feat(mycloud-paperless): add paperless-ngx

2025-02-23 13:29:27 +01:00 · 2025-02-23 13:29:27 +01:00 · 3424660b8b
commit 3424660b8b
parent 50d4fad2a3
10 changed files with 612 additions and 0 deletions
--- a/base-values/mycloud-paperless.yaml
+++ b/base-values/mycloud-paperless.yaml
@ -0,0 +1,17 @@
+##
+# commons are from mycloud-core
+##
+
+components:
+  mycloud-services:
+    # patch mycloud-core to get another database
+    values:
+      databases:
+        paperless:
+          type: postgresql
+
+  mycloud-paperless:
+    enabled: true
+    namespace:
+      # current namespace
+      name:
--- a/mycloud-paperless/.helmignore
+++ b/mycloud-paperless/.helmignore
@ -0,0 +1,23 @@
+# Patterns to ignore when building packages.
+# This supports shell glob matching, relative path matching, and
+# negation (prefixed with !). Only one pattern per line.
+.DS_Store
+# Common VCS dirs
+.git/
+.gitignore
+.bzr/
+.bzrignore
+.hg/
+.hgignore
+.svn/
+# Common backup files
+*.swp
+*.bak
+*.tmp
+*.orig
+*~
+# Various IDEs
+.project
+.idea/
+*.tmproj
+.vscode/
--- a/mycloud-paperless/Chart.yaml
+++ b/mycloud-paperless/Chart.yaml
@ -0,0 +1,9 @@
+apiVersion: v2
+name: mycloud-paperless
+description: A Helm chart for Kubernetes
+type: application
+maintainers:
+  - name: WrenIX
+    url: https://wrenix.eu
+
+version: 0.1.0
--- a/mycloud-paperless/README.md
+++ b/mycloud-paperless/README.md
@ -0,0 +1,117 @@
+---
+title: "mycloud-paperless"
+
+description: "A Helm chart for Kubernetes"
+
+---
+
+# mycloud-paperless
+
+![Version: 0.1.0](https://img.shields.io/badge/Version-0.1.0-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square)
+
+A Helm chart for Kubernetes
+
+## Maintainers
+
+| Name | Email | Url |
+| ---- | ------ | --- |
+| WrenIX |  | <https://wrenix.eu> |
+
+## Values
+
+### Commons
+
+| Key | Type | Default | Description |
+|-----|------|---------|-------------|
+| commons.auth.host | string | `nil` | default auth.(.Values.commons.ingress.domain) |
+| commons.masterPassword | string | `"CHANGEME"` | masterPassword to generate secrets |
+
+### Commons Monitoring
+
+| Key | Type | Default | Description |
+|-----|------|---------|-------------|
+| commons.grafana.dashboards.annotations | object | `{}` | annotations of grafana dashboard configmap |
+| commons.grafana.dashboards.labels | object | `{}` | labels of grafana dashboard configmap |
+| commons.prometheus.monitor.labels | object | `{}` | labels on Pod- and Service-Monitor |
+| commons.prometheus.rules.labels | object | `{}` | labels on PrometheusRules |
+
+### Commons helm release
+
+| Key | Type | Default | Description |
+|-----|------|---------|-------------|
+| commons.helm.release.driftDetection | object | `{}` | driftDetection of FluxCD HelmRelease |
+| commons.helm.release.install | object | `{}` | install of FluxCD HelmRelease |
+| commons.helm.release.test | object | `{}` | test of FluxCD HelmRelease |
+| commons.helm.release.upgrade | object | `{}` | upgrade of FluxCD HelmRelease |
+
+### Commons Ingress
+
+| Key | Type | Default | Description |
+|-----|------|---------|-------------|
+| commons.ingress.annotations | object | `{"cert-manager.io/cluster-issuer":"letsencrypt-prod"}` | annotations for all ingress objects |
+| commons.ingress.domain | string | `"wrenix.eu"` | top domain for all services |
+| commons.ingress.tls.enabled | bool | `true` | tls on every ingress |
+| commons.ingress.tls.override | list | `[]` | use own definition of tls (e.g. for own or wildcard certificate) |
+
+### Commons mail
+
+| Key | Type | Default | Description |
+|-----|------|---------|-------------|
