fix: Reserve Tailscale service hostnames and tag exposed proxies

Reserve grafana/prometheus/flux alongside rancher during rebuild cleanup so
stale tailnet devices do not force -1 hostnames. Tag the exposed Tailscale
services so operator-managed proxies are provisioned with explicit prod/service
tags from the tailnet policy.

ansible/site.yml

@@ -122,6 +122,9 @@
   vars:
     tailscale_reserved_hostnames:
       - rancher
+      - grafana
+      - prometheus
+      - flux
 
   roles:
     - tailscale-cleanup

infrastructure/addons/flux-ui/flux-tailscale-service.yaml

@@ -5,6 +5,7 @@ metadata:
   namespace: flux-system
   annotations:
     tailscale.com/hostname: flux
+    tailscale.com/tags: "tag:prod,tag:flux"
     tailscale.com/proxy-class: infra-stable
 spec:
   type: LoadBalancer

infrastructure/addons/observability/grafana-tailscale-service.yaml

@@ -5,6 +5,7 @@ metadata:
   namespace: observability
   annotations:
     tailscale.com/hostname: grafana
+    tailscale.com/tags: "tag:prod,tag:grafana"
     tailscale.com/proxy-class: infra-stable
 spec:
   type: LoadBalancer

infrastructure/addons/observability/prometheus-tailscale-service.yaml

@@ -5,6 +5,7 @@ metadata:
   namespace: observability
   annotations:
     tailscale.com/hostname: prometheus
+    tailscale.com/tags: "tag:prod,tag:prometheus"
     tailscale.com/proxy-class: infra-stable
 spec:
   type: LoadBalancer

infrastructure/addons/rancher/rancher-tailscale-service.yaml

@@ -5,6 +5,7 @@ metadata:
   namespace: cattle-system
   annotations:
     tailscale.com/hostname: rancher
+    tailscale.com/tags: "tag:prod,tag:rancher"
     tailscale.com/proxy-class: infra-stable
 spec:
   type: LoadBalancer