FFS this environment variable

2024-10-04 22:02:38 +02:00 · 2024-10-04 22:02:38 +02:00 · cef3f9a5e4
commit cef3f9a5e4
parent 4cf8c5c7d4
2 changed files with 85 additions and 9 deletions
--- a/paperless/init.sls
+++ b/paperless/init.sls
@ -8,10 +8,63 @@ paperless-data-directory-exists:
    - name: /opt/paperless/webserver
    - makedirs: True

+python3-pip:
+  pkg.installed
+
+# https://github.com/saltstack/salt/issues/61004
+python-pip-uptodate:
+  pip.installed:
+    - require:
+      - pkg: python3-pip
+    - pkgs:
+      - pip
+    - upgrade: True
+
+# https://bugs.launchpad.net/ubuntu/+source/python-docker/+bug/2066926
+# https://packages.debian.org/source/sid/python-docker
+# does not work
+# python-docker-package:
+#   pkg.installed:
+#   - name: python3-docker
+
+# https://stackoverflow.com/a/78224409
+# https://github.com/docker/docker-py/issues/3113
+# https://github.com/saltstack/salt/issues/62689
+docker-requirements:
+  pip.installed:
+    - require:
+      - pkg: python3-pip
+    - pkgs:
+      # - docker==6.1.3
+      # - docker==7.0.0
+      - docker==7.1.0
+      # - docker==5.0.3
+      # - docker-py==1.10.5
+      # - requests<2.29.0
+      # - urllib3<2.0
+
+# other errors that were encountered
+# keyerror http+docker
+# https://github.com/geerlingguy/ansible-role-docker/issues/462
+# https://github.com/docker/docker-py/issues/3279
+# unexpected keyword argument 'chunked'
+# https://github.com/saltstack/salt/issues/65526
+# 'docker.version' is not available
+# https://github.com/saltstack/salt/issues/53836
+# https://github.com/saltstack/salt/issues/54449
+# https://github.com/saltstack/salt/issues/62602
+# network is always recreated
+# https://github.com/saltstack/salt/issues/66408
+
+# otherwise it complains about scope attribute, similar to
+# https://github.com/saltstack/salt/issues/50194
+# https://github.com/saltstack/salt/issues/51009
+# but it should be possible according to docs
+# https://docs.saltproject.io/en/latest/ref/states/all/salt.states.docker_network.html#salt.states.docker_network.present
 docker-network-paperless-exists:
  docker_network.present:
    - name: paperless-network
-    - scope: local
+    # - scope: local

 broker-docker-container-running:
  docker_container.running:
@ -47,6 +100,28 @@ tika-docker-container-running:
    - networks:
      - paperless-network

+# Attempt to fix json with pillar variables in variable
+{% set client_secret = salt['pillar.get']('paperless:webserver:keycloak:client_secret', '<CLIENT_SECRET>') %}
+{% set oauth_server = salt['pillar.get']('paperless:webserver:keycloak:server_url', 'https://<KEYCLOAK_SERVER>/realms/<REALM>/.well-known/openid-configuration') %}
+
+{% set PAPERLESS_SOCIALACCOUNT_PROVIDER =
+  {
+    'openid_connect': {
+        'APPS': [
+            {
+              'provider_id': 'keycloak',
+              'name': 'Keycloak',
+              'client_id': 'paperless',
+              'secret': client_secret,
+              'settings': {
+                'server_url': oauth_server
+              }
+            }
+        ]
+    }
+  }
+%}
+
 paperless-docker-container-running:
  docker_container.running:
    # The Docker setup does not use the configuration file.
@ -63,18 +138,16 @@ paperless-docker-container-running:
      - PAPERLESS_TIKA_ENDPOINT={{ salt['pillar.get']('paperless:webserver:environment:tika_endpoint', 'http://tika:9998') }}
      - PAPERLESS_TIKA_GOTENBERG_ENDPOINT={{ salt['pillar.get']('paperless:webserver:environment:tika_gotenberg_endpoint', 'http://gotenberg:3000') }}

-      # - PAPERLESS_ENABLE_HTTP_REMOTE_USER={{ salt['pillar.get']('', 'false') }}
-      # - PAPERLESS_ENABLE_HTTP_REMOTE_USER_API={{ salt['pillar.get']('', 'false') }}
-      # - PAPERLESS_SECRET_KEY={{ salt['pillar.get']('paperless:webserver:environment:secret_key', 'change-me') }}
-      # - PAPERLESS_URL={{ salt['pillar.get']('paperless:webserver:environment:url', 'https://paperless.flipdot.org') }}
+      - PAPERLESS_APPS=allauth.socialaccount.providers.openid_connect
+      - PAPERLESS_SOCIALACCOUNT_PROVIDER="{{ PAPERLESS_SOCIALACCOUNT_PROVIDER }}"
+      - PAPERLESS_DISABLE_REGULAR_LOGIN={{ salt['pillar.get']('paperless:webserver:environment:disable_regular_login', 'true') }}
+      - PAPERLESS_REDIRECT_LOGIN_TO_SSO={{ salt['pillar.get']('paperless:webserver:environment:redirect_login_to_sso', 'true') }}

-      - PAPERLESS_APPS="allauth.socialaccount.providers.openid_connect"
-      - PAPERLESS_SOCIALACCOUNT_PROVIDERS='{"openid_connect": {"APPS": [{"provider_id": "keycloak", "name": "Keycloak", "client_id": "paperless", "secret": {{ salt['pillar.get']('paperless:webserver:keycloak:client_secret', '<CLIENT_SECRET>') }}, "settings": {"server_url": {{ salt['pillar.get']('paperless:webserver:keycloak:server_url', 'https://<KEYCLOAK_SERVER>/realms/<REALM>/.well-known/openid-configuration') }} }}]}}'
+      - PAPERLESS_ADMIN_USER={{ salt['pillar.get']('paperless:webserver:environment:admin_user', 'admin') }}
+      - PAPERLESS_ADMIN_PASSWORD={{ salt['pillar.get']('paperless:webserver:environment:admin_password', 'change-me') }}
    - restart: always
    - networks:
      - paperless-network
-    - extra_hosts:
-      - ldap.flipdot.space:192.168.3.233
    - binds:
      - /opt/paperless/webserver/data:/usr/src/paperless/data
      - /opt/paperless/webserver/media:/usr/src/paperless/media
--- a/pillar.example
+++ b/pillar.example
@ -36,6 +36,9 @@ paperless:
      # (if doing so please consider security measures such as reverse proxy)
      # url=https://paperless.flipdot.org

+      admin_user: admin
+      admin_password: change-me
+
    keycloak:
      client_secret: <CLIENT_SECRET>
      server_url: https://<KEYCLOAK_SERVER>/realms/<REALM>/.well-known/openid-configuration