diff --git a/legacy/projects/docker_swarm/ansible/playbooks/stacks.yml b/legacy/projects/docker_swarm/ansible/playbooks/stacks.yml
index 40cac0a..4b20139 100644
--- a/legacy/projects/docker_swarm/ansible/playbooks/stacks.yml
+++ b/legacy/projects/docker_swarm/ansible/playbooks/stacks.yml
@@ -15,3 +15,4 @@
 - {role: nextcloud, tags: nextcloud}
 - {role: syncthing, tags: syncthing}
 - {role: kitchenowl, tags: kitchenowl}
+ - {role: paperless-ngx, tags: paperless-ngx}
diff --git a/legacy/projects/docker_swarm/ansible/roles/paperless-ngx/docker-stack.yml.j2 b/legacy/projects/docker_swarm/ansible/roles/paperless-ngx/docker-stack.yml.j2
new file mode 100644
index 0000000..42e5f1b
--- /dev/null
+++ b/legacy/projects/docker_swarm/ansible/roles/paperless-ngx/docker-stack.yml.j2
@@ -0,0 +1,113 @@
+# vi: ft=yaml
+# Docker Compose file for running paperless from the Docker Hub.
+# This file contains everything paperless needs to run.
+# Paperless supports amd64, arm and arm64 hardware.
+#
+# All compose files of paperless configure paperless in the following way:
+#
+# - Paperless is (re)started on system boot, if it was running before shutdown.
+# - Docker volumes for storing data are managed by Docker.
+# - Folders for importing and exporting files are created in the same directory
+# as this file and mounted to the correct folders inside the container.
+# - Paperless listens on port 8000.
+#
+# In addition to that, this Docker Compose file adds the following optional
+# configurations:
+#
+# - Instead of SQLite (default), PostgreSQL is used as the database server.
+#
+# To install and update paperless with this file, do the following:
+#
+# - Copy this file as 'docker-compose.yml' and the files 'docker-compose.env'
+# and '.env' into a folder.
+# - Run 'docker compose pull'.
+# - Run 'docker compose run --rm webserver createsuperuser' to create a user.
+# - Run 'docker compose up -d'.
+#
+# For more extensive installation and update instructions, refer to the
+# documentation.
+
+version: "3.7"
+
+networks:
+ traefik:
+ external: true
+ paperless-ngx:
+
+volumes:
+ data:
+ driver_opts:
+ type: "nfs"
+ o: "addr=lewis.dmz,nolock,soft,rw"
+ device: ":/mnt/data/nfs/paperless-ngx/data"
+ redisdata:
+ driver_opts:
+ type: "nfs"
+ o: "addr=lewis.dmz,nolock,soft,rw"
+ device: ":/mnt/data/nfs/paperless-ngx/redisdata"
+ nextcloud:
+ driver_opts:
+ type: "nfs"
+ o: "addr=lewis.dmz,nolock,soft,rw"
+ device: ":/mnt/data/nfs/nextcloud/data"
+
+services:
+ broker:
+ image: docker.io/library/redis:7
+ volumes:
+ - type: volume
+ source: redisdata
+ target: /data
+ volume:
+ nocopy: true
+ networks:
+ - paperless-ngx
+
+ webserver:
+ image: ghcr.io/paperless-ngx/paperless-ngx:2.3
+ depends_on:
+ - broker
+ volumes:
+ - type: volume
+ source: data
+ target: /data
+ volume:
+ nocopy: true
+ # TODO: what does this directory even do?
+ # - ./export:/usr/src/paperless/export
+ - type: volume
+ source: nextcloud
+ target: /nextcloud
+ volume:
+ nocopy: true
+ environment:
+ PAPERLESS_REDIS: redis://broker:6379
+ PAPERLESS_DBENGINE: postgresql
+ PAPERLESS_DBHOST: lewis.dmz
+ PAPERLESS_DBNAME: paperless
+ PAPERLESS_DBUSER: paperless
+ PAPERLESS_DBPASS: "{{ paperless_db_password }}"
+ PAPERLESS_CONSUMPTION_DIR: /nextcloud/data/pim/files/paperless-ngx/consumption/
+ PAPERLESS_DATA_DIR: /data/
+ PAPERLESS_MEDIA_ROOT: /data/
+ PAPERLESS_CONSUMER_POLLING: 10
+ PAPERLESS_OCR_LANGUAGES: nld eng
+ PAPERLESS_URL: https://paperless.kun.is
+ PAPERLESS_TIME_ZONE: Europe/Amsterdam
+ PAPERLESS_OCR_LANGUAGE: nld
+ PAPERLESS_SECRET_KEY: "{{ paperless_secret_key }}"
+ USERMAP_UID: "33"
+ USERMAP_GID: "33"
+ deploy:
+ labels:
+ - traefik.enable=true
+ - traefik.http.routers.paperless-ngx.entrypoints=websecure
+ - traefik.http.routers.paperless-ngx.rule=Host(`paperless.kun.is`)
+ - traefik.http.routers.paperless-ngx.tls=true
+ - traefik.http.routers.paperless-ngx.tls.certresolver=letsencrypt
+ - traefik.http.routers.paperless-ngx.service=paperless-ngx
+ - traefik.http.services.paperless-ngx.loadbalancer.server.port=8000
+ - traefik.docker.network=traefik
+ networks:
+ - traefik
+ - paperless-ngx
diff --git a/legacy/projects/docker_swarm/ansible/roles/paperless-ngx/tasks/main.yml b/legacy/projects/docker_swarm/ansible/roles/paperless-ngx/tasks/main.yml
new file mode 100644
index 0000000..24bc81c
--- /dev/null
+++ b/legacy/projects/docker_swarm/ansible/roles/paperless-ngx/tasks/main.yml
@@ -0,0 +1,5 @@
+- name: Deploy Docker stack
+ docker_stack:
+ name: paperless-ngx
+ compose:
+ - "{{ lookup('template', '{{ role_path }}/docker-stack.yml.j2') | from_yaml }}"
diff --git a/legacy/projects/docker_swarm/ansible/roles/paperless-ngx/vars/main.yml b/legacy/projects/docker_swarm/ansible/roles/paperless-ngx/vars/main.yml
new file mode 100644
index 0000000..179c8e1
--- /dev/null
+++ b/legacy/projects/docker_swarm/ansible/roles/paperless-ngx/vars/main.yml
@@ -0,0 +1,14 @@
+paperless_secret_key: !vault |
+ $ANSIBLE_VAULT;1.1;AES256
+ 63306337643736303137376130613866353330633632633233376463626366316562623836613065
+ 6337353539323238643739323964613464666163333161350a323532333239303161383164616535
+ 38343534663664356131653838626139653838393437633461333035323933356262366232643635
+ 6165373765653132360a346132653262316232306237336337393861646466613831323837636138
+ 61373633653562363636373835656665643537313864313266626638343063643039
+paperless_db_password: !vault |
+ $ANSIBLE_VAULT;1.1;AES256
+ 66366431303231626232303861383735373733373035663864326235623731643561336333626536
+ 6135316437376361656636386337373637343237613139640a393232373136323466363465393562
+ 61383963353931353931306261366566656264303034373936336539346337316639626538616661
+ 6438383134366333360a616538373533373533326264666463396666353532333864343832333239
+ 62343237653431633030366230373137343564313334363736363232346238646361
diff --git a/nixos/modules/backups.nix b/nixos/modules/backups.nix
index a10a790..b7d0a63 100644
--- a/nixos/modules/backups.nix
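Review bot: The `nextcloud` volume in docker-stack.yml.j2 mounts the whole Nextcloud data export (`:/mnt/data/nfs/nextcloud/data`) read-write into the `webserver` container, although the only path the service is configured to read from it is `PAPERLESS_CONSUMPTION_DIR` (`/nextcloud/data/pim/files/paperless-ngx/consumption/`). Paperless parses and OCRs whatever lands in that directory, so a flaw in that pipeline would expose everything under the Nextcloud data directory rather than one inbox folder. I would narrow the mount to the consumption directory, e.g. `device: ":/mnt/data/nfs/nextcloud/data/data/pim/files/paperless-ngx/consumption"` with `target` and `PAPERLESS_CONSUMPTION_DIR` adjusted to match. This assumes the NFS export permits mounting that subdirectory; the export options are not visible in this diff.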
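Review bot: The `compose` argument in tasks/main.yml carries the fully rendered stack, including `PAPERLESS_DBPASS` and `PAPERLESS_SECRET_KEY` decrypted from the vault, so the plaintext values can end up in verbose task output or logged module arguments. Adding `no_log: true` to the task keeps them out of logs, and a comment such as `# rendered compose contains vault secrets` would explain why it is there. The nested `'{{ role_path }}/docker-stack.yml.j2'` inside the outer expression is also better written as `role_path ~ '/docker-stack.yml.j2'`, since moustaches inside a Jinja expression are discouraged by Ansible.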
+++ b/nixos/modules/backups.nix @@ -37,6 +37,11 @@ let username: hedgedoc password: ''${HEDGEDOC_DATABASE_PASSWORD} format: tar + - name: paperless + hostname: lewis.dmz + username: paperless + password: ''${PAPERLESS_DATABASE_PASSWORD} + format: tar ''; }; in diff --git a/nixos/modules/data-sharing.nix b/nixos/modules/data-sharing.nix index 566260e..772a9a5 100644 --- a/nixos/modules/data-sharing.nix +++ b/nixos/modules/data-sharing.nix @@ -13,6 +13,8 @@ let "/forgejo" "/kitchenowl/data" "/syncthing/config" + "/paperless-ngx/data" + "/paperless-ngx/redisdata" ]; nfsExports = lib.strings.concatLines ( builtins.map @@ -73,6 +75,7 @@ in authentication = '' host nextcloud nextcloud all md5 host hedgedoc hedgedoc all md5 + host paperless paperless all md5 ''; }; }; diff --git a/nixos/secrets/database_passwords.env.age b/nixos/secrets/database_passwords.env.age index 0deb2ed..89f0254 100644 --- a/nixos/secrets/database_passwords.env.age +++ b/nixos/secrets/database_passwords.env.age 
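Review bot: In the second hunk of data-sharing.nix (`@@ -73,6 +75,7 @@`), the added `host paperless paperless all md5` rule accepts connections for the `paperless` role from any source address, and `md5` is the weaker of PostgreSQL's password methods. It follows the two existing entries, so the tightening is worth applying to all three: limit the address column to the network the Swarm nodes use, e.g. `host paperless paperless <swarm-subnet-cidr> scram-sha-256`. Moving to `scram-sha-256` requires the stored password hashes to be SCRAM hashes first (`password_encryption`), which is not visible here. The `authentication` block starts and ends outside the hunk.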
@@ -1,15 +1,16 @@ age-encryption.org/v1 --> ssh-ed25519 UwNSRQ 4tVNE9qMbAvdgvUV/lllntSWjschSe3gY8nknp1DgQk -8nQh/bM1tkSyPd0j5Tn9DeUT6V4p8Fdk3GiGZUwoBwk --> ssh-ed25519 JJ7S4A QHRi+zGVWfa6+l/gpUC1SyCSrDjMRk89MAYUVmdINWQ -RstWCyCv2sSQCqgcFT6Djza7gkztlFf3af1EvNQTg6k --> ssh-ed25519 aqswPA BSwMu/VwsKqpHaqWbP7TNVE3kNWeGV1xdj2AhIhJOQE -1QwREnDoFi5UTd20dAbJEVeA9lp3R6746PTAyF5KRqQ --> ssh-ed25519 LAPUww zFWdRmb38deepDWtFIlQYFA205jKrM6T4iU6nURnBU4 -gxA0pT9DKQMXMSJjQ+fFp7K6rhwHx90pXwFcBuc1ptI --> ssh-ed25519 vBZj5g uYJyvL//qPFg1QXgvacb+0Z0+4NMTXCg5dddlVDJJDQ -2DqHQ6FIw8oCXbkZPl5fLmUVmXzBMLe9wFJsPSEDoZQ --> ssh-ed25519 QP0PgA +CHjn/rPhNrsXSVMFgoyhSdhn8k6BWS58XSDwjipi0U -DGVkPVEMzPZDRPygjIxX4VWv9wbknmrMXFMAXnWVI1Q ---- GZXaTJpDKi0WIHeOzamI/MygV50iPVV94UFyqPMd1GA -%XQcZXZ\i#_ {LfOcEs"G:M D}{\.ن ~6 ,|Cv0*Rr74{usZ=s}YH:Zޅ&(vRMkq_PEKM"?k\֗ZP \ No newline at end of file +-> ssh-ed25519 UwNSRQ XKuX/onJklTJ1ws0svIwJy1PZN1MHsf5+N3z7XGvCyY +JkyemSdV/ZcbjWLrwYLhKCE4Ln2seLR0WyYXGMepgBw +-> ssh-ed25519 JJ7S4A 9wzkTABOPcmTG7LNWvZa7dKG0Ingf+KDckZ1tL2c3QQ +IkxcStI4kwXkWj+j3PWl7FdyoVMVsiH9SZBnyffbcYQ +-> ssh-ed25519 aqswPA 3i/v1qWLseD+FrPrnAXtSoK98a6Nrb3XrHinp2QPTn0 +RxuPM1oICEoF5oZAyQlCm+fOivI9sfZenZSlOGBIZK8 +-> ssh-ed25519 LAPUww MkvAMN/fZiV66+ub4Q/CDTIxJ3N3cMWBT0SQajespR0 +uh6SGtxR3BvsU/fTTTOnsNXD+bHNYMhTAFoc3QUtMr8 +-> ssh-ed25519 vBZj5g Jiu1sEmlws4eFPriuL2oS99Q9tFCyf4Zkv/khLONvT0 +cLLHcvmIb1Nb7eVmKJyYdvfulgbcZ73N0x6GWyKeJPs +-> ssh-ed25519 QP0PgA A1Raf1CiVJ5tnJXRIeS0VpCUNX/iYNzGozQxApY9KGM +998c6IZfPNW8uMttkK8xGp1hgKXBcrwuBOgOpXWPCu8 +--- /Qv6sfhphlYb9WtWdmPt6RZJPHxBO4jCSgauazsHIt8 +1kYiL7-}`NVoC'ۧh[vDUpv~e0y2`ݐƱѥ8/ +MEЎhsq| kت<Ӱ+9e0󟑸;)?IL-JYgpk+HR5ۥp:8o1zs`_MSQ;Q_o] \ No newline at end of file