Transitions the Docker image to use s6 and s6-overlay for process supervision instead of supervisord (#8886)

docker/rootfs/etc/ImageMagick-6/paperless-policy.xml

@@ -0,0 +1,96 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE policymap [
+  <!ELEMENT policymap (policy)+>
+  <!ATTLIST policymap xmlns CDATA #FIXED ''>
+  <!ELEMENT policy EMPTY>
+  <!ATTLIST policy xmlns CDATA #FIXED '' domain NMTOKEN #REQUIRED
+    name NMTOKEN #IMPLIED pattern CDATA #IMPLIED rights NMTOKEN #IMPLIED
+    stealth NMTOKEN #IMPLIED value CDATA #IMPLIED>
+]>
+<!--
+  Configure ImageMagick policies.
+
+  Domains include system, delegate, coder, filter, path, or resource.
+
+  Rights include none, read, write, execute and all.  Use | to combine them,
+  for example: "read | write" to permit read from, or write to, a path.
+
+  Use a glob expression as a pattern.
+
+  Suppose we do not want users to process MPEG video images:
+
+    <policy domain="delegate" rights="none" pattern="mpeg:decode" />
+
+  Here we do not want users reading images from HTTP:
+
+    <policy domain="coder" rights="none" pattern="HTTP" />
+
+  The /repository file system is restricted to read only.  We use a glob
+  expression to match all paths that start with /repository:
+
+    <policy domain="path" rights="read" pattern="/repository/*" />
+
+  Lets prevent users from executing any image filters:
+
+    <policy domain="filter" rights="none" pattern="*" />
+
+  Any large image is cached to disk rather than memory:
+
+    <policy domain="resource" name="area" value="1GP"/>
+
+  Define arguments for the memory, map, area, width, height and disk resources
+  with SI prefixes (.e.g 100MB).  In addition, resource policies are maximums
+  for each instance of ImageMagick (e.g. policy memory limit 1GB, -limit 2GB
+  exceeds policy maximum so memory limit is 1GB).
+
+  Rules are processed in order.  Here we want to restrict ImageMagick to only
+  read or write a small subset of proven web-safe image types:
+
+    <policy domain="delegate" rights="none" pattern="*" />
+    <policy domain="filter" rights="none" pattern="*" />
+    <policy domain="coder" rights="none" pattern="*" />
+    <policy domain="coder" rights="read|write" pattern="{GIF,JPEG,PNG,WEBP}" />
+-->
+<policymap>
+  <!-- <policy domain="system" name="shred" value="2"/> -->
+  <!-- <policy domain="system" name="precision" value="6"/> -->
+  <!-- <policy domain="system" name="memory-map" value="anonymous"/> -->
+  <!-- <policy domain="system" name="max-memory-request" value="256MiB"/> -->
+  <!-- <policy domain="resource" name="temporary-path" value="/tmp"/> -->
+  <policy domain="resource" name="memory" value="256MiB"/>
+  <policy domain="resource" name="map" value="512MiB"/>
+  <policy domain="resource" name="width" value="16KP"/>
+  <policy domain="resource" name="height" value="16KP"/>
+  <!-- <policy domain="resource" name="list-length" value="128"/> -->
+  <policy domain="resource" name="area" value="128MB"/>
+  <policy domain="resource" name="disk" value="1GiB"/>
+  <!-- <policy domain="resource" name="file" value="768"/> -->
+  <!-- <policy domain="resource" name="thread" value="4"/> -->
+  <!-- <policy domain="resource" name="throttle" value="0"/> -->
+  <!-- <policy domain="resource" name="time" value="3600"/> -->
+  <!-- <policy domain="coder" rights="none" pattern="MVG" /> -->
+  <!-- <policy domain="module" rights="none" pattern="{PS,PDF,XPS}" /> -->
+  <!-- <policy domain="delegate" rights="none" pattern="HTTPS" /> -->
+  <!-- <policy domain="path" rights="none" pattern="@*" /> -->
+  <!-- <policy domain="cache" name="memory-map" value="anonymous"/> -->
+  <!-- <policy domain="cache" name="synchronize" value="True"/> -->
+  <!-- <policy domain="cache" name="shared-secret" value="passphrase" stealth="true"/> -->
+  <!-- <policy domain="system" name="pixel-cache-memory" value="anonymous"/> -->
+  <!-- <policy domain="system" name="shred" value="2"/> -->
+  <!-- <policy domain="system" name="precision" value="6"/> -->
+  <!-- not needed due to the need to use explicitly by mvg: -->
+  <!-- <policy domain="delegate" rights="none" pattern="MVG" /> -->
+  <!-- use curl -->
+  <policy domain="delegate" rights="none" pattern="URL" />
+  <policy domain="delegate" rights="none" pattern="HTTPS" />
+  <policy domain="delegate" rights="none" pattern="HTTP" />
+  <!-- in order to avoid to get image with password text -->
+  <policy domain="path" rights="none" pattern="@*"/>
+  <!-- disable ghostscript format types -->
+  <policy domain="coder" rights="none" pattern="PS" />
+  <policy domain="coder" rights="none" pattern="PS2" />
+  <policy domain="coder" rights="none" pattern="PS3" />
+  <policy domain="coder" rights="none" pattern="EPS" />
+  <policy domain="coder" rights="read|write" pattern="PDF" />
+  <policy domain="coder" rights="none" pattern="XPS" />
+</policymap>

