Overview
The package description could be improved.
There's no package Group, it would be nice to set, probably required.
It would be better to rewrite the build stage as:
go build -v -buildmode=pie -mod=vendor -ldflags "-s -w -X tailscale.com/version.shortStamp=%{version} -X tailscale.com/version.gitCommitStamp=%{commit}" -o tailscale ./cmd/tailscale
go build -v -buildmode=pie -mod=vendor -ldflags "-s -w -X tailscale.com/version.shortStamp=%{version} -X tailscale.com/version.gitCommitStamp=%{commit}" -o tailscaled ./cmd/tailscaled
The for loop and the many exports are not needed.
tailscaled.defaults and tailscaled.service should be source files IMHO, security team often patches service files, if you leave it in the source tarball it won't be easy to catch these files and if they are, it will be harder to patch it.