I have a suspicion you're using Headscale? If so, I urge you to consider Ionscale. I use it with Authentik as the IdP.

Personally commiting to using Tailscale as a core foundation of my infrastructure and Ionscale is my hedge against getting Hashicorped.

> Service discovery is basically just Docker's internal DNS. Caddy-docker-proxy can use it to find healthy upstreams

Do you have a writeup of this somewhere? I'm unaware of being able to manage Docker's internal DNS over some kind of an API (would appreciate if you know a way to). The only way I know is to manipulate network aliases via Docker Engine API. As a result I use Hickory DNS with RFC 2136. That coupled with Caddy-docker-proxy gets me extremely close.