🚀(project:maison): Install Paperless NGX application

Signed-off-by: Alexandre Nicolaie <[email protected]>

projects/maison/src/apps/kustomization.yaml

@@ -12,3 +12,4 @@ resources:
   - linkding.yaml
   - mealie.yaml
   - n8n.yaml
+  - paperless-ngx.yaml

projects/maison/src/apps/paperless-ngx.yaml

@@ -0,0 +1,18 @@
+---
+apiVersion: kustomize.toolkit.fluxcd.io/v1
+kind: Kustomization
+metadata:
+  name: paperless-ngx
+spec:
+  interval: 12h0m0s
+  timeout: 30s
+  retryInterval: 0s
+
+  sourceRef:
+    kind: GitRepository
+    name: flux-system
+    namespace: flux-system
+  path: ./projects/maison/src/apps/paperless-ngx
+
+  prune: true
+  wait: true

projects/maison/src/apps/paperless-ngx/namespace.yaml

@@ -0,0 +1,5 @@
+---
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: paperless-ngx

projects/maison/src/apps/paperless-ngx/paperless.database.yaml

@@ -0,0 +1,20 @@
+---
+apiVersion: postgresql.cnpg.io/v1
+kind: Cluster
+metadata:
+  name: paperless-ngx-database
+  namespace: paperless-ngx
+  labels:
+    app.kubernetes.io/component: database
+    app.kubernetes.io/name: postgresql
+    app.kubernetes.io/part-of: paperless-ngx
+spec:
+  bootstrap:
+    initdb:
+      database: paperless-ngx
+      owner: paperless-ngx
+  description: PostgreSQL database dedicated to Paperless-NGX
+  instances: 1
+
+  storage:
+    size: 5Gi

projects/maison/src/apps/paperless-ngx/paperless.httproute.yaml

@@ -0,0 +1,16 @@
+---
+apiVersion: gateway.networking.k8s.io/v1
+kind: HTTPRoute
+metadata:
+  name: paperless-ngx-websecure
+  namespace: paperless-ngx
+spec:
+  parentRefs:
+    - name: default
+      namespace: default
+  hostnames:
+    - paperless-ngx.chezmoi.sh
+  rules:
+    - backendRefs:
+        - name: paperless-ngx
+          port: 80

projects/maison/src/apps/paperless-ngx/paperless.vpn.yaml

@@ -0,0 +1,16 @@
+---
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+  name: paperless-ngx-tailscale
+  namespace: paperless-ngx
+spec:
+  defaultBackend:
+    service:
+      name: paperless-ngx
+      port:
+        number: 80
+  ingressClassName: tailscale
+  tls:
+    - hosts:
+        - paperless-ngx

