blumeops/argocd/manifests/paperless-ringtail/deployment.yaml

# Paperless-ngx on ringtail k3s — Nix image, multi-process.
#
# The upstream s6 image ran web + worker + scheduler + consumer (and DB
# migrations) in one container. The Nix image (containers/paperless/
# default.nix) ships the binaries but no supervisor, so we run those as
# four containers in one pod, sharing the local data/consume dirs
# (emptyDir) and the NFS media volume; redis is colocated so
# PAPERLESS_REDIS=localhost works for all. A migrate initContainer runs
# DB migrations once before the app containers start.
#
# DB points in-cluster at the ringtail blumeops-pg (was pg.ops.eblu.me on
# indri). PAPERLESS_{DATA_DIR,MEDIA_ROOT,CONSUMPTION_DIR} are set
# explicitly because the Nix package does not default to the upstream
# /usr/src/paperless paths.
apiVersion: apps/v1
kind: Deployment
metadata:
  name: paperless
  namespace: paperless
spec:
  replicas: 1
  strategy:
    type: Recreate
  selector:
    matchLabels:
      app: paperless
  template:
    metadata:
      labels:
        app: paperless
    spec:
      securityContext:
        seccompProfile:
          type: RuntimeDefault
      initContainers:
        # redis as a native sidecar (restartPolicy: Always): starts before
        # the migrate init and stays running for the app containers, so all
        # of them reach PAPERLESS_REDIS=localhost:6379.
        - name: redis
          image: docker.io/library/redis:kustomized
          restartPolicy: Always
          ports:
            - containerPort: 6379
          volumeMounts:
            - name: redis-data
              mountPath: /data
          resources:
            requests:
              memory: "32Mi"
              cpu: "10m"
            limits:
              memory: "128Mi"
        - name: migrate
          image: registry.ops.eblu.me/blumeops/paperless:kustomized
          command: ["paperless-ngx", "migrate", "--no-input"]
          env: &paperless-env
            - name: PAPERLESS_URL
              value: "https://paperless.ops.eblu.me"
            - name: PAPERLESS_REDIS
              value: "redis://localhost:6379"
            - name: PAPERLESS_DBHOST
              value: "blumeops-pg-rw.databases.svc.cluster.local"
            - name: PAPERLESS_DBPORT
              value: "5432"
            - name: PAPERLESS_DBNAME
              value: "paperless"
            - name: PAPERLESS_DBUSER
              value: "paperless"
            - name: PAPERLESS_DBPASS
              valueFrom:
                secretKeyRef:
                  name: paperless-secrets
                  key: db-password
            # Explicit port to override the k8s-injected PAPERLESS_PORT
            # (service named 'paperless' would set PAPERLESS_PORT=tcp://...)
            - name: PAPERLESS_PORT
              value: "8000"
            - name: PAPERLESS_DATA_DIR
              value: "/usr/src/paperless/data"
            - name: PAPERLESS_MEDIA_ROOT
              value: "/usr/src/paperless/media"
            - name: PAPERLESS_CONSUMPTION_DIR
              value: "/usr/src/paperless/consume"
            - name: PAPERLESS_SECRET_KEY
              valueFrom:
                secretKeyRef:
                  name: paperless-secrets
                  key: secret-key
            - name: PAPERLESS_TIME_ZONE
              value: "America/Los_Angeles"
            - name: PAPERLESS_OCR_LANGUAGE
              value: "eng"
            - name: PAPERLESS_TASK_WORKERS
              value: "1"
            - name: PAPERLESS_ADMIN_USER
              value: "eblume"
            - name: PAPERLESS_ADMIN_PASSWORD
              valueFrom:
                secretKeyRef:
                  name: paperless-secrets
                  key: admin-password
            - name: PAPERLESS_ADMIN_MAIL
              value: "blume.erich@gmail.com"
            - name: PAPERLESS_APPS
              value: "allauth.socialaccount.providers.openid_connect"
            - name: PAPERLESS_SOCIALACCOUNT_PROVIDERS
              valueFrom:
                secretKeyRef:
                  name: paperless-secrets
                  key: socialaccount-providers
            - name: PAPERLESS_SOCIALACCOUNT_ALLOW_SIGNUPS
              value: "true"
            - name: PAPERLESS_SOCIAL_AUTO_SIGNUP
              value: "true"
            - name: PAPERLESS_ACCOUNT_ALLOW_SIGNUPS
              value: "false"
            - name: PAPERLESS_REDIRECT_LOGIN_TO_SSO
              value: "false"
          volumeMounts: &paperless-mounts
            - name: data
              mountPath: /usr/src/paperless/data
            - name: media
              mountPath: /usr/src/paperless/media
            - name: consume
              mountPath: /usr/src/paperless/consume
      containers:
        - name: web
          image: registry.ops.eblu.me/blumeops/paperless:kustomized
          ports:
            - containerPort: 8000
              name: http
          env: *paperless-env
          volumeMounts: *paperless-mounts
          resources:
            requests:
              memory: "256Mi"
              cpu: "100m"
            limits:
              memory: "1Gi"
              cpu: "1000m"
          livenessProbe:
            httpGet:
              path: /
              port: 8000
            initialDelaySeconds: 60
            periodSeconds: 30
          readinessProbe:
            httpGet:
              path: /
              port: 8000
            initialDelaySeconds: 30
            periodSeconds: 10

