The useful split is not complicated: the root domain should behave like a stable identity site, while anything that needs a running process should live behind an explicit boundary. That keeps the homepage fast and makes experiments easier to remove.
Current decision
Cloudflare stays in front for DNS and the public edge. Caddy serves the static site from the VPS today and preserves separate service routes for panels, APIs, and demos. The public root does not need a database, a login flow, or a long-running application server.
Why this matters
Personal domains often become messy because every small experiment is published as if it were part of the main site. The result is fragile routing, unclear security boundaries, and a homepage that is hard to restore. A static root avoids most of that.
Operating rule
- The homepage and writing pages are static files.
- Server-backed tools use clear paths or subdomains.
- Private panels are never described as public features.
- Every exposed service needs a rollback path before it is linked.
Next step
The cleaner long-term version is to move the static root to Cloudflare Pages and keep the VPS focused on lab services. The current setup is already compatible with that migration because the public site is just generated files.