[jwells89]

Spinning up a VPS for things like this is tempting to me too, but not having done significant backend work in over a decade my worry would be with administering it — namely keeping it up to date, secure, and configured correctly (initial setup is easy). What's the popular way of handling that these days?

[ggpsv]

Every case is different but as a baseline, you could use Ubuntu or Debian for automatic security upgrades via unattended-upgrades[0], harden ssh by allowing only pubkey authentication, disallow all public incoming connections in the firewall except for https traffic if you're serving a public service, everything else (ssh, etc) can go over wireguard (tailscale makes this easy). Use a webserver like nginx or caddy for tls termination, serving static assets, and proxying requests to an application listening on localhost or wireguard.

[0]: https://wiki.debian.org/UnattendedUpgrades