diff --git a/nixos/machines/frumar/default.nix b/nixos/machines/frumar/default.nix
index 0b5fcfa..90fb442 100644
--- a/nixos/machines/frumar/default.nix
+++ b/nixos/machines/frumar/default.nix
@@ -3,6 +3,7 @@
 ./fractal.nix
 ../../roles/server.nix
 ../../roles/homeserver.nix
+ ./paperless.nix
 ];
 
 system.stateVersion = "15.09";
@@ -137,12 +138,19 @@
 # unifiPassword = "ReadOnlyPassword";
 # };
 };
+ services.yorick.paperless = {
+ enable = true;
+ openFirewall = true;
+ scanner_ip = "192.168.2.49";
+ };
 boot.zfs.requestEncryptionCredentials = false;
- networking.firewall.interfaces.wg-y.allowedTCPPorts = [ 3000 9090 8443 ];
- # mqtt, wsdd, ??, minecraft
- networking.firewall.allowedTCPPorts = [ 1883 5357 443 25565 ];
- # mqtt, wsdd, minecraft
- networking.firewall.allowedUDPPorts = [ 1883 3702 25565 ];
+ networking.firewall = {
+ interfaces.wg-y.allowedTCPPorts = [ 3000 9090 8443 ];
+ # mqtt, wsdd, ??, minecraft
+ allowedTCPPorts = [ 1883 5357 443 25565 ];
+ # mqtt, wsdd, minecraft
+ allowedUDPPorts = [ 1883 3702 25565 ];
+ };
 services.rabbitmq = {
 enable = true;
 plugins = [ "rabbitmq_mqtt" "rabbitmq_management" ];
@@ -315,5 +323,4 @@
 TRANSIP_Username = "yorickvp";
 TRANSIP_Key_File = config.age.secrets.transip-key.path;
 };
-
 }
diff --git a/nixos/machines/frumar/paperless.nix b/nixos/machines/frumar/paperless.nix
new file mode 100644
index 0000000..838dcee
--- /dev/null
+++ b/nixos/machines/frumar/paperless.nix
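Review bot: The rewritten `networking.firewall` block in the second hunk still carries the unresolved `# mqtt, wsdd, ??, minecraft` comment for TCP 443, and the moved `interfaces.wg-y.allowedTCPPorts = [ 3000 9090 8443 ];` line has no comment at all, so the port inventory in this file stays incomplete after the restructuring. Since the block is being touched anyway, naming the service behind 443 (or dropping the port if it is no longer used) and adding a matching comment on the wg-y line would finish the job, e.g. `# mqtt, wsdd, <service on 443 - TODO identify>, minecraft`. The new `services.yorick.paperless` block also sets `openFirewall = true;`, which according to paperless.nix accepts TCP 21 only from `scanner_ip`; a one-line note here such as `# opens TCP 21 from scanner_ip only (see paperless.nix)` keeps that exposure visible next to the other port lists. Hunks 1 and 3 of this file (import line, trailing blank line) raise nothing.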
@@ -0,0 +1,45 @@
+{ config, lib, pkgs, ... }:
+let cfg = config.services.yorick.paperless;
+in {
+ options.services.yorick.paperless = with lib; {
+ enable = mkEnableOption "yorick paperless";
+ openFirewall = mkEnableOption "open firewall for scanner";
+ scanner_ip = mkOption {
+ type = types.str;
+ };
+ };
+ config = lib.mkIf cfg.enable {
+ networking.firewall = lib.mkIf cfg.openFirewall {
+ connectionTrackingModules = [ "ftp" ];
+ extraCommands = ''
+ iptables -t raw -A PREROUTING -i eno1 -s ${cfg.scanner_ip}/32 -p tcp --dport 21 -j CT --helper ftp
+ iptables -A nixos-fw -p tcp -m tcp --dport 21 -s ${cfg.scanner_ip}/32 -j nixos-fw-accept
+ '';
+ extraStopCommands = ''
+ iptables -t raw -D PREROUTING -i eno1 -s ${cfg.scanner_ip}/32 -p tcp --dport 21 -j CT --helper ftp
+ iptables -D nixos-fw -p tcp -m tcp --dport 21 -s ${cfg.scanner_ip}/32 -j nixos-fw-accept
+ '';
+ };
+
+ users.users.ads1600w = {
+ home = "/var/ads1600w";
+ group = "ads1600w";
+ initialHashedPassword =
+ "$6$q7E6hnTHHt9v.$OHZjuWISanANGwfhznWwfDlHAqbXBjqcr/q0lGe9ff2r.X9xCSoLP4giME5J9WoEUNuWssMLGBPMfXowBjXg70";
+ isSystemUser = true;
+ shell = "${pkgs.shadow}/bin/nologin";
+ createHome = true;
+ };
+ users.groups.ads1600w = { };
+
+ services.vsftpd = {
+ enable = true;
+ localUsers = true;
+ writeEnable = true;
+ chrootlocalUser = true;
+ allowWriteableChroot = true;
+ userlist = [ "ads1600w" ];
+ };
+ # todo: back up this dir
+ };
+}
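Review bot: The `ads1600w` account's `initialHashedPassword` puts the full crypt hash into the module itself, so it is versioned alongside the configuration and exposed to offline guessing by anyone with read access to the repository; default.nix already consumes agenix secrets (`config.age.secrets.transip-key.path`), so the same mechanism fits here, e.g. `hashedPasswordFile = config.age.secrets.<ads1600w-password-hash>.path;` (`passwordFile` on older NixOS) in place of the literal. Separately, `chrootlocalUser = true;` combined with `allowWriteableChroot = true;` disables vsftpd's refusal to chroot into a writable root; keeping `/var/ads1600w` itself read-only and giving the scanner a writable subdirectory lets that override be dropped. The `iptables -D` calls in `extraStopCommands` will error if a rule is already gone, which can leave the stop path failing after a partial apply unless the firewall stop script already tolerates it — the usual pattern is to append `2>/dev/null || true` to each. Finally `scanner_ip` is spliced verbatim into shell commands yet has no `description`; a one-liner such as `description = "Address permitted to upload scans over FTP";` documents the contract, and the hard-coded `-i eno1` in the raw-table rule deserves a comment naming why that interface is assumed.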