Skip to content

Commit

Permalink
🚀(project:maison): Install Paperless NGX application
Browse files Browse the repository at this point in the history
Signed-off-by: Alexandre Nicolaie <[email protected]>
  • Loading branch information
xunleii committed Jan 19, 2025
1 parent 45445dc commit 6786ed0
Show file tree
Hide file tree
Showing 31 changed files with 1,346 additions and 361 deletions.
1 change: 0 additions & 1 deletion docs/assets/icons/apps/docspell.svg

This file was deleted.

1 change: 1 addition & 0 deletions docs/assets/icons/apps/paperless.svg
Loading
Sorry, something went wrong. Reload?
Sorry, we cannot display this file.
Sorry, this file is invalid so it cannot be displayed.
Original file line number Diff line number Diff line change
Expand Up @@ -5,4 +5,6 @@ cloud/tailscale/kubernetes.maison.chezmoi.sh
cloud/openai/mealie
security/sso/oidc/clients/linkding
security/sso/oidc/clients/mealie
security/sso/oidc/clients/paperless-ngx
storage/minio/cnpg.maison.chezmoi.sh
storage/smb/paperless-ngx
Original file line number Diff line number Diff line change
@@ -0,0 +1,22 @@
#ENC[AES256_GCM,data:efrgrEkhxEoncF/hB2+Rjrk/QZk51J3ujkv2cXI7oUH0CmBXGLEUNxyEdzXAkPlpTxuR2CyM,iv:FheiuFL8MOYsJ2g0FSRX40byW3K4RHb3MZLsJYCu1ME=,tag:lpVwfbLefQj63DqAGxB/1w==,type:comment]
oidc_configuration: ENC[AES256_GCM,data:/tSKl+5Asppx//tDZrtBd5IDYRp3xIJsE5NnL2XP3+wuX3lLkOrXAROtCeU5SO1+rJOoqlWa1EgtBkpJ8kRvJtlfHZxoLeuXYVSTunMubMmIa+SOUdEnbnTNlT3UA60PwDU71FjWESv/lXzwFQklsIGzdqxnuRymPA6xxfPGh18XNZ0j2Pzu7SFMoZgLoInR+9vdPDIq1bQoMR2GjHxSLPv/stu46M2tDTe84HnOJUGuL4QIn4bCDJg16peAmnvZXxkPhzL9iA3doKI4vO+q9mOeWNxSRt9Xcza6FgzbYLQ5qLJhBWYt78U0zk2IrgZsmw19xLunv6pP1nLNA1gf4y/oU8OKhgN2j8k+uuQQBwksxULD7CVi66moLjV08unx16C/MCMS9BvE2E0a1j7ABau5oGzAeNI0UFL5PhcTus5DC0gRoJm/I1v/WLpHGO9+DtXCKdtG2nzY0H7pEI/HnfcXcy9hU9Ya+MZ69UC9SZ0LkB/d9CkNi3wMlj0dvuq7xbfw/uu9DTAkY3+0UqqASkEEHZewXiTUBIxjLmkzybbWoSd4Ean+L1uQwHRqZT+l+3tjCOchX+SJmIKROcuQ7NDQT2HOoKEw/L2LTDYOqv3oq7bR/EMb0oEu1C2cuTRZ9p+yYOiPulQcw8shov4mR3HEiT1dX9hgy4IvhARYF336UsGHHsh+EWvyPRxYTnl1JxSoWxdzxVComo0IQclVjKvdQH/EINh9zkmVBIu/V/TpzRWzvYk5l6IYTjcZVXUsiwOO3nXxwg7eF+qMMcdgJThd9SbHEmM6y6uXARLTjoiUZYId+Z0b6N0SrspwiEVTGmW5CSm71OqQlzDrG9E8Tio7ahC0gPRKD2eQwzRDZ6PXCDK5B0yWIp3hFd2PSJdAVBUkcdXbVVgDm7kFJDy5cz1gZI/2x/IFvYq4mueYwet9W25uwMiXNiQ7vbyvMd7OcF6YgzwnLQ9RYgoeDBgM/bJ2r6EqHev3T2keIeprSCULXRbGj4HhZDl406Hp8j0zXFdLJJkZbOTgMkyiy9Yu/89w3uFsCAsVU8fzYajVilBtoeae/VlpizBLr3TaKSLKCALf1wZbavjk,iv:e9zG8yR6QwnmoB3s7KYJqM3oVXqk/f5JybT8+XYM3+Q=,tag:j4Ctb7fi89HscCRGbTAEeA==,type:str]
