Idk about giving a comprehensive answer, but getting full marks on the nextcloud security scanner is a good start: https://scan.nextcloud.com/

I check mine periodically and make sure I’m on the latest version, use 2fa (passkey) and hope that does the trick.

Also there’s a plugin for brute force protection.

A very effective first step is to put it on a vhost with a domain you control, and drop traffic to the default vhost. 99.999% of scanners are just going through IPs looking for stuff, so don’t give them anything. Better yet, block any IP that scans you more than a dozen or so times.

Obviously some stuff will find you through cert issuance logs, but most of the bastards don’t bother with that level of sophistication.

Of course it is. That’s literally what it is made for

Define securely.

I’ve run my nextcloud online for a few years with no incidents, it’s behind Apache, I keep it up to date, I have a bit of extra hardening (but none of it really hardens nextcloud itself it would just make running exploits on my server more visible).

It doesn’t really add security in the traditional sense but for a personal server logging outbound traffic and having it email me when something non standard initiates a connection also gives me an added sense of security.

Mine is publicly exposed using the standard nextcloud:stable-apache docker container, with nginx (past) / traefik (present) handling TLS termination, but not otherwise adding additional security measures.

It’s been this way for several years and I’m yet to have issues, but it’s certainly not bulletproof since a critical vuln in Nextcloud could pwn it. That just hasn’t happened.

mTLS?

Yes. Not only that, but it can be exposed at garagantuan scale for the last decade. Use of a vpn is totally optional.

There’s a lot of discussion on a very recent post about doing this for Jellyfin. You should start by reading that: https://discuss.online/post/40181742