From ac36fa13ac447e51b91b2ae1fee59f598d6c19fc Mon Sep 17 00:00:00 2001
From: "Lennart J. Kurzweg (Nx2)" <git@nx2.site>
Date: Mon, 27 Jan 2025 22:18:57 +0100
Subject: [PATCH] paperless update

---
 git-crypt/secrets.nix                | Bin 3512 -> 3490 bytes
 system-modules/nx2site/paperless.nix | 330 ++++++++++++++-------------
 system-modules/nx2site/proxy.nix     |  21 +-
 system-modules/postgres.nix          |   5 +
 4 files changed, 191 insertions(+), 165 deletions(-)
 mode change 100755 => 100644 git-crypt/secrets.nix

diff --git a/git-crypt/secrets.nix b/git-crypt/secrets.nix
old mode 100755
new mode 100644
index d500f2ebb8888408f3b786a9c620ec0d9463a538..c616a1ed376884e9aba07cc13d7496f86fd9a235
GIT binary patch
literal 3490
zcmZQ@_Y83kiVO&0c(XCVyYM&v;Z0M+c@xf0QJ-)xWwr66nSBvbC;D#O{`8@DPHpyy
z!|UgNw#@A=KYC(?mD?r7!YjLSB`<j1j+WTq=o9(uN7v$zgBPEF-?7N=jFDJT%h5y2
zuC?iZT`Fz!)_?zkRHcjWUKlNTJAHAAX21XTm8^N~{d)`csbnu-b2W3`#?}54a=uRg
zabPRoQ_*WRM@y&em%M+nKHSv!iK)|J@jVx|D%DIai+qy*<JOyfv%lOFRm@p*;8^R$
z%!7~2TQ=^|Uel57Us`PPa>}HGQ`(!~PQI17$=u@c@fSV**LEnXd0aPOlmB`uy#J};
zjKI0kn-2;6-^lGeiQD|f9n+QlQ+{SwuAG*!uB?TbQK+%SG)U#n<g4l#{(oJLXa(CE
zzT*@8TKMF1RsYx18|GvlY}@eY9Vd(3)NKocCvE=vt^55`xmm^R48ONm+%*<(%et_~
zeowXU)}^v)r7Q1CznlK%|HrM-`)^Cw%{zJ4A}W=0^Y+fLXsw17=0B=qLM}8hOy93C
ziMfp9E{nfH+8$<hgMY;=_m7A!QP{F)kNu(wxdU07Wxu{xV2X9nZ8@_p^4qT+Qu8Zj
z&bAZem;D{3xc;+%T?4Zvukp>CRelzGLeEvq$Xye~dg1Tf>9KF*rZH+Cx_PX!IO*e`
z*V-EWe?BbqjY-)b@BcWfe@=>3*Xp_YMu*R@pCfThbeYj>w%T-yB-RSO^;agE74sgh
zzhpe+$lLt|8~>Vw8b6GX{x6l1WTfhUE7t4S)VrqZA4rSr@{(J=$8Fs{55dz1Ztgsi
z5Mz{e#r%>*Ue{6EnAi8-zCD-d>B18pz<kJdYU9Ny&$m}jgtWdoR3^*xRca+m!X=)-
zgXwRR1U*ju{}OSdlk<|egDczQka^bfjQ+1SAILhkW=3P*v3>q_2g}OK-UM@h4NQ|_
zm>h9k^xUZwG0A>+CEbq~PyS8e{jRHf_H4{;mdAWo*MuByd;G*I|GoXcXybJ^T$;>h
z$^XCEA}TXoXi5IMn3r>^<_frJq&|8Ybnou6rn?7g0?k`_lIP~6q~y+jD#8>t@qhVc
z&LW<Lb&pr;Z7sHXZ_D{Y^<R<{*YBx;C%@@tuHjREV9z>j)wgHU!sfQEO_6%Ch-uQz
z+RdI9QmUU=?{}Bwnzq?5eUhYBYoPi%;Y67dMX@_!n-6LjKAPR}`<3myuVoLLSi*j9
zHoPVO{Hx|;JHxu>#E8dsu6FjFF7F>tj$pF<S)ZDA@^<Wv3#Q3;zA<0RU|wLF`C(U|
z`)9#>tNwlcCwG@Q^y~MP)^*h;+n235)SSh-`Ek_5|6i{E=9;kY+V{V$y%+o%Ru))H
zH0N_sym+Yf8uz0wim&zVM?~@66^rbj8?G<4_3PtLOS4aS>}R$O@>C40_)@QViDS=1
z5sf77r~ZELAK329VEA%nzWIc|4-7Y55tO(*drGl;!lPh2$2n_R3WS)w?oX~*UK_Fh
zL->XOciwd;pKET{TRZ2#1o7038<cm<O53x=!SmHO{=LuFq;h92oAi+1`bmjSirMqp
zDc5S}?=tLrmg2W+qGx^PwdSant=6So(V;UHJUln@9>@(X|EO3!-OVO+`o55Z;vu(I
zR;*bul}mK7TGH2tVQyM#R~x@E-v4cPe!BRPC%1RJx82^~>Ttg9g5hmNm*aZ2fnIkn
z+<m{<)6O6#;Md!eT%C*9#M(YK1}(MHRe$=)X6>e5=AFR-sW(#t4Sy_q@xnm$CeP2A
z3_cR_t@$cnzVKZ<lHPiF$HY3(1nX$?qXkVS_1P}(0~8-Dyl=ej@vZ$+=O-kwwlAu_
zc=_Jk<SROj3LcY|>n;q)-fbUvZmQRD+4oy#oaA55V!Hh5vRB!snYJnYELeNXPVi~R
z>Sgx%M>^kL%sa;__TE*j?aZO?D+@D4k{Wm(ZTf3;P5H*mJ=?@4imYsiP*5?uy|Gev
z%L=Qlkx%B$%sgP#e01H7!}s+i*4f8?2$!ECQ2+fvdoNpVvhIPY=UTJ*jb4kF^~qk}
z8h`0j5MPLfgyHqz$Xz=AyZqUO<hSQOOn>z8Rq0Lt>fnAI-NF>N)~D?6Ix<|-y4erp
zgs>)V;yk!B_+O;vXH~tOTQ^=2bc-}w?Yz(Gg^THaLCa5HrW<_x_I;LF-DHQ8T?@}y
zA9<8<`{KT^QpKy6{|b0~__{_iX<wO!yRD2yCBOUsRf|QoDYAw<G?0_b6_EGd@qwS^
zZ^wMO5Kp;}6|-JHa#vNJ_WO0Sz{W@CinZ?BM#u{vc30h{y&=lBR$|R9ZPTKAPxY-b
zYSZ1Hns(}oe!5aN+eRt5K<^uq#IfDS&&uzrySeh@|9Xa+^lv!}?9J9#v*|VJKYN#!
