diff --git a/third_party/nixpkgs/patches/pr167221.patch b/third_party/nixpkgs/patches/pr167221.patch
new file mode 100644
index 0000000000..080310712e
--- /dev/null
+++ b/third_party/nixpkgs/patches/pr167221.patch
@@ -0,0 +1,327 @@
+From 2c60fcf22061dc2e44502667224bc3d448dcbabc Mon Sep 17 00:00:00 2001
+From: Luke Granger-Brown <git@lukegb.com>
+Date: Mon, 4 Apr 2022 18:30:41 +0000
+Subject: [PATCH 1/2] paperless-ngx: init at 1.6.0
+
+---
+ .../office/paperless-ngx/default.nix          | 193 ++++++++++++++++++
+ pkgs/top-level/all-packages.nix               |   2 +
+ 2 files changed, 195 insertions(+)
+ create mode 100644 pkgs/applications/office/paperless-ngx/default.nix
+
+diff --git a/pkgs/applications/office/paperless-ngx/default.nix b/pkgs/applications/office/paperless-ngx/default.nix
+new file mode 100644
+index 0000000000000..2abf66f1e8362
+--- /dev/null
++++ b/pkgs/applications/office/paperless-ngx/default.nix
+@@ -0,0 +1,193 @@
++{ lib
++, fetchurl
++, fetchpatch
++, nixosTests
++, python3
++, ghostscript
++, imagemagick
++, jbig2enc
++, optipng
++, pngquant
++, qpdf
++, tesseract4
++, unpaper
++, liberation_ttf
++}:
++
++let
++  py = python3.override {
++    packageOverrides = self: super: {
++      django = super.django_3;
++
++      # Incompatible with aioredis 2
++      aioredis = super.aioredis.overridePythonAttrs (oldAttrs: rec {
++        version = "1.3.1";
++        src = oldAttrs.src.override {
++          inherit version;
++          sha256 = "0fi7jd5hlx8cnv1m97kv9hc4ih4l8v15wzkqwsp73is4n0qazy0m";
++        };
++      });
++    };
++  };
++
++  path = lib.makeBinPath [ ghostscript imagemagick jbig2enc optipng pngquant qpdf tesseract4 unpaper ];
++in
++py.pkgs.pythonPackages.buildPythonApplication rec {
++  pname = "paperless-ngx";
++  version = "1.6.0";
++
++  src = fetchurl {
++    url = "https://github.com/paperless-ngx/paperless-ngx/releases/download/ngx-${version}/${pname}-${version}.tar.xz";
++    sha256 = "07mrxbwahkm00n9nvssd6d13p80w333g84cd38bzp0l34nzim5zl";
++  };
++
++  format = "other";
++
++  # Make bind address configurable
++  postPatch = ''
++    substituteInPlace gunicorn.conf.py --replace "bind = " "# bind = "
++  '';
++
++  propagatedBuildInputs = with py.pkgs.pythonPackages; [
++    aioredis
++    arrow
++    asgiref
++    async-timeout
++    attrs
++    autobahn
++    automat
++    blessed
++    certifi
++    cffi
++    channels-redis
++    channels
++    chardet
++    click
++    coloredlogs
++    concurrent-log-handler
++    constantly
++    cryptography
++    daphne
++    dateparser
++    django-cors-headers
++    django-extensions
++    django-filter
++    django-picklefield
++    django-q
++    django
++    djangorestframework
++    filelock
++    fuzzywuzzy
++    gunicorn
++    h11
++    hiredis
++    httptools
++    humanfriendly
++    hyperlink
++    idna
++    imap-tools
++    img2pdf
++    incremental
++    inotify-simple
++    inotifyrecursive
++    joblib
++    langdetect
++    lxml
++    msgpack
++    numpy
++    ocrmypdf
++    pathvalidate
++    pdfminer
++    pikepdf
++    pillow
++    pluggy
++    portalocker
++    psycopg2
++    pyasn1-modules
++    pyasn1
++    pycparser
++    pyopenssl
++    python-dateutil
++    python-dotenv
++    python-gnupg
++    python-Levenshtein
++    python_magic
++    pytz
++    pyyaml
++    redis
++    regex
++    reportlab
++    requests
++    scikit-learn
++    scipy
++    service-identity
++    six
++    sortedcontainers
++    sqlparse
