{ config, ... }:
{

  sops.secrets = {
    "webdav/photosync/password" = { };
  };

  sops.templates."webdav.env" = {
    content = ''
      PHOTOSYNC_PASSWORD=${config.sops.placeholder."webdav/photosync/password"}
    '';
  };

  services.webdav = {
    enable = true;
    settings = {
      permissions = "RC";
      behindProxy = true;
      users = [
        {
          username = "photosync";
          password = "{ENV}PHOTOSYNC_PASSWORD";
        }
      ];
    };
    environmentFile = config.sops.templates."webdav.env".path;
  };

  systemd.services.webdav.serviceConfig = {
    BindReadOnlyPaths = [
      "/mnt/photos/xin/originals:%t/webdav/photosync"
    ];
    RuntimeDirectory = "webdav";
    WorkingDirectory = "%t/webdav";
  };

}