zne}LyH}CsIqxCKa3&d`jTi06s2sxWMYw_*VyDxuP#H9JcZ^5f*&Em(l+0GFUa-5A0
zYEM~dsG{&O=;{v3=NlbZ^P1*;e8s)(gilgm!u*{KOvl8U)|ooX$<@YYKR>zS!vfiw
z#3TLuY{6`b1`><^gzx^Jb+2e$R{hH6Fh6eJ1DQ@tuBj1kYQIkm-nw?HwBq}F7Aqc{
zC|`bfvEz1259_~w^mpcM=x5J0*pcD%>-hZ{(JeU}`8LGLSEx<T_{Jf{xH?8M;-%yN
z^X+>$Htc)5t1`JrtL)U}%Rhb}vts%j&VSP3TD9#5-`Dcf7F#uP^SZ1xD2c6lDLFgF
zeT&GigC+t`I+$Kq`&sDa%(CLCyFSI^>7x%b61Vl3h<bU;2}ZFhhptO_XnQdC&?%*m
zx0h`<-!AF<a92noT=wl7<ATiT->0k>|M^@)eMh>_joOIRS&w{Vrf<owD@f`S7WAKB
zeSYU%8|DMWl1a;}ma!JSOP>(oIUy+H<?@T)Pak=ESShvVo%65R2PSYP8VGD^?z?0Y
zvroEqe)(Q5j?FjTWiQF8<7U-su}a9uk4t?tO~3rY2GjIe)dud-f@0!M^G{5k<?YUx
zRW6r)@crtJzVwQ@(`}bI{g>*Uv6la~vv%Zv4YR7Q7ZHCd4<3qIyjU{wx)`%g>9k43
z_g~9?eXVL3%dkUm+S8AR=Oo?{X=i6RTM$w=Q{79d<fHuGj{;KNt#_7mbNy5C%CodN
zJmJ2Wr~i~lOVtc^SBq61&1`*Jk9Yjjnf$m#ul8dCx6<DOJ|<hD44kIqsW19<`DoS$
zy{$E~>k=l_Id|`O$yvVa*>jI2bIv`TcZT)C_3lH;8H+b*RrXJHym$Bhk)V!Bi<Gzv
zPP)>KE${Xz%4}Tw{^rI7M>cU)cAq?>)6uANx`^kqbDWO0!lvctmWdp<Vvwt_4Ew8l
z`q93?x6fm`{;0g&A8}8DjYp>4mdoVaLK)e;ty&8guV7vL*Z3Vv&yL_zdF}U>Rme#u
znr(kt{xdbMq3qFr&S24*JZwn@yLHk!o4BuZzMPyK=^T4Tyz%ea4XsXTJKVk}ZMTxR
zZ+7L<gY`#OO|6_W<@?hzi7)Mm+vVMr7oGd#!N?U_Bv8=v%DB<KhiB(G@fPbJ&5_1l
zml8i`f1Mo6bTLxqY0>m%mQa1W3)f#6_4HS~p7_WyzWu6pSVrQyh{tIwZ=Tkuxw$fU
zTk7-g48h#q=4)<b+c`e*bG9vvEuI`aDY~fW<<g+@Q}ir!KQ&DcXMD9lYq`)4F{OxH
zi^Da&-(%)|_tamzK#1x3mi25G81o+LEMCu*d%AS{v=S8+7PiUn(;lA7GGyGYslCMZ
zWy&1QkCWEQ2suTor#@Ql^iAj7S2N8c-0Vvi2N|F9ty9@9mw(#qJ;M)!LtKvz%$Vfy
zmPbb_ba#h61H(!mC-xuD4~uB;@tEl{p-WZTsyWovYaaXhQ1|K2y*tY9huiWl78c{+
z%-B}_<eG`b`o2O&_Lt9EuW8r|oz{(M&RQ*fAV}kXM7)LEx??9?A6%1LeBRA0Ow8h7
zdGcmmp6biab23gRHU{);;(TD=8Wbq};^)83n^w;b?rZ#$vwO?i_M}iVk>_POuCuSS
z7^}K#FFs?vy<q2?oyIc+clI>+PjXAW@!RuE<>SZBr+??q`=m5??OCQKjemJ8{yyFh
zpX^y7EWTq$f7VLJ%kJH;%mqqgm;Oz@FyAsyYufSm{HFU{U%v@m8(C2;6Cj%!5Y{r|
z>-50j6Cz&}Q+%cQmrmkNI+B>Em1S3(;G6&PiKyZ1yI)Il6ExmLSok^`%bkut;L^p=
zvg6ZrfpDWIi@*PxQ=%S`EZ8D)IyGWn==n))WjEi<+Th+e$1o_$<90xV8@KCA`5bY#
zqyMK_99j2!(?mgsPnT!i+QYpw|H8pr`}V7z`;=`iwfvX8-o&_o2YfH)%_*L!Cs63u
zkuJhCami8#5w(Cxq3(XyqkZRY>l5banz_U|{qUSr_hWvG&Pd9C_{8=?-C0M>dPaG7
z+d9kbBJY2t@8b?q40^Co?dWT3-t5JTcFIq`ywlQiiP#SgPww<r`{h-t>(p77-4s})
zIm7BC(>WcrTn8OSm7j+m8+|Kw^gEPU?Q)zWdGgm)8>juVcUW(J_d{{?^h(p$2YyUj
ztz&Y3N@MxPi2C@)eDW_07D&%EC~p3-bJ4{Ew_Q@B_@$%wom)0hXr8d3>*|i%E8gfN
zzW(U4@T7$4>YMQsi+5yp%@o<0=FQ5P#vT~m7dLzLY~R3)n2-BoKYaP=T_EkF{c`p9
zB@6l1e7MFi^MuwXn-y7cFBb3Aw^<NtdG63IsncJs`>nh&KW~B6od0i3xesJth=|MH
uEito_v#oM@zLUdhf#b8M2`|u)7uaT{>cRV{ukwfttKUDp^z9LT1}^~m-@2Os

literal 3512
zcmZQ@_Y83kiVO&0@R?V9^J4YQcM1oLo8xP@^1O_aQWr08`}&aSbn;;d+tWYpU%T1I
z$#b`|+I;4cQ2y9Q3(OxKxz?*b<C4Om^>S9%maXmka+teXWO8tOKpt1(&pBuKd*)<+
zc&cS9vmv!<ZCiC#Yig<L7Jj?xtKP4sM(S@gQ?}n;xj5t0SLw+)^LcmNys=<oNay`G
z+l~Lfi+FPVb#OpP#O~&!zpl&<@XYOsbCKvUpLcf8{|~Io-4|+BPLB(pW0tL`Z}7g%
zTlsovs^r!e{^_b!-z?bIeG&CLUc80z_~y?}%<r$dHN+mXZf|hg$DJp5d&P<8F*d;u
zS$_-P_<bOFV(F~nyIQ*pqu6)Jy2T!f&vg3aQS0pFmv@1+GXKNe8QWj8B!8*noM~|I
z_yVVWw;$>&+MoUqaA(%^4ZC-(a$fOEpZRybO~U>;=Yr1|N`KF9+xcwy!g;;FW9P0^
zW^tH&;$27O+lyPQ4oNk9|5cjQDR+W9{@m9#9jA*N;Wd)8ln?!?5;!JS<y{i>R+vlf
zbjcA9WqJ27%L#SIS{*fW4fRwFX4XEAW_9S^T5?=lVE^Nw-)~AZPR%?NqjkBDaa-WF
