{ secrets.B2_TF_BUCKET }}"

.gitea/workflows/terraform-plan.yml

@@ -25,6 +25,7 @@ jobs:
           echo "PM_API_TOKEN_SECRET length: $(echo -n '${{ secrets.PM_API_TOKEN_SECRET }}' | wc -c)"
           cat > secrets.auto.tfvars << EOF
           pm_api_token_secret = "${{ secrets.PM_API_TOKEN_SECRET }}"
+          SSH_KEY_PUBLIC      = "${{ secrets.SSH_KEY_PUBLIC }}"
           EOF
           cat > backend.hcl << EOF
           bucket                      = "${{ secrets.B2_TF_BUCKET }}"