Great that you included your threat model, but you should have specified the type of services that you host/provide.
One thing i would look into is disabling any port that is not necessary (like 80 and 443) and disable ssh on the wider network.
Host a wireguard endpoint in the internal network that acts like a bastion and allows you to ssh-jump to any other host and VM on the network.
Wireguard is more secure than ssh, assuming sound crypto and hygiene for both, because you can’t probe a host from the outside and know if wireguard is running or not
this is a very bad article. It talks about “zero trust” but then suggests you to use corporate software, the cloud, sketchy russian apps to monitor your traffic at home. Also, I am not spending 2 hours a day going through my logs, nor I want a VM/container with 8GB of ram wasting 40% of my GPU on grafana.