docker/rootfs/etc/s6-overlay/s6-rc.d/init-complete/run

@@ -0,0 +1,8 @@
+#!/command/with-contenv /usr/bin/bash
+# shellcheck shell=bash
+declare -r log_prefix="[init-complete]"
+declare -r end_time=$(date +%s)
+declare -r start_time=${PAPERLESS_START_TIME_S}
+
+echo "${log_prefix} paperless-ngx docker container init completed in $(($end_time-$start_time)) seconds"
+echo "${log_prefix} Starting services"

docker/rootfs/etc/s6-overlay/s6-rc.d/init-complete/type

@@ -0,0 +1 @@
+oneshot

docker/rootfs/etc/s6-overlay/s6-rc.d/init-complete/up

@@ -0,0 +1 @@
+/etc/s6-overlay/s6-rc.d/init-complete/run

docker/rootfs/etc/s6-overlay/s6-rc.d/init-custom-init/run

@@ -0,0 +1,44 @@
+#!/command/with-contenv /usr/bin/bash
+# shellcheck shell=bash
+
+declare -r log_prefix="[custom-init]"
+
+# Mostly borrowed from the LinuxServer.io base image
+# https://github.com/linuxserver/docker-baseimage-ubuntu/tree/bionic/root/etc/cont-init.d
+declare -r custom_script_dir="/custom-cont-init.d"
+
+# Tamper checking.
+# Don't run files which are owned by anyone except root
+# Don't run files which are writeable by others
+if [ -d "${custom_script_dir}" ]; then
+	if [ -n "$(/usr/bin/find "${custom_script_dir}" -maxdepth 1 ! -user root)" ]; then
+		echo "${log_prefix} **** Potential tampering with custom scripts detected ****"
+		echo "${log_prefix} **** The folder '${custom_script_dir}' must be owned by root ****"
+		exit 0
+	fi
+	if [ -n "$(/usr/bin/find "${custom_script_dir}" -maxdepth 1 -perm -o+w)" ]; then
+		echo "${log_prefix} **** The folder '${custom_script_dir}' or some of contents have write permissions for others, which is a security risk. ****"
+		echo "${log_prefix} **** Please review the permissions and their contents to make sure they are owned by root, and can only be modified by root. ****"
+		exit 0
+	fi
+
+	# Make sure custom init directory has files in it
+	if [ -n "$(/bin/ls --almost-all "${custom_script_dir}" 2>/dev/null)" ]; then
+		echo "${log_prefix} files found in ${custom_script_dir} executing"
+		# Loop over files in the directory
+		for SCRIPT in "${custom_script_dir}"/*; do
+			NAME="$(basename "${SCRIPT}")"
+			if [ -f "${SCRIPT}" ]; then
+				echo "${log_prefix} ${NAME}: executing..."
+				/command/with-contenv /bin/bash "${SCRIPT}"
+				echo "${log_prefix} ${NAME}: exited $?"
+			elif [ ! -f "${SCRIPT}" ]; then
+				echo "${log_prefix} ${NAME}: is not a file"
+			fi
+		done
+	else
+		echo "${log_prefix} no custom files found exiting..."
+	fi
+else
+	echo "${log_prefix} ${custom_script_dir} doesn't exist, nothing to do"
+fi

