ben
/
infra
1
1
Fork 2
Code Issues Pull Requests 1 Packages Projects Releases Wiki Activity

paperless-ngx: multiple users/setups, script+filebeat to log file consumption, .env file(s), and more #22

Merged
ben merged 7 commits from paperless-users into main 2022-10-26 00:03:46 +00:00
Conversation 0 Commits 7 Files Changed 18 +597 -56
18 changed files with 597 additions and 56 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

1
roles/nginx/tasks/nginx.yml
View File

@ -86,6 +86,7 @@
- nginx-conf - nginx-conf
- authelia-nginx - authelia-nginx
- well-known - well-known
- nginx-well-known
- gitea-nginx - gitea-nginx
notify: reload nginx notify: reload nginx

24
roles/nginx/templates/00-default.j2
View File

@ -14,20 +14,20 @@ server {
server_name {{ inventory_hostname }}; server_name {{ inventory_hostname }};
include /etc/nginx/authelia_internal.conf; include /etc/nginx/authelia_internal.conf;
location = /server_status { location = /server_status {
stub_status; stub_status;
access_log off; access_log off;
allow 127.0.0.1; allow 127.0.0.1;
{% if 'address' in ansible_default_ipv4 -%} {% if 'address' in ansible_default_ipv4 -%}
allow {{ ansible_default_ipv4.address }}; allow {{ ansible_default_ipv4.address }};
{% endif -%} {% endif -%}
{% if ansible_default_ipv6 is defined and 'address' in ansible_default_ipv6 -%} {% if ansible_default_ipv6 is defined and 'address' in ansible_default_ipv6 -%}
allow {{ ansible_default_ipv6.address }}; allow {{ ansible_default_ipv6.address }};
{% endif -%} {% endif -%}
allow {{ bridgewithdns_cidr }}; allow {{ bridgewithdns_cidr }};
deny all; deny all;
} }

12
roles/nginx/templates/nginx.conf.j2
View File

@ -18,6 +18,15 @@ http {
# nginx hack # nginx hack
# if $authelia_user doesnt exist, set it to empty string # if $authelia_user doesnt exist, set it to empty string
# if $authelia_user does exist, do nothing # if $authelia_user does exist, do nothing
# map $host $authelia_user {
# "" "";
# default $authelia_user;
# }
# map $host $authelia_groups {
# "" "";
# default $authelia_groups;
# }
map $host $authelia_user { map $host $authelia_user {
default ""; default "";
} }
@ -33,6 +42,9 @@ http {
' "request": "$request", ' ' "request": "$request", '
' "request_method": "$request_method", ' ' "request_method": "$request_method", '
' "request_uri": "$request_uri", ' ' "request_uri": "$request_uri", '
' "uri": "$uri", '
' "http_connection": "$http_connection", '
' "http_upgrade": "$http_upgrade", '
' "server_name": "$server_name", ' ' "server_name": "$server_name", '
' "server_port": "$server_port", ' ' "server_port": "$server_port", '
' "status": "$status", ' ' "status": "$status", '

9
roles/nginx/templates/sudo-known.conf.j2
View File

@ -23,3 +23,12 @@ location = /.sudo-known/info.html {
default_type text/html; default_type text/html;
return 200 '<!--\n hostname: {{ inventory_hostname }}\n server_name: $server_name\n-->\n\n '; return 200 '<!--\n hostname: {{ inventory_hostname }}\n server_name: $server_name\n-->\n\n ';
} }
location = /.sudo-known/header.html {
default_type text/html;
alias /var/www/shared/header.html;
}
location = /.sudo-known/footer.html {
default_type text/html;
alias /var/www/shared/footer.html;
}

3
roles/paperless-ngx/defaults/main.yml Normal file
View File

@ -0,0 +1,3 @@
---
paperless_user_specific_urls: true

28
roles/paperless-ngx/files/common_consume.py Normal file
View File

@ -0,0 +1,28 @@
#!/usr/bin/env python3
ben marked this conversation as resolved Outdated
ben commented 2022-10-14 20:31:21 +00:00
Outdated
Review
Copy Link

this file needs a better name, like common_consume_logger.py.

