refactor: move tailscale join fully into cloud-init

Remove guest-agent enrollment workflow, pass TS auth key through Terraform variables/secrets, and run tailscale up with tag:k8s during cloud-init bootstrap alongside SSH key injection.

terraform/cloud-init.tf

@@ -2,9 +2,8 @@ data "template_file" "cloud_init_global" {
   template = file("${path.module}/files/cloud_init_global.tpl")
 
   vars = {
-    hostname       = "generic"
-    domain         = "home.arpa"
     SSH_KEY_PUBLIC = var.SSH_KEY_PUBLIC
+    TS_AUTHKEY     = var.TS_AUTHKEY
   }
 }
 

terraform/files/cloud_init_global.tpl

@@ -1,5 +1,4 @@
 #cloud-config
-hostname: ${hostname}
 manage_etc_hosts: true
 resolv_conf:
   nameservers:
@@ -7,9 +6,12 @@ resolv_conf:
     - 1.1.1.1
 
 preserve_hostname: false
-fqdn: ${hostname}.${domain}
 
 users:
   - name: micqdf
     ssh_authorized_keys:
       - ${SSH_KEY_PUBLIC}
+
+runcmd:
+  - [ /run/current-system/sw/bin/sh, -lc, "install -d -m 700 /var/lib/tailscale && rm -f /var/lib/tailscale/tailscaled.state" ]
+  - [ /run/current-system/sw/bin/sh, -lc, "/run/current-system/sw/bin/tailscale up --reset --auth-key='${TS_AUTHKEY}' --hostname='$(hostname)' --advertise-tags='tag:k8s'" ]

terraform/variables.tf

@@ -71,3 +71,9 @@ variable "SSH_KEY_PUBLIC" {
   type        = string
   description = "Public SSH key injected via cloud-init"
 }
+
+variable "TS_AUTHKEY" {
+  type        = string
+  sensitive   = true
+  description = "Tailscale auth key used during cloud-init enrollment"
+}