✨ Ingress and SSL support

paperless-ngx/Dockerfile

@@ -62,7 +62,8 @@ ARG RUNTIME_PACKAGES="\
   wget \
   xz-utils=5.4.1-0.2 \
   redis-server=5:7.0.11-1+deb12u1 \
-  redis-tools=5:7.0.11-1+deb12u1"
+  redis-tools=5:7.0.11-1+deb12u1 \
+  nginx=1.22.1-9"
 
 # Install basic runtime packages.
 # These change very infrequently

paperless-ngx/config.yaml

@@ -4,23 +4,25 @@ version: dev
 slug: paperless-ngx
 url: https://github.com/paperless-ngx/paperless-ngx
 init: false
+ingress: true
+ingress_stream: true
 description:
   Paperless is an application that manages your personal documents. With
   the help of a document scanner, paperless transforms your wieldy physical document
   binders into a searchable archive and provides many utilities for finding and managing
   your documents.
-webui: http://[HOST]:[PORT:8000]
 arch:
   - aarch64
   - amd64
 startup: system
 ports:
-  8000/tcp: 8000
+  80/tcp: null
 ports_description:
-  8000/tcp: Web interface
+  80/tcp: Web interface (Not required for Ingress)
 map:
   - addon_config:rw
   - share:rw
+  - ssl
 options:
   filename: "{created_year}/{correspondent}/{title}"
   language: eng
@@ -30,6 +32,9 @@ options:
     email:
     password:
   timezone: UTC
+  ssl: false
+  certfile: fullchain.pem
+  keyfile: privkey.pem
 schema:
   url: str?
   filename: str
@@ -45,3 +50,6 @@ schema:
   barcodes_asn: bool?
   consumer_recursive: bool?
   consumer_subdirs_as_tags: bool?
+  ssl: bool
+  certfile: str
+  keyfile: str

paperless-ngx/rootfs/etc/nginx/includes/fastcgi_params.conf

@@ -0,0 +1,21 @@
+fastcgi_param  QUERY_STRING       $query_string;
+fastcgi_param  REQUEST_METHOD     $request_method;
+fastcgi_param  CONTENT_TYPE       $content_type;
+fastcgi_param  CONTENT_LENGTH     $content_length;
+
+fastcgi_param  SCRIPT_NAME        $fastcgi_script_name;
+fastcgi_param  REQUEST_URI        $request_uri;
+fastcgi_param  DOCUMENT_URI       $document_uri;
+fastcgi_param  DOCUMENT_ROOT      $document_root;
+fastcgi_param  SERVER_PROTOCOL    $server_protocol;
+fastcgi_param  REQUEST_SCHEME     $scheme;
+fastcgi_param  HTTPS              $https if_not_empty;
+
+fastcgi_param  GATEWAY_INTERFACE  CGI/1.1;
+fastcgi_param  SERVER_SOFTWARE    nginx/$nginx_version;
+
+fastcgi_param  REMOTE_ADDR        $remote_addr;
+fastcgi_param  REMOTE_PORT        $remote_port;
+fastcgi_param  SERVER_ADDR        $server_addr;
+fastcgi_param  SERVER_PORT        $server_port;
+fastcgi_param  SERVER_NAME        $server_name;

