diff --git a/group_vars/all.yaml b/group_vars/all.yaml
index b85c9fd..ef3e798 100644
--- a/group_vars/all.yaml
+++ b/group_vars/all.yaml
@@ -125,7 +125,6 @@ keycloak_clients:
 party_secret : "HISTORY_PURGED_SECRET"
 client_id: z_heimdall
 client_secret: "HISTORY_PURGED_SECRET"
- client_secret: "HISTORY_PURGED_SECRET"
 redirect_uris:
 - "https://hub.atlantishq.de/*"
 description: "AtlantisHQ Hub"
@@ -133,3 +132,15 @@ keycloak_clients:
 groups:
 master_address: "https://hub.atlantishq.de"
 skips:
+
+ paperless:
+ party_secret : "HISTORY_PURGED_SECRET"
+ client_id: z_paperless
+ client_secret: "HISTORY_PURGED_SECRET"
+ redirect_uris:
+ - "https://paperless.atlantishq.de/*"
+ description: "AtlantisHQ Paperless Archiving"
+ keycloak_id: "00000000-0000-0000-0000-000000000008"
+ groups: "paperless"
+ master_address: "https://paperless.atlantishq.de"
+ skips:
diff --git a/roles/paperless/tasks/main.yaml b/roles/paperless/tasks/main.yaml
index a7c1367..d7913d9 100644
--- a/roles/paperless/tasks/main.yaml
+++ b/roles/paperless/tasks/main.yaml
@@ -32,3 +32,28 @@
 community.docker.docker_compose:
 project_src: /opt/paperless/
 pull: true
+
+- name: OAuth2Proxy directories
+ file:
+ path: "/opt/oauth2proxy/{{ item }}/"
+ state: directory
+ recurse: yes
+ with_items:
+ - paperless
+
+- name: include services ports
+ include_vars: services.yaml
+
+- name: Deploy OAuth2Proxy compose files
+ template:
+ src: oauth-standalone-docker-compose.yaml
+ dest: "/opt/oauth2proxy/{{ item }}/docker-compose.yaml"
+ with_items:
+ - paperless
+
+- name: Deploy OAuth2Proxy
+ community.docker.docker_compose:
+ project_src: /opt/oauth2proxy/{{ item }}/
+ pull: true
+ with_items:
+ - paperless
diff --git a/roles/paperless/templates/docker-compose.env b/roles/paperless/templates/docker-compose.env
index 3b01356..a2e3b1e 100644
--- a/roles/paperless/templates/docker-compose.env
+++ b/roles/paperless/templates/docker-compose.env
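Review bot: The new `paperless` entry in `group_vars/all.yaml` carries `party_secret` and `client_secret` as string literals, so they are readable by anyone with repository access and are loaded for every host in the inventory. The `HISTORY_PURGED_SECRET` values suggest the real ones were scrubbed from history later; that does not undo the exposure, so the committed values should be rotated. Reference vaulted variables instead, e.g. `client_secret: "{{ vault_paperless_client_secret }}"` (the variable name is a placeholder). Separately, `- "https://paperless.atlantishq.de/*"` allows any path as a redirect target; if this client is only used by the OAuth2 proxy, a single callback URI is enough, e.g. `- "https://paperless.atlantishq.de/oauth2/callback"`, assuming the proxy template (not shown) keeps oauth2-proxy's default callback path. The `keycloak_clients` mapping begins outside the hunk.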
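Review bot: The `Deploy OAuth2Proxy compose files` task renders `/opt/oauth2proxy/{{ item }}/docker-compose.yaml` without `owner` or `mode`, so its permissions come from the umask and are typically world-readable. The template `oauth-standalone-docker-compose.yaml` is not part of this diff, but if it embeds the Keycloak `client_secret` or a cookie secret, any local account on the host could read them. Add `mode: "0600"` to the template task and `mode: "0700"` to the `OAuth2Proxy directories` task, dropping `recurse: yes` there so the directory mode is not also applied to files underneath. As a style point, the new tasks use the short names `file`, `template` and `include_vars` and the truthy `yes`, while the file already uses the fully qualified `community.docker.docker_compose` and `true`.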
@@ -4,3 +4,5 @@ PAPERLESS_OCR_LANGUAGE=deu
 PAPERLESS_SECRET_KEY=HISTORY_PURGED_SECRET
 PAPERLESS_ADMIN_USER=sheppy
 PAPERLESS_ADMIN_PASSWORD=HISTORY_PURGED_SECRET
+PAPERLESS_ENABLE_HTTP_REMOTE_USER=TRUE
+PAPERLESS_HTTP_REMOTE_USER_HEADER_NAME=X-Forwarded-Preferred-Username
diff --git a/roles/paperless/templates/docker-compose.yml b/roles/paperless/templates/docker-compose.yml
index 936a647..669b453 100644
--- a/roles/paperless/templates/docker-compose.yml
+++ b/roles/paperless/templates/docker-compose.yml
@@ -57,7 +57,7 @@ services:
 - gotenberg
 - tika
 ports:
- - "8000:8000"
+ - "9000:8000"
 healthcheck:
 test: ["CMD", "curl", "-fs", "-S", "--max-time", "2", "http://localhost:8000"]
 interval: 30s
diff --git a/vars/services.yaml b/vars/services.yaml
index f6833b3..e13887e 100644
--- a/vars/services.yaml
+++ b/vars/services.yaml
@@ -13,3 +13,5 @@ services:
 port: 5010
 heimdall:
 port: 5011
+ paperless:
+ port: 8000
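Review bot: With `PAPERLESS_ENABLE_HTTP_REMOTE_USER=TRUE`, the request header named on the next line becomes the only credential Paperless checks, so whatever username it carries is accepted, including administrative accounts. That is safe only if every request passes through the OAuth2 proxy and the proxy overwrites any client-supplied copy of the header; neither is visible in this diff, so the template should state it in a comment above the two new lines. The header name itself also looks wrong: as far as I know Paperless-ngx expects it in Django `HttpRequest.META` form, i.e. `PAPERLESS_HTTP_REMOTE_USER_HEADER_NAME=HTTP_X_FORWARDED_PREFERRED_USERNAME`, so the raw `X-Forwarded-Preferred-Username` may never match. Please confirm against the documentation for the deployed version.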
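Review bot: `- "9000:8000"` publishes the Paperless backend on every host interface, and this commit also switches Paperless to header-based login in `docker-compose.env`. A request that reaches port 9000 directly is never authenticated by the OAuth2 proxy, yet its username header would still be trusted. Unless a host firewall not shown here already blocks that port, bind it to loopback with `- "127.0.0.1:9000:8000"`, or to whichever address the proxy container actually uses as its upstream. The `services` block starts and ends outside the hunk.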