Deployment Overview of Docuseal on a Server
Prerequisites and Basic Requirements
To deploy Docuseal, the server must meet the following requirements:

- Operating System: a Linux distribution on which Docker and the Docker Compose plugin run.
- Privileges: root access, or a user with sudo privileges, is required to manage the Docker services and the firewall rules.
- Domain: a valid domain name whose DNS record points to the server's public IP address. Caddy needs this both for the reverse proxy site definition and to obtain the TLS certificate for TLS (SSL) termination.
- Ports: the following TCP ports must be reachable from the Internet:
  - 80 for HTTP (also used for the ACME challenge and the redirect to HTTPS).
  - 443 for HTTPS.
File and Directory Structure
The application configuration lives under the /opt/docuseal directory; application and database data live in named Docker volumes rather than on the host filesystem. The structure is:

- /opt/docuseal: the base directory for the configuration files, owned by root with mode 0755.
- /opt/docuseal/Caddyfile: the reverse proxy configuration file for Caddy.
- /opt/docuseal/compose.yml: the Docker Compose definition file containing the service specifications.
Docker Containers and Their Deployment
Docuseal is deployed with Docker Compose, which orchestrates three containers:

- Application container (app)
  - Image: docuseal/docuseal:latest
  - Listens on port 3000 inside the Compose network only; no port is published to the host.
  - Mounts the docuseal_data volume at /data/docuseal.
  - Starts only after the postgres service's health check passes.
  - Environment variables include FORCE_SSL, set to the domain name, and DATABASE_URL, pointing at the PostgreSQL service.
- Database container (postgres)
  - Image: postgres:15
  - Mounts the postgres_data volume at /var/lib/postgresql/data.
  - Configured with the database name docuseal, the user postgres, and a password supplied through the environment.
  - Health check: pg_isready, run every 5 seconds with a 5-second timeout.
- Proxy container (caddy)
  - Image: caddy:latest
  - Publishes ports 80 and 443 to the host (TCP, plus UDP on 443 for HTTP/3).
  - Mounts caddy_data at /data and caddy_config at /config.
  - Mounts the host file /opt/docuseal/Caddyfile at /etc/caddy/Caddyfile read-only.
  - Runs caddy run --config /etc/caddy/Caddyfile.

The deployment uses the following named Docker volumes, which must be created before the services are started:

- docuseal_data
- postgres_data
- caddy_data
- caddy_config
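The following script is an added example, not the project's own installer: it writes a compose.yml that matches the service layout described above and creates the four external volumes. Everything not stated on the page is an assumption of the example: the target directory and domain are parameters, the PostgreSQL password is generated and stored in DIR/.env (mode 0600, read by Compose for ${POSTGRES_PASSWORD}) instead of being written into the world-readable compose.yml, DATABASE_URL uses the standard postgresql:// URL form, and the health check gets a retry count.

```shell
#!/bin/sh
# Added example (not the project's installer). Generates compose.yml for the
# layout described on this page. Assumptions: DIR and DOMAIN are parameters,
# the DB password lives in DIR/.env, DATABASE_URL is a postgresql:// URL.
set -eu

# write_env_file DIR: create DIR/.env with a random 256-bit hex password, mode 0600.
# An existing file is kept: the data in postgres_data was initialised with it.
write_env_file() {
    dir=$1
    if [ ! -f "$dir/.env" ]; then
        pw=$(head -c 32 /dev/urandom | od -An -tx1 | tr -d ' \n')
        ( umask 077; printf 'POSTGRES_PASSWORD=%s\n' "$pw" > "$dir/.env" )
    fi
}

# write_compose_file DIR DOMAIN: write DIR/compose.yml with mode 0644.
write_compose_file() {
    dir=$1
    domain=$2
    cat > "$dir/compose.yml" <<EOF
services:
  app:
    image: docuseal/docuseal:latest
    # No "ports:" here: port 3000 is reachable only from the caddy service.
    expose:
      - "3000"
    environment:
      FORCE_SSL: "$domain"
      DATABASE_URL: "postgresql://postgres:\${POSTGRES_PASSWORD}@postgres:5432/docuseal"
    volumes:
      - docuseal_data:/data/docuseal
    depends_on:
      postgres:
        condition: service_healthy

  postgres:
    image: postgres:15
    environment:
      POSTGRES_DB: docuseal
      POSTGRES_USER: postgres
      POSTGRES_PASSWORD: "\${POSTGRES_PASSWORD}"
    volumes:
      - postgres_data:/var/lib/postgresql/data
    healthcheck:
      test: ["CMD-SHELL", "pg_isready -U postgres -d docuseal"]
      interval: 5s
      timeout: 5s
      retries: 10   # assumption: not specified on the page

  caddy:
    image: caddy:latest
    ports:
      - "80:80"
      - "443:443"
      - "443:443/udp"
    volumes:
      - caddy_data:/data
      - caddy_config:/config
      - "$dir/Caddyfile:/etc/caddy/Caddyfile:ro"
    command: caddy run --config /etc/caddy/Caddyfile

# The volumes are external: create them before the first "compose up".
volumes:
  docuseal_data:
    external: true
  postgres_data:
    external: true
  caddy_data:
    external: true
  caddy_config:
    external: true
EOF
    chmod 0644 "$dir/compose.yml"
}

# create_volumes: idempotently create the four named volumes.
create_volumes() {
    for v in docuseal_data postgres_data caddy_data caddy_config; do
        docker volume inspect "$v" >/dev/null 2>&1 || docker volume create "$v"
    done
}

# Usage: sh gen-compose.sh /opt/docuseal sign.example.com
# With no arguments the script only defines the functions above.
if [ $# -eq 2 ]; then
    mkdir -p "$1" && chmod 0755 "$1"
    write_env_file "$1"
    write_compose_file "$1" "$2"
    create_volumes
fi
```

The password is hex so it needs no URL encoding inside DATABASE_URL, and keeping it in a 0600 .env file means the 0644 compose.yml can stay readable without leaking the database credential to every local user.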
Proxy Server
The Caddy container acts as the reverse proxy and terminates TLS for the application.

- The Caddyfile forwards traffic for the configured domain to the application container at app:3000; "app" is the Compose service name and resolves on the internal network.
- If a temporary domain is defined, both the primary and the temporary domain are forwarded to the application.
- Caddy obtains and renews the TLS certificates for the listed domains automatically; this requires the domains to resolve to this server and ports 80 and 443 to be reachable from the Internet.
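As an added example (not the project's Caddyfile), the script below renders the site definition just described, with the optional temporary domain, installs it at DIR/Caddyfile and hot-reloads the running proxy. The domain names and directory are parameters; the reload step via caddy validate and caddy reload inside the container is the example's choice, not something the page specifies.

```shell
#!/bin/sh
# Added example, not the project's own Caddyfile or tooling.
set -eu

# render_caddyfile PRIMARY [TEMPORARY]: print the Caddyfile to stdout. One site
# block serves both names, so one reverse_proxy line covers the temporary domain.
render_caddyfile() {
    primary=$1
    temporary=${2:-}
    sites=$primary
    if [ -n "$temporary" ]; then
        sites="$primary, $temporary"
    fi
    cat <<EOF
# Caddy terminates TLS for every address listed here and obtains certificates
# for them automatically.
$sites {
    # "app" is the Compose service name; it resolves on the internal network.
    reverse_proxy app:3000
}
EOF
}

# install_caddyfile DIR PRIMARY [TEMPORARY]: write DIR/Caddyfile (mode 0644)
# in place, validate it inside the container and reload without a restart.
install_caddyfile() {
    dir=$1; shift
    # Write in place rather than mv-ing a temp file over it: the container's
    # bind mount follows the original inode, and a rename would leave it
    # serving the old content.
    render_caddyfile "$@" > "$dir/Caddyfile"
    chmod 0644 "$dir/Caddyfile"
    docker compose --project-directory "$dir" exec caddy caddy validate --config /etc/caddy/Caddyfile \
        && docker compose --project-directory "$dir" exec caddy caddy reload --config /etc/caddy/Caddyfile
}

# Usage: sh caddyfile.sh /opt/docuseal sign.example.com [tmp.example.net]
# With fewer than two arguments the script only defines the functions above.
if [ $# -ge 2 ]; then
    install_caddyfile "$@"
fi
```

If the caddy container is not running, the validate step fails and the reload is skipped; the file on disk is still updated and is picked up on the next start.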
Access Rights and Security
Firewall rules allow external access to the application only through the standard web ports.

- FirewallD is configured to allow TCP traffic on ports 80 and 443 in the public zone.
- The rules are added to the permanent configuration and applied to the running configuration immediately.
- These rules cover TCP only; if HTTP/3 (QUIC) is wanted, 443/udp has to be allowed as well.
- The application container publishes no ports on the host; all traffic reaches it through the Caddy proxy. Keep it that way: Docker inserts its own forwarding rules for every published port, which are not governed by FirewallD's zone rules, so the set of ports in compose.yml, not the host firewall, is what actually limits exposure.
Starting, Stopping, and Updating
The services are managed using Docker Compose commands executed from the /opt/docuseal directory.
- Start services: docker compose up -d starts the stack in the background; the named volumes must already exist on first start.
- Stop services: docker compose down stops and removes the containers; the named volumes and the data in them are preserved.
- Update services: to update the application to the latest version, docker compose pull fetches the current images and docker compose up -d then recreates only the containers whose image changed.
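The operator script below is an added example (not the project's own tooling) that covers both the FirewallD rule from the Access Rights section and the start, stop and update steps above in one place. It assumes the layout from this page (compose.yml in /opt/docuseal, overridable through DOCUSEAL_DIR) and the optional WITH_HTTP3 switch for 443/udp; the rest is generic docker compose and firewall-cmd usage.

```shell
#!/bin/sh
# Added example, not the project's own tooling. Assumes compose.yml lives in
# DOCUSEAL_DIR (default /opt/docuseal as on this page).
set -eu
DOCUSEAL_DIR=${DOCUSEAL_DIR:-/opt/docuseal}
WITH_HTTP3=${WITH_HTTP3:-}

# compose ARGS...: run docker compose against the deployment directory so the
# script behaves the same from any working directory.
compose() {
    docker compose --project-directory "$DOCUSEAL_DIR" "$@"
}

# open_firewall: allow 80/tcp and 443/tcp in the public zone, written to the
# permanent config and then applied to the running config with --reload.
# 443/udp is added only when WITH_HTTP3 is set (assumption: not on the page).
open_firewall() {
    for p in 80/tcp 443/tcp ${WITH_HTTP3:+443/udp}; do
        firewall-cmd --permanent --zone=public --add-port="$p"
    done
    firewall-cmd --reload
}

# start_services: bring the stack up in the background.
start_services() { compose up -d; }

# stop_services: stop and remove the containers; named volumes are kept.
stop_services() { compose down; }

# update_services: pull current images, recreate only containers whose image
# changed, show their state, then drop superseded images.
update_services() {
    compose pull
    compose up -d
    compose ps
    docker image prune -f
}

# action_for NAME: map a command word to its function; fails for unknown
# words so a typo does not silently do nothing.
action_for() {
    case $1 in
        firewall) echo open_firewall ;;
        start)    echo start_services ;;
        stop)     echo stop_services ;;
        update)   echo update_services ;;
        *)        return 1 ;;
    esac
}

# Usage: sh docuseal-ctl.sh {firewall|start|stop|update}
# With no argument the script only defines the functions above.
if [ $# -eq 1 ]; then
    fn=$(action_for "$1") || { echo "usage: $0 {firewall|start|stop|update}" >&2; exit 2; }
    "$fn"
fi
```

Because the app image is docuseal/docuseal:latest, an update pulls whatever "latest" currently is, including major releases; pin a specific version tag if you want updates to be deliberate. postgres:15 only ever moves within the 15.x line, which is what you want: a PostgreSQL major upgrade needs a data migration and must not happen through a plain pull.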
Permission Settings
The configuration directory and files carry specific ownership and permissions so that only root can change the deployment definition:

- The directory /opt/docuseal is owned by root:root with mode 0755.
- The files Caddyfile and compose.yml are owned by root:root with mode 0644. Because 0644 is world-readable, no secret (such as the database password) should be written into compose.yml itself; keep secrets in a separate file with mode 0600.
- Docker volumes are managed by the Docker daemon and need no manual permission adjustments on the host filesystem.