Probably don’t need to reinstall the OS on the Pi. My opinion about self-hosting at home is that it’s just a matter of trying to keep as few possible things unexposed, meaning that a VPN would fit that description. You connect to the VPN and everything else is internal to your network.
Of course, that’s not the only way and you can expose your services on the internet, but if you are not aware of what things are safe to expose and what things should be kept local, it’s better to not risk it. Samba / SMB and RDP are good examples of things that should never be exposed. For the web, if you don’t update your webservers and reverse proxies often, you probably shouldn’t expose them.
The general consensus I see on the internet is that if you want a simple setup, port forward your VPN and connect straight to your home. If you want to avoid the hassle of a VPN, like if you have more users and don’t want to give all of them access to your whole home network (although having a VPN in a segregated network is also an option), you should not expose your home’s IP address directly (I never understood why, to me it sounds silly, unless there are technical reasons, like your ISP blocking certain ports).
Most people say that if you want to expose services directly, you should use a reverse proxy on a VPS or Cloudflare. I don’t like the dependence on big tech, I believe it is antithetical to self-hosting, but if Cloudflare fits the bill for anyone, use it. A direct Cloudflare connection would have to be served straight to your home, unless you use both a VPS and Cloudflare, but at least only Cloudflare and crazy people who scan the whole internet will know of your exposed services at home.
I saw that many people do stuff with a VPS:
- VPN on VPS
- Connecting from home to the VPS through the VPN
- Setting up a reverse proxy on the VPS
- Pointing the reverse proxy to your home server’s IP if the routes are set up properly through the tunnel
- Enabling TLS on the reverse proxy
- Happy serving
This makes the VPS your main gateway to your home, so it is important to secure it against attacks. You probably still want SSH access to it for troubleshooting purposes, so you need to set up firewall rules limiting the number of connections that can be made to it, probably a good thing to do the same on the other ports too (otherwise people can DDoS your service), then block all other incoming connections.
Since you are exposing things via HTTPS, you may also want to set restricted access to each page (user accounts on the page before you can access the actual page).
I heard of some people exposing Jellyfin this way, so all their family can connect to the VPS and watch the media stored on the home server. Actually, there is one guy on this forum who does it too.
I have not set up my self-hosted services yet, because I’m retarded and don’t use hardware and software that works, so my services would be offline most of the time. The only thing I have is a few VPN sites (home connections), some security cameras that can be accessed through one VPN and my own Samba server on the other VPN. I plan on having my own chat server and Jitsi server, hopefully those would work better than the free programs you find on the likes of the Google or Apple stores (especially in voice and video quality).
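
The VPS firewall described in the post above (rate-limit SSH and the other exposed ports, then block all other incoming connections), as an added example that is not part of the original post. It assumes nftables on the VPS and a WireGuard tunnel on UDP 51820; the port numbers, set names and rate values are constructed for illustration.

```nftables
#!/usr/sbin/nft -f
# Constructed example ruleset for the VPS gateway (not from the original post).
# Assumptions: SSH on 22, reverse proxy on 443, WireGuard on UDP 51820.
flush ruleset   # replaces ALL existing rules, including any added by other tools

define SSH_PORT   = 22
define HTTPS_PORT = 443
define VPN_PORT   = 51820

table inet gateway {
    # Per-source-address trackers for new connections; idle entries expire.
    set ssh_rate {
        type ipv4_addr
        size 65535
        flags dynamic, timeout
        timeout 5m
    }
    set https_rate {
        type ipv4_addr
        size 65535
        flags dynamic, timeout
        timeout 1m
    }

    chain input {
        type filter hook input priority 0; policy drop;

        iif "lo" accept
        ct state established,related accept
        ct state invalid drop
        meta l4proto { icmp, ipv6-icmp } limit rate 10/second accept

        # Tunnel endpoint that the home server dials in to.
        udp dport $VPN_PORT accept

        # New connections are accepted only while the source stays under its
        # limit; anything over it (and all IPv6 to these ports) hits policy drop.
        tcp dport $SSH_PORT ct state new add @ssh_rate { ip saddr limit rate 4/minute burst 4 packets } accept
        tcp dport $HTTPS_PORT ct state new add @https_rate { ip saddr limit rate 30/second burst 60 packets } accept
    }

    chain forward {
        # The reverse proxy originates its own connections to the home server,
        # so the VPS never needs to route internet traffic into the tunnel.
        type filter hook forward priority 0; policy drop;
    }
}
```

Running `nft -c -f` on the file checks the syntax without applying it, which is worth doing before loading rules on a machine you only reach over SSH.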