I have fail2ban running as well, didn‘t mention it in the op. Also closed all ports beside 80 and 443, which are routed through my NPM proxy. SSH is allowed, but login only with ssh key, no pw authentication.
So far it‘s running well, but I expect things to break when I‘ll need to update parts of it. I have a snapshot from which i can reinstall, but recurring backups need yet to be set up.
I run Nginx with Nginx Proxy Manager web-ui, which makes setting up proxy hosts and handling letsencrypt certificates really easy. I also use Portainer to manage my docker containers. This works well for the stuff I mentioned above (Nextcloud, Matrix, Lemmy mostly)
If I can get Mastodon into the same setup, it'd be neat. I just found a lot of discussion with problems, so I thought I'll ask about it before I spend a few hours in vain :)
I spent a lot of time googling and on youtube, to get a basic understanding for what I was trying to achieve, 2 weeks of after-work time at least. If I should guess 40-50 hours in total. Getting a single piece to work, by following a tutorial can be easy but to get all the things working together was a struggle. Once I had a better grasp on what a reverse proxy is and how docker containers work together in networks, pieces started to fall into place.