diff --git a/paperless-ngx/.gitignore b/paperless-ngx/.gitignore
new file mode 100644
index 0000000..31014c3
--- /dev/null
+++ b/paperless-ngx/.gitignore
@@ -0,0 +1,2 @@
+charts/*.tgz
+values_test.yaml
diff --git a/paperless-ngx/.helmignore b/paperless-ngx/.helmignore
new file mode 100644
index 0000000..0e8a0eb
--- /dev/null
+++ b/paperless-ngx/.helmignore
@@ -0,0 +1,23 @@
+# Patterns to ignore when building packages.
+# This supports shell glob matching, relative path matching, and
+# negation (prefixed with !). Only one pattern per line.
+.DS_Store
+# Common VCS dirs
+.git/
+.gitignore
+.bzr/
+.bzrignore
+.hg/
+.hgignore
+.svn/
+# Common backup files
+*.swp
+*.bak
+*.tmp
+*.orig
+*~
+# Various IDEs
+.project
+.idea/
+*.tmproj
+.vscode/
diff --git a/paperless-ngx/Chart.lock b/paperless-ngx/Chart.lock
new file mode 100644
index 0000000..47e26d1
--- /dev/null
+++ b/paperless-ngx/Chart.lock
@@ -0,0 +1,9 @@
+dependencies:
+- name: postgresql
+ repository: oci://docker.io/bitnamicharts
+ version: 16.4.14
+- name: redis
+ repository: oci://docker.io/bitnamicharts
+ version: 20.8.0
+digest: sha256:fdf0248d6b962b14c31dd1c124a0201a922ebc4da131e7e2bb30da85a0c8fe19
+generated: "2025-02-23T13:49:04.061387344+01:00"
diff --git a/paperless-ngx/Chart.yaml b/paperless-ngx/Chart.yaml
new file mode 100644
index 0000000..aa70bcd
--- /dev/null
+++ b/paperless-ngx/Chart.yaml
@@ -0,0 +1,31 @@
+apiVersion: v2
+name: paperless-ngx
+description: A document management system that transforms your physical documents into a searchable online archive so you can keep, well, less paper.
+type: application
+icon: https://github.com/paperless-ngx/paperless-ngx/raw/main/resources/logo/web/svg/square.svg
+home: https://wrenix.eu/docs/helm-charts/paperless-ngx/
+version: "0.1.0"
+# renovate: image=ghcr.io/paperless-ngx/paperless-ngx
+appVersion: "2.14.7"
+keywords:
+ - paperless
+ - paperless-ng
+ - paperless-ngx
+ - dms
+ - document
+maintainers:
+ - name: WrenIX
+ url: https://wrenix.eu
+sources:
+ - https://github.com/paperless-ngx/paperless-ngx
+ - https://git.chaos.fyi/wrenix/helm-charts/src/branch/main/paperless-ngx
+ - https://codeberg.org/wrenix/helm-charts/src/branch/main/paperless-ngx
+dependencies:
+ - name: postgresql
+ version: "^16.3.1"
+ repository: "oci://docker.io/bitnamicharts"
+ condition: postgresql.enabled
+ - name: redis
+ version: "20.8.0"
+ repository: "oci://docker.io/bitnamicharts"
+ condition: redis.enabled
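Review bot: The `postgresql` dependency is declared as the range `version: "^16.3.1"` while `redis` is pinned to `"20.8.0"`, so the two subcharts follow different update policies. Chart.lock resolves the range to 16.4.14 today, but any `helm dependency update` can move the database subchart to a newer 16.x release without a visible change in this file. Pinning it exactly, `version: "16.4.14"`, and bumping it the way the `# renovate:` comment already handles `appVersion` keeps dependency changes reviewable.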
diff --git a/paperless-ngx/README.md b/paperless-ngx/README.md
new file mode 100644
index 0000000..20829ab
--- /dev/null
+++ b/paperless-ngx/README.md
@@ -0,0 +1,162 @@
+---
+title: "paperless-ngx"
+
+description: "A document management system that transforms your physical documents into a searchable online archive so you can keep, well, less paper."
+
+---
+
+# paperless-ngx
+
+  
+
+A document management system that transforms your physical documents into a searchable online archive so you can keep, well, less paper.
+
+**Homepage:**
+
+## Maintainers
+
+| Name | Email | Url |
+| ---- | ------ | --- |
+| WrenIX | | |
+
+## Source Code
+
+*
+*
+*
+
+## Usage
+
+Helm must be installed and setup to your kubernetes cluster to use the charts.
+Refer to Helm's [documentation](https://helm.sh/docs) to get started.
+Once Helm has been set up correctly, fetch the charts as follows:
+
+```bash
+helm pull oci://codeberg.org/wrenix/helm-charts/paperless-ngx
+```
+
+You can install a chart release using the following command:
+
+```bash
+helm install paperless-ngx-release oci://codeberg.org/wrenix/helm-charts/paperless-ngx --values values.yaml
+```
+
+To uninstall a chart release use `helm`'s delete command:
+
+```bash
+helm uninstall paperless-ngx-release
+```
+
+## Requirements
+
+| Repository | Name | Version |
+|------------|------|---------|
+| oci://docker.io/bitnamicharts | postgresql | ^16.3.1 |
+| oci://docker.io/bitnamicharts | redis | 20.8.0 |
+
+## Values
+
+### NetworkPolicy
+
+| Key | Type | Default | Description |
+|-----|------|---------|-------------|
+| networkPolicy.egress.database | list | `[]` | rule to access Database (e.g. postgresql, redis) |
+| networkPolicy.egress.dns | list | `[{"namespaceSelector":{"matchLabels":{"kubernetes.io/metadata.name":"kube-system"}},"podSelector":{"matchLabels":{"k8s-app":"kube-dns"}}}]` | rule to access DNS |
+| networkPolicy.egress.enabled | bool | `true` | activate egress no networkpolicy |
+| networkPolicy.egress.extra | list | `[]` | allow additinal egress (e.g. smtp, imap) |
+| networkPolicy.enabled | bool | `false` | deploy networkpolicy |
+| networkPolicy.ingress.http | list | `[]` | allow to http ports should be your ingress-controller |
+| networkPolicy.ingress.metrics | list | `[]` | ingress for metrics port (e.g. prometheus) |
+
+### Other Values
+
+| Key | Type | Default | Description |
+|-----|------|---------|-------------|
+| affinity | object | `{}` | |
+| autoscaling.enabled | bool | `false` | |
+| autoscaling.maxReplicas | int | `100` | |
+| autoscaling.minReplicas | int | `1` | |
+| autoscaling.targetCPUUtilizationPercentage | int | `80` | |
+| config.apps | string | `nil` | |
+| config.database.engine | string | `"postgresql"` | |
+| config.database.host | string | `""` | |
+| config.database.name | string | `"paperless"` | |
+| config.database.pass | string | `"paperless"` | |
+| config.database.port | int | `5432` | |
+| config.database.sslmode | string | `"prefer"` | |
+| config.database.user | string | `"paperless"` | |
+| config.oidcProviders | string | `nil` | |
+| config.redis.prefix | string | `""` | |
+| config.redis.url | string | `""` | |
+| config.url | string | `nil` | default first ingress host |
+| env.PAPERLESS_ENABLE_FLOWER | bool | `true` | start service for monitor background jobs e.g. for prometheus (example value for env) |
+| env.PAPERLESS_USE_X_FORWARD_HOST | bool | `true` | correct ip-address by X-Forwarded-For (example value for env) |
+| fullnameOverride | string | `""` | |
+| global.image.pullPolicy | string | `nil` | if set it will overwrite all pullPolicy |
+| global.image.registry | string | `nil` | if set it will overwrite all registry entries |
+| grafana.dashboards.annotations | object | `{}` | |
+| grafana.dashboards.enabled | bool | `false` | |
+| grafana.dashboards.labels.grafana_dashboard | string | `"1"` | |
+| image.pullPolicy | string | `"IfNotPresent"` | This sets the pull policy for images. |
+| image.registry | string | `"ghcr.io"` | |
+| image.repository | string | `"paperless-ngx/paperless-ngx"` | |
+| image.tag | string | `""` | |
+| imagePullSecrets | list | `[]` | This is for the secrets for pulling an image from a private repository more information can be found here: https://kubernetes.io/docs/tasks/configure-pod-container/pull-image-private-registry/ |
+| ingress.annotations | object | `{}` | |
+| ingress.className | string | `""` | |
+| ingress.enabled | bool | `false` | |
+| ingress.hosts[0].host | string | `"chart-example.local"` | |
+| ingress.hosts[0].paths[0].path | string | `"/"` | |
+| ingress.hosts[0].paths[0].pathType | string | `"ImplementationSpecific"` | |
+| ingress.tls | list | `[]` | |
+| livenessProbe.httpGet.path | string | `"/"` | |
+| livenessProbe.httpGet.port | string | `"http"` | |
+| nameOverride | string | `""` | This is to override the chart name. |
+| nodeSelector | object | `{}` | |
+| persistence.accessMode | string | `"ReadWriteOnce"` | |
+| persistence.annotations | object | `{}` | |
+| persistence.enabled | bool | `true` | |
+| persistence.existingClaim | string | `nil` | A manually managed Persistent Volume and Claim Requires persistence.enabled: true If defined, PVC must be created manually before volume will be bound |
+| persistence.hostPath | string | `nil` | Do not create an PVC, direct use hostPath in Pod |
+| persistence.size | string | `"5Gi"` | |
+| persistence.storageClass | string | `nil` | Persistent Volume Storage Class If defined, storageClassName: If set to "-", storageClassName: "", which disables dynamic provisioning If undefined (the default) or set to null, no storageClassName spec is set, choosing the default provisioner. (gp2 on AWS, standard on GKE, AWS & OpenStack) |
+| podAnnotations | object | `{}` | This is for setting Kubernetes Annotations to a Pod. For more information checkout: https://kubernetes.io/docs/concepts/overview/working-with-objects/annotations/ |
+| podLabels | object | `{}` | This is for setting Kubernetes Labels to a Pod. For more information checkout: https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/ |
+| podSecurityContext | object | `{}` | |
+| postgresql.auth.database | string | `"pretix"` | |
+| postgresql.auth.password | string | `"pretix"` | |
+| postgresql.auth.postgresPassword | string | `"supersecureadminpassword"` | |
+| postgresql.auth.username | string | `"pretix"` | |
+| postgresql.enabled | bool | `true` | |
+| prometheus.rules.additionalRules | list | `[]` | |
+| prometheus.rules.enabled | bool | `false` | |
+| prometheus.rules.labels | object | `{}` | |
+| prometheus.servicemonitor.enabled | bool | `false` | broken, Host need to be localhost on request (instatt of ip) needs: https://github.com/prometheus-operator/prometheus-operator/pull/7003 |
+| prometheus.servicemonitor.interval | string | `nil` | interval |
+| prometheus.servicemonitor.labels | object | `{}` | |
+| prometheus.servicemonitor.scrapeTimeout | string | `nil` | scrape timeout |
+| readinessProbe.httpGet.path | string | `"/"` | |
+| readinessProbe.httpGet.port | string | `"http"` | |
+| redis.architecture | string | `"standalone"` | |
+| redis.auth.enabled | bool | `true` | |
+| redis.auth.existingSecret | string | `""` | name of an existing secret with Redis credentials (instead of auth.password), must be created ahead of time |
+| redis.auth.existingSecretPasswordKey | string | `""` | Password key to be retrieved from existing secret |
+| redis.auth.password | string | `"changeme"` | |
+| redis.enabled | bool | `true` | |
+| redis.global.storageClass | string | `""` | |
+| redis.master.persistence.enabled | bool | `true` | |
+| redis.replica.persistence.enabled | bool | `true` | |
+| replicaCount | int | `1` | |
+| resources | object | `{}` | |
+| securityContext | object | `{}` | |
+| service.port | int | `80` | This sets the ports more information can be found here: https://kubernetes.io/docs/concepts/services-networking/service/#field-spec-ports |
+| service.type | string | `"ClusterIP"` | This sets the service type more information can be found here: https://kubernetes.io/docs/concepts/services-networking/service/#publishing-services-service-types |
+| serviceAccount.annotations | object | `{}` | Annotations to add to the service account |
+| serviceAccount.automount | bool | `true` | Automatically mount a ServiceAccount's API credentials? |
+| serviceAccount.create | bool | `true` | Specifies whether a service account should be created |
+| serviceAccount.name | string | `""` | The name of the service account to use. If not set and create is true, a name is generated using the fullname template |
+| tolerations | list | `[]` | |
+| volumeMounts | list | `[]` | |
+| volumes | list | `[]` | |
+
+Autogenerated from chart metadata using [helm-docs](https://github.com/norwoodj/helm-docs)
diff --git a/paperless-ngx/_docs.gotmpl b/paperless-ngx/_docs.gotmpl
new file mode 100644
index 0000000..e69de29
diff --git a/paperless-ngx/templates/NOTES.txt b/paperless-ngx/templates/NOTES.txt
new file mode 100644
index 0000000..f6c153f
--- /dev/null
+++ b/paperless-ngx/templates/NOTES.txt
@@ -0,0 +1,22 @@
+1. Get the application URL by running these commands:
+{{- if .Values.ingress.enabled }}
+{{- range $host := .Values.ingress.hosts }}
+ {{- range .paths }}
+ http{{ if $.Values.ingress.tls }}s{{ end }}://{{ $host.host }}{{ .path }}
+ {{- end }}
+{{- end }}
+{{- else if contains "NodePort" .Values.service.type }}
+ export NODE_PORT=$(kubectl get --namespace {{ .Release.Namespace }} -o jsonpath="{.spec.ports[0].nodePort}" services {{ include "paperless-ngx.fullname" . }})
+ export NODE_IP=$(kubectl get nodes --namespace {{ .Release.Namespace }} -o jsonpath="{.items[0].status.addresses[0].address}")
+ echo http://$NODE_IP:$NODE_PORT
+{{- else if contains "LoadBalancer" .Values.service.type }}
+ NOTE: It may take a few minutes for the LoadBalancer IP to be available.
+ You can watch its status by running 'kubectl get --namespace {{ .Release.Namespace }} svc -w {{ include "paperless-ngx.fullname" . }}'
+ export SERVICE_IP=$(kubectl get svc --namespace {{ .Release.Namespace }} {{ include "paperless-ngx.fullname" . }} --template "{{"{{ range (index .status.loadBalancer.ingress 0) }}{{.}}{{ end }}"}}")
+ echo http://$SERVICE_IP:{{ .Values.service.port }}
+{{- else if contains "ClusterIP" .Values.service.type }}
+ export POD_NAME=$(kubectl get pods --namespace {{ .Release.Namespace }} -l "app.kubernetes.io/name={{ include "paperless-ngx.name" . }},app.kubernetes.io/instance={{ .Release.Name }}" -o jsonpath="{.items[0].metadata.name}")
+ export CONTAINER_PORT=$(kubectl get pod --namespace {{ .Release.Namespace }} $POD_NAME -o jsonpath="{.spec.containers[0].ports[0].containerPort}")
+ echo "Visit http://127.0.0.1:8080 to use your application"
+ kubectl --namespace {{ .Release.Namespace }} port-forward $POD_NAME 8080:$CONTAINER_PORT
+{{- end }}
diff --git a/paperless-ngx/templates/_helpers.tpl b/paperless-ngx/templates/_helpers.tpl
new file mode 100644
index 0000000..b8b5e3b
--- /dev/null
+++ b/paperless-ngx/templates/_helpers.tpl
@@ -0,0 +1,62 @@
+{{/*
+Expand the name of the chart.
+*/}}
+{{- define "paperless-ngx.name" -}}
+{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" }}
+{{- end }}
+
+{{/*
+Create a default fully qualified app name.
+We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec).
+If release name contains chart name it will be used as a full name.
+*/}}
+{{- define "paperless-ngx.fullname" -}}
+{{- if .Values.fullnameOverride }}
+{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" }}
+{{- else }}
+{{- $name := default .Chart.Name .Values.nameOverride }}
+{{- if contains $name .Release.Name }}
+{{- .Release.Name | trunc 63 | trimSuffix "-" }}
+{{- else }}
+{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" }}
+{{- end }}
+{{- end }}
+{{- end }}
+
+{{/*
+Create chart name and version as used by the chart label.
+*/}}
+{{- define "paperless-ngx.chart" -}}
+{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" }}
+{{- end }}
+
+{{/*
+Common labels
+*/}}
+{{- define "paperless-ngx.labels" -}}
+helm.sh/chart: {{ include "paperless-ngx.chart" . }}
+{{ include "paperless-ngx.selectorLabels" . }}
+{{- if .Chart.AppVersion }}
+app.kubernetes.io/version: {{ .Chart.AppVersion | quote }}
+{{- end }}
+app.kubernetes.io/managed-by: {{ .Release.Service }}
+{{- end }}
+
+{{/*
+Selector labels
+*/}}
+{{- define "paperless-ngx.selectorLabels" -}}
+app.kubernetes.io/name: {{ include "paperless-ngx.name" . }}
+app.kubernetes.io/instance: {{ .Release.Name }}
+{{- end }}
+
+{{/*
+Create the name of the service account to use
+*/}}
+{{- define "paperless-ngx.serviceAccountName" -}}
+{{- if .Values.serviceAccount.create }}
+{{- default (include "paperless-ngx.fullname" .) .Values.serviceAccount.name }}
+{{- else }}
+{{- default "default" .Values.serviceAccount.name }}
+{{- end }}
+{{- end }}
diff --git a/paperless-ngx/templates/configmap_grafana_dashboards.yaml b/paperless-ngx/templates/configmap_grafana_dashboards.yaml
new file mode 100644
index 0000000..a0c6b4b
--- /dev/null
+++ b/paperless-ngx/templates/configmap_grafana_dashboards.yaml
@@ -0,0 +1,14 @@
+{{- if .Values.grafana.dashboards.enabled }}
+---
+apiVersion: v1
+kind: ConfigMap
+metadata:
+ name: {{ include "paperless-ngx.fullname" . }}-grafana-dashboards
+ labels:
+ {{- include "paperless-ngx.labels" . | nindent 4 }}
+ {{- toYaml .Values.grafana.dashboards.labels | nindent 4 }}
+ annotations:
+ {{- toYaml .Values.grafana.dashboards.annotations | nindent 4 }}
+data:
+ {{- (.Files.Glob "grafana_dashboards/*.json" ).AsConfig | nindent 2 }}
+{{- end }}
diff --git a/paperless-ngx/templates/deployment.yaml b/paperless-ngx/templates/deployment.yaml
new file mode 100644
index 0000000..193e7a0
--- /dev/null
+++ b/paperless-ngx/templates/deployment.yaml
@@ -0,0 +1,129 @@
+---
+{{- $fullname := include "paperless-ngx.fullname" . }}
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ name: {{ $fullname }}
+ labels:
+ {{- include "paperless-ngx.labels" . | nindent 4 }}
+spec:
+ {{- if not .Values.autoscaling.enabled }}
+ replicas: {{ .Values.replicaCount }}
+ {{- end }}
+ selector:
+ matchLabels:
+ {{- include "paperless-ngx.selectorLabels" . | nindent 6 }}
+ template:
+ metadata:
+ annotations:
+ "checksum/config": {{ toYaml .Values.config | sha256sum }}
+ "checksum/env": {{ toYaml .Values.env | sha256sum }}
+ {{- with .Values.podAnnotations }}
+ {{- toYaml . | nindent 8 }}
+ {{- end }}
+ labels:
+ {{- include "paperless-ngx.labels" . | nindent 8 }}
+ {{- with .Values.podLabels }}
+ {{- toYaml . | nindent 8 }}
+ {{- end }}
+ spec:
+ {{- with .Values.imagePullSecrets }}
+ imagePullSecrets:
+ {{- toYaml . | nindent 8 }}
+ {{- end }}
+ serviceAccountName: {{ include "paperless-ngx.serviceAccountName" . }}
+ {{- with .Values.podSecurityContext }}
+ securityContext:
+ {{- toYaml . | nindent 8 }}
+ {{- end }}
+ containers:
+ - name: {{ .Chart.Name }}
+ {{- with .Values.securityContext }}
+ securityContext:
+ {{- toYaml . | nindent 12 }}
+ {{- end }}
+ {{- with .Values.image }}
+ image: "{{ coalesce $.Values.global.image.registry .registry }}/{{ .repository }}:{{ .tag | default $.Chart.AppVersion }}"
+ imagePullPolicy: {{ coalesce $.Values.global.image.pullPolicy .pullPolicy }}
+ {{- end }}
+ ports:
+ - name: http
+ containerPort: 8000
+ protocol: TCP
+ {{- if .Values.env.PAPERLESS_ENABLE_FLOWER }}
+ - name: metrics
+ containerPort: 5555
+ protocol: TCP
+ {{- end }}
+ envFrom:
+ - secretRef:
+ name: {{ $fullname }}
+ {{- with .Values.redis.auth }}
+ {{- if and .enabled .existingSecret }}
+ env:
+ - name: "REDIS_PASSWORD"
+ valueFrom:
+ secretKeyRef:
+ name: {{ .existingSecret }}
+ key: {{ .existingSecretPasswordKey }}
+ {{- end }}
+ {{- end }}{{/* end-with redis.auth */}}
+ {{- with .Values.livenessProbe }}
+ livenessProbe:
+ {{- toYaml . | nindent 12 }}
+ {{- end }}
+ {{- with .Values.readinessProbe }}
+ readinessProbe:
+ {{- toYaml . | nindent 12 }}
+ {{- end }}
+ {{- with .Values.resources }}
+ resources:
+ {{- toYaml . | nindent 12 }}
+ {{- end }}
+ volumeMounts:
+ - mountPath: /usr/src/paperless/data
+ name: storage
+ subPath: data
+ - mountPath: /usr/src/paperless/media
+ name: storage
+ subPath: media
+ - mountPath: /usr/src/paperless/consume
+ name: storage
+ subPath: consume
+ - mountPath: /usr/src/paperless/export
+ name: storage
+ subPath: export
+ {{- with .Values.volumeMounts }}
+ {{- toYaml . | nindent 12 }}
+ {{- end }}
+ volumes:
+ - name: storage
+ {{- with .Values.persistence }}
+ {{- with .hostPath }}
+ hostPath:
+ type: Directory
+ path: {{ . | quote }}
+ {{- else }}
+ {{- if .enabled }}
+ persistentVolumeClaim:
+ claimName: {{ coalesce .existingClaim $fullname }}
+ {{- else }}
+ emptyDir: {}
+ {{- end }}{{/* end-if persistence.enabled */}}
+ {{- end }}{{/* end-else-with hostPath */}}
+ {{- end }}{{/* end-with persistence */}}
+ {{- with .Values.volumes }}
+ {{- toYaml . | nindent 8 }}
+ {{- end }}
+ {{- with .Values.nodeSelector }}
+ nodeSelector:
+ {{- toYaml . | nindent 8 }}
+ {{- end }}
+ {{- with .Values.affinity }}
+ affinity:
+ {{- toYaml . | nindent 8 }}
+ {{- end }}
+ {{- with .Values.tolerations }}
+ tolerations:
+ {{- toYaml . | nindent 8 }}
+ {{- end }}
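Review bot: With `redis.auth.existingSecret` set, `PAPERLESS_REDIS` still reaches the container through `envFrom`, and templates/secrets.yaml renders it with the literal text `$(REDIS_PASSWORD)`. As far as I know Kubernetes expands `$(VAR)` references only in `env[].value`, `command` and `args`, not in values loaded via `envFrom`, so the application would try to authenticate with the placeholder string. In that branch the URL should be an explicit entry placed after `REDIS_PASSWORD` in `env`, for example `- name: PAPERLESS_REDIS` with `value: "redis://:$(REDIS_PASSWORD)@{{ $fullname }}-redis-master"`, and it should be omitted from the Secret.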
diff --git a/paperless-ngx/templates/hpa.yaml b/paperless-ngx/templates/hpa.yaml
new file mode 100644
index 0000000..c7a3875
--- /dev/null
+++ b/paperless-ngx/templates/hpa.yaml
@@ -0,0 +1,32 @@
+{{- if .Values.autoscaling.enabled }}
+apiVersion: autoscaling/v2
+kind: HorizontalPodAutoscaler
+metadata:
+ name: {{ include "paperless-ngx.fullname" . }}
+ labels:
+ {{- include "paperless-ngx.labels" . | nindent 4 }}
+spec:
+ scaleTargetRef:
+ apiVersion: apps/v1
+ kind: Deployment
+ name: {{ include "paperless-ngx.fullname" . }}
+ minReplicas: {{ .Values.autoscaling.minReplicas }}
+ maxReplicas: {{ .Values.autoscaling.maxReplicas }}
+ metrics:
+ {{- if .Values.autoscaling.targetCPUUtilizationPercentage }}
+ - type: Resource
+ resource:
+ name: cpu
+ target:
+ type: Utilization
+ averageUtilization: {{ .Values.autoscaling.targetCPUUtilizationPercentage }}
+ {{- end }}
+ {{- if .Values.autoscaling.targetMemoryUtilizationPercentage }}
+ - type: Resource
+ resource:
+ name: memory
+ target:
+ type: Utilization
+ averageUtilization: {{ .Values.autoscaling.targetMemoryUtilizationPercentage }}
+ {{- end }}
+{{- end }}
diff --git a/paperless-ngx/templates/ingress.yaml b/paperless-ngx/templates/ingress.yaml
new file mode 100644
index 0000000..d205bd2
--- /dev/null
+++ b/paperless-ngx/templates/ingress.yaml
@@ -0,0 +1,43 @@
+{{- if .Values.ingress.enabled -}}
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+ name: {{ include "paperless-ngx.fullname" . }}
+ labels:
+ {{- include "paperless-ngx.labels" . | nindent 4 }}
+ {{- with .Values.ingress.annotations }}
+ annotations:
+ {{- toYaml . | nindent 4 }}
+ {{- end }}
+spec:
+ {{- with .Values.ingress.className }}
+ ingressClassName: {{ . }}
+ {{- end }}
+ {{- if .Values.ingress.tls }}
+ tls:
+ {{- range .Values.ingress.tls }}
+ - hosts:
+ {{- range .hosts }}
+ - {{ . | quote }}
+ {{- end }}
+ secretName: {{ .secretName }}
+ {{- end }}
+ {{- end }}
+ rules:
+ {{- range .Values.ingress.hosts }}
+ - host: {{ .host | quote }}
+ http:
+ paths:
+ {{- range .paths }}
+ - path: {{ .path }}
+ {{- with .pathType }}
+ pathType: {{ . }}
+ {{- end }}
+ backend:
+ service:
+ name: {{ include "paperless-ngx.fullname" $ }}
+ port:
+ number: {{ $.Values.service.port }}
+ {{- end }}
+ {{- end }}
+{{- end }}
diff --git a/paperless-ngx/templates/networkpolicy.yaml b/paperless-ngx/templates/networkpolicy.yaml
new file mode 100644
index 0000000..54d538e
--- /dev/null
+++ b/paperless-ngx/templates/networkpolicy.yaml
@@ -0,0 +1,73 @@
+{{- with .Values.networkPolicy }}
+{{- if .enabled }}
+---
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+ name: {{ include "paperless-ngx.fullname" $ }}
+ labels:
+ {{- include "paperless-ngx.labels" $ | nindent 4 }}
+spec:
+ podSelector:
+ matchLabels:
+ {{- include "paperless-ngx.selectorLabels" $ | nindent 6 }}
+ policyTypes:
+ - Ingress
+ {{- if .egress.enabled }}
+ - Egress
+ {{- end }}
+ ingress:
+ {{- with .ingress.http }}
+ - ports:
+ - port: 8000
+ protocol: TCP
+ from:
+ {{- toYaml . | nindent 8 }}
+ {{- end }}{{/* end-with .ingress.http */}}
+
+ {{- with .ingress.metrics }}
+ - ports:
+ - port: 5555
+ protocol: TCP
+ from:
+ {{- toYaml . | nindent 8 }}
+ {{- end }}{{/* end-with .ingress.metrics */}}
+
+ {{- with .egress }}
+ {{- if .enabled }}
+ egress:
+ {{- with .dns }}
+ - ports:
+ - port: 53
+ protocol: UDP
+ to:
+ {{- toYaml . | nindent 8 }}
+ {{- end }}
+ {{- with .database }}
+ {{- toYaml . | nindent 4 }}
+ {{- else }}
+ - ports:
+ - port: 5432
+ protocol: TCP
+ to:
+ - podSelector:
+ matchLabels:
+ app.kubernetes.io/instance: {{ .Release.Name }}
+ app.kubernetes.io/name: postgresql
+ - ports:
+ - port: 6379
+ protocol: TCP
+ to:
+ - podSelector:
+ matchLabels:
+ app.kubernetes.io/instance: {{ .Release.Name }}
+ app.kubernetes.io/name: redis
+ app.kubernetes.io/component: master
+ {{- end }}
+ {{- with .extra }}
+ {{- toYaml . | nindent 4 }}
+ {{- end }}
+ {{- end }}{{/* end-if egress.enabled */}}
+ {{- end }}{{/* end-with .egress */}}
+{{- end }}
+{{- end }}
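Review bot: The default database egress rules use `{{ .Release.Name }}` inside `with .Values.networkPolicy` / `with .egress`, where `.` is the egress map rather than the root context. Rendering should therefore fail or produce an empty selector value as soon as `networkPolicy.enabled` is true and `egress.database` keeps its default `[]`. Both selectors need the root context: `app.kubernetes.io/instance: {{ $.Release.Name }}`. The DNS rule also opens only UDP 53; resolvers fall back to TCP for large answers, so adding `- port: 53` with `protocol: TCP` avoids intermittent lookup failures once egress is enforced.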
diff --git a/paperless-ngx/templates/prometheus-rules.yaml b/paperless-ngx/templates/prometheus-rules.yaml
new file mode 100644
index 0000000..f6b5e7d
--- /dev/null
+++ b/paperless-ngx/templates/prometheus-rules.yaml
@@ -0,0 +1,20 @@
+{{- if and .Values.prometheus.rules.enabled }}
+apiVersion: monitoring.coreos.com/v1
+kind: PrometheusRule
+metadata:
+ name: {{ include "paperless-ngx.fullname" . }}
+ labels:
+ {{- include "paperless-ngx.labels" . | nindent 4 }}
+ {{- with .Values.prometheus.rules.labels }}
+ {{- toYaml . | nindent 4 }}
+ {{- end }}
+spec:
+ groups:
+ - name: {{ template "paperless-ngx.fullname" . }}-Additional
+ rules: []
+ {{- with .Values.prometheus.rules.additionalRules }}
+ - name: {{ template "paperless-ngx.fullname" $ }}-Additional
+ rules:
+ {{- toYaml . | nindent 8 }}
+ {{- end }}
+{{- end }}
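Review bot: When `prometheus.rules.additionalRules` is set, the rendered `groups` list holds two groups with the same `…-Additional` name, the first with `rules: []`. Prometheus rejects rule files that repeat a group name, so the user's rules would likely never load. Drop the placeholder group (or give it a distinct name) and render `groups: []` when there are no additional rules. As a style point, `{{- if and .Values.prometheus.rules.enabled }}` passes a single argument to `and`; a plain `if` reads better.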
diff --git a/paperless-ngx/templates/pvc.yaml b/paperless-ngx/templates/pvc.yaml
new file mode 100644
index 0000000..2d652be
--- /dev/null
+++ b/paperless-ngx/templates/pvc.yaml
@@ -0,0 +1,29 @@
+{{- if and
+ .Values.persistence.enabled
+ (not .Values.persistence.hostPath)
+ (not .Values.persistence.existingClaim)
+}}
+kind: PersistentVolumeClaim
+apiVersion: v1
+metadata:
+ name: {{ template "paperless-ngx.fullname" . }}
+ labels:
+ {{- include "paperless-ngx.labels" . | nindent 4 }}
+ {{- with .Values.persistence.annotations }}
+ annotations:
+ {{ toYaml . | indent 4 }}
+ {{- end }}
+spec:
+ accessModes:
+ - {{ .Values.persistence.accessMode | quote }}
+ resources:
+ requests:
+ storage: {{ .Values.persistence.size | quote }}
+ {{- with .Values.persistence.storageClass }}
+ {{- if (eq "-" .) }}
+ storageClassName: ""
+ {{- else }}
+ storageClassName: {{ . | quote }}
+ {{- end }}
+ {{- end }}
+{{- end -}}
diff --git a/paperless-ngx/templates/secrets.yaml b/paperless-ngx/templates/secrets.yaml
new file mode 100644
index 0000000..70baf40
--- /dev/null
+++ b/paperless-ngx/templates/secrets.yaml
@@ -0,0 +1,81 @@
+---
+{{- $fullname := include "paperless-ngx.fullname" . }}
+{{- $secret := (lookup "v1" "Secret" .Release.Namespace $fullname) }}
+apiVersion: v1
+kind: Secret
+metadata:
+ name: {{ $fullname }}
+ labels:
+ {{- include "paperless-ngx.labels" . | nindent 4 }}
+ annotations:
+ "checksum/config": {{ toYaml .Values.config | sha256sum }}
+ "checksum/env": {{ toYaml .Values.env | sha256sum }}
+
+data:
+ {{- with .Values.config.url }}
+ PAPERLESS_URL: {{ toYaml . | b64enc }}
+ {{- else }}
+ {{- $ingressTLS := ne ( len .Values.ingress.tls ) 0 }}
+ PAPERLESS_URL: {{ printf "%s://%s" (ternary "https" "http" $ingressTLS) (first .Values.ingress.hosts).host | b64enc }}
+ {{- end }}
+ {{- with .Values.config.redis }}
+ {{- with .url }}
+ PAPERLESS_REDIS: {{ toYaml . | b64enc }}
+ {{- else }}
+ {{- if $.Values.redis.auth.enabled }}
+ {{- if $.Values.redis.auth.existingSecret }}
+ PAPERLESS_REDIS: {{ printf "redis://:$(REDIS_PASSWORD)@%s-redis-master" (include "paperless-ngx.fullname" $)| b64enc }}
+ {{- else }}
+ PAPERLESS_REDIS: {{ printf "redis://:%s@%s-redis-master" $.Values.redis.auth.password (include "paperless-ngx.fullname" $)| b64enc }}
+ {{- end }}
+ {{- else }}
+ PAPERLESS_REDIS: {{ printf "redis://%s-redis-master" (include "paperless-ngx.fullname" $)| b64enc }}
+ {{- end }}
+ {{- end }}
+ {{- with .prefix }}
+ PAPERLESS_REDIS_PREFIX: {{ toYaml . | b64enc }}
+ {{- end }}
+ {{- end }}
+
+ {{- with .Values.config.database }}
+ {{- with .engine }}
+ PAPERLESS_DBENGINE: {{ toYaml . | b64enc }}
+ {{- end }}
+ {{- with .host }}
+ PAPERLESS_DBHOST: {{ toYaml . | b64enc }}
+ {{- else }}
+ PAPERLESS_DBHOST: {{ printf "%s-postgresql" (include "paperless-ngx.fullname" $) | b64enc }}
+ {{- end }}
+ {{- with .port }}
+ PAPERLESS_DBPORT: {{ toYaml . | b64enc }}
+ {{- end }}
+ {{- with .name }}
+ PAPERLESS_DBNAME: {{ toYaml . | b64enc }}
+ {{- end }}
+ {{- with .user }}
+ PAPERLESS_DBUSER: {{ toYaml . | b64enc }}
+ {{- end }}
+ {{- with .pass }}
+ PAPERLESS_DBPASS: {{ toYaml . | b64enc }}
+ {{- end }}
+ {{- with .sslmode }}
+ PAPERLESS_DBSSLMODE: {{ toYaml . | b64enc }}
+ {{- end }}
+ {{- end }}{{/* end-with .config.database */}}
+
+ {{- with .Values.config.apps }}
+ PAPERLESS_APPS: {{ toYaml . | b64enc }}
+ {{- end }}
+ {{- with .Values.config.oidcProviders }}
+ PAPERLESS_SOCIALACCOUNT_PROVIDERS: {{ toJson . | b64enc }}
+ {{- end }}
+
+ PAPERLESS_SECRET_KEY: {{ .Values.env.PAPERLESS_SECRET_KEY
+ | default (dig "data" "PAPERLESS_SECRET_KEY" "" $secret | b64dec)
+ | default (randAlphaNum 64)
+ | b64enc
+ }}
+
+ {{- range $name, $value := .Values.env }}
+ {{ $name }}: {{ toString $value | b64enc }}
+ {{- end }}
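Review bot: Every string value in this Secret goes through `toYaml` before `b64enc` (e.g. `PAPERLESS_DBPASS: {{ toYaml . | b64enc }}`), so any value that YAML has to quote is stored with the quote characters included. A password that starts with `#` or `*`, contains `: `, or consists only of digits therefore reaches the application as a different credential than the one configured. `{{ . | toString | b64enc }}` keeps the value as given, which is what the `range` over `.Values.env` at the end already does. The inline Redis password in `printf "redis://:%s@%s-redis-master"` has a related problem: it is not percent-encoded, so `@`, `/` or `:` in the password changes how the URL is parsed. Both issues steer operators toward simple passwords, and the chart defaults listed in the README table (`paperless`, `changeme`) are already static.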
diff --git a/paperless-ngx/templates/service.yaml b/paperless-ngx/templates/service.yaml
new file mode 100644
index 0000000..36ea306
--- /dev/null
+++ b/paperless-ngx/templates/service.yaml
@@ -0,0 +1,21 @@
+apiVersion: v1
+kind: Service
+metadata:
+ name: {{ include "paperless-ngx.fullname" . }}
+ labels:
+ {{- include "paperless-ngx.labels" . | nindent 4 }}
+spec:
+ type: {{ .Values.service.type }}
+ selector:
+ {{- include "paperless-ngx.selectorLabels" . | nindent 4 }}
+ ports:
+ - name: http
+ port: {{ .Values.service.port }}
+ protocol: TCP
+ targetPort: http
+ {{- if .Values.env.PAPERLESS_ENABLE_FLOWER }}
+ - name: metrics
+ port: 9100
+ protocol: TCP
+ targetPort: metrics
+ {{- end }}
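Review bot: The `metrics` port is published on the Service whenever `.Values.env.PAPERLESS_ENABLE_FLOWER` is truthy, and the README table lists that value as `true` by default, so a default install exposes Flower on port 9100 to anything that can reach the Service. Unless the image configures authentication for Flower (not visible in this commit), the task-monitoring UI would be reachable without credentials while `networkPolicy.enabled` defaults to `false`. The condition is also a plain truthiness test, so the string `"false"` would still enable the port. Consider publishing the port only when monitoring is wanted, e.g. `{{- if and .Values.env.PAPERLESS_ENABLE_FLOWER .Values.prometheus.servicemonitor.enabled }}`, and comparing against the boolean explicitly.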
diff --git a/paperless-ngx/templates/serviceaccount.yaml b/paperless-ngx/templates/serviceaccount.yaml
new file mode 100644
index 0000000..2d0cff1
--- /dev/null
+++ b/paperless-ngx/templates/serviceaccount.yaml
@@ -0,0 +1,13 @@
+{{- if .Values.serviceAccount.create -}}
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+ name: {{ include "paperless-ngx.serviceAccountName" . }}
+ labels:
+ {{- include "paperless-ngx.labels" . | nindent 4 }}
+ {{- with .Values.serviceAccount.annotations }}
+ annotations:
+ {{- toYaml . | nindent 4 }}
+ {{- end }}
+automountServiceAccountToken: {{ .Values.serviceAccount.automount }}
+{{- end }}
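Review bot: `automountServiceAccountToken` is set only on the ServiceAccount object, and the pod spec in templates/deployment.yaml does not set the field. As a result `serviceAccount.automount: false` has no effect when `serviceAccount.create` is false and the pod runs under an existing account or `default`. Adding `automountServiceAccountToken: {{ .Values.serviceAccount.automount }}` next to `serviceAccountName` in the Deployment makes the setting apply in both cases. Nothing in this chart appears to call the Kubernetes API, so defaulting `automount` to `false` would be the least-privilege choice.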
diff --git a/paperless-ngx/templates/servicemonitor.yaml b/paperless-ngx/templates/servicemonitor.yaml
new file mode 100644
index 0000000..9ed119e
--- /dev/null
+++ b/paperless-ngx/templates/servicemonitor.yaml
@@ -0,0 +1,27 @@
+{{- if and .Values.prometheus.servicemonitor.enabled }}
+apiVersion: monitoring.coreos.com/v1
+kind: ServiceMonitor
+metadata:
+ name: {{ include "paperless-ngx.fullname" . }}
+ labels:
+ {{- include "paperless-ngx.labels" . | nindent 4 }}
+ {{- with .Values.prometheus.servicemonitor.labels }}
+ {{- toYaml . | nindent 4 }}
+ {{- end }}
+spec:
+ selector:
+ matchLabels:
+ {{- include "paperless-ngx.selectorLabels" . | nindent 6 }}
+ endpoints:
+ - port: metrics
+ path: "/metrics"
+ {{- with .Values.prometheus.servicemonitor }}
+ {{- with .interval }}
+ interval: {{ . }}
+ {{- end }}
+ {{- with .scrapeTimeout }}
+ scrapeTimeout: {{ . }}
+ {{- end }}
+ {{- end }}
+{{- end }}
+
diff --git a/paperless-ngx/templates/tests/test-connection.yaml b/paperless-ngx/templates/tests/test-connection.yaml
new file mode 100644
index 0000000..d9c1f5e
--- /dev/null
+++ b/paperless-ngx/templates/tests/test-connection.yaml
@@ -0,0 +1,15 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: "{{ include "paperless-ngx.fullname" . }}-test-connection"
+ labels:
+ {{- include "paperless-ngx.labels" . | nindent 4 }}
+ annotations:
+ "helm.sh/hook": test
+spec:
+ containers:
+ - name: wget
+ image: busybox
+ command: ['wget']
+ args: ['{{ include "paperless-ngx.fullname" . }}:{{ .Values.service.port }}']
+ restartPolicy: Never
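Review bot: `image: busybox` has no registry, tag or digest, so `helm test` pulls whatever `latest` resolves to from the cluster's default registry. Unlike the main container it also ignores `global.image.registry`. Pin it, e.g. `image: "{{ coalesce .Values.global.image.registry "docker.io" }}/library/busybox:<pinned-tag>"`, with the tag or digest chosen by the maintainer. The test pod also sets no `securityContext`, so it is likely to be rejected in namespaces that enforce the restricted Pod Security Standard.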
diff --git a/paperless-ngx/values.yaml b/paperless-ngx/values.yaml
new file mode 100644
index 0000000..c762be0
--- /dev/null
+++ b/paperless-ngx/values.yaml
@@ -0,0 +1,252 @@
+global:
+ image:
+ # -- if set it will overwrite all registry entries
+ registry:
+ # -- if set it will overwrite all pullPolicy
+ pullPolicy:
+
+# -- This is for the secrets for pulling an image from a private repository more information can be found here: https://kubernetes.io/docs/tasks/configure-pod-container/pull-image-private-registry/
+imagePullSecrets: []
+# -- This is to override the chart name.
+nameOverride: ""
+fullnameOverride: ""
+
+replicaCount: 1
+
+image:
+ registry: "ghcr.io"
+ repository: paperless-ngx/paperless-ngx
+ # -- This sets the pull policy for images.
+ pullPolicy: IfNotPresent
+ tag: ""
+
+
+serviceAccount:
+ # -- Specifies whether a service account should be created
+ create: true
+ # -- Automatically mount a ServiceAccount's API credentials?
+ automount: true
+ # -- Annotations to add to the service account
+ annotations: {}
+ # -- The name of the service account to use.
+ # If not set and create is true, a name is generated using the fullname template
+ name: ""
+
+# -- This is for setting Kubernetes Annotations to a Pod.
+# For more information checkout: https://kubernetes.io/docs/concepts/overview/working-with-objects/annotations/
+podAnnotations: {}
+# -- This is for setting Kubernetes Labels to a Pod.
+# For more information checkout: https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/
+podLabels: {}
+
+podSecurityContext: {}
+ # fsGroup: 2000
+
+securityContext: {}
+ # capabilities:
+ # drop:
+ # - ALL
+ # readOnlyRootFilesystem: true
+ # runAsNonRoot: true
+ # runAsUser: 1000
+
+config:
+ # -- default first ingress host
+ url:
+ apps:
+ redis:
+ url: ""
+ prefix: ""
+ database:
+ engine: "postgresql"
+ host: ""
+ port: 5432
+ name: "paperless"
+ user: "paperless"
+ pass: "paperless"
+ sslmode: "prefer"
+ oidcProviders:
+
+env:
+ # -- correct ip-address by X-Forwarded-For (example value for env)
+ PAPERLESS_USE_X_FORWARD_HOST: true
+ # -- start service for monitor background jobs e.g. for prometheus (example value for env)
+ PAPERLESS_ENABLE_FLOWER: true
+
+# This is for setting up a service more information can be found here: https://kubernetes.io/docs/concepts/services-networking/service/
+service:
+ # -- This sets the service type more information can be found here: https://kubernetes.io/docs/concepts/services-networking/service/#publishing-services-service-types
+ type: ClusterIP
+ # -- This sets the ports more information can be found here: https://kubernetes.io/docs/concepts/services-networking/service/#field-spec-ports
+ port: 80
+
+# This block is for setting up the ingress for more information can be found here: https://kubernetes.io/docs/concepts/services-networking/ingress/
+ingress:
+ enabled: false
+ className: ""
+ annotations: {}
+ # kubernetes.io/ingress.class: nginx
+ # kubernetes.io/tls-acme: "true"
+ hosts:
+ - host: chart-example.local
+ paths:
+ - path: /
+ pathType: ImplementationSpecific
+ tls: []
+ # - secretName: chart-example-tls
+ # hosts:
+ # - chart-example.local
+
+resources: {}
+ # We usually recommend not to specify default resources and to leave this as a conscious
+ # choice for the user. This also increases chances charts run on environments with little
+ # resources, such as Minikube. If you do want to specify resources, uncomment the following
+ # lines, adjust them as necessary, and remove the curly braces after 'resources:'.
+ # limits:
+ # cpu: 100m
+ # memory: 128Mi
+ # requests:
+ # cpu: 100m
+ # memory: 128Mi
+
+# This is to setup the liveness and readiness probes more information can be found here: https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-startup-probes/
+livenessProbe:
+ httpGet:
+ path: /
+ port: http
+readinessProbe:
+ httpGet:
+ path: /
+ port: http
+
+networkPolicy:
+ # -- deploy networkpolicy
+ # @section -- NetworkPolicy
+ enabled: false
+ ingress:
+ # -- allow to http ports
+ # should be your ingress-controller
+ # @section -- NetworkPolicy
+ http: []
+ # -- ingress for metrics port (e.g. prometheus)
+ # @section -- NetworkPolicy
+ metrics: []
+ egress:
+ # -- activate egress no networkpolicy
+ # @section -- NetworkPolicy
+ enabled: true
+ # -- rule to access DNS
+ # @section -- NetworkPolicy
+ dns:
+ - namespaceSelector:
+ matchLabels:
+ kubernetes.io/metadata.name: kube-system
+ podSelector:
+ matchLabels:
+ k8s-app: kube-dns
+ # -- rule to access Database (e.g. postgresql, redis)
+ # @section -- NetworkPolicy
+ database: []
+ # -- allow additinal egress (e.g. smtp, imap)
+ # @section -- NetworkPolicy
+ extra: []
+
+persistence:
+ enabled: true
+ annotations: {}
+ # -- Persistent Volume Storage Class
+ # If defined, storageClassName:
+ # If set to "-", storageClassName: "", which disables dynamic provisioning
+ # If undefined (the default) or set to null, no storageClassName spec is
+ # set, choosing the default provisioner. (gp2 on AWS, standard on
+ # GKE, AWS & OpenStack)
+ #
+ storageClass:
+
+ # -- A manually managed Persistent Volume and Claim
+ # Requires persistence.enabled: true
+ # If defined, PVC must be created manually before volume will be bound
+ existingClaim:
+
+ # -- Do not create an PVC, direct use hostPath in Pod
+ hostPath:
+ accessMode: ReadWriteOnce
+ size: 5Gi
+
+# This section is for setting up autoscaling more information can be found here: https://kubernetes.io/docs/concepts/workloads/autoscaling/
+autoscaling:
+ enabled: false
+ minReplicas: 1
+ maxReplicas: 100
+ targetCPUUtilizationPercentage: 80
+ # targetMemoryUtilizationPercentage: 80
+
+# Additional volumes on the output Deployment definition.
+volumes: []
+# - name: foo
+# secret:
+# secretName: mysecret
+# optional: false
+
+# Additional volumeMounts on the output Deployment definition.
+volumeMounts: []
+# - name: foo
+# mountPath: "/etc/foo"
+# readOnly: true
+
+nodeSelector: {}
+
+tolerations: []
+
+affinity: {}
+
+
+prometheus:
+ servicemonitor:
+ # -- broken, Host need to be localhost on request (instatt of ip)
+ # needs: https://github.com/prometheus-operator/prometheus-operator/pull/7003
+ enabled: false
+ labels: {}
+ # -- interval
+ interval:
+ # -- scrape timeout
+ scrapeTimeout:
+ rules:
+ enabled: false
+ labels: {}
+ # current no default alertrules are provided
+ additionalRules: []
+
+grafana:
+ dashboards:
+ enabled: false
+ labels:
+ grafana_dashboard: "1"
+ annotations: {}
+
+postgresql:
+ enabled: true
+ auth:
+ database: pretix
+ username: pretix
+ password: pretix
+ postgresPassword: supersecureadminpassword
+
+redis:
+ enabled: true
+ architecture: standalone
+ auth:
+ enabled: true
+ password: 'changeme'
+ # -- name of an existing secret with Redis credentials (instead of auth.password), must be created ahead of time
+ existingSecret: ""
+ # -- Password key to be retrieved from existing secret
+ existingSecretPasswordKey: ""
+ global:
+ storageClass: ""
+ master:
+ persistence:
+ enabled: true
+ replica:
+ persistence:
+ enabled: true
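Review bot: The defaults ship working credentials: `config.database.pass: "paperless"`, `postgresql.auth.password: pretix`, `postgresql.auth.postgresPassword: supersecureadminpassword` and `redis.auth.password: 'changeme'`. Both sub-charts are `enabled: true`, so an install with untouched values runs PostgreSQL and Redis with publicly known passwords. Default these to empty, e.g. `password: ""`, and either have the templates fail with `required` when neither a password nor an `existingSecret` is given, or let the Bitnami sub-charts generate random ones. The comment on each key should say the value is stored in the release and is better supplied through an existing Secret. The bundled PostgreSQL is also created with database and user `pretix` while `config.database` expects `paperless`. Whether the templates reconcile the two is not visible in this hunk, but it looks like a leftover from another chart. Separately, `serviceAccount.automount: true` mounts an API token that nothing here shows the application needing, so `false` would be the safer default.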