If you somewhat want to avoid this, get a wildcard certificate (LE supports them: https://community.letsencrypt.org/t/acme-v2-production-envir...
Then all they know is the main domain, and you can somewhat hide in obscurity.
Correct, that's what I did with caddy, which is now periodically renewing my wildcard certificate through a DNS-01 challenge.
Unfortunately they are a bit extra bothersome to automate (depending on your DNS provider/setup) because of the DNS CNAME-method validation requirement.
Yep, but this comes with a tradeoff: all of your services now have a valid key/cert for your whole domain, significantly increasing the blast radius if one service is compromised.
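Two things in this thread are easy to get wrong in practice: what the DNS-01 challenge actually asks the DNS provider to publish (the part that makes wildcard automation awkward), and which hosts a wildcard certificate really covers (the blast radius point). The script below is an added example, not code from the thread or from caddy or Let's Encrypt; it implements the key-authorization and TXT-record computation from RFC 8555 section 8.4 with the JWK thumbprint of RFC 7638, and RFC 6125-style wildcard name matching. The account key and the host list are constructed placeholders.

```python
import base64
import hashlib
import json

def b64url(data: bytes) -> str:
    """base64url without padding, as ACME (RFC 8555) and JWK (RFC 7638) require."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")

# Constructed EC P-256 account key (public part only). The x/y values are
# placeholders, not a real key pair; only kty/crv/x/y enter the thumbprint.
ACCOUNT_JWK = {
    "kty": "EC",
    "crv": "P-256",
    "x": b64url(bytes(range(32))),
    "y": b64url(bytes(range(32, 64))),
}

# RFC 7638 section 3.2: required members per key type, in lexicographic order.
REQUIRED_MEMBERS = {"EC": ("crv", "kty", "x", "y"), "RSA": ("e", "kty", "n")}

def jwk_thumbprint(jwk: dict) -> str:
    """SHA-256 over the canonical JSON (no whitespace, sorted keys) of the required members."""
    members = REQUIRED_MEMBERS[jwk["kty"]]
    canonical = json.dumps({k: jwk[k] for k in members},
                           separators=(",", ":"), sort_keys=True)
    return b64url(hashlib.sha256(canonical.encode("utf-8")).digest())

def dns01_txt_value(token: str, jwk: dict) -> str:
    """TXT record value = base64url(SHA-256(token + "." + thumbprint)) (RFC 8555 section 8.4)."""
    key_authorization = f"{token}.{jwk_thumbprint(jwk)}"
    return b64url(hashlib.sha256(key_authorization.encode("utf-8")).digest())

def dns01_record(identifier: str, token: str, jwk: dict):
    """Return (record name, TXT value) the ACME client must publish for one authorization.

    For a wildcard identifier the record sits at the base name, so a client
    (or the DNS API it drives) needs write access to _acme-challenge.<zone>.
    """
    base = identifier[2:] if identifier.startswith("*.") else identifier
    return (f"_acme-challenge.{base}", dns01_txt_value(token, jwk))

def cert_name_covers(san: str, host: str) -> bool:
    """RFC 6125-style match: '*' only as the whole left-most label, matching exactly one label."""
    san, host = san.lower().rstrip("."), host.lower().rstrip(".")
    if not san.startswith("*."):
        return san == host
    san_labels = san.split(".")[1:]
    host_labels = host.split(".")
    return len(host_labels) == len(san_labels) + 1 and host_labels[1:] == san_labels

def blast_radius(sans, hosts):
    """Hosts for which a leaked key/cert with these SANs would be accepted by clients."""
    return sorted(h for h in hosts if any(cert_name_covers(s, h) for s in sans))

# Constructed inventory of hosts run behind one reverse proxy.
HOSTS = ["git.example.com", "mail.example.com", "example.com",
         "dev.git.example.com", "example.org"]

if __name__ == "__main__":
    name, value = dns01_record("*.example.com", "constructed-token", ACCOUNT_JWK)
    print(f"publish TXT {name} -> {value}")
    print("wildcard covers:", blast_radius(["*.example.com"], HOSTS))
    print("per-host covers:", blast_radius(["git.example.com"], HOSTS))
```

Note that `*.example.com` does not cover the apex `example.com` (that needs its own SAN) and does not cover `dev.git.example.com`; everything one label below the zone, on every service sharing the certificate, is in scope if any one of them leaks the private key.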