Files
hermes-skills/skills/devops/infrastructure-automation/references/docuseal-deployment.md
T

3.9 KiB

Document Signing — DocuSeal Deployment

Deploy

# docker-compose.yml — deployed at /root/docker/docuseal/
services:
  docuseal:
    image: docuseal/docuseal:latest
    container_name: docuseal
    restart: always
    ports:
      - "127.0.0.1:3000:3000"
    volumes:
      - ./data:/data
    environment:
      - HOST=http://localhost:3000
      - FORCE_SSL=false

Deploy:

docker compose -f /root/docker/docuseal/docker-compose.yml up -d

Live Status (Jul 7, 2026)

  • URL: https://sign.itpropartner.com — LIVE with HTTPS via Caddy
  • Caddy config: /etc/caddy/Caddyfile — reverse proxy to 127.0.0.1:3000
  • Admin: info@itpropartner.com (Germaine Brown)
  • API Token: yyQ39y1fPtvWzUzFPZXfGBJhGD9ko3o7ACZLc3388sz
  • Docker: docuseal/docuseal:latest on Core (netcup)
  • Data: /root/docker/docuseal/data/ (SQLite)
  • Port 443 freed by: Stopping Tailscale Serve (which was serving portal mockups)

API Usage

curl -s -H "X-Auth-Token: <token>" https://sign.itpropartner.com/api/user

Why DocuSeal over Documenso

Factor Documenso DocuSeal
Docker image 690 MB 227 MB
Database PostgreSQL required SQLite (no extra service)
Embed SDK Paid (~$300/yr) Free (React, Vue, Angular, JS)
Webhooks Basic Auto-retry
Features Core signing Bulk CSV send, conditional fields, SMS

Usage across entities

  • Debt Recovery Experts — LPOA notarization via Proof API + service agreements via DocuSeal
  • Forefront Wireless — customer service agreements, waivers
  • BoxPilot Logistics — intake forms, LPOA
  • Apex Track Experience — liability waivers (alternative to WPForms)

Planned Webhook (DRE)

When the DRE portal builds: https://debtrecoveryexperts.com/api/webhooks/docuseal — events: document signed, completed, signer link opened.

Note on Notarized Documents (LPOA)

DocuSeal handles digital signatures (ESIGN/UETA compliant). For Remote Online Notarization (RON) of Limited Power of Attorney forms, use Proof (formerly Notarize) API — ~$25-35 per notarization, with on-demand notaries 24/7. Texas RON compliant (HB 3496, SB 1624).

Digest timestamp server

In DocuSeal e-signature settings, set the RFC 3161 timestamp server to: http://timestamp.digicert.com (DigiCert, free, no auth, universally trusted). This embeds a cryptographic timestamp in every signed document for long-term verification validity. Backup option: http://timestamp.sectigo.com.

TLS setup (blocked port 443)

Tailscale Serve uses port 443 for tailnet HTTPS. To run a public-facing web service on port 443 alongside Tailscale, either:

  • Stop Tailscale Serve (tailscale serve --https=443 off) — frees port 443 for Caddy/nginx. The portal mockups will lose their tailscale URL until re-served on a different port or redirected.
  • Or use Cloudflare Tunnel (cloudflared) — creates an outbound-only tunnel to Cloudflare's edge, lives on an ephemeral port, never conflicts with other services. Requires cloudflared tunnel login (browser-based OAuth to Cloudflare account). The tunnel cert file is created in ~/.cloudflared/. After auth, create the tunnel, route the DNS, and configure ingress.

Pitfall: cloudflared tunnel login prints a URL that must be opened in a browser OUTSIDE the terminal — it's an OAuth flow. If there's no browser available (headless server), use a different approach.

DocuSeal auth setup

After first deployment at https://sign.itpropartner.com, the initial visit redirects to /setup — create the admin account (name, email, password, company). After setup, generate an API token from Settings → API tokens. Token format: yyQ39y... (JWT-like string). The token read-only endpoint: GET /api/user with X-Auth-Token header.

Backup Required

/root/docker/docuseal/data/ contains the SQLite DB (all users, templates, signed documents). NOT yet in the nightly S3 backup rotation — needs to be added.