kubernetes: add and update new and existing projects

kubernetes/README.md

@@ -462,7 +462,10 @@ kubectl get secret wildcard-cert-secret --namespace=cert -o yaml \
 
 source .env
 helm upgrade --install adguard \
-  -f adguard/values.yaml \
+  --namespace adguard \
+  --create-namespace \
+  --atomic \
+  -f adguard-helm-chart/values.yaml \
   --set ingress.hosts[0].host=$ADGUARD_HOST \
   --set host=$ADGUARD_HOST \
   --atomic adguard-helm-chart
@@ -797,6 +800,23 @@ envsubst < cloud-native-pg/cloudnative-pg.yaml | kubectl apply -n immich -f -
 kubectl apply -f cloud-native-pg/backup.yaml -n immich
 ```
 
+## Barnman Cloud Plugin Implementation
+
+The cloudnative PG does not require the barman utility to be installed within
+the image anymore for backup and recovery. Instead barman plugin and the
+objectStore needs to be deployed in the destination namespace.
+
+Ref: https://cloudnative-pg.io/plugin-barman-cloud/docs/usage/
+
+```bash
+# Barman Cloud Plugin
+kubectl apply -f \
+https://github.com/cloudnative-pg/plugin-barman-cloud/releases/download/v0.6.0/manifest.yaml
+
+# Object Store
+envsubst < cloud-native-pg/objectStore.yaml | kubectl apply -n immich -f -
+```
+
 ## Recovery from Backup
 
 Ref: https://cloudnative-pg.io/documentation/1.20/recovery/
@@ -889,14 +909,14 @@ Finally, deploy the Immich helm chart with the following values:
 ```bash
 source .env
 helm upgrade --install \
-  --namespace immich immich oci://ghcr.io/immich-app/immich-charts/immich \
-  -f immich/values.yaml \
-  --set env.DB_USERNAME=$IMMICH_DB_USER \
-  --set env.DB_PASSWORD=$IMMICH_DB_PASSWORD \
-  --set env.DB_DATABASE_NAME=$IMMICH_DB_NAME \
-  --set server.ingress.main.hosts[0].host=$IMMICH_HOST \
-  --set server.ingress.main.tls[0].hosts[0]=$IMMICH_HOST \
-  --atomic
+    --namespace immich immich immich/immich-helm-chart \
+    -f immich/immich-helm-chart/values.yaml \
+    --set env.DB_USERNAME=$IMMICH_DB_USER \
+    --set env.DB_PASSWORD=$IMMICH_DB_PASSWORD \
+    --set env.DB_DATABASE_NAME=$IMMICH_DB_NAME \
+    --set server.ingress.main.hosts[0].host=$IMMICH_HOST \
+    --set server.ingress.main.tls[0].hosts[0]=$IMMICH_HOST \
+    --atomic
 ```
 
 # Cron Jobs for Periodic Tasks
@@ -980,3 +1000,16 @@ helm upgrade --install kube-prometheus prometheus-community/kube-prometheus-stac
   --set grafana.ingress.tls[0].hosts[0]=$GRAFANA_HOST \
   --atomic
 ```
+
+# Paperless-ngx
+
+Paperless-ngx is a document management system that allows you to manage your
+documents in a digital way. It provides features such as document scanning,
+OCR (Optical Character Recognition), and a web interface for easy access
+to your documents. The main advantage is finding documents quickly and easily
+using powerful search capabilities.
+
+```bash
+source .env
+envsubst < paperless-ngx/manifest.yaml | kubectl apply -f -
+```

kubernetes/cloud-native-pg/objectStore.yaml

@@ -0,0 +1,20 @@
+apiVersion: barmancloud.cnpg.io/v1
+kind: ObjectStore
+metadata:
+  name: immich-minio-store
+spec:
+  configuration:
+    destinationPath: s3://immich
+    endpointURL: ${MINIO_ENDPOINT_URL}
+    s3Credentials:
+      accessKeyId:
+        name: minio-creds
+        key: ACCESS_KEY_ID
+      secretAccessKey:
+        name: minio-creds
+        key: ACCESS_SECRET_KEY
+    wal:
+      compression: gzip
+    data:
+      compression: gzip
+  retentionPolicy: "15d"

