Some ideas for security measures (mostly going further than what you asked for)
The whole infrastructure is behind OPNsense HA gateways; they run VPN and guest proxy/reverse proxy. Servers use an apt proxy, maybe your own mirror, but this is mostly overkill for security reasons.
DNSSEC is also a great but IMO optional thing to do for most infrastructures.
The PVE servers are in a separate VLAN which can't be accessed by guests.
The guests run their network interfaces on bridges attached to e.g. eno1.66 and are not allowed to do tagging by themselves.
It is a good idea to also integrate some kind of centralized auth realm into your PVE. It comes with risks and benefits but breaks it up a bit more than root@..
As mentioned above: RSA Keys + Passphrase, 2FA for every server + VPN.
You could run OpenVAS for a constant vulnerability scan of guests, internal and external applications.
Don't forget about physical security as well: motion detectors with intrusion alerts, both silent and non-silent alarms. Disabling USB access, or better, lock down the whole server/rack/row/room/building ;-)
Monitor the wireless LAN environment for fake access points, deauth attacks, ...
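
The bridge layout described in the post (guest bridges attached to a VLAN sub-interface such as eno1.66), as an added example that is not part of the original post: a Python check that reads a constructed `/etc/network/interfaces` sample and reports guest bridges that are not pinned to one VLAN. The bridge names, the `guest_bridges` parameter and the function names are assumptions made for illustration.

```python
import re

# Constructed sample in Proxmox /etc/network/interfaces (ifupdown2) syntax.
SAMPLE = """\
iface eno1 inet manual

auto vmbr66
iface vmbr66 inet manual
    bridge-ports eno1.66

auto vmbr1
iface vmbr1 inet manual
    bridge-ports eno1
    bridge-vlan-aware yes
"""

VLAN_SUBIF = re.compile(r"^[\w-]+\.\d{1,4}$")  # e.g. eno1.66

def parse_bridges(text):
    """Return {bridge: {option: value}} for stanzas that set bridge-ports."""
    stanzas, current = {}, None
    for raw in text.splitlines():
        parts = raw.split()
        if not parts or parts[0].startswith("#"):
            continue
        if parts[0] == "iface" and len(parts) > 1:
            current = stanzas.setdefault(parts[1], {})
        elif parts[0] in ("auto", "allow-hotplug", "source"):
            current = None
        elif current is not None:
            current[parts[0]] = " ".join(parts[1:])
    return {n: o for n, o in stanzas.items() if "bridge-ports" in o}

def audit(text, guest_bridges):
    """Return (bridge, problem) pairs for the bridges guests attach to."""
    findings = []
    for name, opts in sorted(parse_bridges(text).items()):
        if name not in guest_bridges:
            continue
        if opts.get("bridge-vlan-aware") == "yes":
            findings.append((name, "vlan-aware: review per-guest tag settings"))
        for port in opts["bridge-ports"].split():
            if port != "none" and not VLAN_SUBIF.match(port):
                findings.append((name, f"port {port} is not a VLAN sub-interface"))
    return findings

if __name__ == "__main__":
    for bridge, problem in audit(SAMPLE, {"vmbr66", "vmbr1"}):
        print(f"{bridge}: {problem}")
```

A plain bridge on `eno1` forwards 802.1Q frames from a guest unchanged, which is why the untagged uplink is reported; on `eno1.66` everything the guest sends stays inside VLAN 66.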