paperless: port container from Dockerfile to Nix (default.nix)

Wrap nixpkgs paperless-ngx in dockerTools.buildLayeredImage, replacing the s6-overlay Dockerfile build. The package bundles the full OCR/imaging closure (tesseract, qpdf, jbig2enc, unpaper, pngquant, ocrmypdf, pikepdf) and nltk data, so the image stays lean. Unlike the s6 image, this runs as four containers on ringtail sharing one image (web/worker/beat/consumer); the web wrapper mirrors the NixOS module's granian + PYTHONPATH invocation. Self-pins nixos-unstable (stable lags at 2.19.6) for paperless-ngx 2.20.15 -- a same-minor forward patch bump from the v2.20.13 Dockerfile build. Build verified on ringtail (nix-build, exit 0, version assert passes). Also fixes pre-existing shower version drift (service-versions 1.1.2 -> 1.1.3 to match its default.nix) so container-version-check passes; the paperless service-versions edit widens that check to all containers. Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
2026-06-03 08:39:07 -07:00 · 2026-06-03 08:39:07 -07:00 · 43047423c4
commit 43047423c4
parent 944a1570cf
3 changed files with 86 additions and 160 deletions
--- a/containers/paperless/Dockerfile
+++ b/containers/paperless/Dockerfile
@ -1,156 +0,0 @@
 # syntax=docker/dockerfile:1
 # Paperless-ngx — self-hosted document management
 # Built from source via forge mirror of paperless-ngx/paperless-ngx
 # Closely follows upstream Dockerfile structure with git clone instead of COPY
 ARG CONTAINER_APP_VERSION=v2.20.13
 ###############################################
 # Stage 1: Clone source (reused by later stages)
 ###############################################
 FROM docker.io/library/alpine:3.22 AS source
 ARG CONTAINER_APP_VERSION
 RUN apk add --no-cache git
 RUN git clone --depth 1 --branch ${CONTAINER_APP_VERSION} \
    https://forge.ops.eblu.me/mirrors/paperless-ngx.git /src
 ###############################################
 # Stage 2: Compile frontend
 ###############################################
 FROM --platform=$BUILDPLATFORM docker.io/node:20-trixie-slim AS compile-frontend
 COPY --from=source /src/src-ui /src/src-ui
 WORKDIR /src/src-ui
 RUN set -eux \
    && npm update -g pnpm \
    && npm install -g corepack@latest \
    && corepack enable \
    && pnpm install
 RUN set -eux \
    && ./node_modules/.bin/ng build --configuration production
 ###############################################
 # Stage 3: s6-overlay base
 ###############################################
 FROM ghcr.io/astral-sh/uv:0.9.15-python3.12-trixie-slim AS s6-overlay-base
 WORKDIR /usr/src/s6
 ENV S6_BEHAVIOUR_IF_STAGE2_FAILS=2 \
    S6_CMD_WAIT_FOR_SERVICES_MAXTIME=0 \
    S6_VERBOSITY=1 \
    PATH=/command:$PATH
 ARG TARGETARCH
 ARG TARGETVARIANT
 ARG S6_OVERLAY_VERSION=3.2.1.0
 RUN set -eux \
    && apt-get update \
    && apt-get install --yes --quiet --no-install-recommends curl xz-utils \
    && S6_ARCH="" \
    && if [ "${TARGETARCH}${TARGETVARIANT}" = "amd64" ]; then S6_ARCH="x86_64"; \
    elif [ "${TARGETARCH}${TARGETVARIANT}" = "arm64" ]; then S6_ARCH="aarch64"; fi \
    && if [ -z "${S6_ARCH}" ]; then echo "Error: Cannot determine arch"; exit 1; fi \
    && curl --fail --silent --show-error --location --remote-name-all --parallel \
        "https://github.com/just-containers/s6-overlay/releases/download/v${S6_OVERLAY_VERSION}/s6-overlay-noarch.tar.xz" \
        "https://github.com/just-containers/s6-overlay/releases/download/v${S6_OVERLAY_VERSION}/s6-overlay-noarch.tar.xz.sha256" \
        "https://github.com/just-containers/s6-overlay/releases/download/v${S6_OVERLAY_VERSION}/s6-overlay-${S6_ARCH}.tar.xz" \
        "https://github.com/just-containers/s6-overlay/releases/download/v${S6_OVERLAY_VERSION}/s6-overlay-${S6_ARCH}.tar.xz.sha256" \
    && sha256sum --check ./*.sha256 \
    && tar --directory / -Jxpf s6-overlay-noarch.tar.xz \
    && tar --directory / -Jxpf s6-overlay-${S6_ARCH}.tar.xz \
    && rm ./*.tar.xz ./*.sha256 \
    && apt-get --yes purge curl xz-utils \
