diff --git a/modules/services/default.nix b/modules/services/default.nix
index 4760ab1..9f132d0 100644
--- a/modules/services/default.nix
+++ b/modules/services/default.nix
@@ -18,6 +18,7 @@
 ./navidrome.nix
 ./nextcloud.nix
 ./nginx.nix
+ ./paperless.nix
 ./pirate.nix
 ./podgrab.nix
 ./postgresql-backup.nix
diff --git a/modules/services/paperless.nix b/modules/services/paperless.nix
new file mode 100644
index 0000000..dd3a98b
--- /dev/null
+++ b/modules/services/paperless.nix
@@ -0,0 +1,113 @@
+{ config, lib, pkgs, ... }:
+let
+ cfg = config.my.services.paperless;
+in
+{
+ options.my.services.paperless = with lib; {
+ enable = mkEnableOption "Paperless service";
+
+ port = mkOption {
+ type = types.port;
+ default = 4535;
+ example = 8080;
+ description = "Internal port for webui";
+ };
+
+ secretKey = mkOption {
+ type = types.str;
+ example = "e11fl1oa-*ytql8p)(06fbj4ukrlo+n7k&q5+$1md7i+mge=ee";
+ description = "Secret key used for sessions tokens";
+ };
+
+ documentPath = mkOption {
+ type = with types; nullOr str;
+ default = null;
+ example = "/mnt/paperless";
+ description = ''
+ Path to the directory to store the documents. Use default if null
+ '';
+ };
+
+ username = mkOption {
+ type = types.str;
+ default = "ambroisie";
+ example = "username";
+ description = "Name of the administrator";
+ };
+ };
+
+ config = lib.mkIf cfg.enable {
+ services.paperless-ng = {
+ enable = true;
+
+ port = cfg.port;
+
+ mediaDir = lib.mkIf (cfg.documentPath != null) cfg.documentPath;
+
+ extraConfig =
+ let
+ paperlessDomain = "paperless.${config.networking.domain}";
+ in
+ {
+ # Use SSO
+ PAPERLESS_ENABLE_HTTP_REMOTE_USER = true;
+ PAPERLESS_HTTP_REMOTE_USER_HEADER_NAME = "HTTP_X_USER";
+
+ # Use PostgreSQL
+ PAPERLESS_DBHOST = "/run/postgresql";
+ PAPERLESS_DBUSER = "paperless";
+ PAPERLESS_DBNAME = "paperless";
+
+ # Security settings
+ PAPERLESS_SECRET_KEY = cfg.secretKey; # Insecure, I don't care
+ PAPERLESS_ALLOWED_HOSTS = paperlessDomain;
+ PAPERLESS_CORS_ALLOWED_HOSTS = "https://${paperlessDomain}";
+
+ # OCR settings
+ PAPERLESS_OCR_LANGUAGE = "fra+eng";
+
+ # Misc
+ PAPERLESS_TIME_ZONE = config.time.timeZone;
+ PAPERLESS_ADMIN_USER = cfg.username;
+ };
+ };
+
+ # Set-up database
+ services.postgresql = {
+ enable = true;
+ ensureDatabases = [ "paperless" ];
+ ensureUsers = [
+ {
+ name = "paperless";
+ ensurePermissions."DATABASE paperless" = "ALL PRIVILEGES";
+ }
+ ];
+ };
+
+ systemd.services.paperless-ng-server = {
+ # Make sure the DB is available
+ after = [ "postgresql.service" ];
+ };
+
+
+ users.users.${config.services.paperless-ng.user} = {
+ extraGroups = [ "media" ];
+ };
+
+ my.services.nginx.virtualHosts = [
+ {
+ subdomain = "paperless";
+ inherit (cfg) port;
+ sso = {
+ enable = true;
+ };
+ }
+ ];
+
+ my.services.backup = {
+ paths = [
+ config.services.paperless-ng.mediaDir
+ ];
+ };
+ };
+}
diff --git a/modules/system/media.nix b/modules/system/media.nix
index 4ad2fee..630a351 100644
--- a/modules/system/media.nix
+++ b/modules/system/media.nix
@@ -5,6 +5,7 @@ let
 mediaServices = with config.my.services; [
 calibre-web
 jellyfin
+ paperless
 pirate
 sabnzbd
 transmission
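Review bot: In `modules/services/paperless.nix`, `PAPERLESS_ENABLE_HTTP_REMOTE_USER = true` makes Paperless accept whatever identity arrives in the `X-User` header, so authentication holds only if every request passes through the SSO-enabled nginx vhost and nginx overwrites any client-supplied `X-User`. Neither guarantee is visible in this hunk: the listen address is left at the upstream module's default and the header handling lives in `my.services.nginx`. I would pin the bind explicitly with `address = "127.0.0.1";` next to `port = cfg.port;` (assuming the `services.paperless-ng` module in use exposes that option) and add a comment above the SSO block such as `# Trusts X-User from the reverse proxy; the port must never be reachable directly`. Separately, `PAPERLESS_SECRET_KEY = cfg.secretKey;` places the session-signing key in the world-readable Nix store, as the inline comment concedes; reading it from a file outside the store, for instance through a systemd `EnvironmentFile`, would avoid that.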