+| commons.mail.from | string | `nil` | send from address |
+| commons.mail.host | string | `nil` | smtp server |
+| commons.mail.password | string | `nil` | smtp password |
+| commons.mail.use_ssl | bool | `false` | smtp server use ssl |
+| commons.mail.use_tls | bool | `false` | smtp server use start tls |
+| commons.mail.username | string | `nil` | smtp username |
+
+### Commons Persistence
+
+| Key | Type | Default | Description |
+|-----|------|---------|-------------|
+| commons.persistence.hostPath.enabled | bool | `false` | use hostPath instatt of PVC |
+| commons.persistence.hostPath.prefix | string | `"/var/lib/mycloud"` | use hostPath under the following path |
+| commons.persistence.storageClass | string | `nil` | storageClass of PVC |
+
+### Commons theme
+
+| Key | Type | Default | Description |
+|-----|------|---------|-------------|
+| commons.theme.title | string | `"myCloud"` | title everywhere |
+
+### Other Values
+
+| Key | Type | Default | Description |
+|-----|------|---------|-------------|
+| auth.clientID | string | `nil` | generated by .Values.commons.masterPassword |
+| auth.clientSecret | string | `nil` | generated by .Values.commons.masterPassword |
+| auth.extra | string | `nil` | in format of paperless |
+| commons.auth.authentik.backend | string | `"authentik-server"` |  |
+| commons.auth.authentik.domain | string | `""` |  |
+| commons.auth.enabled | bool | `false` |  |
+| commons.auth.namespace | string | `""` |  |
+| commons.auth.type | string | `"authentik"` |  |
+| commons.networkpolicies.enabled | bool | `false` |  |
+| commons.networkpolicies.from.ingress | list | `[]` |  |
+| commons.networkpolicies.from.metrics | list | `[]` |  |
+| commons.networkpolicies.to.database | list | `[]` |  |
+| commons.networkpolicies.to.dns | list | `[]` |  |
+| commons.networkpolicies.to.smtp | list | `[]` |  |
+| database.host | string | `"mycloud-services-postgresql"` | default is from mysql-services |
+| database.name | string | `"paperless"` |  |
+| database.password | string | `nil` | generated by .Values.commons.masterPassword (equal to mycloud-services) |
+| database.username | string | `"paperless"` |  |
+| env.PAPERLESS_DISABLE_REGULAR_LOGIN | bool | `true` |  |
+| env.PAPERLESS_OCR_LANGUAGE | string | `"deu"` |  |
+| env.PAPERLESS_REDIRECT_LOGIN_TO_SSO | bool | `true` |  |
+| env.PAPERLESS_SOCIAL_ACCOUNT_SYNC_GROUPS | bool | `true` |  |
+| env.PAPERLESS_SOCIAL_AUTO_SIGNUP | bool | `true` |  |
+| ingress.annotations | object | `{}` |  |
+| ingress.host | string | `nil` | default: paperless.(Values.commons.ingress.domain) |
+| init.namespace | string | `"bases"` |  |
+| init.version | int | `0` |  |
+| mail.from | string | `nil` | generade by Values.commons.mail.from |
+| mail.host | string | `nil` | default Values.commons.mail.host |
+| persistence.size | string | `"16Gi"` |  |
+| persistence.storageClass | string | `nil` |  |
+
+Autogenerated from chart metadata using [helm-docs](https://github.com/norwoodj/helm-docs)
--- a/mycloud-paperless/_docs.gotmpl
+++ b/mycloud-paperless/_docs.gotmpl
--- a/mycloud-paperless/templates/authentik-application.yaml
+++ b/mycloud-paperless/templates/authentik-application.yaml
@ -0,0 +1,56 @@
+---
+apiVersion: helm.toolkit.fluxcd.io/v2
+kind: HelmRelease
+metadata:
+  name: {{ .Release.Name }}-auth
+spec:
+  chart:
+    spec:
+      sourceRef:
+        kind: GitRepository
+        name: "wrenix-helm-charts"
+        namespace: "flux-system"
+      chart: "./authentik-application"
+      reconcileStrategy: "Revision"
+  install:
+    {{- toYaml .Values.commons.helm.release.install | nindent 4 }}
+  test:
