diff --git a/hosts/kilgharrah/default.nix b/hosts/kilgharrah/default.nix
index 75dd2ec..7740df5 100644
--- a/hosts/kilgharrah/default.nix
+++ b/hosts/kilgharrah/default.nix
@@ -8,6 +8,7 @@ ./networking.nix
 ./datasets.nix
+ ./ftp.nix
 ];
 nixpkgs.hostPlatform = "x86_64-linux";
diff --git a/hosts/kilgharrah/ftp.nix b/hosts/kilgharrah/ftp.nix
new file mode 100644
index 0000000..23fe390
--- /dev/null
+++ b/hosts/kilgharrah/ftp.nix
@@ -0,0 +1,75 @@
+{ config, lib, pkgs, ... }:
+
+{
+ randomcat.services.zfs.datasets = {
+ "rpool_albion/srv" = { mountpoint = "none"; };
+ "rpool_albion/srv/ftp" = { mountpoint = "/srv/ftp"; };
+ };
+
+ age.secrets.ftp-userDb-qenya = {
+ # To update this, see the nixos docs for services.vsftpd.userDbPath. Note
+ # that the command it gives to create a userDb, if applied to an *existing*
+ # userDb, will *add* the entries from the source file, overwriting any
+ # entries with the same username but leaving other existing entries intact.
+ # Also note the database format does not salt hashes.
+ file = ../../secrets/ftp-userDb-qenya.age;
+
+ # we have to specify this manually because pam_userdb strips the extension
+ path = "/etc/vsftpd/userDb.db";
+ };
+
+ services.vsftpd = {
+ enable = true;
+ localUsers = true;
+ forceLocalLoginsSSL = true;
+ forceLocalDataSSL = true;
+ rsaCertFile = "${config.security.acme.certs."ftp.qenya.tel".directory}/fullchain.pem";
+ rsaKeyFile = "${config.security.acme.certs."ftp.qenya.tel".directory}/key.pem";
+
+ enableVirtualUsers = true;
+ userlistDeny = false; # turn userlist from a denylist into an allowlist
+ userlist = [ "qenya" ]; # this is just a list of the users in the userDb
+ userDbPath = "/etc/vsftpd/userDb";
+
+ localRoot = "/srv/ftp";
+
+ extraConfig = ''
+ # nothing in the default cipher suite is enabled in modern ssl clients!
+ ssl_ciphers=HIGH
+
+ # set this to something firewallable
+ pasv_min_port=51000
+ pasv_max_port=51099
+
+ # don't bother with upgrading to TLS, just listen on FTPS only
+ implicit_ssl=YES
+ listen_port=990
+ '';
+ };
+
+ services.nginx = {
+ enable = true;
+ virtualHosts = {
+ "ftp.qenya.tel" = {
+ forceSSL = true;
+ useACMEHost = "ftp.qenya.tel";
+ locations."/".return = "503";
+ };
+ };
+ };
+
+ security.acme.certs = {
+ "ftp.qenya.tel" = {
+ webroot = "/var/lib/acme/acme-challenge";
+ group = "acme_ftp.qenya.tel";
+ };
+ };
+
+ users.groups."acme_ftp.qenya.tel".members = [
+ "vsftpd" # not configurable in the vsftpd nixos module
+ config.services.nginx.group
+ ];
+
+ networking.firewall.allowedTCPPorts = [ 990 80 443 ];
+ networking.firewall.allowedTCPPortRanges = [{ from = 51000; to = 51099; }];
+}
diff --git a/secrets.nix b/secrets.nix
index d59c4e7..1db2c04 100644
--- a/secrets.nix
+++ b/secrets.nix
@@ -4,6 +4,7 @@ let
 commonKeys = keys.users.qenya;
 secrets = with keys; {
+ ftp-userDb-qenya = [ machines.kilgharrah ];
 user-password-kilgharrah-qenya = [ machines.kilgharrah ];
 user-password-tohru-qenya = [ machines.tohru ];
 wireguard-peer-orm = [ machines.orm ];
diff --git a/secrets/ftp-userDb-qenya.age b/secrets/ftp-userDb-qenya.age
new file mode 100644
index 0000000..3d40119
Binary files /dev/null and b/secrets/ftp-userDb-qenya.age differ
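Review bot: `ssl_ciphers=HIGH` in `extraConfig` narrows the cipher list but says nothing about protocol version, so whichever TLS versions vsftpd (or the NixOS module) enables by default stay negotiable on the implicit-FTPS listener on port 990; pin them next to it, e.g. `ssl_tlsv1=NO`, `ssl_tlsv1_1=NO`, `ssl_tlsv1_2=YES`, and check the vsftpd version in nixpkgs for a TLS 1.3 toggle. `localRoot = "/srv/ftp"` only selects the directory vsftpd changes into after login; unless the module's `chrootlocalUser` option is also set, a virtual user mapped to the guest account can presumably walk the rest of the filesystem as that uid, so either enable it or add a comment stating why the session is deliberately not confined. The comment above `file = ../../secrets/ftp-userDb-qenya.age` asserts the database holds unsalted hashes, but pam_userdb's accepted format (crypt(3) hashes versus plaintext) is chosen by the `crypt=` option in the PAM stanza the NixOS vsftpd module generates, which this diff does not show — verify it and state the actual format in the comment so a rotation does not store the wrong thing. Finally, `userlist = [ "qenya" ]` duplicates the user set held inside the encrypted database, so an account added to the secret without updating this allowlist is silently denied; a comment such as `# must be kept in sync with the usernames in the userDb secret` would make that coupling explicit.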