Paperless

Paperless-ngx is an open-source document management system. It provides the ability to organise and manage copies of digital and physical documents and makes them searchable.

In the Shivering-Isles infrastructure it provides a secure place to store documents with strong isolation features.

Usage

Create a kustomization.yaml in your GitOps setup:

# kustomization.yaml
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
namespace: paperless
resources:
  - https://git.shivering-isles.com/shivering-isles/infrastructure-gitops//apps/base/paperless?ref=main
  - ingress.yaml
components:
  - https://git.shivering-isles.com/shivering-isles/infrastructure-gitops//apps/base/paperless/postgres-zalando?ref=main
  - https://git.shivering-isles.com/shivering-isles/infrastructure-gitops//apps/base/paperless/redis-keydb?ref=main
  # optional
  - https://git.shivering-isles.com/shivering-isles/infrastructure-gitops//apps/base/paperless/gotenberg?ref=main
  # optional
  - https://git.shivering-isles.com/shivering-isles/infrastructure-gitops//apps/base/paperless/tika?ref=main

# common labels help to identify common resources
commonLabels:
  app.kubernetes.io/name: paperless
  app.kubernetes.io/instance: paperless

# Config example
# secretGenerator:
#   - name: paperless
#     literals:
#       - PAPERLESS_URL=https://paperless.example.com/
#       - PAPERLESS_ADMIN_USER=paperless
#       - PAPERLESS_ADMIN_PASSWORD=paperless

Add your Ingress configuration:

apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
    name: paperless
    annotations:
        # proxy-body-size is set to 0 to remove the body limit on file uploads
        nginx.ingress.kubernetes.io/proxy-body-size: "0"
    labels: {}
spec:
    rules:
        - host: paperless.example.com
          http:
            paths:
                - backend:
                    service:
                        name: webserver
                        port:
                            name: http
                  path: /
                  pathType: Prefix
    tls:
        - hosts:
            - paperless.example.com
          secretName: ingress-tls

Optionally, use the secretGenerator shown above to configure your instance to your needs.

Security

Be aware that the Usage section above does not include the hardening described here. Check the fully implemented kustomization for details on the hardening.

Given the sensitive nature of the documents stored in Paperless, the instance is isolated by restricting access to VPN-only, adding step-up authentication to minimize access times, and isolating the network of all related containers from and to the internet.
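The network isolation described above can be expressed as Kubernetes NetworkPolicies for the paperless namespace. The following is an added example, not the Shivering-Isles kustomization; the ingress controller namespace `ingress-nginx`, the `kubernetes.io/metadata.name` namespace label, the webserver pod label `app.kubernetes.io/component: webserver` and the container port 8000 are assumptions.

```yaml
# networkpolicy.yaml (added example; assumptions marked inline)
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: paperless-isolate
  namespace: paperless
spec:
  # Selects every pod in the namespace: webserver, postgres, redis, gotenberg, tika
  podSelector: {}
  policyTypes:
    - Ingress
    - Egress
  ingress:
    # Only pods of the same namespace may talk to each other;
    # no rule matches the internet, so it is denied implicitly
    - from:
        - podSelector: {}
  egress:
    # Pod-to-pod within the namespace (webserver -> postgres/redis/gotenberg/tika)
    - to:
        - podSelector: {}
    # DNS resolution via kube-dns in kube-system; nothing else leaves the namespace
    - to:
        - namespaceSelector:
            matchLabels:
              kubernetes.io/metadata.name: kube-system   # assumption: default label
      ports:
        - protocol: UDP
          port: 53
        - protocol: TCP
          port: 53
---
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: paperless-webserver-from-ingress
  namespace: paperless
spec:
  # Only the webserver receives traffic from the (VPN-facing) ingress controller
  podSelector:
    matchLabels:
      app.kubernetes.io/component: webserver   # assumption: pod label
  policyTypes:
    - Ingress
  ingress:
    - from:
        - namespaceSelector:
            matchLabels:
              kubernetes.io/metadata.name: ingress-nginx   # assumption: controller namespace
      ports:
        - protocol: TCP
          port: 8000   # assumption: Paperless container port
```

NetworkPolicies are additive, so the second policy widens ingress for the webserver only; the VPN-only and step-up authentication requirements are enforced at the ingress, not by these policies.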

Workflow

The majority of the workflow currently used is based on this presentation and the best practices mentioned in the documentation.

References