Nextcloud on Tailscale and Caddy for certs

Hello, all. I’m hoping someone can help me out. I have a Nextcloud web server running on AlmaLinux (non-container) using Apache and MariaDB as the backend. I use Nextcloud strictly on my LAN, and it is not exposed externally. If I absolutely have to access it externally, I use Tailscale. As far as HTTPS goes, I have a self-signed cert I created. However, I have found that some services in Nextcloud (Talk) just won’t work on Tailscale without a valid cert. I found a Tailscale write-up about using Caddy for HTTPS certs (Caddy certificates on Tailscale · Tailscale). I am not fluent in Caddy and just learned about it today. Does anyone know if I can still run Caddy on my Nextcloud server for certs only? Would there be any interference with Apache in this case?

Or, do I not use Caddy and just set up the standard Tailscale cert (Enabling HTTPS · Tailscale)? Or, just set up a separate Caddy reverse proxy server to point at my Nextcloud server?

This is what I am trying to do and hopefully someone can answer my questions:

Hopefully someone here can answer my questions from the graphic.

  1. Is it possible to have two different certs on the web server?
  2. Is a reverse proxy required in this scenario?
  3. If a reverse proxy is required, is that a separate server or can it be set up on the Nextcloud web server?

I would recommend just using Caddy as the web server, and let Nextcloud run using php-fpm. This way you can serve it under various domain names with certificates of your choice, or even using the Tailscale-provided ones. I use that on my servers to be able to expose various services for admin purposes on my tailnet and have others exposed using Let's Encrypt. If you have used Caddy for a while you will never go back to Apache.
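The setup this reply recommends, written out as an added example Caddyfile (not posted by anyone in the thread and not Nextcloud's or Caddy's official configuration). It also covers question 1 above: one Caddy instance serves the same Nextcloud install under two names with two different certificates, a `*.ts.net` MagicDNS name with a Tailscale-issued certificate and a LAN name with a certificate from Caddy's built-in internal CA. The hostnames, the install path `/var/www/nextcloud` and the php-fpm socket path `/run/php-fpm/www.sock` are assumptions; substitute your own.

```caddyfile
# Added example Caddyfile (not from the thread). Assumptions:
#   - Nextcloud files live in /var/www/nextcloud (placeholder path)
#   - php-fpm listens on unix:/run/php-fpm/www.sock (placeholder path)
#   - tailscaled runs on this host, and Caddy is the only process bound to
#     ports 80/443 (Apache must be stopped or moved off those ports first)

# Shared Nextcloud site definition; each hostname below imports it and
# only adds its own certificate source.
(nextcloud) {
	root * /var/www/nextcloud
	encode zstd gzip

	# Security headers Nextcloud's setup check expects to see
	header {
		Strict-Transport-Security "max-age=15552000; includeSubDomains"
		X-Content-Type-Options nosniff
		X-Frame-Options SAMEORIGIN
		Referrer-Policy no-referrer
		X-Permitted-Cross-Domain-Policies none
		X-Robots-Tag "noindex, nofollow"
		-X-Powered-By
	}

	# Service-discovery redirects that CalDAV/CardDAV clients rely on
	redir /.well-known/carddav /remote.php/dav/ 301
	redir /.well-known/caldav /remote.php/dav/ 301

	# Never serve the data directory, config.php, or internal code paths
	@forbidden {
		path /.htaccess /data/* /config/* /db_structure /.xml /README /3rdparty/* /lib/* /templates/* /occ /console.php
	}
	respond @forbidden 404

	# Hand PHP to php-fpm; unknown paths fall through to index.php
	php_fastcgi unix//run/php-fpm/www.sock {
		env front_controller_active true
	}
	file_server
}

# Tailnet name: certificate fetched from tailscaled (placeholder hostname).
# tailscaled must permit Caddy's user to request certs, e.g. by setting
# TS_PERMIT_CERT_UID=caddy in tailscaled's environment.
nextcloud.example-tailnet.ts.net {
	import nextcloud
	tls {
		get_certificate tailscale
	}
}

# LAN name: certificate issued by Caddy's own local CA (placeholder hostname).
# Clients on the LAN need to trust that CA's root, which Caddy writes to its
# data directory.
nextcloud.lan {
	import nextcloud
	tls internal
}
```

Both hostnames also have to be listed in `trusted_domains` in Nextcloud's `config/config.php`, or Nextcloud will refuse requests for them. Because Caddy binds 80 and 443 itself, it cannot run "for certs only" next to an Apache that still owns those ports; either Caddy replaces Apache as above, or Apache is rebound to a local high port and the `php_fastcgi`/`file_server` pair is swapped for a `reverse_proxy` to it.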

I ended up getting a certificate through Tailscale and just access the Nextcloud instance via my Tailscale network, externally and internally. Works pretty darn good.