feat(ssh): pin the Gitea remote in the managed ssh config

The flake's origin (ssh://git@code.emmathe.dev) must resolve on every host.
Add a matchBlock for code.emmathe.dev: user git, Port 30009 (Gitea's
non-default SSH port -- the critical bit), the dedicated
~/.ssh/code.emmathe.dev key, and identitiesOnly. The work box keeps its own
ssh config (programs.ssh forced off there) which already has the entry.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>

lyrathorpe/home/shell.nix

@@ -224,6 +224,15 @@
     extraConfig = lib.optionalString pkgs.stdenv.hostPlatform.isDarwin ''
       UseKeychain yes
     '';
+    # Gitea remote (the flake's origin) -- required on every host. Pins the
+    # dedicated key so the right identity is offered. identitiesOnly avoids
+    # "too many authentication failures" when the agent holds several keys.
+    matchBlocks."code.emmathe.dev" = {
+      user = "git";
+      port = 30009; # Gitea listens on a non-default SSH port
+      identityFile = "~/.ssh/code.emmathe.dev";
+      identitiesOnly = true;
+    };
   };
 
   # Run a user ssh-agent on Linux (macOS provides one via launchd). EDaaS also