zZ4Jk!emV9-S<ZUm>5I8mhi&fPd44(aotNw-t*e($MxSuiX*12dTJJdXTCwGo(y-5w
zvnxUw66T(J{W^s4j-kHf-PVi^9FyZiZ#Yz%tGVsId_6JfdM@`8--)w0jV>MM?LIg8
zW)-KJ$+g2-XHQNkV|=(t)kmc^ST(e!P)@u)iM1>*zI4%r@E)Cavk!%f?}_)`6S*Sl
z@a2<zce5gHP5azu>ASq?`O^hk^8NV}jPu2P-n%|6|Gc~Wb;bWx&&~@c=ER%$<s3Qv
zI(_DKi+{qo%qp_HI$y45YrYixXMLsa@|sg~dyd<=PAK2hKUaEDoqCws8{q>-Uw^MU
zD*mhNnrmb1qs#kFYE_<#x-WFS&C@9-(<7-d=%zX61XKP{+lPGRKOX*&<-ar`Dsk;x
zBaQqcRj>Q6bxm1pVx-7%%%+-MP~6QeWlibC4L5l<25h~hc3teMQQ!7y376--?!MR&
zZo$@m-|z427b_BUt5ohdr^$+cO<y&K({q2yk^9Fom)u)ky;I@eX^DrYHmk6GeEOi{
zRJPY%?w-w?GWPg8e&%RQzqruiP3uADqz#jORX07YY2J0I{)L#`p9tloJ-;}(Sp|xh
zf1b~+^psP8)BIz8&zJj`yuQ85f62mG&tdt1XZ6;nGHXuEy;SgekKFAx!E<&>U+(F(
zha6h0@QHVWdTFYAX!{2~opsw1MVz(7g8xpmuKhE6i80SEo{FO!$yf3M>Yem56+WDi
zy?gP&r;P_D6;%|*^;_)UCT)~4C4H)R&Zot$>m~?2$-B-wp-_LV^*O;;2RF4$H{p8A
z&Lw2!6wtIHtoB;V>7_0*ab62%+Z~88sJybq!~fFZ<2mupkJyhXt!palc3ArU*WBL^
zV={i-sG8ifCns+9#RUH8VSE2KYF8_N_2kN}b2HCZ2>ueWd-|am^Q1M*Nxng=(>Z^$
zdVaaTQ&>zd_|UBv-TM!9^7yCN24uSayvtc+b90Wdzwac!ctPjD2ZFP1EOgrF-`I8F
zQ*pWbi-2`5&3E^G&dV>l6lZdPp(K$%KfLdg+<ZkQ>y_nkXCCFZTe5E1;U~c}pYNpB
zq>r9T*M0Z0tWjK(r{UEVcH_tO6#{Y1zFKn)U;GQpUXf>aua>j8Ih;HHqf&=cs{h@Z
zsc&rWEOS?hc&g6B+-j1VE+AGQcOvkZ(e$6OTPLmhW$S!&<>s$PPW-Ln_3^9P-m%f+
z!7C4!A8u3f%pwncNH%Z{H-1|9C7=7tzV1bux6f&?r^g@ICtGHs&bn^1(77!EyRvgW
zq%uix#OpHbuPvLLz51bTA&=qp>0Wv4=baC2PTwpn|FNv5ahK`rYr+iMn2$<+^_=Z`
zdcm^*mZcXXe=YT5DR}T{cD>ruwmoV`c3b=DOH7-o^VXX)o9DZ>v$E-_@9KtMqm~tE
zo|aY7=ebrZoWC;Asxmz}Z?SOHt0tF!$&2!3mYC%$bGKDZpAet_|J(YDGj4XqGWtJD
zpV;u<Os+P>rKbJ6OWRVT)+Ba@w>=$iP8`VJ{V}LpE_;S<`u^_^ndQ!>UeexeC6V!}
zPQ5he6vyg?n)-3ywtT&@!pP8clM2I(c=eN^yLr{mP1tbd=I1qAC(B;eJCb~e|1R&*
z(=%=>yh>BL*7|R@){U<_6k@g-$6v4b{_#lu8iRKWdH(r3Jo)+bc(d@U1&n4_{vAEU
zwes2=ckUM-uS!Q}IQ1vqm~Fsew`k|4_GIx@Wtx|Imwh`GtiGXA*?+p%qNRee%9BnV
z2(#X|TJ+L}Eez^EZc5dJ{Xdc-b5#GL(z263t0c~GcV}jAw4RgS=atd!Smem3c1t&_
zX#Sa_r=Og;^;EfPe(@5<Kfh(qZIB6)op|OFQ{I9p>qJyO$MfF)azI#6qGR?Vx0`pj
zajdoP`)TKU@fGvVU+udc?Qbf`eP`jiSl_xs>e=J8RrU9-XbN05)10(a{56AAuZhY0
zX@A;JOwR4m;4G{EQMT{jt}hxcr<(QV*s$yi|Ii^Bcc3N8ro8#H^URb~qo3<}rgeY1
zIH_0piu#_6cjq$m*ZYe`m?jtb9E%m>u6tZA6{^oDAt)Za^OD_PqyCetE424<n@vnr
zJ6;ee999=w@GHDo^62727BOOc$Dc)IwzvJibjq~+kmL13j5%{H9y=*aR|-mCVcVFt
zbIYkoRVf!I?dK>+TUE^;wzRQ#pZ7I;kruZ@KirO=ohc^97pmJlXJNhY%Nz?khnoEr
zD_?zjrSG&mbo;M+H8T=A6~Yf$dy4-*a{IiAN^iGLM^WRW^DlB=-!*?5zG&Cwz|xlD
z@YCPxtB(ZxyyX%WEts_Ga?q12do9D?zjR)8@T+_K|G>Vr%x5?kB>DP!N=H3T`j}O2
z5x(u#&a&B8=6zMzdgzJN`L^F@mpv^PW=uPO`<R2K+tKdST{GSbS6<2R{@(YnQ$H&H
zPtM`W#~dZ!-7d|Z;K{b%R<8D;hV$gtZ6-};s;6<))h93YnS4C%A@`LEh8pihX*~b)
zm8Y4`OPjHGK}lnz=qkscxjQ}o$xoXtf8a+|@|#G5d%tZtANdxW>gQdvm^16yGZkai
z*{+Lr=ao)gwKJ`DvedE@t%1z$>ug^e@UWDB?7XxzuiBt+D~sKpw>KG7XXWo%)@*pM
z{I8jFT4n9?X;%#nsIh+FJ^hv;ZhmmsjQA71M|5Z0uU_+mXW66U8MhAjeCx>Qc(-}~
zmrL)tzpAiqu6^OM>$iH|vI@_CCv6wje!VW@<~seOG0Q40XI7J$k`g---m`w=J#}|&
zb6Cgwy?48l4j-7DU4Ovu((whEnf`Y!>2V1gnREsQc^A}4eQ5}Zj;sDrc{QGmEw_^U
zOuB4;$6U=Cwi`Roip*K?*@yX$qPLZMvvd2A((ZY&v*aJ1aA@5b{h-lWp1J;XfPzGo
z%;_n<R~TyaUG4sH_RGC~d!VZC^J$;(g0IhoN&|l;?|3h~KFr=~`cx^+KM^_m7lnL^
z6c>oC|K2iZt3+wA(;p=d<uB4_s~0WbyT|43L;3o3vr?=!uiLxn(D9{nS9$U}1Q$+Q
z)4PD7jJG(jCu#ZO+G(oxx1yh^x~}?kpyK}xEtS6Hx!Oy)ijGFPwEhWY*WU3Y$yrbE
