The bpg/proxmox provider has to reach london-a's API and node, which only
live on the tailnet, during plan and apply. Add a setup-tailnet composite
action (Tailscale via the CI OAuth client + the deploy SSH key in an agent)
and use it in the terraform plan/apply and validate workflows. Pin the
provider's node SSH address to london-a's Tailscale IP so it isn't reached
via the API-reported LAN address.
The SOPS install + version, the decrypt loop, the OpenTofu version, and
the Backblaze backend-credential extraction were copy-pasted across
terraform.yml (twice), validate-terraform.yml, and _deploy-core.yml.
A version bump meant editing the same string in up to four places and
was easy to do partially.
Pull them into three local composite actions so each is defined once:
- setup-tofu (pins OpenTofu version)
- sops-decrypt (installs SOPS, decrypts *.enc.* in place)
- tofu-backend-creds (exports Backblaze S3 creds to GITHUB_ENV)
Behaviour is unchanged; sops-decrypt also matches *.enc.env everywhere
(previously only _deploy-core did), which is a no-op in terraform/.