++    threadpoolctl
++    tika
++    tqdm
++    twisted.extras.tls
++    txaio
++    tzlocal
++    urllib3
++    uvicorn
++    uvloop
++    watchdog
++    watchgod
++    wcwidth
++    websockets
++    whitenoise
++    whoosh
++    zope_interface
++  ];
++
++  installPhase = ''
++    mkdir -p $out/lib
++    cp -r . $out/lib/paperless-ngx
++    chmod +x $out/lib/paperless-ngx/src/manage.py
++    makeWrapper $out/lib/paperless-ngx/src/manage.py $out/bin/paperless-ngx \
++      --prefix PYTHONPATH : "$PYTHONPATH" \
++      --prefix PATH : "${path}"
++    ln -s $out/lib/paperless-ngx $out/lib/paperless-ng
++    ln -s $out/bin/paperless-ngx $out/bin/paperless-ng
++  '';
++
++  checkInputs = with py.pkgs.pythonPackages; [
++    pytest-django
++    pytest-env
++    pytest-sugar
++    pytest-xdist
++    factory_boy
++    pytestCheckHook
++  ];
++
++  pytestFlagsArray = [ "src" ];
++
++  # The tests require:
++  # - PATH with runtime binaries
++  # - A temporary HOME directory for gnupg
++  # - XDG_DATA_DIRS with test-specific fonts
++  preCheck = ''
++    export PATH="${path}:$PATH"
++    export HOME=$(mktemp -d)
++    export XDG_DATA_DIRS="${liberation_ttf}/share:$XDG_DATA_DIRS"
++
++    # Disable unneeded code coverage test
++    substituteInPlace src/setup.cfg \
++      --replace "--cov --cov-report=html" ""
++  '';
++
++  passthru = {
++    # PYTHONPATH of all dependencies used by the package
++    pythonPath = python3.pkgs.makePythonPath propagatedBuildInputs;
++    inherit path;
++  };
++
++  meta = with lib; {
++    description = "A supercharged version of paperless: scan, index, and archive all of your physical documents";
++    homepage = "https://paperless-ngx.readthedocs.io/en/latest/";
++    license = licenses.gpl3Only;
++    maintainers = with maintainers; [ lukegb ];
++  };
++}
+diff --git a/pkgs/top-level/all-packages.nix b/pkgs/top-level/all-packages.nix
+index 65c5b9e133f04..367a8c95fbd8c 100644
+--- a/pkgs/top-level/all-packages.nix
++++ b/pkgs/top-level/all-packages.nix
+@@ -8857,6 +8857,8 @@ with pkgs;
+ 
+   paperless-ng = callPackage ../applications/office/paperless-ng { };
+ 
++  paperless-ngx = callPackage ../applications/office/paperless-ngx { };
++
+   paperwork = callPackage ../applications/office/paperwork/paperwork-gtk.nix { };
+ 
+   papertrail = callPackage ../tools/text/papertrail { };
+
+From c6fe5d87b7525cbb2581a6a48bc20ef05483afa2 Mon Sep 17 00:00:00 2001
+From: Luke Granger-Brown <git@lukegb.com>
+Date: Mon, 4 Apr 2022 18:31:19 +0000
+Subject: [PATCH 2/2] nixos/tests: add test for paperless-ngx using
+ paperless-ng module
+
+---
+ nixos/modules/services/misc/paperless-ng.nix  |  1 -
+ nixos/tests/all-tests.nix                     |  1 +
+ nixos/tests/paperless-ngx.nix                 | 46 +++++++++++++++++++
+ .../office/paperless-ngx/default.nix          |  2 +
+ 4 files changed, 49 insertions(+), 1 deletion(-)
+ create mode 100644 nixos/tests/paperless-ngx.nix
+
+diff --git a/nixos/modules/services/misc/paperless-ng.nix b/nixos/modules/services/misc/paperless-ng.nix
+index 881fa93c04eed..716049070d11e 100644
+--- a/nixos/modules/services/misc/paperless-ng.nix
++++ b/nixos/modules/services/misc/paperless-ng.nix
+@@ -53,7 +53,6 @@ let
+     PrivateNetwork = true;
+     PrivateTmp = true;
+     PrivateUsers = true;
+-    ProcSubset = "pid";
+     ProtectClock = true;
+     # Breaks if the home dir of the user is in /home
+     # Also does not add much value in combination with the TemporaryFileSystem.