kubernetes/immich/backup/immich-intermediate-db.yaml

@@ -0,0 +1,51 @@
+apiVersion: apps/v1
+kind: StatefulSet
+metadata:
+  name: immich-migration-db
+spec:
+  serviceName: "immich-migration-db"
+  replicas: 1
+  selector:
+    matchLabels:
+      app: immich-migration-db
+  template:
+    metadata:
+      labels:
+        app: immich-migration-db
+    spec:
+      containers:
+        - name: postgres
+          image: ghcr.io/immich-app/postgres:14-vectorchord0.4.3-pgvectors0.2.0
+          ports:
+            - containerPort: 5432
+          env:
+            - name: POSTGRES_DB
+              value: immich
+            - name: POSTGRES_USER
+              value: immich
+            - name: POSTGRES_PASSWORD
+              value: arsehole
+          volumeMounts:
+            - name: pgdata
+              mountPath: /var/lib/postgresql/data
+  volumeClaimTemplates:
+    - metadata:
+        name: pgdata
+      spec:
+        accessModes: ["ReadWriteOnce"]
+        resources:
+          requests:
+            storage: 10Gi
+---
+apiVersion: v1
+kind: Service
+metadata:
+  name: immich-migration-db
+spec:
+  selector:
+    app: immich-migration-db
+  ports:
+    - name: postgres
+      port: 5432
+      targetPort: 5432
+  type: LoadBalancer

kubernetes/immich/immich-helm-chart/.helmignore

@@ -0,0 +1,30 @@
+# Patterns to ignore when building packages.
+# This supports shell glob matching, relative path matching, and
+# negation (prefixed with !). Only one pattern per line.
+.DS_Store
+# Common VCS dirs
+.git/
+.gitignore
+.bzr/
+.bzrignore
+.hg/
+.hgignore
+.svn/
+# Common backup files
+*.swp
+*.bak
+*.tmp
+*~
+# Various IDEs
+.project
+.idea/
+*.tmproj
+.vscode/
+# OWNERS file for Kubernetes
+OWNERS
+
+# helm-docs templates
+*.gotmpl
+
+# helm unit tests
+tests/

kubernetes/immich/immich-helm-chart/Chart.lock

@@ -0,0 +1,6 @@
+dependencies:
+- name: common
+  repository: https://bjw-s-labs.github.io/helm-charts
+  version: 1.4.0
+digest: sha256:7acd0966a8a046c2dc4f5eecdc4c34439c1f0fcacc4dcb99630721d21414234c
+generated: "2025-10-05T00:42:21.037899892+03:00"

kubernetes/immich/immich-helm-chart/Chart.yaml

@@ -0,0 +1,25 @@
+---
+apiVersion: v2
+description: A chart to power Immich (immich.app) running on kubernetes
+name: immich
+version: 0.9.3
+appVersion: v1.143.1
+home: https://immich.app/
+icon: https://raw.githubusercontent.com/immich-app/immich/main/design/immich-logo.svg
+sources:
+  - https://github.com/immich-app/immich-charts/tree/main/charts/immich
+  - https://github.com/immich-app/immich
+maintainers:
+  - name: PixelJonas
+    email: 5434875+PixelJonas@users.noreply.github.com
+  - name: bo0tzz
+    email: immich@bo0tzz.me
+dependencies:
+  - name: common
+    repository: https://bjw-s-labs.github.io/helm-charts
+    version: 1.4.0
+annotations:
+  artifacthub.io/category: storage
+  artifacthub.io/changes: |-
+    - kind: added
+      description: Made chart available through OCI repository

kubernetes/immich/immich-helm-chart/templates/checks.yaml

@@ -0,0 +1,12 @@
+{{- $name := .Values.immich.persistence.library.existingClaim | required ".Values.immich.persistence.library.existingClaim is required." -}}
+{{- if not (kindIs "string" $name) -}}{{- fail ".Values.immich.persistence.library.existingClaim must be a string" -}}{{- end -}}
+
+{{ if .Values.postgresql }}
+    {{ fail "The postgres subchart has been removed. Please see https://github.com/immich-app/immich-charts/issues/149 for more detail." }}
+{{ end }}
+
+{{ if hasKey .Values "redis" }}
+  {{ if .Values.redis.enabled }}
+    {{ fail "The bitnami redis subchart has been deprecated and removed. Please use the included valkey deployment or an external instance."}}
+  {{ end }}
+{{ end }}

