diff --git a/hosts/thrall/default.nix b/hosts/thrall/default.nix
index 028c2db..74c4298 100644
--- a/hosts/thrall/default.nix
+++ b/hosts/thrall/default.nix
@@ -175,25 +175,46 @@ in {
 services.restic.backups = { };
 services.keybase = { enable = true; };
- services.nginx.enable = true;
 services.nginx = {
+ enable = true;
+
+ statusPage = true;
+ clientMaxBodySize = "64m";
 recommendedTlsSettings = true;
 recommendedOptimisation = true;
 recommendedGzipSettings = true;
 recommendedProxySettings = true;
 };
 services.nginx.virtualHosts = {
+ # main site
 "failco.de" = {
 forceSSL = true;
 enableACME = true;
 root = "/srv/www/failco.de";
 serverAliases = [ "www.failco.de" "mail.failco.de" ];
+ extraConfig = ''
+ add_header X-Frame-Options 'SAMEORIGIN';
+ '';
 };
+ # gitea
 "git.failco.de" = {
 forceSSL = true;
 enableACME = true;
- locations."/" = { proxyPass = "http://127.0.0.1:3001/"; };
+ locations."/" = {
+ proxyPass = "http://127.0.0.1:3001/";
+ proxyWebsockets = true;
+ };
+ };
+
+ # paperless
+ "docs.failco.de" = {
+ forceSSL = true;
+ enableACME = true;
+ locations."/" = {
+ proxyPass = "http://127.0.0.1:3002/";
+ proxyWebsockets = true;
+ };
 };
 };
@@ -215,11 +236,20 @@ in {
 FROM = "git@failco.de";
 HOST = "thrall.failco.de:25";
 IS_TLS_ENABLED = false;
- SENDMAIL_PATH = "/run/wrappers/bin/sendmail";
 };
 };
 };
+ services.paperless = {
+ enable = true;
+ address = "127.0.0.1";
+ port = 3002;
+ extraConfig = {
+ PAPERLESS_OCR_LANGUAGE = "deu+eng";
+ PAPERLESS_URL = "https://docs.failco.de";
+ };
+ };
+
 services.fail2ban = {
 enable = true;
 maxretry = 5;
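Review bot: The `X-Frame-Options` header added in the `extraConfig` of `"failco.de"` (first hunk) covers only that vhost, and without `always` nginx does not attach it to 4xx/5xx responses. I would write `add_header X-Frame-Options 'SAMEORIGIN' always;`. The two proxied vhosts, `git.failco.de` and the new `docs.failco.de`, get no header from this block; whether gitea and paperless send their own is not visible here, so that is worth confirming or repeating the line there. Separately, `clientMaxBodySize = "64m"` sits in the global `services.nginx` set, so it also raises the request-body limit for the static site and gitea; a comment such as `# raised for paperless document uploads` would record the reason, assuming that is the intent.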
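Review bot: The new `services.paperless` block (second hunk) sets no `passwordFile`, yet the first hunk of this commit publishes the service at `https://docs.failco.de`. With that option unset the superuser has to be created by hand, so the admin credential is not part of the declared configuration; I would add `passwordFile = "/run/keys/paperless-admin";` (placeholder path, pointing at a secret kept out of the Nix store). Because a document archive usually holds sensitive scans, a comment stating that the application login is the only access control on this vhost would help the next reader, and an nginx-level restriction or a fail2ban jail for the login endpoint may be worth considering. The `services.fail2ban` set at the end of the hunk continues outside it, so existing jails are not visible here.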