Use Tailscale app connector for ArgoCD

We should be able to expose ArgoCD over an App Connector, keeping it locked down to machines in the tailnet, while also giving it a public DNS record and TLS certificate. Then it should be easy to do `argocd app diff` with the CLI locally or in Github Actions.