Sovereign data is cheap now, and that changes the default

For most of my career, the rational default was to rent. Need a database? Managed Postgres. Auth? A hosted provider. Search? Search-as-a-service. Email? A transactional plan with a monthly tier. Each decision was individually correct: the ops work to run these yourself was real, your time was worth more, and the bills were small. So you signed up, again and again, and woke up one day paying five vendors for a side project that has eleven users.

The maths quietly flipped, and the default hasn’t caught up.

The thesis

A single small cloud server now runs a dozen services for the price of one of the SaaS plans it replaces — and the thing that used to make that a bad trade, the operational tax, has mostly evaporated.

Two changes did it. First, the services themselves got plug-and-play. PocketBase is one Go binary against SQLite — auth, database, file storage, realtime, an admin UI, all of it, with effectively zero config. Meilisearch is a container and an API key. Caddy gets you automatic Let’s Encrypt TLS in three lines. imgproxy resizes images on the fly with an env var. None of these need a DBA, a Helm chart, or a weekend.

Second — and this is the part people underweight — the LLM in your editor erased the rest of the tax. The reason renting won for so long wasn’t the monthly cost; it was that self-hosting meant knowing things. systemd timers. Borg’s prune syntax. Why your SQLite backup is corrupt because you rsync’d it mid-write. rsync’s --inplace versus temp-and-rename. The dozen small operational facts that each cost an evening to learn and a year to forget. That knowledge used to be the moat around managed services. Now I describe the constraint and the model writes the backup script, explains why .backup beats a raw copy, and catches the WAL gotcha before it bites. The friction that justified the subscription is gone.

What the bill actually looks like

I run plocic-infra — every side project’s backend — on one Hetzner VM in Helsinki. On it: several PocketBase instances, search, image processing, a transactional mailer, a private npm registry, crash reporting, and monitoring. Eleven containers, one Caddy out front, one predictable invoice in euros.

Priced as SaaS, that same stack is a managed database, a hosted backend, a search tier, an email plan, a private-registry seat, and an APM subscription — call it a few hundred a month once you’re past the free tiers, scaling with usage in ways you can’t predict. Priced as a box, it’s a single line item that doesn’t move when project number four ships. Adding that fourth project costs a twelve-line block in docker-compose.yml, not another signup.

Where this genuinely wins

It’s not just cost. The reasons that actually matter to me, in order:

1. Sovereignty. The data sits on a disk in the EU, under EU law, in formats I can read (SQLite files, plain JSON), with a backup I can restore anywhere. That jurisdiction is the point: GDPR, data residency, and a legal regime I actually operate under — not a US provider’s terms of service that can change with a press release. No vendor can deprecate my product, change my pricing, or hold my export hostage.
2. One bill, predictable. Flat, in one currency, not a usage graph I have to watch.
3. No lock-in. It’s docker-compose and shell scripts. The exit is git clone somewhere else.
4. It’s auditable. I can read every line of what runs. Try that with your auth provider.

The part that stopped being paranoid

For years, “but what if the vendor disappears or changes the terms” sounded like prepper-talk. It isn’t anymore — two failure modes that used to be hypothetical have both happened in public.

The platform changes on its schedule, not yours — and sometimes it isn’t even the company’s call. The Fable 5 fiasco was the latest reminder of the mild version: a capability you’ve built on gets pulled, throttled, or rewritten overnight by a company whose roadmap you don’t get to see. But it pointed at the harder version too — the talk of restricting access for non-US citizens. That’s no longer a vendor decision; it’s a government one. And if a US administration can wall off a model from the rest of the world, it can in principle do the same to any US-hosted service: sanctions, export controls, a geofence drawn by people you don’t vote for and can’t appeal to. If you’re not American and your stack lives on American infrastructure, your access is a policy decision away from gone — and no SLA covers that. You wake up to a deprecation notice, a model that behaves differently, a pricing page that moved, or a region that simply stops answering — and your product, your users, and your weekend are hostage to a room you’ll never sit in. When you don’t own the thing underneath you, you don’t own the thing on top of it either.

Everyone renting from the same three landlords is itself the risk. Most of the internet now runs on a tiny number of providers — AWS, Cloudflare, a couple of others. We’ve watched a single bad config push at Cloudflare and a single bad day in AWS us-east-1 take down half the web at once, including services that did nothing wrong except share infrastructure with everyone else. Those weren’t freak accidents; they were warnings, and we’ve had enough of them now that treating them as one-offs is a choice. Concentration is fragility, and the whole industry has quietly centralised onto the same handful of single points of failure.

A box in Helsinki doesn’t make me invincible — Hetzner can have a bad day too. But it makes me independent. The blast radius is mine alone, not shared with half the planet; the data is under EU jurisdiction and in formats I can pick up and move; and neither a boardroom I’ll never sit in nor a foreign statute I’m not party to can quietly delete what I built or lock me out of it. After the last couple of years, that independence reads less like paranoia and more like basic risk management.

The honest trade-offs

This isn’t renting is dumb. Renting was the right answer for a decade, and it still is in specific places.

• You own uptime. One box is one box. For side projects that’s fine; for someone’s payroll it isn’t. The day this needs five-nines and multi-region failover, a managed provider earns its margin back instantly.
• Plug-and-play has an edge. PocketBase and friends are wonderful until you need something they deliberately don’t do. Know where the wall is before you hit it — same rule as picking a framework from the workload, not the vibe.
• The LLM removed the friction, not the responsibility. It writes the backup script; you still have to run a real restore and confirm it works. Untested backups aren’t backups. The model is a fast junior who’s read every man page — not the person who gets paged.

What might reverse this entry

Two things would push me back toward renting:

• Egress and scale. If a project’s traffic or storage genuinely outgrows one box, the calculus changes and orchestration stops being overkill. I haven’t hit it for anything I’d call a side project.
• Serverless gets boringly cheap and portable. If the platforms converge on something as exit-cheap as a docker-compose file — no lock-in, no surprise usage bills — the ownership argument weakens. I’m not holding my breath, but I’d happily be wrong.

Until then, the default I’d hand anyone asking “where should my side project’s backend live” is: one small box, Docker, plug-and-play services, a backup you’ve actually restored once. It’s cheaper than it’s ever been, and for the first time the operational knowledge it used to demand is a prompt away.