Gitiles
Code Review Sign In
gerrit.hackerspace.pl / hscloud / 5a12c4048f58897033b7f6911ead00c8da89e0aa / . / hswaw / paperless / paperless.libsonnet
blob: 3b8114b414d4978098b212370446d9eb954080b6 [file] [log] [blame]
Piotr Dobrowolski7ad415f2022-04-30 12:55:26 +0200[diff] [blame]1# kubectl -n paperless create secret generic paperless-proxy --from-literal=cookie_secret=$(pwgen 32 1) --from-literal=oidc_secret=...
2# kubectl -n paperless create secret generic paperless --from-literal=postgres_password=$(pwgen 32 1) --from-literal=redis_password=$(pwgen 32 1) --from-literal=secret_key=$(pwgen 32 1)
3
4# There is no way of handling superusers (Admin panel access) automatically when
5# using OAuth2-Proxy, thus we need to run the following command to mark the
6# first user as such:
7# kubectl -n paperless exec -it deploy/paperless -c paperless -- python ./manage.py shell -c "from django.contrib.auth.models import User; u = User.objects.get_by_natural_key('informatic'); u.is_superuser = True; u.is_staff = True; u.save()"
8
Radek Pietruszewskif5844312023-10-27 22:41:18 +0200[diff] [blame]9local kube = import "../../kube/hscloud.libsonnet";
Piotr Dobrowolski7ad415f2022-04-30 12:55:26 +0200[diff] [blame]10local postgres = import "../../kube/postgres.libsonnet";
11local redis = import "../../kube/redis.libsonnet";
12
13{
radexc995c212023-11-24 12:01:49 +0100[diff] [blame]14 local top = self,
Piotr Dobrowolski7ad415f2022-04-30 12:55:26 +0200[diff] [blame]15 local cfg = self.cfg,
16
17 cfg:: {
radex7a4c27d2023-11-24 13:20:10 +0100[diff] [blame]18 name: "paperless",
Piotr Dobrowolski7ad415f2022-04-30 12:55:26 +0200[diff] [blame]19 namespace: "paperless",
20 domain: "paperless.hackerspace.pl",
21
22 images: {
Piotr Dobrowolski0bb2fca2023-10-10 00:42:03 +0200[diff] [blame]23 paperless: "registry.k0.hswaw.net/informatic/paperless-ngx:1.17.4",
Piotr Dobrowolski7ad415f2022-04-30 12:55:26 +0200[diff] [blame]24 proxy: "quay.io/oauth2-proxy/oauth2-proxy:v7.2.1",
25 },
26
27 storageClassName: "waw-hdd-redundant-3",
28 },
29
radex1439fde2023-11-24 12:22:22 +0100[diff] [blame]30 secretRefs:: {
31 redis_password: { secretKeyRef: { name: "paperless", key: "redis_password" } },
32 postgres_password: { secretKeyRef: { name: "paperless", key: "postgres_password" } },
33 secret_key: { secretKeyRef: { name: "paperless", key: "secret_key" } },
34 proxy: {
35 cookie_secret: { secretKeyRef: { name: "paperless-proxy", key: "cookie_secret" } },
36 oidc_secret: { secretKeyRef: { name: "paperless-proxy", key: "oidc_secret" } },
37 },
38 },
39
radex99ed6a72023-11-24 11:42:55 +0100[diff] [blame]40 local ns = kube.Namespace(cfg.namespace),
Piotr Dobrowolski7ad415f2022-04-30 12:55:26 +0200[diff] [blame]41
radex0e128492023-11-24 12:47:27 +0100[diff] [blame]42 redis: ns.Contain(redis) {
Piotr Dobrowolski7ad415f2022-04-30 12:55:26 +0200[diff] [blame]43 cfg+: {
Piotr Dobrowolski7ad415f2022-04-30 12:55:26 +0200[diff] [blame]44 storageClassName: cfg.storageClassName,
45 appName: "paperless",
46 image: "redis:6.0",
radex1439fde2023-11-24 12:22:22 +0100[diff] [blame]47 password: top.secretRefs.redis_password,
