From 69b8abde634a38741f592156d27d54cf52de5a23 Mon Sep 17 00:00:00 2001 From: ajay Date: Fri, 7 Nov 2025 15:01:48 +0530 Subject: [PATCH 1/8] Fix(Documenso): Resolve pending status issue for Documenso deployments (fixes #1767) --- templates/compose/documenso.yaml | 42 ++++++++++++++++++-------------- 1 file changed, 24 insertions(+), 18 deletions(-) diff --git a/templates/compose/documenso.yaml b/templates/compose/documenso.yaml index 8536945ab..4fc5dd0a9 100644 --- a/templates/compose/documenso.yaml +++ b/templates/compose/documenso.yaml @@ -28,8 +28,9 @@ services: - NEXT_PRIVATE_SMTP_FROM_ADDRESS=${NEXT_PRIVATE_SMTP_FROM_ADDRESS} - NEXT_PRIVATE_DATABASE_URL=postgresql://${SERVICE_USER_POSTGRES}:${SERVICE_PASSWORD_POSTGRES}@database/${POSTGRES_DB:-documenso-db}?schema=public - NEXT_PRIVATE_DIRECT_DATABASE_URL=postgresql://${SERVICE_USER_POSTGRES}:${SERVICE_PASSWORD_POSTGRES}@database/${POSTGRES_DB:-documenso-db}?schema=public - - NEXT_PRIVATE_SIGNING_LOCAL_FILE_PATH=/app/apps/remix/certs/certificate.p12 - - NEXT_PRIVATE_SIGNING_PASSPHRASE=${SERVICE_PASSWORD_DOCUMENSO} + - NEXT_PRIVATE_SIGNING_TRANSPORT=local-file + - NEXT_PRIVATE_SIGNING_LOCAL_FILE_PATH=/app/certs/cert.p12 + - NEXT_PRIVATE_SIGNING_LOCAL_FILE_PASSPHRASE=${SERVICE_PASSWORD_DOCUMENSO} - CERT_VALID_DAYS=${CERT_VALID_DAYS:-365} - CERT_INFO_COUNTRY_NAME=${CERT_INFO_COUNTRY_NAME:-DO} - CERT_INFO_STATE_OR_PROVIDENCE=${CERT_INFO_STATE_OR_PROVIDENCE:-Santiago} @@ -49,10 +50,14 @@ services: - /bin/sh - -c - | - echo "./certs" > /tmp/certs_dir_path - echo "./make-certs.sh" > /tmp/cert_script_path - echo "${SERVICE_PASSWORD_DOCUMENSO}" > /tmp/cert_pass - + CERT_DIR="/app/certs" + CERT_PASSPHRASE="${SERVICE_PASSWORD_DOCUMENSO}" + + # Save original working directory + ORIGINAL_DIR="$(pwd)" + + mkdir -p "$CERT_DIR" + touch /tmp/cert_info_path cat < /tmp/cert_info_path [ req ] 
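Review bot: The shell variables added to the entrypoint script are referenced with a single `$` (`"$CERT_DIR"`, `"$(pwd)"`), and in a Compose file a bare `$NAME` is subject to Compose's own interpolation before the shell runs. If that applies to this template, `mkdir -p "$CERT_DIR"` here and the `cd "$CERT_DIR"` / `cd "$ORIGINAL_DIR"` lines in the following hunks receive an empty string (and `$(pwd)` may be rejected as an invalid interpolation), so the certificate is not written where `NEXT_PRIVATE_SIGNING_LOCAL_FILE_PATH` points. Escape runtime references as `$$CERT_DIR`, `$$(pwd)` and `$$CERT_PASSPHRASE`, and keep a single `$` only for values that are meant to be filled in at deploy time, such as `${SERVICE_PASSWORD_DOCUMENSO}`. The script body continues outside this hunk.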
@@ -68,11 +73,10 @@ services: emailAddress = ${CERT_INFO_EMAIL} EOF - cat < "$(cat /tmp/cert_script_path)" - mkdir -p "$(cat /tmp/certs_dir_path)" && cd "$(cat /tmp/certs_dir_path)" - + cd "$CERT_DIR" + openssl genrsa -out private.key 2048 - + openssl req \ -new \ -x509 \ @@ -80,19 +84,21 @@ services: -out certificate.crt \ -days ${CERT_VALID_DAYS} \ -config /tmp/cert_info_path - + openssl pkcs12 \ -export \ - -out certificate.p12 \ + -out cert.p12 \ -inkey private.key \ -in certificate.crt \ -legacy \ - -password file:/tmp/cert_pass - EOF - chmod +x "$(cat /tmp/cert_script_path)" - - sh "$(cat /tmp/cert_script_path)" - + -passout pass:"$CERT_PASSPHRASE" + + chown 1001:1001 cert.p12 private.key certificate.crt + chmod 400 cert.p12 private.key certificate.crt + + # Return to original directory before starting application + cd "$ORIGINAL_DIR" + ./start.sh database: From 08eb6ff98144bb6ef89f45789da2203798b3bea9 Mon Sep 17 00:00:00 2001 From: ajay Date: Fri, 7 Nov 2025 15:10:04 +0530 Subject: [PATCH 2/8] Fix(Documenso): Resolve pending status issue for Documenso deployments (fixes #1767) --- templates/compose/documenso.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/templates/compose/documenso.yaml b/templates/compose/documenso.yaml index 4fc5dd0a9..e51c0e8be 100644 --- a/templates/compose/documenso.yaml +++ b/templates/compose/documenso.yaml 
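Review bot: `-passout pass:"$CERT_PASSPHRASE"` puts the PKCS#12 passphrase on the openssl command line, where it can be read from the process list while the command runs; the removed `-password file:/tmp/cert_pass` form did not have that exposure. The container already receives the value as `NEXT_PRIVATE_SIGNING_LOCAL_FILE_PASSPHRASE`, so `-passout env:NEXT_PRIVATE_SIGNING_LOCAL_FILE_PASSPHRASE` would keep it out of argv without needing a temporary file. The surrounding script starts and ends outside this hunk.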
@@ -28,7 +28,7 @@ services: - NEXT_PRIVATE_SMTP_FROM_ADDRESS=${NEXT_PRIVATE_SMTP_FROM_ADDRESS} - NEXT_PRIVATE_DATABASE_URL=postgresql://${SERVICE_USER_POSTGRES}:${SERVICE_PASSWORD_POSTGRES}@database/${POSTGRES_DB:-documenso-db}?schema=public - NEXT_PRIVATE_DIRECT_DATABASE_URL=postgresql://${SERVICE_USER_POSTGRES}:${SERVICE_PASSWORD_POSTGRES}@database/${POSTGRES_DB:-documenso-db}?schema=public - - NEXT_PRIVATE_SIGNING_TRANSPORT=local-file + - NEXT_PRIVATE_SIGNING_TRANSPORT=local - NEXT_PRIVATE_SIGNING_LOCAL_FILE_PATH=/app/certs/cert.p12 - NEXT_PRIVATE_SIGNING_LOCAL_FILE_PASSPHRASE=${SERVICE_PASSWORD_DOCUMENSO} - CERT_VALID_DAYS=${CERT_VALID_DAYS:-365} From 50accfeb2a1368ab067dc8745c78f93fa0ce77c2 Mon Sep 17 00:00:00 2001 From: ajay Date: Fri, 7 Nov 2025 16:45:16 +0530 Subject: [PATCH 3/8] fix: updated passout key --- templates/compose/documenso.yaml | 128 +++++++++++++++++++------------ 1 file changed, 79 insertions(+), 49 deletions(-) diff --git a/templates/compose/documenso.yaml b/templates/compose/documenso.yaml index e51c0e8be..6ad054240 100644 --- a/templates/compose/documenso.yaml +++ b/templates/compose/documenso.yaml 
@@ -11,52 +11,72 @@ services: depends_on: database: condition: service_healthy + ports: + - "3000:3000" environment: - - SERVICE_URL_DOCUMENSO_3000 - - NEXTAUTH_URL=${SERVICE_URL_DOCUMENSO} - - NEXTAUTH_SECRET=${SERVICE_BASE64_AUTHSECRET} - - NEXT_PRIVATE_ENCRYPTION_KEY=${SERVICE_BASE64_ENCRYPTIONKEY} - - NEXT_PRIVATE_ENCRYPTION_SECONDARY_KEY=${SERVICE_BASE64_SECONDARYENCRYPTIONKEY} - - NEXT_PUBLIC_WEBAPP_URL=${SERVICE_URL_DOCUMENSO} - - NEXT_PRIVATE_RESEND_API_KEY=${NEXT_PRIVATE_RESEND_API_KEY} - - NEXT_PRIVATE_SMTP_TRANSPORT=${NEXT_PRIVATE_SMTP_TRANSPORT} - - NEXT_PRIVATE_SMTP_HOST=${NEXT_PRIVATE_SMTP_HOST} - - NEXT_PRIVATE_SMTP_PORT=${NEXT_PRIVATE_SMTP_PORT} - - NEXT_PRIVATE_SMTP_USERNAME=${NEXT_PRIVATE_SMTP_USERNAME} - - NEXT_PRIVATE_SMTP_PASSWORD=${NEXT_PRIVATE_SMTP_PASSWORD} - - NEXT_PRIVATE_SMTP_FROM_NAME=${NEXT_PRIVATE_SMTP_FROM_NAME} - - NEXT_PRIVATE_SMTP_FROM_ADDRESS=${NEXT_PRIVATE_SMTP_FROM_ADDRESS} - - NEXT_PRIVATE_DATABASE_URL=postgresql://${SERVICE_USER_POSTGRES}:${SERVICE_PASSWORD_POSTGRES}@database/${POSTGRES_DB:-documenso-db}?schema=public - - NEXT_PRIVATE_DIRECT_DATABASE_URL=postgresql://${SERVICE_USER_POSTGRES}:${SERVICE_PASSWORD_POSTGRES}@database/${POSTGRES_DB:-documenso-db}?schema=public + - SERVICE_URL_DOCUMENSO_3000=http://localhost:3000 + - NEXTAUTH_URL=http://localhost:3000 + - NEXTAUTH_SECRET=${NEXTAUTH_SECRET:-test-secret-key-change-in-production} + - NEXT_PRIVATE_ENCRYPTION_KEY=${NEXT_PRIVATE_ENCRYPTION_KEY:-test-encryption-key-32-chars} + - NEXT_PRIVATE_ENCRYPTION_SECONDARY_KEY=${NEXT_PRIVATE_ENCRYPTION_SECONDARY_KEY:-test-secondary-encryption-key-64-characters-long-for-production-use} + - NEXT_PUBLIC_WEBAPP_URL=http://localhost:3000 + - NEXT_PRIVATE_RESEND_API_KEY=${NEXT_PRIVATE_RESEND_API_KEY:-} + - NEXT_PRIVATE_SMTP_TRANSPORT=${NEXT_PRIVATE_SMTP_TRANSPORT:-} + - NEXT_PRIVATE_SMTP_HOST=${NEXT_PRIVATE_SMTP_HOST:-} + - NEXT_PRIVATE_SMTP_PORT=${NEXT_PRIVATE_SMTP_PORT:-} + - NEXT_PRIVATE_SMTP_USERNAME=${NEXT_PRIVATE_SMTP_USERNAME:-} + - 
NEXT_PRIVATE_SMTP_PASSWORD=${NEXT_PRIVATE_SMTP_PASSWORD:-} + - NEXT_PRIVATE_SMTP_FROM_NAME=${NEXT_PRIVATE_SMTP_FROM_NAME:-} + - NEXT_PRIVATE_SMTP_FROM_ADDRESS=${NEXT_PRIVATE_SMTP_FROM_ADDRESS:-} + - NEXT_PRIVATE_DATABASE_URL=postgresql://${POSTGRES_USER:-documenso}:${POSTGRES_PASSWORD:-documenso}@database/${POSTGRES_DB:-documenso-db}?schema=public + - NEXT_PRIVATE_DIRECT_DATABASE_URL=postgresql://${POSTGRES_USER:-documenso}:${POSTGRES_PASSWORD:-documenso}@database/${POSTGRES_DB:-documenso-db}?schema=public - NEXT_PRIVATE_SIGNING_TRANSPORT=local - NEXT_PRIVATE_SIGNING_LOCAL_FILE_PATH=/app/certs/cert.p12 - - NEXT_PRIVATE_SIGNING_LOCAL_FILE_PASSPHRASE=${SERVICE_PASSWORD_DOCUMENSO} + - NEXT_PRIVATE_SIGNING_LOCAL_FILE_PASSPHRASE=${NEXT_PRIVATE_SIGNING_LOCAL_FILE_PASSPHRASE:-documenso} - CERT_VALID_DAYS=${CERT_VALID_DAYS:-365} - - CERT_INFO_COUNTRY_NAME=${CERT_INFO_COUNTRY_NAME:-DO} - - CERT_INFO_STATE_OR_PROVIDENCE=${CERT_INFO_STATE_OR_PROVIDENCE:-Santiago} - - CERT_INFO_LOCALITY_NAME=${CERT_INFO_LOCALITY_NAME:-Santiago} - - CERT_INFO_ORGANIZATION_NAME=${CERT_INFO_ORGANIZATION_NAME:-Example INC} + - CERT_INFO_COUNTRY_NAME=${CERT_INFO_COUNTRY_NAME:-US} + - CERT_INFO_STATE_OR_PROVIDENCE=${CERT_INFO_STATE_OR_PROVIDENCE:-State} + - CERT_INFO_LOCALITY_NAME=${CERT_INFO_LOCALITY_NAME:-City} + - CERT_INFO_ORGANIZATION_NAME=${CERT_INFO_ORGANIZATION_NAME:-Test Organization} - CERT_INFO_ORGANIZATIONAL_UNIT=${CERT_INFO_ORGANIZATIONAL_UNIT:-IT Department} - - CERT_INFO_EMAIL=${CERT_INFO_EMAIL:-example@gmail.com} + - CERT_INFO_EMAIL=${CERT_INFO_EMAIL:-test@example.com} - NEXT_PUBLIC_DISABLE_SIGNUP=${DISABLE_LOGIN:-false} + - SERVICE_PASSWORD_DOCUMENSO=${SERVICE_PASSWORD_DOCUMENSO:-documenso} + - SERVICE_URL_DOCUMENSO=http://localhost:3000 healthcheck: test: - CMD-SHELL - - "wget -q -O - http://documenso:3000/ | grep -q 'Sign in to your account'" - interval: 2s - timeout: 10s - retries: 20 + - "wget -q -O - http://localhost:3000/ | grep -q 'Sign in to your account' || exit 1" + 
interval: 10s + timeout: 5s + retries: 10 + start_period: 40s entrypoint: - /bin/sh - -c - | - CERT_DIR="/app/certs" - CERT_PASSPHRASE="${SERVICE_PASSWORD_DOCUMENSO}" + CERT_PASSPHRASE="$${NEXT_PRIVATE_SIGNING_LOCAL_FILE_PASSPHRASE}" # Save original working directory - ORIGINAL_DIR="$(pwd)" + ORIGINAL_DIR="$$(pwd)" - mkdir -p "$CERT_DIR" + # Find openssl binary (should be available in v1.12.10+) + OPENSSL_CMD="$$(which openssl 2>/dev/null || command -v openssl 2>/dev/null || echo '/usr/bin/openssl')" + + # Verify openssl is available + if ! $$OPENSSL_CMD version >/dev/null 2>&1; then + echo "Error: OpenSSL not found. Please use Documenso image v1.12.10 or later." + exit 1 + fi + + # Create certificate directory - use /app/certs (writable by user 1001) + CERT_DIR="/app/certs" + mkdir -p "$$CERT_DIR" || { + # Fallback to tmp if app directory not writable + CERT_DIR="/tmp/certs" + mkdir -p "$$CERT_DIR" + echo "Warning: Using fallback directory: $$CERT_DIR" + } touch /tmp/cert_info_path cat < /tmp/cert_info_path 
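Review bot: The `environment` block swaps the platform-generated secrets (`${SERVICE_BASE64_AUTHSECRET}`, `${SERVICE_BASE64_ENCRYPTIONKEY}`, `${SERVICE_PASSWORD_POSTGRES}`, `${SERVICE_PASSWORD_DOCUMENSO}`) for fixed fallbacks such as `${NEXTAUTH_SECRET:-test-secret-key-change-in-production}` and `${POSTGRES_PASSWORD:-documenso}`, so any deployment that does not override them runs with session, encryption, database and signing-passphrase values that are published in this template. The same fallback credentials are applied to the `database` service in the next hunk. The hunk also pins every URL to `http://localhost:3000` and publishes `3000:3000` on the host instead of using the assigned `SERVICE_URL_DOCUMENSO`. Keep the generated `SERVICE_*` variables, or use the required form, e.g. `${NEXTAUTH_SECRET:?NEXTAUTH_SECRET must be set}`, so that a missing secret fails the deploy instead of silently falling back.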
@@ -64,53 +84,63 @@ services: distinguished_name = req_distinguished_name prompt = no [ req_distinguished_name ] - C = ${CERT_INFO_COUNTRY_NAME} - ST = ${CERT_INFO_STATE_OR_PROVIDENCE} - L = ${CERT_INFO_LOCALITY_NAME} - O = ${CERT_INFO_ORGANIZATION_NAME} - OU = ${CERT_INFO_ORGANIZATIONAL_UNIT} - CN = ${SERVICE_URL_DOCUMENSO} - emailAddress = ${CERT_INFO_EMAIL} + C = $${CERT_INFO_COUNTRY_NAME} + ST = $${CERT_INFO_STATE_OR_PROVIDENCE} + L = $${CERT_INFO_LOCALITY_NAME} + O = $${CERT_INFO_ORGANIZATION_NAME} + OU = $${CERT_INFO_ORGANIZATIONAL_UNIT} + CN = $${SERVICE_URL_DOCUMENSO} + emailAddress = $${CERT_INFO_EMAIL} EOF - cd "$CERT_DIR" + cd "$$CERT_DIR" - openssl genrsa -out private.key 2048 + $$OPENSSL_CMD genrsa -out private.key 2048 - openssl req \ + $$OPENSSL_CMD req \ -new \ -x509 \ -key private.key \ -out certificate.crt \ - -days ${CERT_VALID_DAYS} \ + -days $${CERT_VALID_DAYS} \ -config /tmp/cert_info_path - openssl pkcs12 \ + $$OPENSSL_CMD pkcs12 \ -export \ -out cert.p12 \ -inkey private.key \ -in certificate.crt \ -legacy \ - -passout pass:"$CERT_PASSPHRASE" + -passout pass:"$$CERT_PASSPHRASE" - chown 1001:1001 cert.p12 private.key certificate.crt + # Set permissions (may fail if not root, but will work in Coolify) + chown 1001:1001 cert.p12 private.key certificate.crt 2>/dev/null || true chmod 400 cert.p12 private.key certificate.crt + # Update environment variable if directory changed + if [ "$$CERT_DIR" != "/app/certs" ]; then + export NEXT_PRIVATE_SIGNING_LOCAL_FILE_PATH="$$CERT_DIR/cert.p12" + fi + # Return to original directory before starting application - cd "$ORIGINAL_DIR" + cd "$$ORIGINAL_DIR" ./start.sh database: image: postgres:17 environment: - - POSTGRES_USER=${SERVICE_USER_POSTGRES} - - POSTGRES_PASSWORD=${SERVICE_PASSWORD_POSTGRES} + - POSTGRES_USER=${POSTGRES_USER:-documenso} + - POSTGRES_PASSWORD=${POSTGRES_PASSWORD:-documenso} - POSTGRES_DB=${POSTGRES_DB:-documenso-db} volumes: - documenso_postgresql_data:/var/lib/postgresql/data 
healthcheck: - test: ["CMD-SHELL", "pg_isready -U $${POSTGRES_USER} -d $${POSTGRES_DB}"] + test: ["CMD-SHELL", "pg_isready -U ${POSTGRES_USER:-documenso} -d ${POSTGRES_DB:-documenso-db}"] interval: 5s - timeout: 20s + timeout: 5s retries: 10 + start_period: 10s + +volumes: + documenso_postgresql_data: \ No newline at end of file From 40eb399b360a818843cd05d9cc9ee91d7370e408 Mon Sep 17 00:00:00 2001 From: ajay Date: Fri, 7 Nov 2025 16:54:31 +0530 Subject: [PATCH 4/8] fix: updated envs --- templates/compose/documenso.yaml | 22 +++++++++++++++------- 1 file changed, 15 insertions(+), 7 deletions(-) diff --git a/templates/compose/documenso.yaml b/templates/compose/documenso.yaml index 6ad054240..76e62fcb4 100644 --- a/templates/compose/documenso.yaml +++ b/templates/compose/documenso.yaml @@ -11,8 +11,6 @@ services: depends_on: database: condition: service_healthy - ports: - - "3000:3000" environment: - SERVICE_URL_DOCUMENSO_3000=http://localhost:3000 - NEXTAUTH_URL=http://localhost:3000 
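Review bot: None of the three `$$OPENSSL_CMD` steps (`genrsa`, `req`, `pkcs12`) is checked, and neither this hunk nor the preceding one shows a `set -e`, so when one of them fails the entrypoint still reaches `./start.sh` and the application starts with a missing or partial `cert.p12`. Adding `set -e` as the first line of the script would make it fail closed; the existing `|| { … }` and `|| true` constructs remain valid under it. The same concern applies to `chown 1001:1001 … 2>/dev/null || true`: the error is discarded, so a wrong owner combined with the following `chmod 400` would only surface later as a signing failure. Print a warning there rather than redirecting to `/dev/null`.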
@@ -32,17 +30,16 @@ services: - NEXT_PRIVATE_DIRECT_DATABASE_URL=postgresql://${POSTGRES_USER:-documenso}:${POSTGRES_PASSWORD:-documenso}@database/${POSTGRES_DB:-documenso-db}?schema=public - NEXT_PRIVATE_SIGNING_TRANSPORT=local - NEXT_PRIVATE_SIGNING_LOCAL_FILE_PATH=/app/certs/cert.p12 - - NEXT_PRIVATE_SIGNING_LOCAL_FILE_PASSPHRASE=${NEXT_PRIVATE_SIGNING_LOCAL_FILE_PASSPHRASE:-documenso} + - NEXT_PRIVATE_SIGNING_LOCAL_FILE_PASSPHRASE=${SERVICE_PASSWORD_DOCUMENSO} - CERT_VALID_DAYS=${CERT_VALID_DAYS:-365} - CERT_INFO_COUNTRY_NAME=${CERT_INFO_COUNTRY_NAME:-US} - CERT_INFO_STATE_OR_PROVIDENCE=${CERT_INFO_STATE_OR_PROVIDENCE:-State} - CERT_INFO_LOCALITY_NAME=${CERT_INFO_LOCALITY_NAME:-City} - CERT_INFO_ORGANIZATION_NAME=${CERT_INFO_ORGANIZATION_NAME:-Test Organization} - CERT_INFO_ORGANIZATIONAL_UNIT=${CERT_INFO_ORGANIZATIONAL_UNIT:-IT Department} - - CERT_INFO_EMAIL=${CERT_INFO_EMAIL:-test@example.com} + - CERT_INFO_EMAIL=${CERT_INFO_EMAIL:-example@example.com} - NEXT_PUBLIC_DISABLE_SIGNUP=${DISABLE_LOGIN:-false} - - SERVICE_PASSWORD_DOCUMENSO=${SERVICE_PASSWORD_DOCUMENSO:-documenso} - - SERVICE_URL_DOCUMENSO=http://localhost:3000 + - SERVICE_PASSWORD_DOCUMENSO=${SERVICE_PASSWORD_DOCUMENSO:-} healthcheck: test: - CMD-SHELL @@ -56,6 +53,7 @@ services: - -c - | CERT_PASSPHRASE="$${NEXT_PRIVATE_SIGNING_LOCAL_FILE_PASSPHRASE}" + PASSPHRASE_FILE="/tmp/cert_passphrase" # Save original working directory ORIGINAL_DIR="$$(pwd)" @@ -78,6 +76,11 @@ services: echo "Warning: Using fallback directory: $$CERT_DIR" } + # Create passphrase file for secure handling (prevents exposure in process list) + # This avoids shell word-splitting issues and prevents passphrase from appearing in ps/process list + echo -n "$$CERT_PASSPHRASE" > "$$PASSPHRASE_FILE" + chmod 600 "$$PASSPHRASE_FILE" + touch /tmp/cert_info_path cat < /tmp/cert_info_path [ req ] 
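Review bot: `SERVICE_PASSWORD_DOCUMENSO=${SERVICE_PASSWORD_DOCUMENSO:-}` gives the signing passphrase an empty fallback, and nothing visible in the entrypoint rejects an empty value, so `cert.p12` can end up exported with an empty passphrase if the platform does not supply one. Drop the `:-` default and guard the script before the export, e.g. `[ -n "$$CERT_PASSPHRASE" ] || { echo "Error: signing passphrase is empty" >&2; exit 1; }`. That guard belongs in the script body, which lies outside this hunk.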
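Review bot: The passphrase file is created by the redirection under the shell's default umask and only tightened by `chmod 600` afterwards, which leaves a short window in which it may be readable by other users in the container. `echo -n` is also not portable across `/bin/sh` implementations; some print `-n` literally, which would change the passphrase that ends up in the file. Set the mask first and use printf: `umask 077` followed by `printf '%s' "$$CERT_PASSPHRASE" > "$$PASSPHRASE_FILE"`. The rest of the script is outside this hunk.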
@@ -105,13 +108,18 @@ services: -days $${CERT_VALID_DAYS} \ -config /tmp/cert_info_path + # Create P12 certificate using file-based passphrase (prevents exposure in process list) + # Private key is not encrypted, so we only need -passout (not -passin) $$OPENSSL_CMD pkcs12 \ -export \ -out cert.p12 \ -inkey private.key \ -in certificate.crt \ -legacy \ - -passout pass:"$$CERT_PASSPHRASE" + -passout file:"$$PASSPHRASE_FILE" + + # Clean up passphrase file immediately after use + rm -f "$$PASSPHRASE_FILE" # Set permissions (may fail if not root, but will work in Coolify) chown 1001:1001 cert.p12 private.key certificate.crt 2>/dev/null || true From 1cd98f7b5aa347c749def32426b78cd48c6f2de1 Mon Sep 17 00:00:00 2001 From: ajay Date: Fri, 7 Nov 2025 17:02:09 +0530 Subject: [PATCH 5/8] fix: secure deploy --- templates/compose/documenso.yaml | 60 +++++++++++++++++--------------- 1 file changed, 31 insertions(+), 29 deletions(-) diff --git a/templates/compose/documenso.yaml b/templates/compose/documenso.yaml index 76e62fcb4..f78c04f7f 100644 --- a/templates/compose/documenso.yaml +++ b/templates/compose/documenso.yaml 
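Review bot: After the export, `private.key` stays on disk unencrypted beside `cert.p12` (the context lines only `chown`/`chmod` it), so the passphrase on the PKCS#12 file adds little protection against anyone who can read that directory. The environment only points the application at `cert.p12`; assuming nothing else reads the key, remove it together with the passphrase file, `rm -f "$$PASSPHRASE_FILE" private.key`, and drop `private.key` from the `chown`/`chmod` lines. The visible script also generates a new key pair on every container start, so the signing certificate changes across restarts unless `/app/certs` is on a persistent volume — worth confirming, and worth skipping generation when `cert.p12` already exists.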
@@ -12,32 +12,34 @@ services: database: condition: service_healthy environment: - - SERVICE_URL_DOCUMENSO_3000=http://localhost:3000 - - NEXTAUTH_URL=http://localhost:3000 - - NEXTAUTH_SECRET=${NEXTAUTH_SECRET:-test-secret-key-change-in-production} - - NEXT_PRIVATE_ENCRYPTION_KEY=${NEXT_PRIVATE_ENCRYPTION_KEY:-test-encryption-key-32-chars} - - NEXT_PRIVATE_ENCRYPTION_SECONDARY_KEY=${NEXT_PRIVATE_ENCRYPTION_SECONDARY_KEY:-test-secondary-encryption-key-64-characters-long-for-production-use} - - NEXT_PUBLIC_WEBAPP_URL=http://localhost:3000 - - NEXT_PRIVATE_RESEND_API_KEY=${NEXT_PRIVATE_RESEND_API_KEY:-} - - NEXT_PRIVATE_SMTP_TRANSPORT=${NEXT_PRIVATE_SMTP_TRANSPORT:-} - - NEXT_PRIVATE_SMTP_HOST=${NEXT_PRIVATE_SMTP_HOST:-} - - NEXT_PRIVATE_SMTP_PORT=${NEXT_PRIVATE_SMTP_PORT:-} - - NEXT_PRIVATE_SMTP_USERNAME=${NEXT_PRIVATE_SMTP_USERNAME:-} - - NEXT_PRIVATE_SMTP_PASSWORD=${NEXT_PRIVATE_SMTP_PASSWORD:-} - - NEXT_PRIVATE_SMTP_FROM_NAME=${NEXT_PRIVATE_SMTP_FROM_NAME:-} - - NEXT_PRIVATE_SMTP_FROM_ADDRESS=${NEXT_PRIVATE_SMTP_FROM_ADDRESS:-} - - NEXT_PRIVATE_DATABASE_URL=postgresql://${POSTGRES_USER:-documenso}:${POSTGRES_PASSWORD:-documenso}@database/${POSTGRES_DB:-documenso-db}?schema=public - - NEXT_PRIVATE_DIRECT_DATABASE_URL=postgresql://${POSTGRES_USER:-documenso}:${POSTGRES_PASSWORD:-documenso}@database/${POSTGRES_DB:-documenso-db}?schema=public + - SERVICE_URL_DOCUMENSO_3000 + - NEXTAUTH_URL=${SERVICE_URL_DOCUMENSO} + - NEXTAUTH_SECRET=${SERVICE_BASE64_AUTHSECRET} + - NEXT_PRIVATE_ENCRYPTION_KEY=${SERVICE_BASE64_ENCRYPTIONKEY} + - NEXT_PRIVATE_ENCRYPTION_SECONDARY_KEY=${SERVICE_BASE64_SECONDARYENCRYPTIONKEY} + - NEXT_PUBLIC_WEBAPP_URL=${SERVICE_URL_DOCUMENSO} + - NEXT_PRIVATE_RESEND_API_KEY=${NEXT_PRIVATE_RESEND_API_KEY} + - NEXT_PRIVATE_SMTP_TRANSPORT=${NEXT_PRIVATE_SMTP_TRANSPORT} + - NEXT_PRIVATE_SMTP_HOST=${NEXT_PRIVATE_SMTP_HOST} + - NEXT_PRIVATE_SMTP_PORT=${NEXT_PRIVATE_SMTP_PORT} + - NEXT_PRIVATE_SMTP_USERNAME=${NEXT_PRIVATE_SMTP_USERNAME} + - 
NEXT_PRIVATE_SMTP_PASSWORD=${NEXT_PRIVATE_SMTP_PASSWORD} + - NEXT_PRIVATE_SMTP_FROM_NAME=${NEXT_PRIVATE_SMTP_FROM_NAME} + - NEXT_PRIVATE_SMTP_FROM_ADDRESS=${NEXT_PRIVATE_SMTP_FROM_ADDRESS} + - NEXT_PRIVATE_DATABASE_URL=postgresql://${SERVICE_USER_POSTGRES}:${SERVICE_PASSWORD_POSTGRES}@database/${POSTGRES_DB:-documenso-db}?schema=public + - NEXT_PRIVATE_DIRECT_DATABASE_URL=postgresql://${SERVICE_USER_POSTGRES}:${SERVICE_PASSWORD_POSTGRES}@database/${POSTGRES_DB:-documenso-db}?schema=public + - NEXT_PRIVATE_SIGNING_LOCAL_FILE_PATH=/app/apps/remix/certs/certificate.p12 + - NEXT_PRIVATE_SIGNING_PASSPHRASE=${SERVICE_PASSWORD_DOCUMENSO} - NEXT_PRIVATE_SIGNING_TRANSPORT=local - NEXT_PRIVATE_SIGNING_LOCAL_FILE_PATH=/app/certs/cert.p12 - NEXT_PRIVATE_SIGNING_LOCAL_FILE_PASSPHRASE=${SERVICE_PASSWORD_DOCUMENSO} - CERT_VALID_DAYS=${CERT_VALID_DAYS:-365} - - CERT_INFO_COUNTRY_NAME=${CERT_INFO_COUNTRY_NAME:-US} - - CERT_INFO_STATE_OR_PROVIDENCE=${CERT_INFO_STATE_OR_PROVIDENCE:-State} - - CERT_INFO_LOCALITY_NAME=${CERT_INFO_LOCALITY_NAME:-City} - - CERT_INFO_ORGANIZATION_NAME=${CERT_INFO_ORGANIZATION_NAME:-Test Organization} + - CERT_INFO_COUNTRY_NAME=${CERT_INFO_COUNTRY_NAME:-DO} + - CERT_INFO_STATE_OR_PROVIDENCE=${CERT_INFO_STATE_OR_PROVIDENCE:-Santiago} + - CERT_INFO_LOCALITY_NAME=${CERT_INFO_LOCALITY_NAME:-Santiago} + - CERT_INFO_ORGANIZATION_NAME=${CERT_INFO_ORGANIZATION_NAME:-Example INC} - CERT_INFO_ORGANIZATIONAL_UNIT=${CERT_INFO_ORGANIZATIONAL_UNIT:-IT Department} - - CERT_INFO_EMAIL=${CERT_INFO_EMAIL:-example@example.com} + - CERT_INFO_EMAIL=${CERT_INFO_EMAIL:-example@gmail.com} - NEXT_PUBLIC_DISABLE_SIGNUP=${DISABLE_LOGIN:-false} - SERVICE_PASSWORD_DOCUMENSO=${SERVICE_PASSWORD_DOCUMENSO:-} healthcheck: 
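Review bot: `NEXT_PRIVATE_SIGNING_LOCAL_FILE_PATH` is now defined twice in the `environment` list with different values — `/app/apps/remix/certs/certificate.p12` (added here) and `/app/certs/cert.p12` (the context line just below) — so the effective value depends on how duplicate entries are resolved. The entrypoint writes `cert.p12` under `/app/certs`, so the first entry names a file the script never creates. Remove it along with the re-added `NEXT_PRIVATE_SIGNING_PASSPHRASE=${SERVICE_PASSWORD_DOCUMENSO}` line, which appears to be superseded by `NEXT_PRIVATE_SIGNING_LOCAL_FILE_PASSPHRASE`. The `SERVICE_PASSWORD_DOCUMENSO=${SERVICE_PASSWORD_DOCUMENSO:-}` context line still allows an empty passphrase.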
@@ -87,13 +89,13 @@ services: distinguished_name = req_distinguished_name prompt = no [ req_distinguished_name ] - C = $${CERT_INFO_COUNTRY_NAME} - ST = $${CERT_INFO_STATE_OR_PROVIDENCE} - L = $${CERT_INFO_LOCALITY_NAME} - O = $${CERT_INFO_ORGANIZATION_NAME} - OU = $${CERT_INFO_ORGANIZATIONAL_UNIT} - CN = $${SERVICE_URL_DOCUMENSO} - emailAddress = $${CERT_INFO_EMAIL} + C = ${CERT_INFO_COUNTRY_NAME} + ST = ${CERT_INFO_STATE_OR_PROVIDENCE} + L = ${CERT_INFO_LOCALITY_NAME} + O = ${CERT_INFO_ORGANIZATION_NAME} + OU = ${CERT_INFO_ORGANIZATIONAL_UNIT} + CN = ${SERVICE_URL_DOCUMENSO} + emailAddress = ${CERT_INFO_EMAIL} EOF cd "$$CERT_DIR" @@ -139,7 +141,7 @@ services: image: postgres:17 environment: - POSTGRES_USER=${POSTGRES_USER:-documenso} - - POSTGRES_PASSWORD=${POSTGRES_PASSWORD:-documenso} + - POSTGRES_PASSWORD=${POSTGRES_PASSWORD:-PLACEHOLDER_PASSWORD} - POSTGRES_DB=${POSTGRES_DB:-documenso-db} volumes: - documenso_postgresql_data:/var/lib/postgresql/data From 87a97468c2821a7a6dbebc31a9f515944152ae9a Mon Sep 17 00:00:00 2001 From: ajay Date: Fri, 7 Nov 2025 17:03:00 +0530 Subject: [PATCH 6/8] fix: secure deploy --- templates/compose/documenso.yaml | 6 +----- 1 file changed, 1 insertion(+), 5 deletions(-) diff --git a/templates/compose/documenso.yaml b/templates/compose/documenso.yaml index f78c04f7f..26baad6c2 100644 --- a/templates/compose/documenso.yaml +++ b/templates/compose/documenso.yaml @@ -149,8 +149,4 @@ services: test: ["CMD-SHELL", "pg_isready -U ${POSTGRES_USER:-documenso} -d ${POSTGRES_DB:-documenso-db}"] interval: 5s timeout: 5s - retries: 10 - start_period: 10s - -volumes: - documenso_postgresql_data: \ No newline at end of file + retries: 10 \ No newline at end of file From c93c238be2758e9ddaf7a8b5685f5488e0fc5e99 Mon Sep 17 00:00:00 2001 From: ajay Date: Fri, 7 Nov 2025 17:06:39 +0530 Subject: [PATCH 7/8] fix: secure deploy --- templates/compose/documenso.yaml | 14 ++++++-------- 1 file changed, 6 insertions(+), 8 deletions(-) 
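Review bot: `POSTGRES_PASSWORD=${POSTGRES_PASSWORD:-PLACEHOLDER_PASSWORD}` in the `database` service leaves the database with a fixed, published fallback password, while the application's `NEXT_PRIVATE_DATABASE_URL` (changed earlier in this commit) authenticates with `${SERVICE_USER_POSTGRES}` / `${SERVICE_PASSWORD_POSTGRES}`. Unless both pairs happen to hold the same values the application cannot log in, and wherever the fallback is used the database is protected only by the literal string `PLACEHOLDER_PASSWORD`. Use the same generated variables on both sides: `POSTGRES_USER=${SERVICE_USER_POSTGRES}` and `POSTGRES_PASSWORD=${SERVICE_PASSWORD_POSTGRES}`.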
diff --git a/templates/compose/documenso.yaml b/templates/compose/documenso.yaml index 26baad6c2..87ed25c43 100644 --- a/templates/compose/documenso.yaml +++ b/templates/compose/documenso.yaml @@ -45,11 +45,10 @@ services: healthcheck: test: - CMD-SHELL - - "wget -q -O - http://localhost:3000/ | grep -q 'Sign in to your account' || exit 1" - interval: 10s - timeout: 5s - retries: 10 - start_period: 40s + - "wget -q -O - http://documenso:3000/ | grep -q 'Sign in to your account'" + interval: 2s + timeout: 10s + retries: 20 entrypoint: - /bin/sh - -c @@ -146,7 +145,6 @@ services: volumes: - documenso_postgresql_data:/var/lib/postgresql/data healthcheck: - test: ["CMD-SHELL", "pg_isready -U ${POSTGRES_USER:-documenso} -d ${POSTGRES_DB:-documenso-db}"] - interval: 5s - timeout: 5s + test: ["CMD-SHELL", "pg_isready -U $${POSTGRES_USER} -d $${POSTGRES_DB}"] + timeout: 20s retries: 10 \ No newline at end of file From e3c3962d07fdd86c2b8a8c893467c5f721ebf91b Mon Sep 17 00:00:00 2001 From: ajay Date: Fri, 7 Nov 2025 17:08:01 +0530 Subject: [PATCH 8/8] fix: updated postgres --- templates/compose/documenso.yaml | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/templates/compose/documenso.yaml b/templates/compose/documenso.yaml index 87ed25c43..5c1398db5 100644 --- a/templates/compose/documenso.yaml +++ b/templates/compose/documenso.yaml @@ -139,12 +139,13 @@ services: database: image: postgres:17 environment: - - POSTGRES_USER=${POSTGRES_USER:-documenso} - - POSTGRES_PASSWORD=${POSTGRES_PASSWORD:-PLACEHOLDER_PASSWORD} + - POSTGRES_USER=${SERVICE_USER_POSTGRES} + - POSTGRES_PASSWORD=${SERVICE_PASSWORD_POSTGRES} - POSTGRES_DB=${POSTGRES_DB:-documenso-db} volumes: - documenso_postgresql_data:/var/lib/postgresql/data healthcheck: test: ["CMD-SHELL", "pg_isready -U $${POSTGRES_USER} -d $${POSTGRES_DB}"] + interval: 5s timeout: 20s retries: 10 \ No newline at end of file