fix: only clean stale Tailscale names before proxies exist

The Tailscale cleanup role was deleting reserved service hostnames on later
deploy runs, which removed the live Rancher/Grafana/Prometheus/Flux proxy
nodes from the tailnet. Skip cleanup whenever the current cluster already has
those Tailscale services, while still allowing cleanup on fresh rebuilds.

ansible/site.yml

@@ -116,6 +116,16 @@
   roles:
     - doppler-bootstrap
 
+- name: Detect existing Tailscale service proxies
+  hosts: control_plane[0]
+  become: true
+  tasks:
+    - name: Check for current Tailscale service hostnames
+      command: kubectl get svc -A -o jsonpath='{range .items[*]}{.metadata.annotations.tailscale\.com/hostname}{"\n"}{end}'
+      register: existing_tailscale_hostnames
+      changed_when: false
+      failed_when: false
+
 - name: Clean up stale Tailscale devices
   hosts: localhost
   connection: local
@@ -125,9 +135,14 @@
       - grafana
       - prometheus
       - flux
-
+  tasks:
-  roles:
+    - name: Delete stale devices only before service proxies exist
-    - tailscale-cleanup
+      include_role:
+        name: tailscale-cleanup
+      when: >-
+        hostvars[groups['control_plane'][0]].existing_tailscale_hostnames.stdout_lines | default([])
+        | intersect(tailscale_reserved_hostnames)
+        | length == 0
 
 - name: Finalize
   hosts: localhost