I'm in the middle of setting up my own homeserver. Still deciding on what/if I want to expose to the internet and not just local network and while setting everything up and tinkering is part of the fun for me. I get some people just want results that they can rely on. Tailscale, while not a perfect option, is still an option and if they're fine with the risk profile I can understand sacrificing some security for it.
For a homeserver:
- SSH with key-only auth, exposed directly. This has worked for decades. Consider non-standard port to reduce log noise (not security, just quieter logs), fail2ban if you want
- Access internal services via SSH tunnels or just work on the box directly
- If exposing HTTP(S): reverse proxy (nginx/caddy) with TLS, rate limiting
- Databases, admin panels, monitoring - access via SSH, not public (ideally)
You do not need a VPN layer if you are comfortable with SSH. It has been battle-tested longer than most alternatives.
The fun part of tinkering is also learning what is actually necessary vs. cargo-culted advice. You will find most "security hardening" guides are overkill for a homeserver with sensible defaults.