diff --git a/nixos/modules/borg-server.nix b/nixos/modules/borg-server.nix
index 594f356..e498cd1 100644
--- a/nixos/modules/borg-server.nix
+++ b/nixos/modules/borg-server.nix
@@ -39,6 +39,14 @@ in
 path = "${cfg.path}/gorgon";
 quota = "1T";
 };
+ "stolas" = {
+ allowSubRepos = false;
+ authorizedKeysAppendOnly = [
+ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAINC/mVYd3o7oA0dsA58CgkqR40CSfeuU+rikleSrSXFz dadada@gorgon"
+ ];
+ path = "${cfg.path}/stolas";
+ quota = "1T";
+ };
 "surgat" = {
 allowSubRepos = false;
 authorizedKeysAppendOnly = [
diff --git a/nixos/stolas/default.nix b/nixos/stolas/default.nix
index 04fd504..b72f6be 100644
--- a/nixos/stolas/default.nix
+++ b/nixos/stolas/default.nix
@@ -4,6 +4,7 @@
 imports = [
 ../modules/profiles/laptop.nix
 ./disks.nix
+ # TODO ./paperless.nix
 ];
 boot = {
@@ -32,7 +33,7 @@
 luks.devices = {
 root = {
 # TODO
- device = "/dev/disk/by-uuid/todo";
+ device = "/dev/disk/by-uuid/TODO";
 allowDiscards = true;
 # TODO lanzaboote + TPM2 unlock with PIN https://www.freedesktop.org/software/systemd/man/251/systemd-cryptenroll.html#--tpm2-with-pin=BOOL
 #crypttabExtraOpts = [ "fido2-device=auto" ];
@@ -85,13 +86,11 @@
 settings.max-jobs = lib.mkDefault 16;
 };
- # TODO dadada.backupClient.backup1.enable = true;
- # dadada.backupClient.backup2 = {
- # enable = true;
- # passphrasePath = config.age.secrets."${config.networking.hostName}-backup-passphrase".path;
- # sshIdentityFile = config.age.secrets."${config.networking.hostName}-backup-ssh-key".path;
- # repo = "u355513-subX@u355513-subX.your-storagebox.de:/home/backup";
- # };
+ dadada.backupClient.backup1.enable = true;
+ dadada.backupClient.backup2 = {
+ enable = true;
+ repo = "u355513-sub5@u355513-sub5.your-storagebox.de:/home/backup";
+ };
 programs = {
 adb.enable = true;
@@ -117,11 +116,6 @@
 enable = true;
 browsing = true;
 };
- paperless = {
- # TODO migrate DB
- enable = true;
- passwordFile = config.age.secrets.paperless.path;
- };
 tlp.enable = false;
 };
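Review bot: The only key authorised for the new `stolas` repository in `nixos/modules/borg-server.nix` is labelled `dadada@gorgon`, which suggests it was generated on, or copied from, another host's entry rather than being the public half of `secrets/stolas-backup-ssh-key.age` added in this same commit. If that key is also authorised for another repository, the per-host isolation that separate append-only repositories are meant to provide is lost, because one private key can then append to both. Please confirm the public key matches the stolas backup identity and relabel it so a later audit of this list is unambiguous, e.g. `"ssh-ed25519 <stolas backup public key> borg@stolas"`. The enclosing attribute set starts and ends outside the hunk, so the key on the gorgon entry is not visible here.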
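Review bot: In the `@@ -85,13 +86,11 @@` hunk of `nixos/stolas/default.nix`, `dadada.backupClient.backup2` is enabled without the `passphrasePath` and `sshIdentityFile` settings that the removed commented-out draft carried. The backupClient module is not part of this diff, so whether its defaults resolve to the new `stolas-backup-passphrase` and `stolas-backup-ssh-key` agenix secrets cannot be checked from here; if they do not, the job would presumably fail or run with a different identity. Either confirm the defaults or set them explicitly with `passphrasePath = config.age.secrets."${config.networking.hostName}-backup-passphrase".path;` and `sshIdentityFile = config.age.secrets."${config.networking.hostName}-backup-ssh-key".path;`.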
@@ -129,19 +123,6 @@
 stateVersion = "25.05";
 };
- systemd.tmpfiles.rules =
- let
- cfg = config.services.paperless;
- in
- [
- (
- if cfg.consumptionDirIsPublic then
- "d '${cfg.consumptionDir}' 777 - - - -"
- else
- "d '${cfg.consumptionDir}' 770 ${cfg.user} ${config.users.users.${cfg.user}.group} - -"
- )
- ];
-
 systemd.services = {
 modem-manager.enable = lib.mkForce false;
 "dbus-org.freedesktop.ModemManager1".enable = lib.mkForce false;
diff --git a/nixos/stolas/disks.nix b/nixos/stolas/disks.nix
index 6b07f9b..3ecb67d 100644
--- a/nixos/stolas/disks.nix
+++ b/nixos/stolas/disks.nix
@@ -25,7 +25,6 @@
 mountOptions = [ "umask=0077" ];
 };
 };
- # TODO tmpfs for nix/var/nix/builds
 luks = {
 size = "100%";
 content = {
diff --git a/nixos/stolas/paperless.nix b/nixos/stolas/paperless.nix
new file mode 100644
index 0000000..7591f0a
--- /dev/null
+++ b/nixos/stolas/paperless.nix
@@ -0,0 +1,20 @@
+{ config }:
+{
+ services.paperless = {
+ # TODO migrate DB
+ enable = true;
+ passwordFile = config.age.secrets.paperless.path;
+ };
+ systemd.tmpfiles.rules =
+ let
+ cfg = config.services.paperless;
+ in
+ [
+ (
+ if cfg.consumptionDirIsPublic then
+ "d '${cfg.consumptionDir}' 777 - - - -"
+ else
+ "d '${cfg.consumptionDir}' 770 ${cfg.user} ${config.users.users.${cfg.user}.group} - -"
+ )
+ ];
+}
diff --git a/secrets/secrets.nix b/secrets/secrets.nix
index 1da186e..a3255e1 100644
--- a/secrets/secrets.nix
+++ b/secrets/secrets.nix
@@ -7,6 +7,7 @@ let
 ninurta = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIO8TDCzjVVO7A4k6rp+srMj0HHc5gmUOlskTBOvhMkEc root@nixos";
 pruflas = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIBqZHu5ygTODgrNzcU9C2O+b8yCfVsnztV83qxXV4aA8 root@pruflas";
 surgat = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOOJ9UgAle5sX0pAawfRztckVwaQm2U8o0Bawv7cZfXE root@surgat";
+ stolas = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFV1LSH8jeMnXJ/eqhJCebbwxenJmxNoeB6UGrBmRjZk root@stolas";
 };
 backupSecrets = hostName: {
 "${hostName}-backup-passphrase.age".publicKeys = [
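Review bot: The new `nixos/stolas/paperless.nix` opens with `{ config }:`, a closed argument set, while the NixOS module system calls module functions with more arguments than `config` (`lib`, `options` and others), so evaluation should fail with an unexpected-argument error as soon as the `# TODO ./paperless.nix` import is enabled. The header should read `{ config, ... }:`. Separately, the `consumptionDirIsPublic` branch creates the consumption directory as `777` with no owner and no sticky bit, so any local user could feed documents to the service and remove or replace files queued by others. That deserves at least a comment on the rule, and a sticky-bit mode with the directory owned by `cfg.user` would narrow it if the public mode is ever switched on.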
@@ -88,3 +89,4 @@ in // backupSecrets "pruflas" // backupSecrets "surgat" // backupSecrets "agares" +// backupSecrets "stolas" diff --git a/secrets/stolas-backup-passphrase.age b/secrets/stolas-backup-passphrase.age new file mode 100644 index 0000000..ff9d514 --- /dev/null +++ b/secrets/stolas-backup-passphrase.age @@ -0,0 +1,7 @@ +age-encryption.org/v1 +-> ssh-ed25519 OgKXZA A8XAP2YQw/CnN//rHPM9m9p1A/l4IiWV1Qhc9+RHdxQ +mcpcULPCQUMtoCiTwiAU2AXD5UVrQkF5LxZqCJ3VEMA +-> ssh-ed25519 Otklkw UzdSM3CCvzQ4owHWWmrBfiC6NuBAu0onns6s4nlR9Vs +UQ4TBW/4O5rVi0xpS2lAS6M7zgUcWtGlXeL+i748KYE +--- tqrtKyZVDght0KJQZDSDVdnEL38KZjPA2xZ3LjeKlI0 +2lC@(N3-igaH?~Fnqc ɝ<ۼ#F7aB%&t}vr_< \ No newline at end of file diff --git a/secrets/stolas-backup-ssh-key.age b/secrets/stolas-backup-ssh-key.age new file mode 100644 index 0000000..cb98c8d --- /dev/null +++ b/secrets/stolas-backup-ssh-key.age @@ -0,0 +1,8 @@ +age-encryption.org/v1 +-> ssh-ed25519 OgKXZA gTx4Ozd2BU13T8GpiBxSCZdjAwJ/zb10xqW62QMTwms +M9y1f/ndVYnujqIDo0rocQEX/8Isg0vn97mQm8K83iE +-> ssh-ed25519 Otklkw 2hyKMpf/Z8wgBowMgxwb77cj9B5b0/a7q4hq3CxWp0M +jFLwfV72isKUdtr5m2n5303KZiJDKTJny9koUOHLLLg +--- GQfIExiJTJEQTnesTVqF3X7AcorV+SH8TQ9uo5xLwso +u`6^|&Q[KPFAƇшU*n55Ozv傺-C0r;6JC={'@Ժ9O'b#Rw-(؊RjF[=uD3vڝ5bWxiz͢={S; r.O2|jtOrpK297Y/?8&pP:g