From the Rubble | Digital Sovereignty Series | Episode 7

TLDR: The sovereign stack comes together on a VPS at 1984 Hosting in Iceland — $10/month for the infrastructure that runs Ghost (publishing), Navidrome (music streaming), and Audiobookshelf (audiobooks), all on hardware under your administrative control in a privacy-respecting jurisdiction. This is the capstone: provisioning and hardening the server, installing all three services, connecting Filen as the encrypted backbone, and the full cost comparison — ~$17/month total for a stack that replaces $50+ in subscriptions while delivering meaningfully better privacy and permanence. Digital sovereignty mirrors health sovereignty. Both start with the same question: who controls the system?


series: [“Digital Sovereignty”]

Six episodes ago you were running Windows.

You were paying monthly for software you didn’t own, on an operating system that reported your behavior to a company with no aligned interest in your privacy, storing files on servers controlled by corporations whose terms of service you’d never read, streaming music and audiobooks that could be revoked without warning or recourse.

That’s not where you are now.

This final episode is about the last layer — the VPS, the self-hosted services, and how everything built across this series connects into a coherent stack. It’s also about the bigger picture: what digital sovereignty actually means when you live it day to day, and how it maps to the other sovereignty work happening in parallel.



The VPS — Your Sovereign Server

Everything we’ve built so far lives on your local machines. That’s meaningful — your files are encrypted, your OS isn’t surveilling you, your music library is yours. But local-only has limits. You can’t access your Audiobookshelf library from your phone on the road. You can’t stream your Navidrome collection from a different device. Your Ghost site can’t publish if your laptop is closed.

A VPS — Virtual Private Server — is a rented slice of a server in a data center that runs 24/7. You administer it. You control what runs on it. It’s yours in every meaningful sense except the physical hardware.

The sovereignty-aligned choice for hosting is 1984 Hosting out of Iceland.

Named after Orwell deliberately. Iceland’s jurisdiction has stronger privacy protections than the US or most of the EU. The company’s stated values align with what we’re building. They accept cryptocurrency. The pricing is reasonable — a VPS adequate for everything in this stack runs around $10/month.

That’s the total ongoing cost of your self-hosted infrastructure. Ten dollars a month for a publishing platform, a music streaming server, and an audiobook library — all running on hardware under your administrative control, in a privacy-respecting jurisdiction, with no third party reading your content.

Compare that to the combined subscriptions you’ve replaced.



Provisioning the VPS

After spinning up a VPS at 1984 Hosting (Ubuntu 22.04 LTS is the recommended OS for Ghost), the first session is hardening — same principles as Episode 2, applied to a server.

# Update immediately
apt update && apt upgrade -y

# Create a non-root user
adduser kyle
usermod -aG sudo kyle

# Set up SSH key authentication
# Copy your public key to /home/kyle/.ssh/authorized_keys

# Disable password SSH login
# Edit /etc/ssh/sshd_config:
# PasswordAuthentication no
systemctl restart sshd

# Basic firewall
ufw allow OpenSSH
ufw allow 80
ufw allow 443
ufw enable

SSH key authentication only, no password login, firewall active before you do anything else. Same discipline as the laptop, applied to a server that will be running permanently and publicly accessible.
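A check that the settings above actually took effect, as an added example (not from the original post). sshd uses the first value it reads for each keyword, so a drop-in under /etc/ssh/sshd_config.d/ can override the `PasswordAuthentication no` you wrote in the main file; the function name and the sample data are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original post). On the server:
#   sudo sshd -T | check_sshd_effective
# `sshd -T` prints the effective configuration after every Include is applied.

# Reads `sshd -T` output on stdin. Prints one line per setting that is absent
# or weaker than required; returns 0 only when nothing is printed.
check_sshd_effective() {
    sshd_findings=$(awk '
        BEGIN {
            # Required values; sshd -T prints keywords in lower case.
            want["passwordauthentication"]       = "no"
            # Keyword name as printed by recent OpenSSH (assumption).
            want["kbdinteractiveauthentication"] = "no"
            want["pubkeyauthentication"]         = "yes"
        }
        { key = tolower($1); if (key in want) seen[key] = tolower($2) }
        END {
            for (k in want) {
                if (!(k in seen))
                    printf "MISSING %s (want %s)\n", k, want[k]
                else if (seen[k] != want[k])
                    printf "WEAK %s=%s (want %s)\n", k, seen[k], want[k]
            }
        }' | sort)
    [ -z "$sshd_findings" ] && return 0
    printf '%s\n' "$sshd_findings"
    return 1
}

# Constructed sample: sshd_config says "PasswordAuthentication no", but an
# earlier-read drop-in in /etc/ssh/sshd_config.d/ set it to yes and won.
SAMPLE_OVERRIDDEN='port 22
pubkeyauthentication yes
passwordauthentication yes
kbdinteractiveauthentication no'

printf '%s\n' "$SAMPLE_OVERRIDDEN" | check_sshd_effective || true
```

Run it from a second SSH session that logged in with your key, so a failed check never costs you access.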



Ghost — Your Publishing Infrastructure

Ghost is the first service to install because its setup process is the most involved and it’s the most critical — your newsletter and subscriber list live here.

Ghost CLI handles the installation cleanly on Ubuntu:

# Install Node.js
curl -fsSL https://deb.nodesource.com/setup_18.x | sudo -E bash -
sudo apt install -y nodejs

# Install Nginx
sudo apt install -y nginx

# Install MySQL
sudo apt install -y mysql-server

# Install Ghost CLI
sudo npm install ghost-cli@latest -g

# Create directory and install Ghost
sudo mkdir -p /var/www/sovereignselfhealth
sudo chown kyle:kyle /var/www/sovereignselfhealth
cd /var/www/sovereignselfhealth
ghost install

Ghost CLI walks you through the interactive setup — domain, email configuration, SSL. Let’s Encrypt SSL is handled automatically. When it’s done, your Ghost instance is running at your domain, serving HTTPS, ready for content.

For DNS: point your domain at your VPS IP through Cloudflare. Cloudflare proxying (orange cloud) hides your origin server IP, which is worth enabling — it means your VPS IP address isn’t publicly visible in DNS records.



Navidrome turns your local music library — the one you built with spotDL in Episode 5 — into a streaming server accessible from any device with a browser or compatible app.

The architecture: your MP3 files sync to the VPS via your Filen encrypted storage or direct upload, Navidrome reads the library directory and builds an indexed database, and you stream through the web UI or any Subsonic-compatible app on your phone.

# Install Navidrome
# (navidrome is not in Ubuntu 22.04's default repositories; this assumes a
# package source that provides it has already been added)
sudo apt install -y navidrome

# Configure it
sudo nano /etc/navidrome/navidrome.toml

Minimal configuration:

MusicFolder = "/home/kyle/music"
DataFolder = "/home/kyle/navidrome-data"
Port = 4533

# Start and enable
sudo systemctl start navidrome
sudo systemctl enable navidrome

Add an Nginx reverse proxy configuration so Navidrome is accessible at a subdomain (e.g., music.yourdomain.com) over HTTPS rather than a raw port. Ghost CLI will have already configured Nginx — add a new server block for Navidrome following the same pattern.

On your phone, install a Subsonic-compatible app — Symfonium on Android or Amperfy on iOS are well-regarded options. Point them at your Navidrome URL with your credentials. Your entire music library, streamed from your own server, to any device, anywhere.



Audiobookshelf — Your Audiobook Library

Same pattern as Navidrome, applied to audiobooks.

# Audiobookshelf via Docker is the cleanest install path
sudo apt install -y docker.io
sudo systemctl start docker
sudo systemctl enable docker

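# Run Audiobookshelf
# Publish the port on loopback only: ports published by Docker are not
# filtered by ufw, and the Nginx reverse proxy reaches it via 127.0.0.1
sudo docker run -d \
  --name audiobookshelf \
  --restart unless-stopped \
  -e PUID=1000 \
  -e PGID=1000 \
  -p 127.0.0.1:13378:80 \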
  -v /home/kyle/audiobookshelf/config:/config \
  -v /home/kyle/audiobookshelf/metadata:/metadata \
  -v /home/kyle/audiobooks:/audiobooks \
  ghcr.io/advplyr/audiobookshelf

Add an Nginx reverse proxy for a subdomain (books.yourdomain.com), get a Let’s Encrypt certificate for it, and your audiobook library is accessible from anywhere via HTTPS.
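The server block that both this section and the Navidrome section ask for, as an added example rather than configuration from the original post: a shell function that renders it for a given subdomain and local port. The function name, the header set, the loopback upstream and the certbot step in the comments are assumptions.

```shell
#!/bin/sh
# Added example (not from the original post). On the server (Ubuntu nginx layout):
#   render_proxy_vhost music.yourdomain.com 4533 |
#       sudo tee /etc/nginx/sites-available/music.yourdomain.com.conf
#   sudo ln -s /etc/nginx/sites-available/music.yourdomain.com.conf /etc/nginx/sites-enabled/
#   sudo nginx -t && sudo systemctl reload nginx
#   sudo certbot --nginx -d music.yourdomain.com   # assumes certbot is installed

# render_proxy_vhost HOSTNAME LOCAL_PORT -> nginx server block on stdout.
# Returns 2 without output when either argument could alter the config syntax.
render_proxy_vhost() {
    vhost_name=$1
    vhost_port=$2
    case $vhost_name in
        ''|*[!A-Za-z0-9.-]*) echo "bad hostname" >&2; return 2 ;;
    esac
    case $vhost_port in
        ''|*[!0-9]*) echo "bad port" >&2; return 2 ;;
    esac
    if [ "$vhost_port" -lt 1 ] || [ "$vhost_port" -gt 65535 ]; then
        echo "port out of range" >&2; return 2
    fi
    cat <<EOF
server {
    listen 80;
    listen [::]:80;
    server_name ${vhost_name};

    location / {
        # Upstream on loopback: the service is never addressed by its public IP.
        proxy_pass http://127.0.0.1:${vhost_port};
        proxy_http_version 1.1;
        proxy_set_header Host \$host;
        proxy_set_header X-Forwarded-For \$proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto \$scheme;
        # WebSocket upgrade, used by the Audiobookshelf web client.
        proxy_set_header Upgrade \$http_upgrade;
        proxy_set_header Connection "upgrade";
    }
}
EOF
}

render_proxy_vhost books.yourdomain.com 13378
```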

The Audiobookshelf mobile apps handle offline sync — download books to your phone for offline listening. Planes, commutes, anywhere without reliable internet.



Filen as the Backbone

Filen runs across all of this, not just on your local machines.

Your Obsidian vault syncs through Filen — changes on any device propagate to all others. Your music library, if too large for the VPS by default, can live in Filen and be mounted or synced to the VPS. Your Ghost content exports go to Filen as backups. Sensitive documents never touch an unencrypted cloud.

Filen is the connective tissue between local machines and the VPS — encrypted in transit, encrypted at rest, keys held only by you.



Claude Desktop + MCP as the Workflow Layer

The AI layer sits on top of all of this.

Claude Desktop with the filesystem MCP server pointed at your Obsidian vault and project directories means you can have a working conversation with your own knowledge base. Query across your notes. Draft content with context from your existing writing. Distill 300 files into 20 focused reference documents.

This is AI used as a tool — deliberate, configured, limited to what you’ve explicitly granted access to. Not an always-on assistant with access to your browser history and email. A tool you open when you need it, with a clear understanding of what it can and cannot see.

The stack doesn’t require AI to function. It’s improved by having it available in a controlled way.



Open Brain — The Stack Gets Memory

After everything in this series was built and running, one more layer emerged that changed how the whole thing works.

The problem: a knowledge base you can’t search semantically is slower than it should be. Obsidian is excellent for structured notes. It doesn’t answer questions like “what have I captured about identity and sovereignty over the past three months?” without you already knowing what to search for.

The solution: Postgres with pgvector running on your VPS, a custom MCP server exposing it to Claude, and a lightweight capture workflow that turns thoughts into embeddings.

Every meaningful insight, decision, status update, or captured thought gets ingested into a Postgres database with a vector embedding alongside it. When you ask a question — in plain language, through Claude — the MCP server does a similarity search across your entire personal knowledge base and returns the closest matches. Not keyword search. Semantic search. The meaning of what you wrote, not just the words.

It runs on the same Bastion VPS as everything else. No new infrastructure, no additional cost. Postgres is another Docker container alongside Audiobookshelf. The MCP server is a small Node.js process. The total overhead is minimal.

Episode 8 covers the full setup: the Postgres + pgvector container, the MCP server, the capture workflow, and what the sovereign stack becomes when it can remember and reason over your own history.

The short version: the stack went from a collection of tools to something that compounds. Every thought captured makes the next conversation with Claude more grounded in your actual context. That’s a qualitatively different capability than a file system the AI can read.



The Maintenance Rhythm

Sovereignty requires maintenance. Not much — but some. Here’s the realistic weekly and monthly rhythm:

Weekly (10 minutes):

  • Check Ghost is running: ghost ls
  • Glance at Mailgun delivery stats if you’ve sent newsletters
  • Check that Navidrome and Audiobookshelf are accessible

Monthly (30 minutes):

  • Update Ghost: cd /var/www/yoursite && ghost update
  • Update system packages: sudo apt update && sudo apt upgrade
  • Run Ghost doctor: ghost doctor
  • Check disk usage: df -h
  • Export Ghost content backup from admin panel

Quarterly:

  • Full backup download — Ghost export, Navidrome library check, Audiobookshelf metadata export
  • Review costs — VPS, Filen, Mailgun — make sure nothing has crept up unexpectedly
  • Security review — run through the Episode 2 checklist on the VPS

The discipline is minimal compared to the peace of mind. You’re not managing a complex enterprise system. You’re maintaining a small, focused set of tools that you understand and control.



The Full Cost Picture

What does this actually cost per month?

| Service | Cost | What It Replaced |
|---|---|---|
| 1984 Hosting VPS | ~$10/month | Ghost.org ($25+/month), hosting fees |
| Filen (paid tier) | ~$3/month | Google Drive, OneDrive, Dropbox |
| Mailgun | $0 | ConvertKit, Mailchimp |
| Navidrome | $0 | Spotify ($11/month) |
| Audiobookshelf | $0 | Audible ($15/month) |
| Domains (~2) | ~$4/month amortized | |
| Total | ~$17/month | $50+/month in subscriptions |

The math is not the point — sovereignty isn’t primarily a financial calculation. But it’s worth noting that the sovereign stack is cheaper than what it replaces, while delivering meaningfully better control, privacy, and permanence.



Digital Sovereignty Mirrors Health Sovereignty

I want to close this series where it started — with the parallel that makes all of this coherent rather than just a collection of tech decisions.

The pattern in conventional medicine is the same pattern in big tech: a system that profits from your dependency, defaults set to serve the system’s interests rather than yours, complexity designed to discourage exit, and the implicit message that you should trust the institution and not ask too many questions.

The FDN approach to health says: run your own tests. Get your own data. Understand what’s actually happening in your biology rather than accepting someone else’s interpretation of a panel designed for different purposes. Build your own protocol based on your specific situation.

The digital sovereignty approach says the same thing with different variables. Run your own servers. Own your own data. Understand what’s actually running on your machine rather than accepting defaults designed for someone else’s benefit. Build your own stack based on your specific needs and values.

Both require more upfront effort than the default path. Both pay off in ways that compound over time. Both require a certain tolerance for friction — not everything works perfectly on the first try, and that’s fine, that’s part of learning the system rather than being managed by it.

The veteran angle runs through both too. The military trains you to understand your equipment, know your systems, not take anything on faith that you can verify. That discipline translates directly to both health sovereignty and digital sovereignty. Trust but verify. Better: verify, then trust.



What You’ve Built

By the end of this series, running everything:

  • An OS that doesn’t surveil you, on a machine that’s hardened and locked down
  • Encrypted cloud sync across all your devices, with keys only you hold
  • A published Ghost site with email newsletter, running on a privacy-respecting server in Iceland
  • A local music library you own outright, streamed from your own server to any device
  • An audiobook library liberated from DRM, hosted on your own infrastructure
  • An AI workflow layer that accesses your local files without handing your documents to a cloud
  • A password manager and communication stack that treat your data as yours
  • A self-hosted semantic memory layer — your own thoughts, searchable by meaning, on your own infrastructure (Episode 8)

Total recurring cost: around $17/month. Total privacy exposure to surveillance capitalism: significantly reduced. Total platform dependency: one VPS provider you could migrate off in an afternoon if needed.

That’s the destination. The journey is documented in the six episodes before this one.



Resources

  • 1984 Hosting: 1984.hosting — Iceland VPS, privacy-aligned
  • Njalla: njal.la — alternative privacy-first VPS and domain registration
  • Ghost: ghost.org — self-hosted publishing platform
  • Navidrome: navidrome.org — self-hosted music streaming
  • Audiobookshelf: audiobookshelf.org — self-hosted audiobook server
  • Cloudflare: cloudflare.com — DNS and DDoS protection, free tier
  • Symfonium (Android): Subsonic-compatible music app
  • Amperfy (iOS): Subsonic-compatible music app


Episode 8 covers the final layer: Open Brain, semantic memory, and what the sovereign stack becomes when it can think across your own history. The series continues.

If you found this series useful, the best thing you can do is share it with one person who needs it. No algorithm required.



From the Rubble is written by Kyle — Marine veteran, FDN-P practitioner, 30-year conspiracy realist. Digital sovereignty, health sovereignty, and the overlap between them. No corporate funding. No ads. No permission required.