homelab-optimized/hosts/synology/calypso/paperless/docker-compose.yml

# Paperless-NGX with Office Document Support
# URL: https://docs.vish.gg
# Port: 8777
# Notifications: ntfy (http://192.168.0.210:8081/paperless)
# SSO: Authentik OIDC (sso.vish.gg/application/o/paperless/)

services:
  redis:
    image: redis:8
    command:
      - /bin/sh
      - -c
      - redis-server --requirepass REDACTED_PASSWORD
    container_name: PaperlessNGX-REDIS
    hostname: paper-redis
    security_opt:
      - no-new-privileges:true
    read_only: true
    user: 1026:100
    healthcheck:
      test: ["CMD-SHELL", "redis-cli ping || exit 1"]
    volumes:
      - /volume1/docker/paperlessngx/redis:/data:rw
    environment:
      TZ: America/Los_Angeles
    restart: on-failure:5

  db:
    image: postgres:18
    container_name: PaperlessNGX-DB
    hostname: paper-db
    security_opt:
      - no-new-privileges:true
    healthcheck:
      test: ["CMD", "pg_isready", "-q", "-d", "paperless", "-U", "paperlessuser"]
      timeout: 45s
      interval: 10s
      retries: 10
    volumes:
      - /volume1/docker/paperlessngx/db:/var/lib/postgresql:rw
    environment:
      POSTGRES_DB: paperless
      POSTGRES_USER: paperlessuser
      POSTGRES_PASSWORD: "REDACTED_PASSWORD"
    restart: on-failure:5

  gotenberg:
    image: gotenberg/gotenberg:latest
    container_name: PaperlessNGX-GOTENBERG
    hostname: gotenberg
    security_opt:
      - no-new-privileges:true
    user: 1026:100
    command:
      - "gotenberg"
      - "--chromium-disable-javascript=true"
      - "--chromium-allow-list=file:///tmp/.*"
    restart: on-failure:5

  tika:
    image: docker.io/apache/tika:latest
    container_name: PaperlessNGX-TIKA
    hostname: tika
    security_opt:
      - no-new-privileges:true
    user: 1026:100
    restart: on-failure:5

  paperless:
    image: ghcr.io/paperless-ngx/paperless-ngx:latest
    container_name: PaperlessNGX
    hostname: paperless-ngx
    security_opt:
      - no-new-privileges:true
    healthcheck:
      test: ["CMD", "curl", "-fs", "-S", "--max-time", "2", "http://localhost:8000"]
      interval: 30s
      timeout: 10s
      retries: 5
    ports:
      - 8777:8000
    volumes:
      - /volume1/docker/paperlessngx/data:/usr/src/paperless/data:rw
      - /volume1/docker/paperlessngx/media:/usr/src/paperless/media:rw
      - /volume1/docker/paperlessngx/export:/usr/src/paperless/export:rw
      - /volume1/docker/paperlessngx/consume:/usr/src/paperless/consume:rw
      - /volume1/docker/paperlessngx/trash:/usr/src/paperless/trash:rw
    environment:
      PAPERLESS_REDIS: redis://:redispass@paper-redis:6379
      PAPERLESS_DBENGINE: postgresql
      PAPERLESS_DBHOST: paper-db
      PAPERLESS_DBNAME: paperless
      PAPERLESS_DBUSER: paperlessuser
      PAPERLESS_DBPASS: paperlesspass
      PAPERLESS_EMPTY_TRASH_DIR: ../trash
      PAPERLESS_FILENAME_FORMAT: "{{ created_year }}/{{ correspondent }}/{{ document_type }}/{{ title }}"
      PAPERLESS_OCR_ROTATE_PAGES_THRESHOLD: 6
      PAPERLESS_TASK_WORKERS: 1
      USERMAP_UID: 1026
      USERMAP_GID: 100
      PAPERLESS_SECRET_KEY: "REDACTED_SECRET_KEY"
      PAPERLESS_TIME_ZONE: America/Los_Angeles
      PAPERLESS_ADMIN_USER: vish
      PAPERLESS_ADMIN_PASSWORD: "REDACTED_PASSWORD" # pragma: allowlist secret
      PAPERLESS_URL: https://docs.vish.gg
      PAPERLESS_CSRF_TRUSTED_ORIGINS: https://docs.vish.gg
      PAPERLESS_OCR_LANGUAGE: eng
      PAPERLESS_TIKA_ENABLED: 1
      PAPERLESS_TIKA_GOTENBERG_ENDPOINT: http://gotenberg:3000
      PAPERLESS_TIKA_ENDPOINT: http://tika:9998
      # ntfy notification on document consumption
      PAPERLESS_POST_CONSUME_SCRIPT: /usr/src/paperless/data/notify.sh
      # Authentik OIDC SSO
      PAPERLESS_APPS: allauth.socialaccount.providers.openid_connect
      PAPERLESS_SOCIALACCOUNT_PROVIDERS: >-
        {"openid_connect": {"APPS": [{"provider_id": "paperless", "name": "Authentik",
        "client_id": "paperless",
        "secret": "10e705242ca03f59b10ea831REDACTED_GITEA_TOKEN",
        "settings": {"server_url": "https://sso.vish.gg/application/o/paperless/.well-known/openid-configuration"}}]}}
    restart: on-failure:5
    depends_on:
      db:
        condition: service_healthy
      redis:
        condition: service_healthy
      tika:
        condition: service_started
      gotenberg:
        condition: service_started