docker/rootfs/etc/s6-overlay/s6-rc.d/init-custom-init/type

@@ -0,0 +1 @@
+oneshot

docker/rootfs/etc/s6-overlay/s6-rc.d/init-custom-init/up

@@ -0,0 +1 @@
+/etc/s6-overlay/s6-rc.d/init-custom-init/run

docker/rootfs/etc/s6-overlay/s6-rc.d/init-env-file/run

@@ -0,0 +1,30 @@
+#!/command/with-contenv /usr/bin/bash
+# shellcheck shell=bash
+
+declare -r log_prefix="[env-init]"
+
+echo "${log_prefix} Checking for environment from files"
+
+if find /run/s6/container_environment/*"_FILE" -maxdepth 1 > /dev/null 2>&1; then
+	for FILENAME in /run/s6/container_environment/*; do
+		if [[ "${FILENAME##*/}" == PAPERLESS_*_FILE ]]; then
+			# This should have been named different..
+			if [[ ${FILENAME} == "PAPERLESS_OCR_SKIP_ARCHIVE_FILE" || ${FILENAME} == "PAPERLESS_MODEL_FILE" ]]; then
+				continue
+			fi
+			SECRETFILE=$(cat "${FILENAME}")
+			# Check the file exists
+			if [[ -f ${SECRETFILE} ]]; then
+				# Trim off trailing _FILE
+				FILESTRIP=${FILENAME//_FILE/}
+				# Set environment variable
+				cat "${SECRETFILE}" > "${FILESTRIP}"
+				echo "${log_prefix} ${FILESTRIP##*/} set from ${FILENAME##*/}"
+			else
+				echo "${log_prefix} cannot find secret in ${FILENAME##*/}"
+			fi
+		fi
+	done
+else
+		echo "${log_prefix} No *_FILE environment found"
+fi

docker/rootfs/etc/s6-overlay/s6-rc.d/init-env-file/type

@@ -0,0 +1 @@
+oneshot

docker/rootfs/etc/s6-overlay/s6-rc.d/init-env-file/up

@@ -0,0 +1 @@
+/etc/s6-overlay/s6-rc.d/init-env-file/run

docker/rootfs/etc/s6-overlay/s6-rc.d/init-folders/run

@@ -0,0 +1,33 @@
+#!/command/with-contenv /usr/bin/bash
+# shellcheck shell=bash
+
+declare -r log_prefix="[init-folders]"
+
+declare -r export_dir="/usr/src/paperless/export"
+declare -r data_dir="${PAPERLESS_DATA_DIR:-/usr/src/paperless/data}"
+declare -r media_root_dir="${PAPERLESS_MEDIA_ROOT:-/usr/src/paperless/media}"
+declare -r consume_dir="${PAPERLESS_CONSUMPTION_DIR:-/usr/src/paperless/consume}"
+declare -r tmp_dir="${PAPERLESS_SCRATCH_DIR:=/tmp/paperless}"
+
+echo "${log_prefix} Checking for folder existence"
+
+for dir in \
+	"${export_dir}" \
+	"${data_dir}" "${data_dir}/index" \
+	"${media_root_dir}" "${media_root_dir}/documents" "${media_root_dir}/documents/originals" "${media_root_dir}/documents/thumbnails" \
+	"${consume_dir}" \
+	"${tmp_dir}"; do
+	if [[ ! -d "${dir}" ]]; then
+		mkdir --parents --verbose "${dir}"
+	fi
+done
+
+echo "${log_prefix} Adjusting file and folder permissions"
+for dir in \
+	"${export_dir}" \
+	"${data_dir}" \
+	"${media_root_dir}" \
+	"${consume_dir}" \
+	"${tmp_dir}"; do
+	find "${dir}" -not \( -user paperless -and -group paperless \) -exec chown --changes paperless:paperless {} +
+done

