Problem
When running Documenso on stateless EC2 instances (e.g., in Auto Scaling Groups or with Spot instances), logs stored locally via journalctl are lost when instances are terminated. For production deployments, centralized log aggregation is essential for:
- Debugging issues across multiple instances
- Audit trail and compliance
- Monitoring and alerting
- Post-mortem analysis after instance termination
Proposed Solution
Add optional CloudWatch Logs configuration to the Documenso NixOS module, similar to how other AWS-integrated services handle logging.
Configuration Example
services.documenso = {
  enable = true;
  # ... existing config ...
  cloudwatch = {
    enable = true;
    region = "eu-west-1";
    logGroup = "/aws/documenso/prod";
    logStream = "${config.networking.hostName}"; # or instance-id
    # Optional: retention period
    retentionInDays = 30; # 1, 3, 5, 7, 14, 30, 60, 90, 120, 150, 180, 365, 400, 545, 731, 1827, 3653
    # Optional: IAM role (if not using instance profile)
    # roleArn = "arn:aws:iam::123456789:role/documenso-logs";
  };
};
Implementation Approach
- Use Amazon CloudWatch Agent (pkgs.amazon-cloudwatch-agent)
  - Configure via systemd service that runs cloudwatch-agent
  - Stream journald logs to CloudWatch
- Integration points:
  - Auto-create log group if it doesn't exist (optional)
  - Use EC2 instance profile for IAM permissions (recommended)
  - Support custom log format/filtering
  - Integration with existing elastinix patterns
- Required IAM permissions:
  {
    "Version": "2012-10-17",
    "Statement": [
      {
        "Effect": "Allow",
        "Action": [
          "logs:CreateLogGroup",
          "logs:CreateLogStream",
          "logs:PutLogEvents",
          "logs:DescribeLogStreams"
        ],
        "Resource": "arn:aws:logs:*:*:log-group:/aws/documenso/*"
      }
    ]
  }
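Added example (not part of this issue or the elastinix module): a small Python check that compares the IAM policy above with what the proposed services.documenso.cloudwatch options would actually need, and tests whether the Resource pattern also reaches log groups outside /aws/documenso/. It assumes the module applies retentionInDays through logs:PutRetentionPolicy and creates the group when a hypothetical autoCreateLogGroup option is on; the account id and stream name are constructed placeholders.

```python
import json
from fnmatch import fnmatchcase

# Copy of the IAM policy proposed in the issue (constructed test input).
PROPOSED_POLICY = json.loads("""{"Version": "2012-10-17", "Statement": [{
  "Effect": "Allow",
  "Action": ["logs:CreateLogGroup", "logs:CreateLogStream",
             "logs:PutLogEvents", "logs:DescribeLogStreams"],
  "Resource": "arn:aws:logs:*:*:log-group:/aws/documenso/*"}]}""")

# Retention periods CloudWatch Logs accepts (the list from the issue's config comment).
VALID_RETENTION = {1, 3, 5, 7, 14, 30, 60, 90, 120, 150, 180, 365, 400, 545, 731, 1827, 3653}
# Actions any shipper needs to write a stream. CreateLogGroup and PutRetentionPolicy
# are only needed if the module creates the group / applies retention (assumption).
BASE_ACTIONS = {"logs:CreateLogStream", "logs:PutLogEvents", "logs:DescribeLogStreams"}

def as_list(v):
    return v if isinstance(v, list) else [v]

def required_actions(cfg):
    needed = set(BASE_ACTIONS)
    if cfg.get("autoCreateLogGroup", True):      # hypothetical module option
        needed.add("logs:CreateLogGroup")
    if cfg.get("retentionInDays") is not None:
        needed.add("logs:PutRetentionPolicy")
    return needed

def check_policy(policy, cfg, account="123456789012"):
    """Return findings for an IAM policy against the proposed cloudwatch options."""
    findings = []
    days = cfg.get("retentionInDays")
    if days is not None and days not in VALID_RETENTION:
        findings.append(f"retentionInDays={days} is not a value CloudWatch accepts")
    allow = [s for s in policy["Statement"] if s.get("Effect") == "Allow"]
    granted = [a for s in allow for a in as_list(s.get("Action", []))]  # may contain IAM wildcards
    for a in sorted(required_actions(cfg)):
        if not any(fnmatchcase(a, g) for g in granted):
            findings.append(f"missing action {a}")
    # The stream this instance writes to, plus an unrelated group to detect over-broad scope.
    own = (f"arn:aws:logs:{cfg['region']}:{account}:log-group:"
           f"{cfg['logGroup']}:log-stream:{cfg['logStream']}")
    other = f"arn:aws:logs:{cfg['region']}:{account}:log-group:/aws/other-app/prod"
    patterns = [r for s in allow for r in as_list(s.get("Resource", []))]
    if not any(fnmatchcase(own, p) for p in patterns):
        findings.append(f"no Allow resource matches {own}")
    if any(fnmatchcase(other, p) for p in patterns):
        findings.append("resource pattern also covers log groups outside /aws/documenso/")
    return findings
```

Run against the issue's policy with the config from the example above, the only finding is the missing logs:PutRetentionPolicy; a blanket `"Resource": "*"` policy is flagged for reaching other log groups.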
Benefits
- ✅ Makes Documenso truly stateless on EC2
- ✅ Enables Auto Scaling Group deployments
- ✅ Allows safe use of Spot instances
- ✅ Centralized logging for multi-instance setups
- ✅ Better debugging and monitoring
- ✅ Compliance and audit trail
- ✅ Log retention policies
Alternative: Vector/Fluent Bit
Could also support other log shippers:
- Vector (pkgs.vector)
- Fluent Bit (pkgs.fluent-bit)
But CloudWatch Logs is the most natural choice for AWS deployments.
Related
This complements the stateless architecture enabled by:
- External RDS PostgreSQL
- S3 document storage
- Optional external Redis (ElastiCache)
- agenix-encrypted certificate management
With CloudWatch Logs, Documenso can run fully stateless on EC2 with zero persistent storage requirements.
Priority
Medium - Not blocking for deployment, but important for production readiness on AWS.