The easiest way I found is to use caddy which already has tailscale support and will fetch a certificate for hosts behind your tailnet address.
The easiest way I found is to use caddy which already has tailscale support and will fetch a certificate for hosts behind your tailnet address.