diff --git a/hosts/hub/apps/open-webui.nix b/hosts/hub/apps/open-webui.nix
new file mode 100644
index 0000000..38b5fdc
--- /dev/null
+++ b/hosts/hub/apps/open-webui.nix
@@ -0,0 +1,22 @@
+{ config, ... }:
+
+{
+ systemd.tmpfiles.rules = [
+ "d /var/lib/open-webui 0755 root root"
+ ];
+
+ virtualisation.oci-containers.containers.open-webui = {
+ image = "ghcr.io/open-webui/open-webui:main";
+ ports = [
+ "8090:8080"
+ ];
+ volumes = [ "/var/lib/open-webui:/app/backend/data" ];
+ };
+
+ services.caddy.virtualHosts."https://open-webui.tailc50184.ts.net".extraConfig = ''
+ bind tailscale/open-webui
+ reverse_proxy http://localhost:8090
+ '';
+
+ networking.firewall.trustedInterfaces = [ "podman0" ];
+}
diff --git a/hosts/hub/apps/paperless.nix b/hosts/hub/apps/paperless.nix
new file mode 100644
index 0000000..2e3bd6e
--- /dev/null
+++ b/hosts/hub/apps/paperless.nix
@@ -0,0 +1,24 @@
+{
+ services = {
+ paperless = {
+ enable = true;
+ settings = {
+ PAPERLESS_ENABLE_HTTP_REMOTE_USER = true;
+ PAPERLESS_ENABLE_HTTP_REMOTE_USER_API = true;
+ PAPERLESS_LOGOUT_REDIRECT_URL = "https://auth.tailc50184.ts.net/logout";
+ PAPERLESS_OCR_USER_ARGS = {
+ "invalidate_digital_signatures" = true;
+ };
+ };
+ };
+
+ caddy.virtualHosts."paperless.tailc50184.ts.net".extraConfig = ''
+ bind tailscale/paperless
+ forward_auth localhost:9091 {
+ uri /api/authz/forward-auth
+ copy_headers Remote-User
+ }
+ reverse_proxy localhost:28981
+ '';
+ };
+}
diff --git a/hosts/hub/default.nix b/hosts/hub/default.nix
index 5feec1a..777a409 100644
--- a/hosts/hub/default.nix
+++ b/hosts/hub/default.nix
@@ -22,11 +22,13 @@
 ../../roles/syncthing.nix
 ./apps/dev.nix
 ./apps/nextcloud.nix
+ ./apps/paperless.nix
 ./apps/searxng.nix
 ./apps/actual.nix
 ./apps/adguard.nix
 ./apps/audiobookshelf.nix
 ./apps/ollama.nix
+ ./apps/open-webui.nix
 ];
 
 boot.loader.grub = {
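Review bot: The container port mapping `"8090:8080"` publishes Open WebUI on every host interface rather than only to the Caddy instance on the same machine, and published container ports are commonly NAT-ed before the host firewall's INPUT rules are consulted, so the `bind tailscale/open-webui` front door can be bypassed by anything that can reach the host on port 8090. Binding the mapping to loopback, `"127.0.0.1:8090:8080"`, leaves Caddy as the only route in, which is all the `reverse_proxy http://localhost:8090` line needs. Two smaller points in the same hunk: the image tag `:main` is a moving tag, so the deployed code changes on every pull with nothing in the repo recording what actually ran, and a digest pin would make the host reproducible; and `networking.firewall.trustedInterfaces = [ "podman0" ]` is a host-wide trust grant living in a single app file, which deserves a comment such as `# podman0 is trusted so containers can reach host services; every container added later inherits this` so it is not silently widened by the next container. The vhost key `"https://open-webui.tailc50184.ts.net"` also carries the scheme while the paperless and auth vhost keys in this commit do not; pick one form.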
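Review bot: `PAPERLESS_ENABLE_HTTP_REMOTE_USER = true` (and the `_API` variant) makes Paperless log in whoever is named in the `Remote-User` header, so the Caddy site block is the entire authentication boundary and that header must only ever originate from Authelia. The `forward_auth` block copies Authelia's `Remote-User` over whatever the client sent on a successful check, but that relies on the auth response always carrying the header and on nobody later reordering the directives; stripping the client's copy first with `request_header -Remote-User` placed before `forward_auth` removes that dependence, and `reverse_proxy localhost:28981` should stay the only listener, since any process on the host that can reach port 28981 can set the header directly. It is also worth confirming that Paperless is told its public origin behind the proxy (the `PAPERLESS_URL` setting is not set here), otherwise form posts arriving via `paperless.tailc50184.ts.net` may fail CSRF or allowed-host checks — I cannot tell from this file whether the NixOS module supplies it.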
@@ -139,6 +141,11 @@
 reverse_proxy localhost:9091
 '';
 
+ services.caddy.virtualHosts."auth.tailc50184.ts.net".extraConfig = ''
+ bind tailscale/auth
+ reverse_proxy localhost:9091
+ '';
+
 services.authelia.instances.main.settings.access_control.rules = [
 {
 domain = "syncthing.thewordnerd.info";
diff --git a/roles/authelia.nix b/roles/authelia.nix
index abacde7..3a5fce3 100644
--- a/roles/authelia.nix
+++ b/roles/authelia.nix
@@ -82,6 +82,10 @@
 domain = "*.thewordnerd.info";
 policy = "one_factor";
 }
+ {
+ domain = "*.tailc50184.ts.net";
+ policy = "one_factor";
+ }
 ];
 };
 session = {
@@ -90,6 +94,10 @@
 domain = "thewordnerd.info";
 authelia_url = "https://auth.thewordnerd.info";
 }
+ {
+ domain = "tailc50184.ts.net";
+ authelia_url = "https://auth.tailc50184.ts.net";
+ }
 ];
 };
 notifier = {
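Review bot: The tailnet name `tailc50184.ts.net` is now spelled out as a literal in five places across this commit — this rule, the session cookie entry in the next hunk, both new app files, and the auth vhost in hosts/hub/default.nix — with nothing tying them together, so a tailnet rename or a typo in any one of them breaks the forward_auth chain in a way that only shows up at runtime. A single binding (for example `let tailnetDomain = "tailc50184.ts.net"; in` or an option the app files read) would let this rule read `domain = "*.${tailnetDomain}";` and keep the vhost keys and `authelia_url` in step with it. The new rule also grants `one_factor` to every present and future host under that wildcard, mirroring the existing `*.thewordnerd.info` entry; a one-line comment such as `# every tailnet-facing service behind Caddy's forward_auth` would make that intent visible to the next reader. The rules list and its enclosing attribute set continue outside the hunk.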