+    {{- toYaml .Values.commons.helm.release.test | nindent 4 }}
+  upgrade:
+    {{- toYaml .Values.commons.helm.release.upgrade | nindent 4 }}
+  driftDetection:
+    {{- toYaml .Values.commons.helm.release.driftDetection | nindent 4 }}
+  interval: 10m
+  values:
+    {{- $host := .Values.ingress.host | default (printf "paperless.%s" .Values.commons.ingress.domain) }}
+    blueprint:
+      authentik:
+        domain: "https://{{ .Values.commons.auth.host | default (printf "auth.%s" .Values.commons.ingress.domain) }}"
+      provider:
+        type: "oidc"
+        name: "Paperless"
+        oidc:
+          clientType: "confidential"
+          redirectURL: "https://{{ $host }}/accounts/oidc/mycloud/login/callback/"
+          clientID: {{ .Values.auth.clientID | default (derivePassword 1 "long" .Values.commons.masterPassword "paperless" "auth.clientID") | quote }}
+          clientSecret: {{ .Values.auth.clientSecret | default (derivePassword 1 "long" .Values.commons.masterPassword "paperless" "auth.clientSecret") | quote }}
+          signingKey: "authentik Self-signed Certificate"
+          scopes:
+            - name: "authentik default OAuth Mapping: OpenID 'openid'"
+            - name: "authentik default OAuth Mapping: OpenID 'email'"
+            - name: "authentik default OAuth Mapping: OpenID 'profile'"
+
+      groups:
+        - slug: "mycloud - users"
+          bindID: "cefc0c13-49fa-4374-a909-e201a88a473b"
+
+      application:
+        policyEngineMode: "any"
+        openInNewTab: true
+        publisher: "WrenIX's myCloud"
+        slug: "mycloud-paperless"
+        group: "Office"
+        name: "Paperless"
+        launchURL: "https://{{ $host }}/"
+        icon: "https://{{ $host }}/favicon.ico"
+        description: "A document management system that transforms your physical documents into a searchable online archive so you can keep, well, less paper."
--- a/mycloud-paperless/templates/configmap_init_crd.yaml
+++ b/mycloud-paperless/templates/configmap_init_crd.yaml
@ -0,0 +1,14 @@
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: {{ .Release.Name }}-init
+  namespace: "{{ .Values.init.namespace }}"
+data:
+  {{- if and
+    (.Capabilities.APIVersions.Has "monitoring.coreos.com/v1/PrometheusRule")
+    (.Capabilities.APIVersions.Has "monitoring.coreos.com/v1/ServiceMonitor")
+  }}
+  init: "-1"
+  {{- else }}
+  init: "{{ add1 .Values.init.version }}"
+  {{- end }}
--- a/mycloud-paperless/templates/release.yaml
+++ b/mycloud-paperless/templates/release.yaml
@ -0,0 +1,185 @@
+---
+apiVersion: helm.toolkit.fluxcd.io/v2
+kind: HelmRelease
+metadata:
+  name: "{{ .Release.Name }}-ngx"
+spec:
+  chart:
+    spec:
+      sourceRef:
+        kind: GitRepository
+        name: "wrenix-helm-charts"
+        namespace: "flux-system"
+      chart: "./paperless-ngx"
+      reconcileStrategy: "Revision"
+  install:
+    {{- toYaml .Values.commons.helm.release.install | nindent 4 }}
+  test:
+    {{- toYaml .Values.commons.helm.release.test | nindent 4 }}
+  upgrade:
+    {{- toYaml .Values.commons.helm.release.upgrade | nindent 4 }}
+  driftDetection:
+    {{- toYaml .Values.commons.helm.release.driftDetection | nindent 4 }}
+  interval: 10m
+  valuesFrom:
+    - name: {{ .Release.Name }}
+      kind: Secret
+      valuesKey: "DB_PASS"
+      targetPath: "config.database.pass"
+    - name: {{ .Release.Name }}
+      kind: Secret
+      valuesKey: "ADMIN_PASS"
+      targetPath: "env.PAPERLESS_ADMIN_PASSWORD"
+    - name: {{ .Release.Name }}
+      kind: Secret
+      valuesKey: "EMAIL_PASS"
+      targetPath: "env.PAPERLESS_EMAIL_HOST_PASSWORD"
+      optional: true