zNnO^&Ey0%#?(DF5<9&YDiDq}7HZ9%#JKVLzURk{IH9sYC^ws5z(?72?PM3e)uYc11
z>pE+XwJ-MaKHc?HGvIeq=8u0CQ!bV>yp`H(5Vn57GT)z}{mWDKa$kEcb~y62)gjk3
z_L*MWeRH18Up!59WnJ%)#*9xAVN-bLT;b{t`}^tc{)Kj{l+|@)R2RG~Ke2-8$H_ef
zlW*SByv1^`X3p-3hg;*m#6Nn+bN0;Y8#{Ksb-DH3`1?(kqLsTQ^Gr6n5cKepON8^6
z&}7XmPi#7!G=Hdj9ZpkSpl1BG{ZP!R%0)8*9(^#G6f!?_jbfGS^9}DD7TNra_!aWc
zqCvMJL&o#MyEnqk9G#WjXJ%`yI6e9Aj$C;o(QfW;nZrk~^!P0Ev)lT9YvAIFGIx2N
zgU7#J`NcM+p8w_CS7{7)eGIJ=v{IE$c-_6F<Tx*&we+%64x7=zpP#qxQ7+0lboifU
zzG3e9$mWI&uGRP46@!j#mTjM6K2vFl!ac^Gh0i~o>u{R(qeSP}yg#`If?hv<d#K0%
z^fTQXe8LvXW*nSmGnr4?+cNL8@}y@9rAxMFrku7-bQVxfn%5vv=2WMiHQ{`c)P)YK
zhns{WTB05@dfxuufBVQM`vp=<)|=*6obR0Jx$EdzpLd~g@+_BshfUp?=*0X(;bV&2
zcVq4+=lC8@D7c~YZGWVhE`v~p;j>j~O*1Q3p63v~-S+7`cf{0S)*6}b-JcjPZ1Ci`
zU%yf1<;DMRl`npNWUwME_Ty=tWp~|gxGP*Ze8gF=oiW8J$>IddkEj`Qy&b<zjCz{4
z=ADBp=PJ>vkL(BMHWkk)Dz^OXwdttP9;*V4Pu*poc2!K|)Lq>byFn!@<wxQ+o$34Y
zPPYBO!DLxdQ>o@+R3R{P=QNXv)AOR=9$em~94E7K-^Jyc^ZH9-PG>JL7vc(gyj(|U
z{y}yfV_6Gj<|ncjmX%pNb2B(|;d@x6M9ZtZ{7~-g{|$CV%xQe|vgBm%?XGLqDs9ti
zm$!ATe9?4b$@bq%ESDZEx}ETh<EGArUAppn{*^6Msh>Zcvr~{~L)6O;t<BYienB5&
RkF5z6R8u>*`}+2yM*szd+tmO7

diff --git a/system-modules/nx2site/paperless.nix b/system-modules/nx2site/paperless.nix
index a5e45c9..185fe33 100644
--- a/system-modules/nx2site/paperless.nix
+++ b/system-modules/nx2site/paperless.nix
@@ -1,4 +1,4 @@
-{ config, pkgs, secrets, user, domain, ... }:
+{ pkgs, config, secrets, domain, user, ... }:
 let paperless-user = "paperless"; in
 {
   sops.secrets = {
@@ -7,7 +7,10 @@ let paperless-user = "paperless"; in
     };
   };
 
-  users.users."${user}".extraGroups = [ paperless-user ];
+  users.users = {
+    "${user}".extraGroups = [ paperless-user ];
+    "${paperless-user}".extraGroups = [ "redis-paperless" ];
+  }; 
 
   services = {
     postgresql = {
@@ -19,179 +22,182 @@ let paperless-user = "paperless"; in
     };
     paperless = {
       enable = true;
-      address = "127.0.0.1";
+      # address = "0.0.0.0";
       port = 8441;
       user = paperless-user;
       consumptionDirIsPublic = true;
       # package = pkgs.paperless-ngx;
       # dataDir = "/var/lib/paperless"; # default
-      # address = "127.0.0.1";
+      address = "127.0.0.1";
       # mediaDir = "${dataDir}/media";
       passwordFile = config.sops.secrets."nx2site/paperless.pw".path;
       # consumptionDir = "${dataDir}/consume";
       # consumptionDirIsPublic = false;
       # openMPThreadingWorkaround = true;
       settings = {
-        # PAPERLESS_REDIS = "redis://localhost:6379";
-        # PAPERLESS_REDIS_PREFIX=""
-
-      PAPERLESS_DBENGINE = "postgresql";
-      # PAPERLESS_DBHOST = "/run/postgresql"; # config.services.postgresql.settings.listen_addresses;
-      # PAPERLESS_DBPORT = config.services.postgresql.settings.port;
-      PAPERLESS_DBNAME = paperless-user;
-      PAPERLESS_DBUSER = paperless-user;
-      PAPERLESS_DBPASS = secrets.nx2site.paperless.PAPERLESS_DBPASS;
-        # PAPERLESS_DBSSLMODE=
-        # PAPERLESS_DBSSLROOTCERT=null; # unset, using the documented path in the home directory.
