nixos: tailscale auto-connect via agenix auth key

nixos/tailscale.nix

@@ -6,5 +6,54 @@ makeEnable config "myModules.tailscale" true {
 
   # Handy even if you only enable the service and run `tailscale up` manually.
   environment.systemPackages = [ pkgs.tailscale ];
-}
 
+  # Optional: unattended enrollment using a pre-auth key stored in agenix.
+  #
+  # Plaintext content "DISABLED" means "do nothing".
+  age.secrets.tailscale-authkey = {
+    file = ./secrets/tailscale-authkey.age;
+    owner = "root";
+    group = "root";
+    mode = "0400";
+  };
+
+  systemd.services.tailscale-autoconnect = {
+    description = "Auto-connect Tailscale (optional, via agenix auth key)";
+    wantedBy = [ "multi-user.target" ];
+    after = [ "network-online.target" "tailscaled.service" "agenix.service" ];
+    wants = [ "network-online.target" "tailscaled.service" ];
+
+    unitConfig = {
+      ConditionPathExists = config.age.secrets.tailscale-authkey.path;
+    };
+
+    serviceConfig = {
+      Type = "oneshot";
+      RemainAfterExit = true;
+    };
+
+    script = ''
+      set -euo pipefail
+
+      key_file='${config.age.secrets.tailscale-authkey.path}'
+      if [ ! -s "$key_file" ]; then
+        exit 0
+      fi
+      if [ "$(cat "$key_file")" = "DISABLED" ]; then
+        exit 0
+      fi
+
+      state="$(${pkgs.tailscale}/bin/tailscale status --json 2>/dev/null | ${pkgs.jq}/bin/jq -r '.BackendState // empty' || true)"
+      if [ "$state" = "Running" ]; then
+        exit 0
+      fi
+
+      # First-time (or post-logout) login.
+      ${pkgs.tailscale}/bin/tailscale up \\
+        --auth-key "file:$key_file" \\
+        --accept-dns=true \\
+        --operator=imalison \\
+        --timeout=60s
+    '';
+  };
+}