diff --git a/clusters/cl01tl/manifests/blocky/ConfigMap-blocky.yaml b/clusters/cl01tl/manifests/blocky/ConfigMap-blocky.yaml index 0726b049b..8244d11eb 100644 --- a/clusters/cl01tl/manifests/blocky/ConfigMap-blocky.yaml +++ b/clusters/cl01tl/manifests/blocky/ConfigMap-blocky.yaml @@ -133,6 +133,7 @@ data: objects IN CNAME traefik-cl01tl ollama IN CNAME traefik-cl01tl omni-tools IN CNAME traefik-cl01tl + paperless-ngx IN CNAME traefik-cl01tl photoview IN CNAME traefik-cl01tl plex IN CNAME traefik-cl01tl postiz IN CNAME traefik-cl01tl diff --git a/clusters/cl01tl/manifests/blocky/Deployment-blocky.yaml b/clusters/cl01tl/manifests/blocky/Deployment-blocky.yaml index 7a8e9b4d5..7631f1fb2 100644 --- a/clusters/cl01tl/manifests/blocky/Deployment-blocky.yaml +++ b/clusters/cl01tl/manifests/blocky/Deployment-blocky.yaml @@ -22,7 +22,7 @@ spec: template: metadata: annotations: - checksum/configMaps: fff3976acfd7e840be4eea5ca10ef90051973222ed09a3fa4f0d64d37df4e364 + checksum/configMaps: d46129f10ef23f392c8d5ca28b7bbc5aba6deb158f1a6675eca8816f90baae43 labels: app.kubernetes.io/controller: main app.kubernetes.io/instance: blocky diff --git a/clusters/cl01tl/manifests/gatus/ConfigMap-gatus.yaml b/clusters/cl01tl/manifests/gatus/ConfigMap-gatus.yaml index 2d14fc718..ecc41a2db 100644 --- a/clusters/cl01tl/manifests/gatus/ConfigMap-gatus.yaml +++ b/clusters/cl01tl/manifests/gatus/ConfigMap-gatus.yaml @@ -213,6 +213,15 @@ data: interval: 30s name: roundcube url: https://mail.alexlebens.net + - alerts: + - type: ntfy + conditions: + - '[STATUS] == 200' + - '[CERTIFICATE_EXPIRATION] > 240h' + group: core + interval: 30s + name: paperless-ngx + url: https://paperless-ngx.alexlebens.net - alerts: - type: ntfy conditions: 
@@ -231,15 +240,6 @@ data: interval: 30s name: excalidraw url: https://excalidraw.alexlebens.net - - alerts: - - type: ntfy - conditions: - - '[STATUS] == 200' - - '[CERTIFICATE_EXPIRATION] > 240h' - group: core - interval: 30s - name: languagetool - url: https://languagetool.alexlebens.net - alerts: - type: ntfy conditions: diff --git a/clusters/cl01tl/manifests/gatus/Deployment-gatus.yaml b/clusters/cl01tl/manifests/gatus/Deployment-gatus.yaml index 53c496905..b97f2e0b1 100644 --- a/clusters/cl01tl/manifests/gatus/Deployment-gatus.yaml +++ b/clusters/cl01tl/manifests/gatus/Deployment-gatus.yaml @@ -26,7 +26,7 @@ spec: app.kubernetes.io/name: gatus app.kubernetes.io/instance: gatus annotations: - checksum/config: 4d8eb6239dd11e88919c8ab851bf983969febe5e0990e1ba1271dfe5d2d55b53 + checksum/config: 7d4de2aabf87644e8c8fdfd240605942fd0b0fcbcfb920b201cc532d7fd7026d spec: serviceAccountName: default automountServiceAccountToken: false diff --git a/clusters/cl01tl/manifests/homepage/ConfigMap-homepage.yaml b/clusters/cl01tl/manifests/homepage/ConfigMap-homepage.yaml index e86759f73..908051460 100644 --- a/clusters/cl01tl/manifests/homepage/ConfigMap-homepage.yaml +++ b/clusters/cl01tl/manifests/homepage/ConfigMap-homepage.yaml @@ -233,6 +233,12 @@ data: href: https://mail.alexlebens.net siteMonitor: http://roundcube.roundcube:80 statusStyle: dot + - Documents: + icon: sh-paperless-ngx.webp + description: Paperless-ngx + href: https://paperless-ngx.alexlebens.net + siteMonitor: http://paperless-ngx.paperless-ngx:80 + statusStyle: dot - Wiki: icon: sh-kiwix-light.webp description: Kiwix diff --git a/clusters/cl01tl/manifests/homepage/Deployment-homepage.yaml b/clusters/cl01tl/manifests/homepage/Deployment-homepage.yaml index 41bec51f6..384808e6a 100644 --- a/clusters/cl01tl/manifests/homepage/Deployment-homepage.yaml +++ b/clusters/cl01tl/manifests/homepage/Deployment-homepage.yaml 
@@ -24,7 +24,7 @@ spec: template: metadata: annotations: - checksum/configMaps: cd4de0fd768f675f285fcc324629b4b5b0704f7cd64f6d586cfa4db88b92a31b + checksum/configMaps: b099436b2138b2986efe41ddc70627bea4d122285574c37b284214a4157a0c7e checksum/secrets: d3ba83f111cd32f92c909268c55ad8bbd4f9e299b74b35b33c1a011180d8b378 labels: app.kubernetes.io/controller: main diff --git a/clusters/cl01tl/manifests/paperless-ngx/Cluster-paperless-ngx-postgresql-18-cluster.yaml b/clusters/cl01tl/manifests/paperless-ngx/Cluster-paperless-ngx-postgresql-18-cluster.yaml new file mode 100644 index 000000000..1b04e29f0 --- /dev/null +++ b/clusters/cl01tl/manifests/paperless-ngx/Cluster-paperless-ngx-postgresql-18-cluster.yaml 
@@ -0,0 +1,57 @@
+apiVersion: postgresql.cnpg.io/v1
+kind: Cluster
+metadata:
+ name: paperless-ngx-postgresql-18-cluster
+ namespace: paperless-ngx
+ labels:
+ app.kubernetes.io/name: paperless-ngx-postgresql-18-cluster
+ helm.sh/chart: postgres-18-cluster-7.11.0
+ app.kubernetes.io/instance: paperless-ngx
+ app.kubernetes.io/part-of: paperless-ngx
+ app.kubernetes.io/version: "7.11.0"
+ app.kubernetes.io/managed-by: Helm
+spec:
+ instances: 3
+ imageName: "ghcr.io/cloudnative-pg/postgresql:18.3-standard-trixie"
+ imagePullPolicy: IfNotPresent
+ postgresUID: 26
+ postgresGID: 26
+ storage:
+ size: 10Gi
+ storageClass: local-path
+ walStorage:
+ size: 2Gi
+ storageClass: local-path
+ resources:
+ limits:
+ hugepages-2Mi: 256Mi
+ requests:
+ cpu: 20m
+ memory: 150Mi
+ affinity:
+ enablePodAntiAffinity: true
+ topologyKey: kubernetes.io/hostname
+ primaryUpdateMethod: switchover
+ primaryUpdateStrategy: unsupervised
+ logLevel: info
+ enableSuperuserAccess: false
+ enablePDB: true
+ postgresql:
+ parameters:
+ hot_standby_feedback: "on"
+ max_slot_wal_keep_size: 2000MB
+ shared_buffers: 128MB
+ monitoring:
+ enablePodMonitor: true
+ disableDefaultQueries: false
+ plugins:
+ - name: barman-cloud.cloudnative-pg.io
+ enabled: true
+ isWALArchiver: true
+ parameters:
+ barmanObjectName: "paperless-ngx-postgresql-18-backup-garage-local"
+ serverName: "paperless-ngx-postgresql-18-backup-1"
+ bootstrap:
+ initdb:
+ database: app
+ owner: app
diff --git a/clusters/cl01tl/manifests/paperless-ngx/ConfigMap-paperless-ngx-valkey-init-scripts.yaml b/clusters/cl01tl/manifests/paperless-ngx/ConfigMap-paperless-ngx-valkey-init-scripts.yaml
new file mode 100644
index 000000000..32e8ee256
--- /dev/null
+++ b/clusters/cl01tl/manifests/paperless-ngx/ConfigMap-paperless-ngx-valkey-init-scripts.yaml
@@ -0,0 +1,87 @@ +apiVersion: v1 +kind: ConfigMap +metadata: + name: paperless-ngx-valkey-init-scripts + labels: + helm.sh/chart: valkey-0.9.3 + app.kubernetes.io/name: valkey + app.kubernetes.io/instance: paperless-ngx + app.kubernetes.io/version: "9.0.3" + app.kubernetes.io/managed-by: Helm +data: + init.sh: |- + #!/bin/sh + set -eu + + # Default config paths + VALKEY_CONFIG=${VALKEY_CONFIG_PATH:-/data/conf/valkey.conf} + + LOGFILE="/data/init.log" + DATA_DIR="/data/conf" + + # Logging function (outputs to stderr and file) + log() { + echo "$(date) $1" | tee -a "$LOGFILE" >&2 + } + + # Clean old log if requested + if [ "${KEEP_OLD_LOGS:-false}" != "true" ]; then + rm -f "$LOGFILE" + fi + + if [ -f "$LOGFILE" ]; then + log "Detected restart of this instance ($HOSTNAME)" + fi + + log "Creating configuration in $DATA_DIR..." + mkdir -p "$DATA_DIR" + rm -f "$VALKEY_CONFIG" + + + # Base valkey.conf + log "Generating base valkey.conf" + { + echo "port 6379" + echo "protected-mode no" + echo "bind * -::*" + echo "dir /data" + } >>"$VALKEY_CONFIG" + # Replica mode configuration + log "Configuring replication mode" + + # Use POD_INDEX from Kubernetes metadata + POD_INDEX=${POD_INDEX:-0} + IS_MASTER=false + + # Check if this is pod-0 (master) + if [ "$POD_INDEX" = "0" ]; then + IS_MASTER=true + log "This pod (index $POD_INDEX) is configured as MASTER" + else + log "This pod (index $POD_INDEX) is configured as REPLICA" + fi + + # Configure replica settings + if [ "$IS_MASTER" = "false" ]; then + MASTER_HOST="paperless-ngx-valkey-0.paperless-ngx-valkey-headless.paperless-ngx.svc.cluster.local" + MASTER_PORT="6379" + + log "Configuring replica to follow master at $MASTER_HOST:$MASTER_PORT" + + { + echo "" + echo "# Replica Configuration" + echo "replicaof $MASTER_HOST $MASTER_PORT" + echo "replica-announce-ip paperless-ngx-valkey-$POD_INDEX.paperless-ngx-valkey-headless.paperless-ngx.svc.cluster.local" + } >>"$VALKEY_CONFIG" + fi + + # Append extra configs if present + if [ 
-f /usr/local/etc/valkey/valkey.conf ]; then + log "Appending /usr/local/etc/valkey/valkey.conf" + cat /usr/local/etc/valkey/valkey.conf >>"$VALKEY_CONFIG" + fi + if [ -d /extravalkeyconfigs ]; then + log "Appending files in /extravalkeyconfigs/" + cat /extravalkeyconfigs/* >>"$VALKEY_CONFIG" + fi diff --git a/clusters/cl01tl/manifests/paperless-ngx/Deployment-paperless-ngx.yaml b/clusters/cl01tl/manifests/paperless-ngx/Deployment-paperless-ngx.yaml new file mode 100644 index 000000000..e69b0d192 --- /dev/null +++ b/clusters/cl01tl/manifests/paperless-ngx/Deployment-paperless-ngx.yaml 
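Review bot: The generated base config writes `protected-mode no` and `bind * -::*` without any `requirepass` or ACL line, so unless the appended /usr/local/etc/valkey/valkey.conf or the /extravalkeyconfigs files add authentication (not visible in this diff), the instance accepts unauthenticated connections from anything that can reach port 6379. The Deployment in this commit connects with `redis://paperless-ngx-valkey.paperless-ngx:6379`, which carries no credentials and suggests none are set. Because paperless-ngx uses this store as its task broker, I would enable authentication in the chart values that render this ConfigMap and restrict ingress on port 6379 to the paperless-ngx pod with a NetworkPolicy. A smaller point: under `set -eu`, `cat /extravalkeyconfigs/*` aborts the init script when that directory exists but is empty.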
@@ -0,0 +1,129 @@ +apiVersion: apps/v1 +kind: Deployment +metadata: + name: paperless-ngx + labels: + app.kubernetes.io/controller: main + app.kubernetes.io/instance: paperless-ngx + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: paperless-ngx + helm.sh/chart: paperless-ngx-4.6.2 + namespace: paperless-ngx +spec: + revisionHistoryLimit: 3 + replicas: 1 + strategy: + type: Recreate + selector: + matchLabels: + app.kubernetes.io/controller: main + app.kubernetes.io/name: paperless-ngx + app.kubernetes.io/instance: paperless-ngx + template: + metadata: + labels: + app.kubernetes.io/controller: main + app.kubernetes.io/instance: paperless-ngx + app.kubernetes.io/name: paperless-ngx + spec: + enableServiceLinks: false + serviceAccountName: default + automountServiceAccountToken: true + hostIPC: false + hostNetwork: false + hostPID: false + dnsPolicy: ClusterFirst + containers: + - image: gotenberg/gotenberg:8.29.1@sha256:36c925776fa0db0fd1030408d131fde7ac3453027a559883555155b72adb16a7 + name: gotenberg + - env: + - name: PAPERLESS_REDIS + value: redis://paperless-ngx-valkey.paperless-ngx:6379 + - name: PAPERLESS_DBHOST + valueFrom: + secretKeyRef: + key: host + name: paperless-ngx-postgresql-18-cluster-app + - name: PAPERLESS_DBPORT + valueFrom: + secretKeyRef: + key: port + name: paperless-ngx-postgresql-18-cluster-app + - name: PAPERLESS_DBUSER + valueFrom: + secretKeyRef: + key: user + name: paperless-ngx-postgresql-18-cluster-app + - name: PAPERLESS_DBPASS + valueFrom: + secretKeyRef: + key: password + name: paperless-ngx-postgresql-18-cluster-app + - name: PAPERLESS_TIKA_ENABLED + value: "true" + - name: PAPERLESS_TIKA_GOTENBERG_ENDPOINT + value: http://localhost:3000/ + - name: PAPERLESS_SECRET_KEY + valueFrom: + secretKeyRef: + key: secret-key + name: paperless-ngx-secret + - name: PAPERLESS_URL + value: https://paperless-ngx.alexlebens.net + - name: PAPERLESS_ALLOWED_HOSTS + value: paperless-ngx.alexlebens.net, paperless-ngx.paperless-ngx + - name: 
PAPERLESS_ADMIN_USER + valueFrom: + secretKeyRef: + key: admin-user + name: paperless-ngx-secret + - name: PAPERLESS_ADMIN_PASSWORD + valueFrom: + secretKeyRef: + key: admin-password + name: paperless-ngx-secret + - name: PAPERLESS_ACCOUNT_ALLOW_SIGNUPS + value: "true" + - name: PAPERLESS_SOCIAL_AUTO_SIGNUP + value: "true" + - name: PAPERLESS_SOCIALACCOUNT_ALLOW_SIGNUPS + value: "true" + - name: PAPERLESS_APPS + value: allauth.socialaccount.providers.openid_connect + - name: PAPERLESS_LOGOUT_REDIRECT_URL + value: https://authentik.alexlebens.net/application/o/paperless-ngx/end-session/ + - name: PAPERLESS_SOCIALACCOUNT_PROVIDERS + valueFrom: + secretKeyRef: + key: PAPERLESS_SOCIALACCOUNT_PROVIDERS + name: paperless-ngx-oidc-secret + - name: PAPERLESS_TIME_ZONE + value: America/Chicago + image: ghcr.io/paperless-ngx/paperless-ngx:2.20.13@sha256:4b05bcd28e6923768000b5d247cbf2c66fd49bdc3f3b05955bd4f6790a638b01 + name: main + resources: + requests: + cpu: 1m + memory: 100Mi + volumeMounts: + - mountPath: /usr/src/paperless/consume + name: consume + - mountPath: /usr/src/paperless/data + name: data + - mountPath: /usr/src/paperless/export + name: export + - mountPath: /usr/src/paperless/media + name: media + volumes: + - name: consume + persistentVolumeClaim: + claimName: paperless-ngx-consume + - name: data + persistentVolumeClaim: + claimName: paperless-ngx-data + - name: export + persistentVolumeClaim: + claimName: paperless-ngx-export + - name: media + persistentVolumeClaim: + claimName: paperless-ngx-media diff --git a/clusters/cl01tl/manifests/paperless-ngx/ExternalSecret-paperless-ngx-data-backup-secret-external.yaml b/clusters/cl01tl/manifests/paperless-ngx/ExternalSecret-paperless-ngx-data-backup-secret-external.yaml new file mode 100644 index 000000000..edbe866a3 --- /dev/null +++ b/clusters/cl01tl/manifests/paperless-ngx/ExternalSecret-paperless-ngx-data-backup-secret-external.yaml 
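Review bot: `PAPERLESS_ACCOUNT_ALLOW_SIGNUPS` is set to `"true"`, which turns on self-registration of local username/password accounts in addition to the OIDC path enabled by `PAPERLESS_SOCIALACCOUNT_ALLOW_SIGNUPS` and `PAPERLESS_SOCIAL_AUTO_SIGNUP`; on a host published through the HTTPRoute in this commit, anyone who can reach the page can then create an account. If sign-in is meant to go through authentik only, set `PAPERLESS_ACCOUNT_ALLOW_SIGNUPS` to `"false"` (the application default) and consider `PAPERLESS_DISABLE_REGULAR_LOGIN`. Separately, the pod spec pairs `serviceAccountName: default` with `automountServiceAccountToken: true` although nothing visible here needs the Kubernetes API; `automountServiceAccountToken: false`, as the gatus Deployment in this commit already has, would keep the token out of both containers. Neither container declares a `securityContext`, and the gotenberg sidecar has no `resources`. These manifests look Helm-rendered, so the changes probably belong in the chart values rather than in this file.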
@@ -0,0 +1,58 @@
+apiVersion: external-secrets.io/v1
+kind: ExternalSecret
+metadata:
+ name: paperless-ngx-data-backup-secret-external
+ namespace: paperless-ngx
+ labels:
+ helm.sh/chart: volsync-target-export-0.8.0
+ app.kubernetes.io/instance: paperless-ngx
+ app.kubernetes.io/part-of: paperless-ngx
+ app.kubernetes.io/version: "0.8.0"
+ app.kubernetes.io/managed-by: Helm
+ app.kubernetes.io/name: paperless-ngx-data-backup-secret-external
+spec:
+ secretStoreRef:
+ kind: ClusterSecretStore
+ name: vault
+ target:
+ template:
+ mergePolicy: Merge
+ engineVersion: v2
+ data:
+ RESTIC_REPOSITORY: "{{ .BUCKET_ENDPOINT }}/paperless-ngx/paperless-ngx-data"
+ data:
+ - secretKey: BUCKET_ENDPOINT
+ remoteRef:
+ conversionStrategy: Default
+ decodingStrategy: None
+ key: /volsync/restic/digital-ocean
+ metadataPolicy: None
+ property: BUCKET_ENDPOINT
+ - secretKey: RESTIC_PASSWORD
+ remoteRef:
+ conversionStrategy: Default
+ decodingStrategy: None
+ key: /volsync/restic/digital-ocean
+ metadataPolicy: None
+ property: RESTIC_PASSWORD
+ - secretKey: AWS_DEFAULT_REGION
+ remoteRef:
+ conversionStrategy: Default
+ decodingStrategy: None
+ key: /digital-ocean/home-infra/volsync-backups
+ metadataPolicy: None
+ property: AWS_DEFAULT_REGION
+ - secretKey: AWS_ACCESS_KEY_ID
+ remoteRef:
+ conversionStrategy: Default
+ decodingStrategy: None
+ key: /digital-ocean/home-infra/volsync-backups
+ metadataPolicy: None
+ property: AWS_ACCESS_KEY_ID
+ - secretKey: AWS_SECRET_ACCESS_KEY
+ remoteRef:
+ conversionStrategy: Default
+ decodingStrategy: None
+ key: /digital-ocean/home-infra/volsync-backups
+ metadataPolicy: None
+ property: AWS_SECRET_ACCESS_KEY
diff --git a/clusters/cl01tl/manifests/paperless-ngx/ExternalSecret-paperless-ngx-data-backup-secret-local.yaml b/clusters/cl01tl/manifests/paperless-ngx/ExternalSecret-paperless-ngx-data-backup-secret-local.yaml
new file mode 100644
index 000000000..0eee1416d
--- /dev/null
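Review bot: The Vault paths read here, `/volsync/restic/digital-ocean` and `/digital-ocean/home-infra/volsync-backups`, are not scoped to paperless-ngx, so this namespace presumably receives the same restic password and bucket key as every other application backed up this way. If that is the case, a compromise of any one workload exposes the backups of all of them, including the document archive added here. A per-application restic password, or a bucket key limited to the `paperless-ngx/` prefix used in `RESTIC_REPOSITORY`, would contain that. The same applies to the five sibling backup ExternalSecrets in this commit (data local/remote and metadata external/local/remote), which follow the same pattern with the `garage-local`, `garage-remote` and `/garage/home-infra/volsync-backups` paths.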
+++ b/clusters/cl01tl/manifests/paperless-ngx/ExternalSecret-paperless-ngx-data-backup-secret-local.yaml
@@ -0,0 +1,58 @@
+apiVersion: external-secrets.io/v1
+kind: ExternalSecret
+metadata:
+ name: paperless-ngx-data-backup-secret-local
+ namespace: paperless-ngx
+ labels:
+ helm.sh/chart: volsync-target-export-0.8.0
+ app.kubernetes.io/instance: paperless-ngx
+ app.kubernetes.io/part-of: paperless-ngx
+ app.kubernetes.io/version: "0.8.0"
+ app.kubernetes.io/managed-by: Helm
+ app.kubernetes.io/name: paperless-ngx-data-backup-secret-local
+spec:
+ secretStoreRef:
+ kind: ClusterSecretStore
+ name: vault
+ target:
+ template:
+ mergePolicy: Merge
+ engineVersion: v2
+ data:
+ RESTIC_REPOSITORY: "{{ .BUCKET_ENDPOINT }}/paperless-ngx/paperless-ngx-data"
+ data:
+ - secretKey: BUCKET_ENDPOINT
+ remoteRef:
+ conversionStrategy: Default
+ decodingStrategy: None
+ key: /volsync/restic/garage-local
+ metadataPolicy: None
+ property: BUCKET_ENDPOINT
+ - secretKey: RESTIC_PASSWORD
+ remoteRef:
+ conversionStrategy: Default
+ decodingStrategy: None
+ key: /volsync/restic/garage-local
+ metadataPolicy: None
+ property: RESTIC_PASSWORD
+ - secretKey: AWS_DEFAULT_REGION
+ remoteRef:
+ conversionStrategy: Default
+ decodingStrategy: None
+ key: /garage/home-infra/volsync-backups
+ metadataPolicy: None
+ property: ACCESS_REGION
+ - secretKey: AWS_ACCESS_KEY_ID
+ remoteRef:
+ conversionStrategy: Default
+ decodingStrategy: None
+ key: /garage/home-infra/volsync-backups
+ metadataPolicy: None
+ property: ACCESS_KEY_ID
+ - secretKey: AWS_SECRET_ACCESS_KEY
+ remoteRef:
+ conversionStrategy: Default
+ decodingStrategy: None
+ key: /garage/home-infra/volsync-backups
+ metadataPolicy: None
+ property: ACCESS_SECRET_KEY
diff --git a/clusters/cl01tl/manifests/paperless-ngx/ExternalSecret-paperless-ngx-data-backup-secret-remote.yaml b/clusters/cl01tl/manifests/paperless-ngx/ExternalSecret-paperless-ngx-data-backup-secret-remote.yaml
new file mode 100644
index 000000000..515abe88d
--- /dev/null
+++ b/clusters/cl01tl/manifests/paperless-ngx/ExternalSecret-paperless-ngx-data-backup-secret-remote.yaml
@@ -0,0 +1,58 @@
+apiVersion: external-secrets.io/v1
+kind: ExternalSecret
+metadata:
+ name: paperless-ngx-data-backup-secret-remote
+ namespace: paperless-ngx
+ labels:
+ helm.sh/chart: volsync-target-export-0.8.0
+ app.kubernetes.io/instance: paperless-ngx
+ app.kubernetes.io/part-of: paperless-ngx
+ app.kubernetes.io/version: "0.8.0"
+ app.kubernetes.io/managed-by: Helm
+ app.kubernetes.io/name: paperless-ngx-data-backup-secret-remote
+spec:
+ secretStoreRef:
+ kind: ClusterSecretStore
+ name: vault
+ target:
+ template:
+ mergePolicy: Merge
+ engineVersion: v2
+ data:
+ RESTIC_REPOSITORY: "{{ .BUCKET_ENDPOINT }}/paperless-ngx/paperless-ngx-data"
+ data:
+ - secretKey: BUCKET_ENDPOINT
+ remoteRef:
+ conversionStrategy: Default
+ decodingStrategy: None
+ key: /volsync/restic/garage-remote
+ metadataPolicy: None
+ property: BUCKET_ENDPOINT
+ - secretKey: RESTIC_PASSWORD
+ remoteRef:
+ conversionStrategy: Default
+ decodingStrategy: None
+ key: /volsync/restic/garage-remote
+ metadataPolicy: None
+ property: RESTIC_PASSWORD
+ - secretKey: AWS_DEFAULT_REGION
+ remoteRef:
+ conversionStrategy: Default
+ decodingStrategy: None
+ key: /garage/home-infra/volsync-backups
+ metadataPolicy: None
+ property: ACCESS_REGION
+ - secretKey: AWS_ACCESS_KEY_ID
+ remoteRef:
+ conversionStrategy: Default
+ decodingStrategy: None
+ key: /garage/home-infra/volsync-backups
+ metadataPolicy: None
+ property: ACCESS_KEY_ID
+ - secretKey: AWS_SECRET_ACCESS_KEY
+ remoteRef:
+ conversionStrategy: Default
+ decodingStrategy: None
+ key: /garage/home-infra/volsync-backups
+ metadataPolicy: None
+ property: ACCESS_SECRET_KEY
diff --git a/clusters/cl01tl/manifests/paperless-ngx/ExternalSecret-paperless-ngx-metadata-backup-secret-external.yaml b/clusters/cl01tl/manifests/paperless-ngx/ExternalSecret-paperless-ngx-metadata-backup-secret-external.yaml
new file mode 100644
index 000000000..dd87b1b2e
--- /dev/null
+++ b/clusters/cl01tl/manifests/paperless-ngx/ExternalSecret-paperless-ngx-metadata-backup-secret-external.yaml
@@ -0,0 +1,58 @@
+apiVersion: external-secrets.io/v1
+kind: ExternalSecret
+metadata:
+ name: paperless-ngx-metadata-backup-secret-external
+ namespace: paperless-ngx
+ labels:
+ helm.sh/chart: volsync-target-media-0.8.0
+ app.kubernetes.io/instance: paperless-ngx
+ app.kubernetes.io/part-of: paperless-ngx
+ app.kubernetes.io/version: "0.8.0"
+ app.kubernetes.io/managed-by: Helm
+ app.kubernetes.io/name: paperless-ngx-metadata-backup-secret-external
+spec:
+ secretStoreRef:
+ kind: ClusterSecretStore
+ name: vault
+ target:
+ template:
+ mergePolicy: Merge
+ engineVersion: v2
+ data:
+ RESTIC_REPOSITORY: "{{ .BUCKET_ENDPOINT }}/paperless-ngx/paperless-ngx-metadata"
+ data:
+ - secretKey: BUCKET_ENDPOINT
+ remoteRef:
+ conversionStrategy: Default
+ decodingStrategy: None
+ key: /volsync/restic/digital-ocean
+ metadataPolicy: None
+ property: BUCKET_ENDPOINT
+ - secretKey: RESTIC_PASSWORD
+ remoteRef:
+ conversionStrategy: Default
+ decodingStrategy: None
+ key: /volsync/restic/digital-ocean
+ metadataPolicy: None
+ property: RESTIC_PASSWORD
+ - secretKey: AWS_DEFAULT_REGION
+ remoteRef:
+ conversionStrategy: Default
+ decodingStrategy: None
+ key: /digital-ocean/home-infra/volsync-backups
+ metadataPolicy: None
+ property: AWS_DEFAULT_REGION
+ - secretKey: AWS_ACCESS_KEY_ID
+ remoteRef:
+ conversionStrategy: Default
+ decodingStrategy: None
+ key: /digital-ocean/home-infra/volsync-backups
+ metadataPolicy: None
+ property: AWS_ACCESS_KEY_ID
+ - secretKey: AWS_SECRET_ACCESS_KEY
+ remoteRef:
+ conversionStrategy: Default
+ decodingStrategy: None
+ key: /digital-ocean/home-infra/volsync-backups
+ metadataPolicy: None
+ property: AWS_SECRET_ACCESS_KEY
diff --git a/clusters/cl01tl/manifests/paperless-ngx/ExternalSecret-paperless-ngx-metadata-backup-secret-local.yaml b/clusters/cl01tl/manifests/paperless-ngx/ExternalSecret-paperless-ngx-metadata-backup-secret-local.yaml
new file mode 100644
index 000000000..322b4386a
--- /dev/null
+++ b/clusters/cl01tl/manifests/paperless-ngx/ExternalSecret-paperless-ngx-metadata-backup-secret-local.yaml
@@ -0,0 +1,58 @@
+apiVersion: external-secrets.io/v1
+kind: ExternalSecret
+metadata:
+ name: paperless-ngx-metadata-backup-secret-local
+ namespace: paperless-ngx
+ labels:
+ helm.sh/chart: volsync-target-media-0.8.0
+ app.kubernetes.io/instance: paperless-ngx
+ app.kubernetes.io/part-of: paperless-ngx
+ app.kubernetes.io/version: "0.8.0"
+ app.kubernetes.io/managed-by: Helm
+ app.kubernetes.io/name: paperless-ngx-metadata-backup-secret-local
+spec:
+ secretStoreRef:
+ kind: ClusterSecretStore
+ name: vault
+ target:
+ template:
+ mergePolicy: Merge
+ engineVersion: v2
+ data:
+ RESTIC_REPOSITORY: "{{ .BUCKET_ENDPOINT }}/paperless-ngx/paperless-ngx-metadata"
+ data:
+ - secretKey: BUCKET_ENDPOINT
+ remoteRef:
+ conversionStrategy: Default
+ decodingStrategy: None
+ key: /volsync/restic/garage-local
+ metadataPolicy: None
+ property: BUCKET_ENDPOINT
+ - secretKey: RESTIC_PASSWORD
+ remoteRef:
+ conversionStrategy: Default
+ decodingStrategy: None
+ key: /volsync/restic/garage-local
+ metadataPolicy: None
+ property: RESTIC_PASSWORD
+ - secretKey: AWS_DEFAULT_REGION
+ remoteRef:
+ conversionStrategy: Default
+ decodingStrategy: None
+ key: /garage/home-infra/volsync-backups
+ metadataPolicy: None
+ property: ACCESS_REGION
+ - secretKey: AWS_ACCESS_KEY_ID
+ remoteRef:
+ conversionStrategy: Default
+ decodingStrategy: None
+ key: /garage/home-infra/volsync-backups
+ metadataPolicy: None
+ property: ACCESS_KEY_ID
+ - secretKey: AWS_SECRET_ACCESS_KEY
+ remoteRef:
+ conversionStrategy: Default
+ decodingStrategy: None
+ key: /garage/home-infra/volsync-backups
+ metadataPolicy: None
+ property: ACCESS_SECRET_KEY
diff --git a/clusters/cl01tl/manifests/paperless-ngx/ExternalSecret-paperless-ngx-metadata-backup-secret-remote.yaml b/clusters/cl01tl/manifests/paperless-ngx/ExternalSecret-paperless-ngx-metadata-backup-secret-remote.yaml
new file mode 100644
index 000000000..d3f0cb682
--- /dev/null
+++ b/clusters/cl01tl/manifests/paperless-ngx/ExternalSecret-paperless-ngx-metadata-backup-secret-remote.yaml
@@ -0,0 +1,58 @@
+apiVersion: external-secrets.io/v1
+kind: ExternalSecret
+metadata:
+ name: paperless-ngx-metadata-backup-secret-remote
+ namespace: paperless-ngx
+ labels:
+ helm.sh/chart: volsync-target-media-0.8.0
+ app.kubernetes.io/instance: paperless-ngx
+ app.kubernetes.io/part-of: paperless-ngx
+ app.kubernetes.io/version: "0.8.0"
+ app.kubernetes.io/managed-by: Helm
+ app.kubernetes.io/name: paperless-ngx-metadata-backup-secret-remote
+spec:
+ secretStoreRef:
+ kind: ClusterSecretStore
+ name: vault
+ target:
+ template:
+ mergePolicy: Merge
+ engineVersion: v2
+ data:
+ RESTIC_REPOSITORY: "{{ .BUCKET_ENDPOINT }}/paperless-ngx/paperless-ngx-metadata"
+ data:
+ - secretKey: BUCKET_ENDPOINT
+ remoteRef:
+ conversionStrategy: Default
+ decodingStrategy: None
+ key: /volsync/restic/garage-remote
+ metadataPolicy: None
+ property: BUCKET_ENDPOINT
+ - secretKey: RESTIC_PASSWORD
+ remoteRef:
+ conversionStrategy: Default
+ decodingStrategy: None
+ key: /volsync/restic/garage-remote
+ metadataPolicy: None
+ property: RESTIC_PASSWORD
+ - secretKey: AWS_DEFAULT_REGION
+ remoteRef:
+ conversionStrategy: Default
+ decodingStrategy: None
+ key: /garage/home-infra/volsync-backups
+ metadataPolicy: None
+ property: ACCESS_REGION
+ - secretKey: AWS_ACCESS_KEY_ID
+ remoteRef:
+ conversionStrategy: Default
+ decodingStrategy: None
+ key: /garage/home-infra/volsync-backups
+ metadataPolicy: None
+ property: ACCESS_KEY_ID
+ - secretKey: AWS_SECRET_ACCESS_KEY
+ remoteRef:
+ conversionStrategy: Default
+ decodingStrategy: None
+ key: /garage/home-infra/volsync-backups
+ metadataPolicy: None
+ property: ACCESS_SECRET_KEY
diff --git a/clusters/cl01tl/manifests/paperless-ngx/ExternalSecret-paperless-ngx-oidc-secret.yaml b/clusters/cl01tl/manifests/paperless-ngx/ExternalSecret-paperless-ngx-oidc-secret.yaml
new file mode 100644
index 000000000..2441753e7
--- /dev/null
+++ b/clusters/cl01tl/manifests/paperless-ngx/ExternalSecret-paperless-ngx-oidc-secret.yaml
@@ -0,0 +1,26 @@
+apiVersion: external-secrets.io/v1
+kind: ExternalSecret
+metadata:
+ name: paperless-ngx-oidc-secret
+ namespace: paperless-ngx
+ labels:
+ app.kubernetes.io/name: paperless-ngx-oidc-secret
+ app.kubernetes.io/instance: paperless-ngx
+ app.kubernetes.io/part-of: paperless-ngx
+spec:
+ secretStoreRef:
+ kind: ClusterSecretStore
+ name: vault
+ data:
+ - secretKey: OIDC_CLIENT_ID
+ remoteRef:
+ key: /authentik/oidc/headlamp
+ property: client
+ - secretKey: OIDC_CLIENT_SECRET
+ remoteRef:
+ key: /authentik/oidc/headlamp
+ property: secret
+ - secretKey: PAPERLESS_SOCIALACCOUNT_PROVIDERS
+ remoteRef:
+ key: /authentik/oidc/headlamp
+ property: PAPERLESS_SOCIALACCOUNT_PROVIDERS
diff --git a/clusters/cl01tl/manifests/paperless-ngx/ExternalSecret-paperless-ngx-postgresql-18-backup-garage-local-secret.yaml b/clusters/cl01tl/manifests/paperless-ngx/ExternalSecret-paperless-ngx-postgresql-18-backup-garage-local-secret.yaml
new file mode 100644
index 000000000..48ee2cfb9
--- /dev/null
+++ b/clusters/cl01tl/manifests/paperless-ngx/ExternalSecret-paperless-ngx-postgresql-18-backup-garage-local-secret.yaml
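Review bot: All three `remoteRef.key` values in the `paperless-ngx-oidc-secret` ExternalSecret read `/authentik/oidc/headlamp`, a Vault entry named for a different application, while the Deployment's logout URL targets the authentik application `paperless-ngx`. This looks like a copy-paste leftover: either the sync fails because that entry has no `PAPERLESS_SOCIALACCOUNT_PROVIDERS` property, or paperless-ngx ends up holding another application's OIDC client secret. Point the keys at the entry for this application, e.g. `key: /authentik/oidc/<paperless-ngx-entry>` (placeholder; the real path is not on this page). The Deployment only consumes `PAPERLESS_SOCIALACCOUNT_PROVIDERS` from this secret, so `OIDC_CLIENT_ID` and `OIDC_CLIENT_SECRET` could be dropped to keep unused credentials out of the namespace.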
@@ -0,0 +1,38 @@
+apiVersion: external-secrets.io/v1
+kind: ExternalSecret
+metadata:
+ name: paperless-ngx-postgresql-18-backup-garage-local-secret
+ namespace: paperless-ngx
+ labels:
+ app.kubernetes.io/name: paperless-ngx-postgresql-18-backup-garage-local-secret
+ helm.sh/chart: postgres-18-cluster-7.11.0
+ app.kubernetes.io/instance: paperless-ngx
+ app.kubernetes.io/part-of: paperless-ngx
+ app.kubernetes.io/version: "7.11.0"
+ app.kubernetes.io/managed-by: Helm
+spec:
+ secretStoreRef:
+ kind: ClusterSecretStore
+ name: vault
+ data:
+ - secretKey: ACCESS_REGION
+ remoteRef:
+ conversionStrategy: Default
+ decodingStrategy: None
+ key: /garage/home-infra/postgres-backups
+ metadataPolicy: None
+ property: ACCESS_REGION
+ - secretKey: ACCESS_KEY_ID
+ remoteRef:
+ conversionStrategy: Default
+ decodingStrategy: None
+ key: /garage/home-infra/postgres-backups
+ metadataPolicy: None
+ property: ACCESS_KEY_ID
+ - secretKey: ACCESS_SECRET_KEY
+ remoteRef:
+ conversionStrategy: Default
+ decodingStrategy: None
+ key: /garage/home-infra/postgres-backups
+ metadataPolicy: None
+ property: ACCESS_SECRET_KEY
diff --git a/clusters/cl01tl/manifests/paperless-ngx/ExternalSecret-paperless-ngx-postgresql-18-recovery-secret.yaml b/clusters/cl01tl/manifests/paperless-ngx/ExternalSecret-paperless-ngx-postgresql-18-recovery-secret.yaml
new file mode 100644
index 000000000..a2f905e40
--- /dev/null
+++ b/clusters/cl01tl/manifests/paperless-ngx/ExternalSecret-paperless-ngx-postgresql-18-recovery-secret.yaml
@@ -0,0 +1,38 @@
+apiVersion: external-secrets.io/v1
+kind: ExternalSecret
+metadata:
+ name: paperless-ngx-postgresql-18-recovery-secret
+ namespace: paperless-ngx
+ labels:
+ helm.sh/chart: postgres-18-cluster-7.11.0
+ app.kubernetes.io/instance: paperless-ngx
+ app.kubernetes.io/part-of: paperless-ngx
+ app.kubernetes.io/version: "7.11.0"
+ app.kubernetes.io/managed-by: Helm
+ app.kubernetes.io/name: paperless-ngx-postgresql-18-recovery-secret
+spec:
+ secretStoreRef:
+ kind: ClusterSecretStore
+ name: vault
+ data:
+ - secretKey: ACCESS_REGION
+ remoteRef:
+ conversionStrategy: Default
+ decodingStrategy: None
+ key: /garage/home-infra/postgres-backups
+ metadataPolicy: None
+ property: ACCESS_REGION
+ - secretKey: ACCESS_KEY_ID
+ remoteRef:
+ conversionStrategy: Default
+ decodingStrategy: None
+ key: /garage/home-infra/postgres-backups
+ metadataPolicy: None
+ property: ACCESS_KEY_ID
+ - secretKey: ACCESS_SECRET_KEY
+ remoteRef:
+ conversionStrategy: Default
+ decodingStrategy: None
+ key: /garage/home-infra/postgres-backups
+ metadataPolicy: None
+ property: ACCESS_SECRET_KEY
diff --git a/clusters/cl01tl/manifests/paperless-ngx/ExternalSecret-paperless-ngx-secret.yaml b/clusters/cl01tl/manifests/paperless-ngx/ExternalSecret-paperless-ngx-secret.yaml
new file mode 100644
index 000000000..a336bda51
--- /dev/null
+++ b/clusters/cl01tl/manifests/paperless-ngx/ExternalSecret-paperless-ngx-secret.yaml
@@ -0,0 +1,26 @@
+apiVersion: external-secrets.io/v1
+kind: ExternalSecret
+metadata:
+ name: paperless-ngx-secret
+ namespace: paperless-ngx
+ labels:
+ app.kubernetes.io/name: paperless-ngx-secret
+ app.kubernetes.io/instance: paperless-ngx
+ app.kubernetes.io/part-of: paperless-ngx
+spec:
+ secretStoreRef:
+ kind: ClusterSecretStore
+ name: vault
+ data:
+ - secretKey: secret-key
+ remoteRef:
+ key: /cl01tl/paperless-ngx/secret
+ property: secret-key
+ - secretKey: admin-user
+ remoteRef:
+ key: /cl01tl/paperless-ngx/secret
+ property: admin-user
+ - secretKey: admin-password
+ remoteRef:
+ key: /cl01tl/paperless-ngx/secret
+ property: admin-password
diff --git a/clusters/cl01tl/manifests/paperless-ngx/HTTPRoute-paperless-ngx.yaml b/clusters/cl01tl/manifests/paperless-ngx/HTTPRoute-paperless-ngx.yaml
new file mode 100644
index 000000000..4dc7a4c9f
--- /dev/null
+++ b/clusters/cl01tl/manifests/paperless-ngx/HTTPRoute-paperless-ngx.yaml
@@ -0,0 +1,30 @@
+apiVersion: gateway.networking.k8s.io/v1
+kind: HTTPRoute
+metadata:
+ name: paperless-ngx
+ labels:
+ app.kubernetes.io/instance: paperless-ngx
+ app.kubernetes.io/managed-by: Helm
+ app.kubernetes.io/name: paperless-ngx
+ helm.sh/chart: paperless-ngx-4.6.2
+ namespace: paperless-ngx
+spec:
+ parentRefs:
+ - group: gateway.networking.k8s.io
+ kind: Gateway
+ name: traefik-gateway
+ namespace: traefik
+ hostnames:
+ - "paperless-ngx.alexlebens.net"
+ rules:
+ - backendRefs:
+ - group: ""
+ kind: Service
+ name: paperless-ngx
+ namespace: paperless-ngx
+ port: 80
+ weight: 1
+ matches:
+ - path:
+ type: PathPrefix
+ value: /
diff --git a/clusters/cl01tl/manifests/paperless-ngx/ObjectStore-paperless-ngx-postgresql-18-backup-garage-local.yaml b/clusters/cl01tl/manifests/paperless-ngx/ObjectStore-paperless-ngx-postgresql-18-backup-garage-local.yaml
new file mode 100644
index 000000000..6c90df926
--- /dev/null
+++ b/clusters/cl01tl/manifests/paperless-ngx/ObjectStore-paperless-ngx-postgresql-18-backup-garage-local.yaml
@@ -0,0 +1,33 @@
+apiVersion: barmancloud.cnpg.io/v1
+kind: ObjectStore
+metadata:
+ name: paperless-ngx-postgresql-18-backup-garage-local
+ namespace: paperless-ngx
+ labels:
+ app.kubernetes.io/name: paperless-ngx-postgresql-18-backup-garage-local
+ helm.sh/chart: postgres-18-cluster-7.11.0
+ app.kubernetes.io/instance: paperless-ngx
+ app.kubernetes.io/part-of: paperless-ngx
+ app.kubernetes.io/version: "7.11.0"
+ app.kubernetes.io/managed-by: Helm
+spec:
+ retentionPolicy: 7d
+ instanceSidecarConfiguration:
+ env:
+ - name: AWS_REQUEST_CHECKSUM_CALCULATION
+ value: when_required
+ - name: AWS_RESPONSE_CHECKSUM_VALIDATION
+ value: when_required
+ configuration:
+ destinationPath: s3://postgres-backups/cl01tl/paperless-ngx/paperless-ngx-postgresql-18-cluster
+ endpointURL: http://garage-main.garage:3900
+ s3Credentials:
+ accessKeyId:
+ name: paperless-ngx-postgresql-18-backup-garage-local-secret
+ key: ACCESS_KEY_ID
+ secretAccessKey:
+ name: paperless-ngx-postgresql-18-backup-garage-local-secret
+ key: ACCESS_SECRET_KEY
+ region:
+ name: paperless-ngx-postgresql-18-backup-garage-local-secret
+ key: ACCESS_REGION
diff --git a/clusters/cl01tl/manifests/paperless-ngx/ObjectStore-paperless-ngx-postgresql-18-recovery.yaml b/clusters/cl01tl/manifests/paperless-ngx/ObjectStore-paperless-ngx-postgresql-18-recovery.yaml
new file mode 100644
index 000000000..1ef0107b4
--- /dev/null
+++ b/clusters/cl01tl/manifests/paperless-ngx/ObjectStore-paperless-ngx-postgresql-18-recovery.yaml
@@ -0,0 +1,32 @@
+apiVersion: barmancloud.cnpg.io/v1
+kind: ObjectStore
+metadata:
+ name: "paperless-ngx-postgresql-18-recovery"
+ namespace: paperless-ngx
+ labels:
+ helm.sh/chart: postgres-18-cluster-7.11.0
+ app.kubernetes.io/instance: paperless-ngx
+ app.kubernetes.io/part-of: paperless-ngx
+ app.kubernetes.io/version: "7.11.0"
+ app.kubernetes.io/managed-by: Helm
+ app.kubernetes.io/name: "paperless-ngx-postgresql-18-recovery"
+spec:
+ configuration:
+ destinationPath: s3://postgres-backups/cl01tl/paperless-ngx/paperless-ngx-postgresql-18-cluster
+ endpointURL: http://garage-main.garage:3900
+ wal:
+ compression: snappy
+ maxParallel: 1
+ data:
+ compression: snappy
+ jobs: 1
+ s3Credentials:
+ accessKeyId:
+ name: paperless-ngx-postgresql-18-recovery-secret
+ key: ACCESS_KEY_ID
+ secretAccessKey:
+ name: paperless-ngx-postgresql-18-recovery-secret
+ key: ACCESS_SECRET_KEY
+ region:
+ name: paperless-ngx-postgresql-18-recovery-secret
+ key: ACCESS_REGION
diff --git a/clusters/cl01tl/manifests/paperless-ngx/PersistentVolumeClaim-paperless-ngx-consume.yaml b/clusters/cl01tl/manifests/paperless-ngx/PersistentVolumeClaim-paperless-ngx-consume.yaml
new file mode 100644
index 000000000..f2b3d2f72
--- /dev/null
+++ b/clusters/cl01tl/manifests/paperless-ngx/PersistentVolumeClaim-paperless-ngx-consume.yaml
@@ -0,0 +1,17 @@
+kind: PersistentVolumeClaim
+apiVersion: v1
+metadata:
+ name: paperless-ngx-consume
+ labels:
+ app.kubernetes.io/instance: paperless-ngx
+ app.kubernetes.io/managed-by: Helm
+ app.kubernetes.io/name: paperless-ngx
+ helm.sh/chart: paperless-ngx-4.6.2
+ namespace: paperless-ngx
+spec:
+ accessModes:
+ - "ReadWriteOnce"
+ resources:
+ requests:
+ storage: "2Gi"
+ storageClassName: "ceph-block"
diff --git a/clusters/cl01tl/manifests/paperless-ngx/PersistentVolumeClaim-paperless-ngx-data.yaml b/clusters/cl01tl/manifests/paperless-ngx/PersistentVolumeClaim-paperless-ngx-data.yaml
new file mode 100644
index 000000000..24a177f51
--- /dev/null
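Review bot: The recovery ObjectStore reads from the same `destinationPath` the backup store writes to, through its own secret `paperless-ngx-postgresql-18-recovery-secret`, and nothing in the diff shows how that key is scoped. A restore only needs read access, so the key behind this secret should be read-only on the `postgres-backups` bucket; a restore path that can also write or delete would let a compromised recovery job damage the only backups. This is worth a comment where the secret is defined, for example `# recovery key: read-only on postgres-backups`.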
+++ b/clusters/cl01tl/manifests/paperless-ngx/PersistentVolumeClaim-paperless-ngx-data.yaml
@@ -0,0 +1,17 @@
+kind: PersistentVolumeClaim
+apiVersion: v1
+metadata:
+ name: paperless-ngx-data
+ labels:
+ app.kubernetes.io/instance: paperless-ngx
+ app.kubernetes.io/managed-by: Helm
+ app.kubernetes.io/name: paperless-ngx
+ helm.sh/chart: paperless-ngx-4.6.2
+ namespace: paperless-ngx
+spec:
+ accessModes:
+ - "ReadWriteOnce"
+ resources:
+ requests:
+ storage: "2Gi"
+ storageClassName: "ceph-block"
diff --git a/clusters/cl01tl/manifests/paperless-ngx/PersistentVolumeClaim-paperless-ngx-export.yaml b/clusters/cl01tl/manifests/paperless-ngx/PersistentVolumeClaim-paperless-ngx-export.yaml
new file mode 100644
index 000000000..629af7354
--- /dev/null
+++ b/clusters/cl01tl/manifests/paperless-ngx/PersistentVolumeClaim-paperless-ngx-export.yaml
@@ -0,0 +1,17 @@
+kind: PersistentVolumeClaim
+apiVersion: v1
+metadata:
+ name: paperless-ngx-export
+ labels:
+ app.kubernetes.io/instance: paperless-ngx
+ app.kubernetes.io/managed-by: Helm
+ app.kubernetes.io/name: paperless-ngx
+ helm.sh/chart: paperless-ngx-4.6.2
+ namespace: paperless-ngx
+spec:
+ accessModes:
+ - "ReadWriteOnce"
+ resources:
+ requests:
+ storage: "2Gi"
+ storageClassName: "ceph-block"
diff --git a/clusters/cl01tl/manifests/paperless-ngx/PersistentVolumeClaim-paperless-ngx-media.yaml b/clusters/cl01tl/manifests/paperless-ngx/PersistentVolumeClaim-paperless-ngx-media.yaml
new file mode 100644
index 000000000..933a60cd2
--- /dev/null
+++ b/clusters/cl01tl/manifests/paperless-ngx/PersistentVolumeClaim-paperless-ngx-media.yaml
@@ -0,0 +1,17 @@
+kind: PersistentVolumeClaim
+apiVersion: v1
+metadata:
+ name: paperless-ngx-media
+ labels:
+ app.kubernetes.io/instance: paperless-ngx
+ app.kubernetes.io/managed-by: Helm
+ app.kubernetes.io/name: paperless-ngx
+ helm.sh/chart: paperless-ngx-4.6.2
+ namespace: paperless-ngx
+spec:
+ accessModes:
+ - "ReadWriteOnce"
+ resources:
+ requests:
+ storage: "10Gi"
+ storageClassName: "ceph-block"
diff --git a/clusters/cl01tl/manifests/paperless-ngx/PodMonitor-paperless-ngx-valkey.yaml b/clusters/cl01tl/manifests/paperless-ngx/PodMonitor-paperless-ngx-valkey.yaml
new file mode 100644
index 000000000..535ad8827
--- /dev/null
+++ b/clusters/cl01tl/manifests/paperless-ngx/PodMonitor-paperless-ngx-valkey.yaml
@@ -0,0 +1,23 @@
+apiVersion: monitoring.coreos.com/v1
+kind: PodMonitor
+metadata:
+ name: paperless-ngx-valkey
+ labels:
+ helm.sh/chart: valkey-0.9.3
+ app.kubernetes.io/name: valkey
+ app.kubernetes.io/instance: paperless-ngx
+ app.kubernetes.io/version: "9.0.3"
+ app.kubernetes.io/managed-by: Helm
+ app.kubernetes.io/part-of: valkey
+ app.kubernetes.io/component: podmonitor
+spec:
+ podMetricsEndpoints:
+ - port: metrics
+ interval: 30s
+ namespaceSelector:
+ matchNames:
+ - paperless-ngx
+ selector:
+ matchLabels:
+ app.kubernetes.io/name: valkey
+ app.kubernetes.io/instance: paperless-ngx
diff --git a/clusters/cl01tl/manifests/paperless-ngx/PrometheusRule-paperless-ngx-postgresql-18-alert-rules.yaml b/clusters/cl01tl/manifests/paperless-ngx/PrometheusRule-paperless-ngx-postgresql-18-alert-rules.yaml
new file mode 100644
index 000000000..ec5c1fd70
--- /dev/null
+++ b/clusters/cl01tl/manifests/paperless-ngx/PrometheusRule-paperless-ngx-postgresql-18-alert-rules.yaml
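Review bot: `metadata` of PodMonitor `paperless-ngx-valkey` carries no `namespace`, unlike the ExternalSecret, HTTPRoute and PVCs in this commit, which all pin `namespace: paperless-ngx`. The same omission appears in the Valkey PrometheusRule, the four Valkey Services, the ServiceAccount and the ServiceMonitor. Applied without a destination namespace from the deploy tool, these objects land wherever the client context points, so either add `namespace: paperless-ngx` to each or confirm that the GitOps application sets the namespace for this directory.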
@@ -0,0 +1,270 @@ +apiVersion: monitoring.coreos.com/v1 +kind: PrometheusRule +metadata: + name: paperless-ngx-postgresql-18-alert-rules + namespace: paperless-ngx + labels: + app.kubernetes.io/name: paperless-ngx-postgresql-18-alert-rules + helm.sh/chart: postgres-18-cluster-7.11.0 + app.kubernetes.io/instance: paperless-ngx + app.kubernetes.io/part-of: paperless-ngx + app.kubernetes.io/version: "7.11.0" + app.kubernetes.io/managed-by: Helm +spec: + groups: + - name: cloudnative-pg/paperless-ngx-postgresql-18 + rules: + - alert: CNPGClusterBackendsWaitingWarning + annotations: + summary: CNPG Cluster a backend is waiting for longer than 5 minutes. + description: |- + Pod {{ $labels.pod }} + has been waiting for longer than 5 minutes + expr: | + cnpg_backends_waiting_total{namespace="paperless-ngx"} > 300 + for: 1m + labels: + severity: warning + namespace: paperless-ngx + cnpg_cluster: paperless-ngx-postgresql-18-cluster + - alert: CNPGClusterDatabaseDeadlockConflictsWarning + annotations: + summary: CNPG Cluster has over 10 deadlock conflicts. + description: |- + There are over 10 deadlock conflicts in + {{ $labels.pod }} + expr: | + cnpg_pg_stat_database_deadlocks{namespace="paperless-ngx"} > 10 + for: 1m + labels: + severity: warning + namespace: paperless-ngx + cnpg_cluster: paperless-ngx-postgresql-18-cluster + - alert: CNPGClusterHACritical + annotations: + summary: CNPG Cluster has no standby replicas! + description: |- + CloudNativePG Cluster "{{`{{`}} $labels.job {{`}}`}}" has no ready standby replicas. Your cluster at a severe + risk of data loss and downtime if the primary instance fails. + + The primary instance is still online and able to serve queries, although connections to the `-ro` endpoint + will fail. The `-r` endpoint os operating at reduced capacity and all traffic is being served by the main. + + This can happen during a normal fail-over or automated minor version upgrades in a cluster with 2 or less + instances. 
The replaced instance may need some time to catch-up with the cluster primary instance. + + This alarm will be always trigger if your cluster is configured to run with only 1 instance. In this + case you may want to silence it. + runbook_url: https://github.com/cloudnative-pg/charts/blob/main/charts/cluster/docs/runbooks/CNPGClusterHACritical.md + expr: | + max by (job) (cnpg_pg_replication_streaming_replicas{namespace="paperless-ngx"} - cnpg_pg_replication_is_wal_receiver_up{namespace="paperless-ngx"}) < 1 + for: 5m + labels: + severity: critical + namespace: paperless-ngx + cnpg_cluster: paperless-ngx-postgresql-18-cluster + - alert: CNPGClusterHAWarning + annotations: + summary: CNPG Cluster less than 2 standby replicas. + description: |- + CloudNativePG Cluster "{{`{{`}} $labels.job {{`}}`}}" has only {{`{{`}} $value {{`}}`}} standby replicas, putting + your cluster at risk if another instance fails. The cluster is still able to operate normally, although + the `-ro` and `-r` endpoints operate at reduced capacity. + + This can happen during a normal fail-over or automated minor version upgrades. The replaced instance may + need some time to catch-up with the cluster primary instance. + + This alarm will be constantly triggered if your cluster is configured to run with less than 3 instances. + In this case you may want to silence it. + runbook_url: https://github.com/cloudnative-pg/charts/blob/main/charts/cluster/docs/runbooks/CNPGClusterHAWarning.md + expr: | + max by (job) (cnpg_pg_replication_streaming_replicas{namespace="paperless-ngx"} - cnpg_pg_replication_is_wal_receiver_up{namespace="paperless-ngx"}) < 2 + for: 5m + labels: + severity: warning + namespace: paperless-ngx + cnpg_cluster: paperless-ngx-postgresql-18-cluster + - alert: CNPGClusterHighConnectionsCritical + annotations: + summary: CNPG Instance maximum number of connections critical! 
+ description: |- + CloudNativePG Cluster "paperless-ngx/paperless-ngx-postgresql-18-cluster" instance {{`{{`}} $labels.pod {{`}}`}} is using {{`{{`}} $value {{`}}`}}% of + the maximum number of connections. + runbook_url: https://github.com/cloudnative-pg/charts/blob/main/charts/cluster/docs/runbooks/CNPGClusterHighConnectionsCritical.md + expr: | + sum by (pod) (cnpg_backends_total{namespace="paperless-ngx", pod=~"paperless-ngx-postgresql-18-cluster-([1-9][0-9]*)$"}) / max by (pod) (cnpg_pg_settings_setting{name="max_connections", namespace="paperless-ngx", pod=~"paperless-ngx-postgresql-18-cluster-([1-9][0-9]*)$"}) * 100 > 95 + for: 5m + labels: + severity: critical + namespace: paperless-ngx + cnpg_cluster: paperless-ngx-postgresql-18-cluster + - alert: CNPGClusterHighConnectionsWarning + annotations: + summary: CNPG Instance is approaching the maximum number of connections. + description: |- + CloudNativePG Cluster "paperless-ngx/paperless-ngx-postgresql-18-cluster" instance {{`{{`}} $labels.pod {{`}}`}} is using {{`{{`}} $value {{`}}`}}% of + the maximum number of connections. + runbook_url: https://github.com/cloudnative-pg/charts/blob/main/charts/cluster/docs/runbooks/CNPGClusterHighConnectionsWarning.md + expr: | + sum by (pod) (cnpg_backends_total{namespace="paperless-ngx", pod=~"paperless-ngx-postgresql-18-cluster-([1-9][0-9]*)$"}) / max by (pod) (cnpg_pg_settings_setting{name="max_connections", namespace="paperless-ngx", pod=~"paperless-ngx-postgresql-18-cluster-([1-9][0-9]*)$"}) * 100 > 80 + for: 5m + labels: + severity: warning + namespace: paperless-ngx + cnpg_cluster: paperless-ngx-postgresql-18-cluster + - alert: CNPGClusterHighReplicationLag + annotations: + summary: CNPG Cluster high replication lag + description: |- + CloudNativePG Cluster "paperless-ngx/paperless-ngx-postgresql-18-cluster" is experiencing a high replication lag of + {{`{{`}} $value {{`}}`}}ms. 
+ + High replication lag indicates network issues, busy instances, slow queries or suboptimal configuration. + runbook_url: https://github.com/cloudnative-pg/charts/blob/main/charts/cluster/docs/runbooks/CNPGClusterHighReplicationLag.md + expr: | + max(cnpg_pg_replication_lag{namespace="paperless-ngx",pod=~"paperless-ngx-postgresql-18-cluster-([1-9][0-9]*)$"}) * 1000 > 1000 + for: 5m + labels: + severity: warning + namespace: paperless-ngx + cnpg_cluster: paperless-ngx-postgresql-18-cluster + - alert: CNPGClusterInstancesOnSameNode + annotations: + summary: CNPG Cluster instances are located on the same node. + description: |- + CloudNativePG Cluster "paperless-ngx/paperless-ngx-postgresql-18-cluster" has {{`{{`}} $value {{`}}`}} + instances on the same node {{`{{`}} $labels.node {{`}}`}}. + + A failure or scheduled downtime of a single node will lead to a potential service disruption and/or data loss. + runbook_url: https://github.com/cloudnative-pg/charts/blob/main/charts/cluster/docs/runbooks/CNPGClusterInstancesOnSameNode.md + expr: | + count by (node) (kube_pod_info{namespace="paperless-ngx", pod=~"paperless-ngx-postgresql-18-cluster-([1-9][0-9]*)$"}) > 1 + for: 5m + labels: + severity: warning + namespace: paperless-ngx + cnpg_cluster: paperless-ngx-postgresql-18-cluster + - alert: CNPGClusterLongRunningTransactionWarning + annotations: + summary: CNPG Cluster query is taking longer than 5 minutes. + description: |- + CloudNativePG Cluster Pod {{ $labels.pod }} + is taking more than 5 minutes (300 seconds) for a query. + expr: |- + cnpg_backends_max_tx_duration_seconds{namespace="paperless-ngx"} > 300 + for: 1m + labels: + severity: warning + namespace: paperless-ngx + cnpg_cluster: paperless-ngx-postgresql-18-cluster + - alert: CNPGClusterLowDiskSpaceCritical + annotations: + summary: CNPG Instance is running out of disk space! 
+ description: |- + CloudNativePG Cluster "paperless-ngx/paperless-ngx-postgresql-18-cluster" is running extremely low on disk space. Check attached PVCs! + runbook_url: https://github.com/cloudnative-pg/charts/blob/main/charts/cluster/docs/runbooks/CNPGClusterLowDiskSpaceCritical.md + expr: | + max(max by(persistentvolumeclaim) (1 - kubelet_volume_stats_available_bytes{namespace="paperless-ngx", persistentvolumeclaim=~"paperless-ngx-postgresql-18-cluster-([1-9][0-9]*)$"} / kubelet_volume_stats_capacity_bytes{namespace="paperless-ngx", persistentvolumeclaim=~"paperless-ngx-postgresql-18-cluster-([1-9][0-9]*)$"})) > 0.9 OR + max(max by(persistentvolumeclaim) (1 - kubelet_volume_stats_available_bytes{namespace="paperless-ngx", persistentvolumeclaim=~"paperless-ngx-postgresql-18-cluster-([1-9][0-9]*)$-wal"} / kubelet_volume_stats_capacity_bytes{namespace="paperless-ngx", persistentvolumeclaim=~"paperless-ngx-postgresql-18-cluster-([1-9][0-9]*)$-wal"})) > 0.9 OR + max(sum by (namespace,persistentvolumeclaim) (kubelet_volume_stats_used_bytes{namespace="paperless-ngx", persistentvolumeclaim=~"paperless-ngx-postgresql-18-cluster-([1-9][0-9]*)$-tbs.*"}) + / + sum by (namespace,persistentvolumeclaim) (kubelet_volume_stats_capacity_bytes{namespace="paperless-ngx", persistentvolumeclaim=~"paperless-ngx-postgresql-18-cluster-([1-9][0-9]*)$-tbs.*"}) + * + on(namespace, persistentvolumeclaim) group_left(volume) + kube_pod_spec_volumes_persistentvolumeclaims_info{pod=~"paperless-ngx-postgresql-18-cluster-([1-9][0-9]*)$"} + ) > 0.9 + for: 5m + labels: + severity: critical + namespace: paperless-ngx + cnpg_cluster: paperless-ngx-postgresql-18-cluster + - alert: CNPGClusterLowDiskSpaceWarning + annotations: + summary: CNPG Instance is running out of disk space. + description: |- + CloudNativePG Cluster "paperless-ngx/paperless-ngx-postgresql-18-cluster" is running low on disk space. Check attached PVCs. 
+ runbook_url: https://github.com/cloudnative-pg/charts/blob/main/charts/cluster/docs/runbooks/CNPGClusterLowDiskSpaceWarning.md + expr: | + max(max by(persistentvolumeclaim) (1 - kubelet_volume_stats_available_bytes{namespace="paperless-ngx", persistentvolumeclaim=~"paperless-ngx-postgresql-18-cluster-([1-9][0-9]*)$"} / kubelet_volume_stats_capacity_bytes{namespace="paperless-ngx", persistentvolumeclaim=~"paperless-ngx-postgresql-18-cluster-([1-9][0-9]*)$"})) > 0.7 OR + max(max by(persistentvolumeclaim) (1 - kubelet_volume_stats_available_bytes{namespace="paperless-ngx", persistentvolumeclaim=~"paperless-ngx-postgresql-18-cluster-([1-9][0-9]*)$-wal"} / kubelet_volume_stats_capacity_bytes{namespace="paperless-ngx", persistentvolumeclaim=~"paperless-ngx-postgresql-18-cluster-([1-9][0-9]*)$-wal"})) > 0.7 OR + max(sum by (namespace,persistentvolumeclaim) (kubelet_volume_stats_used_bytes{namespace="paperless-ngx", persistentvolumeclaim=~"paperless-ngx-postgresql-18-cluster-([1-9][0-9]*)$-tbs.*"}) + / + sum by (namespace,persistentvolumeclaim) (kubelet_volume_stats_capacity_bytes{namespace="paperless-ngx", persistentvolumeclaim=~"paperless-ngx-postgresql-18-cluster-([1-9][0-9]*)$-tbs.*"}) + * + on(namespace, persistentvolumeclaim) group_left(volume) + kube_pod_spec_volumes_persistentvolumeclaims_info{pod=~"paperless-ngx-postgresql-18-cluster-([1-9][0-9]*)$"} + ) > 0.7 + for: 5m + labels: + severity: warning + namespace: paperless-ngx + cnpg_cluster: paperless-ngx-postgresql-18-cluster + - alert: CNPGClusterOffline + annotations: + summary: CNPG Cluster has no running instances! + description: |- + CloudNativePG Cluster "paperless-ngx/paperless-ngx-postgresql-18-cluster" has no ready instances. + + Having an offline cluster means your applications will not be able to access the database, leading to + potential service disruption and/or data loss. 
+ runbook_url: https://github.com/cloudnative-pg/charts/blob/main/charts/cluster/docs/runbooks/CNPGClusterOffline.md + expr: | + (count(cnpg_collector_up{namespace="paperless-ngx",pod=~"paperless-ngx-postgresql-18-cluster-([1-9][0-9]*)$"}) OR on() vector(0)) == 0 + for: 5m + labels: + severity: critical + namespace: paperless-ngx + cnpg_cluster: paperless-ngx-postgresql-18-cluster + - alert: CNPGClusterPGDatabaseXidAgeWarning + annotations: + summary: CNPG Cluster has a number of transactions from the frozen XID to the current one. + description: |- + Over 300,000,000 transactions from frozen xid + on pod {{ $labels.pod }} + expr: | + cnpg_pg_database_xid_age{namespace="paperless-ngx"} > 300000000 + for: 1m + labels: + severity: warning + namespace: paperless-ngx + cnpg_cluster: paperless-ngx-postgresql-18-cluster + - alert: CNPGClusterPGReplicationWarning + annotations: + summary: CNPG Cluster standby is lagging behind the primary. + description: |- + Standby is lagging behind by over 300 seconds (5 minutes) + expr: | + cnpg_pg_replication_lag{namespace="paperless-ngx"} > 300 + for: 1m + labels: + severity: warning + namespace: paperless-ngx + cnpg_cluster: paperless-ngx-postgresql-18-cluster + - alert: CNPGClusterReplicaFailingReplicationWarning + annotations: + summary: CNPG Cluster has a replica is failing to replicate. + description: |- + Replica {{ $labels.pod }} + is failing to replicate + expr: | + cnpg_pg_replication_in_recovery{namespace="paperless-ngx"} > cnpg_pg_replication_is_wal_receiver_up{namespace="paperless-ngx"} + for: 1m + labels: + severity: warning + namespace: paperless-ngx + cnpg_cluster: paperless-ngx-postgresql-18-cluster + - alert: CNPGClusterZoneSpreadWarning + annotations: + summary: CNPG Cluster instances in the same zone. + description: |- + CloudNativePG Cluster "paperless-ngx/paperless-ngx-postgresql-18-cluster" has instances in the same availability zone. 
+ + A disaster in one availability zone will lead to a potential service disruption and/or data loss. + runbook_url: https://github.com/cloudnative-pg/charts/blob/main/charts/cluster/docs/runbooks/CNPGClusterZoneSpreadWarning.md + expr: | + 3 > count(count by (label_topology_kubernetes_io_zone) (kube_pod_info{namespace="paperless-ngx", pod=~"paperless-ngx-postgresql-18-cluster-([1-9][0-9]*)$"} * on(node,instance) group_left(label_topology_kubernetes_io_zone) kube_node_labels)) < 3 + for: 5m + labels: + severity: warning + namespace: paperless-ngx + cnpg_cluster: paperless-ngx-postgresql-18-cluster diff --git a/clusters/cl01tl/manifests/paperless-ngx/PrometheusRule-paperless-ngx-valkey.yaml b/clusters/cl01tl/manifests/paperless-ngx/PrometheusRule-paperless-ngx-valkey.yaml new file mode 100644 index 000000000..8839c3863 --- /dev/null +++ b/clusters/cl01tl/manifests/paperless-ngx/PrometheusRule-paperless-ngx-valkey.yaml 
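Review bot: In `CNPGClusterLowDiskSpaceCritical` and `CNPGClusterLowDiskSpaceWarning` the WAL and tablespace selectors place `$` in the middle of the pattern (`...-cluster-([1-9][0-9]*)$-wal` and `...$-tbs.*`), which can never match, so only the main data PVC is watched and a full WAL volume would not raise either alert. Dropping the anchor, as in `persistentvolumeclaim=~"paperless-ngx-postgresql-18-cluster-([1-9][0-9]*)-wal"`, fixes it; Prometheus already anchors label regexes at both ends. Separately, the descriptions of `CNPGClusterHACritical`, `CNPGClusterHAWarning` and the later rules wrap `$labels.job`, `$labels.pod` and `$value` in the chart's backtick-escaped braces, which as far as I can tell Prometheus renders as the literal template text instead of the value; the plain `{{ $labels.pod }}` form used in `CNPGClusterBackendsWaitingWarning` is what is wanted. Both look like issues in the upstream chart, so the fix belongs in the chart or its values rather than in this rendered file.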
@@ -0,0 +1,47 @@
+apiVersion: monitoring.coreos.com/v1
+kind: PrometheusRule
+metadata:
+ name: paperless-ngx-valkey
+ labels:
+ helm.sh/chart: valkey-0.9.3
+ app.kubernetes.io/name: valkey
+ app.kubernetes.io/instance: paperless-ngx
+ app.kubernetes.io/version: "9.0.3"
+ app.kubernetes.io/managed-by: Helm
+ app.kubernetes.io/part-of: valkey
+spec:
+ groups:
+ - name: paperless-ngx-valkey
+ rules:
+ - alert: ValkeyDown
+ annotations:
+ description: Valkey instance {{ $labels.instance }} is down.
+ summary: Valkey instance {{ $labels.instance }} down
+ expr: |
+ redis_up{service="paperless-ngx-valkey-metrics"} == 0
+ for: 2m
+ labels:
+ severity: error
+ - alert: ValkeyMemoryHigh
+ annotations:
+ description: |
+ Valkey instance {{ $labels.instance }} is using {{ $value }}% of its available memory.
+ summary: Valkey instance {{ $labels.instance }} is using too much memory
+ expr: |
+ redis_memory_used_bytes{service="paperless-ngx-valkey-metrics"} * 100
+ /
+ redis_memory_max_bytes{service="paperless-ngx-valkey-metrics"}
+ > 90 <= 100
+ for: 2m
+ labels:
+ severity: error
+ - alert: ValkeyKeyEviction
+ annotations:
+ description: |
+ Valkey instance {{ $labels.instance }} has evicted {{ $value }} keys in the last 5 minutes.
+ summary: Valkey instance {{ $labels.instance }} has evicted keys
+ expr: |
+ increase(redis_evicted_keys_total{service="paperless-ngx-valkey-metrics"}[5m]) > 0
+ for: 1s
+ labels:
+ severity: error
diff --git a/clusters/cl01tl/manifests/paperless-ngx/ReplicationSource-paperless-ngx-data-backup-source-external.yaml b/clusters/cl01tl/manifests/paperless-ngx/ReplicationSource-paperless-ngx-data-backup-source-external.yaml
new file mode 100644
index 000000000..a7972488b
--- /dev/null
+++ b/clusters/cl01tl/manifests/paperless-ngx/ReplicationSource-paperless-ngx-data-backup-source-external.yaml
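Review bot: All three Valkey alerts carry `severity: error`, while the PostgreSQL rules added in the same commit use only `warning` and `critical`; if Alertmanager routing keys on those two values, the Valkey alerts would fall through to the default route or go unnoticed. Use `severity: critical` for `ValkeyDown` and `severity: warning` for the other two, or confirm that a route for `error` exists. `ValkeyMemoryHigh` also appears to stay silent when no memory limit is configured, since a zero `redis_memory_max_bytes` makes the ratio infinite and the `<= 100` bound filters it out; that may be intended, but it deserves a comment in the chart values.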
@@ -0,0 +1,29 @@
+apiVersion: volsync.backube/v1alpha1
+kind: ReplicationSource
+metadata:
+ name: paperless-ngx-data-backup-source-external
+ namespace: paperless-ngx
+ labels:
+ helm.sh/chart: volsync-target-export-0.8.0
+ app.kubernetes.io/instance: paperless-ngx
+ app.kubernetes.io/part-of: paperless-ngx
+ app.kubernetes.io/version: "0.8.0"
+ app.kubernetes.io/managed-by: Helm
+ app.kubernetes.io/name: paperless-ngx-data-backup
+spec:
+ sourcePVC: paperless-ngx-data
+ trigger:
+ schedule: 2 10 * * *
+ restic:
+ pruneIntervalDays: 7
+ repository: paperless-ngx-data-backup-secret-external
+ retain:
+ daily: 7
+ hourly: 0
+ monthly: 3
+ weekly: 4
+ yearly: 1
+ copyMethod: Snapshot
+ storageClassName: ceph-block
+ volumeSnapshotClassName: ceph-blockpool-snapshot
+ cacheCapacity: 1Gi
diff --git a/clusters/cl01tl/manifests/paperless-ngx/ReplicationSource-paperless-ngx-data-backup-source-local.yaml b/clusters/cl01tl/manifests/paperless-ngx/ReplicationSource-paperless-ngx-data-backup-source-local.yaml
new file mode 100644
index 000000000..968ce56d3
--- /dev/null
+++ b/clusters/cl01tl/manifests/paperless-ngx/ReplicationSource-paperless-ngx-data-backup-source-local.yaml
@@ -0,0 +1,29 @@
+apiVersion: volsync.backube/v1alpha1
+kind: ReplicationSource
+metadata:
+ name: paperless-ngx-data-backup-source-local
+ namespace: paperless-ngx
+ labels:
+ helm.sh/chart: volsync-target-export-0.8.0
+ app.kubernetes.io/instance: paperless-ngx
+ app.kubernetes.io/part-of: paperless-ngx
+ app.kubernetes.io/version: "0.8.0"
+ app.kubernetes.io/managed-by: Helm
+ app.kubernetes.io/name: paperless-ngx-data-backup
+spec:
+ sourcePVC: paperless-ngx-data
+ trigger:
+ schedule: 2 8 * * *
+ restic:
+ pruneIntervalDays: 7
+ repository: paperless-ngx-data-backup-secret-local
+ retain:
+ daily: 7
+ hourly: 0
+ monthly: 3
+ weekly: 4
+ yearly: 1
+ copyMethod: Snapshot
+ storageClassName: ceph-block
+ volumeSnapshotClassName: ceph-blockpool-snapshot
+ cacheCapacity: 1Gi
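Review bot: The `restic` block of `paperless-ngx-data-backup-source-external` sets no `moverSecurityContext`, so the backup mover runs with VolSync's defaults, which may not match the UID and GID that own the files on `paperless-ngx-data`. The usual outcomes are either a backup that silently skips unreadable files or a namespace that has to allow privileged movers to compensate. Setting `moverSecurityContext: {runAsUser: <app-uid>, runAsGroup: <app-gid>, fsGroup: <app-gid>}` (placeholders; the application's IDs are not on this page) keeps the mover unprivileged and able to read everything. The `-local` and `-remote` data sources and the three metadata sources have the same gap.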
diff --git a/clusters/cl01tl/manifests/paperless-ngx/ReplicationSource-paperless-ngx-data-backup-source-remote.yaml b/clusters/cl01tl/manifests/paperless-ngx/ReplicationSource-paperless-ngx-data-backup-source-remote.yaml
new file mode 100644
index 000000000..83f99dfc8
--- /dev/null
+++ b/clusters/cl01tl/manifests/paperless-ngx/ReplicationSource-paperless-ngx-data-backup-source-remote.yaml
@@ -0,0 +1,29 @@
+apiVersion: volsync.backube/v1alpha1
+kind: ReplicationSource
+metadata:
+ name: paperless-ngx-data-backup-source-remote
+ namespace: paperless-ngx
+ labels:
+ helm.sh/chart: volsync-target-export-0.8.0
+ app.kubernetes.io/instance: paperless-ngx
+ app.kubernetes.io/part-of: paperless-ngx
+ app.kubernetes.io/version: "0.8.0"
+ app.kubernetes.io/managed-by: Helm
+ app.kubernetes.io/name: paperless-ngx-data-backup
+spec:
+ sourcePVC: paperless-ngx-data
+ trigger:
+ schedule: 2 9 * * *
+ restic:
+ pruneIntervalDays: 7
+ repository: paperless-ngx-data-backup-secret-remote
+ retain:
+ daily: 7
+ hourly: 0
+ monthly: 3
+ weekly: 4
+ yearly: 1
+ copyMethod: Snapshot
+ storageClassName: ceph-block
+ volumeSnapshotClassName: ceph-blockpool-snapshot
+ cacheCapacity: 1Gi
diff --git a/clusters/cl01tl/manifests/paperless-ngx/ReplicationSource-paperless-ngx-metadata-backup-source-external.yaml b/clusters/cl01tl/manifests/paperless-ngx/ReplicationSource-paperless-ngx-metadata-backup-source-external.yaml
new file mode 100644
index 000000000..ed1a6a0ad
--- /dev/null
+++ b/clusters/cl01tl/manifests/paperless-ngx/ReplicationSource-paperless-ngx-metadata-backup-source-external.yaml
@@ -0,0 +1,29 @@
+apiVersion: volsync.backube/v1alpha1
+kind: ReplicationSource
+metadata:
+ name: paperless-ngx-metadata-backup-source-external
+ namespace: paperless-ngx
+ labels:
+ helm.sh/chart: volsync-target-media-0.8.0
+ app.kubernetes.io/instance: paperless-ngx
+ app.kubernetes.io/part-of: paperless-ngx
+ app.kubernetes.io/version: "0.8.0"
+ app.kubernetes.io/managed-by: Helm
+ app.kubernetes.io/name: paperless-ngx-metadata-backup
+spec:
+ sourcePVC: paperless-ngx-metadata
+ trigger:
+ schedule: 4 10 * * *
+ restic:
+ pruneIntervalDays: 7
+ repository: paperless-ngx-metadata-backup-secret-external
+ retain:
+ daily: 7
+ hourly: 0
+ monthly: 3
+ weekly: 4
+ yearly: 1
+ copyMethod: Snapshot
+ storageClassName: ceph-block
+ volumeSnapshotClassName: ceph-blockpool-snapshot
+ cacheCapacity: 1Gi
diff --git a/clusters/cl01tl/manifests/paperless-ngx/ReplicationSource-paperless-ngx-metadata-backup-source-local.yaml b/clusters/cl01tl/manifests/paperless-ngx/ReplicationSource-paperless-ngx-metadata-backup-source-local.yaml
new file mode 100644
index 000000000..f8332b51b
--- /dev/null
+++ b/clusters/cl01tl/manifests/paperless-ngx/ReplicationSource-paperless-ngx-metadata-backup-source-local.yaml
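Review bot: `sourcePVC: paperless-ngx-metadata` does not match any claim this commit creates: the PVC manifests added are `paperless-ngx-consume`, `-data`, `-export` and `-media`, and the file list goes from the media PVC straight to the PodMonitor. As written, the three metadata ReplicationSources (this one, `-local` and `-remote`) would wait on a claim that does not exist, while `paperless-ngx-media`, the 10Gi volume that presumably holds the documents, has no backup source at all. The chart label `volsync-target-media-0.8.0` suggests media was the intended target, in which case all three need `sourcePVC: paperless-ngx-media`. If a metadata claim is created elsewhere, for example by a volumeClaimTemplate outside this part of the diff, media still needs its own ReplicationSource.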
@@ -0,0 +1,29 @@
+apiVersion: volsync.backube/v1alpha1
+kind: ReplicationSource
+metadata:
+ name: paperless-ngx-metadata-backup-source-local
+ namespace: paperless-ngx
+ labels:
+ helm.sh/chart: volsync-target-media-0.8.0
+ app.kubernetes.io/instance: paperless-ngx
+ app.kubernetes.io/part-of: paperless-ngx
+ app.kubernetes.io/version: "0.8.0"
+ app.kubernetes.io/managed-by: Helm
+ app.kubernetes.io/name: paperless-ngx-metadata-backup
+spec:
+ sourcePVC: paperless-ngx-metadata
+ trigger:
+ schedule: 4 8 * * *
+ restic:
+ pruneIntervalDays: 7
+ repository: paperless-ngx-metadata-backup-secret-local
+ retain:
+ daily: 7
+ hourly: 0
+ monthly: 3
+ weekly: 4
+ yearly: 1
+ copyMethod: Snapshot
+ storageClassName: ceph-block
+ volumeSnapshotClassName: ceph-blockpool-snapshot
+ cacheCapacity: 1Gi
diff --git a/clusters/cl01tl/manifests/paperless-ngx/ReplicationSource-paperless-ngx-metadata-backup-source-remote.yaml b/clusters/cl01tl/manifests/paperless-ngx/ReplicationSource-paperless-ngx-metadata-backup-source-remote.yaml
new file mode 100644
index 000000000..0ac032128
--- /dev/null
+++ b/clusters/cl01tl/manifests/paperless-ngx/ReplicationSource-paperless-ngx-metadata-backup-source-remote.yaml
@@ -0,0 +1,29 @@
+apiVersion: volsync.backube/v1alpha1
+kind: ReplicationSource
+metadata:
+ name: paperless-ngx-metadata-backup-source-remote
+ namespace: paperless-ngx
+ labels:
+ helm.sh/chart: volsync-target-media-0.8.0
+ app.kubernetes.io/instance: paperless-ngx
+ app.kubernetes.io/part-of: paperless-ngx
+ app.kubernetes.io/version: "0.8.0"
+ app.kubernetes.io/managed-by: Helm
+ app.kubernetes.io/name: paperless-ngx-metadata-backup
+spec:
+ sourcePVC: paperless-ngx-metadata
+ trigger:
+ schedule: 4 9 * * *
+ restic:
+ pruneIntervalDays: 7
+ repository: paperless-ngx-metadata-backup-secret-remote
+ retain:
+ daily: 7
+ hourly: 0
+ monthly: 3
+ weekly: 4
+ yearly: 1
+ copyMethod: Snapshot
+ storageClassName: ceph-block
+ volumeSnapshotClassName: ceph-blockpool-snapshot
+ cacheCapacity: 1Gi
diff --git a/clusters/cl01tl/manifests/paperless-ngx/ScheduledBackup-paperless-ngx-postgresql-18-scheduled-backup-live-backup.yaml b/clusters/cl01tl/manifests/paperless-ngx/ScheduledBackup-paperless-ngx-postgresql-18-scheduled-backup-live-backup.yaml
new file mode 100644
index 000000000..c0c665246
--- /dev/null
+++ b/clusters/cl01tl/manifests/paperless-ngx/ScheduledBackup-paperless-ngx-postgresql-18-scheduled-backup-live-backup.yaml
@@ -0,0 +1,24 @@
+apiVersion: postgresql.cnpg.io/v1
+kind: ScheduledBackup
+metadata:
+ name: "paperless-ngx-postgresql-18-scheduled-backup-live-backup"
+ namespace: paperless-ngx
+ labels:
+ app.kubernetes.io/name: "paperless-ngx-postgresql-18-scheduled-backup-live-backup"
+ helm.sh/chart: postgres-18-cluster-7.11.0
+ app.kubernetes.io/instance: paperless-ngx
+ app.kubernetes.io/part-of: paperless-ngx
+ app.kubernetes.io/version: "7.11.0"
+ app.kubernetes.io/managed-by: Helm
+spec:
+ immediate: true
+ suspend: false
+ schedule: "0 15 15 * * *"
+ backupOwnerReference: self
+ cluster:
+ name: paperless-ngx-postgresql-18-cluster
+ method: plugin
+ pluginConfiguration:
+ name: barman-cloud.cloudnative-pg.io
+ parameters:
+ barmanObjectName: "paperless-ngx-postgresql-18-backup-garage-local"
diff --git a/clusters/cl01tl/manifests/paperless-ngx/Service-paperless-ngx-valkey-headless.yaml b/clusters/cl01tl/manifests/paperless-ngx/Service-paperless-ngx-valkey-headless.yaml
new file mode 100644
index 000000000..efdd94614
--- /dev/null
+++ b/clusters/cl01tl/manifests/paperless-ngx/Service-paperless-ngx-valkey-headless.yaml
@@ -0,0 +1,23 @@
+apiVersion: v1
+kind: Service
+metadata:
+ name: paperless-ngx-valkey-headless
+ labels:
+ helm.sh/chart: valkey-0.9.3
+ app.kubernetes.io/name: valkey
+ app.kubernetes.io/instance: paperless-ngx
+ app.kubernetes.io/version: "9.0.3"
+ app.kubernetes.io/managed-by: Helm
+ app.kubernetes.io/component: headless
+spec:
+ type: ClusterIP
+ clusterIP: None
+ publishNotReadyAddresses: true
+ ports:
+ - name: tcp
+ port: 6379
+ targetPort: tcp
+ protocol: TCP
+ selector:
+ app.kubernetes.io/name: valkey
+ app.kubernetes.io/instance: paperless-ngx
diff --git a/clusters/cl01tl/manifests/paperless-ngx/Service-paperless-ngx-valkey-metrics.yaml b/clusters/cl01tl/manifests/paperless-ngx/Service-paperless-ngx-valkey-metrics.yaml
new file mode 100644
index 000000000..ba7622b75
--- /dev/null
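Review bot: The Valkey Services (`paperless-ngx-valkey-headless` here, then `-read` and the primary `paperless-ngx-valkey`) publish port 6379 inside the cluster, and no NetworkPolicy appears among the manifests added in the visible part of this commit, so any pod that can resolve the Service can connect. Whether Valkey requires a password is decided in the StatefulSet, which lies outside this part of the diff. If it does not, add a NetworkPolicy in `paperless-ngx` that admits 6379 only from the paperless-ngx pods and 9121 only from Prometheus. `publishNotReadyAddresses: true` on the headless Service also publishes pods before their readiness probe passes, which is normal for peer discovery but should be kept in mind when writing that policy.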
+++ b/clusters/cl01tl/manifests/paperless-ngx/Service-paperless-ngx-valkey-metrics.yaml
@@ -0,0 +1,23 @@
+apiVersion: v1
+kind: Service
+metadata:
+ name: paperless-ngx-valkey-metrics
+ labels:
+ helm.sh/chart: valkey-0.9.3
+ app.kubernetes.io/name: valkey
+ app.kubernetes.io/instance: paperless-ngx
+ app.kubernetes.io/version: "9.0.3"
+ app.kubernetes.io/managed-by: Helm
+ app.kubernetes.io/component: metrics
+ app.kubernetes.io/part-of: valkey
+ annotations:
+spec:
+ type: ClusterIP
+ ports:
+ - name: metrics
+ port: 9121
+ protocol: TCP
+ targetPort: metrics
+ selector:
+ app.kubernetes.io/name: valkey
+ app.kubernetes.io/instance: paperless-ngx
diff --git a/clusters/cl01tl/manifests/paperless-ngx/Service-paperless-ngx-valkey-read.yaml b/clusters/cl01tl/manifests/paperless-ngx/Service-paperless-ngx-valkey-read.yaml
new file mode 100644
index 000000000..7c87418c9
--- /dev/null
+++ b/clusters/cl01tl/manifests/paperless-ngx/Service-paperless-ngx-valkey-read.yaml
@@ -0,0 +1,21 @@
+apiVersion: v1
+kind: Service
+metadata:
+ name: paperless-ngx-valkey-read
+ labels:
+ helm.sh/chart: valkey-0.9.3
+ app.kubernetes.io/name: valkey
+ app.kubernetes.io/instance: paperless-ngx
+ app.kubernetes.io/version: "9.0.3"
+ app.kubernetes.io/managed-by: Helm
+ app.kubernetes.io/component: read
+spec:
+ type: ClusterIP
+ ports:
+ - name: tcp
+ port: 6379
+ targetPort: tcp
+ protocol: TCP
+ selector:
+ app.kubernetes.io/name: valkey
+ app.kubernetes.io/instance: paperless-ngx
diff --git a/clusters/cl01tl/manifests/paperless-ngx/Service-paperless-ngx-valkey.yaml b/clusters/cl01tl/manifests/paperless-ngx/Service-paperless-ngx-valkey.yaml
new file mode 100644
index 000000000..0d0a6f039
--- /dev/null
+++ b/clusters/cl01tl/manifests/paperless-ngx/Service-paperless-ngx-valkey.yaml
@@ -0,0 +1,22 @@
+apiVersion: v1
+kind: Service
+metadata:
+ name: paperless-ngx-valkey
+ labels:
+ helm.sh/chart: valkey-0.9.3
+ app.kubernetes.io/name: valkey
+ app.kubernetes.io/instance: paperless-ngx
+ app.kubernetes.io/version: "9.0.3"
+ app.kubernetes.io/managed-by: Helm
+ app.kubernetes.io/component: primary
+spec:
+ type: ClusterIP
+ ports:
+ - port: 6379
+ targetPort: tcp
+ protocol: TCP
+ name: tcp
+ selector:
+ app.kubernetes.io/name: valkey
+ app.kubernetes.io/instance: paperless-ngx
+ statefulset.kubernetes.io/pod-name: paperless-ngx-valkey-0
diff --git a/clusters/cl01tl/manifests/paperless-ngx/Service-paperless-ngx.yaml b/clusters/cl01tl/manifests/paperless-ngx/Service-paperless-ngx.yaml
new file mode 100644
index 000000000..35797c034
--- /dev/null
+++ b/clusters/cl01tl/manifests/paperless-ngx/Service-paperless-ngx.yaml
@@ -0,0 +1,22 @@
+apiVersion: v1
+kind: Service
+metadata:
+ name: paperless-ngx
+ labels:
+ app.kubernetes.io/instance: paperless-ngx
+ app.kubernetes.io/managed-by: Helm
+ app.kubernetes.io/name: paperless-ngx
+ app.kubernetes.io/service: paperless-ngx
+ helm.sh/chart: paperless-ngx-4.6.2
+ namespace: paperless-ngx
+spec:
+ type: ClusterIP
+ ports:
+ - port: 80
+ targetPort: 8000
+ protocol: TCP
+ name: http
+ selector:
+ app.kubernetes.io/controller: main
+ app.kubernetes.io/instance: paperless-ngx
+ app.kubernetes.io/name: paperless-ngx
diff --git a/clusters/cl01tl/manifests/paperless-ngx/ServiceAccount-paperless-ngx-valkey.yaml b/clusters/cl01tl/manifests/paperless-ngx/ServiceAccount-paperless-ngx-valkey.yaml
new file mode 100644
index 000000000..481d2dfcc
--- /dev/null
+++ b/clusters/cl01tl/manifests/paperless-ngx/ServiceAccount-paperless-ngx-valkey.yaml
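Review bot: Service-paperless-ngx-valkey.yaml makes port 6379 reachable from any pod in the cluster, and nothing visible on this page restricts who may connect. No NetworkPolicy appears among these manifests, and whether the valkey.conf written by the init script (not shown) sets `requirepass` or ACL users cannot be determined from here. The headless and read Services in the same commit expose the same port. Unless authentication is configured elsewhere, consider adding a NetworkPolicy in the `paperless-ngx` namespace that admits ingress on 6379 only from the paperless-ngx pods and on 9121 only from the monitoring stack, and enabling valkey authentication through the chart values.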
@@ -0,0 +1,11 @@
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+ name: paperless-ngx-valkey
+ labels:
+ helm.sh/chart: valkey-0.9.3
+ app.kubernetes.io/name: valkey
+ app.kubernetes.io/instance: paperless-ngx
+ app.kubernetes.io/version: "9.0.3"
+ app.kubernetes.io/managed-by: Helm
+automountServiceAccountToken: false
diff --git a/clusters/cl01tl/manifests/paperless-ngx/ServiceMonitor-paperless-ngx-valkey.yaml b/clusters/cl01tl/manifests/paperless-ngx/ServiceMonitor-paperless-ngx-valkey.yaml
new file mode 100644
index 000000000..1aad6e265
--- /dev/null
+++ b/clusters/cl01tl/manifests/paperless-ngx/ServiceMonitor-paperless-ngx-valkey.yaml
@@ -0,0 +1,24 @@
+apiVersion: monitoring.coreos.com/v1
+kind: ServiceMonitor
+metadata:
+ name: paperless-ngx-valkey
+ labels:
+ helm.sh/chart: valkey-0.9.3
+ app.kubernetes.io/name: valkey
+ app.kubernetes.io/instance: paperless-ngx
+ app.kubernetes.io/version: "9.0.3"
+ app.kubernetes.io/managed-by: Helm
+ app.kubernetes.io/part-of: valkey
+ app.kubernetes.io/component: service-monitor
+spec:
+ endpoints:
+ - port: metrics
+ interval: 30s
+ namespaceSelector:
+ matchNames:
+ - paperless-ngx
+ selector:
+ matchLabels:
+ app.kubernetes.io/name: valkey
+ app.kubernetes.io/instance: paperless-ngx
+ app.kubernetes.io/component: metrics
diff --git a/clusters/cl01tl/manifests/paperless-ngx/StatefulSet-paperless-ngx-valkey.yaml b/clusters/cl01tl/manifests/paperless-ngx/StatefulSet-paperless-ngx-valkey.yaml
new file mode 100644
index 000000000..1a31060a6
--- /dev/null
+++ b/clusters/cl01tl/manifests/paperless-ngx/StatefulSet-paperless-ngx-valkey.yaml
@@ -0,0 +1,129 @@
+apiVersion: apps/v1
+kind: StatefulSet
+metadata:
+ name: paperless-ngx-valkey
+ labels:
+ helm.sh/chart: valkey-0.9.3
+ app.kubernetes.io/name: valkey
+ app.kubernetes.io/instance: paperless-ngx
+ app.kubernetes.io/version: "9.0.3"
+ app.kubernetes.io/managed-by: Helm
+spec:
+ serviceName: paperless-ngx-valkey-headless
+ replicas: 3
+ podManagementPolicy: OrderedReady
+ selector:
+ matchLabels:
+ app.kubernetes.io/name: valkey
+ app.kubernetes.io/instance: paperless-ngx
+ volumeClaimTemplates:
+ - metadata:
+ name: valkey-data
+ spec:
+ accessModes:
+ - ReadWriteOnce
+ storageClassName: "ceph-block"
+ resources:
+ requests:
+ storage: "1Gi"
+ template:
+ metadata:
+ labels:
+ app.kubernetes.io/name: valkey
+ app.kubernetes.io/instance: paperless-ngx
+ annotations:
+ checksum/initconfig: "a1d6929543a3ab299e8e2250e7b7375b"
+ spec:
+ automountServiceAccountToken: false
+ serviceAccountName: paperless-ngx-valkey
+ securityContext:
+ fsGroup: 1000
+ runAsGroup: 1000
+ runAsUser: 1000
+ initContainers:
+ - name: paperless-ngx-valkey-init
+ image: docker.io/valkey/valkey:9.0.3
+ imagePullPolicy: IfNotPresent
+ securityContext:
+ capabilities:
+ drop:
+ - ALL
+ readOnlyRootFilesystem: true
+ runAsNonRoot: true
+ runAsUser: 1000
+ command: ["/scripts/init.sh"]
+ env:
+ - name: POD_INDEX
+ valueFrom:
+ fieldRef:
+ fieldPath: metadata.labels['apps.kubernetes.io/pod-index']
+ volumeMounts:
+ - name: valkey-data
+ mountPath: /data
+ - name: scripts
+ mountPath: /scripts
+ containers:
+ - name: paperless-ngx-valkey
+ image: docker.io/valkey/valkey:9.0.3
+ imagePullPolicy: IfNotPresent
+ command: ["valkey-server"]
+ args: ["/data/conf/valkey.conf"]
+ securityContext:
+ capabilities:
+ drop:
+ - ALL
+ readOnlyRootFilesystem: true
+ runAsNonRoot: true
+ runAsUser: 1000
+ env:
+ - name: POD_INDEX
+ valueFrom:
+ fieldRef:
+ fieldPath: metadata.labels['apps.kubernetes.io/pod-index']
+ - name: VALKEY_LOGLEVEL
+ value: "notice"
+ ports:
+ - name: tcp
+ containerPort:
6379
+ protocol: TCP
+ startupProbe:
+ exec:
+ command: ["sh", "-c", "valkey-cli ping"]
+ livenessProbe:
+ exec:
+ command: ["sh", "-c", "valkey-cli ping"]
+ resources:
+ requests:
+ cpu: 10m
+ memory: 20Mi
+ volumeMounts:
+ - name: valkey-data
+ mountPath: /data
+ - name: metrics
+ image: ghcr.io/oliver006/redis_exporter:v1.82.0
+ imagePullPolicy: "IfNotPresent"
+ ports:
+ - name: metrics
+ containerPort: 9121
+ startupProbe:
+ tcpSocket:
+ port: metrics
+ livenessProbe:
+ tcpSocket:
+ port: metrics
+ readinessProbe:
+ httpGet:
+ path: /
+ port: metrics
+ resources:
+ requests:
+ cpu: 1m
+ memory: 10M
+ env:
+ - name: REDIS_ALIAS
+ value: paperless-ngx-valkey
+ volumes:
+ - name: scripts
+ configMap:
+ name: paperless-ngx-valkey-init-scripts
+ defaultMode: 0555
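Review bot: The `metrics` sidecar in StatefulSet-paperless-ngx-valkey.yaml has no container-level `securityContext`, so unlike the init and valkey containers it keeps the runtime's default capabilities and a writable root filesystem; only the pod-level UID/GID 1000 applies to it. Give it the same hardening block as its siblings. None of the three containers sets `allowPrivilegeEscalation: false`, and no `seccompProfile` is set at pod level, so add both while you are there. The exporter should run with a read-only root filesystem, but confirm that it starts cleanly. The manifest looks chart-rendered, so the change probably belongs in the valkey chart's exporter values.

```yaml
        - name: metrics
          image: ghcr.io/oliver006/redis_exporter:v1.82.0
          securityContext:
            allowPrivilegeEscalation: false
            capabilities:
              drop:
                - ALL
            readOnlyRootFilesystem: true
            runAsNonRoot: true
            runAsUser: 1000
          # … unchanged: imagePullPolicy, ports, probes, resources, env …
```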