you start with authenticated things, like forgejo and such, and always double check that anonymous visitors don’t see any data.

but generally it’s also not wise to just expose most services to the internet. jellyfin for example had lots of leaks because lots of API functionality was accessible without authentication. I don’t know if it’s been fully fixed.
expose a wireguard, it is safe, it is security software, and access everything else through it. you can keep using your domain for internal services.

with copyparty there’s an added risk. if police finds you hosted child porn, they won’t care if it wasn’t you who uploaded it. someone reports it to them, they steal all your computers, worst case you can even end up in jail.

You are ignoring people who have walked this path and are giving you the advice right now.

Public file hosting is not where you start.

Pro-Tip: You can reverse proxy any service on your network but if the IP of your reverse proxy does not match the IP of your A record, aka your server is behind a VPN, the public will not be able to access your server.

Http/s is neat that way, if the IP’s don’t match then it’s technically considered an insecure or misconfigured setup but it works great to prevent unauthorized access to one’s server.

I must agree with other users here, hosting a public file hosting server is a bad idea, at the bare minimum Authentik or Keycloak should be in front of it but I digress, https://catbox.moe/ already endures this pain for us.

Not sure what reverse proxy you’re using but alternatively Traefik’s middleware IPAllowList works great for blacklisting all IP’s and only whitelisting the known few.