Three Practical Edge Deployment Notes
Before every reload, run nginx -t and verify the certificates under /etc/letsencrypt/live to prevent avoidable downtime.
Keep the exposure surface small: allow only required ports, prefer default-deny ingress, and audit rules with ufw status verbose and nft list ruleset.
For service changes, validate config first, then restart one component at a time and confirm with systemctl status and recent journal logs.
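
The firewall audit from the second note, as an added example that is not part of the original notes: a shell function that reads ufw status verbose output and flags an inactive firewall, a default incoming policy other than deny/reject, and inbound rules outside an allowlist. The function name audit_ufw, the allowlist and the sample output are assumptions constructed for illustration.

```shell
#!/usr/bin/env bash
# Added example. Real use: ufw status verbose | audit_ufw "22/tcp 443/tcp"
# Prints one FAIL line per finding; returns 0 when clean, 1 otherwise.
audit_ufw() {
  awk -v allowed="$1" '
    function fail(msg) { print "FAIL " msg; bad = 1 }
    BEGIN { n = split(allowed, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
    # "Status: active" is required; "inactive" means no rule is enforced.
    $1 == "Status:"  { seen_s = 1; if ($2 != "active") fail("firewall is " $2) }
    # "Default: deny (incoming), ..." : field 2 is the incoming policy.
    $1 == "Default:" { seen_d = 1
                       if ($2 != "deny" && $2 != "reject")
                         fail("default incoming policy is " $2) }
    # Rule rows: first field is the "To" target, e.g. 22/tcp (v4 and v6 rows).
    / (ALLOW|LIMIT) IN / { if (!($1 in ok)) fail("unexpected inbound rule: " $1) }
    END {
      if (!seen_s || !seen_d) fail("Status/Default lines missing; need verbose output")
      exit bad + 0
    }
  '
}

# Constructed sample of ufw status verbose output (not from a real host):
# default-allow ingress and one port that is not on the allowlist.
SAMPLE_UFW='Status: active
Logging: on (low)
Default: allow (incoming), allow (outgoing), disabled (routed)
New profiles: skip

To                         Action      From
--                         ------      ----
22/tcp                     ALLOW IN    Anywhere
443/tcp                    ALLOW IN    Anywhere
3306/tcp                   ALLOW IN    Anywhere
22/tcp (v6)                ALLOW IN    Anywhere (v6)'

# Demo run on the sample; the allowlist "22/tcp 443/tcp" is an assumption.
printf '%s\n' "$SAMPLE_UFW" | audit_ufw "22/tcp 443/tcp" \
  || echo "audit failed: fix the ruleset before deploying"
```

The check is deliberately conservative: any ALLOW IN or LIMIT IN row whose target is not literally on the allowlist is reported, including application-profile rows.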