Deploy Paperless-ngx document management (#328)

## Summary

- Add paperless-ngx (v2.20.13) as a new ArgoCD-managed service on indri
- Dockerfile built from forge mirror (`mirrors/paperless-ngx`), multi-stage with s6-overlay
- PostgreSQL database via `blumeops-pg` CNPG cluster, Redis sidecar for Celery
- NFS document storage on sifaka (`/volume1/paperless`)
- Authentik OIDC SSO via baked JSON blob from 1Password
- Caddy route at `paperless.ops.eblu.me`
- 1Password item "Paperless (blumeops)" created with all secrets

## Files

- `containers/paperless/Dockerfile` — multi-stage build
- `argocd/manifests/paperless/` — full k8s manifest set
- `argocd/apps/paperless.yaml` — ArgoCD application
- `argocd/manifests/databases/` — CNPG role + ExternalSecret
- `ansible/roles/caddy/defaults/main.yml` — Caddy route
- `service-versions.yaml` — version tracking entry
- `docs/reference/services/paperless.md` — reference card

## Remaining deploy steps

1. Build container: `mise run container-build-and-release paperless`
2. Update kustomization.yaml `newTag` with actual image tag
3. Create Authentik application/provider for paperless
4. Create `paperless` database on blumeops-pg
5. Sync ArgoCD apps, then sync paperless from branch
6. Provision Caddy: `mise run provision-indri -- --tags caddy`
7. Verify at https://paperless.ops.eblu.me

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Reviewed-on: #328

docs/reference/infrastructure/routing.md

@@ -41,6 +41,7 @@ DNS points to [[indri]]'s Tailscale IP. TLS via Let's Encrypt (ACME DNS-01 with
 | [[jellyfin]] | https://jellyfin.ops.eblu.me | Media server |
 | [[postgresql]] | pg.ops.eblu.me:5432 | Database |
 | [[mealie]] | https://meals.ops.eblu.me | Recipe manager |
+| [[paperless]] | https://paperless.ops.eblu.me | Document management |
 | [[sifaka|Sifaka]] | https://nas.ops.eblu.me | NAS dashboard |
 
 ## Public Services (`*.eblu.me`)

docs/reference/kubernetes/apps.md

@@ -40,6 +40,7 @@ Registry of all applications deployed via [[argocd]].
 | `forgejo-runner` | forgejo-runner | `argocd/manifests/forgejo-runner/` | [[forgejo]] CI |
 | `ollama` | ollama | `argocd/manifests/ollama/` | [[ollama]] |
 | `mealie` | mealie | `argocd/manifests/mealie/` | [[mealie]] |
+| `paperless` | paperless | `argocd/manifests/paperless/` | [[paperless]] |
 | `prowler` | prowler | `argocd/manifests/prowler/` | [[prowler]] |
 
 ## Sync Policies

docs/reference/services/paperless.md

@@ -0,0 +1,45 @@
+---
+title: Paperless-ngx
+modified: 2026-04-08
+tags:
+  - service
+---
+
+# Paperless-ngx
+
+Self-hosted document management system with OCR, tagging, and full-text search.
+
+## Quick Reference
+
+| Property | Value |
+|----------|-------|
+| **URL** | https://paperless.ops.eblu.me |
+| **Tailscale URL** | https://paperless.tail8d86e.ts.net |
+| **Namespace** | `paperless` |
+| **Image** | `registry.ops.eblu.me/blumeops/paperless` |
+| **Manifests** | `argocd/manifests/paperless/` |
+| **Container source** | `containers/paperless/Dockerfile` |
+| **Upstream** | [paperless-ngx/paperless-ngx](https://github.com/paperless-ngx/paperless-ngx) |
+| **Database** | `paperless` on [[postgresql|blumeops-pg]] |
+| **Storage** | NFS on [[sifaka]] at `/volume1/paperless` |
+| **Auth** | [[authentik]] OIDC + local admin |
+
+## Architecture
+
+- **Web server**: Granian (ASGI), port 8000
+- **Task queue**: Celery worker + beat (Redis sidecar)
+- **OCR**: Tesseract (English)
+- **Process supervisor**: s6-overlay
+
+## Secrets
+
+1Password item "Paperless (blumeops)" in vault `blumeops`:
+- `secret-key`: Django SECRET_KEY
+- `postgresql-password`: database credential
+- `admin-password`: initial admin account password
+- `socialaccount-providers`: OIDC provider JSON (includes Authentik client secret)
+
+## Related
+
+- [[adding-a-service]] — Deployment tutorial
+- [[authentik]] — SSO provider