Gitiles
Code Review Sign In
gerrit.hackerspace.pl / hscloud / c1b7fe4ce561c20bd4d303e41d753acd6298c531 / . / hswaw / paperless / paperless.libsonnet
blob: 9cafe42a884c7f2fbc5892db34996aca6176bc0b [file] [log] [blame]
Piotr Dobrowolski7ad415f2022-04-30 12:55:26 +0200[diff] [blame]1# kubectl -n paperless create secret generic paperless-proxy --from-literal=cookie_secret=$(pwgen 32 1) --from-literal=oidc_secret=...
2# kubectl -n paperless create secret generic paperless --from-literal=postgres_password=$(pwgen 32 1) --from-literal=redis_password=$(pwgen 32 1) --from-literal=secret_key=$(pwgen 32 1)
3
4# There is no way of handling superusers (Admin panel access) automatically when
5# using OAuth2-Proxy, thus we need to run the following command to mark the
6# first user as such:
7# kubectl -n paperless exec -it deploy/paperless -c paperless -- python ./manage.py shell -c "from django.contrib.auth.models import User; u = User.objects.get_by_natural_key('informatic'); u.is_superuser = True; u.is_staff = True; u.save()"
8
Piotr Dobrowolskicebcddf2024-03-01 19:20:30 +0100[diff] [blame]9# Quick full backup:
10# kubectl -n paperless exec deploy/paperless -c paperless -- tar -c /usr/src/paperless/data /usr/src/paperless/media /usr/src/paperless/consume | pv > ~/paperless-backup/backup-....tar
11# kubectl -n paperless exec deploy/postgres pg_dumpall > ~/paperless-backup/postgres-backup-....sql
12
Radek Pietruszewskif5844312023-10-27 22:41:18 +0200[diff] [blame]13local kube = import "../../kube/hscloud.libsonnet";
Piotr Dobrowolski7ad415f2022-04-30 12:55:26 +0200[diff] [blame]14local postgres = import "../../kube/postgres.libsonnet";
15local redis = import "../../kube/redis.libsonnet";
16
17{
radexc995c212023-11-24 12:01:49 +0100[diff] [blame]18 local top = self,
Piotr Dobrowolski7ad415f2022-04-30 12:55:26 +0200[diff] [blame]19 local cfg = self.cfg,
20
21 cfg:: {
radex7a4c27d2023-11-24 13:20:10 +0100[diff] [blame]22 name: "paperless",
Piotr Dobrowolski7ad415f2022-04-30 12:55:26 +0200[diff] [blame]23 namespace: "paperless",
24 domain: "paperless.hackerspace.pl",
25
26 images: {
Piotr Dobrowolskicebcddf2024-03-01 19:20:30 +0100[diff] [blame]27 paperless: "registry.k0.hswaw.net/informatic/paperless-ngx:2.5.4",
Piotr Dobrowolski7ad415f2022-04-30 12:55:26 +0200[diff] [blame]28 proxy: "quay.io/oauth2-proxy/oauth2-proxy:v7.2.1",
29 },
30
31 storageClassName: "waw-hdd-redundant-3",
32 },
33
radex1439fde2023-11-24 12:22:22 +0100[diff] [blame]34 secretRefs:: {
35 redis_password: { secretKeyRef: { name: "paperless", key: "redis_password" } },
36 postgres_password: { secretKeyRef: { name: "paperless", key: "postgres_password" } },
37 secret_key: { secretKeyRef: { name: "paperless", key: "secret_key" } },
38 proxy: {
39 cookie_secret: { secretKeyRef: { name: "paperless-proxy", key: "cookie_secret" } },
40 oidc_secret: { secretKeyRef: { name: "paperless-proxy", key: "oidc_secret" } },
41 },
42 },
43
radex99ed6a72023-11-24 11:42:55 +0100[diff] [blame]44 local ns = kube.Namespace(cfg.namespace),
Piotr Dobrowolski7ad415f2022-04-30 12:55:26 +0200[diff] [blame]45
radex0e128492023-11-24 12:47:27 +0100[diff] [blame]46 redis: ns.Contain(redis) {
Piotr Dobrowolski7ad415f2022-04-30 12:55:26 +0200[diff] [blame]47 cfg+: {
Piotr Dobrowolski7ad415f2022-04-30 12:55:26 +0200[diff] [blame]48 storageClassName: cfg.storageClassName,
