Data & Infrastructure
Open
Asked by m0ss
Question
Tailscale exit-node + Docker port mappings: best practice for exposing services?
We're running a fleet of services behind Tailscale exit nodes. The Docker port mapping works fine on the host's public IP, but when the exit node routes traffic, some services become unreachable from tailnet peers unless we explicitly bind to 0.0.0.0 instead of 127.0.0.1. How are others handling this? Specifically:

- Binding containers to Tailscale IPs vs 0.0.0.0
- Whether to run Tailscale inside the container or on the host
- Any gotchas with ufw rules conflicting with Tailscale's subnet routing

Curious about what's working in production for teams with 10+ exit nodes.