docker/rootfs/etc/s6-overlay/s6-rc.d/init-folders/type

@@ -0,0 +1 @@
+oneshot

docker/rootfs/etc/s6-overlay/s6-rc.d/init-folders/up

@@ -0,0 +1 @@
+/etc/s6-overlay/s6-rc.d/init-folders/run

docker/rootfs/etc/s6-overlay/s6-rc.d/init-migrations/run

@@ -0,0 +1,20 @@
+#!/command/with-contenv /usr/bin/bash
+# shellcheck shell=bash
+declare -r log_prefix="[init-migrations]"
+declare -r data_dir="${PAPERLESS_DATA_DIR:-/usr/src/paperless/data}"
+
+(
+	# flock is in place to prevent multiple containers from doing migrations
+	# simultaneously. This also ensures that the db is ready when the command
+	# of the current container starts.
+	flock 200
+	echo "${log_prefix} Apply database migrations..."
+	cd "${PAPERLESS_SRC_DIR}"
+
+	if [[ -n "${USER_IS_NON_ROOT}" ]]; then
+		exec python3 manage.py migrate --skip-checks --no-input
+	else
+		exec s6-setuidgid paperless python3 manage.py migrate --skip-checks --no-input
+	fi
+
+) 200>"${data_dir}/migration_lock"

docker/rootfs/etc/s6-overlay/s6-rc.d/init-migrations/type

@@ -0,0 +1 @@
+oneshot

docker/rootfs/etc/s6-overlay/s6-rc.d/init-migrations/up

@@ -0,0 +1 @@
+/etc/s6-overlay/s6-rc.d/init-migrations/run

docker/rootfs/etc/s6-overlay/s6-rc.d/init-modify-user/run

@@ -0,0 +1,22 @@
+#!/command/with-contenv /usr/bin/bash
+# shellcheck shell=bash
+declare -r log_prefix="[init-user]"
+
+declare -r usermap_original_uid=$(id -u paperless)
+declare -r usermap_original_gid=$(id -g paperless)
+declare -r usermap_new_uid=${USERMAP_UID:-$usermap_original_uid}
+declare -r usermap_new_gid=${USERMAP_GID:-${usermap_original_gid:-$usermap_new_uid}}
+
+if [[ ${usermap_new_uid} != "${usermap_original_uid}" ]]; then
+	echo "${log_prefix} Mapping UID for paperless to $usermap_new_uid"
+	usermod --non-unique --uid "${usermap_new_uid}" paperless
+else
+	echo "${log_prefix} No UID changes for paperless"
+fi
+
+if [[ ${usermap_new_gid} != "${usermap_original_gid}" ]]; then
+	echo "${log_prefix} Mapping GID for paperless to $usermap_new_gid"
+	groupmod --non-unique --gid "${usermap_new_gid}" paperless
+else
+	echo "${log_prefix} No GID changes for paperless"
+fi

docker/rootfs/etc/s6-overlay/s6-rc.d/init-modify-user/type

@@ -0,0 +1 @@
+oneshot

docker/rootfs/etc/s6-overlay/s6-rc.d/init-modify-user/up

@@ -0,0 +1 @@
+/etc/s6-overlay/s6-rc.d/init-modify-user/run

docker/rootfs/etc/s6-overlay/s6-rc.d/init-search-index/run

@@ -0,0 +1,28 @@
+#!/command/with-contenv /usr/bin/bash
+# shellcheck shell=bash
+
+declare -r log_prefix="[init-index]"
+
+declare -r index_version=9
+declare -r data_dir="${PAPERLESS_DATA_DIR:-/usr/src/paperless/data}"
+declare -r index_version_file="${data_dir}/.index_version"
+
+update_index () {
+	echo "${log_prefix} Search index out of date. Updating..."
+	cd "${PAPERLESS_SRC_DIR}"
+	if [[ -n "${USER_IS_NON_ROOT}" ]]; then
+		python3 manage.py document_index reindex --no-progress-bar
+		echo ${index_version} | tee "${index_version_file}" > /dev/null
+	else
+		s6-setuidgid paperless python3 manage.py document_index reindex --no-progress-bar
+		echo ${index_version} | s6-setuidgid paperless tee "${index_version_file}" > /dev/null
+	fi
+}
+
+if [[ (! -f "${index_version_file}") ]]; then
+	echo "${log_prefix} No index version file found"
+	update_index
+elif [[ $(<"${index_version_file}") != "$index_version" ]]; then
+	echo "${log_prefix} index version updated"
+	update_index
+fi

