For the “privately” part of the subject. Kris is describing a way to host apps, using valid TLS certificates, that doesn’t depend on those apps being exposed to the whole Internet; you’d then use Tailscale to connect to those. If you don’t mind (or actually want to) expose those apps to the whole Internet, the process is simpler, and indeed Tailscale isn’t required (nor is any other VPN service).