paperless-ngx/rootfs/etc/nginx/includes/mime.types

@@ -0,0 +1,96 @@
+types {
+    text/html                                        html htm shtml;
+    text/css                                         css;
+    text/xml                                         xml;
+    image/gif                                        gif;
+    image/jpeg                                       jpeg jpg;
+    application/javascript                           js;
+    application/atom+xml                             atom;
+    application/rss+xml                              rss;
+
+    text/mathml                                      mml;
+    text/plain                                       txt;
+    text/vnd.sun.j2me.app-descriptor                 jad;
+    text/vnd.wap.wml                                 wml;
+    text/x-component                                 htc;
+
+    image/png                                        png;
+    image/svg+xml                                    svg svgz;
+    image/tiff                                       tif tiff;
+    image/vnd.wap.wbmp                               wbmp;
+    image/webp                                       webp;
+    image/x-icon                                     ico;
+    image/x-jng                                      jng;
+    image/x-ms-bmp                                   bmp;
+
+    font/woff                                        woff;
+    font/woff2                                       woff2;
+
+    application/java-archive                         jar war ear;
+    application/json                                 json;
+    application/mac-binhex40                         hqx;
+    application/msword                               doc;
+    application/pdf                                  pdf;
+    application/postscript                           ps eps ai;
+    application/rtf                                  rtf;
+    application/vnd.apple.mpegurl                    m3u8;
+    application/vnd.google-earth.kml+xml             kml;
+    application/vnd.google-earth.kmz                 kmz;
+    application/vnd.ms-excel                         xls;
+    application/vnd.ms-fontobject                    eot;
+    application/vnd.ms-powerpoint                    ppt;
+    application/vnd.oasis.opendocument.graphics      odg;
+    application/vnd.oasis.opendocument.presentation  odp;
+    application/vnd.oasis.opendocument.spreadsheet   ods;
+    application/vnd.oasis.opendocument.text          odt;
+    application/vnd.openxmlformats-officedocument.presentationml.presentation
+                                                     pptx;
+    application/vnd.openxmlformats-officedocument.spreadsheetml.sheet
+                                                     xlsx;
+    application/vnd.openxmlformats-officedocument.wordprocessingml.document
+                                                     docx;
+    application/vnd.wap.wmlc                         wmlc;
+    application/x-7z-compressed                      7z;
+    application/x-cocoa                              cco;
+    application/x-java-archive-diff                  jardiff;
+    application/x-java-jnlp-file                     jnlp;
+    application/x-makeself                           run;
+    application/x-perl                               pl pm;
+    application/x-pilot                              prc pdb;
+    application/x-rar-compressed                     rar;
+    application/x-redhat-package-manager             rpm;
+    application/x-sea                                sea;
+    application/x-shockwave-flash                    swf;
+    application/x-stuffit                            sit;
+    application/x-tcl                                tcl tk;
+    application/x-x509-ca-cert                       der pem crt;
+    application/x-xpinstall                          xpi;
+    application/xhtml+xml                            xhtml;
+    application/xspf+xml                             xspf;
+    application/zip                                  zip;
+
+    application/octet-stream                         bin exe dll;
+    application/octet-stream                         deb;
+    application/octet-stream                         dmg;
+    application/octet-stream                         iso img;
+    application/octet-stream                         msi msp msm;
+
+    audio/midi                                       mid midi kar;
+    audio/mpeg                                       mp3;
+    audio/ogg                                        ogg;
+    audio/x-m4a                                      m4a;
+    audio/x-realaudio                                ra;
+
+    video/3gpp                                       3gpp 3gp;
+    video/mp2t                                       ts;
+    video/mp4                                        mp4;
+    video/mpeg                                       mpeg mpg;
+    video/quicktime                                  mov;
+    video/webm                                       webm;
+    video/x-flv                                      flv;
+    video/x-m4v                                      m4v;
+    video/x-mng                                      mng;
+    video/x-ms-asf                                   asx asf;
+    video/x-ms-wmv                                   wmv;
+    video/x-msvideo                                  avi;
+}

paperless-ngx/rootfs/etc/nginx/includes/server_params.conf

@@ -0,0 +1,24 @@
+server_name     $hostname;
+
+add_header X-Content-Type-Options nosniff;
+add_header X-XSS-Protection "1; mode=block";
+add_header X-Robots-Tag none;
+
+client_max_body_size 10M;
+
+location / {
+    # Adjust host and port as required.
+    proxy_pass http://localhost:8000/;
+
+    # These configuration options are required for WebSockets to work.
+    proxy_http_version 1.1;
+    proxy_set_header Upgrade $http_upgrade;
+    proxy_set_header Connection "upgrade";
+
+    proxy_redirect off;
+    proxy_set_header Host $host;
+    proxy_set_header X-Real-IP $remote_addr;
+    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+    proxy_set_header X-Forwarded-Host $server_name;
+    add_header Referrer-Policy "strict-origin-when-cross-origin";
+}

