Deployment Overview of Docuseal on Server¶

Prerequisites and Basic Requirements¶

The deployment of Docuseal requires a Linux server environment with Docker and Docker Compose installed. The following specifications are mandatory for a successful installation:

Operating System: Linux distribution supporting Docker Engine.
Privileges: root or sudo access is required to manage Docker containers, create volumes, and modify firewall rules.
Network Access: The server must have an accessible domain name configured for SSL termination.
Ports: TCP ports 80 and 443 must be open on the server firewall to allow external traffic.

FQDN of the Final Panel¶

The application is accessible via the hostkey.in domain. The fully qualified domain name (FQDN) follows the format: docuseal<Server ID>.hostkey.in

The service listens on port 443 for secure HTTPS connections. The Server ID is a variable specific to the deployment instance and is appended to the docuseal prefix.

File and Directory Structure¶

All configuration files and data for the Docuseal deployment are organized within the /opt directory on the host system.

/opt/docuseal: The primary directory containing application configuration and orchestration files.
/opt/docuseal/Caddyfile: The reverse proxy configuration file for the Caddy server.
/opt/docuseal/compose.yml: The Docker Compose definition file specifying services, networks, and volumes.

Application Installation Process¶

The application is deployed using Docker Compose. The installation involves creating specific Docker volumes for data persistence and launching the services defined in the compose file.

The installation creates the following Docker volumes:
docuseal_data: Stores the primary application data for Docuseal.
postgres_data: Stores the PostgreSQL database files.
caddy_data: Stores Caddy's persistent data, including SSL certificates.
caddy_config: Stores Caddy's runtime configuration and temporary files.
The services are launched using the docker compose command from the /opt/docuseal directory. The deployment ensures the PostgreSQL database is healthy before starting the application.

Access Rights and Security¶

Security is managed through firewall rules and container isolation.

Firewall Configuration: The firewall allows traffic only on the following ports in the public zone:
Port 80 (TCP): Required for HTTP requests and SSL certificate issuance.
Port 443 (TCP): Required for HTTPS traffic.
Container Isolation: Services communicate via an internal Docker network. The application container (app) does not expose ports directly to the host; instead, it communicates internally with the caddy proxy.

Databases¶

Docuseal utilizes a PostgreSQL database for data storage.

Database Type: PostgreSQL version 15.
Connection Method: The application connects to the database via the internal Docker network using the service name postgres.
Storage Location: Data is persisted in the postgres_data Docker volume mounted to /var/lib/postgresql/data within the container.
Settings:
User: postgres
Database Name: docuseal
Host: postgres
Port: 5432

Docker Containers and Their Deployment¶

The deployment consists of three primary containers orchestrated by Docker Compose:

App Container
Image: docuseal/docuseal:latest
Internal Port: Exposes port 3000 internally.
Volumes: Mounts docuseal_data to /data/docuseal.
Dependencies: Starts only after the postgres service is healthy.
Environment: Configured with FORCE_SSL and DATABASE_URL.
Postgres Container
Image: postgres:15
Volumes: Mounts postgres_data to /var/lib/postgresql/data.
Health Check: Monitors readiness using pg_isready.
Caddy Container
Image: caddy:latest
Command: caddy run --config /etc/caddy/Caddyfile
Ports: Hosts ports 80 (TCP) and 443 (TCP/UDP) on the server.
Volumes: Mounts caddy_data to /data, caddy_config to /config, and the host Caddyfile to /etc/caddy/Caddyfile.

Proxy Servers¶

Caddy is used as the reverse proxy and SSL termination handler.

Configuration File: The proxy configuration is defined in /opt/docuseal/Caddyfile.
Functionality: The Caddyfile routes incoming traffic from the configured domain to the app service on port 3000.
SSL: Caddy automatically manages SSL certificates for the specified domain, ensuring secure HTTPS connections.
Domains: Supports the primary domain and optional temporary domains if defined in the configuration.

Permission Settings¶

The configuration files and directories on the host system have the following permissions:

Directory /opt/docuseal:
Owner: root
Group: root
Mode: 0755 (readable and executable by all, writable by root)
Configuration Files (Caddyfile, compose.yml):
Owner: root
Group: root
Mode: 0644 (readable by all, writable by root)

Location of Configuration Files and Data¶

The following locations contain the critical configuration and data for the deployed system:

Component	Path on Host	Purpose
Application Config	`/opt/docuseal/Caddyfile`	Reverse proxy and SSL configuration
Docker Compose	`/opt/docuseal/compose.yml`	Service orchestration definition
App Data	`docuseal_data` (Docker Volume)	Persistent storage for Docuseal
Database Data	`postgres_data` (Docker Volume)	PostgreSQL database files
Proxy Data	`caddy_data` (Docker Volume)	Caddy certificates and caches
Proxy Config	`caddy_config` (Docker Volume)	Caddy runtime configuration

Available Ports for Connection¶

The server exposes the following ports to external users:

Port	Protocol	Description
80	TCP	HTTP traffic (redirected to HTTPS)
443	TCP	HTTPS traffic (secured application access)
443	UDP	HTTP/2 and QUIC support

Starting, Stopping, and Updating¶

Service management is handled via Docker Compose commands executed from the /opt/docuseal directory.

Start the Application:

cd /opt/docuseal && docker compose up -d

Stop the Application:

cd /opt/docuseal && docker compose down

Update the Application: To update to the latest version, pull the new images and restart the containers:
```
cd /opt/docuseal && docker compose pull && docker compose up -d
```

View Logs:

cd /opt/docuseal && docker compose logs -f