diff --git a/paperless/init.sls b/paperless/init.sls
index 6d9b64a..761f020 100644
--- a/paperless/init.sls
+++ b/paperless/init.sls
@@ -8,10 +8,63 @@ paperless-data-directory-exists:
 - name: /opt/paperless/webserver
 - makedirs: True
+python3-pip:
+ pkg.installed
+
+# https://github.com/saltstack/salt/issues/61004
+python-pip-uptodate:
+ pip.installed:
+ - require:
+ - pkg: python3-pip
+ - pkgs:
+ - pip
+ - upgrade: True
+
+# https://bugs.launchpad.net/ubuntu/+source/python-docker/+bug/2066926
+# https://packages.debian.org/source/sid/python-docker
+# does not work
+# python-docker-package:
+# pkg.installed:
+# - name: python3-docker
+
+# https://stackoverflow.com/a/78224409
+# https://github.com/docker/docker-py/issues/3113
+# https://github.com/saltstack/salt/issues/62689
+docker-requirements:
+ pip.installed:
+ - require:
+ - pkg: python3-pip
+ - pkgs:
+ # - docker==6.1.3
+ # - docker==7.0.0
+ - docker==7.1.0
+ # - docker==5.0.3
+ # - docker-py==1.10.5
+ # - requests<2.29.0
+ # - urllib3<2.0
+
+# other errors that were encountered
+# keyerror http+docker
+# https://github.com/geerlingguy/ansible-role-docker/issues/462
+# https://github.com/docker/docker-py/issues/3279
+# unexpected keyword argument 'chunked'
+# https://github.com/saltstack/salt/issues/65526
+# 'docker.version' is not available
+# https://github.com/saltstack/salt/issues/53836
+# https://github.com/saltstack/salt/issues/54449
+# https://github.com/saltstack/salt/issues/62602
+# network is always recreated
+# https://github.com/saltstack/salt/issues/66408
+
+# otherwise it complains about scope attribute, similar to
+# https://github.com/saltstack/salt/issues/50194
+# https://github.com/saltstack/salt/issues/51009
+# but it should be possible according to docs
+# https://docs.saltproject.io/en/latest/ref/states/all/salt.states.docker_network.html#salt.states.docker_network.present
 docker-network-paperless-exists:
 docker_network.present:
 - name: paperless-network
- - scope: local
+ # - scope: local
 broker-docker-container-running:
 docker_container.running:
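Review bot: `python-pip-uptodate` lists `pip` unpinned together with `upgrade: True`, so every highstate installs whatever pip release PyPI serves at that moment; runs are not reproducible and a bad or compromised release reaches the host without anyone reviewing the version. Pin it the way `docker==7.1.0` is pinned, e.g. `- pip==<pinned-version>` (placeholder), and bump it deliberately. `docker-network-paperless-exists` is the first state that needs the `docker` library, yet only file order ties it to `docker-requirements`; adding `- require:` / `- pip: docker-requirements` to the network state makes the dependency explicit instead of relying on ordering. The commented-out candidate versions inside `pkgs:` would read better as part of the explanatory comment block above, leaving the list with only what is actually installed.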
@@ -47,6 +100,28 @@ tika-docker-container-running:
 - networks:
 - paperless-network
+# Attempt to fix json with pillar variables in variable
+{% set client_secret = salt['pillar.get']('paperless:webserver:keycloak:client_secret', '') %}
+{% set oauth_server = salt['pillar.get']('paperless:webserver:keycloak:server_url', 'https:///realms//.well-known/openid-configuration') %}
+
+{% set PAPERLESS_SOCIALACCOUNT_PROVIDER =
+ {
+ 'openid_connect': {
+ 'APPS': [
+ {
+ 'provider_id': 'keycloak',
+ 'name': 'Keycloak',
+ 'client_id': 'paperless',
+ 'secret': client_secret,
+ 'settings': {
+ 'server_url': oauth_server
+ }
+ }
+ ]
+ }
+ }
+%}
+
 paperless-docker-container-running:
 docker_container.running:
 # The Docker setup does not use the configuration file.
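Review bot: Both pillar lookups fall back to values that cannot work — `''` for `client_secret` and the host-less `https:///realms//.well-known/openid-configuration` for `server_url` — so a missing or misspelled pillar key renders cleanly and only surfaces later as a broken SSO login on the container. Fail the render instead: `{% if not client_secret %}{{ raise('paperless:webserver:keycloak:client_secret is not set') }}{% endif %}`, with the same guard for `oauth_server`. The comment `# Attempt to fix json with pillar variables in variable` describes a past struggle rather than the code; `# Provider config built as a Jinja dict so pillar values are substituted before it is serialised into the container environment` tells a reader what the block is for.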
@@ -63,18 +138,16 @@ paperless-docker-container-running:
 - PAPERLESS_TIKA_ENDPOINT={{ salt['pillar.get']('paperless:webserver:environment:tika_endpoint', 'http://tika:9998') }}
 - PAPERLESS_TIKA_GOTENBERG_ENDPOINT={{ salt['pillar.get']('paperless:webserver:environment:tika_gotenberg_endpoint', 'http://gotenberg:3000') }}
- # - PAPERLESS_ENABLE_HTTP_REMOTE_USER={{ salt['pillar.get']('', 'false') }}
- # - PAPERLESS_ENABLE_HTTP_REMOTE_USER_API={{ salt['pillar.get']('', 'false') }}
- # - PAPERLESS_SECRET_KEY={{ salt['pillar.get']('paperless:webserver:environment:secret_key', 'change-me') }}
- # - PAPERLESS_URL={{ salt['pillar.get']('paperless:webserver:environment:url', 'https://paperless.flipdot.org') }}
+ - PAPERLESS_APPS=allauth.socialaccount.providers.openid_connect
+ - PAPERLESS_SOCIALACCOUNT_PROVIDER="{{ PAPERLESS_SOCIALACCOUNT_PROVIDER }}"
+ - PAPERLESS_DISABLE_REGULAR_LOGIN={{ salt['pillar.get']('paperless:webserver:environment:disable_regular_login', 'true') }}
+ - PAPERLESS_REDIRECT_LOGIN_TO_SSO={{ salt['pillar.get']('paperless:webserver:environment:redirect_login_to_sso', 'true') }}
- - PAPERLESS_APPS="allauth.socialaccount.providers.openid_connect"
- - PAPERLESS_SOCIALACCOUNT_PROVIDERS='{"openid_connect": {"APPS": [{"provider_id": "keycloak", "name": "Keycloak", "client_id": "paperless", "secret": {{ salt['pillar.get']('paperless:webserver:keycloak:client_secret', '') }}, "settings": {"server_url": {{ salt['pillar.get']('paperless:webserver:keycloak:server_url', 'https:///realms//.well-known/openid-configuration') }} }}]}}'
+ - PAPERLESS_ADMIN_USER={{ salt['pillar.get']('paperless:webserver:environment:admin_user', 'admin') }}
+ - PAPERLESS_ADMIN_PASSWORD={{ salt['pillar.get']('paperless:webserver:environment:admin_password', 'change-me') }}
 - restart: always
 - networks:
 - paperless-network
- - extra_hosts:
- - ldap.flipdot.space:192.168.3.233
 - binds:
 - /opt/paperless/webserver/data:/usr/src/paperless/data
 - /opt/paperless/webserver/media:/usr/src/paperless/media
diff --git a/pillar.example b/pillar.example
index 16311d4..4e1c7af 100644
--- a/pillar.example
+++ b/pillar.example
@@ -36,6 +36,9 @@ paperless:
 # (if doing so please consider security measures such as reverse proxy)
 # url=https://paperless.flipdot.org
+ admin_user: admin
+ admin_password: change-me
+
 keycloak:
 client_secret:
 server_url: https:///realms//.well-known/openid-configuration
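Review bot: The new variable name `PAPERLESS_SOCIALACCOUNT_PROVIDER` drops the trailing `S` that the removed line used (`PAPERLESS_SOCIALACCOUNT_PROVIDERS` is the setting paperless-ngx reads), so the provider configuration is silently ignored; with `PAPERLESS_DISABLE_REGULAR_LOGIN` and `PAPERLESS_REDIRECT_LOGIN_TO_SSO` both defaulting to `true`, that leaves no working login at all. Rendering the Jinja dict with a bare `{{ PAPERLESS_SOCIALACCOUNT_PROVIDER }}` also produces a Python repr with single quotes rather than JSON, and the surrounding `"…"` become part of the value because the list item is a plain scalar; `- 'PAPERLESS_SOCIALACCOUNT_PROVIDERS={{ PAPERLESS_SOCIALACCOUNT_PROVIDER | json }}'` emits JSON and keeps the `: ` inside it from being read as a YAML mapping (pillar values containing `'` would still need escaping). `PAPERLESS_ADMIN_PASSWORD` falling back to `change-me` provisions the admin account with a publicly known password whenever `paperless:webserver:environment:admin_password` is absent from pillar; drop the default so the render fails rather than deploying a guessable credential. The `paperless-docker-container-running` state this hunk edits starts before the hunk.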