diff --git a/nixos/stolas/default.nix b/nixos/stolas/default.nix index 3a370c3..b72f6be 100644 --- a/nixos/stolas/default.nix +++ b/nixos/stolas/default.nix @@ -4,6 +4,7 @@ imports = [ ../modules/profiles/laptop.nix ./disks.nix + # TODO ./paperless.nix ]; boot = { @@ -32,7 +33,7 @@ luks.devices = { root = { # TODO - device = "/dev/disk/by-uuid/todo"; + device = "/dev/disk/by-uuid/TODO"; allowDiscards = true; # TODO lanzaboote + TPM2 unlock with PIN https://www.freedesktop.org/software/systemd/man/251/systemd-cryptenroll.html#--tpm2-with-pin=BOOL #crypttabExtraOpts = [ "fido2-device=auto" ]; @@ -115,11 +116,6 @@ enable = true; browsing = true; }; - paperless = { - # TODO migrate DB - enable = true; - passwordFile = config.age.secrets.paperless.path; - }; tlp.enable = false; }; @@ -127,19 +123,6 @@ stateVersion = "25.05"; }; - systemd.tmpfiles.rules = - let - cfg = config.services.paperless; - in - [ - ( - if cfg.consumptionDirIsPublic then - "d '${cfg.consumptionDir}' 777 - - - -" - else - "d '${cfg.consumptionDir}' 770 ${cfg.user} ${config.users.users.${cfg.user}.group} - -" - ) - ]; - systemd.services = { modem-manager.enable = lib.mkForce false; "dbus-org.freedesktop.ModemManager1".enable = lib.mkForce false; diff --git a/nixos/stolas/disks.nix b/nixos/stolas/disks.nix index 6b07f9b..3ecb67d 100644 --- a/nixos/stolas/disks.nix +++ b/nixos/stolas/disks.nix @@ -25,7 +25,6 @@ mountOptions = [ "umask=0077" ]; }; }; - # TODO tmpfs for nix/var/nix/builds luks = { size = "100%"; content = { diff --git a/nixos/stolas/paperless.nix b/nixos/stolas/paperless.nix new file mode 100644 index 0000000..7591f0a --- /dev/null +++ b/nixos/stolas/paperless.nix 
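Review bot: The added `# TODO ./paperless.nix` line in `imports` leaves the new module unimported, so with the `paperless` service and tmpfiles removals later in this file the host stops running paperless after this commit, not just moving its configuration. If that is intended, the comment should say what blocks the import, for example `# TODO import ./paperless.nix once the DB is migrated` (the reason is inferred from the `# TODO migrate DB` comment). If `age.secrets.paperless` is still declared elsewhere, which is not visible here, the secret would keep being provisioned to the host with nothing using it, so it is worth disabling it together with the service.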
@@ -0,0 +1,20 @@
+{ config }:
+{
+ services.paperless = {
+ # TODO migrate DB
+ enable = true;
+ passwordFile = config.age.secrets.paperless.path;
+ };
+ systemd.tmpfiles.rules =
+ let
+ cfg = config.services.paperless;
+ in
+ [
+ (
+ if cfg.consumptionDirIsPublic then
+ "d '${cfg.consumptionDir}' 777 - - - -"
+ else
+ "d '${cfg.consumptionDir}' 770 ${cfg.user} ${config.users.users.${cfg.user}.group} - -"
+ )
+ ];
+}
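Review bot: The module header `{ config }:` on the first added line has no `...`, and the NixOS module system calls module functions with more arguments than `config` (`lib` and `options` among them), so evaluation will fail as soon as the commented-out import in default.nix is enabled; it should read `{ config, ... }:`. Separately, the `consumptionDirIsPublic` branch creates the directory with mode `777`, which lets any local account add, replace or delete files that paperless then ingests. If the public mode is needed at all, `1777` would at least stop users from removing or renaming each other's files, for example `"d '${cfg.consumptionDir}' 1777 - - - -"`. These rules were moved unchanged from default.nix, so the mode is not new in this commit, but the move is a good moment to tighten it.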