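---
# Deployment of the original paperless instance (paperless web app plus a
# redis sidecar in the same pod). Kept at zero replicas for rollback only.
#
# NOTE(review): the credentials in the paperless-secrets Secret referenced
# below stay valid for as long as this manifest is retained; include their
# removal or rotation in the decommission PR.
apiVersion: apps/v1
kind: Deployment
metadata:
  name: paperless
  namespace: paperless
spec:
  # Migrated to ringtail (paperless-ringtail). Scaled to 0 to prevent
  # double-writing the now-ringtail-owned database; manifest retained for
  # rollback until the decommission PR. See [[migrate-wave1-ringtail]].
  replicas: 0
  selector:
    matchLabels:
      app: paperless
  template:
    metadata:
      labels:
        app: paperless
    spec:
      # Nothing in this manifest talks to the Kubernetes API, so the
      # service-account token is not mounted into the pod (least privilege).
      automountServiceAccountToken: false
      securityContext:
        seccompProfile:
          type: RuntimeDefault
      # NOTE(review): only the pod-level seccomp profile is set; neither
      # container declares its own securityContext (allowPrivilegeEscalation,
      # capabilities, runAsNonRoot, readOnlyRootFilesystem). How far these can
      # be tightened depends on how the images start up; verify before adding.
      containers:
        - name: paperless
          # NOTE(review): ":kustomized" looks like a placeholder tag rewritten
          # by kustomize at build time; confirm the overlay pins a fixed
          # version or digest rather than a mutable tag.
          image: registry.ops.eblu.me/blumeops/paperless:kustomized
          ports:
            - containerPort: 8000
              name: http
          env:
            - name: PAPERLESS_URL
              value: "https://paperless.ops.eblu.me"
            # Redis runs as a sidecar in this pod and is reached over loopback.
            - name: PAPERLESS_REDIS
              value: "redis://localhost:6379"
            - name: PAPERLESS_DBHOST
              value: "pg.ops.eblu.me"
            - name: PAPERLESS_DBPORT
              value: "5432"
            - name: PAPERLESS_DBNAME
              value: "paperless"
            # Explicit port to override k8s-injected PAPERLESS_PORT env var
            # (k8s sets PAPERLESS_PORT=tcp://... for a service named 'paperless')
            - name: PAPERLESS_PORT
              value: "8000"
            - name: PAPERLESS_DBUSER
              value: "paperless"
            # Secrets are referenced by key, never inlined in this manifest.
            - name: PAPERLESS_DBPASS
              valueFrom:
                secretKeyRef:
                  name: paperless-secrets
                  key: db-password
            - name: PAPERLESS_SECRET_KEY
              valueFrom:
                secretKeyRef:
                  name: paperless-secrets
                  key: secret-key
            - name: PAPERLESS_TIME_ZONE
              value: "America/Los_Angeles"
            - name: PAPERLESS_OCR_LANGUAGE
              value: "eng"
            - name: PAPERLESS_TASK_WORKERS
              value: "1"
            # Admin account (created on first startup)
            - name: PAPERLESS_ADMIN_USER
              value: "eblume"
            - name: PAPERLESS_ADMIN_PASSWORD
              valueFrom:
                secretKeyRef:
                  name: paperless-secrets
                  key: admin-password
            - name: PAPERLESS_ADMIN_MAIL
              value: "blume.erich@gmail.com"
            # OIDC via Authentik
            # Full JSON blob pulled from 1Password (includes client secret)
            - name: PAPERLESS_APPS
              value: "allauth.socialaccount.providers.openid_connect"
            - name: PAPERLESS_SOCIALACCOUNT_PROVIDERS
              valueFrom:
                secretKeyRef:
                  name: paperless-secrets
                  key: socialaccount-providers
            # With both social-signup switches on, an account is created
            # automatically for any identity the OIDC provider authenticates.
            # Who may reach paperless is therefore decided on the Authentik
            # side; verify that the application there is bound to the
            # intended users or groups.
            - name: PAPERLESS_SOCIALACCOUNT_ALLOW_SIGNUPS
              value: "true"
            - name: PAPERLESS_SOCIAL_AUTO_SIGNUP
              value: "true"
            # Local self-registration stays off.
            - name: PAPERLESS_ACCOUNT_ALLOW_SIGNUPS
              value: "false"
            # The login page is not redirected to SSO, and
            # PAPERLESS_DISABLE_REGULAR_LOGIN is not set here, so the local
            # username/password form stays reachable and the admin password
            # above remains a live credential.
            - name: PAPERLESS_REDIRECT_LOGIN_TO_SSO
              value: "false"
          volumeMounts:
            - name: data
              mountPath: /usr/src/paperless/data
            - name: media
              mountPath: /usr/src/paperless/media
            - name: consume
              mountPath: /usr/src/paperless/consume
          resources:
            requests:
              memory: "256Mi"
              cpu: "100m"
            limits:
              memory: "2Gi"
              cpu: "1000m"
          livenessProbe:
            httpGet:
              path: /
              port: 8000
            initialDelaySeconds: 60
            periodSeconds: 30
          readinessProbe:
            httpGet:
              path: /
              port: 8000
            initialDelaySeconds: 30
            periodSeconds: 10
        - name: redis
          # NOTE(review): no redis password or config is set in this manifest,
          # and only the paperless container needs port 6379 (over
          # localhost). Confirm that a NetworkPolicy (not visible here) keeps
          # other pods from reaching this port on the pod IP.
          image: docker.io/library/redis:kustomized
          ports:
            - containerPort: 6379
          resources:
            requests:
              memory: "32Mi"
              cpu: "10m"
            limits:
              memory: "128Mi"
      volumes:
        # data and consume are emptyDir volumes: their contents do not
        # survive the pod being deleted. Only media is backed by a PVC.
        - name: data
          emptyDir: {}
        - name: media
          persistentVolumeClaim:
            claimName: paperless-media
        - name: consume
          emptyDir: {}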