1 point by omifarhan7512 hours ago 1 comment
  • evs917 hours ago
    You are pretty much going to experience that no matter what. Even if you update UFW to only allow Cloudflare IP ranges, you will get scans against SSH and if you turn on deny logging you will see that your IP still is being scanned. Changing the IP just moves your target somewhere else for it to be indexed again. Fail2Ban rules, like you mentioned, will reduce your attack surface and get the "background" automated attacks somewhat at bay. You can do things like only allowing SNI HTTPS requests and not direct IP connections (which is what you are doing with the Cloudflare proxy). From what you are saying: you are doing a solid middle of the road start. I would focus on making sure you keep the security posture up as you implement other services. Is this just for your projects or are you providing a service to customers? If it's just you - does the effort merit the work? If it's customers, there are more things you can do but "do you need to" is going to be more up to you.

    TL;DR - sounds like a solid starting place; don't worry about the IP address
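
An added example, not part of the comment above: one way to turn a list of proxy CIDR ranges into the UFW allow rules the comment refers to. The function names, the choice of ports 80 and 443, and the sample ranges (documentation prefixes, not Cloudflare's real list) are assumptions; the script only prints the commands so they can be reviewed before anything is applied.

```shell
#!/bin/sh
# Added example: generate UFW rules that accept web traffic only from a
# proxy's published CIDR ranges. Commands are printed, never executed.

# Constructed sample input: documentation prefixes, NOT real Cloudflare
# ranges. In practice, feed in the list the proxy provider publishes.
SAMPLE_RANGES='192.0.2.0/24
198.51.100.0/24
# comment lines and blank lines are skipped

2001:db8::/32
not-a-cidr'

# is_cidr: loose syntactic check for IPv4 or IPv6 CIDR notation.
is_cidr() {
    printf '%s\n' "$1" | grep -Eq \
        '^([0-9]{1,3}\.){3}[0-9]{1,3}/([0-9]|[12][0-9]|3[0-2])$|^[0-9A-Fa-f:]+:[0-9A-Fa-f:]*/([0-9]|[1-9][0-9]|1[01][0-9]|12[0-8])$'
}

# gen_ufw_rules: read one CIDR per line on stdin, print one ufw command
# per valid range on stdout, and report rejected lines on stderr.
gen_ufw_rules() {
    while IFS= read -r range; do
        case "$range" in
            ''|'#'*) continue ;;
        esac
        if is_cidr "$range"; then
            # Assumption: the proxied services listen on 80 and 443.
            echo "ufw allow proto tcp from $range to any port 80,443"
        else
            echo "skipping invalid entry: $range" >&2
        fi
    done
}

# Stand-alone run: show the rules for the constructed sample list.
printf '%s\n' "$SAMPLE_RANGES" | gen_ufw_rules
```

These rules only narrow access if any existing "allow from anywhere" rule for 80/443 is deleted and the default incoming policy is deny; SSH needs its own rule and, as the comment notes, will still be scanned.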