wrenix/flux-charts
1
0
Fork 0
Code Issues 14 Pull requests 1 Projects Releases Packages Wiki Activity Actions

feat(mycloud-paperless): add paperless-ngx

Browse source
This commit is contained in:
WrenIX 2025-02-23 13:29:27 +01:00
parent 50d4fad2a3
commit 3424660b8b
Signed by: wrenix
GPG key ID: 7AFDB012974B1BB5
10 changed files with 612 additions and 0 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

17
base-values/mycloud-paperless.yaml Normal file
View file

@ -0,0 +1,17 @@
##
# commons are from mycloud-core
##
components:
mycloud-services:
# patch mycloud-core to get another database
values:
databases:
paperless:
type: postgresql
mycloud-paperless:
enabled: true
namespace:
# current namespace
name:

23
mycloud-paperless/.helmignore Normal file
View file

@ -0,0 +1,23 @@
# Patterns to ignore when building packages.
# This supports shell glob matching, relative path matching, and
# negation (prefixed with !). Only one pattern per line.
.DS_Store
# Common VCS dirs
.git/
.gitignore
.bzr/
.bzrignore
.hg/
.hgignore
.svn/
# Common backup files
*.swp
*.bak
*.tmp
*.orig
*~
# Various IDEs
.project
.idea/
*.tmproj
.vscode/

9
mycloud-paperless/Chart.yaml Normal file
View file

@ -0,0 +1,9 @@
apiVersion: v2
name: mycloud-paperless
description: A Helm chart for Kubernetes
type: application
maintainers:
- name: WrenIX
url: https://wrenix.eu
version: 0.1.0

117
mycloud-paperless/README.md Normal file
View file

@ -0,0 +1,117 @@
---
title: "mycloud-paperless"
description: "A Helm chart for Kubernetes"
---
# mycloud-paperless
![Version: 0.1.0](https://img.shields.io/badge/Version-0.1.0-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square)
A Helm chart for Kubernetes
## Maintainers
| Name | Email | Url |
| ---- | ------ | --- |
| WrenIX | | <https://wrenix.eu> |
## Values
### Commons
| Key | Type | Default | Description |
|-----|------|---------|-------------|
| commons.auth.host | string | `nil` | default auth.(.Values.commons.ingress.domain) |
| commons.masterPassword | string | `"CHANGEME"` | masterPassword to generate secrets |
### Commons Monitoring
| Key | Type | Default | Description |
|-----|------|---------|-------------|
| commons.grafana.dashboards.annotations | object | `{}` | annotations of grafana dashboard configmap |
| commons.grafana.dashboards.labels | object | `{}` | labels of grafana dashboard configmap |
| commons.prometheus.monitor.labels | object | `{}` | labels on Pod- and Service-Monitor |
| commons.prometheus.rules.labels | object | `{}` | labels on PrometheusRules |
### Commons helm release
| Key | Type | Default | Description |
|-----|------|---------|-------------|
| commons.helm.release.driftDetection | object | `{}` | driftDetection of FluxCD HelmRelease |
| commons.helm.release.install | object | `{}` | install of FluxCD HelmRelease |
| commons.helm.release.test | object | `{}` | test of FluxCD HelmRelease |
| commons.helm.release.upgrade | object | `{}` | upgrade of FluxCD HelmRelease |
### Commons Ingress
| Key | Type | Default | Description |
|-----|------|---------|-------------|
| commons.ingress.annotations | object | `{"cert-manager.io/cluster-issuer":"letsencrypt-prod"}` | annotations for all ingress objects |
| commons.ingress.domain | string | `"wrenix.eu"` | top domain for all services |
| commons.ingress.tls.enabled | bool | `true` | tls on every ingress |
| commons.ingress.tls.override | list | `[]` | use own definition of tls (e.g. for own or wildcard certificate) |
### Commons mail
| Key | Type | Default | Description |
|-----|------|---------|-------------|
| commons.mail.from | string | `nil` | send from address |
| commons.mail.host | string | `nil` | smtp server |
| commons.mail.password | string | `nil` | smtp password |
| commons.mail.use_ssl | bool | `false` | smtp server use ssl |
| commons.mail.use_tls | bool | `false` | smtp server use start tls |
| commons.mail.username | string | `nil` | smtp username |
### Commons Persistence
| Key | Type | Default | Description |
|-----|------|---------|-------------|
| commons.persistence.hostPath.enabled | bool | `false` | use hostPath instatt of PVC |
| commons.persistence.hostPath.prefix | string | `"/var/lib/mycloud"` | use hostPath under the following path |
| commons.persistence.storageClass | string | `nil` | storageClass of PVC |
### Commons theme
| Key | Type | Default | Description |
|-----|------|---------|-------------|
| commons.theme.title | string | `"myCloud"` | title everywhere |
### Other Values
| Key | Type | Default | Description |
|-----|------|---------|-------------|
| auth.clientID | string | `nil` | generated by .Values.commons.masterPassword |
| auth.clientSecret | string | `nil` | generated by .Values.commons.masterPassword |
| auth.extra | string | `nil` | in format of paperless |
| commons.auth.authentik.backend | string | `"authentik-server"` | |
| commons.auth.authentik.domain | string | `""` | |
| commons.auth.enabled | bool | `false` | |
| commons.auth.namespace | string | `""` | |
| commons.auth.type | string | `"authentik"` | |
| commons.networkpolicies.enabled | bool | `false` | |
| commons.networkpolicies.from.ingress | list | `[]` | |
| commons.networkpolicies.from.metrics | list | `[]` | |
| commons.networkpolicies.to.database | list | `[]` | |
| commons.networkpolicies.to.dns | list | `[]` | |
| commons.networkpolicies.to.smtp | list | `[]` | |
| database.host | string | `"mycloud-services-postgresql"` | default is from mysql-services |
| database.name | string | `"paperless"` | |
| database.password | string | `nil` | generated by .Values.commons.masterPassword (equal to mycloud-services) |
| database.username | string | `"paperless"` | |
| env.PAPERLESS_DISABLE_REGULAR_LOGIN | bool | `true` | |
| env.PAPERLESS_OCR_LANGUAGE | string | `"deu"` | |
| env.PAPERLESS_REDIRECT_LOGIN_TO_SSO | bool | `true` | |
| env.PAPERLESS_SOCIAL_ACCOUNT_SYNC_GROUPS | bool | `true` | |
| env.PAPERLESS_SOCIAL_AUTO_SIGNUP | bool | `true` | |
| ingress.annotations | object | `{}` | |
| ingress.host | string | `nil` | default: paperless.(Values.commons.ingress.domain) |
| init.namespace | string | `"bases"` | |
| init.version | int | `0` | |
| mail.from | string | `nil` | generade by Values.commons.mail.from |
| mail.host | string | `nil` | default Values.commons.mail.host |
| persistence.size | string | `"16Gi"` | |
| persistence.storageClass | string | `nil` | |
Autogenerated from chart metadata using [helm-docs](https://github.com/norwoodj/helm-docs)