kubernetes/immich/immich-helm-chart/templates/immich-config.yml

@@ -0,0 +1,15 @@
+{{- if .Values.immich.configuration }}
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: {{ .Release.Name }}-immich-config
+  labels:
+    app.kubernetes.io/instance: {{ .Release.Name }}
+    app.kubernetes.io/managed-by: {{ .Release.Service }}
+    app.kubernetes.io/name: {{ .Chart.Name }}
+    app.kubernetes.io/version: {{ .Chart.AppVersion }}
+    helm.sh/chart: {{ printf "%s-%s\n" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" }}
+data:
+  immich-config.yaml: |
+{{- .Values.immich.configuration | toYaml | nindent 4 }}
+{{- end }}

kubernetes/immich/immich-helm-chart/templates/machine-learning.yaml

@@ -0,0 +1,52 @@
+{{- define "immich.machine-learning.hardcodedValues" -}}
+global:
+  nameOverride: machine-learning
+
+controller:
+  strategy: RollingUpdate
+
+service:
+  main:
+    enabled: true
+    primary: true
+    type: ClusterIP
+    ports:
+      http:
+        enabled: true
+        primary: true
+        port: 3003
+        protocol: HTTP
+
+probes:
+  liveness: &probes
+    enabled: true
+    custom: true
+    spec:
+      httpGet:
+        path: /ping
+        port: http
+      initialDelaySeconds: 0
+      periodSeconds: 10
+      timeoutSeconds: 1
+      failureThreshold: 3
+  readiness: *probes
+  startup:
+    enabled: true
+    custom: true
+    spec:
+      httpGet:
+        path: /ping
+        port: http
+      initialDelaySeconds: 0
+      periodSeconds: 10
+      timeoutSeconds: 1
+      failureThreshold: 60
+{{- end }}
+
+{{- /* Have to reference with index here because the dash breaks a normal dereference */}}
+{{ if (index .Values "machine-learning").enabled }}
+{{- $ctx := deepCopy . -}}
+{{- $_ := get .Values "machine-learning" | mergeOverwrite $ctx.Values -}}
+{{- $_ = include "immich.machine-learning.hardcodedValues" . | fromYaml | merge $ctx.Values -}}
+{{- include "bjw-s.common.loader.all" $ctx }}
+{{ end }}

kubernetes/immich/immich-helm-chart/templates/server.yaml

@@ -0,0 +1,94 @@
+{{- define "immich.server.hardcodedValues" -}}
+global:
+  nameOverride: server
+
+env:
+  {{ if .Values.immich.metrics.enabled }}
+      IMMICH_TELEMETRY_INCLUDE: all
+  {{ end }}
+  {{- if .Values.immich.configuration }}
+      IMMICH_CONFIG_FILE: /config/immich-config.yaml
+  {{- end }}
+
+{{- if .Values.immich.configuration }}
+podAnnotations:
+  checksum/config: {{ .Values.immich.configuration | toYaml | sha256sum }}
+{{- end }}
+
+controller:
+  strategy: RollingUpdate
+
+service:
+  main:
+    enabled: true
+    primary: true
+    type: ClusterIP
+    ports:
+      http:
+        enabled: true
+        primary: true
+        port: 2283
+        protocol: HTTP
+      metrics-api:
+        enabled: {{ .Values.immich.metrics.enabled }}
+        port: 8081
+        protocol: HTTP
+      metrics-ms:
+        enabled: {{ .Values.immich.metrics.enabled }}
+        port: 8082
+        protocol: HTTP
+
+
+serviceMonitor:
+  main:
+    enabled: {{ .Values.immich.metrics.enabled }}
+    endpoints:
+      - port: metrics-api
+        scheme: http
+      - port: metrics-ms
+        scheme: http
+
+probes:
+  liveness: &probes
+    enabled: true
+    custom: true
+    spec:
+      httpGet:
+        path: /api/server/ping
+        port: http
+      initialDelaySeconds: 0
+      periodSeconds: 10
+      timeoutSeconds: 1
+      failureThreshold: 3
+  readiness: *probes
+  startup:
+    enabled: true
+    custom: true
+    spec:
+      httpGet:
+        path: /api/server/ping
+        port: http
+      initialDelaySeconds: 0
+      periodSeconds: 10
+      timeoutSeconds: 1
+      failureThreshold: 30
+
+persistence:
+{{- if .Values.immich.configuration }}
+  config:
+    enabled: true
+    type: configMap
+    name: {{ .Release.Name }}-immich-config
+{{- end }}
+  library:
+    enabled: true
+    mountPath: /usr/src/app/upload
+    existingClaim: {{ .Values.immich.persistence.library.existingClaim }}
+{{- end }}
+
+{{ if .Values.server.enabled }}
+{{- $ctx := deepCopy . -}}
+{{- $_ := get .Values "server" | mergeOverwrite $ctx.Values -}}
+{{- $_ = include "immich.server.hardcodedValues" . | fromYaml | merge $ctx.Values -}}
+{{- include "bjw-s.common.loader.all" $ctx }}
+{{ end }}

