Like 10 nodes behind Tailscale/WireGuard in a private network, with only 2 nodes where you have a port open on 80/443; those are exposed to the public network. The rest of the nodes are all private, like db, Redis, etc.
Check out https://github.com/psviderski/uncloud, which I'm building. Multi-machine deployments and a private WireGuard network spanning locations (even behind a NAT) are its core capabilities.