-        # PAPERLESS_DBSSLCERT=null; # unset, using the documented path in the home directory.
-        # PAPERLESS_DBSSLKEY=null; # unset, using the documented path in the home directory.
-        # PAPERLESS_DB_TIMEOUT=null; # unset, keeping the Django defaults.
-        # PAPERLESS_TIKA_ENABLED=false
-        # PAPERLESS_TIKA_ENDPOINT="http://localhost:9998".
-        # PAPERLESS_TIKA_GOTENBERG_ENDPOINT="http://localhost:3000".
-      PAPERLESS_CONSUMPTION_DIR = "${config.services.paperless.dataDir}/consume/";  
-      # PAPERLESS_DATA_DIR = "${config.services.paperless.dataDir}/data/"; 
-      PAPERLESS_EMPTY_TRASH_DIR ="${config.services.paperless.dataDir}/trash/"; # null = really delete files
-      # PAPERLESS_MEDIA_ROOT = "${config.services.paperless.dataDir}/media/"; 
-      # PAPERLESS_STATICDIR = "${config.services.paperless.dataDir}/static/"; 
-        # PAPERLESS_FILENAME_FORMAT=
-        # PAPERLESS_FILENAME_FORMAT_REMOVE_NONE=
-      # PAPERLESS_LOGGING_DIR = "${config.services.paperless.dataDir}/log/";
-        # PAPERLESS_NLTK_DIR =
-        # PAPERLESS_MODEL_FILE= PAPERLESS_DATA_DIR/classification_model.pickle.
-        # PAPERLESS_LOGROTATE_MAX_SIZE= 1 MiB.
-        # PAPERLESS_LOGROTATE_MAX_BACKUPS= 20.
-        # PAPERLESS_SECRET_KEY=
-        # PAPERLESS_URL="" # empty string, leaving the other settings unaffected.
-        # PAPERLESS_CSRF_TRUSTED_ORIGINS=
-        # PAPERLESS_ALLOWED_HOSTS=
-        # PAPERLESS_CORS_ALLOWED_HOSTS=
-        # PAPERLESS_TRUSTED_PROXIES=
-        # PAPERLESS_FORCE_SCRIPT_NAME=
-        # PAPERLESS_STATIC_URL= "/static/".
-        # PAPERLESS_AUTO_LOGIN_USERNAME=null;
-      PAPERLESS_ADMIN_USER="${user}";
-      PAPERLESS_ADMIN_MAIL=secrets.email.gmail-online.mail;
-      # PAPERLESS_ADMIN_PASSWORD=;
-        # PAPERLESS_COOKIE_PREFIX=
-        # PAPERLESS_ENABLE_HTTP_REMOTE_USER=
-        # PAPERLESS_ENABLE_HTTP_REMOTE_USER_API=
-        # PAPERLESS_HTTP_REMOTE_USER_HEADER_NAME=
-      # PAPERLESS_LOGOUT_REDIRECT_URL="https://youtu.be/dMN-pjcchrE?si=EcFYvAnbXFkounYR";
-        # PAPERLESS_USE_X_FORWARD_HOST= false
-        # PAPERLESS_USE_X_FORWARD_PORT= false
-        # PAPERLESS_PROXY_SSL_HEADER= null
-        # PAPERLESS_EMAIL_CERTIFICATE_LOCATION = null;
-        # PAPERLESS_SOCIALACCOUNT_PROVIDERS=;
-        # PAPERLESS_SOCIAL_AUTO_SIGNUP = false;
-        # PAPERLESS_SOCIALACCOUNT_ALLOW_SIGNUPS= True
-        # PAPERLESS_ACCOUNT_ALLOW_SIGNUPS= False
-        # PAPERLESS_ACCOUNT_DEFAULT_HTTP_PROTOCOL= 'https'
-        # PAPERLESS_ACCOUNT_EMAIL_VERIFICATION= 'optional'
-        # PAPERLESS_DISABLE_REGULAR_LOGIN= False
-        # PAPERLESS_REDIRECT_LOGIN_TO_SSO= False
-        # PAPERLESS_ACCOUNT_SESSION_REMEMBER= True
-        # PAPERLESS_SESSION_COOKIE_AGE= 1209600; # (2 weeks)
-        PAPERLESS_OCR_LANGUAGE = "eng+deu";
-        # PAPERLESS_OCR_MODE= "skip";
-        # PAPERLESS_OCR_SKIP_ARCHIVE_FILE=
-        # PAPERLESS_OCR_CLEAN= clean.
-        # PAPERLESS_OCR_DESKEW = true; # which enables this feature.
-        # PAPERLESS_OCR_ROTATE_PAGES = true; # which enables this feature.
-        # PAPERLESS_OCR_ROTATE_PAGES_THRESHOLD = "12";
-        # PAPERLESS_OCR_OUTPUT_TYPE = "pdfa";
-        # PAPERLESS_OCR_PAGES = null;
-        # PAPERLESS_OCR_IMAGE_DPI = null;
-        # PAPERLESS_OCR_MAX_IMAGE_PIXELS=
-        # PAPERLESS_OCR_COLOR_CONVERSION_STRATEGY=
-        PAPERLESS_OCR_USER_ARGS = {
-          optimize = 1;
-          pdfa_image_compression = "lossless";
-        };
-        # PAPERLESS_TASK_WORKERS= 1
-        # PAPERLESS_THREADS_PER_WORKER=
-        # PAPERLESS_WORKER_TIMEOUT=
-        PAPERLESS_TIME_ZONE = "CET";
-        # PAPERLESS_ENABLE_NLTK=1;
-        # PAPERLESS_EMAIL_TASK_CRON= */10 * * * * or every ten minutes.
-        # PAPERLESS_TRAIN_TASK_CRON= 5 */1 * * * or every hour at 5 minutes past the hour.
-        # PAPERLESS_INDEX_TASK_CRON= 0 0 * * * or daily at midnight.
-        # PAPERLESS_SANITY_TASK_CRON= 30 0 * * sun or Sunday at 30 minutes past midnight.
-        # PAPERLESS_ENABLE_COMPRESSION = 1; # enabling compression.
-        # PAPERLESS_CONVERT_MEMORY_LIMIT = 0; # which disables the limit.
