It’s not bad per se, but you really just need to understand the risks involved and have an idea of how to secure your services properly. I personally won’t expose anything if it doesn’t have some sort of centralized auth solution (LDAP preferred) and 2FA to better secure accounts.
It’s also good practice to have some way of mitigating brute-force attacks with something like fail2ban, and a way to outright block known bad IP addresses.