This would be nice because I don’t need a static ip and I don’t have to leak my ip address.
How does the VPS know how to find your rpi?
Could you not just use something like duck dns on a cronjob and give out that url?
I would also need to figure out how to supply ejabberd with the correct certificates for the domain. Since it’s running on a different computer than the reverse proxy, would I have to somehow copy the certificate over every time it has to be renewed?
Since the VPS is doing your TLS termination, you would need an encrypted tunnel of some sort. Have you considered something like Istio? That provides mTLS out of the box really… I’ve never seen it for this kind of use case but I don’t see why it wouldn’t work.