coolify/templates/compose/documenso.yaml

# documentation: https://docs.documenso.com/
# slogan: Document signing, finally open source
# category: productivity
# tags: signing, opensource, document, pdf, e-signature, digital-signature, document-signing, pdf-signing, docusign
# logo: svgs/documenso.png
# port: 3000

services:
  documenso:
    image: documenso/documenso:v1.12.10 # Released at Oct 9, 2025
    depends_on:
      database:
        condition: service_healthy
    ports:
      - "3000:3000"
    environment:
      - SERVICE_URL_DOCUMENSO_3000=http://localhost:3000
      - NEXTAUTH_URL=http://localhost:3000
      - NEXTAUTH_SECRET=${NEXTAUTH_SECRET:-test-secret-key-change-in-production}
      - NEXT_PRIVATE_ENCRYPTION_KEY=${NEXT_PRIVATE_ENCRYPTION_KEY:-test-encryption-key-32-chars}
      - NEXT_PRIVATE_ENCRYPTION_SECONDARY_KEY=${NEXT_PRIVATE_ENCRYPTION_SECONDARY_KEY:-test-secondary-encryption-key-64-characters-long-for-production-use}
      - NEXT_PUBLIC_WEBAPP_URL=http://localhost:3000
      - NEXT_PRIVATE_RESEND_API_KEY=${NEXT_PRIVATE_RESEND_API_KEY:-}
      - NEXT_PRIVATE_SMTP_TRANSPORT=${NEXT_PRIVATE_SMTP_TRANSPORT:-}
      - NEXT_PRIVATE_SMTP_HOST=${NEXT_PRIVATE_SMTP_HOST:-}
      - NEXT_PRIVATE_SMTP_PORT=${NEXT_PRIVATE_SMTP_PORT:-}
      - NEXT_PRIVATE_SMTP_USERNAME=${NEXT_PRIVATE_SMTP_USERNAME:-}
      - NEXT_PRIVATE_SMTP_PASSWORD=${NEXT_PRIVATE_SMTP_PASSWORD:-}
      - NEXT_PRIVATE_SMTP_FROM_NAME=${NEXT_PRIVATE_SMTP_FROM_NAME:-}
      - NEXT_PRIVATE_SMTP_FROM_ADDRESS=${NEXT_PRIVATE_SMTP_FROM_ADDRESS:-}
      - NEXT_PRIVATE_DATABASE_URL=postgresql://${POSTGRES_USER:-documenso}:${POSTGRES_PASSWORD:-documenso}@database/${POSTGRES_DB:-documenso-db}?schema=public
      - NEXT_PRIVATE_DIRECT_DATABASE_URL=postgresql://${POSTGRES_USER:-documenso}:${POSTGRES_PASSWORD:-documenso}@database/${POSTGRES_DB:-documenso-db}?schema=public
      - NEXT_PRIVATE_SIGNING_TRANSPORT=local
      - NEXT_PRIVATE_SIGNING_LOCAL_FILE_PATH=/app/certs/cert.p12
      - NEXT_PRIVATE_SIGNING_LOCAL_FILE_PASSPHRASE=${NEXT_PRIVATE_SIGNING_LOCAL_FILE_PASSPHRASE:-documenso}
      - CERT_VALID_DAYS=${CERT_VALID_DAYS:-365}
      - CERT_INFO_COUNTRY_NAME=${CERT_INFO_COUNTRY_NAME:-US}
      - CERT_INFO_STATE_OR_PROVIDENCE=${CERT_INFO_STATE_OR_PROVIDENCE:-State}
      - CERT_INFO_LOCALITY_NAME=${CERT_INFO_LOCALITY_NAME:-City}
      - CERT_INFO_ORGANIZATION_NAME=${CERT_INFO_ORGANIZATION_NAME:-Test Organization}
      - CERT_INFO_ORGANIZATIONAL_UNIT=${CERT_INFO_ORGANIZATIONAL_UNIT:-IT Department}
      - CERT_INFO_EMAIL=${CERT_INFO_EMAIL:-test@example.com}
      - NEXT_PUBLIC_DISABLE_SIGNUP=${DISABLE_LOGIN:-false}
      - SERVICE_PASSWORD_DOCUMENSO=${SERVICE_PASSWORD_DOCUMENSO:-documenso}
      - SERVICE_URL_DOCUMENSO=http://localhost:3000
    healthcheck:
      test:
        - CMD-SHELL
        - "wget -q -O - http://localhost:3000/ | grep -q 'Sign in to your account' || exit 1"
      interval: 10s
      timeout: 5s
      retries: 10
      start_period: 40s
    entrypoint:
      - /bin/sh
      - -c
      - |
        CERT_PASSPHRASE="$${NEXT_PRIVATE_SIGNING_LOCAL_FILE_PASSPHRASE}"
        
