
Self hosting is appealing but I’m worried about exposing my home IP to the world. Is this something to be worried about?


Open only the minimum ports that you need (eg. only 80 & 443 for a web server). Run simple software (eg. nginx) and keep it up to date. Minimise the impact of searching bots (eg. fail2ban). Avoid running scripts (eg. take care with php). And your server will be more secure than your modem (touch wood)!


You expose your home IP every time you visit a website from a device inside your home.


I think they're talking about opening the router firewall to inbound traffic, as opposed to the standard outbound traffic.


But you only open it to your red zone machine, which should be a separate net from everything else. You're not opening your entire network to inbound traffic. If you get hacked, the damage is limited.


Yeah, it’s a legit concern (even if low probability).

An easy workaround is setting up a $5/mo VPS to act as a bastion host and relaying all your traffic through that.


Host your DNS on a 3rd party provider like Cloudflare and proxy all HTTP requests. I've got traffic from all foreign countries turned off from them since I'm not an international business. I imagine you can probably configure your server to only accept connections from Cloudflare if you're ultra paranoid.


Can you "proxy proxy?"

My setup has nginx config files for each of the subdomains, each of which does a proxy_pass to some port for whatever the service is. Then my server box hosts like 20 different services, all of which right now I just point to from Google Domains using dynamic DNS.

So instead I would have requests go to... what, an nginx I host on cloudflare?


You can set up Cloudflare tunnels to proxy straight to the internal reverse proxy. This hides your IP and you don't have to open any ports on your network.

If you don't want to rely on Cloudflare you can also rent a cheap VPS which you could use as a public reverse proxy which points to your internal reverse proxy through a VPN like a self-hosted WireGuard or a service like Tailscale. I just did this same exact setup and only had to add some nginx config to get the real IP address of the client instead of the public reverse proxy's.

Either way your own network is safe and hidden from the public.
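
The VPS-to-home relay described in the comment above, sketched as an added example that is not part of the thread or any commenter's own configuration. The WireGuard addresses (10.8.0.1 for the VPS, 10.8.0.2 for the home proxy), the hostname, the certificate paths and the backend port are all assumed placeholders.

```nginx
# Both server blocks belong inside the http {} context of their own machine.

# --- Public VPS (assumed WireGuard address 10.8.0.1) ---
server {
    listen 443 ssl;
    server_name app.example.com;                        # placeholder hostname
    ssl_certificate     /etc/nginx/tls/fullchain.pem;   # placeholder path
    ssl_certificate_key /etc/nginx/tls/privkey.pem;     # placeholder path

    location / {
        # Relay to the home reverse proxy over the tunnel; the home
        # router needs no inbound port forward for this.
        proxy_pass http://10.8.0.2:80;
        proxy_set_header Host $host;
        # Overwrite instead of appending, so an X-Forwarded-For value
        # sent by the client is discarded and cannot spoof the source.
        proxy_set_header X-Forwarded-For $remote_addr;
        proxy_set_header X-Forwarded-Proto $scheme;
    }
}

# --- Home reverse proxy (assumed WireGuard address 10.8.0.2) ---
server {
    # Bind to the tunnel address only, so this listener is not
    # reachable from the LAN or WAN side of the home network.
    listen 10.8.0.2:80;
    server_name app.example.com;

    # Accept X-Forwarded-For only from the VPS end of the tunnel.
    # From any other peer the header is ignored and the peer address
    # stays in $remote_addr.
    set_real_ip_from 10.8.0.1;
    real_ip_header   X-Forwarded-For;

    # No allow/deny rules here: the access module evaluates the
    # address after realip has rewritten it, so "allow 10.8.0.1;
    # deny all;" would reject every real client.

    location / {
        proxy_pass http://127.0.0.1:8080;               # placeholder backend
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;        # now the real client
    }
}
```

With this in place, access logs and fail2ban on the home proxy see the visitor's address rather than 10.8.0.1, which matters because banning the tunnel address would block all traffic.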



