Wireguard for network access, istio gateway for exposing services, and keycloak for SSO. I want to experiment with Teleport for more fine grained access to my services.
If I had more exposed services I would mess with crowdsec for some another firewall rule set and maybe even exposing it through a TOR service proxy.