I’ve found great success using a hardened ssh config with a limited set of supported Cyphers/MACs/KexAlgorithms. Nothing ever gets far enough to even trigger fail2ban. Then of course it’s key only login from there.

Agree with others, Vaultwarden is probably your best bet. I’ve found the default app to be a little flaky, but ended up using Keyguard, which I’ve found really good.

I used to use Keypass+Syncthing, but found sync conflicts too often (due to Syncthing support for Android), hence the switch.