paperless-ngx/rootfs/etc/nginx/includes/ssl_params.conf

@@ -0,0 +1,8 @@
+ssl_protocols TLSv1.2 TLSv1.3;
+ssl_prefer_server_ciphers off;
+ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384;
+ssl_session_timeout  10m;
+ssl_session_cache shared:SSL:10m;
+ssl_session_tickets off;
+ssl_stapling on;
+ssl_stapling_verify on;

paperless-ngx/rootfs/etc/nginx/nginx.conf

@@ -0,0 +1,43 @@
+# Run nginx in foreground.
+daemon off;
+
+# This is run inside Docker.
+user root;
+
+# Pid storage location.
+pid /var/run/nginx.pid;
+
+# Set number of worker processes.
+worker_processes 1;
+
+# Enables the use of JIT for regular expressions to speed-up their processing.
+pcre_jit on;
+
+# Write error log to the add-on log.
+error_log /proc/1/fd/1 error;
+
+# Max num of simultaneous connections by a worker process.
+events {
+    worker_connections 512;
+}
+
+http {
+    include /etc/nginx/includes/mime.types;
+
+    access_log              off;
+    client_max_body_size    4G;
+    default_type            application/octet-stream;
+    gzip                    on;
+    keepalive_timeout       65;
+    sendfile                on;
+    server_tokens           off;
+    tcp_nodelay             on;
+    tcp_nopush              on;
+
+    map $http_upgrade $connection_upgrade {
+        default upgrade;
+        ''      close;
+    }
+
+    include /etc/nginx/servers/*.conf;
+}

paperless-ngx/rootfs/etc/nginx/servers/.gitkeep

@@ -0,0 +1 @@
+Without requirements or design, programming is the art of adding bugs to an empty text file. (Louis Srygley)

paperless-ngx/rootfs/etc/nginx/templates/direct.gtpl

@@ -0,0 +1,16 @@
+server {
+    {{ if not .ssl }}
+    listen 80 default_server;
+    {{ else }}
+    listen 80 default_server ssl http2;
+    {{ end }}
+
+    include /etc/nginx/includes/server_params.conf;
+
+    {{ if .ssl }}
+    include /etc/nginx/includes/ssl_params.conf;
+
+    ssl_certificate /ssl/{{ .certfile }};
+    ssl_certificate_key /ssl/{{ .keyfile }};
+    {{ end }}
+}

paperless-ngx/rootfs/etc/nginx/templates/ingress-disabled.gtpl

@@ -0,0 +1,11 @@
+server {
+    listen {{ .interface }}:8099 default_server;
+
+    location / {
+        return 200 'Ingress is disabled because you opended a port';
+        default_type text/plain;
+    }
+
+    allow   172.30.32.2;
+    deny    all;
+}

paperless-ngx/rootfs/etc/nginx/templates/ingress.gtpl

@@ -0,0 +1,8 @@
+server {
+    listen {{ .interface }}:8099 default_server;
+
+    include /etc/nginx/includes/server_params.conf;
+
+    allow   172.30.32.2;
+    deny    all;
+}

paperless-ngx/rootfs/etc/s6-overlay/s6-rc.d/init-nginx/run

@@ -0,0 +1,36 @@
+#!/command/with-contenv bashio
+# shellcheck shell=bash
+# ==============================================================================
+# Benoit Anastay Add-on: Paperlexx-ngx
+# Configures NGINX for use with Paperless-ngx
+# ==============================================================================
+
+# Generate direct access configuration, if enabled.
+if bashio::var.has_value "$(bashio::addon.port 80)"; then
+    bashio::log.red "Ingress is disabled because a listening port is defined"
+    bashio::config.require.ssl
+    bashio::var.json \
+        certfile "$(bashio::config 'certfile')" \
+        keyfile "$(bashio::config 'keyfile')" \
+        ssl "^$(bashio::config 'ssl')" \
+        | tempio \
+            -template /etc/nginx/templates/direct.gtpl \
+            -out /etc/nginx/servers/direct.conf
+
+    # Generate Disabled Ingress NGINX configuration
+    bashio::var.json \
+        interface "$(bashio::addon.ip_address)" \
+        | tempio \
+            -template /etc/nginx/templates/ingress-disabled.gtpl \
+            -out /etc/nginx/servers/ingress.conf
+else
+    ingress_entry=$(bashio::addon.ingress_entry)
+    echo -n "${ingress_entry}" > /var/run/s6/container_environment/PAPERLESS_FORCE_SCRIPT_NAME
+    bashio::log.blue "Ingress is enabled"
+    # Generate Ingress NGINX configuration
+    bashio::var.json \
+        interface "$(bashio::addon.ip_address)" \
+        | tempio \
+            -template /etc/nginx/templates/ingress.gtpl \
+            -out /etc/nginx/servers/ingress.conf
+fi

