nixos/tailscale: add authKeyFile option

Auth key registers new nodes without needing to sign in via a browser

Tailscale sends status changes with systemd-notify.
https://github.com/tailscale/tailscale/blob/v1.44.0/ipn/ipnlocal/local.go#L3670

nixos/modules/services/networking/tailscale.nix

@@ -49,6 +49,15 @@ in {
         When set to `server` or `both`, IP forwarding will be enabled.
       '';
     };
+
+    authKeyFile = mkOption {
+      type = types.nullOr types.path;
+      default = null;
+      example = "/run/secrets/tailscale_key";
+      description = lib.mdDoc ''
+        A file containing the auth key.
+      '';
+    };
   };
 
   config = mkIf cfg.enable {
@@ -82,6 +91,21 @@ in {
       stopIfChanged = false;
     };
 
+    systemd.services.tailscaled-autoconnect = mkIf (cfg.authKeyFile != null) {
+      after = ["tailscale.service"];
+      wants = ["tailscale.service"];
+      wantedBy = [ "multi-user.target" ];
+      serviceConfig = {
+        Type = "oneshot";
+      };
+      script = with pkgs; ''
+        status=$(${config.systemd.package}/bin/systemctl show -P StatusText tailscaled.service)
+        if [[ $status != Connected* ]]; then
+          ${pkgs.tailscale}/bin/tailscale up --auth-key 'file:${cfg.authKeyFile}'
+        fi
+      '';
+    };
+
     boot.kernel.sysctl = mkIf (cfg.useRoutingFeatures == "server" || cfg.useRoutingFeatures == "both") {
       "net.ipv4.conf.all.forwarding" = mkOverride 97 true;
       "net.ipv6.conf.all.forwarding" = mkOverride 97 true;