Self-Hosting Guide
Run your own Trinity infrastructure on any Linux machine, container, or cloud platform.
Choosing a Deployment Option
Trinity offers two server components. Choose one (or both) depending on your environment:
| Option | Component | Best For | Stack |
|---|---|---|---|
| A | Connect (Go) | Self-hosted VPS, Raspberry Pi, Docker | Go + SQLite |
| B | Spirit (TS) | Cloudflare Workers, edge/serverless | TypeScript + D1 |
Which should I choose? If you want full control and a single binary, go with Connect. If you want zero-ops edge deployment, go with Spirit.
Option A: Trinity Connect (Self-Hosted)
Prerequisites
- Go 1.24+
- GCC (for SQLite CGO compilation)
- A Linux machine (VPS, Raspberry Pi, Docker container)
Build & Run
```shell
cd connect
# Set environment variables
export PORT=8080
export DB_PATH=./trinity.db
# Run the server
go run main.go
```
Configuration
| Env Variable | Default | Description |
|---|---|---|
| PORT | 8080 | HTTP port to listen on |
| DB_PATH | ./trinity.db | Path to SQLite database |
API Endpoints
| Method | Path | Description |
|---|---|---|
| POST | /api/v1/drop | Submit an encrypted CSR (Blind Drop) |
| GET | / | Admin Dashboard (HTMX) |
Docker Deployment
```dockerfile
# Example Dockerfile
FROM golang:1.24-alpine AS builder
# gcc and musl headers are needed because the SQLite driver is compiled via CGO
RUN apk add --no-cache gcc musl-dev
WORKDIR /app
COPY connect/ .
RUN go build -o trinity-connect .

# Minimal runtime image: only the static binary is copied over
FROM alpine:latest
COPY --from=builder /app/trinity-connect /usr/local/bin/
EXPOSE 8080
CMD ["trinity-connect"]
```
Reverse Proxy (Caddy)
```caddyfile
# Caddyfile
pki.example.com {
    reverse_proxy localhost:8080
}
```
Caddy will automatically provision a TLS certificate from Let's Encrypt.
Litestream (Optional)
For production, use Litestream to continuously replicate your SQLite database to S3-compatible storage:
```yaml
# litestream.yml
dbs:
  - path: /data/trinity.db
    replicas:
      - url: s3://my-bucket/trinity.db
```
Option B: Trinity Spirit (Cloudflare Workers)
Prerequisites
- Node.js 18+
- A Cloudflare account (free tier works)
- Wrangler CLI:

```shell
npm install -g wrangler
```
Setup
```shell
cd spirit
# Install dependencies
npm install
# Configure wrangler.toml with your account details
# (Update account_id and database_binding)
# Create the D1 database
wrangler d1 create trinity-spirit
# Apply the schema
wrangler d1 execute trinity-spirit --file=schema.sql
```
Deploy
```shell
# Deploy to Cloudflare Workers
wrangler deploy
```
Environment Variables
Set these via the Cloudflare dashboard or `wrangler secret put`:
| Secret | Description |
|---|---|
| ENROLLMENT_TOKEN | Bearer token for API authentication |
API Endpoints
| Method | Path | Description |
|---|---|---|
| POST | /requests | Submit a CSR or Blind Drop |
| GET | /certificates/:id | Poll for signed certificate |
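The ENROLLMENT_TOKEN secret above is what gates `POST /requests`. The following is an added example of how such a bearer-token check can be written for a Worker, not Spirit's own code: it compares tokens in constant time and, as an assumption for illustration, also accepts a hypothetical `ENROLLMENT_TOKEN_PREVIOUS` secret so that the regular token rotation recommended in the Security Checklist does not break clients that have not picked up the new token yet.

```typescript
// Added example: bearer-token gate for a Spirit-style `/requests` handler.
// ENROLLMENT_TOKEN_PREVIOUS is a hypothetical extra secret used only during rotation.
interface SpiritEnv {
  ENROLLMENT_TOKEN: string;            // current token (set with `wrangler secret put`)
  ENROLLMENT_TOKEN_PREVIOUS?: string;  // hypothetical: previous token, kept briefly after rotation
}

// Compare two strings in constant time over their UTF-8 bytes, so response timing
// does not reveal how many leading bytes of a presented token were correct.
function constantTimeEqual(a: string, b: string): boolean {
  const enc = new TextEncoder();
  const x = enc.encode(a);
  const y = enc.encode(b);
  let diff = x.length ^ y.length;
  const n = Math.max(x.length, y.length);
  for (let i = 0; i < n; i++) {
    diff |= (x[i] ?? 0) ^ (y[i] ?? 0);
  }
  return diff === 0;
}

// Extract the token from an `Authorization: Bearer <token>` header; null if absent or malformed.
function bearerToken(header: string | null): string | null {
  if (!header) return null;
  const m = /^Bearer\s+(\S+)$/i.exec(header.trim());
  return m ? m[1] : null;
}

// Decide whether a request may reach the CSR / Blind Drop handler. Every configured
// token is compared (no early return) so a miss costs the same as a hit.
function isAuthorized(authHeader: string | null, env: SpiritEnv): boolean {
  const presented = bearerToken(authHeader);
  if (presented === null) return false;
  const candidates = [env.ENROLLMENT_TOKEN, env.ENROLLMENT_TOKEN_PREVIOUS].filter(
    (t): t is string => typeof t === "string" && t.length > 0,
  );
  let ok = false;
  for (const t of candidates) ok = constantTimeEqual(presented, t) || ok;
  return ok;
}

// Worker-style gate: returns the HTTP status to send, or 0 when processing may continue.
// A real Cloudflare `Request` satisfies the minimal headers shape used here.
function gateRequest(req: { headers: { get(name: string): string | null } }, env: SpiritEnv): number {
  return isAuthorized(req.headers.get("Authorization"), env) ? 0 : 401;
}
```

Once every client has moved to the new token, unset the previous one so the grace window actually closes.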
Connecting Passport to Your Server
Once your server is running, configure Trinity Passport to connect to it:
- Open Trinity Passport and go to Settings.
- Enter your Spirit URL (e.g., https://pki.example.com).
- Enter your Enrollment Token.
- Click Save.
The "Submit to Cloud" button will now appear on pending identities, allowing users to submit CSRs (or encrypted Blind Drops) directly to your server.
Security Checklist
- ✅ Use HTTPS (TLS) in production — never expose the API over plain HTTP.
- ✅ Rotate enrollment tokens regularly.
- ✅ Keep the Authority CLI offline — never install it on the same machine as the server.
- ✅ Back up your SQLite database (or use Litestream for continuous replication).
- ✅ Monitor audit logs for suspicious activity.
Next Steps
- Getting Started — Set up the Authority CLI first
- Architecture — Understand the full system design
- Blind Drops — How encrypted CSR transport works