Bastion Server with Dietpi?

Hi. Bear in mind that I’m a noobie but I want to place a RPi 4 as a web server in the DMZ of my router.
I’ve got an old RPi2 that I want to use as a Bastion Server.
Im familiar with how to securely creat SSH keys for it and locking out the root account from being SSHed into with DietPi as the OS.

From scratch, how do I ‘harden’ the RPi2 running Dietpi into a Bastion Server to protect my network?

P.s. I don’t intend to run the servers all the time, its just a hobby.

Here are some general security recommendations:
Everything else depends on which servers you have finally installed, which need to be hardened individually of course.