PermitRootLogin I would set to yes.
sudo systemctl restart ssh will only restart your ssh client and not the ssh server you try to restart. Use sshd insted.
I personally find it easier to use no root during setup and import my ssh keys from github using ssh-import-id.
UFW doesn't harm, but if the host is on your Proxmox Hypervisor, it is probably behind a deny all incoming firewall anyway. That is also why I would leave IPv6 on.
Like other have noted, Crowdsec is a little bit more complex to setup but also offers more features. As a side note, Fail2ban is unfortunatly not IPv6 ready.
Just like you don't really need UFW, not really harmful and for piece of mind :)
But to be honest, I am no expert either. I look at your config and think, just leave everything at default besides these twos:
PubkeyAuthentication yes PasswordAuthentication no
Things like
don't matter for public key auth.