+diff --git a/nixos/tests/all-tests.nix b/nixos/tests/all-tests.nix
+index dcbdf34e9441c..efffc6464f593 100644
+--- a/nixos/tests/all-tests.nix
++++ b/nixos/tests/all-tests.nix
+@@ -399,6 +399,7 @@ in
+   pantalaimon = handleTest ./matrix/pantalaimon.nix {};
+   pantheon = handleTest ./pantheon.nix {};
+   paperless-ng = handleTest ./paperless-ng.nix {};
++  paperless-ngx = handleTest ./paperless-ngx.nix {};
+   parsedmarc = handleTest ./parsedmarc {};
+   pdns-recursor = handleTest ./pdns-recursor.nix {};
+   peerflix = handleTest ./peerflix.nix {};
+diff --git a/nixos/tests/paperless-ngx.nix b/nixos/tests/paperless-ngx.nix
+new file mode 100644
+index 0000000000000..6752b6391e42c
+--- /dev/null
++++ b/nixos/tests/paperless-ngx.nix
+@@ -0,0 +1,46 @@
++import ./make-test-python.nix ({ lib, ... }: {
++  name = "paperless-ngx";
++  meta.maintainers = with lib.maintainers; [ lukegb ];
++
++  nodes.machine = { pkgs, ... }: {
++    environment.systemPackages = with pkgs; [ imagemagick jq ];
++    services.paperless-ng = {
++      enable = true;
++      package = pkgs.paperless-ngx;
++      passwordFile = builtins.toFile "password" "admin";
++    };
++  };
++
++  testScript = ''
++    machine.wait_for_unit("paperless-ng-consumer.service")
++
++    with subtest("Create test doc"):
++        machine.succeed(
++            "convert -size 400x40 xc:white -font 'DejaVu-Sans' -pointsize 20 -fill black "
++            "-annotate +5+20 'hello world 16-10-2005' /var/lib/paperless/consume/doc.png"
++        )
++
++    with subtest("Web interface gets ready"):
++        machine.wait_for_unit("paperless-ng-web.service")
++        # Wait until server accepts connections
++        machine.wait_until_succeeds("curl -fs localhost:28981")
++
++    with subtest("Create web test doc"):
++        machine.succeed(
++            "convert -size 400x40 xc:white -font 'DejaVu-Sans' -pointsize 20 -fill black "
++            "-annotate +5+20 'hello web 16-10-2005' /tmp/webdoc.png"
++        )
++        machine.wait_until_succeeds("curl -u admin:admin -F document=@/tmp/webdoc.png -fs localhost:28981/api/documents/post_document/")
++
++    with subtest("Documents are consumed"):
++        machine.wait_until_succeeds(
++            "(($(curl -u admin:admin -fs localhost:28981/api/documents/ | jq .count) == 2))"
++        )
++        assert "2005-10-16" in machine.succeed(
++            "curl -u admin:admin -fs localhost:28981/api/documents/ | jq '.results | .[0] | .created'"
++        )
++        assert "2005-10-16" in machine.succeed(
++            "curl -u admin:admin -fs localhost:28981/api/documents/ | jq '.results | .[1] | .created'"
++        )
++  '';
++})
+diff --git a/pkgs/applications/office/paperless-ngx/default.nix b/pkgs/applications/office/paperless-ngx/default.nix
+index 2abf66f1e8362..02d93e3cc4ead 100644
+--- a/pkgs/applications/office/paperless-ngx/default.nix
++++ b/pkgs/applications/office/paperless-ngx/default.nix
+@@ -182,6 +182,8 @@ py.pkgs.pythonPackages.buildPythonApplication rec {
+     # PYTHONPATH of all dependencies used by the package
+     pythonPath = python3.pkgs.makePythonPath propagatedBuildInputs;
+     inherit path;
++
++    tests = { inherit (nixosTests) paperless-ngx; };
+   };
+ 
+   meta = with lib; {
diff --git a/third_party/nixpkgs/patches/series b/third_party/nixpkgs/patches/series
index 3cc1ca6fd2..4c07b08012 100644
--- a/third_party/nixpkgs/patches/series
+++ b/third_party/nixpkgs/patches/series
@@ -2,5 +2,6 @@ nvidia-sideband-socket.patch
 pr163673.patch
 pr163678.patch
 pr164025.patch
+pr167221.patch
 networkd-support-more-wg-options.patch
 networkd-global-options.patch