Here is the basic set of rules for an internet-facing VPS, pretty much self-explanatory:
ufw allow 22 comment 'ssh tarpit'
ufw limit 2222 comment 'real ssh'
ufw allow 80,443/tcp comment 'web'
ufw allow in on tailscale0
ufw default deny incoming
ufw enable
# just in case
systemctl enable ufw
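
To check that a host actually ended up with these rules, the following added example (not part of the original page) audits the text printed by `ufw status verbose`. The `audit_ufw` helper and the sample output are constructed for illustration, and the column layout is assumed to match what ufw prints.

```shell
# Constructed sample (IPv4 rows only), not captured from a real host.
sample_status() {
cat <<'EOF'
Status: active
Logging: on (low)
Default: deny (incoming), allow (outgoing), disabled (routed)
New profiles: skip

To                         Action      From
--                         ------      ----
22                         ALLOW IN    Anywhere                   # ssh tarpit
2222                       LIMIT IN    Anywhere                   # real ssh
80,443/tcp                 ALLOW IN    Anywhere                   # web
Anywhere on tailscale0     ALLOW IN    Anywhere
EOF
}

# audit_ufw (hypothetical helper): reads status text on stdin, prints one
# finding per line, returns 0 when clean and 1 when anything is off.
audit_ufw() {
  findings=$(awk '
    /^Status:/  { seen_status = 1; if ($2 != "active") print "firewall is not active" }
    /^Default:/ { seen_default = 1
                  if ($0 !~ /deny \(incoming\)/) print "default incoming policy is not deny" }
    / (ALLOW|LIMIT|DENY|REJECT) IN / {
      to = $0                                   # "To" column = text before the action
      sub(/[ \t]+(ALLOW|LIMIT|DENY|REJECT) IN.*/, "", to)
      sub(/ \(v6\)/, "", to)                    # fold IPv6 rows onto their IPv4 twin
      action = ($0 ~ / LIMIT IN /) ? "LIMIT" : ($0 ~ / ALLOW IN /) ? "ALLOW" : "OTHER"
      if (to == "2222") {
        real_ssh = 1
        if (action != "LIMIT") print "port 2222 is not rate limited"
      } else if (action == "ALLOW" && to != "22" && to != "80,443/tcp" &&
                 to != "Anywhere on tailscale0") {
        print "unexpected open rule: " to
      }
    }
    END {
      if (!seen_status)  print "no Status line found"
      if (!seen_default) print "no Default line found"
      if (!real_ssh)     print "no rule for port 2222"
    }')
  [ -z "$findings" ] && return 0
  printf "%s\n" "$findings"
  return 1
}
```

On a real host, run `ufw status verbose | audit_ufw` as root; a non-zero exit status means the active rules differ from the set above.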