by jks 658 days ago
I recommend checking out Caddy <https://caddyserver.com/>, which replaces both Nginx and Certbot in this setup.

Tailscale <https://tailscale.com/> can remove the need to open port 22 to the world, but I wouldn't rely on it unless your VPS provider has a way to access the server console in case of configuration mistakes.

4 comments

Caddy also simplifies many common Nginx configurations with a one-liner. The biggest hurdle is when you don’t have a simple configuration, as all the examples are usually only for Nginx ;)
I've recently discovered that the Caddy config file has neat support for imports: https://pastebin.com/vVQYrpmj
Regarding Tailscale, be sure to remove the expiration flag on your server. That's how I lost mine.
For Tailscale backup access, another way is to block port 22 on a firewall and then only unblock it if you need access.
If you depend on the host behind Tailscale to access the firewall from the inside then that's not going to work. Most colos I have hardware at offer a separate network for iDRAC/ILO/your flavor of OOB management; I like to use the console through that to open/close stuff like this.
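The "block port 22 and only unblock it when needed" approach from the firewall comment above, written out as an added example (not from any of the posters): SSH is accepted only over the Tailscale interface, and the temporary opening lives in an nftables set whose entries expire by themselves, which addresses the lockout caveat raised in the last reply. It assumes nftables on Linux and an interface named tailscale0 (the name and the `ssh_guard` table are this example's own choices).

```shell
#!/bin/sh
# Added example, not from the thread: keep 22/tcp reachable only over the
# Tailscale interface, plus a self-expiring "break-glass" set so a mistake
# does not lock you out for good. Assumes nftables on Linux and that the
# Tailscale interface is tailscale0 (override with TS_IF=...).
set -eu
TS_IF="${TS_IF:-tailscale0}"

# Emit the ruleset. Only SSH is touched (policy accept leaves the rest of
# the host policy alone). Elements of @breakglass expire on their own, so
# a forgotten temporary opening closes itself.
ssh_ruleset() {
  cat <<EOF
table inet ssh_guard {
  set breakglass {
    type ipv4_addr
    flags timeout
  }
  chain input {
    type filter hook input priority 0; policy accept;
    iifname "lo" accept
    iifname "$TS_IF" tcp dport 22 accept
    ip saddr @breakglass tcp dport 22 accept
    tcp dport 22 drop
  }
}
EOF
}

# Crude IPv4 shape check so a typo is rejected here, not by nft.
valid_ipv4() {
  echo "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$'
}

# Admit SSH from one admin address for SECS seconds (default 600), e.g.
# from the address you are on right now while Tailscale is unavailable.
break_glass() {
  addr="$1"; secs="${2:-600}"
  valid_ipv4 "$addr" || { echo "bad address: $addr" >&2; return 1; }
  nft add element inet ssh_guard breakglass "{ $addr timeout ${secs}s }"
}

case "${1:-}" in
  print)       ssh_ruleset ;;
  apply)       nft delete table inet ssh_guard 2>/dev/null || true
               ssh_ruleset | nft -f - ;;
  break-glass) break_glass "${2:?usage: $0 break-glass ADDR [SECS]}" "${3:-600}" ;;
esac
```

Run `print` first and compare against your existing policy before `apply`; the drop rule also covers IPv6 SSH, while the break-glass set is IPv4 only.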