feat(networking): use client-id and client-secret for tailscale auth

modules/nixos/default.nix

@@ -95,7 +95,6 @@ in
       age.sshKeyPaths = [ "/persist/home/rafiq/.ssh/id_ed25519" ];
       secrets = {
         "keys/openrouter" = { };
-        "keys/tailscale" = { };
         "keys/gemini" = { };
         "keys/cvt-jira" = { };
         "keys/cloudflare" = { };
@@ -104,6 +103,8 @@ in
         "rafiq/hashedPassword".neededForUsers = true;
         "rafiq/personalEmailPassword" = { };
         "rafiq/workEmailPassword" = { };
+        "tailscale/client-id" = { };
+        "tailscale/client-secret" = { };
       };
     };
     environment.shellInit = # sh

modules/nixos/networking/default.nix

@@ -17,7 +17,8 @@ in
 
   services.tailscale = {
     enable = true;
-    authKeyFile = config.sops.secrets."keys/tailscale".path;
+    authKeyFile = config.sops.secrets."tailscale/client-secret".path;
+    authKeyParameters.preauthorized = true;
   };
   persistDirs = singleton "/var/lib/tailscale";
 }

secrets/secrets.yaml

@@ -5,7 +5,6 @@ rafiq:
     oldSMBCredentials: ENC[AES256_GCM,data:aY41trUJcvGa584H0A==,iv:3h9AZ33HXWT4D/vGMyy/o+TXyGg75Ixcj3+h2EskvIQ=,tag:dDo55h1ljOYLZBHn9bK7ew==,type:str]
 keys:
     openrouter: ENC[AES256_GCM,data:Uddc0leKVD2xxpvDpsTJV3qZ4oe89Uz6dJMuzF/TeI5iIrG+DNIAYPcnIQiA6LDScO9mag8XNiYpYH7lyMnUg1cvThChiVhO+A==,iv:RHSrL/L74dSvLKAvGwyMME53RzKr2+RDnI8xBpDJVng=,tag:d81mr26SeStmAa8UgEF/LA==,type:str]
-    tailscale: ENC[AES256_GCM,data:sW64TZY/GtWD+8KOQDHYvnwzWiqOlsJ5782utaxVwUaiWa18hU+Ppd3gp/8f0R3rK6gskaPC22iuCuzvuA==,iv:TN2zWKgU6eXH3uaL7Ci2JKmo8Ql4DUSWS3Lxfnag7j4=,tag:s5of4wLdCp6b5VMGWLLxvw==,type:str]
     gemini: ENC[AES256_GCM,data:t4XTzJLMbHBG7LNaWMwO0YyYHREYOp4Zn95Kwshunnpwq9ezVv+0,iv:ZHq1ytak7Qy5a/zHghwEIWRinDWAkk2Vxw4iu/Q/UPk=,tag:Wyk0FqLTOWelznWHg/anxg==,type:str]
     cvt-jira: ENC[AES256_GCM,data:y9enN905hAxp9F6TPcnYdcnA7VQQjTsysltBn7k9CVtOYUDBX5UKCbO4VEE=,iv:Hy/RshBTSFqEVlHq/fi/UqNdbzBvMaBmXnSHAz0WplY=,tag:bBgB+HJdHRu4bg/f9vq9nw==,type:str]
     cloudflare: ENC[AES256_GCM,data:nrtHnQR0Oon9BrSN0AeAjl8H8B7quuwSu/Qjabe9HFpWgcZq9n1JCA==,iv:ovyHqy5iKXDYXe4H7eRA51+kODhP+vAWoc98cS/6zG0=,tag:JyktO6EMRZ00CRhTb03+fg==,type:str]
@@ -19,6 +18,9 @@ librechat:
     jwt_refresh_secret: ENC[AES256_GCM,data:/4X6h51oRRaOg7UZ/zUcS1L8QyFnhsTYrz8D6R3ZP/tFAEMO/IfYJHHQQ8UtgKjAEwIVYcpIco8lUDhm06folw==,iv:02/LgoiMZ6MzBSd+JAi+iuF3dzqsVyqX6gQfWPY8sIc=,tag:5VrCh7ZKNJD3ynjcyQpVyg==,type:str]
 matterbridge:
     mattermost-password: ENC[AES256_GCM,data:sMk4M2gADl1iPA7XEH1/D3sw,iv:YnTYTo0NVJVLtS/uhaodoCuyDqJf6IKCojKFljKSFCE=,tag:8vEK0RyxopiPUcML6hwqpg==,type:str]
+tailscale:
+    client-id: ENC[AES256_GCM,data:YxL4lpnSpz+UQQdoVK/KC/o=,iv:ZGV/ZAdvpmUUlRcbP60ALcxMVzdiXiAxedRyl4sZbaQ=,tag:18Qmvw9aK8CaUUKXE7C7MA==,type:str]
+    client-secret: ENC[AES256_GCM,data:+PZ3iqj/s6HOoCZJqglt+uzGXy5bJmnqqt7dQReZj/5HTNUlE+QqnCdXNoQkGqnuZ/TN44AExZpowh6NXYyGVQ==,iv:LCZgNZz7qCfk1zXcZTczSoA0a9BF36sV+IpB+ce73P0=,tag:E/vVE6persTCPKbOvvmTjw==,type:str]
 sops:
     age:
         - recipient: age12l33pas8eptwjc7ewux3d8snyzfzwz0tn9qg5kw8le79fswmjgjqdjgyy6
@@ -30,7 +32,7 @@ sops:
             WXFKbjNMWDF0LzNyekJJMGFva2diemcKQTc8ODuK6IWqRhulHiCF92aU+3p23riY
             M94Nzh+VT6QTFOgb3J7bBJMLhRH/fkQb6L6ia2n9QrVXFyYYMJ0oBw==
             -----END AGE ENCRYPTED FILE-----
-    lastmodified: "2025-06-17T19:11:07Z"
-    mac: ENC[AES256_GCM,data:EVDPzk2P284ULwMx/hCQeP4eehIiqx5OxhNDc17KhjRv19iPUjzhX7/SQy+r34ZfiKSFnB2W3zmhl6JtGqme10v4xZDT+D5wBLrYU7h4ylht65iDo0Eaw38TNLXPNqfNlKWqTcpgvMpez26CdL/7v3bUKU0aLYX0HkVxl2CQt5g=,iv:gujsDVgpH7RajOliQxL7Unkm24Xqp7BEeYtUMyXq2oc=,tag:KdKXPJ4cF2myFe4vJ1/YnQ==,type:str]
+    lastmodified: "2025-06-29T19:38:14Z"
+    mac: ENC[AES256_GCM,data:vn5y4Jlbv6foOB15XWE8kVsxIfTqswUDNsOoOyL/84AZtD69E5QpiUE6ed1DmQAcKxEI/H8OYbdijFYJ5jB8CGp8huwuQ4h+dYKDV+OtX7uk6w2E31fcJ54xCYdpHA3rTyiEh3S5aS+YLcEsHWmHlwebBxYg3tIwXDSOcVrIGgo=,iv:KfpSrigxu8dxjHO1sINTAuZ0mfRVsHsliqHRxfWQq4E=,tag:z3lBzeBETxZOQ9/hSFd/cg==,type:str]
     unencrypted_suffix: _unencrypted
     version: 3.10.2