diff --git a/README.md b/README.md index 26d8da0..1325811 100644 --- a/README.md +++ b/README.md @@ -136,11 +136,9 @@ openssl req -x509 -newkey rsa:4096 -sha256 -days 3650 -nodes \ ```bash -# Recover admin account (server must not be running) -systemctl stop kanidm -kanidmd recover-account -c server.toml admin +# Recover admin account +kanidmd recover-account admin > AhNeQgKkwwEHZ85dxj1GPjx58vWsBU8QsvKSyYwUL7bz57bp -systemctl start kanidm # Login with recovered root account kanidm login --name admin # Generate new credentials for idm_admin account @@ -166,6 +164,15 @@ kanidm system oauth2 update-scope-map web-sentinel web-sentinel-access openid em kanidm system oauth2 update-sup-scope-map web-sentinel web-sentinel-adguardhome-access access_adguardhome kanidm system oauth2 update-sup-scope-map web-sentinel web-sentinel-influxdb-access access_influxdb kanidm system oauth2 show-basic-secret web-sentinel +# Generate new oauth2 app for forgejo +kanidm group create forgejo-access +kanidm group create forgejo-admins +kanidm system oauth2 create forgejo "Forgejo" https://git.${personalDomain} +kanidm system oauth2 update-scope-map forgejo forgejo-access openid email profile +kanidm system oauth2 update-sup-scope-map forgejo forgejo-server-admins server_admin +kanidm system oauth2 update-sup-scope-map forgejo forgejo-admins admin +kanidm system oauth2 update-sup-scope-map forgejo forgejo-editors editor +kanidm system oauth2 show-basic-secret forgejo # Add new user kanidm login --name idm_admin kanidm person create myuser "My User" diff --git a/hosts/ward/default.nix b/hosts/ward/default.nix index 96b6b8f..ca4c016 100644 --- a/hosts/ward/default.nix +++ b/hosts/ward/default.nix @@ -59,8 +59,16 @@ ]; }; in - lib.genAttrs - ["kanidm" "grafana" "loki" "vaultwarden" "adguardhome" "influxdb" "forgejo"] + lib.genAttrs [ + "adguardhome" + "forgejo" + "grafana" + "influxdb" + "kanidm" + "loki" + "paperless" + "vaultwarden" + ] defaultConfig; #ddclient = defineVm; 
diff --git a/hosts/ward/microvms/paperless.nix b/hosts/ward/microvms/paperless.nix
new file mode 100644
index 0000000..4d33984
--- /dev/null
+++ b/hosts/ward/microvms/paperless.nix
@@ -0,0 +1,73 @@
+{
+ config,
+ lib,
+ nodes,
+ utils,
+ ...
+}: let
+ sentinelCfg = nodes.sentinel.config;
+ paperlessDomain = "paperless.${sentinelCfg.repo.secrets.local.personalDomain}";
+in {
+ microvm.mem = 1024 * 12;
+ # XXX: increase once real hardware is used
+ microvm.vcpu = 4;
+
+ meta.wireguard-proxy.sentinel.allowedTCPPorts = [
+ config.services.paperless.port
+ ];
+
+ age.secrets.paperless-admin-password = {
+ rekeyFile = config.node.secretsDir + "/paperless-admin-password.age";
+ generator.script = "alnum";
+ mode = "440";
+ group = "paperless";
+ };
+
+ nodes.sentinel = {
+ networking.providedDomains.paperless = paperlessDomain;
+
+ services.nginx = {
+ upstreams.paperless = {
+ servers."${config.services.paperless.address}:${toString config.services.paperless.port}" = {};
+ extraConfig = ''
+ zone paperless 64k;
+ keepalive 2;
+ '';
+ };
+ virtualHosts.${paperlessDomain} = {
+ forceSSL = true;
+ useACMEWildcardHost = true;
+ extraConfig = ''
+ client_max_body_size 512M;
+ '';
+ locations."/" = {
+ proxyPass = "http://paperless";
+ proxyWebsockets = true;
+ X-Frame-Options = "SAMEORIGIN";
+ };
+ };
+ };
+ };
+
+ services.paperless = {
+ enable = true;
+ address = config.meta.wireguard.proxy-sentinel.ipv4;
+ passwordFile = config.age.secrets.paperless-admin-password.path;
+ extraConfig = {
+ PAPERLESS_URL = "https://${paperlessDomain}";
+ PAPERLESS_CONSUMER_ENABLE_ASN_BARCODE = true;
+ PAPERLESS_FILENAME_FORMAT = "{created_year}-{created_month}-{created_day}_{asn}_{title}";
+ #PAPERLESS_IGNORE_DATES = concatStringsSep "," ignoreDates;
+ PAPERLESS_NUMBER_OF_SUGGESTED_DATES = 4;
+ PAPERLESS_OCR_LANGUAGE = "deu+eng";
+ PAPERLESS_TASK_WORKERS = 4;
+ PAPERLESS_WEBSERVER_WORKERS = 4;
+ };
+ };
+
+ #systemd.services.paperless = {
+ # after = ["sys-subsystem-net-devices-${utils.escapeSystemdPath "proxy-sentinel"}.device"];
+ # serviceConfig.StateDirectory = lib.mkForce "paperless";
+ # serviceConfig.RestartSec = "600"; # Retry every 10 minutes
+ #};
+}
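Review bot: `X-Frame-Options = "SAMEORIGIN";` inside `locations."/"` is not an option the upstream NixOS nginx module declares for a location, so unless a module in this repository adds it (the file already relies on custom options such as `useACMEWildcardHost`), evaluating the sentinel configuration fails with an undefined-option error rather than emitting the header; the standard form is `extraConfig = ''add_header X-Frame-Options "SAMEORIGIN" always;'';` on that location, or alongside `client_max_body_size` on the virtualHost. Separately, the commented-out `systemd.services.paperless` block at the end is the only use of the `utils` and `lib` arguments; either resolve it (the `after` dependency on the proxy-sentinel device looks relevant because `services.paperless.address` binds to that interface's address, though whether the service needs it cannot be confirmed from this file) or delete it together with the now-unused arguments. A one-line comment on `age.secrets.paperless-admin-password` noting that it is consumed as `services.paperless.passwordFile`, and why `mode = "440"` with `group = "paperless"` is sufficient, would make the secret's exposure easier to audit.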
diff --git a/hosts/ward/secrets/paperless/host.pub b/hosts/ward/secrets/paperless/host.pub new file mode 100644 index 0000000..e099a60 --- /dev/null +++ b/hosts/ward/secrets/paperless/host.pub @@ -0,0 +1 @@ +ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKCpvF0FjDWj1a2fE+3VuMV9naHIJIAufxYEScxM7s0B diff --git a/hosts/ward/secrets/paperless/paperless-admin-password.age b/hosts/ward/secrets/paperless/paperless-admin-password.age new file mode 100644 index 0000000..7c247e7 --- /dev/null +++ b/hosts/ward/secrets/paperless/paperless-admin-password.age @@ -0,0 +1,9 @@ +age-encryption.org/v1 +-> X25519 T+p8DC+r5eXbafinXz0AuqaDgyTXzVEk75YCzbzPORg +AocHJ7AtX2NWN7PeLjc6tbaYKW6p793vajC+eBAtA2k +-> piv-p256 xqSe8Q A5oLMFDESd7+zHU0i/DXaiFC/G8OWgW2y8boYRR5NUQ1 +qcIQJlkPhS/ARwzV6ajvnefELmxI4/a6kXnJyjryq5I +-> +8Z-grease o*-Th)vX %TAq +nQRpWbLvit6lC0NV/sZk +--- p4feRTSXzE66RtPi9F/vxSxJv1tlcnYa7OFnt0FyDeI +vh a9/YUS}Z& 'Y7Y=KL,HWtŸ1hf'Mp{E ,d4 \ No newline at end of file diff --git a/hosts/ward/secrets/paperless/telegraf-influxdb-token.age b/hosts/ward/secrets/paperless/telegraf-influxdb-token.age new file mode 100644 index 0000000..b2da0f5 --- /dev/null +++ b/hosts/ward/secrets/paperless/telegraf-influxdb-token.age @@ -0,0 +1,13 @@ +age-encryption.org/v1 +-> X25519 DCVhASEENA4z7QkZIAz+7shz69B3UGfuR4QwV28e3w4 +KcvcVb5PxsRMlA5n35c/4nRLdv7WoIL2bqJn6Ry0tBU +-> piv-p256 xqSe8Q ArDV5TYzLEFhnRxXIY1OMPe4nPE7rtNhsUhU+7J2La3o +SoqSbbPvxlF4uaGSRNKSumajM9aEr2EoHE8PyPr3sMk +-> e\9`z-grease +PtN7lO2jjyBoMojXSiPLmWGgv23uUbzd9TxrAwwDiCcBbW5RL5vvR2HFzc+k+ZVa +RA3xLg5UeIzjsZdkWBezPHX1p7OALN49ZxtJ21fzfDhdUCTfVIKK4mi++At2hEJF +6g +--- FdR7X/jFWv+BhzuO8kpGr8xC3SKgmrwHg4YaHRxnwHE + p 6SDW(YR3s_۪/2g}ܶW?ub +)/ ,{&F-5/u.p \%ɟ4qӉyKQk4W3ˌ +ӈ[t__4y q^/F* \ No newline at end of file diff --git a/modules/config/users.nix b/modules/config/users.nix index f631c8b..aca86c1 100644 --- a/modules/config/users.nix +++ b/modules/config/users.nix 
@@ -24,5 +24,6 @@ telegraf = uidGid 985; rtkit = uidGid 984; gitea = uidGid 983; + redis-paperless = uidGid 982; }; } diff --git a/secrets/generated/sentinel/loki-basic-auth-hashes.age b/secrets/generated/sentinel/loki-basic-auth-hashes.age index b831edc..c00089b 100644 Binary files a/secrets/generated/sentinel/loki-basic-auth-hashes.age and b/secrets/generated/sentinel/loki-basic-auth-hashes.age differ diff --git a/secrets/generated/ward-paperless/promtail-loki-basic-auth-password.age b/secrets/generated/ward-paperless/promtail-loki-basic-auth-password.age new file mode 100644 index 0000000..6087fe8 --- /dev/null +++ b/secrets/generated/ward-paperless/promtail-loki-basic-auth-password.age @@ -0,0 +1,9 @@ +age-encryption.org/v1 +-> X25519 MFMlVVVbu3eYcmxKOR15d8Y1OLKuFGPwpbIpTwaIHX8 +J2IOsGRqErwce89aB7T1rja3SW/017lxm0dirFplG68 +-> piv-p256 xqSe8Q A74Ivea0NjcFql+TgRh3826EDJYwG1s1GHVPclTPsTta +1JjTAroG6lkJKSxhDVm57Jz5lbugDl9UGrnkeRXof3U +-> qBL8W-grease V p MWH1` 3!#Aut=c +q1Q0 +--- 2HAreXSGFKj8uWhpQcmhFFLFhx1KvVIDEkFKI/sfowo +C|7>핧LZ|kjٲPDƐ=9z S9fS[ro)gyc \ No newline at end of file diff --git a/secrets/wireguard/proxy-sentinel/keys/ward-paperless.age b/secrets/wireguard/proxy-sentinel/keys/ward-paperless.age new file mode 100644 index 0000000..98001fe --- /dev/null +++ b/secrets/wireguard/proxy-sentinel/keys/ward-paperless.age @@ -0,0 +1,11 @@ +age-encryption.org/v1 +-> X25519 rUkrb/IJCEqIurde8bsrG1/Ut8GvCrcTkQ+92/dTcTw +DkezFKaJCftcqgmbuPS9MaePqAwp77FtCwzwhbQGDqk +-> piv-p256 xqSe8Q AmL9y2iktPhe13jamhHQ+PiSduEay6yz8GUtJBtb7PJC +FCfyLD4PGk7HXcvMrUtlZIMIVEk3//pCi11l/AW2r6s +-> u-grease 0& y3;s< zMl MG +phIk2ihy5iMBEhI7y0rYbm0+LCcrZSfdQSmdG5TfczSHCGsMtkvgk4N2e5k/lQMO ++KSu9qp2A6bxm54IGUKUhQ +--- iag+JUxptmLfr1nTBuFfqE7cgb9z71c3yLqepf1C8AA +k"[qP@ BR Uթ,9 +}jS>G%D5^J%Wd`)g3A \ No newline at end of file 
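Review bot: Only `redis-paperless` receives a static id here while the `paperless` user and group that the new microvm relies on (`group = "paperless"` on the admin-password secret) are not added in this hunk; if they are not already present in this map above the hunk, they will be allocated dynamically, which is the inconsistency a static uid/gid table exists to prevent. If that is the case, add `paperless = uidGid <next free id>;` next to this entry (placeholder, pick from the project's allocation scheme). The enclosing attribute set starts outside the hunk.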
diff --git a/secrets/wireguard/proxy-sentinel/keys/ward-paperless.pub b/secrets/wireguard/proxy-sentinel/keys/ward-paperless.pub new file mode 100644 index 0000000..79e2af9 --- /dev/null +++ b/secrets/wireguard/proxy-sentinel/keys/ward-paperless.pub @@ -0,0 +1 @@ +bPwKLfoXJUZP04BxbfacyUPp/NLgSqsvA/10Q05onhw= diff --git a/secrets/wireguard/proxy-sentinel/psks/sentinel+ward-paperless.age b/secrets/wireguard/proxy-sentinel/psks/sentinel+ward-paperless.age new file mode 100644 index 0000000..33e38f0 --- /dev/null +++ b/secrets/wireguard/proxy-sentinel/psks/sentinel+ward-paperless.age @@ -0,0 +1,10 @@ +age-encryption.org/v1 +-> X25519 7ZQ55YhLawpfz23LAOUqRDbmLUhr7dL2/ZkUgDD6mBg +Nzh7u4SF5pLg7g9u717hl+wPzXINi+6BroQ2Jqeqb5o +-> piv-p256 xqSe8Q Age9jnlRoiyfCxIXn5vVhiwO7a1HiTZnz9/a+V7qS0YI +fJzHUFYUkGto1WfNcUD8UQsScNPt8d3qRF+sqFGjTts +-> HI@6(W-grease O<2e |P>^1C1 ' +9OgaVkrKDXDkP9BYSzR3/ryEcsFftsHwXMZ8N5H+BVRkIJWjCW190xRilQwX25s +--- yxHWX2gZaxD1Plx6u31Sr4nce1/sHmRcGRghAwbbQfo +;IY6`e%B8;,tByY +Ăb{{ B-"l6S܂Hp5 \ No newline at end of file