{ config, ... }: {
  services.webdav = {
    enable = true;
    settings = {
      # only listen over tailscale, so weak auth ok. TODO: secrets management with sops or agenix
      address = "100.64.0.2";
      port = 8080;
      directory = "/srv/webdav";
      permissions = "RCUD";
      users = [{
        username = "defin";
        password = "password";
      }];
    };
  };
  networking.firewall.allowedTCPPorts = [ 8080 ];
}