From 7bda5fe69c3394ed44e69beaadea143f2a4be97c Mon Sep 17 00:00:00 2001
From: Ultradesu
Date: Sun, 13 Apr 2025 15:58:11 +0100
Subject: [PATCH] Added paperless
---
k8s/apps/paperless/app.yaml | 21 ++++++
k8s/apps/paperless/external-secrets.yaml | 67 +++++++++++++++++
k8s/apps/paperless/kustomization.yaml | 16 ++++
k8s/apps/paperless/values.yaml | 95 ++++++++++++++++++++++++
4 files changed, 199 insertions(+)
create mode 100644 k8s/apps/paperless/app.yaml
create mode 100644 k8s/apps/paperless/external-secrets.yaml
create mode 100644 k8s/apps/paperless/kustomization.yaml
create mode 100644 k8s/apps/paperless/values.yaml
diff --git a/k8s/apps/paperless/app.yaml b/k8s/apps/paperless/app.yaml
new file mode 100644
index 0000000..ca2b039
--- /dev/null
+++ b/k8s/apps/paperless/app.yaml
@@ -0,0 +1,21 @@
+apiVersion: argoproj.io/v1alpha1
+kind: Application
+metadata:
+ name: paperless
+ namespace: argocd
+spec:
+ project: apps
+ destination:
+ namespace: paperless
+ server: https://kubernetes.default.svc
+ source:
+ repoURL: ssh://git@gt.hexor.cy:30022/ab/homelab.git
+ targetRevision: HEAD
+ path: k8s/apps/paperless
+ syncPolicy:
+ automated:
+ selfHeal: true
+ prune: true
+ syncOptions:
+ - CreateNamespace=true
+
diff --git a/k8s/apps/paperless/external-secrets.yaml b/k8s/apps/paperless/external-secrets.yaml
new file mode 100644
index 0000000..d4b4a6e
--- /dev/null
+++ b/k8s/apps/paperless/external-secrets.yaml
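Review bot: `targetRevision: HEAD` combined with `automated` sync, `selfHeal: true` and `prune: true` in app.yaml means whatever lands on the repository's default branch is applied to the cluster, and anything removed from it is deleted, with no review step in between. Push access to `homelab.git` is therefore effectively deploy access to the `paperless` namespace, and, since kustomization.yaml lists `app.yaml` as a resource, apparently to this Application object as well. If that is the intended trust model, record it with a comment above `targetRevision`, e.g. `# tracks the default branch; keep it protected, every push is deployed`; otherwise pin the revision to a tag or commit.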
@@ -0,0 +1,67 @@
+---
+apiVersion: external-secrets.io/v1beta1
+kind: ExternalSecret
+metadata:
+ name: postgres-creds
+ namespace: paperless-ngx
+spec:
+ target:
+ name: postgres-creds
+ deletionPolicy: Delete
+ template:
+ type: Opaque
+ data:
+ psql_user: paperless
+ psql_pass: |-
+ {{ .psql_pass }}
+ oauth_config: |-
+ {
+ "openid_connect": {
+ "APPS": [
+ {
+ "provider_id": "authentik",
+ "name": "Authentik",
+ "client_id": "{{ .oauth_id }}",
+ "secret": "{{ .oauth_secret }}",
+ "settings": {
+ "server_url": "{{ .server_url }}"
+ }
+ }
+ ],
+ "OAUTH_PKCE_ENABLED": "True"
+ }
+ }
+ data:
+ - secretKey: psql_pass
+ sourceRef:
+ storeRef:
+ name: vaultwarden-login
+ kind: ClusterSecretStore
+ remoteRef:
+ key: 2a9deb39-ef22-433e-a1be-df1555625e22
+ property: fields[5].value
+ - secretKey: oauth_id
+ sourceRef:
+ storeRef:
+ name: vaultwarden-login
+ kind: ClusterSecretStore
+ remoteRef:
+ key: 07d4efd9-597c-4a4c-a78d-13bfc43e6055
+ property: fields[0].value
+ - secretKey: oauth_secret
+ sourceRef:
+ storeRef:
+ name: vaultwarden-login
+ kind: ClusterSecretStore
+ remoteRef:
+ key: 07d4efd9-597c-4a4c-a78d-13bfc43e6055
+ property: fields[1].value
+ - secretKey: server_url
+ sourceRef:
+ storeRef:
+ name: vaultwarden-login
+ kind: ClusterSecretStore
+ remoteRef:
+ key: 07d4efd9-597c-4a4c-a78d-13bfc43e6055
+ property: fields[2].value
+
diff --git a/k8s/apps/paperless/kustomization.yaml b/k8s/apps/paperless/kustomization.yaml
new file mode 100644
index 0000000..a653fa8
--- /dev/null
+++ b/k8s/apps/paperless/kustomization.yaml
@@ -0,0 +1,16 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+
+resources:
+ - app.yaml
+ - external-secrets.yaml
+
+helmCharts:
+ - name: paperless-ngx
+ repo: https://charts.gabe565.com
+ version: latest
+ releaseName: paperless-ngx
+ namespace: paperless
+ valuesFile: values.yaml
+ includeCRDs: true
+
diff --git a/k8s/apps/paperless/values.yaml b/k8s/apps/paperless/values.yaml
new file mode 100644
index 0000000..696d7e2
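Review bot: The ExternalSecret sets `namespace: paperless-ngx`, while the destination in app.yaml and the `helmCharts` entry in kustomization.yaml both use `paperless`. Unless something outside this patch rewrites namespaces, the generated `postgres-creds` Secret lands where the workload does not run and the `secretKeyRef` lookups in values.yaml will not resolve; it should read `namespace: paperless`. The `remoteRef.property` values are positional (`fields[5].value`, `fields[0].value`, …), so reordering the custom fields of the vault item would silently put a different value into the database password or OAuth secret; a comment naming the expected field next to each index would make that checkable. `oauth_config` is JSON built by plain interpolation, so a client secret containing `"` or `\` produces invalid JSON; piping the values through `toJson` may be an option if the template engine in use provides it.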
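Review bot: `version: latest` in the `helmCharts` entry leaves the third-party chart from `https://charts.gabe565.com` unpinned, so the rendered manifests can change without any commit in this repository, and with the automated sync in app.yaml they would be deployed as soon as they change. Helm may also not accept `latest` as a version constraint at all, which is worth checking against a local `kustomize build --enable-helm`. Pin an exact release, `version: <CHART_VERSION>`, and bump it deliberately alongside the image tag in values.yaml.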
--- /dev/null
+++ b/k8s/apps/paperless/values.yaml
@@ -0,0 +1,95 @@
+image:
+ tag: 2.15.1
+initContainers:
+ install-tesseract-langs:
+ image: ghcr.io/paperless-ngx/paperless-ngx:2.15.1
+ command: ["/bin/sh", "-c"]
+ args:
+ - apt-get update && apt-get install -y --reinstall tesseract-ocr-rus tesseract-ocr-eng tesseract-ocr-ell && cp -v -r /usr/share/tesseract-ocr/5/tessdata/* /custom-tessdata/
+ volumeMounts:
+ - name: tessdata
+ mountPath: /custom-tessdata
+nodeSelector:
+ kubernetes.io/hostname: nas.tail2fe2d.ts.net
+env:
+ TZ: Asia/Nicosia
+ PAPERLESS_URL: https://docs.hexor.cy
+ PAPERLESS_ALLOWED_HOSTS: docs.hexor.cy
+ PAPERLESS_CSRF_TRUSTED_ORIGINS: https://idm.hexor.cy
+ PAPERLESS_OCR_LANGUAGE: "eng+rus+ell"
+ TESSDATA_PREFIX: /custom-tessdata
+ PAPERLESS_DBENGINE: postgresql
+ PAPERLESS_DBHOST: psql-nas.psql.svc
+ PAPERLESS_DBPORT: "5432"
+ PAPERLESS_DBNAME: paperless
+ PAPERLESS_DBUSER:
+ valueFrom:
+ secretKeyRef:
+ name: postgres-creds
+ key: psql_user
+ PAPERLESS_DBPASS:
+ valueFrom:
+ secretKeyRef:
+ name: postgres-creds
+ key: psql_pass
+ PAPERLESS_ACCOUNT_AUTO_CREATION: "true"
+ PAPERLESS_ACCOUNT_SUPERUSER_GROUP: PaperlessAdmins
+ PAPERLESS_ACCOUNT_SOCIAL_OIDC_GROUPS_CLAIM: groups
+ PAPERLESS_DISABLE_REGULAR_LOGIN: "true"
+ PAPERLESS_APPS: allauth.socialaccount.providers.openid_connect
+ PAPERLESS_SOCIALACCOUNT_PROVIDERS:
+ valueFrom:
+ secretKeyRef:
+ name: postgres-creds
+ key: oauth_config
+ingress:
+ main:
+ enabled: true
+ ingressClassName: traefik
+ annotations:
+ cert-manager.io/cluster-issuer: letsencrypt
+ traefik.ingress.kubernetes.io/router.middlewares: kube-system-https-redirect@kubernetescrd
+ hosts:
+ - host: docs.hexor.cy
+ paths:
+ - path: /
+ pathType: Prefix
+ tls:
+ - hosts:
+ - '*.hexor.cy'
+ secretName: docs-tls
+persistence:
+ tessdata:
+ enabled: true
+ type: emptyDir
+ mountPath: /custom-tessdata
+ data:
+ enabled: true
+ type: hostPath
+ hostPath: /mnt/storage/Storage/k8s/paperless/data
+ globalMounts:
+ - path: /usr/src/paperless/data
+ media:
+ enabled: true
+ type: hostPath
+ hostPath: /mnt/storage/Storage/k8s/paperless/media
+ globalMounts:
+ - path: /usr/src/paperless/media
+ export:
+ enabled: true
+ type: hostPath
+ hostPath: /mnt/storage/Storage/k8s/paperless/export
+ globalMounts:
+ - path: /usr/src/paperless/export
+ consume:
+ enabled: true
+ type: hostPath
+ hostPath: /mnt/storage/Storage/k8s/paperless/consume
+ globalMounts:
+ - path: /usr/src/paperless/consume
+postgresql:
+ enabled: false
+mariadb:
+ enabled: false
+
+
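Review bot: The `install-tesseract-langs` init container runs `apt-get update && apt-get install` on every pod start, which needs root and outbound network access, makes startup depend on the package mirrors, and installs whatever package versions are current at that moment rather than something fixed by the image tag. Baking the three language packs into a derived image, or shipping the traineddata files from a volume, keeps the pod's content reviewable; at minimum a comment above `args` should say why this is done at runtime. In the ingress `tls` block, `hosts` is `'*.hexor.cy'` although only `docs.hexor.cy` is routed, so the `docs-tls` secret in this namespace would hold a key valid for every hexor.cy subdomain, and a wildcard can only be issued if the `letsencrypt` issuer solves DNS-01. `- docs.hexor.cy` is sufficient there.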