0
mycloud-paperless/_docs.gotmpl Normal file
View file

56
mycloud-paperless/templates/authentik-application.yaml Normal file
View file

@ -0,0 +1,56 @@
---
apiVersion: helm.toolkit.fluxcd.io/v2
kind: HelmRelease
metadata:
name: {{ .Release.Name }}-auth
spec:
chart:
spec:
sourceRef:
kind: GitRepository
name: "wrenix-helm-charts"
namespace: "flux-system"
chart: "./authentik-application"
reconcileStrategy: "Revision"
install:
{{- toYaml .Values.commons.helm.release.install | nindent 4 }}
test:
{{- toYaml .Values.commons.helm.release.test | nindent 4 }}
upgrade:
{{- toYaml .Values.commons.helm.release.upgrade | nindent 4 }}
driftDetection:
{{- toYaml .Values.commons.helm.release.driftDetection | nindent 4 }}
interval: 10m
values:
{{- $host := .Values.ingress.host | default (printf "paperless.%s" .Values.commons.ingress.domain) }}
blueprint:
authentik:
domain: "https://{{ .Values.commons.auth.host | default (printf "auth.%s" .Values.commons.ingress.domain) }}"
provider:
type: "oidc"
name: "Paperless"
oidc:
clientType: "confidential"
redirectURL: "https://{{ $host }}/accounts/oidc/mycloud/login/callback/"
clientID: {{ .Values.auth.clientID | default (derivePassword 1 "long" .Values.commons.masterPassword "paperless" "auth.clientID") | quote }}
clientSecret: {{ .Values.auth.clientSecret | default (derivePassword 1 "long" .Values.commons.masterPassword "paperless" "auth.clientSecret") | quote }}
signingKey: "authentik Self-signed Certificate"
scopes:
- name: "authentik default OAuth Mapping: OpenID 'openid'"
- name: "authentik default OAuth Mapping: OpenID 'email'"
- name: "authentik default OAuth Mapping: OpenID 'profile'"
groups:
- slug: "mycloud - users"
bindID: "cefc0c13-49fa-4374-a909-e201a88a473b"
application:
policyEngineMode: "any"
openInNewTab: true
publisher: "WrenIX's myCloud"
slug: "mycloud-paperless"
group: "Office"
name: "Paperless"
launchURL: "https://{{ $host }}/"
icon: "https://{{ $host }}/favicon.ico"
description: "A document management system that transforms your physical documents into a searchable online archive so you can keep, well, less paper."

