deleted by author
For clearnet, use Caddy as a reverse proxy on the VPS, with directives to whatever... Your self-signed certs mean nothing to any system, including your own, without a CA whitelisted on every device that uses it.
reply
Yeah, Caddy is the simplest option, works really nice.
reply
Keep the SSL termination at your reverse proxy (HAProxy) and simplify the node setup. For internal testing with node.mylan.com, rely on the wildcard certificate from HAProxy. Later, when you move to node.mydomain.com via the VPS, you can still use the reverse proxy and WireGuard setup with the proxy handling SSL.
This approach will minimize complexity and avoid unnecessary permission issues on the node, while still maintaining strong security through your existing wildcard certificates and reverse proxy.
Would this approach work for your setup?
reply
deleted by author
reply