Your First Sovereign Machine

Every service you use is a building you rent. Dropbox holds the keys to your files. Google holds the keys to your photos and your calendar and probably your front door. The landlords are competent and the buildings are well-maintained, but the lease is conditional, the terms change without your consent, and the day they decide your account doesn't fit their policies you find out what tenancy really means.

The alternative is not paranoia. It is to own one small, unglamorous box on your own network, a single node, sitting next to your router, running Linux you control, and to build the muscle of operating it. Once you have that muscle, every future decision about what to host yourself becomes a calm calculation instead of a project. The Pi is the entry-level version of that node. It is also, for most people, sufficient.

This guide is the boring, careful version of the build: choose the hardware that doesn't fight you, install the OS that won't surprise you in two years, harden it correctly on the first boot so you never have to think about it again, and put it on the network so it's always reachable. The work is not exciting. The result is.

Stop being a tenant. Own one box, properly, and the rest gets easier than you've been told.

By the end of an afternoon you will have a hardened, headless Linux node on your network: keys-only SSH, firewall enabled, automatic security updates, reliable hostname, a static lease, and a thirty-second observability loop. Nothing public-facing yet, that's a later guide, but the foundation that everything else gets built on.

The Pi is the cheap part of this build. The supporting cast is where most first-time builds fail. A weak power supply will corrupt your filesystem every other reboot. A no-name microSD card will die in six months. A passive case will throttle the CPU under any real load. Buy the dull, known-good versions of all three and the box stops fighting you.

• Raspberry Pi 5 (8 GB)

  ref ↗

  Compute · ARM64 · ~$80

  The 4 GB will work; the 8 GB gives headroom for the services you'll add later. Pi 4 still fine if that's what you have.

• Official 27 W USB-C PSU

  ref ↗

  Power · the most important $12 you'll spend

  Pi 5 negotiates 5 V/5 A. Random USB chargers under-deliver and silently corrupt the SD card. Buy the official one.

• Argon ONE V3 case

  ref ↗

  Cooling + I/O · passive heatsink + quiet fan

  Moves all the I/O to the back, holds CPU under 60°C indefinitely. Not required; very nice.

• Samsung Pro Endurance microSD (64 GB+)

  Boot/storage · endurance-rated

  Or skip the SD entirely and use an NVMe HAT (below). Avoid no-name 'high-speed' cards, they're rated for cameras, not 24/7 writes.

• Pimoroni NVMe Base + WD SN770 (250 GB)

  ref ↗

  Better storage · ~10× SD durability

  Optional but strongly recommended. NVMe boot survives a decade; SD boot survives a year if you're lucky.

• Cat 6 ethernet cable

  Network · wired beats Wi-Fi every time

  Lower latency, no driver headaches, no random disconnects. Plug it into the router and forget it.

Four credible choices for a Pi. They are not equivalent. Pick the one whose surprises you can absorb.

Raspberry Pi Imager will pre-bake your SSH key, hostname, username, locale, and Wi-Fi credentials into the image before first boot. Use it, it is the single biggest reduction in first-boot friction in the Pi ecosystem.

1. STEP 01

   Generate an SSH key if you don't have one.

   Ed25519 is the modern default. Use a passphrase; keep the private key on disk; never put it on the Pi.

   ▌ ssh-keygen

   copy

   # Skip if you already have ~/.ssh/id_ed25519
   ssh-keygen -t ed25519 -C "$(whoami)@$(hostname), pi-fleet"
   
   # Print the public key, you'll paste it into Imager
   cat ~/.ssh/id_ed25519.pub

2. STEP 02

   Flash with Raspberry Pi Imager.

   Install Imager (Mac, Linux, Windows). Choose Ubuntu Server 24.04 LTS (64-bit). Choose your storage, microSD or NVMe in a USB enclosure. Then click the gear icon before writing and fill in: hostname, username, your public SSH key (paste it), locale, and Wi-Fi credentials if you must (skip if wired).

3. STEP 03

   Boot and wait two minutes.

   First boot expands the filesystem, applies your settings, and brings up SSH. Don't rush it; impatient power-cycling here is how you corrupt the install.

With mDNS working you can reach the Pi by its hostname. If mDNS isn't resolving on your network, find it by IP first and come back to the hostname step in §06.

# By hostname (mDNS)
ssh ops@thalos.local

# Or by IP, find it on the router or with arp
arp -a | grep -i raspberry

# First thing inside the box, always
sudo apt update && sudo apt full-upgrade -y && sudo apt autoremove -y
sudo reboot

Hardening is a 15-minute job on first boot and a one-week nightmare if you put it off. Do the five steps below in order; each one is short.

1. STEP 01

   Lock down SSH: keys only, no root.

   Drop a config snippet under /etc/ssh/sshd_config.d/ so it survives package updates. Don't edit the main file.

   ▌ 99-hardening.conf

   copy

   # Keys-only authentication
   PasswordAuthentication no
   KbdInteractiveAuthentication no
   ChallengeResponseAuthentication no
   
   # No root login
   PermitRootLogin no
   
   # Restrict to explicit users
   AllowUsers ops
   
   # Disconnect idle/dead sessions
   ClientAliveInterval 300
   ClientAliveCountMax 2
   
   # Apply
   # sudo systemctl restart ssh

   Before you restart sshd: open a second terminal and confirm you can still log in with your key. If you can,sudo systemctl restart ssh. If you can't, fix it before the first session times out.

