Felt a bit like a faff to me, so I never bothered. Does depend upon your threat model though

Passwordless login only. No root login. Fail2ban. Add ufw to stop accidental open port shenanigans, and you are locked down enough

Same model! Good for keeping the wine glass dry on the outside and popping up the kindle

I did stress test interviews for DevOps positions. I explicitly told them that and gave them a task and a time limit. I would watch what they did and there was nothing out of bounds as long as they were solving problems. For example, I would give them an account in cloud provider and then task them with spinning up a k8s cluster with a few basic services and make it scalable, then watch and heckle as they googled around and brought up services. The objective wasn’t to complete the task though, it was too see how they approached problem solving. Good times.