Piotr Dobrowolski7ad415f2022-04-30 12:55:26 +0200[diff] [blame]48 },
49 },
50
radex0e128492023-11-24 12:47:27 +0100[diff] [blame]51 postgres: ns.Contain(postgres) {
Piotr Dobrowolski7ad415f2022-04-30 12:55:26 +0200[diff] [blame]52 cfg+: {
Piotr Dobrowolski7ad415f2022-04-30 12:55:26 +0200[diff] [blame]53 appName: "paperless",
54 database: "paperless",
55 username: "paperless",
56
radex1439fde2023-11-24 12:22:22 +0100[diff] [blame]57 password: top.secretRefs.postgres_password,
Piotr Dobrowolski7ad415f2022-04-30 12:55:26 +0200[diff] [blame]58 storageClassName: cfg.storageClassName,
59 storageSize: "20Gi",
Piotr Dobrowolski0bb2fca2023-10-10 00:42:03 +0200[diff] [blame]60
61 image: "postgres:15.4-bookworm",
62 pgupgrade+: {
63 enable: true,
64 from: "10",
65 },
Piotr Dobrowolski7ad415f2022-04-30 12:55:26 +0200[diff] [blame]66 },
Piotr Dobrowolski7ad415f2022-04-30 12:55:26 +0200[diff] [blame]67 },
68
radex99ed6a72023-11-24 11:42:55 +0100[diff] [blame]69 dataVolume: ns.Contain(kube.PersistentVolumeClaim("paperless-data")) {
radex36964dc2023-11-24 11:19:46 +0100[diff] [blame]70 storage:: "100Gi",
71 storageClass:: cfg.storageClassName,
Piotr Dobrowolski7ad415f2022-04-30 12:55:26 +0200[diff] [blame]72 },
73
radex7a4c27d2023-11-24 13:20:10 +0100[diff] [blame]74 deploy: ns.Contain(kube.Deployment(cfg.name)) {
Piotr Dobrowolski7ad415f2022-04-30 12:55:26 +0200[diff] [blame]75 spec+: {
76 replicas: 1,
77 template+: {
78 spec+: {
79 volumes_: {
radex4ffc64d2023-11-24 13:28:57 +0100[diff] [blame]80 data: top.dataVolume.volume,
Piotr Dobrowolski7ad415f2022-04-30 12:55:26 +0200[diff] [blame]81 },
82
83 securityContext: {
84 runAsUser: 1000,
85 runAsGroup: 1000,
86 fsGroup: 1000,
87 },
88
89 default_container:: "auth",
90 containers_: {
91 auth: kube.Container("authproxy") {
92 image: cfg.images.proxy,
93 ports_: {
94 http: { containerPort: 8001 },
95 },
96
97 env_: {
98 OAUTH2_PROXY_UPSTREAMS: "http://127.0.0.1:8000",
99 OAUTH2_PROXY_HTTP_ADDRESS: "0.0.0.0:8001",
100
radex1439fde2023-11-24 12:22:22 +0100[diff] [blame]101 OAUTH2_PROXY_COOKIE_SECRET: top.secretRefs.proxy.cookie_secret,
Piotr Dobrowolski7ad415f2022-04-30 12:55:26 +0200[diff] [blame]102
103 OAUTH2_PROXY_PROVIDER: "oidc",
104 OAUTH2_PROXY_OIDC_ISSUER_URL: "https://sso.hackerspace.pl",
105 OAUTH2_PROXY_SKIP_PROVIDER_BUTTON: "true",
106
107 OAUTH2_PROXY_CLIENT_ID: "b4859334-140b-432a-81f6-8f3e135e021a",
radex1439fde2023-11-24 12:22:22 +0100[diff] [blame]108 OAUTH2_PROXY_CLIENT_SECRET: top.secretRefs.proxy.oidc_secret,
Piotr Dobrowolski7ad415f2022-04-30 12:55:26 +0200[diff] [blame]109
110 OAUTH2_PROXY_EMAIL_DOMAINS: "*",
Piotr Dobrowolski69dd2bf2023-09-04 20:48:51 +0200[diff] [blame]111 OAUTH2_PROXY_ALLOWED_GROUPS: "zarzad,paperless-admin",
Piotr Dobrowolski7ad415f2022-04-30 12:55:26 +0200[diff] [blame]112
113 # Security considerations:
114 #
115 # * OAuth2-Proxy *will* strip X-Forwarded-User
116 # header from requests passed through to
117 # endpoint, preventing authentication bypass
118 #
119 # * OAuth2-Proxy *will not* strip Authorization
120 # header - that can either be a user token,
121 # or a username/password pair. Former can only