        - name: worker
          image: registry.ops.eblu.me/blumeops/paperless:kustomized
          command: ["celery", "--app", "paperless", "worker", "--loglevel", "INFO"]
          env: *paperless-env
          volumeMounts: *paperless-mounts
          resources:
            requests:
              memory: "256Mi"
              cpu: "100m"
            limits:
              memory: "1Gi"
              cpu: "1000m"

        - name: beat
          image: registry.ops.eblu.me/blumeops/paperless:kustomized
          command: ["celery", "--app", "paperless", "beat", "--loglevel", "INFO"]
          env: *paperless-env
          volumeMounts: *paperless-mounts
          resources:
            requests:
              memory: "64Mi"
              cpu: "20m"
            limits:
              memory: "256Mi"

        - name: consumer
          image: registry.ops.eblu.me/blumeops/paperless:kustomized
          command: ["paperless-ngx", "document_consumer"]
          env: *paperless-env
          volumeMounts: *paperless-mounts
          resources:
            requests:
              memory: "128Mi"
              cpu: "50m"
            limits:
              memory: "512Mi"

      volumes:
        - name: data
          emptyDir: {}
        - name: media
          persistentVolumeClaim:
            claimName: paperless-media
        - name: consume
          emptyDir: {}
        - name: redis-data
          emptyDir:
            sizeLimit: 1Gi
Wave 1 indri→ringtail migration: paperless, teslamate, mealie (#363) Migrate paperless, teslamate, and mealie off the OOM-saturated minikube-indri node onto ringtail k3s, shedding ~1.1 GiB of resident load. Second chain in the indri-k8s decommission after immich. Containers ported to Nix (default.nix), build-verified on ringtail: - paperless → wraps nixpkgs paperless-ngx 2.20.15 (pinned unstable); runs as web/worker/beat/consumer - mealie → wraps nixpkgs mealie 3.16.0 (forward 4-minor bump, breaking-change reviewed); single gunicorn, SQLite - teslamate → from-scratch beamPackages mixRelease (not in nixpkgs); erlang_27+elixir_1_18, npm assets, ex_cldr locales pre-fetched Data: cold downtime-tolerant cutover. paperless+teslamate postgres dump/restore from quiesced source into a new ringtail blumeops-pg CNPG cluster; mealie SQLite PVC copied. Source DBs untouched until verified (rollback = repoint). Also: ringtail blumeops-pg cluster + ExternalSecrets scaffold; fixes pre-existing shower version-check drift. Runbook: docs/how-to/ringtail/migrate-wave1-ringtail.md. Deploy-from-branch + cutover happens before merge; container images rebuilt from main after merge. Reviewed-on: https://forge.eblu.me/eblume/blumeops/pulls/363 2026-06-03 10:34:00 -07:00			`# Paperless-ngx on ringtail k3s — Nix image, multi-process.`
			`#`
			`# The upstream s6 image ran web + worker + scheduler + consumer (and DB`
			`# migrations) in one container. The Nix image (containers/paperless/`
			`# default.nix) ships the binaries but no supervisor, so we run those as`
			`# four containers in one pod, sharing the local data/consume dirs`
			`# (emptyDir) and the NFS media volume; redis is colocated so`
			`# PAPERLESS_REDIS=localhost works for all. A migrate initContainer runs`
			`# DB migrations once before the app containers start.`
			`#`
			`# DB points in-cluster at the ringtail blumeops-pg (was pg.ops.eblu.me on`
			`# indri). PAPERLESS_{DATA_DIR,MEDIA_ROOT,CONSUMPTION_DIR} are set`
			`# explicitly because the Nix package does not default to the upstream`
			`# /usr/src/paperless paths.`
			`apiVersion: apps/v1`
			`kind: Deployment`
			`metadata:`
			`name: paperless`
			`namespace: paperless`
