I move SSH to a different port... I know it's easy enough to discover through a port scan, but it cuts a LOT of noise down. For home, I only allow the wireguard port from the outside.
I tend to start with Ubuntu Server these days as the SSH config is pretty much where I want in the box and will import my public key during setup. I also now use Caddy for reverse-proxy duties over Nginx.
I tend to start with Ubuntu Server these days as the SSH config is pretty much where I want in the box and will import my public key during setup. I also now use Caddy for reverse-proxy duties over Nginx.