Deploy Paperless-ngx document management #328

Merged
eblume merged 8 commits from deploy-paperless into main 2026-04-08 17:54:13 -07:00
Owner

Summary

  • Add paperless-ngx (v2.20.13) as a new ArgoCD-managed service on indri
  • Dockerfile built from forge mirror (mirrors/paperless-ngx), multi-stage with s6-overlay
  • PostgreSQL database via blumeops-pg CNPG cluster, Redis sidecar for Celery
  • NFS document storage on sifaka (/volume1/paperless)
  • Authentik OIDC SSO via baked JSON blob from 1Password
  • Caddy route at paperless.ops.eblu.me
  • 1Password item "Paperless (blumeops)" created with all secrets

Files

  • containers/paperless/Dockerfile — multi-stage build
  • argocd/manifests/paperless/ — full k8s manifest set
  • argocd/apps/paperless.yaml — ArgoCD application
  • argocd/manifests/databases/ — CNPG role + ExternalSecret
  • ansible/roles/caddy/defaults/main.yml — Caddy route
  • service-versions.yaml — version tracking entry
  • docs/reference/services/paperless.md — reference card

Remaining deploy steps

  1. Build container: mise run container-build-and-release paperless
  2. Update kustomization.yaml newTag with actual image tag
  3. Create Authentik application/provider for paperless
  4. Create paperless database on blumeops-pg
  5. Sync ArgoCD apps, then sync paperless from branch
  6. Provision Caddy: mise run provision-indri -- --tags caddy
  7. Verify at https://paperless.ops.eblu.me

🤖 Generated with Claude Code

Add paperless-ngx (v2.20.13) as a new ArgoCD-managed service on indri
with Authentik OIDC SSO, PostgreSQL on blumeops-pg, Redis sidecar, and
NFS document storage on sifaka. Includes Dockerfile built from forge
mirror, full k8s manifests, Caddy route, 1Password secrets, and
reference documentation.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Use curl in a RUN instead of ADD so $(dpkg --print-architecture)
is evaluated by the shell.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Add syntax directive for BuildKit, use COPY --from=source instead of
inline git clone, fix s6-overlay arch mapping, use upstream jbig2enc
v0.30 trixie build, and enable RUN --mount=type=cache for Python deps.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Kubernetes auto-injects PAPERLESS_PORT=tcp://... for a service named
'paperless', which conflicts with Granian's --port flag. Explicitly
set PAPERLESS_PORT=8000 to take precedence.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Blueprint with confidential client, ExternalSecret for client secret,
and worker env var injection — follows existing service pattern.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Users must be added via Authentik OIDC; eblume is the only local account.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
eblume merged commit 07f52e9488 into main 2026-04-08 17:54:13 -07:00
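
The `PAPERLESS_PORT` collision described in the commit message above can be caught before deploy. The following is an added example, not code from this repository: it reproduces the Docker-links-style variables Kubernetes injects for a Service and flags any that land on a name the application reads as configuration. The cluster IP and the list of application settings are constructed sample values.

```python
"""Added example: predict Kubernetes service-link env vars and flag collisions."""


def service_link_env(name, cluster_ip, ports):
    """Return the variables injected into pods for one Service.

    ports: list of (port_number, protocol) tuples; the first entry feeds the
    un-suffixed <NAME>_PORT and <NAME>_SERVICE_PORT variables.
    """
    prefix = name.upper().replace("-", "_")
    first_port, first_proto = ports[0]
    env = {
        f"{prefix}_SERVICE_HOST": cluster_ip,
        f"{prefix}_SERVICE_PORT": str(first_port),
        f"{prefix}_PORT": f"{first_proto.lower()}://{cluster_ip}:{first_port}",
    }
    for port, proto in ports:
        base = f"{prefix}_PORT_{port}_{proto.upper()}"
        env[base] = f"{proto.lower()}://{cluster_ip}:{port}"
        env[f"{base}_PROTO"] = proto.lower()
        env[f"{base}_PORT"] = str(port)
        env[f"{base}_ADDR"] = cluster_ip
    return env


def find_collisions(services, app_settings, explicit_env):
    """Report app settings that a service link would silently populate.

    app_settings: variable names the application reads as configuration.
    explicit_env: variables set in the container spec, which take precedence.
    """
    hits = []
    for svc in services:
        injected = service_link_env(svc["name"], svc["cluster_ip"], svc["ports"])
        for var, value in injected.items():
            if var in app_settings and var not in explicit_env:
                hits.append((svc["name"], var, value))
    return hits


# Constructed sample data: the cluster IP and settings list are illustrative.
SERVICES = [{"name": "paperless", "cluster_ip": "10.43.0.50", "ports": [(8000, "TCP")]}]
APP_SETTINGS = {"PAPERLESS_PORT", "PAPERLESS_URL", "PAPERLESS_REDIS"}

if __name__ == "__main__":
    # Without an explicit value, the app would read tcp://... as its port.
    print(find_collisions(SERVICES, APP_SETTINGS, explicit_env={}))
    # With PAPERLESS_PORT set in the container spec, nothing is flagged.
    print(find_collisions(SERVICES, APP_SETTINGS, explicit_env={"PAPERLESS_PORT": "8000"}))
```

Setting `enableServiceLinks: false` in the pod spec is another way to stop these variables from being injected.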
Reference
eblume/blumeops!328