# Secrets are created out of band and never committed here. The oauth2-proxy
# cookie secret must be 16, 24 or 32 bytes long (`pwgen 32 1` gives 32), and
# the OIDC client secret is the one value that is not generated locally - pass
# it via --from-file or a `read -s` variable rather than a literal so it does
# not end up in shell history:
# kubectl -n paperless create secret generic paperless-proxy --from-literal=cookie_secret=$(pwgen 32 1) --from-literal=oidc_secret=...
# kubectl -n paperless create secret generic paperless --from-literal=postgres_password=$(pwgen 32 1) --from-literal=redis_password=$(pwgen 32 1) --from-literal=secret_key=$(pwgen 32 1)
3
# Users arriving through OAuth2-Proxy / REMOTE_USER are auto-created as plain
# users; nothing maps an SSO group to Django's is_staff / is_superuser flags,
# so the first administrator has to be promoted by hand. Keep this set small:
# staff can reach the Admin panel and mint API tokens there, which the
# proxy does not gate (see OAUTH2_PROXY_SKIP_AUTH_ROUTES below).
# kubectl -n paperless exec -it deploy/paperless -c paperless -- python ./manage.py shell -c "from django.contrib.auth.models import User; u = User.objects.get_by_natural_key('informatic'); u.is_superuser = True; u.is_staff = True; u.save()"
8
Radek Pietruszewskif5844312023-10-27 22:41:18 +02009local kube = import "../../kube/hscloud.libsonnet";
Piotr Dobrowolski7ad415f2022-04-30 12:55:26 +020010local postgres = import "../../kube/postgres.libsonnet";
11local redis = import "../../kube/redis.libsonnet";
12
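{
    local app = self,
    local cfg = self.cfg,

    cfg:: {
        namespace: "paperless",
        domain: "paperless.hackerspace.pl",

        # Images are pinned by tag only, not by digest, so a tag can be
        # re-pushed underneath us. The proxy tag is a 2022 release; track
        # upstream oauth2-proxy advisories when bumping.
        images: {
            paperless: "registry.k0.hswaw.net/informatic/paperless-ngx:1.17.4",
            proxy: "quay.io/oauth2-proxy/oauth2-proxy:v7.2.1",
        },

        storageClassName: "waw-hdd-redundant-3",
    },

    ns: kube.Namespace(cfg.namespace),

    # Redis is the paperless task broker; the password is read from the
    # "paperless" secret rather than spelled out here.
    redis: redis {
        cfg+: {
            namespace: cfg.namespace,
            storageClassName: cfg.storageClassName,
            appName: "paperless",
            image: "redis:6.0",
            password: { secretKeyRef: { name: "paperless", key: "redis_password" } },
        },
    },

    # PostgreSQL with an in-place major upgrade from 10 and a pgbouncer in
    # front (default bouncer config).
    postgres: postgres {
        cfg+: {
            namespace: cfg.namespace,
            appName: "paperless",
            database: "paperless",
            username: "paperless",

            password: { secretKeyRef: { name: "paperless", key: "postgres_password" } },
            storageClassName: cfg.storageClassName,
            storageSize: "20Gi",

            image: "postgres:15.4-bookworm",
            pgupgrade+: {
                enable: true,
                from: "10",
            },
        },
        bouncer: {},
    },

    # Single RWO volume holding data/, media/ and consume/ as subPaths;
    # RWO is fine because the deployment runs exactly one replica.
    dataVolume: app.ns.Contain(kube.PersistentVolumeClaim("paperless-data")) {
        spec+: {
            storageClassName: cfg.storageClassName,
            accessModes: [ "ReadWriteOnce" ],
            resources: {
                requests: {
                    storage: "100Gi",
                },
            },
        },
    },

    deploy: app.ns.Contain(kube.Deployment("paperless")) {
        spec+: {
            replicas: 1,
            template+: {
                spec+: {
                    volumes_: {
                        data: kube.PersistentVolumeClaimVolume(app.dataVolume),
                    },

                    # Both containers run as uid/gid 1000; fsGroup makes the
                    # PVC writable for them.
                    securityContext: {
                        runAsUser: 1000,
                        runAsGroup: 1000,
                        fsGroup: 1000,
                    },

                    # The proxy is the only container whose port (8001) is
                    # declared; it is the one the Service should target.
                    default_container:: "auth",
                    containers_: {
                        # oauth2-proxy sidecar: authenticates against the
                        # hackerspace SSO and forwards to paperless over the
                        # pod's loopback interface.
                        auth: kube.Container("authproxy") {
                            image: cfg.images.proxy,
                            ports_: {
                                http: { containerPort: 8001 },
                            },

                            env_: {
                                OAUTH2_PROXY_UPSTREAMS: "http://127.0.0.1:8000",
                                OAUTH2_PROXY_HTTP_ADDRESS: "0.0.0.0:8001",

                                OAUTH2_PROXY_COOKIE_SECRET: { secretKeyRef: { name: "paperless-proxy", key: "cookie_secret" } },

                                OAUTH2_PROXY_PROVIDER: "oidc",
                                OAUTH2_PROXY_OIDC_ISSUER_URL: "https://sso.hackerspace.pl",
                                OAUTH2_PROXY_SKIP_PROVIDER_BUTTON: "true",

                                OAUTH2_PROXY_CLIENT_ID: "b4859334-140b-432a-81f6-8f3e135e021a",
                                OAUTH2_PROXY_CLIENT_SECRET: { secretKeyRef: { name: "paperless-proxy", key: "oidc_secret" } },

                                # Any e-mail domain is accepted; access is gated
                                # by SSO group membership instead.
                                OAUTH2_PROXY_EMAIL_DOMAINS: "*",
                                OAUTH2_PROXY_ALLOWED_GROUPS: "zarzad,paperless-admin",

                                # Security considerations for exempting /api/
                                # from the proxy:
                                #
                                # * Requests to /api/ reach paperless with no
                                #   SSO check at all - neither the OIDC login
                                #   nor ALLOWED_GROUPS applies there. Only
                                #   paperless' own authentication (DRF token,
                                #   Django session cookie, HTTP basic) stands
                                #   between the internet and the API.
                                #
                                # * OAuth2-Proxy *will* strip X-Forwarded-User
                                #   from requests it passes to the upstream,
                                #   so a client cannot choose its own identity
                                #   via the header paperless trusts below. That
                                #   only covers traffic that actually goes
                                #   through this proxy - which is why paperless
                                #   is bound to loopback (PAPERLESS_BIND_ADDR).
                                #
                                # * OAuth2-Proxy *will not* strip Authorization.
                                #   That is either a user token (only creatable
                                #   by staff/superusers in the Admin panel) or
                                #   a username/password pair; the latter fails
                                #   for our SSO-autocreated users because they
                                #   have no password set. It stops failing for
                                #   any account that later gets a password
                                #   (Admin panel / manage.py changepassword),
                                #   and an already issued token or session
                                #   presumably outlives removal from the SSO
                                #   groups above - revoke them in paperless
                                #   too when offboarding someone.
                                OAUTH2_PROXY_SKIP_AUTH_ROUTES: "^/api/.*",
                            },
                        },

                        paperless: kube.Container("paperless") {
                            image: cfg.images.paperless,
                            resources: {
                                requests: { cpu: "500m", memory: "1024M" },
                                limits: { cpu: "4", memory: "6144M" },
                            },
                            env_: {
                                PAPERLESS_PORT: "8000",
                                # Only the oauth2-proxy sidecar (upstream
                                # 127.0.0.1:8000) may talk to paperless. With
                                # REMOTE_USER auth enabled below, anything that
                                # could reach port 8000 directly would bypass
                                # SSO and could present any X-Forwarded-User it
                                # likes; binding to loopback keeps that header
                                # trust inside the pod. Nothing else declares
                                # or targets port 8000 here.
                                PAPERLESS_BIND_ADDR: "127.0.0.1",
                                PAPERLESS_URL: "https://%s" % [cfg.domain],

                                PAPERLESS_SECRET_KEY: { secretKeyRef: { name: "paperless", key: "secret_key" } },

                                # The A_ prefix presumably sorts this entry
                                # ahead of PAPERLESS_REDIS so the $(...)
                                # reference below resolves (Kubernetes only
                                # expands variables defined earlier).
                                A_REDIS_PASSWORD: app.redis.cfg.password,
                                PAPERLESS_REDIS: "redis://:$(A_REDIS_PASSWORD)@redis:6379",

                                PAPERLESS_DBHOST: "postgres",
                                PAPERLESS_DBNAME: app.postgres.cfg.database,
                                PAPERLESS_DBUSER: app.postgres.cfg.username,
                                PAPERLESS_DBPASS: app.postgres.cfg.password,

                                # Trust the proxy-supplied X-Forwarded-User
                                # (Django META key HTTP_X_FORWARDED_USER) as
                                # the authenticated username. This is only
                                # safe while the proxy is the sole path to
                                # port 8000 - see PAPERLESS_BIND_ADDR above.
                                PAPERLESS_ENABLE_HTTP_REMOTE_USER: "true",
                                PAPERLESS_HTTP_REMOTE_USER_HEADER_NAME: "HTTP_X_FORWARDED_USER",

                                PAPERLESS_OCR_LANGUAGE: "pol",
                                PAPERLESS_OCR_MODE: "force",
                                PAPERLESS_DATE_ORDER: "YMD",
                                PAPERLESS_EMAIL_TASK_CRON: "*/2 * * * *",
                            },

                            volumeMounts: [
                                { name: "data", mountPath: "/usr/src/paperless/data", subPath: "data" },
                                { name: "data", mountPath: "/usr/src/paperless/media", subPath: "media" },
                                { name: "data", mountPath: "/usr/src/paperless/consume", subPath: "consume" },
                            ],
                        },
                    },
                },
            },
        },
    },

    service: app.ns.Contain(kube.Service("paperless")) {
        target_pod:: app.deploy.spec.template,
    },

    ingress: app.ns.Contain(kube.SimpleIngress("paperless")) {
        hosts:: [cfg.domain],
        target_service:: app.service,
    },
}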