feat(network): route tailscale dns through adguard

- Configure Headscale to use the VPS Tailscale IP (100.64.0.3) as the global DNS server instead of external providers.

- Add firewall rules to allow DNS requests over the `tailscale0` interface.

- Add iptables PREROUTING rules to redirect standard DNS (port 53) from Tailscale clients to AdGuard Home (port 5353) to resolve port conflicts with `aardvark-dns`.

modules/headscale.nix

@@ -105,8 +105,7 @@ in
           domains = [ ];
           nameservers = {
             global = [
-              "https://dns.mullvad.net/dns-query"
-              "https://dns.quad9.net/dns-query"
+              "100.64.0.3"
             ];
           };
           override_local_dns = true;