I have been working on a similar problem..
As a malicious bad actor Its not hard to map out a network a combination of DNS reconnaissance / a few SYN packets and a few probing requests. Yet, if using a Rev-Proxy (Hybrid rev-proxy) style setup Admin only has to expose 80:443 (Even 80 can get forced to HTTPS) and if admin has to only monitor those 2 ports then its feasible to create a blacklist and geoip blocking rules and some autoban trip rules > fail2ban jail conditions.
Its what a DMZ is for no? you put your edge device/firewall appliance inside the DMZ behind the perimeter firewall and in front of the LAN firewall. its how you control ingress into your network from the edge. You can even take it further out and come in over a PVN link which adds an extra layer of ossification. Yes, don't map your rev-proxy ports to actual service ports use some high dynamic range port numbers: Src 443 : Dst 62443 (example) [with Cloudflare tunnels you can use default ports 443:443 mapping if you like as you control edge - more below.]
Have you considered a combination of a Rev Proxy combined with Cloudflare Tunnels ? You are able to control ingress and egress traffic & setup TLS filtering rules plus a lot more.
Alternatively, You can go with a "Zerotrust" and use something like "StepOne" for the CA issuance and revoking, all streamlined and then something like "NGINX Proxy Manager" / "Caddy2" to manage the Edge/perimeter ingress traffic.
Cloudflare tunnels is pretty clumsy, and are locked into using their 1dot1dot1dot1@DNS servers (Which isn't really a bad thing!) but works and is secure, especially, if users are meet with a forced landing portal. You can take a step further with a hybrid OAUTH2 Forced landing portal to access restricted namespace via MFA. The NPM/CF tunnel/StepOneCA/PortainerEE run quite happily under 1 docker stack and one docker image/container.
Second option, would be to use something like OPNSence I am in the process of building this out using x6 port J6xx5 based Embedded device It will sit outside the LAN in DMZ land with perimeter firewall in front of the DMZ behind CF Tunnels. Will still use rev Proxy just for the URL mapping/subdomains.
Also for DynDNS users checkout DNSExit as you can update DNS Zones from single $curl one liner (Cloudflare's API updates is a little more tricky *Bearer tokens etc*) plus with DNSExit you have certbot / letsencrypt access via the API too to automate the SSL refresh every 30/60/90days. which is inside wanip_update.sh > triggered via Cron task 30mins to update my records.
There is a lot of legacy stuff I need to change up now as newer Layer 7 stuff is coming out and its time to migrate from the old ways and embrace the new Terraform/Ansible/Docker methods.. One wicked helpful combination of tools to ensure your network is running tip-top are as follows Kuma Uptime (Monitoring/Ping/HTTPs API) Triggers/Alerts AND a tool I've just started to use called "N8N" Its a way to build Automation Flow using drag and drop basically.. Its very powerful especially with webhooks; Anyway, Its an all singing, All dancing War machine..
One final idea you guys may want to look at is Umbrel OS. Its basically, a Bitcoin node 'slash' personal Raspberry Pi OS Server.. I used the same Docker stack as the developers of Umbrel in my development stack. NGINX manages the proxy and is locked down for remote stuff accesible only over TOR. Quite secure. *I guess this could be added to a CF Tunnel and remove TOR remote*
Proxmox is very powerful when managing all my stacks incl storage pools.
Also Authelia/Traffik/MeshCentral/Uptime Kuma/N8N
Use UmbrelOS dockerfile as a blueprint to build out your own custom env.
Use Cloudflare Tunnels - ingress/egress/TLS filtering rules
NXINX Proxy Manager is the Business.. or Traffik/Caddy2
Now all the Zero trust Layer7 stuff is becoming more mainstream Plus you have tailscale as a solutions too..
My next move is to use dedicated PfSence /OPNSence setup under dedicated firewall appliance in combination of CF Tunnels/NPM and Authelia (MFA/SSO).
Anyway.. Hope this helps..