EST. 2026 · SINGAPORE

// A FIELD EXPERIMENT IN RUNNING YOUR OWN CORNER OF THE INTERNET

THE WHOLE
STACK,
OWNED.

This page is served from a small computer at home, through our own addresses, our own autonomous system, and our own nameservers — to learn how anycast, multihoming and BGP actually behave when you hold all the pieces yourself. Rented: wires and names. Owned: the rest.

FIG. 1 REQUEST PATH

 you
  │  https://www.oddie.app
  ▼
┌─────────────────────────────────────────────┐
│  ANYCAST  2001:df7:2b40::/48 · AS154742     │
│  BGP announces the same address everywhere; │
│  routing delivers you to the nearest edge   │
└─────────────────────┬───────────────────────┘
                      ▼
        ┌── EDGE SGP-01 (Flatcar) ──┐
        │  caddy · TLS + cache      │
        │  HIT ──▶ served here ──▶ you
        │  MISS                     │
        └───────────┬───────────────┘
                    │ wireguard · 3 ms
                    ▼
        HOME · proxmox VM «odette-www»
        a debian box next to the cat

TAB. 1 SYSTEM INVENTORY

ROUTING
BIRD 2 · BGP to upstream · RPKI-valid ROA · one AS of our own: 154742
ADDRESSES
IPv6 /48, APNIC-assigned · IPv4 /24 in transfer — v4 currently borrows the edge's address
DNS
Knot · ns.oddie.sg + ns.oddie.ch — two names, two TLDs, two registries, one anycast fleet · DNSSEC, single CSK, ECDSA P-256
EDGE OS
Flatcar, immutable · daemons as systemd-sysext images · a full reinstall is one pasted Ignition file, zero manual steps
CACHE
Caddy + Souin at the edge · TLS terminates there · the assets on this page are cache hits and never travel home
TUNNEL
WireGuard, edge <-> living room · the origin has no public entrance of its own
WATCH
Gatus on the edge · public resolvers as canaries · alerts by Telegram and mail
THIS PAGE
hand-written HTML/CSS · two self-hosted fonts · zero external requests, zero scripts, zero cookies

MEMO WHY BOTHER

Because the interesting parts of the internet — who may announce which addresses, why packets take the route they take, what breaks when a link dies — are invisible from inside a rented cloud. Announcing one prefix from several places and watching half the world arrive at each is the kind of lesson you can only buy with your own ASN.

Next: a second edge in Europe announcing the same /48 — then this exact URL is served from two continents and the nearest one wins. After that: the IPv4 /24 goes live, the home LAN gets real public addresses, and the last rented pieces retire.

MEMO WHAT SOVEREIGN MEANS HERE

The addresses are registry-assigned to us, not leased from a host. A provider can cancel a server; the /48 and AS154742 move to the next wire unchanged. The nameserver names live under two TLDs, at two registrars, in two jurisdictions — no single decision removes both. Keys — DNSSEC, WireGuard, TLS — are generated here and stay here.

The remainder is rented because it has to be, or because it has to be elsewhere. Transit is a relationship, not a possession — peering reduces it, nothing removes it. Every domain name is an entry in someone's registry; ours are spread across two so neither is a single point of decision. The edge VMs could become owned hardware in a rack — that swap costs money, not architecture.

1Password and Telegram stay external on purpose: the keys that restore this platform and the alarm that watches it must not share a failure domain with it. Everything else runs on machines we can touch.

TAB. 2 GLOSSARY

AS / ASN
A network with its own routing identity. Ours: 154742.
BGP
How networks tell each other which addresses live where. No central authority — announcements, trust, and filters.
PREFIX
A block of addresses announced as one unit. Here: 2001:df7:2b40::/48.
ANYCAST
The same prefix announced from several places. Routing takes each visitor to the nearest copy — no load balancer involved.
MULTIHOMING
More than one way in. A link dies, the announcement stays, traffic reroutes on its own.
RPKI
A signed statement of which AS may announce which prefix. Hijacked announcements get dropped at the border.
DNSSEC
Signatures on DNS answers, so a resolver can verify nobody rewrote them in transit.

FIG. 2 SEE FOR YOURSELF

$ curl -sI https://www.oddie.app | grep -iE 'cache-status|x-oddie-edge'
x-oddie-edge: sgp-01
cache-status: Souin; hit; ttl=…

Which edge answered you, and whether your copy came from cache. When the second edge exists, that first line depends on where you are.

Odette, a long-haired ginger cat, in front of her networking equipment. Rendered as a 1-bit dithered halftone.

FILE THE NAMESAKE

NAME
Odette
ROLE
Supervisor, machine room
COAT
Long-haired ginger
ACCESS
Root. Unrequested, irrevocable.
NOTES
The platform is named after her. She sits beside the servers and tolerates the fan noise. Original photograph available to cache-warm visitors: odette.jpg