My public VPS is now only accessible via SSH from my tailnet. One more possible attack vector less.

In Alpine Linux I switched to the linux-lts kernel, installed Tailscale from the edge-community repository via repository pinning, removed the rule to allow SSH from the Hetzner cloud firewall and finally set the Tailscale ACLs to not allow access to my other Tailscale devices from the VPS.