Homelab Science

Paperless-ngx, Syncthing and rootless Podman

I finally migrated Paperless-ngx, the last remaining service, from Docker on Synology to rootless Podman on Fedora CoreOS. The official documentation provides steps to run rootless, but I had to tweak them a little bit to fit my use case.

I run Paperless-ngx with two sidecar containers to allow deployment as a self-contained service:

  • Tailscale with Serve for remote connectivity
  • Syncthing for synchronizing document files (this is the part that required tweaking)

Paperless-ngx has three key directories:

  • data - stores the SQLite database, Celery configuration and logs
  • consume - scanned for new documents to ingest
  • media - stores the original and processed document files as well as thumbnails

In my setup the first directory is local-only while the other two are synced with a laptop and a NAS using Syncthing. This requires both Paperless-ngx and Syncthing to have read/write access to the relevant directories (consume, media/documents/archive, media/documents/originals). Since Paperless changes ownership of these folders at startup, it runs as root within the container, and the paperless user’s UID and GID are mapped to 0.

UserNS=host
Environment=USERMAP_UID=0
Environment=USERMAP_GID=0

This ensures the directories and files retain the permissions of the user running the Podman containers for both services and there are no permission conflicts.

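One other step to remember is to mount the volumes shared between Paperless-ngx and Syncthing with the shared SELinux content label (the lowercase :z volume option), so that both containers are allowed to access the same files.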

Volume=%h/consume/:/usr/src/paperless/consume:z
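To confirm the result on the host, the following added example (not part of the original post) checks that everything under a shared directory is owned by the user running Podman and carries the shared label rather than a private per-container one. The function names are made up for illustration, and it assumes GNU stat on an SELinux-enabled host.

```shell
#!/bin/sh
# Added example, not from the original post: audit a directory that is
# bind-mounted into both the Paperless-ngx and the Syncthing container.

# Classify an SELinux context by its type and MCS level.
#   :z relabels to container_file_t at plain s0          -> shared
#   :Z relabels to container_file_t at s0:cN,cM (unique) -> private
#   anything else (e.g. user_home_t, never relabeled)    -> other
label_kind() {
    case $1 in
        *:container_file_t:s0)    echo shared ;;
        *:container_file_t:s0:c*) echo private ;;
        *)                        echo other ;;
    esac
}

# Emit one finding per problem for a single entry; prints nothing if clean.
# Arguments: expected-uid actual-uid selinux-context path
check_entry() {
    [ "$2" = "$1" ] || echo "owner uid=$2 (want $1): $4"
    kind=$(label_kind "$3")
    [ "$kind" = shared ] || echo "label $kind ($3): $4"
}

# Walk a directory on the host. With rootless Podman and USERMAP_UID=0,
# files written by container root show up under the invoking user's UID,
# so that UID is the default expectation. Returns 1 if anything is off.
audit_shared_dir() {
    want=${2:-$(id -u)}
    report=$(find "$1" -exec stat -c '%u %C %n' {} + |
        while read -r uid ctx path; do
            check_entry "$want" "$uid" "$ctx" "$path"
        done)
    [ -z "$report" ] && return 0
    printf '%s\n' "$report"
    return 1
}

# Usage: ./audit.sh ~/consume [expected-uid]
if [ "$#" -gt 0 ]; then
    audit_shared_dir "$@"
fi
```

A "private" finding usually means one of the two units mounts the directory with :Z, which locks the other container out; an "owner" finding means something wrote to the directory outside the rootless user's mapping.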