And since i don't post my valid urls anywhere no web-scraper can find them
You would ah... be surprised. My urls aren't published anywhere and I currently have 4 active decisions and over 300 alerts from crowdsec.
It's true none of those threat actors know my valid subdomains, but that doesn't mean they don't know I'm there.
I use it for all of my external services. It's just wireguard and traefik under the hood. I have no familiarity with bunkerweb, but pangolin integrates with crowdsec. Specifically it comes out of the box with traefik bouncer, but it is relatively straightforward to add the crowdsec firewall bouncer on the host machine which I have found to be adequate for my needs.
It's not, though?
I cannot recommend The Dog Stars (https://app.thestorygraph.com/books/dbff7c12-aff3-4b55-ae20-9b2d0051c92d) enough. It has a peculiar style to it and, admittedly, it took me a couple starts until I got hooked. I am so glad I stuck with it. A very literary post-apocalyptic fiction story with more action than Station Eleven, but a similarly compelling character study.
Have you considered running Wireguard or Headscale instead of keeping SSH open? I don't know how big an issue it is since you've changed the SSH port and use keys, but opening SSH in any respect freaks me out.
Divers wearing headphones? Regardless, I suspect that after a million years there won't be much left of the headphones.