14
mycloud-paperless/templates/configmap_init_crd.yaml Normal file
View file

@ -0,0 +1,14 @@
apiVersion: v1
kind: ConfigMap
metadata:
name: {{ .Release.Name }}-init
namespace: "{{ .Values.init.namespace }}"
data:
{{- if and
(.Capabilities.APIVersions.Has "monitoring.coreos.com/v1/PrometheusRule")
(.Capabilities.APIVersions.Has "monitoring.coreos.com/v1/ServiceMonitor")
}}
init: "-1"
{{- else }}
init: "{{ add1 .Values.init.version }}"
{{- end }}

185
mycloud-paperless/templates/release.yaml Normal file
View file

@ -0,0 +1,185 @@
---
apiVersion: helm.toolkit.fluxcd.io/v2
kind: HelmRelease
metadata:
name: "{{ .Release.Name }}-ngx"
spec:
chart:
spec:
sourceRef:
kind: GitRepository
name: "wrenix-helm-charts"
namespace: "flux-system"
chart: "./paperless-ngx"
reconcileStrategy: "Revision"
install:
{{- toYaml .Values.commons.helm.release.install | nindent 4 }}
test:
{{- toYaml .Values.commons.helm.release.test | nindent 4 }}
upgrade:
{{- toYaml .Values.commons.helm.release.upgrade | nindent 4 }}
driftDetection:
{{- toYaml .Values.commons.helm.release.driftDetection | nindent 4 }}
interval: 10m
valuesFrom:
- name: {{ .Release.Name }}
kind: Secret
valuesKey: "DB_PASS"
targetPath: "config.database.pass"
- name: {{ .Release.Name }}
kind: Secret
valuesKey: "ADMIN_PASS"
targetPath: "env.PAPERLESS_ADMIN_PASSWORD"
- name: {{ .Release.Name }}
kind: Secret
valuesKey: "EMAIL_PASS"
targetPath: "env.PAPERLESS_EMAIL_HOST_PASSWORD"
optional: true
- name: {{ .Release.Name }}
kind: Secret
valuesKey: "oidc"
values:
{{- $host := .Values.ingress.host | default (printf "paperless.%s" .Values.commons.ingress.domain) }}
config:
redis:
prefix: {{ .Release.Name }}
database:
engine: postgres
host: {{ .Values.database.host | quote }}
name: {{ .Values.database.name | quote }}
user: {{ .Values.database.username | quote }}
apps: allauth.socialaccount.providers.openid_connect
oidcProviders:
openid_connect:
OAUTH_PKCE_ENABLED: true
env:
PAPERLESS_APP_TITLE: {{ .Values.commons.theme.title }}
PAPERLESS_ADMIN_USER: admin
PAPERLESS_EMAIL_HOST: {{ .Values.mail.host | default .Values.commons.mail.host | quote }}
PAPERLESS_EMAIL_PORT: 587
PAPERLESS_EMAIL_HOST_USER: {{ .Values.commons.mail.username | quote }}
PAPERLESS_EMAIL_FROM: {{ .Values.mail.from | default (printf "\"[%s] %s\" <%s>" .Values.commons.theme.title "paperless" .Values.commons.mail.from) | quote }}
PAPERLESS_EMAIL_USE_TLS: true
{{- with .Values.env }}
{{- toYaml . | nindent 6 }}
{{- end }}
podLabels:
"{{ .Release.Name }}-ngx-redis-client": "true"
postgresql:
enabled: false
redis:
metrics:
enabled: true
serviceMonitor:
enabled: {{ (.Capabilities.APIVersions.Has "monitoring.coreos.com/v1/ServiceMonitor") }}
additionalLabels:
{{- toYaml .Values.commons.prometheus.monitor.labels | nindent 12 }}
prometheusRule:
# empty rules
enabled: false
# {{ (.Capabilities.APIVersions.Has "monitoring.coreos.com/v1/PrometheusRule") }}
additionalLabels:
{{- toYaml .Values.commons.prometheus.rules.labels | nindent 12 }}
rules: []
networkPolicy:
allowExternal: false
allowExternalEgress: false
metrics:
allowExternal: false
{{- with .Values.commons.networkpolicies.from.metrics }}
{{- $nsMetrics := first . }}
ingressNSMatchLabels:
{{- toYaml $nsMetrics.namespaceSelector.matchLabels | nindent 12 }}
ingressNSPodMatchLabels:
{{- toYaml $nsMetrics.podSelector.matchLabels | nindent 12 }}
{{- end }}
networkPolicy:
enabled: true
ingress:
http:
