diff --git a/main.tf b/main.tf
index 0b43ba4a..ed16d7d5 100644
--- a/main.tf
+++ b/main.tf
@@ -69,6 +69,7 @@ variable "vaultwarden_smtp_password" {}
 variable "resume_database_url" {}
 variable "resume_redis_url" {}
 variable "frigate_valchedrym_camera_credentials" { default = "" }
+variable "paperless_db_password" {}
 
 variable "ansible_prefix" {
   default     = "ANSIBLE_VAULT_PASSWORD_FILE=~/.ansible/vault_pass.txt ansible-playbook -i playbook/hosts.yaml playbook/linux.yml -t linux/initial_setup"
@@ -350,6 +351,8 @@ module "kubernetes_cluster" {
   // updating technitium records
   technitium_username = var.technitium_username
   technitium_password = var.technitium_password
+
+  paperless_db_password = var.paperless_db_password
 }
 
 
diff --git a/modules/kubernetes/main.tf b/modules/kubernetes/main.tf
index 7ae8da3d..55f5367f 100644
--- a/modules/kubernetes/main.tf
+++ b/modules/kubernetes/main.tf
@@ -56,6 +56,7 @@ variable "vaultwarden_smtp_password" {}
 variable "resume_database_url" {}
 variable "resume_redis_url" {}
 variable "frigate_valchedrym_camera_credentials" { default = "" }
+variable "paperless_db_password" {}
 
 resource "null_resource" "core_services" {
   # List all the core modules that must be provisioned first
@@ -438,3 +439,9 @@ module "metrics-server" {
   source          = "./metrics-server"
   tls_secret_name = var.tls_secret_name
 }
+
+module "paperless-ngx" {
+  source          = "./paperless-ngx"
+  tls_secret_name = var.tls_secret_name
+  db_password     = var.paperless_db_password
+}
diff --git a/modules/kubernetes/paperless-ngx/main.tf b/modules/kubernetes/paperless-ngx/main.tf
new file mode 100644
index 00000000..3f8a14a5
--- /dev/null
+++ b/modules/kubernetes/paperless-ngx/main.tf
@@ -0,0 +1,166 @@
+variable "tls_secret_name" {}
+variable "db_password" {}
+
+resource "kubernetes_namespace" "paperless-ngx" {
+  metadata {
+    name = "paperless-ngx"
+    # labels = {
+    #   "istio-injection" : "enabled"
+    # }
+  }
+}
+module "tls_secret" {
+  source          = "../setup_tls_secret"
+  namespace       = "paperless-ngx"
+  tls_secret_name = var.tls_secret_name
+}
+
+
+resource "kubernetes_deployment" "paperless-ngx" {
+  metadata {
+    name      = "paperless-ngx"
+    namespace = "paperless-ngx"
+    labels = {
+      app = "paperless-ngx"
+    }
+    annotations = {
+      "reloader.stakater.com/search" = "true"
+    }
+  }
+  spec {
+    replicas = 1
+    strategy {
+      type = "Recreate"
+    }
+    selector {
+      match_labels = {
+        app = "paperless-ngx"
+      }
+    }
+    template {
+      metadata {
+        labels = {
+          app = "paperless-ngx"
+        }
+      }
+      spec {
+        container {
+          image = "paperlessngx/paperless-ngx:2.4.3"
+          name  = "paperless-ngx"
+          env {
+            name  = "PAPERLESS_REDIS"
+            value = "redis://redis.redis"
+          }
+          env {
+            name  = "PAPERLESS_REDIS_PREFIX"
+            value = "paperless-ngx"
+          }
+          env {
+            name  = "PAPERLESS_DBENGINE"
+            value = "mariadb"
+          }
+          env {
+            name  = "PAPERLESS_DBHOST"
+            value = "mysql.dbaas"
+          }
+          env {
+            name  = "PAPERLESS_DBNAME"
+            value = "paperless-ngx"
+          }
+          env {
+            name  = "PAPERLESS_DBUSER"
+            value = "paperless-ngx"
+          }
+          env {
+            name  = "PAPERLESS_DBPASS"
+            value = var.db_password
+          }
+          env {
+            name  = "PAPERLESS_URL"
+            value = "https://paperless-ngx.viktorbarzin.me"
+          }
+          env {
+            name  = "PAPERLESS_DEBUG"
+            value = "false"
+          }
+          env {
+            name  = "PAPERLESS_MEDIA_ROOT"
+            value = "../data"
+          }
+          volume_mount {
+            name       = "data"
+            mount_path = "/usr/src/paperless/data"
+          }
+
+          port {
+            container_port = 8000
+          }
+        }
+        volume {
+          name = "data"
+          nfs {
+            path   = "/mnt/main/paperless-ngx"
+            server = "10.0.10.15"
+          }
+        }
+      }
+    }
+  }
+}
+
+resource "kubernetes_service" "paperless-ngx" {
+  metadata {
+    name      = "paperless-ngx"
+    namespace = "paperless-ngx"
+    labels = {
+      "app" = "paperless-ngx"
+    }
+  }
+
+  spec {
+    selector = {
+      app = "paperless-ngx"
+    }
+    port {
+      name        = "http"
+      target_port = 8000
+      port        = 80
+      protocol    = "TCP"
+    }
+  }
+}
+
+
+resource "kubernetes_ingress_v1" "paperless-ngx" {
+  metadata {
+    name      = "paperless-ngx"
+    namespace = "paperless-ngx"
+    annotations = {
+      "kubernetes.io/ingress.class" = "nginx"
+      "nginx.ingress.kubernetes.io/proxy-body-size" : "100000m"
+    }
+  }
+
+  spec {
+    tls {
+      hosts       = ["paperless-ngx.viktorbarzin.me"]
+      secret_name = var.tls_secret_name
+    }
+    rule {
+      host = "paperless-ngx.viktorbarzin.me"
+      http {
+        path {
+          path = "/"
+          backend {
+            service {
+              name = "paperless-ngx"
+              port {
+                number = 8000
+              }
+            }
+          }
+        }
+      }
+    }
+  }
+}
diff --git a/terraform.tfstate b/terraform.tfstate
index 816c9942..f9e00fbe 100644
Binary files a/terraform.tfstate and b/terraform.tfstate differ
diff --git a/terraform.tfvars b/terraform.tfvars
index 6b3fd83d..ce528417 100644
Binary files a/terraform.tfvars and b/terraform.tfvars differ