Setting up my self-hosted PDS

@menno.moutonlab.eu

A short note marking the moment.

What I built today

A self-hosted Bluesky Personal Data Server on a Hetzner CAX11 VPS in Falkenstein, registered to my holding company, hardened against the most common attack surfaces, and joined to the atproto network under my own domain handle: menno.moutonlab.eu.

This blog post itself is a test of the pipeline. The Markdown source lives in ~/spos/publications/, and the CLI publishes it to two channels in one command: a record on the PDS (visible to anyone with an atproto blog reader like WhiteWind), and static HTML on this site (blog.moutonlab.eu).

What I learned

A few things stand out as worth remembering:

  1. Sovereign infrastructure is reachable for one person. A €4.49/month VPS, careful attention to the threat model, and a few hours got me from "Bluesky account on someone else's server" to "Bluesky account on infrastructure I own." Not free — there is real ongoing operational cost — but achievable.

  2. The protocol is more interesting than the app. Bluesky-the-application is one frontend onto the AT Protocol. WhiteWind reads the same data my custom blog renderer reads. If either disappears tomorrow, the records persist on my PDS.

  3. Hardening is iterative. Every layer added something — SSH key-only auth, fail2ban, UFW rate limits, security headers, Docker capability dropping, read-only container roots, audit rules, sysadmin user separation. None of these matter individually as much as they matter together.

  4. The supply chain is the threat model. The interesting risks aren't bored kids running nmap — they are upstream package compromise, dependency drift, vendored projects going dark. Choosing what to trust + when to vendor + when to audit is the actual security work.
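
The container-level layers named in item 3 (capability dropping and read-only container roots) can be verified from `docker inspect` output instead of assumed. The script below is an added example, not part of the original post or its tooling; the container names and the sample JSON are constructed, and the privileged-mode check is an extra included because privileged mode overrides dropped capabilities.

```python
import json

# Constructed sample of `docker inspect <container>...` output; names and values
# are illustrative and not taken from the post.
SAMPLE_INSPECT = json.dumps([
    {"Name": "/pds",
     "HostConfig": {"CapDrop": ["ALL"], "CapAdd": None,
                    "ReadonlyRootfs": True, "Privileged": False}},
    {"Name": "/blog-renderer",
     "HostConfig": {"CapDrop": None, "CapAdd": ["NET_ADMIN"],
                    "ReadonlyRootfs": False, "Privileged": False}},
])


def audit_container(container):
    """Return a list of hardening gaps for one `docker inspect` entry."""
    host = container.get("HostConfig") or {}
    findings = []
    # Docker reports an unset list as null, so normalise to an empty list.
    cap_drop = [c.upper() for c in (host.get("CapDrop") or [])]
    cap_add = [c.upper() for c in (host.get("CapAdd") or [])]
    if "ALL" not in cap_drop:
        findings.append("CapDrop does not include ALL")
    if cap_add:
        # Not necessarily wrong, but each capability added back deserves review.
        findings.append("capabilities added back: " + ", ".join(sorted(cap_add)))
    if not host.get("ReadonlyRootfs"):
        findings.append("root filesystem is writable")
    # A privileged container keeps every capability regardless of CapDrop.
    if host.get("Privileged"):
        findings.append("container is privileged")
    return findings


def audit(inspect_json):
    """Map container name -> findings for a JSON array from `docker inspect`."""
    return {c.get("Name", "?").lstrip("/"): audit_container(c)
            for c in json.loads(inspect_json)}


if __name__ == "__main__":
    for name, findings in audit(SAMPLE_INSPECT).items():
        print(name, "OK" if not findings else "; ".join(findings))
```

On a live host, pipe the output of `docker inspect $(docker ps -q)` into `audit()` in place of the constructed sample.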

What's next

Posts will appear here as I learn things worth writing down. The Markdown files live in ~/spos/publications/; this site is just one rendering of them.

Hello world.

@menno.moutonlab.eu

did:plc:znkcnl4abdfmxcnd6f5idtd3
