🚀(project:maison): Install Paperless NGX application

Signed-off-by: Alexandre Nicolaie <[email protected]>

projects/chezmoi.sh/src/kubevault/access_control/kubernetes.maison.chezmoi.sh

@@ -5,4 +5,6 @@ cloud/tailscale/kubernetes.maison.chezmoi.sh
 cloud/openai/mealie
 security/sso/oidc/clients/linkding
 security/sso/oidc/clients/mealie
+security/sso/oidc/clients/paperless-ngx
 storage/minio/cnpg.maison.chezmoi.sh
+storage/smb/paperless-ngx

projects/chezmoi.sh/src/kubevault/kvstore.enc/security/sso/oidc/clients/paperless-ngx

@@ -0,0 +1,22 @@
+#ENC[AES256_GCM,data:efrgrEkhxEoncF/hB2+Rjrk/QZk51J3ujkv2cXI7oUH0CmBXGLEUNxyEdzXAkPlpTxuR2CyM,iv:FheiuFL8MOYsJ2g0FSRX40byW3K4RHb3MZLsJYCu1ME=,tag:lpVwfbLefQj63DqAGxB/1w==,type:comment]
+oidc_configuration: ENC[AES256_GCM,data:/tSKl+5Asppx//tDZrtBd5IDYRp3xIJsE5NnL2XP3+wuX3lLkOrXAROtCeU5SO1+rJOoqlWa1EgtBkpJ8kRvJtlfHZxoLeuXYVSTunMubMmIa+SOUdEnbnTNlT3UA60PwDU71FjWESv/lXzwFQklsIGzdqxnuRymPA6xxfPGh18XNZ0j2Pzu7SFMoZgLoInR+9vdPDIq1bQoMR2GjHxSLPv/stu46M2tDTe84HnOJUGuL4QIn4bCDJg16peAmnvZXxkPhzL9iA3doKI4vO+q9mOeWNxSRt9Xcza6FgzbYLQ5qLJhBWYt78U0zk2IrgZsmw19xLunv6pP1nLNA1gf4y/oU8OKhgN2j8k+uuQQBwksxULD7CVi66moLjV08unx16C/MCMS9BvE2E0a1j7ABau5oGzAeNI0UFL5PhcTus5DC0gRoJm/I1v/WLpHGO9+DtXCKdtG2nzY0H7pEI/HnfcXcy9hU9Ya+MZ69UC9SZ0LkB/d9CkNi3wMlj0dvuq7xbfw/uu9DTAkY3+0UqqASkEEHZewXiTUBIxjLmkzybbWoSd4Ean+L1uQwHRqZT+l+3tjCOchX+SJmIKROcuQ7NDQT2HOoKEw/L2LTDYOqv3oq7bR/EMb0oEu1C2cuTRZ9p+yYOiPulQcw8shov4mR3HEiT1dX9hgy4IvhARYF336UsGHHsh+EWvyPRxYTnl1JxSoWxdzxVComo0IQclVjKvdQH/EINh9zkmVBIu/V/TpzRWzvYk5l6IYTjcZVXUsiwOO3nXxwg7eF+qMMcdgJThd9SbHEmM6y6uXARLTjoiUZYId+Z0b6N0SrspwiEVTGmW5CSm71OqQlzDrG9E8Tio7ahC0gPRKD2eQwzRDZ6PXCDK5B0yWIp3hFd2PSJdAVBUkcdXbVVgDm7kFJDy5cz1gZI/2x/IFvYq4mueYwet9W25uwMiXNiQ7vbyvMd7OcF6YgzwnLQ9RYgoeDBgM/bJ2r6EqHev3T2keIeprSCULXRbGj4HhZDl406Hp8j0zXFdLJJkZbOTgMkyiy9Yu/89w3uFsCAsVU8fzYajVilBtoeae/VlpizBLr3TaKSLKCALf1wZbavjk,iv:e9zG8yR6QwnmoB3s7KYJqM3oVXqk/f5JybT8+XYM3+Q=,tag:j4Ctb7fi89HscCRGbTAEeA==,type:str]
+sops:
+    kms: []
+    gcp_kms: []
+    azure_kv: []
+    hc_vault: []
+    age:
+        - recipient: age1fj0yj3na3n5udfjmnxfwrlkp80tvj49w80wh699x33dh48clnvnshtjxe9
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBmbUNmM1ptV0c0U0dEUnFi
+            aTFESCtUeGtUK21OYTlOaEpWVy9qMi8zdkhBCmNXWkJqV3d6S0hqY2I0NHRJSWdW
+            SkNONE1UYUNlN0RhUHd2bzF3aXdYL1UKLS0tIFlWRlNUZ29uZlNSUmlzaVZMSlkv
+            N0cyQ01uSEdtbVNTcmtzSlFQOG9ueDQKize085I5vBJjrQJy367GYKG4bWooMQpc
+            z5gfLHPtk/x5GilnvfCxCtYnpuc7LReW20vy0KU7+CEHQYMpXGR1DQ==
+            -----END AGE ENCRYPTED FILE-----
+    lastmodified: "2025-01-11T17:44:07Z"
+    mac: ENC[AES256_GCM,data:ddUT4F4JURyjS1fDTRyf28YFkoSZN69Y4JTpZU8/1SwOjoXDYLeL9nWU0WoZvfd/9OLkFUdbjZ6r6mnDFaHvEHDeldg7Oo/QYEbQObvJ1PhyrBBDY8jWrF0GCUCgoeAIvZZkoHWufj3xFzMuVyLxSPn8cD50ZeoE838xeduDKHg=,iv:11pLgqp+jmieoSkf3OZ/OpAqzT9kiKKDC6IoU6m5B4I=,tag:Sp1KTGsOVxFkuCKgi9QR9w==,type:str]
+    pgp: []
+    unencrypted_suffix: _unencrypted
+    version: 3.9.0