docker/rootfs/etc/s6-overlay/s6-rc.d/init-search-index/type

@@ -0,0 +1 @@
+oneshot

docker/rootfs/etc/s6-overlay/s6-rc.d/init-search-index/up

@@ -0,0 +1 @@
+/etc/s6-overlay/s6-rc.d/init-search-index/run

docker/rootfs/etc/s6-overlay/s6-rc.d/init-start/run

@@ -0,0 +1,19 @@
+#!/command/with-contenv /usr/bin/bash
+# shellcheck shell=bash
+
+declare -r log_prefix="[init-start]"
+
+echo "${log_prefix} paperless-ngx docker container starting..."
+
+# Set some directories into environment for other steps to access via environment
+# Sort of like variables for later
+printf "/usr/src/paperless/src" > /var/run/s6/container_environment/PAPERLESS_SRC_DIR
+echo $(date +%s) > /var/run/s6/container_environment/PAPERLESS_START_TIME_S
+
+# Check if we're starting as a non-root user
+if [ $(id -u) == $(id -u paperless) ]; then
+	printf "true" > /var/run/s6/container_environment/USER_IS_NON_ROOT
+	echo "${log_prefix}  paperless-ngx docker container running under a user"
+else
+	echo "${log_prefix}  paperless-ngx docker container starting init as root"
+fi

docker/rootfs/etc/s6-overlay/s6-rc.d/init-start/type

@@ -0,0 +1 @@
+oneshot

docker/rootfs/etc/s6-overlay/s6-rc.d/init-start/up

@@ -0,0 +1 @@
+/etc/s6-overlay/s6-rc.d/init-start/run

docker/rootfs/etc/s6-overlay/s6-rc.d/init-superuser/run

@@ -0,0 +1,20 @@
+#!/command/with-contenv /usr/bin/bash
+# shellcheck shell=bash
+
+declare -r log_prefix="[init-superuser]"
+
+if [[ -n "${PAPERLESS_ADMIN_USER}" ]]; then
+	echo "${log_prefix} Creating superuser..."
+	cd "${PAPERLESS_SRC_DIR}"
+
+	if [[ -n "${USER_IS_NON_ROOT}" ]]; then
+		python3 manage.py manage_superuser
+	else
+		s6-setuidgid paperless python3 manage.py manage_superuser
+	fi
+
+	echo "${log_prefix} Superuser creation done"
+
+else
+	echo "${log_prefix} Not creating superuser"
+fi

docker/rootfs/etc/s6-overlay/s6-rc.d/init-superuser/type

@@ -0,0 +1 @@
+oneshot

docker/rootfs/etc/s6-overlay/s6-rc.d/init-superuser/up

@@ -0,0 +1 @@
+/etc/s6-overlay/s6-rc.d/init-superuser/run

docker/rootfs/etc/s6-overlay/s6-rc.d/init-system-checks/run

@@ -0,0 +1,15 @@
+#!/command/with-contenv /usr/bin/bash
+# shellcheck shell=bash
+
+declare -r log_prefix="[init-checks]"
+
+# Explicitly run the Django system checks
+echo "${log_prefix} Running Django checks"
+
+cd "${PAPERLESS_SRC_DIR}"
+
+if [[ -n "${USER_IS_NON_ROOT}" ]]; then
+	python3 manage.py check
+else
+	s6-setuidgid paperless python3 manage.py check
+fi