-        # PAPERLESS_CONVERT_TMPDIR =
-        # PAPERLESS_APPS = null;
-        # PAPERLESS_MAX_IMAGE_PIXELS = null;
-        # PAPERLESS_CONSUMER_DELETE_DUPLICATES= false.
-        # PAPERLESS_CONSUMER_RECURSIVE= false.
-        # PAPERLESS_CONSUMER_SUBDIRS_AS_TAGS= false.
-        PAPERLESS_CONSUMER_IGNORE_PATTERNS = [
-          ".DS_Store"
-          ".DS_STORE"
-          "._*"
-          ".stfolder/*"
-          ".stversions/*"
-          ".localized/*"
-          "desktop.ini"
-          "@eaDir/*"
-          "Thumbs.db"
-        ];
-        # PAPERLESS_CONSUMER_BARCODE_SCANNER=
-        # PAPERLESS_PRE_CONSUME_SCRIPT=
-        # PAPERLESS_POST_CONSUME_SCRIPT=
-        # PAPERLESS_FILENAME_DATE_ORDER= none, which disables this feature.
-        # PAPERLESS_NUMBER_OF_SUGGESTED_DATES= 3. Set to 0 to disable this feature.
-        # PAPERLESS_THUMBNAIL_FONT_NAME= /usr/share/fonts/liberation/LiberationSerif-Regular.ttf.
-        # PAPERLESS_IGNORE_DATES="";
-        # PAPERLESS_DATE_ORDER = "DMY";
-        # PAPERLESS_ENABLE_GPG_DECRYPTOR = false;
-        # PAPERLESS_CONSUMER_POLLING = 0; # which disables polling and uses filesystem notifications.
-        # PAPERLESS_CONSUMER_POLLING_RETRY_COUNT = 5;
-        # PAPERLESS_CONSUMER_POLLING_DELAY = 5;
-        # PAPERLESS_CONSUMER_INOTIFY_DELAY= 0.5; # seconds.
-        # PAPERLESS_OAUTH_CALLBACK_BASE_URL = null;
-        # PAPERLESS_GMAIL_OAUTH_CLIENT_ID = null;
-        # PAPERLESS_GMAIL_OAUTH_CLIENT_SECRET = null;
-        # PAPERLESS_OUTLOOK_OAUTH_CLIENT_ID = null;
-        # PAPERLESS_OUTLOOK_OAUTH_CLIENT_SECRET = null;
-        # PAPERLESS_EMAIL_GNUPG_HOME=
-        # PAPERLESS_CONSUMER_ENABLE_BARCODES=
-        # PAPERLESS_CONSUMER_BARCODE_TIFF_SUPPORT= false.
-        # PAPERLESS_CONSUMER_BARCODE_STRING= "PATCHT"
-        # PAPERLESS_CONSUMER_BARCODE_RETAIN_SPLIT_PAGES= false.
-        # PAPERLESS_CONSUMER_ENABLE_ASN_BARCODE= false.
-        # PAPERLESS_CONSUMER_ASN_BARCODE_PREFIX= "ASN"
-        # PAPERLESS_CONSUMER_BARCODE_UPSCALE= 0.0
-        # PAPERLESS_CONSUMER_BARCODE_DPI= "300"
-        # PAPERLESS_CONSUMER_BARCODE_MAX_PAGES= "0"
-        # PAPERLESS_CONSUMER_ENABLE_TAG_BARCODE= false.
-        # PAPERLESS_CONSUMER_TAG_BARCODE_MAPPING=
-        # PAPERLESS_AUDIT_LOG_ENABLED= true.
-        # PAPERLESS_CONSUMER_ENABLE_COLLATE_DOUBLE_SIDED= false.
-        # PAPERLESS_CONSUMER_COLLATE_DOUBLE_SIDED_SUBDIR_NAME= "double-sided".
-        # PAPERLESS_CONSUMER_COLLATE_DOUBLE_SIDED_TIFF_SUPPORT= false.
-      # PAPERLESS_EMPTY_TRASH_DELAY = 30; # days, minimum of 1 day.
-        # PAPERLESS_EMPTY_TRASH_TASK_CRON= 0 1 * * *, once per day.
-        # PAPERLESS_CONVERT_BINARY = "convert".
-      # PAPERLESS_GS_BINARY = "${pkgs.ghostscript}/bin/gs";
-        # PAPERLESS_WEBSERVER_WORKERS= 1;
-        # PAPERLESS_BIND_ADDR= [::], meaning all interfaces, including IPv6.
-        # PAPERLESS_PORT = config.services.paperless.port;
-        # PAPERLESS_OCR_LANGUAGES=
-        # PAPERLESS_ENABLE_FLOWER=
-        # PAPERLESS_SUPERVISORD_WORKING_DIR=
-      # PAPERLESS_APP_TITLE = "NxPPL";
-        # PAPERLESS_APP_LOGO =
-        # PAPERLESS_ENABLE_UPDATE_CHECK=false;
-        # PAPERLESS_EMAIL_HOST = "localhost";
-        # PAPERLESS_EMAIL_PORT= 25.
-        # PAPERLESS_EMAIL_HOST_USER= "";
-        # PAPERLESS_EMAIL_FROM=
-        # PAPERLESS_EMAIL_HOST_PASSWORD = "".
-        # PAPERLESS_EMAIL_USE_TLS = false.
-        # PAPERLESS_EMAIL_USE_SSL = false. 
+          # PAPERLESS_REDIS = "redis://localhost:6379";
+          # PAPERLESS_REDIS_PREFIX=""
+        # PAPERLESS_DBENGINE = "postgresql";
+        PAPERLESS_DBHOST = "/run/postgresql";
+        # PAPERLESS_DBHOST = config.services.postgresql.settings.listen_addresses;
+        # PAPERLESS_DBPORT = config.services.postgresql.settings.port;
+        # PAPERLESS_DBNAME = paperless-user;
+        # PAPERLESS_DBUSER = paperless-user;
+        PAPERLESS_DBPASS = secrets.nx2site.paperless.PAPERLESS_DBPASS;
+          # PAPERLESS_DBSSLMODE=
+          # PAPERLESS_DBSSLROOTCERT=null; # unset, using the documented path in the home directory.
+          # PAPERLESS_DBSSLCERT=null; # unset, using the documented path in the home directory.
+          # PAPERLESS_DBSSLKEY=null; # unset, using the documented path in the home directory.
+          # PAPERLESS_DB_TIMEOUT=null; # unset, keeping the Django defaults.
+          # PAPERLESS_TIKA_ENABLED=false
+          # PAPERLESS_TIKA_ENDPOINT="http://localhost:9998".
+          # PAPERLESS_TIKA_GOTENBERG_ENDPOINT="http://localhost:3000".
