chore(tailscale): update

nixos/secrets/tailscale.yaml

@@ -1,11 +1,8 @@
-tailscale-key-reisen: ENC[AES256_GCM,data:+1bVMPZuIY3JvjkoW6MPetYHwEwQvnEGLuq/Z8sz8hEo2/FUnyC6cuNTONwOSslUYAQH2pzMmvlukgZjPw==,iv:uFC2ye9+VivOI0zvGpnSLut00slDhrSWesNQigY0QYw=,tag:tahk1HX2YaqY6BFOlrKohg==,type:str]
-tailscale-key-gensokyo: ENC[AES256_GCM,data:x5H+5/7Q/3jnZMSyQYxbBRX1dsKnH6bfrXA/7iAH29dYhM+GJnzZGbJGSmWYxyVTBkxAEjZ52R4Jzh1MF1I=,iv:YitklVniLloLnKi74xz/zGHRO1/361zFSFOug076tE4=,tag:UcTW8mzHomxgDv6Nl23XBw==,type:str]
+tailscale-key-reisen: ENC[AES256_GCM,data:V9bVM2ZR2UR617JtpBe88NucelKftfYxHBp/pa9REZrWk4af1nCI76gicyrp8MzsU/zqsTVP/KhIgag0ZA==,iv:fmZbWzfWA+gqMbuD3llVgrM5AxzlsyVLU1d0QDsQr54=,tag:8I3nRnMQAjYahddZT0OtVA==,type:str]
+tailscale-key-meiling: ENC[AES256_GCM,data:uZN9RU2WihMZ6ZpKZKezVCwYRIp1SwGqELREIdvG6v10Xv2HWoqjAku1LdUUNCDmm7Ftst19JicRQAo86Oc=,iv:pooHdgQKrL7YxqF/65bbmtV5/tpvvsUh+x88dgILbe8=,tag:9RTIfDK5KEKjytQbDUon0Q==,type:str]
+tailscale-key-gensokyo: ENC[AES256_GCM,data:Og0yZZvf2oHLPqjeFIUxf+tA8hb5Z6kwDmYexcH8ZTerU7kd6DQwt9lgvEVUDZVQdYYXyEydGPo4RKIdYZE=,iv:AWd5a8QT9wnclENFQ1Sg+4J+OCaD+2VfxSPAmaOGGTo=,tag:sLcqyQBbtD6EpaV3GcBkjQ==,type:str]
 sops:
     shamir_threshold: 1
-    kms: []
-    gcp_kms: []
-    azure_kv: []
-    hc_vault: []
     age:
         - recipient: age12ze362pu5mza6ef9akrptr7hfe4auaqul4rkta7kyy2tnrstqensgmujeq
           enc: |
@@ -115,8 +112,8 @@ sops:
             SnUxWHJhZlNSM0JNb1h4cGQ3ZlNHajQKHyRMD8RVSTm7wzugq+aoUNbWi9oeIJI8
             xbN0jAdacSBA01DTIXuASrdMWEcQ+m0gjZCu9WdpuG0/o8CSUElfTg==
             -----END AGE ENCRYPTED FILE-----
-    lastmodified: "2024-09-05T20:54:01Z"
-    mac: ENC[AES256_GCM,data:nSmR/TD/I0XZNDZv7Iv8PQqVtm0kSWaW+jIvlPbc+rbHJFRboiU6+G6nEsjEQ+DHIa4u3Pj4DWc9m11kkSACMzOnPY7FEur1g4rDlypHE5nFmDuaCnonz8RsPL2M0nYK9ihEWKl3m5G7w/UEV76x3nVGg4h/pxeI2Hivc+2iFrU=,iv:oZIexRyzxEkYAvUqcpESGh2IZpvksacsbAZhkt+YxHU=,tag:2uX9zSWyd8tm9PVDPebC+Q==,type:str]
+    lastmodified: "2025-09-07T06:53:13Z"
+    mac: ENC[AES256_GCM,data:AKrKZ/9M7lNjsOwjKNpnEtPJaVs5k20SAB4CymwcwET7cpAasoxDKDwd2dRCqXMwR+ufOBq7zp6L1ZbbGCgj5xNYKvgk4tsknNGDp9WD0laHWMHS2eTRuT7TyajKiG0JBZ6XtR6NWN80shuuheYrWBX9D12aKU5Qp84AibV0kf4=,iv:tZigo6FOsGXB8gEABs4gpO/DWFiPLxwA5F3nWnYhs/Q=,tag:WxI2z7nMeZi3tIgO43lodw==,type:str]
     pgp:
         - created_at: "2025-06-14T18:51:35Z"
           enc: |-
@@ -154,4 +151,4 @@ sops:
             -----END PGP MESSAGE-----
           fp: 65BD3044771CB6FB
     unencrypted_suffix: _unencrypted
-    version: 3.9.0
+    version: 3.10.2

nixos/tailscale.nix

@@ -35,13 +35,14 @@ in {
     services.tailscale.enable = mkDefault true;
 
     sops.secrets.tailscale-key = let
-      keyReisen = "tailscale-key-reisen";
+      keyNode = "tailscale-key-${systemConfig.proxmox.node.name}";
       keyGenso = "tailscale-key-gensokyo";
-      sharedKeys = [keyReisen keyGenso];
+      # TODO: populate via lib.generate.nodeNames or something
+      sharedKeys = [keyGenso "tailscale-key-reisen" "tailscale-key-meiling"];
     in
       mkIf cfg.enable {
         key = mkMerge [
-          (mkIf (systemConfig.proxmox.enabled && systemConfig.proxmox.node.name == "reisen") (mkDefault keyReisen))
+          (mkIf systemConfig.proxmox.enabled (mkDefault keyNode))
           (mkIf (config.networking.domain == gensokyo-zone.lib.domain) (mkAlmostOptionDefault keyGenso))
         ];
         sopsFile = mkIf (elem config.sops.secrets.tailscale-key.key sharedKeys) (