If you use tailscale you can omit the raspberry pi and tunnel directly from the reverse proxy to each server (could do this with wireguard but requires a little more setup). Also you can configure your cloud server as an exit node so that all traffic from your device go through it, sort of as a vpn service. It's not as anonymous as a paid VPN service but at least you bypass the ISP or local wifi provider if you're out and about.
Our family uses Humhub. It's pretty similar to Facebook and installation/maintenance is pretty easy. The only issue would be that there's no mobile app, however it works quite well on mobile browsers.