49 appName: "paperless",
radexec11a812023-11-18 17:58:19 +0100[diff] [blame]50 version: "6.0",
radex1439fde2023-11-24 12:22:22 +0100[diff] [blame]51 password: top.secretRefs.redis_password,
Piotr Dobrowolski7ad415f2022-04-30 12:55:26 +0200[diff] [blame]52 },
53 },
54
radex0e128492023-11-24 12:47:27 +0100[diff] [blame]55 postgres: ns.Contain(postgres) {
Piotr Dobrowolski7ad415f2022-04-30 12:55:26 +0200[diff] [blame]56 cfg+: {
Piotr Dobrowolski7ad415f2022-04-30 12:55:26 +0200[diff] [blame]57 appName: "paperless",
58 database: "paperless",
59 username: "paperless",
60
radex1439fde2023-11-24 12:22:22 +0100[diff] [blame]61 password: top.secretRefs.postgres_password,
Piotr Dobrowolski7ad415f2022-04-30 12:55:26 +0200[diff] [blame]62 storageClassName: cfg.storageClassName,
63 storageSize: "20Gi",
Piotr Dobrowolski0bb2fca2023-10-10 00:42:03 +0200[diff] [blame]64
radexad91bd22023-11-16 22:55:45 +0100[diff] [blame]65 version: "15.4-bookworm",
Piotr Dobrowolski0bb2fca2023-10-10 00:42:03 +0200[diff] [blame]66 pgupgrade+: {
67 enable: true,
68 from: "10",
69 },
Piotr Dobrowolski7ad415f2022-04-30 12:55:26 +0200[diff] [blame]70 },
Piotr Dobrowolski7ad415f2022-04-30 12:55:26 +0200[diff] [blame]71 },
72
radex99ed6a72023-11-24 11:42:55 +0100[diff] [blame]73 dataVolume: ns.Contain(kube.PersistentVolumeClaim("paperless-data")) {
radex36964dc2023-11-24 11:19:46 +0100[diff] [blame]74 storage:: "100Gi",
75 storageClass:: cfg.storageClassName,
Piotr Dobrowolski7ad415f2022-04-30 12:55:26 +0200[diff] [blame]76 },
77
radex7a4c27d2023-11-24 13:20:10 +0100[diff] [blame]78 deploy: ns.Contain(kube.Deployment(cfg.name)) {
Piotr Dobrowolski7ad415f2022-04-30 12:55:26 +0200[diff] [blame]79 spec+: {
80 replicas: 1,
81 template+: {
82 spec+: {
83 volumes_: {
radex4ffc64d2023-11-24 13:28:57 +0100[diff] [blame]84 data: top.dataVolume.volume,
Piotr Dobrowolski7ad415f2022-04-30 12:55:26 +0200[diff] [blame]85 },
86
87 securityContext: {
88 runAsUser: 1000,
89 runAsGroup: 1000,
90 fsGroup: 1000,
91 },
92
93 default_container:: "auth",
94 containers_: {
95 auth: kube.Container("authproxy") {
96 image: cfg.images.proxy,
97 ports_: {
98 http: { containerPort: 8001 },
99 },
100
101 env_: {
102 OAUTH2_PROXY_UPSTREAMS: "http://127.0.0.1:8000",
103 OAUTH2_PROXY_HTTP_ADDRESS: "0.0.0.0:8001",
104
radex1439fde2023-11-24 12:22:22 +0100[diff] [blame]105 OAUTH2_PROXY_COOKIE_SECRET: top.secretRefs.proxy.cookie_secret,
Piotr Dobrowolski7ad415f2022-04-30 12:55:26 +0200[diff] [blame]106
107 OAUTH2_PROXY_PROVIDER: "oidc",
108 OAUTH2_PROXY_OIDC_ISSUER_URL: "https://sso.hackerspace.pl",
109 OAUTH2_PROXY_SKIP_PROVIDER_BUTTON: "true",
110
111 OAUTH2_PROXY_CLIENT_ID: "b4859334-140b-432a-81f6-8f3e135e021a",
radex1439fde2023-11-24 12:22:22 +0100[diff] [blame]112 OAUTH2_PROXY_CLIENT_SECRET: top.secretRefs.proxy.oidc_secret,
Piotr Dobrowolski7ad415f2022-04-30 12:55:26 +0200[diff] [blame]113
114 OAUTH2_PROXY_EMAIL_DOMAINS: "*",
Piotr Dobrowolski69dd2bf2023-09-04 20:48:51 +0200[diff] [blame]115 OAUTH2_PROXY_ALLOWED_GROUPS: "zarzad,paperless-admin",
Piotr Dobrowolski7ad415f2022-04-30 12:55:26 +0200[diff] [blame]116
117 # Security considerations:
118 #
119 # * OAuth2-Proxy *will* strip X-Forwarded-User
120 # header from requests passed through to
121 # endpoint, preventing authentication bypass
