While I was pretty happy with my headscale/tailscale setup, I missed one part: Vanity hostnames for services. In my tailnet, only machines get nice hostnames, but for example I want access to a host like http://grafana/ for my central Grafana (a service on a random port on one box). It took a total of 49 lines of go code to build a reverse-proxy that does this. This proxy is it's own node on the tailnet, therefore it gets a hostname and takes part in the usual routing. It then uses the reverse proxy lib built into golang to proxy to the real host.

The next step could be adding automatic LetsEncrypt support via a DNS-01 challenge, as my tailnet uses a completely valid domain that I could get validated certificates for - but that doesn't really matter much to me, given I'd rather use the short hostnames made possible by a correctly set search-domain and it's all encrypted with wireguard anyway.