this file needs a better name, like `common_consume_logger.py`.
import json
from os import environ, path
from datetime import datetime
DATA_DIR = environ.get("PAPERLESS_DATA_DIR", "../data/")
LOGGING_DIR = environ.get("PAPERLESS_LOGGING_DIR", path.join(DATA_DIR, "log/"))
def logger(env_vars, consume_stage):
# paperless-ngx has a hardcoded log file name anyay
log_path = path.join(LOGGING_DIR, "consume.log")
log_item = {k.lower(): environ.get(k) for k in env_vars}
log_item.update({
"timestamp": datetime.now().isoformat(),
"paperless_user": environ.get("PAPERLESS_USER"),
"log_path": log_path,
"paperless_consume_stage": consume_stage
})
with open(log_path, 'a') as f:
#j = json.dumps(log_item, indent=2)
j = json.dumps(log_item)
f.write(j)
f.write("\n")

BIN
roles/paperless-ngx/files/favicon.ico Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 108 KiB

26
roles/paperless-ngx/files/post-consume.py Executable file
View File

@ -0,0 +1,26 @@
#!/usr/bin/env python3
from common_consume import logger
ben marked this conversation as resolved Outdated
ben commented 2022-10-14 20:32:01 +00:00
Outdated
Review
Copy Link

this file should be named something like post-consome-logger and do

from common_consome_logger import logger
this file should be named something like `post-consome-logger` and do ```python3 from common_consome_logger import logger ```
😆 1
def main():
post_consume_vars = [
"DOCUMENT_ID",
"DOCUMENT_FILE_NAME",
"DOCUMENT_CREATED",
"DOCUMENT_MODIFIED",
"DOCUMENT_ADDED",
"DOCUMENT_SOURCE_PATH",
"DOCUMENT_ARCHIVE_PATH",
"DOCUMENT_THUMBNAIL_PATH",
"DOCUMENT_DOWNLOAD_URL",
"DOCUMENT_THUMBNAIL_URL",
"DOCUMENT_CORRESPONDENT",
"DOCUMENT_TAGS",
"DOCUMENT_ORIGINAL_FILENAME"
]
logger(post_consume_vars, "post")
if __name__ == "__main__":
main()

14
roles/paperless-ngx/files/pre-consume.py Executable file
View File

@ -0,0 +1,14 @@
#!/usr/bin/env python3
from common_consume import logger
def main():
pre_consume_vars = [
"DOCUMENT_SOURCE_PATH"
]
logger(pre_consume_vars, "pre")
if __name__ == "__main__":
main()

11
roles/paperless-ngx/handlers/main.yml
View File

@ -4,3 +4,14 @@
service: service:
name: nginx name: nginx
state: reloaded state: reloaded
- name: restart filebeat
service:
name: filebeat
state: restarted
- name: restart paperless-ngx
docker_container:
name: paperless-ngx-user-{{ paperless_user }}
state: started
restart: true

4
roles/paperless-ngx/tasks/main.yml
View File

@ -1,3 +1,5 @@
--- ---
- import_tasks: paperless-ngx.yml - import_tasks: paperless-ngx.yml
tags: paperless-ngx tags:
- paperless-ngx
- paperless

238
roles/paperless-ngx/tasks/paperless-ngx.yml
View File

@ -39,30 +39,83 @@
tags: tags:
- mariadb-users - mariadb-users
- name: create dir structure - name: create dir structure for paperless-ngx
file: file:
path: "{{ systemuserlist.paperless.home }}/{{ item.name }}" path: "{{ systemuserlist.paperless.home }}/{{ item.name }}"
state: directory state: directory
mode: 0775 mode: 0775
owner: "{{ item.owner|default('paperless') }}" owner: "{{ item.owner|default('paperless') }}"
group: "{{ item.group|default('paperless') }}" group: "{{ item.group|default('paperless') }}"
tags:
- paperless-dirs
with_items: with_items:
# checked dockerfile: https://github.com/docker-library/redis/blob/master/7.0/Dockerfile # checked dockerfile: https://github.com/docker-library/redis/blob/master/7.0/Dockerfile
- name: redis - name: redis
owner: 999 owner: 999
group: 999 group: 999
- name: redis/data - name: redis/data-{{ paperless_user }}
owner: 999 owner: 999
group: 999 group: 999
- name: paperless-ngx - name: paperless-ngx
- name: paperless-ngx/bin
- name: paperless-ngx/data - name: paperless-ngx/data
- name: paperless-ngx/media - name: paperless-ngx/data/{{ paperless_user }}
- name: paperless-ngx/export owner: "{{ paperless_user }}"
- name: paperless-ngx/consume group: "{{ paperless_user }}"
- name: redis container for paperless-nx - name: ensure {{ paperless_users_path }} exists
file:
path: "{{ paperless_users_path }}"
state: directory
mode: 0755
owner: paperless
group: paperless
tags:
- paperless-dirs
- name: ensure {{ paperless_users_path }}/{{ paperless_user }} exists
file:
path: "{{ paperless_users_path }}/{{ paperless_user }}"
state: directory
mode: 0750
owner: "{{ paperless_user }}"
group: "{{ paperless_user }}"
tags:
- paperless-dirs
- name: create dir structure for user in {{ paperless_users_path }}/{{ paperless_user }}}
file:
path: "{{ paperless_users_path }}/{{ paperless_user }}/{{ item }}"
state: directory
mode: 0750
owner: "{{ paperless_user }}"
group: "{{ paperless_user }}"
tags:
- paperless-dirs
with_items:
- media
- media/trash
- export
- consume
- name: paperless scripts
copy:
src: "{{ item }}"
dest: "{{ systemuserlist.paperless.home }}/paperless-ngx/bin/{{ item }}"
owner: paperless
group: paperless
mode: 0775
with_items:
- common_consume.py
- post-consume.py
- pre-consume.py
tags:
- paperless-scripts
- paperless-bin
- name: redis container for paperless-ngx user {{ paperless_user }}
docker_container: docker_container:
name: paperless-ngx-redis name: paperless-ngx-redis-{{ paperless_user }}
image: "redis:latest" image: "redis:latest"
restart_policy: "unless-stopped" restart_policy: "unless-stopped"
auto_remove: false auto_remove: false
@ -71,7 +124,7 @@
state: started state: started
container_default_behavior: compatibility container_default_behavior: compatibility
env: env:
REDIS_HOST: paperless-ngx-redis REDIS_HOST: paperless-ngx-redis-{{ paperless_user }}
networks_cli_compatible: false networks_cli_compatible: false
networks: networks:
- name: bridgewithdns - name: bridgewithdns
@ -82,7 +135,7 @@
test: "redis-cli --raw incr ping" test: "redis-cli --raw incr ping"
mounts: mounts:
- type: bind - type: bind
source: "{{ systemuserlist.paperless.home }}/redis/data" source: "{{ systemuserlist.paperless.home }}/redis/data-{{ paperless_user }}"
target: /data target: /data
tags: tags:
- paperless-containers - paperless-containers
@ -91,6 +144,62 @@
- paperless-ngx-redis - paperless-ngx-redis
- redis - redis
# https://tika.apache.org/
# used to convert office documents
- name: tika container for paperless-ngx
docker_container:
name: paperless-ngx-tika
image: "ghcr.io/paperless-ngx/tika:latest"
restart_policy: "unless-stopped"
auto_remove: false
detach: true
pull: true
state: started
container_default_behavior: compatibility
networks_cli_compatible: false
networks:
- name: bridgewithdns
tags:
- paperless-containers
- paperless-ngx-containers
- docker-containers
- paperless-ngx-tika
- tika-container
# https://gotenberg.dev/
# also used for office documents, converting them
- name: gotenberg container for paperless-ngx
docker_container:
name: paperless-ngx-gotenberg
image: "docker.io/gotenberg/gotenberg:7"
restart_policy: "unless-stopped"
auto_remove: false
detach: true
pull: true
state: started
container_default_behavior: compatibility
networks_cli_compatible: false
networks:
- name: bridgewithdns
env:
CHROMIUM_DISABLE_ROUTES: "1"
tags:
- paperless-containers
- paperless-ngx-containers
- docker-containers
- paperless-ngx-gotenberg
- gotenberg-container
- name: template {{ paperless_user }}.env
template:
src: paperless-ngx.env.j2
dest: "{{ systemuserlist.paperless.home }}/paperless-ngx/{{ paperless_user }}.env"
owner: root
group: root
mode: 0750
tags:
- paperless-config
# https://github.com/paperless-ngx/paperless-ngx/blob/main/Dockerfile # https://github.com/paperless-ngx/paperless-ngx/blob/main/Dockerfile
# uid stuff docs: https://paperless-ngx.readthedocs.io/en/latest/setup.html?highlight=usermap # uid stuff docs: https://paperless-ngx.readthedocs.io/en/latest/setup.html?highlight=usermap
# uid stuff source: https://github.com/paperless-ngx/paperless-ngx/blob/main/docker/docker-entrypoint.sh#L37 # uid stuff source: https://github.com/paperless-ngx/paperless-ngx/blob/main/docker/docker-entrypoint.sh#L37
@ -106,9 +215,10 @@
# tika: metadata extracter # tika: metadata extracter
# #
# proxy auth for authelia: https://paperless-ngx.readthedocs.io/en/latest/configuration.html?highlight=auth#hosting-security # proxy auth for authelia: https://paperless-ngx.readthedocs.io/en/latest/configuration.html?highlight=auth#hosting-security
- name: start paperless-ngx-webserver container - name: start paperless-ngx-webserver container
docker_container: docker_container:
name: paperless-ngx-webserver name: paperless-ngx-user-{{ paperless_user }}
image: ghcr.io/paperless-ngx/paperless-ngx:latest image: ghcr.io/paperless-ngx/paperless-ngx:latest
restart_policy: "unless-stopped" restart_policy: "unless-stopped"
auto_remove: false auto_remove: false
@ -124,38 +234,21 @@
ipv4_address: "{{ bridgewithdns['paperless-ngx-webserver'] }}" ipv4_address: "{{ bridgewithdns['paperless-ngx-webserver'] }}"
mounts: mounts:
- type: bind - type: bind
source: "{{ systemuserlist.paperless.home }}/paperless-ngx/data" source: "{{ systemuserlist.paperless.home }}/paperless-ngx/data/{{ paperless_user }}"
target: /usr/src/paperless/data target: /usr/src/paperless/data
- type: bind - type: bind
source: "{{ systemuserlist.paperless.home }}/paperless-ngx/media" source: "{{ paperless_users_path }}/{{ paperless_user }}/media"
target: /usr/src/paperless/media target: /usr/src/paperless/media
- type: bind - type: bind
source: "{{ systemuserlist.paperless.home }}/paperless-ngx/export" source: "{{ paperless_users_path }}/{{ paperless_user }}/export"
target: /usr/src/paperless/export target: /usr/src/paperless/export
- type: bind - type: bind
source: "{{ systemuserlist.paperless.home }}/paperless-ngx/consume" source: "{{ paperless_users_path }}/{{ paperless_user }}/consume"
target: /usr/src/paperless/consume target: /usr/src/paperless/consume
env: - type: bind
USERMAP_UID: "{{ systemuserlist.paperless.uid }}" source: "{{ systemuserlist.paperless.home }}/paperless-ngx/bin"
USERMAP_GID: "{{ systemuserlist.paperless.gid }}" target: /usr/src/paperless/bin/
PAPERLESS_URL: "https://{{ paperless_url }}" env_file: "{{ systemuserlist.paperless.home }}/paperless-ngx/{{ paperless_user }}.env"
PAPERLESS_SECRET_KEY: "{{ paperless_secret_key }}"
PAPERLESS_OCR_LANGUAGES: "{{ paperless_ocr_langs }}"
PAPERLESS_OCR_LANGUAGE: "{{ paperless_ocr_default_lang }}"
PAPERLESS_REDIS: redis://paperless-ngx-redis:6379
PAPERLESS_DBENGINE: mariadb
PAPERLESS_DBHOST: "{{ mariadb_host }}"
PAPERLESS_DBNAME: "{{ mariadb_db }}"
PAPERLESS_DBUSER: "{{ systemuserlist.paperless.username }}"
PAPERLESS_DBPASS: "{{ systemuserlist.paperless.mariadb_pass }}"
PAPERLESS_DBPORT: "3306"
PAPERLESS_TIME_ZONE: UTC
PAPERLESS_ADMIN_USER: "{{ paperless_admin_user }}"
PAPERLESS_ADMIN_MAIL: "{{ paperless_admin_email }}"
PAPERLESS_ADMIN_PASSWORD: "{{ paperless_admin_passwd }}"
# AUTH
PAPERLESS_ENABLE_HTTP_REMOTE_USER: "true"
PAPERLESS_LOGOUT_REDIRECT_URL: "https://{{ authelia_login_url }}/logout"
healthcheck: healthcheck:
test: ["CMD", "curl", "-f", "http://localhost:8000"] test: ["CMD", "curl", "-f", "http://localhost:8000"]
interval: 30s interval: 30s
@ -163,6 +256,8 @@
retries: 5 retries: 5
tags: tags:
- paperless-containers - paperless-containers
- paperless-container
- paperless-config
- paperless-ngx-containers - paperless-ngx-containers
- paperless-ngx-container - paperless-ngx-container
- docker-containers - docker-containers
@ -182,10 +277,69 @@
with_items: with_items:
- "{{ paperless_url }}" - "{{ paperless_url }}"
- name: make www dirs
file:
state: directory
path: /var/www/{{ item }}
owner: www-data
group: www-data
mode: 0755
loop_control:
label: /var/www/{{ item }}
with_items:
- "{{ paperless_url }}"
# helper dir for try_file
- "{{ paperless_url }}/{{ paperless_user }}"
tags:
- paperless-nginx
- name: template index file for user if user specific urls
template:
src: paperless_user.html.j2
dest: /var/www/{{ paperless_url }}/{{ paperless_user }}.html
owner: www-data
group: www-data
mode: 0755
tags:
- paperless-nginx
when:
- paperless_user_specific_urls
- name: remove index files for user if not user specific urls
file:
state: absent
dest: /var/www/{{ paperless_url }}/{{ paperless_user }}.html
tags:
- paperless-nginx
when:
- not paperless_user_specific_urls
- name: template whoami.json
template:
src: "{{ item }}.j2"
dest: /var/www/{{ paperless_url }}/{{ item }}
owner: www-data
group: www-data
mode: 0644
with_items:
- whoami.json
tags:
- paperless-nginx
- name: add favicon
copy:
src: favicon.ico
dest: /var/www/{{ paperless_url }}/favicon.ico
owner: www-data
group: www-data
mode: 0755
tags:
- paperless-nginx
- name: template nginx vhost for paperless - name: template nginx vhost for paperless
template: template:
src: 01-paperless.j2 src: 01-paperless.j2
dest: /etc/nginx/sites-enabled/01-paperless dest: /etc/nginx/sites-enabled/01-{{ paperless_url }}
owner: root owner: root
group: root group: root
mode: 0644 mode: 0644
@ -193,3 +347,15 @@
- nginx - nginx
- paperless-nginx - paperless-nginx
notify: reload nginx notify: reload nginx
- name: template filebeat config
template:
src: filebeat-paperless.yml.j2
dest: "/etc/filebeat/inputs.d/paperless-{{ paperless_user }}.yml"
owner: root
group: root
mode: 0644
tags:
- filebeat
- filebeat-paperless-ngx
notify: restart filebeat

