A single-file Python Flask application that turns a directory of images into a responsive thumbnail grid with a lightbox. No database, no CMS, no build step — point it at a folder and go. Thumbnails generate once with Pillow and cache to disk. Built on the same systemd, Gunicorn, and Nginx reverse-proxy pattern covered in the Flask guide.
Nginx doesn't care what's on the other end of proxy_pass. A real Flask app — log monitoring, systemd service management, and permission debugging — demonstrates the pattern that works for any backend language.
Lock down SSH with Tailscale as your primary path — encrypted WireGuard mesh, accessible from anywhere without exposing a public port. Two direct fallbacks from known home IPs for when the mesh is down, enforced at the cloud firewall level. Three paths in. No port scanners allowed.
rclone to Proton Drive, a home server over Tailscale, or any provider that speaks SFTP — with cron scheduling, age-based pruning, and a reminder that cloud convenience is not a backup strategy. One dump per database, one target automatic, one independent. What to back up, what to skip, and why provider snapshots aren't the same thing.
Serve a WordPress site from a home server through a lightweight VPS proxy — static assets mirrored to the VPS disk, dynamic requests proxied over Tailscale, and every database query running at local NVMe latency. A playground project that turned out well enough to document.
Stop port scanners and direct-to-IP attacks before they reach your server. A stateless cloud firewall — free on most providers — drops all traffic on ports 80 and 443 that doesn't originate from Cloudflare's IP ranges. Includes the certificate renewal caveat: every domain on your Let's Encrypt certificate must be proxied, or renewal breaks.