Hardening DietPI for hosting a small website?

Hi everybody,

I’ve setup my DietPi home server about two weeks ago and couldn’t be happier with it. It’s a headless setup that I access via SSH.
So far, it runs AdGuard Home with Unbound and Wireguard. It also performs daily backups to an external thumb drive.

I now want to host a small website with nginx and make it accessible to the world wide web.
I’m looking for suggestions on how to further harden by setup to protected it and the currently running services.

So far, I’ve created a new user, setup SSH-keys and disabled access without them, I’ve also installed Fail2Ban, which currently is inactive. What else should I do?

Will setting up Certbot mess with my already running services. I want to keep them exclusive to the home network and Wireguard.

Any suggestions?