diff --git a/machines/weilite/default.nix b/machines/weilite/default.nix
index 7f88d95..9b9d442 100644
--- a/machines/weilite/default.nix
+++ b/machines/weilite/default.nix
@@ -102,6 +102,13 @@
 type = "virtiofs";
 options = "rw,nodev,nosuid";
 }
+{
+ what = "originals";
+ where = "/mnt/photos/xin/originals";
+ type = "virtiofs";
+ options = "rw,nodev,nosuid";
+ wantedBy = [ "immich-server.service" ];
+ }
 {
 what = "/mnt/nixos/ocis";
 where = "/var/lib/ocis";
diff --git a/machines/weilite/secrets.yaml b/machines/weilite/secrets.yaml
index c41b0ce..b5b0e87 100644
--- a/machines/weilite/secrets.yaml
+++ b/machines/weilite/secrets.yaml
@@ -12,6 +12,9 @@ sonarr:
 api-key: ENC[AES256_GCM,data:/CkApTCLQy8TLHGKSM1saacNi9uQDswAjshRSLJk1hg=,iv:PNX4BZLx7krs12lxgORMSarnt0c/ga8yPtoLSzbQ+sY=,tag:V1pp9OCtX5/5fbwLBMGlOQ==,type:str]
 radarr:
 api-key: ENC[AES256_GCM,data:AeJArngvgmqnxk2g13QjMa6XS893B+3ZdX2K8OqXRQg=,iv:NrQf3yyqRpHMeWQ3bpPH4fUDdo/x2uB6pQCq0ZrFP5c=,tag:Yj2PSy6zRfe8anW0RGuZAQ==,type:str]
+webdav:
+ photosync:
+ password: ENC[AES256_GCM,data:s+omleBtVALG5bpbTnlzbwBj0oCZX8Dm8IbcUV6COnI=,iv:vwCs3ujmCcE87rl91ZtOEAgSQF1/0t17/7/0UM4x8fE=,tag:ylw76CX9SCylWoJt86rmjg==,type:str]
 sops:
 kms: []
 gcp_kms: []
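Review bot: The new `originals` mount in machines/weilite/default.nix lacks `noexec`, although it is now mounted `rw` and the webdav.nix section of this commit binds the same path as an upload target. Adding it would keep anything written through WebDAV from being executed directly from the share: `options = "rw,nodev,nosuid,noexec";`. The neighbouring mount entries in the context lines carry the same three options, so the same hardening may apply to them. The enclosing mount list starts and ends outside the hunk.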
@@ -36,8 +39,8 @@ sops: V0thRjU4WGpQRGFpcnoxSjZTZHhTTkUKzNMHh9p7GUY3hL5XZ9S4x20CwaItsXFV RKujsFVVBd8Kuq/jyOCBTRCscuHI4LW/wYeZYHFEZFSTK2liAqspgw== -----END AGE ENCRYPTED FILE----- - lastmodified: "2025-03-30T06:50:46Z" - mac: ENC[AES256_GCM,data:o9mucckntBoKzO3+S1lWcvKeyolqlzYcRRWkosjLnJ7kY3S2ssYxdEz9PPBihpIU4z8ogy/TIuRjLV/XOiPyNUZy0a++2erfQjpr4YIc8KvivG9erE4S4YkNFCVOXv6XjQ7gypaYScX8pdhh0idkyuxJPb0N5HcB1Ngtx/bhrBY=,iv:YfFXYt0GGZsssyoImWKep0in0STGqgUgQ87v2g7E0MU=,tag:aMb/SDiboeRyCW9AItnhzw==,type:str] + lastmodified: "2025-04-06T14:28:44Z" + mac: ENC[AES256_GCM,data:tYAhkwRs2CFOUCw3Iuq6T5C+QkbpSz80fI6CP65VyFrNiej9hshmjngPnf8bFElF+bHI64a/zpo2y4CqV213011tOX2YYvLD5zrAQb18rBFUdJblY5wQyx/DXiPaIf5jK6WGHIRaOmqZJuqXKrQKnf99N12JydXjt6usBGGZr8M=,iv:wySf7lctw14iUbKo5fDu+p6TMY5QXGYYmBukh2qb19I=,tag:pZrnFiNZEK01pnDN0+1Rcw==,type:str] pgp: [] unencrypted_suffix: _unencrypted version: 3.9.4 diff --git a/machines/weilite/services/default.nix b/machines/weilite/services/default.nix index 649ca08..c0a3ef9 100644 --- a/machines/weilite/services/default.nix +++ b/machines/weilite/services/default.nix @@ -7,5 +7,6 @@ ./immich.nix ./jellyfin.nix ./transmission.nix + ./webdav.nix ]; } diff --git a/machines/weilite/services/immich.nix b/machines/weilite/services/immich.nix index 25e403f..79fe7d6 100644 --- a/machines/weilite/services/immich.nix +++ b/machines/weilite/services/immich.nix @@ -86,16 +86,6 @@ in ''; }; - systemd.mounts = [ - { - what = "originals"; - where = "/mnt/immich/external-library/xin"; - type = "virtiofs"; - options = "ro,nodev,nosuid"; - wantedBy = [ "immich-server.service" ]; - } - ]; - systemd.timers.immich-auto-stack = { enable = true; wantedBy = [ "immich-server.service" ]; 
@@ -135,8 +125,8 @@ in systemd.services.immich-server = { serviceConfig = { - ReadWritePaths = [ - "/mnt/immich/external-library/xin" + BindReadOnlyPaths = [ + "/mnt/photos/xin/originals:/mnt/immich/external-library/xin" ]; Environment = "IMMICH_CONFIG_FILE=${config.sops.templates."immich/config.json".path}"; }; @@ -161,8 +151,11 @@ in users.users.immich.extraGroups = [ "video" "render" + "privimg" ]; + users.groups.privimg = { }; + users.groups.immich_auto_stack = { }; users.users.immich_auto_stack = { isSystemUser = true; diff --git a/machines/weilite/services/webdav.nix b/machines/weilite/services/webdav.nix new file mode 100644 index 0000000..eac5147 --- /dev/null +++ b/machines/weilite/services/webdav.nix @@ -0,0 +1,47 @@ +{ config, ... }: +{ + + sops.secrets = { + "webdav/photosync/password" = { }; + }; + + sops.templates."webdav.env" = { + content = '' + PHOTOSYNC_PASSWORD=${config.sops.placeholder."webdav/photosync/password"} + ''; + }; + + services.webdav = { + enable = true; + settings = { + address = "127.0.0.1"; + port = "16065"; + permissions = "CRUD"; + behindProxy = true; + users = [ + { + username = "photosync"; + password = "{env}PHOTOSYNC_PASSWORD"; + } + ]; + }; + group = "privimg"; + environmentFile = config.sops.templates."webdav.env".path; + }; + + systemd.services.webdav.serviceConfig = { + BindPaths = [ + "/mnt/photos/xin/originals:%t/webdav/photosync" + ]; + RuntimeDirectory = "webdav"; + WorkingDirectory = "%t/webdav"; + }; + + users.users."${config.services.webdav.user}".extraGroups = [ + "privimg" + ]; + + services.caddy.virtualHosts."https://weilite.coho-tet.ts.net:6065".extraConfig = '' + reverse_proxy 127.0.0.1:16065 + ''; +}
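Review bot: Nothing in machines/weilite/services/webdav.nix ties webdav.service to the virtiofs share it binds: `BindPaths` takes `/mnt/photos/xin/originals` as its source, while the mount entry added in default.nix is `wantedBy` only `immich-server.service`. If the share is not mounted when webdav starts, the bind would presumably either fail or expose the empty directory underneath, so uploads could land on the root filesystem and be hidden once the share appears. I would add `systemd.services.webdav.unitConfig.RequiresMountsFor = [ "/mnt/photos/xin/originals" ];` rather than rely on any implicit dependency. Separately, `permissions = "CRUD"` lets the `photosync` credential overwrite and delete originals; if the sync client only uploads, `"CR"` would be the narrower grant (not verified against what the client needs).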