80
roles/paperless-ngx/templates/01-paperless-same-urls.j2 Normal file
View File

@ -0,0 +1,80 @@
map $authelia_user $paperless_upstream {
ben {{ bridgewithdns['paperless-ngx-webserver'] }}:8000;
#default localhost:8000;
}
# cant use variables in the regex of a map
map $uri $paperless_uri {
'/$authelia_user' '/$authelia_user/';
}
server {
listen 443 ssl http2;
{% if inventory_hostname in wg_clients -%}
listen {{ wg_clients[inventory_hostname].ip }}:443 ssl http2;
{% endif -%}
root /var/www/{{ paperless_url }};
server_name {{ paperless_url }};
include listen-proxy-protocol.conf;
include /etc/nginx/authelia_internal.conf;
include /etc/nginx/sudo-known.conf;
resolver {{ pihole_dns }} ipv6=off;
# set_real_ip_from 10.0.0.0/8;
# set_real_ip_from 172.16.0.0/12;
# set_real_ip_from 192.168.0.0/16;
# set_real_ip_from fc00::/7;
# real_ip_header X-Forwarded-For;
# real_ip_recursive on;
include /etc/nginx/require_auth.conf;
if ($paperless_uri)
{
rewrite ^/(\w+)$ $1/ last;
}
location / {
include /etc/nginx/require_auth_proxy.conf;
# both work!
set $paperless_user $authelia_user;
#set $paperless_user $1;
# this also works! (but not if you use return)
#add_header "paperless-authelia-user" $authelia_user always;
set $paperless_user $authelia_user;
add_header "paperless-user" $authelia_user always;
add_header "paperless-uri" $uri always;
add_header "paperless-proxy" "true" always;
add_header "paperless-location-root" "true" always;
add_header "paperless-upstream" $paperless_upstream always;
# rewrite ^ $request_uri;
#rewrite '^/\w*(/ws/.*)$' $1 break;
proxy_http_version 1.1;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection "upgrade";
proxy_redirect off;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Host $server_name;
proxy_pass http://$paperless_upstream;
}
access_log /var/log/nginx/access_{{ paperless_url }}.log main;
error_log /var/log/nginx/error_{{ paperless_url }}.log warn;
ssl_session_timeout 5m;
ssl_certificate /usr/local/etc/certs/{{ paperless_url }}/fullchain.pem;
ssl_certificate_key /usr/local/etc/certs/{{ paperless_url }}/privkey.pem;
fastcgi_hide_header X-Powered-By;
}

