Proxmox on a NUC. Separate RPI running HaProxy to route requests. Public 443 forwards to haproxy. All on separate vlan from home network.
Router allows ssh across vlan for specific IPs.
Ssh only available from the specific IPs.
Some of the VPS on proxmox run Nebula protocol (like tailscale but self hosted) and there is a lighthouse on a $2 VPS. This allows me to access specific resources only from mesh network when away from home.