[Eduard]

> I think one disadvantage of putting everything (nginx, web server, database, monitoring tools, etc.) in one machine is that suddenly your machine is exposing a myriad of ports to the internet and one mistake on your side (e.g., misconfigured auth module) is all what's needed to compromise your entire service.

All the Linux distributions I got to know use sensible defaults so that critical services don't bind to a public-facing interface / bind only to localhost, e.g. mariadb and mysql on Debian.

Besides that, Hetzner's "Robot" interface allows to configure which ports/IP addresses you allow access to your Hetzner server.