When I looked into it first, Pangolin seemed a bit overwhelming.

Is it hard to set up?

No, ridiculously easy with docker.

Then it follows the same principles as cloud flare.
Create a site (vpn endpoint), get a docker snippet for a newt (what they call the vpn connector), paste it in the docker compose on your Homeserver and see it come up in the Webinterface.

Then you create a public resource and point it to said site and give it a url.

Done.

Ask me if you have questions

Cool, do you get any auth and/or ingress protection?

With cloudflare, you get some auth options, can block AI crawlers (that get recognized...) etc for free

I'm a bit stumped, what do you gain from this setup?

Or do you mean just running some services through the tunnel for easy access and "hide" others behind tailscale?

the only problem is needing a google acc for login

You can use e-mail now.

Cloudflare has some opt-in auth. Mail-OTP is a nice balance imo: You can allowlist mail addresses per service/subdomain and set expiry for each.
Then for access, you first have to enter the mail address, get the OTP and then access the service.

So, nobody without access to allowed mail addresses even gets to knock on you door.

But yeah, that's why I think about going tail scale: why bother having something exposed when not needed?

I just think, some services might be nice to provide to friends, too - and having them connect to my tailnet for this is a bit too much friction, I guess