kubernetes/immich/immich-helm-chart/templates/valkey.yaml

@@ -0,0 +1,69 @@
+{{- define "valkey.hardcodedValues" -}}
+global:
+  nameOverride: valkey
+
+controller:
+  strategy: Recreate
+
+service:
+  main:
+    enabled: true
+    primary: true
+    type: ClusterIP
+    ports:
+      redis:
+        enabled: true
+        primary: true
+        port: 6379
+        protocol: TCP
+      http:
+        enabled: false
+
+probes:
+  liveness:
+    enabled: true
+    custom: true
+    spec:
+      exec:
+        command:
+          - sh
+          - -c
+          - "valkey-cli ping | grep PONG"
+      initialDelaySeconds: 30
+      periodSeconds: 10
+      timeoutSeconds: 5
+      failureThreshold: 3
+  readiness:
+    enabled: true
+    custom: true
+    spec:
+      exec:
+        command:
+          - sh
+          - -c
+          - "valkey-cli ping | grep PONG"
+      initialDelaySeconds: 5
+      periodSeconds: 10
+      timeoutSeconds: 5
+      failureThreshold: 3
+  startup:
+    enabled: true
+    custom: true
+    spec:
+      exec:
+        command:
+          - sh
+          - -c
+          - "valkey-cli ping | grep PONG"
+      initialDelaySeconds: 0
+      periodSeconds: 10
+      timeoutSeconds: 5
+      failureThreshold: 30
+{{- end }}
+
+{{ if .Values.valkey.enabled }}
+{{- $ctx := deepCopy . -}}
+{{- $_ := get .Values "valkey" | mergeOverwrite $ctx.Values -}}
+{{- $_ = include "valkey.hardcodedValues" . | fromYaml | merge $ctx.Values -}}
+{{- include "bjw-s.common.loader.all" $ctx }}
+{{ end }}

