SeedDMS 6 Document Management System on Ubuntu 24.04 on Azure User Guide
Overview
SeedDMS is a mature, web based open source Document Management System. It organises files into a browsable folder tree with full version history, controls who can see and edit each folder or document through per object access control lists, runs documents through review and approval workflows, tags them with categories and attributes, and finds them again with full text search. It also exposes a WebDAV endpoint and a REST API. The cloudimg image ships SeedDMS 6 served by nginx and PHP 8.3 FPM on a hardened, fully patched Ubuntu 24.04 LTS base, together with a bundled local MariaDB server so the appliance is complete and useful on its own. The install wizard is pre completed and locked, so the platform is ready the moment the instance boots. The bundled MariaDB listens only on the loopback interface (127.0.0.1:3306). A unique administrator password is generated on the first boot of every VM. Backed by 24/7 cloudimg support.
What is included:
- SeedDMS 6 served by nginx and PHP 8.3 FPM, managed by systemd
- A bundled MariaDB server holding the SeedDMS database, already installed and ready
- The install wizard pre completed and locked, and the web install tool removed
- A per VM administrator password generated on first boot and recorded in a root only file
- No shipped default login: the well known SeedDMS
admin/adminaccount is never shipped; the administrator password ships rotated to a discarded random and the real per VM password is set on first boot - MariaDB bound to
127.0.0.1only, never exposed to the network - Document content stored under
/var/lib/seeddms/data, kept separate from both the web root and the application code nginx.service,php8.3-fpm.serviceandmariadb.serviceas enabled systemd units- An unauthenticated
/healthzendpoint for Azure Load Balancer health probes - 24/7 cloudimg support
Prerequisites
An active Azure subscription, an SSH key pair, and a VNet plus subnet in the target region. Standard_B2s (2 vCPU / 4 GiB RAM) is a sensible starting point for a small team; step up to Standard_D2s_v3 for heavier document workloads. NSG inbound: allow 22/tcp from your management network and 80/tcp for the application (add 443/tcp if you terminate TLS on the VM). The bundled MariaDB is never exposed: it listens on 127.0.0.1 only, so port 3306 stays off the network.
Step 1 - Deploy from the Azure Marketplace
Sign in to the Azure Portal, choose Create a resource, search the Marketplace for SeedDMS by cloudimg, and select Create. On Basics pick your subscription, resource group, region and size; under Administrator account choose SSH public key and paste your key; under Inbound port rules allow SSH (22) and HTTP (80). Then Review + create then Create.
Step 2 - Deploy from the Azure CLI
az vm create \
--resource-group <your-rg> \
--name seeddms \
--image <marketplace-image-urn> \
--size Standard_B2s \
--admin-username azureuser \
--generate-ssh-keys \
--public-ip-sku Standard
Then open port 80:
az vm open-port --resource-group <your-rg> --name seeddms --port 80
Step 3 - Confirm the services are running
SSH in as azureuser and confirm nginx, PHP FPM, MariaDB and the first boot service are all active. Note that MariaDB listens only on 127.0.0.1:3306 while nginx serves SeedDMS on port 80.
systemctl is-active nginx php8.3-fpm mariadb seeddms-firstboot
ss -tlnp | grep -E ':80 |:3306 ' | sed 's/ */ /g'

Step 4 - Retrieve the per VM administrator password
Every VM generates its own SeedDMS administrator password on first boot and writes it, along with the login user and the application URL, to a root only credentials file. Read it with sudo:
sudo cat /root/seeddms-credentials.txt

You sign in to SeedDMS as user admin with the SEEDDMS_ADMIN_PASSWORD from this file. On the box itself you can also run sudo mariadb to reach the database directly over the local socket without a password.
Step 5 - Sign in
Browse to http://<vm-public-ip>/. You land on the SeedDMS sign in page. Enter user ID admin and the password from Step 4.

