diff --git a/hosts/stratus/containers/default.nix b/hosts/stratus/containers/default.nix new file mode 100644 index 0000000..0a9119d --- /dev/null +++ b/hosts/stratus/containers/default.nix @@ -0,0 +1,15 @@ +{ + networking.useNetworkd = true; + systemd.network = { + enable = true; + networks."40-eno1" = { + matchConfig.Name = "eno1"; + networkConfig.DHCP = "yes"; + }; + }; + + imports = [ + ./nextcloud + ./paperless + ]; +} diff --git a/hosts/stratus/containers/nextcloud/default.nix b/hosts/stratus/containers/nextcloud/default.nix index 0d7abbf..57da011 100644 --- a/hosts/stratus/containers/nextcloud/default.nix +++ b/hosts/stratus/containers/nextcloud/default.nix @@ -7,26 +7,21 @@ }; systemd.tmpfiles.rules = [ - "d /var/lib/tailscale-nextcloud - - -" "d /data/nextcloud - - -" + "d /var/lib/tailscale-nextcloud - - -" ]; - networking.useNetworkd = true; - systemd.network = { - enable = true; - networks."40-eno1" = { - matchConfig.Name = "eno1"; - networkConfig.DHCP = "yes"; - }; - }; - containers.nextcloud = { autoStart = true; ephemeral = true; macvlans = [ "eno1" ]; + bindMounts = { + # Secrets "/run/secrets/nextcloud".isReadOnly = false; "/run/secrets/tailscale-auth-key" = { }; + + # State "/data/nextcloud".isReadOnly = false; "/var/lib/tailscale" = { hostPath = "/var/lib/tailscale-nextcloud"; @@ -41,7 +36,7 @@ { domain, ... }: { system.stateVersion = "24.05"; - + networking = { inherit domain; useNetworkd = true; diff --git a/hosts/stratus/containers/nextcloud/tailscale.nix b/hosts/stratus/containers/nextcloud/tailscale.nix index 3f26dd4..2eb0f10 100644 --- a/hosts/stratus/containers/nextcloud/tailscale.nix +++ b/hosts/stratus/containers/nextcloud/tailscale.nix @@ -9,6 +9,7 @@ enable = true; authKeyFile = "/run/secrets/tailscale-auth-key"; useRoutingFeatures = "server"; + openFirewall = true; interfaceName = "userspace-networking"; extraUpFlags = [ "--ssh" ]; }; 
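Review bot: `"/run/secrets/nextcloud".isReadOnly = false;` keeps the host's nextcloud secrets directory writable from inside the container, while the paperless container added in the same series mounts its secret with the read-only default (`"/run/secrets/paperless-admin-password" = { };`); unless a process in the nextcloud container really writes into that directory, the read-only default is the safer choice: `"/run/secrets/nextcloud" = { };`. If the writable mount is needed (for example a setup step that chowns the password file), a one-line comment next to it saying so would stop the next reviewer from flipping it. The `containers.nextcloud` set and its `bindMounts` continue past the end of this hunk.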
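Review bot: `openFirewall = true;` only opens tailscaled's UDP port in the container firewall, which is fine, but the neighbouring `useRoutingFeatures = "server";` also, as I read the NixOS module, switches on kernel IP forwarding inside a container that sits directly on the LAN via a macvlan and runs tailscaled in `userspace-networking` mode; nothing in this file advertises routes or an exit node, so the forwarding looks unneeded. Unless this container is meant to route for the tailnet, dropping that line (the option defaults to `"none"`) removes an unnecessary widening, and if it is intended, a comment stating which routes it serves would document why. The `services.tailscale` attribute set opens before the start of this hunk.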
diff --git a/hosts/stratus/containers/paperless/default.nix b/hosts/stratus/containers/paperless/default.nix
new file mode 100644
index 0000000..0442797
--- /dev/null
+++ b/hosts/stratus/containers/paperless/default.nix
@@ -0,0 +1,60 @@
+{ config, ... }:
+{
+ sops.secrets = {
+ "paperless-admin-password" = { };
+ tailscale-auth-key = { };
+ };
+
+ systemd.tmpfiles.rules = [
+ "d /data/paperless - - -"
+ "d /var/lib/tailscale-paperless - - -"
+ ];
+
+ containers.paperless = {
+ autoStart = true;
+ ephemeral = true;
+ macvlans = [ "eno1" ];
+
+ bindMounts = {
+ # Secrets
+ "/run/secrets/paperless-admin-password" = { };
+ "/run/secrets/tailscale-auth-key" = { };
+
+ # State
+ "/data/paperless".isReadOnly = false;
+ "/var/lib/tailscale" = {
+ hostPath = "/var/lib/tailscale-paperless";
+ isReadOnly = false;
+ };
+ };
+
+ specialArgs = {
+ inherit (config.networking) domain;
+ };
+ config =
+ { domain, ... }:
+ {
+ system.stateVersion = "24.05";
+
+ networking = {
+ inherit domain;
+ useNetworkd = true;
+ useHostResolvConf = false;
+ };
+ systemd.network = {
+ enable = true;
+ networks."40-mv-eno1" = {
+ matchConfig.Name = "mv-eno1";
+ address = [ "192.168.2.253/24" ];
+ networkConfig.DHCP = "yes";
+ dhcpV4Config.ClientIdentifier = "mac";
+ };
+ };
+
+ imports = [
+ ./paperless.nix
+ ./tailscale.nix
+ ];
+ };
+ };
+}
diff --git a/hosts/stratus/containers/paperless/paperless.nix b/hosts/stratus/containers/paperless/paperless.nix
new file mode 100644
index 0000000..f9d0d72
--- /dev/null
+++ b/hosts/stratus/containers/paperless/paperless.nix
@@ -0,0 +1,8 @@
+{
+ services.paperless = {
+ enable = true;
+ dataDir = "/data/paperless";
+ passwordFile = "/run/secrets/paperless-admin-password";
+ settings.PAPERLESS_OCR_LANGUAGE = "deu+eng";
+ };
+}
diff --git a/hosts/stratus/containers/paperless/tailscale.nix b/hosts/stratus/containers/paperless/tailscale.nix
new file mode 100644
index 0000000..152bf80
--- /dev/null
+++ b/hosts/stratus/containers/paperless/tailscale.nix
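Review bot: Both containers now bind-mount the same host secret `/run/secrets/tailscale-auth-key` (the nextcloud container does so in the sibling file), so one credential enrols two nodes; if that key is single-use the second node fails to join once the first has consumed it, and if it is reusable, revoking or rotating it for one container silently affects the other. A per-container tagged key — e.g. a `tailscale-auth-key-paperless` entry in `secrets.yaml`, declared as `sops.secrets.tailscale-auth-key-paperless = { };` and mounted in place of the shared one — keeps blast radius and rotation scoped to the node. Separately, nothing in this hunk sets `owner`/`mode` on `paperless-admin-password`, so it gets sops-nix's default (root-owned, presumably 0400) and is then read via `passwordFile` inside the container; worth confirming the paperless unit can actually open it rather than discovering that on first boot.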
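Review bot: Paperless is going to be reached through `tailscale serve` over HTTPS at the container's FQDN (per the sibling tailscale.nix), but nothing here tells Paperless its public origin, and Django's CSRF origin check is likely to reject logins and form posts arriving through the proxy unless `PAPERLESS_URL` (or `PAPERLESS_CSRF_TRUSTED_ORIGINS`) names that origin. Suggested: change the header to `{ config, ... }:` and add `settings.PAPERLESS_URL = "https://${config.networking.fqdn}";` next to the OCR setting. Since the module's default listen address is what keeps the service off the macvlan interface, a one-line comment stating that the only intended path in is tailscale serve would make that dependency explicit.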
@@ -0,0 +1,31 @@ +{ + config, + pkgs, + lib, + ... +}: +{ + services.tailscale = { + enable = true; + authKeyFile = "/run/secrets/tailscale-auth-key"; + useRoutingFeatures = "server"; + openFirewall = true; + interfaceName = "userspace-networking"; + extraUpFlags = [ "--ssh" ]; + }; + + systemd.services.nextcloud-serve = { + after = [ + "tailscaled.service" + "tailscaled-autoconnect.service" + ]; + wants = [ "tailscaled.service" ]; + wantedBy = [ "multi-user.target" ]; + serviceConfig.Type = "oneshot"; + script = '' + ${lib.getExe pkgs.tailscale} cert ${config.networking.fqdn} + ${lib.getExe pkgs.tailscale} serve reset + ${lib.getExe pkgs.tailscale} serve --bg 28981 + ''; + }; +} diff --git a/hosts/stratus/default.nix b/hosts/stratus/default.nix index 2ce4d13..5b78e89 100644 --- a/hosts/stratus/default.nix +++ b/hosts/stratus/default.nix @@ -3,8 +3,7 @@ ../common.nix ./hardware.nix ./disko.nix - - ./containers/nextcloud + ./containers ]; system.stateVersion = "24.05"; diff --git a/hosts/stratus/secrets.yaml b/hosts/stratus/secrets.yaml index 88481c2..073eaf8 100644 --- a/hosts/stratus/secrets.yaml +++ b/hosts/stratus/secrets.yaml @@ -3,6 +3,7 @@ tailscale-auth-key: ENC[AES256_GCM,data:zKjJsG23GYrAIAoTe9pRI/b9w6JPB/0EDrdtspQq nextcloud: admin-password: ENC[AES256_GCM,data:+gNp7oDzLk2gxalEtj8R0FWW3Jwvr1PzWo7+iZj0,iv:zZjwG+Z1KyrZN/i/rSg5LZ0lnQGBhxlAaREgKUCxco8=,tag:kBQjz1ISX5Gh9LeUfO4KdQ==,type:str] gmail-password: ENC[AES256_GCM,data:lbdSZPEmXx1zU0fdaXHle9by9rk=,iv:SSN379SVvonVQjEpopFe8O6tY30k1l9YxKPB6a+xo6U=,tag:jiWy3b16i0zXTyaOhY+5Vw==,type:str] +paperless-admin-password: ENC[AES256_GCM,data:xBk3n5czMwuf0I7kU2WkTExJnw8=,iv:4Fegh3sogB1ga+zdBBlWdpsAgQmqmhZoun/ShfHISGk=,tag:s7U4gQK3E5mh3Rd0DAMEqA==,type:str] sops: kms: [] gcp_kms: [] 
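Review bot: The unit that publishes paperless is named `nextcloud-serve` (`systemd.services.nextcloud-serve = {`), a copy-paste leftover that will mislead anyone reading `systemctl` or journal output inside the paperless container; rename it to `systemd.services.paperless-serve = {`. The ordering is also incomplete: the unit is `after` `tailscaled-autoconnect.service` but only `wants` `tailscaled.service`, so it relies on autoconnect being pulled in elsewhere; adding it to `wants` (`wants = [ "tailscaled.service" "tailscaled-autoconnect.service" ];`) makes the login-before-`cert`/`serve` dependency explicit. Finally, `extraUpFlags = [ "--ssh" ]` enables Tailscale SSH into this container for whoever the tailnet ACLs permit; if that is meant only for debugging, a comment saying so (and a matching ACL) would help, otherwise it is simpler to drop it.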
@@ -27,8 +28,8 @@ sops: aW00MUpGdXpYam5LYVFUenh2VndzcE0KT6Hfx1CYJFseFaEZxwi4Fds4v1HEFzBo FdSC6pzpZkfXso8EtSftq0lPx10GfJ6GZXYb+bCB2S9ROvUMPYDH3A== -----END AGE ENCRYPTED FILE----- - lastmodified: "2024-08-29T13:58:05Z" - mac: ENC[AES256_GCM,data:E1zrsHL+mVaX6mVuPVw793e5/epoRV06nMguU7CT3v9yeDJ4ftO3dwqBChsR2xcISeIuTMc7W72GS57UMhrY08q/jwAKnR7WiPt6/6iK3TLyAKdOj9q/B8FYVuRu+T5cN5CY7cNE0EK+KAVXUcfNi6KAzt1Mow39cgjfddTMdA4=,iv:+GaMKNQaI4mtg0E5b0Ua0c7+K66/9cIUNkWFTxG6gzY=,tag:NnmL6HKv9J3RuqwH01UyNA==,type:str] + lastmodified: "2024-08-31T15:16:37Z" + mac: ENC[AES256_GCM,data:moMeG8RCInTiMVBHca3Z4XxDT1p/51E/PEUDwTDk7skOYasAfse2VAGAI5c8TlwudrzNICDoKP7ks8KUfruv8WVSd+omUxjmSiO5ZuS7KdW9nu/vvTPwSOfk7wS39+Wt8B+/LNlkECOJeCOKIqiPeShDt0rf0shEOgmtj2jJXD8=,iv:P6hPnhpdr46FHfzZinPwZzDcjaRteSrCQwzGqk6iKc4=,tag:t8qYGxObcLuGIYtFdc3SLw==,type:str] pgp: [] unencrypted_suffix: _unencrypted version: 3.9.0