eblume/blumeops
1
1
Fork 0
Code Issues Pull requests Projects Releases 83 Packages Wiki Activity Actions
blumeops/argocd/manifests/authentik/external-secret.yaml
Erich Blume 07f52e9488
All checks were successful
Build Container / detect (push) Successful in 2s
Details
Build Container / build-dockerfile (paperless) (push) Successful in 9s
Details
Deploy Paperless-ngx document management (#328) 
## Summary

- Add paperless-ngx (v2.20.13) as a new ArgoCD-managed service on indri
- Dockerfile built from forge mirror (`mirrors/paperless-ngx`), multi-stage with s6-overlay
- PostgreSQL database via `blumeops-pg` CNPG cluster, Redis sidecar for Celery
- NFS document storage on sifaka (`/volume1/paperless`)
- Authentik OIDC SSO via baked JSON blob from 1Password
- Caddy route at `paperless.ops.eblu.me`
- 1Password item "Paperless (blumeops)" created with all secrets

## Files

- `containers/paperless/Dockerfile` — multi-stage build
- `argocd/manifests/paperless/` — full k8s manifest set
- `argocd/apps/paperless.yaml` — ArgoCD application
- `argocd/manifests/databases/` — CNPG role + ExternalSecret
- `ansible/roles/caddy/defaults/main.yml` — Caddy route
- `service-versions.yaml` — version tracking entry
- `docs/reference/services/paperless.md` — reference card

## Remaining deploy steps

1. Build container: `mise run container-build-and-release paperless`
2. Update kustomization.yaml `newTag` with actual image tag
3. Create Authentik application/provider for paperless
4. Create `paperless` database on blumeops-pg
5. Sync ArgoCD apps, then sync paperless from branch
6. Provision Caddy: `mise run provision-indri -- --tags caddy`
7. Verify at https://paperless.ops.eblu.me

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Reviewed-on: #328
2026-04-08 17:54:12 -07:00

67 lines
1.9 KiB
YAML
Raw Blame History

---
apiVersion: external-secrets.io/v1
kind: ExternalSecret
metadata:
name: authentik-config
namespace: authentik
spec:
refreshInterval: 1h
secretStoreRef:
kind: ClusterSecretStore
name: onepassword-blumeops
target:
name: authentik-config
creationPolicy: Owner
data:
- secretKey: secret-key
remoteRef:
key: "Authentik (blumeops)"
property: secret-key
- secretKey: postgresql-host
remoteRef:
key: "Authentik (blumeops)"
property: postgresql-host
- secretKey: postgresql-port
remoteRef:
key: "Authentik (blumeops)"
property: postgresql-port
- secretKey: postgresql-name
remoteRef:
key: "Authentik (blumeops)"
property: postgresql-name
- secretKey: postgresql-user
remoteRef:
key: "Authentik (blumeops)"
property: postgresql-user
- secretKey: postgresql-password
remoteRef:
key: "Authentik (blumeops)"
property: postgresql-password
- secretKey: grafana-client-secret
remoteRef:
key: "Authentik (blumeops)"
property: grafana-client-secret
- secretKey: forgejo-client-secret
remoteRef:
key: "Authentik (blumeops)"
property: forgejo-client-secret
- secretKey: zot-client-secret
remoteRef:
key: "Authentik (blumeops)"
property: zot-client-secret
- secretKey: jellyfin-client-secret
remoteRef:
key: "Authentik (blumeops)"
property: jellyfin-client-secret
- secretKey: argocd-client-secret
remoteRef:
key: "Authentik (blumeops)"
property: argocd-client-secret
- secretKey: mealie-client-secret
remoteRef:
key: "Authentik (blumeops)"
property: mealie-client-secret
- secretKey: paperless-client-secret
remoteRef:
key: "Authentik (blumeops)"
property: paperless-client-secret
Reference in a new issue View git blame Copy permalink