My public VPS is now only accessible via SSH from my tailnet. One fewer possible attack vector.
In Alpine Linux I switched to the linux-lts kernel, installed Tailscale from the edge-community repository via repository pinning, removed the rule to allow SSH from the Hetzner cloud firewall and finally set the Tailscale ACLs to not allow access to my other Tailscale devices from the VPS.
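The last step, keeping the VPS from reaching other tailnet devices, can be checked mechanically. The following is an added example, not part of the original post: it scans the `acls` section of a Tailscale policy for accept rules that let a tagged device act as a source. The tag `tag:vps`, the group name and both sample policies are constructed assumptions.

```python
# Added example. Policies are passed as dicts because real Tailscale policy
# files are HuJSON (comments, trailing commas) and need a HuJSON-aware loader.

# Constructed sample: a single allow-all rule, so every device can reach every other.
ALLOW_ALL = {"acls": [{"action": "accept", "src": ["*"], "dst": ["*:*"]}]}

# Constructed sample: admins may SSH to the VPS; the VPS is never a source.
RESTRICTED = {
    "groups": {"group:admins": ["alice@example.com"]},  # hypothetical user
    "tagOwners": {"tag:vps": ["group:admins"]},         # hypothetical tag
    "acls": [
        {"action": "accept", "src": ["group:admins"], "dst": ["tag:vps:22"]},
    ],
}


def outbound_rules(policy, node_tag):
    """Return accept rules that let a device tagged node_tag reach anything
    other than itself.

    Only the "*" and literal-tag source selectors are matched. Users, groups,
    hosts, IP ranges and autogroups are not resolved, so an empty result only
    covers those two selector forms.
    """
    findings = []
    for rule in policy.get("acls", []):
        if rule.get("action") != "accept":
            continue
        if not any(src in ("*", node_tag) for src in rule.get("src", [])):
            continue
        # dst entries have the form "<target>:<ports>"; drop the port part.
        targets = [dst.rsplit(":", 1)[0] for dst in rule.get("dst", [])]
        reachable = [t for t in targets if t != node_tag]
        if reachable:
            findings.append({"src": rule["src"], "reachable": reachable})
    return findings


if __name__ == "__main__":
    for name, policy in (("allow-all", ALLOW_ALL), ("restricted", RESTRICTED)):
        print(name, outbound_rules(policy, "tag:vps"))
```

An empty result for the restricted policy means a compromise of the public VPS does not, by ACL, give a path to the other tailnet devices.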