+        PAPERLESS_CONSUMPTION_DIR = "${config.services.paperless.dataDir}/consume/";  
+        # PAPERLESS_DATA_DIR = "${config.services.paperless.dataDir}/data/"; 
+        # PAPERLESS_MEDIA_ROOT = "${config.services.paperless.dataDir}/media/"; 
+        # PAPERLESS_STATICDIR = "${config.services.paperless.dataDir}/static/"; 
+          # PAPERLESS_FILENAME_FORMAT=
+          # PAPERLESS_FILENAME_FORMAT_REMOVE_NONE=
+        # PAPERLESS_LOGGING_DIR = "${config.services.paperless.dataDir}/log/";
+          # PAPERLESS_NLTK_DIR =
+          # PAPERLESS_MODEL_FILE= PAPERLESS_DATA_DIR/classification_model.pickle.
+          # PAPERLESS_LOGROTATE_MAX_SIZE= 1 MiB.
+          # PAPERLESS_LOGROTATE_MAX_BACKUPS= 20.
+          # PAPERLESS_SECRET_KEY=
+          PAPERLESS_URL = "https://doc.${domain}";
+          # PAPERLESS_CSRF_TRUSTED_ORIGINS=
+          # PAPERLESS_ALLOWED_HOSTS=
+          # PAPERLESS_CORS_ALLOWED_HOSTS=
+          # PAPERLESS_TRUSTED_PROXIES=
+          # PAPERLESS_FORCE_SCRIPT_NAME=
+          # PAPERLESS_STATIC_URL= "/static/".
+          # PAPERLESS_AUTO_LOGIN_USERNAME=null;
+        # PAPERLESS_ADMIN_USER="${user}";
+        # PAPERLESS_ADMIN_MAIL=secrets.email.gmail-online.mail;
+        # PAPERLESS_ADMIN_PASSWORD=;
+          # PAPERLESS_COOKIE_PREFIX=
+          # PAPERLESS_ENABLE_HTTP_REMOTE_USER=
+          # PAPERLESS_ENABLE_HTTP_REMOTE_USER_API=
+          # PAPERLESS_HTTP_REMOTE_USER_HEADER_NAME=
+        # PAPERLESS_LOGOUT_REDIRECT_URL="https://youtu.be/dMN-pjcchrE?si=EcFYvAnbXFkounYR";
+          # PAPERLESS_USE_X_FORWARD_HOST= false
+          # PAPERLESS_USE_X_FORWARD_PORT= false
+          # PAPERLESS_PROXY_SSL_HEADER= null
+          # PAPERLESS_EMAIL_CERTIFICATE_LOCATION = null;
+          # PAPERLESS_SOCIALACCOUNT_PROVIDERS=;
+          # PAPERLESS_SOCIAL_AUTO_SIGNUP = false;
+          # PAPERLESS_SOCIALACCOUNT_ALLOW_SIGNUPS= True
+          # PAPERLESS_ACCOUNT_ALLOW_SIGNUPS= False
+          # PAPERLESS_ACCOUNT_DEFAULT_HTTP_PROTOCOL= 'https'
+          # PAPERLESS_ACCOUNT_EMAIL_VERIFICATION= 'optional'
+          # PAPERLESS_DISABLE_REGULAR_LOGIN= False
+          # PAPERLESS_REDIRECT_LOGIN_TO_SSO= False
+          # PAPERLESS_ACCOUNT_SESSION_REMEMBER= True
+          # PAPERLESS_SESSION_COOKIE_AGE= 1209600; # (2 weeks)
+          PAPERLESS_OCR_LANGUAGE = "eng+deu";
+          # PAPERLESS_OCR_MODE= "skip";
+          # PAPERLESS_OCR_SKIP_ARCHIVE_FILE=
+          # PAPERLESS_OCR_CLEAN= clean.
+          # PAPERLESS_OCR_DESKEW = true; # which enables this feature.
+          # PAPERLESS_OCR_ROTATE_PAGES = true; # which enables this feature.
+          # PAPERLESS_OCR_ROTATE_PAGES_THRESHOLD = "12";
+          # PAPERLESS_OCR_OUTPUT_TYPE = "pdfa";
+          # PAPERLESS_OCR_PAGES = null;
+          # PAPERLESS_OCR_IMAGE_DPI = null;
+          # PAPERLESS_OCR_MAX_IMAGE_PIXELS=
+          # PAPERLESS_OCR_COLOR_CONVERSION_STRATEGY=
+          PAPERLESS_OCR_USER_ARGS = {
+            optimize = 1;
+            pdfa_image_compression = "lossless";
+          };
+          # PAPERLESS_TASK_WORKERS= 1
+          # PAPERLESS_THREADS_PER_WORKER=
+          # PAPERLESS_WORKER_TIMEOUT=
+          PAPERLESS_TIME_ZONE = "CET";
+          # PAPERLESS_ENABLE_NLTK=1;
+          # PAPERLESS_EMAIL_TASK_CRON= */10 * * * * or every ten minutes.
+          # PAPERLESS_TRAIN_TASK_CRON= 5 */1 * * * or every hour at 5 minutes past the hour.
+          # PAPERLESS_INDEX_TASK_CRON= 0 0 * * * or daily at midnight.
+          # PAPERLESS_SANITY_TASK_CRON= 30 0 * * sun or Sunday at 30 minutes past midnight.
+          # PAPERLESS_ENABLE_COMPRESSION = 1; # enabling compression.
+          # PAPERLESS_CONVERT_MEMORY_LIMIT = 0; # which disables the limit.
+          # PAPERLESS_CONVERT_TMPDIR =
+          # PAPERLESS_APPS = null;
+          # PAPERLESS_MAX_IMAGE_PIXELS = null;
+          # PAPERLESS_CONSUMER_DELETE_DUPLICATES= false.
+          # PAPERLESS_CONSUMER_RECURSIVE= false.
+          # PAPERLESS_CONSUMER_SUBDIRS_AS_TAGS= false.
+          PAPERLESS_CONSUMER_IGNORE_PATTERNS = [
+            ".DS_Store"
+            ".DS_STORE"
+            "._*"
+            ".stfolder/*"
+            ".stversions/*"
+            ".localized/*"
+            "desktop.ini"
+            "@eaDir/*"
+            "Thumbs.db"
+          ];
+          # PAPERLESS_CONSUMER_BARCODE_SCANNER=
+          # PAPERLESS_PRE_CONSUME_SCRIPT=
+          # PAPERLESS_POST_CONSUME_SCRIPT=
+          # PAPERLESS_FILENAME_DATE_ORDER= none, which disables this feature.
+          # PAPERLESS_NUMBER_OF_SUGGESTED_DATES= 3. Set to 0 to disable this feature.