+    - name: {{ .Release.Name }}
+      kind: Secret
+      valuesKey: "oidc"
+  values:
+    {{- $host := .Values.ingress.host | default (printf "paperless.%s" .Values.commons.ingress.domain) }}
+    config:
+      redis:
+        prefix: {{ .Release.Name }}
+      database:
+        engine: postgres
+        host: {{ .Values.database.host | quote }}
+        name: {{ .Values.database.name | quote }}
+        user: {{ .Values.database.username | quote }}
+      apps: allauth.socialaccount.providers.openid_connect
+      oidcProviders:
+        openid_connect:
+          OAUTH_PKCE_ENABLED: true
+    env:
+      PAPERLESS_APP_TITLE: {{ .Values.commons.theme.title }}
+      PAPERLESS_ADMIN_USER: admin
+
+      PAPERLESS_EMAIL_HOST: {{ .Values.mail.host | default .Values.commons.mail.host | quote }}
+      PAPERLESS_EMAIL_PORT: 587
+      PAPERLESS_EMAIL_HOST_USER: {{ .Values.commons.mail.username | quote }}
+      PAPERLESS_EMAIL_FROM: {{ .Values.mail.from | default (printf "\"[%s] %s\" <%s>" .Values.commons.theme.title "paperless" .Values.commons.mail.from) | quote }}
+      PAPERLESS_EMAIL_USE_TLS: true
+      {{- with .Values.env }}
+      {{- toYaml . | nindent 6 }}
+      {{- end }}
+
+    podLabels:
+      "{{ .Release.Name }}-ngx-redis-client": "true"
+    postgresql:
+      enabled: false
+    redis:
+      metrics:
+        enabled: true
+        serviceMonitor:
+          enabled: {{ (.Capabilities.APIVersions.Has "monitoring.coreos.com/v1/ServiceMonitor") }}
+          additionalLabels:
+            {{- toYaml .Values.commons.prometheus.monitor.labels | nindent 12 }}
+        prometheusRule:
+          # empty rules
+          enabled: false
+          # {{ (.Capabilities.APIVersions.Has "monitoring.coreos.com/v1/PrometheusRule") }}
+          additionalLabels:
+            {{- toYaml .Values.commons.prometheus.rules.labels | nindent 12 }}
+          rules: []
+      networkPolicy:
+        allowExternal: false
+        allowExternalEgress: false
+        metrics:
+          allowExternal: false
+          {{- with .Values.commons.networkpolicies.from.metrics }}
+          {{- $nsMetrics := first . }}
+          ingressNSMatchLabels:
+            {{- toYaml $nsMetrics.namespaceSelector.matchLabels | nindent 12 }}
+          ingressNSPodMatchLabels:
+            {{- toYaml $nsMetrics.podSelector.matchLabels | nindent 12 }}
+          {{- end }}
+
+    networkPolicy:
+      enabled: true
+      ingress:
+        http:
+          {{- toYaml .Values.commons.networkpolicies.from.ingress | nindent 12 }}
+        metrics:
+          {{- toYaml .Values.commons.networkpolicies.from.metrics | nindent 12 }}
+      egress:
+        enabled: true
+        dns:
+          {{- toYaml .Values.commons.networkpolicies.to.dns | nindent 10 }}
+        database:
+          - ports:
+              - port: 6379
+                protocol: TCP
+            to:
+              - podSelector:
+                  matchLabels:
+                    app.kubernetes.io/instance: "{{ .Release.Name }}-ngx"
+                    app.kubernetes.io/name: redis
+                    app.kubernetes.io/component: master
+          {{- with .Values.commons.networkpolicies.to.database }}
+          {{- toYaml . | nindent 10 }}
+          {{- end }}
+
+        extra:
+          - ports:
+              - port: 443
+                protocol: TCP
+            to:
+              {{- toYaml .Values.commons.networkpolicies.from.ingress | nindent 14 }}
+          {{- with .Values.commons.networkpolicies.to.smtp }}
+          {{- toYaml . | nindent 10 }}
+          {{- end }}
+
+    ingress:
+      enabled: true
+      annotations:
+        {{- with .Values.commons.ingress.annotations }}
+        {{- toYaml . | nindent 8 }}
+        {{- end }}
+        {{- with .Values.ingress.annotations }}
+        {{- toYaml . | nindent 8 }}
+        {{- end }}
+      hosts:
+        - host: "{{ $host }}"
+          paths:
+            - path: /
+              pathType: Prefix
+      {{- if .Values.commons.ingress.tls.enabled }}
+      tls:
+        {{- with .Values.commons.ingress.tls.override }}
+        {{- toYaml . | nindent 8 }}
+        {{- else }}
+        - secretName: "mycloud-paperless-cert"
+          hosts:
+            - "{{ $host }}"
+        {{- end }}
+      {{- end }}
+
+    persistence:
+      enabled: true
+      size: {{ .Values.persistence.size }}
+      {{- with .Values.persistence.storageClass | default .Values.commons.persistence.storageClass }}
+      storageClass: {{ . }}
+      {{- end }}
+      {{- if .Values.commons.persistence.hostPath.enabled }}
+      hostPath: "{{ .Values.commons.persistence.hostPath.prefix }}/paperless"
+      {{- end }}
+
+    prometheus:
+      servicemonitor:
+        enabled: {{ (.Capabilities.APIVersions.Has "monitoring.coreos.com/v1/ServiceMonitor") }}
+        labels:
+          {{- toYaml .Values.commons.prometheus.monitor.labels | nindent 10 }}
+      rules:
+        enabled: {{ (.Capabilities.APIVersions.Has "monitoring.coreos.com/v1/PrometheusRule") }}
+        additionalLabels:
+          {{- toYaml .Values.commons.prometheus.rules.labels | nindent 10 }}
+
+    grafana:
+      dashboards:
+        enabled: true
+        labels:
+          {{- toYaml .Values.commons.grafana.dashboards.labels | nindent 10 }}
+        annotations:
+          {{- toYaml .Values.commons.grafana.dashboards.annotations | nindent 10 }}
--- a/mycloud-paperless/templates/secret.yaml
+++ b/mycloud-paperless/templates/secret.yaml
@ -0,0 +1,29 @@
+---
+apiVersion: v1
+kind: Secret
+metadata:
+  name: {{ .Release.Name }}
+data:
+  DB_PASS: {{ .Values.database.password | default (derivePassword 1 "long" .Values.commons.masterPassword "paperless" "database_password" | b64enc) | b64enc }}
+  {{- with .Values.commons.mail.password }}
+  EMAIL_PASS: {{ . | b64enc }}
+  {{- end }}
+  ADMIN_PASS: {{ .Values.auth.admin | default (derivePassword 1 "long" .Values.commons.masterPassword "paperless" "admin_password" | b64enc) | b64enc }}
+  # - "authentik Admins"
+  oidc: {{ toYaml (dict
+    "config" (dict
+      "oidcProviders" (dict
+        "openid_connect" (dict
+          "APPS" (list (dict
+            "provider_id" "mycloud"
+            "name" .Values.commons.theme.title
+            "client_id" (.Values.auth.clientID | default (derivePassword 1 "long" .Values.commons.masterPassword "paperless" "auth.clientID"))
+            "secret" (.Values.auth.clientSecret | default (derivePassword 1 "long" .Values.commons.masterPassword "paperless" "auth.clientSecret"))
+            "settings" (dict
+              "server_url" (printf "https://%s/application/o/mycloud-paperless/.well-known/openid-configuration" (.Values.commons.auth.host | default (printf "auth.%s" .Values.commons.ingress.domain)))
+            )
+          ) .Values.auth.extra | compact)
+        )
+      )
+    )
+  ) | b64enc }}
--- a/mycloud-paperless/values.yaml
+++ b/mycloud-paperless/values.yaml
@ -0,0 +1,162 @@
+init:
+  version: 0
+  namespace: "bases"
+
+commons:
+  # -- masterPassword to generate secrets
+  # @section -- Commons
+  masterPassword: "CHANGEME"
+
+  # template for infra-
+  auth:
+    enabled: false
+    type: "authentik"
+    namespace: ""
+    authentik:
+      domain: ""
