diff --git a/docs/assets/icons/apps/docspell.svg b/docs/assets/icons/apps/docspell.svg
deleted file mode 100644
index c4c0e6a8..00000000
--- a/docs/assets/icons/apps/docspell.svg
+++ /dev/null
@@ -1 +0,0 @@
-
\ No newline at end of file
diff --git a/docs/assets/icons/apps/paperless.svg b/docs/assets/icons/apps/paperless.svg
new file mode 100644
index 00000000..2d6dcaa0
--- /dev/null
+++ b/docs/assets/icons/apps/paperless.svg
@@ -0,0 +1 @@
+
\ No newline at end of file
diff --git a/projects/chezmoi.sh/src/kubevault/access_control/kubernetes.maison.chezmoi.sh b/projects/chezmoi.sh/src/kubevault/access_control/kubernetes.maison.chezmoi.sh
index 0bb3bf3d..09ba6526 100644
--- a/projects/chezmoi.sh/src/kubevault/access_control/kubernetes.maison.chezmoi.sh
+++ b/projects/chezmoi.sh/src/kubevault/access_control/kubernetes.maison.chezmoi.sh
@@ -5,4 +5,6 @@ cloud/tailscale/kubernetes.maison.chezmoi.sh
cloud/openai/mealie
security/sso/oidc/clients/linkding
security/sso/oidc/clients/mealie
+security/sso/oidc/clients/paperless-ngx
storage/minio/cnpg.maison.chezmoi.sh
+storage/smb/paperless-ngx
\ No newline at end of file
diff --git a/projects/chezmoi.sh/src/kubevault/kvstore.enc/security/sso/oidc/clients/paperless-ngx b/projects/chezmoi.sh/src/kubevault/kvstore.enc/security/sso/oidc/clients/paperless-ngx
new file mode 100644
index 00000000..4c74c773
--- /dev/null
+++ b/projects/chezmoi.sh/src/kubevault/kvstore.enc/security/sso/oidc/clients/paperless-ngx
@@ -0,0 +1,22 @@
+#ENC[AES256_GCM,data:efrgrEkhxEoncF/hB2+Rjrk/QZk51J3ujkv2cXI7oUH0CmBXGLEUNxyEdzXAkPlpTxuR2CyM,iv:FheiuFL8MOYsJ2g0FSRX40byW3K4RHb3MZLsJYCu1ME=,tag:lpVwfbLefQj63DqAGxB/1w==,type:comment]
+oidc_configuration: ENC[AES256_GCM,data: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,iv:e9zG8yR6QwnmoB3s7KYJqM3oVXqk/f5JybT8+XYM3+Q=,tag:j4Ctb7fi89HscCRGbTAEeA==,type:str]
+sops:
+ kms: []
+ gcp_kms: []
+ azure_kv: []
+ hc_vault: []
+ age:
+ - recipient: age1fj0yj3na3n5udfjmnxfwrlkp80tvj49w80wh699x33dh48clnvnshtjxe9
+ enc: |
+ -----BEGIN AGE ENCRYPTED FILE-----
+ YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBmbUNmM1ptV0c0U0dEUnFi
+ aTFESCtUeGtUK21OYTlOaEpWVy9qMi8zdkhBCmNXWkJqV3d6S0hqY2I0NHRJSWdW
+ SkNONE1UYUNlN0RhUHd2bzF3aXdYL1UKLS0tIFlWRlNUZ29uZlNSUmlzaVZMSlkv
+ N0cyQ01uSEdtbVNTcmtzSlFQOG9ueDQKize085I5vBJjrQJy367GYKG4bWooMQpc
+ z5gfLHPtk/x5GilnvfCxCtYnpuc7LReW20vy0KU7+CEHQYMpXGR1DQ==
+ -----END AGE ENCRYPTED FILE-----
+ lastmodified: "2025-01-11T17:44:07Z"
+ mac: ENC[AES256_GCM,data:ddUT4F4JURyjS1fDTRyf28YFkoSZN69Y4JTpZU8/1SwOjoXDYLeL9nWU0WoZvfd/9OLkFUdbjZ6r6mnDFaHvEHDeldg7Oo/QYEbQObvJ1PhyrBBDY8jWrF0GCUCgoeAIvZZkoHWufj3xFzMuVyLxSPn8cD50ZeoE838xeduDKHg=,iv:11pLgqp+jmieoSkf3OZ/OpAqzT9kiKKDC6IoU6m5B4I=,tag:Sp1KTGsOVxFkuCKgi9QR9w==,type:str]
+ pgp: []
+ unencrypted_suffix: _unencrypted
+ version: 3.9.0
diff --git a/projects/chezmoi.sh/src/kubevault/kvstore.enc/storage/smb/paperless-ngx b/projects/chezmoi.sh/src/kubevault/kvstore.enc/storage/smb/paperless-ngx
new file mode 100644
index 00000000..b8f13ed3
--- /dev/null
+++ b/projects/chezmoi.sh/src/kubevault/kvstore.enc/storage/smb/paperless-ngx
@@ -0,0 +1,22 @@
+username: ENC[AES256_GCM,data:Uv+IbewcvZysl18Cmg==,iv:32fqPguQ4p6N83VHWkRza2+Nb1SNJ/Mj6/8+Qr9KOoo=,tag:hsjye42uN3147kPZBxYOKQ==,type:str]
+password: ENC[AES256_GCM,data:3VUYBCUGfDVCbJUUFBVeri026fnxOPN/U2mw4mbbJfLCVDhjrEdE2Q==,iv:QvZ5c8q+NlCOQjePTp22xJMmRfPuamy+zv4ySKnel48=,tag:Zg+y8kzlRxB/Xw+SYccXiQ==,type:str]
+sops:
+ kms: []
+ gcp_kms: []
+ azure_kv: []
+ hc_vault: []
+ age:
+ - recipient: age1fj0yj3na3n5udfjmnxfwrlkp80tvj49w80wh699x33dh48clnvnshtjxe9
+ enc: |
+ -----BEGIN AGE ENCRYPTED FILE-----
+ YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBXeTR2NFFMMm9KdGw3WHBO
+ cGc3U2dYaUlBS2dyT0xzWVdtQ3lnMTlldWtVCmJTSExQQTd2RWlGeTJrSmdtNXMv
+ QmJTQmdReEtMQUZFWXB2ODBJcTBRTVEKLS0tIHBLZDFacDZKMFVZM0dQbGw4UUhl
+ YVdVeUliSGl1U1g5OFg5Yi9uWHN6eUUK0lv9aLMvWcLWO3uFjLeRHue99VPWhABf
+ S3W/jltGMzYpVRjNp7kAPCXxa1/eY+3Wz8/ImjlIOuwn9Ckqdx4NVA==
+ -----END AGE ENCRYPTED FILE-----
+ lastmodified: "2025-01-12T13:25:22Z"
+ mac: ENC[AES256_GCM,data:PCqwnYvo37rq3pCC2gh4DbiyYaRj9njIgUdkkSxVvTSj1YXLrsO399gT+OczFPfyqYMJLQH12YAEIXkqCksT4L/eE3wge+SGH3y0WsljSZZ3aSF0QE/WN7pSNuLcSBBgD0hEkJ3rFW7wK2P1qYLMyef9alupsPl+YG8YQCdpZ6E=,iv:xlL9dBEyxK3SLRkeBKRhtwz8SkYKtxdXFNyd8/zTgvI=,tag:Ye984L1zvrL49gzDS93rpQ==,type:str]
+ pgp: []
+ unencrypted_suffix: _unencrypted
+ version: 3.9.0
diff --git a/projects/maison/architecture.d2 b/projects/maison/architecture.d2
index b1b2c769..ca1c4b61 100644
--- a/projects/maison/architecture.d2
+++ b/projects/maison/architecture.d2
@@ -258,20 +258,19 @@ maison: {
source-arrowhead: HTTP (9000)
}
- # - Docspell
- Docspell: {
- class: [application; undeployed]
- icon: assets/icons/apps/docspell.svg
- link: https://docspell.org/
- tooltip: Docspell is a personal document management system.
+ # - Paperless
+ Paperless: {
+ class: [application]
+ icon: assets/icons/apps/paperless.svg
+ link: https://paperless-ngx.com/
+ tooltip: Paperless-ngx is a community-supported open-source document management system that transforms your physical documents into a searchable online archive.
}
- Docspell <- _.system.Traefik: {
- class: [undeployed]
- source-arrowhead: HTTP (7880)
+ Paperless <- _.system.Traefik: {
+ source-arrowhead: HTTP (8000)
}
- Docspell <- _.system.Tailscale: {
- class: [connect-vpn; undeployed]
- source-arrowhead: HTTP (7880)
+ Paperless <- _.system.Tailscale: {
+ class: [connect-vpn]
+ source-arrowhead: HTTP (8000)
}
}
@@ -292,6 +291,10 @@ maison: {
class: [connect-vpn]
source-arrowhead: HTTP (5678)
}
+ n8n -> _.life-management.Paperless: {
+ target-arrowhead: HTTP (8000)
+ }
+
# - Budibase
Budibase: {
diff --git a/projects/maison/assets/architecture.svg b/projects/maison/assets/architecture.svg
index b6869571..b97ad13a 100644
--- a/projects/maison/assets/architecture.svg
+++ b/projects/maison/assets/architecture.svg
@@ -1,13 +1,13 @@
-
-INTERNETLOCALNET☸ kubernetes.maison.chezmoi.shsystemmultimedialife-managementautomationothersCert-ManagerCert-Manager is a Kubernetes controller that automates the management and issuance of TLS certificates.ExternalDNSExternalDNS is a Kubernetes controller that configures DNS resources.TailscaleTailScale is a mesh VPN that makes it easy to connect your devices, wherever they are.FluxCDOpen and extensible continuous delivery solution for KubernetesTraefikTraefik is a modern HTTP reverse proxy and load balancer.External-SecretExternal-Secret is a Kubernetes controller that allows you to use external secret management systems.CloudNativePGCloudNativePG is a comprehensive platform designed to seamlessly manage PostgreSQL databases within Kubernetes environments.FileflowsFileFlows is a file processing application that can execute actions against a file in a tree flow structure.JellyfinJellyfin is the volunteer-built media solution that puts you in control of your media.JellyseerrFree and open source software application for managing requests for Jellyfin libraries.Actual-BudgetActual Budget is a personal finance app that helps you track your spending and save money.MealieIntuitive and easy to use recipe management app.DocspellDocspell is a personal document management system.n8nSecure and AI-native workflow automation tool for technical people.BudibaseA modern, open source low-code platform for building modern internal applications in minutes.LinkdingLinkding is a self-hosted bookmarking and link aggregation service. HTTPS (443) HTTPS (443) VPN HTTPS (443) HTTP (80)HTTPS (443) HTTP (19200) HTTP (19200) HTTP (8096) HTTP (8096) HTTP (8096) HTTP (5055) HTTP (5055) HTTP (5006) HTTP (5006) HTTP (9000) HTTP (9000) HTTP (7880) HTTP (7880) HTTP (5678) HTTP (5678) HTTP (8080) HTTP (8080) HTTP (9090) HTTP (9090)Cert-Manager is a Kubernetes controller that automates the management and issuance of TLS certificates.
+INTERNETLOCALNET☸ kubernetes.maison.chezmoi.shsystemmultimedialife-managementautomationothersCert-ManagerCert-Manager is a Kubernetes controller that automates the management and issuance of TLS certificates.ExternalDNSExternalDNS is a Kubernetes controller that configures DNS resources.TailscaleTailScale is a mesh VPN that makes it easy to connect your devices, wherever they are.FluxCDOpen and extensible continuous delivery solution for KubernetesTraefikTraefik is a modern HTTP reverse proxy and load balancer.External-SecretExternal-Secret is a Kubernetes controller that allows you to use external secret management systems.CloudNativePGCloudNativePG is a comprehensive platform designed to seamlessly manage PostgreSQL databases within Kubernetes environments.FileflowsFileFlows is a file processing application that can execute actions against a file in a tree flow structure.JellyfinJellyfin is the volunteer-built media solution that puts you in control of your media.JellyseerrFree and open source software application for managing requests for Jellyfin libraries.Actual-BudgetActual Budget is a personal finance app that helps you track your spending and save money.MealieIntuitive and easy to use recipe management app.PaperlessPaperless-ngx is a community-supported open-source document management system that transforms your physical documents into a searchable online archive.n8nSecure and AI-native workflow automation tool for technical people.BudibaseA modern, open source low-code platform for building modern internal applications in minutes.LinkdingLinkding is a self-hosted bookmarking and link aggregation service. 
HTTPS (443) HTTPS (443) VPN HTTPS (443) HTTP (80)HTTPS (443) HTTP (19200) HTTP (19200) HTTP (8096) HTTP (8096) HTTP (8096) HTTP (5055) HTTP (5055) HTTP (5006) HTTP (5006) HTTP (9000) HTTP (9000) HTTP (8000) HTTP (8000) HTTP (5678) HTTP (5678) HTTP (8000) HTTP (8080) HTTP (8080) HTTP (9090) HTTP (9090)Cert-Manager is a Kubernetes controller that automates the management and issuance of TLS certificates.
@@ -936,7 +936,7 @@ interact with each other.
-
+
@@ -948,7 +948,7 @@ interact with each other.
-ExternalDNS is a Kubernetes controller that configures DNS resources.
+ExternalDNS is a Kubernetes controller that configures DNS resources.
@@ -961,7 +961,7 @@ interact with each other.
-
+
@@ -973,7 +973,7 @@ interact with each other.
-TailScale is a mesh VPN that makes it easy to connect your devices, wherever they are.
+TailScale is a mesh VPN that makes it easy to connect your devices, wherever they are.
@@ -986,7 +986,7 @@ interact with each other.
-
+
@@ -998,7 +998,7 @@ interact with each other.
-Open and extensible continuous delivery solution for Kubernetes
+Open and extensible continuous delivery solution for Kubernetes
@@ -1011,7 +1011,7 @@ interact with each other.
-
+
@@ -1023,7 +1023,7 @@ interact with each other.
-Traefik is a modern HTTP reverse proxy and load balancer.
+Traefik is a modern HTTP reverse proxy and load balancer.
@@ -1036,7 +1036,7 @@ interact with each other.
-
+
@@ -1048,7 +1048,7 @@ interact with each other.
-External-Secret is a Kubernetes controller that allows you to use external secret management systems.
+External-Secret is a Kubernetes controller that allows you to use external secret management systems.
@@ -1061,7 +1061,7 @@ interact with each other.
-
+
@@ -1073,7 +1073,7 @@ interact with each other.
-CloudNativePG is a comprehensive platform designed to seamlessly manage PostgreSQL databases within Kubernetes environments.
+CloudNativePG is a comprehensive platform designed to seamlessly manage PostgreSQL databases within Kubernetes environments.
@@ -1086,7 +1086,7 @@ interact with each other.
-
+
@@ -1098,7 +1098,7 @@ interact with each other.
-FileFlows is a file processing application that can execute actions against a file in a tree flow structure.
+FileFlows is a file processing application that can execute actions against a file in a tree flow structure.
@@ -1111,7 +1111,7 @@ interact with each other.
-
+
@@ -1123,7 +1123,7 @@ interact with each other.
-Jellyfin is the volunteer-built media solution that puts you in control of your media.
+Jellyfin is the volunteer-built media solution that puts you in control of your media.
@@ -1136,7 +1136,7 @@ interact with each other.
-
+
@@ -1148,7 +1148,7 @@ interact with each other.
-Free and open source software application for managing requests for Jellyfin libraries.
+Free and open source software application for managing requests for Jellyfin libraries.
@@ -1161,7 +1161,7 @@ interact with each other.
-
+
@@ -1173,7 +1173,7 @@ interact with each other.
-Actual Budget is a personal finance app that helps you track your spending and save money.
+Actual Budget is a personal finance app that helps you track your spending and save money.
@@ -1186,7 +1186,7 @@ interact with each other.
-
+
@@ -1198,7 +1198,7 @@ interact with each other.
-Intuitive and easy to use recipe management app.
+Intuitive and easy to use recipe management app.
@@ -1211,7 +1211,7 @@ interact with each other.
-
+
@@ -1223,7 +1223,7 @@ interact with each other.
-Docspell is a personal document management system.
+Paperless-ngx is a community-supported open-source document management system that transforms your physical documents into a searchable online archive.
@@ -1236,7 +1236,7 @@ interact with each other.
-
+
@@ -1248,7 +1248,7 @@ interact with each other.
-Secure and AI-native workflow automation tool for technical people.
+Secure and AI-native workflow automation tool for technical people.
@@ -1261,7 +1261,7 @@ interact with each other.
-
+
@@ -1273,7 +1273,7 @@ interact with each other.
-A modern, open source low-code platform for building modern internal applications in minutes.
+A modern, open source low-code platform for building modern internal applications in minutes.
@@ -1286,7 +1286,7 @@ interact with each other.
-
+
@@ -1298,7 +1298,7 @@ interact with each other.
-Linkding is a self-hosted bookmarking and link aggregation service.
+Linkding is a self-hosted bookmarking and link aggregation service.
@@ -1311,7 +1311,7 @@ interact with each other.
-
+
@@ -1323,35 +1323,35 @@ interact with each other.
-
-
+
+
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
diff --git a/projects/maison/src/apps/kustomization.yaml b/projects/maison/src/apps/kustomization.yaml
index 20f9849a..0efc8c3a 100644
--- a/projects/maison/src/apps/kustomization.yaml
+++ b/projects/maison/src/apps/kustomization.yaml
@@ -12,3 +12,4 @@ resources:
- linkding.yaml
- mealie.yaml
- n8n.yaml
+ - paperless-ngx.yaml
diff --git a/projects/maison/src/apps/paperless-ngx.yaml b/projects/maison/src/apps/paperless-ngx.yaml
new file mode 100644
index 00000000..7079da0f
--- /dev/null
+++ b/projects/maison/src/apps/paperless-ngx.yaml
@@ -0,0 +1,18 @@
+---
+apiVersion: kustomize.toolkit.fluxcd.io/v1
+kind: Kustomization
+metadata:
+ name: paperless-ngx
+spec:
+ interval: 12h0m0s
+ timeout: 30s # if the apply of the resources takes more than 5 minutes, it will be considered as failed ...
+ retryInterval: 30s # ... and will be retried every 30 seconds
+
+ sourceRef:
+ kind: GitRepository
+ name: flux-system
+ namespace: flux-system
+ path: ./projects/maison/src/apps/paperless-ngx
+
+ prune: true
+ wait: true
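Review bot: The inline comment on `timeout: 30s` (line 8 of paperless-ngx.yaml) says the apply is considered failed after 5 minutes, but the configured value is 30 seconds, so the comment and the setting contradict each other; security-policies.yaml in this commit carries the same comment on the same value. Either the comment should track the value, `timeout: 30s # if the apply of the resources takes more than 30 seconds, it will be considered as failed ...`, or the timeout should be raised. With `wait: true` a 30s window is also short for a StatefulSet plus a CNPG cluster bootstrapped from a backup to become ready, so the Kustomization will likely cycle through several failed/retried reconciliations before reporting Ready; confirm which value is intended.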
diff --git a/projects/maison/src/apps/paperless-ngx/httproute.yaml b/projects/maison/src/apps/paperless-ngx/httproute.yaml
new file mode 100644
index 00000000..14435ab5
--- /dev/null
+++ b/projects/maison/src/apps/paperless-ngx/httproute.yaml
@@ -0,0 +1,16 @@
+---
+apiVersion: gateway.networking.k8s.io/v1
+kind: HTTPRoute
+metadata:
+ name: paperless-ngx
+ namespace: paperless-ngx
+spec:
+ parentRefs:
+ - name: default
+ namespace: default
+ hostnames:
+ - paperless-ngx.chezmoi.sh
+ rules:
+ - backendRefs:
+ - name: paperless-ngx
+ port: 80
diff --git a/projects/maison/src/apps/paperless-ngx/kustomization.yaml b/projects/maison/src/apps/paperless-ngx/kustomization.yaml
new file mode 100644
index 00000000..6f382c4e
--- /dev/null
+++ b/projects/maison/src/apps/paperless-ngx/kustomization.yaml
@@ -0,0 +1,27 @@
+---
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+
+labels:
+ - pairs:
+ app.kubernetes.io/name: paperless-ngx
+ includeTemplates: true
+ includeSelectors: true
+ - pairs:
+ app.kubernetes.io/managed-by: fluxcd
+ app.kubernetes.io/part-of: document-management-system
+ includeTemplates: true
+
+resources:
+ # Workloads
+ - workload.database.yaml
+ - workload.paperless.yaml
+ - workload.redis.yaml
+
+ # Ingresses / Gateways
+ - httproute.yaml
+ - vpn.yaml
+
+ # Miscellaneous resources
+ - security-policies.yaml
+ - namespace.yaml
diff --git a/projects/maison/src/apps/paperless-ngx/namespace.yaml b/projects/maison/src/apps/paperless-ngx/namespace.yaml
new file mode 100644
index 00000000..7214ede6
--- /dev/null
+++ b/projects/maison/src/apps/paperless-ngx/namespace.yaml
@@ -0,0 +1,7 @@
+---
+apiVersion: v1
+kind: Namespace
+metadata:
+ labels:
+ clusterexternalsecret.eso.io/name: cnpg-s3-credentials
+ name: paperless-ngx
diff --git a/projects/maison/src/apps/paperless-ngx/policies/allow-egress-from-paperless-to-internet.yaml b/projects/maison/src/apps/paperless-ngx/policies/allow-egress-from-paperless-to-internet.yaml
new file mode 100644
index 00000000..1654768b
--- /dev/null
+++ b/projects/maison/src/apps/paperless-ngx/policies/allow-egress-from-paperless-to-internet.yaml
@@ -0,0 +1,27 @@
+---
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+ annotations:
+ network-policy.k8s.io/description: |
+ This policy allows egress traffic from Paperless to POP/IMAP server
+ on internet.
+
+ **Why?**
+ - Paperless needs to connect to the POP/IMAP server to fetch emails
+ and process them (gmail in this case).
+ name: allow-egress-from-paperless-to-internet
+ namespace: paperless-ngx
+spec:
+ egress:
+ - to:
+ - ipBlock:
+ cidr: 0.0.0.0/0
+ ports:
+ - port: 993 # required for the email
+ podSelector:
+ matchLabels:
+ app.kubernetes.io/instance: paperless-ngx-webserver
+ app.kubernetes.io/name: paperless-ngx
+ policyTypes:
+ - Egress
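Review bot: The `ipBlock` with `cidr: 0.0.0.0/0` in allow-egress-from-paperless-to-internet.yaml matches every destination on port 993, including the cluster's own pod and service ranges and the 10.0.0.0/20 localnet that this project handles in a separate policy, so the rule is wider than its name and description ("to POP/IMAP server on internet") state. Adding an `except:` list for the private ranges keeps the rule internet-only, e.g. `except: ["10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16"]` under the `cidr` key. The port comment `# required for the email` would also be more precise as `# IMAPS (mail fetching)`, and if plain POP3/IMAP ports are deliberately not opened the description's "POP/IMAP" could be narrowed to match.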
diff --git a/projects/maison/src/apps/paperless-ngx/policies/allow-egress-from-paperless-to-localnet.yaml b/projects/maison/src/apps/paperless-ngx/policies/allow-egress-from-paperless-to-localnet.yaml
new file mode 100644
index 00000000..3286e732
--- /dev/null
+++ b/projects/maison/src/apps/paperless-ngx/policies/allow-egress-from-paperless-to-localnet.yaml
@@ -0,0 +1,25 @@
+---
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+ annotations:
+ network-policy.k8s.io/description: |
+ This policy allows egress traffic from Paperless to localnet.
+
+ **Why?**
+ - Paperless needs to connect to SSO server to authenticate users.
+ name: allow-egress-from-paperless-to-localnet
+ namespace: paperless-ngx
+spec:
+ egress:
+ - to:
+ - ipBlock:
+ cidr: 10.0.0.0/20 # sso.chezmoi.sh
+ ports:
+ - port: 443
+ podSelector:
+ matchLabels:
+ app.kubernetes.io/instance: paperless-ngx-webserver
+ app.kubernetes.io/name: paperless-ngx
+ policyTypes:
+ - Egress
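Review bot: The rule `cidr: 10.0.0.0/20 # sso.chezmoi.sh` in allow-egress-from-paperless-to-localnet.yaml opens port 443 to the whole /20 while the comment names a single host; cnpg.default.yaml rule #3 (`cidr: 10.0.0.0/20 # s3.chezmoi.sh`, port 9000) has the same shape. If those endpoints have stable addresses, a host-sized block (`/32`) would match the stated intent and shrink the egress surface. If the wide range is deliberate because the address is not stable, the comment should say so, e.g. `cidr: 10.0.0.0/20 # localnet (sso.chezmoi.sh lives here; address not pinned)`.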
diff --git a/projects/maison/src/apps/paperless-ngx/policies/allow-egress-from-paperless-to-postgress.yaml b/projects/maison/src/apps/paperless-ngx/policies/allow-egress-from-paperless-to-postgress.yaml
new file mode 100644
index 00000000..fec45477
--- /dev/null
+++ b/projects/maison/src/apps/paperless-ngx/policies/allow-egress-from-paperless-to-postgress.yaml
@@ -0,0 +1,26 @@
+---
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+ annotations:
+ network-policy.k8s.io/description: |
+ This policy allows egress traffic from Paperless to Postgres database.
+
+ **Why?**
+ - Paperless needs to connect to the Postgres database as data backend.
+ name: allow-egress-from-paperless-to-postgress
+ namespace: paperless-ngx
+spec:
+ egress:
+ - to:
+ - podSelector:
+ matchLabels:
+ cnpg.io/cluster: paperless-ngx-database
+ ports:
+ - port: 5432
+ podSelector:
+ matchLabels:
+ app.kubernetes.io/instance: paperless-ngx-webserver
+ app.kubernetes.io/name: paperless-ngx
+ policyTypes:
+ - Egress
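Review bot: `postgress` in `name: allow-egress-from-paperless-to-postgress` and in the file name is a misspelling of `postgres`; the description and the sibling policies spell it `Postgres`. Renaming to `allow-egress-from-paperless-to-postgres` now keeps the naming consistent, and is cheaper before the object exists since a later rename of a NetworkPolicy means a delete/create under Flux `prune: true`.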
diff --git a/projects/maison/src/apps/paperless-ngx/policies/allow-egress-from-paperless-to-redis.yaml b/projects/maison/src/apps/paperless-ngx/policies/allow-egress-from-paperless-to-redis.yaml
new file mode 100644
index 00000000..a9867159
--- /dev/null
+++ b/projects/maison/src/apps/paperless-ngx/policies/allow-egress-from-paperless-to-redis.yaml
@@ -0,0 +1,27 @@
+---
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+ annotations:
+ network-policy.k8s.io/description: |
+ This policy allows egress traffic from Paperless to Redis broker.
+
+ **Why?**
+ - Paperless needs to connect to the Redis database as event broker.
+ name: allow-egress-from-paperless-to-redis
+ namespace: paperless-ngx
+spec:
+ egress:
+ - to:
+ - podSelector:
+ matchLabels:
+ app.kubernetes.io/instance: paperless-ngx-redis
+ app.kubernetes.io/name: paperless-ngx
+ ports:
+ - port: 6379
+ podSelector:
+ matchLabels:
+ app.kubernetes.io/instance: paperless-ngx-webserver
+ app.kubernetes.io/name: paperless-ngx
+ policyTypes:
+ - Egress
diff --git a/projects/maison/src/apps/paperless-ngx/policies/allow-ingress-to-paperless-from-n8n.yaml b/projects/maison/src/apps/paperless-ngx/policies/allow-ingress-to-paperless-from-n8n.yaml
new file mode 100644
index 00000000..98785c9f
--- /dev/null
+++ b/projects/maison/src/apps/paperless-ngx/policies/allow-ingress-to-paperless-from-n8n.yaml
@@ -0,0 +1,31 @@
+---
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+ annotations:
+ network-policy.k8s.io/description: |
+ This policy allows ingress traffic from n8n application to
+ Paperless.
+
+ **Why?**
+ - n8n host some AI agent that needs to connect to Paperless
+ to fetch documents and process them.
+ name: allow-ingress-to-paperless-from-n8n
+ namespace: paperless-ngx
+spec:
+ ingress:
+ - from:
+ - namespaceSelector:
+ matchLabels:
+ kubernetes.io/metadata.name: n8n
+ podSelector:
+ matchLabels:
+ app.kubernetes.io/name: n8n
+ ports:
+ - port: 8000
+ podSelector:
+ matchLabels:
+ app.kubernetes.io/instance: paperless-ngx-webserver
+ app.kubernetes.io/name: paperless-ngx
+ policyTypes:
+ - Ingress
diff --git a/projects/maison/src/apps/paperless-ngx/policies/allow-ingress-to-paperless-from-tailscale.yaml b/projects/maison/src/apps/paperless-ngx/policies/allow-ingress-to-paperless-from-tailscale.yaml
new file mode 100644
index 00000000..e7f386cc
--- /dev/null
+++ b/projects/maison/src/apps/paperless-ngx/policies/allow-ingress-to-paperless-from-tailscale.yaml
@@ -0,0 +1,29 @@
+---
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+ annotations:
+ network-policy.k8s.io/description: |
+ This policy allows ingress traffic from Paperless application to
+ Tailscale service.
+
+ **Why?**
+ - Tailscale is the ingress controller for the Kubernetes cluster
+ and needs to route traffic to Paperless application in order to be
+ accessible from the VPN.
+ name: allow-ingress-to-paperless-from-tailscale
+ namespace: paperless-ngx
+spec:
+ ingress:
+ - from:
+ - namespaceSelector:
+ matchLabels:
+ kubernetes.io/metadata.name: tailscale-system
+ ports:
+ - port: 8000
+ podSelector:
+ matchLabels:
+ app.kubernetes.io/instance: paperless-ngx-webserver
+ app.kubernetes.io/name: paperless-ngx
+ policyTypes:
+ - Ingress
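Review bot: The description annotation in allow-ingress-to-paperless-from-tailscale.yaml states the direction backwards: it says "ingress traffic from Paperless application to Tailscale service", but the spec (`policyTypes: [Ingress]`, `from:` the `tailscale-system` namespace) admits traffic from Tailscale to Paperless on port 8000. The same inverted wording is in allow-ingress-to-paperless-from-traefik.yaml. Suggest `This policy allows ingress traffic from the Tailscale service to the Paperless application.` (and the Traefik equivalent) so the annotation matches what the spec enforces.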
diff --git a/projects/maison/src/apps/paperless-ngx/policies/allow-ingress-to-paperless-from-traefik.yaml b/projects/maison/src/apps/paperless-ngx/policies/allow-ingress-to-paperless-from-traefik.yaml
new file mode 100644
index 00000000..88e2a07d
--- /dev/null
+++ b/projects/maison/src/apps/paperless-ngx/policies/allow-ingress-to-paperless-from-traefik.yaml
@@ -0,0 +1,28 @@
+---
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+ annotations:
+ network-policy.k8s.io/description: |
+ This policy allows ingress traffic from Paperless application to
+ Traefik service.
+
+ **Why?**
+ - Traefik is the gateway controller for the Kubernetes cluster
+ and needs to route traffic to Paperless application.
+ name: allow-ingress-to-paperless-from-traefik
+ namespace: paperless-ngx
+spec:
+ ingress:
+ - from:
+ - namespaceSelector:
+ matchLabels:
+ kubernetes.io/metadata.name: traefik-system
+ ports:
+ - port: 8000
+ podSelector:
+ matchLabels:
+ app.kubernetes.io/instance: paperless-ngx-webserver
+ app.kubernetes.io/name: paperless-ngx
+ policyTypes:
+ - Ingress
diff --git a/projects/maison/src/apps/paperless-ngx/policies/allow-ingress-to-redis-from-paperless.yaml b/projects/maison/src/apps/paperless-ngx/policies/allow-ingress-to-redis-from-paperless.yaml
new file mode 100644
index 00000000..8eac5430
--- /dev/null
+++ b/projects/maison/src/apps/paperless-ngx/policies/allow-ingress-to-redis-from-paperless.yaml
@@ -0,0 +1,27 @@
+---
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+ annotations:
+ network-policy.k8s.io/description: |
+ This policy allows ingress traffic from Paperless to Redis broker.
+
+ **Why?**
+ - Paperless needs to connect to the Redis database as event broker.
+ name: allow-ingress-to-redis-from-paperless
+ namespace: paperless-ngx
+spec:
+ ingress:
+ - from:
+ - podSelector:
+ matchLabels:
+ app.kubernetes.io/instance: paperless-ngx-webserver
+ app.kubernetes.io/name: paperless-ngx
+ ports:
+ - port: 6379
+ podSelector:
+ matchLabels:
+ app.kubernetes.io/instance: paperless-ngx-redis
+ app.kubernetes.io/name: paperless-ngx
+ policyTypes:
+ - Ingress
diff --git a/projects/maison/src/apps/paperless-ngx/policies/allow-to-kubernetes-dns.yaml b/projects/maison/src/apps/paperless-ngx/policies/allow-to-kubernetes-dns.yaml
new file mode 100644
index 00000000..3ef75d5c
--- /dev/null
+++ b/projects/maison/src/apps/paperless-ngx/policies/allow-to-kubernetes-dns.yaml
@@ -0,0 +1,32 @@
+---
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+ annotations:
+ network-policy.k8s.io/description: |
+ This policy allows egress traffic from pods with the label
+ `network-policy.k8s.io/allow-to-kubernetes-dns` to the Kubernetes DNS
+ service.
+
+ **Why?**
+ - Required for DNS resolution in the Kubernetes cluster.
+ name: allow-to-kubernetes-dns
+ namespace: paperless-ngx
+spec:
+ egress:
+ - to:
+ - namespaceSelector:
+ matchLabels:
+ kubernetes.io/metadata.name: kube-system
+ podSelector:
+ matchLabels:
+ k8s-app: kube-dns
+ ports:
+ - port: 53
+ protocol: UDP
+ podSelector:
+ matchExpressions:
+ - key: network-policy.k8s.io/allow-to-kubernetes-dns
+ operator: Exists
+ policyTypes:
+ - Egress
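Review bot: The kube-dns egress rule in allow-to-kubernetes-dns.yaml allows only `protocol: UDP` on port 53, so any lookup that falls back to TCP (truncated responses, larger records) is dropped by deny-by-default and shows up as intermittent resolution failures. cnpg.default.yaml rule #2 has the same gap. Adding a second entry under `ports:`, `- port: 53` / `protocol: TCP`, in both policies covers both transports.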
diff --git a/projects/maison/src/apps/paperless-ngx/policies/cnpg.default.yaml b/projects/maison/src/apps/paperless-ngx/policies/cnpg.default.yaml
new file mode 100644
index 00000000..042f9ef6
--- /dev/null
+++ b/projects/maison/src/apps/paperless-ngx/policies/cnpg.default.yaml
@@ -0,0 +1,70 @@
+---
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+ annotations:
+ network-policy.k8s.io/description: |
+ This policy allows required ingress and egress traffic for the
+ PostgreSQL database (managed by the CloudNative PostgreSQL operator)
+ to function correctly.
+
+ **Why?**
+ - The PostgreSQL database requires access to the Kubernetes API server
+ for fetching secrets and resources.
+ - The database also needs to communicate with the kube-dns service for
+ DNS resolution.
+ - The database needs to connect to the MinIO object store for backups.
+ - The operator requires access to the database to manage it.
+
+ **Note:**
+ - The policy allows any pod in the namespace to connect to the database.
+ name: postgres-default-policy
+ namespace: paperless-ngx
+spec:
+ egress:
+ # Rule #1: allow traffic to the Kubernetes API server
+ - to:
+ - ipBlock:
+ cidr: 10.43.0.1/32 # kubernetes.default.svc
+ ports:
+ - port: 443
+
+ # Rule #2: allow traffic to the kube-dns service (required for the DNS resolution)
+ - to:
+ - namespaceSelector:
+ matchLabels:
+ kubernetes.io/metadata.name: kube-system
+ podSelector:
+ matchLabels:
+ k8s-app: kube-dns
+ ports:
+ - port: 53
+ protocol: UDP
+
+ # Rule #3: allow traffic to the MinIO object store
+ - to:
+ - ipBlock:
+ cidr: 10.0.0.0/20 # s3.chezmoi.sh
+ ports:
+ - port: 9000
+ ingress:
+ # Rule #1: allow traffic from the operator
+ - from:
+ - namespaceSelector:
+ matchLabels:
+ kubernetes.io/metadata.name: cnpg-system
+ ports:
+ - port: 8000
+
+ # Rule #2: allow traffic from the namespace
+ - from:
+ - podSelector: {}
+ ports:
+ - port: 5432
+ podSelector:
+ matchExpressions:
+ - key: cnpg.io/cluster
+ operator: Exists
+ policyTypes:
+ - Egress
+ - Ingress
diff --git a/projects/maison/src/apps/paperless-ngx/policies/deny-by-default.yaml b/projects/maison/src/apps/paperless-ngx/policies/deny-by-default.yaml
new file mode 100644
index 00000000..152b01c2
--- /dev/null
+++ b/projects/maison/src/apps/paperless-ngx/policies/deny-by-default.yaml
@@ -0,0 +1,17 @@
+---
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+ annotations:
+ network-policy.k8s.io/description: |
+ This policy denies all traffic to and from any pods by default.
+
+ **Why?**
+ - This policy is the default policy for all pods for security reasons.
+ name: deny-by-default
+ namespace: paperless-ngx
+spec:
+ podSelector: {}
+ policyTypes:
+ - Ingress
+ - Egress
diff --git a/projects/maison/src/apps/paperless-ngx/security-policies.yaml b/projects/maison/src/apps/paperless-ngx/security-policies.yaml
new file mode 100644
index 00000000..643360c8
--- /dev/null
+++ b/projects/maison/src/apps/paperless-ngx/security-policies.yaml
@@ -0,0 +1,28 @@
+---
+# NOTE: because of the way the kustomize `labels` work, we need to include
+# all network policies in another kustomization file in order to
+# not apply labels selectors to them.
+apiVersion: kustomize.toolkit.fluxcd.io/v1
+kind: Kustomization
+metadata:
+ name: security-policies
+ namespace: paperless-ngx
+spec:
+ interval: 2h0m0s
+ timeout: 30s # if the apply of the resources takes more than 5 minutes, it will be considered as failed ...
+ retryInterval: 30s # ... and will be retried every 30 seconds
+
+ sourceRef:
+ kind: GitRepository
+ name: flux-system
+ namespace: flux-system
+ path: ./projects/maison/src/apps/paperless-ngx/policies
+
+ commonMetadata:
+ labels:
+ app.kubernetes.io/managed-by: fluxcd
+ app.kubernetes.io/name: paperless-ngx
+ app.kubernetes.io/part-of: document-management-system
+
+ prune: true
+ wait: true
diff --git a/projects/maison/src/apps/paperless-ngx/vpn.yaml b/projects/maison/src/apps/paperless-ngx/vpn.yaml
new file mode 100644
index 00000000..7e543bd0
--- /dev/null
+++ b/projects/maison/src/apps/paperless-ngx/vpn.yaml
@@ -0,0 +1,16 @@
+---
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+ name: paperless-ngx
+ namespace: paperless-ngx
+spec:
+ defaultBackend:
+ service:
+ name: paperless-ngx
+ port:
+ number: 80
+ ingressClassName: tailscale
+ tls:
+ - hosts:
+ - paperless-ngx
diff --git a/projects/maison/src/apps/paperless-ngx/workload.database.yaml b/projects/maison/src/apps/paperless-ngx/workload.database.yaml
new file mode 100644
index 00000000..0367f87d
--- /dev/null
+++ b/projects/maison/src/apps/paperless-ngx/workload.database.yaml
@@ -0,0 +1,55 @@
+---
+apiVersion: postgresql.cnpg.io/v1
+kind: Cluster
+metadata:
+ labels:
+ app.kubernetes.io/component: database
+ app.kubernetes.io/instance: paperless-ngx-database
+ name: paperless-ngx-database
+ namespace: paperless-ngx
+spec:
+ backup:
+ barmanObjectStore: &barmanObjectStore
+ data:
+ compression: bzip2
+ destinationPath: s3://cnpg-backups/maison.chezmoi.sh/paperless-ngx
+ endpointURL: https://s3.chezmoi.sh:9000
+ serverName: 01JHBM7C42DXESVSHDSSHNC6KQ # DRP::dst_ulid
+ s3Credentials:
+ accessKeyId:
+ name: cnpg-s3-credentials
+ key: access_key_id
+ secretAccessKey:
+ name: cnpg-s3-credentials
+ key: access_secret_key
+ wal:
+ compression: bzip2
+ retentionPolicy: 30d
+ bootstrap:
+ # initdb:
+ # database: app
+ # owner: app
+ recovery:
+ source: recoveryBackup
+ description: PostgreSQL database dedicated to Paperless-NGX
+ externalClusters:
+ - name: recoveryBackup
+ barmanObjectStore:
+ <<: *barmanObjectStore
+ serverName: 01JHBM73EKV1N00JNDH7Q5CGJZ # DRP::src_ulid
+ instances: 1
+ storage:
+ size: 5Gi
+---
+apiVersion: postgresql.cnpg.io/v1
+kind: ScheduledBackup
+metadata:
+ labels:
+ app.kubernetes.io/component: database-backup
+ name: paperless-ngx-database
+ namespace: paperless-ngx
+spec:
+ schedule: "@daily"
+ backupOwnerReference: cluster
+ cluster:
+ name: paperless-ngx-database
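Review bot: The `bootstrap.recovery` block in workload.database.yaml, next to the commented-out `initdb`, reads as a one-time restore from another cluster's backup (the `DRP::src_ulid` / `DRP::dst_ulid` comments hint at a migration), but nothing records that intent or when the `recoveryBackup` external cluster can be dropped; a comment such as `# one-shot restore from the previous cluster's backup (DRP); the external cluster can be removed once the restore is validated` would make it explicit for the next reader. Separately, the `&barmanObjectStore` anchor with the `<<: *barmanObjectStore` merge key relies on YAML 1.1 merge semantics that not every kustomize/kyaml version expands; it is worth confirming the Flux kustomize-controller in use renders it, since a silent no-op would leave `externalClusters[0].barmanObjectStore` with only `serverName` and the recovery source unreachable.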
diff --git a/projects/maison/src/apps/paperless-ngx/workload.paperless.yaml b/projects/maison/src/apps/paperless-ngx/workload.paperless.yaml
new file mode 100644
index 00000000..dafc3fab
--- /dev/null
+++ b/projects/maison/src/apps/paperless-ngx/workload.paperless.yaml
@@ -0,0 +1,291 @@
+---
+apiVersion: apps/v1
+kind: StatefulSet
+metadata:
+ labels:
+ app.kubernetes.io/component: webserver
+ app.kubernetes.io/instance: paperless-ngx-webserver
+ name: paperless-ngx
+ namespace: paperless-ngx
+spec:
+ replicas: 1
+ selector:
+ matchLabels:
+ app.kubernetes.io/instance: paperless-ngx-webserver
+ serviceName: paperless-ngx
+ template:
+ metadata:
+ labels:
+ app.kubernetes.io/component: webserver
+ app.kubernetes.io/instance: paperless-ngx-webserver
+ network-policy.k8s.io/allow-to-kubernetes-dns: "true"
+ spec:
+ automountServiceAccountToken: false
+ containers:
+ # trunk-ignore(trivy/KSV014): some path must be writable by the user ... so this is a TODO to find all writable path
+ # trunk-ignore(trivy/KSV020,trivy/KSV021): unfortunately, the official image is difficult to run with a custom user ID
+ # trunk-ignore(trivy/KSV022): add CHOWN capability is required by the official image
+ - name: paperless-ngx
+ env:
+ - name: PAPERLESS_APPS
+ value: allauth.socialaccount.providers.openid_connect
+ - name: PAPERLESS_CONSUMER_POLLING
+ value: "60"
+ - name: PAPERLESS_CORS_ALLOWED_HOSTS
+ value: https://paperless-ngx.chezmoi.sh,https://paperless-ngx.tail25fed.ts.net,https://paperless-ngx
+ - name: PAPERLESS_CSRF_TRUSTED_ORIGINS
+ value: https://paperless-ngx.chezmoi.sh,https://paperless-ngx.tail25fed.ts.net,https://paperless-ngx
+ - name: PAPERLESS_DBENGINE
+ value: postgresql
+ - name: PAPERLESS_DBHOST
+ valueFrom:
+ secretKeyRef:
+ name: paperless-ngx-database-app
+ key: host
+ - name: PAPERLESS_DBNAME
+ valueFrom:
+ secretKeyRef:
+ name: paperless-ngx-database-app
+ key: dbname
+ - name: PAPERLESS_DBPASS
+ valueFrom:
+ secretKeyRef:
+ name: paperless-ngx-database-app
+ key: password
+ - name: PAPERLESS_DBPORT
+ valueFrom:
+ secretKeyRef:
+ name: paperless-ngx-database-app
+ key: port
+ - name: PAPERLESS_DBUSER
+ valueFrom:
+ secretKeyRef:
+ name: paperless-ngx-database-app
+ key: user
+ - name: PAPERLESS_REDIS
+ value: redis://paperless-ngx-redis:6379
+ - name: PAPERLESS_SOCIALACCOUNT_PROVIDERS
+ valueFrom:
+ secretKeyRef:
+ name: paperless-ngx-oidc-credentials
+ key: socialaccount_providers
+ image: ghcr.io/paperless-ngx/paperless-ngx:2.13.5@sha256:199c67ed55bfb9d58bf90db2ee280880ae9ebc63413e54c73522f9c4ebdc7bad
+ imagePullPolicy: Always
+ livenessProbe:
+ httpGet:
+ path: /
+ port: http
+ failureThreshold: 3
+ periodSeconds: 10
+ successThreshold: 1
+ timeoutSeconds: 5
+ ports:
+ - name: http
+ containerPort: 8000
+ protocol: TCP
+ readinessProbe:
+ httpGet:
+ path: /
+ port: http
+ failureThreshold: 3
+ periodSeconds: 10
+ successThreshold: 1
+ timeoutSeconds: 5
+ resources:
+ requests:
+ memory: 4Gi
+ cpu: 250m
+ limits:
+ memory: 4Gi
+ securityContext:
+ allowPrivilegeEscalation: false
+ capabilities:
+ # trunk-ignore(trivy/KSV106): add CHOWN capability is required by the official image
+ add:
+ - CHOWN # required by the official image
+ drop:
+ - ALL
+ readOnlyRootFilesystem: false # required by the official image because of the logs ...
+ runAsGroup: 1000
+ runAsNonRoot: true
+ runAsUser: 1000
+ startupProbe:
+ httpGet:
+ path: /
+ port: http
+ failureThreshold: 30
+ initialDelaySeconds: 0
+ periodSeconds: 2
+ successThreshold: 1
+ timeoutSeconds: 5
+ volumeMounts:
+ - name: media
+ mountPath: /usr/src/paperless/media
+ - name: data
+ mountPath: /usr/src/paperless/data
+ - name: public
+ mountPath: /usr/src/paperless/media/documents/archive/nas.chezmoi.sh/Public
+ subPath: Documents
+ securityContext:
+ fsGroup: 1000
+ runAsGroup: 1000
+ runAsUser: 1000
+ seccompProfile:
+ type: RuntimeDefault
+ volumes:
+ - name: media
+ persistentVolumeClaim:
+ claimName: media
+ - name: data
+ persistentVolumeClaim:
+ claimName: media
+ - name: public
+ persistentVolumeClaim:
+ claimName: paperless-ngx-smb-archive
+ volumeClaimTemplates:
+ - metadata:
+ name: media
+ labels:
+ app.kubernetes.io/component: webserver
+ app.kubernetes.io/instance: paperless-ngx-webserver
+ spec:
+ accessModes:
+ - ReadWriteOnce
+ resources:
+ requests:
+ storage: 5Gi
+ - metadata:
+ name: data
+ labels:
+ app.kubernetes.io/component: webserver
+ app.kubernetes.io/instance: paperless-ngx-webserver
+ spec:
+ accessModes:
+ - ReadWriteOnce
+ resources:
+ requests:
+ storage: 5Gi
+---
+apiVersion: v1
+kind: Service
+metadata:
+ labels:
+ app.kubernetes.io/component: webserver
+ app.kubernetes.io/instance: paperless-ngx-webserver
+ name: paperless-ngx
+ namespace: paperless-ngx
+spec:
+ ports:
+ - name: http
+ port: 80
+ protocol: TCP
+ targetPort: 8000
+ selector:
+ app.kubernetes.io/instance: paperless-ngx-webserver
+ type: ClusterIP
+---
+apiVersion: external-secrets.io/v1beta1
+kind: ExternalSecret
+metadata:
+ name: paperless-ngx-oidc-credentials
+ namespace: paperless-ngx
+spec:
+ data:
+ - remoteRef:
+ key: security-sso-oidc-clients-paperless-ngx
+ property: oidc_configuration
+ secretKey: oidc_configuration
+ secretStoreRef:
+ kind: ClusterSecretStore
+ name: kubernetes.maison.chezmoi.sh
+ target:
+ name: paperless-ngx-oidc-credentials
+ template:
+ type: Opaque
+ engineVersion: v2
+ data:
+ socialaccount_providers: |
+ {
+ "openid_connect": {
+ "APPS": [
+ {
+ "provider_id": "sso",
+ "name": "Authelia",
+ "client_id": "{{ regexReplaceAll "client_id: (.+?)" (.oidc_configuration | split "\n")._1 "${1}" }}",
+ "secret": "{{ regexReplaceAll "# client_secret: (.+?)" (.oidc_configuration | split "\n")._3 "${1}" }}",
+ "settings": {
+ "server_url": "https://sso.chezmoi.sh/.well-known/openid-configuration"
+ }
+ }
+ ],
+ "OAUTH_PKCE_ENABLED": "True"
+ }
+ }
+---
+apiVersion: external-secrets.io/v1beta1
+kind: ExternalSecret
+metadata:
+ name: paperless-ngx-smb-credentials
+ namespace: paperless-ngx
+spec:
+ data:
+ - remoteRef:
+ key: storage-smb-paperless-ngx
+ property: username
+ secretKey: username
+ - remoteRef:
+ key: storage-smb-paperless-ngx
+ property: password
+ secretKey: password
+ secretStoreRef:
+ kind: ClusterSecretStore
+ name: kubernetes.maison.chezmoi.sh
+ target:
+ name: paperless-ngx-smb-credentials
+---
+apiVersion: v1
+kind: PersistentVolumeClaim
+metadata:
+ name: paperless-ngx-smb-archive
+ namespace: paperless-ngx
+spec:
+ accessModes:
+ - ReadWriteMany
+ resources:
+ requests:
+ storage: 100Gi
+ storageClassName: smb
+ volumeName: paperless-ngx-smb-archive
+---
+apiVersion: v1
+kind: PersistentVolume
+metadata:
+ annotations:
+ pv.kubernetes.io/provisioned-by: smb.csi.k8s.io
+ name: paperless-ngx-smb-archive
+spec:
+ capacity:
+ storage: 100Gi
+ accessModes:
+ - ReadWriteMany
+ persistentVolumeReclaimPolicy: Retain
+ storageClassName: smb
+ mountOptions:
+ - dir_mode=0777
+ - file_mode=0777
+ - uid=1000
+ - gid=1000
+ - noperm
+ - mfsymlinks
+ - cache=strict
+ - noserverino # required to prevent data corruption
+ csi:
+ driver: smb.csi.k8s.io
+ # volumeHandle format: {smb-server-address}#{sub-dir-name}#{share-name}
+ # make sure this value is unique for every share in the cluster
+ volumeHandle: smb-server.default.svc.cluster.local/share##
+ volumeAttributes:
+ source: //nas.chezmoi.sh/Public
+ nodeStageSecretRef:
+ name: paperless-ngx-smb-credentials
+ namespace: paperless-ngx
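Review bot: The SMB PersistentVolume's `volumeHandle` near the end of the hunk is still `smb-server.default.svc.cluster.local/share##`, which reads like the upstream sample rather than the share this PV mounts (`source: //nas.chezmoi.sh/Public`); the comment above it says the handle must be unique per share in the cluster, so any other PV pasted from the same sample would be treated as the same volume by the CSI driver, and following the documented `{server}#{sub-dir}#{share}` layout something like `volumeHandle: nas.chezmoi.sh#Documents#Public` (constructed example) would be unambiguous. The mount options combine `noperm` with `dir_mode=0777`/`file_mode=0777`, which disables client-side permission checks entirely and makes the `uid=1000`/`gid=1000` labels cosmetic; a comment such as `# noperm: access is enforced server-side by the SMB account in paperless-ngx-smb-credentials, not by local uid/mode` would record why that is acceptable here. The `data` pod volume earlier in the hunk points at `claimName: media`, presumably a copy-paste slip; it is probably masked because the StatefulSet controller substitutes the `data` volumeClaimTemplate for a same-named pod volume, but it should read `claimName: data` as the redis manifest does. The OIDC ExternalSecret template extracts `client_id` and `client_secret` from fixed line positions (`_1`, `_3`) of the `oidc_configuration` document, so any reordering of that document yields an empty or wrong credential without any error; a comment stating the expected line layout next to the template would make that dependency visible.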
diff --git a/projects/maison/src/apps/paperless-ngx/workload.redis.yaml b/projects/maison/src/apps/paperless-ngx/workload.redis.yaml
new file mode 100644
index 00000000..ba2f9f25
--- /dev/null
+++ b/projects/maison/src/apps/paperless-ngx/workload.redis.yaml
@@ -0,0 +1,118 @@
+---
+# trunk-ignore(checkov/CKV2_K8S_6): The NetworkPolicy is defined but checkov does not validate it
+apiVersion: apps/v1
+kind: StatefulSet
+metadata:
+ labels:
+ app.kubernetes.io/component: tasks-broker
+ app.kubernetes.io/instance: paperless-ngx-redis
+ name: paperless-ngx-redis
+ namespace: paperless-ngx
+spec:
+ replicas: 1
+ selector:
+ matchLabels:
+ app.kubernetes.io/instance: paperless-ngx-redis
+ serviceName: paperless-ngx-redis
+ template:
+ metadata:
+ labels:
+ app.kubernetes.io/component: tasks-broker
+ app.kubernetes.io/instance: paperless-ngx-redis
+ spec:
+ automountServiceAccountToken: false
+ containers:
+ - name: redis
+ args:
+ - redis-server
+ - --save
+ - "300" # save every 5 minutes ...
+ - "1" # ... if at least 1 key changed
+ image: docker.io/library/redis:7.4.2-alpine@sha256:1bf97f21f01b0e7bd4b7b34a26d3b9d8086e41e70c10f262e8a9e0b49b5116a0
+ livenessProbe:
+ exec:
+ command:
+ - redis-cli
+ - ping
+ failureThreshold: 3
+ periodSeconds: 10
+ successThreshold: 1
+ timeoutSeconds: 5
+ ports:
+ - name: redis
+ containerPort: 6379
+ protocol: TCP
+ readinessProbe:
+ exec:
+ command:
+ - redis-cli
+ - ping
+ failureThreshold: 3
+ periodSeconds: 10
+ successThreshold: 1
+ timeoutSeconds: 5
+ resources:
+ requests:
+ memory: 64Mi
+ cpu: 100m
+ limits:
+ memory: 64Mi
+ securityContext:
+ allowPrivilegeEscalation: false
+ capabilities:
+ drop:
+ - ALL
+ readOnlyRootFilesystem: true
+ runAsGroup: 52678
+ runAsNonRoot: true
+ runAsUser: 52678
+ startupProbe:
+ exec:
+ command:
+ - redis-cli
+ - ping
+ failureThreshold: 30
+ initialDelaySeconds: 0
+ periodSeconds: 2
+ successThreshold: 1
+ timeoutSeconds: 5
+ volumeMounts:
+ - name: data
+ mountPath: /data
+ securityContext:
+ fsGroup: 52678
+ runAsGroup: 52678
+ runAsUser: 52678
+ seccompProfile:
+ type: RuntimeDefault
+ volumes:
+ - name: data
+ persistentVolumeClaim:
+ claimName: data
+ volumeClaimTemplates:
+ - metadata:
+ name: data
+ spec:
+ accessModes:
+ - ReadWriteOnce
+ resources:
+ requests:
+ storage: 256Mi
+---
+apiVersion: v1
+kind: Service
+metadata:
+ labels:
+ app.kubernetes.io/component: tasks-broker
+ app.kubernetes.io/instance: paperless-ngx-redis
+ name: paperless-ngx-redis
+ namespace: paperless-ngx
+spec:
+ ports:
+ - name: redis
+ port: 6379
+ protocol: TCP
+ targetPort: 6379
+ selector:
+ app.kubernetes.io/instance: paperless-ngx-redis
+ type: ClusterIP
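Review bot: The redis container is started as `redis-server --save 300 1` with no `--requirepass`, and the webserver connects with `redis://paperless-ngx-redis:6379` without credentials, so every workload that can reach the `paperless-ngx-redis` Service can read and enqueue Paperless tasks; as far as I recall the official redis image also disables protected mode at build time, so the server will not refuse non-loopback clients on its own. The trunk-ignore comment at the top of the hunk says a NetworkPolicy exists, but it is not part of this file, so the broker's access control rests on an object a reader of this manifest cannot see. At minimum a comment next to `args` such as `# no auth: reachability is restricted by the NetworkPolicy referenced above` would document that dependency; feeding `--requirepass` from a Secret and putting the password in `PAPERLESS_REDIS` would remove the reliance on the policy altogether.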
diff --git a/projects/nex.rpi/src/apps/nx-sso/live/production/authelia-secrets.yaml b/projects/nex.rpi/src/apps/nx-sso/live/production/authelia-secrets.yaml
index 427903b2..7f748547 100644
--- a/projects/nex.rpi/src/apps/nx-sso/live/production/authelia-secrets.yaml
+++ b/projects/nex.rpi/src/apps/nx-sso/live/production/authelia-secrets.yaml
@@ -88,6 +88,23 @@ spec:
---
apiVersion: external-secrets.io/v1beta1
kind: ExternalSecret
+metadata:
+ name: authelia-oidc-paperless-ngx
+spec:
+ refreshInterval: 15s
+ secretStoreRef:
+ kind: ClusterSecretStore
+ name: kubevault
+ target:
+ name: authelia-oidc-paperless-ngx
+ data:
+ - secretKey: oidc_client_paperless_ngx
+ remoteRef:
+ key: security-sso-oidc-clients-paperless-ngx
+ property: oidc_configuration
+---
+apiVersion: external-secrets.io/v1beta1
+kind: ExternalSecret
metadata:
name: authelia-oidc-proxmox
spec:
diff --git a/projects/nex.rpi/src/apps/nx-sso/live/production/configurations/authelia.yaml b/projects/nex.rpi/src/apps/nx-sso/live/production/configurations/authelia.yaml
index 428cc363..7bdbcedf 100644
--- a/projects/nex.rpi/src/apps/nx-sso/live/production/configurations/authelia.yaml
+++ b/projects/nex.rpi/src/apps/nx-sso/live/production/configurations/authelia.yaml
@@ -1319,6 +1319,7 @@ identity_providers:
- {{ secret "/var/run/secrets/authelia.com/oidc_client_budibase" | nindent 8 }}
- {{ secret "/var/run/secrets/authelia.com/oidc_client_linkding" | nindent 8 }}
- {{ secret "/var/run/secrets/authelia.com/oidc_client_mealie" | nindent 8 }}
+ - {{ secret "/var/run/secrets/authelia.com/oidc_client_paperless_ngx" | nindent 8 }}
- {{ secret "/var/run/secrets/authelia.com/oidc_client_proxmox" | nindent 8 }}
# -
## The Client ID is the OAuth 2.0 and OpenID Connect 1.0 Client ID which is used to link an application to a
diff --git a/projects/nex.rpi/src/apps/nx-sso/live/production/kustomization.yaml b/projects/nex.rpi/src/apps/nx-sso/live/production/kustomization.yaml
index b44ed308..f08ab112 100644
--- a/projects/nex.rpi/src/apps/nx-sso/live/production/kustomization.yaml
+++ b/projects/nex.rpi/src/apps/nx-sso/live/production/kustomization.yaml
@@ -43,6 +43,8 @@ patches:
name: authelia-oidc-linkding
- secret:
name: authelia-oidc-mealie
+ - secret:
+ name: authelia-oidc-paperless-ngx
- secret:
name: authelia-oidc-proxmox
- secret: