fix: make tailscale enrollment clone-safe and hostname-aware

Reset cloned tailscale state before first join, remove one-shot marker dependency, and allow workflow host entries in host=hostname format so nodes join with VM-aligned tailscale names.

nixos/template-base/configuration.nix

@@ -49,20 +49,21 @@
       RemainAfterExit = true;
     };
     script = ''
-      if [ -f /var/lib/tailscale/.joined ]; then
-        exit 0
-      fi
-
       if [ ! -s /etc/tailscale/authkey ]; then
         exit 0
       fi
 
       key="$(cat /etc/tailscale/authkey)"
-      ${pkgs.tailscale}/bin/tailscale up --auth-key="$key" --hostname="$(hostname)"
+      ts_hostname=""
+      if [ -s /etc/tailscale/hostname ]; then
+        ts_hostname="--hostname=$(cat /etc/tailscale/hostname)"
+      fi
+
+      rm -f /var/lib/tailscale/tailscaled.state
+      ${pkgs.tailscale}/bin/tailscale up --reset --auth-key="$key" $ts_hostname
 
-      install -d -m 0700 /var/lib/tailscale
-      touch /var/lib/tailscale/.joined
       rm -f /etc/tailscale/authkey
+      rm -f /etc/tailscale/hostname
     '';
   };