After signing in you land on the DMS root folder view, which shows the folder tree on the left, folder information in the centre and a drag and drop fast upload panel on the right.

Step 6 - Add folders and documents
From any folder use Add subfolder to build out your folder structure, then Add document to upload a file. Each document you add can carry a name, comment, keywords, categories, an expiry date and a sequence position, and every subsequent upload to the same document is kept as a new version with the full history preserved.

Step 7 - Manage users and access
Open Admin tools then User management to create users and groups and assign them roles. Combine users and groups with per folder and per document access control lists to control exactly who can read, write, review or approve each part of your document tree. This is also where you rotate the administrator's own password from the web interface.

Step 8 - No known or default credentials
SeedDMS ships upstream with a well known admin / admin account. The cloudimg image never ships it: the administrator password is rotated to a discarded random value at build time, and the real per VM administrator password is generated with a unique random secret on the first boot of every VM. You can prove both facts on the box. The user table holds only the admin and disabled guest rows, the well known default password hash is absent, and the built in round trip check confirms the per VM administrator signs in through the SeedDMS login form:
sudo mariadb -N -B seeddms -e "SELECT id,login,role FROM tblUsers ORDER BY id;"
sudo mariadb -N -B seeddms -e "SELECT count(*) AS default_admin_present FROM tblUsers WHERE login='admin' AND pwd='21232f297a57a5a743894a0e4a801fc3';"
sudo bash /usr/local/sbin/seeddms-cred-roundtrip.sh

Step 9 - Verify the stack and where your data lives
Confirm the health endpoint, the installed schema version and where your document content lives. The web root at /var/www/seeddms/www holds only application code, the configuration file sits outside the web root at /var/www/seeddms/conf/settings.xml, and all uploaded document content is stored under /var/lib/seeddms/data, kept separate from both the web root and the code so it is never web reachable and survives an application upgrade:
curl -sI http://127.0.0.1/healthz | head -1
sudo mariadb -N -B seeddms -e "SELECT concat('SeedDMS schema ',major,'.',minor,'.',subminor) FROM tblVersion;"
ls -ld /var/www/seeddms/www /var/www/seeddms/conf /var/lib/seeddms/data

Adding your own domain and TLS
The appliance serves plain HTTP on port 80. For production, point a DNS record at your VM and obtain a certificate with Let's Encrypt:
sudo apt-get install -y certbot python3-certbot-nginx
sudo certbot --nginx -d <your-domain>
SeedDMS derives its base URL from the request Host header, so once you reach the VM on your domain over HTTPS the links render correctly with no further change.
Backing up
Your document data is the SeedDMS database plus the document content directory. Dump the database and archive the content tree:
sudo mysqldump seeddms > /tmp/seeddms-backup.sql
sudo tar czf /tmp/seeddms-content-backup.tar.gz -C /var/lib/seeddms data
Copy both files off the VM on your usual schedule. To restore, load the SQL dump into the seeddms database and unpack the archive back to /var/lib/seeddms/data.
Security notes
- SeedDMS serves plain HTTP on port 80 out of the box. For anything beyond a trusted network, add your own domain and TLS as above, or front the VM with Azure Application Gateway.
- The bundled MariaDB listens on
127.0.0.1only and is never reachable from the network. Administer it through SeedDMS or over SSH withsudo mariadb. - The administrator password is unique per VM and no known or blank credential authenticates. Keep
/root/seeddms-credentials.txtprotected. To rotate the password, sign in and change it under Admin tools then User management, or from the box set a new one directly:
sudo mariadb seeddms -e "UPDATE tblUsers SET pwd=MD5('<new-password>') WHERE login='admin'"
- The configuration file and document content live outside the web root, and nginx denies
/inc,/utils,/doc,/installand dotfiles, so code, configuration and uploaded files are never web reachable. - Apply operating system updates regularly with
sudo apt update && sudo apt upgrade; unattended security updates are enabled by default.