71
roles/paperless-ngx/templates/01-paperless.j2
View File

@ -1,16 +1,21 @@
map $authelia_user $paperless_upstream {
{{ paperless_user }} {{ bridgewithdns['paperless-ngx-webserver'] }}:8000;
}
server { server {
listen 443 ssl http2; listen 443 ssl http2;
{% if inventory_hostname in wg_clients -%} {% if inventory_hostname in wg_clients -%}
listen {{ wg_clients[inventory_hostname].ip }}:443 ssl http2; listen {{ wg_clients[inventory_hostname].ip }}:443 ssl http2;
{% endif -%} {% endif -%}
include /etc/nginx/authelia_internal.conf; root /var/www/{{ paperless_url }};
include listen-proxy-protocol.conf;
include /etc/nginx/sudo-known.conf;
server_name {{ paperless_url }}; server_name {{ paperless_url }};
include listen-proxy-protocol.conf;
include /etc/nginx/authelia_internal.conf;
include /etc/nginx/sudo-known.conf;
resolver {{ pihole_dns }} ipv6=off;
# set_real_ip_from 10.0.0.0/8; # set_real_ip_from 10.0.0.0/8;
# set_real_ip_from 172.16.0.0/12; # set_real_ip_from 172.16.0.0/12;
@ -19,11 +24,56 @@ server {
# real_ip_header X-Forwarded-For; # real_ip_header X-Forwarded-For;
# real_ip_recursive on; # real_ip_recursive on;
include /etc/nginx/require_auth.conf;
location = / {
add_before_body /.sudo-known/header.html;
add_after_body /.sudo-known/footer.html;
add_header "paperless-user" $authelia_user always;
add_header "paperless-uri" $uri always;
add_header "paperless-proxy" "false" always;
add_header "paperless-location-root" "true" always;
# if there is no file '$authelia_user.html', nginx issues
# a redirect to /$authelia_user/ instead (via an internal
# location)
try_files /$authelia_user.html /_redirect?user=$authelia_user;
}
location / { location / {
include /etc/nginx/require_auth.conf; # this block serves files from the www root (/whoami, mostly), unless
# there is a directory with the same name as $uri is looking for (without
# the leading /, then it gets caught by the regexp location), then it will
# redirect to $uri/ which should be caught by the regexp block, otherwise
# a 404 is returned.
# theres no logic in the nginx config for this, it just depends on try_files
# finding a dir with the matching name, then nginx will issue a redirect, and
# is probably expecting to serve up files from that dir next.
add_header "paperless-user" $authelia_user always;
add_header "paperless-uri" $uri always;
add_header "paperless-proxy" "false" always;
add_header "paperless-location-root" "false" always;
try_files $uri $uri/ =404;
}
location /_redirect {
internal;
}
location ~* ^/(?<paperless_user>\w+)/(.*)$ {
include /etc/nginx/require_auth_proxy.conf; include /etc/nginx/require_auth_proxy.conf;
proxy_pass http://{{ bridgewithdns['paperless-ngx-webserver'] }}:8000; # both work!
#set $paperless_user $authelia_user;
#set $paperless_user $1;
# this also works! (but not if you use return)
#add_header "paperless-authelia-user" $authelia_user always;
# rewrite ^ $request_uri;
rewrite '^/\w*(/ws/.*)$' $1 break;
proxy_http_version 1.1; proxy_http_version 1.1;
proxy_set_header Upgrade $http_upgrade; proxy_set_header Upgrade $http_upgrade;
@ -34,6 +84,13 @@ server {
proxy_set_header X-Real-IP $remote_addr; proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Host $server_name; proxy_set_header X-Forwarded-Host $server_name;
add_header "paperless-user" $authelia_user always;
add_header "paperless-uri" $uri always;
add_header "paperless-proxy" "true" always;
add_header "paperless-upstream" $paperless_upstream always;
proxy_pass http://$paperless_upstream;
} }
access_log /var/log/nginx/access_{{ paperless_url }}.log main; access_log /var/log/nginx/access_{{ paperless_url }}.log main;

38
roles/paperless-ngx/templates/filebeat-paperless.yml.j2 Normal file
View File

@ -0,0 +1,38 @@
- type: filestream
paths:
- "{{ systemuserlist.paperless.home }}/paperless-ngx/data/{{ paperless_user }}/log/consume.log"
scan_frequency: 10s
enabled: true
parsers:
- ndjson:
keys_under_root: true
add_error_key: true
fields_under_root: true
fields:
service.type: paperless
consume: true
#paperless_user: "{{ paperless_user }}"
tags:
- paperless
- consumer
- type: filestream
paths:
- "{{ systemuserlist.paperless.home }}/paperless-ngx/data/{{ paperless_user }}/log/paperless.log"
- "{{ systemuserlist.paperless.home }}/paperless-ngx/data/{{ paperless_user }}/log/mail.log"
scan_frequency: 10s
enabled: true
fields_under_root: true
fields:
service.type: paperless
paperless_user: "{{ paperless_user }}"
tags:
- paperless

