From 286e43b5de6941f0bcd3441b68f06c63d1d20792 Mon Sep 17 00:00:00 2001 From: Alex Lebens Date: Tue, 31 Mar 2026 01:30:37 +0000 Subject: [PATCH] tmp/paperless (#5302) Reviewed-on: https://gitea.alexlebens.dev/alexlebens/infrastructure/pulls/5302 --- clusters/cl01tl/helm/blocky/values.yaml | 1 + clusters/cl01tl/helm/gatus/values.yaml | 6 +- clusters/cl01tl/helm/homepage/values.yaml | 6 + clusters/cl01tl/helm/paperless-ngx/Chart.lock | 24 ++ clusters/cl01tl/helm/paperless-ngx/Chart.yaml | 51 +++++ .../templates/external-secret.yaml | 54 +++++ .../cl01tl/helm/paperless-ngx/values.yaml | 207 ++++++++++++++++++ hosts/ps08rp/blocky/config.yml | 1 + hosts/ps09rp/blocky/config.yml | 1 + 9 files changed, 348 insertions(+), 3 deletions(-) create mode 100644 clusters/cl01tl/helm/paperless-ngx/Chart.lock create mode 100644 clusters/cl01tl/helm/paperless-ngx/Chart.yaml create mode 100644 clusters/cl01tl/helm/paperless-ngx/templates/external-secret.yaml create mode 100644 clusters/cl01tl/helm/paperless-ngx/values.yaml diff --git a/clusters/cl01tl/helm/blocky/values.yaml b/clusters/cl01tl/helm/blocky/values.yaml index 37af9628d..7e991614e 100644 --- a/clusters/cl01tl/helm/blocky/values.yaml +++ b/clusters/cl01tl/helm/blocky/values.yaml @@ -144,6 +144,7 @@ blocky: objects IN CNAME traefik-cl01tl ollama IN CNAME traefik-cl01tl omni-tools IN CNAME traefik-cl01tl + paperless-ngx IN CNAME traefik-cl01tl photoview IN CNAME traefik-cl01tl plex IN CNAME traefik-cl01tl postiz IN CNAME traefik-cl01tl diff --git a/clusters/cl01tl/helm/gatus/values.yaml b/clusters/cl01tl/helm/gatus/values.yaml index 4e54fa97c..523d52b46 100644 --- a/clusters/cl01tl/helm/gatus/values.yaml +++ b/clusters/cl01tl/helm/gatus/values.yaml 
@@ -164,15 +164,15 @@ gatus: - name: roundcube url: https://mail.alexlebens.net <<: *defaults + - name: paperless-ngx + url: https://paperless-ngx.alexlebens.net + <<: *defaults - name: kiwix url: https://kiwix.alexlebens.net <<: *defaults - name: excalidraw url: https://excalidraw.alexlebens.net <<: *defaults - - name: languagetool - url: https://languagetool.alexlebens.net - <<: *defaults - name: gitea url: https://gitea.alexlebens.net <<: *defaults diff --git a/clusters/cl01tl/helm/homepage/values.yaml b/clusters/cl01tl/helm/homepage/values.yaml index b2738f406..36330cfa9 100644 --- a/clusters/cl01tl/helm/homepage/values.yaml +++ b/clusters/cl01tl/helm/homepage/values.yaml @@ -304,6 +304,12 @@ homepage: href: https://mail.alexlebens.net siteMonitor: http://roundcube.roundcube:80 statusStyle: dot + - Documents: + icon: sh-paperless-ngx.webp + description: Paperless-ngx + href: https://paperless-ngx.alexlebens.net + siteMonitor: http://paperless-ngx.paperless-ngx:80 + statusStyle: dot - Wiki: icon: sh-kiwix-light.webp description: Kiwix diff --git a/clusters/cl01tl/helm/paperless-ngx/Chart.lock b/clusters/cl01tl/helm/paperless-ngx/Chart.lock new file mode 100644 index 000000000..ff6ddf460 --- /dev/null +++ b/clusters/cl01tl/helm/paperless-ngx/Chart.lock 
@@ -0,0 +1,24 @@
+dependencies:
+- name: app-template
+ repository: https://bjw-s-labs.github.io/helm-charts/
+ version: 4.6.2
+- name: postgres-cluster
+ repository: oci://harbor.alexlebens.net/helm-charts
+ version: 7.11.0
+- name: valkey
+ repository: oci://harbor.alexlebens.net/helm-charts
+ version: 0.5.0
+- name: volsync-target
+ repository: oci://harbor.alexlebens.net/helm-charts
+ version: 0.8.0
+- name: volsync-target
+ repository: oci://harbor.alexlebens.net/helm-charts
+ version: 0.8.0
+- name: volsync-target
+ repository: oci://harbor.alexlebens.net/helm-charts
+ version: 0.8.0
+- name: volsync-target
+ repository: oci://harbor.alexlebens.net/helm-charts
+ version: 0.8.0
+digest: sha256:08acc0818deaede4bb7515be7cbb1253f30036b70af6038caa69e4bd3cc02412
+generated: "2026-03-30T20:25:47.995874-05:00"
diff --git a/clusters/cl01tl/helm/paperless-ngx/Chart.yaml b/clusters/cl01tl/helm/paperless-ngx/Chart.yaml
new file mode 100644
index 000000000..f5ee8ab4f
--- /dev/null
+++ b/clusters/cl01tl/helm/paperless-ngx/Chart.yaml
@@ -0,0 +1,51 @@
+apiVersion: v2
+name: paperless-ngx
+version: 1.0.0
+description: Paperless-ngx
+keywords:
+ - paperless-ngx
+ - documents
+home: https://docs.alexlebens.dev/applications/paperless-ngx/
+sources:
+ - https://github.com/paperless-ngx/paperless-ngx
+ - https://github.com/gotenberg/gotenberg
+ - https://github.com/paperless-ngx/paperless-ngx/pkgs/container/paperless-ngx
+ - https://hub.docker.com/r/gotenberg/gotenberg
+ - https://github.com/bjw-s-labs/helm-charts/tree/main/charts/other/app-template
+ - https://gitea.alexlebens.dev/alexlebens/helm-charts/src/branch/main/charts/postgres-cluster
+ - https://gitea.alexlebens.dev/alexlebens/helm-charts/src/branch/main/charts/valkey
+ - https://gitea.alexlebens.dev/alexlebens/helm-charts/src/branch/main/charts/volsync-target
+maintainers:
+ - name: alexlebens
+dependencies:
+ - name: app-template
+ alias: paperless-ngx
+ repository: https://bjw-s-labs.github.io/helm-charts/
+ version: 4.6.2
+ - name: postgres-cluster
+ alias: postgres-18-cluster
+ version: 7.11.0
+ repository: oci://harbor.alexlebens.net/helm-charts
+ - name: valkey
+ alias: valkey
+ version: 0.5.0
+ repository: oci://harbor.alexlebens.net/helm-charts
+ - name: volsync-target
+ alias: volsync-target-data
+ version: 0.8.0
+ repository: oci://harbor.alexlebens.net/helm-charts
+ - name: volsync-target
+ alias: volsync-target-media
+ version: 0.8.0
+ repository: oci://harbor.alexlebens.net/helm-charts
+ - name: volsync-target
+ alias: volsync-target-export
+ version: 0.8.0
+ repository: oci://harbor.alexlebens.net/helm-charts
+ - name: volsync-target
+ alias: volsync-target-consume
+ version: 0.8.0
+ repository: oci://harbor.alexlebens.net/helm-charts
+icon: https://cdn.jsdelivr.net/gh/selfhst/icons/png/paperless-ngx.png
+# renovate: datasource=github-releases depName=paperless-ngx/paperless-ngx
+appVersion: 2.20.13
diff --git a/clusters/cl01tl/helm/paperless-ngx/templates/external-secret.yaml b/clusters/cl01tl/helm/paperless-ngx/templates/external-secret.yaml
new file mode 100644
index 000000000..14522de8b
--- /dev/null
+++ b/clusters/cl01tl/helm/paperless-ngx/templates/external-secret.yaml
@@ -0,0 +1,54 @@
+apiVersion: external-secrets.io/v1
+kind: ExternalSecret
+metadata:
+ name: paperless-ngx-secret
+ namespace: {{ .Release.Namespace }}
+ labels:
+ app.kubernetes.io/name: paperless-ngx-secret
+ app.kubernetes.io/instance: {{ .Release.Name }}
+ app.kubernetes.io/part-of: {{ .Release.Name }}
+spec:
+ secretStoreRef:
+ kind: ClusterSecretStore
+ name: vault
+ data:
+ - secretKey: secret-key
+ remoteRef:
+ key: /cl01tl/paperless-ngx/secret
+ property: secret-key
+ - secretKey: admin-user
+ remoteRef:
+ key: /cl01tl/paperless-ngx/secret
+ property: admin-user
+ - secretKey: admin-password
+ remoteRef:
+ key: /cl01tl/paperless-ngx/secret
+ property: admin-password
+
+---
+apiVersion: external-secrets.io/v1
+kind: ExternalSecret
+metadata:
+ name: paperless-ngx-oidc-secret
+ namespace: {{ .Release.Namespace }}
+ labels:
+ app.kubernetes.io/name: paperless-ngx-oidc-secret
+ app.kubernetes.io/instance: {{ .Release.Name }}
+ app.kubernetes.io/part-of: {{ .Release.Name }}
+spec:
+ secretStoreRef:
+ kind: ClusterSecretStore
+ name: vault
+ data:
+ - secretKey: OIDC_CLIENT_ID
+ remoteRef:
+ key: /authentik/oidc/headlamp
+ property: client
+ - secretKey: OIDC_CLIENT_SECRET
+ remoteRef:
+ key: /authentik/oidc/headlamp
+ property: secret
+ - secretKey: PAPERLESS_SOCIALACCOUNT_PROVIDERS
+ remoteRef:
+ key: /authentik/oidc/headlamp
+ property: PAPERLESS_SOCIALACCOUNT_PROVIDERS
diff --git a/clusters/cl01tl/helm/paperless-ngx/values.yaml b/clusters/cl01tl/helm/paperless-ngx/values.yaml
new file mode 100644
index 000000000..d41f79007
--- /dev/null
+++ b/clusters/cl01tl/helm/paperless-ngx/values.yaml
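Review bot: The second ExternalSecret in templates/external-secret.yaml, `paperless-ngx-oidc-secret`, reads all three of its properties from the Vault path `/authentik/oidc/headlamp`, which by its name belongs to a different application's OIDC client, while the first secret uses `/cl01tl/paperless-ngx/secret`. If this is a copy-paste leftover, paperless-ngx would be configured with another client's id and secret, and that client's credentials would be copied into this namespace. Pointing each `remoteRef.key` at a dedicated entry, e.g. `key: /authentik/oidc/<paperless-ngx-client-path>` (placeholder, the real path is not on this page), keeps each client's secret scoped to its own app. `OIDC_CLIENT_ID` and `OIDC_CLIENT_SECRET` are also not referenced by the env list in values.yaml in this commit, which only consumes `PAPERLESS_SOCIALACCOUNT_PROVIDERS`, so those two entries could be dropped rather than materialising unused credentials.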
@@ -0,0 +1,207 @@ +paperless-ngx: + controllers: + main: + type: deployment + replicas: 1 + strategy: Recreate + containers: + main: + image: + repository: ghcr.io/paperless-ngx/paperless-ngx + tag: 2.20.13@sha256:4b05bcd28e6923768000b5d247cbf2c66fd49bdc3f3b05955bd4f6790a638b01 + env: + - name: PAPERLESS_REDIS + value: redis://paperless-ngx-valkey.paperless-ngx:6379 + - name: PAPERLESS_DBHOST + valueFrom: + secretKeyRef: + name: paperless-ngx-postgresql-18-cluster-app + key: host + - name: PAPERLESS_DBPORT + valueFrom: + secretKeyRef: + name: paperless-ngx-postgresql-18-cluster-app + key: port + - name: PAPERLESS_DBUSER + valueFrom: + secretKeyRef: + name: paperless-ngx-postgresql-18-cluster-app + key: user + - name: PAPERLESS_DBPASS + valueFrom: + secretKeyRef: + name: paperless-ngx-postgresql-18-cluster-app + key: password + - name: PAPERLESS_TIKA_ENABLED + value: true + - name: PAPERLESS_TIKA_GOTENBERG_ENDPOINT + value: http://localhost:3000/ + - name: PAPERLESS_SECRET_KEY + valueFrom: + secretKeyRef: + name: paperless-ngx-secret + key: secret-key + - name: PAPERLESS_URL + value: https://paperless-ngx.alexlebens.net + - name: PAPERLESS_ALLOWED_HOSTS + value: paperless-ngx.alexlebens.net, paperless-ngx.paperless-ngx + - name: PAPERLESS_ADMIN_USER + valueFrom: + secretKeyRef: + name: paperless-ngx-secret + key: admin-user + - name: PAPERLESS_ADMIN_PASSWORD + valueFrom: + secretKeyRef: + name: paperless-ngx-secret + key: admin-password + - name: PAPERLESS_ACCOUNT_ALLOW_SIGNUPS + value: true + - name: PAPERLESS_SOCIAL_AUTO_SIGNUP + value: true + - name: PAPERLESS_SOCIALACCOUNT_ALLOW_SIGNUPS + value: true + - name: PAPERLESS_APPS + value: allauth.socialaccount.providers.openid_connect + - name: PAPERLESS_LOGOUT_REDIRECT_URL + value: https://authentik.alexlebens.net/application/o/paperless-ngx/end-session/ + - name: PAPERLESS_SOCIALACCOUNT_PROVIDERS + valueFrom: + secretKeyRef: + name: paperless-ngx-oidc-secret + key: PAPERLESS_SOCIALACCOUNT_PROVIDERS + - name: 
PAPERLESS_TIME_ZONE + value: America/Chicago + resources: + requests: + cpu: 1m + memory: 100Mi + gotenberg: + image: + repository: gotenberg/gotenberg + tag: 8.29.1@sha256:36c925776fa0db0fd1030408d131fde7ac3453027a559883555155b72adb16a7 + service: + main: + controller: main + ports: + http: + port: 80 + targetPort: 8000 + route: + main: + kind: HTTPRoute + parentRefs: + - group: gateway.networking.k8s.io + kind: Gateway + name: traefik-gateway + namespace: traefik + hostnames: + - paperless-ngx.alexlebens.net + rules: + - backendRefs: + - name: paperless-ngx + port: 80 + matches: + - path: + type: PathPrefix + value: / + persistence: + data: + forceRename: paperless-ngx-data + storageClass: ceph-block + accessMode: ReadWriteOnce + size: 2Gi + advancedMounts: + main: + main: + - path: /usr/src/paperless/data + media: + forceRename: paperless-ngx-media + storageClass: ceph-block + accessMode: ReadWriteOnce + size: 10Gi + advancedMounts: + main: + main: + - path: /usr/src/paperless/media + export: + forceRename: paperless-ngx-export + storageClass: ceph-block + accessMode: ReadWriteOnce + size: 2Gi + advancedMounts: + main: + main: + - path: /usr/src/paperless/export + consume: + forceRename: paperless-ngx-consume + storageClass: ceph-block + accessMode: ReadWriteOnce + size: 2Gi + advancedMounts: + main: + main: + - path: /usr/src/paperless/consume +postgres-18-cluster: + mode: standalone + recovery: + method: objectStore + objectStore: + index: 1 + backup: + objectStore: + - name: garage-local + index: 1 + destinationBucket: postgres-backups + externalSecretCredentialPath: /garage/home-infra/postgres-backups + isWALArchiver: true + scheduledBackups: + - name: live-backup + suspend: false + immediate: true + schedule: "0 15 15 * * *" + backupName: garage-local +volsync-target-data: + pvcTarget: paperless-ngx-data + local: + enabled: true + schedule: 2 8 * * * + remote: + enabled: true + schedule: 2 9 * * * + external: + enabled: true + schedule: 2 10 * * * 
+volsync-target-media: + pvcTarget: paperless-ngx-metadata + local: + enabled: true + schedule: 4 8 * * * + remote: + enabled: true + schedule: 4 9 * * * + external: + enabled: true + schedule: 4 10 * * * +volsync-target-export: + pvcTarget: paperless-ngx-data + local: + enabled: true + schedule: 2 8 * * * + remote: + enabled: true + schedule: 2 9 * * * + external: + enabled: true + schedule: 2 10 * * * +volsync-target-consume: + pvcTarget: paperless-ngx-metadata + local: + enabled: true + schedule: 4 8 * * * + remote: + enabled: true + schedule: 4 9 * * * + external: + enabled: true + schedule: 4 10 * * * diff --git a/hosts/ps08rp/blocky/config.yml b/hosts/ps08rp/blocky/config.yml index ed01ad5d6..9bb0cb029 100644 --- a/hosts/ps08rp/blocky/config.yml +++ b/hosts/ps08rp/blocky/config.yml @@ -121,6 +121,7 @@ customDNS: objects IN CNAME traefik-cl01tl ollama IN CNAME traefik-cl01tl omni-tools IN CNAME traefik-cl01tl + paperless-ngx IN CNAME traefik-cl01tl photoview IN CNAME traefik-cl01tl plex IN CNAME traefik-cl01tl postiz IN CNAME traefik-cl01tl diff --git a/hosts/ps09rp/blocky/config.yml b/hosts/ps09rp/blocky/config.yml index 20667cc7f..91d65f2d9 100644 --- a/hosts/ps09rp/blocky/config.yml +++ b/hosts/ps09rp/blocky/config.yml @@ -142,6 +142,7 @@ customDNS: objects IN CNAME traefik-cl01tl ollama IN CNAME traefik-cl01tl omni-tools IN CNAME traefik-cl01tl + paperless-ngx IN CNAME traefik-cl01tl photoview IN CNAME traefik-cl01tl plex IN CNAME traefik-cl01tl postiz IN CNAME traefik-cl01tl
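Review bot: Three of the four volsync targets at the end of paperless-ngx/values.yaml name PVCs that do not match the persistence block: `volsync-target-media` and `volsync-target-consume` set `pvcTarget: paperless-ngx-metadata`, and `volsync-target-export` repeats `pvcTarget: paperless-ngx-data`, whereas the claims are renamed to `paperless-ngx-media`, `paperless-ngx-export` and `paperless-ngx-consume`. As written, the media volume (mounted at `/usr/src/paperless/media`) appears to get no backup at all, and the data volume is replicated twice on identical schedules. Each target should use the matching `forceRename` value, e.g. `pvcTarget: paperless-ngx-media`, and the export and consume schedules should get their own minute offsets instead of reusing `2` and `4`. Separately, `PAPERLESS_ACCOUNT_ALLOW_SIGNUPS` is set to `true` for a hostname exposed through the gateway; if Authentik OIDC is the intended way in, leaving local signup off and keeping only the social-account signup flags would narrow who can create an account on a document store.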