projects/chezmoi.sh/src/kubevault/kvstore.enc/storage/smb/paperless-ngx

@@ -0,0 +1,22 @@
+username: ENC[AES256_GCM,data:Uv+IbewcvZysl18Cmg==,iv:32fqPguQ4p6N83VHWkRza2+Nb1SNJ/Mj6/8+Qr9KOoo=,tag:hsjye42uN3147kPZBxYOKQ==,type:str]
+password: ENC[AES256_GCM,data:3VUYBCUGfDVCbJUUFBVeri026fnxOPN/U2mw4mbbJfLCVDhjrEdE2Q==,iv:QvZ5c8q+NlCOQjePTp22xJMmRfPuamy+zv4ySKnel48=,tag:Zg+y8kzlRxB/Xw+SYccXiQ==,type:str]
+sops:
+    kms: []
+    gcp_kms: []
+    azure_kv: []
+    hc_vault: []
+    age:
+        - recipient: age1fj0yj3na3n5udfjmnxfwrlkp80tvj49w80wh699x33dh48clnvnshtjxe9
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBXeTR2NFFMMm9KdGw3WHBO
+            cGc3U2dYaUlBS2dyT0xzWVdtQ3lnMTlldWtVCmJTSExQQTd2RWlGeTJrSmdtNXMv
+            QmJTQmdReEtMQUZFWXB2ODBJcTBRTVEKLS0tIHBLZDFacDZKMFVZM0dQbGw4UUhl
+            YVdVeUliSGl1U1g5OFg5Yi9uWHN6eUUK0lv9aLMvWcLWO3uFjLeRHue99VPWhABf
+            S3W/jltGMzYpVRjNp7kAPCXxa1/eY+3Wz8/ImjlIOuwn9Ckqdx4NVA==
+            -----END AGE ENCRYPTED FILE-----
+    lastmodified: "2025-01-12T13:25:22Z"
+    mac: ENC[AES256_GCM,data:PCqwnYvo37rq3pCC2gh4DbiyYaRj9njIgUdkkSxVvTSj1YXLrsO399gT+OczFPfyqYMJLQH12YAEIXkqCksT4L/eE3wge+SGH3y0WsljSZZ3aSF0QE/WN7pSNuLcSBBgD0hEkJ3rFW7wK2P1qYLMyef9alupsPl+YG8YQCdpZ6E=,iv:xlL9dBEyxK3SLRkeBKRhtwz8SkYKtxdXFNyd8/zTgvI=,tag:Ye984L1zvrL49gzDS93rpQ==,type:str]
+    pgp: []
+    unencrypted_suffix: _unencrypted
+    version: 3.9.0

projects/maison/architecture.d2

@@ -258,20 +258,19 @@ maison: {
       source-arrowhead: HTTP (9000)
     }
 
-    # - Docspell
-    Docspell: {
-      class: [application; undeployed]
-      icon: assets/icons/apps/docspell.svg
-      link: https://docspell.org/
-      tooltip: Docspell is a personal document management system.
+    # - Paperless
+    Paperless: {
+      class: [application]
+      icon: assets/icons/apps/paperless.svg
+      link: https://paperless-ngx.com/
+      tooltip: Paperless-ngx is a community-supported open-source document management system that transforms your physical documents into a searchable online archive.
     }
-    Docspell <- _.system.Traefik: {
-      class: [undeployed]
-      source-arrowhead: HTTP (7880)
+    Paperless <- _.system.Traefik: {
+      source-arrowhead: HTTP (8000)
     }
-    Docspell <- _.system.Tailscale: {
-      class: [connect-vpn; undeployed]
-      source-arrowhead: HTTP (7880)
+    Paperless <- _.system.Tailscale: {
+      class: [connect-vpn]
+      source-arrowhead: HTTP (8000)
     }
   }
 
@@ -292,6 +291,10 @@ maison: {
       class: [connect-vpn]
       source-arrowhead: HTTP (5678)
     }
+    n8n -> _.life-management.Paperless: {
+      target-arrowhead: HTTP (8000)
+    }
+
 
     # - Budibase
     Budibase: {

projects/maison/src/apps/kustomization.yaml

@@ -12,3 +12,4 @@ resources:
   - linkding.yaml
   - mealie.yaml
   - n8n.yaml
+  - paperless-ngx.yaml

projects/maison/src/apps/paperless-ngx.yaml

@@ -0,0 +1,18 @@
+---
+apiVersion: kustomize.toolkit.fluxcd.io/v1
+kind: Kustomization
+metadata:
+  name: paperless-ngx
+spec:
+  interval: 12h0m0s
+  timeout: 30s # if the apply of the resources takes more than 5 minutes, it will be considered as failed ...
+  retryInterval: 30s # ... and will be retried every 30 seconds
+
+  sourceRef:
+    kind: GitRepository
+    name: flux-system
+    namespace: flux-system
+  path: ./projects/maison/src/apps/paperless-ngx
+
+  prune: true
+  wait: true

projects/maison/src/apps/paperless-ngx/httproute.yaml

@@ -0,0 +1,16 @@
+---
+apiVersion: gateway.networking.k8s.io/v1
+kind: HTTPRoute
+metadata:
+  name: paperless-ngx
+  namespace: paperless-ngx
+spec:
+  parentRefs:
+    - name: default
+      namespace: default
+  hostnames:
+    - paperless-ngx.chezmoi.sh
+  rules:
+    - backendRefs:
+        - name: paperless-ngx
+          port: 80

projects/maison/src/apps/paperless-ngx/kustomization.yaml

@@ -0,0 +1,27 @@
+---
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+
+labels:
+  - pairs:
+      app.kubernetes.io/name: paperless-ngx
+    includeTemplates: true
+    includeSelectors: true
+  - pairs:
+      app.kubernetes.io/managed-by: fluxcd
+      app.kubernetes.io/part-of: document-management-system
+    includeTemplates: true
+
+resources:
+  # Workloads
+  - workload.database.yaml
+  - workload.paperless.yaml
+  - workload.redis.yaml
+
+  # Ingresses / Gateways
+  - httproute.yaml
+  - vpn.yaml
+
+  # Miscellaneous resources
+  - security-policies.yaml
+  - namespace.yaml

projects/maison/src/apps/paperless-ngx/namespace.yaml

@@ -0,0 +1,7 @@
+---
+apiVersion: v1
+kind: Namespace
+metadata:
+  labels:
+    clusterexternalsecret.eso.io/name: cnpg-s3-credentials
+  name: paperless-ngx

projects/maison/src/apps/paperless-ngx/policies/allow-egress-from-paperless-to-internet.yaml

@@ -0,0 +1,27 @@
+---
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+  annotations:
+    network-policy.k8s.io/description: |
+      This policy allows egress traffic from Paperless to POP/IMAP server
+      on internet.
+
+      **Why?**
+      - Paperless needs to connect to the POP/IMAP server to fetch emails
+        and process them (gmail in this case).
+  name: allow-egress-from-paperless-to-internet
+  namespace: paperless-ngx
+spec:
+  egress:
+    - to:
+        - ipBlock:
+            cidr: 0.0.0.0/0
+      ports:
+        - port: 993 # required for the email
+  podSelector:
+    matchLabels:
+      app.kubernetes.io/instance: paperless-ngx-webserver
+      app.kubernetes.io/name: paperless-ngx
+  policyTypes:
+    - Egress

projects/maison/src/apps/paperless-ngx/policies/allow-egress-from-paperless-to-localnet.yaml

@@ -0,0 +1,25 @@
+---
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+  annotations:
+    network-policy.k8s.io/description: |
+      This policy allows egress traffic from Paperless to localnet.
+
+      **Why?**
+      - Paperless needs to connect to SSO server to authenticate users.
+  name: allow-egress-from-paperless-to-localnet
+  namespace: paperless-ngx
+spec:
+  egress:
+    - to:
+        - ipBlock:
+            cidr: 10.0.0.0/20 # sso.chezmoi.sh
+      ports:
+        - port: 443
+  podSelector:
+    matchLabels:
+      app.kubernetes.io/instance: paperless-ngx-webserver
+      app.kubernetes.io/name: paperless-ngx
+  policyTypes:
+    - Egress

projects/maison/src/apps/paperless-ngx/policies/allow-egress-from-paperless-to-postgress.yaml

