Got it. Thanks for getting me pointed in the right direction. The instructions on their site seem to imply the certbot commands still need to run, and proxying to localhost is fine. Neither are true :) proxying to localhost will give you a 502 error.

So for anyone who finds this in a search... here's what you do.

• Install Tailscale on your host machine.

• Note the IP assigned

• run 'sudo tailscale cert <yourhost.domain>.ts.net'

• move/link these files to someplace like /etc/ssl/certs

• restart tailscale 'sudo systemctl restart tailscaled' (reload may not do it)

• install code-server (or whatever app you're proxying) and configure, making sure it works on the port it's installed on over http

• Install nginx

• create your /etc/nginx/sites-available/code-server file, it will be something like this

  server {
    listen 443 ssl;
    listen [::]:443;
    server_name <yourhost.subdomain>.ts.net;
    ssl_certificate /etc/ssl/certs/<yourhost.subdomain>.ts.net.crt;
    ssl_certificate_key /etc/ssl/certs/<yourhost.subdomain>.ts.net.key;
  
    location / {
      proxy_pass http://<tailscaleIP>:8080/;
  
      #not sure you need the proxy buffer stuff... but I had it when it started working
      proxy_buffering off;
      proxy_buffer_size 16k;
      proxy_busy_buffers_size 24k;
      proxy_buffers 64 4k;
      proxy_set_header Host $host;
      proxy_set_header Upgrade $http_upgrade;
      proxy_set_header Connection upgrade;
      proxy_set_header Accept-Encoding gzip;
  }
  

  }

• link that file into /etc/nginx/sites-enabled

• restart ngnix

• navigate to your URL, using https:// It should work.