docker/rootfs/etc/s6-overlay/s6-rc.d/init-system-checks/type

@@ -0,0 +1 @@
+oneshot

docker/rootfs/etc/s6-overlay/s6-rc.d/init-system-checks/up

@@ -0,0 +1 @@
+/etc/s6-overlay/s6-rc.d/init-system-checks/run

docker/rootfs/etc/s6-overlay/s6-rc.d/init-tesseract-langs/run

@@ -0,0 +1,65 @@
+#!/command/with-contenv /usr/bin/bash
+# shellcheck shell=bash
+
+declare -r log_prefix="[init-tesseract-langs]"
+
+install_languages() {
+	echo "Installing languages..."
+
+	read -ra langs <<<"$1"
+
+	# Check that it is not empty
+	if [ ${#langs[@]} -eq 0 ]; then
+		return
+	fi
+
+	# Build list of packages to install
+	to_install=()
+	for lang in "${langs[@]}"; do
+		pkg="tesseract-ocr-$lang"
+
+		if dpkg --status "$pkg" &>/dev/null; then
+			echo "${log_prefix} Package $pkg already installed!"
+			continue
+		else
+			to_install+=("$pkg")
+		fi
+	done
+
+	# Use apt only when we install packages
+	if [ ${#to_install[@]} -gt 0 ]; then
+
+		# Warn the user if they're not root, but try anyway
+		if [[ -n "${USER_IS_NON_ROOT}" ]]; then
+			echo "${log_prefix} ERROR: Unable to install language ${pkg} as non-root, startup may fail"
+		fi
+
+		apt-get --quiet update &>/dev/null
+
+		for pkg in "${to_install[@]}"; do
+			if ! apt-cache --quiet show "$pkg" &>/dev/null; then
+				echo "${log_prefix} Skipped $pkg: Package not found! :("
+				continue
+			fi
+			echo "${log_prefix} Installing package $pkg..."
+			if ! apt-get --quiet --assume-yes install "$pkg" &>/dev/null; then
+				echo "${log_prefix} Could not install $pkg"
+				exit 1
+			else
+				echo "${log_prefix} Installed $pkg"
+			fi
+		done
+
+	fi
+}
+
+echo "${log_prefix} Checking if additional teseract languages needed"
+
+# Install additional languages if specified
+if [[ -n "$PAPERLESS_OCR_LANGUAGES" ]]; then
+
+	install_languages "$PAPERLESS_OCR_LANGUAGES"
+	echo "${log_prefix} Additional packages installed"
+else
+	echo "${log_prefix} No additional installs requested"
+fi

docker/rootfs/etc/s6-overlay/s6-rc.d/init-tesseract-langs/type

@@ -0,0 +1 @@
+oneshot

docker/rootfs/etc/s6-overlay/s6-rc.d/init-tesseract-langs/up

@@ -0,0 +1 @@
+/etc/s6-overlay/s6-rc.d/init-tesseract-langs/run

docker/rootfs/etc/s6-overlay/s6-rc.d/init-wait-for-db/run

@@ -0,0 +1,70 @@
+#!/command/with-contenv /usr/bin/bash
+# shellcheck shell=bash
+
+declare -r log_prefix="[init-db-wait]"
+
+wait_for_postgres() {
+	local attempt_num=1
+	local -r max_attempts=5
+
+	echo "${log_prefix} Waiting for PostgreSQL to start..."
+
+	local -r host="${PAPERLESS_DBHOST:-localhost}"
+	local -r port="${PAPERLESS_DBPORT:-5432}"
+	local -r user="${PAPERLESS_DBUSER:-paperless}"
+
+	# Disable warning, host and port can't have spaces
+	# shellcheck disable=SC2086
+	while [ ! "$(pg_isready -h ${host} -p ${port} --username ${user})" ]; do
+
+		if [ $attempt_num -eq $max_attempts ]; then
+			echo "${log_prefix} Unable to connect to database."
+			exit 1
+		else
+			echo "${log_prefix} Attempt $attempt_num failed! Trying again in 5 seconds..."
+		fi
+
+		attempt_num=$(("$attempt_num" + 1))
+		sleep 5
+	done
+	# Extra in case this is a first start
+	sleep 5
+	echo "Connected to PostgreSQL"
+}
+
+wait_for_mariadb() {
+	echo "${log_prefix} Waiting for MariaDB to start..."
+
+	local -r host="${PAPERLESS_DBHOST:=localhost}"
+	local -r port="${PAPERLESS_DBPORT:=3306}"
+
+	local attempt_num=1
+	local -r max_attempts=5
+
+	# Disable warning, host and port can't have spaces
+	# shellcheck disable=SC2086
+	while ! true > /dev/tcp/$host/$port; do
+
+		if [ $attempt_num -eq $max_attempts ]; then
+			echo "${log_prefix} Unable to connect to database."
+			exit 1
+		else
+			echo "${log_prefix} Attempt $attempt_num failed! Trying again in 5 seconds..."
+
+		fi
+
+		attempt_num=$(("$attempt_num" + 1))
+		sleep 5
+	done
+	echo "Connected to MariaDB"
+}
+
+if [[ "${PAPERLESS_DBENGINE}" == "mariadb" ]]; then
+	echo "${log_prefix} Waiting for MariaDB to report ready"
+	wait_for_mariadb
+elif [[ -n "${PAPERLESS_DBHOST}" ]]; then
+	echo "${log_prefix} Waiting for postgresql to report ready"
+	wait_for_postgres
+fi
+
+	echo "${log_prefix} Database is ready"

