Very true! You can also take it a step farther and setup SSHFP records for your domain.

I’ve read a lot about using a VPS with reverse proxy but I’m kind of a noob in that area. How exactly does that protect my machine?

So you’re not letting people directly connect to your server via ports. Instead, you’re sending the data through your reverse proxy. So let’s say you have a server and you want to server something off port :9000. Normally you would connect from domain.com:9000. With a reverse proxy you would setup to use a subdomain, like service.domain.com. If you choose caddy as your reverse proxy (which I highly recommend that you do) everything is served from port :443 on your proxy, which as you might know is the default SSL port.

And do I understand correctly that since we’re using the reverse proxy the possible attack surface just from finding the domain would be limited to the web interface of e.g. Jellyfin?

I wouldn’t say that it decreases your attack surface, but it does put an additional server between end-users and your server, which is nice. It acts like a firewall. If you wanted to take security to the n^th degree, you could run a connection whitelist from your home server to only allow local and connections from your rproxy (assuming it’s a dedicated IP). Doing that significantly increases your security and drastically lowers your attack vector–because even if an attack is able to determine the port, and even your home IP, they can’t connect because the connection isn’t originating from your rproxy.

Sorry for the chaotic & potentially stupid questions, I’m just really a confused beginner in this area.

You’re good. Most of this shit is honestly hard.

Depends on your setup, but generally I recommend: https://github.com/SYSTRAN/faster-whisper

If you have an available GPU for processing it’s insanely quick and better than OpenAI’s whisper.

So, docker is a viable solution, but since you’re a fullstack and will likely add more shit than you can imagine in the future, you might as well setup a proper solution.

Check out Proxmox. It’s a management platform that allows you to run containers and just about everything else you need for self-host. In addition to that, I recommend getting a very small VPS with a domain to reverse proxy your services if you want. I highly recommend caddy2 for this as it does rproxy and even ssl seamlessly.

I’m on a shitty 5G internet at home, so VPS seems like the way to go but with who?

Considering you have a poor internet connection, you’d want to keep as much locally as possible. You’re not going to be able to stream HD movies with shitty internet if you host your media on a remote server, but if you rely on a local wifi network, it’s fine. You won’t have remote access to your movies (I mean you can, but like you said, shitty internet) it’s not going to be awesome. Other services like your matrix server would be fine, but since you’re self-hosting, might as well host them at home, too. Matrix isn’t exactly resource heavy and doesn’t require a shit ton of upload to make usable.

If I’m torrenting, do I need to be careful which hosts I choose so I don’t get copyright pinged?

If you’re on 5G, and you torrent, you’ll be found out almost immediately, even with a VPN. I highly recommend a seedbox. Download to the seedbox, then use rclone or something to grab the files to your local NAS cluster (in proxmox) then stream the video’s locally.

Is there a good guide for securing and hardening my server?

I always recommend 2 things when dealing with *nix servers;

1. Run SSH from a non-standard port and drop connections on port 22.
2. Only open ports you’re using.

IMO this is really the only hardening you need, especially if you’re working with rproxy and the ports only have to be opened locally or tunneled.

Depends on how old. I don’t recommend using vastly underpowered hardware to stream media content.