    && apt-get --yes autoremove --purge \
    && rm -rf /var/lib/apt/lists/*
 # Copy rootfs (s6 service definitions, init scripts)
 COPY --from=source /src/docker/rootfs /
 ###############################################
 # Stage 4: Main application
 ###############################################
 FROM s6-overlay-base AS main-app
 ARG CONTAINER_APP_VERSION
 ARG DEBIAN_FRONTEND=noninteractive
 ARG TARGETARCH
 ARG JBIG2ENC_VERSION=0.30
 ENV PYTHONDONTWRITEBYTECODE=1 \
    PYTHONUNBUFFERED=1 \
    PYTHONWARNINGS="ignore:::django.http.response:517" \
    PNGX_CONTAINERIZED=1 \
    UV_LINK_MODE=copy \
    UV_CACHE_DIR=/cache/uv/
 # Runtime packages
 RUN set -eux \
    && apt-get update \
    && apt-get install --yes --quiet --no-install-recommends \
        curl gosu tzdata fonts-liberation gettext ghostscript gnupg \
        icc-profiles-free imagemagick postgresql-client \
        tesseract-ocr tesseract-ocr-eng tesseract-ocr-deu tesseract-ocr-fra \
        tesseract-ocr-ita tesseract-ocr-spa unpaper pngquant jbig2dec \
        libxml2 libxslt1.1 qpdf file libmagic1 media-types zlib1g \
        libzbar0 poppler-utils \
    && curl --fail --silent --show-error --location --remote-name-all \
        "https://github.com/paperless-ngx/builder/releases/download/jbig2enc-trixie-v${JBIG2ENC_VERSION}/jbig2enc_${JBIG2ENC_VERSION}-1_${TARGETARCH}.deb" \
    && dpkg --install ./jbig2enc_${JBIG2ENC_VERSION}-1_${TARGETARCH}.deb \
    && cp /etc/ImageMagick-6/paperless-policy.xml /etc/ImageMagick-6/policy.xml \
    && rm --force *.deb \
    && rm -rf /var/lib/apt/lists/*
 WORKDIR /usr/src/paperless/src/
 # Python dependencies
 COPY --from=source /src/pyproject.toml /src/uv.lock /usr/src/paperless/src/
 RUN --mount=type=cache,target=${UV_CACHE_DIR},id=python-cache \
    set -eux \
    && apt-get update \
    && apt-get install --yes --quiet --no-install-recommends \
        build-essential default-libmysqlclient-dev pkg-config \
    && uv export --quiet --no-dev --all-extras --format requirements-txt --output-file requirements.txt \
    && uv pip install --system --no-python-downloads --python-preference system --requirements requirements.txt \
    && python3 -W ignore::RuntimeWarning -m nltk.downloader -d "/usr/share/nltk_data" snowball_data \
    && python3 -W ignore::RuntimeWarning -m nltk.downloader -d "/usr/share/nltk_data" stopwords \
    && python3 -W ignore::RuntimeWarning -m nltk.downloader -d "/usr/share/nltk_data" punkt_tab \
    && apt-get --yes purge build-essential default-libmysqlclient-dev pkg-config \
    && apt-get --yes autoremove --purge \
    && rm -rf /var/lib/apt/lists/* /tmp/* /var/tmp/*
 # Copy backend source
 COPY --from=source /src/src ./
 # Copy compiled frontend
 COPY --from=compile-frontend /src/src/documents/static/frontend/ ./documents/static/frontend/
 # Create user and finalize
 RUN set -eux \
    && addgroup --gid 1000 paperless \
    && useradd --uid 1000 --gid paperless --home-dir /usr/src/paperless paperless \
    && mkdir -p /usr/src/paperless/data /usr/src/paperless/media \
                /usr/src/paperless/consume /usr/src/paperless/export \
    && chown -R paperless:paperless /usr/src/paperless \
    && s6-setuidgid paperless python3 manage.py collectstatic --clear --no-input --link \
    && s6-setuidgid paperless python3 manage.py compilemessages
 VOLUME ["/usr/src/paperless/data", "/usr/src/paperless/media", \
        "/usr/src/paperless/consume", "/usr/src/paperless/export"]
 ENTRYPOINT ["/init"]
 EXPOSE 8000
 HEALTHCHECK --interval=30s --timeout=10s --retries=5 \
    CMD [ "curl", "-fs", "-S", "-L", "--max-time", "2", "http://localhost:8000" ]
 LABEL org.opencontainers.image.title="Paperless-ngx"
 LABEL org.opencontainers.image.description="Self-hosted document management system"
 LABEL org.opencontainers.image.version="${CONTAINER_APP_VERSION}"
 LABEL org.opencontainers.image.source="https://forge.eblu.me/eblume/blumeops"
 LABEL org.opencontainers.image.vendor="blumeops"
