Great advice.
Only thing I would add is that it is possible to avoid exposing the Vaultwarden server to the Internet. And you could use WireGuard for that.