paperless-ngx/rootfs/etc/s6-overlay/s6-rc.d/init-nginx/type

@@ -0,0 +1 @@
+oneshot

paperless-ngx/rootfs/etc/s6-overlay/s6-rc.d/init-nginx/up

@@ -0,0 +1 @@
+/etc/s6-overlay/s6-rc.d/init-nginx/run

paperless-ngx/rootfs/etc/s6-overlay/s6-rc.d/nginx/finish

@@ -0,0 +1,26 @@
+#!/command/with-contenv bashio
+# ==============================================================================
+# Benoit Anastay Add-on: Paperlexx-ngx
+# Take down the S6 supervision tree when Nginx fails
+# ==============================================================================
+declare exit_code
+readonly exit_code_container=$(</run/s6-linux-init-container-results/exitcode)
+readonly exit_code_service="${1}"
+readonly exit_code_signal="${2}"
+readonly service="NGINX"
+
+bashio::log.info \
+  "Service ${service} exited with code ${exit_code_service}" \
+  "(by signal ${exit_code_signal})"
+
+if [[ "${exit_code_service}" -eq 256 ]]; then
+  if [[ "${exit_code_container}" -eq 0 ]]; then
+    echo $((128 + $exit_code_signal)) > /run/s6-linux-init-container-results/exitcode
+  fi
+  [[ "${exit_code_signal}" -eq 15 ]] && exec /run/s6/basedir/bin/halt
+elif [[ "${exit_code_service}" -ne 0 ]]; then
+  if [[ "${exit_code_container}" -eq 0 ]]; then
+    echo "${exit_code_service}" > /run/s6-linux-init-container-results/exitcode
+  fi
+  exec /run/s6/basedir/bin/halt
+fi

paperless-ngx/rootfs/etc/s6-overlay/s6-rc.d/nginx/run

@@ -0,0 +1,12 @@
+#!/command/with-contenv bashio
+# ==============================================================================
+# Benoit Anastay Add-on: Paperlexx-ngx
+# Runs the Nginx daemon
+# ==============================================================================
+
+# Wait for Paperless-ngx to become available
+bashio::net.wait_for 8000
+
+bashio::log.info "Starting NGinx...."
+
+exec nginx

paperless-ngx/rootfs/etc/s6-overlay/s6-rc.d/nginx/type

@@ -0,0 +1 @@
+longrun

paperless-ngx/rootfs/etc/s6-overlay/s6-rc.d/paperless/run

@@ -22,6 +22,8 @@ PAPERLESS_CONSUMER_SUBDIRS_AS_TAGS=$(bashio::config 'consumer_subdirs_as_tags')
 PAPERLESS_CONSUMPTION_DIR=/share/paperless/consume
 PAPERLESS_DATA_DIR=/config/data
 PAPERLESS_MEDIA_ROOT=/share/paperless/media
+PAPERLESS_USE_X_FORWARD_HOST=true
+PAPERLESS_USE_X_FORWARD_PORT=true
 PAPERLESS_CONSUMER_BARCODE_SCANNER=ZXING
 PAPERLESS_CONFIGURATION_PATH="/config/paperless.conf"
 
@@ -56,6 +58,8 @@ export PAPERLESS_CONSUMER_ENABLE_BARCODES
 export PAPERLESS_CONSUMER_ENABLE_ASN_BARCODE
 export PAPERLESS_CONSUMER_RECURSIVE
 export PAPERLESS_CONSUMER_SUBDIRS_AS_TAGS
+export PAPERLESS_USE_X_FORWARD_HOST
+export PAPERLESS_USE_X_FORWARD_PORT
 export PAPERLESS_CONSUMER_BARCODE_SCANNER
 export PAPERLESS_CONFIGURATION_PATH