
Allow tagged nodes to authenticate

Open Xe opened this issue 1 year ago • 9 comments

The basic logic here is that we want tagged machines to be able to authenticate with Tailscale auth. The main problem here is that our identity model is usually one to one (one machine has one owner) but tags make this complicated (one machine can have n tags). As a stick in the mud, I propose that we allow tagged machines to connect with Tailscale auth but the first tag is the one that has "identity power".

This decision was made arbitrarily. It should probably be brought up in an eng meeting, but this works enough to make it work on my Steam Deck:


(pictured: a Valve Steam Deck running Firefox connected to Jenkins over Tailscale, proving that both Jenkins is configured to use Tailscale for auth and that a tagged node can authenticate to Jenkins)

Points of contention

  1. I transformed tag:name to tag___name so that it's less likely to collide with an actual human user
  2. It only picks the first tag (which may not pan out in the real world)

Xe avatar Sep 23 '22 17:09 Xe
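The identity rule proposed in the post, written out as an added example (this is not caddy-tailscale's own code). The whoIsResult struct is a constructed stand-in for the owner and tag fields of a WhoIs lookup; only the first tag gets identity power and is rewritten from tag:name to tag___name, and the remaining tags are returned so a deployment can log what was ignored.

```go
package main

import (
	"errors"
	"fmt"
	"strings"
)

// whoIsResult is a constructed stand-in for the node and owner fields the
// issue relies on; it is not the tailscale.com/tailcfg type.
type whoIsResult struct {
	LoginName string   // owner of an untagged node, e.g. "alice@example.com"
	Tags      []string // ACL tags of a tagged node, e.g. "tag:ci"
}

// identity is the principal handed to the application behind Caddy.
type identity struct {
	Name        string   // login name, or "tag___<name>" for a tagged node
	Tagged      bool     // true when Name was derived from a tag
	IgnoredTags []string // remaining tags; only the first one gets identity power
}

// identityFor applies the proposed rule: a tagged node authenticates as its
// first tag with "tag:" rewritten to "tag___" (so it cannot collide with a
// human login), an untagged node authenticates as its owner.
func identityFor(w whoIsResult) (identity, error) {
	if len(w.Tags) == 0 {
		if w.LoginName == "" {
			return identity{}, errors.New("node has neither an owner nor tags")
		}
		return identity{Name: w.LoginName}, nil
	}
	first := w.Tags[0]
	if !strings.HasPrefix(first, "tag:") || len(first) == len("tag:") {
		return identity{}, fmt.Errorf("malformed tag %q", first)
	}
	return identity{
		Name:        "tag___" + strings.TrimPrefix(first, "tag:"),
		Tagged:      true,
		IgnoredTags: w.Tags[1:],
	}, nil
}

func main() {
	for _, w := range []whoIsResult{
		{LoginName: "alice@example.com"},            // constructed sample
		{Tags: []string{"tag:ci", "tag:steamdeck"}}, // constructed sample
	} {
		id, err := identityFor(w)
		fmt.Printf("%+v err=%v\n", id, err)
	}
}
```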