kubernetes/gabernetes/apps/paperless-ngx/app/helmrelease.yaml

# yaml-language-server: $schema=https://raw.githubusercontent.com/bjw-s/helm-charts/app-template-3.5.1/charts/other/app-template/schemas/helmrelease-helm-v2.schema.json
apiVersion: helm.toolkit.fluxcd.io/v2
kind: HelmRelease
metadata:
  name: paperless-ngx
  namespace: paperless-ngx
spec:
  chart:
    spec:
      chart: app-template
      version: 3.5.1
      reconcileStrategy: ChartVersion
      sourceRef:
        kind: HelmRepository
        namespace: flux-system
        name: bjw-s
  interval: 1h
  driftDetection:
    mode: enabled
  values:
    controllers:
      paperless-ngx:
        containers:
          app:
            image:
              repository: ghcr.io/paperless-ngx/paperless-ngx
              tag: 2.13.5@sha256:199c67ed55bfb9d58bf90db2ee280880ae9ebc63413e54c73522f9c4ebdc7bad
              pullPolicy: IfNotPresent
            env:
              PAPERLESS_URL: https://${app_url}
              PAPERLESS_TIME_ZONE: America/Chicago
              PAPERLESS_SECRET_KEY: ${secret_key}
              PAPERLESS_ENABLE_HTTP_REMOTE_USER: "true"
              PAPERLESS_HTTP_REMOTE_USER_HEADER_NAME: HTTP_X_AUTHENTIK_USERNAME
              PAPERLESS_LOGOUT_REDIRECT_URL: /outpost.goauthentik.io/sign_out
              PAPERLESS_ALLOWED_HOSTS: "*"

              PAPERLESS_DBENGINE: postgresql
              PAPERLESS_DBHOST: postgresql-rw
              PAPERLESS_DBNAME: paperless-ngx
              PAPERLESS_DBUSER: paperless-ngx
              PAPERLESS_DBPASS:
                secretKeyRef:
                  name: postgresql-app
                  key: password

              REDIS_PASSWORD:
                secretKeyRef:
                  name: valkey
                  key: valkey-password
              PAPERLESS_REDIS:
                value: redis://:$(REDIS_PASSWORD)@valkey-primary
                dependsOn: REDIS_PASSWORD
            probes:
              startup:
                enabled: true
                spec:
                  failureThreshold: 30
                  periodSeconds: 5
              liveness:
                enabled: true
              readiness:
                enabled: true
            securityContext:
              readOnlyRootFilesystem: true
        pod:
          labels:
            policy.gabe565.com/egress-namespace: "true"
            policy.gabe565.com/egress-world: "true"
            policy.gabe565.com/ingress-ingress: "true"

    service:
      paperless-ngx:
        controller: paperless-ngx
        ports:
          http:
            port: 8000

    persistence:
      data:
        enabled: true
        storageClass: longhorn-ssd
        accessMode: ReadWriteOnce
        size: 1Gi
        retain: true
        globalMounts:
          - path: /usr/src/paperless/data
      media:
        enabled: true
        type: nfs
        server: 192.168.1.240
        path: /volume1/documents/paperless/media
        globalMounts:
          - path: /usr/src/paperless/media
      export:
        enabled: true
        type: nfs
        server: 192.168.1.240
        path: /volume1/documents/paperless/export
        globalMounts:
          - path: /usr/src/paperless/export
      consume:
        enabled: true
        type: nfs
        server: 192.168.1.240
        path: /volume1/documents/paperless/consume
        globalMounts:
          - path: /usr/src/paperless/consume
      tmp:
        enabled: true
        type: emptyDir
      supervisord:
        enabled: true
        type: emptyDir
        globalMounts:
          - path: /var/log/supervisord
            subPath: log
          - path: /var/run/supervisord
            subPath: run

    ingress:
      paperless-ngx:
        enabled: true
        annotations:
          nginx.ingress.kubernetes.io/auth-url: |-
            http://ak-outpost-gabernetes.authentik.svc.cluster.local:9000/outpost.goauthentik.io/auth/nginx
          nginx.ingress.kubernetes.io/auth-signin: |-
            /outpost.goauthentik.io/start?rd=$escaped_request_uri
          nginx.ingress.kubernetes.io/auth-response-headers: |-
            Set-Cookie,X-authentik-username,X-authentik-groups,X-authentik-email,X-authentik-name,X-authentik-uid
          nginx.ingress.kubernetes.io/auth-snippet: |
            proxy_set_header X-Forwarded-Host $http_host;
          nginx.ingress.kubernetes.io/proxy-body-size: 64m
        hosts:
          - host: ${app_url}
            paths:
              - path: /
                service:
                  identifier: paperless-ngx
                  port: http
        tls:
          - secretName: ${certificate_name}
            hosts:
              - ${app_url}