diff --git a/hosts/cyper-controller/smb.nix b/hosts/cyper-controller/smb.nix
index 71ab463..9cbb4d9 100644
--- a/hosts/cyper-controller/smb.nix
+++ b/hosts/cyper-controller/smb.nix
@@ -59,6 +59,18 @@
 "valid users" = primaryUser;
 "force user" = primaryUser;
 };
+
+ paperless-consume = {
+ "path" = "/storage/fast/paperless/consume";
+ "comment" = "Paperless incoming documents";
+ "browseable" = "yes";
+ "read only" = "no";
+ "valid users" = primaryUser;
+ "create mask" = "0664";
+ "directory mask" = "0775";
+ "force user" = "paperless";
+ "force group" = "paperless";
+ };
 };
 };
diff --git a/nixos/roles/paperless-ngx.nix b/nixos/roles/paperless-ngx.nix
index ee3e22d..e7bf250 100644
--- a/nixos/roles/paperless-ngx.nix
+++ b/nixos/roles/paperless-ngx.nix
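Review bot: In hosts/cyper-controller/smb.nix the new `paperless-consume` share can leave every uploaded document readable by all local accounts, because `"create mask" = "0664"` and `"directory mask" = "0775"` keep the other-read bits even though `force user`/`force group` already make `paperless` the owner. Incoming scans are usually sensitive and only the Paperless consumer needs to read them, so I would tighten the two lines to `"create mask" = "0660";` and `"directory mask" = "0770";`. The enclosing shares attribute set and any global Samba settings start outside the hunk, so host or interface restrictions for this writable share cannot be confirmed from here.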
@@ -1,39 +1,49 @@
-{ pkgs, ... }:
+{ config, ... }:
 {
- services = {
- paperless = {
- enable = true;
- package = pkgs.paperless-ngx;
- address = "0.0.0.0";
- port = 28101;
- settings = {
- PAPERLESS_USE_X_FORWARDED_HOST = "true";
- PAPERLESS_USE_X_FORWARDED_PORT = "true";
- PAPERLESS_ALLOWED_HOSTS = "ngx.cyperpunk.de,100.109.179.25,localhost";
- PAPERLESS_CSRF_TRUSTED_ORIGINS = [
- "https://ngx.cyperpunk.de"
- "http://100.109.179.25:28101"
- ];
- PAPERLESS_OCR_LANGUAGE = "deu+eng";
- PAPERLESS_CONSUMPTION_DIR = "/var/lib/paperless/consume";
- PAPERLESS_URL = "https://ngx.cyperpunk.de";
- };
+ sops.secrets.paperless_admin = {
+ owner = "paperless";
+ };
+ services.paperless = {
+ enable = true;
+ address = "0.0.0.0";
+ port = 28101;
+ domain = "ngx.cyperpunk.de";
+ consumptionDir = "/var/lib/paperless/consume";
+ dataDir = "/storage/fast/paperless";
+ configureTika = true;
+ passwordFile = config.sops.secrets.paperless_admin.path;
+ settings = {
+ PAPERLESS_USE_X_FORWARDED_HOST = true;
+ PAPERLESS_USE_X_FORWARDED_PORT = true;
+ PAPERLESS_ALLOWED_HOSTS = "ngx.cyperpunk.de,100.109.179.25,localhost";
+ PAPERLESS_CSRF_TRUSTED_ORIGINS = [
+ "https://ngx.cyperpunk.de"
+ "http://100.109.179.25:28101"
+ ];
+ PAPERLESS_OCR_LANGUAGE = "deu+eng";
+ };
- exporter = {
- enable = true;
- };
+ exporter = {
+ enable = true;
+ directory = "/storage/backup/paperless";
 };
 };
 users.users.paperless.extraGroups = [ "users" ];
- systemd.tmpfiles.rules = [
- "d /storage/internal/paperless 0775 root users -"
- "z /storage/internal/paperless 0775 root users -"
- ];
+ systemd = {
+ tmpfiles.rules = [
+ "d /storage/fast/paperless 0775 paperless paperless -"
+ "d /storage/fast/paperless/media 0775 paperless paperless -"
+ "d /storage/fast/paperless/consume 0775 paperless paperless -"
+ "d /storage/backup/paperless 0775 root users -"
+ ];
- networking.firewall.allowedTCPPorts = [
- 28101
- ];
+ services.paperless-scheduler = {
+ after = [ "systemd-tmpfiles-setup.service" ];
+ requires = [ "systemd-tmpfiles-setup.service" ];
+ };
+ };
+ networking.firewall.allowedTCPPorts = [ 28101 ];
 }
diff --git a/secrets/secrets.yaml b/secrets/secrets.yaml
index 00081f3..0a044df 100644
--- a/secrets/secrets.yaml
+++ b/secrets/secrets.yaml
@@ -7,6 +7,7 @@ matrix_registration_secret: ENC[AES256_GCM,data:KhKkJZqwE8xk4/tuQ7NYTv/Ot1qCAiy8 vaultwarden_admin_token: ENC[AES256_GCM,data:yoBs4CaIEJXB5b3PEwTpXFgxpX39hR9A4r9yamwDV7cTSRRp3n3O2VjDKTcI5Vo6RP2QUjcqUqYf98cZ09wDMc+6+oHHJke7+O0FgRgOC0vOQFs4bfZCBJBLxogrGiwtLGkyykR6VYhrT64AN3CbrXflj82OED2Hl8WwEdruBzGIcfnh6FqQowDx6vDR/kXXJHk=,iv:PJQo5V7FaKPQ+GzZNsy3KB+xyjcDKJ1UBHErrqgn/1U=,tag:BRIDJEDOAeToqio/DHMQaA==,type:str] flame_phil_password: ENC[AES256_GCM,data:Xy2ixMeRlnzC2gjKGrjfSbz/ee4=,iv:WFuBS8jn7WYRxEDG3XBzCMnm4eNkHQpSs5+GUwq/dcg=,tag:1zzj0eB9/4KrmYAqcxJMlg==,type:str] flame_calvin_password: ENC[AES256_GCM,data:P5ppyqTjAJ1TL4hXtx5WyoS9a+g=,iv:sq98P3Oqud2FXfqsD76YS/p5NEF2xlN0MfG+ukCB9B0=,tag:AeKnu4Hg4xQ3tII0y6oNpQ==,type:str] +paperless_admin: ENC[AES256_GCM,data:sVvlMQ3dDE2XsDfpwpCTbzPCEKdUMNTFtRXDIuBbgyf1gd6oiJzE23Ytc57plNUGg5h5aEtgxZ7NXeuK5vrhQw==,iv:x+QNAzY9k9t23UYlM9GcAke0urEA5jlV0VzHaBQkm7M=,tag:D/bMtjuwrX6pquZfJLwdkQ==,type:str] gitea: dbPassword: ENC[AES256_GCM,data:S6VvRgkdYk1AzXljyQEEq68UJ9zrFy6+INBMIAspXNcqcM6o+es19o0mcXA=,iv:/pHYpkZZq+9Md+75uSCb2YXfSvaDzUh6mMfH53wb7eg=,tag:ZnbyCQwrK2JnbO5HFqgJYw==,type:str] internalToken: ENC[AES256_GCM,data:7N8TkPNb1YdCk2uAcCvVd2pKRVOf85//DYxAvz0UCg1E8ccEI5630xVyKafDFiSTM4ER7xiYelartzXL0jLWSf3QNOjSHUP8TIAz4bJRAZUJPxO917bURSLGGe7WEOfONzqy3Ts5QhrJ,iv:DiIs1ytlwLvqD/Ejep6m2fmpSqdFZkxBcgLNt6+29jY=,tag:8jsEcOkH0p+1mP9cnVjiDQ==,type:str]
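Review bot: In nixos/roles/paperless-ngx.nix, `consumptionDir` still points at `/var/lib/paperless/consume`, while the tmpfiles rule in the same hunk and the `paperless-consume` Samba share added in smb.nix both use `/storage/fast/paperless/consume`, so files dropped on the share would land in a directory Paperless does not watch. I would set `consumptionDir = "/storage/fast/paperless/consume";`, or drop the line if the module default is derived from `dataDir`, which is not visible here. Separately, the tmpfiles rules create the data, media, consume and backup directories with mode `0775`, which leaves stored documents and the exporter output under `/storage/backup/paperless` traversable and readable by every local account; `0750`, or `0770` where group write is needed, looks sufficient.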
@@ -25,7 +26,7 @@ sops: N3I5dzUwc3JtYzczMUhyT04vSHlZamMKT+FzYcDLmlEFYxm/XoBpJb8XaZzBH1v9 6fuez+zApathZfl14w41kAUojPWBznnxDqYtNvzVVLXwnpp3BMx+7w== -----END AGE ENCRYPTED FILE----- - lastmodified: "2026-04-28T20:24:56Z" - mac: ENC[AES256_GCM,data:ckUMW2VucN8foLbSk8iKBHOtIOSFi0eOy4d0unLlJZpaKEFO91UofHN00Gh+sfw3jG0VNRWGUhAGxQC+di4LFbITlODPkWOzY10FMAES5FSQVyKkW9gnQY/BGbHlDX63iwZ9FLQEbCg4LSVA1emVlCmZ5QEYy5bBH7LddNdnEbo=,iv:u9akYdHujAuFoSAv0Q7rcsSAn5PJZhBhkKjrBWn0XBg=,tag:GvN2Kgi2+5bTZ7t/tZASRw==,type:str] + lastmodified: "2026-04-28T20:56:41Z" + mac: ENC[AES256_GCM,data:7LzlnFm2R7YFtZ2Nei/uOG2G/VSGcN3KQtTZSUM+TKvPXgCcFXa/ZF8u4WtoXSJOiVTJ9gQ2wvtKjW8OPtd4ALGId33dM4fapB9fl3LTF9hgVpu01s5kIkYKPf1bRZ8vpsFzMUoPDUHXgIlTgobf9dTxeyu6utBrM9+7AHCQxV4=,iv:LYgDr+10bXmk9Jg0oyvfr3jty4Y7GeFDuUMkjsXYzXs=,tag:/553lafJUjOdUrljLYd2Wg==,type:str] unencrypted_suffix: _unencrypted version: 3.12.2