			`spec:`
			`replicas: 1`
			`strategy:`
			`type: Recreate`
			`selector:`
			`matchLabels:`
			`app: paperless`
			`template:`
			`metadata:`
			`labels:`
			`app: paperless`
			`spec:`
			`securityContext:`
			`seccompProfile:`
			`type: RuntimeDefault`
			`initContainers:`
			`# redis as a native sidecar (restartPolicy: Always): starts before`
			`# the migrate init and stays running for the app containers, so all`
			`# of them reach PAPERLESS_REDIS=localhost:6379.`
			`- name: redis`
			`image: docker.io/library/redis:kustomized`
			`restartPolicy: Always`
			`ports:`
			`- containerPort: 6379`
			`volumeMounts:`
			`- name: redis-data`
			`mountPath: /data`
			`resources:`
			`requests:`
			`memory: "32Mi"`
			`cpu: "10m"`
			`limits:`
			`memory: "128Mi"`
			`- name: migrate`
			`image: registry.ops.eblu.me/blumeops/paperless:kustomized`
			`command: ["paperless-ngx", "migrate", "--no-input"]`
			`env: &paperless-env`
			`- name: PAPERLESS_URL`
			`value: "https://paperless.ops.eblu.me"`
			`- name: PAPERLESS_REDIS`
			`value: "redis://localhost:6379"`
			`- name: PAPERLESS_DBHOST`
			`value: "blumeops-pg-rw.databases.svc.cluster.local"`
			`- name: PAPERLESS_DBPORT`
			`value: "5432"`
			`- name: PAPERLESS_DBNAME`
			`value: "paperless"`
			`- name: PAPERLESS_DBUSER`
			`value: "paperless"`
			`- name: PAPERLESS_DBPASS`
			`valueFrom:`
			`secretKeyRef:`
			`name: paperless-secrets`
			`key: db-password`
			`# Explicit port to override the k8s-injected PAPERLESS_PORT`
			`# (service named 'paperless' would set PAPERLESS_PORT=tcp://...)`
			`- name: PAPERLESS_PORT`
			`value: "8000"`
			`- name: PAPERLESS_DATA_DIR`
			`value: "/usr/src/paperless/data"`
			`- name: PAPERLESS_MEDIA_ROOT`
			`value: "/usr/src/paperless/media"`
			`- name: PAPERLESS_CONSUMPTION_DIR`
			`value: "/usr/src/paperless/consume"`
			`- name: PAPERLESS_SECRET_KEY`
			`valueFrom:`
			`secretKeyRef:`
			`name: paperless-secrets`
			`key: secret-key`
			`- name: PAPERLESS_TIME_ZONE`
			`value: "America/Los_Angeles"`
			`- name: PAPERLESS_OCR_LANGUAGE`
			`value: "eng"`
			`- name: PAPERLESS_TASK_WORKERS`
			`value: "1"`
			`- name: PAPERLESS_ADMIN_USER`
			`value: "eblume"`
			`- name: PAPERLESS_ADMIN_PASSWORD`
			`valueFrom:`
			`secretKeyRef:`
			`name: paperless-secrets`
			`key: admin-password`
			`- name: PAPERLESS_ADMIN_MAIL`
			`value: "blume.erich@gmail.com"`
			`- name: PAPERLESS_APPS`
			`value: "allauth.socialaccount.providers.openid_connect"`
			`- name: PAPERLESS_SOCIALACCOUNT_PROVIDERS`
			`valueFrom:`
			`secretKeyRef:`
			`name: paperless-secrets`
			`key: socialaccount-providers`
			`- name: PAPERLESS_SOCIALACCOUNT_ALLOW_SIGNUPS`
			`value: "true"`
			`- name: PAPERLESS_SOCIAL_AUTO_SIGNUP`
			`value: "true"`
			`- name: PAPERLESS_ACCOUNT_ALLOW_SIGNUPS`
			`value: "false"`
			`- name: PAPERLESS_REDIRECT_LOGIN_TO_SSO`
			`value: "false"`
			`volumeMounts: &paperless-mounts`
			`- name: data`
			`mountPath: /usr/src/paperless/data`
			`- name: media`
			`mountPath: /usr/src/paperless/media`
			`- name: consume`
			`mountPath: /usr/src/paperless/consume`
			`containers:`
			`- name: web`
			`image: registry.ops.eblu.me/blumeops/paperless:kustomized`
			`ports:`
			`- containerPort: 8000`
			`name: http`
			`env: *paperless-env`
			`volumeMounts: *paperless-mounts`
			`resources:`
			`requests:`
			`memory: "256Mi"`
			`cpu: "100m"`
			`limits:`
			`memory: "1Gi"`
			`cpu: "1000m"`
			`livenessProbe:`
			`httpGet:`
			`path: /`
			`port: 8000`
			`initialDelaySeconds: 60`
			`periodSeconds: 30`
			`readinessProbe:`
			`httpGet:`
			`path: /`
			`port: 8000`
			`initialDelaySeconds: 30`
			`periodSeconds: 10`