+          # PAPERLESS_THUMBNAIL_FONT_NAME= /usr/share/fonts/liberation/LiberationSerif-Regular.ttf.
+          # PAPERLESS_IGNORE_DATES="";
+          # PAPERLESS_DATE_ORDER = "DMY";
+          # PAPERLESS_ENABLE_GPG_DECRYPTOR = false;
+          # PAPERLESS_CONSUMER_POLLING = 0; # which disables polling and uses filesystem notifications.
+          # PAPERLESS_CONSUMER_POLLING_RETRY_COUNT = 5;
+          # PAPERLESS_CONSUMER_POLLING_DELAY = 5;
+          # PAPERLESS_CONSUMER_INOTIFY_DELAY= 0.5; # seconds.
+          # PAPERLESS_OAUTH_CALLBACK_BASE_URL = null;
+          # PAPERLESS_GMAIL_OAUTH_CLIENT_ID = null;
+          # PAPERLESS_GMAIL_OAUTH_CLIENT_SECRET = null;
+          # PAPERLESS_OUTLOOK_OAUTH_CLIENT_ID = null;
+          # PAPERLESS_OUTLOOK_OAUTH_CLIENT_SECRET = null;
+          # PAPERLESS_EMAIL_GNUPG_HOME=
+          # PAPERLESS_CONSUMER_ENABLE_BARCODES=
+          # PAPERLESS_CONSUMER_BARCODE_TIFF_SUPPORT= false.
+          # PAPERLESS_CONSUMER_BARCODE_STRING= "PATCHT"
+          # PAPERLESS_CONSUMER_BARCODE_RETAIN_SPLIT_PAGES= false.
+          # PAPERLESS_CONSUMER_ENABLE_ASN_BARCODE= false.
+          # PAPERLESS_CONSUMER_ASN_BARCODE_PREFIX= "ASN"
+          # PAPERLESS_CONSUMER_BARCODE_UPSCALE= 0.0
+          # PAPERLESS_CONSUMER_BARCODE_DPI= "300"
+          # PAPERLESS_CONSUMER_BARCODE_MAX_PAGES= "0"
+          # PAPERLESS_CONSUMER_ENABLE_TAG_BARCODE= false.
+          # PAPERLESS_CONSUMER_TAG_BARCODE_MAPPING=
+          # PAPERLESS_AUDIT_LOG_ENABLED= true.
+          # PAPERLESS_CONSUMER_ENABLE_COLLATE_DOUBLE_SIDED= false.
+          # PAPERLESS_CONSUMER_COLLATE_DOUBLE_SIDED_SUBDIR_NAME= "double-sided".
+          # PAPERLESS_CONSUMER_COLLATE_DOUBLE_SIDED_TIFF_SUPPORT= false.
+        PAPERLESS_EMPTY_TRASH_DELAY = 30; # days, minimum of 1 day.
+          # PAPERLESS_EMPTY_TRASH_TASK_CRON= 0 1 * * *, once per day.
+          # PAPERLESS_CONVERT_BINARY = "convert".
+        PAPERLESS_GS_BINARY = "${pkgs.ghostscript}/bin/gs";
+          # PAPERLESS_WEBSERVER_WORKERS= 1;
+          # PAPERLESS_BIND_ADDR= [::], meaning all interfaces, including IPv6.
+          # PAPERLESS_PORT = config.services.paperless.port;
+          # PAPERLESS_OCR_LANGUAGES=
+          # PAPERLESS_ENABLE_FLOWER=
+          # PAPERLESS_SUPERVISORD_WORKING_DIR=
+        PAPERLESS_APP_TITLE = "NxPPL";
+          # PAPERLESS_APP_LOGO =
+          # PAPERLESS_ENABLE_UPDATE_CHECK=false;
+          # PAPERLESS_EMAIL_HOST = "localhost";
+          # PAPERLESS_EMAIL_PORT= 25.
+          # PAPERLESS_EMAIL_HOST_USER= "";
+          # PAPERLESS_EMAIL_FROM=
+          # PAPERLESS_EMAIL_HOST_PASSWORD = "".
+          # PAPERLESS_EMAIL_USE_TLS = false.
+          # PAPERLESS_EMAIL_USE_SSL = false. 
 
       };
     };
   };
+  systemd.services.paperless-web.after = [ "postgresql.service" ];
+  systemd.services.paperless-task-queue.after = [ "postgresql.service" ];
+  systemd.services.paperless-consumer.after = [ "postgresql.service" ];
+  systemd.services.paperless-sceduler.after = [ "postgresql.service" ];
 }
diff --git a/system-modules/nx2site/proxy.nix b/system-modules/nx2site/proxy.nix
index d961d1e..fe6b9cb 100644
--- a/system-modules/nx2site/proxy.nix
+++ b/system-modules/nx2site/proxy.nix
@@ -14,7 +14,7 @@
     };
     certs = {
       "${domain}" = {
-        extraDomainNames = builtins.map (subd: "${subd}.${domain}") [ "git" "pw" "sync" ];
+        extraDomainNames = builtins.map (subd: "${subd}.${domain}") [ "sync" ];
       };
     };
   };
@@ -140,9 +140,24 @@
         listen = dl;
         locations = { "/" = { proxyPass = "http://127.0.0.1:5232"; }; }; 
       });
-      "nc.${domain}" = vh // {
-        # directly to nc 
+      # "nc.${domain}" = vh // {
+      #   # directly to nc 
+      # };
+      "abs.${domain}" = vh // {
+        listen = dl;
+        locations = { "/" = { 
+          proxyPass = "http://127.0.0.1:${builtins.toString config.services.audiobookshelf.port}";
+          proxyWebsockets = true;
+        }; }; 
       };
+      # is done atomatically
+      # "cal.${domain}" = vh // {
+      #   listen = dl;
+      #   locations = { "/" = { 
+      #     proxyPass = "http://unix:///run/open-web-calendar/socket";
+      #     proxyWebsockets = true;
+      #   }; }; 
+      # };
       "~^(.*).${domain}$" = {
         listen = dl;
         root = "/var/nginx/webroot";
diff --git a/system-modules/postgres.nix b/system-modules/postgres.nix
index 6ab4f63..39c3f15 100644
--- a/system-modules/postgres.nix
+++ b/system-modules/postgres.nix
@@ -26,6 +26,7 @@
 			ensureDatabases = [
 				"gitea"
 				"vaultwarden"
+				"paperless"
 				"nextcloud"
 			];
 			settings = {
@@ -49,6 +50,10 @@
 					name = "nextcloud";
 					ensureDBOwnership = true;
 				}
+				{
+					name = "paperless";
+					ensureDBOwnership = true;
+				}
 			];
 		};
 		postgresqlBackup = {