# Document Signing — DocuSeal Deployment ## Deploy ```yaml # docker-compose.yml — deployed at /root/docker/docuseal/ services: docuseal: image: docuseal/docuseal:latest container_name: docuseal restart: always ports: - "127.0.0.1:3000:3000" volumes: - ./data:/data environment: - HOST=http://localhost:3000 - FORCE_SSL=false ``` Deploy: ```bash docker compose -f /root/docker/docuseal/docker-compose.yml up -d ``` ## Live Status (Jul 7, 2026) - **URL:** https://sign.itpropartner.com — LIVE with HTTPS via Caddy - **Caddy config:** `/etc/caddy/Caddyfile` — reverse proxy to 127.0.0.1:3000 - **Admin:** info@itpropartner.com (Germaine Brown) - **API Token:** yyQ39y1fPtvWzUzFPZXfGBJhGD9ko3o7ACZLc3388sz - **Docker:** docuseal/docuseal:latest on Core (netcup) - **Data:** `/root/docker/docuseal/data/` (SQLite) - **Port 443 freed by:** Stopping Tailscale Serve (which was serving portal mockups) ## API Usage ```bash curl -s -H "X-Auth-Token: " https://sign.itpropartner.com/api/user ``` ## Why DocuSeal over Documenso | Factor | Documenso | DocuSeal | |---|---|---| | Docker image | 690 MB | 227 MB | | Database | PostgreSQL required | SQLite (no extra service) | | Embed SDK | Paid (~$300/yr) | Free (React, Vue, Angular, JS) | | Webhooks | Basic | Auto-retry | | Features | Core signing | Bulk CSV send, conditional fields, SMS | ## Usage across entities - **Debt Recovery Experts** — LPOA notarization via Proof API + service agreements via DocuSeal - **Forefront Wireless** — customer service agreements, waivers - **BoxPilot Logistics** — intake forms, LPOA - **Apex Track Experience** — liability waivers (alternative to WPForms) ## Planned Webhook (DRE) When the DRE portal builds: `https://debtrecoveryexperts.com/api/webhooks/docuseal` — events: document signed, completed, signer link opened. ## Note on Notarized Documents (LPOA) DocuSeal handles digital signatures (ESIGN/UETA compliant). For **Remote Online Notarization** (RON) of Limited Power of Attorney forms, use **Proof** (formerly Notarize) API — ~$25-35 per notarization, with on-demand notaries 24/7. Texas RON compliant (HB 3496, SB 1624). ## Digest timestamp server In DocuSeal e-signature settings, set the RFC 3161 timestamp server to: `http://timestamp.digicert.com` (DigiCert, free, no auth, universally trusted). This embeds a cryptographic timestamp in every signed document for long-term verification validity. Backup option: `http://timestamp.sectigo.com`. ## TLS setup (blocked port 443) Tailscale Serve uses port 443 for tailnet HTTPS. To run a public-facing web service on port 443 alongside Tailscale, either: - Stop Tailscale Serve (`tailscale serve --https=443 off`) — frees port 443 for Caddy/nginx. The portal mockups will lose their tailscale URL until re-served on a different port or redirected. - Or use **Cloudflare Tunnel** (cloudflared) — creates an outbound-only tunnel to Cloudflare's edge, lives on an ephemeral port, never conflicts with other services. Requires `cloudflared tunnel login` (browser-based OAuth to Cloudflare account). The tunnel cert file is created in `~/.cloudflared/`. After auth, create the tunnel, route the DNS, and configure ingress. **Pitfall:** `cloudflared tunnel login` prints a URL that must be opened in a browser OUTSIDE the terminal — it's an OAuth flow. If there's no browser available (headless server), use a different approach. ## DocuSeal auth setup After first deployment at `https://sign.itpropartner.com`, the initial visit redirects to `/setup` — create the admin account (name, email, password, company). After setup, generate an API token from Settings → API tokens. Token format: `yyQ39y...` (JWT-like string). The token read-only endpoint: `GET /api/user` with `X-Auth-Token` header. ## Backup Required `/root/docker/docuseal/data/` contains the SQLite DB (all users, templates, signed documents). NOT yet in the nightly S3 backup rotation — needs to be added.