I stick everything behind a firewall with :80, :443 and :1194 open to the world -- HTTP, HTTPS and OpenVPN.
HTTP and HTTPS proxy through an NGinX instance, which then points to all the other servers, and manages LE Certificates.
OpenVPN requires an 8096 bit key which - you know - would take a while to brute force.
Everything is being migrated to Alpine Linux presently which a lot of people don't know how to use anyway. apt-get? What that? haha.