From 533082b8d424ac28ace17494086df96871d46026 Mon Sep 17 00:00:00 2001 From: dogeystamp Date: Sat, 9 Dec 2023 21:36:36 -0500 Subject: [PATCH] paperless-ngx: add service --- README.md | 13 ++--- group_vars/all/00-secret_template.yml | 3 ++ inventory.example.yml | 3 ++ roles/caddy/defaults/main.yml | 1 + roles/caddy/templates/Caddyfile.j2 | 6 +++ roles/containers/defaults/main.yml | 2 + roles/containers/tasks/main.yml | 39 ++++++++++++++- .../templates/docker-compose.yml.j2 | 49 +++++++++++++++++++ roles/containers/templates/paperless.env.j2 | 1 + 9 files changed, 109 insertions(+), 8 deletions(-) create mode 100644 roles/containers/templates/paperless.env.j2 diff --git a/README.md b/README.md index ba57a65..753028e 100644 --- a/README.md +++ b/README.md @@ -9,12 +9,13 @@ This project was largely inspired by his own [infra](https://github.com/notthebe ## services The following services are managed completely automatically: -- Gitea -- Matrix Synapse -- Syncthing -- Navidrome -- Exim mail (internal use only) -- Caddy reverse proxy +- [Gitea](https://about.gitea.com/) +- [Matrix Synapse](https://github.com/matrix-org/synapse) +- [Syncthing](https://syncthing.net/) +- [Navidrome](https://www.navidrome.org/) +- [Paperless-ngx](https://docs.paperless-ngx.com/) +- [Exim](https://www.exim.org/) mail (internal use only) +- [Caddy](https://caddyserver.com/) reverse proxy ## misc features diff --git a/group_vars/all/00-secret_template.yml b/group_vars/all/00-secret_template.yml index e750712..a3d0589 100644 --- a/group_vars/all/00-secret_template.yml +++ b/group_vars/all/00-secret_template.yml @@ -20,3 +20,6 @@ syncthing_gui_pass: "" registration_shared_secret: "" macaroon_secret_key: "" form_secret: "" + +# paperless secret key +paperless_secret: "" diff --git a/inventory.example.yml b/inventory.example.yml index d3a3f36..5f753c1 100644 --- a/inventory.example.yml +++ b/inventory.example.yml 
@@ -45,6 +45,9 @@ all: navidrome: hosts: your_fleet_host: + paperless: + hosts: + your_fleet_host: bastion: children: ddclient: diff --git a/roles/caddy/defaults/main.yml b/roles/caddy/defaults/main.yml index 5cc520c..e82c421 100644 --- a/roles/caddy/defaults/main.yml +++ b/roles/caddy/defaults/main.yml @@ -9,6 +9,7 @@ website_path: /srv/http gitea_domain: "git.{{ domain }}" navidrome_domain: "mus.{{ domain }}" matrix_domain: "m.{{ domain }}" +paperless_domain: "doc.{{ domain }}" ## send renewal reminders to this address email: null diff --git a/roles/caddy/templates/Caddyfile.j2 b/roles/caddy/templates/Caddyfile.j2 index aa8888e..8f80e05 100644 --- a/roles/caddy/templates/Caddyfile.j2 +++ b/roles/caddy/templates/Caddyfile.j2 @@ -38,3 +38,9 @@ www.{{ domain }} { reverse_proxy /_matrix/* {{ groups["synapse"][0] }}:8008 } {% endif %} + +{% if groups["paperless"] | length > 0 %} +{{ paperless_domain }} { + reverse_proxy {{ groups["paperless"][0] }}:8000 +} +{% endif %} diff --git a/roles/containers/defaults/main.yml b/roles/containers/defaults/main.yml index 48564f1..3e455c5 100644 --- a/roles/containers/defaults/main.yml +++ b/roles/containers/defaults/main.yml @@ -16,3 +16,5 @@ syncthing_conf_dir: "{{ dataroot }}/syncthing/config" music_path: "{{ dataroot }}/music" navidrome_domain: "mus.{{ domain }}" + +paperless_domain: "doc.{{ domain }}" diff --git a/roles/containers/tasks/main.yml b/roles/containers/tasks/main.yml index e7b3ca6..d17d320 100644 --- a/roles/containers/tasks/main.yml +++ b/roles/containers/tasks/main.yml @@ -21,7 +21,6 @@ group: name: vault state: present - when: '"syncthing" in groups' - name: Create Syncthing user user: 
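Review bot: The new guard `{% if groups["paperless"] | length > 0 %}` in Caddyfile.j2 indexes `groups` before checking that the key exists, so an inventory with no `paperless` group would most likely fail templating with an undefined-variable error instead of skipping the site block. Writing it as `{% if groups["paperless"] | default([]) | length > 0 %}` keeps the service optional. The upstream `{{ groups["paperless"][0] }}:8000` is plain HTTP to whichever host is first in the group, so a comment stating that the link between the proxy and that host is assumed to be a trusted network would help the next reader. The guard of the preceding Matrix block is outside the hunk and may need the same treatment.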
@@ -54,7 +53,43 @@ name: "{{ username }}" append: yes groups: vault - when: '"syncthing" in groups' + +- name: Create Paperless group + group: + name: paperless + state: present + register: group_paperless + +- name: Create Paperless user + user: + name: paperless + group: paperless + register: user_paperless + +- name: Create Paperless directories + file: + path: "{{ dataroot }}/paperless/{{ item }}" + state: directory + owner: paperless + group: paperless + mode: "u=rwX,g=,o=" + with_items: + - data + - media + +- name: Create Paperless consume directory + file: + path: "{{ dataroot }}/paperless/consume" + state: directory + owner: paperless + group: paperless + mode: "u=rwX,g=rwX,o=" + +- name: Create Paperless .env file + template: + src: "paperless.env.j2" + dest: "{{ docker_compose_dir }}/paperless.env" + lstrip_blocks: true - name: Create Navidrome user user: diff --git a/roles/containers/templates/docker-compose.yml.j2 b/roles/containers/templates/docker-compose.yml.j2 index ba2879e..381f6f0 100644 --- a/roles/containers/templates/docker-compose.yml.j2 +++ b/roles/containers/templates/docker-compose.yml.j2 @@ -47,6 +47,7 @@ services: - {{ archive_path }}/:/vault_a - {{ syncthing_conf_dir }}/:/var/syncthing/config - "{{ music_path }}:/music" + - "{{ dataroot }}/paperless/consume:/paperless" {% endif %} {% if "navidrome" in group_names %} 
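Review bot: The `Create Paperless .env file` task writes `PAPERLESS_SECRET_KEY` to `{{ docker_compose_dir }}/paperless.env` without `owner`, `group` or `mode`, so the file gets whatever the remote umask yields, which is commonly world-readable. Add `mode: "0600"` with an explicit `owner`/`group` to the task, and consider `no_log: true` so that a `--diff` run does not print the key. The Paperless account is also created with the `user` module defaults; if it only needs to own files and supply a UID, `system: true` with a non-login shell would narrow it. How the neighbouring service accounts are created is outside the hunk.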
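Review bot: The added bind mount `"{{ dataroot }}/paperless/consume:/paperless"` in docker-compose.yml.j2 makes the Paperless consume directory writable from what appears to be the Syncthing service, and nothing in the template records that this is an ingestion path. Any file a paired Syncthing device places there will be picked up and parsed by `paperless-web`, so the folder should only be shared with trusted devices. A comment above the line such as `# ingestion path: files synced here are imported by paperless-web; share only with trusted devices` would document that. The service definition starts outside the hunk, and the mount seems to be rendered even on hosts that are not in the `paperless` group.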
@@ -83,3 +84,51 @@ services: - "8008:8008/tcp" {% endif %} + +{% if "paperless" in group_names %} + paperless-broker: + container_name: paperless-broker + image: docker.io/library/redis:7 + restart: unless-stopped + volumes: + - redisdata:/data + + paperless-web: + container_name: paperless-web + image: ghcr.io/paperless-ngx/paperless-ngx:latest + restart: unless-stopped + depends_on: + - paperless-broker + ports: + - "8000:8000" + healthcheck: + test: ["CMD", "curl", "-fs", "-S", "--max-time", "2", "http://localhost:8000"] + interval: 30s + timeout: 10s + retries: 5 + volumes: + - "{{ dataroot }}/paperless/data:/usr/src/paperless/data" + - "{{ dataroot }}/paperless/media:/usr/src/paperless/media" + - paperless-export:/usr/src/paperless/export + - "{{ dataroot }}/paperless/consume:/usr/src/paperless/consume" + env_file: paperless.env + environment: + USERMAP_UID: "{{ user_paperless.uid }}" + # it gets the vault group because otherwise syncthing can't read the consume dir + USERMAP_GID: "{{ user_syncthing.group }}" + PAPERLESS_REDIS: redis://paperless-broker:6379 + PAPERLESS_URL: "https://{{ paperless_domain }}" + PAPERLESS_USE_X_FORWARD_HOST: true + PAPERLESS_USE_X_FORWARD_PORT: true + PAPERLESS_OCR_PAGES: 1 + PAPERLESS_TASK_WORKERS: 2 + PAPERLESS_THREADS_PER_WORKER: 2 + PAPERLESS_WEBSERVER_WORKERS: 1 + PAPERLESS_ENABLE_NLTK: false +{% endif %} + +{% if "paperless" in group_names %} +volumes: + redisdata: + paperless-export: +{% endif %} diff --git a/roles/containers/templates/paperless.env.j2 b/roles/containers/templates/paperless.env.j2 new file mode 100644 index 0000000..e5ddbed --- /dev/null +++ b/roles/containers/templates/paperless.env.j2 @@ -0,0 +1 @@ +PAPERLESS_SECRET_KEY={{ paperless_secret }}
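Review bot: `ports: - "8000:8000"` on `paperless-web` publishes the web server on every host interface over plain HTTP, so it can be reached without going through the Caddy site; with `PAPERLESS_USE_X_FORWARD_HOST` and `PAPERLESS_USE_X_FORWARD_PORT` enabled, forwarded headers sent by such direct clients would presumably be honoured too. Bind the port to the address the proxy uses, for example `- "<proxy-facing-address>:8000:8000"` (placeholder), or restrict it with a firewall rule that also covers Docker-published ports. `image: ghcr.io/paperless-ngx/paperless-ngx:latest` floats, so every pull can change what runs with access to the document store; pin a release tag or digest. The unquoted `true`, `false` and numeric values under `environment:` are safer written as strings (`"true"`, `"1"`), since some Compose versions reject booleans there.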
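Review bot: `PAPERLESS_SECRET_KEY={{ paperless_secret }}` in paperless.env.j2 is rendered without any check that the variable was filled in, and `group_vars/all/00-secret_template.yml` ships it as `""`. An empty value would presumably leave Paperless with a blank key or with whatever it falls back to, so fail the play early, for example with an `assert` task using `that: paperless_secret | length > 0` placed before the template task. The comment in the secret template could also state that the value must be a long random string.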