Self-Hosting on ByteGuard
Every self-hosting tutorial I've published, organized by where you are in the journey. Read top to bottom if you're starting fresh; jump to the section that matches your bottleneck if you're not.
If you've never set up a VPS, start with step 1. If your stack is already up and you're chasing security holes, jump to step 3.
Step 1 — Pick a VPS and harden it
The first hour decides whether you spend the next year fighting brute-force SSH attempts or building things. Skip the listicle "10 best VPS" articles — the differences that matter are network latency, kernel version freshness, and how the provider handles abuse complaints.
- The honest VPS comparison for self-hosters — Hetzner vs Contabo vs Vultr vs DigitalOcean. Real pricing in 2026, real performance, real abuse-complaint policies. *2,400 words.*
- I monitored 5 VPS providers from Helsinki for 30 days — uptime + latency dataset. The only piece of original data on this blog. *Post #24.*
- Harden a Linux VPS in 10 minutes — the long-form companion to the free PDF checklist. SSH, firewall, fail2ban, kernel sysctls, unattended-upgrades. *Pin this.*
- SSH hardening: the parts that actually matter — key auth, port choice (no, don't move to 2222), Match blocks, certificate auth.
Step 2 — Run your first useful service
Don't run a dozen things in week one. Pick one that solves a real problem, get it stable, then add the next.
- Vaultwarden in 12 minutes (self-hosted Bitwarden) — replace your password manager, get an end-to-end-encrypted vault on your own infra.
- Self-host Gitea on Docker — your own GitHub for personal projects.
- Uptime Kuma for self-hosted monitoring — know when your stack is down before your users tell you.
- Nginx Proxy Manager vs Traefik vs Caddy — pick the right reverse proxy the first time.
Step 3 — Lock it down
Once you've got more than one service exposed, you have a perimeter to defend. This is where most self-hosters quietly leak admin panels for years.
- Docker security: what actually matters in 2026 — image provenance, capabilities, user namespaces, secrets. The 80/20.
- Fail2ban that actually works — most fail2ban configs are theater. This one isn't.
- WireGuard mesh VPN for self-hosters — admin-panel access without exposing the admin panel.
- OWASP for self-hosters — the parts of OWASP that actually apply when you're not running a 50-engineer SaaS.
Step 4 — Stay alert
Self-hosted only stays self-hosted if you keep up with the CVEs.
- CVE spotlight: how I track CVEs across my stack
- Live CVE feed at cve.byte-guard.net — filtered for self-host-relevant projects
- Weekly CVE digest goes out with the newsletter (sign up below)
Get the playbook + weekly tutorials
I send one practical tutorial each week. New subscribers get the 47-step Server Hardening Checklist (PDF) immediately.
Topic clusters
- /tag/self-hosting/ — every self-hosting post
- /tag/docker/ — Docker-specific
- /tag/vps/ — VPS hardening and benchmarks
- /tag/privacy/ — Proton arc + privacy stack