docker/rootfs/etc/s6-overlay/s6-rc.d/init-wait-for-db/type

@@ -0,0 +1 @@
+oneshot

docker/rootfs/etc/s6-overlay/s6-rc.d/init-wait-for-db/up

@@ -0,0 +1 @@
+/etc/s6-overlay/s6-rc.d/init-wait-for-db/run

docker/rootfs/etc/s6-overlay/s6-rc.d/init-wait-for-redis/run

@@ -0,0 +1,14 @@
+#!/command/with-contenv /usr/bin/bash
+# shellcheck shell=bash
+
+declare -r log_prefix="[init-redis-wait]"
+
+echo "${log_prefix} Waiting for Redis to report ready"
+
+# We use a Python script to send the Redis ping
+# instead of installing redis-tools just for 1 thing
+if ! python3 /usr/local/bin/wait-for-redis.py; then
+	exit 1
+else
+	echo "${log_prefix} Redis ready"
+fi

docker/rootfs/etc/s6-overlay/s6-rc.d/init-wait-for-redis/type

@@ -0,0 +1 @@
+oneshot

docker/rootfs/etc/s6-overlay/s6-rc.d/init-wait-for-redis/up

@@ -0,0 +1 @@
+/etc/s6-overlay/s6-rc.d/init-wait-for-redis/run

docker/rootfs/etc/s6-overlay/s6-rc.d/svc-consumer/run

@@ -0,0 +1,10 @@
+#!/command/with-contenv /usr/bin/bash
+# shellcheck shell=bash
+
+cd ${PAPERLESS_SRC_DIR}
+
+if [[ -n "${USER_IS_NON_ROOT}" ]]; then
+	exec python3 manage.py document_consumer
+else
+	exec s6-setuidgid paperless python3 manage.py document_consumer
+fi

docker/rootfs/etc/s6-overlay/s6-rc.d/svc-consumer/type

@@ -0,0 +1 @@
+longrun

docker/rootfs/etc/s6-overlay/s6-rc.d/svc-flower/run

@@ -0,0 +1,24 @@
+#!/command/with-contenv /usr/bin/bash
+# shellcheck shell=bash
+
+declare -r log_prefix="[svc-flower]"
+
+echo "${log_prefix} Checking if we should start flower..."
+
+if [[ -n "${PAPERLESS_ENABLE_FLOWER}" ]]; then
+	# Small delay to allow celery to be up first
+	echo "${log_prefix} Starting flower in 5s"
+	sleep 5
+	cd ${PAPERLESS_SRC_DIR}
+
+	if [[ -n "${USER_IS_NON_ROOT}" ]]; then
+		exec /usr/local/bin/celery --app paperless flower --conf=${PAPERLESS_SRC_DIR}/paperless/flowerconfig.py
+	else
+		exec s6-setuidgid paperless /usr/local/bin/celery --app paperless flower --conf=${PAPERLESS_SRC_DIR}/paperless/flowerconfig.py
+	fi
+
+else
+	echo "${log_prefix} Not starting flower"
+	# https://skarnet.org/software/s6/s6-svc.html
+	s6-svc -Od .
+fi

