A short note marking the moment.
A self-hosted Bluesky Personal Data Server on a Hetzner CAX11 VPS in Falkenstein, registered to my holding company, hardened against the most common attack surfaces, and joined to the atproto network under my own domain handle: menno.moutonlab.eu.
This blog post itself is a test of the pipeline. The Markdown source lives in ~/spos/publications/, the CLI publishes it to two channels in one command: a record on the PDS (visible to anyone with an atproto blog reader like WhiteWind), and static HTML on this site (blog.moutonlab.eu).
A few things stand out as worth remembering:
Sovereign infrastructure is reachable for one person. A €4.49/month VPS, careful attention to the threat model, and a few hours got me from "Bluesky account on someone else's server" to "Bluesky account on infrastructure I own." Not free — there is real ongoing operational cost — but achievable.
The protocol is more interesting than the app. Bluesky-the-application is one frontend onto the AT Protocol. Whitewind reads the same data my custom blog renderer reads. If either disappears tomorrow, the records persist on my PDS.
Hardening is iterative. Every layer added something — SSH key-only auth, fail2ban, UFW rate limits, security headers, Docker capability dropping, read-only container roots, audit rules, sysadmin user separation. None of these matter individually as much as they matter together.
The supply chain is the threat model. The interesting risks aren't bored kids running nmap — they are upstream package compromise, dependency drift, vendored projects going dark. Choosing what to trust + when to vendor + when to audit is the actual security work.
Posts will appear here as I learn things worth writing down. The Markdown files live in ~/spos/publications/; this site is just one rendering of them.
Hello world.
]]>