One thing that wasn’t mentioned: I can use *.internal.domain.com and not have that routed on public DNS (using my own DNS with pihole + unbound or adguard). Of course still valid certificate for that domain.

It feels good using a domain name I can type it and secondly *.domain.com IS publically routed, meaning all external services go there. The internal stuff I can only access via Tailscale (which automatically uses my dns).