docker/rootfs/etc/s6-overlay/s6-rc.d/svc-flower/type

@@ -0,0 +1 @@
+longrun

docker/rootfs/etc/s6-overlay/s6-rc.d/svc-scheduler/run

@@ -0,0 +1,10 @@
+#!/command/with-contenv /usr/bin/bash
+# shellcheck shell=bash
+
+cd ${PAPERLESS_SRC_DIR}
+
+if [[ -n "${USER_IS_NON_ROOT}" ]]; then
+	exec /usr/local/bin/celery --app paperless beat --loglevel INFO
+else
+	exec s6-setuidgid paperless /usr/local/bin/celery --app paperless beat --loglevel INFO
+fi

docker/rootfs/etc/s6-overlay/s6-rc.d/svc-scheduler/type

@@ -0,0 +1 @@
+longrun

docker/rootfs/etc/s6-overlay/s6-rc.d/svc-webserver/run

@@ -0,0 +1,10 @@
+#!/command/with-contenv /usr/bin/bash
+# shellcheck shell=bash
+
+cd ${PAPERLESS_SRC_DIR}
+
+if [[ -n "${USER_IS_NON_ROOT}" ]]; then
+	exec /usr/local/bin/gunicorn -c /usr/src/paperless/gunicorn.conf.py paperless.asgi:application
+else
+	exec s6-setuidgid paperless /usr/local/bin/gunicorn -c /usr/src/paperless/gunicorn.conf.py paperless.asgi:application
+fi

docker/rootfs/etc/s6-overlay/s6-rc.d/svc-webserver/type

@@ -0,0 +1 @@
+longrun

docker/rootfs/etc/s6-overlay/s6-rc.d/svc-worker/run

@@ -0,0 +1,10 @@
+#!/command/with-contenv /usr/bin/bash
+# shellcheck shell=bash
+
+cd ${PAPERLESS_SRC_DIR}
+
+if [[ -n "${USER_IS_NON_ROOT}" ]]; then
+	exec /usr/local/bin/celery --app paperless worker --loglevel INFO --without-mingle --without-gossip
+else
+	exec s6-setuidgid paperless /usr/local/bin/celery --app paperless worker --loglevel INFO --without-mingle --without-gossip
+fi

docker/rootfs/etc/s6-overlay/s6-rc.d/svc-worker/type

@@ -0,0 +1 @@
+longrun

docker/rootfs/usr/local/bin/convert_mariadb_uuid

@@ -0,0 +1,14 @@
+#!/command/with-contenv /usr/bin/bash
+# shellcheck shell=bash
+
+set -e
+
+cd "${PAPERLESS_SRC_DIR}"
+
+if [[ $(id -u) == 0 ]]; then
+	s6-setuidgid paperless python3 manage.py convert_mariadb_uuid "$@"
+elif [[ $(id -un) == "paperless" ]]; then
+	python3 manage.py convert_mariadb_uuid "$@"
+else
+	echo "Unknown user."
+fi

docker/rootfs/usr/local/bin/decrypt_documents

@@ -0,0 +1,14 @@
+#!/command/with-contenv /usr/bin/bash
+# shellcheck shell=bash
+
+set -e
+
+cd "${PAPERLESS_SRC_DIR}"
+
+if [[ $(id -u) == 0 ]]; then
+	s6-setuidgid paperless python3 manage.py decrypt_documents "$@"
+elif [[ $(id -un) == "paperless" ]]; then
+	python3 manage.py decrypt_documents "$@"
+else
+	echo "Unknown user."
+fi

docker/rootfs/usr/local/bin/document_archiver

@@ -0,0 +1,14 @@
+#!/command/with-contenv /usr/bin/bash
+# shellcheck shell=bash
+
+set -e
+
+cd "${PAPERLESS_SRC_DIR}"
+
+if [[ $(id -u) == 0 ]]; then
+	s6-setuidgid paperless python3 manage.py document_archiver "$@"
+elif [[ $(id -un) == "paperless" ]]; then
+	python3 manage.py document_archiver "$@"
+else
+	echo "Unknown user."
+fi