@erikologic commented Sep 19, 2025

Hey, I just threw this together, which fits well with my use case.

I also added an example of using multiple nodes for multiple servers to allow one Caddy instance to tunnel many services inside a Docker Compose network.
I think that's a good example for one OAuth key to sign multiple keys for multiple nodes.
Lmk if you are interested and need further modifications.

@willnorris (Member)

Hey @erikologic, thanks for this! Would you be up for rebasing this onto main, and dropping the OAuth client stuff in favor of the native support added in tailscale/tailscale#17191? Basically, that would mean all that's missing is adding support for specifying tags, which you've got here.

For your tags code, I think the only main comment I have is to have the tags specified at the node level override what is specified globally, rather than adding to them. The idea was always that node-level config overrides global config, though this is the first field where that really matters much.

Docs for using an OAuth client would now simply be to provide the client secret as the auth_key config (or the $TS_AUTHKEY env var). Given how simple that is, I'm not sure if it really needs an additional example caddyfile.

Let me know if you're up for all that. If not, I'm happy to make the changes myself as well.
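
The difference between the override behaviour requested in the review comment above and additive merging, as an added Go example that is not code from this pull request or from the plugin; the function names and tag values are hypothetical.

```go
package main

import (
	"fmt"
	"sort"
)

// overrideTags implements the requested semantics: tags set on a node replace
// the global list entirely. A nil node list means "not set", so the node
// inherits the global tags. (Hypothetical helper, not the plugin's code.)
func overrideTags(global, node []string) []string {
	if node != nil {
		return append([]string(nil), node...)
	}
	return append([]string(nil), global...)
}

// additiveTags is the alternative being argued against: the node ends up with
// the union of global and node tags, so it can never hold fewer tags than the
// global default grants.
func additiveTags(global, node []string) []string {
	seen := map[string]bool{}
	out := []string{}
	for _, list := range [][]string{global, node} {
		for _, t := range list {
			if !seen[t] {
				seen[t] = true
				out = append(out, t)
			}
		}
	}
	sort.Strings(out)
	return out
}

func main() {
	global := []string{"tag:caddy"} // constructed sample values
	nodes := []struct {
		name string
		tags []string
	}{
		{"grafana", []string{"tag:monitoring"}}, // node sets its own tags
		{"wiki", nil},                           // node sets nothing
	}
	for _, n := range nodes {
		fmt.Printf("%-8s override=%v additive=%v\n",
			n.name, overrideTags(global, n.tags), additiveTags(global, n.tags))
	}
}
```

With override, the `grafana` node carries only `tag:monitoring`; with additive merging it would also carry `tag:caddy`.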
