Add Authentik OIDC provider and application for Paperless

Blueprint with confidential client, ExternalSecret for client secret, and worker env var injection — follows existing service pattern. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
2026-04-08 17:49:24 -07:00 · 2026-04-08 17:49:24 -07:00 · ba5c3a6bae
commit ba5c3a6bae
parent 0bde34d6e1
3 changed files with 53 additions and 0 deletions
--- a/argocd/manifests/authentik/configmap-blueprint.yaml
+++ b/argocd/manifests/authentik/configmap-blueprint.yaml
@ -346,6 +346,50 @@ data:
          meta_launch_url: https://jellyfin.ops.eblu.me
          policy_engine_mode: all

+  paperless.yaml: |
+    version: 1
+    metadata:
+      name: BlumeOps Paperless SSO
+      labels:
+        blueprints.goauthentik.io/description: "Paperless-ngx OIDC provider and application"
+    entries:
+      # OAuth2 provider for Paperless-ngx (confidential client)
+      - model: authentik_providers_oauth2.oauth2provider
+        id: paperless-provider
+        identifiers:
+          name: Paperless
+        attrs:
+          name: Paperless
+          authorization_flow: !Find [authentik_flows.flow, [slug, default-provider-authorization-implicit-consent]]
+          invalidation_flow: !Find [authentik_flows.flow, [slug, default-provider-invalidation-flow]]
+          client_type: confidential
+          client_id: paperless
+          client_secret: !Env AUTHENTIK_PAPERLESS_CLIENT_SECRET
+          redirect_uris:
+            - matching_mode: strict
+              url: https://paperless.ops.eblu.me/accounts/oidc/authentik/login/callback/
+            - matching_mode: strict
+              url: https://paperless.tail8d86e.ts.net/accounts/oidc/authentik/login/callback/
+          signing_key: !Find [authentik_crypto.certificatekeypair, [name, authentik Self-signed Certificate]]
+          property_mappings:
+            - !Find [authentik_providers_oauth2.scopemapping, [scope_name, openid]]
+            - !Find [authentik_providers_oauth2.scopemapping, [scope_name, email]]
+            - !Find [authentik_providers_oauth2.scopemapping, [scope_name, profile]]
+          sub_mode: hashed_user_id
+          include_claims_in_id_token: true
+
+      # Paperless application — all authenticated users allowed
+      - model: authentik_core.application
+        id: paperless-app
+        identifiers:
+          slug: paperless
+        attrs:
+          name: Paperless
+          slug: paperless
+          provider: !KeyOf paperless-provider
+          meta_launch_url: https://paperless.ops.eblu.me
+          policy_engine_mode: all
+
  mealie.yaml: |
    version: 1
    metadata:
--- a/argocd/manifests/authentik/deployment-worker.yaml
+++ b/argocd/manifests/authentik/deployment-worker.yaml
@ -85,6 +85,11 @@ spec:
                secretKeyRef:
                  name: authentik-config
                  key: mealie-client-secret
+            - name: AUTHENTIK_PAPERLESS_CLIENT_SECRET
+              valueFrom:
+                secretKeyRef:
+                  name: authentik-config
+                  key: paperless-client-secret
          volumeMounts:
            - name: blueprints
              mountPath: /blueprints/custom
--- a/argocd/manifests/authentik/external-secret.yaml
+++ b/argocd/manifests/authentik/external-secret.yaml
@ -61,3 +61,7 @@ spec:
      remoteRef:
        key: "Authentik (blumeops)"
        property: mealie-client-secret
+    - secretKey: paperless-client-secret
+      remoteRef:
+        key: "Authentik (blumeops)"
+        property: paperless-client-secret