You never know what's around the corner, or how an Easter Monday family medical emergency leads to running a sovereign infrastructure company twelve months later.
Easter Monday 2025 started like most bank holidays on the Island — quietly. It didn't stay that way. Caroline had a cardiac event. The kind that stops everything. By that Saturday we were in Liverpool at the Heart and Chest Hospital, doing the tests, seeing the consultants, working through the rounds of examinations that follow when someone's heart decides to misbehave. The diagnosis came back: electrical, not structural. Treatable. The ICD was implanted. The Wednesday after that we came home to Peel.
And then you sit with it.
The follow-up appointments started. Caroline doing the rounds of the cardiology team, the checks, the adjustments that come with having a device keeping your heart honest. I needed something to do with my hands and my head. Not to escape; just to be useful somewhere, to keep the brain turning over while the world recalibrated.
The HP Pavilion was sitting there running Windows Pro and quietly getting on my nerves.
The Island has a particular quality of quiet in early May — the calm before the TT turns everything loud again. Peel especially. You notice it when you need it to be louder. The appointments were booked. The follow-up calendar was filling. The ICD was doing its job. There wasn't a plan for what came next — just the particular restlessness of someone who needed to be useful and didn't yet know where to point it.
This isn't a story about a technophobe discovering computers. I've been in and around technology since the ZX Spectrum era: cassette tapes, rubber keys, and the particular joy of a program that loaded correctly first time. Through the DOS years, the IRQ hell of getting a Sound Blaster card to cooperate with DOOM, the NT 3.x and NT4 days when everyone else was still on Windows 95. A BSc (Hons) in Systems Analysis and Environmental Engineering from the Open University in 1999, which is perhaps why the disaster recovery planning, the lifecycle thinking, and the instinct to document failure modes before they happen feel less like discipline and more like reflex.
I made fences for a while. Wrote science fiction under a pen name. The technology didn't go anywhere, I just stopped chasing it professionally.
Coming back to Linux wasn't starting from scratch. It was picking up a tool I'd set down.
I could have gone the halfway-house route — WSL, Windows Subsystem for Linux, Linux inside Windows like a tenant who isn't quite allowed to redecorate. I didn't. If I was going to relearn Linux properly after years away from it, I was going to do it on bare metal. Native. No safety net.
The backup came first. Documents, files, everything zipped and pushed to Proton Drive and onto an external SSD. Backup first, modify later — a principle that would end up woven into everything that followed. Then I wiped it.
openSUSE went on first. Specifically Tumbleweed: rolling release, bleeding edge, the kind of distribution that keeps you honest. It also keeps you busy in ways you don't always want. Crontabs that argued back. Unsigned RPMs. Ghost dependencies in zypper that appeared and vanished like they were haunting the machine rather than running on it. It was character building. I built a lot of character.
By late July the character was fully built and I'd had enough. Linux Mint went on. I typed a command. It nodded. It worked. The contrast was almost offensive.
The M4 MacBook Air arrived in July too — the Grimoire, the primary workstation from that point forward. The 2015 Air retired gracefully after a decade of service.
The HP Pavilion, for what it's worth, is now running openSUSE Tumbleweed again — repurposed in January 2026, this time as a desktop rather than a production experiment. Entirely different experience when nothing critical is depending on it. It's held up fine, printing included.
The desktop sorted, the question became what to actually do with it. The answer arrived in the shape of a Mastodon server.
Mastodon is federated social media: you run your own instance, you own your data, and you're part of a wider network without being dependent on anyone else's platform decisions. The technical requirements are non-trivial: Ruby on Rails, PostgreSQL, Redis, Elasticsearch (optional, for full-text search), nginx with TLS certificates, object storage for media, and outbound email delivery. None of which cooperate by default.
It went live on 5 June 2025. The first admin account: @alan@lighthouse.co.im.
The Ruby gems dependency chain alone was an education. You think you're installing one thing and it turns out you're installing thirty-seven things that each have opinions about which version of the other thirty-six things should exist. Getting it stable required the kind of patience that is either a virtue or a mild personality disorder depending on your perspective.
But it ran. And it kept running.
Getting the server up was the start, not the end. The hardening followed. CrowdSec replaced Fail2ban: like Fail2ban it parses logs and bans offending IPs, but it also shares and consumes a community blocklist, so the perimeter learns from what other installations see rather than only from local log lines. Tailscale went in for access control: the production stack sits behind a private tailnet, and apart from the reverse proxy's HTTPS listener, which a federating Mastodon instance has to expose, nothing production-facing is reachable from the public internet directly.
Object storage for media offloaded to Hetzner's S3-compatible bucket in Helsinki. Backup routine: nightly local, weekly off-site pull, Proton Drive redundancy. Restore testing built into the process, not bolted on as an afterthought.
In December 2025 the server was upgraded from a CPX21 to a CPX42; the previous spec was fine until it wasn't, at which point it was very not-fine. Caddy replaced nginx as the reverse proxy. Caddy obtains and renews TLS certificates automatically via ACME, keeps the configuration in a single Caddyfile, and has a distinct lack of the nginx configuration syntax that looks reasonable until you've been staring at it for three hours at midnight.
In early 2026 came the Great Database Migration, a PostgreSQL upgrade that required careful choreography to execute without data loss. A PostgreSQL version jump is not a package bump: the data directory is tied to the major version and has to be dumped and restored, or migrated with pg_upgrade, with the application stopped, and every one of those steps has a point at which data can be lost. Planned, documented, backed up, executed, verified. The kind of operation that earns the right to be called infrastructure experience rather than just infrastructure familiarity.
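"Backed up, executed, verified" hides a pre-flight step that is easy to skip under pressure: proving the dump you are about to rely on is the dump you think it is. The following is an added example that serves both the backup routine described earlier and the migration here; it is not the site's own tooling. It assumes backups are pg_dump custom-format archives (`-Fc`, which begin with the bytes `PGDMP`) sitting next to a `SHA256SUMS` manifest in `sha256sum`'s `<hex>  <name>` layout, and checks three things before a migration or restore test is allowed to proceed: every listed file is present with the right hash, the dump is younger than the recovery point objective, and it really is a custom-format archive rather than, say, a plain-SQL dump that `pg_restore` will refuse. The sample backup directory is constructed in a temp folder with no real data.

```python
"""Pre-flight checks on a PostgreSQL dump before a migration or restore test.

Added example, not the site's own tooling. Assumes pg_dump custom-format
archives (-Fc) and a sha256sum-style SHA256SUMS manifest; both are assumptions.
"""
import hashlib
import os
import tempfile
import time
from pathlib import Path
from typing import Optional

PG_CUSTOM_MAGIC = b"PGDMP"   # first bytes of every pg_dump -Fc archive


def sha256_of(path: Path) -> str:
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def write_manifest(backup_dir: Path, name: str = "SHA256SUMS") -> None:
    """Emit a sha256sum-compatible manifest for every regular file in the directory."""
    lines = [f"{sha256_of(p)}  {p.name}"
             for p in sorted(backup_dir.iterdir()) if p.is_file() and p.name != name]
    (backup_dir / name).write_text("\n".join(lines) + "\n")


def verify_manifest(backup_dir: Path, name: str = "SHA256SUMS") -> list:
    """Return a list of problems; empty means every listed file is present and intact."""
    manifest = backup_dir / name
    if not manifest.exists():
        return [f"manifest {name} missing"]
    problems = []
    for line in manifest.read_text().splitlines():
        if not line.strip():
            continue
        expected, _, fname = line.partition("  ")
        target = backup_dir / fname.strip()
        if not target.exists():
            problems.append(f"{fname}: listed but missing")
        elif sha256_of(target) != expected:
            problems.append(f"{fname}: sha256 mismatch")
    return problems


def is_fresh(path: Path, max_age_hours: float) -> bool:
    """Freshness against the recovery point objective, judged from the file mtime."""
    return (time.time() - path.stat().st_mtime) <= max_age_hours * 3600


def is_pg_custom_format(path: Path) -> bool:
    with open(path, "rb") as f:
        return f.read(len(PG_CUSTOM_MAGIC)) == PG_CUSTOM_MAGIC


def preflight(backup_dir: Path, dump_name: str, max_age_hours: float = 26) -> dict:
    """Run every check; only a fully green result should gate a migration."""
    dump = backup_dir / dump_name
    problems = verify_manifest(backup_dir)
    result = {
        "manifest_ok": not problems,
        "fresh": dump.exists() and is_fresh(dump, max_age_hours),
        "custom_format": dump.exists() and is_pg_custom_format(dump),
        "problems": problems,
    }
    result["passed"] = result["manifest_ok"] and result["fresh"] and result["custom_format"]
    return result


def build_fixture(tamper: Optional[str] = None) -> Path:
    """Constructed sample backup directory (no real data); `tamper` injects one fault."""
    d = Path(tempfile.mkdtemp(prefix="bkcheck-"))
    dump = d / "mastodon.dump"
    dump.write_bytes(PG_CUSTOM_MAGIC + b"\x01\x10\x00" + b"constructed payload " * 16)
    (d / "media-manifest.txt").write_text("constructed\n")
    if tamper == "format":            # a plain SQL dump where -Fc was expected
        dump.write_bytes(b"-- PostgreSQL database dump\n")
    write_manifest(d)
    if tamper == "corrupt":           # bit-rot after the manifest was written
        with open(dump, "ab") as f:
            f.write(b"X")
    elif tamper == "stale":           # older than the RPO allows
        old = time.time() - 3 * 86400
        os.utime(dump, (old, old))
    return d


if __name__ == "__main__":
    for fault in (None, "corrupt", "stale", "format"):
        print(fault or "clean", preflight(build_fixture(fault), "mastodon.dump"))
```

The 26-hour default leaves slack for a nightly job that runs late; tighten it to match the real schedule. Passing pre-flight is necessary, not sufficient: the actual restore test still means loading the archive into a scratch database and comparing row counts against production, because a well-formed, fresh, intact dump can still be a dump of the wrong database.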
OVH Gravelines joined as backup DNS. DR mirror in Gravelines for the object storage. The architecture became: Helsinki primary, Gravelines redundancy, CrowdSec perimeter, Tailscale access layer. Nothing single-point-of-failure if it could be helped.
Somewhere in the late summer of 2025 a realisation landed: the consultancy had stopped being hypothetical. The skills were real. The infrastructure was running. There were clients. There were conversations about audits and security assessments and whether the stack that had been built from scratch over the summer could be replicated for others.
GitHub announced it was integrating Copilot more deeply. That's when Forgejo went in — a self-hosted Git forge, because code repositories belong on infrastructure you control, not on platforms that will eventually do something you disagree with. The GitHub Copilot announcement was the trigger. The principle was already there.
In October 2025 came the incorporation decision. Articles of association drafted. The legal scaffolding that turns ‘I do some consulting’ into ‘there is a documented legal entity with governance structure and liability protection.’ In November: Haunted Lighthouse Ltd, registered under the Isle of Man Companies Act 1931. A real company. With a number and everything. The website followed.
Alongside the infrastructure hardening came the governance layer. NIST hardening applied to the stack. Architecture Decision Records written — the formal documentation of why things are the way they are, not just what they are. The sovereignty doctrine formalised: a written statement of principles about data residency, vendor dependency, hyperscaler avoidance, and what ‘in control’ actually means operationally.
The runbooks and disaster recovery materials were drafted in September. By early 2026, after the database migration and a series of smaller incidents, they were refined. A document written before a failure and a document revised after one are different things.
As a data controller running a Mastodon instance — user accounts, personal data, the whole GDPR implication stack — ICO registration wasn't optional. It went in as part of the same governance chain: not as compliance theatre, but as the correct thing to do when you're responsible for other people's data.
In March 2026 the Cyber Essentials assessment came through. Passed. The certification wasn't just a badge — it triggered a chain of practical consequences. Cyber insurance became accessible and reasonably priced. Professional indemnity followed. Directors and officers cover after that. The governance-as-design-constraint philosophy, applied from the beginning, was now producing tangible commercial outcomes.
The consultancy needed a publishing platform and a voice. The Sovereign Auditor — the article series — became the answer to both. Long-form technical content aimed at the people who actually run infrastructure: the ones who want to know what's in their stack, who controls it, and what happens when it goes wrong.
Ghost was the obvious candidate for hosting it. Polished, purpose-built for newsletters and long-form content. We tried it. Ghost and the sovereignty posture had a complicated relationship — the managed route conflicted with the principles and the self-hosted route required more wrestling than the outcome justified. Ghost went. The articles infrastructure was built directly: static, controlled, served by Caddy, backed by the same pipeline as everything else. The Substack archive migrated across. The content was ours, the pipeline was ours, the subscriber data stayed where we could see it.
Then, in early May 2026, the terms were rewritten. The noai tags went in across the site — an explicit technical signal to crawlers that the content is not available for AI training; a signal rather than an enforcement mechanism, since only crawlers that choose to honour it will. The legal layer followed: terms updated to state that clearly and unambiguously. And this week, a batch of articles was filed with the United States Copyright Office at the Library of Congress. Registered. Timestamped. On the record.
Not because a legal fight is expected. Because the content is a commercial asset, it should be treated like one, and the same governance instinct that produced the runbooks, the disaster recovery materials and the DR mirror applies equally to the intellectual property sitting on top of the infrastructure.
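The two pieces of Caddy mentioned above, the reverse proxy that replaced nginx and the noai signal sent across the site, fit in one configuration file. What follows is an added example of the shape that file takes; it is not the site's actual Caddyfile. The hostnames, filesystem paths and ACME contact address are placeholders, and the Mastodon upstream ports (3000 for the web process, 4000 for streaming, Mastodon's defaults) are assumptions. The noai directive is sent as an `X-Robots-Tag` response header so it covers every response, not only the HTML pages that carry the equivalent `<meta name="robots" content="noai, noimageai">` tag.

```caddyfile
# Added example, not the site's configuration. Hostnames, paths, the contact
# address and the upstream ports are assumptions.
{
	email admin@example.com    # ACME account contact; Caddy issues and renews TLS itself
}

# Static articles site: files on disk, the no-AI-training signal on every response.
articles.example.com {
	root * /srv/articles
	encode zstd gzip
	header {
		X-Robots-Tag "noai, noimageai"
		Strict-Transport-Security "max-age=31536000; includeSubDomains"
		X-Content-Type-Options "nosniff"
		Referrer-Policy "strict-origin-when-cross-origin"
		-Server                           # don't advertise the server software
	}
	file_server
	log {
		output file /var/log/caddy/articles.log
	}
}

# Mastodon behind Caddy. Caddy adds X-Forwarded-For/Proto itself; Rails needs
# them to build correct URLs behind a proxy.
social.example.com {
	encode zstd gzip
	header X-Robots-Tag "noai, noimageai"

	@streaming path /api/v1/streaming*
	reverse_proxy @streaming localhost:4000   # streaming API (WebSockets)
	reverse_proxy localhost:3000              # everything else: the web process

	log {
		output file /var/log/caddy/social.log
	}
}
```

Check the file before reloading with `caddy validate --config /etc/caddy/Caddyfile --adapter caddyfile`, and confirm the signal is actually leaving the server with `curl -sI https://articles.example.com | grep -i x-robots-tag`. Media served from object storage does not pass through this configuration, so the header has to be set on the bucket side or the CDN in front of it if the same signal is wanted there.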
I'll say it plainly: without AI assistance I would probably still be hand-crafting shell scripts.
OpenAI was the starting point. It worked well through the summer and into the autumn — a capable pair of hands for the coding, the documentation, the architecture thinking. Then in October 2025 something shifted. The developers had been adjusting things, the guardrails moved, and it was the first warning sign. I noted it and carried on.
February 2026 and it felt like it had been lobotomised. That's the only word for it. A relationship — if you can call it that — where you just instinctively know something is seriously off before you can articulate why. Gemini was too chatty. So I tried Claude.
For coding, for blue team and red team planning, for documentation, for the architecture reasoning that a sovereign infrastructure consultancy actually needs: it worked. The CVP application — the Anthropic Cyber Verification Program — followed naturally. Not a vanity exercise. A capability unlock for the offensive security and vulnerability research work the consultancy was already doing. The application went in. In April 2026 it came back approved.
The approach to AI tooling follows the same principle as everything else: the AI is a capable assistant with clearly scoped access. Not root. Not autonomous. Not making production decisions without human review. Useful within a defined boundary, auditable, controllable. The same design constraint that runs through the whole stack.
The stack today: a Hetzner CPX42 in Helsinki running Mastodon, Forgejo, Nextcloud, and Caddy. S3 object storage with a DR mirror in Gravelines. OVH backup DNS. Tailscale access, CrowdSec on the perimeter, NIST-hardened, Cyber Essentials certified, ICO registered, CVP approved. A registered Companies Act 1931 company with cyber insurance, professional indemnity, directors and officers cover, documented controls, and an audit trail that goes back to the first command run on a freshly wiped HP Pavilion in Peel in the summer of 2025.
The articles are live, the terms are clear, the copyright is filed. The content is protected the same way the infrastructure is protected — deliberately, with paperwork, before anything goes wrong.
None of it was the plan. There wasn't a plan.
There was an Easter Monday, a cardiac event, a trip to Liverpool, and a decision to come home to Peel and do something useful with the time. There was a 66-year-old with a Windows machine that was getting on his nerves and a vague idea that learning something properly might be worth doing.
One year on, Caroline's heart is being kept honest by her ICD and the follow-up rounds continue. The Haunted Lighthouse is still lit. The company is real, the infrastructure is sovereign, and the documentation was written before anything broke.
Almost everything, anyway.
The Sovereign Auditor covers supply chain security, digital sovereignty, and infrastructure policy—with particular focus on Isle of Man jurisdiction and Crown Dependency issues.
Payments via PayPal. Credentials delivered by email. No Substack. No Stripe. No middlemen.