			`- name: worker`
			`image: registry.ops.eblu.me/blumeops/paperless:kustomized`
			`command: ["celery", "--app", "paperless", "worker", "--loglevel", "INFO"]`
			`env: *paperless-env`
			`volumeMounts: *paperless-mounts`
			`resources:`
			`requests:`
			`memory: "256Mi"`
			`cpu: "100m"`
			`limits:`
			`memory: "1Gi"`
			`cpu: "1000m"`

			`- name: beat`
			`image: registry.ops.eblu.me/blumeops/paperless:kustomized`
			`command: ["celery", "--app", "paperless", "beat", "--loglevel", "INFO"]`
			`env: *paperless-env`
			`volumeMounts: *paperless-mounts`
			`resources:`
			`requests:`
			`memory: "64Mi"`
			`cpu: "20m"`
			`limits:`
			`memory: "256Mi"`

			`- name: consumer`
			`image: registry.ops.eblu.me/blumeops/paperless:kustomized`
			`command: ["paperless-ngx", "document_consumer"]`
			`env: *paperless-env`
			`volumeMounts: *paperless-mounts`
			`resources:`
			`requests:`
			`memory: "128Mi"`
			`cpu: "50m"`
			`limits:`
			`memory: "512Mi"`

			`volumes:`
			`- name: data`
			`emptyDir: {}`
			`- name: media`
			`persistentVolumeClaim:`
			`claimName: paperless-media`
			`- name: consume`
			`emptyDir: {}`
			`- name: redis-data`
			`emptyDir:`
			`sizeLimit: 1Gi`