kubernetes/immich/immich-helm-chart/values.yaml

@@ -0,0 +1,92 @@
+## This chart relies on the common library chart from bjw-s
+## You can find it at https://github.com/bjw-s-labs/helm-charts/tree/923ef40a39520979c98f354ea23963ee54f54433/charts/library/common
+## Refer there for more detail about the supported values
+
+# These entries are shared between all the Immich components
+
+env:
+  REDIS_HOSTNAME: '{{ printf "%s-valkey" .Release.Name }}'
+  DB_HOSTNAME: immich-database-rw.immich.svc.cluster.local
+  DB_USERNAME: placeholder
+  DB_DATABASE_NAME: immich
+  # -- You should provide your own secret outside of this helm-chart and use `postgresql.global.postgresql.auth.existingSecret` to provide credentials to the postgresql instance
+  DB_PASSWORD: placeholder
+  IMMICH_IGNORE_MOUNT_CHECK_ERRORS: "true"
+  IMMICH_MACHINE_LEARNING_URL: '{{ printf "http://%s-machine-learning:3003" .Release.Name }}'
+
+image:
+  tag: v2.0.1
+
+immich:
+  metrics:
+    # Enabling this will create the service monitors needed to monitor immich with the prometheus operator
+    enabled: false
+  persistence:
+    # Main data store for all photos shared between different components.
+    library:
+      # Automatically creating the library volume is not supported by this chart
+      # You have to specify an existing PVC to use
+      existingClaim: immich-library
+  # configuration is immich-config.json converted to yaml
+  # ref: https://immich.app/docs/install/config-file/
+  #
+  configuration:
+    trash:
+      enabled: true
+      days: 30
+    storageTemplate:
+      enabled: true
+      template: "{{y}}/{{y}}-{{MM}}-{{dd}}/{{filename}}"
+
+redis:
+  enabled: false
+
+valkey:
+  enabled: true
+  image:
+    repository: docker.io/valkey/valkey
+    tag: 8.0-alpine
+    pullPolicy: IfNotPresent
+  persistence:
+    data:
+      enabled: true
+      size: 1Gi
+      # Optional: Set this to pvc to keep job queues persistent
+      type: pvc
+      accessMode: ReadWriteOnce
+
+# Immich components
+server:
+  enabled: true
+  image:
+    repository: ghcr.io/immich-app/immich-server
+    pullPolicy: IfNotPresent
+  ingress:
+    main:
+      enabled: true
+      annotations:
+        traefik.ingress.kubernetes.io/router.entrypoints: websecure
+        cert-manager.io/cluster-issuer: "acme-issuer"
+      hosts:
+        - host: placeholder.immich.app
+          paths:
+            - path: "/"
+      tls:
+        - secretName: immich-tls
+          hosts:
+            - placeholder.immich.app
+
+machine-learning:
+  enabled: true
+  image:
+    repository: ghcr.io/immich-app/immich-machine-learning
+    pullPolicy: IfNotPresent
+  env:
+    TRANSFORMERS_CACHE: /cache
+  persistence:
+    cache:
+      enabled: true
+      size: 10Gi
+      # Optional: Set this to pvc to avoid downloading the ML models every start.
+      type: pvc
+      accessMode: ReadWriteMany

kubernetes/immich/immichDatabase.yaml

@@ -0,0 +1,37 @@
+apiVersion: postgresql.cnpg.io/v1
+kind: Cluster
+metadata:
+  name: immich-database
+spec:
+  instances: 1
+  imageName: ghcr.io/tensorchord/cloudnative-vectorchord:16.9-0.4.3
+  postgresql:
+    shared_preload_libraries:
+      - "vectors.so"
+      - "vchord.so"
+
+  managed:
+    roles:
+      - name: immich
+        superuser: true
+        login: true
+
+  postgresql:
+    shared_preload_libraries:
+      - "vchord.so"
+
+  bootstrap:
+    initdb:
+      postInitApplicationSQL:
+        - CREATE EXTENSION vchord CASCADE;
+        - CREATE EXTENSION earthdistance CASCADE;
+
+  plugins:
+  - name: barman-cloud.cloudnative-pg.io
+    isWALArchiver: true
+    parameters:
+      barmanObjectName: immich-minio-store
+
+  storage:
+    storageClass: longhorn-2x
+    size: 5Gi

kubernetes/immich/values.yaml

@@ -5,17 +5,17 @@
 # These entries are shared between all the Immich components
 
 env:
-  # REDIS_HOSTNAME: '{{ printf "%s-redis-master" .Release.Name }}'
-  DB_HOSTNAME: pg-backup-rw.immich.svc.cluster.local
+  REDIS_HOSTNAME: '{{ printf "%s-valkey" .Release.Name }}'
+  DB_HOSTNAME: immich-database-rw.immich.svc.cluster.local
   DB_USERNAME: placeholder
   DB_DATABASE_NAME: immich
   # -- You should provide your own secret outside of this helm-chart and use `postgresql.global.postgresql.auth.existingSecret` to provide credentials to the postgresql instance
   DB_PASSWORD: placeholder
   IMMICH_IGNORE_MOUNT_CHECK_ERRORS: "true"
-  # IMMICH_MACHINE_LEARNING_URL: '{{ printf "http://%s-machine-learning:3003" .Release.Name }}'
+  IMMICH_MACHINE_LEARNING_URL: '{{ printf "http://%s-machine-learning:3003" .Release.Name }}'
 
 image:
-  tag: v1.119.0
+  tag: v2.0.1
 
 immich:
   metrics:
@@ -38,19 +38,22 @@ immich:
       enabled: true
       template: "{{y}}/{{y}}-{{MM}}-{{dd}}/{{filename}}"
 
