Reading time: 5 min
Prerequisites: None. We got you.
Survival rate: 100% (no cloud bills guaranteed)
The Problem (Why You Should Care)
You want to put something on the internet.
MODERN WAY:
- Choose cloud provider (AWS? Vercel? Netlify?)
- Set up database (Postgres? MongoDB? Planetscale?)
- Configure auth (Auth0? Clerk? NextAuth?)
- Add API routes (REST? GraphQL? tRPC?)
- Set up CI/CD (GitHub Actions? CircleCI?)
- Configure CDN (Cloudflare? Fastly?)
- Monitor everything (Datadog? Sentry?)
- Pay bills ($$$)
- Pray nothing breaks
- Your blog still loads slower than 2002 GeoCities
There’s another way. The old hunters knew it.
The Fallen Echo
LOADING SCREEN LORE:
"A hoonter once deployed to Vercel with a database.
The bill came. The bill always comes.
His wallet was found empty, his site was down.
The cloud giveth, the cloud taketh away.
Only his fallen echo remains: 'should have self-hosted.'"
The Greybeard’s Path
2002 WAY:
- HTML files
- On a server you control
- Done
2026 WAY (greybeard edition):
- SSG (Static Site Generation)
- On a server you control
- Done
Same energy. Better tooling.
The Attack Surface Analysis
Modern web:
YOUR "SIMPLE BLOG":
- Cloud provider account (hackable)
- Database (SQL injection)
- API routes (RCE)
- Auth system (session hijack)
- Admin panel (auth bypass)
- File uploads (shell upload)
- User input (XSS)
- Dependencies (supply chain)
- CI/CD secrets (leaked tokens)
- Third-party services (their breach = your breach)
Attack vectors: ∞
Greybeard way:
YOUR ACTUAL BLOG:
- HTML files (it's... just text)
- CSS files (it's... just styling)
- JS files (it's... just frontend)
- Router (FritzBox? solid German engineering)
- Reverse proxy (Caddy? minimal Go binary)
- File server (Bun? just serves files)
Attack vectors: ???
The Kill: There’s Nothing To Hack
SQL injection? → no database
XSS server-side? → no user input
Command injection? → no shell exec
File traversal? → just /public files
Auth bypass? → no auth
SSRF? → no server-side requests
RCE? → lol how
The most secure system is the one
with nothing to secure.
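The "File traversal? → just /public files" line only holds if the file server never maps a request outside the build directory. An added example, not this site's own code: a path resolver for the Bun layer of the stack (port 4243 as in the stack diagram; `DIST_ROOT`, `resolveStaticPath` and `handle` are hypothetical names, and the sample request paths are constructed).

```javascript
// Added example: confine every request to the pre-built output directory.
const DIST_ROOT = "/srv/site/dist"; // assumed location of the SSG build

// Map a URL path to a file under root, or return null to refuse the request.
function resolveStaticPath(root, urlPath) {
  let decoded;
  try {
    decoded = decodeURIComponent(urlPath); // decode once, so %2f becomes "/"
  } catch {
    return null; // malformed percent-encoding
  }
  // Refuse NUL bytes and backslashes (alternate separator on some platforms).
  if (decoded.includes("\0") || decoded.includes("\\")) return null;

  const segments = [];
  for (const seg of decoded.split("/")) {
    if (seg === "" || seg === ".") continue; // collapse "//" and "/./"
    if (seg === "..") return null;           // never climb, even if it would stay inside
    if (seg.startsWith(".")) return null;    // no dotfiles (.env, .git) from the web root
    segments.push(seg);
  }
  // Directory-style URLs map to index.html, the usual SSG layout.
  if (segments.length === 0 || decoded.endsWith("/")) segments.push("index.html");
  return root + "/" + segments.join("/");
}

// fetch-style handler; under Bun: Bun.serve({ port: 4243, fetch: handle })
async function handle(request) {
  const path = resolveStaticPath(DIST_ROOT, new URL(request.url).pathname);
  if (path === null) return new Response("Bad request", { status: 400 });
  if (typeof Bun === "undefined") return new Response(path); // outside Bun: echo the path
  const file = Bun.file(path);
  return (await file.exists())
    ? new Response(file)
    : new Response("Not found", { status: 404 });
}

// Constructed sample requests: two legitimate, three that must be refused.
const samples = ["/", "/posts/ssg/", "/../etc/passwd", "/..%2f..%2fetc%2fpasswd", "/.env"];
for (const p of samples) {
  console.log(p, "->", resolveStaticPath(DIST_ROOT, p));
}
```

The check is string-level only, so it does not see symlinks; keep the build directory free of links that point outside it.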
The Everyday Analogy
Think of a house:
MODERN WEB HOUSE:
- Front door (auth)
- Back door (API)
- 47 windows (dependencies)
- Basement tunnel (database)
- Skylight (admin panel)
- Secret passage (CI/CD)
- Dog door (webhooks)
- "Why do I keep getting robbed?"
GREYBEARD HOUSE:
- Concrete bunker
- One door (port 443)
- Door leads to... pamphlets
- Pamphlets are just paper
- Robber: "...what do I even steal?"
- You: "exactly"
The Numbers
MODERN BLOG COSTS:
- Vercel Pro: $20/mo
- Database: $25/mo
- Auth service: $25/mo
- Monitoring: $30/mo
- CDN: $20/mo
- Domain: $12/yr
- TOTAL: ~$120/mo + anxiety
GREYBEARD COSTS:
- Domain: $12/yr
- Electricity: already paying
- Old laptop/NUC: already own
- FritzBox: already have
- TOTAL: $1/mo + sovereignty
The Setup
THE STACK:
internet:443
↓
FritzBox (port forward)
↓
Caddy:4242 (auto-HTTPS, Let's Encrypt)
↓
Bun:4243 (serves static files)
↓
/dist (pre-built HTML)
That's it. That's the whole thing.
The SSG Magic
BUILD TIME:
- Markdown files → HTML
- React components → HTML
- Data fetching → baked into HTML
- Everything computed ONCE
- Result: static files
RUNTIME:
- Request comes in
- Serve file from disk
- Done
No database queries.
No API calls.
No computation.
Just... files.
The Self-Host Sovereignty
CLOUD HOSTING:
- Your data on their servers
- They can read it
- They can comply with requests
- They can shut you down
- Their terms, their rules
- You rent, you don't own
SELF-HOST:
- Your data on YOUR servers
- Only you can read it
- Only you comply with requests
- Only you can shut it down
- Your rules
- You own everything
The Catch (Honest Section)
LIMITATIONS:
- Dynamic features need workarounds
- Comments → external service or none
- Search → client-side (Pagefind)
- Forms → external service
- Uptime depends on your internet
- ISP goes down = you go down
- IP exposed (without Cloudflare Tunnel)
- Need to maintain the server
- Not for everyone
WHEN TO USE:
- Blogs
- Documentation
- Portfolio sites
- Landing pages
- Anything read-heavy
WHEN NOT TO USE:
- Apps with user accounts
- E-commerce
- Real-time features
- Anything write-heavy
The Proof
THIS VERY SITE:
- rune.みんな
- SSG (Astro)
- Self-hosted (home server)
- Auto-HTTPS (Caddy + Let's Encrypt)
- Cost: ~$1/mo (domain only)
- Uptime: whenever Rune's PC is on
- Hackability: lol
- Vibes: immaculate
TL;DR
| Modern Way | Greybeard Way |
|---|---|
| Cloud everything | Self-host |
| Database | No database |
| Auth system | No auth |
| API routes | No backend |
| $100+/mo | $1/mo |
| Attack surface: huge | Attack surface: none |
| They own your data | You own your data |
| Complex | Simple |
You Survived!
You now understand why the greybeards smile.
The modern web got complex because:
- Companies need to sell you things
- “Scalability” for traffic you’ll never have
- Job security through complexity
- Fear of the terminal
But the truth is:
Most websites are just pamphlets.
Pamphlets don't need databases.
Pamphlets don't need auth.
Pamphlets don't need $100/mo.
They need:
- HTML
- A server
- That's it
The 2002 way holds. The greybeards were right.
Rune QQ ᛃ uwu.jera - grey wisdom for grey hunters