None, linode vps near my 5G upstream, running a wireguard node. Pihole + unbound, nginx and local DNS ftw. Route all traffic through the vps wireguard tunnel. YMMV, I'm rural so this setup works best for me.
Quectel 5G modem with 4x CA, waveform 4x mimo antenna on 30 foot pole, pointed at tower with best signal, calyx sim card, UDM-SE + 6E Enterprise AP. Started out as a way to escape CGNAT, and port forward / bypass video bandwidth throttle on T-Mobile network, progressed into a unifi obsession / homelab.
I think many ppl are missing a step here. Setup a VPN with wireguard or similar. Then in ur sshd configs only allow ssh from ur VPN local subnet. That on top of ssh key login is pretty secure. Unless one of ur other services gets compromised and they pivot to ur VPN network. Then u prob have more problems tbh