System requirements
Host operating system
- A 64-bit Linux server (Ubuntu 22.04 LTS / Debian 12 / RHEL 9 or equivalent).
- Docker Engine 24+ and the Docker Compose v2 plugin (`docker compose`).
- System timezone and NTP configured (signing timestamps must be accurate).
Hardware sizing
| Tier | Concurrent users / volume | vCPU | RAM | Notes |
|---|---|---|---|---|
| Evaluation / small | ≤ 25 active users, light signing | 4 | 8 GB | Single host, all containers |
| Production / medium | ≤ 250 active users | 8 | 16 GB | Single host; consider external/managed MySQL |
| High volume | 250+ users, heavy OCR/conversion | 16+ | 32 GB+ | Split DB to its own host; scale backend replicas behind a LB |
Document conversion (LibreOffice), OCR (Tesseract), and PDF signing are the CPU/RAM-heavy operations — size up if you process large/scanned documents frequently.
Storage
| Data | Mount | Sizing guidance |
|---|---|---|
| Documents (originals, converted, signed, stamped) | qsign_storage volume | The dominant consumer. Budget generously and monitor — a busy production instance can reach 100 GB+. Plan for growth + backups. |
| MySQL data | qsign_mysql volume | Metadata only (no document blobs) — typically hundreds of MB to a few GB. |
| Solr index | qsign_solr volume | Small relative to documents; rebuildable. |
| Logs | qsign_logs volume / stdout | Rotate; size per retention policy. |
Use SSD-backed storage for the MySQL and document volumes. Ensure the document volume is included in your backup regime (see 06-operations).
Network & ports
Externally published (by the nginx container only):
| Port | Purpose |
|---|---|
| 443/tcp | HTTPS (primary) |
| 80/tcp | HTTP — redirect to HTTPS and ACME / Let’s Encrypt challenges |
Internal-only (do NOT expose to untrusted networks): 3000 (frontend), 8000
(backend), 8080/8090 (esign), 3306 (MySQL), 6379 (Redis), 8983 (Solr),
3310 (ClamAV). These communicate over the internal Docker network by service name.
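One way to check this rule on a running host, as an added example that is not part of QSign's own tooling: the function below reads container names and port mappings and flags anything published on the host other than 80/443 on nginx. The container names in the sample are hypothetical, and treating any container whose name contains `nginx` as the permitted publisher is an assumption.

```shell
#!/bin/sh
# Added example (not QSign tooling). Reads lines shaped like the output of
#   docker ps --format '{{.Names}}\t{{.Ports}}'
# and reports host-published ports that break the rule stated above:
# only the nginx container publishes, and only 80 and 443.

audit_published_ports() {
  awk -F '\t' '
    BEGIN { bad = 0 }
    {
      n = split($2, maps, /, */)
      for (i = 1; i <= n; i++) {
        m = maps[i]
        if (index(m, "->") == 0) continue   # exposed inside Docker only
        host = m;    sub(/->.*/, "", host)  # 0.0.0.0:443, :::443, [::]:443
        port = host; sub(/.*:/, "", port)   # host port (or a port range)
        addr = substr(host, 1, length(host) - length(port) - 1)
        # Loopback binds are not reachable from other hosts.
        if (addr == "127.0.0.1" || addr == "::1" || addr == "[::1]") continue
        if ($1 !~ /nginx/) {
          printf "VIOLATION %s publishes %s (only nginx may publish)\n", $1, m
          bad = 1
        } else if (port != "80" && port != "443") {
          printf "VIOLATION %s publishes %s (only 80/443 allowed)\n", $1, m
          bad = 1
        }
      }
    }
    END { exit bad }
  '
}

# Constructed sample input; container names are hypothetical.
sample_ps_output() {
  printf 'qsign-nginx-1\t0.0.0.0:80->80/tcp, 0.0.0.0:443->443/tcp, :::443->443/tcp\n'
  printf 'qsign-backend-1\t8000/tcp\n'
  printf 'qsign-mysql-1\t0.0.0.0:3306->3306/tcp\n'
  printf 'qsign-redis-1\t127.0.0.1:6379->6379/tcp\n'
  printf 'qsign-solr-1\t[::]:8983->8983/tcp\n'
}

# Demo run on the sample; on a real host pipe the docker ps command in instead.
sample_ps_output | audit_published_ports || echo "audit: unexpected published ports"
```

The function exits non-zero when it finds a violation, so it can gate a deployment check; it covers Docker-published ports only, and the host firewall still needs its own review.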
Outbound (egress) the host needs, depending on enabled features:
| Destination | Required for |
|---|---|
| Your email provider’s API (Zeptomail/Resend) or SMTP | Transactional email (signing invites, reminders) — strongly recommended |
| NSDL/Protean eSign gateway | Aadhaar eSign (India only) |
| RFC-3161 TSA endpoint | DSC trusted timestamps (if enabled) |
| Container image registry | Pulling QSign images (or import archives offline) |
| Stripe / Razorpay | Billing (optional; usually not needed on-prem) |
| LLM provider, SMS provider, identity providers | AI features, SMS, SSO (all optional) |
For a fully air-gapped install, disable the optional outbound integrations and provide images as offline archives; e-Signature + DSC (with a local/no TSA) can work without internet, but Aadhaar eSign cannot (it depends on the external gateway).
TLS / certificates
- A DNS name for the service (e.g., `sign.example.com`) resolving to the host.
- A TLS certificate: either Let’s Encrypt via the bundled `certbot` (needs port 80 reachable for ACME), or your own/internal CA certificate mounted into `nginx`.
Software prerequisites checklist
- Docker Engine 24+ and Compose v2 installed and running.
- DNS record for the chosen hostname pointing to the host.
- Inbound 443 (and 80 for ACME) open to your users; all other ports firewalled.
- Persistent, backed-up storage for the document + MySQL volumes.
- Accurate clock (NTP).
- QSign image references / archives from Quoqo.
- (If Aadhaar) Protean/NSDL ASP credentials + signing certificate.
- (If DSC) signing certificate(s); the agent for token-based signing.
- An email-sending account (provider API key or SMTP).