@psmod2

MongoDB

DigitalOcean does offer a one-click image that you can select when deploying a new Droplet which will setup MongoDB 3.2.11 on Ubuntu 16.04 (the latest LTS, or Long Term Support release). As far as security goes, I'd recommend checking out the following:

MongoDB - Encryption At Rest

MongoDB Tutorials - DigitalOcean

10 Tips to Improve MongoDB Security

As far as restricting access to the DB Droplet and only allowing access from the NodeJS server, yes, that's definitely possible using a Firewall. If using Ubuntu, you can use ufw and setup a default policy to deny all connections and then add rules that are more specific, such as allowing connection from only the NodeJS server. That can be done very easily and with only a few CLI commands.

NodeJS

When it comes to DNS, how it's handled is really up to you. You'll add DNS entries either where your domain is registered (your domain registrar) or you can change the DNS that your domain uses and set the name servers to DigitalOcean's and use the super-nice panel that they offer. Modifying DNS is relatively straight-forward, though if you have any specific questions, feel free to ask!

When it comes to denying access to certain file types, there's two ways to handle that. The first would be at the web server level (I'd recommend NGINX) and the other is within your Application where you would break down the request and check what is being requested and then either pass the request through or deny the request. You could also use a combination of the two.

@psmod2

No problem, always happy to help!

Private Networking + UFW

DigitalOcean provides Private Networking access, though given a VPS is still technically a shared environment, you'd need to use a firewall to block access on both the public and private network.

For Ubuntu and ufw, I'd recommend taking a look at the guide below to get a good feel. It covers all aspects of ufw from the basics to slightly more complex. Should you have any questions after looking at this guide, just let me know and I'll be happy to help! The most important thing is that you setup rules on both servers.

Beyond that, always make sure you define your ports before enabling the firewall. If, for example, you setup a default deny policy and turn on the firewall without allowing SSH through, you're going to end up not being able to SSH in to your server and will then have to re-image it.

UFW Essentials: Common Firewall Rules and Commands

NGINX

If it were me, I would use NGINX and then set it up to work as a proxy which essentially takes an incoming request on Port 80 (the default HTTP port) or Port 443 (the default SSL Port) and sends it to the port where your NodeJS application is listening on.

We can setup deny policies on file types with NGINX, or we can simply keep the files you want to prevent others from accessing out of the public web root (easiest option).

If you're not familiar with NGINX, I would recommend looking at the following guides to get a quick start. I work with NGINX quite a bit, so if you have any questions, feel free to ask and I'll be more than happy to help you.

How To Install Nginx on Ubuntu 16.04

Understanding Nginx HTTP Proxying, Load Balancing, Buffering, and Caching

The second guide has a lot of information in it, but don't let it scare you off. It's really easy to work with. The vast majority of that guide is prepping you to work with the various ways of working with NGINX. If you can develop with NodeJS, I have absolutely no doubt that you can handle NGINX.