feat(paperless): create scanner drop point

New layout:
Scanner -(unsecure ftp over lan)-> t470 -(secure rsync)-> paperless.005540.xyz

t470.nix

@@ -2,7 +2,7 @@
 # your system.  Help is available in the configuration.nix(5) man page
 # and in the NixOS manual (accessible by running ‘nixos-help’).
 
-{ pkgs, ... }:
+{ lib, ... }:
 {
   imports = [
     ./hardware-configuration-t470.nix
@@ -32,6 +32,47 @@
     in [ "${automount_opts},credentials=/etc/nixos/secrets/books.smb" ];
   };
 
+  # scanner drop point
+  services.vsftpd = {
+    enable = true;
+    localUsers = true;
+    anonymousUser = false;
+    writeEnable = true;
+    chrootlocalUser = true;
+    userlistEnable = true;
+    userlist = [ "paperless-upload" ];
+    userlistDeny = false;
+    extraConfig = ''
+      log_ftp_protocol=YES
+      pasv_enable=YES
+      pasv_min_port=51000
+      pasv_max_port=51999
+      local_umask=022
+      file_open_mode=0777
+      user_sub_token=$USER
+      local_root=/var/lib/ftp/$USER
+      allow_writeable_chroot=YES
+    '';
+  };
+  networking.firewall.allowedTCPPorts = [ 21 ];
+  networking.firewall.allowedTCPPortRanges = [
+    {
+      from = 51000;
+      to = 51999;
+    }
+  ];
+  users.groups.paperless-upload = {};
+  users.users.paperless-upload = {
+    isSystemUser = true;
+    group = "paperless-upload";
+  };
+  system.activationScripts.makeFtpDirectory = lib.stringAfter [ "var" ] ''
+    mkdir -m 775 -p /var/lib/ftp
+    chown root:root /var/lib/ftp
+    mkdir -m 700 -p /var/lib/ftp/paperless-upload
+    chown paperless-upload:paperless-upload /var/lib/ftp/paperless-upload
+  '';
+
   # fingerprint sensor setup
   services.open-fprintd.enable = true;
   services.python-validity.enable = true;