Nextcloud looks great, but the effort of hardening the VPS is too much (for me at least). Hackers love an IPv4 address that has nothing but a login prompt to a Nextcloud instance.
You can run it behind a reverse proxy. It won't serve anything on the naked IP; the correct host is required in the HTTP request headers.
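Added example, not part of the thread: one way to get the behaviour described in the comment above, assuming nginx (1.19.4 or later) as the reverse proxy. The hostname `cloud.example.org`, the certificate paths and the backend address `127.0.0.1:8080` are placeholders.

```nginx
# Catch-all server: any request whose Host header (or TLS SNI name) does not
# match a named server block lands here. That includes scanners connecting
# to the bare IP address.
server {
    listen 80 default_server;
    listen 443 ssl default_server;
    server_name _;

    # Abort the TLS handshake for unknown names, so no certificate
    # (and therefore no hostname) is presented to the client.
    ssl_reject_handshake on;

    # Plain HTTP with an unknown Host: close the connection without a response.
    return 444;
}

# Redirect plain HTTP for the real hostname to HTTPS.
server {
    listen 80;
    server_name cloud.example.org;            # placeholder hostname
    return 301 https://$host$request_uri;
}

# The only server block that forwards traffic to Nextcloud.
server {
    listen 443 ssl;
    server_name cloud.example.org;            # placeholder hostname

    ssl_certificate     /etc/ssl/example/fullchain.pem;   # placeholder path
    ssl_certificate_key /etc/ssl/example/privkey.pem;     # placeholder path

    location / {
        proxy_pass http://127.0.0.1:8080;     # placeholder backend address
        proxy_set_header Host              $host;
        proxy_set_header X-Real-IP         $remote_addr;
        proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
    }
}
```

The backend should listen only on the loopback or an internal address so that it cannot be reached directly, bypassing the proxy.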
I've been very happy self-hosting Nextcloud (and many others, including Vaultwarden). There are very few hits that even land on the login page, and essentially all of them only probe for /wp-admin or similar paths, then promptly leave me alone once all those probes return 404.
And then there's 2FA if any actually targeted attack ever materializes. Since it's entirely unknown what's inside the Nextcloud instance, there's no clear economic benefit (aka potential benefits are entirely uncertain, the instance might be vanilla). So I'm certain there's very little reason for anyone to actually try hard enough to achieve anything at all. Keep your system updated through the normal means and you're golden.
I've been running it on my server for a few years and haven't been hacked yet (well, at least as far as I can tell). I just update it every few months, and followed the recommended security settings when I set it up (the management page in the UI will list some issues).