{{- toYaml .Values.commons.networkpolicies.from.ingress | nindent 12 }}
metrics:
{{- toYaml .Values.commons.networkpolicies.from.metrics | nindent 12 }}
egress:
enabled: true
dns:
{{- toYaml .Values.commons.networkpolicies.to.dns | nindent 10 }}
database:
- ports:
- port: 6379
protocol: TCP
to:
- podSelector:
matchLabels:
app.kubernetes.io/instance: "{{ .Release.Name }}-ngx"
app.kubernetes.io/name: redis
app.kubernetes.io/component: master
{{- with .Values.commons.networkpolicies.to.database }}
{{- toYaml . | nindent 10 }}
{{- end }}
extra:
- ports:
- port: 443
protocol: TCP
to:
{{- toYaml .Values.commons.networkpolicies.from.ingress | nindent 14 }}
{{- with .Values.commons.networkpolicies.to.smtp }}
{{- toYaml . | nindent 10 }}
{{- end }}
ingress:
enabled: true
annotations:
{{- with .Values.commons.ingress.annotations }}
{{- toYaml . | nindent 8 }}
{{- end }}
{{- with .Values.ingress.annotations }}
{{- toYaml . | nindent 8 }}
{{- end }}
hosts:
- host: "{{ $host }}"
paths:
- path: /
pathType: Prefix
{{- if .Values.commons.ingress.tls.enabled }}
tls:
{{- with .Values.commons.ingress.tls.override }}
{{- toYaml . | nindent 8 }}
{{- else }}
- secretName: "mycloud-paperless-cert"
hosts:
- "{{ $host }}"
{{- end }}
{{- end }}
persistence:
enabled: true
size: {{ .Values.persistence.size }}
{{- with .Values.persistence.storageClass | default .Values.commons.persistence.storageClass }}
storageClass: {{ . }}
{{- end }}
{{- if .Values.commons.persistence.hostPath.enabled }}
hostPath: "{{ .Values.commons.persistence.hostPath.prefix }}/paperless"
{{- end }}
prometheus:
servicemonitor:
enabled: {{ (.Capabilities.APIVersions.Has "monitoring.coreos.com/v1/ServiceMonitor") }}
labels:
{{- toYaml .Values.commons.prometheus.monitor.labels | nindent 10 }}
rules:
enabled: {{ (.Capabilities.APIVersions.Has "monitoring.coreos.com/v1/PrometheusRule") }}
additionalLabels:
{{- toYaml .Values.commons.prometheus.rules.labels | nindent 10 }}
grafana:
dashboards:
enabled: true
labels:
{{- toYaml .Values.commons.grafana.dashboards.labels | nindent 10 }}
annotations:
{{- toYaml .Values.commons.grafana.dashboards.annotations | nindent 10 }}

29
mycloud-paperless/templates/secret.yaml Normal file
View file

@ -0,0 +1,29 @@
---
apiVersion: v1
kind: Secret
metadata:
name: {{ .Release.Name }}
data:
DB_PASS: {{ .Values.database.password | default (derivePassword 1 "long" .Values.commons.masterPassword "paperless" "database_password" | b64enc) | b64enc }}
{{- with .Values.commons.mail.password }}
EMAIL_PASS: {{ . | b64enc }}
{{- end }}
ADMIN_PASS: {{ .Values.auth.admin | default (derivePassword 1 "long" .Values.commons.masterPassword "paperless" "admin_password" | b64enc) | b64enc }}
# - "authentik Admins"
oidc: {{ toYaml (dict
"config" (dict
"oidcProviders" (dict
"openid_connect" (dict
"APPS" (list (dict
"provider_id" "mycloud"
"name" .Values.commons.theme.title
"client_id" (.Values.auth.clientID | default (derivePassword 1 "long" .Values.commons.masterPassword "paperless" "auth.clientID"))
"secret" (.Values.auth.clientSecret | default (derivePassword 1 "long" .Values.commons.masterPassword "paperless" "auth.clientSecret"))
"settings" (dict
"server_url" (printf "https://%s/application/o/mycloud-paperless/.well-known/openid-configuration" (.Values.commons.auth.host | default (printf "auth.%s" .Values.commons.ingress.domain)))
)
) .Values.auth.extra | compact)
)
)
)
) | b64enc }}

