Self-Host Guide

Deploy SatGate in Your Infrastructure

Run SatGate Gateway on your own servers with full control. Community OSS includes Default Protection + Charge (L402) — free forever.

OSS vs Enterprise

OSS (Apache-2.0): Default Protection, Capability Tokens, L402/Charge, Basic Governance
Enterprise: + Observe, Control, FleetOps, RBAC, Hybrid deployment
Contact sales@satgate.io for enterprise licensing

Docker

Quick start with containers

Kubernetes

Production-ready Helm chart

Binary

Direct installation

Prerequisites

PostgreSQL 14+ — For token storage, audit logs, and governance
Redis 7+ — For rate limiting and caching (optional for single-instance)
Lightning Node — LND, CLN, or Phoenixd for Charge mode (optional)

Docker Deployment

1. Pull the Image

bash

# OSS version (Default Protection + L402)
docker pull ghcr.io/satgate-io/satgate-gateway:latest-oss

# Or build from source
git clone https://github.com/SatGate-io/satgate.git
cd satgate
docker compose up -d

2. Create Configuration

Create a config.yaml file:

yaml

# config.yaml
server:
  port: 8080
  
admin:
  separateListener: "127.0.0.1:9090"  # Internal only
  
database:
  url: "${DATABASE_URL}"
  
redis:
  url: "${REDIS_URL}"
  
# Your protected API routes
routes:
  - path: /api/*
    upstream: https://your-api.example.com
    policy: charge   # OSS: Default Protection + L402 payment required
    
# Lightning (optional, for Charge mode)
# lightning:
#   provider: phoenixd
#   url: http://phoenixd:9740

3. Run with Docker Compose

yaml

# docker-compose.yml
version: '3.8'
services:
  gateway:
    image: ghcr.io/satgate-io/satgate-gateway:latest-oss
    ports:
      - "8080:8080"
    environment:
      - DATABASE_URL=postgres://user:pass@postgres:5432/satgate
      - REDIS_URL=redis://redis:6379
      - ADMIN_TOKEN=${ADMIN_TOKEN}  # Generate with: openssl rand -hex 32
      - L402_ROOT_KEY=${L402_ROOT_KEY}  # Generate with: openssl rand -base64 32
    volumes:
      - ./config.yaml:/app/config.yaml
    depends_on:
      - postgres
      - redis

  postgres:
    image: postgres:16-alpine
    environment:
      POSTGRES_DB: satgate
      POSTGRES_USER: user
      POSTGRES_PASSWORD: pass
    volumes:
      - postgres_data:/var/lib/postgresql/data

  redis:
    image: redis:7-alpine
    volumes:
      - redis_data:/data

volumes:
  postgres_data:
  redis_data:

4. Start Services

bash

# Generate secrets
export ADMIN_TOKEN=$(openssl rand -hex 32)
export L402_ROOT_KEY=$(openssl rand -base64 32)

# Start
docker compose up -d

# Verify
curl http://localhost:8080/healthz

Kubernetes Deployment

1. Add Helm Repository

bash

helm repo add satgate https://charts.satgate.io
helm repo update

2. Create Values File

yaml

# values.yaml
replicaCount: 2

config:
  routes:
    - path: /api/*
      upstream: https://your-api.example.com
      policy: charge   # OSS: Default Protection + L402

secrets:
  adminToken: ""      # Set via --set or external secret
  l402RootKey: ""     # Set via --set or external secret

postgresql:
  enabled: true       # Use subchart, or set to false and provide existing
  
redis:
  enabled: true       # Use subchart, or set to false and provide existing

ingress:
  enabled: true
  className: nginx
  hosts:
    - host: gateway.example.com
      paths:
        - path: /
          pathType: Prefix
  tls:
    - secretName: gateway-tls
      hosts:
        - gateway.example.com

3. Install

bash

# Generate secrets
ADMIN_TOKEN=$(openssl rand -hex 32)
L402_ROOT_KEY=$(openssl rand -base64 32)

# Install OSS version
helm install satgate satgate/gateway-oss \
  --namespace satgate --create-namespace \
  --set secrets.adminToken=$ADMIN_TOKEN \
  --set secrets.l402RootKey=$L402_ROOT_KEY \
  -f values.yaml

4. Verify Deployment

bash

kubectl get pods -n satgate
kubectl logs -n satgate -l app.kubernetes.io/name=satgate-gateway

Binary Installation

1. Download Binary

bash

# Linux AMD64 (OSS)
curl -L https://github.com/SatGate-io/satgate/releases/latest/download/satgate-linux-amd64 -o satgate
chmod +x satgate

# macOS ARM64 (Apple Silicon, OSS)
curl -L https://github.com/SatGate-io/satgate/releases/latest/download/satgate-darwin-arm64 -o satgate
chmod +x satgate

# Or build from source
git clone https://github.com/SatGate-io/satgate.git
cd satgate
go build -o satgate ./cmd/satgate

# Verify signature (recommended)
cosign verify-blob --signature satgate-gateway.sig satgate-gateway

2. Create Configuration

yaml

# /etc/satgate/config.yaml
server:
  port: 8080

admin:
  separateListener: "127.0.0.1:9090"

database:
  url: "postgres://user:pass@localhost:5432/satgate"

routes:
  - path: /api/*
    upstream: https://your-api.example.com
    policy: charge   # OSS: Default Protection + L402

3. Create Systemd Service

ini

# /etc/systemd/system/satgate.service
[Unit]
Description=SatGate Gateway
After=network.target postgresql.service

[Service]
Type=simple
User=satgate
ExecStart=/usr/local/bin/satgate-gateway --config /etc/satgate/config.yaml
Restart=always
RestartSec=5
Environment=ADMIN_TOKEN=<your-token>
Environment=L402_ROOT_KEY=<your-key>

[Install]
WantedBy=multi-user.target

4. Start Service

bash

sudo systemctl daemon-reload
sudo systemctl enable satgate
sudo systemctl start satgate
sudo systemctl status satgate

Security Checklist

Required for Production

Generate unique secrets
Never use defaults. Use openssl rand -hex 32
Isolate admin API
Bind to 127.0.0.1 or internal network only
Enable TLS
Use a reverse proxy (nginx, Traefik) or load balancer for TLS termination
Disable dev features
Set enableDevLogin: false and enableSwaggerUI: false

Next Steps

Documentation

Full API reference and guides

Try the Demo

Test policy modes interactively

GitHub

Source code and issues

Try SatGate Cloud

Managed service with free tier

Need Help?

Enterprise support available for production deployments

support@satgate.io GitHub Discussions