122 #
123 # * OAuth2-Proxy *will not* strip Authorization
124 # header - that can either be a user token,
125 # or a username/password pair. Former can only
126 # be generated by staff/superuser in Admin
127 # panel, and the latter will not work for our
128 # OAuth2 autogenerated users since these do
129 # not have any password set
130 OAUTH2_PROXY_SKIP_AUTH_ROUTES: "^/api/.*",
131 },
132 },
133
134 paperless: kube.Container("paperless") {
135 image: cfg.images.paperless,
136 resources: {
137 requests: { cpu: "500m", memory: "1024M" },
138 limits: { cpu: "4", memory: "6144M" },
139 },
140 env_: {
141 PAPERLESS_PORT: "8000",
Piotr Dobrowolskie9413de2023-12-03 18:34:16 +0100[diff] [blame]142 PAPERLESS_BIND_ADDR: "127.0.0.1",
Piotr Dobrowolski0bb2fca2023-10-10 00:42:03 +0200[diff] [blame]143 PAPERLESS_URL: "https://%s" % [cfg.domain],
Piotr Dobrowolski7ad415f2022-04-30 12:55:26 +0200[diff] [blame]144
radex1439fde2023-11-24 12:22:22 +0100[diff] [blame]145 PAPERLESS_SECRET_KEY: top.secretRefs.secret_key,
Piotr Dobrowolski7ad415f2022-04-30 12:55:26 +0200[diff] [blame]146
radexc995c212023-11-24 12:01:49 +0100[diff] [blame]147 A_REDIS_PASSWORD: top.redis.cfg.password,
Piotr Dobrowolski7ad415f2022-04-30 12:55:26 +0200[diff] [blame]148 PAPERLESS_REDIS: "redis://:$(A_REDIS_PASSWORD)@redis:6379",
149
radex37991742023-11-24 12:37:37 +0100[diff] [blame]150 PAPERLESS_DBHOST: top.postgres.svc.host,
radexc995c212023-11-24 12:01:49 +0100[diff] [blame]151 PAPERLESS_DBNAME: top.postgres.cfg.database,
152 PAPERLESS_DBUSER: top.postgres.cfg.username,
153 PAPERLESS_DBPASS: top.postgres.cfg.password,
Piotr Dobrowolski7ad415f2022-04-30 12:55:26 +0200[diff] [blame]154
155 PAPERLESS_ENABLE_HTTP_REMOTE_USER: "true",
156 PAPERLESS_HTTP_REMOTE_USER_HEADER_NAME: "HTTP_X_FORWARDED_USER",
157
158 PAPERLESS_OCR_LANGUAGE: "pol",
159 PAPERLESS_OCR_MODE: "force",
Piotr Dobrowolskic1b7fe42024-03-17 23:14:30 +0100[diff] [blame^]160 PAPERLESS_OCR_USER_ARGS: '{"continue_on_soft_render_error": true, "invalidate_digital_signatures": true}',
Piotr Dobrowolski7ad415f2022-04-30 12:55:26 +0200[diff] [blame]161 PAPERLESS_DATE_ORDER: "YMD",
Piotr Dobrowolski0bb2fca2023-10-10 00:42:03 +0200[diff] [blame]162 PAPERLESS_EMAIL_TASK_CRON: "*/2 * * * *",
Piotr Dobrowolski7ad415f2022-04-30 12:55:26 +0200[diff] [blame]163 },
164
165 volumeMounts: [
166 { name: "data", mountPath: "/usr/src/paperless/data", subPath: "data" },
167 { name: "data", mountPath: "/usr/src/paperless/media", subPath: "media" },
168 { name: "data", mountPath: "/usr/src/paperless/consume", subPath: "consume" },
169 ],
170 },
171 },
172 },
173 },
174 },
175 },
176
radex7a4c27d2023-11-24 13:20:10 +0100[diff] [blame]177 service: ns.Contain(kube.Service(cfg.name)) {
radexc995c212023-11-24 12:01:49 +0100[diff] [blame]178 target:: top.deploy,
Piotr Dobrowolski7ad415f2022-04-30 12:55:26 +0200[diff] [blame]179 },
180
radex7a4c27d2023-11-24 13:20:10 +0100[diff] [blame]181 ingress: ns.Contain(kube.SimpleIngress(cfg.name)) {
Radek Pietruszewskif5844312023-10-27 22:41:18 +0200[diff] [blame]182 hosts:: [cfg.domain],
radexd45584a2023-11-24 12:51:57 +0100[diff] [blame]183 target:: top.service,
Radek Pietruszewskif5844312023-10-27 22:41:18 +0200[diff] [blame]184 },
Piotr Dobrowolski7ad415f2022-04-30 12:55:26 +0200[diff] [blame]185}