Currently I expose port 22 for SSH, 443 for Nginx and a couple of extra ports for Syncthing (to mirror my media files between a Hetzner Storage Box and my NAS at home).
There's a specific setup I tried to build once but didn't manage:
Expose only the WireGuard port from my VPS.
Make it so that when (and only when) a device is connected to the VPS via WireGuard, mydomain.xyz will target the VPS's IP (and therefore hit my Nginx proxy, which redirects to my various services at myservices.mydomain.xyz).
I tried by having an AdGuard Home instance running on that same VPS and setting its IP as the DNS in the wg0.conf that goes on the client device, but it didn't work.
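As an added illustration (not from the original post), the WireGuard half of the setup described above: the VPS exposes only the WireGuard port, and the client config hands DNS to AdGuard Home on the VPS's tunnel address, so the mydomain.xyz override only exists while the tunnel is up. The 10.8.0.0/24 subnet, port 51820, hostname and keys are placeholders I chose, not values from the post.

```ini
# --- VPS: /etc/wireguard/wg0.conf (assumed layout; keys are placeholders) ---
[Interface]
Address = 10.8.0.1/24
# The only port opened on the VPS firewall; 22/443/Syncthing stay closed to the internet.
ListenPort = 51820
PrivateKey = <VPS_PRIVATE_KEY>

[Peer]
# laptop / phone / NAS
PublicKey = <CLIENT_PUBLIC_KEY>
AllowedIPs = 10.8.0.2/32

# --- client: wg0.conf ---
[Interface]
Address = 10.8.0.2/24
PrivateKey = <CLIENT_PRIVATE_KEY>
# AdGuard Home must listen on 10.8.0.1 (not only 127.0.0.1) for this to be reachable.
# wg-quick installs this resolver while the tunnel is up and removes it on 'wg-quick down'
# (on Linux it needs resolvconf/openresolv), so off-tunnel the name resolves publicly.
DNS = 10.8.0.1

[Peer]
PublicKey = <VPS_PUBLIC_KEY>
Endpoint = vps.example.net:51820
# Split tunnel: only the tunnel subnet is routed. The DNS address must fall inside
# AllowedIPs, otherwise queries to 10.8.0.1 never enter the tunnel. 0.0.0.0/0 for full tunnel.
AllowedIPs = 10.8.0.0/24
PersistentKeepalive = 25
```

The matching piece in AdGuard Home is a DNS rewrite for mydomain.xyz and *.mydomain.xyz answering 10.8.0.1 (the tunnel address, since port 443 is no longer reachable from outside) with Nginx bound to that address. Running `dig +short mydomain.xyz` on the client with the tunnel up and then down shows whether the override is actually applied.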