nginx just has a lower barrier to entry (imo) if you’re not looking to sign your own certs. Caddy is great for that.
That said, I didn’t know Caddy had a beta feature for serving Tailscale certs automatically. So I incorrectly thought you were barking up the completely wrong tree, which you apparently are not. I’ll look at your tech details more.