        # Save original working directory
        ORIGINAL_DIR="$$(pwd)"
        
        # Find openssl binary (should be available in v1.12.10+)
        OPENSSL_CMD="$$(which openssl 2>/dev/null || command -v openssl 2>/dev/null || echo '/usr/bin/openssl')"
        
        # Verify openssl is available
        if ! $$OPENSSL_CMD version >/dev/null 2>&1; then
          echo "Error: OpenSSL not found. Please use Documenso image v1.12.10 or later."
          exit 1
        fi
        
        # Create certificate directory - use /app/certs (writable by user 1001)
        CERT_DIR="/app/certs"
        mkdir -p "$$CERT_DIR" || {
          # Fallback to tmp if app directory not writable
          CERT_DIR="/tmp/certs"
          mkdir -p "$$CERT_DIR"
          echo "Warning: Using fallback directory: $$CERT_DIR"
        }
        
        touch /tmp/cert_info_path
        cat <<EOF > /tmp/cert_info_path
        [ req ]
        distinguished_name = req_distinguished_name
        prompt = no
        [ req_distinguished_name ]
        C            = $${CERT_INFO_COUNTRY_NAME}
        ST           = $${CERT_INFO_STATE_OR_PROVIDENCE}
        L            = $${CERT_INFO_LOCALITY_NAME}
        O            = $${CERT_INFO_ORGANIZATION_NAME}
        OU           = $${CERT_INFO_ORGANIZATIONAL_UNIT}
        CN           = $${SERVICE_URL_DOCUMENSO}
        emailAddress = $${CERT_INFO_EMAIL}
        EOF

        cd "$$CERT_DIR"
        
        $$OPENSSL_CMD genrsa -out private.key 2048
        
        $$OPENSSL_CMD req \
          -new \
          -x509 \
          -key private.key \
          -out certificate.crt \
          -days $${CERT_VALID_DAYS} \
          -config /tmp/cert_info_path
        
        $$OPENSSL_CMD pkcs12 \
          -export \
          -out cert.p12 \
          -inkey private.key \
          -in certificate.crt \
          -legacy \
          -passout pass:"$$CERT_PASSPHRASE"
        
        # Set permissions (may fail if not root, but will work in Coolify)
        chown 1001:1001 cert.p12 private.key certificate.crt 2>/dev/null || true
        chmod 400 cert.p12 private.key certificate.crt
        
        # Update environment variable if directory changed
        if [ "$$CERT_DIR" != "/app/certs" ]; then
          export NEXT_PRIVATE_SIGNING_LOCAL_FILE_PATH="$$CERT_DIR/cert.p12"
        fi
        
        # Return to original directory before starting application
        cd "$$ORIGINAL_DIR"
        
        ./start.sh

  database:
    image: postgres:17
    environment:
      - POSTGRES_USER=${POSTGRES_USER:-documenso}
      - POSTGRES_PASSWORD=${POSTGRES_PASSWORD:-documenso}
      - POSTGRES_DB=${POSTGRES_DB:-documenso-db}
    volumes:
      - documenso_postgresql_data:/var/lib/postgresql/data
    healthcheck:
      test: ["CMD-SHELL", "pg_isready -U ${POSTGRES_USER:-documenso} -d ${POSTGRES_DB:-documenso-db}"]
      interval: 5s
      timeout: 5s
      retries: 10
      start_period: 10s

volumes:
  documenso_postgresql_data: