paperless-ngx: add service

README.md

@@ -9,12 +9,13 @@ This project was largely inspired by his own [infra](https://github.com/notthebe
 ## services
 
 The following services are managed completely automatically:
-- Gitea
-- Matrix Synapse
-- Syncthing
-- Navidrome
-- Exim mail (internal use only)
-- Caddy reverse proxy
+- [Gitea](https://about.gitea.com/)
+- [Matrix Synapse](https://github.com/matrix-org/synapse)
+- [Syncthing](https://syncthing.net/)
+- [Navidrome](https://www.navidrome.org/)
+- [Paperless-ngx](https://docs.paperless-ngx.com/)
+- [Exim](https://www.exim.org/) mail (internal use only)
+- [Caddy](https://caddyserver.com/) reverse proxy
 
 ## misc features
 

group_vars/all/00-secret_template.yml

@@ -20,3 +20,6 @@ syncthing_gui_pass: ""
 registration_shared_secret: ""
 macaroon_secret_key: ""
 form_secret: ""
+
+# paperless secret key
+paperless_secret: ""

inventory.example.yml

@@ -45,6 +45,9 @@ all:
         navidrome:
           hosts:
             your_fleet_host:
+        paperless:
+          hosts:
+            your_fleet_host:
     bastion:
       children:
         ddclient:

roles/caddy/defaults/main.yml

@@ -9,6 +9,7 @@ website_path: /srv/http
 gitea_domain: "git.{{ domain }}"
 navidrome_domain: "mus.{{ domain }}"
 matrix_domain: "m.{{ domain }}"
+paperless_domain: "doc.{{ domain }}"
 
 ## send renewal reminders to this address
 email: null

roles/caddy/templates/Caddyfile.j2

@@ -38,3 +38,9 @@ www.{{ domain }} {
 	reverse_proxy /_matrix/* {{ groups["synapse"][0] }}:8008
 }
 {% endif %}
+
+{% if groups["paperless"] | length > 0 %}
+{{ paperless_domain }} {
+	reverse_proxy {{ groups["paperless"][0] }}:8000
+}
+{% endif %}

roles/containers/defaults/main.yml

@@ -16,3 +16,5 @@ syncthing_conf_dir: "{{ dataroot }}/syncthing/config"
 music_path: "{{ dataroot }}/music"
 
 navidrome_domain: "mus.{{ domain }}"
+
+paperless_domain: "doc.{{ domain }}"

roles/containers/tasks/main.yml

@@ -21,7 +21,6 @@
   group:
     name: vault
     state: present
-  when: '"syncthing" in groups'
 
 - name: Create Syncthing user
   user:
@@ -54,7 +53,43 @@
     name: "{{ username }}"
     append: yes
     groups: vault
-  when: '"syncthing" in groups'
+
+- name: Create Paperless group
+  group:
+    name: paperless
+    state: present
+  register: group_paperless
+
+- name: Create Paperless user
+  user:
+    name: paperless
+    group: paperless
+  register: user_paperless
+
+- name: Create Paperless directories
+  file:
+    path: "{{ dataroot }}/paperless/{{ item }}"
+    state: directory
+    owner: paperless
+    group: paperless
+    mode: "u=rwX,g=,o="
+  with_items:
+    - data
+    - media
+
+- name: Create Paperless consume directory
+  file:
+    path: "{{ dataroot }}/paperless/consume"
+    state: directory
+    owner: paperless
+    group: paperless
+    mode: "u=rwX,g=rwX,o="
+
+- name: Create Paperless .env file
+  template:
+    src: "paperless.env.j2"
+    dest: "{{ docker_compose_dir }}/paperless.env"
+    lstrip_blocks: true
 
 - name: Create Navidrome user
   user:

roles/containers/templates/docker-compose.yml.j2

@@ -47,6 +47,7 @@ services:
       - {{ archive_path }}/:/vault_a
       - {{ syncthing_conf_dir }}/:/var/syncthing/config
       - "{{ music_path }}:/music"
+      - "{{ dataroot }}/paperless/consume:/paperless"
 
 {% endif %}
 {% if "navidrome" in group_names %}
@@ -83,3 +84,51 @@ services:
       - "8008:8008/tcp"
 
 {% endif %}
+
+{% if "paperless" in group_names %}
+  paperless-broker:
+    container_name: paperless-broker
+    image: docker.io/library/redis:7
+    restart: unless-stopped
+    volumes:
+      - redisdata:/data
+
+  paperless-web:
+    container_name: paperless-web
+    image: ghcr.io/paperless-ngx/paperless-ngx:latest
+    restart: unless-stopped
+    depends_on:
+      - paperless-broker
+    ports:
+      - "8000:8000"
+    healthcheck:
+      test: ["CMD", "curl", "-fs", "-S", "--max-time", "2", "http://localhost:8000"]
+      interval: 30s
+      timeout: 10s
+      retries: 5
+    volumes:
+      - "{{ dataroot }}/paperless/data:/usr/src/paperless/data"
+      - "{{ dataroot }}/paperless/media:/usr/src/paperless/media"
+      - paperless-export:/usr/src/paperless/export
+      - "{{ dataroot }}/paperless/consume:/usr/src/paperless/consume"
+    env_file: paperless.env
+    environment:
+      USERMAP_UID: "{{ user_paperless.uid }}"
+      # it gets the vault group because otherwise syncthing can't read the consume dir
+      USERMAP_GID: "{{ user_syncthing.group }}"
+      PAPERLESS_REDIS: redis://paperless-broker:6379
+      PAPERLESS_URL: "https://{{ paperless_domain }}"
+      PAPERLESS_USE_X_FORWARD_HOST: true
+      PAPERLESS_USE_X_FORWARD_PORT: true
+      PAPERLESS_OCR_PAGES: 1
+      PAPERLESS_TASK_WORKERS: 2
+      PAPERLESS_THREADS_PER_WORKER: 2
+      PAPERLESS_WEBSERVER_WORKERS: 1
+      PAPERLESS_ENABLE_NLTK: false
+{% endif %}
+
+{% if "paperless" in group_names %}
+volumes:
+  redisdata:
+  paperless-export:
+{% endif %}

roles/containers/templates/paperless.env.j2

@@ -0,0 +1 @@
+PAPERLESS_SECRET_KEY={{ paperless_secret }}