SSH - change port, disable root login, disable password login, setup SSH keys using SK(YubiKey in my case)
nftables - I use github.com/etkaar/nftm to keep things quick and simple. I like the fact if will convert DNS entries to IPs. I then just use dynamic DNS update clients on all my endpoints
WireGuard for access to services other than SSH(in some cases port 443 will be open if its a web server or proxy)
rsyslog to forward auth logs to my central syslog server