The bpg/proxmox provider has to reach london-a's API and node, which only
live on the tailnet, during plan and apply. Add a setup-tailnet composite
action (Tailscale via the CI OAuth client + the deploy SSH key in an agent)
and use it in the terraform plan/apply and validate workflows. Pin the
provider's node SSH address to london-a's Tailscale IP so it isn't reached
via the API-reported LAN address.