2. STEP 02

   Default-deny firewall with UFW.

   UFW is the friendly front-end to iptables. Three commands and you're done.

   ▌ ufw

   copy

   sudo apt install -y ufw
   sudo ufw default deny incoming
   sudo ufw default allow outgoing
   sudo ufw allow 22/tcp
   sudo ufw enable
   sudo ufw status verbose

3. STEP 03

   fail2ban for the noise floor.

   The public-internet SSH banner sees ~10k scan attempts a day even on a residential IP. UFW drops the syn floods; fail2ban bans the IPs that actually try to authenticate.

   ▌ jail.local

   copy

   sudo apt install -y fail2ban
   
   sudo tee /etc/fail2ban/jail.local >/dev/null <<'EOF'
   [DEFAULT]
   bantime  = 1h
   findtime = 10m
   maxretry = 5
   
   [sshd]
   enabled = true
   port    = ssh
   backend = systemd
   EOF
   
   sudo systemctl enable --now fail2ban
   sudo fail2ban-client status sshd

4. STEP 04

   Unattended security upgrades.

   The single highest-ROI configuration you can do. Security patches apply themselves; you get an email if anything goes wrong; you stop having to think about it.

   ▌ unattended

   copy

   sudo apt install -y unattended-upgrades apt-listchanges
   sudo dpkg-reconfigure --priority=low unattended-upgrades  # answer Yes
   
   # Edit and uncomment the Unattended-Upgrade::Mail line:
   sudo nano /etc/apt/apt.conf.d/50unattended-upgrades
   #   Unattended-Upgrade::Mail "you@example.com";
   #   Unattended-Upgrade::Automatic-Reboot "true";
   #   Unattended-Upgrade::Automatic-Reboot-Time "04:00";
   
   # Dry-run to confirm the config is valid
   sudo unattended-upgrades --dry-run --debug

5. STEP 05

   Sysctl + journald hygiene (small wins).

   Two small tweaks: cap journal size so logs don't fill the disk, and tighten a few network sysctls.

   ▌ hygiene

   copy

   # Cap journals
   sudo mkdir -p /etc/systemd/journald.conf.d
   echo -e "[Journal]\nSystemMaxUse=500M" \
     | sudo tee /etc/systemd/journald.conf.d/size.conf
   
   # Network sysctls
   sudo tee /etc/sysctl.d/99-hardening.conf >/dev/null <<'EOF'
   net.ipv4.conf.all.rp_filter = 1
   net.ipv4.conf.all.accept_redirects = 0
   net.ipv4.conf.all.send_redirects = 0
   net.ipv4.tcp_syncookies = 1
   EOF
   sudo sysctl --system

A server that changes IP every week isn't a server, it's a scavenger hunt. Two changes make it reachable forever.

1. STEP 01

   Static DHCP lease at the router.

   Open the router admin, find DHCP reservations, and bind the Pi's MAC address to a fixed IP outside the DHCP pool (e.g. 192.168.1.10). This is preferable to setting a static IP on the Pi itself: when you move networks the Pi still gets a working DHCP lease, and the router owns the source of truth.

2. STEP 02

   Confirm hostname and mDNS.

   Ubuntu Server ships with systemd-resolved and does not enable mDNS by default. Install avahi for.local resolution from your laptop.

   ▌ hostname + mdns

   copy

   hostnamectl status
   # If wrong: sudo hostnamectl set-hostname thalos
   
   sudo apt install -y avahi-daemon
   sudo systemctl enable --now avahi-daemon
   
   # From your laptop:
   ping thalos.local

You don't need Prometheus yet. You need three commands you can type from memory, plus one daemon that records bandwidth. Anything more is premature.

# Errors since last boot
journalctl -p err -b --no-pager | tail -n 50

# Uptime + load
uptime

# Disk
df -h /

# Memory
free -h

# Failed services
systemctl --failed

sudo apt install -y vnstat smartmontools
sudo systemctl enable --now vnstat

# Bandwidth, wait a day before reading
vnstat -d
vnstat -m

# NVMe SMART (skip if SD-only)
sudo smartctl -a /dev/nvme0n1 | grep -E 'Temperature|Percentage Used|Power_On'

# Confirm only 22 is open
nmap -p- thalos.local

# Confirm passwords are refused
ssh -o PasswordAuthentication=yes -o PubkeyAuthentication=no ops@thalos.local
# expected: "Permission denied (publickey)."

# Confirm key auth works
ssh ops@thalos.local 'uptime && df -h / && systemctl --failed'

Same rule as every honest guide: the protections section is only credible if the limits section is honest.

With the foundation in place, three guides build out from here. Take them in the order most operators do.

• NEXT IN TRACK

  Run Your Own Node →

  Sovereignty at the protocol layer.

• HARDWARE PERIMETER

  The Protectli Vault →

  A real firewall before you expose anything.

• REFERENCE BUILD

  pfSense on Bare Metal →

  The firewall this box deserves to sit behind.