I'm running it inside a podman container with 16 G of RAM, with a velocity proxy etc. Should be ideal

Originally I'd change the SSH port, obviously only allow pubkey based auth.

Now however, I do everything over wireguard. Every device has Wireguard Access and depending on that different rules what they can access.