diff --git a/configuration.nix b/configuration.nix
index 4395b3d..e3d0afa 100644
--- a/configuration.nix
+++ b/configuration.nix
@@ -8,6 +8,8 @@ in
 ./firewall.nix
 ./borgbackup.nix
+ ./ftp.nix
+
 (import ./acme.nix { inherit base-domain; })
 (import ./nginx.nix { inherit base-domain; })
 ./postgresql.nix
diff --git a/firewall.nix b/firewall.nix
index fe34e6c..8074529 100644
--- a/firewall.nix
+++ b/firewall.nix
@@ -1,7 +1,14 @@
 {
 networking.firewall = {
 enable = true;
- allowedTCPPorts = [ 22 80 443 ];
+ allowedTCPPorts = [ 22 80 443 21 ];
 allowedUDPPorts = [ 22 80 443 ];
+ allowedTCPPortRanges = [
+ # vsftpd passive
+ {
+ from = 51000;
+ to = 51999;
+ }
+ ];
 };
 }
diff --git a/ftp.nix b/ftp.nix
new file mode 100644
index 0000000..7d66a3d
--- /dev/null
+++ b/ftp.nix
@@ -0,0 +1,13 @@
+{
+ services.vsftpd = {
+ enable = true;
+ localUsers = true;
+ writeEnable = true;
+ extraConfig = ''
+ log_ftp_protocol=YES
+ pasv_enable=YES
+ pasv_min_port=51000
+ pasv_max_port=51999
+ '';
+ };
+}
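Review bot: The passive range 51000–51999 is written out a second time in the firewall.nix hunk; the same two numbers appear as `pasv_min_port`/`pasv_max_port` in ftp.nix, so editing one file without the other either breaks passive transfers or leaves ports open that nothing should be using. Consider declaring the openings next to the service in ftp.nix from a shared `let` binding, e.g. `networking.firewall.allowedTCPPortRanges = [ { from = pasvMin; to = pasvMax; } ];`. Port 21 and the whole range are also opened for every source address on every interface. A thousand passive ports is more than a small server normally needs, so narrowing the range, or scoping it with `networking.firewall.interfaces.<name>.allowedTCPPortRanges` if clients arrive on one interface, would reduce the exposed surface.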
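Review bot: With `localUsers = true` and no TLS settings in the new ftp.nix, system account passwords and all transferred files cross the network in cleartext on the port 21 that firewall.nix opens to every source. The NixOS module provides `rsaCertFile`, `forceLocalLoginsSSL` and `forceLocalDataSSL` for this; the certificate paths below are placeholders (the acme.nix import suggests a certificate may already be issued for the host, but that is not visible here). `writeEnable = true` additionally lets any local account that can authenticate log in and write wherever its Unix permissions allow, so an allow-list (`userlistEnable` with `userlistDeny = false`) and `chrootlocalUser` would narrow access to the intended upload account.

```nix
  services.vsftpd = {
    # … unchanged: enable, localUsers, writeEnable, extraConfig …

    # Require TLS for both the control and the data channel.
    rsaCertFile = "/path/to/fullchain.pem";  # placeholder path
    rsaKeyFile = "/path/to/key.pem";         # placeholder path
    forceLocalLoginsSSL = true;
    forceLocalDataSSL = true;

    # Only the listed accounts may log in; everyone else is refused.
    userlistEnable = true;
    userlistDeny = false;
    userlist = [ "ftp-upload-user" ];        # placeholder account name

    # Confine each session to the user's home directory. vsftpd refuses a
    # writable chroot root by default: either make the home itself read-only
    # with a writable subdirectory, or set allowWriteableChroot knowingly.
    chrootlocalUser = true;
```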