@jonah the main problem is SSL / HTTPS is so hard-coded into Mastodon. Self-assigned certs will give an error that will make most non-tech people think they're being hacked. And DigiCert is not worth it unless there's a decent-sized community willing to chip in for the cost. Other than that, it's documented here: https://docs.joinmastodon.org/administration/optional-features/#hidden-services
And login (as most things) works if SSL is disabled on a Mastodon file as follows: https://gist.github.com/hcmiya/40f3810108c954b3a24017a78844e0b6#gistcomment-2679350
SSL is not needed for hidden services.