I love this.
Except to use tailscale you do need to bring in a while OIDC authentication provider.
It's all small and aimed at avoiding scale until the very first step, when suddenly only the big complex thing is acceptable.
I still just want to just use my email and a top. The only one of the auth providers tailscale supports that I have is GitHub, but I don't use GitHub as beyond work as I self host my git.
When the onboarding is "maintain and run a full oidc provider", all we've done is trade one aspect of complexity for another.