-# Dependencies
-
-# DEPRECATED
-# The postgres subchart is deprecated and will be removed in chart version 0.10.0
-# See https://github.com/immich-app/immich-charts/issues/149 for more detail.
-postgresql:
+redis:
   enabled: false
 
-redis:
+valkey:
   enabled: true
-  architecture: standalone
-  auth:
-    enabled: false
+  image:
+    repository: docker.io/valkey/valkey
+    tag: 8.0-alpine
+    pullPolicy: IfNotPresent
+  persistence:
+    data:
+      enabled: true
+      size: 1Gi
+      # Optional: Set this to pvc to keep job queues persistent
+      type: pvc
+      accessMode: ReadWriteOnce
 
 # Immich components
 server:
@@ -74,7 +77,7 @@ server:
             - placeholder.immich.app
 
 machine-learning:
-  enabled: false # disabled due to resource constraints
+  enabled: true
   image:
     repository: ghcr.io/immich-app/immich-machine-learning
     pullPolicy: IfNotPresent

kubernetes/media/jellyfin-deploy.yaml

@@ -35,7 +35,7 @@ spec:
     spec:
       containers:
         - name: jellyfin
-          image: jellyfin/jellyfin:latest
+          image: jellyfin/jellyfin:10.10.7
           ports:
             - containerPort: 8096
           volumeMounts:
@@ -52,7 +52,7 @@ spec:
             claimName: media-nfs-pvc
         - name: config
           persistentVolumeClaim:
-            claimName: plex-config-pvc
+            claimName: jellyfin-config-pvc
         - name: network-config
           configMap:
             name: jellyfin-network-config

kubernetes/media/jellyfin-fix.yaml

@@ -0,0 +1,17 @@
+apiVersion: v1
+kind: Pod
+metadata:
+  name: jellyfin-fix
+  namespace: media
+spec:
+  containers:
+  - name: helper
+    image: busybox
+    command: ["sleep", "3600"]
+    volumeMounts:
+    - name: jellyfin-config
+      mountPath: /config
+  volumes:
+  - name: jellyfin-config
+    persistentVolumeClaim:
+      claimName: plex-config-pvc

kubernetes/media/pvc-longhorn.yaml

@@ -1,7 +1,7 @@
 apiVersion: v1
 kind: PersistentVolumeClaim
 metadata:
-  name: plex-config-pvc
+  name: jellyfin-config-pvc
 spec:
   accessModes:
     - ReadWriteOnce

kubernetes/minio/values-tenant.yaml

@@ -497,10 +497,7 @@ ingress:
     ingressClassName: "nginx"
     labels: {}
     annotations:
-      traefik.ingress.kubernetes.io/router.entrypoints: websecure
       cert-manager.io/cluster-issuer: "acme-issuer"
-      traefik.ingress.kubernetes.io/service.serversTransport: insecure-transport
-      traefik.ingress.kubernetes.io/router.middlewares: kube-system-ip-whitelist@kubernetescrd
     tls:
       - secretName: minio-console-tls
         hosts:

