Require tun device and trust Tailscale interface in firewall

flakes/common/nix_modules/tailnet.nix

@@ -20,6 +20,16 @@
       "--no-logs-no-support"
     ];
   };
+
+  systemd.services.tailscaled = {
+    after = [
+      "systemd-modules-load.service"
+      "dev-net-tun.device"
+    ];
+    wants = [ "dev-net-tun.device" ];
+    requires = [ "dev-net-tun.device" ];
+  };
+
   networking.firewall.trustedInterfaces = [ config.services.tailscale.interfaceName ];
   networking.firewall.checkReversePath = "loose";
 }