Keep the SSL termination at your reverse proxy (HAProxy) and simplify the node setup. For internal testing with node.mylan.com, rely on the wildcard certificate from HAProxy. Later, when you move to node.mydomain.com via the VPS, you can still use the reverse proxy and WireGuard setup with the proxy handling SSL.

This approach will minimize complexity and avoid unnecessary permission issues on the node, while still maintaining strong security through your existing wildcard certificates and reverse proxy.

Would this approach work for your setup?