BTW why bother with TLS over already-encrypted and authenticated Wireguard tunnels? Is this just so that browsers won't complain, or do you have a more complex threat model?
Sorry for late reply, exactly that yeah - so the browser doesn't complain. I'm not worried about the security of HTTP over wireguard or anything like that. And domain names are easier to remember than ports so... http://raspberrypi:8123/ vs homeassistant.raspberrypi.local (or something)