122 # be generated by staff/superuser in Admin
123 # panel, and the latter will not work for our
124 # OAuth2 autogenerated users since these do
125 # not have any password set
126 OAUTH2_PROXY_SKIP_AUTH_ROUTES: "^/api/.*",
127 },
128 },
129
130 paperless: kube.Container("paperless") {
131 image: cfg.images.paperless,
132 resources: {
133 requests: { cpu: "500m", memory: "1024M" },
134 limits: { cpu: "4", memory: "6144M" },
135 },
136 env_: {
137 PAPERLESS_PORT: "8000",
Piotr Dobrowolskie9413de2023-12-03 18:34:16 +0100[diff] [blame]138 PAPERLESS_BIND_ADDR: "127.0.0.1",
Piotr Dobrowolski0bb2fca2023-10-10 00:42:03 +0200[diff] [blame]139 PAPERLESS_URL: "https://%s" % [cfg.domain],
Piotr Dobrowolski7ad415f2022-04-30 12:55:26 +0200[diff] [blame]140
radex1439fde2023-11-24 12:22:22 +0100[diff] [blame]141 PAPERLESS_SECRET_KEY: top.secretRefs.secret_key,
Piotr Dobrowolski7ad415f2022-04-30 12:55:26 +0200[diff] [blame]142
radexc995c212023-11-24 12:01:49 +0100[diff] [blame]143 A_REDIS_PASSWORD: top.redis.cfg.password,
Piotr Dobrowolski7ad415f2022-04-30 12:55:26 +0200[diff] [blame]144 PAPERLESS_REDIS: "redis://:$(A_REDIS_PASSWORD)@redis:6379",
145
radex37991742023-11-24 12:37:37 +0100[diff] [blame]146 PAPERLESS_DBHOST: top.postgres.svc.host,
radexc995c212023-11-24 12:01:49 +0100[diff] [blame]147 PAPERLESS_DBNAME: top.postgres.cfg.database,
148 PAPERLESS_DBUSER: top.postgres.cfg.username,
149 PAPERLESS_DBPASS: top.postgres.cfg.password,
Piotr Dobrowolski7ad415f2022-04-30 12:55:26 +0200[diff] [blame]150
151 PAPERLESS_ENABLE_HTTP_REMOTE_USER: "true",
152 PAPERLESS_HTTP_REMOTE_USER_HEADER_NAME: "HTTP_X_FORWARDED_USER",
153
154 PAPERLESS_OCR_LANGUAGE: "pol",
155 PAPERLESS_OCR_MODE: "force",
Piotr Dobrowolski6963e8b2023-11-12 15:51:23 +0100[diff] [blame]156 PAPERLESS_OCR_USER_ARGS: '{"continue_on_soft_render_error": true}',
Piotr Dobrowolski7ad415f2022-04-30 12:55:26 +0200[diff] [blame]157 PAPERLESS_DATE_ORDER: "YMD",
Piotr Dobrowolski0bb2fca2023-10-10 00:42:03 +0200[diff] [blame]158 PAPERLESS_EMAIL_TASK_CRON: "*/2 * * * *",
Piotr Dobrowolski7ad415f2022-04-30 12:55:26 +0200[diff] [blame]159 },
160
161 volumeMounts: [
162 { name: "data", mountPath: "/usr/src/paperless/data", subPath: "data" },
163 { name: "data", mountPath: "/usr/src/paperless/media", subPath: "media" },
164 { name: "data", mountPath: "/usr/src/paperless/consume", subPath: "consume" },
165 ],
166 },
167 },
168 },
169 },
170 },
171 },
172
radex7a4c27d2023-11-24 13:20:10 +0100[diff] [blame]173 service: ns.Contain(kube.Service(cfg.name)) {
radexc995c212023-11-24 12:01:49 +0100[diff] [blame]174 target:: top.deploy,
Piotr Dobrowolski7ad415f2022-04-30 12:55:26 +0200[diff] [blame]175 },
176
radex7a4c27d2023-11-24 13:20:10 +0100[diff] [blame]177 ingress: ns.Contain(kube.SimpleIngress(cfg.name)) {
Radek Pietruszewskif5844312023-10-27 22:41:18 +0200[diff] [blame]178 hosts:: [cfg.domain],
radexd45584a2023-11-24 12:51:57 +0100[diff] [blame]179 target:: top.service,
Radek Pietruszewskif5844312023-10-27 22:41:18 +0200[diff] [blame]180 },
Piotr Dobrowolski7ad415f2022-04-30 12:55:26 +0200[diff] [blame]181}