2026-04-06 15:28:24 +02:00
12 changed files with 229 additions and 48 deletions
--- a/.gitea/workflows/deploy.yaml
+++ b/.gitea/workflows/deploy.yaml
@@ -4,31 +4,12 @@ on:
  push:
    branches:
      - main
+    paths:
+      - "k8s/**"

 jobs:
-  check-changes:
-    runs-on: ubuntu-latest
-    outputs:
-      changes: ${{ steps.filter.outputs.k8s }}
-      helm: ${{ steps.filter.outputs.helm }}
-    steps:
-      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
-        with:
-          fetch-depth: 0
-      - uses: dorny/paths-filter@fbd0ab8f3e69293af611ebaee6363fc25e6d187d # v4.0.1
-        id: filter
-        with:
-          filters: |
-            k8s:
-              - 'k8s/**'
-            helm:
-              - 'values/**'
-              - 'helmfile.yaml'
-
  deploy:
    runs-on: ubuntu-latest
-    needs: check-changes
-    if: ${{ needs.check-changes.outputs.changes == 'true' || needs.check-changes.outputs.helm == 'true' }}
    steps:
      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
      - uses: https://gitea.t000-n.de/t.behrendt/k_deploy_workflows/.gitea/actions/extract-namespace-from-repo-name@c373c34c836716e663e2d6379e686997bfd7746c # 0.0.6
@@ -36,9 +17,6 @@ jobs:
        with:
          repo: ${{ github.repository }}
      - uses: azure/setup-kubectl@15650b3ad78fff148532a140b8a4c821796b2d7b # v5.0.0
-      - uses: azure/setup-helm@dda3372f752e03dde6b3237bc9431cdc2f7a02a2 # v5
-        with:
-          version: "3.15.0"
      - uses: azure/k8s-set-context@ae59a723ba9abe7a9655538854a025448dbab4aa # v4.0.2
        with:
          method: kubeconfig
@@ -56,6 +34,16 @@ jobs:
              "restic_rest_password": "${{ secrets.RESTIC_REST_PASSWORD }}",
              "gotify_token": "${{ secrets.GOTIFY_TOKEN }}"
            }
+      - name: Create paperless secret
+        uses: azure/k8s-create-secret@6e0ba8047235646753f2a3a3b359b4d0006ff218 # v5.0.1
+        with:
+          namespace: ${{ steps.namespace.outputs.namespace }}
+          secret-name: paperless-secret
+          secret-type: generic
+          data: |
+            {
+              "PAPERLESS_SECRET_KEY": "${{ secrets.PAPERLESS_SECRET_KEY }}"
+            }
      - name: Deploy
        uses: azure/k8s-deploy@c8cfec839dc09896b3b8cc40cd13d04792680771 # v5.1.0
        with:
@@ -63,7 +51,3 @@ jobs:
          manifests: "k8s/"
          strategy: basic
          namespace: ${{ steps.namespace.outputs.namespace }}
-      - name: Deploy helm
-        uses: helmfile/helmfile-action@d9fefe29b0d07e9ab187ecfe1d63eff91e0a070c # v2.4.1
-        with:
-          helmfile-args: apply
--- a/.gitea/workflows/run-backup.yaml
+++ b/.gitea/workflows/run-backup.yaml
@@ -0,0 +1,20 @@
+name: Run Backup
+
+on:
+  workflow_dispatch:
+
+jobs:
+  run-renovate:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: https://gitea.t000-n.de/t.behrendt/k_deploy_workflows/.gitea/actions/extract-namespace-from-repo-name@c41eeb249e8a47e009c5f070d71f167dd1d39760 # 0.0.7
+        id: namespace
+        with:
+          repo: ${{ github.repository }}
+      - uses: azure/setup-kubectl@15650b3ad78fff148532a140b8a4c821796b2d7b # v5.0.0
+      - uses: azure/k8s-set-context@ae59a723ba9abe7a9655538854a025448dbab4aa # v4.0.2
+        with:
+          method: kubeconfig
+          kubeconfig: ${{ secrets.KUBECONFIG }}
+      - run: |
+          kubectl -n ${{ steps.namespace.outputs.namespace }} create job --from=cronjob/backup backup-${{ github.run_id }}
--- a/.gitea/workflows/validate.yaml
+++ b/.gitea/workflows/validate.yaml
@@ -15,9 +15,6 @@ jobs:
        with:
          repo: ${{ github.repository }}
      - uses: azure/setup-kubectl@15650b3ad78fff148532a140b8a4c821796b2d7b # v5.0.0
-      - uses: azure/setup-helm@dda3372f752e03dde6b3237bc9431cdc2f7a02a2 # v5
-        with:
-          version: "3.15.0"
      - uses: azure/k8s-set-context@ae59a723ba9abe7a9655538854a025448dbab4aa # v4.0.2
        with:
          method: kubeconfig
@@ -28,7 +25,3 @@ jobs:
          namespace: ${{ steps.namespace.outputs.namespace }}
          lintType: dryrun
          manifests: "k8s/"
-      - name: Validate Helm
-        uses: helmfile/helmfile-action@d9fefe29b0d07e9ab187ecfe1d63eff91e0a070c # v2.4.1
-        with:
-          helmfile-args: diff
--- a/README.md
+++ b/README.md
@@ -1,17 +1,9 @@
-Template DoDos:
+# Kubernetes Deployment for Paperless

- Add KUBECONFIG secret to your repo
- Place your k8s files in ./k8s/
- Replace \<service\> with the name of the service
- Replace \<url\> with the URL of the service
- Replace \<auth\> with the authentication method used
- Replace \<namespace\> with the namespace where the service is deployed in .github/workflows/deploy.yaml
- Provide a screenshot of the service in action in ./screenshot.png
+Document management system.

-# Kubernetes Deployment for \<service\>
+Deployed to: [paperless.t00n.de](https://paperless.t00n.de)

-Deployed to: \<url\>
-
-Authentication: \<auth\>
+Authentication: built-in

 ![Screenshot](screenshot.png)
--- a/k8s/10_namespace.yaml
+++ b/k8s/10_namespace.yaml
@@ -1,4 +1,4 @@
 apiVersion: v1
 kind: Namespace
 metadata:
-  name: <namespace>
+  name: paperless
--- a/k8s/11_backup.yaml
+++ b/k8s/11_backup.yaml
@@ -0,0 +1,63 @@
+apiVersion: batch/v1
+kind: CronJob
+metadata:
+  name: backup
+spec:
+  schedule: "0 20 */14 * *"
+  concurrencyPolicy: Forbid
+  successfulJobsHistoryLimit: 5
+  failedJobsHistoryLimit: 3
+  jobTemplate:
+    metadata:
+      labels:
+        t00n.de/restic-backup: "true"
+    spec:
+      backoffLimit: 3
+      activeDeadlineSeconds: 300
+      template:
+        spec:
+          nodeSelector:
+            kubernetes.io/hostname: k3sh0
+          restartPolicy: OnFailure
+          containers:
+            - name: backup-paperless
+              image: gitea.t000-n.de/t.behrendt/backupsidecar:6ff6e8759e827b9aa8ec7ecec4356cc04e4ca75a@sha256:f0841b9d74c6c9db8445d130b79c631a5526a2890ce34371859b3bb65f0ee5be
+              env:
+                - name: BACKUP_MODE
+                  value: "directory"
+                - name: RESTIC_REPOSITORY
+                  value: "rest:http://restserver.restic.svc.cluster.local:8000/paperless"
+                - name: RESTIC_PASSWORD
+                  valueFrom:
+                    secretKeyRef:
+                      name: backup-secret
+                      key: restic_password
+                - name: RESTIC_REST_USERNAME
+                  valueFrom:
+                    secretKeyRef:
+                      name: backup-secret
+                      key: restic_rest_username
+                - name: RESTIC_REST_PASSWORD
+                  valueFrom:
+                    secretKeyRef:
+                      name: backup-secret
+                      key: restic_rest_password
+                - name: GOTIFYHOST
+                  value: "https://gotify.t000-n.de"
+                - name: GOTIFYTOKEN
+                  valueFrom:
+                    secretKeyRef:
+                      name: backup-secret
+                      key: gotify_token
+                - name: GOTIFYTOPIC
+                  value: "Paperless Backup"
+                - name: SOURCEDIR
+                  value: "/data"
+              volumeMounts:
+                - name: source-data
+                  mountPath: /data
+          volumes:
+            - name: source-data
+              hostPath:
+                path: /mnt/longhorn1/svc/paperless/main
+                type: Directory
--- a/k8s/21_deployment_paperless.yaml
+++ b/k8s/21_deployment_paperless.yaml
@@ -0,0 +1,54 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: webserver
+  namespace: paperless
+spec:
+  replicas: 1
+  selector:
+    matchLabels:
+      app: webserver
+  template:
+    metadata:
+      labels:
+        app: webserver
+    spec:
+      nodeSelector:
+        kubernetes.io/hostname: k3sh0
+      containers:
+        - name: webserver
+          image: ghcr.io/paperless-ngx/paperless-ngx:2.20.13@sha256:4b05bcd28e6923768000b5d247cbf2c66fd49bdc3f3b05955bd4f6790a638b01
+          ports:
+            - containerPort: 8000
+          env:
+            - name: PAPERLESS_REDIS
+              value: redis://broker.paperless.svc.cluster.local:6379
+            - name: PAPERLESS_URL
+              value: https://paperless.t00n.de
+            - name: PAPERLESS_SECRET_KEY
+              valueFrom:
+                secretKeyRef:
+                  name: paperless-secret
+                  key: PAPERLESS_SECRET_KEY
+            - name: PAPERLESS_TIME_ZONE
+              value: Europe/Amsterdam
+            - name: PAPERLESS_OCR_LANGUAGE
+              value: deu
+          volumeMounts:
+            - name: data
+              mountPath: /usr/src/paperless/data
+            - name: media
+              mountPath: /usr/src/paperless/media
+          resources:
+            limits:
+              cpu: 1000m
+              memory: 4096Mi
+      volumes:
+        - name: data
+          hostPath:
+            path: /mnt/longhorn1/svc/paperless/main/paperless/data
+            type: Directory
+        - name: media
+          hostPath:
+            path: /mnt/longhorn1/svc/paperless/main/paperless/media
+            type: Directory
--- a/k8s/22_service_paperless.yaml
+++ b/k8s/22_service_paperless.yaml
@@ -0,0 +1,11 @@
+apiVersion: v1
+kind: Service
+metadata:
+  name: webserver
+  namespace: paperless
+spec:
+  selector:
+    app: webserver
+  ports:
+    - port: 8000
+      targetPort: 8000
--- a/k8s/23_ingress_paperless.yaml
+++ b/k8s/23_ingress_paperless.yaml
@@ -0,0 +1,18 @@
+apiVersion: traefik.containo.us/v1alpha1
+kind: IngressRoute
+metadata:
+  namespace: paperless
+  name: ingressroute
+spec:
+  entryPoints:
+    - websecure
+  routes:
+    - kind: Rule
+      match: Host(`paperless.t00n.de`)
+      middlewares:
+        - name: localipfilter
+          namespace: kube-system
+      services:
+        - kind: Service
+          name: webserver
+          port: 8000
--- a/k8s/31_deployment_broker.yaml
+++ b/k8s/31_deployment_broker.yaml
@@ -0,0 +1,34 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: broker
+  namespace: paperless
+spec:
+  replicas: 1
+  selector:
+    matchLabels:
+      app: broker
+  template:
+    metadata:
+      labels:
+        app: broker
+    spec:
+      nodeSelector:
+        kubernetes.io/hostname: k3sh0
+      containers:
+        - name: redis
+          image: docker.io/library/redis:7
+          volumeMounts:
+            - name: data
+              mountPath: /data
+          ports:
+            - containerPort: 6379
+          resources:
+            limits:
+              cpu: 250m
+              memory: 512Mi
+      volumes:
+        - name: data
+          hostPath:
+            path: /mnt/longhorn1/svc/paperless/main/broker/data
+            type: Directory
--- a/k8s/32_service_broker.yaml
+++ b/k8s/32_service_broker.yaml
@@ -0,0 +1,12 @@
+apiVersion: v1
+kind: Service
+metadata:
+  name: broker
+  namespace: paperless
+spec:
+  selector:
+    app: broker
+  ports:
+    - protocol: TCP
+      port: 6379
+      targetPort: 6379
--- a/screenshot.png
+++ b/screenshot.png