@@ -0,0 +1,26 @@
+---
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+  annotations:
+    network-policy.k8s.io/description: |
+      This policy allows egress traffic from Paperless to Postgres database.
+
+      **Why?**
+      - Paperless needs to connect to the Postgres database as data backend.
+  name: allow-egress-from-paperless-to-postgress
+  namespace: paperless-ngx
+spec:
+  egress:
+    - to:
+        - podSelector:
+            matchLabels:
+              cnpg.io/cluster: paperless-ngx-database
+      ports:
+        - port: 5432
+  podSelector:
+    matchLabels:
+      app.kubernetes.io/instance: paperless-ngx-webserver
+      app.kubernetes.io/name: paperless-ngx
+  policyTypes:
+    - Egress

projects/maison/src/apps/paperless-ngx/policies/allow-egress-from-paperless-to-redis.yaml

@@ -0,0 +1,27 @@
+---
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+  annotations:
+    network-policy.k8s.io/description: |
+      This policy allows egress traffic from Paperless to Redis broker.
+
+      **Why?**
+      - Paperless needs to connect to the Redis database as event broker.
+  name: allow-egress-from-paperless-to-redis
+  namespace: paperless-ngx
+spec:
+  egress:
+    - to:
+        - podSelector:
+            matchLabels:
+              app.kubernetes.io/instance: paperless-ngx-redis
+              app.kubernetes.io/name: paperless-ngx
+      ports:
+        - port: 6379
+  podSelector:
+    matchLabels:
+      app.kubernetes.io/instance: paperless-ngx-webserver
+      app.kubernetes.io/name: paperless-ngx
+  policyTypes:
+    - Egress

projects/maison/src/apps/paperless-ngx/policies/allow-ingress-to-paperless-from-n8n.yaml

@@ -0,0 +1,31 @@
+---
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+  annotations:
+    network-policy.k8s.io/description: |
+      This policy allows ingress traffic from n8n application to
+      Paperless.
+
+      **Why?**
+      - n8n host some AI agent that needs to connect to Paperless
+        to fetch documents and process them.
+  name: allow-ingress-to-paperless-from-n8n
+  namespace: paperless-ngx
+spec:
+  ingress:
+    - from:
+        - namespaceSelector:
+            matchLabels:
+              kubernetes.io/metadata.name: n8n
+          podSelector:
+            matchLabels:
+              app.kubernetes.io/name: n8n
+      ports:
+        - port: 8000
+  podSelector:
+    matchLabels:
+      app.kubernetes.io/instance: paperless-ngx-webserver
+      app.kubernetes.io/name: paperless-ngx
+  policyTypes:
+    - Ingress

projects/maison/src/apps/paperless-ngx/policies/allow-ingress-to-paperless-from-tailscale.yaml

@@ -0,0 +1,29 @@
+---
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+  annotations:
+    network-policy.k8s.io/description: |
+      This policy allows ingress traffic from Paperless application to
+      Tailscale service.
+
+      **Why?**
+      - Tailscale is the ingress controller for the Kubernetes cluster
+        and needs to route traffic to Paperless application in order to be
+        accessible from the VPN.
+  name: allow-ingress-to-paperless-from-tailscale
+  namespace: paperless-ngx
+spec:
+  ingress:
+    - from:
+        - namespaceSelector:
+            matchLabels:
+              kubernetes.io/metadata.name: tailscale-system
+      ports:
+        - port: 8000
+  podSelector:
+    matchLabels:
+      app.kubernetes.io/instance: paperless-ngx-webserver
+      app.kubernetes.io/name: paperless-ngx
+  policyTypes:
+    - Ingress

projects/maison/src/apps/paperless-ngx/policies/allow-ingress-to-paperless-from-traefik.yaml

@@ -0,0 +1,28 @@
+---
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+  annotations:
+    network-policy.k8s.io/description: |
+      This policy allows ingress traffic from Paperless application to
+      Traefik service.
+
+      **Why?**
+      - Traefik is the gateway controller for the Kubernetes cluster
+        and needs to route traffic to Paperless application.
+  name: allow-ingress-to-paperless-from-traefik
+  namespace: paperless-ngx
+spec:
+  ingress:
+    - from:
+        - namespaceSelector:
+            matchLabels:
+              kubernetes.io/metadata.name: traefik-system
+      ports:
+        - port: 8000
+  podSelector:
+    matchLabels:
+      app.kubernetes.io/instance: paperless-ngx-webserver
+      app.kubernetes.io/name: paperless-ngx
+  policyTypes:
+    - Ingress