Caddy Reverse Proxy with Basic Auth for services which are critical like my 3d printer. Without auth for other services like my website or jellyfin and such. I use docker for everything so that’s another layer of safety for me.
I have port 443 open and use subdomains for most stuff. Some other ports for non-HTTP services but I don’t have any right now.
I have a ThinkCentre m90q with an i3. It’s a few years old. It’s a lot more powerful than a Pi. A Pi will not cut it.
You will preferably need something with modern hardware encoding. Support for h265 and AV1 is a requirement nowadays to play high quality sources and find anything for newer stuff. Moreso if you want to watch 4k content.