That is usually what I already do. Good to know I'm on the right path.
When possible I disable root login as well (though Coolify seems to need it on, even if without password).