sops:
kms: []
gcp_kms: []
azure_kv: []
hc_vault: []
age:
- recipient: age1fj0yj3na3n5udfjmnxfwrlkp80tvj49w80wh699x33dh48clnvnshtjxe9
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBmbUNmM1ptV0c0U0dEUnFi
aTFESCtUeGtUK21OYTlOaEpWVy9qMi8zdkhBCmNXWkJqV3d6S0hqY2I0NHRJSWdW
SkNONE1UYUNlN0RhUHd2bzF3aXdYL1UKLS0tIFlWRlNUZ29uZlNSUmlzaVZMSlkv
N0cyQ01uSEdtbVNTcmtzSlFQOG9ueDQKize085I5vBJjrQJy367GYKG4bWooMQpc
z5gfLHPtk/x5GilnvfCxCtYnpuc7LReW20vy0KU7+CEHQYMpXGR1DQ==
-----END AGE ENCRYPTED FILE-----
lastmodified: "2025-01-11T17:44:07Z"
mac: ENC[AES256_GCM,data:ddUT4F4JURyjS1fDTRyf28YFkoSZN69Y4JTpZU8/1SwOjoXDYLeL9nWU0WoZvfd/9OLkFUdbjZ6r6mnDFaHvEHDeldg7Oo/QYEbQObvJ1PhyrBBDY8jWrF0GCUCgoeAIvZZkoHWufj3xFzMuVyLxSPn8cD50ZeoE838xeduDKHg=,iv:11pLgqp+jmieoSkf3OZ/OpAqzT9kiKKDC6IoU6m5B4I=,tag:Sp1KTGsOVxFkuCKgi9QR9w==,type:str]
pgp: []
unencrypted_suffix: _unencrypted
version: 3.9.0
Original file line number Diff line number Diff line change
@@ -0,0 +1,22 @@
username: ENC[AES256_GCM,data:Uv+IbewcvZysl18Cmg==,iv:32fqPguQ4p6N83VHWkRza2+Nb1SNJ/Mj6/8+Qr9KOoo=,tag:hsjye42uN3147kPZBxYOKQ==,type:str]
password: ENC[AES256_GCM,data:3VUYBCUGfDVCbJUUFBVeri026fnxOPN/U2mw4mbbJfLCVDhjrEdE2Q==,iv:QvZ5c8q+NlCOQjePTp22xJMmRfPuamy+zv4ySKnel48=,tag:Zg+y8kzlRxB/Xw+SYccXiQ==,type:str]
sops:
kms: []
gcp_kms: []
azure_kv: []
hc_vault: []
age:
- recipient: age1fj0yj3na3n5udfjmnxfwrlkp80tvj49w80wh699x33dh48clnvnshtjxe9
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBXeTR2NFFMMm9KdGw3WHBO
cGc3U2dYaUlBS2dyT0xzWVdtQ3lnMTlldWtVCmJTSExQQTd2RWlGeTJrSmdtNXMv
QmJTQmdReEtMQUZFWXB2ODBJcTBRTVEKLS0tIHBLZDFacDZKMFVZM0dQbGw4UUhl
YVdVeUliSGl1U1g5OFg5Yi9uWHN6eUUK0lv9aLMvWcLWO3uFjLeRHue99VPWhABf
S3W/jltGMzYpVRjNp7kAPCXxa1/eY+3Wz8/ImjlIOuwn9Ckqdx4NVA==
-----END AGE ENCRYPTED FILE-----
lastmodified: "2025-01-12T13:25:22Z"
mac: ENC[AES256_GCM,data:PCqwnYvo37rq3pCC2gh4DbiyYaRj9njIgUdkkSxVvTSj1YXLrsO399gT+OczFPfyqYMJLQH12YAEIXkqCksT4L/eE3wge+SGH3y0WsljSZZ3aSF0QE/WN7pSNuLcSBBgD0hEkJ3rFW7wK2P1qYLMyef9alupsPl+YG8YQCdpZ6E=,iv:xlL9dBEyxK3SLRkeBKRhtwz8SkYKtxdXFNyd8/zTgvI=,tag:Ye984L1zvrL49gzDS93rpQ==,type:str]
pgp: []
unencrypted_suffix: _unencrypted
version: 3.9.0
27 changes: 15 additions & 12 deletions projects/maison/architecture.d2
Original file line number Diff line number Diff line change
Expand Up @@ -258,20 +258,19 @@ maison: {
source-arrowhead: HTTP (9000)
}

