Hosting hidden services: is my setup safe?

I run hidden services (ssh, personal cloud server) on a minimal debian VM install (no DE) behind a Whonix Gateway. I use VirtualBox, but I guess I could easily do the same with KVM, just didn’t have the time yet to make the switch. I chose a minimal debian instead of a Whonix Workstation because I wanted something smaller and to be more in control.

My debian VM /etc/network/interfaces is pretty easy:

allow-hotplug enp0s3
iface enp0s3 inet static
	address 10.152.152.12

And the/etc/resolv.conf file is empty.

As the debian VM has no gateway and no DNS resolver, it cannot connect to the internet, even with Whonix Gateway. This is on purpose for security reasons. Hidden services hostnames and keys are stored on the Whonix Gateway and the IP address in the Whonix Gateway’s /etc/tor/torrc configuration file is debian VM’s 10.152.152.12.

All works well. But I was wondering is my setting was good enough security wise. Is there something I have not thought about (I am not talking about leaking problems related to apache/nginx, etc., just regarding the network settings)?