Fix Tailscale: separate systemd service for mesh connection

Problem: extraUpFlags in services.tailscale blocks boot if network
is not ready or Headscale is unreachable.

Solution:
- services.tailscale.enable = true (installs tailscale)
- Separate kawa-mesh-connect systemd service:
  - Waits for network-online.target
  - Waits for tailscaled.service
  - Connects to mesh after boot

Commands to verify:
  systemctl status tailscaled
  systemctl status kawa-mesh-connect
  tailscale status

nixos/kawa.nix

@@ -15,7 +15,7 @@ in
     hostname = mkOption {
       type = types.str;
       default = "kawa-node";
-      description = "Hostname du nœud KAWA (fixe, pas dynamique)";
+      description = "Hostname du nœud KAWA (fixe)";
     };
     
     headscaleUrl = mkOption {
@@ -27,43 +27,33 @@ in
     authKey = mkOption {
       type = types.str;
       default = "f43f36ef159b3df799eb316b81bdac1b415c7cc2add174d0";
-      description = "Clé d'authentification Headscale";
-    };
-    
-    natsServer = mkOption {
-      type = types.str;
-      default = "100.64.0.1:4222";
-      description = "Serveur NATS";
-    };
-    
-    enableOllama = mkOption {
-      type = types.bool;
-      default = false;
-      description = "Activer Ollama";
-    };
-    
-    enableSyncthing = mkOption {
-      type = types.bool;
-      default = true;
-      description = "Activer Syncthing";
+      description = "Clé d'authentification";
     };
   };
 
   config = mkIf cfg.enable {
-    # Hostname fixe (pas de lecture /sys)
     networking.hostName = cfg.hostname;
     
-    # Tailscale
+    # Tailscale - installation de base
     services.tailscale = {
       enable = true;
-      extraUpFlags = [
-        "--login-server=${cfg.headscaleUrl}"
-        "--authkey=${cfg.authKey}"
-        "--force-reauth"
-      ];
+      package = pkgs.tailscale;
     };
     
-    # NATS (options corrigées pour Nixpkgs récent)
+    # Connexion au mesh via systemd (après le boot)
+    systemd.services.kawa-mesh-connect = {
+      description = "KAWA Mesh Auto-Connect";
+      after = [ "network-online.target" "tailscaled.service" ];
+      wants = [ "network-online.target" ];
+      wantedBy = [ "multi-user.target" ];
+      serviceConfig = {
+        Type = "oneshot";
+        RemainAfterExit = true;
+        ExecStart = "${pkgs.tailscale}/bin/tailscale up --login-server=${cfg.headscaleUrl} --authkey=${cfg.authKey} --force-reauth";
+      };
+    };
+    
+    # NATS
     services.nats = {
       enable = true;
       settings = {
@@ -72,21 +62,6 @@ in
       };
     };
     
-    # Ollama (optionnel)
-    services.ollama = mkIf cfg.enableOllama {
-      enable = true;
-      acceleration = null; # CPU uniquement
-      host = "0.0.0.0";
-      port = 11434;
-    };
-    
-    # Syncthing
-    services.syncthing = mkIf cfg.enableSyncthing {
-      enable = true;
-      user = "kawa";
-      group = "kawa";
-    };
-    
     # SSH
     services.openssh = {
       enable = true;
@@ -98,27 +73,14 @@ in
     
     # Firewall
     networking.firewall = {
-      allowedTCPPorts = [ 22 4222 22000 11434 ];
+      allowedTCPPorts = [ 22 4222 22000 ];
       allowedUDPPorts = [ 41641 22000 ];
       trustedInterfaces = [ "tailscale0" ];
     };
     
-    # Utilisateur KAWA
-    users.users.kawa = {
-      isNormalUser = true;
-      extraGroups = [ "wheel" "networkmanager" "tailscale" ];
-      initialPassword = "kawa2026";
-    };
-    
     # Packages
     environment.systemPackages = with pkgs; [
-      git
-      vim
-      tailscale
-      nats-cli
-      curl
-      wget
-      htop
+      git vim tailscale nats-cli curl wget htop
     ];
   };
 }