kubernetes/paperless-ngx/manifest.yaml

@@ -0,0 +1,195 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: paperless-ngx
+---
+apiVersion: v1
+kind: PersistentVolumeClaim
+metadata:
+  name: redis-data
+  namespace: paperless-ngx
+spec:
+  accessModes:
+    - ReadWriteOnce
+  resources:
+    requests:
+      storage: 1Gi
+---
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: paperless-config
+  namespace: paperless-ngx
+data:
+  PAPERLESS_REDIS: "redis://redis:6379"
+  PAPERLESS_URL: "https://${PAPERLESS_HOST}"
+  PAPERLESS_TIME_ZONE: "Europe/Helsinki"
+  PAPERLESS_OCR_LANGUAGE: "eng"
+  PAPERLESS_SECRET_KEY: "change-me-to-a-secure-secret-key"
+  PAPERLESS_CSRF_TRUSTED_ORIGINS: "https://${PAPERLESS_HOST}"
+  PAPERLESS_USE_X_FORWARD_HOST: "true"
+  PAPERLESS_USE_X_FORWARD_PORT: "true"
+---
+apiVersion: v1
+kind: PersistentVolumeClaim
+metadata:
+  name: paperless-data
+  namespace: paperless-ngx
+spec:
+  accessModes:
+    - ReadWriteOnce
+  resources:
+    requests:
+      storage: 5Gi
+---
+apiVersion: v1
+kind: PersistentVolumeClaim
+metadata:
+  name: paperless-media
+  namespace: paperless-ngx
+spec:
+  accessModes:
+    - ReadWriteOnce
+  resources:
+    requests:
+      storage: 5Gi
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: redis
+  namespace: paperless-ngx
+spec:
+  replicas: 1
+  selector:
+    matchLabels:
+      app: redis
+  template:
+    metadata:
+      labels:
+        app: redis
+    spec:
+      containers:
+        - name: redis
+          image: redis:7
+          ports:
+            - containerPort: 6379
+          volumeMounts:
+            - name: redis-data
+              mountPath: /data
+          resources:
+            requests:
+              memory: "128Mi"
+              cpu: "50m"
+            limits:
+              memory: "256Mi"
+              cpu: "200m"
+      volumes:
+        - name: redis-data
+          persistentVolumeClaim:
+            claimName: redis-data
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: paperless-ngx
+  namespace: paperless-ngx
+spec:
+  replicas: 1
+  selector:
+    matchLabels:
+      app: paperless-ngx
+  template:
+    metadata:
+      labels:
+        app: paperless-ngx
+    spec:
+      containers:
+        - name: paperless-ngx
+          image: ghcr.io/paperless-ngx/paperless-ngx:latest
+          ports:
+            - containerPort: 8000
+          envFrom:
+            - configMapRef:
+                name: paperless-config
+          volumeMounts:
+            - name: paperless-data
+              mountPath: /usr/src/paperless/data
+            - name: paperless-media
+              mountPath: /usr/src/paperless/media
+          resources:
+            requests:
+              memory: "512Mi"
+              cpu: "200m"
+            limits:
+              memory: "2Gi"
+              cpu: "1000m"
+          livenessProbe:
+            httpGet:
+              path: /
+              port: 8000
+            initialDelaySeconds: 60
+            periodSeconds: 30
+          readinessProbe:
+            httpGet:
+              path: /
+              port: 8000
+            initialDelaySeconds: 30
+            periodSeconds: 10
+      volumes:
+        - name: paperless-data
+          persistentVolumeClaim:
+            claimName: paperless-data
+        - name: paperless-media
+          persistentVolumeClaim:
+            claimName: paperless-media
+---
+apiVersion: v1
+kind: Service
+metadata:
+  name: redis
+  namespace: paperless-ngx
+spec:
+  selector:
+    app: redis
+  ports:
+    - port: 6379
+      targetPort: 6379
+---
+apiVersion: v1
+kind: Service
+metadata:
+  name: paperless-ngx
+  namespace: paperless-ngx
+spec:
+  selector:
+    app: paperless-ngx
+  ports:
+    - port: 8000
+      targetPort: 8000
+  type: ClusterIP
+---
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+  name: paperless-ngx-ingress
+  namespace: paperless-ngx
+  annotations:
+    cert-manager.io/cluster-issuer: "acme-issuer"
+spec:
+  ingressClassName: nginx
+  tls:
+    - hosts:
+        - "${PAPERLESS_HOST}"
+      secretName: paperless-tls
+  rules:
+    - host: "${PAPERLESS_HOST}"
+      http:
+        paths:
+          - path: /
+            pathType: Prefix
+            backend:
+              service:
+                name: paperless-ngx
+                port:
+                  number: 8000