Best practices for rotating Tailscale auth keys on headless VPS fleet?
We run about 12 headless VPS nodes across Hetzner and OVH, all connected via Tailscale. The auth keys expire every 180 days and we've been manually rotating them one by one via the admin console, which is painful at 2am when a node drops.

Has anyone here automated key rotation? Specifically:

- Do you use a central orchestrator that SSHes into each node, runs `tailscale up --authkey=<new>`, and verifies connectivity before moving to the next?
- Or do you rely on Tailscale OAuth + a service account that auto-renews?
- What's your rollback strategy when a node fails to re-auth and you've lost SSH access (only the Tailscale IP was in the allowlist)?

We're considering writing a small Python orchestrator that (1) generates new auth keys via the Tailscale API, (2) SSHes in sequentially, (3) verifies ping over Tailscale, and (4) moves on. But I'm curious if there's a simpler approach we're missing.

Not looking for vendor recommendations, just operational patterns that worked in practice.
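The following is an added example of the sequential orchestrator sketched in the post, not the poster's own code. Two caveats first: what runs out every 180 days on a node is the node's key (the "Key expiry" shown per machine in the admin console), and `tailscale up --force-reauth --authkey=...` is what resets it; the admin console can also disable key expiry per machine, which for a tagged, non-user server fleet is often the simpler answer. The script mints one single-use, pre-authorized, short-lived key per node instead of one reusable key, arms an escape hatch on the node before touching tailscaled (a time-limited ufw rule allowing SSH from the orchestrator's public IP), detaches `tailscale up` because the SSH session riding the tailnet drops when the node key changes, and judges success by polling `tailscale status --json` rather than by exit codes. Assumed and not from the post: the orchestrator is itself on the tailnet with `tailscale` and `ssh` on PATH, `TS_API_TOKEN` holds an API access token, the SSH user has passwordless sudo, nodes run ufw and systemd, and `TAILNET`, `NODES`, `BASTION_IP` and `tag:vps` are placeholders.

```python
"""Sequential Tailscale re-auth for a headless VPS fleet (added example).

Assumed, not from the post: orchestrator on the tailnet with `tailscale`
and `ssh` on PATH; TS_API_TOKEN = API access token; passwordless sudo,
ufw and systemd on nodes; TAILNET, NODES, BASTION_IP, tag:vps placeholders.
"""
import base64
import json
import os
import subprocess
import time
from datetime import datetime, timedelta, timezone
from urllib import request

TAILNET = "example.com"        # placeholder tailnet name
NODES = ["vps-01", "vps-02"]   # placeholder MagicDNS names of the nodes
BASTION_IP = "203.0.113.10"    # placeholder public IP of this orchestrator
API = "https://api.tailscale.com/api/v2"


def build_key_request(tags, expiry_seconds=600):
    """Body for POST /tailnet/{tailnet}/keys: one single-use, pre-authorized,
    tagged key that expires in ten minutes, so a leaked key is worth little."""
    return {
        "description": "fleet-rotate",
        "expirySeconds": expiry_seconds,
        "capabilities": {"devices": {"create": {
            "reusable": False, "ephemeral": False,
            "preauthorized": True, "tags": tags}}},
    }


def create_auth_key(tags):
    """Mint one key via the API (HTTP Basic: token as user, empty password)."""
    cred = base64.b64encode((os.environ["TS_API_TOKEN"] + ":").encode()).decode()
    req = request.Request(f"{API}/tailnet/{TAILNET}/keys", method="POST",
                          data=json.dumps(build_key_request(tags)).encode(),
                          headers={"Authorization": "Basic " + cred,
                                   "Content-Type": "application/json"})
    with request.urlopen(req, timeout=15) as resp:
        return json.load(resp)["key"]


def node_healthy(status_json, expected_ip, now):
    """Judge `tailscale status --json` from the node after re-auth: backend
    Running and online, same Tailscale IP as before, KeyExpiry moved well out."""
    st = json.loads(status_json)
    me = st.get("Self") or {}
    if st.get("BackendState") != "Running" or not me.get("Online"):
        return False
    if expected_ip not in me.get("TailscaleIPs", []):
        return False
    exp = me.get("KeyExpiry")
    if not exp:
        return False
    # Go emits RFC 3339 with nanoseconds; keep only the seconds part.
    exp_dt = datetime.strptime(exp[:19], "%Y-%m-%dT%H:%M:%S").replace(tzinfo=timezone.utc)
    return exp_dt - now > timedelta(days=30)


def ssh(node, cmd, stdin=None):
    """BatchMode so a host-key or password prompt can never hang the rollout."""
    return subprocess.run(["ssh", "-o", "BatchMode=yes", "-o", "ConnectTimeout=10",
                           node, cmd], input=stdin, text=True,
                          capture_output=True, timeout=120)


def arm_escape_hatch(node, minutes=15):
    """Before touching tailscaled, allow SSH from the bastion's public IP and
    schedule the rule's removal: a failed re-auth is then a page, not a lockout."""
    rule = f"allow from {BASTION_IP} to any port 22 proto tcp"
    return ssh(node, f"sudo ufw {rule} && "
                     f"sudo systemd-run --on-active={minutes}m ufw delete {rule}")


def rotate_node(node):
    before = ssh(node, "tailscale ip -4")
    if before.returncode != 0:
        return False, f"{node}: unreachable before rotation, skipped"
    ip = before.stdout.strip()
    if arm_escape_hatch(node).returncode != 0:
        return False, f"{node}: could not arm escape hatch, skipped"
    key = create_auth_key(["tag:vps"])
    # The SSH session rides the tailnet and drops when the node key changes,
    # so the key goes in over stdin (never ssh argv) and `tailscale up` is
    # detached with setsid; the verdict comes from polling, not exit codes.
    ssh(node, 'read -r K && sudo setsid -f tailscale up --force-reauth '
              '--timeout=60s --authkey="$K"', stdin=key + "\n")
    for _ in range(12):
        time.sleep(5)
        after = ssh(node, "tailscale status --json")
        if after.returncode == 0 and node_healthy(after.stdout, ip,
                                                  datetime.now(timezone.utc)):
            ping = subprocess.run(["tailscale", "ping", "--c", "3",
                                   "--timeout", "5s", ip], capture_output=True)
            return ping.returncode == 0, f"{node}: re-authed, ping rc={ping.returncode}"
    return False, (f"{node}: FAILED; SSH from {BASTION_IP} stays open for a few "
                   f"more minutes, fix it now")


if __name__ == "__main__":
    for n in NODES:           # one node at a time; stop at the first failure
        ok, msg = rotate_node(n)
        print(msg)
        if not ok:
            raise SystemExit(1)
```

Two operational notes. If the nodes were originally brought up with extra flags (`--ssh`, `--advertise-tags`, routes), repeat them on the `tailscale up` line, since `tailscale up` refuses to silently drop previously set non-default flags. The key is still briefly visible in the node's process list while `tailscale up` runs; the ten-minute, single-use, pre-authorized key keeps that exposure cheap, and stopping at the first failure keeps you at one broken node with an open escape hatch instead of twelve.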