+      backend: "authentik-server"
+
+  # template for mycloud-
+  auth:
+    # -- default auth.(.Values.commons.ingress.domain)
+    # @section -- Commons
+    host:
+
+  # template for mycloud-
+  theme:
+    # -- title everywhere
+    # @section -- Commons theme
+    title: myCloud
+
+  # template for mycloud-
+  mail:
+    # -- smtp server
+    # @section -- Commons mail
+    host:
+    # -- smtp username
+    # @section -- Commons mail
+    username:
+    # -- smtp password
+    # @section -- Commons mail
+    password:
+    # -- send from address
+    # @section -- Commons mail
+    from:
+    # -- smtp server use start tls
+    # @section -- Commons mail
+    use_tls: false
+    # -- smtp server use ssl
+    # @section -- Commons mail
+    use_ssl: false
+
+  # template for mycloud-
+  persistence:
+    # -- storageClass of PVC
+    # @section -- Commons Persistence
+    storageClass:
+    hostPath:
+      # -- use hostPath instatt of PVC
+      # @section -- Commons Persistence
+      enabled: false
+      # -- use hostPath under the following path
+      # @section -- Commons Persistence
+      prefix: "/var/lib/mycloud"
+
+  helm:
+    release:
+      # -- install of FluxCD HelmRelease
+      # @section -- Commons helm release
+      install: {}
+      # -- test of FluxCD HelmRelease
+      # @section -- Commons helm release
+      test: {}
+      # -- upgrade of FluxCD HelmRelease
+      # @section -- Commons helm release
+      upgrade: {}
+      # -- driftDetection of FluxCD HelmRelease
+      # @section -- Commons helm release
+      driftDetection: {}
+
+  networkpolicies:
+    enabled: false
+    from:
+      ingress: []
+      metrics: []
+    to:
+      dns: []
+      database: []
+      smtp: []
+
+  ingress:
+    # -- top domain for all services
+    # @section -- Commons Ingress
+    domain: "wrenix.eu"
+    # -- annotations for all ingress objects
+    # @section -- Commons Ingress
+    annotations:
+      cert-manager.io/cluster-issuer: letsencrypt-prod
+    tls:
+      # -- tls on every ingress
+      # @section -- Commons Ingress
+      enabled: true
+      # -- use own definition of tls (e.g. for own or wildcard certificate)
+      # @section -- Commons Ingress
+      override: []
+
+  prometheus:
+    monitor:
+      # -- labels on Pod- and Service-Monitor
+      # @section -- Commons Monitoring
+      labels: {}
+    rules:
+      # -- labels on PrometheusRules
+      # @section -- Commons Monitoring
+      labels: {}
+
+  grafana:
+    dashboards:
+      # -- labels of grafana dashboard configmap
+      # @section -- Commons Monitoring
+      labels: {}
+      # -- annotations of grafana dashboard configmap
+      # @section -- Commons Monitoring
+      annotations: {}
+
+auth:
+  # -- generated by .Values.commons.masterPassword
+  clientID:
+  # -- generated by .Values.commons.masterPassword
+  clientSecret:
+  # -- in format of paperless
+  extra:
+
+env:
+  PAPERLESS_OCR_LANGUAGE: "deu"
+  PAPERLESS_REDIRECT_LOGIN_TO_SSO: true
+  PAPERLESS_DISABLE_REGULAR_LOGIN: true
+  PAPERLESS_SOCIAL_AUTO_SIGNUP: true
+  PAPERLESS_SOCIAL_ACCOUNT_SYNC_GROUPS: true
+
+ingress:
+  # -- default: paperless.(Values.commons.ingress.domain)
+  host:
+  annotations: {}
+
+database:
+  # -- default is from mysql-services
+  host: mycloud-services-postgresql
+  name: paperless
+  username: paperless
+  # -- generated by .Values.commons.masterPassword (equal to mycloud-services)
+  password:
+
+
+persistence:
+  storageClass:
+  size: 16Gi
+
+mail:
+  # -- generade by Values.commons.mail.from
+  from:
+  # -- default Values.commons.mail.host
+  host: