You are correct. The provider owns the IP and also VPS. They theoretically have the ability to do anything within those confines. Same thing with your nameserver provider with your DNS records and the domain itself with the registrar. There's a certain level of trust that needs to be accepted for anything that goes outside the confines of your house. The good thing is those companies have more to lose than you by breaking that level of trust.

• Turn off password login for SSH and only allow SSH keys
• Cloudflare tunnel
• Configure nginx to resolve the real IPs since it will now show a bunch of Cloudflare IPs. See discussion.
• Use Fail2ban or Crowdsec for additional security for anything that gets past Cloudflare and also monitor SSH logs.
• Only incoming port that needs to be open now is SSH. If your provider has a web UI console for your VPS you can also close the SSH port, but that's a bit overkill.

Ah, I know what you mean. I managed to get them both setup in docker containers on the same server, but I'll admit getting Lemmy up was a pain. The documentation is vague on some steps, but it's FOSS so I can't complain.

• Here is my pastebin with notes for my Lemmy docker compose which is modified from their example. You'll notice it has an nginx web service. You can technically forego that and put it in your final reverse proxy. I chose not to so that it stays similar to their example.
• For Mastodon, I am using the Linuxserver container. Their documentation is straightforward IMO, but then again I'm used to their setup.
• With the two ports exposed for both services, you can then put it behind a reverse proxy.

Hope this helps!

Curious, what's the reason for one in docker and one not?

You can obfuscate your location with a reverse proxy. The biggest problem with self-hosting is what can get compromised if they get access inside your network as opposed to a VPS. Keeping up to date on what is publically facing for vulnerabilities starts to become a chore.

+1 on MXRoute and lifetime plan. It has been solid for me. The unlimited domains is also icing on the cake. I haven't even gotten close to 10 gigs but once I do I'll just transfer all the emails with attachments locally and keep chugging along.

Setup for high availability. I have a hard time taking things down now since other people rely on my setup being on.

Yep, what you're looking for is a reverse proxy. All the incoming traffic to the server goes though it, typically on TCP port 80 or 443. Reverse proxy then directs the traffic to all the backend apps. The backend apps can be literally anywhere else or even on the same server on a different port.

Traefik, Caddy, Nginx Proxy Manager, Linuxserver SWAG are the popular choices these days. See which one fits you best.

Edit: Overlooked you mentioning you are already using Traefik. Subdomain, domain, makes no difference. Just point the DNS record to your VPS and have Traefik direct it towards the correct port on the same server.