# - Docspell
Docspell: {
class: [application; undeployed]
icon: assets/icons/apps/docspell.svg
link: https://docspell.org/
tooltip: Docspell is a personal document management system.
# - Paperless
Paperless: {
class: [application]
icon: assets/icons/apps/paperless.svg
link: https://paperless-ngx.com/
tooltip: Paperless-ngx is a community-supported open-source document management system that transforms your physical documents into a searchable online archive.
}
Docspell <- _.system.Traefik: {
class: [undeployed]
source-arrowhead: HTTP (7880)
Paperless <- _.system.Traefik: {
source-arrowhead: HTTP (8000)
}
Docspell <- _.system.Tailscale: {
class: [connect-vpn; undeployed]
source-arrowhead: HTTP (7880)
Paperless <- _.system.Tailscale: {
class: [connect-vpn]
source-arrowhead: HTTP (8000)
}
}

Expand All @@ -292,6 +291,10 @@ maison: {
class: [connect-vpn]
source-arrowhead: HTTP (5678)
}
n8n -> _.life-management.Paperless: {
target-arrowhead: HTTP (8000)
}


# - Budibase
Budibase: {
Expand Down
696 changes: 348 additions & 348 deletions projects/maison/assets/architecture.svg
Loading
Sorry, something went wrong. Reload?
Sorry, we cannot display this file.
Sorry, this file is invalid so it cannot be displayed.
1 change: 1 addition & 0 deletions projects/maison/src/apps/kustomization.yaml
Original file line number Diff line number Diff line change
Expand Up @@ -12,3 +12,4 @@ resources:
- linkding.yaml
- mealie.yaml
- n8n.yaml
- paperless-ngx.yaml
18 changes: 18 additions & 0 deletions projects/maison/src/apps/paperless-ngx.yaml
Original file line number Diff line number Diff line change
@@ -0,0 +1,18 @@
---
apiVersion: kustomize.toolkit.fluxcd.io/v1
kind: Kustomization
metadata:
name: paperless-ngx
spec:
interval: 12h0m0s
timeout: 30s # if the apply of the resources takes more than 5 minutes, it will be considered as failed ...
retryInterval: 30s # ... and will be retried every 30 seconds

sourceRef:
kind: GitRepository
name: flux-system
namespace: flux-system
path: ./projects/maison/src/apps/paperless-ngx

prune: true
wait: true
16 changes: 16 additions & 0 deletions projects/maison/src/apps/paperless-ngx/httproute.yaml
Original file line number Diff line number Diff line change
@@ -0,0 +1,16 @@
---
apiVersion: gateway.networking.k8s.io/v1
kind: HTTPRoute
metadata:
name: paperless-ngx
namespace: paperless-ngx
spec:
parentRefs:
- name: default
namespace: default
hostnames:
- paperless-ngx.chezmoi.sh
rules:
- backendRefs:
- name: paperless-ngx
port: 80
27 changes: 27 additions & 0 deletions projects/maison/src/apps/paperless-ngx/kustomization.yaml
Original file line number Diff line number Diff line change
@@ -0,0 +1,27 @@
---
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization

labels:
- pairs:
app.kubernetes.io/name: paperless-ngx
includeTemplates: true
includeSelectors: true
- pairs:
app.kubernetes.io/managed-by: fluxcd
app.kubernetes.io/part-of: document-management-system
includeTemplates: true

resources:
# Workloads
- workload.database.yaml
- workload.paperless.yaml
- workload.redis.yaml

