{
"$type": "com.whtwnd.blog.entry",
"content": "# Setting up my self-hosted PDS\n\nA short note marking the moment.\n\n## What I built today\n\nA self-hosted Bluesky Personal Data Server on a Hetzner CAX11 VPS in Falkenstein, registered to my holding company, hardened against the most common attack surfaces, and joined to the atproto network under my own domain handle: [menno.moutonlab.eu](https://bsky.app/profile/menno.moutonlab.eu).\n\nThis blog post itself is a test of the pipeline. The Markdown source lives in `~/spos/publications/`, the CLI publishes it to two channels in one command: a record on the PDS (visible to anyone with an atproto blog reader like WhiteWind), and static HTML on this site (`blog.moutonlab.eu`).\n\n## What I learned\n\nA few things stand out as worth remembering:\n\n1. **Sovereign infrastructure is reachable for one person.** A €4.49/month VPS, careful attention to the threat model, and a few hours got me from \"Bluesky account on someone else's server\" to \"Bluesky account on infrastructure I own.\" Not free — there is real ongoing operational cost — but achievable.\n\n2. **The protocol is more interesting than the app.** Bluesky-the-application is one frontend onto the AT Protocol. WhiteWind reads the same data my custom blog renderer reads. If either disappears tomorrow, the records persist on my PDS.\n\n3. **Hardening is iterative.** Every layer added something — SSH key-only auth, fail2ban, UFW rate limits, security headers, Docker capability dropping, read-only container roots, audit rules, sysadmin user separation. None of these matter individually as much as they matter together.\n\n4. **The supply chain is the threat model.** The interesting risks aren't bored kids running nmap — they are upstream package compromise, dependency drift, vendored projects going dark. Choosing what to trust + when to vendor + when to audit is the actual security work.\n\n## What's next\n\nPosts will appear here as I learn things worth writing down. The Markdown files live in `~/spos/publications/`; this site is just one rendering of them.\n\nHello world.\n",
"createdAt": "2026-05-15T22:30:00.000Z",
"title": "Setting up my self-hosted PDS"
}