You are spot on with the **inetd** comparison. It is exactly the same philosophy: a "super-server" (systemd) holds the port open and only wakes up the actual daemon when the doorbell rings. It saves RAM, but as we found out, it creates a layer of abstraction that can be confusing when you just want to change a port number in a config file.

Here is the clarification on the other points:

### 1. The `!` Syntax

Yes, the `!` is a logical **NOT**.

`ConditionPathExists=!/etc/ssh/sshd_not_to_be_run` translates to:

*"Only start this unit if `/etc/ssh/sshd_not_to_be_run` does **NOT** exist."*

### 2. `BindIPv6Only=ipv6-only` (The "Duh" factor)

This looks tautological, but it handles a specific Linux kernel quirk.

By default, if you bind a socket to `[::]` (all IPv6 addresses), Linux also automatically binds it to IPv4 (using "IPv4-mapped IPv6 addresses").

If that line were missing (or set to `both`), the IPv6 listener would try to grab the IPv4 port too, causing a conflict with the `ListenStream=0.0.0.0:22` line above it. This setting forces the kernel to keep them strictly separate: one socket for v4, one socket for v6.

### 3. Session Anxiety

Your realization is 100% correct.

When you connect via SSH:

1. The listener (Port 22) accepts the handshake.

2. The OS spawns a specific process for *your* session.

3. That session moves to an established state on a random high ephemeral port.

The "Listening Port" is just the front door. Once you are inside (authenticated), you are in a private room. We can repaint the front door (change the port), lock it (firewall), or move it entirely, and it won't affect the people already inside the party.

**Next Step:**

Now that you have a cert, a firewall, and a clear understanding of the systemd plumbing, is there anything else you need to configure on this VPS, or shall we call this ticket closed?
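To make the kernel quirk behind point 2 visible, here is an added Python example (not from the post above): it binds `[::]` with `IPV6_V6ONLY` off and then on, and each time tries a separate `0.0.0.0` socket on the same port, which is what the two `ListenStream=` lines ask systemd to do. It assumes a Linux host; where no IPv6 stack is available it returns `None` instead of a result.

```python
"""Reproduce the Linux dual-stack quirk that BindIPv6Only=ipv6-only avoids:
a [::] socket with IPV6_V6ONLY=0 (kernel default) also claims the IPv4 side
of its port, so a separate 0.0.0.0 socket on that port gets EADDRINUSE."""
import errno
import socket

def _try_once(v6only: bool):
    """Bind [::] on a kernel-chosen port, then 0.0.0.0 on that same port.
    True: IPv4 bind ok. False: EADDRINUSE. None: no usable IPv6 stack."""
    try:
        s6 = socket.socket(socket.AF_INET6, socket.SOCK_STREAM)
        s4 = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    except OSError:
        return None
    try:
        # Set explicitly so the result does not depend on net.ipv6.bindv6only.
        s6.setsockopt(socket.IPPROTO_IPV6, socket.IPV6_V6ONLY, int(v6only))
        try:
            s6.bind(("::", 0))  # port 0: the kernel picks a free port
        except OSError as exc:
            if exc.errno in (errno.EADDRNOTAVAIL, errno.EAFNOSUPPORT):
                return None
            raise
        port = s6.getsockname()[1]
        try:
            s4.bind(("0.0.0.0", port))
            return True
        except OSError as exc:
            if exc.errno == errno.EADDRINUSE:
                return False
            raise
    finally:
        s6.close()
        s4.close()

def ipv4_bind_after_ipv6(v6only: bool, attempts: int = 5):
    """Retry in the ipv6-only case: the kernel may hand the v6-only socket
    a port that an unrelated IPv4 socket already holds."""
    result = None
    for _ in range(attempts):
        result = _try_once(v6only)
        if result is not False or not v6only:
            break
    return result

if __name__ == "__main__":
    for flag, label in ((False, "both"), (True, "ipv6-only")):
        print(f"BindIPv6Only={label}: separate IPv4 bind ok? "
              f"{ipv4_bind_after_ipv6(flag)}")
```

With the default (`both`) the IPv4 bind fails, which is exactly the conflict the second `ListenStream=` line would hit; with `ipv6-only` both sockets coexist on the same port.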
