Hashicorp Vault is an incredible tool when it comes to keeping passwords safe on the server. Using Authelia as an example, I will show how to keep Docker passwords secure on the server even without Docker swarm.
Relatively unknown are Nextcloud's audit logs. If you enable them, the admin has the possibility to check his instance for suspicious activities.
Few know that you can also configure Nextcloud via environment variables. With this possibility you can save the storage of passwords in the Nextcloud config.php.
One problem with PHP web applications is that they are usually slow. Imaginary is an external application written in GO that speeds up the creation of previews and thumbnails in Nextcloud.
Paperless-ngx does not support a second factor by default. However, with Authelia and a NGINX reverse proxy, this can be retrofitted.