add: paperless oauthproxy layer

group_vars/all.yaml

@@ -125,7 +125,6 @@ keycloak_clients:
         party_secret : "HISTORY_PURGED_SECRET"
         client_id: z_heimdall
         client_secret: "HISTORY_PURGED_SECRET"
-        client_secret: "HISTORY_PURGED_SECRET"
         redirect_uris:
             - "https://hub.atlantishq.de/*"
         description: "AtlantisHQ Hub"
@@ -133,3 +132,15 @@ keycloak_clients:
         groups:
         master_address: "https://hub.atlantishq.de"
         skips:
+
+    paperless:
+        party_secret : "HISTORY_PURGED_SECRET"
+        client_id: z_paperless
+        client_secret: "HISTORY_PURGED_SECRET"
+        redirect_uris:
+            - "https://paperless.atlantishq.de/*"
+        description: "AtlantisHQ Paperless Archiving"
+        keycloak_id: "00000000-0000-0000-0000-000000000008"
+        groups: "paperless"
+        master_address: "https://paperless.atlantishq.de"
+        skips:

roles/paperless/tasks/main.yaml

@@ -32,3 +32,28 @@
   community.docker.docker_compose:
     project_src: /opt/paperless/
     pull: true
+
+- name: OAuth2Proxy directories
+  file:
+    path: "/opt/oauth2proxy/{{ item }}/"
+    state: directory
+    recurse: yes
+  with_items:
+   - paperless
+
+- name: include services ports
+  include_vars: services.yaml
+
+- name: Deploy OAuth2Proxy compose files
+  template:
+    src: oauth-standalone-docker-compose.yaml
+    dest: "/opt/oauth2proxy/{{ item }}/docker-compose.yaml"
+  with_items:
+    - paperless
+
+- name: Deploy OAuth2Proxy
+  community.docker.docker_compose:
+    project_src: /opt/oauth2proxy/{{ item }}/
+    pull: true
+  with_items:
+    - paperless

roles/paperless/templates/docker-compose.env

@@ -4,3 +4,5 @@ PAPERLESS_OCR_LANGUAGE=deu
 PAPERLESS_SECRET_KEY=HISTORY_PURGED_SECRET
 PAPERLESS_ADMIN_USER=sheppy
 PAPERLESS_ADMIN_PASSWORD=HISTORY_PURGED_SECRET
+PAPERLESS_ENABLE_HTTP_REMOTE_USER=TRUE
+PAPERLESS_HTTP_REMOTE_USER_HEADER_NAME=X-Forwarded-Preferred-Username

roles/paperless/templates/docker-compose.yml

@@ -57,7 +57,7 @@ services:
       - gotenberg
       - tika
     ports:
-      - "8000:8000"
+      - "9000:8000"
     healthcheck:
       test: ["CMD", "curl", "-fs", "-S", "--max-time", "2", "http://localhost:8000"]
       interval: 30s

vars/services.yaml

@@ -13,3 +13,5 @@ services:
         port: 5010
     heimdall:
         port: 5011
+    paperless:
+        port: 8000