Add secrets-bao module and conditional Tailnet headscale auth

flakes/common/nix_modules/tailnet.nix

@@ -4,17 +4,9 @@
   lib,
   ...
 }:
-let
-  hasSecret =
-    secret:
-    let
-      secrets = config.age.secrets or { };
-    in
-    secrets ? ${secret} && secrets.${secret} != null;
-in
 {
   environment.systemPackages = with pkgs; [ tailscale ];
-  services.tailscale = lib.mkIf (hasSecret "headscale_auth") {
+  services.tailscale = {
     enable = true;
     openFirewall = true;
     useRoutingFeatures = "client";