# Ingresses / Gateways
- httproute.yaml
- vpn.yaml

# Miscellaneous resources
- security-policies.yaml
- namespace.yaml
7 changes: 7 additions & 0 deletions projects/maison/src/apps/paperless-ngx/namespace.yaml
Original file line number Diff line number Diff line change
@@ -0,0 +1,7 @@
---
apiVersion: v1
kind: Namespace
metadata:
labels:
clusterexternalsecret.eso.io/name: cnpg-s3-credentials
name: paperless-ngx
Original file line number Diff line number Diff line change
@@ -0,0 +1,27 @@
---
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
annotations:
network-policy.k8s.io/description: |
This policy allows egress traffic from Paperless to POP/IMAP server
on internet.
**Why?**
- Paperless needs to connect to the POP/IMAP server to fetch emails
and process them (gmail in this case).
name: allow-egress-from-paperless-to-internet
namespace: paperless-ngx
spec:
egress:
- to:
- ipBlock:
cidr: 0.0.0.0/0
ports:
- port: 993 # required for the email
podSelector:
matchLabels:
app.kubernetes.io/instance: paperless-ngx-webserver
app.kubernetes.io/name: paperless-ngx
policyTypes:
- Egress
Original file line number Diff line number Diff line change
@@ -0,0 +1,25 @@
---
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
annotations:
network-policy.k8s.io/description: |
This policy allows egress traffic from Paperless to localnet.
**Why?**
- Paperless needs to connect to SSO server to authenticate users.
name: allow-egress-from-paperless-to-localnet
namespace: paperless-ngx
spec:
egress:
- to:
- ipBlock:
cidr: 10.0.0.0/20 # sso.chezmoi.sh
ports:
- port: 443
podSelector:
matchLabels:
app.kubernetes.io/instance: paperless-ngx-webserver
app.kubernetes.io/name: paperless-ngx
policyTypes:
- Egress
Original file line number Diff line number Diff line change
@@ -0,0 +1,26 @@
---
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
annotations:
network-policy.k8s.io/description: |
This policy allows egress traffic from Paperless to Postgres database.
**Why?**
- Paperless needs to connect to the Postgres database as data backend.
name: allow-egress-from-paperless-to-postgress
namespace: paperless-ngx
spec:
egress:
- to:
- podSelector:
matchLabels:
cnpg.io/cluster: paperless-ngx-database
ports:
- port: 5432
podSelector:
matchLabels:
app.kubernetes.io/instance: paperless-ngx-webserver
app.kubernetes.io/name: paperless-ngx
policyTypes:
- Egress
Original file line number Diff line number Diff line change
@@ -0,0 +1,27 @@
---
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
annotations:
network-policy.k8s.io/description: |
This policy allows egress traffic from Paperless to Redis broker.
**Why?**
- Paperless needs to connect to the Redis database as event broker.
name: allow-egress-from-paperless-to-redis
namespace: paperless-ngx
spec:
egress:
- to:
- podSelector:
matchLabels:
app.kubernetes.io/instance: paperless-ngx-redis
app.kubernetes.io/name: paperless-ngx
ports:
- port: 6379
podSelector:
matchLabels:
app.kubernetes.io/instance: paperless-ngx-webserver
app.kubernetes.io/name: paperless-ngx
policyTypes:
- Egress
Original file line number Diff line number Diff line change
@@ -0,0 +1,31 @@
---
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
annotations:
network-policy.k8s.io/description: |
This policy allows ingress traffic from n8n application to
Paperless.
**Why?**
- n8n host some AI agent that needs to connect to Paperless
to fetch documents and process them.
name: allow-ingress-to-paperless-from-n8n
namespace: paperless-ngx
spec:
ingress:
- from:
- namespaceSelector:
matchLabels:
kubernetes.io/metadata.name: n8n
podSelector:
matchLabels:
app.kubernetes.io/name: n8n
ports:
- port: 8000
podSelector:
matchLabels:
app.kubernetes.io/instance: paperless-ngx-webserver
app.kubernetes.io/name: paperless-ngx
policyTypes:
- Ingress
Original file line number Diff line number Diff line change
@@ -0,0 +1,29 @@
---
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
annotations:
network-policy.k8s.io/description: |
This policy allows ingress traffic from Paperless application to
Tailscale service.
**Why?**
- Tailscale is the ingress controller for the Kubernetes cluster
and needs to route traffic to Paperless application in order to be
accessible from the VPN.
name: allow-ingress-to-paperless-from-tailscale
namespace: paperless-ngx
spec:
ingress:
- from:
- namespaceSelector:
matchLabels:
kubernetes.io/metadata.name: tailscale-system
ports:
- port: 8000
podSelector:
matchLabels:
app.kubernetes.io/instance: paperless-ngx-webserver
app.kubernetes.io/name: paperless-ngx
policyTypes:
- Ingress
Original file line number Diff line number Diff line change
@@ -0,0 +1,28 @@
---
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
annotations:
network-policy.k8s.io/description: |
This policy allows ingress traffic from Paperless application to
Traefik service.
**Why?**
- Traefik is the gateway controller for the Kubernetes cluster
and needs to route traffic to Paperless application.
name: allow-ingress-to-paperless-from-traefik
namespace: paperless-ngx
spec:
ingress:
- from:
- namespaceSelector:
matchLabels:
kubernetes.io/metadata.name: traefik-system
ports:
- port: 8000
podSelector:
matchLabels:
app.kubernetes.io/instance: paperless-ngx-webserver
app.kubernetes.io/name: paperless-ngx
policyTypes:
- Ingress
Loading

0 comments on commit 6786ed0

Please sign in to comment.