diff --git a/base-values/mycloud-paperless.yaml b/base-values/mycloud-paperless.yaml new file mode 100644 index 0000000..cb97a7c --- /dev/null +++ b/base-values/mycloud-paperless.yaml @@ -0,0 +1,17 @@ +## +# commons are from mycloud-core +## + +components: + mycloud-services: + # patch mycloud-core to get another database + values: + databases: + paperless: + type: postgresql + + mycloud-paperless: + enabled: true + namespace: + # current namespace + name: diff --git a/mycloud-paperless/.helmignore b/mycloud-paperless/.helmignore new file mode 100644 index 0000000..0e8a0eb --- /dev/null +++ b/mycloud-paperless/.helmignore @@ -0,0 +1,23 @@ +# Patterns to ignore when building packages. +# This supports shell glob matching, relative path matching, and +# negation (prefixed with !). Only one pattern per line. +.DS_Store +# Common VCS dirs +.git/ +.gitignore +.bzr/ +.bzrignore +.hg/ +.hgignore +.svn/ +# Common backup files +*.swp +*.bak +*.tmp +*.orig +*~ +# Various IDEs +.project +.idea/ +*.tmproj +.vscode/ diff --git a/mycloud-paperless/Chart.yaml b/mycloud-paperless/Chart.yaml new file mode 100644 index 0000000..b844c38 --- /dev/null +++ b/mycloud-paperless/Chart.yaml @@ -0,0 +1,9 @@ +apiVersion: v2 +name: mycloud-paperless +description: A Helm chart for Kubernetes +type: application +maintainers: + - name: WrenIX + url: https://wrenix.eu + +version: 0.1.0 diff --git a/mycloud-paperless/README.md b/mycloud-paperless/README.md new file mode 100644 index 0000000..236e6dc --- /dev/null +++ b/mycloud-paperless/README.md 
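Review bot: `description: A Helm chart for Kubernetes` in the Chart.yaml hunk is the unchanged `helm create` scaffold text, and because helm-docs renders it, the README added in this same commit repeats it verbatim as the chart's only summary. A one-line description of what the chart really deploys would help, e.g. `description: "Paperless-ngx with authentik OIDC login, wired as FluxCD HelmReleases for myCloud"` (wording constructed from the templates in this commit). The maintainer entry carries a `url` but no `email`, which is why the README's Email column is empty; fine if that is intended.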
@@ -0,0 +1,117 @@ +--- +title: "mycloud-paperless" + +description: "A Helm chart for Kubernetes" + +--- + +# mycloud-paperless + +![Version: 0.1.0](https://img.shields.io/badge/Version-0.1.0-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) + +A Helm chart for Kubernetes + +## Maintainers + +| Name | Email | Url | +| ---- | ------ | --- | +| WrenIX | | | + +## Values + +### Commons + +| Key | Type | Default | Description | +|-----|------|---------|-------------| +| commons.auth.host | string | `nil` | default auth.(.Values.commons.ingress.domain) | +| commons.masterPassword | string | `"CHANGEME"` | masterPassword to generate secrets | + +### Commons Monitoring + +| Key | Type | Default | Description | +|-----|------|---------|-------------| +| commons.grafana.dashboards.annotations | object | `{}` | annotations of grafana dashboard configmap | +| commons.grafana.dashboards.labels | object | `{}` | labels of grafana dashboard configmap | +| commons.prometheus.monitor.labels | object | `{}` | labels on Pod- and Service-Monitor | +| commons.prometheus.rules.labels | object | `{}` | labels on PrometheusRules | + +### Commons helm release + +| Key | Type | Default | Description | +|-----|------|---------|-------------| +| commons.helm.release.driftDetection | object | `{}` | driftDetection of FluxCD HelmRelease | +| commons.helm.release.install | object | `{}` | install of FluxCD HelmRelease | +| commons.helm.release.test | object | `{}` | test of FluxCD HelmRelease | +| commons.helm.release.upgrade | object | `{}` | upgrade of FluxCD HelmRelease | + +### Commons Ingress + +| Key | Type | Default | Description | +|-----|------|---------|-------------| +| commons.ingress.annotations | object | `{"cert-manager.io/cluster-issuer":"letsencrypt-prod"}` | annotations for all ingress objects | +| commons.ingress.domain | string | `"wrenix.eu"` | top domain for all services | +| 
commons.ingress.tls.enabled | bool | `true` | tls on every ingress | +| commons.ingress.tls.override | list | `[]` | use own definition of tls (e.g. for own or wildcard certificate) | + +### Commons mail + +| Key | Type | Default | Description | +|-----|------|---------|-------------| +| commons.mail.from | string | `nil` | send from address | +| commons.mail.host | string | `nil` | smtp server | +| commons.mail.password | string | `nil` | smtp password | +| commons.mail.use_ssl | bool | `false` | smtp server use ssl | +| commons.mail.use_tls | bool | `false` | smtp server use start tls | +| commons.mail.username | string | `nil` | smtp username | + +### Commons Persistence + +| Key | Type | Default | Description | +|-----|------|---------|-------------| +| commons.persistence.hostPath.enabled | bool | `false` | use hostPath instatt of PVC | +| commons.persistence.hostPath.prefix | string | `"/var/lib/mycloud"` | use hostPath under the following path | +| commons.persistence.storageClass | string | `nil` | storageClass of PVC | + +### Commons theme + +| Key | Type | Default | Description | +|-----|------|---------|-------------| +| commons.theme.title | string | `"myCloud"` | title everywhere | + +### Other Values + +| Key | Type | Default | Description | +|-----|------|---------|-------------| +| auth.clientID | string | `nil` | generated by .Values.commons.masterPassword | +| auth.clientSecret | string | `nil` | generated by .Values.commons.masterPassword | +| auth.extra | string | `nil` | in format of paperless | +| commons.auth.authentik.backend | string | `"authentik-server"` | | +| commons.auth.authentik.domain | string | `""` | | +| commons.auth.enabled | bool | `false` | | +| commons.auth.namespace | string | `""` | | +| commons.auth.type | string | `"authentik"` | | +| commons.networkpolicies.enabled | bool | `false` | | +| commons.networkpolicies.from.ingress | list | `[]` | | +| commons.networkpolicies.from.metrics | list | `[]` | | +| 
commons.networkpolicies.to.database | list | `[]` | | +| commons.networkpolicies.to.dns | list | `[]` | | +| commons.networkpolicies.to.smtp | list | `[]` | | +| database.host | string | `"mycloud-services-postgresql"` | default is from mysql-services | +| database.name | string | `"paperless"` | | +| database.password | string | `nil` | generated by .Values.commons.masterPassword (equal to mycloud-services) | +| database.username | string | `"paperless"` | | +| env.PAPERLESS_DISABLE_REGULAR_LOGIN | bool | `true` | | +| env.PAPERLESS_OCR_LANGUAGE | string | `"deu"` | | +| env.PAPERLESS_REDIRECT_LOGIN_TO_SSO | bool | `true` | | +| env.PAPERLESS_SOCIAL_ACCOUNT_SYNC_GROUPS | bool | `true` | | +| env.PAPERLESS_SOCIAL_AUTO_SIGNUP | bool | `true` | | +| ingress.annotations | object | `{}` | | +| ingress.host | string | `nil` | default: paperless.(Values.commons.ingress.domain) | +| init.namespace | string | `"bases"` | | +| init.version | int | `0` | | +| mail.from | string | `nil` | generade by Values.commons.mail.from | +| mail.host | string | `nil` | default Values.commons.mail.host | +| persistence.size | string | `"16Gi"` | | +| persistence.storageClass | string | `nil` | | + +Autogenerated from chart metadata using [helm-docs](https://github.com/norwoodj/helm-docs) diff --git a/mycloud-paperless/_docs.gotmpl b/mycloud-paperless/_docs.gotmpl new file mode 100644 index 0000000..e69de29 diff --git a/mycloud-paperless/templates/authentik-application.yaml b/mycloud-paperless/templates/authentik-application.yaml new file mode 100644 index 0000000..b4fcdff --- /dev/null +++ b/mycloud-paperless/templates/authentik-application.yaml 
@@ -0,0 +1,56 @@ +--- +apiVersion: helm.toolkit.fluxcd.io/v2 +kind: HelmRelease +metadata: + name: {{ .Release.Name }}-auth +spec: + chart: + spec: + sourceRef: + kind: GitRepository + name: "wrenix-helm-charts" + namespace: "flux-system" + chart: "./authentik-application" + reconcileStrategy: "Revision" + install: + {{- toYaml .Values.commons.helm.release.install | nindent 4 }} + test: + {{- toYaml .Values.commons.helm.release.test | nindent 4 }} + upgrade: + {{- toYaml .Values.commons.helm.release.upgrade | nindent 4 }} + driftDetection: + {{- toYaml .Values.commons.helm.release.driftDetection | nindent 4 }} + interval: 10m + values: + {{- $host := .Values.ingress.host | default (printf "paperless.%s" .Values.commons.ingress.domain) }} + blueprint: + authentik: + domain: "https://{{ .Values.commons.auth.host | default (printf "auth.%s" .Values.commons.ingress.domain) }}" + provider: + type: "oidc" + name: "Paperless" + oidc: + clientType: "confidential" + redirectURL: "https://{{ $host }}/accounts/oidc/mycloud/login/callback/" + clientID: {{ .Values.auth.clientID | default (derivePassword 1 "long" .Values.commons.masterPassword "paperless" "auth.clientID") | quote }} + clientSecret: {{ .Values.auth.clientSecret | default (derivePassword 1 "long" .Values.commons.masterPassword "paperless" "auth.clientSecret") | quote }} + signingKey: "authentik Self-signed Certificate" + scopes: + - name: "authentik default OAuth Mapping: OpenID 'openid'" + - name: "authentik default OAuth Mapping: OpenID 'email'" + - name: "authentik default OAuth Mapping: OpenID 'profile'" + + groups: + - slug: "mycloud - users" + bindID: "cefc0c13-49fa-4374-a909-e201a88a473b" + + application: + policyEngineMode: "any" + openInNewTab: true + publisher: "WrenIX's myCloud" + slug: "mycloud-paperless" + group: "Office" + name: "Paperless" + launchURL: "https://{{ $host }}/" + icon: "https://{{ $host }}/favicon.ico" + description: "A document management system that transforms your physical documents 
into a searchable online archive so you can keep, well, less paper." diff --git a/mycloud-paperless/templates/configmap_init_crd.yaml b/mycloud-paperless/templates/configmap_init_crd.yaml new file mode 100644 index 0000000..f82bbe4 --- /dev/null +++ b/mycloud-paperless/templates/configmap_init_crd.yaml @@ -0,0 +1,14 @@ +apiVersion: v1 +kind: ConfigMap +metadata: + name: {{ .Release.Name }}-init + namespace: "{{ .Values.init.namespace }}" +data: + {{- if and + (.Capabilities.APIVersions.Has "monitoring.coreos.com/v1/PrometheusRule") + (.Capabilities.APIVersions.Has "monitoring.coreos.com/v1/ServiceMonitor") + }} + init: "-1" + {{- else }} + init: "{{ add1 .Values.init.version }}" + {{- end }} diff --git a/mycloud-paperless/templates/release.yaml b/mycloud-paperless/templates/release.yaml new file mode 100644 index 0000000..9d438a9 --- /dev/null +++ b/mycloud-paperless/templates/release.yaml 
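Review bot: `clientSecret: {{ ... | quote }}` in the `values:` block of this HelmRelease writes the derived OIDC client secret in clear text into the HelmRelease object, where anyone who can read HelmReleases (or the rendered manifests in git or the Flux inventory) can see it, whereas release.yaml in the same commit deliberately routes its OIDC material through `valuesFrom` on the `{{ .Release.Name }}` Secret. The very same `derivePassword` expression already feeds secret.yaml, so the value could be exposed there under an extra key and pulled in with a `valuesFrom` entry targeting `blueprint.provider.oidc.clientSecret`, leaving only `clientID` inline. Minor style point: `name: {{ .Release.Name }}-auth` is unquoted while release.yaml quotes its `"{{ .Release.Name }}-ngx"`; quoting both keeps the two templates consistent.
```yaml
  interval: 10m
  valuesFrom:
    - name: {{ .Release.Name }}
      kind: Secret
      valuesKey: "OIDC_CLIENT_SECRET"  # placeholder key name; add it to secret.yaml with the same derivePassword expression
      targetPath: "blueprint.provider.oidc.clientSecret"
  values:
    # … unchanged: blueprint values, with the inline clientSecret line removed …
```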
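Review bot: The `init` value produced by configmap_init_crd.yaml is undocumented anywhere in the commit: it renders `"-1"` when both `monitoring.coreos.com/v1/PrometheusRule` and `monitoring.coreos.com/v1/ServiceMonitor` are present in the cluster's API versions and `add1 .Values.init.version` otherwise, and the ConfigMap lands in `.Values.init.namespace` (default `bases`) instead of the release namespace, so it sits outside the release's own namespace. A header comment stating only that contract would help whoever reads the `bases` namespace later, e.g. `# init: "-1" once the PrometheusRule and ServiceMonitor APIs exist, else init.version+1; consumed outside this chart (see init.namespace)`. Whatever consumes the value is not visible here, so the consumer side should be named in the comment by someone who knows it.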
@@ -0,0 +1,185 @@ +--- +apiVersion: helm.toolkit.fluxcd.io/v2 +kind: HelmRelease +metadata: + name: "{{ .Release.Name }}-ngx" +spec: + chart: + spec: + sourceRef: + kind: GitRepository + name: "wrenix-helm-charts" + namespace: "flux-system" + chart: "./paperless-ngx" + reconcileStrategy: "Revision" + install: + {{- toYaml .Values.commons.helm.release.install | nindent 4 }} + test: + {{- toYaml .Values.commons.helm.release.test | nindent 4 }} + upgrade: + {{- toYaml .Values.commons.helm.release.upgrade | nindent 4 }} + driftDetection: + {{- toYaml .Values.commons.helm.release.driftDetection | nindent 4 }} + interval: 10m + valuesFrom: + - name: {{ .Release.Name }} + kind: Secret + valuesKey: "DB_PASS" + targetPath: "config.database.pass" + - name: {{ .Release.Name }} + kind: Secret + valuesKey: "ADMIN_PASS" + targetPath: "env.PAPERLESS_ADMIN_PASSWORD" + - name: {{ .Release.Name }} + kind: Secret + valuesKey: "EMAIL_PASS" + targetPath: "env.PAPERLESS_EMAIL_HOST_PASSWORD" + optional: true + - name: {{ .Release.Name }} + kind: Secret + valuesKey: "oidc" + values: + {{- $host := .Values.ingress.host | default (printf "paperless.%s" .Values.commons.ingress.domain) }} + config: + redis: + prefix: {{ .Release.Name }} + database: + engine: postgres + host: {{ .Values.database.host | quote }} + name: {{ .Values.database.name | quote }} + user: {{ .Values.database.username | quote }} + apps: allauth.socialaccount.providers.openid_connect + oidcProviders: + openid_connect: + OAUTH_PKCE_ENABLED: true + env: + PAPERLESS_APP_TITLE: {{ .Values.commons.theme.title }} + PAPERLESS_ADMIN_USER: admin + + PAPERLESS_EMAIL_HOST: {{ .Values.mail.host | default .Values.commons.mail.host | quote }} + PAPERLESS_EMAIL_PORT: 587 + PAPERLESS_EMAIL_HOST_USER: {{ .Values.commons.mail.username | quote }} + PAPERLESS_EMAIL_FROM: {{ .Values.mail.from | default (printf "\"[%s] %s\" <%s>" .Values.commons.theme.title "paperless" .Values.commons.mail.from) | quote }} + PAPERLESS_EMAIL_USE_TLS: true + {{- 
with .Values.env }} + {{- toYaml . | nindent 6 }} + {{- end }} + + podLabels: + "{{ .Release.Name }}-ngx-redis-client": "true" + postgresql: + enabled: false + redis: + metrics: + enabled: true + serviceMonitor: + enabled: {{ (.Capabilities.APIVersions.Has "monitoring.coreos.com/v1/ServiceMonitor") }} + additionalLabels: + {{- toYaml .Values.commons.prometheus.monitor.labels | nindent 12 }} + prometheusRule: + # empty rules + enabled: false + # {{ (.Capabilities.APIVersions.Has "monitoring.coreos.com/v1/PrometheusRule") }} + additionalLabels: + {{- toYaml .Values.commons.prometheus.rules.labels | nindent 12 }} + rules: [] + networkPolicy: + allowExternal: false + allowExternalEgress: false + metrics: + allowExternal: false + {{- with .Values.commons.networkpolicies.from.metrics }} + {{- $nsMetrics := first . }} + ingressNSMatchLabels: + {{- toYaml $nsMetrics.namespaceSelector.matchLabels | nindent 12 }} + ingressNSPodMatchLabels: + {{- toYaml $nsMetrics.podSelector.matchLabels | nindent 12 }} + {{- end }} + + networkPolicy: + enabled: true + ingress: + http: + {{- toYaml .Values.commons.networkpolicies.from.ingress | nindent 12 }} + metrics: + {{- toYaml .Values.commons.networkpolicies.from.metrics | nindent 12 }} + egress: + enabled: true + dns: + {{- toYaml .Values.commons.networkpolicies.to.dns | nindent 10 }} + database: + - ports: + - port: 6379 + protocol: TCP + to: + - podSelector: + matchLabels: + app.kubernetes.io/instance: "{{ .Release.Name }}-ngx" + app.kubernetes.io/name: redis + app.kubernetes.io/component: master + {{- with .Values.commons.networkpolicies.to.database }} + {{- toYaml . | nindent 10 }} + {{- end }} + + extra: + - ports: + - port: 443 + protocol: TCP + to: + {{- toYaml .Values.commons.networkpolicies.from.ingress | nindent 14 }} + {{- with .Values.commons.networkpolicies.to.smtp }} + {{- toYaml . | nindent 10 }} + {{- end }} + + ingress: + enabled: true + annotations: + {{- with .Values.commons.ingress.annotations }} + {{- toYaml . 
| nindent 8 }} + {{- end }} + {{- with .Values.ingress.annotations }} + {{- toYaml . | nindent 8 }} + {{- end }} + hosts: + - host: "{{ $host }}" + paths: + - path: / + pathType: Prefix + {{- if .Values.commons.ingress.tls.enabled }} + tls: + {{- with .Values.commons.ingress.tls.override }} + {{- toYaml . | nindent 8 }} + {{- else }} + - secretName: "mycloud-paperless-cert" + hosts: + - "{{ $host }}" + {{- end }} + {{- end }} + + persistence: + enabled: true + size: {{ .Values.persistence.size }} + {{- with .Values.persistence.storageClass | default .Values.commons.persistence.storageClass }} + storageClass: {{ . }} + {{- end }} + {{- if .Values.commons.persistence.hostPath.enabled }} + hostPath: "{{ .Values.commons.persistence.hostPath.prefix }}/paperless" + {{- end }} + + prometheus: + servicemonitor: + enabled: {{ (.Capabilities.APIVersions.Has "monitoring.coreos.com/v1/ServiceMonitor") }} + labels: + {{- toYaml .Values.commons.prometheus.monitor.labels | nindent 10 }} + rules: + enabled: {{ (.Capabilities.APIVersions.Has "monitoring.coreos.com/v1/PrometheusRule") }} + additionalLabels: + {{- toYaml .Values.commons.prometheus.rules.labels | nindent 10 }} + + grafana: + dashboards: + enabled: true + labels: + {{- toYaml .Values.commons.grafana.dashboards.labels | nindent 10 }} + annotations: + {{- toYaml .Values.commons.grafana.dashboards.annotations | nindent 10 }} diff --git a/mycloud-paperless/templates/secret.yaml b/mycloud-paperless/templates/secret.yaml new file mode 100644 index 0000000..a292ecc --- /dev/null +++ b/mycloud-paperless/templates/secret.yaml 
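Review bot: `PAPERLESS_EMAIL_USE_TLS: true` and `PAPERLESS_EMAIL_PORT: 587` are hard-coded in the `env:` block although values.yaml in this commit defines and documents `commons.mail.use_tls` and `commons.mail.use_ssl` (both defaulting to false), so those knobs have no effect on this release; if they are meant to apply here, `PAPERLESS_EMAIL_USE_TLS: {{ .Values.commons.mail.use_tls }}` and a `PAPERLESS_EMAIL_USE_SSL: {{ .Values.commons.mail.use_ssl }}` line would honour them (whether the paperless-ngx chart wants booleans or `| quote`d strings for env values I cannot tell from here). Likewise `networkPolicy: enabled: true` never consults `commons.networkpolicies.enabled`; if that flag is meant to gate the policies it should be `enabled: {{ .Values.commons.networkpolicies.enabled }}`, otherwise the flag should go from values.yaml so nobody relies on it. `PAPERLESS_APP_TITLE: {{ .Values.commons.theme.title }}` is the one templated scalar in the block without `| quote`, so a title containing `: ` or ` #` would break the rendered YAML. The tls `secretName: "mycloud-paperless-cert"` is fixed rather than derived from `.Release.Name`, so two releases in one namespace would contend for the same certificate secret.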
@@ -0,0 +1,29 @@ +--- +apiVersion: v1 +kind: Secret +metadata: + name: {{ .Release.Name }} +data: + DB_PASS: {{ .Values.database.password | default (derivePassword 1 "long" .Values.commons.masterPassword "paperless" "database_password" | b64enc) | b64enc }} + {{- with .Values.commons.mail.password }} + EMAIL_PASS: {{ . | b64enc }} + {{- end }} + ADMIN_PASS: {{ .Values.auth.admin | default (derivePassword 1 "long" .Values.commons.masterPassword "paperless" "admin_password" | b64enc) | b64enc }} + # - "authentik Admins" + oidc: {{ toYaml (dict + "config" (dict + "oidcProviders" (dict + "openid_connect" (dict + "APPS" (list (dict + "provider_id" "mycloud" + "name" .Values.commons.theme.title + "client_id" (.Values.auth.clientID | default (derivePassword 1 "long" .Values.commons.masterPassword "paperless" "auth.clientID")) + "secret" (.Values.auth.clientSecret | default (derivePassword 1 "long" .Values.commons.masterPassword "paperless" "auth.clientSecret")) + "settings" (dict + "server_url" (printf "https://%s/application/o/mycloud-paperless/.well-known/openid-configuration" (.Values.commons.auth.host | default (printf "auth.%s" .Values.commons.ingress.domain))) + ) + ) .Values.auth.extra | compact) + ) + ) + ) + ) | b64enc }} diff --git a/mycloud-paperless/values.yaml b/mycloud-paperless/values.yaml new file mode 100644 index 0000000..824b876 --- /dev/null +++ b/mycloud-paperless/values.yaml 
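Review bot: The default branch of `DB_PASS` base64-encodes the derived password twice — `derivePassword … | b64enc` inside `default`, then `| b64enc` again on the result — while a user-supplied `database.password` is encoded only once, so the decoded Secret value is the raw password in one case and base64 text in the other; `ADMIN_PASS` has the same shape. If the inner `b64enc` is deliberate so the value matches what mycloud-services derives (the values.yaml comment says the two are equal), a comment should say so; otherwise the line should read `DB_PASS: {{ .Values.database.password | default (derivePassword 1 "long" .Values.commons.masterPassword "paperless" "database_password") | b64enc }}`. `ADMIN_PASS` also reads `.Values.auth.admin`, which appears in neither values.yaml nor the README, so users cannot discover that the admin password is overridable. Every credential in this Secret derives from `commons.masterPassword`, whose chart default is the literal `CHANGEME`; the base-values comment says commons come from mycloud-core so the default may never be used, but a guard at the top of this template, `{{- if eq .Values.commons.masterPassword "CHANGEME" }}{{ fail "commons.masterPassword must be set" }}{{- end }}`, turns a forgotten override into a render failure instead of predictable credentials.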
@@ -0,0 +1,162 @@ +init: + version: 0 + namespace: "bases" + +commons: + # -- masterPassword to generate secrets + # @section -- Commons + masterPassword: "CHANGEME" + + # template for infra- + auth: + enabled: false + type: "authentik" + namespace: "" + authentik: + domain: "" + backend: "authentik-server" + + # template for mycloud- + auth: + # -- default auth.(.Values.commons.ingress.domain) + # @section -- Commons + host: + + # template for mycloud- + theme: + # -- title everywhere + # @section -- Commons theme + title: myCloud + + # template for mycloud- + mail: + # -- smtp server + # @section -- Commons mail + host: + # -- smtp username + # @section -- Commons mail + username: + # -- smtp password + # @section -- Commons mail + password: + # -- send from address + # @section -- Commons mail + from: + # -- smtp server use start tls + # @section -- Commons mail + use_tls: false + # -- smtp server use ssl + # @section -- Commons mail + use_ssl: false + + # template for mycloud- + persistence: + # -- storageClass of PVC + # @section -- Commons Persistence + storageClass: + hostPath: + # -- use hostPath instatt of PVC + # @section -- Commons Persistence + enabled: false + # -- use hostPath under the following path + # @section -- Commons Persistence + prefix: "/var/lib/mycloud" + + helm: + release: + # -- install of FluxCD HelmRelease + # @section -- Commons helm release + install: {} + # -- test of FluxCD HelmRelease + # @section -- Commons helm release + test: {} + # -- upgrade of FluxCD HelmRelease + # @section -- Commons helm release + upgrade: {} + # -- driftDetection of FluxCD HelmRelease + # @section -- Commons helm release + driftDetection: {} + + networkpolicies: + enabled: false + from: + ingress: [] + metrics: [] + to: + dns: [] + database: [] + smtp: [] + + ingress: + # -- top domain for all services + # @section -- Commons Ingress + domain: "wrenix.eu" + # -- annotations for all ingress objects + # @section -- Commons Ingress + annotations: + 
cert-manager.io/cluster-issuer: letsencrypt-prod + tls: + # -- tls on every ingress + # @section -- Commons Ingress + enabled: true + # -- use own definition of tls (e.g. for own or wildcard certificate) + # @section -- Commons Ingress + override: [] + + prometheus: + monitor: + # -- labels on Pod- and Service-Monitor + # @section -- Commons Monitoring + labels: {} + rules: + # -- labels on PrometheusRules + # @section -- Commons Monitoring + labels: {} + + grafana: + dashboards: + # -- labels of grafana dashboard configmap + # @section -- Commons Monitoring + labels: {} + # -- annotations of grafana dashboard configmap + # @section -- Commons Monitoring + annotations: {} + +auth: + # -- generated by .Values.commons.masterPassword + clientID: + # -- generated by .Values.commons.masterPassword + clientSecret: + # -- in format of paperless + extra: + +env: + PAPERLESS_OCR_LANGUAGE: "deu" + PAPERLESS_REDIRECT_LOGIN_TO_SSO: true + PAPERLESS_DISABLE_REGULAR_LOGIN: true + PAPERLESS_SOCIAL_AUTO_SIGNUP: true + PAPERLESS_SOCIAL_ACCOUNT_SYNC_GROUPS: true + +ingress: + # -- default: paperless.(Values.commons.ingress.domain) + host: + annotations: {} + +database: + # -- default is from mysql-services + host: mycloud-services-postgresql + name: paperless + username: paperless + # -- generated by .Values.commons.masterPassword (equal to mycloud-services) + password: + + +persistence: + storageClass: + size: 16Gi + +mail: + # -- generade by Values.commons.mail.from + from: + # -- default Values.commons.mail.host + host:
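Review bot: `auth:` appears twice under `commons:` — once with `enabled`/`type`/`namespace`/`authentik` (the "template for infra-" block) and again with only `host` (the "template for mycloud-" block); duplicate mapping keys are invalid YAML, and depending on the loader this is either a parse error or last-one-wins that silently drops the first block, so the two should be merged into one `commons.auth` mapping (move `host:` with its two `# --` comment lines into the first block). Several keys the templates read carry no helm-docs `# --` description, which is why the README's "Other Values" table has empty Description cells: `init.version`, `init.namespace`, every `env.*` key, `commons.networkpolicies.*` and `commons.auth.*`; each should say what it controls, e.g. `# -- extra PAPERLESS_* environment variables merged into the paperless-ngx release` above `env:`. `commons.auth.enabled` and `commons.networkpolicies.enabled` are not read by any template in this commit, so either wire them up or mark them as placeholders in their comments. Three comment typos propagate into the README: `instatt` → `instead`, `generade` → `generated`, and `mysql-services` → `mycloud-services` under `database.host`.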