

Exactly that, VPS2 handles the WireGuard port and has no domain pointing to it, so it’s basically hiding in plain sight. VPS1 holds the domain and handles the web traffic.
I keep SSH open on both, but locked down (key-based auth + restricted to my IPs).
Your idea of using the provider firewall (Ionos in my case) as a “mechanical” lock is a good one: block it at the edge and only open it when needed. I’ve thought about doing that, but I’m generally happy relying on a hardened SSH config and the provider’s KVM if everything goes sideways.
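As an added illustration of the "key-based auth + restricted to my IPs" setup described above (this is example code written for this page, not the poster's own configuration), the following script parses an sshd_config and reports whether it enforces key-only logins and a source-address restriction. Both sample configs are constructed; the addresses are documentation-range placeholders, and the `admin` user name is an assumption.

```python
"""Audit an sshd_config for the lock-down described in the post:
key-based authentication only, root login restricted, and logins
limited to a set of administrator addresses (AllowUsers user@CIDR
or a Match Address block)."""
import ipaddress
import re
from typing import Dict, List, Tuple

# Constructed sample: a permissive config that is NOT locked down.
WEAK_CONFIG = """\
Port 22
PermitRootLogin yes
PasswordAuthentication yes
PubkeyAuthentication yes
"""

# Constructed sample: key-only auth, root disabled, and AllowUsers
# entries bound to placeholder admin addresses (documentation ranges).
HARDENED_CONFIG = """\
Port 22
PermitRootLogin no
PasswordAuthentication no
KbdInteractiveAuthentication no
PubkeyAuthentication yes
# hypothetical admin user and placeholder source addresses
AllowUsers admin@203.0.113.10 admin@198.51.100.0/24
"""


def parse_config(text: str) -> Tuple[Dict[str, List[str]], List[List[str]]]:
    """Return (global settings, list of Match criteria).

    sshd applies the FIRST value given for a keyword, so earlier lines
    win. Everything after a 'Match' line is conditional, so it is not
    recorded as a global setting; the Match criteria themselves are kept
    so a caller can see whether an Address-based block exists.
    """
    settings: Dict[str, List[str]] = {}
    matches: List[List[str]] = []
    in_match = False
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blanks
        if not line:
            continue
        parts = re.split(r"[\s=]+", line, maxsplit=1)  # 'Key value' or 'Key=value'
        key = parts[0].lower()
        value = parts[1].split() if len(parts) > 1 else []
        if key == "match":
            matches.append(value)
            in_match = True
            continue
        if not in_match:
            settings.setdefault(key, value)  # first occurrence wins
    return settings, matches


def _is_address(spec: str) -> bool:
    """True only for a literal IP or CIDR; hostnames and wildcard
    patterns are treated conservatively as not an address restriction."""
    try:
        ipaddress.ip_network(spec, strict=False)
        return True
    except ValueError:
        return False


def audit(text: str) -> Dict[str, bool]:
    """Evaluate the hardening properties; missing keywords fall back to
    the OpenSSH defaults (password and keyboard-interactive auth on,
    root limited to prohibit-password)."""
    g, matches = parse_config(text)

    def first(key: str, default: str) -> str:
        return (g.get(key) or [default])[0].lower()

    allow = g.get("allowusers", [])
    # Restricted by AllowUsers only if every entry is user@<ip or cidr>.
    by_allowusers = bool(allow) and all(
        "@" in e and _is_address(e.split("@", 1)[1]) for e in allow
    )
    by_match = any(m and m[0].lower() == "address" for m in matches)
    return {
        "password_auth_disabled": first("passwordauthentication", "yes") == "no",
        "keyboard_interactive_disabled": first("kbdinteractiveauthentication", "yes") == "no",
        "pubkey_enabled": first("pubkeyauthentication", "yes") == "yes",
        "root_login_restricted": first("permitrootlogin", "prohibit-password")
        in ("no", "prohibit-password"),
        "source_restricted": by_allowusers or by_match,
    }


def is_locked_down(text: str) -> bool:
    """True when every audited property holds."""
    return all(audit(text).values())


if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(name, is_locked_down(cfg), audit(cfg))
```

The checker only reads the global section and the presence of `Match Address` blocks; it does not try to evaluate Match conditions, and it deliberately counts hostname or wildcard entries in `AllowUsers` as "not restricted", so a false negative is possible but a false positive is not. Run it against `/etc/ssh/sshd_config` after each change, and keep the provider-side firewall rule as the second, independent control.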


It’s not that I didn’t like it, I just wanted to go back to basics! A simple config file on each machine, job done.