162
mycloud-paperless/values.yaml Normal file
View file

@ -0,0 +1,162 @@
init:
version: 0
namespace: "bases"
commons:
# -- masterPassword to generate secrets
# @section -- Commons
masterPassword: "CHANGEME"
# template for infra-
auth:
enabled: false
type: "authentik"
namespace: ""
authentik:
domain: ""
backend: "authentik-server"
# template for mycloud-
auth:
# -- default auth.(.Values.commons.ingress.domain)
# @section -- Commons
host:
# template for mycloud-
theme:
# -- title everywhere
# @section -- Commons theme
title: myCloud
# template for mycloud-
mail:
# -- smtp server
# @section -- Commons mail
host:
# -- smtp username
# @section -- Commons mail
username:
# -- smtp password
# @section -- Commons mail
password:
# -- send from address
# @section -- Commons mail
from:
# -- smtp server use start tls
# @section -- Commons mail
use_tls: false
# -- smtp server use ssl
# @section -- Commons mail
use_ssl: false
# template for mycloud-
persistence:
# -- storageClass of PVC
# @section -- Commons Persistence
storageClass:
hostPath:
# -- use hostPath instatt of PVC
# @section -- Commons Persistence
enabled: false
# -- use hostPath under the following path
# @section -- Commons Persistence
prefix: "/var/lib/mycloud"
helm:
release:
# -- install of FluxCD HelmRelease
# @section -- Commons helm release
install: {}
# -- test of FluxCD HelmRelease
# @section -- Commons helm release
test: {}
# -- upgrade of FluxCD HelmRelease
# @section -- Commons helm release
upgrade: {}
# -- driftDetection of FluxCD HelmRelease
# @section -- Commons helm release
driftDetection: {}
networkpolicies:
enabled: false
from:
ingress: []
metrics: []
to:
dns: []
database: []
smtp: []
ingress:
# -- top domain for all services
# @section -- Commons Ingress
domain: "wrenix.eu"
# -- annotations for all ingress objects
# @section -- Commons Ingress
annotations:
cert-manager.io/cluster-issuer: letsencrypt-prod
tls:
# -- tls on every ingress
# @section -- Commons Ingress
enabled: true
# -- use own definition of tls (e.g. for own or wildcard certificate)
# @section -- Commons Ingress
override: []
prometheus:
monitor:
# -- labels on Pod- and Service-Monitor
# @section -- Commons Monitoring
labels: {}
rules:
# -- labels on PrometheusRules
# @section -- Commons Monitoring
labels: {}
grafana:
dashboards:
# -- labels of grafana dashboard configmap
# @section -- Commons Monitoring
labels: {}
# -- annotations of grafana dashboard configmap
# @section -- Commons Monitoring
annotations: {}
auth:
# -- generated by .Values.commons.masterPassword
clientID:
# -- generated by .Values.commons.masterPassword
clientSecret:
# -- in format of paperless
extra:
env:
PAPERLESS_OCR_LANGUAGE: "deu"
PAPERLESS_REDIRECT_LOGIN_TO_SSO: true
PAPERLESS_DISABLE_REGULAR_LOGIN: true
PAPERLESS_SOCIAL_AUTO_SIGNUP: true
PAPERLESS_SOCIAL_ACCOUNT_SYNC_GROUPS: true
ingress:
# -- default: paperless.(Values.commons.ingress.domain)
host:
annotations: {}
database:
# -- default is from mysql-services
host: mycloud-services-postgresql
name: paperless
username: paperless
# -- generated by .Values.commons.masterPassword (equal to mycloud-services)
password:
persistence:
storageClass:
size: 16Gi
mail:
# -- generade by Values.commons.mail.from
from:
# -- default Values.commons.mail.host
host: