fix: stabilize tailscale enrollment without cloud-init rollback

Create /etc/tailscale before writing runtime key, add progress logging and unbuffered output in enroll script, and shorten guest-agent wait to fail faster when enrollment cannot run.

nixos/template-base/configuration.nix

@@ -49,6 +49,8 @@
       RemainAfterExit = true;
     };
     script = ''
+      install -d -m 0700 /etc/tailscale
+
       if [ ! -s /etc/tailscale/authkey ]; then
         exit 0
       fi
@@ -59,6 +61,7 @@
         ts_hostname="--hostname=$(cat /etc/tailscale/hostname)"
       fi
 
+      install -d -m 0700 /var/lib/tailscale
       rm -f /var/lib/tailscale/tailscaled.state
       ${pkgs.tailscale}/bin/tailscale up --reset --auth-key="$key" $ts_hostname