fix(tailscale): reset stale serve state on restart

- Purpose: backport PR #2600 to the 7.2 branch so Docker template changes clear old Tailscale Serve and Funnel exposure.\n- Before: switching a container from Funnel or Serve to No removed the env vars but left the persisted Tailscale serve/funnel config active after restart.\n- Why: the container hook only applied new serve settings when TAILSCALE_SERVE_PORT was present and never reset existing serve state stored in the Tailscale state directory.\n- What: reset both tailscale funnel and tailscale serve state after tailscale comes online, then reapply the current template-managed mode when configured.\n- How: add explicit reset commands before the Serve/Funnel capability check and before issuing any new serve or funnel command.\n- Source: cherry-picked from b90ca2f.

Author: elibosley

share/docker/tailscale_container_hook

@@ -298,6 +298,13 @@ while true; do
   sleep 2
 done
 
+# Clear persisted Serve/Funnel state before applying the current template mode.
+# Without this, switching the template from Funnel/Serve to No leaves the old
+# config active in the existing Tailscale state directory after restart.
+echo "Resetting Tailscale Serve/Funnel configuration"
+tailscale funnel reset >/dev/null 2>&1 || true
+tailscale serve reset >/dev/null 2>&1 || true
+
 if [ ! -z "${TAILSCALE_SERVE_PORT}" ] && [ "$(tailscale status --json | jq -r '.CurrentTailnet.MagicDNSEnabled')" != "false" ] && [ -z "$(tailscale status --json | jq -r '.Self.Capabilities[] | select(. == "https")')" ]; then
   echo "ERROR: Enable MagicDNS and HTTPS on your Tailscale account to use Tailscale Serve/Funnel."
   echo "See: https://tailscale.com/kb/1153/enabling-https"