52
roles/paperless-ngx/templates/paperless-ngx.env.j2 Normal file
View File

@ -0,0 +1,52 @@
PAPERLESS_URL=https://{{ paperless_url }}
PAPERLESS_SECRET_KEY={{ paperless_secret_key }}
PAPERLESS_DBENGINE=mariadb
PAPERLESS_DBHOST={{ mariadb_host }}
PAPERLESS_DBNAME={{ mariadb_db }}
PAPERLESS_DBUSER={{ systemuserlist.paperless.username }}
PAPERLESS_DBPASS={{ systemuserlist.paperless.mariadb_pass }}
PAPERLESS_DBPORT=3306
PAPERLESS_TIME_ZONE=UTC
# USER
USERMAP_UID={{ userlist[paperless_user]['uid'] }}
USERMAP_GID={{ userlist[paperless_user]['gid'] }}
{% if paperless_user_specific_urls -%}
PAPERLESS_FORCE_SCRIPT_NAME=/{{ paperless_user }}
PAPERLESS_STATIC_URL=/{{ paperless_user }}/static/
{% endif %}
# FILES
PAPERLESS_FILENAME_FORMAT_REMOVE_NONE=true
PAPERLESS_TRASH_DIR=../media/trash
#PAPERLESS_FILENAME_FORMAT={{ paperless_filename_format }}
# OCR
# see=https://ocrmypdf.readthedocs.io/en/latest/api.html#reference
# PAPERLESS_OCR_USER_ARGS=<json>
PAPERLESS_OCR_CLEAN=clean
PAPERLESS_OCR_MODE={{ paperless_ocr_mode }}
# lang codes=https://www.loc.gov/standards/iso639-2/php/code_list.php
PAPERLESS_OCR_LANGUAGES={{ paperless_ocr_langs|join(' ') }}
PAPERLESS_OCR_LANGUAGE={{ paperless_ocr_langs|join('+') }}
# INITIAL ADMIN USER
PAPERLESS_ADMIN_USER={{ paperless_admin_user }}
PAPERLESS_ADMIN_MAIL={{ paperless_admin_email }}
PAPERLESS_ADMIN_PASSWORD={{ paperless_admin_passwd }}
# DATES
PAPERLESS_IGNORE_DATES={{ userlist[paperless_user]['birthday'] }},1970-01-01
PAPERLESS_NUMBER_OF_SUGGESTED_DATES=5
# AUTH
PAPERLESS_ENABLE_HTTP_REMOTE_USER=true
PAPERLESS_LOGOUT_REDIRECT_URL=https://{{ authelia_login_url }}/logout
# CONSUMER
PAPERLESS_POST_CONSUME_SCRIPT=/usr/src/paperless/bin/post-consume.py
PAPERLESS_PRE_CONSUME_SCRIPT=/usr/src/paperless/bin/pre-consume.py
PAPERLESS_CONSUMER_RECURSIVE=true
PAPERLESS_CONSUMER_SUBDIRS_AS_TAG=true
# (default) leave duplicates
PAPERLESS_CONSUMER_DELETE_DUPLICATES=false
# REDIS, TIKA, GOTENBERG
PAPERLESS_REDIS=redis://paperless-ngx-redis-{{ paperless_user }}:6379
PAPERLESS_TIKA_ENABLED=true
PAPERLESS_TIKA_ENDPOINT=http://paperless-ngx-tika:9998
PAPERLESS_TIKA_GOTENBERG_ENDPOINT=http://paperless-ngx-gotenberg:3000
# CUSTOM
PAPERLESS_USER={{ paperless_user }}

41
roles/paperless-ngx/templates/paperless_user.html.j2 Normal file
View File

@ -0,0 +1,41 @@
<div class="terminal">
<div class="pagetitle">{{ paperless_url }} | {{ paperless_user }}</div>
<ul>
<li class="icon">
<a href="/ben">/ben</a>
</li>
</ul>
</div>
<div class="terminal">
<div class="subpagetitle">> shared</div>
<ul>
<li class="icon">
<a href="/petstore">/petstore</a>
</li>
</ul>
</div>
{{ inventory_hostname }}
<script>
window.onload = function() {
console.log(document.location);
if (document.location == "https://{{ paperless_url }}/") {
var xhr = new XMLHttpRequest();
xhr.addEventListener("load", function() {
paperless_user = xhr.getResponseHeader("Paperless-User").toLowerCase();
redirect = "https://{{ paperless_url }}/" + paperless_user + "/";
console.log(redirect)
setTimeout(function() {
window.location.replace(redirect);
}, 10000);
}, false);
xhr.open('GET', "/whoami.json");
xhr.send();
}
}
</script>

1
roles/paperless-ngx/templates/whoami.json.j2 Normal file
View File

@ -0,0 +1 @@
{{ {} | to_nice_json() }}