--- a/containers/paperless/default.nix
+++ b/containers/paperless/default.nix
@ -0,0 +1,77 @@
 # Nix-built Paperless-ngx for ringtail (amd64).
 #
 # Replaces the from-source Dockerfile build (s6-overlay) with nixpkgs'
 # paperless-ngx, which already bundles the full OCR/imaging closure
 # (tesseract, ghostscript, imagemagick, qpdf, poppler, jbig2enc) and the
 # NLTK data via wrappers — so the image stays lean.
 #
 # Unlike the upstream s6 image, this image does NOT run all processes
 # itself. Paperless is multi-process; on ringtail it runs as four
 # containers sharing this one image, each with a different command:
 #   web      -> paperless-web        (granian, the wrapper below)
 #   worker   -> celery --app paperless worker
 #   beat     -> celery --app paperless beat
 #   consumer -> paperless-ngx document_consumer
 # plus a redis/valkey sidecar. The PYTHONPATH/granian invocation mirrors
 # the nixpkgs paperless NixOS module's paperless-web service exactly.
 #
 # Self-pins nixos-unstable: stable nixpkgs lags at 2.19.6, while unstable
 # carries 2.20.15 — a same-minor forward patch bump from the previous
 # Dockerfile build (v2.20.13). The version assertion makes nix-build fail
 # if a pin bump changes the version, forcing an explicit acknowledgment
 # here and in service-versions.yaml (enforced by container-version-check).
 let
  nixpkgs = fetchTarball {
    url = "https://github.com/NixOS/nixpkgs/archive/331800de5053fcebacf6813adb5db9c9dca22a0c.tar.gz";
    sha256 = "1p54fm6dkbq62kpi55cr4wyx7b1nsajpsnjgs64cmp073fwi15f7";
  };
  pkgs = import nixpkgs { system = "x86_64-linux"; };
  version = "2.20.15";
  app = pkgs.paperless-ngx;
  # Mirror the NixOS module's paperless-web service: granian serving the
  # ASGI app with the package's propagated deps + src on PYTHONPATH.
  pythonPath =
    "${app.python.pkgs.makePythonPath app.propagatedBuildInputs}:${app}/lib/paperless-ngx/src";
  paperless-web = pkgs.writeShellScriptBin "paperless-web" ''
    export PYTHONPATH="${pythonPath}"
    export PAPERLESS_NLTK_DIR="${app.nltkDataDir}"
    exec ${app.python.pkgs.granian}/bin/granian \
      --interface asginl --ws \
      --host 0.0.0.0 --port 8000 \
      "paperless.asgi:application"
  '';
 in
 assert app.version == version;
 pkgs.dockerTools.buildLayeredImage {
  name = "blumeops/paperless";
  contents = [
    app
    paperless-web
    pkgs.bashInteractive
    pkgs.coreutils
    pkgs.cacert
    pkgs.tzdata
  ];
  config = {
    # Default command is the web server; worker/beat/consumer containers
    # override `command` in their k8s manifests.
    Cmd = [ "${paperless-web}/bin/paperless-web" ];
    Env = [
      "PAPERLESS_NLTK_DIR=${app.nltkDataDir}"
      "SSL_CERT_FILE=${pkgs.cacert}/etc/ssl/certs/ca-bundle.crt"
      "PYTHONUNBUFFERED=1"
      "PNGX_CONTAINERIZED=1"
    ];
    ExposedPorts = {
      "8000/tcp" = { };
    };
  };
 }
--- a/service-versions.yaml
+++ b/service-versions.yaml
@ -47,7 +47,7 @@ services:
  - name: shower
    type: argocd
    last-reviewed: 2026-05-15
-    current-version: "1.1.2"
+    current-version: "1.1.3"
    upstream-source: https://forge.eblu.me/eblume/adelaide-baby-shower-app
    notes: |
      Django app for Adelaide / Heidi / Addie's baby shower. Wheel
@ -339,10 +339,15 @@ services:
  - name: paperless
    type: argocd
-    last-reviewed: "2026-04-08"
+    last-reviewed: "2026-06-03"
-    current-version: "v2.20.13"
+    current-version: "v2.20.15"
    upstream-source: https://github.com/paperless-ngx/paperless-ngx/releases
-    notes: Document management; built from source via forge mirror
+    notes: >-
      Document management. Container ported from Dockerfile to Nix
      (containers/paperless/default.nix wraps nixpkgs paperless-ngx from a
      pinned nixos-unstable). Runs as web/worker/beat/consumer containers on
      ringtail (multi-process; no s6). Bumped v2.20.13 -> v2.20.15 (the
      unstable package version, same-minor patch) as part of the port.
  - name: unpoller
    type: argocd