projects/maison/src/apps/paperless-ngx/paperless.workload.paperless.yaml

@@ -0,0 +1,194 @@
+# trunk-ignore-all(checkov/CKV_K8S_11,trivy/KSV011): DO NOT SET the CPU limit
+# trunk-ignore-all(checkov/CKV_K8S_15,checkov/CKV_K8S_43): Not aggreed with theses policies about the ImagePullPolicy=Always and digest verification.
+# trunk-ignore-all(checkov/CKV_K8S_25,trivy/KSV022,trivy/KSV106): add CHOWN capability is required by the official image
+# trunk-ignore-all(trivy,checkov)
+---
+# trunk-ignore(checkov/CKV2_K8S_6): NLP not ready
+apiVersion: apps/v1
+kind: StatefulSet
+metadata:
+  labels:
+    app.kubernetes.io/component: webserver
+    app.kubernetes.io/instance: paperless-ngx
+    app.kubernetes.io/name: paperless-ngx
+    app.kubernetes.io/part-of: paperless-ngx
+  name: paperless-ngx
+  namespace: paperless-ngx
+spec:
+  replicas: 1
+  selector:
+    matchLabels:
+      app.kubernetes.io/instance: paperless-ngx
+      app.kubernetes.io/name: paperless-ngx
+  template:
+    metadata:
+      labels:
+        app.kubernetes.io/component: webserver
+        app.kubernetes.io/instance: paperless-ngx
+        app.kubernetes.io/name: paperless-ngx
+        app.kubernetes.io/part-of: paperless-ngx
+    spec:
+      automountServiceAccountToken: false
+      containers:
+        - name: paperless-ngx
+          env:
+            - name: PAPERLESS_DBENGINE
+              value: postgresql
+            - name: PAPERLESS_DBHOST
+              valueFrom:
+                secretKeyRef:
+                  name: paperless-ngx-database-app
+                  key: host
+            - name: PAPERLESS_DBPORT
+              valueFrom:
+                secretKeyRef:
+                  name: paperless-ngx-database-app
+                  key: port
+            - name: PAPERLESS_DBNAME
+              valueFrom:
+                secretKeyRef:
+                  name: paperless-ngx-database-app
+                  key: dbname
+            - name: PAPERLESS_DBUSER
+              valueFrom:
+                secretKeyRef:
+                  name: paperless-ngx-database-app
+                  key: user
+            - name: PAPERLESS_DBPASS
+              valueFrom:
+                secretKeyRef:
+                  name: paperless-ngx-database-app
+                  key: password
+
+            - name: PAPERLESS_REDIS
+              value: redis://paperless-ngx-redis:6379
+            - name: PAPERLESS_URL
+              value: https://paperless-ngx.chezmoi.sh
+          image: ghcr.io/paperless-ngx/paperless-ngx:2.13.5
+          livenessProbe: &probe
+            httpGet:
+              path: /
+              port: http
+            failureThreshold: 3
+            periodSeconds: 10
+            successThreshold: 1
+            timeoutSeconds: 5
+          ports:
+            - name: http
+              containerPort: 8000
+              protocol: TCP
+          readinessProbe:
+            <<: *probe
+          resources:
+            requests:
+              memory: "4Gi"
+              cpu: "250m"
+            limits:
+              memory: "4Gi"
+          securityContext:
+            allowPrivilegeEscalation: false
+            capabilities:
+              add:
+                - CHOWN # required by the official image
+              drop:
+                - ALL
+            readOnlyRootFilesystem: false # required by the official image because of the logs ...
+            runAsGroup: 1000
+            runAsNonRoot: true
+            runAsUser: 1000
+          startupProbe:
+            <<: *probe
+            failureThreshold: 30
+            initialDelaySeconds: 0
+            periodSeconds: 2
+          volumeMounts:
+            - name: media
+              mountPath: /usr/src/paperless/media
+            - name: data
+              mountPath: /usr/src/paperless/data
+      securityContext:
+        fsGroup: 1000
+        runAsGroup: 1000
+        runAsUser: 1000
+        seccompProfile:
+          type: RuntimeDefault
+      volumes:
+        - name: media
+          persistentVolumeClaim:
+            claimName: media
+        - name: data
+          persistentVolumeClaim:
+            claimName: media
+        - name: tmpdir
+          emptyDir: {}
+  volumeClaimTemplates:
+    - metadata:
+        name: media
+        labels:
+          app.kubernetes.io/component: webserver
+          app.kubernetes.io/instance: paperless-ngx
+          app.kubernetes.io/name: paperless-ngx
+          app.kubernetes.io/part-of: paperless-ngx
+      spec:
+        accessModes:
+          - ReadWriteOnce
+        resources:
+          requests:
+            storage: 5Gi
+    - metadata:
+        name: data
+        labels:
+          app.kubernetes.io/component: webserver
+          app.kubernetes.io/instance: paperless-ngx
+          app.kubernetes.io/name: paperless-ngx
+          app.kubernetes.io/part-of: paperless-ngx
+      spec:
+        accessModes:
+          - ReadWriteOnce
+        resources:
+          requests:
+            storage: 5Gi
+---
+apiVersion: v1
+kind: Service
+metadata:
+  labels:
+    app.kubernetes.io/component: webserver
+    app.kubernetes.io/instance: paperless-ngx
+    app.kubernetes.io/name: paperless-ngx
+    app.kubernetes.io/part-of: paperless-ngx
+  name: paperless-ngx
+  namespace: paperless-ngx
+spec:
+  ports:
+    - name: http
+      port: 80
+      protocol: TCP
+      targetPort: 8000
+  selector:
+    app.kubernetes.io/instance: paperless-ngx
+    app.kubernetes.io/name: paperless-ngx
+  type: ClusterIP
+# ---
+# apiVersion: networking.k8s.io/v1
+# kind: NetworkPolicy
+# metadata:
+#   name: paperless-ngx-redis
+#   namespace: paperless-ngx
+#   labels:
+#     app.kubernetes.io/component: tasks-broker
+#     app.kubernetes.io/part-of: paperless-ngx
+# spec:
+#   podSelector:
+#     matchLabels:
+#       app.kubernetes.io/instance: paperless-ngx-redis
+#       app.kubernetes.io/name: redis
+#   policyTypes:
+#     - Ingress
+#     - Egress
+#   ingress:
+#     - from:
+#         - podSelector: {}
+#       ports:
+#         - port: 6379
+#   egress: []